Compare commits

...

522 Commits

Author SHA1 Message Date
Peter Korsgaard 15a05e6d5a Update for 2020.02.9
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 17:55:12 +01:00
Fabrice Fontaine fc321efabb package/opencv3: fix build with protobuf and gcc < 6
Fix the folloing build failure with protobuf (enabled since commit
31c68a449e) and gcc 5.3.0:

[ 53%] Building CXX object modules/dnn/CMakeFiles/opencv_dnn.dir/opencv-caffe.pb.cc.o
In file included from /home/peko/autobuild/instance-1/output-1/per-package/opencv3/host/opt/ext-toolchain/mips64el-buildroot-linux-uclibc/include/c++/5.5.0/atomic:38:0,
                 from /home/peko/autobuild/instance-1/output-1/per-package/opencv3/host/mips64el-buildroot-linux-uclibc/sysroot/usr/include/google/protobuf/io/coded_stream.h:115,
                 from /home/peko/autobuild/instance-1/output-1/build/opencv3-3.4.12/buildroot-build/modules/dnn/opencv-caffe.pb.h:23,
                 from /home/peko/autobuild/instance-1/output-1/build/opencv3-3.4.12/buildroot-build/modules/dnn/opencv-caffe.pb.cc:4:
/home/peko/autobuild/instance-1/output-1/per-package/opencv3/host/opt/ext-toolchain/mips64el-buildroot-linux-uclibc/include/c++/5.5.0/bits/c++0x_warning.h:32:2: error: #error This file requires compiler and library support for the ISO C++ 2011 standard. This support must be enabled with the -std=c++11 or -std=gnu++11 compiler options.
 #error This file requires compiler and library support \
  ^

Fixes:
 - http://autobuild.buildroot.org/results/7caf175af039054a032b8f63b458b3940d9ec0f3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bf96f4e8d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 14:45:31 +01:00
Yann E. MORIN 1420d5bcca package/opencv3: do not detect ccache
OpenCV-3's buildsystem will try to detect ccache and use it if
available. This may yield a system-installed ccache.

However, in Buildroot, ccache is entirely hidden away and handled in the
toolchain wrapper.

Forcibly disable detection of ccache.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 505e7f4771)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 14:20:27 +01:00
Romain Naour 067b7faa89 package/freescale-imx/imx-gpu-viv: install Vendor ICDs file (Vivante.icd)
Without this file, the clinfo binary provided by the package doesn't
detect the opencl support.

Fixes:
https://github.com/boundarydevices/buildroot-external-boundary/issues/5

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b37cd79daf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 09:33:48 +01:00
Romain Naour a06a86582a board/boundarydevices: promote buildroot-external-boundary project
It may be useful for users using Boundary Devices boards to find
more advanced defconfigs than the one provided by Buildroot.

See:
https://github.com/boundarydevices/buildroot-external-boundary#configurations-details

Update the readme.txt to add the link to the br2_external maintained
by Boundary Devices.

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7554332284)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 09:30:34 +01:00
Gleb Mazovetskiy 6ea9c167b3 package/pkg-meson: force-disable binary stripping
In buildroot, stripping for the target is configured and implemented
with the global `BR2_STRIP_strip` option that drive the stripping in
the target-finalize step.

So, we explicitly disable stripping at build time for the target
variants.

For the host variants, however, we don't much care about symbols and
stuff, but smaller executables will hopefully load faster than bigger
ones (disputable, given that sections in ELF files are paged-in
on-demand), so we explictly enable stripping.

Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
[yann.morin.1998@free.fr:
  - add burb about the target-finalize step
  - enable stripping for host variants
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3f39f902b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 09:21:32 +01:00
Fabrice Fontaine c91c3b9b96 package/dhcpcd: add udev optional dependency
udev is an optional dependency (enabled by default) since version 6.1.0:
https://github.com/rsmarples/dhcpcd/commit/12bbc8cb5c7507be15a7e0af4140c3d81125c46c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 580eac9468)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 09:10:57 +01:00
Fabrice Fontaine a69107c62b package/dhcpcd: enhance syntax
Add all configure options through DHCP_CONFIG_OPTS and avoid splitting
lines when they are less than 80 characters

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 909432e0bb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 09:10:53 +01:00
Fabrice Fontaine 09658e44ba package/mutt: fix activation of openssl on imap
Activation of openssl for imap is broken since commit
0fcd010a2d because of the following typo:
BR2_PACKAGET_MUTT_IMAP

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dc1ec5b78b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 09:01:01 +01:00
Baruch Siach 10bcf5fb66 libcurl: security bump to version 7.74.0
Fixes security issues:

CVE-2020-8286: Inferior OCSP verification

CVE-2020-8285: FTP wildcard stack overflow

CVE-2020-8284: trusting FTP PASV responses

Drop upstream patch.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 365ab82008)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 08:50:11 +01:00
Baruch Siach 8652521dec package/libcurl: fix build with libssh2 and disabled proxy
Add patch fixing build of libssh2 support when
BR2_PACKAGE_LIBCURL_PROXY_SUPPORT is disabled.

Fixes:
http://autobuild.buildroot.net/results/113407c1721b601cf2b721d0b78392622000cc3f/
http://autobuild.buildroot.net/results/a5abdcc6a12d2326da0fe3daf9ecbb96e5c6cac3/
http://autobuild.buildroot.net/results/ab1f7b9837ac74fad359e6c239f45ed25ad31df3/

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0fa9af8be0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 08:49:56 +01:00
Baruch Siach 4e8399040b package/libcurl: bump to version 7.73.0
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2d0be6577e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-27 08:49:51 +01:00
Asaf Kahlon 3e2c4e4fba package/{libuv, uvw}: bump to versions 1.40.0, 2.8.0_libuv_v1.40
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1931f9abf9)
[Peter: needed for nodejs]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-26 11:41:58 +01:00
Asaf Kahlon 32c7626f32 package/{libuv,uvw}: bump to versions 1.38.0, 2.6.0_libuv-v1.38
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3634b9d11a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-26 11:41:49 +01:00
Asaf Kahlon c19df4469e package/{libuv,uvw}: bump to versions 1.37.0, 2.5.0_libuv-v1.37
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7d9ed0a19d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-26 11:41:43 +01:00
Jörg Krause 4aa12ace24 package/libuv: bump to version 1.35.0
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 60011f1456)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-26 11:41:35 +01:00
Francois Perrad bd434ec787 package/openldap: security bump to version 2.4.56
Fixes the following security issue:

- CVE-2020-25692: A NULL pointer dereference was found in OpenLDAP server
  and was fixed in openldap 2.4.55, during a request for renaming RDNs.  An
  unauthenticated attacker could remotely crash the slapd process by sending
  a specially crafted request, causing a Denial of Service.

- CVE-2020-25709: Assertion failure in CSN normalization with invalid input

- CVE-2020-25710: Assertion failure in CSN normalization with invalid input

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: add CVE info]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 09a565d940)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-24 12:49:13 +01:00
Marcin Niestroj 0e40c041dc package/python-crc16: allow to build with python3
python3 is officially supported by package, as there is a usage example
at [1]. Simply remove dependency on BR2_PACKAGE_PYTHON.

[1] https://pypi.org/project/crc16/

Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a7fdc5686b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-24 12:48:05 +01:00
Fabrice Fontaine 39da6d8217 package/rauc: fix build with headers < 4.14
Fixes:
 - http://autobuild.buildroot.org/results/829ae7ed66686c11a941ac99bd08a06f754affb4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 45a09e9041)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-24 09:49:50 +01:00
Peter Korsgaard 351fb9d639 package/nodejs: security bump to version 12.19.1
Fixes the following security issue:

- CVE-2020-8277: Denial of Service through DNS request (High).  A Node.js
  application that allows an attacker to trigger a DNS request for a host of
  their choice could trigger a Denial of Service by getting the application
  to resolve a DNS record with a larger number of responses.

https://nodejs.org/en/blog/release/v12.19.1/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f359580796)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-24 09:46:19 +01:00
Fabrice Fontaine a76c9fd92d package/apitrace: disable unit tests
This will avoid the following build failure with xtensa:

[ 62%] Linking CXX executable ../../guids_test
[ 62%] Building CXX object retrace/CMakeFiles/retrace_common.dir/retrace.cpp.o
CMakeFiles/guids_test.dir/guids_test.cpp.o:(.debug_line+0xf7b): dangerous relocation: overflow after relaxation
collect2: error: ld returned 1 exit status
lib/guids/CMakeFiles/guids_test.dir/build.make:85: recipe for target 'guids_test' failed

Fixes:
 - http://autobuild.buildroot.org/results/8fea93a88bb34e98e391a048c3b996b45ebac803

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0d209dce35)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-24 09:44:13 +01:00
Adam Wujek 3f457f8323 package/netsnmp: fix memory leak in IP-MIB when running without IPv6
In a Linux system without IPv6 support (or booted with "ipv6.disable=1")
file /proc/net/snmp6 is not present. If such file is not present an allocated
memory is not freed. Memory leak occurs even without snmp queries.

Problem seen at least since netsnmp 5.7.3 (probably even v5.6.1).
Patch backported from netsnmp 5.9, where the problem does not appear any more.

Signed-off-by: Adam Wujek <dev_public@wujek.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5e6f6e0745)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-24 09:37:11 +01:00
Fabrice Fontaine b246d34507 package/mutt: fix CVE-2020-28896
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that
$ssl_force_tls was processed if an IMAP server's initial server response
was invalid. The connection was not properly closed, and the code could
continue attempting to authenticate. This could result in authentication
credentials being exposed on an unencrypted connection, or to a
machine-in-the-middle.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 89a9f74fa8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-24 09:34:02 +01:00
Peter Korsgaard 9f4ec41161 package/haproxy: bump to version 2.1.10
Fixes a large number of issues.  For details, see the changelog:
https://www.haproxy.org/download/2.1/src/CHANGELOG

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-23 09:28:38 +01:00
Peter Korsgaard 993c977d44 package/rauc: security bump to version 1.5
Fixes the following security issue:

- CVE-2020-25860: Time-of-Check-Time-of-Use Vulnerability in code that
  checks and installs a firmware bundle.
  For more details, see the advisory:
  https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 41bbe8df54)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 15:17:34 +01:00
Thomas Petazzoni 523963d8f2 package/rauc: fix URL of the signed tarball
Reported-by: Yair Ben Avraham <yairba@protonmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a9b454387c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 15:17:10 +01:00
Yair Ben-Avraham ebe548a23a package/rauc: bump version to 1.4
Signed-off-by: Yair Ben Avraham <yairba@protonmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ac841cc7ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 15:17:01 +01:00
Pierre-Jean Texier 55b00b50d0 package/rauc: bump to version 1.3
See: https://github.com/rauc/rauc/releases/tag/v1.3

And update hash file formatting (2 spaces).

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ce6b0ace35)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 15:16:51 +01:00
Peter Korsgaard d74ea609ab package/python-pyqt5: fix qt5 openssl conditional
BR2_PACKAGE_QT5BASE_OPENSSL was dropped by commit 4be1f9b9873
(package/qt5enginio: drop qt 5.6 support), but python-pyqt5 not updated to
match.  Fix that.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 54854dc44e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 15:15:47 +01:00
Peter Korsgaard 858b20597a package/ti-sgx-*: fix s/correpsonds/corresponds/ typo
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 292475976f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 15:14:37 +01:00
Fabrice Fontaine 9b29bfa5dc package/ghostscript: bump to version 9.53.3
https://www.ghostscript.com/doc/9.53.3/News.htm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d1c5397e9e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 13:51:11 +01:00
Fabrice Fontaine 2078446f6c package/imagemagick: security bump to version 7.10.51
- Fix CVE-2020-29599: ImageMagick before 6.9.11-40 and 7.x before
  7.0.10-40 mishandles the -authenticate option, which allows setting a
  password for password-protected PDF files. The user-controlled password
  was not properly escaped/sanitized and it was therefore possible to
  inject additional shell commands via coders/pdf.c.
- Update license hash (correct wording to match Apache 2 license:
  https://github.com/ImageMagick/ImageMagick/commit/45e5d2493c08e7cb49f7268c01d847e88f78fd6c)

https://github.com/ImageMagick/ImageMagick/blob/7.0.10-51/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b898e80639)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 11:54:33 +01:00
Fabrice Fontaine c59e742b70 package/cryptopp: security bump to version 8.3.0
- Fix CVE-2019-14318: Crypto++ 8.2.0 and earlier contains a timing side
  channel in ECDSA signature generation. This allows a local or remote
  attacker, able to measure the duration of hundreds to thousands of
  signing operations, to compute the private key used. The issue occurs
  because scalar multiplication in ecp.cpp (prime field curves, small
  leakage) and algebra.cpp (binary field curves, large leakage) is not
  constant time and leaks the bit length of the scalar among other
  information. For details, see:
  https://github.com/weidai11/cryptopp/issues/869

- Update license hash due to the addition of ARM SHA1 and SHA256 asm
  implementation from Cryptogams
  https://github.com/weidai11/cryptopp/commit/1a63112faf5af60e0ebcc60654eef806e7f6f11a
  https://github.com/weidai11/cryptopp/commit/4c9ca6b723b5ec5aab7eec720ad4d22598abe941

https://www.cryptopp.com/release830.html

[Peter: adjust CVE info, issue is fixes in 8.3.0]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e7c789d48f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 11:53:33 +01:00
Thomas De Schampheleire 9f1e9894ba package/ncurses: don't attempt calling ldconfig in host-ncurses
The host-ncurses install step attempts to run ldconfig, causing a permission
failure:

cd /buildroot/output/host/lib && (ln -s -f libncurses.so.6.0 libncurses.so.6; ln -s -f libncurses.so.6 libncurses.so; )
test -z "" && /sbin/ldconfig
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
make[3]: [/buildroot/output/host/lib/libncurses.so.6.0] Error 1 (ignored)

The error is non-fatal and ignored, but confusing.

The ncurses makefiles already avoid calling ldconfig when DESTDIR is set
(target case) but for host-ncurses DESTDIR is empty and the output/host path
is passed via --prefix.

Pass an empty ac_cv_path_LDCONFIG to the configure step, so than ldconfig is
not called.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 389f48fe90)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 11:51:44 +01:00
Thomas De Schampheleire 10a8c7a0ca package/opkg-utils: needs Python3 on the host
The 'opkg.py' script installed by host-opkg-utils has as shebang:
    #!/usr/bin/env python3

which may not be available on all host machines.
Add a potential dependency on host-python3 via BR2_PYTHON3_HOST_DEPENDENCY,
which will only add the host-python3 dependency if no python3 is already
available on the host.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7dcd20f9d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 11:51:22 +01:00
Thomas Petazzoni 6226bd680b DEVELOPERS: remove Thomas Davis
His e-mail has been bouncing for quite a while:

<sunsetbrew@sunsetbrew.com>: connect to
    sunsetbrew.com[2a05:d014:9da:8c10:306e:3e07:a16f:a552]:25: Network is
    unreachable

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fd5eeabac0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 11:49:46 +01:00
Tian Yuanhao f9e0f044c4 package/pkg-golang.mk: postpone evaluation of TARGET_DIR and HOST_DIR
When BR2_PER_PACKAGE_DIRECTORIES=y, $(TARGET_DIR) is evaluated as
$(BASE_DIR)/target, but $$(TARGET_DIR) is evaluated as
$(BASE_DIR)/per-package/$(PKG)_NAME/target.

Signed-off-by: Tian Yuanhao <tianyuanhao@aliyun.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8d595c0d92)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 11:49:02 +01:00
Fabrice Fontaine 3df036c745 package/tinycbor: fix build on musl
Fixes:
 - http://autobuild.buildroot.org/results/c23b694442e7f86cbdd14d8789b12e6a8fd26a70

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eaff5c39c1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 11:39:47 +01:00
Peter Korsgaard 9b550a71e3 package/wireshark: security bump to version 3.2.10
The following vulnerabilities have been fixed:
- wnpa-sec-2020-16 Kafka dissector memory leak. Bug 16739.
  CVE-2020-26418.
- wnpa-sec-2020-17 USB HID dissector crash. Bug 16958. CVE-2020-26421.
- wnpa-sec-2020-18 RTPS dissector memory leak. Bug 16994.
  CVE-2020-26420.

https://www.wireshark.org/docs/relnotes/wireshark-3.2.9.html
https://www.wireshark.org/docs/relnotes/wireshark-3.2.10.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 09:46:55 +01:00
Bernd Amend 432eb23e19 pkg-cmake.mk: fix host ccache support for CMake 3.19
Starting with CMake 3.4 CMake supports setting a compiler launcher
like ccache. The feature is described in
https://cmake.org/cmake/help/latest/variable/CMAKE_LANG_COMPILER_LAUNCHER.html
This should be safe since everything is built for the host using make or ninja.
The use of *_ARG1 is discouraged by the cmake developers
https://cmake-developers.cmake.narkive.com/OTa9EKfj/cmake-c-compiler-arg-not-documented .

Without this patch I get the following error message with CMake 3.19.1 on Arch Linux.
Disabling BR2_CCACHE also resolves the issue.

/usr/bin/cmake [~]/buildroot/build/host-lzo-2.10/ -DCMAKE_INSTALL_SO_NO_EXE=0 -DCMAKE_FIND_ROOT_PATH="[...]" -DCMAKE_FIND_ROOT_PATH_MODE_PROGRAM="BOTH" -DCMAKE_FIND_ROOT_P
ATH_MODE_LIBRARY="BOTH" -DCMAKE_FIND_ROOT_PATH_MODE_INCLUDE="BOTH" -DCMAKE_INSTALL_PREFIX="[...]" -DCMAKE_C_FLAGS="-O2 -I[...]/include" -DCMAKE_CXX_FLAGS="-O2 -I[...]/include" -DCMAKE_EXE_LINKER_FLAGS="-L[...]/lib -Wl,-rpath,[...]/lib" -DCMAKE_SHARED_LINKER_FLAGS="-L[...]/l
ib -Wl,-rpath,[...]/lib" -DCMAKE_ASM_COMPILER="/usr/bin/as" -DCMAKE_C_COMPILER="[...]/bin/ccache" -DCMAKE_CXX_COMPILER="[...]/bin/ccache"
-DCMAKE_C_COMPILER_ARG1="/usr/bin/gcc" -DCMAKE_CXX_COMPILER_ARG1="/usr/bin/g++"  -DCMAKE_COLOR_MAKEFILE=OFF -DBUILD_DOC=OFF -DBUILD_DOCS=OFF -DBUILD_EXAMPLE=OFF -DBUILD_EXAMPLES=OFF -DBUILD_TEST=OFF -DBUILD_TESTS=OFF -DBUILD_TESTING=O
FF  -DENABLE_SHARED=ON -DENABLE_STATIC=OFF )
-- The C compiler identification is unknown
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - failed
-- Check for working C compiler: [...]/bin/ccache
-- Check for working C compiler: [...]/bin/ccache - broken
CMake Error at /usr/share/cmake-3.19/Modules/CMakeTestCCompiler.cmake:66 (message):
The C compiler

Signed-off-by: Bernd Amend <bernd.amend@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0e310b4fd0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 09:23:05 +01:00
Peter Korsgaard 572418f82b {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 9}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0675498b5d)
[Peter: drop 5.9.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-22 00:04:20 +01:00
Fabrice Fontaine ed1777c0e4 package/shadowsocks-libev: fix static build with netfilter_conntrack
Fixes:
 - http://autobuild.buildroot.org/results/6cad497a7ab941a0ee3fd7007defc81e30cdcbe0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1294447142)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 15:19:54 +01:00
Christoph Müllner 1ed3998ba3 boot/arm-trusted-firmware: Forward stack protection configuration
TF-A supports stack smashing protection (-fstack-protector-*).
However, that feature is currently silently disabled because
ENABLE_STACK_PROTECTOR is not set during build time.

As documented in the TF-A user guide, the flag ENABLE_STACK_PROTECTOR
is required to enable stack protection support. When enabled the symbols
for the stack protector (e.g. __stack_chk_guard) are built.
This needs to be done because TF-A does not link against an external
library that provides that symbols (e.g. libc).

So in case we see that BR2_SSP_* is enabled, let's enable the corresponding
ENABLE_STACK_PROTECTOR build flag for TF-A as documented in the TF-A user guide.

This patch also fixes a the following linker errors with older TF-A versions
if BR2_SSP_* is enabled (i.e. -fstack-protector-* is used as compiler flag)
and ENABLE_STACK_PROTECTOR is not set, which are caused by the missing
stack protector symbols:

  [...]
  params_setup.c:(.text.params_early_setup+0xc): undefined reference to `__stack_chk_guard'
  aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x14): undefined reference to `__stack_chk_guard'
  aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x104): undefined reference to `__stack_chk_guard'
  aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x118): undefined reference to `__stack_chk_fail'
  aarch64-none-linux-gnu-ld: ./build/px30/release/bl31/pmu.o: in function `rockchip_soc_sys_pwr_dm_suspend':
  pmu.c:(.text.rockchip_soc_sys_pwr_dm_suspend+0xc): undefined reference to `__stack_chk_guard'
  [...]

TF-A releases after Nov 2019, that include 7af195e29a4, will circumvent
these issue by explicitliy and silently disabling the stack protector
by appending '-fno-stack-protector' to the compiler flags in case
ENABLE_STACK_PROTECTOR is not set.

Tested on a Rockchip PX30 based system (TF-A v2.2 and upstream/master).

Signed-off-by: Christoph Müllner <christoph.muellner@theobroma-systems.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7b3fcbcdaa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 15:16:12 +01:00
Thomas De Schampheleire 0e6c245f7a package/libglib2: correct upstream status for patch 0001
Patch '0001-fix-compile-time-atomic-detection.patch' claims to be Merged but
this is not true. The linked issue is closed with 'Needs information', and
the code itself is effectively not merged.

Clarify the 'Upstream-status' line to make this more clear.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 43021dfb77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 14:46:14 +01:00
Peter Korsgaard b7efd22e1d package/python-lxml: security bump to version 4.6.2
Fixes the following security issues:

* 4.6.2: A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner
  by Yaniv Nizry, which allowed JavaScript to pass through.  The cleaner now
  removes more sneaky "style" content.

* 4.6.1: A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry,
  which allowed JavaScript to pass through.  The cleaner now removes more
  sneaky "style" content.

For more details, see the changes file:
https://github.com/lxml/lxml/blob/lxml-4.6.2/CHANGES.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ea41a5faab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 14:42:17 +01:00
Asaf Kahlon a727619768 package/python-lxml: bump to version 4.5.1
The options --with-xslt-config and --with-xml2-config were
renamed to --xslt-config and --xml2-config", respectively.

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fac3cfc110)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 14:42:12 +01:00
James Hilliard c65d237786 package/python-lxml: bump to version 4.5.0
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 36074cd3de)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 14:42:03 +01:00
Fabrice Fontaine 5543ec89bc package/sqlcipher: security bump to version 4.4.2
Fix CVE-2020-27207: Zetetic SQLCipher 4.x before 4.4.1 has a
use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in
sqlite3.c. A remote denial of service attack can be performed. For
example, a SQL injection can be used to execute the crafted SQL command
sequence. After that, some unexpected RAM data is read.

https://www.zetetic.net/blog/2020/11/25/sqlcipher-442-release

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f38893f8dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 14:40:59 +01:00
Yann E. MORIN 76428d0f07 package/dtv-scan-tables: switch upstream location
The old git tree is unreachable now, switch to using the new one.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c7bd3805bd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 14:13:41 +01:00
Yann E. MORIN 4d5e23d20b package/qt5base: fix build with TI SGX GL stack
qt5base FTBFS with TI SGX GL stack because it defines a type that is
incompatible with that expected by Qt.

Fix that by adapting a mix of upstream bug reports, upstream tentative
patch, and various comments on various Qt forums, none of which were
satisfying for various reasons explained in each resource:

  - https://bugreports.qt.io/browse/QTBUG-72567
  - https://codereview.qt-project.org/c/qt/qtbase/+/248270
  - https://forum.qt.io/topic/88588/qtbase-compilation-error-with-device-linux-rasp-pi3-g-qeglfskmsgbmwindow-cpp/8
  - https://forum.qt.io/topic/91596/raspberry-pi-3-compiling-qt-5-11-0-problem/6
  - https://patchwork.ozlabs.org/project/buildroot/patch/20200702201125.3639873-1-aduskett@gmail.com/#2579598

... which, mixed together with my little understanding of Qt, GL, and
C++, gave a relatively simple patch that overcomes the build failure on
TI's SGX, while at the same time keeping buildability and functionality
on other platforms.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Markus <zehnder@live.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf7f3112f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d71fc330fe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:48:56 +01:00
Peter Korsgaard e8b2fcec13 package/qt5xmlpatterns: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 80dd5c98f4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:48:23 +01:00
Peter Korsgaard bcfcd258f3 package/qt5x11extras: drop qt 5.6 support
And get rid of the 5.12.8 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 83f8813d41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:47:36 +01:00
Peter Korsgaard 15c57e1768 package/qt5webview: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 55e5b3464b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:46:51 +01:00
Peter Korsgaard bd1881d1ec package/qt5websockets: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9c59c74714)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:46:07 +01:00
Peter Korsgaard 09b287465f package/qt5webkit-examples: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b15344f43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:45:40 +01:00
Peter Korsgaard 6cf7b1dfb8 package/qt5webkit: drop qt 5.6 support
And get rid of the 5.9.1 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 68917a6fe5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:45:10 +01:00
Peter Korsgaard 2ecafe6d10 package/qt5webengine: drop qt 5.6 support
And get rid of the 5.12.8 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d2b562b5ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:43:59 +01:00
Peter Korsgaard 7caf208b08 package/qt5webchannel: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f57ab9d1d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:42:11 +01:00
Peter Korsgaard d3d75aed03 package/qt5wayland: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a962dacdc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:41:30 +01:00
Peter Korsgaard 608108df3f package/qt5virtualkeyboard: drop qt 5.6 support
And get rid of the 5.12.8 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8f6092dbb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:40:54 +01:00
Peter Korsgaard 5bf9a03252 package/qt5tools: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 86940ea633)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:40:12 +01:00
Peter Korsgaard 55e1da2290 package/qt5svg: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c99c2f7e6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:39:39 +01:00
Peter Korsgaard 50556ade3b package/qt5serialport: drop qt 5.6 support
And get rid of the 5.12.8 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit abdf3851e9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:38:58 +01:00
Peter Korsgaard 8180d61712 package/qt5serialbus: drop qt 5.6 support
And get rid of the 5.12.8 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 061157fc7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:37:46 +01:00
Peter Korsgaard 844ce63431 package/qt5sensors: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e4b6e4198a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:36:53 +01:00
Peter Korsgaard 698211f5be package/qt5scxml: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 57e30291c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:36:23 +01:00
Peter Korsgaard 6134b5fe0c package/qt5script: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 051a2e7b1b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:36:10 +01:00
Peter Korsgaard d43070a001 package/qt5quickcontrols2: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6496afdcde)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:35:03 +01:00
Peter Korsgaard 79b03affb0 package/qt5quickcontrols: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 49bdf1763b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:33:12 +01:00
Peter Korsgaard 3152f3995a package/qt5multimedia: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit be8015ac6d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:32:30 +01:00
Peter Korsgaard e3b230b391 package/qt5location: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7bc2eca708)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:31:53 +01:00
Peter Korsgaard 6a204ef35a package/qt5imageformats: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fce260c8c0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:31:11 +01:00
Peter Korsgaard 556206d43c package/qt5graphicaleffects: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bd75bdc762)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:30:36 +01:00
Peter Korsgaard 0df80d8969 package/qt5enginio: drop qt 5.6 support
And get rid of the now unused BR2_PACKAGE_QT5BASE_OPENSSL symbol.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 366b3bb39f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:30:05 +01:00
Peter Korsgaard b99ba37135 package/qt5declarative: drop 5.6 support
And get rid of the 5.12.8 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 17fafd712a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:29:00 +01:00
Peter Korsgaard a2cd78333f package/qt5connectivity: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 29469b6452)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:12:32 +01:00
Peter Korsgaard 3e0af84a27 package/qt5charts: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4ccf0f8360)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:10:45 +01:00
Peter Korsgaard 65670e9e4e package/qt5canvas3d: drop qt 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 50a3409a91)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:08:39 +01:00
Peter Korsgaard b31ec94b71 package/qt53d: drop 5.6 support
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 66afb27b9d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 12:07:40 +01:00
Peter Korsgaard 1c07cb49bf package/qt5base: drop 5.6 support
And get rid of the 5.12.8 subdir now that the version selection is gone.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7ef6ade0de)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 11:43:41 +01:00
Adam Duskett 796733bd2a package/ti-sgx-demos: use KMS-based demos
Weston does not work with the ti-sgx SDK, so switch to using the
KMS-based demos.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[yann.morin.1998@free.fr: split off into its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 29ff603f08)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 10:57:03 +01:00
Adam Duskett 4ee7723e76 configs/beaglebone_qt5: switch to using KMS instead of wayland+weston
weston does not work on the ti-sgx SDK, so switch to using KMS directly,
and drop the wayland-related config options.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[yann.morin.1998@free.fr: split into its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8efc5dce98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-21 10:56:39 +01:00
Peter Korsgaard 90588ad893 package/ruby: add upstream security fix for CVE-2020-25613
For details, see the advisory:
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-19 08:37:05 +01:00
Peter Korsgaard 69614ac90f package/libressl: security bump to version 3.1.5
Fixes the following security issues:

    * Malformed ASN.1 in a certificate revocation list or a timestamp
      response token can lead to a NULL pointer dereference.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.5-relnotes.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 23:39:54 +01:00
Fabrice Fontaine 420fa7ecc7 package/libressl: bump to version 3.1.4
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d226d30286)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 23:39:49 +01:00
Adam Duskett 67f4c95b03 package/libressl: bump version to 3.1.3
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7c8910e095)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 23:39:44 +01:00
Adam Duskett 43887867ca package/libresslL: bump version to 3.1.2
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e976958563)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 23:39:38 +01:00
Fabrice Fontaine e179ef2193 package/mbedtls: security bump to version 2.16.9
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 455387fa3a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:21:08 +01:00
Marcin Niestroj 53b53b01ae package/python-pyparsing: update link to project
Old link no longer works, so replace that with link to GitHub.

Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1cec1e3f7f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:17:30 +01:00
Julien Grossholtz c9b60fb1b7 package/paho-mqtt-c: bump to version 1.3.7
Paho-mqtt-c maintainance release. It fixes some bugs including client
times out and buffer overflow:

https://github.com/eclipse/paho.mqtt.c/milestone/9?closed=1

Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 71e0d12ed1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:14:30 +01:00
Fabrice Fontaine 0ad49b4144 package/paho-mqtt-c: bump to version 1.3.6
Update LICENSE hash, EDL version has been fixed with
https://github.com/eclipse/paho.mqtt.c/commit/34ec96cac554c4ae1527b92433730233f1bdca40

https://github.com/eclipse/paho.mqtt.c/milestone/11?closed=1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6eba48124e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:14:27 +01:00
Michael Vetter e3d92a854b package/jasper: security bump to 2.0.23
Changes:
* Fix CVE-2020-27828, heap-overflow in cp_create() in jpc_enc.c

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ac9f50f204)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:12:04 +01:00
Fabrice Fontaine a9cd449546 package/jasper: fix tarball name in hash file
tarball name was not updated by commit
0ca16ace62

While at it also update indentation in hash file (two spaces)

Fixes:
 - http://autobuild.buildroot.org/results/1356d309d45b5eedeec375e2fdc0cf2ad7839a55

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 245c643fc7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:11:56 +01:00
Michael Vetter 0a1d926e10 package/jasper: bump to version 2.0.22
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0ca16ace62)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:11:46 +01:00
Michael Vetter 8848396f17 package/jasper: bump to version 2.0.21
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3c133b50b4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:11:38 +01:00
Michael Vetter 7be0d30464 package/jasper: bump to version 2.0.20
Bump JasPer to 2.0.20

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a108bbf38e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:11:31 +01:00
Bernd Kuhls 55bb3acdd0 package/ca-certificates: bump version to 20200601
Reformatted hashes.

Updated license hash due to upstream commit:
https://salsa.debian.org/debian/ca-certificates/-/commit/1e2be69b0823dfb56dc3981b7547afd181e066cc

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dae3159221)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:03:15 +01:00
Bernd Kuhls 859e268b56 package/libopenssl: security bump version to 1.1.1i
Rebased patches 0001 & 0004.

Fixes CVE-2020-1971.

Changelog: https://www.openssl.org/news/changelog.html#openssl-111

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop patch 0004, not in 2020.02.x]
(cherry picked from commit 5cf57efbd3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:01:46 +01:00
Peter Korsgaard 7a850e0328 package/libopenssl: bump to version 1.1.1h
For details, see the release notes:
https://www.openssl.org/news/openssl-1.1.1-notes.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 35fad96c2c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 11:01:16 +01:00
Romain Naour 6fe2623f0a package/flare-engine: require sdl2_image with png support
flare-engine fail to start if sdl2_image library is build without
libpng support.

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6c4328a5ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 10:45:48 +01:00
Bernd Kuhls 4824ec560c package/x11r7/xserver_xorg-server: bump version to 1.20.10
Release notes:
https://lists.x.org/archives/xorg-announce/2020-December/003067.html

Remove patches which were applied upstream.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5f6e3c0962)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-13 00:45:46 +01:00
Fabrice Fontaine 023ac3c6c1 package/x11vnc: fix CVE-2020-29074
scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which
allows access by actors other than the current user.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b6a105af8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-12 12:02:51 +01:00
Peter Korsgaard 0b09bbd604 package/docker-containerd: security bump to version 1.4.3
Fixes the following security issue:

- CVE-2020-15257: Access controls for the shim’s API socket verified that
  the connecting process had an effective UID of 0, but did not otherwise
  restrict access to the abstract Unix domain socket.  This would allow
  malicious containers running in the same network namespace as the shim,
  with an effective UID of 0 but otherwise reduced privileges, to cause new
  processes to be run with elevated privileges.

For more details, see the advisory:
https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1e1d1278c7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-12 11:05:37 +01:00
Christian Stewart 04edde7a26 package/docker-containerd: bump to version 1.4.1
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 87a8cbe617)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-12 11:05:31 +01:00
Christian Stewart a6de54d16b package/docker-containerd: bump to version 1.4.0
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 04b2afc65b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-12 11:05:12 +01:00
Fabrice Fontaine 694d03de22 package/libcap: fix libcap.pc
libcap builds an incorrect libcap.pc because libdir is pulled from the
host os:

ifndef lib
lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
endif

Fix this error by passing lib=lib and prefix in
{HOST_LIBCAP,LIBCAP}_BUILD_CMDS

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=13276

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 07f8ea3913)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-12 09:22:26 +01:00
Peter Korsgaard 818acd27e2 package/x11r7/xserver_xorg-server: add upstream security fixes for CVE-2020-14360 / 25712
Fixes the following security issues:

* CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access

  Insufficient checks on the lengths of the XkbSetMap request can lead to
  out of bounds memory accesses in the X server.

* CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow

  Insufficient checks on input of the XkbSetDeviceInfo request can lead to a
  buffer overflow on the head in the X server.

For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/12/01/3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c773336463)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-12 00:17:51 +01:00
Bernd Kuhls 670208cd16 package/setserial: add license hash
Also reformatted hash file.

Fixes:
http://autobuild.buildroot.net/results/d1c/d1ccecc74755155664cd17c8d33721c804a37b25/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 23d8b04295)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:31:37 +01:00
Peter Korsgaard 377fa247b9 package/privoxy: security bump to version 3.0.29
From the release notes:

- Security/Reliability:
  - Fixed memory leaks when a response is buffered and the buffer
    limit is reached or Privoxy is running out of memory.
    Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
    Sponsored by: Robert Klemme
  - Fixed a memory leak in the show-status CGI handler when
    no action files are configured. Commit c62254a686.
    OVE-20201118-0002.
    Sponsored by: Robert Klemme
  - Fixed a memory leak in the show-status CGI handler when
    no filter files are configured. Commit 1b1370f7a8a.
    OVE-20201118-0003.
    Sponsored by: Robert Klemme
  - Fixes a memory leak when client tags are active.
    Commit 245e1cf32. OVE-20201118-0004.
    Sponsored by: Robert Klemme
  - Fixed a memory leak if multiple filters are executed
    and the last one is skipped due to a pcre error.
    Commit 5cfb7bc8fe. OVE-20201118-0005.
  - Prevent an unlikely dereference of a NULL-pointer that
    could result in a crash if accept-intercepted-requests
    was enabled, Privoxy failed to get the request destination
    from the Host header and a memory allocation failed.
    Commit 7530132349. CID 267165. OVE-20201118-0006.
  - Fixed memory leaks in the client-tags CGI handler when
    client tags are configured and memory allocations fail.
    Commit cf5640eb2a. CID 267168. OVE-20201118-0007.
  - Fixed memory leaks in the show-status CGI handler when memory
    allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
    CID 305233. OVE-20201118-0008.

For more details, see the announcement:
https://www.openwall.com/lists/oss-security/2020/11/29/1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9ef54b7d0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:30:46 +01:00
Fabrice Fontaine 9f1d64c225 package/privoxy: bump to version 3.0.28
- Update indentation of hash file (two spaces)
- Add sha256 hash

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit eb0cd9cf12)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:30:41 +01:00
Fabrice Fontaine af78dfd96f package/libplist: drop duplicated COPYING hash
Commit 762119b4c5 resulted in a duplicated
line for COPYING hash so drop it

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 26c2db20d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:29:51 +01:00
Peter Korsgaard a844780187 package/lynx: fix reproducible build issues
Fixes (part of) http://autobuild.buildroot.net/results/23fe4365ca65f37eace8265a70fbfb9723b8ee9d/

Lynx by default contains logic to generate a "configuration info" HTML page,
which leaks build paths, and adds the build timestamp to the version output.
Disable both when building in reproducible mode.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3fb7c63687)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:28:23 +01:00
Peter Korsgaard b11f85d9c4 package/jemalloc: add jemalloc-config to _CONFIG_SCRIPTS handling
Fixes (part of) http://autobuild.buildroot.net/results/23fe4365ca65f37eace8265a70fbfb9723b8ee9d/

jemalloc installs a jemalloc-config script, leaking build paths and breaking
reproducible builds (and per-package builds).

Add it to _CONFIG_SCRIPTS so the paths get fixed up for staging and the
script removed from target.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 288ece60bb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:27:53 +01:00
Peter Korsgaard c4eba7965f package/mariadb: security bump to version 10.3.27
Fixes the following security issues:

- CVE-2020-15180: during SST a joiner sends an sst method name to the donor.
  Donor then appends it to the "wsrep_sst_" string to get the name of the
  sst script to use, e.g.  wsrep_sst_rsync.  There is no validation or
  filtering here, so if the malicious joiner sends, for example, "rsync `rm
  -rf /`" the donor will execute that too.

- CVE-2020-14812: Vulnerability in the MySQL Server product of Oracle MySQL
  (component: Server: Locking).  Supported versions that are affected are
  5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior.  Easily
  exploitable vulnerability allows high privileged attacker with network
  access via multiple protocols to compromise MySQL Server.  Successful
  attacks of this vulnerability can result in unauthorized ability to cause
  a hang or frequently repeatable crash (complete DOS) of MySQL Server.

- CVE-2020-14765: Vulnerability in the MySQL Server product of Oracle MySQL
  (component: Server: FTS).  Supported versions that are affected are 5.6.49
  and prior, 5.7.31 and prior and 8.0.21 and prior.  Easily exploitable
  vulnerability allows low privileged attacker with network access via
  multiple protocols to compromise MySQL Server.  Successful attacks of this
  vulnerability can result in unauthorized ability to cause a hang or
  frequently repeatable crash (complete DOS) of MySQL Server.

- CVE-2020-14776: Vulnerability in the MySQL Server product of Oracle MySQL
  (component: InnoDB).  Supported versions that are affected are 5.7.31 and
  prior and 8.0.21 and prior.  Easily exploitable vulnerability allows high
  privileged attacker with network access via multiple protocols to
  compromise MySQL Server.  Successful attacks of this vulnerability can
  result in unauthorized ability to cause a hang or frequently repeatable
  crash (complete DOS) of MySQL Server.

- CVE-2020-14789: Vulnerability in the MySQL Server product of Oracle MySQL
  (component: Server: FTS).  Supported versions that are affected are 5.7.31
  and prior and 8.0.21 and prior.  Easily exploitable vulnerability allows
  high privileged attacker with network access via multiple protocols to
  compromise MySQL Server.  Successful attacks of this vulnerability can
  result in unauthorized ability to cause a hang or frequently repeatable
  crash (complete DOS) of MySQL Server.

- CVE-2020-28912:
  https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf
  describes a named pipe privilege vulnerability, specifically for MySQL,
  where an unprivileged user, located on the same machine as the server, can
  act as man-in-the-middle between server and client.

Additionally, 10.3.27 fixes a regression added in 10.3.26.

Drop weak md5/sha1 checksums.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 163334a707)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:27:11 +01:00
Fabrice Fontaine 1aeccce6bd package/bustle: fix license
bustle binaries are licensed under GPL-3.0:
https://gitlab.freedesktop.org/bustle/bustle/-/blob/bustle-0.7.5/LICENSE

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f3ca4f1086)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:26:01 +01:00
Fabrice Fontaine 8e070645e8 package/proftpd: security bump to version 1.3.6e
1.3.6e
---------
  + Fixed null pointer deference in mod_sftp when using SCP incorrectly
    (Issue #1043).

1.3.6d
---------
  + Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).

1.3.6c
---------
  + Fixed regression in directory listing latency (Issue #863).
  + Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for
    converting them to supported format.
  + Fixed use-after-free vulnerability during data transfers (Issue #903)
    [CVE-2020-9273]
  + Fixed out-of-bounds read in mod_cap by updating the bundled libcap
    (Issue #902) [CVE-2020-9272]

http://proftpd.org/docs/RELEASE_NOTES-1.3.6e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: mark as security bump, add CVEs]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7ba4aa9298)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 22:24:58 +01:00
Peter Korsgaard c3abbfa5f4 package/slirp: add upstream security fix for CVE-2020-29129 / CVE-2020-29130
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 282fc60ed4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 14:56:14 +01:00
Fabrice Fontaine 9fe1926498 package/qemu: use a system-wide slirp
Use a system-wide slirp now that we switched to the up to date
https://gitlab.freedesktop.org/slirp/libslirp

qemu already depends on libglib2 so we don't need to add any new
dependencies

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7e237b79ad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 14:54:44 +01:00
Peter Korsgaard c40a0a4ef6 package/vsftpd: S70vsftpd: correct -x argument to start-stop-daemon
Fixes #13341

The -x / --exec start-stop-daemon option expects the path to the executable,
not just the name, leading to errors when running the init script:

Starting vsftpd: start-stop-daemon: unable to stat //vsftpd (No such file or directory)

Reported-by: tochansky@tochlab.net
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 405f76425d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 13:59:43 +01:00
Bernd Kuhls d1a789d163 package/minidlna: security bump version to 1.3.0
Changelog:
https://sourceforge.net/p/minidlna/git/ci/master/tree/NEWS

Fixes CVE-2020-28926 & CVE-2020-12695.

Removed patch 0001 which was applied upstream:
https://sourceforge.net/p/minidlna/git/ci/b5e75ff7d160a02632cab416ff0af66504c7db8b/

Removed patch 0002 which was not applied upstream, upstream applied
a different fix for CVE-2020-12695:
https://sourceforge.net/p/minidlna/git/ci/06ee114731612462eb1eb1266f0431ccf59269d2/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 30f6776c79)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 13:59:02 +01:00
Bernd Kuhls ca184d2fda package/php: security bump version to 7.4.13
Rebased patches.

Changelog: https://www.php.net/ChangeLog-7.php#7.4.13

According to the release notes this is a "security bug fix release":
https://news-web.php.net/php.announce/301

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8c38262066)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 13:57:56 +01:00
Peter Korsgaard 693adf96cf {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 9}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6ca12d89f1)
[Peter: drop 5.9.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 13:46:27 +01:00
Heiko Thiery f84c7bcc64 package/openrc: add upstream security fix for CVE-2018-21269
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2d38c5a4e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 13:22:04 +01:00
Peter Korsgaard eed59b9e3d package/xinetd: add upstream security fix for CVE-2013-4342
xinetd does not enforce the user and group configuration directives for
TCPMUX services, which causes these services to be run as root and makes it
easier for remote attackers to gain privileges by leveraging another
vulnerability in a service.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d5abf5ff61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 11:22:21 +01:00
Bartosz Bilas 6e9b814f1b package/python-pip: needs hashlib module
Without hashlib module pip returns the following errors:

# pip
ValueError: unsupported hash type sha224
ERROR:root:code for hash sha256 was not found.
Traceback (most recent call last):
  File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
  File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha256
ERROR:root:code for hash sha384 was not found.
Traceback (most recent call last):
  File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
  File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha384
ERROR:root:code for hash sha512 was not found.
Traceback (most recent call last):
  File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
  File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha512
Traceback (most recent call last):
  File "/usr/bin/pip", line 11, in <module>
    load_entry_point('pip==20.0.2', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/site-packages/pip/_internal/cli/main.py", line 73, in main
  File "/usr/lib/python2.7/site-packages/pip/_internal/commands/__init__.py", line 96, in create_command
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
  File "/usr/lib/python2.7/site-packages/pip/_internal/commands/install.py", line 24, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_internal/cli/req_command.py", line 15, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_internal/index/package_finder.py", line 21, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_internal/index/collector.py", line 12, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/requests/__init__.py", line 43, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/__init__.py", line 7, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connectionpool.py", line 29, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connection.py", line 40, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/__init__.py", line 7, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/ssl_.py", line 8, in <module>
ImportError: cannot import name md5

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d5e3e1144e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 11:19:16 +01:00
Peter Korsgaard f79d1d6211 package/ncurses: mark CVE-2019-1759{4, 5} as fixed by 20191012 patch
According to the NVE data, these are fixes in the 20191012 patch - So mark
them as such.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f7fc4bf1b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 10:59:27 +01:00
Peter Seiderer 16f32fca2f package/wireless-regdb: bump version to 2020.11.20
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f457760f54)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 10:47:23 +01:00
Peter Seiderer 09074290f0 package/wireless-regdb: bump version to 2020.04.29
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c8175568e7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-11 10:47:18 +01:00
Peter Korsgaard c38f411d36 package/libkrb5: security bump to version 1.17.2
Fixes the following security issues:

- CVE-2020-28196: MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before
  1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message
  because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite
  lengths lacks a recursion limit.

Also fix .hash file indentation and update the NOTICE hash for a change of
copyright year.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-09 09:38:38 +01:00
Fabrice Fontaine c845a61b72 package/jpeg-turbo: bump to version 2.0.6
Update hash of README.ijg (URLs updated and Usenet info removed with
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/26e3aedbe569329d8ab005bad5481bcbd1f43ac8)

https://sourceforge.net/projects/libjpeg-turbo/files/2.0.6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 74cce093b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-09 09:26:28 +01:00
Peter Korsgaard 87f762d618 package/raptor: fix CVE-2017-18926
raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF
Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the
XML writer, leading to heap-based buffer overflows (sometimes seen in
raptor_qname_format_as_xml).

For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2020/11/13/1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a683a54cc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-08 10:59:50 +01:00
Peter Korsgaard 1b73859df5 package/xen: security bump to version 4.13.2
Includes XSA-327..XSA-347 security fixes.  For details, see the
announcement:

https://xenproject.org/downloads/xen-project-archives/xen-project-4-13-series/xen-project-4-13-2/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-08 10:36:50 +01:00
Fabrice Fontaine 2f24522299 package/cdrkit: fix static build with libmagic
libmagic is an optional dependency of gensoimage that can raise the
following build failure:

/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: /home/buildroot/autobuild/instance-0/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libmagic.a(compress.o): in function `uncompressbuf':
compress.c:(.text+0x7bc): undefined reference to `lzma_auto_decoder'
/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: compress.c:(.text+0x828): undefined reference to `lzma_code'
/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: compress.c:(.text+0x848): undefined reference to `lzma_end'
collect2: error: ld returned 1 exit status
genisoimage/CMakeFiles/genisoimage.dir/build.make:628: recipe for target 'genisoimage/genisoimage' failed

Fixes:
 - http://autobuild.buildroot.org/results/7e06edc363817c9c9a1687ec89e9984a90a2012d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6ca1b3ee2a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-07 21:51:43 +01:00
Peter Korsgaard c582ac5dfb package/musl: add upstream security fix for CVE-2020-28928
The wcsnrtombs function has been found to have multiple bugs in handling of
destination buffer size when limiting the input character count, which can
lead to infinite loop with no forward progress (no overflow) or writing past
the end of the destination buffer.

For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/11/20/4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 09caefda2a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-07 21:50:22 +01:00
Fabrice Fontaine c8b4783f3d package/monkey: drop wrong comment
Commit 5fea6e2a2f forgot to remove the
generic-package comment

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c4ea32d006)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-07 21:38:14 +01:00
Baruch Siach 1e063bef46 support/dependencies: clarify intended use of host bison/flex
We should not rely on host installed bison/flex for target code. This
ensures better reproducibility of generated code.

http://lists.busybox.net/pipermail/buildroot/2020-November/296786.html

Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b1c049af2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-07 21:36:04 +01:00
Peter Korsgaard a4b3cf5901 package/python-flask-cors: security bump to version 3.0.9
Fixes the following security issue:

- CVE-2020-25032: An issue was discovered in Flask-CORS (aka CORS Middleware
  for Flask) before 3.0.9.  It allows ../ directory traversal to access
  private resources because resource matching does not ensure that pathnames
  are in a canonical format.

Also drop outdated md5 checksum and fix .hash indentation.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c356b20ba8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-06 23:26:19 +01:00
Pierre-Jean Texier 456c78319d DEVELOPERS: update email address for Pierre-Jean Texier
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 248c2e909e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-06 23:23:13 +01:00
Fabrice Fontaine 221b1daf31 package/jpeg-turbo: fix license hash
Commit 105d61c850 forgot to update hash of
LICENSE.md (update in year:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/00607ec260efa4cfe10f9b36d6e3d3590ae92d79)

While at it, also update indentation in hash file (two spaces)

Fixes:
 - http://autobuild.buildroot.org/results/66fb5c0171af73d4c1c93241b285fac8f8f494f7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c9ca2a596e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-06 23:19:51 +01:00
Heiko Stuebner ccc0a9a79b package/jpeg-turbo: security bump to version 2.0.5
Fixes the following security issue:

- CVE-2020-13790: ibjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based
  buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input
  file

For more details, see the release notes:
https://github.com/libjpeg-turbo/libjpeg-turbo/releases/tag/2.0.5

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
[Peter: mark as security bump / extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 105d61c850)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-06 23:19:47 +01:00
Fabrice Fontaine 9d84300d6f package/c-ares: fix install
c-ares 1.17.0 removed install of ares_dns.h which will result in build
failures with libeXosip and resiprocate

Fixes:
 - http://autobuild.buildroot.org/results/51573434303118fd92f32819e038971edee8bc28
 - http://autobuild.buildroot.org/results/cbf158f0c037d44ef293a8804d18c84e3b731059

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b359d0e7e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-06 23:18:19 +01:00
Fabrice Fontaine fa4716cba0 package/c-ares: security bump to version 1.17.0
- avoid read-heap-buffer-overflow in ares_parse_soa_reply found during
  fuzzing
- Avoid theoretical buffer overflow in RC4 loop comparison
- Empty hquery->name could lead to invalid memory access
- ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was
  passed in

https://c-ares.haxx.se/changelog.html#1_17_0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c7a369a907)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-06 23:18:13 +01:00
Michael Nosthoff c61e99f65d package/libgpiod: bump version to 1.4.5
* add a comment about the kernel header dependencies when bumping
versions
* set url to kernel.org as github is unmaintained and outdated
* use two spaces in hash-file

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ff30bab611)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-20 18:14:58 +01:00
Peter Korsgaard a4832641bc Update for 2020.02.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 00:04:03 +01:00
Garret Kelly 422f0599e5 boot/uboot: fix custom repo error message
When using a custom git or mercurial repository for u-boot the error message
indicating a version had not been provided incorrectly stated that the URL was
missing. Update the error message to indicate that it's the version that's
missing.

Signed-off-by: Garret Kelly <garret.kelly@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1271867831)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 22:30:44 +01:00
Bernd Kuhls 50a984d07a package/dovecot-pigeonhole: fix build with per-package directories
Fix wrong path in usr/lib/dovecot-config which was copied from the
dovecot staging dir.

Fixes:
http://autobuild.buildroot.net/results/5fb/5fb1cd57bc3fdf4f75019c7b25d65ef887eea539/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0901355c11)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 22:28:52 +01:00
Baruch Siach c8685aafe6 package/openntpd: needs host-bison
Build fails when no yacc alternative is installed.

Fixes:
http://autobuild.buildroot.net/results/1ba8e339cbb5646663d0bf4e158d89e54433b242/
http://autobuild.buildroot.net/results/a00a53d6635c64e72c50d4841658155de5380110/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b8de3cb374)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 22:25:14 +01:00
Fabrice Fontaine d60adedde5 package/xorriso: fix host option
--disable-bzip2 is not a recognized option so replace it by
--disable-libbz2 to match the target logic.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 41236c61b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 22:24:05 +01:00
Thomas Petazzoni e59655a591 DEVELOPERS: drop Trent Piepho
We change Trent's e-mail address in commit
1c20802d4b, but it turns out the new one
also doesn't work:

<trent.piepho@synapse.com>: host
    synapse-com.mail.protection.outlook.com[104.47.57.138] said: 550 5.4.1
    Recipient address rejected: Access denied. AS(201806281)
    [DM6NAM11FT063.eop-nam11.prod.protection.outlook.com] (in reply to RCPT TO
    command)

So let's drop Trent entirely, which orphans the libp11 package.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4ceae1b2ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 22:23:30 +01:00
Fabrice Fontaine 25a0727fa1 package/postgresql: security bump to version 12.5
Fix the following CVEs:
- CVE-2020-25695: Multiple features escape "security restricted
  operation" sandbox
- CVE-2020-25694: Reconnection can downgrade connection security
  settings
- CVE-2020-25696: psql's \gset allows overwriting specially treated
  variables

https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8e68f00b91)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 22:23:03 +01:00
Peter Korsgaard bd21b79f1f package/redis: security bump to version 5.0.10
This release fixes a potential heap overflow when using a heap allocator
other than jemalloc or glibc's malloc. See:
https://github.com/redis/redis/pull/7963

https://raw.githubusercontent.com/redis/redis/5.0/00-RELEASENOTES

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 22:17:03 +01:00
Bartosz Bilas 7175373205 package/rauc: disable systemd for host build
Since there is not necessary to have support of systemd within the host
variant let's disable it unconditionally to solve the following errors:

/usr/bin/install -c -m 644 data/rauc.service '/usr/lib/systemd/system'
/usr/bin/install: cannot create regular file '/usr/lib/systemd/system/rauc.service': Permission denied
/usr/bin/install -c -m 644 data/de.pengutronix.rauc.conf 'no'
make[4]: *** [Makefile:1700: install-nodist_systemdunitDATA] Error 1
make[4]: *** Waiting for unfinished jobs....

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit abeebe1ea8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 16:06:00 +01:00
Thomas Petazzoni 5c0d2b5cd3 toolchain/toolchain-external/toolchain-external-arm-arm: add dependency on NEON
While testing Buildroot on a Cortex-A5 that doesn't provide NEON, we
found out that a system generated with the ARM toolchain from Arm
didn't boot. It turns out that this ARM toolchain is built with:

  --with-arch=armv7-a --with-fpu=neon --with-float=hard --with-mode=thumb

So, it uses NEON as its FPU, which means it can only work on CPU cores
that have NEON support. This commit adds the appropriate dependency to
the toolchain-external-arm-arm package, and adjusts the Config.in help
text accordingly.

While at it, it also drops the part of the Config.in help text that
says the code is tuned for Cortex-A9, as it is not the case: it was
the case for the Linaro toolchain (built with --with-tune=cortex-a9),
but not for the ARM toolchain, for which no specific --with-tune is
passed.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8477c41244)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 16:05:34 +01:00
Fabrice Fontaine 20d3a17f64 package/tcpdump: fix CVE-2020-8037
The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a
large amount of memory.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e3a663f570)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 15:51:00 +01:00
Julien Olivain 64aa92911a package/linux-backports: fix kernel version check
The commit 05fea6e4a6 "infra/pkg-kconfig:
do not rely on package's .config as a timestamp" broke the kernel
version check of this linux-backports package (it was no longer
executed). Since linux-4.19, the kernel's build system internally
touches its .config file, so it can no longer be used as a stamp file.
The stamp file defined in KCONFIG_STAMP_DOTCONFIG variable of
pkg-kconfig infra need to be used instead.

This commit fixes the kernel version check.

Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 464bb73b92)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 15:48:37 +01:00
Bartosz Bilas 8c822798a5 package/rauc: prevent occurring the error when directory exists
Add -p argument that ignore that specified directory already exists.

Fixes:
 mkdir: cannot create directory ‘/home/bartekk/buildroot-2020.11-rc1/output/target/usr/lib/systemd/system/rauc.service.d’: File exists

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fefdd0511e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 15:45:27 +01:00
Peter Korsgaard 31fdf8528b package/wireguard-linux-compat: bump version to 1.0.20201112
Fixes a build issue with linux 5.4.76+.  For details, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-November/005997.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 041cde5c26)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 15:21:42 +01:00
Peter Korsgaard 68b7d6f6e1 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 9}.x series
Including the fix for CVE-2020-8694:
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0b817d8c8e)
[Peter: drop 5.9.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 15:05:10 +01:00
Peter Korsgaard ee8be68ab2 package/tor: security bump to version 0.4.3.7
Fixes the following security issue:

- TROVE-2020-005: When completing a channel, relays now check more
  thoroughly to make sure that it matches any pending circuits before
  attaching those circuits.  Previously, address correctness and Ed25519
  identities were not checked in this case, but only when extending circuits
  on an existing channel

For more details, see the release notes:
https://blog.torproject.org/node/1952

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 13:25:21 +01:00
Bernd Kuhls 3a8951dae1 package/tor: bump version to 0.4.3.6
Release notes for 0.4.3.5: https://blog.torproject.org/node/1872
"Tor 0.4.3.5 is the first stable release in the 0.4.3.x series."

Release notes for 0.4.3.6: https://blog.torproject.org/node/1900

The fix for CVE-2020-15572 "Fix a crash due to an out-of-bound memory
access when Tor is compiled with NSS support" does not affect buildroot
because we do not support building tor with libnss.

Rebased patch 0001.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ad9125d7a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 13:20:21 +01:00
Julien Olivain b062bb1619 package/linux-backports: use flex and bison to generate kconfig parser
Upstream backports package does not define the LEX/YACC Makefile
variables, contrary to the Kernel which is defining those in [1]. The
default "lex" and "yacc" are then used. On some systems, "yacc" is
Berkeley Yacc. Kconfig parser files are using non-Posix Bison
constructs.

Attempting to generate the parser with byacc fails with error:

    yacc: e - line 97 of "zconf.y", syntax error
    %destructor {
    ^

This patch defines the LEX and YACC Makefile variable to use flex and
bison, to fix this issue. The host-bison and host-flex dependencies are
added only if the host does not have them, following the same logic of
the Kernel.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73a4f6dbe70a1b93c11e2d1d6ca68f3522daf434

Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ec493ea489)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-15 16:08:27 +01:00
Peter Korsgaard 4eace1bdff package/asterisk: security bump to version 16.14.1
Fixes the following security issues:

- AST-2020-001: Remote crash in res_pjsip_session
  Upon receiving a new SIP Invite, Asterisk did not return the created
  dialog locked or referenced.

- AST-2020-002: Outbound INVITE loop on challenge with different nonce
  If Asterisk is challenged on an outbound INVITE and the nonce is changed
  in each response, Asterisk will continually send INVITEs in a loop.  This
  causes Asterisk to consume more and more memory since the transaction will
  never terminate (even if the call is hung up), ultimately leading to a
  restart or shutdown of Asterisk.  Outbound authentication must be
  configured on the endpoint for this to occur.

For details, see the announcement:
https://www.asterisk.org/asterisk-news/asterisk-13-37-1-16-14-1-17-8-1-18-0-1-and-16-8-cert5-now-available-security/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 339d3e82e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-15 14:22:36 +01:00
Bernd Kuhls 8524d035ac package/asterisk: bump version to 16.13.0
Release notes:
https://www.asterisk.org/asterisk-news/asterisk-16-13-0-now-available/
https://www.asterisk.org/asterisk-news/asterisk-16120-now-available/
https://www.asterisk.org/asterisk-news/asterisk-16110-now-available/

Updated license hash due to upstream commit:
https://github.com/asterisk/asterisk/commit/9e7fc210868c200138f41db9dbb2400aad62deec

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 14c29ea9d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-15 14:22:29 +01:00
Fabrice Fontaine c86092c8bf package/fbset: add license file
Use fbset.c as the license file and, while at it, also update
indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1379ef161b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:12:20 +01:00
Fabrice Fontaine b38cc29ec1 package/bandwidthd: add license file
Use README as the license file until upstream provides one:
https://github.com/nroach44/bandwidthd/issues/2

While at it, also update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ffc3d6c240)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:11:53 +01:00
Fabrice Fontaine 77c523b62d package/argp-standalone: add license file
Use argp.h as the license file and, while at it, update indentation in
hash file

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ad0e1d609b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:11:01 +01:00
Peter Korsgaard 3183bff9ee package/tmux: add upstream security fix for CVE-2020-27347
Fixes CVE-2020-27347: The function input_csi_dispatch_sgr_colon() in file
input.c contained a stack-based buffer-overflow that can be exploited by
terminal output.

For details, see:
https://www.openwall.com/lists/oss-security/2020/11/05/3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7e0f81a9f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 14:09:53 +01:00
Romain Naour dd8bada803 support/testing/test_hardening: add missing Kconfig symbol
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y is needed to use the
custom external toolchain x86-i686--glibc--bleeding-edge-2018.11-1.tar.bz2

Otherwise the symbol BR2_TOOLCHAIN_EXTERNAL_URL is lost.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981738
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981739
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981740
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981741
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981742
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981743

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7b9762f4ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 12:23:06 +01:00
Fabrice Fontaine 2f55d265a9 package/xen: add slirp dependency for tools
Build of xen tools fails if slirp is built before xen because xen is not
compatible with spice slirp which does not provide libslirp.h:

/home/buildroot/autobuild/instance-2/output-1/build/xen-4.13.0/tools/qemu-xen/net/slirp.c:40:10: fatal error: libslirp.h: No such file or directory
 #include <libslirp.h>
          ^~~~~~~~~~~~

Indeed, xen prefers a system-provided slirp over its internal one

So add slirp as a mandatory dependency (now that we switched to the up
to date https://gitlab.freedesktop.org/slirp/libslirp)

This build failure is raised since, at least, version 4.13.0

Fixes:
 - http://autobuild.buildroot.org/results/b80b33ed558518f7bbb0a3c8586bf2d0b8acc36f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a0a5c184ef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 10:59:00 +01:00
Fabrice Fontaine 66abb77157 package/slirp: add libglib2 mandatory dependency
slirp depends on libglib2, don't update xen as it already depends on it

Fixes:
 - http://autobuild.buildroot.org/results/0b9cff1bc650876a6fff6102b2cb31dcdf4c5e8f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 88a62fac1f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 10:58:49 +01:00
Fabrice Fontaine 062f732520 package/slirp: switch official tarball
Other "official" tarballs don't ship .tarball-version resulting in a build
failure: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/24

Fixes:
 - http://autobuild.buildroot.org/results/0b9cff1bc650876a6fff6102b2cb31dcdf4c5e8f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 47ffaa992c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 10:58:41 +01:00
Fabrice Fontaine c335124eac package/slirp: security bump to version 4.3.1
- Use an up to date fork (spice slirp is archived and has not been
  updated since 2012)
- Add COPYRIGHT as the license file
- BSD-4-Clause has been replaced by BSD-3-Clause since
  https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
  https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
- Add hash file
- Switch to meson-package
- Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
  CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 97fcae8ddf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 10:58:33 +01:00
Angelo Compagnucci 124239f9aa linux: bump CIP RT kernel to version 4.19.152-cip37-rt16
This patch bumps Linux CIP RT to version 4.19.152-cip37-rt16

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0e4d645cf2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 09:03:48 +01:00
Angelo Compagnucci b819e86c22 linux: bump CIP kernel to version 4.19.152-cip37
This patch bumps Linux CIP to version 4.19.152-cip37

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 18729f8d64)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 09:03:15 +01:00
Peter Korsgaard fa5ac3e452 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 8, 9}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 493b1d7b25)
[Peter: drop 5.8.x/5.9.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-14 09:02:07 +01:00
Fabrice Fontaine 7b6ba121c8 package/bitcoin: set BITCOIN_GENBUILD_NO_GIT
Set BITCOIN_GENBUILD_NO_GIT to not include (Buildroot) git version info in
build, which is available since version 0.15.0 and
https://github.com/bitcoin/bitcoin/commit/e98e3dde6a976a2c8f266ee963d6931fd4b37262

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 82d6abda1a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 23:44:16 +01:00
Fabrice Fontaine 396ce56ac3 package/bitcoin: security bump to version 0.20.1
- openssl is not a dependency since version 0.20.0 and
  https://github.com/bitcoin/bitcoin/commit/8983ee3e6dd8ab658bd2caf97c326cc53ea50818
- boost chrono is not needed since version 0.20.0 and
  https://github.com/bitcoin/bitcoin/commit/bd37f2bc26158f85ef1ab73b9ca1fc0da8ea562a
- Update hash of COPYING (update in year:
  https://github.com/bitcoin/bitcoin/commit/8dc9aa90c3c7990dd5b491937ddc0e39bc929d1c)
- Update indentation in hash file (two spaces)
- Tag as a security bump as having an up to date bitcoin is important:
  https://patchwork.ozlabs.org/project/buildroot/patch/20200202085526.35742-1-james.hilliard1@gmail.com

https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.20.1.md
https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.20.0.md
https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-0.19.1.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b62e8beea8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 23:44:11 +01:00
Fabrice Fontaine 6e29a7c4f8 package/libiqrf: add license file
Add license file and, while at it, update indentation to two spaces

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 062e5d8a65)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 23:42:41 +01:00
Antoine Tenart 957773cec3 DEVELOPERS: remove myself for wf111
I haven't looked at that package and touched it for 6 years now, and
clearly others have taken care of it when looking at the Git history.

Signed-off-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 19932c8e02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 23:38:26 +01:00
Antoine Tenart fc384b8f44 DEVELOPERS: update Antoine Tenart's email address
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e6b3803c84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 23:37:00 +01:00
Romain Naour 31c336fb8e support/testing: TestInitSystemSystemdRwIfupdown test expect a RW rootfs
When running the TestInitSystemSystemdRwIfupdown test, the rootfs must
be in read-write mode. The commit log [1] introducing systemd tests say
so:

"basic systemd, read-write, network w/ ifupdown"

With systemd 246.5, the service systemd-update-done return an error code
when it can't write on the filesystem (/etc)

[1] 117835d5fc
[2] https://github.com/systemd/systemd/commit/8019995e9af9c6d7b5985198cedccd24eda3e26e

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981813

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 14ed65e3a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 23:36:07 +01:00
Angelo Compagnucci 3cca053d1b linux: fix linux CIP description typo
Version is 4.19 and not 4.4.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 642f821ce5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 23:34:25 +01:00
Fabrice Fontaine c8af5345bf package/bitcoin: drop boost program-options
boost program-options is not needed since version 0.17.0 and
https://github.com/bitcoin/bitcoin/commit/f447a0a7079619f0d650084df192781cca9fd826

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2185877a80)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 22:45:36 +01:00
Fabrice Fontaine 9469abe42d package/fbtft: add license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 19275a1a56)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 22:11:03 +01:00
Bernd Kuhls 177215e289 package/libexif: add security fix for CVE-2020-0452
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 70a036fb30)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 19:08:04 +01:00
Bernd Kuhls 4f675137ca package/libexif: add security fix for CVE-2020-0198
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0606633608)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-13 19:07:59 +01:00
Fabrice Fontaine 371df00b28 package/davfs2: fix indent
Fix the following check-package warning added by commit
a2b98a6add:

package/davfs2/davfs2.mk:22: expected indent with tabs

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 62bb541d99)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 11:01:05 +01:00
Sven Klomp cb56a4169e package/davfs2: add davfs2 user and group
mount.davfs expects the availability of the user and group davfs2.

Signed-off-by: Sven Klomp <mail@klomp.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a2b98a6add)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:52:20 +01:00
Fabrice Fontaine fd430ccd80 package/lzlib: add license file
Add lzlib.c as the license file and, while at it, update indentation to
two spaces

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit afdaeab729)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:51:08 +01:00
Fabrice Fontaine 76bc74ddae package/darkhttpd: add license file
Add license file and, while at it, update indentation to two spaces

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1906912a04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:50:32 +01:00
Bernd Kuhls dc54edd57a package/freetype: security bump version to 2.10.4
Fixes CVE-2020-15999, https://www.freetype.org/index.html#news

"This is an emergency release, fixing a severe vulnerability in embedded
 PNG bitmap handling [...].

 All users should update immediately."

Removed md5 hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1ffe654c6d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:44:48 +01:00
Bernd Kuhls 6a36c7f1a5 package/freetype: bump version to 2.10.2
Release notes:
https://sourceforge.net/projects/freetype/files/freetype2/2.10.2/

Reformatted hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d32fc1f9c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:44:17 +01:00
Bernd Kuhls 3fba9ffaa5 package/ghostscript: fix build with freetype >= 2.10.3
This patch is needed to fix the build with freetype >= 2.10.3.

https://www.freetype.org/index.html#news
"A warning for distribution maintainers: Version 2.10.3 and later may
 break the build of ghostscript, due to ghostscript's use of a with-
 drawn macro that wasn't intended for external usage."

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5177f726a0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:43:36 +01:00
Bernd Kuhls 9bb3817d33 package/jsoncpp: security bump version to 1.9.4
Release notes of this "Security and build system fixes" release:
https://github.com/open-source-parsers/jsoncpp/releases/tag/1.9.4

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b2019a5183)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:37:44 +01:00
Bernd Kuhls 1383a8c6b1 package/jsoncpp: bump version to 1.9.3
Removed patch which was committed upstream.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bab0d6ef43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:37:40 +01:00
Fabrice Fontaine d4330f5dc6 package/oniguruma: security bump to version 6.9.6
Drop patch (already in version)

Fixed many problems found by OSS-Fuzz
Fixed many problems found by Coverity

https://github.com/kkos/oniguruma/releases/tag/v6.9.6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 969fe10855)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:32:53 +01:00
Fabrice Fontaine 72a2393712 package/oniguruma: bump to version 6.9.5
Update hash of COPYING (update in year):
https://github.com/kkos/oniguruma/commit/1952e8970a7449d5ca42a7f3bd9ce26ec6e32f43

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab8964ae77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:32:44 +01:00
Fabrice Fontaine 83a9d9eb29 package/gstreamer1/gst1-plugins-bad: fix typo
dvdsub{enc,overlay} -> dvbsub{enc,overlay}

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8d6c60656e)
[Peter: drop dvbsubenc, only added in 1.18.0]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:29:54 +01:00
Fabrice Fontaine 65864c4cf4 package/opencv3: fix OPENCV3_CLEAN_INSTALL_{DOC, CMAKE}
opencv3 does not install anything in $(TARGET_DIR)/usr/share/OpenCV/doc
so drop OPENCV3_CLEAN_INSTALL_DOC

However it installs its licence files in
$(TARGET_DIR)/usr/share/licenses/opencv3 so add
OPENCV3_CLEAN_INSTALL_LICENSE

Moreover, the cmake hook does not catch all cmake files and missed the
valgrind files so update OPENCV3_CLEAN_INSTALL_CMAKE and add
OPENCV3_CLEAN_INSTALL_VALGRIND to delete those files:
OpenCVConfig.cmake  OpenCVConfig-version.cmake  OpenCVModules.cmake  OpenCVModules-release.cmake  valgrind_3rdparty.supp  valgrind.supp

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 436f4804b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-09 10:20:00 +01:00
Vadym Kochan 2ef3e19b7b Revert "keepalived: needs headers >= 3.4"
This reverts commit d01b0bbad0.

Original commit  made restriction for Linux headers < 3.4 which was
related to keepalived version 1.3.5, but it compiles fine now at least
with a toolchain based on 3.2 headers and keepalived 2.0.15 together
with ipset enabled.

Probably it was fixed by this commit:

    https://github.com/acassen/keepalived/commit/5a7f895bb795269f79e6353c6269dfbc0b782281

Signed-off-by: Vadym Kochan <vadym.kochan@plvision.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c69a88190a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-08 19:24:08 +01:00
Yann E. MORIN 60b751a126 package/busybox: update licensing info
Busybox is mainly licensed under the GPL-2.0, but the bzip2 part is a
modified copy of the bzip2/libbzip2 project, which comes with its own
license.

Update the licensing information accordingly.

Add the hash for the new license file, and fixup indentation (2 spaces).

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca76d0336d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-08 19:14:23 +01:00
Arnout Vandecappelle (Essensium/Mind) 51a2114b60 systemd: clear telinit path
Since we don't enable sysv any support, it makes no sense to set the
path to telinit either.

The path we were setting was anyway wrong: we set a path into
TARGET_DIR, but this path is only used at runtime, on the target, where
TARGET_DIR doesn't exist (it should have been /usr/sbin/telinit).

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 8bc9350963)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-08 18:50:09 +01:00
Norbert Lange d8636f93e7 package/systemd: add missing path options
If paths are not set, then meson will search the host system for the
binaries (or the target, where those binaries are not yet installed).
So add the missing paths.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit acb62b3336)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-08 18:49:45 +01:00
Alexey Brodkin f3b39430ab package/gcc: Fix libs building on ARC700 with atomics
As we many times by now discussed that - some ARC cores might
not have atomic instructions implemented. Namely that's ARC700
w/o explicitly added atomics during design creation/configuration.

Because of that when GCC gets configured for ARC700, i.e. via
"--with-cpu=arc700" atomic ops are assumed disabled.

Usually it's not a problem as we add "-matomics" in the wraper for
building all packages if targets CPU has atomis (BR2_ARC_ATOMIC_EXT).

But when bulding target's binaries which are essential parts of
the GCC itself we don't use the wrapper. Instead xgcc is being used.
That way we lose that important part of system's configuration about
atomics and:
 1. Atomic ops won't be used where otherwise they could have been used.
 2. Some configuration checks might end-up thinking there're no atomics

In particular (2) leads to pretty obscure failure on bulding of some
packages which use C++, for example:

log4cplus: http://autobuild.buildroot.net/results/a7732fdb2ba526a114d9fb759814236c5332f8d7
------------------------>8--------------------
./.libs/liblog4cplus.so: undefined reference to `std::__atomic_futex_unsigned_base::_M_futex_notify_all(unsigned int*)'
collect2: error: ld returned 1 exit status
------------------------>8--------------------

bitcoin: http://autobuild.buildroot.net/results/f73/f73d4c77e5fd6223abdbc83e344addcfc93227b8
------------------------>8--------------------
(.text+0x110c): undefined reference to `std::__atomic_futex_unsigned_base::_M_futex_wait_until(unsigned int*, unsigned int, bool, std::chrono::duration<long long, std::ratio<1ll, 1ll> >, std::chrono::duration<long long, std::ratio<1ll, 1000000000ll> >)'
collect2: error: ld returned 1 exit status
------------------------>8--------------------

apcupsd: http://autobuild.buildroot.net/results/7a2/7a2cc7a4ac2237c185817f75e55e05d144efd100
------------------------>8--------------------
/tmp/instance-0/output-1/host/lib/gcc/arc-buildroot-linux-uclibc/9.3.1/../../../../arc-buildroot-linux-uclibc/bin/ld: eh_throw.cc:(.text._ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+0x24): undefined reference to `__gnu_cxx::__exchange_and_add(int volatile*, int)'
collect2: error: ld returned 1 exit status
------------------------>8--------------------

...and many more.

Interesting enough that was not seen earlier because "-matomic"
used to be added in TARGET_{C|CXX}FLAGS via TARGET_ABI,
but later "-matomic" was moved to ARCH_TOOLCHAIN_WRAPPER_OPTS, see
https://git.buildroot.org/buildroot/commit/?id=c568b4f37fa6d7f51e6d14d33d7eb75dfe26d7bf
and since then we started to see that new breakage which we now
attempt to fix right where it hapens on GCC configuration.

In contrast ARC HS family has atomic ops enabled by default thus
we never spotted that kind of problem for it.

More datails with analysis of what really happens under the hodd and
how do error messages above are related to libs of GCC configuration could
be found here: http://lists.busybox.net/pipermail/buildroot/2020-October/293614.html

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Romain Naour <romain.naour@gmail.com>
[Peter: simplify conditional]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d2ae7eb2a2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-07 19:53:37 +01:00
Fabrice Fontaine f744fc3a01 package/zeromq: add libbsd optional dependency
libbsd is an optional dependency which is enabled by default since
version 4.3.3 and
https://github.com/zeromq/libzmq/commit/068385c951c0608edec6264d55ba9c4c923acccc

Fixes:
 - http://autobuild.buildroot.org/results/51220b1b82774e8f6f6ed8593c58d2e3c31a1531

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 25b5dc747a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-07 18:45:19 +01:00
Fabrice Fontaine 57aabd3ca1 package/libass: security bump to version 0.15
- harfbuzz is mandatory since
  https://github.com/libass/libass/commit/f3e2c97e1818598afb0b1c7010003ffe4823ff21
- Fix CVE-2020-26682 (In libass 0.14.0, the `ass_outline_construct`'s
  call to `outline_stroke` causes a signed integer overflow.) through
  https://github.com/libass/libass/commit/676f9dc5b52ef406c5527bdadbcb947f11392929
  which does not apply cleanly over version 0.14.
  It should be noted that version 0.15 also fixes other integer
  overflows (which have no CVE assigned)
- Update indentation in hash file (two spaces)

https://github.com/libass/libass/releases/tag/0.15.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4ae8ecea8f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-07 18:41:06 +01:00
Gwenhael Goavec-Merou de8089fbf4 package/gnuradio: backport patch to fix INTERFACE_INCLUDE_DIRECTORIES
gnuradio-runtimeTargets.cmake and gnuradio-pmtTargets.cmake are filled
using CMAKE_INSTALL_PREFIX for INSTALL_INTERFACE.

Since CMAKE_INSTALL_PREFIX, in buildroot, is set to /usr, these files contains
path to host system.

With BR2_COMPILER_PARANOID_UNSAFE_PATH package using gnuradio fails with:
arm-linux-gnueabihf-g++: ERROR: unsafe header/library path used in cross-compilation: '-isystem' '/usr/include'

By simply providing 'include', produced .cmake contains:
INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
instead of
INTERFACE_INCLUDE_DIRECTORIES "/usr/include"

[Upstream status: https://github.com/gnuradio/gnuradio/pull/3737]

Fix (many) gr-osmosdr build failure:
- http://autobuild.buildroot.net/results/66b76c07f15bb3e6db697c47796ae3dd15ecf4b9/

Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5209123494)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a81b187c16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 17:58:51 +01:00
Fabrice Fontaine ed28e24083 package/wireshark: add zstd optional dependency
zstd is available since version 3.1.1 and is enabled by default:
https://github.com/wireshark/wireshark/commit/ad94c4d459d243c0cbbb9b222d5f7cdf8189ab86

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 105004f72a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 11:16:47 +01:00
Fabrice Fontaine 913ff39ca4 package/wireshark: security bump to version 3.2.8
- Fix CVE-2020-26575: In Wireshark through 3.2.7, the Facebook Zero
  Protocol (aka FBZERO) dissector could enter an infinite loop. This was
  addressed in epan/dissectors/packet-fbzero.c by correcting the
  implementation of offset advancement.
  https://www.wireshark.org/security/wnpa-sec-2020-14.html
- Fix GQUIC dissector crash:
  https://www.wireshark.org/security/wnpa-sec-2020-15.html

https://www.wireshark.org/docs/relnotes/wireshark-3.2.8.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7da2b1ebf9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 11:12:44 +01:00
Gary Bisson c1ca8b6b51 package/qt5/qt5base: fix imx6 eglfs support with imx-gpu-viv
Last commit fixed eglfs_kms support for i.MX8 platforms that required to
declare imx-gpu-viv as the gbm provider.
However, this broke the eglfs "fbdev" imx6 support as gbm isn't provided
in this case. So limit the gbm option to imx-gpu-viv when wayland
backend is used only.

Fixes: 82fb51d3b5 ("package/qt5/qt5base: allow to use imx-gpu-viv as GBM
provider")

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 25f2191ed2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 11:09:58 +01:00
Fabrice Fontaine cb0cac5081 package/libraw: needs autoreconf
configure is older than configure.ac in official libraw 0.20.2 tarball:
https://github.com/LibRaw/LibRaw/issues/353

Fixes:
 - http://autobuild.buildroot.org/results/abef2ac14a959093a6391cad28e738558e15ceec

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 082d0fea3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 11:04:18 +01:00
Fabrice Fontaine 66197f9760 package/fastd: libcap is optional not mandatory
libcap is an optional dependency which is available since version 7:
https://github.com/NeoRaider/fastd/commit/eaac49427339a365aac2d3505f567572cfbdbb96

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 25ab2d8b11)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 10:39:38 +01:00
Michael Nosthoff dbf5097d51 package/grpc: fix build on ubuntu gcc 4.8
gcc 4.8 on ubuntu 14.04 does some broken optimization at link-time
which causes grpc to create a grpc_cpp_plugin which quits because
of a failing assertion. The created plugin is itself used during
compilation which lets the build fail.
With the added -Wl,--no-as-needed flag the LTO is disabled and grpc
compiles successfully.

fixes:
- http://autobuild.buildroot.net/results/b554f6f2fb66892273f7520ad6e36923557b229e
- http://autobuild.buildroot.net/results/3ebb2880b9b3fd5154979016391dde897e2c039c
- http://autobuild.buildroot.net/results/c2078e821e0728fe980be2c849c25d82e791a4c2

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
[yann.morin.1998@free.fr: rewrap the comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 19dfe7f6e7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 10:27:16 +01:00
Fabrice Fontaine 7d275737cf package/fastd: fix CVE-2020-27638
receive.c in fastd before v21 allows denial of service (assertion
failure) when receiving packets with an invalid type code.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7e4af3ce3f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 08:46:49 +01:00
Bernd Kuhls 4b576cf66f package/samba4: security bump version to 4.11.15
Fixes
o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
o CVE-2020-14323: Unprivileged user can crash winbind.
o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
                  crafted records.

Release notes:
https://www.samba.org/samba/history/samba-4.11.14.html (bugfix-only)
https://www.samba.org/samba/history/samba-4.11.15.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3adbb6d296)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-03 08:42:41 +01:00
Bernd Kuhls 85edcc54c7 package/php: security bump version to 7.4.12
Changelog: https://www.php.net/ChangeLog-7.php#7.4.12

According to the release notes this is a "security bug fix release":
https://news-web.php.net/php.announce/300

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 69beb4dd98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-02 23:10:15 +01:00
Fabrice Fontaine f8ad439d53 package/libpam-tacplus: fix CVE-2020-27743
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of
RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a
non-random/predictable session_id.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 70499767e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-02 22:55:30 +01:00
Fabrice Fontaine 374235351b package/libpam-tacplus: fix build when time_t is 64 bits
Fixes:
 - http://autobuild.buildroot.org/results/874433d8cb30d21332f23024081a8b6d7b3254ae

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bcc02f5fe5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-02 22:55:00 +01:00
Fabrice Fontaine d0637d7592 package/libpam-tacplus: fix build on musl
Retrieve two upstream patches to fix build on musl

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cca807a3a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-02 22:54:49 +01:00
Doug Kehn 48052b57f6 DEVELOPERS: update email address
Signed-off-by: Doug Kehn <rdkehn@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b6c1441636)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-02 22:17:08 +01:00
Thomas Petazzoni 5cecde822f DEVELOPERS: replace Trent Piepho's e-mail address
Trent's e-mail address is no longer working:

<tpiepho@impinj.com>: host us-smtp-inbound-2.mimecast.com[205.139.110.221]
    said: 550 Invalid Recipient -
    https://community.mimecast.com/docs/DOC-1369#550
    [7R954rMIM8GCM0FMERvPAg.us536] (in reply to RCPT TO command)

Use another e-mail that Trent has recently used on the mailing list.

Cc: Trent Piepho <trent.piepho@synapse.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1c20802d4b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-30 09:48:41 +01:00
Thomas Petazzoni 44e5489a31 DEVELOPERS: change Julien Olivain's e-mail address
Julien's e-mail @cotds.org is no longer working:

<juju@cotds.org>: host mail.cotds.org[194.117.244.136] said: 451 4.3.5 Server
    configuration problem (in reply to RCPT TO command)

Use his @free.fr e-mail address instead.

Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: adjust email address after Julien's review]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1194b5c81a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-30 09:45:37 +01:00
Thomas Petazzoni dba08b1b95 DEVELOPERS: drop Mamatha Inamdar
His/her e-mail address is bouncing:

VMSDVM9.POK.IBM.COM unable to deliver following mail to recipient(s):
    <mamatha4@linux.ibm.com>
VMSDVM9.POK.IBM.COM received negative reply:
550 5.1.1 <mamatha4@linux.ibm.com>: Recipient address rejected: User unknown in local recipient table

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 656c34dc87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-30 09:44:08 +01:00
Ryan Coe e72ea47e4c DEVELOPERS: remove Ryan Coe
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bbbbe9661f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-30 09:42:25 +01:00
Matt Weber b01baed229 package/gcc: disable fortran use of libquadmath
The GCC package has a default conf option of disabling libquadmath and
the toolchain dependencies selectively enabled it if i386 / x64.

Fixes:
https://gitlab.com/bootlin/toolchains-builder/-/jobs/729359622

This patch fixes a build failure when (GCC + glibc) is being built for
the IBM Power8 arch and has libgfortran enabled + libquadmath disabled.
The libgfortran has a code condition for __float128 and includes the
quadmath headers. The bug occurs because Power8 has emulated
float128 support. The fix per GCC options is to also set
--disable-libquadmath-support which disables the
__float128/libquadmath support in gcc/fortran and in libgfortran [1].

Another option to fix the build failure was to enable libquadmath for
IBM Power8 (ISA 2.07), however this would be soft float based as the
ISA 3.0+ (Power9) first supports native float128 [2][3].

[1] https://fortran.gcc.gnu.narkive.com/8uSfoKUS/patch-build-pr-46540-add-disable-libquadmath-disable-libquadmath-support
[2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66382#c7
[3] https://gcc.gnu.org/onlinedocs/gcc/RS_002f6000-and-PowerPC-Options.html

Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a07fc4b03b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-30 09:36:06 +01:00
Peter Korsgaard 957ff8fa25 package/cryptsetup: backport upstream security fixes
Fixes CVE-2020-14382: A vulnerability was found in upstream release
cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code, that
is effectively invoked on every device/image presenting itself as LUKS2
container.  The bug is in segments validation code in file
'lib/luks2/luks2_json_metadata.c' in function hdr_validate_segments(struct
crypt_device *cd, json_object *hdr_jobj) where the code does not check for
possible overflow on memory allocation used for intervals array (see
statement "intervals = malloc(first_backup * sizeof(*intervals));").  Due to
the bug, library can be *tricked* to expect such allocation was successful
but for far less memory then originally expected.  Later it may read data
FROM image crafted by an attacker and actually write such data BEYOND
allocated memory.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-30 09:32:00 +01:00
Michael Nosthoff bdaa66edcb package/nginx: use /run instead of /var/run
This is a follow-up to 4027ba29f4 ("package/nginx: use /run for
PIDFile"), in which we missed that nginx is still built with /var/run
paths.

This commit changes the compile options to use /run instead of
/var/run for pid and lock file to make it consistent.

Further dropping the passing of the pid option in the service file as
this isn't neccessary. Neither debian nor nginx default .service does
it.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d200ceffb2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 23:01:34 +01:00
Adrian Perez de Castro 46704f89e8 package/webkitgtk: disable JIT for ARMv5 and ARMv6
WebKit's JavaScriptCore does not support using JIT nor the LLint
interpreter on ARMv5 and ARMv6, so add those two cases when checking
for target CPUs which need to use the CLoop interpreter.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 594eb3df50)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 20:00:12 +01:00
Adrian Perez de Castro 35845ba676 package/webkitgtk: fix build with ENABLE_C_LOOP=ON
The ENABLE_C_LOOP option conflicts with ENABLE_SAMPLING_PROFILER, so
the WebKit CMake build system will emit an error when both are enabled
at the same time. To avoid hitting that situation, explicitly disable
ENABLE_SAMPLING_PROFILER as needed.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e6e78c1752)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 20:00:07 +01:00
Adrian Perez de Castro 4401bd205a package/wpewebkit: disable JIT for ARMv5 and ARMv6
WebKit's JavaScriptCore does not support using JIT nor the LLint
interpreter on ARMv5 and ARMv6, so add those two cases when checking
for target CPUs which need to use the CLoop interpreter.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f8eaccdddc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 19:59:57 +01:00
Adrian Perez de Castro 5a9db3ce3a package/wpewebkit: fix build with ENABLE_C_LOOP=ON
The ENABLE_C_LOOP option conflicts with ENABLE_SAMPLING_PROFILER, so
the WebKit CMake build system will emit an error when both are enabled
at the same time. To avoid hitting that situation, explicitly disable
ENABLE_SAMPLING_PROFILER as needed.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7a66e3e189)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 19:59:51 +01:00
Christian Stewart f70d050e0e package/docker-engine: bump to version 19.03.13
The Docker developers appear to no longer be tagging releases on the
docker/engine repository on GitHub, but are tagging releases on the main
moby/moby repository, which still is the true home of "dockerd."

This commit changes the upstream repo to moby/moby with no changes required.

Signed-off-by: Christian Stewart <christian@paral.in>

v1 -> v2:

 - updated hash
 - changed upstream to moby/moby

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5ebd4d9a61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 18:40:00 +01:00
Christian Stewart ff6cc76c64 package/docker-cli: bump to version 19.03.13
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7534354563)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 18:39:55 +01:00
Fabrice Fontaine a83dc6faef package/libraw: security bump to version 0.20.2
Fix CVE-2020-24890: libraw 20.0 has a null pointer dereference
vulnerability in parse_tiff_ifd in src/metadata/tiff.cpp, which may
result in context-dependent arbitrary code execution.

https://www.libraw.org/news/libraw-0-20-2-Release

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1a05b7cc7c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 17:38:51 +01:00
Ignacy Gawędzki 11f1178c14 package/angularjs: security bump version to 1.8.0
Fixes the following security issue:

- CVE-2020-11022: Potential XSS vulnerability in jQuery
  https://github.com/advisories/GHSA-gxr4-xjj5-5px2

Signed-off-by: Ignacy Gawędzki <ignacy.gawedzki@green-communications.fr>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4fc87ffb50)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 17:27:29 +01:00
Fabrice Fontaine 33f02d588f package/opencv3: fix typo in OPENCV_WARNINGS_ARE_ERRORS
OPENCV3_WARNINGS_ARE_ERRORS option does not exist so rename it to
OPENCV_WARNINGS_ARE_ERRORS (even if it is already disabled by default)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit caeb69cbf7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 16:57:32 +01:00
Peter Korsgaard 44421d582c package/netsnmp: silence warning when running without IPv6
snmpd loudly complains every 3 seconds about a failure reading
/proc/net/if_inet6 if the system does not have IPv6 support:

Jan  1 00:00:12 buildroot daemon.err snmpd[92]: ipaddress_linux: could not open /proc/net/if_inet6: No such file or directory
Jan  1 00:00:15 buildroot daemon.err snmpd[92]: ipaddress_linux: could not open /proc/net/if_inet6: No such file or directory
Jan  1 00:00:18 buildroot daemon.err snmpd[92]: ipaddress_linux: could not open /proc/net/if_inet6: No such file or directory
Jan  1 00:00:21 buildroot daemon.err snmpd[92]: ipaddress_linux: could not open /proc/net/if_inet6: No such file or directory

Add an upstream patch to only print this warning once, rather than on every
poll iteration.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ae85c9fd71)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 16:41:00 +01:00
Fabrice Fontaine 80c28bcde9 package/opencv3: link with libatomic if needed
Restore the atomic workaround that was wrongly removed when bumping to
version 3.4.9 in commit f6fb2cae06 as it
seems that opencv3 still needs help to detect atomic library

Fixes:
 - http://autobuild.buildroot.org/results/9162b29725f8d9b891eb74fcb8078f211140a841

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit dd69967123)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 16:04:30 +01:00
Frank Hunleth 0a48766018 package/linux-firmware: add rpi settings files
The brcmfmac drivers now load settings files for BCM434xx devices and
fail if they're missing on the Raspberry Pi:

brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.raspberrypi,3-model-b-plus.txt failed with error -2

This commit copies the missing settings files over to the firmware
directory with the other files.

Signed-off-by: Frank Hunleth <fhunleth@troodon-software.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f76cbc2d48)
[Peter: drop unavailable rpi4 file]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 15:29:48 +01:00
Fabrice Fontaine 23982a10c2 package/python-pyqt5: QtSvg needs QtWidgets
Building QtSvg without QtWidgets results in the following build failure:

/tmp/instance-0/output-1/host/bin/powerpc64le-linux-g++ -c -pipe -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os --sysroot=/tmp/instance-0/output-1/host/powerpc64le-buildroot-linux-gnu/sysroot -fno-exceptions -Wall -Wextra -D_REENTRANT -fPIC -DSIP_PROTECTED_IS_PUBLIC -Dprotected=public -DQT_NO_DEBUG -DQT_PLUGIN -DQT_SVG_LIB -DQT_GUI_LIB -DQT_CORE_LIB -I. -I. -I../../../host/powerpc64le-buildroot-linux-gnu/sysroot/usr/include/python3.8 -I../../../host/powerpc64le-buildroot-linux-gnu/sysroot/usr/include/qt5 -I../../../host/powerpc64le-buildroot-linux-gnu/sysroot/usr/include/qt5/QtSvg -I../../../host/powerpc64le-buildroot-linux-gnu/sysroot/usr/include/qt5/QtGui -I../../../host/powerpc64le-buildroot-linux-gnu/sysroot/usr/include/qt5/QtCore -I. -I../../../host/mkspecs/devices/linux-buildroot-g++ -o sipQtSvgcmodule.o sipQtSvgcmodule.cpp
sip/QtWidgets/qwidget.sip:28:10: fatal error: qwidget.h: No such file or directory
compilation terminated.
sip/QtWidgets/qgraphicsitem.sip:26:10: fatal error: qgraphicsitem.h: No such file or directory
compilation terminated.

Fixes:
 - http://autobuild.buildroot.org/results/26f55a1fa9f6520ce449b98b40d98f984cec07b3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 19ee46b1dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 15:13:49 +01:00
Fabrice Fontaine c983f93091 package/samba4: fix uclibc build with openldap
Fixes:
 - http://autobuild.buildroot.org/results/09e84d15efe755bdefa9f8c6b8355c49ddbc2f65

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 990c7bfd46)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-29 14:58:59 +01:00
Fabrice Fontaine 150a9c4024 support/scripts/apply-patches.sh: manage uncompression
Extract from bug report:

"Code line 120 to line 128 is to check whether the patch containing
"rename from" and "rename to". But it directly use grep to find,
ignoring the patch may be a tar file or else. It can only work on patch
of textfile form."

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=11931

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 35c3a1e693)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-28 23:28:37 +01:00
Fabrice Fontaine 1ca19d1dad package/zxing-cpp: add opencv3 optional dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: split to a separate condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a25793ba04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-28 23:12:16 +01:00
Waldemar Brodkorb 4edc7959d4 DEVELOPERS: add mksh/ruby to Waldemar Brodkorb
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4d564368aa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-28 22:51:40 +01:00
Fabrice Fontaine 0f130e060f package/oniguruma: fix CVE-2020-26159
Fix CVE-2020-26159: In Oniguruma 6.9.5_rev1, an attacker able to supply
a regular expression for compilation may be able to overflow a buffer by
one byte in concat_opt_exact_str in src/regcomp.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5dbebf3d35)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-28 16:01:13 +01:00
Conrad Ratschan 38ddceb79d package/patchelf: pull in upstream bugfixes
When building iputils for powerpc with BR2_PIC_PIE enabled, the
arping/rdisc/tftpd binaries will segfault at runtime. This can be
traced back to a few bugs in patchelf corrupting the ELFs when
resizing the RPATH to replace "$ORIGIN/" with "/usr/sbin".

This patch pulls in upstream fixes to prevent the binaries from being
needlessly inflated, prevent the startPage from always being adjusted,
fix a few minor bugs, and fix incorrect endianness handling.

Signed-off-by: Conrad Ratschan <conrad.ratschan@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1be8b22f48)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-28 14:21:22 +01:00
Peter Korsgaard de9db913b4 package/docker-containerd: security bump to version 1.2.14
Fixes the following security issue:

- CVE-2020-15157: containerd v1.2.x can be coerced into leaking credentials
  during image pull

For details, see the advisory:
https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-18 21:28:08 +02:00
Peter Korsgaard d8082db677 Update for 2020.02.7
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-12 23:33:22 +02:00
Peter Korsgaard 2fe040e7e7 package/cryptsetup: add upstream patch to fix runtime issue with json-c >= 0.14.0
Fixes #13251

json-c >= 0.14.0 has a name clash with internal cryptsetup functions,
causing a runtime issue.  Backport an upstream patch to rename the internal
functions to fix this.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-12 11:26:14 +02:00
Peter Korsgaard 5489b3a6c8 package/python-sentry-sdk: drop asyncio files for python 2.x to fix pycompile issue
sentry-sdk has a set of optional "integrations", some of which use asyncio.

pycompile unfortunately errors out on these files when running under Python
2.x:

../scripts/pycompile.py ..
error:   File "/usr/lib/python2.7/site-packages/sentry_sdk/integrations/sanic.py", line 64
    async def sentry_handle_request(self, request, *args, **kwargs):
            ^
SyntaxError: invalid syntax

As a workaround, simply drop the unusable files from TARGET_DIR if building
for python 2.x.

Fixes:
http://autobuild.buildroot.net/results/9e4/9e47ee2a56153379e4e7bc839be5972a2302ba9f/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d62f0042e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-12 10:57:18 +02:00
Peter Korsgaard 7306650bcf package/python-pymodbus: drop asyncio files for python 2.x to fix pycompile issue
Pymodbus has optional support for asyncio.  Pycompile unfortunately errors
out on these files when running under Python 2.x:

../scripts/pycompile.py ..
error:   File "/usr/lib/python2.7/site-packages/pymodbus/client/asynchronous/asyncio/__init__.py", line 257
    yield from self._connect()
             ^
SyntaxError: invalid syntax

As a workaround, simply drop the unusable files from TARGET_DIR if building
for python 2.x.

Fixes:
http://autobuild.buildroot.net/results/cc4/cc48927cbe9ae6c2d8b12d65467ec40df82febf6/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7d417ed7f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-12 10:57:03 +02:00
Peter Korsgaard 4b7c4b4236 package/bash: update to patch level 18
Fixes a regression introduced in patch level 16.

Rename the 2 uClibc patches so the upstream patch numbering matches ours.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d73ec6e0ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-12 10:37:59 +02:00
Peter Korsgaard f5e83d08ee {linux, linux-headers}: bump 4.19.x / 5.{4, 8}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4dbae8ed2c)
[Peter: drop 5.8.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-12 10:20:07 +02:00
Fabrice Fontaine 3a2b907381 package/wireshark: security bump to version 3.2.7
- Fix CVE-2020-25862: In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and
  2.6.0 to 2.6.20, the TCP dissector could crash. This was addressed in
  epan/dissectors/packet-tcp.c by changing the handling of the invalid
  0xFFFF checksum.
- Fix CVE-2020-25863: In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and
  2.6.0 to 2.6.20, the MIME Multipart dissector could crash. This was
  addressed in epan/dissectors/packet-multipart.c by correcting the
  deallocation of invalid MIME parts.
- Fix CVE-2020-25866: In Wireshark 3.2.0 to 3.2.6 and 3.0.0 to 3.0.13,
  the BLIP protocol dissector has a NULL pointer dereference because a
  buffer was sized for compressed (not uncompressed) messages. This was
  addressed in epan/dissectors/packet-blip.c by allowing reasonable
  compression ratios and rejecting ZIP bombs.

https://www.wireshark.org/docs/relnotes/wireshark-3.2.7.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d9521e0447)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-12 09:19:44 +02:00
Peter Korsgaard 6cfc64df27 python-scapy: add upstream patch fixing python 2.x compatibility
Fixes:
http://autobuild.buildroot.net/results/829/8293529a72ac4c8e93919b8bc0ea758fbb4bc444/

Python 2.x gets confused by rb"string", but not br"string", so add an
upstream patch changing the former to the latter to fix a pycompile issue
with python 2.x:

error:   File "/usr/lib/python2.7/site-packages/scapy/tools/generate_ethertypes.py", line 23
    reg = rb".*ETHERTYPE_([^\s]+)\s.0x([0-9A-Fa-f]+).*\/\*(.*)\*\/"
                                                                  ^
SyntaxError: invalid syntax

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-11 23:11:10 +02:00
Peter Korsgaard 74aed83080 package/python-autobahn: drop asyncio files for python 2.x to fix pycompile issu
Fixes:
http://autobuild.buildroot.net/results/234/234913f86da45df0708bbe3bf7361169e2398c9f

Autobahn contains optional logic using asyncio, which causes pycompile
issues when running in python 2.x:

pycompile.py --strip-root /srv/storage/autobuild/run/instance-1/output-1/target /srv/storage/autobuild/run/instance-1/output-1/target/usr/lib/python2.7
error:   File "/usr/lib/python2.7/site-packages/autobahn/xbr/_blockchain.py", line 97
    async def get_market_status(self, market_id):
            ^
SyntaxError: invalid syntax

As a workaround, simply drop the unusable files from TARGET_DIR if building
for python 2.x.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-11 23:10:56 +02:00
Ryan Barnett 2c30267ef1 DEVELOPERS: add c-periphery to my package watch list
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 071a369c3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-11 18:11:21 +02:00
Fabrice Fontaine 43bb5874d6 package/suricata: security bump to version 4.1.9
These are the second releases after Suricata joined the Oss-Fuzz
program, leading to discovery of a number of (potential) security
issues. We recommend upgrading as soon as possible.

https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1bfc53289a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-11 18:10:39 +02:00
Fabrice Fontaine 48304cb30d package/libhtp: bump to version 0.5.35
Drop patch (already in version)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5f5fe7de52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-11 18:10:09 +02:00
Maxim Kochetkov ec5d9ab6fc package/postgresql: add configure and includedir-server output to pg_config
Some external packages call pg_config to determine the installed
PostgreSQL server includedir and configure options. Add this output to
Buildroots own pg_config, so these packages correctly compile.

Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 787ad0b35d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-11 17:53:28 +02:00
Peter Korsgaard 20878bc9ce package/fail2ban: fix fail2ban-python symlink
Fixes (reproducible):
http://autobuild.buildroot.net/results/50f/50f199bfe06d054cc6770760e73ac0de594a0670/diffoscope-results.txt

Fail2ban installs the fail2ban-python symlink pointing to the host python
intepreter used to run setup.py, which is naturally not valid at runtime and
breaks the reproducible tests as shown in the diffoscope results:

│ -lrwxrwxrwx   0        0        0        0 2020-10-04 10:50:38.000000 ./usr/bin/fail2ban-python -> /home/naourr/work/instance-0/output-1/host/bin/python
│ +lrwxrwxrwx   0        0        0        0 2020-10-04 10:50:38.000000 ./usr/bin/fail2ban-python -> /home/naourr/work/instance-0/output-2/host/bin/python

As a workaround, update the symlink after installation to point to the
correct target python.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 084ffc69be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 22:59:54 +02:00
Peter Korsgaard f4fc691181 package/python-engineio: drop asyncio files for python 2.x to fix pycompile issue
engineio has conditional logic to load asyncio files when running under
Python 3.x:

if sys.version_info >= (3, 5):  # pragma: no cover
    from .asyncio_server import AsyncServer
    from .asyncio_client import AsyncClient
    from .async_drivers.asgi import ASGIApp
    try:
        from .async_drivers.tornado import get_tornado_handler
    except ImportError:
        get_tornado_handler = None
else:  # pragma: no cover
    AsyncServer = None
    AsyncClient = None
    get_tornado_handler = None
    ASGIApp = None

pycompile unfortunately errors out on these files when running under Python
2.x:

../scripts/pycompile.py ..
error:   File "/usr/lib/python2.7/site-packages/engineio/asyncio_socket.py", line 13
    async def poll(self):
            ^
SyntaxError: invalid syntax

As a workaround, simply drop the unusable file from TARGET_DIR if building
for python 2.x.

Fixes:
http://autobuild.buildroot.net/results/72c/72cfdffeb4d0fb7c3032b52f0a26a4758eea6762/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b8ae383dd3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 22:59:23 +02:00
Peter Korsgaard 160faed799 package/python-socketio: drop asgi/asyncio files for python 2.x to fix pycompile issue
socketio has conditional logic to load asgi/asyncio files when running under
Python 3.x:

if sys.version_info >= (3, 5):  # pragma: no cover
    from .asyncio_client import AsyncClient
    from .asyncio_server import AsyncServer
    from .asyncio_manager import AsyncManager
    from .asyncio_namespace import AsyncNamespace, AsyncClientNamespace
    from .asyncio_redis_manager import AsyncRedisManager
    from .asyncio_aiopika_manager import AsyncAioPikaManager
    from .asgi import ASGIApp
else:  # pragma: no cover
    AsyncClient = None
    AsyncServer = None
    AsyncManager = None
    AsyncNamespace = None
    AsyncRedisManager = None
    AsyncAioPikaManager = None

pycompile unfortunately errors out on these files when running under Python
2.x:

../scripts/pycompile.py ..
error:   File "/usr/lib/python2.7/site-packages/socketio/asyncio_server.py", line 84
    async def emit(self, event, data=None, to=None, room=None, skip_sid=None,
            ^
SyntaxError: invalid syntax

As a workaround, simply drop the unusable file from TARGET_DIR if building
for python 2.x.

Fixes:
http://autobuild.buildroot.net/results/455f3e09a590f7a6724ab8cd1b86bdf2bba8071a/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6beb6dd5c6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 22:59:22 +02:00
Peter Korsgaard 3a813a6a52 support/scripts/apply-patches.sh: do not blindly remove *.orig files
apply-patches currently blindly removes *.orig / .*.orig files as GNU patch
by default writes these as backup files when patches only apply with fuzz.

This is unfortunate as package sources may contain files ending in .orig as
well, breaking the build.  Luckily GNU patch can be told to not write these
backup files using the --no-backup-if-mismatch option, so used that instead
of the .orig removal step.

--no-backup-if-mismatch is supported since GNU patch 2.3.8 (1997-06-17) and
busybox patch if built with CONFIG_DESKTOP, but E.G.  isn't supported by the
BSD patch, so add logic to dependencies.sh to error out if patch doesn't
support the flag.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 42f61e759a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 22:43:06 +02:00
Yann E. MORIN 439447d1eb package/mesa3d: drop r100 dependency on _HAS_ATOMIC
This partially reverts commit a3aac6d847,
just dropping the atomic dependency.

That dependency would introduce a "recursive dependency" chain in
Kconfig.

However, r100 is only available on i386 and x86-64, and they both have
sync4, which means libdrm's HAS_ATOMICS is always 'y' when r100 is
available.

So, like we did in 00c1a8c34f (package/mesa3d: propagate missing
libdrm-freedreno deps), we just add a fat comment that explains why the
dependency is not propagated.

Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
(cherry picked from commit 0b029cac1b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 22:39:37 +02:00
James Hilliard 3e9e5bbc80 package/mesa3d: add missing depends and driver name to r100 driver
Propagate libdrm dependencies.

Add r100 to menu name to differentiate from r200 dri driver.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a3aac6d847)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 22:39:34 +02:00
Fabrice Fontaine 94d7c1485f package/brotli: fix pkg-config
brotli pkg-config files are broken since version 1.0.8 and
https://github.com/google/brotli/commit/31754d4ffce14153b5c2addf7a11019ec23f51c1

This raise static build failures with all packages using brotli,
fontconfig or freetype such as fbterm:

-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -Os   -static -static  -static -o fbterm fbterm-fbconfig.o fbterm-fbio.o fbterm-fbshell.o fbterm-fbshellman.o fbterm-fbterm.o fbterm-font.o fbterm-input.o fbterm-mouse.o fbterm-screen.o fbterm-improxy.o fbterm-screen_render.o fbterm-fbdev.o fbterm-vesadev.o lib/libshell.a -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -lfreetype -lbz2 -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -lz -lpng16 -lz -R/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -lbrotlidec -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -R/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buil
 droot-linux-uclibcgnueabihf/sysroot/usr/lib -lbrotlicommon  -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -lfontconfig -lfreetype -lbz2 -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -lz -lpng16 -lz -R/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -lbrotlidec -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -R/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -lbrotlicommon -L/srv/storage/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/lib -luuid -lexpat   -lutil -lutil
arm-linux-g++.br_real: error: unrecognized command line option '-R'

Fixes:
 - http://autobuild.buildroot.org/results/21ede59686d4998c9e643ea874396a11b1c0df93

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 35a451d987)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 22:24:08 +02:00
Antoine Tenart 8d495eb362 DEVELOPERS: add Antoine Ténart for libselinux and refpolicy
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f2a0da36ef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 22:21:52 +02:00
Peter Seiderer 7e384e3c44 boot/barebox: fix target bareboxenv command compile
The buildroot custom bareboxenv compile command misses the additional
include path 'scripts/include' to gain access to the local copy of the
kernel header files (which leads to compile error when using an older
toolchain).

This could be fixed by enhancing the custom bareboxenv compile command
(see [1]) or by using the barebox build system by simply enabling the
CONFIG_BAREBOXENV_TARGET option (available since April 2012, see [2])
instead (as suggested by Yann E. MORIN).

Fixes (with BR2_TARGET_BAREBOX_BAREBOXENV enabled):

  build/barebox-2019.12.0/scripts/bareboxenv.c:100:10: fatal error: linux/list.h: No such file or directory

[1] http://lists.busybox.net/pipermail/buildroot/2020-January/270942.html
[2] https://git.pengutronix.de/cgit/barebox/commit/?id=afb03d7a554a2911a3742e316f011319fcb416f1

Note: a user who would previously provide a barebox config file which
had CONFIG_BAREBOXENV_TARGET=y, but a Buildroot config file which did
not have BR2_TARGET_BAREBOX_BAREBOXENV=y, would have bareboxenv-target
built, but it would not be installed in the target. Now, and unset
BR2_TARGET_BAREBOX_BAREBOXENV will not even build it, but his is not a
regression: it was anyway previously not installed.

Reported-by: Frederick Gotham <cauldwell.thomas@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
  - also explicitly disable it when not selected
  - rewrap commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3cc2534b57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 21:55:28 +02:00
Yann E. MORIN 8e274f0d47 boot/barebox: don't specify .config to munge
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7a2524bf54)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 21:55:20 +02:00
Fabrice Fontaine f27b4185db package/vlc: fix build with live555 and without openssl
Pass -DNO_OPENSSL to avoid a build failure with live555 but without
openssl

Fixes:
 - http://autobuild.buildroot.org/results/70ca93aa5c9488a4657c7bcafa40bfb2e974a5b3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e0fb418f78)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 21:42:57 +02:00
Romain Naour 32aaf6d853 package/supertux: build squirrel builtin library with fPIC
Ensure that squirrel is compiled with -fPIC to allow linking the static
libraries with dynamically linked programs. This is not a requirement
for most architectures but is mandatory for ARM.

Fixes:
http://autobuild.buildroot.org/results/46e8f5e622ce450a89bc6d70f4bfd38182557901
http://autobuild.buildroot.org/results/a43720492d817e4555d728546da9114e3ccba952

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4473c41941)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 08:51:29 +02:00
Fabrice Fontaine c74a02f937 Revert "package/supertux: fix build with RELRO"
This reverts commit 80be040817 because
libsquirrel.so.0 and libsqstdlib.so.0 are missing in TARGET_DIR.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7d85d5e5ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-10 08:51:27 +02:00
Fabrice Fontaine 74d60d39af package/php: security bump to version 7.4.11
- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
  7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
  openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
  IV is actually used. This can lead to both decreased security and
  incorrect encryption data.
- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
  7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
  cookie values, the cookie names are url-decoded. This may lead to
  cookies with prefixes like __Host confused with cookies that decode to
  such prefix, thus leading to an attacker being able to forge cookie
  which is supposed to be secure. See also CVE-2020-8184 for more
  information.

https://www.php.net/ChangeLog-7.php#7.4.11

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 51d9617474)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-05 08:10:47 +02:00
Peter Korsgaard 57e7cbaa4b package/python-cycler: drop redundant python|python3 dependencies
All the python packages are inside a

if BR2_PACKAGE_PYTHON || BR2_PACKAGE_PYTHON3

conditional, so no need to repeat it in the Config.in.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 36031fd91d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-05 08:10:21 +02:00
Thomas De Schampheleire 5b59dc0354 support/scripts/setlocalversion: fix/improve Mercurial output
Commit 9e4ffdc8cf modified the output of
'setlocalversion' so that the Buildroot version tag is included in the
output, the version part was added in Makefile.

Due to differences in behavior of the used git and Mercurial commands, this
caused different output for the Mercurial case, in BR2_VERSION_FULL and thus
/etc/os-release and 'make print-version'. Assuming the official Buildroot
releases are tagged and no project-specific tags are present, the output
after commit 9e4ffdc8cf is:
    -hg<commit>
whereas it is expected to be something like:
    2020.02.6-hg<commit>

Change the Mercurial case in setlocalversion to behave similar to git,
looking up the latest tag if the current revision is not itself tagged.

The number of commits after the latest tag is not added, unlike in git, as
this value is not commonly present in Mercurial output, and its added value
can be disputed in this context. Even one commit could bring a huge change
to the sources, so in order to interpret the number one has to look at the
repository anyhow, in which case the commit ID can just be used.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 32eb5a1d16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-05 08:09:33 +02:00
Francois Perrad 1b54d0349f package/lua: split hash files, add license hash for 5.3 / 5.4
The content of the license file (doc/readme.html) differs between lua 5.3
and 5.4, so we cannot use a shared .hash file for all versions.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 036c41db1a)
[Peter: drop 5.4]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-05 08:08:44 +02:00
Peter Korsgaard 9e5f973ea7 package/python-fire.mk: drop test_components_py3.py file for python 2.x to fix pyfile issue
Fixes:
http://autobuild.buildroot.net/results/72e0cc78194a1b93bf26a50742e59a1e93bde1d1/

fire has conditional logic to load test_components_py3.py when running under
Python 3.x:

if six.PY3:
  from fire import test_components_py3 as py3

pycompile unfortunately errors out on it:

../scripts/pycompile.py ..

error:   File "/usr/lib/python2.7/site-packages/fire/test_components_py3.py", line 18
    def identity(arg1, arg2: int, arg3=10, arg4: int = 20, *arg5,
                           ^
SyntaxError: invalid syntax

As a workaround, simply drop the unusable _py3 file from TARGET_DIR if
building for python 2.x.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6bfedaf577)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-05 08:04:04 +02:00
Peter Korsgaard fc8b89bced package/python-aenum: drop test_v3.py file for python 2.x to fix pycompile issue
Fixes:
http://autobuild.buildroot.net/results/4ca459d54545c0e20b0f0cdc63bd81844ecd7f36/

aenum has conditional logic to load python 3.x code located in test_v3.py:

if pyver >= 3.0:
    from aenum.test_v3 import TestEnumV3, TestOrderV3, TestNamedTupleV3

And contains logic in setup.py to drop that file during setup.py install if
building for python 2.x:

py3_only = ('aenum/test_v3.py', )
..
if __name__ == '__main__':
    if 'install' in sys.argv:
        import os, sys
	..
        if sys.version_info[0] != 3:
            for file in py3_only:
                try:
                    os.unlink(file)

But this doesn't work in Buildroot as pkg-python.dk first does setup.py
build (which copies test_v3.py to the build directory) before setup.py
install, so test_v3.py gets installed, leading to errors from pycompile:

error:   File "/usr/lib/python2.7/site-packages/aenum/test_v3.py", line 12
    class MagicAutoNumberEnum(Enum, settings=AutoNumber):
                                            ^
SyntaxError: invalid syntax

As a workaround, add a hook to drop it from the target directory when
building for python 2.x.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 753c031977)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-05 08:04:02 +02:00
Fabrice Fontaine 422fe3eb82 package/memcached: security bump to version 1.5.22
- Fix a security issue: When enabling SASL authentication for binary
  protocol, enabling UDP mode would allow bypassing SASL. Now refuses
  to start with both UDP and SASL enabled. Text mode authentication was
  not vulnerable.
- Drop patches (already in version) and so autoreconf
- Update indentation in hash file (two spaces)

https://github.com/memcached/memcached/wiki/ReleaseNotes1522

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-04 20:42:13 +02:00
Peter Korsgaard 1332032d63 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 8}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a6e8e8fae7)
[Peter: drop 5.8.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 23:03:46 +02:00
Peter Korsgaard 6fd8e71ab9 package/python3: bump to version 3.8.6
Contains a number of bugfixes. For details, see the changelog:

https://docs.python.org/release/3.8.6/whatsnew/changelog.html#changelog

Update the license hash for the addition of a note stating that the examples
and documentation is now dual licensed under the PSF and a Zero-Clause BSD
license since:

https://github.com/python/cpython/commit/9fef7c54a0adfade5ec94259d97f22e05fe9e3e3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3469e6e46b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 22:52:44 +02:00
Fabrice Fontaine 0749af79b0 package/freetype: unconditionally disable harfbuzz
Commit 939e714393 added an optional
harfbuzz dependency to freetype but this creates a circular dependency
so unconditionally disable it

Fixes:
 - http://autobuild.buildroot.org/results/3cc4ce3207a253186a9c4f8f5151ea0fc0854a28

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a98b79e2e6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 10:39:59 +02:00
Fabrice Fontaine d78ea69ceb package/freetype: add harfbuzz optional dependency
harfbuzz is an optional dependency (enabled by default) since version
2.5.3 and
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=86026a47b345a8c254dd5e6be77bf116737cdafb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 939e714393)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 08:34:19 +02:00
Fabrice Fontaine 73ce759aa4 package/freetype: drop libpng workaround
libpng workaround which has been added with commit
f7313cadf2 is not needed since version
2.5.3 and
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=00c79ed9680a0d7a367c6914adc7485391299542

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 005a3437a5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 08:34:17 +02:00
Peter Korsgaard bac46d4cec package/nodejs: security bump to version 12.18.4
Fixes the following security issues:

- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion

  Affected Node.js versions converted carriage returns in HTTP request
  headers to a hyphen before parsing.  This can lead to HTTP Request
  Smuggling as it is a non-standard interpretation of the header.

  Impacts:
    All versions of the 14.x and 12.x releases line

- CVE-2020-8252: fs.realpath.native may cause buffer overflow

  libuv's realpath implementation incorrectly determined the buffer size
  which can result in a buffer overflow if the resolved path is longer than
  256 bytes.

  Impacts:
    All versions of the 10.x release line
    All versions of the 12.x release line

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Adjust license hash for the addition of the BSD-3c licensed highlight.js:
https://github.com/nodejs/node/commit/6f8b7a85d239129273948386c34775810f2dc4a3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b6d64d7fa4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 08:17:33 +02:00
Thomas Petazzoni 577f258ceb package/gcc: help libbacktrace detection of sync builtins
The logic in libbacktrace/configure.ac to detect if __sync builtins
are available assumes they are as soon as target_subdir is not
empty, i.e when cross-compiling. However, some platforms do not have
__sync builtins, so help the configure script a bit.

"libbacktrace_cv_sys_sync=no" is lost when it is added to
HOST_GCC_COMMON_CONF_ENV because the environment is not exported
when executing the libbacktrace configure script.

Use target_configargs to force "libbacktrace_cv_sys_sync=no" when
executiong the libbacktrace configure script.

Fixes:
https://gitlab.com/bootlin/toolchains-builder/-/jobs/729359681

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain: use target_configargs="libbacktrace_cv_sys_sync=no"]
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0bec4c8a4a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 08:08:45 +02:00
Fabrice Fontaine 5d0fad8d0d package/ghostscript: bump to version 9.53.2
- Drop first patch (already in version)
- Drop second patch (not needed since
  https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f0d19bf181a156d011dba422ae4d165b36b0af7e)
- Drop autoreconf

https://www.ghostscript.com/doc/9.53.2/News.htm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56b6908bf6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 08:00:12 +02:00
Baruch Siach a7c334c1fd package/bison: disable libtextstyle
Recent bison versions added support for fancy error output using gettext
provided libtextstyle. The Buildroot gettext version does not provided
all needed features. However host-bison might detect host installed
libtextstyle at configure time, but fail at run time because of missing
symbols in Buildroot provided libtextstyle.

We don't really need fancy output of host packages, so just disable
libtextstyle support.

Fixes (libpcap):
http://autobuild.buildroot.net/results/058e8ec90da3c06e31b31eb94541331cced44db3/
http://autobuild.buildroot.net/results/d99dda99722c53730b5964bd4ff1e1281c4ad759/
http://autobuild.buildroot.net/results/056fd1246554fe7def416429620175e86530c0a7/

Cc: Xogium <contact@xogium.me>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Tested-by: Xogium <contact@xogium.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8d389c521c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-03 07:56:57 +02:00
Thomas Petazzoni f5bc68f7b7 package/gdb: also disable gprof
When gdb is built from sources fetched from Git, it contains both the
gdb and the binutils code base. In order to really build only gdb, we
disable a number of binutils components in the
GDB_DISABLE_BINUTILS_CONF_OPTS variable: --disable-binutils,
--disable-ld, --disable-gas, etc. However, gprof was still being
built, so disable it as well.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 71719b91ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 22:33:00 +02:00
Gary Bisson 985512051e package/qt5/qt5base: allow to use imx-gpu-viv as GBM provider
Needed in order to use eglfs_kms platform backend.

Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 82fb51d3b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 21:48:28 +02:00
Peter Korsgaard b683ba7b88 package/python-txtorcon.mk: drop _py3 file for python 2.x to fix pycompile issue
Fixes:
http://autobuild.buildroot.net/results/76b580000e6311e88584874f942517badd6fadf6/

python-txtorcon DOES support python 2.x, but it contains some optional
python 3 / async code in controller_py3.py which is conditionally used from
controller.py:

try:
    from .controller_py3 import _AsyncOnionAuthContext
    HAVE_ASYNC = True
except Exception:
    HAVE_ASYNC = False

pycompile unfortunately errors out on the async code:

../scripts/pycompile.py ..
error:   File "/usr/lib/python2.7/site-packages/txtorcon/controller_py3.py", line 13
    async def __aenter__(self):
            ^
SyntaxError: invalid syntax

As a workaround, simply drop the unusable _py3 file from TARGET_DIR if
building for python 2.x.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6728c67307)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 15:15:33 +02:00
Peter Korsgaard dc404eaa08 package/python-tinyrpc: not available for python 2.x
Fixes:
http://autobuild.buildroot.net/results/eef0969bac04800cec51fa27f1e1ecd3a4c8211e/

tinyrpc 1.x is not compatible with python 2.x, leading to errors during the
pycompile step:

error:   File "/usr/lib/python2.7/site-packages/tinyrpc/client.py", line 37
    self, protocol: RPCProtocol, transport: ClientTransport
                  ^
SyntaxError: invalid syntax

As also documented in the README:
The current version will support Python3 only.  Have a look at the 0.9.x
version if you need Python2 support

https://github.com/mbr/tinyrpc/blob/1.0.4/README.rst

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6d87acc19f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:57:41 +02:00
Thomas De Schampheleire 8d4c84c9d5 package/zstd: avoid compilation during host-zstd install step
The host-zstd-build step was not actually compiling the library:

make[1]: Entering directory '/buildroot/output/build/host-zstd-1.4.5/lib'
make[1]: Nothing to be done for 'default'.
make[1]: Leaving directory '/buildroot/output/build/host-zstd-1.4.5/lib'

and the actual compilation was part of the install step.
This is not how other Buildroot packages work.

Make sure to specify which library targets we want instead. The total amount
of compiled files does not change with this patch.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2e8bf36dc4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:55:50 +02:00
Norbert Lange 6d661ac848 package/pkg-meson.mk: fix generation of pkg_config_static prop
fixes following in the generated cross-complation.conf file:
pkg_config_static = '$(if $(BR2_STATIC_LIBS),true,false)'

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 78da84eca9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:40:12 +02:00
Thomas Petazzoni 95a6c9b48c package/gstreamer1/gst1-plugins-ugly: add missing comma in license variable
When one GPL-licensed plugin was enabled, the license of
gst1-plugins-ugly would be "LGPL-2.1+ GPL-2.0", but licenses should be
comma separated, not space separated. So let's fix that to get the
expected value of "LGPL-2.1+, GPL-2.0".

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4626bafe5c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:31:53 +02:00
Francois Perrad 596aef22da package/lua: bump to version 5.3.6
Bugfix release.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 86a6eb872c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:19:13 +02:00
Peter Korsgaard 91348417e7 package/python-semver: bump version to 2.10.2
Bugfix release, fixing an issue with version fields containing '0'.  For
details, see the changelog:

https://python-semver.readthedocs.io/en/2.10.2/changelog.html#version-2-10-2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2be774303d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:14:32 +02:00
Peter Korsgaard 2e679087e8 package/python-semver: bump version to 2.10.1
And adjust the .hash spacing.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 63a3b012ba)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:14:27 +02:00
Peter Korsgaard 61689e7bb5 package/wireguard-linux-compat: bump version to 1.0.20200908
Fixes a race condition. For details, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-September/005817.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d8cb637442)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:12:20 +02:00
Peter Korsgaard 6865aa62dc package/python-texttable: bump version to 1.6.3
Bugfix release, fixing an issue with integer/float handling:
https://github.com/foutaise/texttable/issues/70

Adjust the .hash spacing and update the license hash for a copyright year
change:
https://github.com/foutaise/texttable/commit/13ff0b57d3f727a266ce45f86642f0458257bb8e

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dc68be6944)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-10-02 10:02:57 +02:00
Matt Weber 85b5f2c6ff package/gcc: transition PowerPC 32 to secureplt
PowerPC has two PLT models: BSS-PLT and Secure-PLT. BSS-PLT uses
runtime code generation to generate the PLT stubs. Secure-PLT was
introduced with GCC 4.1 and Binutils 2.17 (base has GCC 4.2.1 and
Binutils 2.17), and is a more secure PLT format, using a read-only
linkage table, with the dynamic linker populating a non-executable
index table.

References to other distro/BSD transitions:
  https://patchwork.openembedded.org/patch/106621/
  https://reviews.freebsd.org/D20598

Fixes a bug observed when creating SELinux policy where all apps
require execmem because the heap requires execute before this change.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9b539bf40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 21:08:49 +02:00
Joseph Kogut 063c282383 package/x11r7/xserver_xorg-server: fix segfault on brcm platforms
According to the original patch message:
    Some Broadcom set-top-box boards have PCI busses, but the GPU is
    still probed through DT.  We would dereference a null busid here
    in that case.

Fixes a segfault on at least the RPi 4 w/ xserver 1.20.9, probably
others as well.

Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6427ede939)
[Peter: move to 1.20.9 subdir]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 20:42:39 +02:00
Fabrice Fontaine 803b26b798 package/vsftpd: renumber patches
Commit 415765b5a8 removed the second patch
without renumbering the remaining ones

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cd847f0986)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 20:35:12 +02:00
Fabrice Fontaine e76e4273a3 package/cifs-utils: security bump to version 6.11
Fix CVE-2020-14342: It was found that cifs-utils' mount.cifs was
invoking a shell when requesting the Samba password, which could be used
to inject arbitrary commands. An attacker able to invoke mount.cifs with
special permission, such as via sudo rules, could use this flaw to
escalate their privileges.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ce0e86b293)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 17:35:20 +02:00
Ryan Barnett 2cc9ced194 package/cifs-utils: bump to version 6.10
In the version bump to 6.10 the following changes were:

 * Fix hash file to two spaces format
 * Add patch to respect DESTDIR and optionally install man pages for
   mount.smb3 by utilizing CONFIG_MAN.
 * Pass -std=gnu11 to fix compile issues found with the sourcery-arm
   toolchain with C99 style code errors in smbinfo.c and defintion of
   'struct sa' uisng gnu11 for C11 GNU extensions.

Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
CC: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3fe17ae48d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 17:35:10 +02:00
Bernd Kuhls a41e709f37 package/samba4: security bump version to 4.11.13
Version 4.11.11 fixed
o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
		  LDAP Server with ASQ, VLV and paged_results.
o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
		  excessive CPU
o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
		  paged_results and VLV.
o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.

Version 4.11.12 was a bugfix-only release.

Version 4.11.13 fixes CVE-2020-1472.

Release notes:
https://www.samba.org/samba/history/samba-4.11.11.html
https://www.samba.org/samba/history/samba-4.11.12.html
https://www.samba.org/samba/security/CVE-2020-1472.html

Rebased patches 0001 & 0002.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e56f54220e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 17:33:34 +02:00
Bernd Kuhls 4c220c7b6c package/php: bump version to 7.4.10
Changelog: https://www.php.net/ChangeLog-7.php#7.4.10

Rebased patches 0002 & 0003.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4fecbce953)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 17:29:25 +02:00
Fabrice Fontaine 7401e05143 package/ympd: renumber patch
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7018cacaf8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 17:20:56 +02:00
Fabrice Fontaine e8272016df package/libxml2: fix CVE-2020-24977
GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a530ca6bd9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 16:19:42 +02:00
Fabrice Fontaine 50ea613163 package/efl: needs host gcc >= 4.9
Commit dbe2d2e686 forgot to add a
host gcc >= 4.9 dependency on efl (because of host-efl)

Fixes:
 - http://autobuild.buildroot.org/results/f627d44919c20e068e377d7fe113833e2d4d0ad3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 60cd158f0e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 16:18:08 +02:00
Peter Seiderer 360273fa69 package/wayland-protocols: change download url to https
- change download url to https (as redirected by the original http url)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 79609dd78f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 15:58:07 +02:00
Fabrice Fontaine 38535c6842 package/supertux: fix build with RELRO
Disable static building of external/squirrel to fix the following build
failure with RELRO:

/home/peko/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: CMakeFiles/sq_static.dir/sq.c.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a PIE object; recompile with -fPIC
/home/peko/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: final link failed: nonrepresentable section on output
collect2: error: ld returned 1 exit status

Fixes:
 - http://autobuild.buildroot.org/results/46e8f5e622ce450a89bc6d70f4bfd38182557901
 - http://autobuild.buildroot.org/results/a43720492d817e4555d728546da9114e3ccba952

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 80be040817)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-29 15:44:08 +02:00
Fabrice Fontaine 05498d367f package/dhcpdump: fix build without pod2man
Use dhcpdump target to avoid building dhcpdump.8 as it will raise the
following build failure if pod2man is not available:

pod2man --section 8 \
	--date "23 June 2008" \
	--name "DHCPDUMP" \
	--center "User Contributed Software" \
	dhcpdump.pod dhcpdump.8
/bin/sh: pod2man: command not found
make[1]: *** [Makefile:11: dhcpdump.8] Error 127

Fixes:
 - http://autobuild.buildroot.org/results/db3be149ec71de8376f685a6a9f027191d9bccc9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 698dcb61ea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 23:21:12 +02:00
Norbert Lange de76434713 DEVELOPERS: add myself as contact for systemd
As requested, I add myself to systemd.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dcee2627f4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 23:19:33 +02:00
James Hilliard 2e56b20a4b package/meson: support additional cpu families
Meson expects known cpu families to be in a normalized format based on
https://mesonbuild.com/Reference-tables.html#cpu-families

Add support for m68k, microblaze and sh4 cpu families.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2f5a26630c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 23:14:49 +02:00
Fabrice Fontaine 9b02393346 package/ecryptfs-utils: fix build failure without pod2man
Set ac_cv_path_POD2MAN to true to avoid the following build failure:

checking for pod2man... no
configure: error: I couldn't find pod2man; make sure it's installed and in your path

Fixes:
 - http://autobuild.buildroot.org/results/7a3a182aa91a07a720a02f854c59f952930708e1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1030f295e6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 23:01:58 +02:00
Michael Nosthoff 15689a10b6 package/postgresql: remove PIDFile from .service
commit eada187e77 changed the service to Type=notify.
notify units don't need a PIDFile so this can be removed.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a9bc0024b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 22:56:28 +02:00
Michael Nosthoff 99273babe6 package/openvmtools: use /run for PIDFile
Fixes:

PIDFile= references a path below legacy directory /var/run/, updating
/var/run/vmtoolsd.pid → /run/vmtoolsd.pid; please update the unit file
accordingly.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e97fe4f28c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 22:56:07 +02:00
Michael Nosthoff b4fd1d20d4 package/nss-pam-ldapd: use /run for PIDFile
Fixes:

PIDFile= references a path below legacy directory /var/run/, updating
/var/run/nslcd.pid → /run/nslcd.pid; please update the unit file
accordingly.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ce3d5129a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 22:56:00 +02:00
Michael Nosthoff 264667d91a package/minidlna: use /run for PIDFile
Fixes:

PIDFile= references a path below legacy directory /var/run/, updating
/var/run/minidlna.pid → /run/minidlna.pid; please update the unit file
accordingly.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ad46c0ac36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 22:55:48 +02:00
Michael Nosthoff dd8b784259 package/dhcpcd: use /run for PIDFile
Fixes:

PIDFile= references a path below legacy directory /var/run/, updating
/var/run/dhcpcd.pid → /run/dhcpcd.pid; please update the unit file
accordingly.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9668296056)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 22:55:26 +02:00
Michael Nosthoff ab8123c18a package/bandwithd: use /run for PIDFile
Fixes:

PIDFile= references a path below legacy directory /var/run/, updating
/var/run/bandwithd.pid → /run/bandwithd.pid; please update the unit file
accordingly.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cdc183eef0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-28 22:55:15 +02:00
Michael Nosthoff b6b2266f2b package/nginx: use /run for PIDFile
Fixes:

systemd[1]: /usr/lib/systemd/system/nginx.service:7: PIDFile= references
a path below legacy directory /var/run/, updating /var/run/nginx.pid →
/run/nginx.pid; please update the unit file accordingly.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4027ba29f4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-25 17:38:26 +02:00
Fabrice Fontaine 34498c1f1a package/gstreamer1/gst1-plugins-base: gl needs api, platform and window
Build will fail if gl is enabled without an api, a platform and a
window:

Message: No OpenGL Platforms found or requested
Message: No OpenGL Window systems found or requested

gst-libs/gst/gl/meson.build:948:2: ERROR: Problem encountered: GStreamer OpenGL integration required via options, but needed dependencies not found.

This requirement is already specified in Config.in through a simple
comment:

comment "The opengl library needs an API, a platform and a window system"
	depends on !BR2_PACKAGE_GST1_PLUGINS_BASE_HAS_LIB_OPENGL

Fixes:
 - http://autobuild.buildroot.org/results/d171059801adf8dea1a2116d7c729a2aa5767ac8
 - http://autobuild.buildroot.org/results/b1bfa505bba534440d331c4948eea5eb2d165c97

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 66e484a751)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-25 15:30:56 +02:00
Heiko Thiery 31794691b4 package/ipmitool: fix 0011-channel-Fix-buffer-overflow.patch
The previous commit to this package
(37c5e903a7) introduced a bunch of patches
to fix a CVE. Unfortunatly only applying of the patches was tested but
not building the package.

This commit replaces a define that was introduced in a previous patch
upstream and caused the build failure.

Tested:

                             br-arm-full [1/6]: OK
                  br-arm-cortex-a9-glibc [2/6]: OK
                   br-arm-cortex-m4-full [3/6]: SKIPPED
                          br-x86-64-musl [4/6]: OK
                      br-arm-full-static [5/6]: OK
                            sourcery-arm [6/6]: OK

Fixes:
 - http://autobuild.buildroot.net/results/3f7fe8ad181318153c459ba5e1afbbc8b49d541c/
 - and more

Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b81307162)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-23 21:07:15 +02:00
Brandon Maier 4c077cfbba package/systemd: bump version to 244.5
Tag 244.5 includes our patches, so drop them.

Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-22 09:58:49 +02:00
Thomas Petazzoni f0f448180b package/pkg-meson: ensure the global cross-compilation.conf file is correct
Currently, the cross-compilation.conf installed in
$(HOST_DIR)/etc/meson/cross-compilation.conf for use by the SDK is
generated in a post-install-staging hook of the toolchain package.

With per-package directory support enabled, this means that the
generated cross-compilation.conf contains references to the
per-package directory of the toolchain/ package, which is not want we
want:

[binaries]
c = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-gcc'
cpp = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-g++'
ar = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-ar'
strip = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-strip'
pkgconfig = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/usr/bin/pkg-config'

So instead, we generate this file in TOOLCHAIN_TARGET_FINALIZE_HOOKS,
so that the global paths are used:

[binaries]
c = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-gcc'
cpp = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-g++'
ar = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-ar'
strip = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-strip'
pkgconfig = '/home/thomas/projets/buildroot/output/host/usr/bin/pkg-config'

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 48d2606e28)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 21:02:39 +02:00
Heiko Thiery b0406bb0df package/ipmitool: fix CVE-2020-5208
Add several upstream patches that are made to fix this CVE. Since there
is still no dated plan to release a new version add this bunch of
patches.

Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 37c5e903a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 21:00:03 +02:00
Michael Nosthoff ae88d05bb2 package/localedef: depend host build on python3
Just like glibc, host-localedef needs python3 on the host to
build... since host-localedef is basically using the sources of glibc.

Fixes:

checking if /build/build/per-package/host-localedef/host/bin/ccache
/usr/bin/gcc is sufficient to build libc... yes
checking for x86_64-pc-linux-gnu-nm... /usr/bin/nm
checking for python3... no
checking for python... python
checking version of python... 2.7.18, bad
configure: error:
*** These critical programs are missing or too old: python
*** Check the INSTALL file for required versions.

As reported at:

  http://lists.busybox.net/pipermail/buildroot/2020-September/291929.html

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6e73c71cc4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:58:21 +02:00
Christian Stewart f6f3a34810 package/docker-engine: bump to version 19.03.12
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f826e8817a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:54:05 +02:00
Christian Stewart 5cef89e48a package/docker-cli: bump to version 19.03.12
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e3d734c431)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:54:02 +02:00
Christian Stewart a0a3e86c83 package/runc: security bump to version 1.0.0-rc92
1.0.0-rc91 fixes a minor security issue:
https://github.com/opencontainers/runc/security/advisories/GHSA-g54h-m393-cpwq

In addition, 1.0.0-rc92 fixes a regression introduced in 1.0.0-rc91.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2462bf1ba5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:44:18 +02:00
Fabrice Fontaine e058e5e1bc package/efl: depends on gcc >= 4.9
efl depends on C++11 since version 1.22.0 and
https://github.com/Enlightenment/efl/commit/ac95f38d1b06ac6977ea6d8b9f14f9405396858f

Fixes:
 - http://autobuild.buildroot.org/results/458ec719a7251b59796edfc865b7226baaed6d8f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dbe2d2e686)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:20:48 +02:00
Fabrice Fontaine a052a9dfc3 package/ghostscript: security bump to version 9.53.0
- Use tar.gz as SHA512SUMS does not contain the hash for tar.xz
- Fix CVE-2020-15900: A memory corruption issue was found in Artifex
  Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator
  can allow overriding of file access controls. The 'rsearch'
  calculation for the 'post' size resulted in a size that was too large,
  and could underflow to max uint32_t.

https://www.ghostscript.com/doc/9.53.0/News.htm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cae8be20ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:16:51 +02:00
Fabrice Fontaine 3c547c1827 package/libssh: security bump to version 0.9.5
- Drop patches (already in version)
- Fix CVE-2020-16135: libssh 0.9.4 has a NULL pointer dereference in
  tftpserver.c if ssh_buffer_new returns NULL.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit df2adb2a09)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:13:51 +02:00
Titouan Christophe 28ba28ef5c package/python: do not install MS Windows installers on the target
Buildroot generates Linux systems, so there is no need to have
MS Windows executables in there.

This reduces the target filesystem size by about 600kB:
$ du -hcs usr/lib/python2.7/distutils/command/wininst-*.exe
60K usr/lib/python2.7/distutils/command/wininst-6.0.exe
64K usr/lib/python2.7/distutils/command/wininst-7.1.exe
60K usr/lib/python2.7/distutils/command/wininst-8.0.exe
192K    usr/lib/python2.7/distutils/command/wininst-9.0.exe
220K    usr/lib/python2.7/distutils/command/wininst-9.0-amd64.exe
596K    total

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a7e71716f5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:10:27 +02:00
Titouan Christophe 5a31e4f565 package/python3: do not install MS Windows installers on the target
Buildroot generates Linux systems, so there is no need to have
MS Windows executables in there.

This reduces the target filesystem size by about 2MB:
$ du -hcs usr/lib/python3.8/distutils/command/wininst-*.exe
60K usr/lib/python3.8/distutils/command/wininst-6.0.exe
64K usr/lib/python3.8/distutils/command/wininst-7.1.exe
60K usr/lib/python3.8/distutils/command/wininst-8.0.exe
192K    usr/lib/python3.8/distutils/command/wininst-9.0.exe
220K    usr/lib/python3.8/distutils/command/wininst-9.0-amd64.exe
188K    usr/lib/python3.8/distutils/command/wininst-10.0.exe
220K    usr/lib/python3.8/distutils/command/wininst-10.0-amd64.exe
448K    usr/lib/python3.8/distutils/command/wininst-14.0.exe
576K    usr/lib/python3.8/distutils/command/wininst-14.0-amd64.exe
2,0M    total

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4e97032c82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:10:24 +02:00
Robin Jarry a25c190df4 support/scripts/pycompile: fix .pyc original source file paths
When generating a .pyc file, the original .py source file path is
encoded in it. It is used for various purposes: traceback generation,
.pyc file comparison with its .py source, and code inspection.

By default, the source path used when invoking compileall is encoded in
the .pyc file. Since we use paths relative to TARGET_DIR, we end up with
paths that are only valid when relative to '/' encoded in the installed
.pyc files on the target.

This breaks code inspection at runtime since the original source path
will be invalid unless the code is executed from '/'.

Unfortunately, compileall cannot be forced to use the proper path. It
was not written with cross-compilation usage in mind.

Rework the script to call py_compile.compile() directly with pertinent
options:

- The script now has a new --strip-root argument. This argument is
  optional but will always be specified when compiling py files in
  buildroot.
- All other (non-optional) arguments are folders in which all
  "importable" .py files will be compiled to .pyc.
- Using --strip-root=$(TARGET_DIR), the future runtime path of each .py
  file is computed and encoded into the compiled .pyc.

No need to change directory before running the script anymore.

The trickery used to handle error reporting was only applicable with
compileall. Since we implement our own "compileall", error reporting
becomes trivial.

Previously, we had a --force option to tell compileall.compiledir() to
forcibly recompile files if they had changed. Now, we would have to
handle it ourselves. It turns out to not be easy and would need us to
delve into the format of bytecompiled files to extract metadata and
compare it with the expected values, that being even dependent on the
python version being used (fortunately, only two for us: python 2.7 and
the latext 3.x).

Still, this is deemed too complex, and byte-compiling is pretty fast, so
much so that it should be eclipsed by the build duration anyway.

So we just drop support for --force, and instead we always byte-compile.

Signed-off-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
[yann.morin.1998@free.fr:
  - always byte-compile
  - drop --force
  - expand commit log to state so and explain why
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c566f5206a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:06:11 +02:00
Robin Jarry 8673646dcc support/scripts/pycompile: sort imports
Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4c77dca550)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:06:07 +02:00
Robin Jarry 416bb105d8 support/scripts/pycompile: add main entry point
Only run code when the script is executed directly (not imported).
Factorize command description by using the script's __doc__ variable.
Fix typo in --force help message.

Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7b3025f93e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 20:05:58 +02:00
Peter Korsgaard 941efc499f package/zeromq: security bump to version 4.3.3
Fixes the following security issues:

- CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
  unauthenticated clients.
  If a raw TCP socket is opened and connected to an endpoint that is fully
  configured with CURVE/ZAP, legitimate clients will not be able to exchange
  any message.  Handshakes complete successfully, and messages are delivered
  to the library, but the server application never receives them.  For more
  information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

- Stack overflow on server running PUB/XPUB socket (CURVE disabled).
  The PUB/XPUB subscription store (mtrie) is traversed using recursive
  function calls.  In the remove (unsubscription) case, the recursive calls
  are NOT tail calls, so even with optimizations the stack grows linearly
  with the length of a subscription topic.  Topics are under the control of
  remote clients - they can send a subscription to arbitrary length topics.
  An attacker can thus cause a server to create an mtrie sufficiently large
  such that, when unsubscribing, traversal will cause a stack overflow.  For
  more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8

- Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
  Messages with metadata are never processed by PUB sockets, but the
  metadata is kept referenced in the PUB object and never freed.  For more
  information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw

- Memory leak in client induced by malicious server(s) without CURVE/ZAP.
  When a pipe processes a delimiter and is already not in active state but
  still has an unfinished message, the message is leaked.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87

- Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
  By crafting a packet which is not valid ZMTP v2/v3, and which has two
  messages larger than 8192 bytes, the decoder can be tricked into changing
  the recorded size of the 8192 bytes static buffer, which then gets
  overflown by the next message.  The content that gets written in the
  overflown memory is entirely decided by the sender.
  For more information see the security advisory:
  https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6

Drop now upstreamed patches, autoreconf and reformat hash file with 2 space
delimiters.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fd1ac2e762)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 19:47:15 +02:00
Brandon Maier 6dbe986282 docs/manual: Add section about contributing to maintenance branches
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
[yann.morin.1998@free.fr:
  - s/release branch/maintenance branch/
  - extend the master-then-backport section
  - slight eye-candy on the rest
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 76ed69499d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-15 19:46:48 +02:00
Heiko Thiery 98948b69d9 package/strace: disable mpers support
On aarch64 With the config option "--enable-mpers=check" the configure.ac
script searchs for a 32bit compiler. When a matching compiler is found
in the PATH some compatiblity checks are done. This can fail when the
available kernel headers on host and buildroot target does not match.

Since buildroot does not support 32bit binaries when building for 64bit
architecture (no -m32 option) we can disable this option unconditionally.

When disabling unconditionally also the configuration for toolchain using
MUSL can be removed.

Cc: Baruch Siach <baruch@tkos.co.il>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bae6142582)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-11 23:31:18 +02:00
Thomas Petazzoni 728bc4ce59 package/libxml-parser-perl: use the compiler as "LD"
Since commit efa95b19ae
("package/libxml-parser-perl: make host build use correct compiler"),
we pass $(HOST_CONFIGURE_OPTS) when building host-libxml-parser-perl,
in order to use the correct host compiler.

However, this means that LD="$(HOSTLD)" is passed. However, the
host-libxml-parser-perl passes compiler arguments to LD, so it really
assumes that LD is gcc, not ld. For example, it tries to pass
-mtune=generic.

So, let's tell host-libxml-parser-perl that LD is "$(HOSTCC)".

Fixes:

  http://autobuild.buildroot.net/results/2ed2e5ccefe9047c597f84d5880de2e8de2bdd94/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 43a26d7fe4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-11 23:18:37 +02:00
Norbert Lange 04af94f347 package/libxml-parser-perl: make host build use correct compiler
This package uses gcc filename without absolute path, which breaks
the host build if host and target compiler have the same filename.
(Can happen with an external toolchain).

This patch adds the variables for the host as overrides,
as they are otherwise not picked up from the environment.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit efa95b19ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-11 23:18:30 +02:00
Fabrice Fontaine e4ee12e107 package/libraw: security bump to version 0.20.0
- Fix CVE-2020-15503: LibRaw before 0.20-RC1 lacks a thumbnail size
  range check. This affects decoders/unpack_thumb.cpp,
  postprocessing/mem_image.cpp, and utils/thumb_utils.cpp. For example,
  malloc(sizeof(libraw_processed_image_t)+T.tlength) occurs without
  validating T.tlength.

- zlib is an optional dependency since
  https://github.com/LibRaw/LibRaw/commit/b63f017b063edb5e7091e3952ee20cb4d002edbe

Also update indentation in hash file (two spaces) as well as README.md
hash, no license changes:
 - https://github.com/LibRaw/LibRaw/commit/d1975cb0e055d2bfe58c9d845c9a3e57c346a2f9
 - https://github.com/LibRaw/LibRaw/commit/d38361b76e1a405a25b11165a1ee5495fc899246

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fd50e0f93f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-11 23:06:37 +02:00
Fabrice Fontaine 81e54c98e2 package/libraw: drop unrecognized options
demosaic packs have been removed since version 0.19.0 and
https://github.com/LibRaw/LibRaw/commit/b85690eb4881d613dd48068ee82f98ac246690b8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 68480c9bf0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-11 23:06:34 +02:00
Adrian Perez de Castro 51c21c223d package/brotli: security update to version 1.0.9
Contains fixes for overflows when input chunks are larger than 2 GiB,
an uninitialized data access, and minor correctness and performance
improvements. There does not seem to be any CVEs filed, but there is
a security notice in the release notes at:

  https://github.com/google/brotli/releases/tag/v1.0.9

Patch "0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch"
is rebased against the latest upstream changes.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 777bbd1b07)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-11 23:04:39 +02:00
Fabrice Fontaine c1f8ff7e92 package/minidlna: fix CallStranger a.k.a. CVE-2020-12675
No MINIDLNA_IGNORE_CVES entry is added as no CVE has been assigned to
minidlna. Indeed, CallStranger vulnerability affect(ed) most of the UPnP
stacks (e.g. gupnp, libupnp)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9ab9118831)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-11 22:22:51 +02:00
Fabrice Fontaine f1e0848aef package/minidlna: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/8754bb4f7d749f999d5f8ddfec587470ceec4476

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9e31511d64)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-11 22:22:46 +02:00
Peter Korsgaard 84e9581bd4 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d25b9ead1e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-09 22:43:36 +02:00
Fabrice Fontaine 41b5fbd621 package/gnutls: security bump to version 3.6.15
libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
The server sending a "no_renegotiation" alert in an unexpected timing,
followed by an invalid second handshake was able to cause a TLS 1.3
client to crash via a null-pointer dereference. The crash happens in the
application's error handling path, where the gnutls_deinit function is
called after detecting a handshake failure (#1071).
[GNUTLS-SA-2020-09-04, CVSS: medium]

https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fb3b23220b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-09 22:31:15 +02:00
Brandon Maier 81b7cfcbd9 package/systemd: Backport fix for makefs
The systemd fstab option "x-systemd.makefs" will fail to work, and throw
an error that it can't find a device named "" (an empty string).
Backport this fix from systemd v245.

Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-09 08:03:22 +02:00
Brandon Maier eb81345aa9 package/systemd: Backport fix for network-generator
The systemd-network-generator.service will fail to parse the bootarg "ip=xxx"
if it's missing the (optional) hostname field. Backport this fix from
systemd v245.

Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-09 08:02:24 +02:00
Brandon Maier bd5de6ab6a package/systemd: Fix patch numbering
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-09 08:02:10 +02:00
Brandon Maier 7813cc4aaf package/systemd: bump version to 244.4
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-09 08:01:55 +02:00
Peter Korsgaard 42b76c6383 package/go: security bump to version 1.13.15
Fixes the following security issue:

CVE-2020-16845: Go before 1.13.15 and 14.x before 1.14.7 can have an
infinite read loop in ReadUvarint and ReadVarint in encoding/binary via
invalid inputs

https://github.com/golang/go/issues/40620

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-08 23:12:20 +02:00
Peter Korsgaard 437ee02227 .gitlab-ci.yml: use python3 for flake8 run
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 22:03:37 +02:00
Yann E. MORIN a7f088767c gitlab-ci: update the image version
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7f654438c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 21:49:40 +02:00
Peter Korsgaard b120226e0e Update for 2020.02.6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 21:10:33 +02:00
Fabrice Fontaine 1c8ec92a39 package/usb_modeswitch: fix parallel install
Extract from bug report:

"In usb_modeswitch Makefile dispatcher-script, dispatcher-dynlink and
dispatcher-statlink are .PHONY targets. The result is that sources are
compiled also when install targets are called.
USB_MODESWITCH_INSTALL_TARGET_CMDS calls $(MAKE) which is a call to
parallel make eg. make -j9. So the install phase can install empty
usb_modeswitch binary (happened once) if the compiler have just cleared
the binary and install command installs it before compiler writes the
binary. USB_MODESWITCH_INSTALL_TARGET_CMDS should call $(MAKE1)."

Instead of disabling parellel install, use install-common target instead
of install-{dyn,stat}link targets. Indeed, the dynamic or static
usb_modeswitch_dispatcher binary will be built by
all-with-{dyn,stat}link-dispatcher targets, there is no need to rebuild
it during the install step

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=12911

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 345c68f04f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 14:23:53 +02:00
Fabrice Fontaine c27723190e package/wolfssl: disable examples and tests
Examples and tests are not needed especially because of them fails on
some architectures because it wrongly tries to use wc_Sha256FinalRaw:

  CCLD     tests/unit.test
/tmp/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-none-linux-gnu/9.2.1/../../../../aarch64-none-linux-gnu/bin/ld: tests/tests_unit_test-api.o: in function `test_wc_Sha256FinalRaw':
/tmp/instance-0/output-1/build/wolfssl-4.5.0-stable/tests/api.c:6504: undefined reference to `wc_Sha256FinalRaw'

Fixes:
 - http://autobuild.buildroot.org/results/d5b6f97f7510874fe28c675e599be08cb8a78c7b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5a33de882e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 10:22:05 +02:00
John Keeping 2256837ec3 package/alsa-utils: fix install if directories exist
"mkdir" (without "-p") fails if the target directory exists, which means
that if alsa-utils is being reinstalled or if other files have
previously been installed in the alsa-state.d or alsa-restore.d
directories the installation will fail.

Switch to "$(INSTALL) -d" which allows us to be explicit about the
permissions and handles the case of a pre-existing directory correctly.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a421da99a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 10:18:01 +02:00
Arnout Vandecappelle (Essensium/Mind) 86b650fc0a manual: board support: add more of our expectations
The manual has a section on adding board support to upstream buildroot,
but it fails to mention some of the things we expect. Add more of them.

- Internal toolchain.
- Beautify defconfig file.
- Fixed versions for components.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Adam Duskett <Aduskett@gmail.com>
Reviewed-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - use +monospace+ for the variables
  - use _italic_ for sections in defconfig
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit af6cffb64e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 10:14:49 +02:00
Angelo Compagnucci 657eb07888 package/cups: security bump to version 2.3.3
Fixes the following security issues:

CVE-2019-8842: The `ippReadIO` function may under-read an extension field

CVE-2020-3898: heap based buffer overflow in libcups's ppdFindOption() in
ppd-mark.c

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9b4a6cbc21)
[Mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 10:10:45 +02:00
Angelo Compagnucci c1af27f635 package/cups: Add udev rules to assign usb printers group to lp
This patch is based on patch from the rockchip tree:

commit c8a337593660f27379c30248a11bf08dc8712113
Author: Jeffy Chen <jeffy.chen@rock-chips.com>
Date:   Tue Nov 13 18:59:43 2018 +0800

    package: cups: Add udev rules to assign usb printers' group to lp

    Change-Id: Ieae17deaa7d3623e1f0e1cc826871f1719d98d88
    Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>

but removes a hardcoded device usb vendor/id and keps only the usb
printer class.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 9c47056c0c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 10:02:56 +02:00
Angelo Compagnucci 3437f849b9 package/cups: Add lp user as default cups user
This patch is a backport from the rockchip tree.

Author: Jeffy Chen <jeffy.chen@rock-chips.com>
Date:   Tue Nov 13 18:25:34 2018 +0800

    package: cups: Add lp user as default cups user

    Change-Id: Ic7434fe0a7b41b86b5b8b097fa29dd9718e29aa5
    Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>

User lp is necessary for running the cups spooler.
Groups lpadmin grants administrative privileges to users.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 608c12c044)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 10:02:54 +02:00
Fabrice Fontaine 23a3616440 package/mbedtls: security bump to version 2.16.8
Fix a "Local side channel attack on classical CBC decryption in (D)TLS"
a.k.a. CVE-2020-16150:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1

as well as a "Local side channel attack on RSA and static
Diffie-Hellman" (no CVE):
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2

Also change MBEDTLS_SITE and retrieve hash provided by upstream

https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 61bb1370d0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 09:42:47 +02:00
Peter Korsgaard d4519dff4c package/python-django: security bump to version 3.0.10
Fixes the following security issues:

CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to
intermediate-level directories created in the process of uploading files and
to intermediate-level collected static directories when using the
collectstatic management command.

You should review and manually fix permissions on existing
intermediate-level directories.

CVE-2020-24584: Permission escalation in intermediate-level directories of
the file system cache on Python 3.7+
On Python 3.7+, the intermediate-level directories of the file system cache
had the system’s standard umask rather than 0o077 (no group or others
permissions).

https://docs.djangoproject.com/en/dev/releases/3.0.10/

In addition, 3.0.8..10 contains a number of bugfixes.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eaefa775ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 09:40:38 +02:00
Lukasz Tekieli 39acdd9081 package/busybox: fix avahi-autoipd error message
When using a combination of udhcpc and avahi-autoipd in case of receiving IP
from a DHCP server, the following message can be seen:
"Failed to kill daemon: No such file or directory".
Add a check for a running avahi-autoipd to fix this issue.

Signed-off-by: Lukasz Tekieli <tekieli.lukasz@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3c5ca644ef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-05 09:38:00 +02:00
Norbert Lange e99e884e10 package/systemd: move preset-all HOOK to fakeroot stage
User can drop in more systemd units or presets
in an rootfs overlay, which will be copied over *after*
the TARGET_FINALIZE_HOOKS are run.

Instead, run preset-all afterwards from ROOTFS_PRE_CMD_HOOKS

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: Jérémy ROSEN <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 65b63785a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-04 11:48:35 +02:00
Peter Korsgaard 7aa8b41642 package/avahi: disable introspection
Fixes:
http://autobuild.buildroot.net/results/b9bf7cea8be9231552a10e8ea828bf24394402ba/

Building with introspection (together with D-Bus) support currently fails.
Fixing it is not trivial, so explicitly disable introspection for now.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b4fcf2ff58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 21:39:56 +02:00
Peter Korsgaard 0ebd8c25d3 package/docker-cli: fix version info since move to 19.03.x
Upstream changed the variables used when outputting version / git commit
info in docker version since:

 commit 04b5f44230162de40741acaa0f94c7af6f2fa1d5
 Author: Ian Campbell <ijc@docker.com>
 Date:   Tue Jan 8 15:03:51 2019 +0000

    Move versioning variables to a separate package.

    This helps to avoid circular includes, by separating the pure data out from the
    actual functionality in the cli subpackage, allowing other code which is
    imported to access the data.

    Signed-off-by: Ian Campbell <ijc@docker.com>
    Upstream-commit: 20c19830a95455e8562551aad52c715ad0807cc6
    Component: cli

Which is included in docker-cli 19.3.x - So adjust the _CLI_LDFLAGS to match
to get proper docker version output:

Client:
 Version:           19.03.11
 API version:       1.40
 Go version:        go1.13.14
 Git commit:        19.03.11

vs:

Client:
 Version:           unknown-version
 API version:       1.40
 Go version:        go1.13.14
 Git commit:        unknown-commit

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bf27781bb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 21:38:38 +02:00
Julien Grossholtz 4346b8c407 package/paho-mqtt-c: bump to version 1.3.5
This is a paho-mqtt-c maintainace release. It fixes some memory leaks as
well as a potential deadlock:

https://github.com/eclipse/paho.mqtt.c/milestone/8?closed=1

Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 179e8390a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 21:37:56 +02:00
Fabrice Fontaine 75f3570d0c package/paho-mqtt-c: drop dynamic library dependency
paho-mqtt-c can be built statically since version 1.3.3 and
https://github.com/eclipse/paho.mqtt.c/commit/f1459fac2532658a04962ae0ab67b5c3dc92ad75

See https://github.com/eclipse/paho.mqtt.c/issues/848

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ddde40f371)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 21:37:38 +02:00
Iulian Onofrei 073883278f package/libeXosip2: fix typos in help text
Signed-off-by: Iulian Onofrei <iulian.onofrei@yahoo.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fef674dbf5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 21:35:47 +02:00
Iulian Onofrei a1085fc208 package/nvidia-driver: fix typos in comments
Signed-off-by: Iulian Onofrei <iulian.onofrei@yahoo.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 21fca042d9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 21:35:45 +02:00
Fabrice Fontaine 2f7f15b1c8 package/imagemagick: (security) bump to version 7.0.10-28
- Fix CVE-2019-17547: In ImageMagick before 7.0.8-62, TraceBezier in
  MagickCore/draw.c has a use-after-free.
- Fix CVE-2019-18853: ImageMagick before 7.0.9-0 allows remote attackers
  to cause a denial of service because XML_PARSE_HUGE is not properly
  restricted in coders/svg.c, related to SVG and libxml2.
- Update hash of LICENSE file (update in year with
  https://github.com/ImageMagick/ImageMagick/commit/f775a5cf27a95c42bb6d19b50f4869db265fdaa9)
- Update indentation in hash file (two spaces)
- Switch to github helper - it has always been an autogenerated archive.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: use github helper]
(cherry picked from commit 8f2fe00f08)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 20:42:26 +02:00
Yann E. MORIN aadc2bb445 package/pkg-kconfig: quote HOSTCC_NOCCACHE
HOSTCC may contain spaces, so needs to be quoted.

Most of the places where it is already quoted use double-quotes, so we
use that.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 94bb89ad57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 20:41:40 +02:00
Fabrice Fontaine f1930002b0 package/graphite2: fix static install
Don't install an incorrect libtool file when building a static library
to fix the following build failure with harfbuzz:

arm-linux-g++.br_real: error: /home/buildroot/autobuild/run/instance-3/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libgraphite2.so: No such file or directory
make[5]: *** [main] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/9ebe1d11e80755d59190ef2aae82bbba5cc45e44

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dd2d4caf56)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 20:35:00 +02:00
Fabrice Fontaine 164ef30bfe package/graphite2: security bump to version 1.3.14
- Switch site to github, here is an extract of
  https://sourceforge.net/projects/silgraphite:
  "This project has been deprecated. Graphite2, a new version of the
  Graphite engine, is available at: https://github.com/silnrsi/graphite
  with its own bug tracker."
- graphite2 can be built statically since version 1.3.11 and
  https://github.com/silnrsi/graphite/commit/2f143c04da5caa43ddf4dba437b2f2bc26bf4238
- Update indentation in hash file (two spaces)

Extract from ChangeLog:

1.3.14
    . Bug fixes
    . Allow features to be hidden (for aliases)
    . Move to python3
    . Rename doc files from .txt to .asc

1.3.13
    . Resolve minor spacing issue in rtl non-overlap kerning
    . python3 for graphite.py
    . Better fuzzing
    . Better building on windows

1.3.12
    . Graphite no longer does dumb rendering for fonts with no smarts
    . Segment caching code removed. Anything attempting to use the segment cache gets given a regular face instead
    . Add libfuzzer support
    . Builds now require C++11
    . Improvements to Windows 64 bit builds
    . Support different versions of python including 32 bit and python 3
    . Various minor bug fixes

1.3.11
    . Fixes due to security review
    . Minor collision avoidance fixes
    . Fix LZ4 decompressor against high compression

The fixes due to security review are a little bit vague, a quick search
on github seems to indicate that those issues could be related to
segcache which has been removed since version 1.3.12:
https://github.com/silnrsi/graphite/search?q=security&type=Issues
https://github.com/silnrsi/graphite/commit/b0f77e4a9dc50a888f74e904000a2486b2fc5527

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit d3a06c2fc4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 20:34:57 +02:00
Yann E. MORIN 77fd26d562 package/uclibc: use HOSTCC_NOCCACHE as kconfig HOSTCC
uclibc is part of the toolchain, and as such does not have a dependency
on it. As a consequence, it does not have a dependency on host-ccache,
when this is needed.

Usually, host-ccache is built before uclibc, as part of the dependency
of gcc-initial, host-binutils, and a few other host packages that are
built before uclibc.

However, during top-level parallel builds, this ordering is only ever
guaranteed at the beginning of the configure step, and not before.

But for kconfig-packages, the moment we apply the configuration to
prepare the .config file is a pseudo step that happens somewhere in
limbo between the patch step and the configure step. As such, the
build ordering that is otherwise guaranteed by the _DEPENDENCIES is not
applicable yet.

And so, with top-level parallel builds with ccache enabled, there is
nothing that guarantees host-ccache to be built and installed by the
time we are trying to generate uclibc's .config file, which can be quite
early in the build process, and thus the build fails:

    /home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/per-package/uclibc/host/bin/ccache /usr/bin/gcc /home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/build/uclibc-1.0.34/extra/config/conf.c  -c -o ../../extra/config/conf.o -Os -I/usr/include/ncursesw -DCURSES_LOC="<curses.h>"  -DNCURSES_WIDECHAR=1 -DLOCALE -DKBUILD_NO_NLS -DCONFIG_='""'   -I/usr/include/ncursesw -DCURSES_LOC="<curses.h>"  -DNCURSES_WIDECHAR=1 -DLOCALE -DKBUILD_NO_NLS -DCONFIG_='""'
    /bin/sh: 1: /home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/per-package/uclibc/host/bin/ccache: not found
    make[2]: *** [Makefile:64: ../../extra/config/conf.o] Error 127
    make[1]: *** [Makefile.in:475: extra/config/conf] Error 2
    make[1]: Leaving directory '/home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/build/uclibc-1.0.34'
    make: *** [package/uclibc/uclibc.mk:458: /home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/build/uclibc-1.0.34/.stamp_dotconfig] Error 2
    make: *** Waiting for unfinished jobs....

The root cause is that uclibc sets;

    UCLIBC_KCONFIG_OPTS = $(UCLIBC_MAKE_FLAGS) [...]

with:

    UCLIBC_MAKE_FLAGS = [...] HOSTCC="$(HOSTCC)"

And then the kconfig-package infra calls to the configurators,
menuconfig, xconfig et al, but also olddefconfig et al.. with:

    [...] $($(1)_MAKE) [...] $(PKG_KCONFIG_COMMON_OPTS) $($(1)_KCONFIG_OPTS) [...]

with (note a latent bug in there, will be fixed in another patch):

    PKG_KCONFIG_COMMON_OPTS = HOSTCC=$(HOSTCC_NOCCACHE)

So, a HOSTCC as set by a package will always win onver the one set by
the infra, which is exactly what we want.

But in this case, uclibc sets HOSTCC so that it can build its host tools
needed during the build, and in doing so uses the ccache-enabled host c
compiler. Which might not yet be available for the kconfig-package infra
to generate the .config file.

We had a similar (non-)issue for the linux package, which was fixed in
commit 71a31b2357 (linux: use HOSTCC_NOCCACHE as kconfig HOSTCC).

But here, uclibc does not have the toolchain in its dependencies (as said
earlier, uclibc *is* part of the toolchain).

Since the host compiler is only used to build very few files to generate
the simple executable needed to generate the .config file, doing without
the ccache-enabled host compiler will be amply enough.

So, we override HOSTCC in UCLIBC_KCONFIG_OPTS, to use the non-cached
host compiler.

Note that, in a first approximation, one would be tempted to change the
ordering in the kconfig-package infra:

        $($(1)_KCONFIG_OPTS) $(PKG_KCONFIG_COMMON_OPTS)

so that the non-cached HOSTCC always wins over the cached one. But this
would be incorrect, in cases where the package really needs to override
HOSTCC; indeed we want the package-provided values to always win over
the default ones providing by the infra.

Reported-by: Raphael Jacob <r.jacob2002@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 689fe66100)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-01 20:28:58 +02:00
Yann E. MORIN 9841cc9432 package/pkg-utils.mk: kconfig mangling defaults to current package's .config
The kconfig mangling macros currently operate on the caller-supplied
.config file, on the assumption that the caller will always know what
file to mangle.

This was correct so far, as packages would indeed only mangle their
own .config files.

However, the Linux kernel does its mangling based on whether some
other packages are enabled or not. That list of conditional mangling
is getting bigger and bigger with each new package that needs such
mangling, culminating with the pending firewalld one [0]. Furthermore,
this mangling is not accessible to packages in br2-external trees. So
we'll want to have packages provide the mangling commands.

So we'll want the mangling to be done on the Linux' .config file in
the expanding package context, not in the package calling the macros.

But packages do not, and should not have knowledge about where the
.config file is, nor how it is named.

So we make the parameter to specify the .config file to mangle
optional.  If it is set, this is what the macros will mangle; if it is
not set, the expanding package's .config file will be used.

This has the added benefit that we do not have to repeat in the
expanding package context the knowledge of how the .config file is
named:

    FOO_KCONFIG_DOTCONFIG = .config
    define FOO_KCONFIG_FIXUPS_CMDS
        $(call KCONFIG_ENABLE_OPT,BLA)
    endef

[0] http://lists.busybox.net/pipermail/buildroot/2020-March/278683.html

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 21e69972bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-30 08:53:37 +02:00
Yann E. MORIN 61ba2ec685 package/pkg-utils.mk: rationalise kconfig option mangling
Currently, we have three macros that may mangle a .config file. All
three are modeled after the same pattern: removing the existing option
from the .config file, then adding the new definition for that option;
all three also implement that pattern with the same commands: sed and
echo.

This is all good so far, because it was simple enough, and they always
worked on a file passed in parameter.

However, we're soon going to change this file parameter to make it
optional, so that the file will then be auto-deduced for the current
package. In that case, the file to sed and echo into will be a more
complex structure than just the parameter.

As such, move the actual mangling down to a helper macro, that is called
from the three existing ones.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 653afb764a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-30 08:53:18 +02:00
Peter Korsgaard 6ec5f4eb71 Update for 2020.02.5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 21:31:44 +02:00
Fabrice Fontaine dc2152dbb6 package/domoticz: drop SYNC4 from comment
Commit 8f5a9f597e forgot to drop SYNC4
from comment

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c0126c38d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 20:05:10 +02:00
Titouan Christophe d5438fdb06 package/mosquitto: security bump to v1.6.12
Mosquitto 1.6.11 is a bugfix release, read the whole announcement on
http://mosquitto.org/blog/2020/08/version-1-6-11-released/

Mosquitto 1.6.12 is a security and bugfix release, read
http://mosquitto.org/blog/2020/08/version-1-6-12-released/

>From the 1.6.11 changelog of the client library:
mosquitto_loop_start() now sets a thread name on Linux, FreeBSD, NetBSD,
and OpenBSD. Closes #1777.
This is done with pthread_setname_np; so mosquitto now requires
BR2_TOOLCHAIN_HAS_THREADS_NPTL when built with threading support.

2 reverse dependencies use the threaded API, but they already
depend on BR2_TOOLCHAIN_HAS_THREADS_NPTL:
* domoticz [1] (we add a comment for mosquitto)
* shairport-sync [2]

[1] https://github.com/domoticz/domoticz/blob/2020.1/main/mosquitto_helper.cpp#L344
[2] https://github.com/mikebrady/shairport-sync/blob/3.3.6/mqtt.c#L227-L229

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit df15d751c7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:51:55 +02:00
Titouan Christophe 7de027bf95 package/{collectd, domoticz}: fix outdated dependencies for mosquitto
In 4fc62e1eb6, we removed arch/toolchain
dependencies from the mosquitto library (MMU, !STATIC, SYNC4), and moved
them to the mosquitto broker only.

All the packages modified here only need the mosquitto library, so they
shouldn't have those depends anymore; but this was never done before.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
[Peter: leave mmu/!static dependency for domoticz as it uses fork()/looks
	for libmosquitto.so]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8f5a9f597e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:51:21 +02:00
Fabrice Fontaine 9806ac3df0 package/wolfssl: fix build with big endian
Fixes:
 - http://autobuild.buildroot.org/results/21098180d386890025ed5cdd243bf5a9b444c5cf

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0ac6246ca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:49:31 +02:00
Paul Cercueil 332e245792 linux: run depmod only if modules directory exists
If the modules directory that corresponds to the version of the kernel
being built has been deleted, don't try to run depmod, which will
obviously fail.

This can happen for instance when the modules are stripped from the main
root filesystem, and placed into a separate filesystem image, so that
the root filesystem and the kernel can be updated separately.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 532fe9fb57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:42:26 +02:00
Peter Korsgaard f1a83afe2d fs/cpio/init: unbreak ttyname_r() on glibc after dropping /dev/console exec
Commit 98a6f1fc02 (fs/cpio: make initramfs init script survive 'console='
kernel argument) dropped the explicit /dev/console execs for fd 0,1,2, as
they fail when booted with console= and aren't really needed as the kernel
will setup fd 0,1,2 from /dev/console before executing the initramfs anyway.

Not doing this unfortunately confuses glibc's ttyname_r(3) implementation
(used by E.G.  busybox/coreutils 'tty'), causing it to fail with ENOENT as
it does a fstat on fd 0 and tries to match up st_ino / st_dev against the
entries in /dev (since glibc 2.26):

 commit 15e9a4f378c8607c2ae1aa465436af4321db0e23
 Author: Christian Brauner <christian.brauner@canonical.com>
 Date:   Fri Jan 27 15:59:59 2017 +0100

    linux ttyname and ttyname_r: do not return wrong results

    If a link (say /proc/self/fd/0) pointing to a device, say /dev/pts/2, in a
    parent mount namespace is passed to ttyname, and a /dev/pts/2 exists (in a
    different devpts) in the current namespace, then it returns /dev/pts/2.
    But /dev/pts/2 is NOT the current tty, it is a different file and device.

    Detect this case and return ENODEV.  Userspace can choose to take this as a hint
    that the fd points to a tty device but to act on the fd rather than the link.

    Signed-off-by: Serge Hallyn <serge@hallyn.com>
    Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The reason it fails is that we manually mount devtmpfs on /dev in /init, so
the /dev/console used by the kernel (in rootfs) is not the same file as
/dev/console at runtime (in devtmpfs).

Notice: Once logged in, tty does work correctly.  Presumably login reopens
stdin/stdout/stderr.

To fix this, re-add the exec of /dev/console for fd 0,1,2, but only do so if
possible.  Because of the above mentioned shell behaviour (specified by
POSIX [0]), perform this check in a subshell.

[0] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_20_01

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b9026e83f9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:40:49 +02:00
Fabrice Fontaine eb5b33c51d package/postgresql: security bump to version 12.4
- Fix CVE-2020-14349: It was found that PostgreSQL versions before 12.4,
  before 11.9 and before 10.14 did not properly sanitize the search_path
  during logical replication. An authenticated attacker could use this
  flaw in an attack similar to CVE-2018-1058, in order to execute
  arbitrary SQL command in the context of the user used for replication.
- Fix CVE-2020-14350: It was found that some PostgreSQL extensions did
  not use search_path safely in their installation script. An attacker
  with sufficient privileges could use this flaw to trick an
  administrator into executing a specially crafted script, during the
  installation or update of such extension. This affects PostgreSQL
  versions before 12.4, before 11.9, before 10.14, before 9.6.19, and
  before 9.5.23.

https://www.postgresql.org/docs/12/release-12-4.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 35ebee6510)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:39:27 +02:00
Bernd Kuhls 6788863f84 package/postgresql: bump version to 12.3
Changelog: https://www.postgresql.org/about/news/2038/

Fixes CVE-2020-10733 which is only relevant for Windows.

Reformatted hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1fcf0e27b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:39:20 +02:00
Yann E. MORIN eac943b234 Makefile: use $(Q) instead of @ to silence target-finalize commands
As 18f6c26118 just did to silence the file lists commands, switch to
using $(Q) instead of a plain @, to silence the commands.

Using $(Q) will allow to debug the commands with V=1.

We keep @ for the calls to MESSAGE, though.

The commands that are not currently silenced are left as-is, and they
can be converted to being silent in a followup patch, if need be,

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5754d9c9b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:36:24 +02:00
Thomas Petazzoni 72ec125c16 Makefile: hide commands that build the package file lists at end of build
Since commit 0e2be4db8a
("package/pkg-generic: make file list logic parallel build
compatible"), the commands executed at the every end of the build
to assemble the list of files installed by the different packages
are visible in the make output. They are quite noisy, and clutter
the output.

The other commands in target-finalize are also hidden using "@",
so we should also do the same for those commands. But that hurts
debuggability, so we use $(Q) (the existing '@'s can be changed
in a followup patch).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: use '$(Q)', not '@']
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 18f6c26118)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:36:17 +02:00
Peter Korsgaard a81e60cebd package/squid: security bump to version 4.13
Fixes the following security issues:

CVE-2020-15810: HTTP(S) Request Smuggling
Due to incorrect data validation Squid is vulnerable to HTTP Request
Smuggling attacks against HTTP and HTTPS traffic.  This leads to cache
poisoning.
https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m

CVE-2020-15811: HTTP(S) Request Splitting
Due to incorrect data validation Squid is vulnerable to HTTP Request
Splitting attacks against HTTP and HTTPS traffic.  This leads to cache
poisoning.
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv

CVE-2020-24606: Denial of Service processing Cache Digest Response
Due to Improper Input Validation Squid is vulnerable to a Denial of Service
attack against the machine operating Squid.
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 71ac106bb3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 13:36:56 +02:00
Peter Korsgaard cc3e09eba0 package/glibc: security bump for additional post-2.30.x fixes
Fixes the following security issue:

arm: CVE-2020-6096: Fix multiarch memcpy for negative length [BZ #25620]
Unsigned branch instructions could be used for r2 to fix the wrong behavior
when a negative length is passed to memcpy.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 12:24:03 +02:00
Fabrice Fontaine cd67d6c08b package/wolfssl: security bump to version 4.5.0
wolfSSL version 4.5.0 contains 6 vulnerability fixes: 2 fixes for TLS 1.3,
2 side channel attack mitigations, 1 fix for a potential private key leak
in a specific use case, 1 fix for DTLS including those 3 CVEs:

- Fix CVE-2020-12457: An issue was discovered in wolfSSL before 4.5.0.
  It mishandles the change_cipher_spec (CCS) message processing logic
  for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a
  crafted way involving more than one in a row, the server becomes stuck
  in the ProcessReply() loop, i.e., a denial of service.
- Fix CVE-2020-15309: An issue was discovered in wolfSSL before 4.5.0,
  when single precision is not employed. Local attackers can conduct a
  cache-timing attack against public key operations. These attackers may
  already have obtained sensitive information if the affected system has
  been used for private key operations (e.g., signing with a private
  key).
- Fix CVE-2020-24585: An issue was discovered in the DTLS handshake
  implementation in wolfSSL before 4.5.0. Clear DTLS application_data
  messages in epoch 0 do not produce an out-of-order error. Instead,
  these messages are returned to the application.

Also update hash of LICENSING as well as WOLF_LICENSE due to later
verbage update with
https://github.com/wolfSSL/wolfssl/commit/970391319beb023680eccd0e447e76834dbb4808

https://www.wolfssl.com/docs/security-vulnerabilities/

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0ed8bf6d2b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 11:57:44 +02:00
Sergio Prado 3aba2e0c2e package/wolfssl: bump version to 4.4.0
Also change the hash file to separate the fields by two spaces.

Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4b71f00b1e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 11:57:35 +02:00
Fabrice Fontaine 15389955ae package/wireshark: security bump to version 3.2.6
Fix CVE-2020-17498: In Wireshark 3.2.0 to 3.2.5, the Kafka protocol
dissector could crash. This was addressed in
epan/dissectors/packet-kafka.c by avoiding a double free during LZ4
decompression.

https://www.wireshark.org/security/wnpa-sec-2020-10.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 753d01ac56)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 11:56:46 +02:00
Peter Korsgaard 813178eb21 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 7}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3cf6d708e1)
[Peter: drop 5.7.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 10:44:00 +02:00
Yann E. MORIN 7d3df069d5 linux: workaround make-4.1 bug
On Ubuntu 18.04, make-4.1 emits spurious, incorrect "entering/leaving"
messages, which end up in the LINUX_VERSION_PROBED variable:

    printf 'probed linux version: "%s"\n' "$(LINUX_VERSION_PROBED)"
    probed linux version: "make[1]: Entering directory '/home/buildroot'
    4.19.78-linux4sam-6.2
    make[1]: Leaving directory '/home/buildroot/output/build/linux-linux4sam_6.2'"

First, the messages are displayed even though we do explicitly pass
--no-print-directory -s.

Second, the entering and leaving messages are not about the same
directory!

This *only* occurs in the following conditions:

  - the user has the correct 0022 umask,
  - top-level parallel is used (with or without PPD),
  - initial -C is specified as well.

    $ umask 0022
    $ make -j16 -C $(pwd)
    [...]
    depmod: ERROR: Bad version passed make[1]:
    [...]

(yes, 'make[1]:' is the string depmod is trying, and fails, to parse as
a version string).

If any of the three conditions above is removed, the problem no longer
occurs. Here's a table of the MAKEFLAGS:

                |                   0002                         |          0022            |
    ----+-------+------------------------------------------------+--------------------------+
        | no-j  | --no-print-directory --                        |                          |
    noC |       +------------------------------------------------+--------------------------+
        | -j16  | -j --jobserver-fds=3,4 --no-print-directory -- | -j --jobserver-fds=3,4   |
    ----+-------+------------------------------------------------+--------------------------+
        | no-j  | --no-print-directory --                        | w                        |
    -C  |       +------------------------------------------------+--------------------------+
        | -j16  | -j --jobserver-fds=3,4 --no-print-directory -- | w -j --jobserver-fds=3,4 |
    ----+-------+------------------------------------------------+--------------------------+

    0002: umask == 0002
    0022: umask == 0022

    no-j: no -j flag
    -j16: -j16 flag

    noC: no -C flag
    -C : -C /path/of/buildroot/

Only the bottom-right-most case fails...

This behaviour goes against what is documented:

    https://www.gnu.org/software/make/manual/make.html#g_t_002dw-Option

    5.7.4 The ‘--print-directory’ Option
    [...]
    you do not need to specify this option because ‘make’ does it for
    you: ‘-w’ is turned on automatically when you use the ‘-C’ option,
    and in sub-makes. make will not automatically turn on ‘-w’ if you
    also use ‘-s’, which says to be silent, or if you use
    ‘--no-print-directory’ to explicitly disable it.

So this exactly describes our situation; yet 'w' is added to MAKEFLAGS.

Getting rid of the 'w' flag makes the build succeed again, so that's
what we do here (bleark, icky)...

Furthermore, the documented way to override MAKEFLAGS is to do so as a
make parameter:

    https://www.gnu.org/software/make/manual/make.html#Options_002fRecursion

    5.7.3 Communicating Options to a Sub-make
    [...]
    If you do not want to pass the other flags down, you must change the
    value of MAKEFLAGS, like this:

        subsystem:
            cd subdir && $(MAKE) MAKEFLAGS=

However, doing so does not fix the issue. So we resort to pass the
modified MAKEFLAGS via the environment (bleark, icky)...

Fixes: #13141

Reported-by: Laurent <laurent@neko-labs.eu>
Reported-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3f6a40e9fa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 10:39:33 +02:00
Peter Korsgaard 3fbff36337 package/trousers: add upstream security fix
Fixes the following security issues:

CVE-2020-24332
If the tcsd daemon is started with root privileges,
the creation of the system.data file is prone to symlink attacks

CVE-2020-24330
If the tcsd daemon is started with root privileges,
it fails to drop the root gid after it is no longer needed

CVE-2020-24331
If the tcsd daemon is started with root privileges,
the tss user has read and write access to the /etc/tcsd.conf file

For details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/05/20/3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e71be18354)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 10:39:13 +02:00
Peter Korsgaard a4c252e967 package/cryptsetup: add upstream patch to fix build against json-c >= 0.14.0
Fixes:
http://autobuild.buildroot.net/results/2ae/2aec06342f325c6d1f26376ef258f441b15098d5/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 09:30:09 +02:00
Bernd Kuhls 53575d5ff2 package/dovecot-pigeonhole: bump version to 0.5.11
Release notes:
https://dovecot.org/pipermail/dovecot-news/2020-August/000439.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bbb4e21046)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:55:45 +02:00
Bernd Kuhls b4aea092ba package/dovecot-pigeonhole: bump version to 0.5.10
Release notes:
https://raw.githubusercontent.com/dovecot/pigeonhole/release-0.5.10/NEWS

Reformatted hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 88aa55953c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:55:42 +02:00
Bernd Kuhls c64bec3a35 package/x11r7/xlib_libX11: security bump version to 1.6.12
Fixes CVE-2020-14363:
https://lists.x.org/archives/xorg-announce/2020-August/003056.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab0c98cac8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:52:24 +02:00
Bernd Kuhls 04f7aee1da package/x11r7/xserver_xorg-server: security bump version to 1.20.9
Fixes CVE-2020-14345, CVE-2020-14346, CVE-2020-14361 & CVE-2020-1436:
https://lists.x.org/archives/xorg-announce/2020-August/003058.html

Removed patch 0002, not needed anymore due to upstream commit
https://cgit.freedesktop.org/xorg/xserver/commit/configure.ac?h=server-1.20-branch&id=c601c8faf54ff9e3bcbc653421828d71042deef7

Build-tested with wayland:
checking for a useful monotonic clock ......
checking whether CLOCK_MONOTONIC is declared... yes
guessing yes

Removed patch 0007, included in upstream release.

Rebased and renumbered remaining patches.

Reformatted license hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b7f0ee878c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:51:26 +02:00
Fabrice Fontaine 267804d758 package/shadowsocks-libev: security bump to version 3.3.4
- Fix CVE-2019-5163: An exploitable denial-of-service vulnerability
  exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When
  utilizing a Stream Cipher and a local_address, arbitrary UDP packets
  can cause a FATAL error code path and exit. An attacker can send
  arbitrary UDP packets to trigger this vulnerability.
- Fix CVE-2019-5164: An exploitable code execution vulnerability exists
  in the ss-manager binary of Shadowsocks-libev 3.3.2. Specially crafted
  network packets sent to ss-manager can cause an arbitrary binary to
  run, resulting in code execution and privilege escalation. An attacker
  can send network packets to trigger this vulnerability.

Also update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fd3dd9d9c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:50:56 +02:00
Fabrice Fontaine e1e1767daa package/python-matplotlib: simplify version checks
Hopefully, this should fix the following error on one of the
autobuilders:

png: no  [The C/C++ header for libpng (png.h) could not
     be found.  You may need to install the development
     package.]

Fixes:
 - http://autobuild.buildroot.org/results/afddcc44b2fb7983244f24542bfae921869e4ab8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 07b74f914d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:49:30 +02:00
Fabrice Fontaine 1ee1539bd0 package/openjpeg: add CVE-2020-15389 entry
Commit b006cc373f forgot to add
the OPENJPEG_IGNORE_CVES entry

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 77ef9c333c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:45:21 +02:00
Fabrice Fontaine fea8055872 package/openjpeg: fix CVE-2020-15389
Fix CVE-2020-15389: jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a
use-after-free that can be triggered if there is a mix of valid and
invalid files in a directory operated on by the decompressor. Triggering
a double-free may also be possible. This is related to calling
opj_image_destroy twice.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b006cc373f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:44:53 +02:00
Fabrice Fontaine f4cd4359ab package/json-c: security bump to version 0.15
Fix CVE-2020-12762: json-c through 0.14 has an integer overflow and
out-of-bounds write via a large JSON file, as demonstrated by
printbuf_memappend.

Also update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 071e719d58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:43:04 +02:00
Christopher Pelloux 7df4edb05a package/json-c: bump version to 0.14
Notes:

- json-c now uses cmake instead of autoconf
- This version also brings support to the much welcomed feature for
  parsing uint64_t types

Signed-off-by: Christopher Pelloux <git@chp.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7b4581cca8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:43:00 +02:00
Thomas Petazzoni fc24b95723 support/scripts/pkg-stats: drop erroneous "break" in CVE.affects()
Commit 7d2779ecbb
("support/script/pkg-stats: handle exception when version comparison
fails") erroneousy introduced a "break" within a try/expect block.

This break has the unfortunate consequence that every CVE that was
using the <= operator was skipped, and according to the current
CVE statistics, made us miss 74 CVEs out of 141 CVEs.

Here is for reference the complete list of CVEs we missed:

 - gnupg
   CVE-2006-3082
   CVE-2019-13050

 - jhead
   CVE-2020-6624
   CVE-2020-6625

 - patch
   CVE-2018-6952
   CVE-2019-20633

 - json-c
   CVE-2020-12762

 - git
   CVE-2018-1000110
   CVE-2018-1000182
   CVE-2019-1003010
   CVE-2020-2136

 - iperf2
   CVE-2016-4303

 - libtorrent
   CVE-2009-1760
   CVE-2016-5301

 - lua
   CVE-2020-15888
   CVE-2020-15889
   CVE-2020-15945
   CVE-2020-24342

 - openvpn
   CVE-2020-7224

 - smack
   CVE-2016-10027

 - bashtop
   CVE-2019-18276

 - links
   CVE-2008-3319

 - argus
   CVE-2011-3332

 - libraw
   CVE-2020-15503

 - netcat
   CVE-2008-5727
   CVE-2008-5728
   CVE-2008-5729
   CVE-2008-5730
   CVE-2008-5742
   CVE-2015-2214

 - subversion
   CVE-2017-1000085
   CVE-2018-1000111
   CVE-2020-2111

 - python
   CVE-2013-1753
   CVE-2015-5652
   CVE-2017-17522
   CVE-2017-18207
   CVE-2019-20907
   CVE-2019-9674

 - cereal
   CVE-2020-11104
   CVE-2020-11105

 - opencv
   CVE-2017-1000450
   CVE-2017-12597
   CVE-2017-12598
   CVE-2017-12599
   CVE-2017-12600
   CVE-2017-12601
   CVE-2017-12602
   CVE-2017-12603
   CVE-2017-12604
   CVE-2017-12605
   CVE-2017-12606
   CVE-2017-12862
   CVE-2017-12863
   CVE-2017-12864
   CVE-2019-15939

 - docker
   CVE-2015-1843
   CVE-2015-3627
   CVE-2015-3630
   CVE-2015-3631
   CVE-2016-3697
   CVE-2017-14992
   CVE-2019-16884

 - trousers
   CVE-2020-24330
   CVE-2020-24331
   CVE-2020-24332

 - libcroco
   CVE-2020-12825

 - libpupnp
   CVE-2020-13848

 - openjpeg
   CVE-2020-15389

 - flex
   CVE-2015-1773

 - libesmtp
   CVE-2019-19977

 - ed
   CVE-2015-2987

 - libmad
   CVE-2018-7263

 - grub
   CVE-2020-15705

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b3f959fe96)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:29:38 +02:00
Sam Voss 80c9d50e5e package/ripgrep: fix build directories
RIPGREP_CARGO_MODE was no longer defined after 832c076f26 and caused
issues during the install step as the build directory was malformed.

This patch maintains the release/dev profile distinction, while also
assigning appropriate build folders.

Fixes:
 - http://autobuild.buildroot.net/results/a4cd7ecc6d983aa6f15d3be1e21529f17e04b825/
 - http://autobuild.buildroot.net/results/2bab8ffa590d4c4eabffe94ed27311c7f6607c98/

Signed-off-by: Sam Voss <sam.voss@gmail.com>
CC: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 32d27c2f4c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:28:48 +02:00
Yann Sionneau 8ddefc303c package/patchelf: keep RPATH entries even without DT_NEEDED libraries
Our patch
0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch adds
an option --make-rpath-relative, which we use to tweak RPATH of target
binaries.

However, one of the effect of this option is that it drops RPATH
entries if the corresponding directory does not contain a library that
is referenced by a DT_NEEDED entry of the binary.

This unfortunately isn't correct, as RPATH entries are not only used
by the dynamic linker to resolve the location of libraries listed
through DT_NEEDED entries: RPATH entries are also used by dlopen()
when resolving the location of libraries that are loaded at runtime.

Therefore, the removal of RPATH entries that don't correspond to
directories containing libraries referenced by DT_NEEDED entries break
legitimate uses of RPATH for dlopen()ed libraries.

This issue was even pointed out during the review of the upstream pull
request:

  https://github.com/NixOS/patchelf/pull/118#discussion_r329660138

This fixes tst-origin uClibc-ng unit test:

https://github.com/wbx-github/uclibc-ng-test/blob/master/test/dlopen/Makefile.in#L25
https://github.com/wbx-github/uclibc-ng-test/blob/master/test/dlopen/tst-origin.c#L15

Without this patch:

$ gcc -o toto toto.c -Wl,-rpath,/tmp/test/bar
$ readelf -d toto | grep PATH
 0x000000000000000f (RPATH)              Library rpath: [/tmp/test/bar]
$ ./output/host/bin/patchelf --debug --make-rpath-relative /tmp/
toto
patching ELF file `toto'
Kernel page size is 4096 bytes
removing directory '/tmp/test/bar' from RPATH because it does not contain needed libs
new rpath is `'
$ readelf -d toto | grep PATH
 0x000000000000001d (RUNPATH)            Library runpath: []

With the patch applied:

$ gcc -o toto toto.c -Wl,-rpath,/tmp/test/bar
$ readelf -d toto | grep PATH
 0x000000000000000f (RPATH)              Library rpath: [/tmp/test/bar]
$ ./output/host/bin/patchelf --debug --make-rpath-relative /tmp/ toto
patching ELF file `toto'
Kernel page size is 4096 bytes
keeping relative path of /tmp/test/bar
new rpath is `test/bar'
$ readelf -d toto | grep PATH
 0x000000000000001d (RUNPATH)            Library runpath: [test/bar]

Signed-off-by: Yann Sionneau <ysionneau@kalray.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bcdb74512d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:22:08 +02:00
Peter Korsgaard df77691b15 package/hostapd: add upstream 2020-1 security patches
Fixes the following security vulnerabilities:

CVE-2020-12695: The Open Connectivity Foundation UPnP specification before
2020-04-17 does not forbid the acceptance of a subscription request with a
delivery URL on a different network segment than the fully qualified
event-subscription URL, aka the CallStranger issue.

For details, see the advisory:
https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9b020359b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:19:59 +02:00
Peter Korsgaard 9393ff855d {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 7}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a3711132a)
[Peter: drop 5.7.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:14:03 +02:00
Fabrice Fontaine da17a05721 package/ripgrep: fix debug build
There is no --debug mode for cargo resulting in the following build
failure since the addition of this package with commit
4b0d1ef6ac:

error: Unknown flag: '--debug'

Fixes:
 - http://autobuild.buildroot.org/results/58e74bb056ec65680ecebaa559aa14bdebbf5c85
 - http://autobuild.buildroot.org/results/28c6364a89a6044d5a036614f7a6e59815efb770

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: keep the default 'dev' mode when in debug]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d67ff44850)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:08:57 +02:00
Fabrice Fontaine 94efdad6c7 docs/manual/adding-packages-cargo.txt: drop debug profile
There is no debug profile on cargo. The available profiles are: dev
(enabled by default), release, test and bench.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ec5b470710)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:07:52 +02:00
Peter Korsgaard f7c58e57ad package/xen: add upstream security fix for XSA-327
Fixes the following security issue:

CVE-2020-15564: Missing alignment check in VCPUOP_register_vcpu_info

For further details, see the advisory:

https://xenbits.xenproject.org/xsa/advisory-327.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b541b68067)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:06:26 +02:00
Peter Korsgaard 5bbe135cf8 package/tpm2-abrmd: bump to version 2.3.3
Bugfix release with a single fix:

Fixed:
  - Fixed handle resource leak exhausting TPM resources.

https://github.com/tpm2-software/tpm2-abrmd/releases/tag/2.3.3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b557b2e812)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:05:43 +02:00
Titouan Christophe e551d8c364 package/libcurl: security bump to 7.72.0
This new version fixes, amongst many other things, CVE-2020-8231
(https://curl.haxx.se/docs/CVE-2020-8231.html). See the full changelog
on https://curl.haxx.se/changes.html#7_72_0 .

Also drop the 4 patches, that have all been released upstream.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4a55c2743b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:05:05 +02:00
Peter Korsgaard cf7176c3ef package/bind: security bump to version 9.11.22
Fixes the following security issues:

CVE-2020-8622: A truncated TSIG response can lead to an assertion failure
https://kb.isc.org/docs/cve-2020-8622

CVE-2020-8623: A flaw in native PKCS#11 code can lead to a remotely
triggerable assertion failure in pk11.c
https://kb.isc.org/docs/cve-2020-8623

CVE-2020-8624: update-policy rules of type "subdomain" are enforced incorrectly
https://kb.isc.org/docs/cve-2020-8624

For more details, see the release notes:
https://downloads.isc.org/isc/bind9/9.11.22/RELEASE-NOTES-bind-9.11.22.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4b126afd27)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:03:24 +02:00
Peter Korsgaard 09c531ca09 package/chrony: security bump to version 3.5.1
Fixes the following security issues:

CVE-2020-14367: Insecure writing of pidfile
-------------------------------------------

When chronyd is configured to save the pidfile in a directory where the
chrony user has write permissions (e.g. /var/run/chrony - the default
since chrony-3.4), an attacker that compromised the chrony user account
could create a symbolic link at the location of the pidfile to make
chronyd starting with root privileges follow the symlink and write its
process ID to a file for which the chrony user doesn't have write
permissions, causing a denial of service, or data loss.

This issue was reported by Matthias Gerstner of SUSE.

For further details, see the oss-security posting:
https://www.openwall.com/lists/oss-security/2020/08/21/1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 15484553f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:02:58 +02:00
Fabrice Fontaine 5d18afcfe4 docs/manual: fix typo
depednencies -> dependencies

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 531e96e98c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:01:43 +02:00
Fabrice Fontaine af9b6c9e89 package/gstreamer1/gst1-plugins-bad: fix deactivation of opencv
Build can fail if opencv3 is built before gst1-plugins-bad because
-Dopencv=disabled does not work in meson (i.e. since commit
5d6c408e95)

Fixes:
 - http://autobuild.buildroot.org/results/19605057c4956d97e9e65068680485db637282db

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a4bd80de75)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:57:33 +02:00
Frank Vanbever 61b25934d8 package/elixir: fix host-erlang dependency
There is no target elixir package, so setting a value to
ELIXIR_DEPENDENCIES has no effect, HOST_ELIXIR_DEPENDENCIES must be
used instead.

Fixes:

  http://autobuild.buildroot.net/results/a3a37eb724ca5689f8e83c9b2af04d07afa80315/

Signed-off-by: Frank Vanbever <frank.vanbever@essensium.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d059946df0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:53:48 +02:00
Bernd Kuhls 1ef350aa6e package/dovecot: security bump version to 2.3.11.3
Release notes:
https://dovecot.org/pipermail/dovecot-news/2020-August/000440.html

Fixes the following CVEs:

* CVE-2020-12100: Parsing mails with a large number of MIME parts could
  have resulted in excessive CPU usage or a crash due to running out of
  stack memory.
* CVE-2020-12673: Dovecot's NTLM implementation does not correctly check
  message buffer size, which leads to reading past allocation which can
  lead to crash.
* CVE-2020-10967: lmtp/submission: Issuing the RCPT command with an
  address that has the empty quoted string as local-part causes the lmtp
  service to crash.
* CVE-2020-12674: Dovecot's RPA mechanism implementation accepts
  zero-length message, which leads to assert-crash later on.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6db0ea91ef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:52:17 +02:00
Fabrice Fontaine 93a9d8d127 package/ghostscript: security bump to version 9.52
Fix a bunch of CVEs: CVE-2020-16287, CVE-2020-16288, CVE-2020-16289,
CVE-2020-16290, CVE-2020-16291, CVE-2020-16292, CVE-2020-16293,
CVE-2020-16294, CVE-2020-16295, CVE-2020-16296, CVE-2020-16297,
CVE-2020-16298, CVE-2020-16299, CVE-2020-16300, CVE-2020-16301,
CVE-2020-16302, CVE-2020-16303, CVE-2020-16304, CVE-2020-16305
CVE-2020-16308, CVE-2020-16309, CVE-2020-17538

PKGCONFIG must be passed since version 9.51 and
https://github.com/ArtifexSoftware/ghostpdl/commit/2d84ecc57837785b566ebd9d5909ba9edc9d697f

Also drop patch (already in version) and update indentation in hash file
(two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e90c68e775)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:50:24 +02:00
Fabrice Fontaine 3e499ad849 package/opencv3: fix build with jasper >= 2.0.17
Fixes:
 - http://autobuild.buildroot.org/results/8da00d4b079195f45fe74d879b10db05d74d0559

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 594201acb5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:45:52 +02:00
Fabrice Fontaine d95e110e44 package/opencv: fix build with jasper >= 2.0.17
Fixes:
 - http://autobuild.buildroot.org/results/656e2232a0566ba8f7826a87b1fab9cc2c3d8e46

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 521854251f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:45:46 +02:00
Fabrice Fontaine 44dff152c6 package/mpv: atomic is mandatory
__sync builtins have been dropped since version 0.24.0 and
https://github.com/mpv-player/mpv/commit/c3205d294e519f994829d9355eb133670729aab4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c6c381c483)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:43:57 +02:00
Fabrice Fontaine df8c34723e package/mpv: link with libatomic if needed
Fixes:
 - http://autobuild.buildroot.org/results/12f4580429427b6b546184366f74da16f83d692c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 71cb0f0f72)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:42:23 +02:00
Thomas Petazzoni 98adbe7f90 DEVELOPERS: drop Maxime Ripard from kmsxx maintainers
Maxime Ripard is no longer at Bootlin, his e-mail is bouncing:

<maxime.ripard@bootlin.com>: host spool.mail.gandi.net[217.70.178.1] said: 550
    5.1.1 <maxime.ripard@bootlin.com>: Recipient address rejected: User unknown
    in virtual mailbox table (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3a4053b585)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:38:26 +02:00
Thomas Petazzoni 9cd8ee158f support/docker: drop Python 2.x modules
Since commit 4a40d36f13
("support/testing: switch to Python 3 only") our runtime testing
infrastructure is Python 3.x only.

Therefore, it is no longer needed to have python-nose2 and
python-pexpect in the Docker container used to run our Gitlab CI jobs.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 23f7fa874b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:38:04 +02:00
Thomas Petazzoni ddf41cf9a7 support/docker: use python3-flake8
support/scripts/pkg-stats now uses some Python 3.x only constructs
("async" and related keywords), so we must use the Python 3.x flake8.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 385c4da3dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:35:49 +02:00
Thomas Petazzoni caf04bab8d utils/scanpypi: use raw strings in re.compile/re.sub
Fixes the following Python 3.x flake8 warning:

W605 invalid escape sequence '\w'

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9150a6a3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:34:43 +02:00
Thomas Petazzoni f23dd5e4a2 utils/getdeveloperlib.py: use raw strings for re.compile/re.match
Fixes the following Python 3.x flake8 warning:

W605 invalid escape sequence '\s'

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c5b848d719)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:34:41 +02:00
Thomas Petazzoni d917bf4727 support/testing/tests/core/test_timezone.py: fix indentation
Fixes:

support/testing/tests/core/test_timezone.py:7:9: E117 over-indented

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cc061128de)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:32:58 +02:00
Thomas Petazzoni 76bbb43441 support/testing: consistently use raw strings for re.compile
Otherwise Python 3.x flake8 complains with:

W605 invalid escape sequence '\s'

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b0078c058a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:32:16 +02:00
Thomas Petazzoni 09ba349f0d utils/{check-package, checkpackagelib}: consistently use raw strings for re.compile
Raw strings need to be used when calling re.compile() otherwise Python
3.x flake8 complains with:

W605 invalid escape sequence '\s'

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 163f160a8e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:32:07 +02:00
Peter Seiderer fd9a468b4e package/cvs: fix mktime related compile failure
Use ac_cv_func_working_mktime=yes to force the use of a provided
mktime implementation instead of compiling the failing own one.

Fixes:

  http://autobuild.buildroot.net/results/5bcd8f4235002da682cc900f866116d2fe87f1c8

  mktime.c: In function 'ydhms_diff':
  mktime.c:106:52: error: size of array 'a' is negative
   #define verify(name, assertion) struct name { char a[(assertion) ? 1 : -1]; }
                                                      ^
  mktime.c:170:3: note: in expansion of macro 'verify'
     verify (long_int_year_and_yday_are_wide_enough,
     ^~~~~~

with the failure/assert comming from the lines:

  verify (long_int_year_and_yday_are_wide_enough,
          INT_MAX <= LONG_MAX / 2 || TIME_T_MAX <= UINT_MAX);

which fails since the y2038 time_t conversion from 32bit to 64bit
(musl libc).

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ea2f52494c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:31:03 +02:00
Christian Stewart def480591c package/rtl8821au: add patch fixing sprintf error
Fixes compile errors against certain kernels.

Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d83e94ed82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:29:06 +02:00
Fabrice Fontaine 0567bb15cd package/capnproto: add openssl optional dependency
openssl is an optional dependency that is enabled by default since
version 0.7.0 and
https://github.com/capnproto/capnproto/commit/23db5e3fd91104a0b2881d8f8ab3c10bf9dd8e75

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c20798bca2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:27:34 +02:00
Sergey Matyukevich 0c0356e86c package/wpa_supplicant: disable TEAP for internal TLS implementation
EAP-TEAP support in hostapd/wpa_supplicant fails to build with internal
TLS implementation. This patch disables TEAP support in wpa_supplicant
when internal TLS implementation is selected. Similar fix for hostapd
package has already been merged to Buildroot: see commit 47d14e3b1c
("package/hostapd: disable TEAP for internal TLS implementation").

TEAP is still an experimental feature that is not recommmended for
production use. Currently it should not be used for anything else
than experimentation and interoperability testing. Those who needs
experimenting with TEAP are encouraged to enable openssl in their
buildroot configuration.

Fixes:
http://autobuild.buildroot.net/results/e83613c06041a60f89da787f4ebf876245713cd2/

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bb27efbce7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:24:57 +02:00
Fabrice Fontaine 3d5c530da5 package/python-gunicorn: select python-setuptools
Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=13111

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f242f9bad9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:23:34 +02:00
Fabrice Fontaine aa9b2b0abe package/ghostscript: fix CVE-2020-15900
A memory corruption issue was found in Artifex Ghostscript 9.50 and
9.52. Use of a non-standard PostScript operator can allow overriding of
file access controls. The 'rsearch' calculation for the 'post' size
resulted in a size that was too large, and could underflow to max
uint32_t. This was fixed in commit
5d499272b95a6b890a1397e11d20937de000d31b.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 13ddfcdce7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:10:40 +02:00
Michael Nosthoff aa1773ea21 package/live555: license is now LGPL-3.0+ and not LGPL-2.1+
The live555 source code includes both a COPYING file (with the GPL-3.0
license text) and a COPYING.LESSER file (with the LGPL-3.0 license
text). However, all source files indicate a LGPL-3.0 license, and none
of them indicate a GPL-3.0 license. In addition,
http://live555.com/liveMedia/faq.html#copyright-and-license says the
source code is under the LGPL.

So, we:

- Bump LGPL License to 3.0+
- Add a comment about the GPL-3.0 license

Fixes:

- https://bugs.busybox.net/show_bug.cgi?id=13156

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 650c5408bd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:08:19 +02:00
Fabrice Fontaine bda27f1b0c package/cpio: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/22fefd9774cbd6648d67f29826f47f1978e9c069

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0428b87a6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 18:01:24 +02:00
Peter Seiderer a4de835979 package/rtl8188eu: bump version to 0924dc8f
- fixes compile against linux-5.4.x

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 854b98408c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:59:47 +02:00
Fabrice Fontaine e0707286e6 package/iputils: drop wrong linux-headers dependency
Commit 9ffcd9279e wrongly added a
linux-headers dependency when switching to meson.

Remove it as headers are always provided by the toolchain.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d1d89d37c0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:57:56 +02:00
Fabrice Fontaine 0c871aaa38 package/gdk-pixbuf: security bump to version 2.36.12
- Fix CVE-2017-6312: Integer overflow in io-ico.c in gdk-pixbuf allows
  context-dependent attackers to cause a denial of service (segmentation
  fault and application crash) via a crafted image entry offset in an
  ICO file, which triggers an out-of-bounds read, related to compiler
  optimizations.
- Fix CVE-2017-6313: Integer underflow in the load_resources function in
  io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a
  denial of service (out-of-bounds read and program crash) via a crafted
  image entry size in an ICO file.
- Fix CVE-2017-6314: The make_available_at_least function in io-tiff.c
  in gdk-pixbuf allows context-dependent attackers to cause a denial of
  service (infinite loop) via a large TIFF file.

Also update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d455914332)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:56:55 +02:00
Thomas Petazzoni 777d730a00 DEVELOPERS: add Gwenhael Goavec-Merou for librtlsdr
Even though librtlsdr was initially introduced by Jason Pruitt in
2014, and Jason is still listed in the DEVELOPERS file for this
package, in recent times it's mainly Gwenhael who has been taking of
this package. Let's reflect that in the DEVELOPERS file so that
Gwenhael gets notified when there are librtlsdr issues.

Cc: Jason Pruitt <jrspruitt@gmail.com>
Cc: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 72df067afe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:55:32 +02:00
Bernd Kuhls 10ba4cf76d package/x11r7/xserver_xorg-server: add security fix for CVE-2020-14347
Release notes:
https://lists.x.org/archives/xorg-announce/2020-July/003051.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Thomas: add IGNORE_CVES entry.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8a46f3237a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:54:27 +02:00
Thomas Petazzoni be53bbbdd0 support/scripts/pkg-stats: show progress of upstream URL and latest version
This commit slightly improves the output of pkg-stats by showing the
progress of the upstream URL checks and latest version retrieval, on a
package basis:

Checking URL status
[0001/0062] curlpp
[0002/0062] cmocka
[0003/0062] snappy
[0004/0062] nload
[...]
[0060/0062] librtas
[0061/0062] libsilk
[0062/0062] jhead
Getting latest versions ...
[0001/0064] libglob
[0002/0064] perl-http-daemon
[0003/0064] shadowsocks-libev
[...]
[0061/0064] lua-flu
[0062/0064] python-aiohttp-security
[0063/0064] ljlinenoise
[0064/0064] matchbox-lib

Note that the above sample was run on 64 packages. Only 62 packages
appear for the URL status check, because packages that do not have any
URL in their Config.in file, or don't have any Config.in file at all,
are not checked and therefore not accounted.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5fea2e3997)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:48:32 +02:00
Thomas Petazzoni bc51041e6b support/scripts/pkg-stats: use aiohttp for upstream URL checking
This commit reworks the code that checks if the upstream URL of each
package (specified by its Config.in file) using the aiohttp
module. This makes the implementation much more elegant, and avoids
the problematic multiprocessing Pool which is causing issues in some
situations.

Suggested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5c3221ac20)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:48:25 +02:00
Thomas Petazzoni 8e0b8bcbd3 support/scripts/pkg-stats: use aiohttp for latest version retrieval
This commit reworks the code that retrieves the latest upstream
version of each package from release-monitoring.org using the aiohttp
module. This makes the implementation much more elegant, and avoids
the problematic multiprocessing Pool which is causing issues in some
situations.

Since we're now using some async functionality, the script is Python
3.x only, so the shebang is changed to make this clear.

Suggested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 68093f4778)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:48:13 +02:00
Thomas Petazzoni 7cc13f49af support/scripts/pkg-stats: fix flake8 warning
This fixes the following flake8 warning:

support/scripts/pkg-stats:1005:9: E117 over-indented

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 204d03ae43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:46:17 +02:00
Gregory CLEMENT 44f78b11de support/script/pkg-stats: handle exception when version comparison fails
With python 3, when a package has a version number x-y-z instead of
x.y.z, then the version returned by LooseVersion can't be compared
which raises a TypeError exception:

Traceback (most recent call last):
  File "./support/scripts/pkg-stats", line 1062, in <module>
    __main__()
  File "./support/scripts/pkg-stats", line 1051, in __main__
    check_package_cves(args.nvd_path, {p.name: p for p in packages})
  File "./support/scripts/pkg-stats", line 613, in check_package_cves
    if pkg_name in packages and cve.affects(packages[pkg_name]):
  File "./support/scripts/pkg-stats", line 386, in affects
    return pkg_version <= cve_affected_version
  File "/usr/lib64/python3.8/distutils/version.py", line 58, in __le__
    c = self._cmp(other)
  File "/usr/lib64/python3.8/distutils/version.py", line 337, in _cmp
    if self.version < other.version:
TypeError: '<' not supported between instances of 'str' and 'int'

This patch handles this exception by adding a new return value when
the comparison can't be done. The code is adjusted to take of this
change. For now, a return value of CVE_UNKNOWN is handled the same way
as a CVE_DOESNT_AFFECT return value, but this can be improved later
on.

Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7d2779ecbb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:46:10 +02:00
Heiko Thiery 94725bb729 support/scripts/pkg-stats: add tilde '~' expansion for pathes
When the 'nvd-path', 'json' and 'html' are used like this:

  --html ~/foo

then the tilde expansion is properly done by the shell. However, when
they are used like this:

  --html=~/foo

The shell doesn't do the tilde expansion, and pkg-stats doesn't do
it. This commit modifies pkg-stats to ensure that tilde expansion is
done when parsing the 'nvd-path', 'json' and 'html' arguments.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
[Thomas: improve commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f41056ec4b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:45:21 +02:00
Thomas Petazzoni 6a8e31a27a support/scripts/pkg-stats: fix flake8 E722 warning
flake8 complains with:

  support/scripts/pkg-stats:339:13: E722 do not use bare 'except'

Due to the construct:

  try:
     something
  except:
     print("some message")
     raise

Which is in fact OK because the exception is re-raised. This issue is
discussed at https://github.com/PyCQA/pycodestyle/issues/703, and the
general agreement is that these "bare except" are OK, and should be
ignored from flake8 using a noqa statement.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b5bc480a5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:45:16 +02:00
Thomas Petazzoni 48d9765054 support/scripts/pkg-stats: fix flake8 E501 warning
Fixes:

support/scripts/pkg-stats:281:133: E501 line too long (139 > 132 characters)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f7f33771b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:45:12 +02:00
Thomas Petazzoni 903b4fa920 support/scripts/pkg-stats: fix flake8 E117 warning
Fixes:

  support/scripts/pkg-stats:146:17: E117 over-indented

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 198d76efb3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:45:07 +02:00
Thomas Petazzoni 9f21e32341 support/scripts/pkg-stats: fix flake8 E302 warning
Fixes:

  support/scripts/pkg-stats:57:1: E302 expected 2 blank lines, found 1

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e03bdef0ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:45:03 +02:00
Thomas Petazzoni 0ab030f188 support/scripts/pkg-stats: fix flake8 E402 warning
flake8 complains with:

pkg-stats:38:1: E402 module level import not at top of file

This is due to sys.path.append() being before the import from
getdeveloperlib, but we really need this sys.path.append() to be
before, so let's ignore this flake8 warning.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 769f98c18c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:44:57 +02:00
Heiko Thiery 7c87a94ef8 support/scripts/pkg-stats: add list of status checks to the json output
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 759521dae6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:42:26 +02:00
Heiko Thiery ef3585d6b8 support/scripts/pkg-stats: set status to 'na' for virtual packages
If there is no infra set or infra is virtual the status is set to 'na'.

This is done for the follwing checks:
 - license
 - license-files
 - hash
 - hash-license
 - patches
 - version

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fb879c1954)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:42:14 +02:00
Heiko Thiery 75d97f2a8f support/scripts/pkg-stats: add defconfig support
Scan configs directory and create Defconfig objects.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8d77ecbad0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:42:09 +02:00
Heiko Thiery 3c98107873 support/scripts/pkg-stats: store pkg dir path
This value can be used for later processing.

In the buildroot-stats application this is used to create links pointing
to the git repo of buildroot.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d31fadfbf5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:42:04 +02:00
Heiko Thiery 3a8dd28bc5 support/scripts/pkg-stats: add package count to stats
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0e267518cb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:41:59 +02:00
Heiko Thiery af549ab68f support/scripts/pkg-stats: add package status
Unify the status check information. The status is stored in a tuple. The
first entry is the status that can be 'ok', 'warning' or 'error'. The
second entry is a verbose message.

The following checks are performed:
- url: status of the URL check
- license: status of the license presence check
- license-files: status of the license file check
- hash: status of the hash file presence check
- patches: status of the patches count check
- pkg-check: status of the check-package script result
- developers: status if a package has developers in the DEVELOPERS file
- version: status of the version check

With that status information the following variables are replaced:
has_license, has_license_files, has_hash, url_status

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f422fa991f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:41:55 +02:00
Heiko Thiery 8ca8c1572c support/scripts/pkg-stats: store licences of package
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5b7278e5f1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:41:51 +02:00
Heiko Thiery 743b013a56 support/scripts/pkg-stats: set developers info
Use the function 'parse_developers' function from getdeveloperlib that
collect the information about the developers and the files they
maintain. Then set the maintainer(s) to each package.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c1fc827934)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:41:46 +02:00
Heiko Thiery 7f72379943 support/scripts/pkg-stats: store patch files for the package
Remove the patch_count attribute and use a class property instead.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b1916b0a8d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:41:42 +02:00
Heiko Thiery 922cd9e7f7 support/scripts/pkg-stats: store latest version in a dict
This patch changes the type of the latest_version variable to a dict.
This is for better readability/usability of the data. With this the json
output is more descriptive in later processing of the json output.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c46e707182)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:41:35 +02:00
Bernd Kuhls bd77d9131e package/php: bump version to 7.4.9
Changelog of this bugfix release:
https://www.php.net/ChangeLog-7.php#7.4.9

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 46ed4ac847)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:10:50 +02:00
Norbert Lange be642d909d package/f2fs-tools: fsck should use correct returncodes
fsck.f2fs does not implement the returncodes from the fsck interface.
This is particularly bad if systemd is used with a root f2fs partition,
as it will interpret the rc as order to reboot.

for thread & pending upstream fix see:
https://sourceforge.net/p/linux-f2fs/mailman/message/37079401/

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5d8811eb87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:06:19 +02:00
Bernd Kuhls 7e7f34281b package/apache: security bump version to 2.4.46
Changelog: http://archive.apache.org/dist/httpd/CHANGES_2.4.46

Release notes: https://downloads.apache.org/httpd/Announcement2.4.html

Fixes CVE-2020-9490, CVE-2020-11984 & CVE-2020-11993:
https://httpd.apache.org/security/vulnerabilities_24.html

Added sha512 hash provided by upstream.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[yann.morin.1998@free.fr:
  - don't add md5 and sha1 hashes
  - single comment above hashes
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7667418d97)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 17:03:52 +02:00
Michael Nosthoff 9c0aa8de35 package/boost: fixup Optimization flag in boost build
When building with Boost Build the CXXFLAGS are extended depending
on the optimization level set. When not defined explicitly the
optimization level depends on the <variant>. For release it's 'speed'
and for debug it's set to 'off'

These flags overwrite the -O flag passed in with TARGET_CXXFLAGS as
it is appended when calling g++.

This commit sets the Optimization flags generated by Boost Build
to the value of TARGET_OPTIMIZATION no matter what level is used.

As Boost Build offers no nice way to alter those values the gcc
toolchain file is altered directly.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit af148ef4f0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 16:56:28 +02:00
Brandon Maier ff849fed45 boot/uboot: Fix kconfig to use $(BR2_MAKE)
U-Boot must use $(BR2_MAKE) as it uses a Make feature from v4.0. We
already use $(BR2_MAKE) in the BUILD_CMDS, but the kconfig commands
still uses $(MAKE). Without this fix, building U-Boot with kconfig will
fail with the following cryptic error.

> Makefile:37: *** missing separator.  Stop.

Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 43dc2007a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 16:54:12 +02:00
Brandon Maier f0f7595cea package/pkg-kconfig: Support custom $(MAKE)
The U-Boot package requires GNU Make v4.0 or later, and so all U-Boot
"make" commands must use "$(BR2_MAKE)" so they use the host-make
package. Currently pkg-kconfig is hardcoded to uses $(MAKE), so add a
way to support $(BR2_MAKE). The package infra for pkg-automake and
pkg-cmake have a similar problem, and they solved it by defining a
$(PKG)_MAKE variable, and allowing each package to override it.

Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e729d0d4b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 16:54:04 +02:00
Norbert Lange 9faba29108 package/busybox: enable flags for use as systemd pager
If the less package is not enable and systemd is enabled,
then configure the less applet to fully work with systemd.

systemd sets the flags for less in an environment variable
and requires a few options for correct display.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c2caf816e9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 16:47:26 +02:00
Peter Korsgaard 329ff9e9b8 package/ffmpeg: bump version to 4.2.4
Bugfix release, fixing a number of issues since 4.2.3.  For details, see the
changelog:

https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/n4.2.4:/Changelog

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 16:37:04 +02:00
Eugen Hristev c0cef3d444 boot/at91bootstrap3: enable for cortexa7
Enable this bootloader for cortex a7 based SoCs: support for the
sama7g5 SoC is now in upstream at91bootstrap3, and it is a Cortex-A7
based SoC.

Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 33003a47c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:39:41 +02:00
Peter Korsgaard 9cc3e64390 package/ruby: security bump to version 2.4.10
Fixes the following security issues:

- CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON (Additional
  fix)
  https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 79c9a82a10)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:36:31 +02:00
Angelo Compagnucci 408392d26f package/cups: add proper init script
Cups service for systemv was erroneously installed in /etc/rcX.d and
therefore not working. Also, its init script installed in /etc/init.d
was definitely not a Buildroot-style init script.

This patch adds a Buildroot style init script instead of using the
example provided by the package.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 04226ac6b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:36:09 +02:00
Fabrice Fontaine b70686422d package/gd: fix CVE-2018-14553 and CVE-2019-6977
- Fix CVE-2018-14553 : gdImageClone in gd.c in libgd 2.1.0-rc2 through
  2.2.5 has a NULL pointer dereference allowing attackers to crash an
  application via a specific function call sequence.

- Fix CVE-2019-6977: gdImageColorMatch in gd_color_match.c in the GD
  Graphics Library (aka LibGD) 2.2.5, as used in the imagecolormatch
  function in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14,
  and 7.3.x before 7.3.1, has a heap-based buffer overflow. This can be
  exploited by an attacker who is able to trigger imagecolormatch calls
  with crafted image data.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6fa1a32dac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:34:59 +02:00
Michael Vetter 5a9d4094b7 package/jasper: security bump to version 2.0.19
Fixes the following security issues:
* Fix CVE-2018-9154
  https://github.com/jasper-software/jasper/issues/215
  https://github.com/jasper-software/jasper/issues/166
  https://github.com/jasper-software/jasper/issues/175
  https://github.com/jasper-maint/jasper/issues/8

* Fix CVE-2018-19541
  https://github.com/jasper-software/jasper/pull/199
  https://github.com/jasper-maint/jasper/issues/6

* Fix CVE-2016-9399, CVE-2017-13751
  https://github.com/jasper-maint/jasper/issues/1

* Fix CVE-2018-19540
  https://github.com/jasper-software/jasper/issues/182
  https://github.com/jasper-maint/jasper/issues/22

* Fix CVE-2018-9055
  https://github.com/jasper-maint/jasper/issues/9

* Fix CVE-2017-13748
  https://github.com/jasper-software/jasper/issues/168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  https://github.com/jasper-maint/jasper/issues/3
  https://github.com/jasper-maint/jasper/issues/4
  https://github.com/jasper-maint/jasper/issues/5
  https://github.com/jasper-software/jasper/issues/88
  https://github.com/jasper-software/jasper/issues/89
  https://github.com/jasper-software/jasper/issues/90

* Fix CVE-2018-9252
  https://github.com/jasper-maint/jasper/issues/16

* Fix CVE-2018-19139
  https://github.com/jasper-maint/jasper/issues/14

* Fix CVE-2018-19543, CVE-2017-9782
  https://github.com/jasper-maint/jasper/issues/13
  https://github.com/jasper-maint/jasper/issues/18
  https://github.com/jasper-software/jasper/issues/140
  https://github.com/jasper-software/jasper/issues/182

* Fix CVE-2018-20570
  https://github.com/jasper-maint/jasper/issues/11
  https://github.com/jasper-software/jasper/issues/191

* Fix CVE-2018-20622
  https://github.com/jasper-maint/jasper/issues/12
  https://github.com/jasper-software/jasper/issues/193

* Fix CVE-2016-9398
  https://github.com/jasper-maint/jasper/issues/10

* Fix CVE-2017-14132
  https://github.com/jasper-maint/jasper/issues/17

* Fix CVE-2017-5499
  https://github.com/jasper-maint/jasper/issues/2
  https://github.com/jasper-software/jasper/issues/63

* Fix CVE-2018-18873
  https://github.com/jasper-maint/jasper/issues/15
  https://github.com/jasper-software/jasper/issues/184

* Fix CVE-2017-13750
  https://github.com/jasper-software/jasper/issues/165
  https://github.com/jasper-software/jasper/issues/174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0f7b241d4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:33:06 +02:00
Stefan Sørensen 7958c928fb boot/grub2: Backport Boothole securify fixes
Details: https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html

Fixes the following security issues:

 * CVE-2020-10713
   A flaw was found in grub2, prior to version 2.06. An attacker may
   use the GRUB 2 flaw to hijack and tamper the GRUB verification
   process. This flaw also allows the bypass of Secure Boot
   protections. In order to load an untrusted or modified kernel, an
   attacker would first need to establish access to the system such as
   gaining physical access, obtain the ability to alter a pxe-boot
   network, or have remote access to a networked system with root
   access. With this access, an attacker could then craft a string to
   cause a buffer overflow by injecting a malicious payload that leads
   to arbitrary code execution within GRUB. The highest threat from
   this vulnerability is to data confidentiality and integrity as well
   as system availability.

 * CVE-2020-14308
   In grub2 versions before 2.06 the grub memory allocator doesn't
   check for possible arithmetic overflows on the requested allocation
   size. This leads the function to return invalid memory allocations
   which can be further used to cause possible integrity,
   confidentiality and availability impacts during the boot process.

 * CVE-2020-14309
   There's an issue with grub2 in all versions before 2.06 when
   handling squashfs filesystems containing a symbolic link with name
   length of UINT32 bytes in size. The name size leads to an
   arithmetic overflow leading to a zero-size allocation further
   causing a heap-based buffer overflow with attacker controlled data.

 * CVE-2020-14310
   An integer overflow in read_section_from_string may lead to a heap
   based buffer overflow.

 * CVE-2020-14311
   An integer overflow in grub_ext2_read_link may lead to a heap-based
   buffer overflow.

 * CVE-2020-15706
   GRUB2 contains a race condition in grub_script_function_create()
   leading to a use-after-free vulnerability which can be triggered by
   redefining a function whilst the same function is already
   executing, leading to arbitrary code execution and secure boot
   restriction bypass

 * CVE-2020-15707
   Integer overflows were discovered in the functions grub_cmd_initrd
   and grub_initrd_init in the efilinux component of GRUB2, as shipped
   in Debian, Red Hat, and Ubuntu (the functionality is not included
   in GRUB2 upstream), leading to a heap-based buffer overflow. These
   could be triggered by an extremely large number of arguments to the
   initrd command on 32-bit architectures, or a crafted filesystem
   with very large files on any architecture. An attacker could use
   this to execute arbitrary code and bypass UEFI Secure Boot
   restrictions. This issue affects GRUB2 version 2.04 and prior
   versions.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2f7a8021b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:29:24 +02:00
Bernd Kuhls 91ad3f6e85 package/x11r7/xlib_libX11: bump version to 1.6.11
Reformatted license hash.

Quoting release notes:
https://lists.x.org/archives/xorg-announce/2020-August/003053.html
"This release fixes a regression introduced by the security patches in
 1.6.10.
 See https://gitlab.freedesktop.org/xorg/lib/libx11/-/issues/116 for
 details."

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit de47f7b494)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:28:14 +02:00
Bernd Kuhls c35e7bc7ed package/x11r7/xlib_libX11: security bump version to 1.6.10
Fixes CVE-2020-14344:
https://lists.x.org/archives/xorg-announce/2020-July/003050.html

Removed md5 & sha1 hashes, upstream does not provide them anymore.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2f81258db1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:28:11 +02:00
Bernd Kuhls 1dc191efe6 package/mesa3d: xvmc needs x11
This is a follow-up patch to

https://git.buildroot.net/buildroot/commit/package/mesa3d?id=e79ee3b0f91aa3eb1b20d86701a195e3bd9a26d3

to make sure that MESA3D_PLATFORMS contains x11 needed by xvmc:
https://cgit.freedesktop.org/mesa/mesa/tree/meson.build?h=20.1#n510

Fixes
http://autobuild.buildroot.net/results/dae/dae41e30d2ac69b768ec0a5b795a2e559c35bcd3/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c35fe399cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:24:21 +02:00
Peter Korsgaard 3957a66827 support/testing: drop explicit CGROUPFS_MOUNT from docker test
Since commit 4f8229653 (package/docker-engine: needs more runtime
dependencies), docker-engine now automatically pulls in cgroupfs-mount, so
drop the explicit handling of it in TestDockerCompose.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4726cf9517)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-18 17:23:27 +02:00
Adrian Perez de Castro 44f88e3084 package/webkitgtk: security bump to version 2.28.4
This is a minor release which provides fixes for CVE-2020-9862,
CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, and
CVE-2020-9925.

Full release notes can be found at:

  https://webkitgtk.org/2020/07/28/webkitgtk2.28.4-released.html

A detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2020-0007.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0b4d5678f1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 21:14:13 +02:00
Adrian Perez de Castro 1b420fc037 package/wpewebkit: security bump to version 2.28.4
This is a minor release which provides fixes for CVE-2020-9862,
CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, and
CVE-2020-9925.

Full release notes can be found at:

  https://wpewebkit.org/release/wpewebkit-2.28.4.html

A detailed security advisory can be found at:

  https://wpewebkit.org/security/WSA-2020-0007.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4416e0e7ba)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 21:14:06 +02:00
John Keeping 3bd799aa49 package/dbus: disable systemd for host build
This fixes an issue if host-dbus happens to be rebuilt after systemd, in
which case it autodetects systemd support but then ignored the prefix
when installing unit files.  That means that is tries to write to the
host system's /usr/lib/ which fails.

There is no reason to build and install systemd support in the host
build, so disable it explicitly.

Signed-off-by: John Keeping <john@metanate.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1bfdb3d08d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 21:12:23 +02:00
Peter Korsgaard 5247a63723 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 7}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 38f4587997)
[Peter: drop 5.7.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 21:11:39 +02:00
Baruch Siach 2ea0d106c9 package/libcurl: fix build against gnutls with proxy disabled
Add upstream patch (#4) fixing build with gnutls when
BR2_PACKAGE_LIBCURL_PROXY_SUPPORT is disabled.

Patch #4 depends on #3 to apply so add this one as well.

Fixes:
http://autobuild.buildroot.net/results/31d7204869ff71319ea055688c919a646bfb200b/
http://autobuild.buildroot.net/results/f8d2fb919475cdff4a36ad93071048ee09193b98/
http://autobuild.buildroot.net/results/2f07a0ac1240a6040a3509d2ebf06906a31fd172/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 30a73893f5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 20:42:11 +02:00
James Hilliard 785925c0eb package/efl: depend on LuaJIT
Luajit is a provider for luainterpreter. We can't select providers of
virtual packages; we can only depend on them.

Note also that it is not very clear whether the host and target variants
of EFL need to be built with the same lua interpreter. Today, this is
guaranteed as we inly use luajit in both cases. But there were issues
with lua 5.1 in the past, so stick to only using luajit.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[yann.morin.1998@free.fr:
  - depend on luajit, not "any" luainterpreter
  - which keeps the host and target variants built with the same
    interpreter
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f3134e7159)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 20:36:31 +02:00
Thomas Petazzoni 9e4ffdc8cf Makefile: properly account for custom tags in BR2_VERSION_FULL
BR2_VERSION_FULL is currently defined as follows:

  BR2_VERSION_FULL := $(BR2_VERSION)$(shell $(TOPDIR)/support/scripts/setlocalversion)

This BR2_VERSION_FULL value then gets used as the "VERSION" variable
in the /etc/os-release file.

The logic of "setlocalversion" is that if it is exactly on a tag, it
returns nothing.

If it is on a tag + a number of commits, then it returns only
-XYZ-gABC where XYZ is the number of commits since the last tag, and
ABC the git commit hash (these are extracted from git describe).

This output then gets concatenated to BR2_VERSION which gives
something like 2020.05 or 2020.05-00123-g5bc6a.

The issue is that when you're on a tag specific to your project, which
is not a Buildroot YYYY.MM tag, then the output of setlocalversion is
empty, and all you get as VERSION in os-release is $(BR2_VERSION)
which is not really nice. Worse, if you have another non-official
Buildroot tag between the last official Buildroot tag/version and
where you are, you will get $(BR2_VERSION)-XYZ-gABC, but XYZ will not
correspond to the number of commits since BR2_VERSION, but since the
last tag that "git describe" as found, which is clearly incorrect.

Here is an example: you're on master, "make print-version" (which
displays BR2_VERSION_FULL) will show:

$ make print-version
2020.08-git-00758-gc351877a6e

So far so good. Now, you create a tag say 5 commits "before" master,
and show BR2_VERSION_FULL again:

$ git tag -a -m "dummy tag" dummy-tag HEAD~5
$ make print-version
2020.08-git-00005-gc351877a6e

This makes you believe you are 5 commits above 2020.08, which is
absolutely wrong.

So this commit simplifies the logic of setlocalversion to simply
return what "git describe" provides, and not prepend $(BR2_VERSION) in
the main Makefile. Since official Buildroot tags match official
Buildroot version names, you get the same output when you're on an
official Buildroot tag, or some commits above a Buildroot tag. An in
other cases, you get a sensible output. The logic is also adjusted for
the Mercurial case.

In the above situation, with this commit applied, we get:

$ make print-version
dummy-tag-6-g6258cdddeb

(6 commits instead of 5 as we have this very commit applied, but at
least it's 6 commits on top of the dummy-tag)

Finally, if you're not using a version control system, setlocalversion
was already returning nothing, so in this case, the Makefile simply
sets BR2_VERSION_FULL to BR2_VERSION to preserve this behavior.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 98c99556e3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 20:06:23 +02:00
James Hilliard b620a7962b package/nodejs: use system-icu for host-nodejs
The nodejs configure.py file orders zlib headers before the bundled ICU
headers. The zlib headers happen to be located in the system include
directory, next to some system ICU headers (not bundled). If these are
built before nodejs is, nodejs will get confused and try to use the
system ICU headers instead of the bundled ones.

Fix this by always using host-icu.

Set CXXFLAGS to -DU_DISABLE_RENAMING=1 when building with
system-icu since host-icu is built with --disable-renaming.

Fixes:
 - http://autobuild.buildroot.net/results/1ef947553ec762dba6a6202b1cfc84ceed75dbb2/

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[yann.morin.1998@free.fr:
  - keep alphabetical order in _DEPENDENCIES
  - don't introduce HOST_NODEJS_CONF_OPTS
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 319f7b0dab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 18:43:45 +02:00
Francois Perrad 3cb9d2ecab package/docker-engine: needs more runtime dependencies
fix error:
	failed to start daemon: Devices cgroup isn't mounted

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4f82296536)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 18:42:11 +02:00
Peter Korsgaard 5be79ef42d package/tpm2-tools: bump version to 4.1.2
Bugfix release with a single fix:

- Fix missing handle maps for ESY3 handle breaks. See #1994

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9652e2cbe5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 12:01:21 +02:00
Peter Korsgaard 9e427ca5a9 package/tpm2-abrmd: bump version to 2.3.2
Fixes various initialization / systemd issues. From the changelog:

- Provide meaningful exit codes on initialization failures.
- Prevent systemd from starting the daemon before udev changes ownership of
  the TPM device node.
- Prevent systemd from starting the daemon if there is no TPM device node.
- Prevent systemd from restarting the daemon if it fails.
- Add SELinux policy to allow daemon to resolve names.
- Add SELinux policy boolean (disabled by default) to allow daemon to
  connect to all unreserved ports.

Also adjust .hash file white space to match new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 56ff08cea0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 12:00:53 +02:00
Romain Naour 6cbf1b57b0 gitlab-ci: convert only/except to rules
only/except keywords will be deprecated by upcoming gitlab release,
upstream recommend to use rules keyword instead [1][2][3][4][5].

This patch convert .gitlab-ci.yml to use rules, no functional
changes intended.

After this patch, we should still have the following behaviour
while pushing commit, tag, branches:

     - to trigger only the check-* jobs:
       $ git push gitlab HEAD:<name>

     - to trigger all defconfigs and all check-* jobs:
       $ git push gitlab HEAD:<name>-defconfigs

     - to trigger all runtime tests and all check-* jobs:
       $ git push gitlab HEAD:<name>-runtime-tests

     - to trigger one defconfig job:
       $ git push gitlab HEAD:<name>-<defconfig name>

     - to trigger one runtime job:
       $ git push gitlab HEAD:<name>-<test case name>

[1] https://gitlab.com/gitlab-org/gitlab/-/commit/7eaaa597e24bf24743bdd8f8d1d51ade83b3f6de
[2] https://about.gitlab.com/releases/2020/06/22/gitlab-13-1-released/#templates-to-simplify-initial-rules-keyword-configuration
[3] https://about.gitlab.com/releases/2020/05/22/gitlab-13-0-released/#auto-devops-and-secure-configuration-templates-are-changing-to-%60rules%60-instead-of-%60only/except%60
[4] https://gitlab.com/gitlab-org/gitlab/issues/27449
[5] https://gitlab.com/groups/gitlab-org/-/epics/2783
[6] https://buildroot.org/downloads/manual/manual.html#_using_the_run_tests_framework

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 35de2fdcf7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 11:43:09 +02:00
Adam Duskett 0433910910 package/libwebsockets: remove dependency on mmu
Six years ago, commit b6b5bb518d added the MMU
dependency for the libwebsockets package. However, according to the git
history of the CMakeLists.txt file, libwebsockets has supported the vfork
function for at least the last five years.

After testing with the qemu_arm_versatile_nommu_defconfig and the
br-arm-cortex-m4-full.config file, no errors occurred when building
libwebsockets without MMU support.

Remove the dependency; it is no longer necessary. Update the reverse
dependencies as needed.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ad953b0149)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 11:39:09 +02:00
Angelo Compagnucci 883e514f5b DEVELOPERS: add Angelo Compagnucci to several packages
This patch adds some packages I contributed to my entry.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit db49315a61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 11:33:20 +02:00
Angelo Compagnucci b442ccb43e linux: bump CIP RT kernel to version 4.19.132-cip30-rt12
This patch bumps Linux CIP RT to version 4.19.132-cip30-rt12

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c009545716)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 11:29:43 +02:00
Angelo Compagnucci 17041efcf9 linux: bump CIP kernel to version 4.19.132-cip30
This patch bumps Linux CIP to version 4.19.132-cip30

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 50d243cda9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-13 11:27:11 +02:00
Thomas De Schampheleire 7e90b0171f package/dropbear: backport security fix for CVE-2018-20685
The update to 2020.79 contains several other changes that may not be
appropriate for the LTS branch, hence just backport the single fix.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-05 22:18:29 +02:00
Nicola Di Lieto 37b5713442 package/uacme: don't allow ualpn with mbedTLS
ualpn requires mbedTLS to be configured and built with
MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
which is not the default and can be a security risk.

Therefore make BR2_PACKAGE_UACME_UALPN depend on
BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS.

Fixes http://autobuild.buildroot.net/results/d241121f8155bad9b6b25c16234576abb7fc940b

See also

https://github.com/ndilieto/uacme/issues/23
https://github.com/ARMmbed/mbedtls/issues/3241
https://github.com/ARMmbed/mbedtls/pull/3243
http://lists.busybox.net/pipermail/buildroot/2020-April/281059.html
http://lists.busybox.net/pipermail/buildroot/2020-April/281108.html

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 96c3b52132)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-27 22:06:31 +02:00
Nicola Di Lieto 26c7864b4e package/uacme: bump version to 1.2.4
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 812cc01f69)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-27 22:06:19 +02:00
Nicola Di Lieto cf92dbcf81 package/uacme: bump version to 1.2.3
This version fixes https://github.com/ndilieto/uacme/issues/22

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5946c1fe99)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-27 22:05:48 +02:00
Nicola Di Lieto 1e88b79a75 package/uacme: bump version to 1.2.2
This version includes a new binary named "ualpn", a proxying
ACMEv2 tls-alpn-01 responder.

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6fb42fd549)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-27 22:05:20 +02:00
Nicola Di Lieto df83838d94 package/uacme: bump version to 1.0.22
Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 066d552499)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-27 22:01:10 +02:00
Titouan Christophe 2c9acdc898 package/mosquitto: bump to v1.6.10
This release fix some bugs in the broker and client libraries,
as well as building with below C99 suport.

Read the whole announcement on:
https://mosquitto.org/blog/2020/05/version-1-6-8-released/

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 466bce9c9b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-26 17:11:21 +02:00
Peter Korsgaard 77fa6bd5b2 package/python-django: security bump to version 3.0.7
Fixes the following security issues:

- CVE-2020-13254: Potential data leakage via malformed memcached keys

  In cases where a memcached backend does not perform key validation,
  passing malformed cache keys could result in a key collision, and
  potential data leakage.  In order to avoid this vulnerability, key
  validation is added to the memcached cache backends.

- CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget

  Query parameters for the admin ForeignKeyRawIdWidget were not properly URL
  encoded, posing an XSS attack vector.  ForeignKeyRawIdWidget now ensures
  query parameters are correctly URL encoded.

For details, see the announcement:
https://docs.djangoproject.com/en/dev/releases/3.0.7/

Additionally, 3.0.5..3.0.7 contains a number of non-security related
bugfixes.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 36d78abceb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-26 17:09:04 +02:00
Francois Perrad 3a2bef1f4f package/perl: security bump to version 5.30.3
Fixes the following security issues:

[CVE-2020-10543] Buffer overflow caused by a crafted regular
                 expression

[CVE-2020-10878] Integer overflow via malformed bytecode produced by a
                 crafted regular expression

[CVE-2020-12723] Buffer overflow caused by a crafted regular
                 expression

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 13ceb980a2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-26 17:06:26 +02:00
Francois Perrad 8dbb329307 package/perl: bump perl-cross to version 1.3.3
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 94f40137bd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-26 17:06:18 +02:00
616 changed files with 14248 additions and 4093 deletions
+25 -17
View File
@@ -4,12 +4,13 @@
# It needs to be regenerated every time a defconfig is added, using
# "make .gitlab-ci.yml".
image: buildroot/base:20191027.2027
image: buildroot/base:20200814.2228
.check_base:
except:
- /^.*-.*_defconfig$/
- /^.*-tests\..*$/
rules:
- if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/ || $CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/'
when: never
- when: always
check-DEVELOPERS:
extends: .check_base
@@ -27,7 +28,7 @@ check-flake8:
- find * -type f -print0 | xargs -0 file | grep 'Python script' | cut -d':' -f1 >> files.txt
- sort -u files.txt | tee files.processed
script:
- python -m flake8 --statistics --count --max-line-length=132 $(cat files.processed)
- python3 -m flake8 --statistics --count --max-line-length=132 $(cat files.processed)
after_script:
- wc -l files.processed
@@ -69,17 +70,21 @@ check-package:
extends: .defconfig_base
# Running the defconfigs for every push is too much, so limit to
# explicit triggers through the API.
only:
- triggers
- tags
- /-defconfigs$/
rules:
# For tags, create a pipeline.
- if: '$CI_COMMIT_TAG'
# For pipeline created by using a trigger token.
- if: '$CI_PIPELINE_TRIGGERED'
# For the branch or tag name named *-defconfigs, create a pipeline.
- if: '$CI_COMMIT_REF_NAME =~ /^.*-defconfigs$/'
before_script:
- DEFCONFIG_NAME=${CI_JOB_NAME}
one-defconfig:
extends: .defconfig_base
only:
- /^.*-.*_defconfig$/
rules:
# For the branch or tag name named *-*_defconfigs, create a pipeline.
- if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/'
before_script:
- DEFCONFIG_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g')
@@ -103,17 +108,20 @@ one-defconfig:
extends: .runtime_test_base
# Running the runtime tests for every push is too much, so limit to
# explicit triggers through the API.
only:
- triggers
- tags
- /-runtime-tests$/
rules:
# For tags, create a pipeline.
- if: '$CI_COMMIT_TAG'
# For pipeline created by using a trigger token.
- if: '$CI_PIPELINE_TRIGGERED'
# For the branch or tag name named *-runtime-tests, create a pipeline.
- if: '$CI_COMMIT_REF_NAME =~ /^.*-runtime-tests$/'
before_script:
- TEST_CASE_NAME=${CI_JOB_NAME}
one-runtime_test:
extends: .runtime_test_base
only:
- /^.*-tests\..*$/
rules:
- if: '$CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/'
before_script:
- TEST_CASE_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g')
aarch64_efi_defconfig: { extends: .defconfig }
+25 -17
View File
@@ -4,12 +4,13 @@
# It needs to be regenerated every time a defconfig is added, using
# "make .gitlab-ci.yml".
image: buildroot/base:20191027.2027
image: buildroot/base:20200814.2228
.check_base:
except:
- /^.*-.*_defconfig$/
- /^.*-tests\..*$/
rules:
- if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/ || $CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/'
when: never
- when: always
check-DEVELOPERS:
extends: .check_base
@@ -27,7 +28,7 @@ check-flake8:
- find * -type f -print0 | xargs -0 file | grep 'Python script' | cut -d':' -f1 >> files.txt
- sort -u files.txt | tee files.processed
script:
- python -m flake8 --statistics --count --max-line-length=132 $(cat files.processed)
- python3 -m flake8 --statistics --count --max-line-length=132 $(cat files.processed)
after_script:
- wc -l files.processed
@@ -69,17 +70,21 @@ check-package:
extends: .defconfig_base
# Running the defconfigs for every push is too much, so limit to
# explicit triggers through the API.
only:
- triggers
- tags
- /-defconfigs$/
rules:
# For tags, create a pipeline.
- if: '$CI_COMMIT_TAG'
# For pipeline created by using a trigger token.
- if: '$CI_PIPELINE_TRIGGERED'
# For the branch or tag name named *-defconfigs, create a pipeline.
- if: '$CI_COMMIT_REF_NAME =~ /^.*-defconfigs$/'
before_script:
- DEFCONFIG_NAME=${CI_JOB_NAME}
one-defconfig:
extends: .defconfig_base
only:
- /^.*-.*_defconfig$/
rules:
# For the branch or tag name named *-*_defconfigs, create a pipeline.
- if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/'
before_script:
- DEFCONFIG_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g')
@@ -103,16 +108,19 @@ one-defconfig:
extends: .runtime_test_base
# Running the runtime tests for every push is too much, so limit to
# explicit triggers through the API.
only:
- triggers
- tags
- /-runtime-tests$/
rules:
# For tags, create a pipeline.
- if: '$CI_COMMIT_TAG'
# For pipeline created by using a trigger token.
- if: '$CI_PIPELINE_TRIGGERED'
# For the branch or tag name named *-runtime-tests, create a pipeline.
- if: '$CI_COMMIT_REF_NAME =~ /^.*-runtime-tests$/'
before_script:
- TEST_CASE_NAME=${CI_JOB_NAME}
one-runtime_test:
extends: .runtime_test_base
only:
- /^.*-tests\..*$/
rules:
- if: '$CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/'
before_script:
- TEST_CASE_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g')
+144
View File
@@ -1,3 +1,147 @@
2020.02.9, released December 27th, 2020
Important / security related fixes.
Infrastructure:
- cmake: fix host ccache handling for CMake 3.19
- meson: Forcibly disable binary stripping for
target builds, enable for host builds
- golang: Fix HOST / TARGET directories for per-package builds
Defconfigs: Beaglebone Qt5: Fix ti-sgx related issues
Updated/fixed packages: apitrace, arm-trusted-firmware,
bustle, c-ares, ca-certificates, cdrkit, cryptopp, dhcpcd,
docker-containerd, dtv-scan-tables, flare-engine, ghostscript,
haproxy, imagemagick, imx-gpu-viv, jasper, jemalloc,
jpeg-turbo, libcap, libcurl, libglib2, libgpiod, libkrb5,
libopenssl, libplist, libressl, libuv, libuvw, lynx, mariadb,
mbedtls, minidlna, monkey, musl, mutt, ncurses, netsnmp,
nodejs, opencv3, openldap, openrc, opkg-utils, paho-mqtt-c,
php, privoxy, proftpd, python-crc16, python-flask-cors,
python-lxml, python-pip, python-pyparsing, python-pyqt5, qemu,
qt5base, raptor, rauc, ruby, setserial, shadowsocks-libev,
slirp, sqlcipher, ti-sgx-demos, tinycbor, vsftpd,
wireless-regdb, wireshark, x11vnc, xen, xinetd,
xserver_xorg-server
Issues resolved (http://bugs.uclibc.org):
#13276: libcap builds libcap.pc incorrectly
#13316: beaglebone_qt5_defconfig: PowerVR fails to start
#13341: Mistake in /etc/init.d/S70vsftpd
2020.02.8, released November 16th, 2020
Important / security related fixes.
Updated/fixed packages: angularjs, argp-standalone, asterisk,
bandwidthd, bitcoin, busybox, cryptsetup, darkhttpd, davfs2,
docker-cli, docker-containerd, docker-engine,
dovecot-pigeonhole, fastd, fbset, fbtft, freetype, gcc,
ghostscript, gnuradio, grpc, gst1-plugins-bad, jsoncpp,
keepalived, libass, libexif, libiqrf, libpam-tacplus, libraw,
linux-backports, linux-firmware, lzlib, netsnmp, nginx,
oniguruma, opencv3, openntpd, patchelf, php, postgresql,
python-pyqt5, qt5base, rauc, redis, samba4, slirp, systemd,
tcpdump, tmux, tor, webkitgtk, wireguard-linux-compat,
wireshark, wpewebkit, xen, xorriso, zeromq, zxing-cpp
Issues resolved (http://bugs.uclibc.org):
#11931: Bugs in support/scripts/apply-patches.sh
2020.02.7, released October 12th, 2020
Important / security related fixes.
meson: Correct SDK cross-compilation.conf file when
per-package builds were used to build SDK.
systemd: Use /run rather than /var/run for PID files in units.
Toolchain: use Secure-PLT rather than BSS-PLT for PowerPC 32.
support/script/pycompile: Rework logic to ensure .pyc files
contain absolute target paths, fixing code inspection at
runtime when executed with cwd != '/'.
support/scripts/setlocalversion: Correct Mercurial output to
match behaviour with Git.
support/scripts/apply-patches.sh: Use patch
--no-backup-if-mismatch, so we no longer blindly have to
remove *.orig files after patching, fixing issues with
packages containing such files.
Updated/fixed packages: bandwidthd, barebox, bash, bison,
brotli, cifs-utils, cryptsetup, dhcpcd, dhcpdump, docker-cli,
docker-engine, ecryptfs-utils, efl, fail2ban, freetype, gcc,
gdb, ghostscript, gnutls, go, gst1-plugins-base,
gst1-plugins-ugly, ipmitool, libhtp, libraw, libssh, libxml2,
libxml-parser-perl, localedef, lua, memcached, mesa3d, meson,
minidlna, nginx, nodejs, nss-pam-ldapd, openvmtools, php,
postgresql, python, python-aenum, python-autobahn,
python-engineio, python-fire, python-pymodbus, python-scapy,
python-semver, python-sentry-sdk, python-socketio,
python-texttable, python-tinyrpc, python-txtorcon, python3,
qt5base, runc, samba4, strace, supertux, suricata, systemd,
vlc, wayland-protocols, wireguard-linux-compat, wireshark,
xserver_xorg-server, zeromq, zstd
Issues resolved (http://bugs.uclibc.org):
#12911: usb_modeswitch installation race condition
#13251: cryptsetup does not work on branch 2020.02 following..
2020.02.6, released September 5th, 2020
Important / security related fixes.
Fix a 2020.02.5 build regression in busybox when systemd (and
not less) are enabled because of missing infrastructure.
Updated/fixed packages: alsa-utils, avahi, busybox, cups,
docker-cli, graphite2, imagemagick, libeXosip2, mbedtls,
nvidia-driver, paho-mqtt-c, python-django, systemd, uclibc,
usb_modeswitch, wolfssl
Issues resolved (http://bugs.uclibc.org):
#12911: usb_modeswitch installation race condition
2020.02.5, released August 29th, 2020
Important / security related fixes.
Infrastructure: Ensure RPATH entries that may be needed for
dlopen() are not dropped by patchelf.
BR_VERSION_FULL/setlocalversion (used by make print-version
and /etc/os-release): Properly handle local git tags
Updated/fixed packages: apache, at91bootstrap3, bind, boost,
busybox, capnproto, chrony, collectd, cpio, cryptsetup, cups,
cvs, dbus, docker-engine, domoticz, dovecot,
dovecot-pigeonhole, dropbear, efl, elixir, f2fs-tools, ffmpeg,
gd, gdk-pixbuf, ghostscript, glibc, grub2, gst1-plugins-bad,
hostapd, iputils, jasper, json-c, libcurl, libwebsockets,
linux, live555, mesa3d, mosquitto, mpv, nodejs, opencv,
opencv3, openjpeg, patchelf, perl, php, postgresql,
python-django, python-gunicorn, python-matplotlib, ripgrep,
rtl8188eu, rtl8821au, ruby, shadowsocks-libev, squid,
tpm2-abrmd, tpm2-tools, trousers, uacme, webkitgtk, wireshark,
wolfssl, wpa_supplicant, wpewebkit, xen, xlib_libX11,
xserver_xorg-server
Issues resolved (http://bugs.uclibc.org):
#12876: nodejs fails to build when host-icu has been built before
#13111: python-gunicorn: missing dependency on python-setuptools
#13121: wpa_supplicant fails to build without libopenssl enabled
#13141: Target-finalize fail with "depmod: ERROR: Bad version passed"
#13156: package live555 new license
2020.02.4, released July 26th, 2020
Important / security related fixes.
+18 -22
View File
@@ -186,18 +186,25 @@ F: package/rauc/
N: Angelo Compagnucci <angelo.compagnucci@gmail.com>
F: package/corkscrew/
F: package/cups/
F: package/cups-filters/
F: package/fail2ban/
F: package/grep/
F: package/i2c-tools/
F: package/jq/
F: package/libb64/
F: package/mender/
F: package/mender-artifact/
F: package/mono/
F: package/mono-gtksharp3/
F: package/monolite/
F: package/openjpeg/
F: package/python-can/
F: package/python-pillow/
F: package/python-pydal/
F: package/python-spidev/
F: package/python-web2py/
F: package/sam-ba/
F: package/sshguard/
F: package/sunwait/
F: package/sysdig/
@@ -210,8 +217,9 @@ F: package/pkg-golang.mk
N: Anthony Viallard <viallard@syscom-instruments.com>
F: package/gnuplot/
N: Antoine Ténart <antoine.tenart@bootlin.com>
F: package/wf111/
N: Antoine Tenart <atenart@kernel.org>
F: package/libselinux/
F: package/refpolicy/
N: Antony Pavlov <antonynpavlov@gmail.com>
F: package/lsscsi/
@@ -659,7 +667,7 @@ N: Dominik Faessler <faessler@was.ch>
F: package/logsurfer/
F: package/python-id3/
N: Doug Kehn <rdkehn@yahoo.com>
N: Doug Kehn <rdkehn@gmail.com>
F: package/nss-pam-ldapd/
F: package/sp-oops-extract/
F: package/unscd/
@@ -1035,6 +1043,7 @@ N: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
F: package/gnuradio/
F: package/gqrx/
F: package/gr-osmosdr/
F: package/librtlsdr/
F: package/libusbgx/
F: package/python-cheetah/
F: package/python-markdown/
@@ -1352,7 +1361,7 @@ F: board/technologic/ts7680/
F: configs/ts7680_defconfig
F: package/paho-mqtt-c
N: Julien Olivain <juju@cotds.org>
N: Julien Olivain <ju.o@free.fr>
F: board/technexion/imx8mmpico/
F: board/technexion/imx8mpico/
F: configs/imx8mmpico_defconfig
@@ -1478,9 +1487,6 @@ F: package/mpv/
F: package/rpi-firmware/
F: package/rpi-userland/
N: Mamatha Inamdar <mamatha4@linux.vnet.ibm.com>
F: package/nvme/
N: Manuel Vögele <develop@manuel-voegele.de>
F: package/python-pyqt5/
F: package/python-requests-toolbelt/
@@ -1713,9 +1719,6 @@ F: package/systemd-bootchart/
F: package/tinyalsa/
F: package/tinyxml/
N: Maxime Ripard <maxime.ripard@bootlin.com>
F: package/kmsxx/
N: Michael Durrant <mdurrant@arcturusnetworks.com>
F: board/arcturus/
F: configs/arcturus_ucp1020_defconfig
@@ -1810,6 +1813,7 @@ F: package/tpm-tools/
F: package/trousers/
N: Norbert Lange <nolange79@gmail.com>
F: package/systemd/
F: package/tcf-agent/
N: Nylon Chen <nylon7@andestech.com>
@@ -1999,7 +2003,7 @@ F: package/kf5/
N: Pierre Floury <pierre.floury@gmail.com>
F: package/trace-cmd/
N: Pierre-Jean Texier <pjtexier@koncepto.io>
N: Pierre-Jean Texier <texier.pj2@gmail.com>
F: package/fping/
F: package/genimage/
F: package/haveged/
@@ -2135,6 +2139,7 @@ F: package/davfs2/
N: Ryan Barnett <ryan.barnett@rockwellcollins.com>
F: package/atftp/
F: package/c-periphery/
F: package/miraclecast/
F: package/python-pyasn/
F: package/python-pysnmp/
@@ -2142,11 +2147,6 @@ F: package/python-pysnmp-mibs/
F: package/python-tornado/
F: package/websocketpp/
N: Ryan Coe <bluemrp9@gmail.com>
F: package/inadyn/
F: package/libite/
F: package/mariadb/
N: Ryan Wilkins <ryan@deadfrog.net>
F: package/biosdevname/
@@ -2328,9 +2328,6 @@ N: Thomas Claveirole <thomas.claveirole@green-communications.fr>
F: package/fcgiwrap/
F: package/openlayers/
N: Thomas Davis <sunsetbrew@sunsetbrew.com>
F: package/civetweb/
N: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
F: docs/manual/
F: package/cereal/
@@ -2425,9 +2422,6 @@ F: package/redis/
F: package/waf/
F: support/testing/tests/package/test_crudini.py
N: Trent Piepho <tpiepho@impinj.com>
F: package/libp11/
N: Tudor Holton <buildroot@tudorholton.com>
F: package/openjdk/
@@ -2476,6 +2470,8 @@ N: Wade Berrier <wberrier@gmail.com>
F: package/ngrep/
N: Waldemar Brodkorb <wbx@openadk.org>
F: package/mksh/
F: package/ruby/
F: package/uclibc/
F: package/uclibc-ng-test/
+21 -15
View File
@@ -92,9 +92,9 @@ all:
.PHONY: all
# Set and export the version string
export BR2_VERSION := 2020.02.4
export BR2_VERSION := 2020.02.9
# Actual time the release is cut (for reproducible builds)
BR2_VERSION_EPOCH = 1595750000
BR2_VERSION_EPOCH = 1609088000
# Save running make version since it's clobbered by the make package
RUNNING_MAKE_VERSION := $(MAKE_VERSION)
@@ -113,7 +113,13 @@ DATE := $(shell date +%Y%m%d)
# Compute the full local version string so packages can use it as-is
# Need to export it, so it can be got from environment in children (eg. mconf)
export BR2_VERSION_FULL := $(BR2_VERSION)$(shell $(TOPDIR)/support/scripts/setlocalversion)
BR2_LOCALVERSION := $(shell $(TOPDIR)/support/scripts/setlocalversion)
ifeq ($(BR2_LOCALVERSION),)
export BR2_VERSION_FULL := $(BR2_VERSION)
else
export BR2_VERSION_FULL := $(BR2_LOCALVERSION)
endif
# List of targets and target patterns for which .config doesn't need to be read in
noconfig_targets := menuconfig nconfig gconfig xconfig config oldconfig randconfig \
@@ -793,9 +799,9 @@ endif
# counterparts are appropriately setup as symlinks ones to the others.
ifeq ($(BR2_ROOTFS_MERGED_USR),y)
@$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \
$(call MESSAGE,"Sanity check in overlay $(d)"); \
not_merged_dirs="$$(support/scripts/check-merged-usr.sh $(d))"; \
$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \
@$(call MESSAGE,"Sanity check in overlay $(d)")$(sep) \
$(Q)not_merged_dirs="$$(support/scripts/check-merged-usr.sh $(d))"; \
test -n "$$not_merged_dirs" && { \
echo "ERROR: The overlay in $(d) is not" \
"using a merged /usr for the following directories:" \
@@ -805,20 +811,20 @@ ifeq ($(BR2_ROOTFS_MERGED_USR),y)
endif # merged /usr
@$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \
$(call MESSAGE,"Copying overlay $(d)"); \
$(call SYSTEM_RSYNC,$(d),$(TARGET_DIR))$(sep))
$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \
@$(call MESSAGE,"Copying overlay $(d)")$(sep) \
$(Q)$(call SYSTEM_RSYNC,$(d),$(TARGET_DIR))$(sep))
$(if $(TARGET_DIR_FILES_LISTS), \
$(Q)$(if $(TARGET_DIR_FILES_LISTS), \
cat $(TARGET_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list.txt
$(if $(HOST_DIR_FILES_LISTS), \
$(Q)$(if $(HOST_DIR_FILES_LISTS), \
cat $(HOST_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list-host.txt
$(if $(STAGING_DIR_FILES_LISTS), \
$(Q)$(if $(STAGING_DIR_FILES_LISTS), \
cat $(STAGING_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list-staging.txt
@$(foreach s, $(call qstrip,$(BR2_ROOTFS_POST_BUILD_SCRIPT)), \
$(call MESSAGE,"Executing post-build script $(s)"); \
$(EXTRA_ENV) $(s) $(TARGET_DIR) $(call qstrip,$(BR2_ROOTFS_POST_SCRIPT_ARGS))$(sep))
$(foreach s, $(call qstrip,$(BR2_ROOTFS_POST_BUILD_SCRIPT)), \
@$(call MESSAGE,"Executing post-build script $(s)")$(sep) \
$(Q)$(EXTRA_ENV) $(s) $(TARGET_DIR) $(call qstrip,$(BR2_ROOTFS_POST_SCRIPT_ARGS))$(sep))
touch $(TARGET_DIR)/usr
+11 -1
View File
@@ -7,7 +7,7 @@ Description
This configuration will build a complete image for the beaglebone and
the TI AM335x-EVM, the board type is identified by the on-board
EEPROM. The configuration is based on the
ti-processor-sdk-02.00.00.00. Device tree blobs for beaglebone
ti-processor-sdk-06.01.00.08. Device tree blobs for beaglebone
variants and the evm-sk are built too.
For Qt5 support support use the beaglebone_qt5_defconfig.
@@ -43,10 +43,20 @@ output/images/
To copy the image file to the sdcard use dd:
$ dd if=output/images/sdcard.img of=/dev/XXX
Running Qt5 hellowindow opengl demo:
===================
# export QT_QPA_EGLFS_KMS_CONFIG=/etc/qt5/eglfs_kms_cfg.json
# export QT_QPA_PLATFORM=eglfs
# export QT_QPA_EGLFS_INTEGRATION=none
# /usr/lib/qt/examples/opengl/hellowindow/hellowindow
Tested hardware
===============
am335x-evm (rev. 1.1A)
beagleboneblack (rev. A5A)
beaglebone (rev. A6)
2020, Adam Duskett <aduskett@gmail.com>
2016, Lothar Felten <lothar.felten@gmail.com>
@@ -0,0 +1,15 @@
{
"device": "/dev/dri/card0",
"hwcursor": false,
"pbuffers": true,
"outputs": [
{
"name": "VGA1",
"mode": "off"
},
{
"name": "HDMI1",
"mode": "1024x768"
}
]
}
+6
View File
@@ -28,3 +28,9 @@ Where 'sdX' is the device node of the uSD partition.
To upgrade u-boot, cancel autoboot and type:
> run upgradeu
See Boundary Devices's buildroot-external-boundary project
for additional and advanced defconfigs using Qt5, gstreamer,
NXP proprietary packages with demo applications:
https://github.com/boundarydevices/buildroot-external-boundary
@@ -96,6 +96,14 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += MV_DDR_PATH=$(MV_DDR_MARVELL_DIR)
ARM_TRUSTED_FIRMWARE_DEPENDENCIES += mv-ddr-marvell
endif
ifeq ($(BR2_SSP_REGULAR),y)
ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=default
else ifeq ($(BR2_SSP_STRONG),y)
ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=strong
else ifeq ($(BR2_SSP_ALL),y)
ARM_TRUSTED_FIRMWARE_MAKE_OPTS += ENABLE_STACK_PROTECTOR=all
endif
ARM_TRUSTED_FIRMWARE_MAKE_TARGETS = all
ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP),y)
+1 -1
View File
@@ -1,6 +1,6 @@
config BR2_TARGET_AT91BOOTSTRAP3
bool "AT91 Bootstrap 3"
depends on BR2_arm926t || BR2_cortex_a5
depends on BR2_arm926t || BR2_cortex_a5 || BR2_cortex_a7
help
AT91Bootstrap is a first level bootloader for the Atmel AT91
devices. It integrates algorithms for:
+15 -11
View File
@@ -88,13 +88,6 @@ $(1)_KCONFIG_DEPENDENCIES = \
$(BR2_BISON_HOST_DEPENDENCY) \
$(BR2_FLEX_HOST_DEPENDENCY)
ifeq ($$(BR2_TARGET_$(1)_BAREBOXENV),y)
define $(1)_BUILD_BAREBOXENV_CMDS
$$(TARGET_CC) $$(TARGET_CFLAGS) $$(TARGET_LDFLAGS) -o $$(@D)/bareboxenv \
$$(@D)/scripts/bareboxenv.c
endef
endif
ifeq ($$(BR2_TARGET_$(1)_CUSTOM_ENV),y)
$(1)_ENV_NAME = $$(notdir $$(call qstrip,\
$$(BR2_TARGET_$(1)_CUSTOM_ENV_PATH)))
@@ -109,12 +102,23 @@ endef
endif
ifneq ($$($(1)_CUSTOM_EMBEDDED_ENV_PATH),)
define $(1)_KCONFIG_FIXUP_CMDS
$$(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_ENVIRONMENT,$$(@D)/.config)
$$(call KCONFIG_SET_OPT,CONFIG_DEFAULT_ENVIRONMENT_PATH,"$$($(1)_CUSTOM_EMBEDDED_ENV_PATH)",$$(@D)/.config)
define $(1)_KCONFIG_FIXUP_CUSTOM_EMBEDDED_ENV_PATH
$$(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_ENVIRONMENT)
$$(call KCONFIG_SET_OPT,CONFIG_DEFAULT_ENVIRONMENT_PATH,"$$($(1)_CUSTOM_EMBEDDED_ENV_PATH)")
endef
endif
define $(1)_KCONFIG_FIXUP_BAREBOXENV
$$(if $$(BR2_TARGET_$(1)_BAREBOXENV),\
$$(call KCONFIG_ENABLE_OPT,CONFIG_BAREBOXENV_TARGET),\
$$(call KCONFIG_DISABLE_OPT,CONFIG_BAREBOXENV_TARGET))
endef
define $(1)_KCONFIG_FIXUP_CMDS
$$($(1)_KCONFIG_FIXUP_CUSTOM_EMBEDDED_ENV_PATH)
$$($(1)_KCONFIG_FIXUP_BAREBOXENV)
endef
define $(1)_BUILD_CMDS
$$($(1)_BUILD_BAREBOXENV_CMDS)
$$(TARGET_MAKE_ENV) $$(MAKE) $$($(1)_MAKE_FLAGS) -C $$(@D)
@@ -136,7 +140,7 @@ endef
ifeq ($$(BR2_TARGET_$(1)_BAREBOXENV),y)
define $(1)_INSTALL_TARGET_CMDS
cp $$(@D)/bareboxenv $$(TARGET_DIR)/usr/bin
cp $$(@D)/scripts/bareboxenv-target $$(TARGET_DIR)/usr/bin/bareboxenv
endef
endif
@@ -0,0 +1,73 @@
From a7ab0cc98fa89a3d5098c29cbe44bcd24b0a6454 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 15 Apr 2020 15:45:02 -0400
Subject: [PATCH] yylex: Make lexer fatal errors actually be fatal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When presented with a command that can't be tokenized to anything
smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
expecting that will stop further processing, as such:
#define YY_DO_BEFORE_ACTION \
yyg->yytext_ptr = yy_bp; \
yyleng = (int) (yy_cp - yy_bp); \
yyg->yy_hold_char = *yy_cp; \
*yy_cp = '\0'; \
if ( yyleng >= YYLMAX ) \
YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
yyg->yy_c_buf_p = yy_cp;
The code flex generates expects that YY_FATAL_ERROR() will either return
for it or do some form of longjmp(), or handle the error in some way at
least, and so the strncpy() call isn't in an "else" clause, and thus if
YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
questionable limit, and predictable results ensue.
Unfortunately, our implementation of YY_FATAL_ERROR() is:
#define YY_FATAL_ERROR(msg) \
do { \
grub_printf (_("fatal error: %s\n"), _(msg)); \
} while (0)
The same pattern exists in yyless(), and similar problems exist in users
of YY_INPUT(), several places in the main parsing loop,
yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
yy_scan_buffer(), etc.
All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
the things they do if it returns after calling it are wildly unsafe.
Fixes: CVE-2020-10713
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/script/yylex.l | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
index 7b44c37b7..b7203c823 100644
--- a/grub-core/script/yylex.l
+++ b/grub-core/script/yylex.l
@@ -37,11 +37,11 @@
/*
* As we don't have access to yyscanner, we cannot do much except to
- * print the fatal error.
+ * print the fatal error and exit.
*/
#define YY_FATAL_ERROR(msg) \
do { \
- grub_printf (_("fatal error: %s\n"), _(msg)); \
+ grub_fatal (_("fatal error: %s\n"), _(msg));\
} while (0)
#define COPY(str, hint) \
--
2.26.2
@@ -0,0 +1,128 @@
From 782a4580a5e347793443aa8e9152db1bf4a0fff8 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 15 Jun 2020 10:58:42 -0400
Subject: [PATCH] safemath: Add some arithmetic primitives that check for
overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This adds a new header, include/grub/safemath.h, that includes easy to
use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
bool OP(a, b, res)
where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
case where the operation would overflow and res is not modified.
Otherwise, false is returned and the operation is executed.
These arithmetic primitives require newer compiler versions. So, bump
these requirements in the INSTALL file too.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
INSTALL | 22 ++--------------------
include/grub/compiler.h | 8 ++++++++
include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 47 insertions(+), 20 deletions(-)
create mode 100644 include/grub/safemath.h
diff --git a/INSTALL b/INSTALL
index 8acb40902..dcb9b7d7b 100644
--- a/INSTALL
+++ b/INSTALL
@@ -11,27 +11,9 @@ GRUB depends on some software packages installed into your system. If
you don't have any of them, please obtain and install them before
configuring the GRUB.
-* GCC 4.1.3 or later
- Note: older versions may work but support is limited
-
- Experimental support for clang 3.3 or later (results in much bigger binaries)
+* GCC 5.1.0 or later
+ Experimental support for clang 3.8.0 or later (results in much bigger binaries)
for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64
- Note: clang 3.2 or later works for i386 and x86_64 targets but results in
- much bigger binaries.
- earlier versions not tested
- Note: clang 3.2 or later works for arm
- earlier versions not tested
- Note: clang on arm64 is not supported due to
- https://llvm.org/bugs/show_bug.cgi?id=26030
- Note: clang 3.3 or later works for mips(el)
- earlier versions fail to generate .reginfo and hence gprel relocations
- fail.
- Note: clang 3.2 or later works for powerpc
- earlier versions not tested
- Note: clang 3.5 or later works for sparc64
- earlier versions return "error: unable to interface with target machine"
- Note: clang has no support for ia64 and hence you can't compile GRUB
- for ia64 with clang
* GNU Make
* GNU Bison 2.3 or later
* GNU gettext 0.17 or later
diff --git a/include/grub/compiler.h b/include/grub/compiler.h
index c9e1d7a73..8f3be3ae7 100644
--- a/include/grub/compiler.h
+++ b/include/grub/compiler.h
@@ -48,4 +48,12 @@
# define WARN_UNUSED_RESULT
#endif
+#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
+# define CLANG_PREREQ(maj,min) \
+ ((__clang_major__ > (maj)) || \
+ (__clang_major__ == (maj) && __clang_minor__ >= (min)))
+#else
+# define CLANG_PREREQ(maj,min) 0
+#endif
+
#endif /* ! GRUB_COMPILER_HEADER */
diff --git a/include/grub/safemath.h b/include/grub/safemath.h
new file mode 100644
index 000000000..c17b89bba
--- /dev/null
+++ b/include/grub/safemath.h
@@ -0,0 +1,37 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2020 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Arithmetic operations that protect against overflow.
+ */
+
+#ifndef GRUB_SAFEMATH_H
+#define GRUB_SAFEMATH_H 1
+
+#include <grub/compiler.h>
+
+/* These appear in gcc 5.1 and clang 3.8. */
+#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
+
+#define grub_add(a, b, res) __builtin_add_overflow(a, b, res)
+#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res)
+#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res)
+
+#else
+#error gcc 5.1 or newer or clang 3.8 or newer is required
+#endif
+
+#endif /* GRUB_SAFEMATH_H */
--
2.26.2
@@ -0,0 +1,246 @@
From 5775eb40862b67468ced816e6d7560dbe22a3670 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 15 Jun 2020 12:15:29 -0400
Subject: [PATCH] calloc: Make sure we always have an overflow-checking
calloc() available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This tries to make sure that everywhere in this source tree, we always have
an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
available, and that they all safely check for overflow and return NULL when
it would occur.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/kern/emu/misc.c | 12 +++++++++
grub-core/kern/emu/mm.c | 10 ++++++++
grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++
grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++--
grub-core/lib/posix_wrap/stdlib.h | 8 +++++-
include/grub/emu/misc.h | 1 +
include/grub/mm.h | 6 +++++
7 files changed, 85 insertions(+), 3 deletions(-)
diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
index 65db79baa..dfd8a8ec4 100644
--- a/grub-core/kern/emu/misc.c
+++ b/grub-core/kern/emu/misc.c
@@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...)
exit (1);
}
+void *
+xcalloc (grub_size_t nmemb, grub_size_t size)
+{
+ void *p;
+
+ p = calloc (nmemb, size);
+ if (!p)
+ grub_util_error ("%s", _("out of memory"));
+
+ return p;
+}
+
void *
xmalloc (grub_size_t size)
{
diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
index f262e95e3..145b01d37 100644
--- a/grub-core/kern/emu/mm.c
+++ b/grub-core/kern/emu/mm.c
@@ -25,6 +25,16 @@
#include <string.h>
#include <grub/i18n.h>
+void *
+grub_calloc (grub_size_t nmemb, grub_size_t size)
+{
+ void *ret;
+ ret = calloc (nmemb, size);
+ if (!ret)
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
+ return ret;
+}
+
void *
grub_malloc (grub_size_t size)
{
diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
index ee88ff611..f2822a836 100644
--- a/grub-core/kern/mm.c
+++ b/grub-core/kern/mm.c
@@ -67,8 +67,10 @@
#include <grub/dl.h>
#include <grub/i18n.h>
#include <grub/mm_private.h>
+#include <grub/safemath.h>
#ifdef MM_DEBUG
+# undef grub_calloc
# undef grub_malloc
# undef grub_zalloc
# undef grub_realloc
@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size)
return 0;
}
+/*
+ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
+ * integer overflow.
+ */
+void *
+grub_calloc (grub_size_t nmemb, grub_size_t size)
+{
+ void *ret;
+ grub_size_t sz = 0;
+
+ if (grub_mul (nmemb, size, &sz))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ return NULL;
+ }
+
+ ret = grub_memalign (0, sz);
+ if (!ret)
+ return NULL;
+
+ grub_memset (ret, 0, sz);
+ return ret;
+}
+
/* Allocate SIZE bytes and return the pointer. */
void *
grub_malloc (grub_size_t size)
@@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno)
grub_printf ("\n");
}
+void *
+grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
+{
+ void *ptr;
+
+ if (grub_mm_debug)
+ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
+ file, line, size);
+ ptr = grub_calloc (nmemb, size);
+ if (grub_mm_debug)
+ grub_printf ("%p\n", ptr);
+ return ptr;
+}
+
void *
grub_debug_malloc (const char *file, int line, grub_size_t size)
{
diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c
index beeb661a3..74c6eafe5 100644
--- a/grub-core/lib/libgcrypt_wrap/mem.c
+++ b/grub-core/lib/libgcrypt_wrap/mem.c
@@ -4,6 +4,7 @@
#include <grub/crypto.h>
#include <grub/dl.h>
#include <grub/env.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -36,7 +37,10 @@ void *
gcry_xcalloc (size_t n, size_t m)
{
void *ret;
- ret = grub_zalloc (n * m);
+ size_t sz;
+ if (grub_mul (n, m, &sz))
+ grub_fatal ("gcry_xcalloc would overflow");
+ ret = grub_zalloc (sz);
if (!ret)
grub_fatal ("gcry_xcalloc failed");
return ret;
@@ -56,7 +60,10 @@ void *
gcry_xcalloc_secure (size_t n, size_t m)
{
void *ret;
- ret = grub_zalloc (n * m);
+ size_t sz;
+ if (grub_mul (n, m, &sz))
+ grub_fatal ("gcry_xcalloc would overflow");
+ ret = grub_zalloc (sz);
if (!ret)
grub_fatal ("gcry_xcalloc failed");
return ret;
diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
index 3b46f47ff..7a8d385e9 100644
--- a/grub-core/lib/posix_wrap/stdlib.h
+++ b/grub-core/lib/posix_wrap/stdlib.h
@@ -21,6 +21,7 @@
#include <grub/mm.h>
#include <grub/misc.h>
+#include <grub/safemath.h>
static inline void
free (void *ptr)
@@ -37,7 +38,12 @@ malloc (grub_size_t size)
static inline void *
calloc (grub_size_t size, grub_size_t nelem)
{
- return grub_zalloc (size * nelem);
+ grub_size_t sz;
+
+ if (grub_mul (size, nelem, &sz))
+ return NULL;
+
+ return grub_zalloc (sz);
}
static inline void *
diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h
index ce464cfd0..ff9c48a64 100644
--- a/include/grub/emu/misc.h
+++ b/include/grub/emu/misc.h
@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev);
#define GRUB_HOST_PRIuLONG_LONG "llu"
#define GRUB_HOST_PRIxLONG_LONG "llx"
+void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
diff --git a/include/grub/mm.h b/include/grub/mm.h
index 28e2e53eb..9c38dd3ca 100644
--- a/include/grub/mm.h
+++ b/include/grub/mm.h
@@ -29,6 +29,7 @@
#endif
void grub_mm_init_region (void *addr, grub_size_t size);
+void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
void EXPORT_FUNC(grub_free) (void *ptr);
@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
void grub_mm_dump_free (void);
void grub_mm_dump (unsigned lineno);
+#define grub_calloc(nmemb, size) \
+ grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
+
#define grub_malloc(size) \
grub_debug_malloc (GRUB_FILE, __LINE__, size)
@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
#define grub_free(ptr) \
grub_debug_free (GRUB_FILE, __LINE__, ptr)
+void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
+ grub_size_t nmemb, grub_size_t size);
void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
grub_size_t size);
void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
--
2.26.2
File diff suppressed because it is too large Load Diff
File diff suppressed because it is too large Load Diff
@@ -0,0 +1,72 @@
From e0dd17a3ce79c6622dc78c96e1f2ef1b20e2bf7b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 4 Jul 2020 12:25:09 -0400
Subject: [PATCH] iso9660: Don't leak memory on realloc() failures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 7ba5b300b..5ec4433b8 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
{
int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
grub_size_t sz;
+ char *new;
if (grub_add (size, len2, &sz) ||
grub_add (sz, 1, &sz))
return;
- ctx->symlink = grub_realloc (ctx->symlink, sz);
- if (! ctx->symlink)
- return;
+ new = grub_realloc (ctx->symlink, sz);
+ if (!new)
+ {
+ grub_free (ctx->symlink);
+ ctx->symlink = NULL;
+ return;
+ }
+ ctx->symlink = new;
grub_memcpy (ctx->symlink + size, part, len2);
ctx->symlink[size + len2] = 0;
@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
is the length. Both are part of the `Component
Record'. */
if (ctx->symlink && !ctx->was_continue)
- add_part (ctx, "/", 1);
+ {
+ add_part (ctx, "/", 1);
+ if (grub_errno)
+ return grub_errno;
+ }
+
add_part (ctx, (char *) &entry->data[pos + 2],
entry->data[pos + 1]);
ctx->was_continue = (entry->data[pos] & 1);
@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
add_part (ctx, "/", 1);
break;
}
+
+ /* Check if grub_realloc() failed in add_part(). */
+ if (grub_errno)
+ return grub_errno;
+
/* In pos + 1 the length of the `Component Record' is
stored. */
pos += entry->data[pos + 1] + 2;
--
2.26.2
@@ -0,0 +1,41 @@
From 73bc7a964c9496d5b0f00dbd69959dacf5adcebe Mon Sep 17 00:00:00 2001
From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Tue, 7 Jul 2020 15:36:26 +0200
Subject: [PATCH] font: Do not load more than one NAME section
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The GRUB font file can have one NAME section only. Though if somebody
crafts a broken font file with many NAME sections and loads it then the
GRUB leaks memory. So, prevent against that by loading first NAME
section and failing in controlled way on following one.
Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/font/font.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/grub-core/font/font.c b/grub-core/font/font.c
index 5edb477ac..d09bb38d8 100644
--- a/grub-core/font/font.c
+++ b/grub-core/font/font.c
@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
{
+ if (font->name != NULL)
+ {
+ grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
+ goto fail;
+ }
+
font->name = read_section_as_string (&section);
if (!font->name)
goto fail;
--
2.26.2
@@ -0,0 +1,39 @@
From 9ff609f0e7798bc5fb04f791131c98e7693bdd9b Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Wed, 8 Jul 2020 20:41:56 +0000
Subject: [PATCH] gfxmenu: Fix double free in load_image()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
self->bitmap should be zeroed after free. Otherwise, there is a chance
to double free (USE_AFTER_FREE) it later in rescale_image().
Fixes: CID 292472
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/gfxmenu/gui_image.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/grub-core/gfxmenu/gui_image.c b/grub-core/gfxmenu/gui_image.c
index 29784ed2d..6b2e976f1 100644
--- a/grub-core/gfxmenu/gui_image.c
+++ b/grub-core/gfxmenu/gui_image.c
@@ -195,7 +195,10 @@ load_image (grub_gui_image_t self, const char *path)
return grub_errno;
if (self->bitmap && (self->bitmap != self->raw_bitmap))
- grub_video_bitmap_destroy (self->bitmap);
+ {
+ grub_video_bitmap_destroy (self->bitmap);
+ self->bitmap = 0;
+ }
if (self->raw_bitmap)
grub_video_bitmap_destroy (self->raw_bitmap);
--
2.26.2
@@ -0,0 +1,58 @@
From dc9777dc17697b196c415c53187a55861d41fd2a Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Wed, 8 Jul 2020 21:30:43 +0000
Subject: [PATCH] xnu: Fix double free in grub_xnu_devprop_add_property()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get
allocated and freed in the caller.
Minor improvement: do prop fields initialization after memory allocations.
Fixes: CID 292442, CID 292457, CID 292460, CID 292466
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/loader/i386/xnu.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
index b7d176b5d..e9e119259 100644
--- a/grub-core/loader/i386/xnu.c
+++ b/grub-core/loader/i386/xnu.c
@@ -262,20 +262,19 @@ grub_xnu_devprop_add_property (struct grub_xnu_devprop_device_descriptor *dev,
if (!prop)
return grub_errno;
- prop->name = utf8;
- prop->name16 = utf16;
- prop->name16len = utf16len;
-
- prop->length = datalen;
- prop->data = grub_malloc (prop->length);
+ prop->data = grub_malloc (datalen);
if (!prop->data)
{
- grub_free (prop->name);
- grub_free (prop->name16);
grub_free (prop);
return grub_errno;
}
- grub_memcpy (prop->data, data, prop->length);
+ grub_memcpy (prop->data, data, datalen);
+
+ prop->name = utf8;
+ prop->name16 = utf16;
+ prop->name16len = utf16len;
+ prop->length = datalen;
+
grub_list_push (GRUB_AS_LIST_P (&dev->properties),
GRUB_AS_LIST (prop));
return GRUB_ERR_NONE;
--
2.26.2
@@ -0,0 +1,55 @@
From 78829f0c230680e386fff9f420bb1631bc20f761 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Thu, 9 Jul 2020 03:05:23 +0000
Subject: [PATCH] lzma: Make sure we don't dereference past array
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
using the GetLenToPosState() macro which checks if len is less than 5,
and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
Obviously we don't want to dereference that far out so we check if the
position found is greater or equal kNumLenToPosStates (4) and bail out.
N.B.: Upstream LZMA 18.05 and later has this function completely rewritten
without any history.
Fixes: CID 51526
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/lib/LzmaEnc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
index f2ec04a8c..753e56a95 100644
--- a/grub-core/lib/LzmaEnc.c
+++ b/grub-core/lib/LzmaEnc.c
@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
}
else
{
- UInt32 posSlot;
+ UInt32 posSlot, lenToPosState;
RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
p->state = kMatchNextStates[p->state];
LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
pos -= LZMA_NUM_REPS;
GetPosSlot(pos, posSlot);
- RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot);
+ lenToPosState = GetLenToPosState(len);
+ if (lenToPosState >= kNumLenToPosStates)
+ {
+ p->result = SZ_ERROR_DATA;
+ return CheckErrors(p);
+ }
+ RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot);
if (posSlot >= kStartPosModelIndex)
{
--
2.26.2
@@ -0,0 +1,69 @@
From 8d3b6f9da468f666e3a7976657f2ab5c52762a21 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Tue, 7 Jul 2020 15:12:25 -0400
Subject: [PATCH] term: Fix overflow on user inputs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This requires a very weird input from the serial interface but can cause
an overflow in input_buf (keys) overwriting the next variable (npending)
with the user choice:
(pahole output)
struct grub_terminfo_input_state {
int input_buf[6]; /* 0 24 */
int npending; /* 24 4 */ <- CORRUPT
...snip...
The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow
npending with "q" (aka increase npending to 161). The simplest fix is to
just to disallow overwrites input_buf, which exactly what this patch does.
Fixes: CID 292449
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/term/terminfo.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/grub-core/term/terminfo.c b/grub-core/term/terminfo.c
index d317efa36..5fa94c0c3 100644
--- a/grub-core/term/terminfo.c
+++ b/grub-core/term/terminfo.c
@@ -398,7 +398,7 @@ grub_terminfo_getwh (struct grub_term_output *term)
}
static void
-grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len,
+grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, int max_len,
int (*readkey) (struct grub_term_input *term))
{
int c;
@@ -414,6 +414,9 @@ grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len,
if (c == -1) \
return; \
\
+ if (*len >= max_len) \
+ return; \
+ \
keys[*len] = c; \
(*len)++; \
}
@@ -602,8 +605,8 @@ grub_terminfo_getkey (struct grub_term_input *termi)
return ret;
}
- grub_terminfo_readkey (termi, data->input_buf,
- &data->npending, data->readkey);
+ grub_terminfo_readkey (termi, data->input_buf, &data->npending,
+ GRUB_TERMINFO_READKEY_MAX_LEN, data->readkey);
#if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275)
if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC
--
2.26.2
+59
View File
@@ -0,0 +1,59 @@
From 748b691761d31bfff7e9d0d210caa606294c2b52 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Tue, 7 Jul 2020 22:02:31 -0400
Subject: [PATCH] udf: Fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: CID 73796
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/fs/udf.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 21ac7f446..2ac5c1d00 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -965,8 +965,10 @@ grub_udf_iterate_dir (grub_fshelp_node_t dir,
return 0;
if (grub_udf_read_icb (dir->data, &dirent.icb, child))
- return 0;
-
+ {
+ grub_free (child);
+ return 0;
+ }
if (dirent.characteristics & GRUB_UDF_FID_CHAR_PARENT)
{
/* This is the parent directory. */
@@ -988,11 +990,18 @@ grub_udf_iterate_dir (grub_fshelp_node_t dir,
dirent.file_ident_length,
(char *) raw))
!= dirent.file_ident_length)
- return 0;
+ {
+ grub_free (child);
+ return 0;
+ }
filename = read_string (raw, dirent.file_ident_length, 0);
if (!filename)
- grub_print_error ();
+ {
+ /* As the hook won't get called. */
+ grub_free (child);
+ grub_print_error ();
+ }
if (filename && hook (filename, type, child, hook_data))
{
--
2.26.2
@@ -0,0 +1,38 @@
From 49bf3faa106498e151306fc780c63194a14751e3 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Fri, 26 Jun 2020 10:51:43 -0400
Subject: [PATCH] multiboot2: Fix memory leak if
grub_create_loader_cmdline() fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: CID 292468
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/loader/multiboot_mbi2.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c
index 53da78615..0efc66062 100644
--- a/grub-core/loader/multiboot_mbi2.c
+++ b/grub-core/loader/multiboot_mbi2.c
@@ -1070,7 +1070,11 @@ grub_multiboot2_add_module (grub_addr_t start, grub_size_t size,
err = grub_create_loader_cmdline (argc, argv, newmod->cmdline,
newmod->cmdline_size, GRUB_VERIFY_MODULE_CMDLINE);
if (err)
- return err;
+ {
+ grub_free (newmod->cmdline);
+ grub_free (newmod);
+ return err;
+ }
if (modules_last)
modules_last->next = newmod;
--
2.26.2
@@ -0,0 +1,283 @@
From b6c4a1b204740fe52b32e7f530831a59f4038e20 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Thu, 9 Jul 2020 08:10:40 +0000
Subject: [PATCH] tftp: Do not use priority queue
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There is not need to reassemble the order of blocks. Per RFC 1350,
server must wait for the ACK, before sending next block. Data packets
can be served immediately without putting them to priority queue.
Logic to handle incoming packet is this:
- if packet block id equal to expected block id, then
process the packet,
- if packet block id is less than expected - this is retransmit
of old packet, then ACK it and drop the packet,
- if packet block id is more than expected - that shouldn't
happen, just drop the packet.
It makes the tftp receive path code simpler, smaller and faster.
As a benefit, this change fixes CID# 73624 and CID# 96690, caused
by following while loop:
while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0)
where tftph pointer is not moving from one iteration to another, causing
to serve same packet again. Luckily, double serving didn't happen due to
data->block++ during the first iteration.
Fixes: CID 73624, CID 96690
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/net/tftp.c | 168 ++++++++++++++-----------------------------
1 file changed, 53 insertions(+), 115 deletions(-)
diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
index 7d90bf66e..b4297bc8d 100644
--- a/grub-core/net/tftp.c
+++ b/grub-core/net/tftp.c
@@ -25,7 +25,6 @@
#include <grub/mm.h>
#include <grub/dl.h>
#include <grub/file.h>
-#include <grub/priority_queue.h>
#include <grub/i18n.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -106,31 +105,8 @@ typedef struct tftp_data
int have_oack;
struct grub_error_saved save_err;
grub_net_udp_socket_t sock;
- grub_priority_queue_t pq;
} *tftp_data_t;
-static int
-cmp_block (grub_uint16_t a, grub_uint16_t b)
-{
- grub_int16_t i = (grub_int16_t) (a - b);
- if (i > 0)
- return +1;
- if (i < 0)
- return -1;
- return 0;
-}
-
-static int
-cmp (const void *a__, const void *b__)
-{
- struct grub_net_buff *a_ = *(struct grub_net_buff **) a__;
- struct grub_net_buff *b_ = *(struct grub_net_buff **) b__;
- struct tftphdr *a = (struct tftphdr *) a_->data;
- struct tftphdr *b = (struct tftphdr *) b_->data;
- /* We want the first elements to be on top. */
- return -cmp_block (grub_be_to_cpu16 (a->u.data.block), grub_be_to_cpu16 (b->u.data.block));
-}
-
static grub_err_t
ack (tftp_data_t data, grub_uint64_t block)
{
@@ -207,73 +183,60 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
return GRUB_ERR_NONE;
}
- err = grub_priority_queue_push (data->pq, &nb);
- if (err)
- return err;
-
- {
- struct grub_net_buff **nb_top_p, *nb_top;
- while (1)
- {
- nb_top_p = grub_priority_queue_top (data->pq);
- if (!nb_top_p)
- return GRUB_ERR_NONE;
- nb_top = *nb_top_p;
- tftph = (struct tftphdr *) nb_top->data;
- if (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) >= 0)
- break;
- ack (data, grub_be_to_cpu16 (tftph->u.data.block));
- grub_netbuff_free (nb_top);
- grub_priority_queue_pop (data->pq);
- }
- while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0)
- {
- unsigned size;
-
- grub_priority_queue_pop (data->pq);
-
- if (file->device->net->packs.count < 50)
+ /* Ack old/retransmitted block. */
+ if (grub_be_to_cpu16 (tftph->u.data.block) < data->block + 1)
+ ack (data, grub_be_to_cpu16 (tftph->u.data.block));
+ /* Ignore unexpected block. */
+ else if (grub_be_to_cpu16 (tftph->u.data.block) > data->block + 1)
+ grub_dprintf ("tftp", "TFTP unexpected block # %d\n", tftph->u.data.block);
+ else
+ {
+ unsigned size;
+
+ if (file->device->net->packs.count < 50)
+ {
err = ack (data, data->block + 1);
- else
- {
- file->device->net->stall = 1;
- err = 0;
- }
- if (err)
- return err;
-
- err = grub_netbuff_pull (nb_top, sizeof (tftph->opcode) +
- sizeof (tftph->u.data.block));
- if (err)
- return err;
- size = nb_top->tail - nb_top->data;
-
- data->block++;
- if (size < data->block_size)
- {
- if (data->ack_sent < data->block)
- ack (data, data->block);
- file->device->net->eof = 1;
- file->device->net->stall = 1;
- grub_net_udp_close (data->sock);
- data->sock = NULL;
- }
- /* Prevent garbage in broken cards. Is it still necessary
- given that IP implementation has been fixed?
- */
- if (size > data->block_size)
- {
- err = grub_netbuff_unput (nb_top, size - data->block_size);
- if (err)
- return err;
- }
- /* If there is data, puts packet in socket list. */
- if ((nb_top->tail - nb_top->data) > 0)
- grub_net_put_packet (&file->device->net->packs, nb_top);
- else
- grub_netbuff_free (nb_top);
- }
- }
+ if (err)
+ return err;
+ }
+ else
+ file->device->net->stall = 1;
+
+ err = grub_netbuff_pull (nb, sizeof (tftph->opcode) +
+ sizeof (tftph->u.data.block));
+ if (err)
+ return err;
+ size = nb->tail - nb->data;
+
+ data->block++;
+ if (size < data->block_size)
+ {
+ if (data->ack_sent < data->block)
+ ack (data, data->block);
+ file->device->net->eof = 1;
+ file->device->net->stall = 1;
+ grub_net_udp_close (data->sock);
+ data->sock = NULL;
+ }
+ /*
+ * Prevent garbage in broken cards. Is it still necessary
+ * given that IP implementation has been fixed?
+ */
+ if (size > data->block_size)
+ {
+ err = grub_netbuff_unput (nb, size - data->block_size);
+ if (err)
+ return err;
+ }
+ /* If there is data, puts packet in socket list. */
+ if ((nb->tail - nb->data) > 0)
+ {
+ grub_net_put_packet (&file->device->net->packs, nb);
+ /* Do not free nb. */
+ return GRUB_ERR_NONE;
+ }
+ }
+ grub_netbuff_free (nb);
return GRUB_ERR_NONE;
case TFTP_ERROR:
data->have_oack = 1;
@@ -287,19 +250,6 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
}
}
-static void
-destroy_pq (tftp_data_t data)
-{
- struct grub_net_buff **nb_p;
- while ((nb_p = grub_priority_queue_top (data->pq)))
- {
- grub_netbuff_free (*nb_p);
- grub_priority_queue_pop (data->pq);
- }
-
- grub_priority_queue_destroy (data->pq);
-}
-
static grub_err_t
tftp_open (struct grub_file *file, const char *filename)
{
@@ -372,17 +322,9 @@ tftp_open (struct grub_file *file, const char *filename)
file->not_easily_seekable = 1;
file->data = data;
- data->pq = grub_priority_queue_new (sizeof (struct grub_net_buff *), cmp);
- if (!data->pq)
- {
- grub_free (data);
- return grub_errno;
- }
-
err = grub_net_resolve_address (file->device->net->server, &addr);
if (err)
{
- destroy_pq (data);
grub_free (data);
return err;
}
@@ -392,7 +334,6 @@ tftp_open (struct grub_file *file, const char *filename)
file);
if (!data->sock)
{
- destroy_pq (data);
grub_free (data);
return grub_errno;
}
@@ -406,7 +347,6 @@ tftp_open (struct grub_file *file, const char *filename)
if (err)
{
grub_net_udp_close (data->sock);
- destroy_pq (data);
grub_free (data);
return err;
}
@@ -423,7 +363,6 @@ tftp_open (struct grub_file *file, const char *filename)
if (grub_errno)
{
grub_net_udp_close (data->sock);
- destroy_pq (data);
grub_free (data);
return grub_errno;
}
@@ -466,7 +405,6 @@ tftp_close (struct grub_file *file)
grub_print_error ();
grub_net_udp_close (data->sock);
}
- destroy_pq (data);
grub_free (data);
return GRUB_ERR_NONE;
}
--
2.26.2
@@ -0,0 +1,153 @@
From 1c7b619c84f229c1602c1958bcd054b6d9937562 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Wed, 15 Jul 2020 06:42:37 +0000
Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr()
input args against integer underflow/overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use arithmetic macros from safemath.h to accomplish it. In this commit,
I didn't want to be too paranoid to check every possible math equation
for overflow/underflow. Only obvious places (with non zero chance of
overflow/underflow) were refactored.
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/loader/i386/linux.c | 9 +++++++--
grub-core/loader/i386/pc/linux.c | 9 +++++++--
grub-core/loader/i386/xen.c | 12 ++++++++++--
grub-core/loader/xnu.c | 11 +++++++----
4 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index d0501e229..02a73463a 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -36,6 +36,7 @@
#include <grub/lib/cmdline.h>
#include <grub/linux.h>
#include <grub/machine/kernel.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -547,9 +548,13 @@ grub_linux_boot (void)
{
grub_relocator_chunk_t ch;
+ grub_size_t sz;
+
+ if (grub_add (ctx.real_size, efi_mmap_size, &sz))
+ return GRUB_ERR_OUT_OF_RANGE;
+
err = grub_relocator_alloc_chunk_addr (relocator, &ch,
- ctx.real_mode_target,
- (ctx.real_size + efi_mmap_size));
+ ctx.real_mode_target, sz);
if (err)
return err;
real_mode_mem = get_virtual_current_address (ch);
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
index 47ea2945e..31f09922b 100644
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -35,6 +35,7 @@
#include <grub/i386/floppy.h>
#include <grub/lib/cmdline.h>
#include <grub/linux.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -218,8 +219,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
setup_sects = GRUB_LINUX_DEFAULT_SETUP_SECTS;
real_size = setup_sects << GRUB_DISK_SECTOR_BITS;
- grub_linux16_prot_size = grub_file_size (file)
- - real_size - GRUB_DISK_SECTOR_SIZE;
+ if (grub_sub (grub_file_size (file), real_size, &grub_linux16_prot_size) ||
+ grub_sub (grub_linux16_prot_size, GRUB_DISK_SECTOR_SIZE, &grub_linux16_prot_size))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ goto fail;
+ }
if (! grub_linux_is_bzimage
&& GRUB_LINUX_ZIMAGE_ADDR + grub_linux16_prot_size
diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c
index 8f662c8ac..cd24874ca 100644
--- a/grub-core/loader/i386/xen.c
+++ b/grub-core/loader/i386/xen.c
@@ -41,6 +41,7 @@
#include <grub/linux.h>
#include <grub/i386/memory.h>
#include <grub/verify.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -636,6 +637,7 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
grub_relocator_chunk_t ch;
grub_addr_t kern_start;
grub_addr_t kern_end;
+ grub_size_t sz;
if (argc == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
@@ -703,8 +705,14 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
xen_state.max_addr = ALIGN_UP (kern_end, PAGE_SIZE);
- err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start,
- kern_end - kern_start);
+
+ if (grub_sub (kern_end, kern_start, &sz))
+ {
+ err = GRUB_ERR_OUT_OF_RANGE;
+ goto fail;
+ }
+
+ err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, sz);
if (err)
goto fail;
kern_chunk_src = get_virtual_current_address (ch);
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
index 77d7060e1..9ae4ceb35 100644
--- a/grub-core/loader/xnu.c
+++ b/grub-core/loader/xnu.c
@@ -34,6 +34,7 @@
#include <grub/env.h>
#include <grub/i18n.h>
#include <grub/verify.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -59,15 +60,17 @@ grub_xnu_heap_malloc (int size, void **src, grub_addr_t *target)
{
grub_err_t err;
grub_relocator_chunk_t ch;
+ grub_addr_t tgt;
+
+ if (grub_add (grub_xnu_heap_target_start, grub_xnu_heap_size, &tgt))
+ return GRUB_ERR_OUT_OF_RANGE;
- err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch,
- grub_xnu_heap_target_start
- + grub_xnu_heap_size, size);
+ err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, tgt, size);
if (err)
return err;
*src = get_virtual_current_address (ch);
- *target = grub_xnu_heap_target_start + grub_xnu_heap_size;
+ *target = tgt;
grub_xnu_heap_size += size;
grub_dprintf ("xnu", "val=%p\n", *src);
return GRUB_ERR_NONE;
--
2.26.2
@@ -0,0 +1,341 @@
From 0cfbbca3ccd84d36ffb1bcd6644ada7c73b19fc0 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Wed, 8 Jul 2020 01:44:38 +0000
Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_align()
max_addr against integer underflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit introduces integer underflow mitigation in max_addr calculation
in grub_relocator_alloc_chunk_align() invocation.
It consists of 2 fixes:
1. Introduced grub_relocator_alloc_chunk_align_safe() wrapper function to perform
sanity check for min/max and size values, and to make safe invocation of
grub_relocator_alloc_chunk_align() with validated max_addr value. Replace all
invocations such as grub_relocator_alloc_chunk_align(..., min_addr, max_addr - size, size, ...)
by grub_relocator_alloc_chunk_align_safe(..., min_addr, max_addr, size, ...).
2. Introduced UP_TO_TOP32(s) macro for the cases where max_addr is 32-bit top
address (0xffffffff - size + 1) or similar.
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/lib/i386/relocator.c | 28 ++++++++++----------------
grub-core/lib/mips/relocator.c | 6 ++----
grub-core/lib/powerpc/relocator.c | 6 ++----
grub-core/lib/x86_64/efi/relocator.c | 7 +++----
grub-core/loader/i386/linux.c | 5 ++---
grub-core/loader/i386/multiboot_mbi.c | 7 +++----
grub-core/loader/i386/pc/linux.c | 6 ++----
grub-core/loader/mips/linux.c | 9 +++------
grub-core/loader/multiboot.c | 2 +-
grub-core/loader/multiboot_elfxx.c | 10 ++++-----
grub-core/loader/multiboot_mbi2.c | 10 ++++-----
grub-core/loader/xnu_resume.c | 2 +-
include/grub/relocator.h | 29 +++++++++++++++++++++++++++
13 files changed, 69 insertions(+), 58 deletions(-)
diff --git a/grub-core/lib/i386/relocator.c b/grub-core/lib/i386/relocator.c
index 71dd4f0ab..34cbe834f 100644
--- a/grub-core/lib/i386/relocator.c
+++ b/grub-core/lib/i386/relocator.c
@@ -83,11 +83,10 @@ grub_relocator32_boot (struct grub_relocator *rel,
/* Specific memory range due to Global Descriptor Table for use by payload
that we will store in returned chunk. The address range and preference
are based on "THE LINUX/x86 BOOT PROTOCOL" specification. */
- err = grub_relocator_alloc_chunk_align (rel, &ch, 0x1000,
- 0x9a000 - RELOCATOR_SIZEOF (32),
- RELOCATOR_SIZEOF (32), 16,
- GRUB_RELOCATOR_PREFERENCE_LOW,
- avoid_efi_bootservices);
+ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0x1000, 0x9a000,
+ RELOCATOR_SIZEOF (32), 16,
+ GRUB_RELOCATOR_PREFERENCE_LOW,
+ avoid_efi_bootservices);
if (err)
return err;
@@ -125,13 +124,10 @@ grub_relocator16_boot (struct grub_relocator *rel,
grub_relocator_chunk_t ch;
/* Put it higher than the byte it checks for A20 check. */
- err = grub_relocator_alloc_chunk_align (rel, &ch, 0x8010,
- 0xa0000 - RELOCATOR_SIZEOF (16)
- - GRUB_RELOCATOR16_STACK_SIZE,
- RELOCATOR_SIZEOF (16)
- + GRUB_RELOCATOR16_STACK_SIZE, 16,
- GRUB_RELOCATOR_PREFERENCE_NONE,
- 0);
+ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0x8010, 0xa0000,
+ RELOCATOR_SIZEOF (16) +
+ GRUB_RELOCATOR16_STACK_SIZE, 16,
+ GRUB_RELOCATOR_PREFERENCE_NONE, 0);
if (err)
return err;
@@ -183,11 +179,9 @@ grub_relocator64_boot (struct grub_relocator *rel,
void *relst;
grub_relocator_chunk_t ch;
- err = grub_relocator_alloc_chunk_align (rel, &ch, min_addr,
- max_addr - RELOCATOR_SIZEOF (64),
- RELOCATOR_SIZEOF (64), 16,
- GRUB_RELOCATOR_PREFERENCE_NONE,
- 0);
+ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, min_addr, max_addr,
+ RELOCATOR_SIZEOF (64), 16,
+ GRUB_RELOCATOR_PREFERENCE_NONE, 0);
if (err)
return err;
diff --git a/grub-core/lib/mips/relocator.c b/grub-core/lib/mips/relocator.c
index 9d5f49cb9..743b213e6 100644
--- a/grub-core/lib/mips/relocator.c
+++ b/grub-core/lib/mips/relocator.c
@@ -120,10 +120,8 @@ grub_relocator32_boot (struct grub_relocator *rel,
unsigned i;
grub_addr_t vtarget;
- err = grub_relocator_alloc_chunk_align (rel, &ch, 0,
- (0xffffffff - stateset_size)
- + 1, stateset_size,
- sizeof (grub_uint32_t),
+ err = grub_relocator_alloc_chunk_align (rel, &ch, 0, UP_TO_TOP32 (stateset_size),
+ stateset_size, sizeof (grub_uint32_t),
GRUB_RELOCATOR_PREFERENCE_NONE, 0);
if (err)
return err;
diff --git a/grub-core/lib/powerpc/relocator.c b/grub-core/lib/powerpc/relocator.c
index bdf2b111b..8ffb8b686 100644
--- a/grub-core/lib/powerpc/relocator.c
+++ b/grub-core/lib/powerpc/relocator.c
@@ -115,10 +115,8 @@ grub_relocator32_boot (struct grub_relocator *rel,
unsigned i;
grub_relocator_chunk_t ch;
- err = grub_relocator_alloc_chunk_align (rel, &ch, 0,
- (0xffffffff - stateset_size)
- + 1, stateset_size,
- sizeof (grub_uint32_t),
+ err = grub_relocator_alloc_chunk_align (rel, &ch, 0, UP_TO_TOP32 (stateset_size),
+ stateset_size, sizeof (grub_uint32_t),
GRUB_RELOCATOR_PREFERENCE_NONE, 0);
if (err)
return err;
diff --git a/grub-core/lib/x86_64/efi/relocator.c b/grub-core/lib/x86_64/efi/relocator.c
index 3caef7a40..7d200a125 100644
--- a/grub-core/lib/x86_64/efi/relocator.c
+++ b/grub-core/lib/x86_64/efi/relocator.c
@@ -50,10 +50,9 @@ grub_relocator64_efi_boot (struct grub_relocator *rel,
* 64-bit relocator code may live above 4 GiB quite well.
* However, I do not want ask for problems. Just in case.
*/
- err = grub_relocator_alloc_chunk_align (rel, &ch, 0,
- 0x100000000 - RELOCATOR_SIZEOF (64_efi),
- RELOCATOR_SIZEOF (64_efi), 16,
- GRUB_RELOCATOR_PREFERENCE_NONE, 1);
+ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0, 0x100000000,
+ RELOCATOR_SIZEOF (64_efi), 16,
+ GRUB_RELOCATOR_PREFERENCE_NONE, 1);
if (err)
return err;
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 02a73463a..efbb99307 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -181,9 +181,8 @@ allocate_pages (grub_size_t prot_size, grub_size_t *align,
for (; err && *align + 1 > min_align; (*align)--)
{
grub_errno = GRUB_ERR_NONE;
- err = grub_relocator_alloc_chunk_align (relocator, &ch,
- 0x1000000,
- 0xffffffff & ~prot_size,
+ err = grub_relocator_alloc_chunk_align (relocator, &ch, 0x1000000,
+ UP_TO_TOP32 (prot_size),
prot_size, 1 << *align,
GRUB_RELOCATOR_PREFERENCE_LOW,
1);
diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c
index ad3cc292f..a67d9d0a8 100644
--- a/grub-core/loader/i386/multiboot_mbi.c
+++ b/grub-core/loader/i386/multiboot_mbi.c
@@ -466,10 +466,9 @@ grub_multiboot_make_mbi (grub_uint32_t *target)
bufsize = grub_multiboot_get_mbi_size ();
- err = grub_relocator_alloc_chunk_align (grub_multiboot_relocator, &ch,
- 0x10000, 0xa0000 - bufsize,
- bufsize, 4,
- GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+ err = grub_relocator_alloc_chunk_align_safe (grub_multiboot_relocator, &ch,
+ 0x10000, 0xa0000, bufsize, 4,
+ GRUB_RELOCATOR_PREFERENCE_NONE, 0);
if (err)
return err;
ptrorig = get_virtual_current_address (ch);
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
index 31f09922b..5fed5ffdf 100644
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -453,10 +453,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
{
grub_relocator_chunk_t ch;
- err = grub_relocator_alloc_chunk_align (relocator, &ch,
- addr_min, addr_max - size,
- size, 0x1000,
- GRUB_RELOCATOR_PREFERENCE_HIGH, 0);
+ err = grub_relocator_alloc_chunk_align_safe (relocator, &ch, addr_min, addr_max, size,
+ 0x1000, GRUB_RELOCATOR_PREFERENCE_HIGH, 0);
if (err)
return err;
initrd_chunk = get_virtual_current_address (ch);
diff --git a/grub-core/loader/mips/linux.c b/grub-core/loader/mips/linux.c
index 7b723bf18..e4ed95921 100644
--- a/grub-core/loader/mips/linux.c
+++ b/grub-core/loader/mips/linux.c
@@ -442,12 +442,9 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
{
grub_relocator_chunk_t ch;
- err = grub_relocator_alloc_chunk_align (relocator, &ch,
- (target_addr & 0x1fffffff)
- + linux_size + 0x10000,
- (0x10000000 - size),
- size, 0x10000,
- GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+ err = grub_relocator_alloc_chunk_align_safe (relocator, &ch, (target_addr & 0x1fffffff) +
+ linux_size + 0x10000, 0x10000000, size,
+ 0x10000, GRUB_RELOCATOR_PREFERENCE_NONE, 0);
if (err)
goto fail;
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
index 4a98d7082..facb13f3d 100644
--- a/grub-core/loader/multiboot.c
+++ b/grub-core/loader/multiboot.c
@@ -403,7 +403,7 @@ grub_cmd_module (grub_command_t cmd __attribute__ ((unused)),
{
grub_relocator_chunk_t ch;
err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch,
- lowest_addr, (0xffffffff - size) + 1,
+ lowest_addr, UP_TO_TOP32 (size),
size, MULTIBOOT_MOD_ALIGN,
GRUB_RELOCATOR_PREFERENCE_NONE, 1);
if (err)
diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
index cc6853692..f2318e0d1 100644
--- a/grub-core/loader/multiboot_elfxx.c
+++ b/grub-core/loader/multiboot_elfxx.c
@@ -109,10 +109,10 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
if (load_size > mld->max_addr || mld->min_addr > mld->max_addr - load_size)
return grub_error (GRUB_ERR_BAD_OS, "invalid min/max address and/or load size");
- err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch,
- mld->min_addr, mld->max_addr - load_size,
- load_size, mld->align ? mld->align : 1,
- mld->preference, mld->avoid_efi_boot_services);
+ err = grub_relocator_alloc_chunk_align_safe (GRUB_MULTIBOOT (relocator), &ch,
+ mld->min_addr, mld->max_addr,
+ load_size, mld->align ? mld->align : 1,
+ mld->preference, mld->avoid_efi_boot_services);
if (err)
{
@@ -256,7 +256,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
continue;
err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch, 0,
- (0xffffffff - sh->sh_size) + 1,
+ UP_TO_TOP32 (sh->sh_size),
sh->sh_size, sh->sh_addralign,
GRUB_RELOCATOR_PREFERENCE_NONE,
mld->avoid_efi_boot_services);
diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c
index 0efc66062..03967839c 100644
--- a/grub-core/loader/multiboot_mbi2.c
+++ b/grub-core/loader/multiboot_mbi2.c
@@ -295,10 +295,10 @@ grub_multiboot2_load (grub_file_t file, const char *filename)
return grub_error (GRUB_ERR_BAD_OS, "invalid min/max address and/or load size");
}
- err = grub_relocator_alloc_chunk_align (grub_multiboot2_relocator, &ch,
- mld.min_addr, mld.max_addr - code_size,
- code_size, mld.align ? mld.align : 1,
- mld.preference, keep_bs);
+ err = grub_relocator_alloc_chunk_align_safe (grub_multiboot2_relocator, &ch,
+ mld.min_addr, mld.max_addr,
+ code_size, mld.align ? mld.align : 1,
+ mld.preference, keep_bs);
}
else
err = grub_relocator_alloc_chunk_addr (grub_multiboot2_relocator,
@@ -708,7 +708,7 @@ grub_multiboot2_make_mbi (grub_uint32_t *target)
COMPILE_TIME_ASSERT (MULTIBOOT_TAG_ALIGN % sizeof (grub_properly_aligned_t) == 0);
err = grub_relocator_alloc_chunk_align (grub_multiboot2_relocator, &ch,
- 0, 0xffffffff - bufsize,
+ 0, UP_TO_TOP32 (bufsize),
bufsize, MULTIBOOT_TAG_ALIGN,
GRUB_RELOCATOR_PREFERENCE_NONE, 1);
if (err)
diff --git a/grub-core/loader/xnu_resume.c b/grub-core/loader/xnu_resume.c
index 8089804d4..d648ef0cd 100644
--- a/grub-core/loader/xnu_resume.c
+++ b/grub-core/loader/xnu_resume.c
@@ -129,7 +129,7 @@ grub_xnu_resume (char *imagename)
{
grub_relocator_chunk_t ch;
err = grub_relocator_alloc_chunk_align (grub_xnu_relocator, &ch, 0,
- (0xffffffff - hibhead.image_size) + 1,
+ UP_TO_TOP32 (hibhead.image_size),
hibhead.image_size,
GRUB_XNU_PAGESIZE,
GRUB_RELOCATOR_PREFERENCE_NONE, 0);
diff --git a/include/grub/relocator.h b/include/grub/relocator.h
index 24d8672d2..1b3bdd92a 100644
--- a/include/grub/relocator.h
+++ b/include/grub/relocator.h
@@ -49,6 +49,35 @@ grub_relocator_alloc_chunk_align (struct grub_relocator *rel,
int preference,
int avoid_efi_boot_services);
+/*
+ * Wrapper for grub_relocator_alloc_chunk_align() with purpose of
+ * protecting against integer underflow.
+ *
+ * Compare to its callee, max_addr has different meaning here.
+ * It covers entire chunk and not just start address of the chunk.
+ */
+static inline grub_err_t
+grub_relocator_alloc_chunk_align_safe (struct grub_relocator *rel,
+ grub_relocator_chunk_t *out,
+ grub_phys_addr_t min_addr,
+ grub_phys_addr_t max_addr,
+ grub_size_t size, grub_size_t align,
+ int preference,
+ int avoid_efi_boot_services)
+{
+ /* Sanity check and ensure following equation (max_addr - size) is safe. */
+ if (max_addr < size || (max_addr - size) < min_addr)
+ return GRUB_ERR_OUT_OF_RANGE;
+
+ return grub_relocator_alloc_chunk_align (rel, out, min_addr,
+ max_addr - size,
+ size, align, preference,
+ avoid_efi_boot_services);
+}
+
+/* Top 32-bit address minus s bytes and plus 1 byte. */
+#define UP_TO_TOP32(s) ((~(s) & 0xffffffff) + 1)
+
#define GRUB_RELOCATOR_PREFERENCE_NONE 0
#define GRUB_RELOCATOR_PREFERENCE_LOW 1
#define GRUB_RELOCATOR_PREFERENCE_HIGH 2
--
2.26.2
@@ -0,0 +1,37 @@
From 73aa0776457066ee6ebc93486c3cf0e6b755d1b8 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Fri, 10 Jul 2020 11:21:14 +0100
Subject: [PATCH] script: Remove unused fields from grub_script_function
struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
include/grub/script_sh.h | 5 -----
1 file changed, 5 deletions(-)
diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
index 360c2be1f..b382bcf09 100644
--- a/include/grub/script_sh.h
+++ b/include/grub/script_sh.h
@@ -359,13 +359,8 @@ struct grub_script_function
/* The script function. */
struct grub_script *func;
- /* The flags. */
- unsigned flags;
-
/* The next element. */
struct grub_script_function *next;
-
- int references;
};
typedef struct grub_script_function *grub_script_function_t;
--
2.26.2
@@ -0,0 +1,113 @@
From 26349fcf80982b4d0120b73b2836e88bcf16853c Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Fri, 10 Jul 2020 14:41:45 +0100
Subject: [PATCH] script: Avoid a use-after-free when redefining a
function during execution
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Defining a new function with the same name as a previously defined
function causes the grub_script and associated resources for the
previous function to be freed. If the previous function is currently
executing when a function with the same name is defined, this results
in use-after-frees when processing subsequent commands in the original
function.
Instead, reject a new function definition if it has the same name as
a previously defined function, and that function is currently being
executed. Although a behavioural change, this should be backwards
compatible with existing configurations because they can't be
dependent on the current behaviour without being broken.
Fixes: CVE-2020-15706
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/script/execute.c | 2 ++
grub-core/script/function.c | 16 +++++++++++++---
grub-core/script/parser.y | 3 ++-
include/grub/script_sh.h | 2 ++
4 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index c8d6806fe..7e028e135 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
old_scope = scope;
scope = &new_scope;
+ func->executing++;
ret = grub_script_execute (func->func);
+ func->executing--;
function_return = 0;
active_loops = loops;
diff --git a/grub-core/script/function.c b/grub-core/script/function.c
index d36655e51..3aad04bf9 100644
--- a/grub-core/script/function.c
+++ b/grub-core/script/function.c
@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
func = (grub_script_function_t) grub_malloc (sizeof (*func));
if (! func)
return 0;
+ func->executing = 0;
func->name = grub_strdup (functionname_arg->str);
if (! func->name)
@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
grub_script_function_t q;
q = *p;
- grub_script_free (q->func);
- q->func = cmd;
grub_free (func);
- func = q;
+ if (q->executing > 0)
+ {
+ grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("attempt to redefine a function being executed"));
+ func = NULL;
+ }
+ else
+ {
+ grub_script_free (q->func);
+ q->func = cmd;
+ func = q;
+ }
}
else
{
diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
index 4f0ab8319..f80b86b6f 100644
--- a/grub-core/script/parser.y
+++ b/grub-core/script/parser.y
@@ -289,7 +289,8 @@ function: "function" "name"
grub_script_mem_free (state->func_mem);
else {
script->children = state->scripts;
- grub_script_function_create ($2, script);
+ if (!grub_script_function_create ($2, script))
+ grub_script_free (script);
}
state->scripts = $<scripts>3;
diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
index b382bcf09..6c48e0751 100644
--- a/include/grub/script_sh.h
+++ b/include/grub/script_sh.h
@@ -361,6 +361,8 @@ struct grub_script_function
/* The next element. */
struct grub_script_function *next;
+
+ unsigned executing;
};
typedef struct grub_script_function *grub_script_function_t;
--
2.26.2
@@ -0,0 +1,49 @@
From 06aa91f79f902752cb7e5d22ac0ea8e13bffd056 Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Fri, 17 Jul 2020 05:17:26 +0000
Subject: [PATCH] relocator: Fix grub_relocator_alloc_chunk_align() top
memory allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Current implementation of grub_relocator_alloc_chunk_align()
does not allow allocation of the top byte.
Assuming input args are:
max_addr = 0xfffff000;
size = 0x1000;
And this is valid. But following overflow protection will
unnecessarily move max_addr one byte down (to 0xffffefff):
if (max_addr > ~size)
max_addr = ~size;
~size + 1 will fix the situation. In addition, check size
for non zero to do not zero max_addr.
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/lib/relocator.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
index 5847aac36..f2c1944c2 100644
--- a/grub-core/lib/relocator.c
+++ b/grub-core/lib/relocator.c
@@ -1386,8 +1386,8 @@ grub_relocator_alloc_chunk_align (struct grub_relocator *rel,
};
grub_addr_t min_addr2 = 0, max_addr2;
- if (max_addr > ~size)
- max_addr = ~size;
+ if (size && (max_addr > ~size))
+ max_addr = ~size + 1;
#ifdef GRUB_MACHINE_PCBIOS
if (min_addr < 0x1000)
--
2.26.2
@@ -0,0 +1,61 @@
From feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 14:43:31 -0400
Subject: [PATCH] hfsplus: Fix two more overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Both node->size and node->namelen come from the supplied filesystem,
which may be user-supplied. We can't trust them for the math unless we
know they don't overflow. Making sure they go through grub_add() or
grub_calloc() first will give us that.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/fs/hfsplus.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index dae43becc..9c4e4c88c 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -31,6 +31,7 @@
#include <grub/hfs.h>
#include <grub/charset.h>
#include <grub/hfsplus.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
{
char *symlink;
grub_ssize_t numread;
+ grub_size_t sz = node->size;
- symlink = grub_malloc (node->size + 1);
+ if (grub_add (sz, 1, &sz))
+ return NULL;
+
+ symlink = grub_malloc (sz);
if (!symlink)
return 0;
@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
if (type == GRUB_FSHELP_UNKNOWN)
return 0;
- filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
- * GRUB_MAX_UTF8_PER_UTF16 + 1);
+ filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
+ GRUB_MAX_UTF8_PER_UTF16 + 1);
if (! filename)
return 0;
--
2.26.2
@@ -0,0 +1,116 @@
From a1845e90fc19fb5e904091bad8a378f458798e4a Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 15:48:20 -0400
Subject: [PATCH] lvm: Fix two more potential data-dependent alloc
overflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It appears to be possible to make a (possibly invalid) lvm PV with
a metadata size field that overflows our type when adding it to the
address we've allocated. Even if it doesn't, it may be possible to do so
with the math using the outcome of that as an operand. Check them both.
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
index d1df640b3..139fafd47 100644
--- a/grub-core/disk/lvm.c
+++ b/grub-core/disk/lvm.c
@@ -25,6 +25,7 @@
#include <grub/lvm.h>
#include <grub/partition.h>
#include <grub/i18n.h>
+#include <grub/safemath.h>
#ifdef GRUB_UTIL
#include <grub/emu/misc.h>
@@ -102,10 +103,11 @@ grub_lvm_detect (grub_disk_t disk,
{
grub_err_t err;
grub_uint64_t mda_offset, mda_size;
+ grub_size_t ptr;
char buf[GRUB_LVM_LABEL_SIZE];
char vg_id[GRUB_LVM_ID_STRLEN+1];
char pv_id[GRUB_LVM_ID_STRLEN+1];
- char *metadatabuf, *p, *q, *vgname;
+ char *metadatabuf, *p, *q, *mda_end, *vgname;
struct grub_lvm_label_header *lh = (struct grub_lvm_label_header *) buf;
struct grub_lvm_pv_header *pvh;
struct grub_lvm_disk_locn *dlocn;
@@ -205,19 +207,31 @@ grub_lvm_detect (grub_disk_t disk,
grub_le_to_cpu64 (rlocn->size) -
grub_le_to_cpu64 (mdah->size));
}
- p = q = metadatabuf + grub_le_to_cpu64 (rlocn->offset);
- while (*q != ' ' && q < metadatabuf + mda_size)
- q++;
-
- if (q == metadatabuf + mda_size)
+ if (grub_add ((grub_size_t)metadatabuf,
+ (grub_size_t)grub_le_to_cpu64 (rlocn->offset),
+ &ptr))
{
+ error_parsing_metadata:
#ifdef GRUB_UTIL
grub_util_info ("error parsing metadata");
#endif
goto fail2;
}
+ p = q = (char *)ptr;
+
+ if (grub_add ((grub_size_t)metadatabuf, (grub_size_t)mda_size, &ptr))
+ goto error_parsing_metadata;
+
+ mda_end = (char *)ptr;
+
+ while (*q != ' ' && q < mda_end)
+ q++;
+
+ if (q == mda_end)
+ goto error_parsing_metadata;
+
vgname_len = q - p;
vgname = grub_malloc (vgname_len + 1);
if (!vgname)
@@ -367,8 +381,26 @@ grub_lvm_detect (grub_disk_t disk,
{
const char *iptr;
char *optr;
- lv->fullname = grub_malloc (sizeof ("lvm/") - 1 + 2 * vgname_len
- + 1 + 2 * s + 1);
+
+ /*
+ * This is kind of hard to read with our safe (but rather
+ * baroque) math primatives, but it boils down to:
+ *
+ * sz0 = vgname_len * 2 + 1 +
+ * s * 2 + 1 +
+ * sizeof ("lvm/") - 1;
+ */
+ grub_size_t sz0 = vgname_len, sz1 = s;
+
+ if (grub_mul (sz0, 2, &sz0) ||
+ grub_add (sz0, 1, &sz0) ||
+ grub_mul (sz1, 2, &sz1) ||
+ grub_add (sz1, 1, &sz1) ||
+ grub_add (sz0, sz1, &sz0) ||
+ grub_add (sz0, sizeof ("lvm/") - 1, &sz0))
+ goto lvs_fail;
+
+ lv->fullname = grub_malloc (sz0);
if (!lv->fullname)
goto lvs_fail;
--
2.26.2
@@ -0,0 +1,38 @@
From 320e86747a32e4d46d24ee4b64493741c161da50 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 16:08:08 -0400
Subject: [PATCH] emu: Make grub_free(NULL) safe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The grub_free() implementation in grub-core/kern/mm.c safely handles
NULL pointers, and code at many places depends on this. We don't know
that the same is true on all host OSes, so we need to handle the same
behavior in grub-emu's implementation.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/kern/emu/mm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
index 145b01d37..4d1046a21 100644
--- a/grub-core/kern/emu/mm.c
+++ b/grub-core/kern/emu/mm.c
@@ -60,7 +60,8 @@ grub_zalloc (grub_size_t size)
void
grub_free (void *ptr)
{
- free (ptr);
+ if (ptr)
+ free (ptr);
}
void *
--
2.26.2
@@ -0,0 +1,239 @@
From c330aa099a38bc5c4d3066954fe35767cc06adb1 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sun, 19 Jul 2020 16:53:27 -0400
Subject: [PATCH] efi: Fix some malformed device path arithmetic errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Several places we take the length of a device path and subtract 4 from
it, without ever checking that it's >= 4. There are also cases where
this kind of malformation will result in unpredictable iteration,
including treating the length from one dp node as the type in the next
node. These are all errors, no matter where the data comes from.
This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which
can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH()
return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when
the length is too small. Additionally, it makes several places in the
code check for and return errors in these cases.
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/kern/efi/efi.c | 64 +++++++++++++++++++++++++-----
grub-core/loader/efi/chainloader.c | 13 +++++-
grub-core/loader/i386/xnu.c | 9 +++--
include/grub/efi/api.h | 14 ++++---
4 files changed, 79 insertions(+), 21 deletions(-)
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index dc31caa21..c97969a65 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -332,7 +332,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
dp = dp0;
- while (1)
+ while (dp)
{
grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
@@ -342,9 +342,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
if (type == GRUB_EFI_MEDIA_DEVICE_PATH_TYPE
&& subtype == GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE)
{
- grub_efi_uint16_t len;
- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
- / sizeof (grub_efi_char16_t));
+ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
+
+ if (len < 4)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ "malformed EFI Device Path node has length=%d", len);
+ return NULL;
+ }
+ len = (len - 4) / sizeof (grub_efi_char16_t);
filesize += GRUB_MAX_UTF8_PER_UTF16 * len + 2;
}
@@ -360,7 +366,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
if (!name)
return NULL;
- while (1)
+ while (dp)
{
grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
@@ -376,8 +382,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
*p++ = '/';
- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
- / sizeof (grub_efi_char16_t));
+ len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
+ if (len < 4)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ "malformed EFI Device Path node has length=%d", len);
+ return NULL;
+ }
+
+ len = (len - 4) / sizeof (grub_efi_char16_t);
fp = (grub_efi_file_path_device_path_t *) dp;
/* According to EFI spec Path Name is NULL terminated */
while (len > 0 && fp->path_name[len - 1] == 0)
@@ -452,7 +465,26 @@ grub_efi_duplicate_device_path (const grub_efi_device_path_t *dp)
;
p = GRUB_EFI_NEXT_DEVICE_PATH (p))
{
- total_size += GRUB_EFI_DEVICE_PATH_LENGTH (p);
+ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (p);
+
+ /*
+ * In the event that we find a node that's completely garbage, for
+ * example if we get to 0x7f 0x01 0x02 0x00 ... (EndInstance with a size
+ * of 2), GRUB_EFI_END_ENTIRE_DEVICE_PATH() will be true and
+ * GRUB_EFI_NEXT_DEVICE_PATH() will return NULL, so we won't continue,
+ * and neither should our consumers, but there won't be any error raised
+ * even though the device path is junk.
+ *
+ * This keeps us from passing junk down back to our caller.
+ */
+ if (len < 4)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ "malformed EFI Device Path node has length=%d", len);
+ return NULL;
+ }
+
+ total_size += len;
if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (p))
break;
}
@@ -497,7 +529,7 @@ dump_vendor_path (const char *type, grub_efi_vendor_device_path_t *vendor)
void
grub_efi_print_device_path (grub_efi_device_path_t *dp)
{
- while (1)
+ while (GRUB_EFI_DEVICE_PATH_VALID (dp))
{
grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
@@ -909,7 +941,10 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
/* Return non-zero. */
return 1;
- while (1)
+ if (dp1 == dp2)
+ return 0;
+
+ while (GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
{
grub_efi_uint8_t type1, type2;
grub_efi_uint8_t subtype1, subtype2;
@@ -945,5 +980,14 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
dp2 = (grub_efi_device_path_t *) ((char *) dp2 + len2);
}
+ /*
+ * There's no "right" answer here, but we probably don't want to call a valid
+ * dp and an invalid dp equal, so pick one way or the other.
+ */
+ if (GRUB_EFI_DEVICE_PATH_VALID (dp1) && !GRUB_EFI_DEVICE_PATH_VALID (dp2))
+ return 1;
+ else if (!GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
+ return -1;
+
return 0;
}
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index daf8c6b54..a8d7b9155 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -156,9 +156,18 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
size = 0;
d = dp;
- while (1)
+ while (d)
{
- size += GRUB_EFI_DEVICE_PATH_LENGTH (d);
+ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (d);
+
+ if (len < 4)
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE,
+ "malformed EFI Device Path node has length=%d", len);
+ return NULL;
+ }
+
+ size += len;
if ((GRUB_EFI_END_ENTIRE_DEVICE_PATH (d)))
break;
d = GRUB_EFI_NEXT_DEVICE_PATH (d);
diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
index e9e119259..a70093607 100644
--- a/grub-core/loader/i386/xnu.c
+++ b/grub-core/loader/i386/xnu.c
@@ -515,14 +515,15 @@ grub_cmd_devprop_load (grub_command_t cmd __attribute__ ((unused)),
devhead = buf;
buf = devhead + 1;
- dpstart = buf;
+ dp = dpstart = buf;
- do
+ while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)
{
- dp = buf;
buf = (char *) buf + GRUB_EFI_DEVICE_PATH_LENGTH (dp);
+ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
+ break;
+ dp = buf;
}
- while (!GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp) && buf < bufend);
dev = grub_xnu_devprop_add_device (dpstart, (char *) buf
- (char *) dpstart);
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index addcbfa8f..cf1355a8c 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -625,6 +625,7 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
#define GRUB_EFI_DEVICE_PATH_TYPE(dp) ((dp)->type & 0x7f)
#define GRUB_EFI_DEVICE_PATH_SUBTYPE(dp) ((dp)->subtype)
#define GRUB_EFI_DEVICE_PATH_LENGTH(dp) ((dp)->length)
+#define GRUB_EFI_DEVICE_PATH_VALID(dp) ((dp) != NULL && GRUB_EFI_DEVICE_PATH_LENGTH (dp) >= 4)
/* The End of Device Path nodes. */
#define GRUB_EFI_END_DEVICE_PATH_TYPE (0xff & 0x7f)
@@ -633,13 +634,16 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
#define GRUB_EFI_END_THIS_DEVICE_PATH_SUBTYPE 0x01
#define GRUB_EFI_END_ENTIRE_DEVICE_PATH(dp) \
- (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
- && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
- == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE))
+ (!GRUB_EFI_DEVICE_PATH_VALID (dp) || \
+ (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
+ && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
+ == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE)))
#define GRUB_EFI_NEXT_DEVICE_PATH(dp) \
- ((grub_efi_device_path_t *) ((char *) (dp) \
- + GRUB_EFI_DEVICE_PATH_LENGTH (dp)))
+ (GRUB_EFI_DEVICE_PATH_VALID (dp) \
+ ? ((grub_efi_device_path_t *) \
+ ((char *) (dp) + GRUB_EFI_DEVICE_PATH_LENGTH (dp))) \
+ : NULL)
/* Hardware Device Path. */
#define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1
--
2.26.2
@@ -0,0 +1,78 @@
From fb55bc37dd510911df4eaf649da939f5fafdc7ce Mon Sep 17 00:00:00 2001
From: Daniel Kiper <daniel.kiper@oracle.com>
Date: Wed, 29 Jul 2020 13:38:31 +0200
Subject: [PATCH] efi/chainloader: Propagate errors from copy_file_path()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Without any error propagated to the caller, make_file_path()
would then try to advance the invalid device path node with
GRUB_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL
pointer that would subsequently be dereferenced. Hence, propagate
errors from copy_file_path().
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/loader/efi/chainloader.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index a8d7b9155..7b31c3fb9 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -106,7 +106,7 @@ grub_chainloader_boot (void)
return grub_errno;
}
-static void
+static grub_err_t
copy_file_path (grub_efi_file_path_device_path_t *fp,
const char *str, grub_efi_uint16_t len)
{
@@ -118,7 +118,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
if (!path_name)
- return;
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "failed to allocate path buffer");
size = grub_utf8_to_utf16 (path_name, len * GRUB_MAX_UTF16_PER_UTF8,
(const grub_uint8_t *) str, len, 0);
@@ -131,6 +131,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
fp->path_name[size++] = '\0';
fp->header.length = size * sizeof (grub_efi_char16_t) + sizeof (*fp);
grub_free (path_name);
+ return GRUB_ERR_NONE;
}
static grub_efi_device_path_t *
@@ -189,13 +190,19 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
d = (grub_efi_device_path_t *) ((char *) file_path
+ ((char *) d - (char *) dp));
grub_efi_print_device_path (d);
- copy_file_path ((grub_efi_file_path_device_path_t *) d,
- dir_start, dir_end - dir_start);
+ if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
+ dir_start, dir_end - dir_start) != GRUB_ERR_NONE)
+ {
+ fail:
+ grub_free (file_path);
+ return 0;
+ }
/* Fill the file path for the file. */
d = GRUB_EFI_NEXT_DEVICE_PATH (d);
- copy_file_path ((grub_efi_file_path_device_path_t *) d,
- dir_end + 1, grub_strlen (dir_end + 1));
+ if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
+ dir_end + 1, grub_strlen (dir_end + 1)) != GRUB_ERR_NONE)
+ goto fail;
/* Fill the end of device path nodes. */
d = GRUB_EFI_NEXT_DEVICE_PATH (d);
--
2.26.2
@@ -0,0 +1,183 @@
From 8a6d6299efcffd14c1130942195e6c0d9b50cacd Mon Sep 17 00:00:00 2001
From: Alexey Makhalov <amakhalov@vmware.com>
Date: Mon, 20 Jul 2020 23:03:05 +0000
Subject: [PATCH] efi: Fix use-after-free in halt/reboot path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
commit 92bfc33db984 ("efi: Free malloc regions on exit")
introduced memory freeing in grub_efi_fini(), which is
used not only by exit path but by halt/reboot one as well.
As result of memory freeing, code and data regions used by
modules, such as halt, reboot, acpi (used by halt) also got
freed. After return to module code, CPU executes, filled
by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as
a code. Which leads to #UD exception later.
grub> halt
!!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!!
RIP - 0000000003F4EC28, CS - 0000000000000038, RFLAGS - 0000000000200246
RAX - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41
RBX - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000
RSI - 00000000064DB768, RDI - 000000000832C5C3
R8 - 0000000000000002, R9 - 0000000000000000, R10 - 00000000061E2E52
R11 - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4
R14 - 0000000003E10D80, R15 - 00000000061E2F60
DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030
GS - 0000000000000030, SS - 0000000000000030
CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000
CR4 - 0000000000000668, CR8 - 0000000000000000
DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000
IDTR - 0000000007598018 0000000000000FFF, TR - 0000000000000000
FXSAVE_STATE - 0000000007F0F4C0
Proposal here is to continue to free allocated memory for
exit boot services path but keep it for halt/reboot path
as it won't be much security concern here.
Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY
loader flag to be used by efi halt/reboot path.
Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/kern/arm/efi/init.c | 3 +++
grub-core/kern/arm64/efi/init.c | 3 +++
grub-core/kern/efi/efi.c | 3 ++-
grub-core/kern/efi/init.c | 1 -
grub-core/kern/i386/efi/init.c | 9 +++++++--
grub-core/kern/ia64/efi/init.c | 9 +++++++--
grub-core/kern/riscv/efi/init.c | 3 +++
grub-core/lib/efi/halt.c | 3 ++-
include/grub/loader.h | 1 +
9 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/grub-core/kern/arm/efi/init.c b/grub-core/kern/arm/efi/init.c
index 06df60e2f..40c3b467f 100644
--- a/grub-core/kern/arm/efi/init.c
+++ b/grub-core/kern/arm/efi/init.c
@@ -71,4 +71,7 @@ grub_machine_fini (int flags)
efi_call_1 (b->close_event, tmr_evt);
grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/arm64/efi/init.c b/grub-core/kern/arm64/efi/init.c
index 6224999ec..5010caefd 100644
--- a/grub-core/kern/arm64/efi/init.c
+++ b/grub-core/kern/arm64/efi/init.c
@@ -57,4 +57,7 @@ grub_machine_fini (int flags)
return;
grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index c97969a65..9cfd88d77 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -157,7 +157,8 @@ grub_efi_get_loaded_image (grub_efi_handle_t image_handle)
void
grub_reboot (void)
{
- grub_machine_fini (GRUB_LOADER_FLAG_NORETURN);
+ grub_machine_fini (GRUB_LOADER_FLAG_NORETURN |
+ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY);
efi_call_4 (grub_efi_system_table->runtime_services->reset_system,
GRUB_EFI_RESET_COLD, GRUB_EFI_SUCCESS, 0, NULL);
for (;;) ;
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 3dfdf2d22..2c31847bf 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -80,5 +80,4 @@ grub_efi_fini (void)
{
grub_efidisk_fini ();
grub_console_fini ();
- grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/i386/efi/init.c b/grub-core/kern/i386/efi/init.c
index da499aba0..deb2eacd8 100644
--- a/grub-core/kern/i386/efi/init.c
+++ b/grub-core/kern/i386/efi/init.c
@@ -39,6 +39,11 @@ grub_machine_init (void)
void
grub_machine_fini (int flags)
{
- if (flags & GRUB_LOADER_FLAG_NORETURN)
- grub_efi_fini ();
+ if (!(flags & GRUB_LOADER_FLAG_NORETURN))
+ return;
+
+ grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/ia64/efi/init.c b/grub-core/kern/ia64/efi/init.c
index b5ecbd091..f1965571b 100644
--- a/grub-core/kern/ia64/efi/init.c
+++ b/grub-core/kern/ia64/efi/init.c
@@ -70,6 +70,11 @@ grub_machine_init (void)
void
grub_machine_fini (int flags)
{
- if (flags & GRUB_LOADER_FLAG_NORETURN)
- grub_efi_fini ();
+ if (!(flags & GRUB_LOADER_FLAG_NORETURN))
+ return;
+
+ grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/kern/riscv/efi/init.c b/grub-core/kern/riscv/efi/init.c
index 7eb1969d0..38795fe67 100644
--- a/grub-core/kern/riscv/efi/init.c
+++ b/grub-core/kern/riscv/efi/init.c
@@ -73,4 +73,7 @@ grub_machine_fini (int flags)
return;
grub_efi_fini ();
+
+ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
+ grub_efi_memory_fini ();
}
diff --git a/grub-core/lib/efi/halt.c b/grub-core/lib/efi/halt.c
index 5859f0498..29d413641 100644
--- a/grub-core/lib/efi/halt.c
+++ b/grub-core/lib/efi/halt.c
@@ -28,7 +28,8 @@
void
grub_halt (void)
{
- grub_machine_fini (GRUB_LOADER_FLAG_NORETURN);
+ grub_machine_fini (GRUB_LOADER_FLAG_NORETURN |
+ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY);
#if !defined(__ia64__) && !defined(__arm__) && !defined(__aarch64__) && \
!defined(__riscv)
grub_acpi_halt ();
diff --git a/include/grub/loader.h b/include/grub/loader.h
index 7f82a499f..b20864282 100644
--- a/include/grub/loader.h
+++ b/include/grub/loader.h
@@ -33,6 +33,7 @@ enum
{
GRUB_LOADER_FLAG_NORETURN = 1,
GRUB_LOADER_FLAG_PXE_NOT_UNLOAD = 2,
+ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY = 4,
};
void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
--
2.26.2
@@ -0,0 +1,32 @@
From a2a7464e9f10a677d6f91e1c4fa527d084c22e7c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 24 Jul 2020 13:57:27 -0400
Subject: [PATCH] loader/linux: Avoid overflow on initrd size calculation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/loader/linux.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 471b214d6..4cd8c20c7 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -151,8 +151,7 @@ grub_initrd_init (int argc, char *argv[],
initrd_ctx->nfiles = 0;
initrd_ctx->components = 0;
- initrd_ctx->components = grub_zalloc (argc
- * sizeof (initrd_ctx->components[0]));
+ initrd_ctx->components = grub_calloc (argc, sizeof (initrd_ctx->components[0]));
if (!initrd_ctx->components)
return grub_errno;
--
2.26.2
@@ -0,0 +1,173 @@
From 0367e7d1b9bac3a78608a672bf6e4ace6a28b964 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sat, 25 Jul 2020 12:15:37 +0100
Subject: [PATCH] linux: Fix integer overflows in initrd size handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These could be triggered by a crafted filesystem with very large files.
Fixes: CVE-2020-15707
Signed-off-by: Colin Watson <cjwatson@debian.org>
Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
---
grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++-----------
1 file changed, 54 insertions(+), 20 deletions(-)
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 4cd8c20c7..3fe390f17 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -4,6 +4,7 @@
#include <grub/misc.h>
#include <grub/file.h>
#include <grub/mm.h>
+#include <grub/safemath.h>
struct newc_head
{
@@ -98,13 +99,13 @@ free_dir (struct dir *root)
grub_free (root);
}
-static grub_size_t
+static grub_err_t
insert_dir (const char *name, struct dir **root,
- grub_uint8_t *ptr)
+ grub_uint8_t *ptr, grub_size_t *size)
{
struct dir *cur, **head = root;
const char *cb, *ce = name;
- grub_size_t size = 0;
+ *size = 0;
while (1)
{
for (cb = ce; *cb == '/'; cb++);
@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
ptr = make_header (ptr, name, ce - name,
040777, 0);
}
- size += ALIGN_UP ((ce - (char *) name)
- + sizeof (struct newc_head), 4);
+ if (grub_add (*size,
+ ALIGN_UP ((ce - (char *) name)
+ + sizeof (struct newc_head), 4),
+ size))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ grub_free (n->name);
+ grub_free (n);
+ return grub_errno;
+ }
*head = n;
cur = n;
}
root = &cur->next;
}
- return size;
+ return GRUB_ERR_NONE;
}
grub_err_t
@@ -172,26 +181,33 @@ grub_initrd_init (int argc, char *argv[],
eptr = grub_strchr (ptr, ':');
if (eptr)
{
+ grub_size_t dir_size, name_len;
+
initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
- if (!initrd_ctx->components[i].newc_name)
+ if (!initrd_ctx->components[i].newc_name ||
+ insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
+ &dir_size))
{
grub_initrd_close (initrd_ctx);
return grub_errno;
}
- initrd_ctx->size
- += ALIGN_UP (sizeof (struct newc_head)
- + grub_strlen (initrd_ctx->components[i].newc_name),
- 4);
- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
- &root, 0);
+ name_len = grub_strlen (initrd_ctx->components[i].newc_name);
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
+ &initrd_ctx->size) ||
+ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
+ goto overflow;
newc = 1;
fname = eptr + 1;
}
}
else if (newc)
{
- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
- + sizeof ("TRAILER!!!") - 1, 4);
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head)
+ + sizeof ("TRAILER!!!") - 1, 4),
+ &initrd_ctx->size))
+ goto overflow;
free_dir (root);
root = 0;
newc = 0;
@@ -207,19 +223,29 @@ grub_initrd_init (int argc, char *argv[],
initrd_ctx->nfiles++;
initrd_ctx->components[i].size
= grub_file_size (initrd_ctx->components[i].file);
- initrd_ctx->size += initrd_ctx->components[i].size;
+ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
+ &initrd_ctx->size))
+ goto overflow;
}
if (newc)
{
initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
- + sizeof ("TRAILER!!!") - 1, 4);
+ if (grub_add (initrd_ctx->size,
+ ALIGN_UP (sizeof (struct newc_head)
+ + sizeof ("TRAILER!!!") - 1, 4),
+ &initrd_ctx->size))
+ goto overflow;
free_dir (root);
root = 0;
}
return GRUB_ERR_NONE;
+
+ overflow:
+ free_dir (root);
+ grub_initrd_close (initrd_ctx);
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
}
grub_size_t
@@ -260,8 +286,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
if (initrd_ctx->components[i].newc_name)
{
- ptr += insert_dir (initrd_ctx->components[i].newc_name,
- &root, ptr);
+ grub_size_t dir_size;
+
+ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
+ &dir_size))
+ {
+ free_dir (root);
+ grub_initrd_close (initrd_ctx);
+ return grub_errno;
+ }
+ ptr += dir_size;
ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
grub_strlen (initrd_ctx->components[i].newc_name),
0100777,
--
2.26.2
+11
View File
@@ -21,6 +21,17 @@ endef
GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF
HOST_GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF
# 0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
GRUB2_IGNORE_CVES += CVE-2020-10713
# 0005-calloc-Use-calloc-at-most-places.patch
GRUB2_IGNORE_CVES += CVE-2020-14308
# 0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch
GRUB2_IGNORE_CVES += CVE-2020-14309 CVE-2020-14310 CVE-2020-14311
# 0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch
GRUB2_IGNORE_CVES += CVE-2020-15706
# 0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch
GRUB2_IGNORE_CVES += CVE-2020-15707
ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
GRUB2_INSTALL_TARGET = YES
else
+4 -3
View File
@@ -16,6 +16,7 @@ UBOOT_INSTALL_IMAGES = YES
# u-boot 2020.01+ needs make 4.0+
UBOOT_DEPENDENCIES = $(BR2_MAKE_HOST_DEPENDENCY)
UBOOT_MAKE = $(BR2_MAKE)
ifeq ($(UBOOT_VERSION),custom)
# Handle custom U-Boot tarballs as specified by the configuration
@@ -247,7 +248,7 @@ UBOOT_POST_PATCH_HOOKS += UBOOT_FIXUP_LIBFDT_INCLUDE
ifeq ($(BR2_TARGET_UBOOT_BUILD_SYSTEM_LEGACY),y)
define UBOOT_CONFIGURE_CMDS
$(TARGET_CONFIGURE_OPTS) \
$(BR2_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \
$(UBOOT_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \
$(UBOOT_BOARD_NAME)_config
endef
else ifeq ($(BR2_TARGET_UBOOT_BUILD_SYSTEM_KCONFIG),y)
@@ -284,7 +285,7 @@ define UBOOT_BUILD_CMDS
cp -f $(UBOOT_CUSTOM_DTS_PATH) $(@D)/arch/$(UBOOT_ARCH)/dts/
)
$(TARGET_CONFIGURE_OPTS) \
$(BR2_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \
$(UBOOT_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \
$(UBOOT_MAKE_TARGET)
$(if $(BR2_TARGET_UBOOT_FORMAT_SD),
$(@D)/tools/mxsboot sd $(@D)/u-boot.sb $(@D)/u-boot.sd)
@@ -484,7 +485,7 @@ ifeq ($(call qstrip,$(BR2_TARGET_UBOOT_CUSTOM_REPO_URL)),)
$(error No custom U-Boot repository URL specified. Check your BR2_TARGET_UBOOT_CUSTOM_REPO_URL setting)
endif # qstrip BR2_TARGET_UBOOT_CUSTOM_CUSTOM_REPO_URL
ifeq ($(call qstrip,$(BR2_TARGET_UBOOT_CUSTOM_REPO_VERSION)),)
$(error No custom U-Boot repository URL specified. Check your BR2_TARGET_UBOOT_CUSTOM_REPO_VERSION setting)
$(error No custom U-Boot repository version specified. Check your BR2_TARGET_UBOOT_CUSTOM_REPO_VERSION setting)
endif # qstrip BR2_TARGET_UBOOT_CUSTOM_CUSTOM_REPO_VERSION
endif # BR2_TARGET_UBOOT_CUSTOM_GIT || BR2_TARGET_UBOOT_CUSTOM_HG
+1 -4
View File
@@ -20,11 +20,8 @@ BR2_PACKAGE_FBV=y
BR2_PACKAGE_QT5=y
BR2_PACKAGE_QT5BASE_EXAMPLES=y
BR2_PACKAGE_QT5BASE_EGLFS=y
BR2_PACKAGE_QT5BASE_DEFAULT_QPA="wayland"
BR2_PACKAGE_QT5BASE_DEFAULT_QPA="eglfs"
BR2_PACKAGE_QT5QUICKCONTROLS=y
BR2_PACKAGE_QT5WAYLAND=y
BR2_PACKAGE_QT5WAYLAND_COMPOSITOR=y
BR2_PACKAGE_WESTON=y
BR2_PACKAGE_TI_SGX_DEMOS=y
BR2_PACKAGE_TI_SGX_KM=y
BR2_PACKAGE_TI_SGX_UM=y
+14 -4
View File
@@ -10,9 +10,9 @@ that is known to work. You are welcome to add support for other boards
to Buildroot too.
To do so, you need to create a normal Buildroot configuration that
builds a basic system for the hardware: toolchain, kernel, bootloader,
filesystem and a simple BusyBox-only userspace. No specific package
should be selected: the configuration should be as minimal as
builds a basic system for the hardware: (internal) toolchain, kernel,
bootloader, filesystem and a simple BusyBox-only userspace. No specific
package should be selected: the configuration should be as minimal as
possible, and should only build a working basic BusyBox system for the
target platform. You can of course use more complicated configurations
for your internal projects, but the Buildroot project will only
@@ -22,7 +22,17 @@ selections are highly application-specific.
Once you have a known working configuration, run +make
savedefconfig+. This will generate a minimal +defconfig+ file at the
root of the Buildroot source tree. Move this file into the +configs/+
directory, and rename it +<boardname>_defconfig+.
directory, and rename it +<boardname>_defconfig+. If the configuration
is a bit more complicated, it is nice to manually reformat it and
separate it into sections, with a comment before each section. Typical
sections are _Architecture_, _Toolchain options_ (typically just linux
headers version), _Firmware_, _Bootloader_, _Kernel_, and _Filesystem_.
Always use fixed versions or commit hashes for the different
components, not the "latest" version. For example, set
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y+ and
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE+ to the kernel version you tested
with.
It is recommended to use as much as possible upstream versions of the
Linux kernel and bootloaders, and to use as much as possible default
+20 -21
View File
@@ -47,32 +47,31 @@ package. Let's start with an example:
13: FOO_DEPENDENCIES = host-cargo
14:
15: FOO_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo
16: FOO_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release)
17:
18: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
19:
20: FOO_CARGO_OPTS = \
21: --$(FOO_CARGO_MODE) \
22: --target=$(RUSTC_TARGET_NAME) \
23: --manifest-path=$(@D)/Cargo.toml
24:
25: define FOO_BUILD_CMDS
26: $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
27: cargo build $(FOO_CARGO_OPTS)
28: endef
29:
30: define FOO_INSTALL_TARGET_CMDS
31: $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
32: $(TARGET_DIR)/usr/bin/foo
33: endef
34:
35: $(eval $(generic-package))
16:
17: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
18:
19: FOO_CARGO_OPTS = \
20: $(if $(BR2_ENABLE_DEBUG),,--release) \
21: --target=$(RUSTC_TARGET_NAME) \
22: --manifest-path=$(@D)/Cargo.toml
23:
24: define FOO_BUILD_CMDS
25: $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
26: cargo build $(FOO_CARGO_OPTS)
27: endef
28:
29: define FOO_INSTALL_TARGET_CMDS
30: $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
31: $(TARGET_DIR)/usr/bin/foo
32: endef
33:
34: $(eval $(generic-package))
--------------------------------
The Makefile starts with the definition of the standard variables for package
declaration (lines 7 to 11).
As seen in line 35, it is based on the
As seen in line 34, it is based on the
xref:generic-package-tutorial[+generic-package+ infrastructure]. So, it defines
the variables required by this particular infrastructure, where Cargo is
invoked:
+1 -1
View File
@@ -34,7 +34,7 @@ will automatically download the tarball from this location.
On line 10, we tell Buildroot what options to enable for libfoo.
On line 11, we tell Buildroot the depednencies of libfoo.
On line 11, we tell Buildroot the dependencies of libfoo.
Finally, on line line 13, we invoke the +waf-package+
macro that generates all the Makefile rules that actually allows the
+31
View File
@@ -371,6 +371,37 @@ in the following cases:
* whenever you feel it will help presenting your work, your choices,
the review process, etc.
==== Patches for maintenance branches
When fixing bugs on a maintenance branch, bugs should be fixed on the
master branch first. The commit log for such a patch may then contain a
post-commit note specifying what branches are affected:
----
package/foo: fix stuff
Signed-off-by: Your Real Name <your@email.address>
---
Backport to: 2020.02.x, 2020.05.x
(2020.08.x not affected as the version was bumped)
----
Those changes will then be backported by a maintainer to the affected
branches.
However, some bugs may apply only to a specific release, for example
because it is using an older version of a package. In that case, patches
should be based off the maintenance branch, and the patch subject prefix
must include the maintenance branch name (for example "[PATCH 2020.02.x]").
This can be done with the +git format-patch+ flag +--subject-prefix+:
---------------------
$ git format-patch --subject-prefix "PATCH 2020.02.x" \
-M -s -o outgoing origin/2020.02.x
---------------------
Then send the patches with +git send-email+, as described above.
==== Patch revision changelog
When improvements are requested, the new revision of each commit
+11
View File
@@ -1,4 +1,15 @@
#!/bin/sh
# devtmpfs does not get automounted for initramfs
/bin/mount -t devtmpfs devtmpfs /dev
# use the /dev/console device node from devtmpfs if possible to not
# confuse glibc's ttyname_r().
# This may fail (E.G. booted with console=), and errors from exec will
# terminate the shell, so use a subshell for the test
if (exec 0</dev/console) 2>/dev/null; then
exec 0</dev/console
exec 1>/dev/console
exec 2>/dev/console
fi
exec /sbin/init "$@"
+6 -6
View File
@@ -30,7 +30,7 @@ config BR2_LINUX_KERNEL_LATEST_VERSION
bool "Latest version (5.4)"
config BR2_LINUX_KERNEL_LATEST_CIP_VERSION
bool "Latest CIP SLTS version (4.19.118-cip25)"
bool "Latest CIP SLTS version (4.19.152-cip37)"
help
CIP launched in the spring of 2016 to address the needs of
organizations in industries such as power generation and
@@ -43,13 +43,13 @@ config BR2_LINUX_KERNEL_LATEST_CIP_VERSION
implementation of software building blocks that meet
these requirements.
The CIP community plans to maintain 4.4 for security and
The CIP community plans to maintain 4.19 for security and
bug fixes for more than 10 years.
https://www.cip-project.org
config BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION
bool "Latest CIP RT SLTS version (4.19.115-cip24-rt9)"
bool "Latest CIP RT SLTS version (4.19.152-cip37-rt16)"
help
Same as the CIP version, but this is the PREEMPT_RT realtime
variant.
@@ -128,9 +128,9 @@ endif
config BR2_LINUX_KERNEL_VERSION
string
default "5.4.45" if BR2_LINUX_KERNEL_LATEST_VERSION
default "4.19.118-cip25" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
default "4.19.115-cip24-rt9" if BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION
default "5.4.83" if BR2_LINUX_KERNEL_LATEST_VERSION
default "4.19.152-cip37" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
default "4.19.152-cip37-rt16" if BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION
default BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE \
if BR2_LINUX_KERNEL_CUSTOM_VERSION
default "custom" if BR2_LINUX_KERNEL_CUSTOM_TARBALL
+7 -7
View File
@@ -1,13 +1,13 @@
# From https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
sha256 103f039f34a9009c42ea643b4f473bda6bb9607d5ad7f63b56b3e2351615fe2e linux-5.4.45.tar.xz
sha256 beec970bbb93de8ab839f27930f7ab00c7bd65af0ffa07a50e765affdc2561c6 linux-5.4.83.tar.xz
# From https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
sha256 418299385195f09b27e371a35f305f3aff148e7557a341b53460091303aa9bb7 linux-4.4.226.tar.xz
sha256 460a8c168fe5c60ce5b30015a4e4bf348d93a89f8b949de1f90779567ef345ca linux-4.9.226.tar.xz
sha256 4265afef56819b04656107a5abecde205c5bc5fb04b2e81447955e7e45db8085 linux-4.14.183.tar.xz
sha256 82af886bc588b5c8d7474beb2bac13810ee3ed07da356a2553c81ae8e52e586f linux-4.19.127.tar.xz
sha256 e52a49ceb639d871478a143c314648c35e22222c317ecdf49866830fea5c3dfc linux-4.4.248.tar.xz
sha256 4687268061c9933c298b30d28e4bf1a30dfbab7c0da4bee194968e4f81ffeccf linux-4.9.248.tar.xz
sha256 0e1bc32c4842c3bbee3a15454408f528acd4d3c5e83312b93008d5ee2e9a0c79 linux-4.14.212.tar.xz
sha256 3eeec4e5eb8a129be3536357ecb028fae7d82fac933dcfac0b6089ee398fc5fc linux-4.19.163.tar.xz
# Locally computed
sha256 ea53913813cb5a9069608532b327de7a7ed0fdc8fed8c6f10cd55d1ac6a58ffb linux-cip-4.19.118-cip25.tar.gz
sha256 7f0a0db0e1cfb14053523f4432f1ad1468b5bd42305b44905c4b103466c8d655 linux-cip-4.19.115-cip24-rt9.tar.gz
sha256 d2a06f52143deb929b8d513cf9afc9bd065951389a80fa70bc4d63025b5b3fb9 linux-cip-4.19.152-cip37.tar.gz
sha256 bc1dacd3d0f526de3e8754a444e8e02a54521527af639ddb907cb35cda775a8c linux-cip-4.19.152-cip37-rt16.tar.gz
# Licenses hashes
sha256 ee5808b032a67f587d3541099d46de34f5bec8cd5976114ba07f1299ee6001ff COPYING
+4 -2
View File
@@ -160,7 +160,8 @@ endif
# Get the real Linux version, which tells us where kernel modules are
# going to be installed in the target filesystem.
LINUX_VERSION_PROBED = `$(MAKE) $(LINUX_MAKE_FLAGS) -C $(LINUX_DIR) --no-print-directory -s kernelrelease 2>/dev/null`
# Filter out 'w' from MAKEFLAGS, to workaround a bug in make 4.1 (#13141)
LINUX_VERSION_PROBED = `MAKEFLAGS='$(filter-out w,$(MAKEFLAGS))' $(MAKE) $(LINUX_MAKE_FLAGS) -C $(LINUX_DIR) --no-print-directory -s kernelrelease 2>/dev/null`
LINUX_DTS_NAME += $(call qstrip,$(BR2_LINUX_KERNEL_INTREE_DTS_NAME))
@@ -531,7 +532,8 @@ endef
# Run depmod in a target-finalize hook, to encompass modules installed by
# packages.
define LINUX_RUN_DEPMOD
if grep -q "CONFIG_MODULES=y" $(LINUX_DIR)/.config; then \
if test -d $(TARGET_DIR)/lib/modules/$(LINUX_VERSION_PROBED) \
&& grep -q "CONFIG_MODULES=y" $(LINUX_DIR)/.config; then \
$(HOST_DIR)/sbin/depmod -a -b $(TARGET_DIR) $(LINUX_VERSION_PROBED); \
fi
endef
+2 -2
View File
@@ -90,10 +90,10 @@ define ALSA_UTILS_INSTALL_INIT_SYSTEMD
$(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service
$(INSTALL) -D -m 0644 $(@D)/alsactl/alsa-state.service \
$(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service
mkdir $(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d
$(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d
printf '[Install]\nWantedBy=multi-user.target\n' \
>$(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d/buildroot-enable.conf
mkdir $(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d
$(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d
printf '[Install]\nWantedBy=multi-user.target\n' \
>$(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d/buildroot-enable.conf;
endef
+2 -2
View File
@@ -1,3 +1,3 @@
# Locally computed:
sha256 7182e7f39b921469157971d9e0783745758df4b625322d606ec7d9abf2b28af2 angular-1.7.9.zip
sha256 2420c59374dcdc1ca9721c334a32afee92f0610280cae0d1b3952b1279bc2b24 angular.js
sha256 c4098f594dc24cc4c8ad469c6d5785a65c0df812afe9f56ea0e4d3490c2fd46d angular-1.8.0.zip
sha256 c7df41bc00628bec220b0378dc1f2f5041980758403b6f24b9774ac43a9186d8 angular.js
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
ANGULARJS_VERSION = 1.7.9
ANGULARJS_VERSION = 1.8.0
ANGULARJS_SOURCE = angular-$(ANGULARJS_VERSION).zip
ANGULARJS_SITE = https://code.angularjs.org/$(ANGULARJS_VERSION)
ANGULARJS_LICENSE = MIT
+3 -2
View File
@@ -1,4 +1,5 @@
# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256
sha256 a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 httpd-2.4.43.tar.bz2
# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.{sha256,sha512}
sha256 740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea httpd-2.4.46.tar.bz2
sha512 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2
# Locally computed
sha256 47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43 LICENSE
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
APACHE_VERSION = 2.4.43
APACHE_VERSION = 2.4.46
APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2
APACHE_SITE = http://archive.apache.org/dist/httpd
APACHE_LICENSE = Apache-2.0
@@ -0,0 +1,104 @@
From 7f0f1e7e34f997eef697856804dd478b54bb365e Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Tue, 22 Dec 2020 10:45:21 +0100
Subject: [PATCH] CMakeLists.txt: respect BUILD_TESTING=OFF
Allow the user to disable unit tests through BUILD_TESTING=OFF:
https://cmake.org/cmake/help/latest/command/enable_testing.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Upstream status: https://github.com/apitrace/apitrace/pull/698]
---
CMakeLists.txt | 6 +++++-
gui/CMakeLists.txt | 6 ++++--
lib/guids/CMakeLists.txt | 6 ++++--
lib/os/CMakeLists.txt | 6 ++++--
lib/trace/CMakeLists.txt | 6 ++++--
5 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4a07f069..ee401887 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -41,6 +41,8 @@ option (ENABLE_FRAME_POINTER "Disable frame pointer omission" ON)
option (ENABLE_ASAN "Enable Address Sanitizer" OFF)
+option (BUILD_TESTING "Enable unit tests" ON)
+
option (ENABLE_TESTS "Enable additional tests" OFF)
if (ANDROID)
@@ -433,7 +435,9 @@ endmacro ()
# which subdirectory they are declared
set (CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR})
-enable_testing ()
+if (BUILD_TESTING)
+ enable_testing ()
+endif ()
if (CMAKE_CROSSCOMPILING)
add_custom_target (check)
elseif (DEFINED CMAKE_BUILD_TYPE)
diff --git a/gui/CMakeLists.txt b/gui/CMakeLists.txt
index 5baf3552..ad6ee501 100644
--- a/gui/CMakeLists.txt
+++ b/gui/CMakeLists.txt
@@ -13,8 +13,10 @@ add_library (qubjson STATIC
qubjson.cpp
)
-add_gtest (qubjson_test qubjson_test.cpp)
-target_link_libraries (qubjson_test qubjson)
+if (BUILD_TESTING)
+ add_gtest (qubjson_test qubjson_test.cpp)
+ target_link_libraries (qubjson_test qubjson)
+endif ()
set(qapitrace_SRCS
apisurface.cpp
diff --git a/lib/guids/CMakeLists.txt b/lib/guids/CMakeLists.txt
index ce0f86da..ea28a18f 100644
--- a/lib/guids/CMakeLists.txt
+++ b/lib/guids/CMakeLists.txt
@@ -5,5 +5,7 @@ add_library (guids STATIC
guids.hpp
)
-add_gtest (guids_test guids_test.cpp)
-target_link_libraries (guids_test guids)
+if (BUILD_TESTING)
+ add_gtest (guids_test guids_test.cpp)
+ target_link_libraries (guids_test guids)
+endif ()
diff --git a/lib/os/CMakeLists.txt b/lib/os/CMakeLists.txt
index 222411e0..b7134b57 100644
--- a/lib/os/CMakeLists.txt
+++ b/lib/os/CMakeLists.txt
@@ -36,5 +36,7 @@ if (APPLE)
)
endif ()
-add_gtest (os_thread_test os_thread_test.cpp)
-target_link_libraries (os_thread_test os)
+if (BUILD_TESTING)
+ add_gtest (os_thread_test os_thread_test.cpp)
+ target_link_libraries (os_thread_test os)
+endif ()
diff --git a/lib/trace/CMakeLists.txt b/lib/trace/CMakeLists.txt
index c68bd00f..d95df978 100644
--- a/lib/trace/CMakeLists.txt
+++ b/lib/trace/CMakeLists.txt
@@ -34,5 +34,7 @@ target_link_libraries (common
brotli_dec brotli_common
)
-add_gtest (trace_parser_flags_test trace_parser_flags_test.cpp)
-target_link_libraries (trace_parser_flags_test common)
+if (BUILD_TESTING)
+ add_gtest (trace_parser_flags_test trace_parser_flags_test.cpp)
+ target_link_libraries (trace_parser_flags_test common)
+endif ()
--
2.29.2
+4 -1
View File
@@ -1,2 +1,5 @@
# Locally calculated after checking pgp signature
sha256 dec79694da1319acd2238ce95df57f3680fea2482096e483323fddf3d818d8be argp-standalone-1.3.tar.gz
sha256 dec79694da1319acd2238ce95df57f3680fea2482096e483323fddf3d818d8be argp-standalone-1.3.tar.gz
# License file
sha256 bbb8919aa520069b0234faf5e83a94052d278419ffe97ca8e843ecc9b212d1ab argp.h
@@ -8,6 +8,7 @@ ARGP_STANDALONE_VERSION = 1.3
ARGP_STANDALONE_SITE = http://www.lysator.liu.se/~nisse/archive
ARGP_STANDALONE_INSTALL_STAGING = YES
ARGP_STANDALONE_LICENSE = LGPL-2.0+
ARGP_STANDALONE_LICENSE_FILES = argp.h
ARGP_STANDALONE_CONF_ENV = \
CFLAGS="$(TARGET_CFLAGS) -fPIC -fgnu89-inline"
+2 -2
View File
@@ -1,5 +1,5 @@
# Locally computed
sha256 f0ba5e3c4ef46f6657dd3a7167190f9b6cd6bbf4af09ecc291a9d5868b477609 asterisk-16.10.0.tar.gz
sha256 226eaef400d2d335ce29d7b3c8aca8dfdfc5e854c215e0c47615c095ced12171 asterisk-16.14.1.tar.gz
# sha1 from: http://downloads.asterisk.org/pub/telephony/sounds/releases
# sha256 locally computed
@@ -12,4 +12,4 @@ sha256 449fb810d16502c3052fedf02f7e77b36206ac5a145f3dacf4177843a2fcb538 asteri
sha256 82af40ed7f49c08685360811993d9396320842f021df828801d733e8fdc0312f COPYING
sha256 ac5571f00e558e3b7c9b3f13f421b874cc12cf4250c4f70094c71544cf486312 main/sha1.c
sha256 6215e3ed73c3982a5c6701127d681ec0b9f1121ac78a28805bd93f93c3eb84c0 codecs/speex/speex_resampler.h
sha256 1ca2c7a7a1ae7ccd75212a8c1e85dd9ec92bdbc9170aafd97ea60459387755fd utils/db1-ast/include/db.h
sha256 ea69cc96ab8a779c180a362377caeada71926897d1b55b980f04d74ba5aaa388 utils/db1-ast/include/db.h
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
ASTERISK_VERSION = 16.10.0
ASTERISK_VERSION = 16.14.1
# Use the github mirror: it's an official mirror maintained by Digium, and
# provides tarballs, which the main Asterisk git tree (behind Gerrit) does not.
ASTERISK_SITE = $(call github,asterisk,asterisk,$(ASTERISK_VERSION))
+1
View File
@@ -81,6 +81,7 @@ AVAHI_CONF_OPTS = \
--disable-mono \
--disable-monodoc \
--disable-stack-protector \
--disable-introspection \
--with-distro=none \
--disable-manpages \
$(if $(BR2_PACKAGE_AVAHI_AUTOIPD),--enable,--disable)-autoipd \
+2 -1
View File
@@ -1,2 +1,3 @@
# Locally calculated
sha256 0270d0def6cc53c8d47d59a9dd093d51fbca1620adeef85c15e35a32010e26ab bandwidthd-2.0.1-auto-r11.tar.gz
sha256 0270d0def6cc53c8d47d59a9dd093d51fbca1620adeef85c15e35a32010e26ab bandwidthd-2.0.1-auto-r11.tar.gz
sha256 58573c40770e0c0b91f3eef8192952832321a344f66a4fb2d966095cbbfc86c2 README
+1
View File
@@ -10,6 +10,7 @@ BANDWIDTHD_SITE = $(call github,nroach44,bandwidthd,v$(BANDWIDTHD_VERSION))
# Specified as "any version of the GPL that is current as of your
# download" by upstream.
BANDWIDTHD_LICENSE = GPL
BANDWIDTHD_LICENSE_FILES = README
BANDWIDTHD_DEPENDENCIES = gd libpng libpcap host-pkgconf
+1 -1
View File
@@ -5,7 +5,7 @@ After=network.target
[Service]
Type=forking
ExecStart=/usr/bin/bandwidthd
PIDFile=/var/run/bandwidthd.pid
PIDFile=/run/bandwidthd.pid
[Install]
WantedBy=multi-user.target
+293
View File
@@ -0,0 +1,293 @@
From https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash55-017
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BASH PATCH REPORT
=================
Bash-Release: 5.0
Patch-ID: bash50-017
Bug-Reported-by: Valentin Lab <valentin.lab@kalysto.org>
Bug-Reference-ID: <ab981b9c-60a5-46d0-b7e6-a6d88b80df50@kalysto.org>
Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2020-03/msg00062.html
Bug-Description:
There were cases where patch 16 reaped process substitution file descriptors
(or FIFOs) and processes to early. This is a better fix for the problem that
bash50-016 attempted to solve.
Patch (apply with `patch -p0'):
*** bash-5.0-patched/subst.c 2019-08-29 11:16:49.000000000 -0400
--- b/subst.c 2020-04-02 16:24:19.000000000 -0400
***************
*** 5337,5341 ****
}
! char *
copy_fifo_list (sizep)
int *sizep;
--- b/5337,5341 ----
}
! void *
copy_fifo_list (sizep)
int *sizep;
***************
*** 5343,5347 ****
if (sizep)
*sizep = 0;
! return (char *)NULL;
}
--- b/5343,5347 ----
if (sizep)
*sizep = 0;
! return (void *)NULL;
}
***************
*** 5409,5414 ****
if (fifo_list[i].file)
{
! fifo_list[j].file = fifo_list[i].file;
! fifo_list[j].proc = fifo_list[i].proc;
j++;
}
--- b/5409,5419 ----
if (fifo_list[i].file)
{
! if (i != j)
! {
! fifo_list[j].file = fifo_list[i].file;
! fifo_list[j].proc = fifo_list[i].proc;
! fifo_list[i].file = (char *)NULL;
! fifo_list[i].proc = 0;
! }
j++;
}
***************
*** 5426,5433 ****
void
close_new_fifos (list, lsize)
! char *list;
int lsize;
{
int i;
if (list == 0)
--- b/5431,5439 ----
void
close_new_fifos (list, lsize)
! void *list;
int lsize;
{
int i;
+ char *plist;
if (list == 0)
***************
*** 5437,5442 ****
}
! for (i = 0; i < lsize; i++)
! if (list[i] == 0 && i < fifo_list_size && fifo_list[i].proc != -1)
unlink_fifo (i);
--- b/5443,5448 ----
}
! for (plist = (char *)list, i = 0; i < lsize; i++)
! if (plist[i] == 0 && i < fifo_list_size && fifo_list[i].proc != -1)
unlink_fifo (i);
***************
*** 5560,5568 ****
}
! char *
copy_fifo_list (sizep)
int *sizep;
{
! char *ret;
if (nfds == 0 || totfds == 0)
--- b/5566,5574 ----
}
! void *
copy_fifo_list (sizep)
int *sizep;
{
! void *ret;
if (nfds == 0 || totfds == 0)
***************
*** 5570,5579 ****
if (sizep)
*sizep = 0;
! return (char *)NULL;
}
if (sizep)
*sizep = totfds;
! ret = (char *)xmalloc (totfds * sizeof (pid_t));
return (memcpy (ret, dev_fd_list, totfds * sizeof (pid_t)));
}
--- b/5576,5585 ----
if (sizep)
*sizep = 0;
! return (void *)NULL;
}
if (sizep)
*sizep = totfds;
! ret = xmalloc (totfds * sizeof (pid_t));
return (memcpy (ret, dev_fd_list, totfds * sizeof (pid_t)));
}
***************
*** 5648,5655 ****
void
close_new_fifos (list, lsize)
! char *list;
int lsize;
{
int i;
if (list == 0)
--- b/5654,5662 ----
void
close_new_fifos (list, lsize)
! void *list;
int lsize;
{
int i;
+ pid_t *plist;
if (list == 0)
***************
*** 5659,5664 ****
}
! for (i = 0; i < lsize; i++)
! if (list[i] == 0 && i < totfds && dev_fd_list[i])
unlink_fifo (i);
--- b/5666,5671 ----
}
! for (plist = (pid_t *)list, i = 0; i < lsize; i++)
! if (plist[i] == 0 && i < totfds && dev_fd_list[i])
unlink_fifo (i);
*** bash-5.0-patched/subst.h 2018-10-21 18:46:09.000000000 -0400
--- b/subst.h 2020-04-02 16:29:28.000000000 -0400
***************
*** 274,280 ****
extern void unlink_fifo __P((int));
! extern char *copy_fifo_list __P((int *));
! extern void unlink_new_fifos __P((char *, int));
! extern void close_new_fifos __P((char *, int));
extern void clear_fifo_list __P((void));
--- b/274,279 ----
extern void unlink_fifo __P((int));
! extern void *copy_fifo_list __P((int *));
! extern void close_new_fifos __P((void *, int));
extern void clear_fifo_list __P((void));
*** bash-5.0-patched/execute_cmd.c 2020-02-06 20:16:48.000000000 -0500
--- b/execute_cmd.c 2020-04-02 17:00:10.000000000 -0400
***************
*** 565,569 ****
#if defined (PROCESS_SUBSTITUTION)
volatile int ofifo, nfifo, osize, saved_fifo;
! volatile char *ofifo_list;
#endif
--- b/565,569 ----
#if defined (PROCESS_SUBSTITUTION)
volatile int ofifo, nfifo, osize, saved_fifo;
! volatile void *ofifo_list;
#endif
***************
*** 751,760 ****
# endif
! if (variable_context != 0) /* XXX - also if sourcelevel != 0? */
{
ofifo = num_fifos ();
ofifo_list = copy_fifo_list ((int *)&osize);
begin_unwind_frame ("internal_fifos");
! add_unwind_protect (xfree, ofifo_list);
saved_fifo = 1;
}
--- b/751,762 ----
# endif
! /* XXX - also if sourcelevel != 0? */
! if (variable_context != 0)
{
ofifo = num_fifos ();
ofifo_list = copy_fifo_list ((int *)&osize);
begin_unwind_frame ("internal_fifos");
! if (ofifo_list)
! add_unwind_protect (xfree, ofifo_list);
saved_fifo = 1;
}
***************
*** 1100,1123 ****
nfifo = num_fifos ();
if (nfifo > ofifo)
! close_new_fifos ((char *)ofifo_list, osize);
free ((void *)ofifo_list);
discard_unwind_frame ("internal_fifos");
}
- # if defined (HAVE_DEV_FD)
- /* Reap process substitutions at the end of loops */
- switch (command->type)
- {
- case cm_while:
- case cm_until:
- case cm_for:
- case cm_group:
- # if defined (ARITH_FOR_COMMAND)
- case cm_arith_for:
- # endif
- reap_procsubs ();
- default:
- break;
- }
- # endif /* HAVE_DEV_FD */
#endif
--- b/1102,1109 ----
nfifo = num_fifos ();
if (nfifo > ofifo)
! close_new_fifos ((void *)ofifo_list, osize);
free ((void *)ofifo_list);
discard_unwind_frame ("internal_fifos");
}
#endif
*** bash-5.0/patchlevel.h 2016-06-22 14:51:03.000000000 -0400
--- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 16
#endif /* _PATCHLEVEL_H_ */
--- b/26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 17
#endif /* _PATCHLEVEL_H_ */
+49
View File
@@ -0,0 +1,49 @@
From https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash55-018
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BASH PATCH REPORT
=================
Bash-Release: 5.0
Patch-ID: bash50-018
Bug-Reported-by: oguzismailuysal@gmail.com
Bug-Reference-ID:
Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2019-10/msg00098.html
Bug-Description:
In certain cases, bash does not perform quoted null removal on patterns
that are used as part of word expansions such as ${parameter##pattern}, so
empty patterns are treated as non-empty.
Patch (apply with `patch -p0'):
*** bash-5.0.17/subst.c 2020-04-02 17:14:58.000000000 -0400
--- b/subst.c 2020-07-09 15:28:19.000000000 -0400
***************
*** 5113,5116 ****
--- b/5113,5118 ----
(int *)NULL, (int *)NULL)
: (WORD_LIST *)0;
+ if (l)
+ word_list_remove_quoted_nulls (l);
pat = string_list (l);
dispose_words (l);
*** bash-5.0/patchlevel.h 2016-06-22 14:51:03.000000000 -0400
--- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 17
#endif /* _PATCHLEVEL_H_ */
--- b/26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 18
#endif /* _PATCHLEVEL_H_ */
+2 -2
View File
@@ -1,4 +1,4 @@
# Verified from https://ftp.isc.org/isc/bind9/9.11.20/bind-9.11.20.tar.gz.asc
# Verified from https://ftp.isc.org/isc/bind9/9.11.22/bind-9.11.22.tar.gz.asc
# with key AE3FAC796711EC59FC007AA474BB6B9A4CBB3D38
sha256 306831a738a275693bbe1d6839a09b34a2c8b5c26f8a42ea57ef000a6a99c2b6 bind-9.11.20.tar.gz
sha256 afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9 bind-9.11.22.tar.gz
sha256 da2aec2b7f6f0feb16bcb080e2c587375fd3195145f047e4d92d112f5b9db501 COPYRIGHT
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
BIND_VERSION = 9.11.20
BIND_VERSION = 9.11.22
BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
# bind does not support parallel builds.
BIND_MAKE = $(MAKE1)
+1
View File
@@ -13,5 +13,6 @@ BISON_LICENSE_FILES = COPYING
BISON_MAKE = $(MAKE1)
HOST_BISON_DEPENDENCIES = host-m4
HOST_BISON_CONF_OPTS = --enable-relocatable
HOST_BISON_CONF_ENV = ac_cv_libtextstyle=no
$(eval $(host-autotools-package))
@@ -0,0 +1,48 @@
From 330cb33985d0ce97c20f4a0f0bbda0fbffe098d4 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Mon, 9 Nov 2020 21:18:40 +0100
Subject: [PATCH] src/randomenv.cpp: fix build on uclibc
Check for HAVE_STRONG_GETAUXVAL or HAVE_WEAK_GETAUXVAL before using
getauxval to avoid a build failure on uclibc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Upstream status: https://github.com/bitcoin/bitcoin/pull/20358]
---
src/randomenv.cpp | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/randomenv.cpp b/src/randomenv.cpp
index 07122b7f6..5e07c3db4 100644
--- a/src/randomenv.cpp
+++ b/src/randomenv.cpp
@@ -53,7 +53,7 @@
#include <sys/vmmeter.h>
#endif
#endif
-#ifdef __linux__
+#if defined(HAVE_STRONG_GETAUXVAL) || defined(HAVE_WEAK_GETAUXVAL)
#include <sys/auxv.h>
#endif
@@ -326,7 +326,7 @@ void RandAddStaticEnv(CSHA512& hasher)
// Bitcoin client version
hasher << CLIENT_VERSION;
-#ifdef __linux__
+#if defined(HAVE_STRONG_GETAUXVAL) || defined(HAVE_WEAK_GETAUXVAL)
// Information available through getauxval()
# ifdef AT_HWCAP
hasher << getauxval(AT_HWCAP);
@@ -346,7 +346,7 @@ void RandAddStaticEnv(CSHA512& hasher)
const char* exec_str = (const char*)getauxval(AT_EXECFN);
if (exec_str) hasher.Write((const unsigned char*)exec_str, strlen(exec_str) + 1);
# endif
-#endif // __linux__
+#endif // HAVE_STRONG_GETAUXVAL || HAVE_WEAK_GETAUXVAL
#ifdef HAVE_GETCPUID
AddAllCPUID(hasher);
--
2.28.0
-3
View File
@@ -18,9 +18,6 @@ config BR2_PACKAGE_BITCOIN
select BR2_PACKAGE_BOOST_SYSTEM
select BR2_PACKAGE_BOOST_FILESYSTEM
select BR2_PACKAGE_BOOST_THREAD
select BR2_PACKAGE_BOOST_CHRONO
select BR2_PACKAGE_BOOST_PROGRAM_OPTIONS
select BR2_PACKAGE_OPENSSL
select BR2_PACKAGE_LIBEVENT
help
Bitcoin Core is an open source project which maintains and
+3 -3
View File
@@ -1,5 +1,5 @@
# From https://bitcoincore.org/bin/bitcoin-core-0.19.0.1/SHA256SUMS.asc
sha256 7ac9f972249a0a16ed01352ca2a199a5448fe87a4ea74923404a40b4086de284 bitcoin-0.19.0.1.tar.gz
# From https://bitcoincore.org/bin/bitcoin-core-0.20.1/SHA256SUMS.asc
sha256 4bbd62fd6acfa5e9864ebf37a24a04bc2dcfe3e3222f056056288d854c53b978 bitcoin-0.20.1.tar.gz
# Hash for license file
sha256 9a0f75d688e9cf5c69d3efdaa2a83af496700d252b212ec6a72f7784b47fed0c COPYING
sha256 96fe807030b21f88305adc32af62f9aa19915f2783509fd6f52aea02cf83f644 COPYING
+3 -2
View File
@@ -4,12 +4,13 @@
#
################################################################################
BITCOIN_VERSION = 0.19.0.1
BITCOIN_VERSION = 0.20.1
BITCOIN_SITE = https://bitcoincore.org/bin/bitcoin-core-$(BITCOIN_VERSION)
BITCOIN_AUTORECONF = YES
BITCOIN_LICENSE = MIT
BITCOIN_LICENSE_FILES = COPYING
BITCOIN_DEPENDENCIES = host-pkgconf boost openssl libevent
BITCOIN_DEPENDENCIES = host-pkgconf boost libevent
BITCOIN_MAKE_ENV = BITCOIN_GENBUILD_NO_GIT=1
BITCOIN_CONF_OPTS = \
--disable-bench \
--disable-wallet \
+1
View File
@@ -134,6 +134,7 @@ define BOOST_CONFIGURE_CMDS
(cd $(@D) && ./bootstrap.sh $(BOOST_FLAGS))
echo "using gcc : `$(TARGET_CC) -dumpversion` : $(TARGET_CXX) : <cxxflags>\"$(BOOST_TARGET_CXXFLAGS)\" <linkflags>\"$(TARGET_LDFLAGS)\" ;" > $(@D)/user-config.jam
echo "" >> $(@D)/user-config.jam
sed -i "s/: -O.* ;/: $(TARGET_OPTIMIZATION) ;/" $(@D)/tools/build/src/tools/gcc.jam
endef
define BOOST_BUILD_CMDS
@@ -1,6 +1,6 @@
From 7289e5a378ba13801996a84d89d8fe95c3fc4c11 Mon Sep 17 00:00:00 2001
From 6cb16322decd643fed9de332d9cda77f7738b7af Mon Sep 17 00:00:00 2001
From: Adrian Perez de Castro <aperez@igalia.com>
Date: Mon, 26 Mar 2018 19:08:31 +0100
Date: Mon, 7 Sep 2020 12:14:22 +0300
Subject: [PATCH] CMake: Allow using BUILD_SHARED_LIBS to choose static/shared
libs
@@ -18,16 +18,16 @@ This way, the following will both work as expected:
This is helpful for distributions which need (or want) to build only
static libraries.
---
CMakeLists.txt | 42 ++++++++++++++----------------------------
c/fuzz/test_fuzzer.sh | 6 +++---
2 files changed, 17 insertions(+), 31 deletions(-)
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Upstream-Status: Submitted [https://github.com/google/brotli/pull/655]
[Upstream status: https://github.com/google/brotli/pull/655]
---
CMakeLists.txt | 46 ++++++++++++++-----------------------------
c/fuzz/test_fuzzer.sh | 6 +++---
2 files changed, 18 insertions(+), 34 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index fc45f80..3f87f13 100644
index 4ff3401..f889311 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -6,6 +6,8 @@ cmake_minimum_required(VERSION 2.8.6)
@@ -36,10 +36,10 @@ index fc45f80..3f87f13 100644
+option(BUILD_SHARED_LIBS "Build shared libraries" ON)
+
# If Brotli is being bundled in another project, we don't want to
# install anything. However, we want to let people override this, so
# we'll use the BROTLI_BUNDLED_MODE variable to let them do that; just
@@ -114,10 +116,6 @@ set(BROTLI_LIBRARIES_CORE brotlienc brotlidec brotlicommon)
if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
message(STATUS "Setting build type to Release as none was specified.")
set(CMAKE_BUILD_TYPE "Release" CACHE STRING "Choose the type of build." FORCE)
@@ -137,10 +139,6 @@ set(BROTLI_LIBRARIES_CORE brotlienc brotlidec brotlicommon)
set(BROTLI_LIBRARIES ${BROTLI_LIBRARIES_CORE} ${LIBM_LIBRARY})
mark_as_advanced(BROTLI_LIBRARIES)
@@ -50,14 +50,20 @@ index fc45f80..3f87f13 100644
if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
add_definitions(-DOS_LINUX)
elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
@@ -137,24 +135,22 @@ endfunction()
transform_sources_list("scripts/sources.lst" "${CMAKE_CURRENT_BINARY_DIR}/sources.lst.cmake")
@@ -161,29 +159,25 @@ transform_sources_list("scripts/sources.lst" "${CMAKE_CURRENT_BINARY_DIR}/source
include("${CMAKE_CURRENT_BINARY_DIR}/sources.lst.cmake")
-add_library(brotlicommon SHARED ${BROTLI_COMMON_C})
-add_library(brotlidec SHARED ${BROTLI_DEC_C})
-add_library(brotlienc SHARED ${BROTLI_ENC_C})
-
if(BROTLI_EMSCRIPTEN)
- set(BROTLI_SHARED_LIBS "")
-else()
- set(BROTLI_SHARED_LIBS brotlicommon brotlidec brotlienc)
- add_library(brotlicommon SHARED ${BROTLI_COMMON_C})
- add_library(brotlidec SHARED ${BROTLI_DEC_C})
- add_library(brotlienc SHARED ${BROTLI_ENC_C})
+ set(BUILD_SHARED_LIBS OFF)
endif()
-set(BROTLI_STATIC_LIBS brotlicommon-static brotlidec-static brotlienc-static)
-add_library(brotlicommon-static STATIC ${BROTLI_COMMON_C})
-add_library(brotlidec-static STATIC ${BROTLI_DEC_C})
-add_library(brotlienc-static STATIC ${BROTLI_ENC_C})
@@ -68,27 +74,27 @@ index fc45f80..3f87f13 100644
# Older CMake versions does not understand INCLUDE_DIRECTORIES property.
include_directories(${BROTLI_INCLUDE_DIRS})
-foreach(lib IN LISTS BROTLI_SHARED_LIBS)
- target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
- string(TOUPPER "${lib}" LIB)
- set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION")
-endforeach()
+if(BUILD_SHARED_LIBS)
+ foreach(lib brotlicommon brotlidec brotlienc)
+ target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
+ string(TOUPPER "${lib}" LIB)
+ set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION" )
+ set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION")
+ endforeach()
+endif()
+
foreach(lib brotlicommon brotlidec brotlienc)
- target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
- string(TOUPPER "${lib}" LIB)
- set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION" )
-endforeach()
-
-foreach(lib brotlicommon brotlidec brotlienc brotlicommon-static brotlidec-static brotlienc-static)
-foreach(lib IN LISTS BROTLI_SHARED_LIBS BROTLI_STATIC_LIBS)
+foreach(lib brotlicommon brotlidec brotlienc)
target_link_libraries(${lib} ${LIBM_LIBRARY})
set_property(TARGET ${lib} APPEND PROPERTY INCLUDE_DIRECTORIES ${BROTLI_INCLUDE_DIRS})
set_target_properties(${lib} PROPERTIES
@@ -167,9 +163,6 @@ endforeach()
target_link_libraries(brotlidec brotlicommon)
@@ -200,9 +194,6 @@ target_link_libraries(brotlidec brotlicommon)
target_link_libraries(brotlienc brotlicommon)
endif()
-target_link_libraries(brotlidec-static brotlicommon-static)
-target_link_libraries(brotlienc-static brotlicommon-static)
@@ -96,7 +102,7 @@ index fc45f80..3f87f13 100644
# For projects stuck on older versions of CMake, this will set the
# BROTLI_INCLUDE_DIRS and BROTLI_LIBRARIES variables so they still
# have a relatively easy way to use Brotli:
@@ -183,7 +176,7 @@ endif()
@@ -216,7 +207,7 @@ endif()
# Build the brotli executable
add_executable(brotli ${BROTLI_CLI_C})
@@ -104,8 +110,8 @@ index fc45f80..3f87f13 100644
+target_link_libraries(brotli ${BROTLI_LIBRARIES})
# Installation
if(NOT BROTLI_BUNDLED_MODE)
@@ -199,13 +192,6 @@ if(NOT BROTLI_BUNDLED_MODE)
if(NOT BROTLI_EMSCRIPTEN)
@@ -233,13 +224,6 @@ if(NOT BROTLI_BUNDLED_MODE)
RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
)
@@ -119,26 +125,6 @@ index fc45f80..3f87f13 100644
install(
DIRECTORY ${BROTLI_INCLUDE_DIRS}/brotli
DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}"
diff --git a/c/fuzz/test_fuzzer.sh b/c/fuzz/test_fuzzer.sh
index 9985194..4b99947 100755
--- a/c/fuzz/test_fuzzer.sh
+++ b/c/fuzz/test_fuzzer.sh
@@ -13,12 +13,12 @@ mkdir bin
cd bin
cmake $BROTLI -DCMAKE_C_COMPILER="$CC" \
- -DBUILD_TESTING=OFF -DENABLE_SANITIZER=address
-make -j$(nproc) brotlidec-static
+ -DBUILD_TESTING=OFF -DBUILD_SHARED_LIBS=OFF -DENABLE_SANITIZER=address
+make -j$(nproc) brotlidec
${CC} -o run_decode_fuzzer -std=c99 -fsanitize=address -I$SRC/include \
$SRC/fuzz/decode_fuzzer.c $SRC/fuzz/run_decode_fuzzer.c \
- ./libbrotlidec-static.a ./libbrotlicommon-static.a
+ ./libbrotlidec.a ./libbrotlicommon.a
mkdir decode_corpora
unzip $BROTLI/java/org/brotli/integration/fuzz_data.zip -d decode_corpora
--
2.19.1
2.28.0
@@ -0,0 +1,51 @@
From 09b0992b6acb7faa6fd3b23f9bc036ea117230fc Mon Sep 17 00:00:00 2001
From: Eugene Kliuchnikov <eustas.ru@gmail.com>
Date: Wed, 2 Sep 2020 11:38:26 +0200
Subject: [PATCH] Revert "Add runtime linker path to pkg-config files (#740)"
(#838)
This reverts commit 31754d4ffce14153b5c2addf7a11019ec23f51c1.
[Retrieved from:
https://github.com/google/brotli/commit/09b0992b6acb7faa6fd3b23f9bc036ea117230fc]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
scripts/libbrotlicommon.pc.in | 2 +-
scripts/libbrotlidec.pc.in | 2 +-
scripts/libbrotlienc.pc.in | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/libbrotlicommon.pc.in b/scripts/libbrotlicommon.pc.in
index 10ca969e..2a8cf7a3 100644
--- a/scripts/libbrotlicommon.pc.in
+++ b/scripts/libbrotlicommon.pc.in
@@ -7,5 +7,5 @@ Name: libbrotlicommon
URL: https://github.com/google/brotli
Description: Brotli common dictionary library
Version: @PACKAGE_VERSION@
-Libs: -L${libdir} -R${libdir} -lbrotlicommon
+Libs: -L${libdir} -lbrotlicommon
Cflags: -I${includedir}
diff --git a/scripts/libbrotlidec.pc.in b/scripts/libbrotlidec.pc.in
index e7c3124f..6f8ef2e4 100644
--- a/scripts/libbrotlidec.pc.in
+++ b/scripts/libbrotlidec.pc.in
@@ -7,6 +7,6 @@ Name: libbrotlidec
URL: https://github.com/google/brotli
Description: Brotli decoder library
Version: @PACKAGE_VERSION@
-Libs: -L${libdir} -R${libdir} -lbrotlidec
+Libs: -L${libdir} -lbrotlidec
Requires.private: libbrotlicommon >= 1.0.2
Cflags: -I${includedir}
diff --git a/scripts/libbrotlienc.pc.in b/scripts/libbrotlienc.pc.in
index 4dd0811b..2098afe2 100644
--- a/scripts/libbrotlienc.pc.in
+++ b/scripts/libbrotlienc.pc.in
@@ -7,6 +7,6 @@ Name: libbrotlienc
URL: https://github.com/google/brotli
Description: Brotli encoder library
Version: @PACKAGE_VERSION@
-Libs: -L${libdir} -R${libdir} -lbrotlienc
+Libs: -L${libdir} -lbrotlienc
Requires.private: libbrotlicommon >= 1.0.2
Cflags: -I${includedir}
+1 -1
View File
@@ -1,5 +1,5 @@
# Locally generated:
sha512 a82362aa36d2f2094bca0b2808d9de0d57291fb3a4c29d7c0ca0a37e73087ec5ac4df299c8c363e61106fccf2fe7f58b5cf76eb97729e2696058ef43b1d3930a v1.0.7.tar.gz
sha512 b8e2df955e8796ac1f022eb4ebad29532cb7e3aa6a4b6aee91dbd2c7d637eee84d9a144d3e878895bb5e62800875c2c01c8f737a1261020c54feacf9f676b5f5 v1.0.9.tar.gz
# Hash for license files:
sha512 bae78184c2f50f86d8c727826d3982c469454c42b9af81f4ef007e39036434fa894cf5be3bf5fc65b7de2301f0a72d067a8186e303327db8a96bd14867e0a3a8 LICENSE
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
BROTLI_VERSION = 1.0.7
BROTLI_VERSION = 1.0.9
BROTLI_SOURCE = v$(BROTLI_VERSION).tar.gz
BROTLI_SITE = https://github.com/google/brotli/archive
BROTLI_LICENSE = MIT
+1 -1
View File
@@ -6,7 +6,7 @@
BUSTLE_VERSION = 0.7.5
BUSTLE_SITE = https://www.freedesktop.org/software/bustle/$(BUSTLE_VERSION)
BUSTLE_LICENSE = LGPL-2.1+
BUSTLE_LICENSE = LGPL-2.1+, GPL-3.0 (binaries)
BUSTLE_LICENSE_FILES = LICENSE
BUSTLE_DEPENDENCIES = libglib2 libpcap host-pkgconf
+3 -2
View File
@@ -1,4 +1,5 @@
# From https://busybox.net/downloads/busybox-1.31.1.tar.bz2.sha256
sha256 d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998 busybox-1.31.1.tar.bz2
sha256 d0f940a72f648943c1f2211e0e3117387c31d765137d92bd8284a3fb9752a998 busybox-1.31.1.tar.bz2
# Locally computed
sha256 bbfc9843646d483c334664f651c208b9839626891d8f17604db2146962f43548 LICENSE
sha256 bbfc9843646d483c334664f651c208b9839626891d8f17604db2146962f43548 LICENSE
sha256 b5a136ed67798e51fe2e0ca0b2a21cb01b904ff0c9f7d563a6292e276607e58f archival/libarchive/bz/LICENSE
+15 -2
View File
@@ -7,8 +7,8 @@
BUSYBOX_VERSION = 1.31.1
BUSYBOX_SITE = http://www.busybox.net/downloads
BUSYBOX_SOURCE = busybox-$(BUSYBOX_VERSION).tar.bz2
BUSYBOX_LICENSE = GPL-2.0
BUSYBOX_LICENSE_FILES = LICENSE
BUSYBOX_LICENSE = GPL-2.0, bzip2-1.0.4
BUSYBOX_LICENSE_FILES = LICENSE archival/libarchive/bz/LICENSE
define BUSYBOX_HELP_CMDS
@echo ' busybox-menuconfig - Run BusyBox menuconfig'
@@ -237,6 +237,18 @@ define BUSYBOX_SET_SELINUX
endef
endif
# enable relevant options to allow the Busybox less applet to be used
# as a systemd pager
ifeq ($(BR2_PACKAGE_SYSTEMD):$(BR2_PACKAGE_LESS),y:)
define BUSYBOX_SET_LESS_FLAGS
$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_DASHCMD)
$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_RAW)
$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_TRUNCATE)
$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_FLAGS)
$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_ENV)
endef
endif
ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
define BUSYBOX_SET_INDIVIDUAL_BINARIES
$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
@@ -338,6 +350,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
$(BUSYBOX_SET_INIT)
$(BUSYBOX_SET_WATCHDOG)
$(BUSYBOX_SET_SELINUX)
$(BUSYBOX_SET_LESS_FLAGS)
$(BUSYBOX_SET_INDIVIDUAL_BINARIES)
endef
+3 -3
View File
@@ -42,19 +42,19 @@ case "$1" in
rm -f $TMPFILE
if [ -x /usr/sbin/avahi-autoipd ]; then
/usr/sbin/avahi-autoipd -k $interface
/usr/sbin/avahi-autoipd -c $interface && /usr/sbin/avahi-autoipd -k $interface
fi
;;
leasefail|nak)
if [ -x /usr/sbin/avahi-autoipd ]; then
/usr/sbin/avahi-autoipd -wD $interface --no-chroot
/usr/sbin/avahi-autoipd -c $interface || /usr/sbin/avahi-autoipd -wD $interface --no-chroot
fi
;;
renew|bound)
if [ -x /usr/sbin/avahi-autoipd ]; then
/usr/sbin/avahi-autoipd -k $interface
/usr/sbin/avahi-autoipd -c $interface && /usr/sbin/avahi-autoipd -k $interface
fi
/sbin/ifconfig $interface $ip $BROADCAST $NETMASK
if [ -n "$ipv6" ] ; then
@@ -0,0 +1,37 @@
From e2180d95fb67f57b6ffba01fefb4844a1ca4f792 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Wed, 18 Nov 2020 08:12:45 +0100
Subject: [PATCH] src/lib/Makefile.am: install ares_dns.h
This will avoid the following build failure with resiprocate:
In file included from dns/DnsCnameRecord.cxx:7:
dns/AresCompat.hxx:5:10: fatal error: ares_dns.h: No such file or directory
#include "ares_dns.h"
^~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/cbf158f0c037d44ef293a8804d18c84e3b731059
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Upstream status: https://github.com/c-ares/c-ares/pull/376]
---
src/lib/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index c918667..92a4152 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -14,6 +14,8 @@ lib_LTLIBRARIES = libcares.la
man_MANS = $(MANPAGES)
+include_HEADERS = ares_dns.h
+
# adig and ahost are just sample programs and thus not mentioned with the
# regular sources and headers
EXTRA_DIST = Makefile.inc config-win32.h CMakeLists.txt \
--
2.29.2
+1 -1
View File
@@ -1,5 +1,5 @@
# Locally calculated after checking pgp signature
sha256 d08312d0ecc3bd48eee0a4cc0d2137c9f194e0a28de2028928c0f6cae85f86ce c-ares-1.16.1.tar.gz
sha256 1cecd5dbe21306c7263f8649aa6e9a37aecb985995a3489f487d98df2b40757d c-ares-1.17.0.tar.gz
# Hash for license file
sha256 db4eb63fe09daebdf57d3f79b091bb5ee5070c0d761040e83264e648d307af4c LICENSE.md
+3 -1
View File
@@ -4,12 +4,14 @@
#
################################################################################
C_ARES_VERSION = 1.16.1
C_ARES_VERSION = 1.17.0
C_ARES_SITE = http://c-ares.haxx.se/download
C_ARES_INSTALL_STAGING = YES
C_ARES_CONF_OPTS = --with-random=/dev/urandom
C_ARES_LICENSE = MIT
C_ARES_LICENSE_FILES = LICENSE.md
# We're patching src/lib/Makefile.am
C_ARES_AUTORECONF = YES
$(eval $(autotools-package))
$(eval $(host-autotools-package))
+3 -3
View File
@@ -1,6 +1,6 @@
# hashes from: $(CA_CERTIFICATES_SITE)/ca-certificates_$(CA_CERTIFICATES_VERSION).dsc :
sha1 47d4584eae85fc905e4994766eb3930a8a84e2e1 ca-certificates_20190110.tar.xz
sha256 ee4bf0f4c6398005f5b5ca4e0b87b82837ac5c3b0280a1cb3a63c47555c3a675 ca-certificates_20190110.tar.xz
sha1 f17235bc9c3aec538065a655681815c242a6d7d5 ca-certificates_20200601.tar.xz
sha256 43766d5a436519503dfd65ab83488ae33ab4d4ca3d0993797b58c92eb9ed4e63 ca-certificates_20200601.tar.xz
# Locally computed
sha256 80fd11117df5543d5cf17bfd951b0ead213f7867d0b09f09c6d5a5eca3ff7422 debian/copyright
sha256 e85e1bcad3a915dc7e6f41412bc5bdeba275cadd817896ea0451f2140a93967c debian/copyright
+2 -2
View File
@@ -4,9 +4,9 @@
#
################################################################################
CA_CERTIFICATES_VERSION = 20190110
CA_CERTIFICATES_VERSION = 20200601
CA_CERTIFICATES_SOURCE = ca-certificates_$(CA_CERTIFICATES_VERSION).tar.xz
CA_CERTIFICATES_SITE = http://snapshot.debian.org/archive/debian/20190513T145054Z/pool/main/c/ca-certificates
CA_CERTIFICATES_SITE = http://snapshot.debian.org/archive/debian/20200602T145955Z/pool/main/c/ca-certificates
CA_CERTIFICATES_DEPENDENCIES = host-openssl
# ca-certificates can be built with either python 2 or python 3
# but it must be at least python 2.7
+7
View File
@@ -21,5 +21,12 @@ endif
# The actual source to be compiled is within a 'c++' subdirectory
CAPNPROTO_SUBDIR = c++
ifeq ($(BR2_PACKAGE_OPENSSL),y)
CAPNPROTO_CONF_OPTS += --with-openssl
CAPNPROTO_DEPENDENCIES += openssl
else
CAPNPROTO_CONF_OPTS += --without-openssl
endif
$(eval $(autotools-package))
$(eval $(host-autotools-package))
+9
View File
@@ -18,5 +18,14 @@ else
CDRKIT_CONF_OPTS += -DBITFIELDS_HTOL=0
endif
ifeq ($(BR2_PACKAGE_FILE),y)
CDRKIT_DEPENDENCIES += host-pkgconf file
CDRKIT_CONF_OPTS += \
-DUSE_MAGIC=ON \
-DEXTRA_LIBS="`$(PKG_CONFIG_HOST_BINARY) --libs libmagic`"
else
CDRKIT_CONF_OPTS += -DUSE_MAGIC=OFF
endif
$(eval $(cmake-package))
$(eval $(host-cmake-package))
+3 -4
View File
@@ -1,5 +1,4 @@
# From https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2019/05/msg00001.html
md5 5f66338bc940a9b51eede8f391e7bed3 chrony-3.5.tar.gz
sha1 79e9aeace143550300387a99f17bff04b45673f7 chrony-3.5.tar.gz
# From https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html
sha256 1ba82f70db85d414cd7420c39858e3ceca4b9eb8b028cbe869512c3a14a2dca7 chrony-3.5.1.tar.gz
# Locally calculated
sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING
sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
CHRONY_VERSION = 3.5
CHRONY_VERSION = 3.5.1
CHRONY_SITE = http://download.tuxfamily.org/chrony
CHRONY_LICENSE = GPL-2.0
CHRONY_LICENSE_FILES = COPYING
@@ -0,0 +1,41 @@
From dbb4452787cb966cc74b2015689961875fd5d668 Mon Sep 17 00:00:00 2001
From: Ryan Barnett <ryanbarnett3@gmail.com>
Date: Mon, 27 Apr 2020 22:03:25 -0500
Subject: [PATCH] Use DESTDIR when installing mount.smb3 and optionally install
man page
Properly create mount.smb3 symlink by using DESTDIR. Also use
CONFIG_MAN to optionally install manpage for mount.smb3.
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
---
Upstream: https://marc.info/?l=linux-cifs&m=158804444725745&w=2
---
Makefile.am | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index fe9cd34..e0587f1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -119,11 +119,13 @@ endif
SUBDIRS = contrib
install-exec-hook:
- (cd $(ROOTSBINDIR) && ln -sf mount.cifs mount.smb3)
+ (cd $(DESTDIR)$(ROOTSBINDIR) && ln -sf mount.cifs mount.smb3)
+if CONFIG_MAN
install-data-hook:
- (cd $(man8dir) && ln -sf mount.cifs.8 mount.smb3.8)
+ (cd $(DESTDIR)$(man8dir) && ln -sf mount.cifs.8 mount.smb3.8)
+endif
uninstall-hook:
- (cd $(ROOTSBINDIR) && rm -f $(ROOTSBINDIR)/mount.smb3)
- (cd $(man8dir) && rm -f $(man8dir)/mount.smb3.8)
+ rm -f $(DESTDIR)$(ROOTSBINDIR)/mount.smb3
+ rm -f $(DESTDIR)$(man8dir)/mount.smb3.8
--
2.17.1
+2 -2
View File
@@ -1,5 +1,5 @@
# Locally calculated after checking pgp signature
sha256 18d8f1bf92c13c4d611502dbd6759e3a766ddc8467ec8a2eda3f589e40b9ac9c cifs-utils-6.9.tar.bz2
sha256 b859239a3f204f8220d3e54ed43bf8109e1ef202042dd87ba87492f8878728d9 cifs-utils-6.11.tar.bz2
# Hash for license file:
sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING
sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING
+5 -2
View File
@@ -4,12 +4,12 @@
#
################################################################################
CIFS_UTILS_VERSION = 6.9
CIFS_UTILS_VERSION = 6.11
CIFS_UTILS_SOURCE = cifs-utils-$(CIFS_UTILS_VERSION).tar.bz2
CIFS_UTILS_SITE = http://ftp.samba.org/pub/linux-cifs/cifs-utils
CIFS_UTILS_LICENSE = GPL-3.0+
CIFS_UTILS_LICENSE_FILES = COPYING
# Missing install-sh in release tarball
# Missing install-sh in release tarball and patching Makefile.am
CIFS_UTILS_AUTORECONF = YES
CIFS_UTILS_DEPENDENCIES = host-pkgconf
@@ -17,6 +17,9 @@ CIFS_UTILS_DEPENDENCIES = host-pkgconf
# the global BR2_RELRO_FULL option.
CIFS_UTILS_CONF_OPTS = --disable-pie --disable-man
# uses C11 code in smbinfo.c and mtab.c
CIFS_UTILS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=gnu11"
ifeq ($(BR2_PACKAGE_KEYUTILS),y)
CIFS_UTILS_DEPENDENCIES += keyutils
endif
-1
View File
@@ -593,7 +593,6 @@ comment "grpc needs a toolchain w/ C++, gcc >= 4.8"
config BR2_PACKAGE_COLLECTD_MQTT
bool "mqtt"
depends on BR2_TOOLCHAIN_HAS_SYNC_4 # mosquitto
select BR2_PACKAGE_MOSQUITTO
help
Sends metrics to and/or receives metrics from an MQTT broker.
+30
View File
@@ -0,0 +1,30 @@
From 641d3f489cf6238bb916368d4ba0d9325a235afb Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <gray@gnu.org>
Date: Mon, 20 Jan 2020 07:45:39 +0200
Subject: Minor fix * src/global.c: Remove superfluous declaration of
program_name
[Retrieved from:
https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=641d3f489cf6238bb916368d4ba0d9325a235afb]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/global.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/global.c b/src/global.c
index fb3abe9..acf92bc 100644
--- a/src/global.c
+++ b/src/global.c
@@ -184,9 +184,6 @@ unsigned int warn_option = 0;
/* Extract to standard output? */
bool to_stdout_option = false;
-/* The name this program was run with. */
-char *program_name;
-
/* A pointer to either lstat or stat, depending on whether
dereferencing of symlinks is done for input files. */
int (*xstat) ();
--
cgit v1.2.1
+3 -3
View File
@@ -1,5 +1,5 @@
# Hash from: https://www.cryptopp.com/release820.html:
sha256 03f0e2242e11b9d19b28d0ec5a3fa8ed5cc7b27640e6bed365744f593e858058 cryptopp820.zip
# Hash from: https://www.cryptopp.com/release830.html:
sha512 ad5219a66c5924d330d3646d0ff996dd235006f6812074bc4eb9e8c662a4f000ba20449d377f24b133d19ce682f7b2a3b2eb4c08857ce0f5bb39743d1d425147 cryptopp830.zip
# Hash for license file:
sha256 f29d65ae3f0c8e327284f193524643ffb4d682fcca3e1740a5c6cbab0e720583 License.txt
sha256 e668af8c73a38a66a1e8951d14ec24e7582fee5254dd6c3dae488a416d105d5f License.txt
+1 -1
View File
@@ -4,7 +4,7 @@
#
################################################################################
CRYPTOPP_VERSION = 8.2.0
CRYPTOPP_VERSION = 8.3.0
CRYPTOPP_SOURCE = cryptopp$(subst .,,$(CRYPTOPP_VERSION)).zip
CRYPTOPP_SITE = https://cryptopp.com
CRYPTOPP_LICENSE = BSL-1.0, BSD-3-Clause (CRYPTOGAMS), Public domain (ChaCha SSE2 and AVX)
@@ -0,0 +1,179 @@
From 604abec333a0efb44fd8bc610aa0b1151dd0f612 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Mon, 13 Apr 2020 11:48:17 +0200
Subject: [PATCH] Add support for upcoming json-c 0.14.0.
* TRUE/FALSE are not defined anymore. 1 and 0 are used instead.
* json_object_get_uint64() and json_object_new_uint64() are part
of the upstream API now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
lib/luks2/luks2_internal.h | 4 +++-
lib/luks2/luks2_json_metadata.c | 38 +++++++++++++++++----------------
2 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h
index b9fec6b5..939101d6 100644
--- a/lib/luks2/luks2_internal.h
+++ b/lib/luks2/luks2_internal.h
@@ -58,9 +58,11 @@ json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr);
void hexprint_base64(struct crypt_device *cd, json_object *jobj,
const char *sep, const char *line_sep);
+#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99))
uint64_t json_object_get_uint64(json_object *jobj);
-uint32_t json_object_get_uint32(json_object *jobj);
json_object *json_object_new_uint64(uint64_t value);
+#endif
+uint32_t json_object_get_uint32(json_object *jobj);
int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val);
void json_object_object_del_by_uint(json_object *jobj, unsigned key);
diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
index 781280c2..712c2bbd 100644
--- a/lib/luks2/luks2_json_metadata.c
+++ b/lib/luks2/luks2_json_metadata.c
@@ -234,13 +234,14 @@ static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value)
tmp = strtoull(json_object_get_string(jobj), &endptr, 10);
if (*endptr || errno) {
*value = 0;
- return FALSE;
+ return 0;
}
*value = tmp;
- return TRUE;
+ return 1;
}
+#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99))
uint64_t json_object_get_uint64(json_object *jobj)
{
uint64_t r;
@@ -262,6 +263,7 @@ json_object *json_object_new_uint64(uint64_t value)
jobj = json_object_new_string(num);
return jobj;
}
+#endif
/*
* Validate helpers
@@ -273,9 +275,9 @@ static json_bool numbered(struct crypt_device *cd, const char *name, const char
for (i = 0; key[i]; i++)
if (!isdigit(key[i])) {
log_dbg(cd, "%s \"%s\" is not in numbered form.", name, key);
- return FALSE;
+ return 0;
}
- return TRUE;
+ return 1;
}
json_object *json_contains(struct crypt_device *cd, json_object *jobj, const char *name,
@@ -300,7 +302,7 @@ json_bool validate_json_uint32(json_object *jobj)
errno = 0;
tmp = json_object_get_int64(jobj);
- return (errno || tmp < 0 || tmp > UINT32_MAX) ? FALSE : TRUE;
+ return (errno || tmp < 0 || tmp > UINT32_MAX) ? 0 : 1;
}
static json_bool validate_keyslots_array(struct crypt_device *cd,
@@ -313,17 +315,17 @@ static json_bool validate_keyslots_array(struct crypt_device *cd,
jobj = json_object_array_get_idx(jarr, i);
if (!json_object_is_type(jobj, json_type_string)) {
log_dbg(cd, "Illegal value type in keyslots array at index %d.", i);
- return FALSE;
+ return 0;
}
if (!json_contains(cd, jobj_keys, "", "Keyslots section",
json_object_get_string(jobj), json_type_object))
- return FALSE;
+ return 0;
i++;
}
- return TRUE;
+ return 1;
}
static json_bool validate_segments_array(struct crypt_device *cd,
@@ -336,17 +338,17 @@ static json_bool validate_segments_array(struct crypt_device *cd,
jobj = json_object_array_get_idx(jarr, i);
if (!json_object_is_type(jobj, json_type_string)) {
log_dbg(cd, "Illegal value type in segments array at index %d.", i);
- return FALSE;
+ return 0;
}
if (!json_contains(cd, jobj_segments, "", "Segments section",
json_object_get_string(jobj), json_type_object))
- return FALSE;
+ return 0;
i++;
}
- return TRUE;
+ return 1;
}
static json_bool segment_has_digest(const char *segment_name, json_object *jobj_digests)
@@ -357,10 +359,10 @@ static json_bool segment_has_digest(const char *segment_name, json_object *jobj_
UNUSED(key);
json_object_object_get_ex(val, "segments", &jobj_segments);
if (LUKS2_array_jobj(jobj_segments, segment_name))
- return TRUE;
+ return 1;
}
- return FALSE;
+ return 0;
}
static json_bool validate_intervals(struct crypt_device *cd,
@@ -372,18 +374,18 @@ static json_bool validate_intervals(struct crypt_device *cd,
while (i < length) {
if (ix[i].offset < 2 * metadata_size) {
log_dbg(cd, "Illegal area offset: %" PRIu64 ".", ix[i].offset);
- return FALSE;
+ return 0;
}
if (!ix[i].length) {
log_dbg(cd, "Area length must be greater than zero.");
- return FALSE;
+ return 0;
}
if ((ix[i].offset + ix[i].length) > keyslots_area_end) {
log_dbg(cd, "Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").",
ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end);
- return FALSE;
+ return 0;
}
for (j = 0; j < length; j++) {
@@ -393,14 +395,14 @@ static json_bool validate_intervals(struct crypt_device *cd,
log_dbg(cd, "Overlapping areas [%" PRIu64 ",%" PRIu64 "] and [%" PRIu64 ",%" PRIu64 "].",
ix[i].offset, ix[i].offset + ix[i].length,
ix[j].offset, ix[j].offset + ix[j].length);
- return FALSE;
+ return 0;
}
}
i++;
}
- return TRUE;
+ return 1;
}
static int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj, json_object *hdr_keyslot, const char *key)
--
2.20.1

Some files were not shown because too many files have changed in this diff Show More