Changes:
* Fix potential null pointer dereference in the JP2/JPC decoder. (#269)
* Fix ignoring of JAS_STREAM_FILEOBJ_NOCLOSE at stream close time. (#286)
* Fix integral type sizing problem in JP2 codec. (#284)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7727703a8b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw
allows attackers to cause a denial of service (SEGV or buffer overflow
and application crash) or possibly have unspecified other impacts via a
crafted ELF. The highest threat from this vulnerability is to system
availability.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 92a6db4fc6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix arbitrary data copied from signature header past signature
checking (CVE-2021-3421)
- Fix signature check bypass with corrupted package (CVE-2021-20271)
- Fix missing bounds checks in headerImport() and headerCheck()
(CVE-2021-20266)
- Fix missing sanity checks on header entry count and region data
overlap
- Fix access past end of header if the last entry is string type
- Fix unsafe headerCopyLoad() still used in codebase
Drop all patches (already in version)
https://rpm.org/wiki/Releases/4.16.1.3.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 768152e2a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Out-of-bound read access when parsing LLDP-MED civic address in
liblldpctl for malformed fields.
- Fix memory leak when receiving LLDPU with duplicate fields.
CVE-2020-27827.
- More memory leak fixes on duplicate TLVs in LLDP, CDP and EDP
(related to CVE-2020-27827).
https://github.com/lldpd/lldpd/blob/1.0.9/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5522b7526b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.15.11 (released 2021/04/01) includes fixes to cgo, the compiler, linker,
runtime, the go command, and the database/sql and net/http packages
https://golang.org/doc/go1.15
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit abfb504eaf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
net-snmp-create-v3-user uses ps to check if snmpd is running. To know
how to invoke 'ps', the build system use 'which ps' and does other
checks for the output format of 'ps', therefore inspecting 'ps' on the
build machine instead of the target.
If the build machine runs a OS like Debian, that uses a merged-usr and a
PATH of '/usr/bin:/bin', then 'which ps' returns /usr/bin/ps, which will
not work on the target if it does not also use a merged-usr.
Hardcode 'ps' to be /bin/ps to fix this issue and to improve build
reproducibility.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 57d339f20b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While not a requirement to run mender itself, the mender-connect package
requires this file to be installed to talk to mender.
Signed-off-by: Adam Duskett <Aduskett@rivian.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 948e2c3467)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The current linker flag "-X main.Version=$(MENDER_VERSION)" no longer points
to the correct location, which results in "version: unknown" when runnning
"mender -version." Update the linker flag to point to the correct location.
Signed-off-by: Adam Duskett <Aduskett@rivian.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5f7fa8838)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently there is a mix of calls to package/mender and $(MENDER_PKGDIR) in the
mender.mk file. Standardize the calls to only $(MENDER_PKGDIR).
Signed-off-by: Adam Duskett <Aduskett@rivian.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e6c2e3a869)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with gcc 10:
/home/buildroot/autobuild/run/instance-1/output-1/host/bin/aarch64-none-linux-gnu-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -I/home/buildroot/autobuild/run/instance-1/output-1/build/efivar-37/src/include/ -specs=/home/buildroot/autobuild/run/instance-1/output-1/build/efivar-37/gcc.specs -L. -fPIC -Wl,-z,muldefs -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -o efivar efivar.c -lefivar -ldl
In file included from efivar.h:28,
from efivar.c:40:
In function 'text_to_guid',
inlined from 'parse_name.constprop' at efivar.c:157:8:
guid.h:106:2: error: 'strncpy' output may be truncated copying 8 bytes from a string of length 38 [-Werror=stringop-truncation]
106 | strncpy(eightbytes, text, 8);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Fixes:
- http://autobuild.buildroot.org/results/fcba72d359f4128515560e9105384cd4deff5043
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 720deac3d9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a WPA_SUPPLICANT_IGNORE_CVES entry for CVE-2021-27803 which was
fixed by commit 9ada4eb2f1, which we
have backported as
0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1a7cf592a8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Current error string speaks only about "fragment" but here we also deal
with Kconfig files, so let's add "file or fragment" instead of "fragment".
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a7348f0f7d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
--enable-more-warnings has been dropped since version 1.26.0 and
https://github.com/freedesktop/libqmi/commit/9f31a45d5fc137431705d47b83669f35259932b4
Instead, a new --disable-Werror option has been added, through the use
of AX_COMPILER_FLAGS, so use that to explicitly request wrnings not be
treated as errors.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: use --disable-Werror instead of nothing]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0de1a23c75)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-3119: Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer
dereferencing issue related to sqlcipher_export in crypto.c and
sqlite3StrICmp in sqlite3.c. This may allow an attacker to perform a
remote denial of service attack. For example, an SQL injection can be
used to execute the crafted SQL command sequence, which causes a
segmentation fault.
https://github.com/sqlcipher/sqlcipher/blob/v4.4.3/CHANGELOG.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f0a81de6b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-27928: A remote code execution issue was discovered in
MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18,
and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep
patch through 2021-03-03 for MySQL. An untrusted search path leads to
eval injection, in which a database SUPER user can execute OS commands
after modifying wsrep_provider and wsrep_notify_cmd. NOTE: this does not
affect an Oracle product.
https://mariadb.com/kb/en/mariadb-10328-release-notes/https://mariadb.com/kb/en/mariadb-10328-changelog/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f06339f3fc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-07 0.9.36
* Fix sf.net issue #5 - its possible to issue a PUT request
without a CONTENT-TYPE. Assume an octet-stream in that case.
* Change the Prefix for variables to be the REQUEST_METHOD
(PUT/DELETE/GET/POST)
**** THIS IS A BREAKING CHANGE vs 0.9.33 ****
* Mitigations vs running haserl to get access to files not
available to the user.
- Fix CVE-2021-29133: Lack of verification in haserl, a component of
Alpine Linux Configuration Framework, before 0.9.36 allows local users
to read the contents of any file on the filesystem.
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 661ce9aac9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 5502a889dd
("configs/beaglebone_qt5: don't use custom post-image script") removed the use
of genimage_linux41.cfg but didn't remove the file.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8c60df5a77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream has switched to requiring python3, so change the dependency to
always use host-python3.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7e0c490f45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit f4a61d1ae2 introduced CC_FOR_BUILD and
CXX_FOR_BUILD to avoid detecting ccache.
Both values are set to `HOSTCC`. This causes issues where C++ files are
compiled with the C compiler without passing the `stdc++` flag to the
linker, too.
Therefore, switch to pass the C++ compiler to CXX_FOR_BUILD.
Correctly fixes:
http://autobuild.buildroot.org/results/871e1362c44e5b68a149e6a5dd3caf99ea0d904a
Commit 9783c04aaf proposed a fix which in
fact is a workaround to get Meson to pass the `stdc++` flag to the C
linker.
A follow-up commit will revert this commit, as it is no longer
needed.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 00d41f58eb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Github macro example shows something that is now considered
incorrect: using v1.0 as the VERSION. This is not longer recommended
as it prevents from matching with release-monitoring.org details.
Let's update the example, and add a note to explain this in more
details.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b7cd17eb09)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When BR2_VERSION_FULL contains one or more '/', injection our version
in the perl patch-level fails:
/usr/bin/sed: -e expression #1, char 27: unknown option to `s'
When the build is done in a git tree, and HEAD is a tag, BR2_VERSION_FULL
will contain that tag name. Even if not widely common, it is not unusual
for a tag to contain a '/', and this is perfectly legit in git.
So, mangle BR2_VERSION_FULL to escape all '/' with a backslash '\', so
that the sed expression is correct, and so that we eventually have a
correct patchlevel string in perl's --version output.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0a2141349c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* ssh-agent(1): fixed a double-free memory corruption that was
introduced in OpenSSH 8.2 . We treat all such memory faults as
potentially exploitable. This bug could be reached by an attacker
with access to the agent socket.
On modern operating systems where the OS can provide information
about the user identity connected to a socket, OpenSSH ssh-agent
and sshd limit agent socket access only to the originating user
and root. Additional mitigation may be afforded by the system's
malloc(3)/free(3) implementation, if it detects double-free
conditions.
The most likely scenario for exploitation is a user forwarding an
agent either to an account shared with a malicious user or to a
host with an attacker holding root access.
* Portable sshd(8): Prevent excessively long username going to PAM.
This is a mitigation for a buffer overflow in Solaris' PAM username
handling (CVE-2020-14871), and is only enabled for Sun-derived PAM
implementations. This is not a problem in sshd itself, it only
prevents sshd from being used as a vector to attack Solaris' PAM.
It does not prevent the bug in PAM from being exploited via some
other PAM application. GHPR#212
Also license has been updated to add some openbsd-compat licenses:
https://github.com/openssh/openssh-portable/commit/922cfac5ed5ead9f796f7d39f012dd653dc5c173https://www.openssh.com/txt/release-8.5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ed63f95966)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Make sure libusb support is properly disabled even if the libusb
package is enabled, and in case it gets built before Kodi.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0e1acc6e36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changes:
* Check for an image containing no samples in the PGX
decoder. (#271, #272, #273, #274, #275, #276, #281)
* Check for dimensions of zero in the JPC and JPEG decoders.
* Fix an arguably incorrect type for an integer literal
in the PGX decoder. (#270)
* Check for an invalid component reference in the
JP2 decoder. (#269)
* Check on integer size in JP2 decoder. (#278)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 34743fadba)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2021-21300:
On case-insensitive file systems with support for symbolic links, if Git is
configured globally to apply delay-capable clean/smudge filters (such as Git
LFS), Git could be fooled into running remote code during a clone.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When a --transform expression is provided, it is by default also applied
to the target of a symlink.
When we create tarballs (from git or svn checkouts), we use a --transform
expression to replace the leading ./ with the package name and version.
This causes issues when a package contains symlinks that points to
./something, as the leading './' is also replaced.
Fix that by using the 'S' transformation scope flag, as described in the
tar manual:
https://www.gnu.org/software/tar/manual/html_node/transform.html#transform
In addition, several transformation scope flags are supported, that
control to what files transformations apply. These are:
‘r’ Apply transformation to regular archive members.
‘R’ Do not apply transformation to regular archive members.
‘s’ Apply transformation to symbolic link targets.
‘S’ Do not apply transformation to symbolic link targets.
‘h’ Apply transformation to hard link targets.
‘H’ Do not apply transformation to hard link targets.
Default is ‘rsh’ [...].
Fixes: #13616
Signed-off-by: Jean-pierre Cartal <jpcartal@free.fr>
Tested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-24032: Beginning in v1.4.1 and prior to v1.4.9, due to an
incomplete fix for CVE-2021-24031, the Zstandard command-line utility
created output files with default permissions and restricted those
permissions immediately afterwards. Output files could therefore
momentarily be readable or writable to unintended parties.
https://github.com/facebook/zstd/releases/tag/v1.4.9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 74ed1b5ca0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit e8b1eeb2f3 (package/batman-adv: fix compile with
BR2_PACKAGE_BATMAN_ADV_BATMAN_V disabled) was tested against an RPi4
linux kernel already enabling the build-in batman-adv module inlcusive
batman-v, hence it missed the case where the in-tree module is not
enabled.
Taking a deeper look at the configure script gen-compat-autoconf.sh
reveals that the batman feature options must be explicitly set to 'y' or
'n' to work as expected.
Fixes:
ERROR: modpost: "batadv_v_mesh_free" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined!
ERROR: modpost: "batadv_v_mesh_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined!
ERROR: modpost: "batadv_v_hardif_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined!
ERROR: modpost: "batadv_v_init" [.../build/batman-adv-2021.0/net/batman-adv/batman-adv.ko] undefined!
Reported-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: add blurb about tests on previous commit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 20b9724ee2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The BR2_TOOLCHAIN_HAS_BINUTILS_BUG_19615 and
BR2_TOOLCHAIN_HAS_BINUTILS_BUG_20006 options were last selected by the
BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_AMD64 toolchain, but this
toolchain has been removed as part of commit
d87e114a8f in August 2020.
It's time to get rid of those two options that are never enabled.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a7143fb316)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In Makefiles, variables are split, filtered, and otherwise mangled on
a space as a separator. In a shell, they will also be split on TABs.
We split and filter and iterate on variables in a lot of places, and
most importantly, spaces in PATH is very seldom tested, if at all, so
a lot of packages will not be working properly in such a situation.
For example, the config.guess contains constructs that are not resilient
to a space in PATH:
PATH=$PATH:/.attbin ; export PATH
Also, our fakedate will iterate over PATH:
for P in `echo $PATH | tr ':' ' '`; do
Those are only two cases, but the first means basically all
autotools-based packages are susceptible to subtle breakage.
Furthermore, Buildroot itself does not support that the top-level or
output directories are in a path with spaces anyway.
So, instead of chasing all cases that might be potentially broken,
let's just detect the case and bail out, like we already do when PATH
contains a \n, or when it contains the current working directory.
Reported-by: Dan Raymond <draymond@foxvalley.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e36974d9e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The OpenRISC binutils is affected by a linker bug (binutils bug 21464)
for which no workaround exists. This causes build breakage in a number
of packages, so this commit introduces a
BR2_TOOLCHAIN_HAS_BINUTILS_BUG_21464 option to identify this bug. As
all binutils versions are affected, this option is true whenever the
configuration targets OpenRISC.
The bug was already reported and it's been recently updated:
https://sourceware.org/bugzilla/show_bug.cgi?id=21464
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 227cefef41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security fix for CVE-2021-21334:
https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4
Other changes:
- Fix container create in CRI to prevent possible environment variable leak between containers
- Update shim server to return grpc NotFound error
- Add bounds on max oom_score_adj value for shim's AdjustOOMScore
- Update task manager to use fresh context when calling shim shutdown
- Update Docker resolver to avoid possible concurrent map access panic
- Update shim's log file open flags to avoid containerd hang on syscall open
- Fix incorrect usage calculation
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 43a766e92d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The license is BSD-2-Clause, not MIT.
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
[yann.morin.1998@free.fr: split off into its own commit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7b5d624bb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Details: https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
As detailed in commit 7e64a050fb, it is
difficult to utilize the upstream patches directly, so a number of
patches include changes to generated files so that we don't need invoke
the gentpl.py script.
In addition to the security fixes, these required patches has been
backported:
f76a27996 efi: Make shim_lock GUID and protocol type public
04ae030d0 efi: Return grub_efi_status_t from grub_efi_get_variable()
ac5c93675 efi: Add a function to read EFI variables with attributes
d7e54b2e5 efi: Add secure boot detection
The following security issues are fixed:
CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted
ACPI tables when Secure Boot is enabled
CWE-184
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
GRUB2 enables the use of the command acpi even when Secure Boot is signaled by
the firmware. An attacker with local root privileges to can drop a small SSDT
in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT
then gets run by the kernel and it overwrites the kernel lock down configuration
enabling the attacker to load unsigned kernel modules and kexec unsigned code.
Reported-by: Máté Kukri
*******************************************************************************
CVE-2020-25632 grub2: Use-after-free in rmmod command
CWE-416
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload
a module used as dependency without checking if any other dependent module is
still loaded. This leads to an use-after-free scenario possibly allowing an
attacker to execute arbitrary code and by-pass Secure Boot protections.
Reported-by: Chris Coulson (Canonical)
*******************************************************************************
CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize()
CWE-787
6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
grub_usb_device_initialize() is called to handle USB device initialization. It
reads out the descriptors it needs from the USB device and uses that data to
fill in some USB data structures. grub_usb_device_initialize() performs very
little bounds checking and simply assumes the USB device provides sane values.
This behavior can trigger memory corruption. If properly exploited, this would
lead to arbitrary code execution allowing the attacker to by-pass Secure Boot
mechanism.
Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive)
*******************************************************************************
CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline
CWE-121
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
grub_parser_split_cmdline() expands variable names present in the supplied
command line in to their corresponding variable contents and uses a 1kB stack
buffer for temporary storage without sufficient bounds checking. If the
function is called with a command line that references a variable with a
sufficiently large payload, it is possible to overflow the stack buffer,
corrupt the stack frame and control execution. An attacker may use this to
circumvent Secure Boot protections.
Reported-by: Chris Coulson (Canonical)
*******************************************************************************
CVE-2020-27779 grub2: The cutmem command allows privileged user to remove
memory regions when Secure Boot is enabled
CWE-285
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The GRUB2's cutmem command does not honor Secure Boot locking. This allows an
privileged attacker to remove address ranges from memory creating an
opportunity to circumvent Secure Boot protections after proper triage about
grub's memory layout.
Reported-by: Teddy Reed
*******************************************************************************
CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705
CWE-281
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro
specific flaw which made upstream in the mentioned version.
If certificates that signed GRUB2 are installed into db, GRUB2 can be booted
directly. It will then boot any kernel without signature validation. The booted
kernel will think it was booted in Secure Boot mode and will implement lock
down, yet it could have been tampered.
This flaw only affects upstream and distributions using the shim_lock verifier.
Reported-by: Dimitri John Ledkov (Canonical)
*******************************************************************************
CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The option parser in GRUB2 allows an attacker to write past the end of
a heap-allocated buffer by calling certain commands with a large number
of specific short forms of options.
Reported-by: Daniel Axtens (IBM)
*******************************************************************************
CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of
space required for quoting
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
There's a flaw on GRUB2 menu rendering code setparam_prefix() in the menu
rendering code performs a length calculation on the assumption that expressing
a quoted single quote will require 3 characters, while it actually requires
4 characters. This allow an attacker to corrupt memory by one byte for each
quote in the input.
Reported-by: Daniel Axtens (IBM)
*******************************************************************************
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1bad507220)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If PER_PACKAGE_DIRECTORIES=Y and using host-make package (because
BR2_FORCE_HOST_BUILD=Y or local make is too old) .stamp_dotconfig
target needs per-package/uboot/host/bin/host-make that doesn't
exist yet.
Add host-make into UBOOT_KCONFIG_DEPENDENCIES.
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3cf8173e5c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
opkg-utils is a collection of bash and python scripts which require
additional commands/tools be available for the bash scripts. The full
list of dependencies that the opkg-util scripts require is:
bash
binutils
bzip2
coreutils
diffutils
findutils
grep
gzip
lz4
python3
sed
tar
xz
The Buildroot manual requires a few packages (bash, binutils, bzip2,
gzip, sed and tar) to be installed on the host system, so we need not
add those. Additionally, and even though they are not in that list,
that grep and find are also required (we already make extensive use of
both everywhere, so it is as good as them being in the list).
We have a host variant for coreutils, but only for systems that do not
already have a recent-enough one, i.e. that provides 'realpath' and
'ln --relative'. opkg-utils uses neither, so can rely on the ones on the
system.
Only add dependencies on the remaining host tools: diffutils, lz4, and
xz.
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
[yann.morin.1998@free.fr:
- drop excessive dependencies,
- reword the commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9521492bd0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
opkg-utils is a package that only provides bash and python scripts.
Upon further inspection of the Makefile for the package, invoking
`make` only ever builds the manpage. The previous commit dropped the
installation of the manpage. This makes the build step unnecessary so
remove it.
Add a comment to explain the situation
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 05bf014f56)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When `make install` is run to install the opkg-utils scripts, it also
invokes building of the man page for opkg-build. The generation of the
man page requires `pod2man` executable which is a part of perl.
Since buildroot does not support man pages in the host directory,
patch the opkg-utils Makefile to separate the installation of man
pages and utility scripts.
With the options to install man pages and utils separately, only
install the opkg-utils scripts.
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0424eee0ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Aufs has been deprecated for the purposes of Docker/containers since overlay2
became the mainline kernel module of choice.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8a99b47ec2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.15.9 (released 2021/03/10) includes security fixes to the encoding/xml
package. See the Go 1.15.9 milestone on our issue tracker for details.
go1.15.10 (released 2021/03/11) includes fixes to the compiler, the go
command, and the net/http, os, syscall, and time packages. See the Go
1.15.10 milestone on our issue tracker for details.
https://golang.org/doc/devel/release.html#go1.15.minor
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|.
- Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write a private RSA keys of the
largest supported size.
- Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is
beyond FD_SETSIZE.
- Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code.
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: fix the hash after upstream mess-up]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 694c7d3ece)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In Buildroot, the SSP flags are passed via the wrapper, and only flags
supported by the toolchain will be used.
Add patch to remove '-fstack-protector-strong' compile flag.
Fixes:
.../aarch64-buildroot-linux-uclibc/bin/ld: runlevel.o: in function `main':
runlevel.c:(.text.startup+0x4): undefined reference to `__stack_chk_guard'
.../aarch64-buildroot-linux-uclibc/bin/ld: cannot find -lssp_nonshared
.../aarch64-buildroot-linux-uclibc/bin/ld: cannot find -lssp
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 50cbac5099)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a dependency on openssl upon BR2_PACKAGE_LIBOPENSSL=y to
enable some for OP-TEE embedded tests.
Building with libressl makes the optee-test test tool fail on a
certificate test; so we explicitly depend on libopenssl.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
[yann.morin.1998@free.fr:
- match the depenency to libopenssl, since that's is what is used in
the condition (BR2_PACKAGE_LIBOPENSSL)
- add a blurb to explain why libopenssl is used, not the virutal
openssl
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b2821ca786)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-3336: DoTls13CertificateVerify in tls13.c in wolfSSL before
4.7.0 does not cease processing for certain anomalous peer behavior
(sending an ED22519, ED448, ECC, or RSA signature without the
corresponding certificate). The client side is affected because
man-in-the-middle attackers can impersonate TLS 1.3 servers.
https://github.com/wolfSSL/wolfssl/releases/tag/v4.7.0-stable
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 238b5df775)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit b83184de67 (package/libjpeg: switch to s.b.o. as source site)
improperly added a trailing slash '/' at the end of LIBJPEG_SITE,
causing builds to fail:
package/libjpeg/libjpeg.mk:35: *** LIBJPEG_SITE (http://sources.buildroot.org/libjpeg/) cannot have a trailing slash. Stop.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 308f4428c8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Actually asterisk package gets built with -O3 cflag since it's defaulted
into its sources, but it's not what we want, so let's empty its OPTIMIZE
Makefile variable letting Buildroot CFLAGS to take place instead.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eaba3c8e13)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openblas internally sets -O2, after the flags being passed by Buildroot
(e.g. -Os).
Patch openblas to let the Buildroot-specified flag survive.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b4df526ce3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openblas strips off -O1-O3 for certain source files, but forgets to handle
-Os, -Og and -O. This means that the intended effect of 'no optimization' is
not always reached.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a0508b5705)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot specifies a value for FFLAGS on the make command-line.
While the openblas makefiles allowed this principle for the most part by
using 'override FFLAGS += ....', the make.inc file generated for the shipped
'lapack' sources just used a 'FFLAGS = ...' statement, whose value is then
eclipsed by the command-line FFLAGS.
This meant that -fPIC may be passed to the link step but not to all relevant
source files, causing relocation failures.
Fixes: http://autobuild.buildroot.net/results/d530db0f37e1e0462e3af1e1787e15f94ff21884/
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2793167b57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#13581
The tarball for version 9d, released 2020-01-12, has been silently
replaced upstream (a unicode BOM was removed from a few files),
causing hash mismatch.
This means that all our versions since 2020.02 will fail the hash
check, and fallback to using s.b.o. so we can't update the copy we
have on s.b.o.
As a consequence, we can't update the hash in master (soon 2021.02)
otherwise it would not match what we have on s.b.o.
This means that users will see hash mismatch by default, which is not
very nice. Although we can't do anything for all previous releases,
we can still try to paper over the problem for the future ones, like
2021.02, by switching the upstream to be s.b.o.
Sigh... :-(
Reported-by: Nick Shaforostov <mshaforostov@airmusictech.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b83184de67)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changes:
* Fix JP2 decoder bug that can cause a null pointer dereference for
some invalid CDEF boxes. (#268)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5742a0f33e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- wpa_supplicant P2P provision discovery processing vulnerability (no CVE
yet)
A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.
For more details, see the advisory:
https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: actually add the patch URL to the patch list]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9ada4eb2f1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2020-14343: A vulnerability was discovered in the PyYAML library
in versions before 5.4, where it is susceptible to arbitrary code
execution when it processes untrusted YAML files through the full_load
method or with the FullLoader loader. Applications that use the library
to process untrusted input may be vulnerable to this flaw. This flaw
allows an attacker to execute arbitrary code on the system by abusing
the python/object/new constructor. This flaw is due to an incomplete fix
for CVE-2020-1747.
Update hash of LICENSE file (update in year:
https://github.com/yaml/pyyaml/commit/58d0cb7ee09954c67fabfbd714c5673b03e7a9e1)
https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit de43a9775d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gr-qtgui examples needs to have gr-analog enabled, without this dependency
compile crash with:
In file included from
/x/output/build/gnuradio-3.8.1.0/gr-qtgui/examples/c++/display_qt.cc:22:
/x/output/build/gnuradio-3.8.1.0/gr-qtgui/examples/c++/display_qt.h:24:10:
fatal error: gnuradio/analog/noise_source.h: No such file or directory
24 | #include <gnuradio/analog/noise_source.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make[3]: *** [gr-qtgui/examples/c++/CMakeFiles/display_qt.dir/build.make:67:
gr-qtgui/examples/c++/CMakeFiles/display_qt.dir/display_qt.cc.o] Error 1
make[3]: *** Waiting for unfinished jobs....
In file included from
/somewhere/gnuradio/build/gr-qtgui/examples/c++/moc_display_qt.cpp:10:
/somewhere/gnuradio/build/gr-qtgui/examples/c++/../../../../gr-qtgui/examples/c++/display_qt.h:24:10:
fatal error: gnuradio/analog/noise_source.h: No such file or directory
24 | #include <gnuradio/analog/noise_source.h>
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
GR_ANALOG is not an explicit dependency of GR_QTGUI, so disable c++ examples if
user has not selected this option.
[backported from 7470a7a3771dd90defb826b464dfe62977cb1eb6]
Fixes:
- http://autobuild.buildroot.net/results/fde670499289f3d7d47379eebccf6e0f92c6d200/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 6b714a9c3b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
(https://github.com/redis/redis/blob/6.0.12/00-RELEASENOTES)
================================================================================
Redis 6.0.11 Released Mon Feb 22 16:13:23 IST 2021
================================================================================
Upgrade urgency: SECURITY if you use 32bit build of redis (see bellow), LOW
otherwise.
Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a client
may trigger several integer overflow scenarios, which would result with buffer
overflow and heap corruption.
================================================================================
Redis 6.0.12 Released Mon Mar 1 17:29:52 IST 2021
================================================================================
Upgrade urgency: LOW, fixes a compilation issue.
Bug fixes:
* Fix compilation error on non-glibc systems if jemalloc is not used (#8533)
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cbd5f7e3a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
https://blog.prosody.im/prosody-0.11.8-released/
This release also fixes a security issue, where channel binding, which
connects the authentication layer (i.e. SASL) with the security layer (i.e.
TLS) to detect man-in-the-middle attacks, could be used on connections
encrypted with TLS 1.3, despite the holy texts declaring this undefined.
https://issues.prosody.im/1542
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: mark as security bump, expand commit text]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9aba85e3f5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
runuser allows running commands as another user, but needs to run as
root to be able to setuid(). But Buildroot does not require running as
root, and so runuser can't be used.
Incientally, that fixes host build in case unsuitable libs are found on
the system:
http://lists.busybox.net/pipermail/buildroot/2021-February/304261.html
Reported-by: GA K <guyarkam@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- expand the commit log with a more fundamental explanation that
runuser can't be used anyway
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 955d6c099b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Privoxy 3.0.32 fixes a number of security issues:
- Security/Reliability:
- ssplit(): Remove an assertion that could be triggered with a
crafted CGI request.
Commit 2256d7b4d67. OVE-20210203-0001.
Reported by: Joshua Rogers (Opera)
- cgi_send_banner(): Overrule invalid image types. Prevents a
crash with a crafted CGI request if Privoxy is toggled off.
Commit e711c505c48. OVE-20210206-0001.
Reported by: Joshua Rogers (Opera)
- socks5_connect(): Don't try to send credentials when none are
configured. Fixes a crash due to a NULL-pointer dereference
when the socks server misbehaves.
Commit 85817cc55b9. OVE-20210207-0001.
Reported by: Joshua Rogers (Opera)
- chunked_body_is_complete(): Prevent an invalid read of size two.
Commit a912ba7bc9c. OVE-20210205-0001.
Reported by: Joshua Rogers (Opera)
- Obsolete pcre: Prevent invalid memory accesses with an invalid
pattern passed to pcre_compile(). Note that the obsolete pcre code
is scheduled to be removed before the 3.0.33 release. There has been
a warning since 2008 already.
Commit 28512e5b624. OVE-20210222-0001.
Reported by: Joshua Rogers (Opera)
for more details, see the announcement:
https://www.openwall.com/lists/oss-security/2021/02/28/1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e276d14cd8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in
the scp.c toremote function, as demonstrated by backtick characters in the
destination argument. NOTE: the vendor reportedly has stated that they
intentionally omit validation of "anomalous argument transfers" because that
could "stand a great chance of breaking existing workflows."
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6609cd0d88)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2021-21330: Open redirect vulnerability in aiohttp
(normalize_path_middleware middleware)
Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async
HTTP client/server framework, is prone to an open redirect vulnerability. A
maliciously crafted link to an aiohttp-based web-server could redirect the
browser to a different website.
For more details, see the advisory:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0e60a9aa83)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2021-27218: An issue was discovered in GNOME GLib before 2.66.7 and
2.67.x before 2.67.4. If g_byte_array_new_take() was called
with a buffer of 4GB or more on a 64-bit platform, the length would be
truncated modulo 2**32, causing unintended length truncation.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion
failure in slapd can occur in the issuerAndThisUpdateCheck function via a
crafted packet, resulting in a denial of service (daemon exit) via a short
timestamp. This is related to schema_init.c and checkTime.
For more details, see the bugtracker:
https://bugs.openldap.org/show_bug.cgi?id=9454
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2d6a0ea93e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a
denial of service (invalid write access and application crash) or possibly
have unspecified other impact via a crafted UTF-8 character sequence.
For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2021/02/09/3
So far no fix has been added to upstream git, and a number of early proposed
fixes caused regressions, so pull the security fix from the screen 4.8.0-5
Debian package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6ca1a7c277)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and
7.0.10-57 in gem.c. This flaw allows an attacker who submits a crafted file
that is processed by ImageMagick to trigger undefined behavior through a
division by zero. The highest threat from this vulnerability is to system
availability.
For more details, see the bugtracker:
https://github.com/ImageMagick/ImageMagick/issues/3077
- bump version to 7.0.10-62
- update license file hash (copyright year update)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: mention security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a11b6beab9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when
too many connection attempts with an 'unknownProtocol' are established.
This leads to a leak of file descriptors. If a file descriptor limit is
configured on the system, then the server is unable to accept new
connections and prevent the process also from opening, e.g. a file. If no
file descriptor limit is configured, then this lead to an excessive memory
usage and cause the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when
the whitelist includes “localhost6”. When “localhost6” is not present in
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
over network. If the attacker controls the victim's DNS server or can spoof
its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain. As long as the attacker uses the “localhost6” domain,
they can still apply the attack described in CVE-2018-7160.
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7cb44a2011)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2021-23336: urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a
query args separator
https://bugs.python.org/issue42967
And fixes a number of issues. For details, see the changelog:
https://docs.python.org/release/3.9.2/whatsnew/changelog.html
Drop the now upstreamed security patch and update the license hash for a
change of copyright year:
-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4e6ee9eb53)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2020-8625: When tkey-gssapi-keytab or tkey-gssapi-credential was
configured, a specially crafted GSS-TSIG query could cause a buffer
overflow in the ISC implementation of SPNEGO (a protocol enabling
negotiation of the security mechanism to use for GSSAPI authentication).
This flaw could be exploited to crash named. Theoretically, it also
enabled remote code execution, but achieving the latter is very difficult
in real-world conditions
For details, see the advisory:
https://kb.isc.org/docs/cve-2020-8625
In addition, 9.11.26-27 fixed a number of issues, see the release notes for
details:
https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html
Drop now upstreamed patches, update the GPG key for the 2021-2022 variant
and update the COPYRIGHT hash for a change of year:
-Copyright (C) 1996-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2021 Internet Systems Consortium, Inc. ("ISC")
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6376decbda)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
- http://autobuild.buildroot.net/results/966a3de94aa97fa8e9895eede29c9cbfb4bd7301
.../host/lib/gcc/arm-buildroot-linux-musleabihf/9.3.0/../../../../arm-buildroot-linux-musleabihf/bin/ld: warning: libisccfg.so.163, needed by ../../lib/bind9/.libs/libbind9.so, not found (try using -rpath or -rpath-link)
.../host/lib/gcc/arm-buildroot-linux-musleabihf/9.3.0/../../../../arm-buildroot-linux-musleabihf/bin/ld: ../../lib/bind9/.libs/libbind9.so: undefined reference to `cfg_obj_line'
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: replace by upstream patches]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e4af234d3c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release contains a number of bug fixes. There is added support
for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID
option (RFC 5001). Unbound control has added commands to enable and
disable rpz processing. Reply callbacks have a start time passed to
them that can be used to calculate time, these are callbacks for
response processing. With the option serve-original-ttl the TTL served
in responses is the original, not counted down, value, for when in
front of authority service.
https://github.com/NLnetLabs/unbound/releases/tag/release-1.13.1
Signed-off-by: Stefan Ott <stefan@ott.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 048f772354)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported on IRC by sephthir, the gitlab test of the defconfig
qemu_sparc_ss10_defconfig doesn't error out while the system
is not working properly.
This is because we explicitly wait for the timeout as an expected
condition, but do not check for it. Indeed, pexpect.expect() returns
the index of the matching condition in the list of expected conditions,
but we just ignore the return code, so we are not able to differentiate
between a successful login (or prompt) from a timeout.
By default, pexepect.expect() raises the pexpect.TIMEOUT exception on a
timeout, and we are already prepared to catch and handle that exception.
But because pexpect.TIMEOUT is passed as an expected condition, the
exception is not raised.
Remove pexpect.TIMEOUT from the list of expected conditions, so that the
exception is properly raised again, and so that we can catch it.
The qemu_sparc_ss10_defconfig is already fixed by
4d16e6f532.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 03c3fbd81c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add patch to fix irqbalance/irqbalance-ui socket communication by
fixing uint64_t printf format usage.
Fixes:
$ irqbalance-ui
Invalid data sent. Unexpected token: (null)TYPE
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- do an actual backport as upstream applied the patch
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f204e58740)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
scanpypi is python3 compatible. In addition, it executes the setup.py
of Python modules to extract the relevant information. Since these are
more and more commonly using python3 constructs, using "python" to run
scanpypi causes problems on systems that have python2 installed as
python, when trying to parse setup.py scripts with python3 constructs.
Fixes part of #13516.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ee8b680816)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 689b9c1a7c (package/cegui: disable xerces support) added
an unconditional assignment to _CONF_OPTS before all the conditional
ones, but used the append-assignment instead of the traditional plain
assignment.
Fix that by removing the append-assignment.
Use that opportunity to also move the first item of this multi-line
assignment, to its own line.
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr:
- reference the exact commit that introduce the issue
- also move the first item to its own line
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 86fbba8b81)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()
Django contains a copy of urllib.parse.parse_qsl() which was added to
backport some security fixes. A further security fix has been issued
recently such that parse_qsl() no longer allows using ; as a query
parameter separator by default. Django now includes this fix. See
bpo-42967 for further details.
For more details, see the advisory:
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 82abd78a01)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-23841: Null pointer deref in X509_issuer_and_serial_hash()
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.
- CVE-2021-23839: Incorrect SSLv2 rollback protection
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2
with a server that is configured to support both SSLv2 and more recent SSL
and TLS versions then a check is made for a version rollback attack when
unpadding an RSA signature. Clients that support SSL or TLS versions
greater than SSLv2 are supposed to use a special form of padding. A
server that supports greater than SSLv2 is supposed to reject connection
attempts from a client where this special form of padding is present,
because this indicates that a version rollback has occurred (i.e. both
client and server support greater than SSLv2, and yet this is the version
that is being requested).
The implementation of this padding check inverted the logic so that the
connection attempt is accepted if the padding is present, and rejected if
it is absent. This means that such as server will accept a connection if
a version rollback attack has occurred. Further the server will
erroneously reject a connection if a normal SSLv2 connection attempt is
made.
OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable
to this issue. The underlying error is in the implementation of the
RSA_padding_check_SSLv23() function. This also affects the
RSA_SSLV23_PADDING padding mode used by various other functions. Although
1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still
exists, as does the RSA_SSLV23_PADDING padding mode. Applications that
directly call that function or use that padding mode will encounter this
issue. However since there is no support for the SSLv2 protocol in 1.1.1
this is considered a bug and not a security issue in that version.
- CVE-2021-23840: Integer overflow in CipherUpdate
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may
overflow the output length argument in some cases where the input length
is close to the maximum permissable length for an integer on the platform.
In such cases the return value from the function call will be 1
(indicating success), but the output length value will be negative. This
could cause applications to behave incorrectly or crash.
For more details, see the advisory:
https://www.openssl.org/news/secadv/20210216.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4745a484a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The compiler detection since openblas 0.3.8 added support for gcc 10, but
this broke detection of compilers created with crosstool-ng, or other
toolchains that have a package version containing a version like x.y.z where
at least one of x, y or z have more than one digit, for example
"Crosstool-NG 1.24.0".
See the reported issue for more details [1].
Backport the upstream patch that fixes it.
[1] https://github.com/xianyi/OpenBLAS/issues/3099
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8efa82a41d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixing a number of issues:
- Fix RunLoop objects leaked in worker threads.
- Fix JavaScriptCore AArch64 LLInt build with JIT disabled.
- Use Internet Explorer quirk for Google Docs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 824473576e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2020-13558: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: A use after free issue in the
AudioSourceProviderGStreamer class was addressed with improved memory
management
For more details, see the advisory:
https://webkitgtk.org/security/WSA-2021-0001.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 157dc4e3cf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1019385940
FAIL: test_run (tests.core.test_timezone.TestGlibcNonDefaultLimitedTimezone)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/builds/buildroot.org/buildroot/support/testing/tests/core/test_timezone.py", line 66, in test_run
self.assertEqual(tz[0].strip(), "EST")
AssertionError: '' != 'EST'
Commit 7868289fd5 (package/zic: bump version to 2020f) bumped the zic
version to 2020f, which changed the default output format from the classic
"fat" format to the new "slim" format:
https://github.com/eggert/tz/commit/6ba6f2117b95eab345a7ed9159cef939e30c4cd3
The slim format is unfortunately not supported by glibc < 2.28 or uClibc, so
explicitly request the classic "fat" format.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1efb7b9618)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, the envimage creation logic only depends on u-boot when the
user does not specify a custom envimage source via
BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE. This assumes that the
user-provided envimage source is not coming from the u-boot source
tree.
But especially given the fact that the envimage creation logic used to
be part of the u-boot package, this is a realistic scenario: users may
have provided a value of BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE
based on $(UBOOT_DIR), e.g.:
$(UBOOT_DIR)/board/foo-vendor/bar-board/env.txt
Therefore, always add the u-boot dependency if u-boot is selected, for
either case of custom or default envimage source.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Thomas: re-organize code a bit.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 10ad952ea9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the upgrade of ebtables from 2.0.10-4 to 2.0.11, there no longer is an
'ebtables' binary. It has been renamed to 'ebtables-legacy' and moved from
'/sbin' to '/usr/sbin'. This change is part of the upstream change to
integrate the functionality of ebtables (and arptables) in the iptables
package, using the nf_tables kernel backend [1].
Unfortunately, the renaming (and move) of the original 'ebtables' binary
breaks existing scripts that are calling 'ebtables' or '/sbin/ebtables'.
Therefore, add a symlink from the original path to 'ebtables-legacy'.
However, do not provide this symlink if BR2_PACKAGE_IPTABLES_NFTABLES is
enabled. In this case, the iptables package will build the new equivalent
of ebtables -- a symlink to ebtables-legacy would cause conflicts.
[1] https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 938c085109)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Glibc 2.33 removed `_STAT_VER`. On host machines, which updated to glibc
2.33, building host-fakeroot breaks:
```
In file included from communicate.h:20,
from libfakeroot.c:60:
libfakeroot.c: In function ‘chown’:
libfakeroot.c:99:40: error: ‘_STAT_VER’ undeclared (first use in this function)
99 | #define INT_NEXT_STAT(a,b) NEXT_STAT64(_STAT_VER,a,b)
```
The issue has been discussed on some package maintainer threads, e.g.:
https://bugs.archlinux.org/task/69572https://bugzilla.redhat.com/show_bug.cgi?id=1889862#c13
A patch series was prepared by Ilya Lipnitskiy which included two other
patches not related to the glibc 2.33 compatibility issue and submitted as
merge request for upstream:
https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg57280.html
Upstream accepted the merge request:
https://salsa.debian.org/clint/fakeroot/-/merge_requests/10
Note, that this patch series only contains the necessay patches for glibc
2.33 compatibility.
Tested on my Arch Linux machine, building a UBIFS/OverlayFS-based root
filesystem for an i.MX6ULL target board.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Tested-by: Bartosz Bilas <b.bilas@grinn-global.com>
[Peter: drop patch numbering (PATCH x/y) as pointed out by check-package]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f45925a951)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Unit tests fail to build with gcc 10 on:
[100%] Linking C executable NE10_dsp_unit_test_smoke
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-none-linux-gnu/10.2.1/../../../../aarch64-none-linux-gnu/bin/ld: CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_suite_fft_float32.c.o:(.bss+0x0): multiple definition of `seatest_simple_test_result'; CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_main.c.o:(.bss+0x0): first defined here
So just disable them and, while at it, also disable examples which are
also enabled by default
Fixes:
- http://autobuild.buildroot.org/results/c658d52668825c26a15d6ac3ca538472cad5cd78
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c4bc257a09)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changes:
* Fix memory-related bugs in the JPEG-2000 codec resulting from
attempting to decode invalid code streams. (#264, #265)
This fix is associated with CVE-2021-26926 and CVE-2021-26927.
* Fix wrong return value under some compilers (#260)
* Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 72b801010c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changes:
* Add JAS_VERSION_MAJOR, JAS_VERSION_MINOR, JAS_VERSION_PATCH for
easier access to the JasPer version.
* Fixes stack overflow bug on Windows, where variable-length
arrays are not available. (#256)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a5c61d59b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a
denial of service (segmentation fault) or possibly have unspecified other
impact via a crafted UTF-8 character sequence.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fd6f7061ca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion
mod_authz_svn
Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile option
and a client sends a request for a non-existing repository URL.
For more details, see the advisory:
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4109401acd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixing the following issue:
- Check contexts before importing them to reduce risk of extracted files
escaping context store
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- cmd/go: packages using cgo can cause arbitrary code execution at build time
The go command may execute arbitrary code at build time when cgo is in use
on Windows. This may occur when running “go get”, or any other command
that builds code. Only users who build untrusted code (and don’t execute
it) are affected.
In addition to Windows users, this can also affect Unix users who have “.”
listed explicitly in their PATH and are running “go get” or build commands
outside of a module or with module mode disabled.
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.
- crypto/elliptic: incorrect operations on the P-224 curve
The P224() Curve implementation can in rare circumstances generate
incorrect outputs, including returning invalid points from ScalarMult.
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.
The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).
This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0e1b5aa572)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When a developer has package/pkg-<infra>.mk assigned to him/her in the
DEVELOPERS file, this has 3 implications:
(1) Patches adding new packages using this infrastructure are Cc'ed
to this developer. This is done by the analyze_patch() function,
which matches the regexp r"^\+\$\(eval
\$\((host-)?([^-]*)-package\)\)$" in the patch, i.e where an
added line contains a reference to the infra maintained by the
developer.
(2) Patches touching the package/pkg-<infra>.mk file itself are Cc'ed
to this developer.
(3) Any patch touching a package using this infra are also Cc'ed to
this developer.
Point (3) causes a significant amount of patches to be sent to
developers who have package/pkg-generic.mk and
package/pkg-autotools.mk assigned to them in the DEVELOPERS
file. Basically, all patches touching generic or autotools packages
get CC'ed to such developers, which causes a massive amount of patches
to be received.
So this patch adjusts the getdeveloperlib.py to drop point (3), but
preserves point (1) and (2). Indeed, it makes sense to be Cc'ed on new
package additions (to make a review that they use the package
infrastructure correctly), and it makes sense to be Cc'ed on patches
that touch the infrastructure code itself.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 38b0560f4e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The memtester build system does not use CFLAGS/LDFLAGS variables.
Everything should be written to conf-cc and conf-ld.
Use '%' as sed expression delimiter because comma might appear in
LDFLAGS.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 25e09fdb9e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2021-3177: Python 3.x through 3.9.1 has a buffer overflow in
PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution
in certain Python applications that accept floating-point numbers as
untrusted input, as demonstrated by a 1e300 argument to
c_double.from_param. This occurs because sprintf is used unsafely.
For details, see the advisory:
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5405b29570)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure on sparc64:
/home/giuliobenetti/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc64-buildroot-linux-gnu/9.3.0/../../../../sparc64-buildroot-linux-gnu/bin/ld: /tmp/ccylTux8.o: in function `find_kaslr_offsets':
/home/giuliobenetti/autobuild/run/instance-0/output-1/build/makedumpfile-1.6.8/makedumpfile.c:4017: undefined reference to `get_kaslr_offset'
Even if this build failure is only raised with version 1.6.8,
get_kaslr_offset was also undeclared on sparc64 in version 1.6.7
Fixes:
- http://autobuild.buildroot.org/results/1421f54f7599bba62c0a4bd5c65ce21c8cc7ee1a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 28df31e8dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixed the following security issue:
- CVE-2020-6097: An exploitable denial of service vulnerability exists in
the atftpd daemon functionality of atftp 0.7.git20120829-3.1+b1. A
specially crafted sequence of RRQ-Multicast requests trigger an assert()
call resulting in denial-of-service. An attacker can send a sequence of
malicious packets to trigger this vulnerability.
For more details, see the report:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5b36e91fda)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- wpa_supplicant P2P group information processing vulnerability (no CVE yet)
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners. The actual
parsing of that information validates field lengths appropriately, but
processing of the parsed information misses a length check when storing a
copy of the secondary device types. This can result in writing attacker
controlled data into the peer entry after the area assigned for the
secondary device type. The overflow can result in corrupting pointers
for heap allocations. This can result in an attacker within radio range
of the device running P2P discovery being able to cause unexpected
behavior, including termination of the wpa_supplicant process and
potentially arbitrary code execution.
For more details, see the advisory:
https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: keep _PATCH near _VERSION and _SITE]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 74c854bd51)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When a armv8 target is used in 32bits mode, xenomai fail to detect the
ARM architecture and abord the build. (__ARM_ARCH_7A__ is not defined
for armv8 cpus).
There are no autobuilder failures for this issue since cobalt is never
selected, but the following defconfig:
BR2_arm=y
BR2_cortex_a53=y
BR2_ARM_FPU_NEON_VFPV4=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_XENOMAI=y
BR2_PACKAGE_XENOMAI_COBALT=y
This was initialy reproduced using the raspberrypi3_defconfig with
Xenomai package with cobalt selected.
In order to use Xenomai on raspberrypi3 in 32 bits mode, one has to
select BR2_cortex_a7 instead of BR2_cortex_a53 (see a13a388dd4).
See:
https://gitlab.denx.de/Xenomai/xenomai/-/blob/v3.1/lib/cobalt/arch/arm/include/asm/xenomai/features.h#L52
Signed-off-by: Romain Naour <romain.naour@gmail.com>
[yann.morin.1998@free.fr:
- switch to independent conditional 'default y'
- slightly reword the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6490a11018)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2020-11105: An issue was discovered in USC iLab cereal through
1.3.0. It employs caching of std::shared_ptr values, using the raw
pointer address as a unique identifier. This becomes problematic if an
std::shared_ptr variable goes out of scope and is freed, and a new
std::shared_ptr is allocated at the same address. Serialization fidelity
thereby becomes dependent upon memory layout. In short, serialized
std::shared_ptr variables cannot always be expected to serialize back
into their original values. This can have any number of consequences,
depending on the context within which this manifests.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 26a46564f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump to the latest git commit as this will fix the following CVEs:
git log|grep CVE
sox-fmt: validate comments_bytes before use (CVE-2019-13590) [bug #325]
fix possible null pointer deref in lsx_make_lpf() (CVE-2019-8357)
fft4g: bail if size too large (CVE-2019-8356)
fix possible overflow in lsx_(re)valloc() size calculation (CVE-2019-8355)
fix possible buffer size overflow in lsx_make_lpf() (CVE-2019-8354)
xa: validate channel count (CVE-2017-18189)
aiff: fix crash on empty comment chunk (CVE-2017-15642)
adpcm: fix stack overflow with >4 channels (CVE-2017-15372)
flac: fix crash on corrupt metadata (CVE-2017-15371)
wav: ima_adpcm: fix buffer overflow on corrupt input (CVE-2017-15370)
wav: fix crash writing header when channel count >64k (CVE-2017-11359)
hcom: fix crash on input with corrupt dictionary (CVE-2017-11358)
wav: fix crash if channel count is zero (CVE-2017-11332)
- Tweak configuration options due to
https://sourceforge.net/p/sox/code/ci/6ff0e9322f9891f5a6ac6c9b3bceffbfca16bec3
- libgsm is now an optional dependency since
https://sourceforge.net/p/sox/code/ci/e548827ffcf4dffa7f21709b8e96b04b481c09b8
- Add patch to put back --disable-stack-protector
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6871f9d93)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2020-28473: The package bottle from 0 and before 0.12.19 are vulnerable
to Web Cache Poisoning by using a vector called parameter cloaking. When
the attacker can separate query parameters using a semicolon (;), they can
cause a difference in the interpretation of the request between the proxy
(running with default configuration) and the server. This can result in
malicious requests being cached as completely safe ones, as the proxy would
usually not see the semicolon as a separator, and therefore would not
include it in a cache key of an unkeyed parameter.
In addition, bottle 0.12.18 fixed a compatibility issue with python 3.8+:
https://github.com/bottlepy/bottle/issues/1181
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 14cc349d26)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For instance on risc-v 64 arch the build would otherwise fail because
of undefined ucontext_t because "-DOPENSSL_NO_ASYNC" would not propagate
through to CFLAGS in the Makefile.
Signed-off-by: Yann Sionneau <ysionneau@kalray.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a00b6354a2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit f4a61d1ae2 (package/pkg-meson.mk avoid host ccache detection)
forced the host C and C++ compilers so that meson does not try to
autodetect ccache, and instead relies on what we provide.
However, this incorrectly used single-expansion of variables in a
package infra.
For traditional builds, this is OK, because the value does not change
across packages.
However, for builds with per-package directories, this value only refers
to the generic path, which ill not exist until the end of the build when
all packages are aggregated in the host-finalize step.
Fix that by postponing the variable evaluation like all the others.
Reported-by: Xogium on IRC
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 548b8c5412)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using the headers from the kernel to be built, with the kernel
set to a custom version, and overriding the kernel sources with
LINUX_OVERRIDE_SRCDIR, the linux-headers package is still trying to
download an archive, and fails to validate its hash.
What is going on under the hood is that, with _OVERRIDE_SRCDIR, the
_VERSION of a package is set to 'custom'. Furthermore, the variable
BR_NO_CHECK_HASH_FOR is recursively expanded, so its value is only
evaluated when it is needed.
For linux-headers, we inherit the values from the linux package, and
the LINUX_HEADERS_VERSION takes the value from the configuration.
Thus we end up with the following situation:
LINUX_VERSION=custom
LINUX_HEADERS_VERSION=5.10 # For example
BR_NO_CHECK_HASH_FOR=... linux-custom.tar.gz ...
And thus the archive downloaded by linux-headers will not match any
exclusion, and since there will most probably not be a hash for it,
the download will fail, as was noticed and reported by Jarkko.
But in this case, what we really want is to really use the headers
from the kernel that we build, we do not even want to attempt a
download at all.
So, when using the headers from the kernel to be built, we also
propagate the LINUX_OVERRIDE_SRCDIR to linux-headers, so that we
also use the headers from the overridden sources.
Furthermore, in that configuration, we explicitly disallow
overriding the linux-headers specifically, as it does not make sense
(even though, if they were overridden to the same location, that'd
be OK, but to simplify the condition, we do not even check for that).
Reported-by: Jarkko Sakkinen <jjs@kapsi.fi>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit b9e7adc152)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2020-7746 (https://nvd.nist.gov/vuln/detail/CVE-2020-7746)
The options parameter is not properly sanitized when it is processed.
When the options are processed, the existing options (or the defaults
options) are deeply merged with provided options. However, during this
operation, the keys of the object being set are not checked, leading to
a prototype pollution.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a20a86d7f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
chartjs 2.9.3 has a security vulnerability (CVE-2020-7746) which is not
detected by the CVE scripts, presumably because our version variable starts
with a 'v'.
Move that 'v' prefix out of the version variable to fix that.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0244b11597)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The check for a default route is inverted, causing the script to wait
for the timeout even when a default IPv6 route is available. Fix this up
so that it exits early as expected.
Reported-by: Bhattiprolu RaviKumar <ravikumar.bhattiprolu@gmail.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 09ad6f392f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2021-3281: Potential directory-traversal via archive.extract()
The django.utils.archive.extract() function, used by startapp --template and
startproject --template, allowed directory-traversal via an archive with
absolute paths or relative paths with dot segments.
For details, see the advisory:
https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
Additionally, 3.0.11 fixed a regression:
https://docs.djangoproject.com/en/3.1/releases/3.0.11/
Update indentation in hash file (two spaces).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 28355e20fe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the announcement:
ChangeLog for Privoxy 3.0.31
--------------------------------------------------------------------
- Security/Reliability:
- Prevent an assertion from getting triggered by a crafted CGI request.
Commit 5bba5b89193fa. OVE-20210130-0001.
Reported by: Joshua Rogers (Opera)
- Fixed a memory leak when decompression fails "unexpectedly".
Commit f431d61740cc0. OVE-20210128-0001.
- Bug fixes:
- Fixed detection of insufficient data for decompression.
Previously Privoxy could try to decompress a partly
uninitialized buffer.
https://www.privoxy.org/announce.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3a6fde69e1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When BR2_PACKAGE_XENOMAI_CUSTOM_TARBALL is selected, the xenomai package
declared an empty version, which among others means that the build directory
becomes output/build/xenomai without any version specification, and empty
version information in 'xenomai-show-info'.
Other packages that allow a custom tarball, like 'linux' and
'arm-trusted-firmware', specify 'custom' as version in this case.
Adapt the xenomai package accordingly.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 603bfafa97)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Both S40xorg and S90nodm tries to run an Xserver on vt1, causing the nodm
one to fail. If nodm is enabled, then that is likely what the user wants to
run, so skip installing S40xorg.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 735581122a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2021-3181: rfc822.c in Mutt through 2.0.4 allows remote attackers to
cause a denial of service (mailbox unavailability) by sending email
messages with sequences of semicolon characters in RFC822 address fields
(aka terminators of empty groups). A small email message from the
attacker can cause large memory consumption, and the victim may then be
unable to see email messages from other persons.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c1413cd94c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host build of uboot-tools can occur early in the build process and may
require the creation of BINARIES_DIR before generation of an enabled envimage
and/or boot script binary. So to resolve this in proper way, separated the
build and installation part of uboot env/script in their respective commands.
Signed-off-by: Kalpesh Panchal <kalpesh.panchal@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d8db91fc6f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 4fea71ac78 (package/sudo: security bump to version 1.9.5p2)
removed the patch, but forgot to remove the now unneeded autoreconf. Fix
that.
Reported-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84a8aac451)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Major changes between sudo 1.9.5p2 and 1.9.5p1
* Buildroot: dropped a patch that was included in the release.
* Fixed sudo's setprogname(3) emulation on systems that don't
provide it.
* Fixed a problem with the sudoers log server client where a partial
write to the server could result the sudo process consuming large
amounts of CPU time due to a cycle in the buffer queue. Bug #954.
* Added a missing dependency on libsudo_util in libsudo_eventlog.
Fixes a link error when building sudo statically.
* The user's KRB5CCNAME environment variable is now preserved when
performing PAM authentication. This fixes GSSAPI authentication
when the user has a non-default ccache.
* When invoked as sudoedit, the same set of command line options
are now accepted as for "sudo -e". The -H and -P options are
now rejected for sudoedit and "sudo -e" which matches the sudo
1.7 behavior. This is part of the fix for CVE-2021-3156.
* Fixed a potential buffer overflow when unescaping backslashes
in the command's arguments. Normally, sudo escapes special
characters when running a command via a shell (sudo -s or sudo
-i). However, it was also possible to run sudoedit with the -s
or -i flags in which case no escaping had actually been done,
making a buffer overflow possible. This fixes CVE-2021-3156.
https://www.sudo.ws/stable.html#1.9.5p2
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4fea71ac78)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
opentracing-cpp fails to build if clang-tidy is installed:
...
-- clang-tidy found: /usr/lib/llvm/11/bin/clang-tidy
-- Configuring done
-- Generating done
...
[ 25%] Building CXX object CMakeFiles/opentracing.dir/src/propagation.cpp.o
.../buildroot/output/build/opentracing-cpp-1.5.1/include/opentracing/string_view.h:5:10: error: 'algorithm' file not found [clang-diagnostic-error]
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:3:11: warning: '__llvm_libc' needs to be the outermost namespace [llvmlibc-implementation-in-namespace]
namespace opentracing {
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:11:3: warning: use '= default' to define a trivial default constructor [hicpp-use-equals-default,modernize-use-equals-default]
PropagationErrorCategory() {}
^ ~~
= default;
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:13:15: warning: use a trailing return type for this function [modernize-use-trailing-return-type]
const char* name() const noexcept override {
~~~~~~~~~~~ ^
auto -> const char*
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:13:15: warning: method 'name' can be made static [readability-convert-member-functions-to-static]
const char* name() const noexcept override {
^ ~~~~~~
static
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:17:24: warning: use a trailing return type for this function [modernize-use-trailing-return-type]
std::error_condition default_error_condition(int code) const
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:37:15: warning: use a trailing return type for this function [modernize-use-trailing-return-type]
std::string message(int code) const override {
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp:58:28: warning: use a trailing return type for this function [modernize-use-trailing-return-type]
const std::error_category& propagation_error_category() {
^
226 warnings and 1 error generated.
Error while processing .../buildroot/output/build/opentracing-cpp-1.5.1/src/propagation.cpp.
Suppressed 218 warnings (218 in non-user code).
Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well.
Found compiler error(s).
make[3]: *** [CMakeFiles/opentracing.dir/build.make:83: CMakeFiles/opentracing.dir/src/propagation.cpp.o] Error 1
make[3]: *** Waiting for unfinished jobs....
.../buildroot/output/build/opentracing-cpp-1.5.1/include/opentracing/string_view.h:5:10: error: 'algorithm' file not found [clang-diagnostic-error]
^
.../buildroot/output/build/opentracing-cpp-1.5.1/src/dynamic_load.cpp:4:
Disable the 'ENABLE_LINTING' option to avoid this influence.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit aede6dd7b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop libupnp18 as libupnp has been bumped to 1.14.x and 1.8.x will not
been fixed against CallStranger a.k.a. CVE-2020-12695
mpd and vlc are already compliant with libupnp 1.14.x (i.e those
packages use UpnpInit2 instead of the deprecated UpnpInit)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit eddc9df972)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Move site to Orange-OpenSource
- Drop patch (already in version)
- This version is compatible with libupnp 1.14.x to fix
CallStranger a.k.a. CVE-2020-12695
- Add threadutil license (BSD-3-Clause)
- Update hash in license file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a83073ac31)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CallStranger a.k.a. CVE-2020-12695 as well as CVE-2020-13848
- Update indentation in hash file (two spaces)
- Backport all changes from libupnp18 to libupnp:
- Use COPYING instead of LICENSE (no license change)
- Add host-pkgconf dependency
- Add --enable-reuseaddr
- Add openssl optional dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 118648d161)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-36221: An integer underflow was discovered in OpenLDAP before
2.4.57 leading to slapd crashes in the Certificate Exact Assertion
processing, resulting in denial of service (schema_init.c
serialNumberAndIssuerCheck).
- CVE-2020-36222: A flaw was discovered in OpenLDAP before 2.4.57 leading to
an assertion failure in slapd in the saslAuthzTo validation, resulting in
denial of service.
- CVE-2020-36223: A flaw was discovered in OpenLDAP before 2.4.57 leading to
a slapd crash in the Values Return Filter control handling, resulting in
denial of service (double free and out-of-bounds read).
- CVE-2020-36224: A flaw was discovered in OpenLDAP before 2.4.57 leading to
an invalid pointer free and slapd crash in the saslAuthzTo processing,
resulting in denial of service.
- CVE-2020-36225: A flaw was discovered in OpenLDAP before 2.4.57 leading to
a double free and slapd crash in the saslAuthzTo processing, resulting in
denial of service.
- CVE-2020-36226: A flaw was discovered in OpenLDAP before 2.4.57 leading to
a memch->bv_len miscalculation and slapd crash in the saslAuthzTo
processing, resulting in denial of service.
- CVE-2020-36227: A flaw was discovered in OpenLDAP before 2.4.57 leading to
an infinite loop in slapd with the cancel_extop Cancel operation,
resulting in denial of service.
- CVE-2020-36228: An integer underflow was discovered in OpenLDAP before
2.4.57 leading to a slapd crash in the Certificate List Exact Assertion
processing, resulting in denial of service.
- CVE-2020-36229: A flaw was discovered in ldap_X509dn2bv in OpenLDAP before
2.4.57 leading to a slapd crash in the X.509 DN parsing in ad_keystring,
resulting in denial of service.
- CVE-2020-36230: A flaw was discovered in OpenLDAP before 2.4.57 leading in
an assertion failure in slapd in the X.509 DN parsing in decode.c
ber_next_element, resulting in denial of service.
https://www.openldap.org/software/release/changes.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 46c4c9684d)
[Peter: mark as security bump, add CVE info]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some external packages call pg_config to determine the installed
PostgreSQL options. Add this output to Buildroots own pg_config,
so these packages correctly compile.
Added options:
--pkgincludedir
--pgxs
--cflags
--cc
--pkglibdir
--bindir
--sharedir
--localedir
--docdir
--mandir
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e3ff618bd8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See also commit 4ff6e52392 which describes the
problem in detail.
The same problem now arises again, because syslog-ng renamed the
--enable-snmp-dest option into --enable-afsnmp. See syslog-ng commit
4537938474771673ef5bd4a9cad7c9a7dc20b7c1, first part of 3.27.1.
Update the configure options passed from Buildroot accordingly.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 40f4468e94)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 40bb37bd70 refactored get-developers, and now the 'os' module is
no longer needed, but still imported:
utils/get-developers:6:1: F401 'os' imported but unused
1 F401 'os' imported but unused
Drop it now.
Reported-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9277978e28)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
meson will by default try to detect the presence of ccache, and if
found, will use it unconditionally.
However, using a system-wide ccache, which would be using our own cache
directory, may very well conflict with our own ccache.
But there is no option to disable that meson behaviour. The only
workaround that is even the official documented way to do so, is to
actually pass environment variables that point to the compiler:
https://mesonbuild.com/Feature-autodetection.html#ccache
For the host variants, we pass $(HOST_CONFIGURE_OPTS) in the environment,
and this contains correct settings for CC and CXX, so meson does not try
and detect ccache; it uses exactly what we tell it to use.
For the target variant, the settings for the cross-compiler are defined
in the cross-compilation file, and so meson just abides by our will. But
for the compiler-for-build, there is no way to specify the CC_FOR_BUILD
or CXX_FOR_BUILD via a cross-compilation file:
https://mesonbuild.com/Machine-files.htmlhttps://mesonbuild.com/Cross-compilation.html
We could pass the full TARGET_CONFIGURE_OPTS in the environment, like we
do for the host variant, but this contains a lot more variables that are
supposed to be covered by the cross-compilation file.
So, we stay safe and just provide the exact two variables that meson
will use to avoid detecting ccache.
If the current configuration defines the use of ccache, then these two
variables will be properly setup to use our own ccache.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Gleb Mazovetskiy <glex.spb@gmail.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Norbert Lange <nolange79@gmail.com>
(cherry picked from commit f4a61d1ae2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported on IRC by sephthir, the qemu_sparc_ss10_defconfig doesn't
work as expected: the system generated when booted under Qemu produces
illegal instruction messages.
gcc 8.3, 9.2 are the latest working gcc version. git bisect between
gcc 8.3 and 8.4 allowed to identify the commit that introcuced the
regression.
Reverting this patch allowed to produce a working rootfs.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/786589934
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4d16e6f532)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit dfcc18f84b cmake-package
_INSTALL_STAGING_OPTS/_INSTALL_TARGET_OPTS use 'install/fast'
instead of 'install', adjust documentation accordingly.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0c80a0da9a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fixes CVE-2021-23239, a potential information leak in sudoedit that
could be used to test for the existence of directories not normally
accessible to the user in certain circumstances. When creating a new
file, sudoedit checks to make sure the parent directory of the new
file exists before running the editor. However, a race condition
exists if the invoking user can replace (or create) the parent
directory. If a symbolic link is created in place of the parent
directory, sudoedit will run the editor as long as the target of the
link exists. If the target of the link does not exist, an error
message will be displayed. The race condition can be used to test for
the existence of an arbitrary directory. However, it cannot be used to
write to an arbitrary location.
- Fixes CVE-2021-23240, a flaw in the temporary file handling of
sudoedit's SELinux RBAC support. On systems where SELinux is enabled,
a user with sudoedit permissions may be able to set the owner of an
arbitrary file to the user-ID of the target user. On Linux kernels
that support protected symlinks setting
/proc/sys/fs/protected_symlinks to 1 will prevent the bug from being
exploited. For more information, see Symbolic link attack in
SELinux-enabled sudoedit.
- Update license hash:
- copyright of python bindings added with
https://github.com/sudo-project/sudo/commit/6c1b155fed23348c58a03f6c1193922132b5b66a
- a few other files (ISC licenced) added with
https://github.com/sudo-project/sudo/commit/d4b2db9078bd54f158261017dcb4d1340398a5fa
- year updated with
https://github.com/sudo-project/sudo/commit/9e111eae57524ca72002ad1db36eb68ccd50b167
- Update indentation in hash file (two spaces)
https://www.sudo.ws/stable.html#1.9.5p1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1b14e99666)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Using absolute paths within getdeveloperlib isn't very sensible, it
makes a lot more sense to handle everything as relative paths from the
top-level Buildroot source directory.
parse_developers() is changed to no longer take the base path as
argument: it is automatically calculated based on the location of
utils/getdeveloperlib.py. Then, the rest of the logic is adjusted to
use relative paths, and prepend them with the base "brpath" when
needed.
This commit allows pkg-stats to report correct developers information
even when executed from an out of tree directory.
Before this patch:
$ ~/buildroot/support/scripts/pkg-stats -p ipmitool --json out.json
$ cat out.json | jq '.packages.ipmitool.developers'
[]
$ cat out.json | jq '.defconfigs.stm32f469_disco'
{
"name": "stm32f469_disco",
"path": "configs/stm32f469_disco_defconfig",
"developers": []
}
After this patch:
$ ~/buildroot/support/scripts/pkg-stats -p ipmitool --json out.json
$ cat out.json | jq '.packages.ipmitool.developers'
[
"Floris Bos <bos@je-eigen-domein.nl>",
"Heiko Thiery <heiko.thiery@gmail.com>"
]
$ cat out.json | jq '.defconfigs.stm32f469_disco'
{
"name": "stm32f469_disco",
"path": "configs/stm32f469_disco_defconfig",
"developers": [
"Christophe Priouzeau <christophe.priouzeau@st.com>"
]
}
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 40bb37bd70)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With Python 3.8, the following deprecation warnings are emitted:
/home/thomas/projets/buildroot/./support/scripts/pkg-stats:418: DeprecationWarning: The explicit passing of coroutine objects to asyncio.wait() is deprecated since Python 3.8, and scheduled for removal in Python 3.11.
/home/thomas/projets/buildroot/./support/scripts/pkg-stats:536: DeprecationWarning: The explicit passing of coroutine objects to asyncio.wait() is deprecated since Python 3.8, and scheduled for removal in Python 3.11.
The correct way to pass coroutines is to use asyncio.create_task(),
but this is rather new method (Python 3.7), and using it breaks
compatibility with older Python versions. As suggested at
https://docs.python.org/3/library/asyncio-task.html#asyncio.create_task,
use the more cryptic, but also more compatible asyncio.ensure_future()
method.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ffb2620405)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The cve module needs ijson, which may not be installed. Since cve
matching is only enabled when --nvd-path is passed, it is a bit silly
to error out about ijson being missing if it's not used.
So instead of unconditionally importing the cve module, only do it
conditionally.
However, instead of doing it right at the point where it is used, we
do it at the beginning of the main() function. Indeed, if the cve
module is needed but cannot be imported, we want to error out
immediately rather than doing a whole bunch of things, and failing on
the user later on in the middle of the pkg-stats execution.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 824032d168)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Until now the bootlin-x86-64-glibc was using a Bootlin toolchain as a
custom external toolchain. However, now that we have the
toolchain-external-bootlin package explicitly supporting Bootlin
toolchains as known toolchain profiles, it makes sense to use
that. Indeed, this will ensure that this autobuilder configuration
will use the latest available version of the Buildroot toolchain for
x86-64 glibc.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 01533244a5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When a package has both a target and a host variant, and uses git
submodules, and the host variant is downloaded before the target one, we
end up with the generated archive missing the submodules.
This happens in exactly one package in our tree: c-capnproto.
This issue was not caught before because after a few days, the full
sources are added to sources.buildroot.net. So when the hash check
fails, the full tarball is simply downloaded from there.
Propagate the git submodule setting from the target variant to the host
variant, unless the host variant explicitly opted-out.
Fixes:
http://autobuild.buildroot.org/results/2de9c6c8ce83569d18cc7140ebc60d6fe1aadcbf/
Reported-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 4d03923b6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes build error
output/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-amd-linux-gnu/4.9.1/../../../../aarch64-amd-linux-gnu/bin/ld:
cannot find -latomic
using this defconfig
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_AARCH64=y
BR2_PACKAGE_OPENSSL=y
libopenssl is only used here as an example: all packages adding -latomic
if BR2_TOOLCHAIN_HAS_LIBATOMIC=y are broken, like dav1d, ffmpeg, gnutls,
kodi and vlc.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a530fd4a42)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The LLVM project has switched to using a monorepo to host all their
components. The separate, individual repositories have been closed
late 2020 / early 2021. The libclc repository is no longer.
Switch to using the libclc source from the llvm legacy and frozen
mirror.
Even though we could switch over to using the github helper, we just
keep using the git download method: it is a small repository, and it
will not impact people that were already using it.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Valentin Korenblit <valentinkorenblit@gmail.com>
Cc: Michael Opdenacker <michael.opdenacker@bootlin.com>
Acked-by: Romain Naour <romain.naour@gmail.com>
(cherry picked from commit 971d1ea7ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The following commits:
- 7868289fd5 package/zic: bump version to 2020f
- c99374ecbb package/tzdata: bump version to 2020f
bumped the tzdata from version 2020a to 2020f. However, in 2020b, the
zic option '-y' was removed, and so was the yearistype.sh script [0].
This now spews annoying warnings:
warning: -y ignored
Fortunately, it still consumes its argument, so the missing yearistype.sh
is simply ignored.
Drop that option.
[0] https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
(cherry picked from commit 7f78eef767)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As stated in README.md, multipath-tools is covered by several licenses
and LGPL-2.0 is "just" the default license:
- GPL-2.0+ (e.g. libmultipath/alias.c)
- GPL-3.0+ (e.g. libdmmp/libdmmp.c)
- LGPL-2.1+ (e.g. libmpathcmd/mpath_cmd.c)
So replace COPYING (which is a symlink to LICENSES/LGPL-2.0) by the
approriate license files in LICENSES directory
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: further split long lines]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fc7b7f73c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Set the new WARNFLAGS to "" which has been added since version 0.8.5 and
https://github.com/opensvc/multipath-tools/commit/82f1b164cb21c9632b3c73f865d97777c7a61e0d
Otherwise, -Werror will raise the following build failure:
/srv/storage/autobuild/run/instance-3/output-1/host/bin/mipsel-linux-gcc --std=gnu99 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -D_FORTIFY_SOURCE=1 -Werror -Wall -Wextra -Wformat=2 -Werror=implicit-int -Werror=implicit-function-declaration -Werror=format-security -Wno-clobbered -Wno-error=clobbered -Werror=cast-qual -Werror=discarded-qualifiers -pipe -DBIN_DIR=\"/sbin\" -DLIB_STRING=\"lib\" -DRUN_DIR=\"run\" -MMD -MP -fPIC -I.. -I../../libmultipath/nvme -Wp,-D_FORTIFY_SOURCE=2 -c -o nvme.o nvme.c
<command-line>: error: "_FORTIFY_SOURCE" redefined [-Werror]
Fixes:
- http://autobuild.buildroot.org/results/71f7661e7d26ca8608e902eee9f2a92376b00601
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fe4b4e9dc3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions
are vulnerable to a use-after-free bug in its TLS implementation. When
writing to a TLS enabled socket, node::StreamBase::Write calls
node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first
argument. If the DoWrite method does not return an error, this object is
passed back to the caller as part of a StreamWriteResult structure. This
may be exploited to corrupt memory leading to a Denial of Service or
potentially other exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of
Node.js allow two copies of a header field in a http request. For
example, two Transfer-Encoding header fields. In this case Node.js
identifies the first header field and ignores the second. This can lead
to HTTP Request Smuggling
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
Update the license hash for the addition of the (MIT licensed)
cjs-module-lexer module:
https://github.com/nodejs/node/commit/9eb1fa19248949dfc716807b1dc97dedf36da14e
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ecc8f0fe84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2020-35512: On Unix, avoid a use-after-free if two usernames have the
same numeric uid. In older versions this could lead to a crash (denial of
service) or other undefined behaviour, possibly including incorrect
authorization decisions if <policy group=...> is used. Like Unix
filesystems, D-Bus' model of identity cannot distinguish between users of
different names with the same numeric uid, so this configuration is not
advisable on systems where D-Bus will be used.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c80989aa9d)
[Peter: mention security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit d82da39d55 forgot to move
BR2_PACKAGE_CA_CERTIFICATES condition under BR2_PACKAGE_LIBTASN1 to
avoid the following build failure:
checking if trust module is enabled... configure: WARNING: --with-libtasn1 is needed in order to build the trust module, disabling
no
checking for trust module paths... configure: error: need --enable-trust-module in order to specify trust module paths.
Fixes:
- http://autobuild.buildroot.org/results/e7f68205e1b776f9af34e6017f6eb17f46aa2f19
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0ad12b3a6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2020-27618: An infinite loop has been fixed in the iconv program when
invoked with input containing redundant shift sequences in the IBM1364,
IBM1371, IBM1388, IBM1390, or IBM1399 character sets.
CVE-2020-29562: An assertion failure has been fixed in the iconv function
when invoked with UCS4 input containing an invalid character.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
linux-*/arch/arm/boot/dts/imx6ul.dtsi
requires the install of the sdma-imx6q.bin as stated in
line 727: fsl,sdma-ram-script-name = "imx/sdma/sdma-imx6q.bin";
without the BR2_PACKAGE_FIRMWARE_IMX_SDMA_FW_NAME being set to "imx6q"
line 102 of firmware-imx.mk does not install the firmware to to target
Signed-off-by: Rob Mellor <Rob.Mellor@ultra-pals.com>
Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 8e00c32b14)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since its introduction in Buildroot in 2013 with commit 07203d78c2
(trace-cmd: new package), trace-cmd has declared installing in staging.
But trace-cmd is a generic-package, and has never, ever provided any
commands for staging installation.
Drop this declaration.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 896b93310a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
rpcbind is only used by nfsd to export nfs share supporting older
v2, v3 protocols.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998@free.fr:
- move the select to the corresponding symbol
- tweak the commit title
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 95fdf09731)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://www.python.org/downloads/release/python-391/
Changelog:
https://docs.python.org/release/3.9.1/whatsnew/changelog.html
Fixes the following security issues:
- bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when
processing malformed Apple Property List files in binary format.
- bpo-42051: The plistlib module no longer accepts entity declarations in
XML plist files to avoid XML vulnerabilities. This should not affect
users as entity declarations are not used in regular plist files.
- bpo-40791: Add volatile to the accumulator variable in
hmac.compare_digest, making constant-time-defeating optimizations less
likely.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cde875bf8b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add -p argument that ignore that specified directory already exists.
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr:
- split to its own patch
- rewrite commit title
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9c5ef6018e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add -p argument that ignore that specified directory already exists.
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr:
- split to its own patch
- rewrite commit title
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d2d629ecd8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr:
- use $(INSTALL), not "mkdir -p + cp"
- split to its own patch
- rewrite commit title
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 25bd8ba690)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
An 'else' or 'elif' clause inside a make conditional should not be indented
in the same way as the if/endif clause. check-package did not recognize the
else statement and expected an indentation.
For example:
ifdef FOOBAR
interesting
else
more interesting
endif
would, according to check-package, need to become:
ifdef FOOBAR
interesting
else
more interesting
endif
Treat 'else' and 'elif' the same as if-like keywords in the Indent test, but
take into account that 'else' is also valid shell, so we need to correctly
handle line continuation to prevent complaining about the 'else' in:
ifdef FOOBAR
if true; \
... \
else \
... \
fi
endif
We don't add the 'else' and 'elif' statements to start_conditional, because
it would cause incorrect nesting counting in class OverriddenVariable.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a1bb132a81)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 7105e65cd6 ("package/openvpn:
adds target install of systemd unit files") added the installation of
systemd unit files. But in fact, they can be installed by openvpn's
build system. It was simply not working due to the custom install step
implemented in openvpn.mk.
So instead, let's have the autotools-package infra call "make
install", which properly installs everything that's needed for
openvpn, including systemd units, but also plugins, etc.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 30bc58d376)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dependency on threads comes from libllcp itself not from libusb (which
is not even selected)
While at it, also add a comment about this dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b9dc970909)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In barebox v2020.09.0, kconfig has been updated to a newer version
based on Linux 5.9-rc2. As in linux, kconfig can call the compiler
to test its capabilities.
We have no way to know if a custom version would require it or not,
so we just unconditionally depend on the toolchain
Signed-off-by: Jules Maselbas <jmaselbas@kalray.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1c1a629d81)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The upstream git tree has disappeared, but a ZIP file is still hosted
somewhere at NXP. The content of that zip file has been verified to be
100% identical to the tarball we hosted on s.b.o.
As this is a zip file, we can't use the generic extract commands, and
must come up with our own. As such, it no longer makes sense to fix the
CRLF as a post-extract hook; this is moved to the extract command.
Add a hash file while at it.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bd560b6da5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the folloing build failure with protobuf (enabled since commit
31c68a449e) and gcc 5.3.0:
[ 53%] Building CXX object modules/dnn/CMakeFiles/opencv_dnn.dir/opencv-caffe.pb.cc.o
In file included from /home/peko/autobuild/instance-1/output-1/per-package/opencv3/host/opt/ext-toolchain/mips64el-buildroot-linux-uclibc/include/c++/5.5.0/atomic:38:0,
from /home/peko/autobuild/instance-1/output-1/per-package/opencv3/host/mips64el-buildroot-linux-uclibc/sysroot/usr/include/google/protobuf/io/coded_stream.h:115,
from /home/peko/autobuild/instance-1/output-1/build/opencv3-3.4.12/buildroot-build/modules/dnn/opencv-caffe.pb.h:23,
from /home/peko/autobuild/instance-1/output-1/build/opencv3-3.4.12/buildroot-build/modules/dnn/opencv-caffe.pb.cc:4:
/home/peko/autobuild/instance-1/output-1/per-package/opencv3/host/opt/ext-toolchain/mips64el-buildroot-linux-uclibc/include/c++/5.5.0/bits/c++0x_warning.h:32:2: error: #error This file requires compiler and library support for the ISO C++ 2011 standard. This support must be enabled with the -std=c++11 or -std=gnu++11 compiler options.
#error This file requires compiler and library support \
^
Fixes:
- http://autobuild.buildroot.org/results/7caf175af039054a032b8f63b458b3940d9ec0f3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bf96f4e8d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
OpenCV-3's buildsystem will try to detect ccache and use it if
available. This may yield a system-installed ccache.
However, in Buildroot, ccache is entirely hidden away and handled in the
toolchain wrapper.
Forcibly disable detection of ccache.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 505e7f4771)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In buildroot, stripping for the target is configured and implemented
with the global `BR2_STRIP_strip` option that drive the stripping in
the target-finalize step.
So, we explicitly disable stripping at build time for the target
variants.
For the host variants, however, we don't much care about symbols and
stuff, but smaller executables will hopefully load faster than bigger
ones (disputable, given that sections in ELF files are paged-in
on-demand), so we explictly enable stripping.
Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
[yann.morin.1998@free.fr:
- add burb about the target-finalize step
- enable stripping for host variants
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3f39f902b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2020-25692: A NULL pointer dereference was found in OpenLDAP server
and was fixed in openldap 2.4.55, during a request for renaming RDNs. An
unauthenticated attacker could remotely crash the slapd process by sending
a specially crafted request, causing a Denial of Service.
- CVE-2020-25709: Assertion failure in CSN normalization with invalid input
- CVE-2020-25710: Assertion failure in CSN normalization with invalid input
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: add CVE info]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 09a565d940)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Includes security fixes up to XSA-359:
XSA-345: x86: Race condition in Xen mapping code
XSA-346: undue deferral of IOMMU TLB flushes
XSA-347: unsafe AMD IOMMU page table updates
XSA-348: undue recursion in x86 HVM context switch code (CVE-2020-29566)
XSA-351: Information leak via power sidechannel (CVE-2020-28368)
XSA-352: oxenstored: node ownership can be changed by unprivileged clients
(CVE-2020-29486)
XSA-353: oxenstored: permissions not checked on root node (CVE-2020-29479)
XSA-355: stack corruption from XSA-346 change
XSA-356: infinite loop when cleaning up IRQ vectors (CVE-2020-29567)
XSA-358: FIFO event channels control block related ordering (CVE-2020-29570)
XSA-359: FIFO event channels control structure ordering (CVE-2020-29571)
And drop now upstreamed security patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c9d27610ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a host of
their choice could trigger a Denial of Service by getting the application
to resolve a DNS record with a larger number of responses.
https://nodejs.org/en/blog/release/v12.19.1/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f359580796)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This will avoid the following build failure with xtensa:
[ 62%] Linking CXX executable ../../guids_test
[ 62%] Building CXX object retrace/CMakeFiles/retrace_common.dir/retrace.cpp.o
CMakeFiles/guids_test.dir/guids_test.cpp.o:(.debug_line+0xf7b): dangerous relocation: overflow after relaxation
collect2: error: ld returned 1 exit status
lib/guids/CMakeFiles/guids_test.dir/build.make:85: recipe for target 'guids_test' failed
Fixes:
- http://autobuild.buildroot.org/results/8fea93a88bb34e98e391a048c3b996b45ebac803
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0d209dce35)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In a Linux system without IPv6 support (or booted with "ipv6.disable=1")
file /proc/net/snmp6 is not present. If such file is not present an allocated
memory is not freed. Memory leak occurs even without snmp queries.
Problem seen at least since netsnmp 5.7.3 (probably even v5.6.1).
Patch backported from netsnmp 5.9, where the problem does not appear any more.
Signed-off-by: Adam Wujek <dev_public@wujek.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5e6f6e0745)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that
$ssl_force_tls was processed if an IMAP server's initial server response
was invalid. The connection was not properly closed, and the code could
continue attempting to authenticate. This could result in authentication
credentials being exposed on an unencrypted connection, or to a
machine-in-the-middle.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 89a9f74fa8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BR2_PACKAGE_QT5BASE_OPENSSL was dropped by commit 4be1f9b9873
(package/qt5enginio: drop qt 5.6 support), but python-pyqt5 not updated to
match. Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 54854dc44e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host-ncurses install step attempts to run ldconfig, causing a permission
failure:
cd /buildroot/output/host/lib && (ln -s -f libncurses.so.6.0 libncurses.so.6; ln -s -f libncurses.so.6 libncurses.so; )
test -z "" && /sbin/ldconfig
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
make[3]: [/buildroot/output/host/lib/libncurses.so.6.0] Error 1 (ignored)
The error is non-fatal and ignored, but confusing.
The ncurses makefiles already avoid calling ldconfig when DESTDIR is set
(target case) but for host-ncurses DESTDIR is empty and the output/host path
is passed via --prefix.
Pass an empty ac_cv_path_LDCONFIG to the configure step, so than ldconfig is
not called.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 389f48fe90)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The 'opkg.py' script installed by host-opkg-utils has as shebang:
#!/usr/bin/env python3
which may not be available on all host machines.
Add a potential dependency on host-python3 via BR2_PYTHON3_HOST_DEPENDENCY,
which will only add the host-python3 dependency if no python3 is already
available on the host.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7dcd20f9d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When BR2_PER_PACKAGE_DIRECTORIES=y, $(TARGET_DIR) is evaluated as
$(BASE_DIR)/target, but $$(TARGET_DIR) is evaluated as
$(BASE_DIR)/per-package/$(PKG)_NAME/target.
Signed-off-by: Tian Yuanhao <tianyuanhao@aliyun.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8d595c0d92)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When building for an ARMv8 in 32-bit, Go does not yet support ARMv8
optimizations (see issue: https://github.com/golang/go/issues/29373)
but can still benefit from ARMv7 optimizations.
Signed-off-by: Michael Baudino <michael@baudi.no>
[yann.morin.1998@free.fr:
- move the comment to its own line, expand and reword it a bit
- reword the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c59409afd9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit fixes a typo in variable names that caused CC and CXX
environment variables to be empty.
Signed-off-by: Michael Baudino <michael@baudi.no>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4e81152078)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Starting with CMake 3.4 CMake supports setting a compiler launcher
like ccache. The feature is described in
https://cmake.org/cmake/help/latest/variable/CMAKE_LANG_COMPILER_LAUNCHER.html
This should be safe since everything is built for the host using make or ninja.
The use of *_ARG1 is discouraged by the cmake developers
https://cmake-developers.cmake.narkive.com/OTa9EKfj/cmake-c-compiler-arg-not-documented .
Without this patch I get the following error message with CMake 3.19.1 on Arch Linux.
Disabling BR2_CCACHE also resolves the issue.
/usr/bin/cmake [~]/buildroot/build/host-lzo-2.10/ -DCMAKE_INSTALL_SO_NO_EXE=0 -DCMAKE_FIND_ROOT_PATH="[...]" -DCMAKE_FIND_ROOT_PATH_MODE_PROGRAM="BOTH" -DCMAKE_FIND_ROOT_P
ATH_MODE_LIBRARY="BOTH" -DCMAKE_FIND_ROOT_PATH_MODE_INCLUDE="BOTH" -DCMAKE_INSTALL_PREFIX="[...]" -DCMAKE_C_FLAGS="-O2 -I[...]/include" -DCMAKE_CXX_FLAGS="-O2 -I[...]/include" -DCMAKE_EXE_LINKER_FLAGS="-L[...]/lib -Wl,-rpath,[...]/lib" -DCMAKE_SHARED_LINKER_FLAGS="-L[...]/l
ib -Wl,-rpath,[...]/lib" -DCMAKE_ASM_COMPILER="/usr/bin/as" -DCMAKE_C_COMPILER="[...]/bin/ccache" -DCMAKE_CXX_COMPILER="[...]/bin/ccache"
-DCMAKE_C_COMPILER_ARG1="/usr/bin/gcc" -DCMAKE_CXX_COMPILER_ARG1="/usr/bin/g++" -DCMAKE_COLOR_MAKEFILE=OFF -DBUILD_DOC=OFF -DBUILD_DOCS=OFF -DBUILD_EXAMPLE=OFF -DBUILD_EXAMPLES=OFF -DBUILD_TEST=OFF -DBUILD_TESTS=OFF -DBUILD_TESTING=O
FF -DENABLE_SHARED=ON -DENABLE_STATIC=OFF )
-- The C compiler identification is unknown
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - failed
-- Check for working C compiler: [...]/bin/ccache
-- Check for working C compiler: [...]/bin/ccache - broken
CMake Error at /usr/share/cmake-3.19/Modules/CMakeTestCCompiler.cmake:66 (message):
The C compiler
Signed-off-by: Bernd Amend <bernd.amend@gmail.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0e310b4fd0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.15.6 (released 2020/12/03) includes fixes to the compiler, linker, runtime,
the go command, and the io package.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 267dd8b427)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
TF-A supports stack smashing protection (-fstack-protector-*).
However, that feature is currently silently disabled because
ENABLE_STACK_PROTECTOR is not set during build time.
As documented in the TF-A user guide, the flag ENABLE_STACK_PROTECTOR
is required to enable stack protection support. When enabled the symbols
for the stack protector (e.g. __stack_chk_guard) are built.
This needs to be done because TF-A does not link against an external
library that provides that symbols (e.g. libc).
So in case we see that BR2_SSP_* is enabled, let's enable the corresponding
ENABLE_STACK_PROTECTOR build flag for TF-A as documented in the TF-A user guide.
This patch also fixes a the following linker errors with older TF-A versions
if BR2_SSP_* is enabled (i.e. -fstack-protector-* is used as compiler flag)
and ENABLE_STACK_PROTECTOR is not set, which are caused by the missing
stack protector symbols:
[...]
params_setup.c:(.text.params_early_setup+0xc): undefined reference to `__stack_chk_guard'
aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x14): undefined reference to `__stack_chk_guard'
aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x104): undefined reference to `__stack_chk_guard'
aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x118): undefined reference to `__stack_chk_fail'
aarch64-none-linux-gnu-ld: ./build/px30/release/bl31/pmu.o: in function `rockchip_soc_sys_pwr_dm_suspend':
pmu.c:(.text.rockchip_soc_sys_pwr_dm_suspend+0xc): undefined reference to `__stack_chk_guard'
[...]
TF-A releases after Nov 2019, that include 7af195e29a4, will circumvent
these issue by explicitliy and silently disabling the stack protector
by appending '-fno-stack-protector' to the compiler flags in case
ENABLE_STACK_PROTECTOR is not set.
Tested on a Rockchip PX30 based system (TF-A v2.2 and upstream/master).
Signed-off-by: Christoph Müllner <christoph.muellner@theobroma-systems.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7b3fcbcdaa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch '0001-fix-compile-time-atomic-detection.patch' claims to be Merged but
this is not true. The linked issue is closed with 'Needs information', and
the code itself is effectively not merged.
Clarify the 'Upstream-status' line to make this more clear.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 43021dfb77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
* 4.6.2: A vulnerability (CVE-2020-27783) was discovered in the HTML Cleaner
by Yaniv Nizry, which allowed JavaScript to pass through. The cleaner now
removes more sneaky "style" content.
* 4.6.1: A vulnerability was discovered in the HTML Cleaner by Yaniv Nizry,
which allowed JavaScript to pass through. The cleaner now removes more
sneaky "style" content.
For more details, see the changes file:
https://github.com/lxml/lxml/blob/lxml-4.6.2/CHANGES.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ea41a5faab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2020-27207: Zetetic SQLCipher 4.x before 4.4.1 has a
use-after-free, related to sqlcipher_codec_pragma and sqlite3Strlen30 in
sqlite3.c. A remote denial of service attack can be performed. For
example, a SQL injection can be used to execute the crafted SQL command
sequence. After that, some unexpected RAM data is read.
https://www.zetetic.net/blog/2020/11/25/sqlcipher-442-release
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f38893f8dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old git tree is unreachable now, switch to using the new one.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c7bd3805bd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Weston does not work with the ti-sgx SDK, so switch to using the
KMS-based demos.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[yann.morin.1998@free.fr: split off into its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 29ff603f08)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
weston does not work on the ti-sgx SDK, so switch to using KMS directly,
and drop the wayland-related config options.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[yann.morin.1998@free.fr: split into its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8efc5dce98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
scan.c in x11vnc 0.9.16 uses IPC_CREAT|0777 in shmget calls, which
allows access by actors other than the current user.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b6a105af8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-25412: com_line() in command.c in gnuplot 5.4 leads to an
out-of-bounds-write from strncpy() that may lead to arbitrary code
execution.
- Drop second patch (already in version)
- Update indentation in hash file (two spaces)
http://gnuplot.info/ReleaseNotes_5_4_1.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2020-15257: Access controls for the shim’s API socket verified that
the connecting process had an effective UID of 0, but did not otherwise
restrict access to the abstract Unix domain socket. This would allow
malicious containers running in the same network namespace as the shim,
with an effective UID of 0 but otherwise reduced privileges, to cause new
processes to be run with elevated privileges.
For more details, see the advisory:
https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libcap builds an incorrect libcap.pc because libdir is pulled from the
host os:
ifndef lib
lib=$(shell ldd /usr/bin/ld|egrep "ld-linux|ld.so"|cut -d/ -f2)
endif
Fix this error by passing lib=lib and prefix in
{HOST_LIBCAP,LIBCAP}_BUILD_CMDS
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=13276
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
* CVE-2020-14360 / ZDI CAN 11572 XkbSetMap Out-Of-Bounds Access
Insufficient checks on the lengths of the XkbSetMap request can lead to
out of bounds memory accesses in the X server.
* CVE-2020-25712 / ZDI-CAN-11839 XkbSetDeviceInfo Heap-based Buffer Overflow
Insufficient checks on input of the XkbSetDeviceInfo request can lead to a
buffer overflow on the head in the X server.
For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/12/01/3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
- Security/Reliability:
- Fixed memory leaks when a response is buffered and the buffer
limit is reached or Privoxy is running out of memory.
Commits bbd53f1010b and 4490d451f9b. OVE-20201118-0001.
Sponsored by: Robert Klemme
- Fixed a memory leak in the show-status CGI handler when
no action files are configured. Commit c62254a686.
OVE-20201118-0002.
Sponsored by: Robert Klemme
- Fixed a memory leak in the show-status CGI handler when
no filter files are configured. Commit 1b1370f7a8a.
OVE-20201118-0003.
Sponsored by: Robert Klemme
- Fixes a memory leak when client tags are active.
Commit 245e1cf32. OVE-20201118-0004.
Sponsored by: Robert Klemme
- Fixed a memory leak if multiple filters are executed
and the last one is skipped due to a pcre error.
Commit 5cfb7bc8fe. OVE-20201118-0005.
- Prevent an unlikely dereference of a NULL-pointer that
could result in a crash if accept-intercepted-requests
was enabled, Privoxy failed to get the request destination
from the Host header and a memory allocation failed.
Commit 7530132349. CID 267165. OVE-20201118-0006.
- Fixed memory leaks in the client-tags CGI handler when
client tags are configured and memory allocations fail.
Commit cf5640eb2a. CID 267168. OVE-20201118-0007.
- Fixed memory leaks in the show-status CGI handler when memory
allocations fail. Commit 064eac5fd0 and commit fdee85c0bf3.
CID 305233. OVE-20201118-0008.
For more details, see the announcement:
https://www.openwall.com/lists/oss-security/2020/11/29/1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-15180: during SST a joiner sends an sst method name to the donor.
Donor then appends it to the "wsrep_sst_" string to get the name of the
sst script to use, e.g. wsrep_sst_rsync. There is no validation or
filtering here, so if the malicious joiner sends, for example, "rsync `rm
-rf /`" the donor will execute that too.
- CVE-2020-14812: Vulnerability in the MySQL Server product of Oracle MySQL
(component: Server: Locking). Supported versions that are affected are
5.6.49 and prior, 5.7.31 and prior and 8.0.21 and prior. Easily
exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause
a hang or frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2020-14765: Vulnerability in the MySQL Server product of Oracle MySQL
(component: Server: FTS). Supported versions that are affected are 5.6.49
and prior, 5.7.31 and prior and 8.0.21 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
- CVE-2020-14776: Vulnerability in the MySQL Server product of Oracle MySQL
(component: InnoDB). Supported versions that are affected are 5.7.31 and
prior and 8.0.21 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
- CVE-2020-14789: Vulnerability in the MySQL Server product of Oracle MySQL
(component: Server: FTS). Supported versions that are affected are 5.7.31
and prior and 8.0.21 and prior. Easily exploitable vulnerability allows
high privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.
- CVE-2020-28912:
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bui.pdf
describes a named pipe privilege vulnerability, specifically for MySQL,
where an unprivileged user, located on the same machine as the server, can
act as man-in-the-middle between server and client.
Additionally, 10.3.27 fixes a regression added in 10.3.26.
Drop weak md5/sha1 checksums.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
1.3.6e
---------
+ Fixed null pointer deference in mod_sftp when using SCP incorrectly
(Issue #1043).
1.3.6d
---------
+ Fixed issue with FTPS uploads of large files using TLSv1.3 (Issue #959).
1.3.6c
---------
+ Fixed regression in directory listing latency (Issue #863).
+ Detect OpenSSH-specific formatted SFTPHostKeys, and log hint for
converting them to supported format.
+ Fixed use-after-free vulnerability during data transfers (Issue #903)
[CVE-2020-9273]
+ Fixed out-of-bounds read in mod_cap by updating the bundled libcap
(Issue #902) [CVE-2020-9272]
http://proftpd.org/docs/RELEASE_NOTES-1.3.6e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: mark as security bump, add CVEs]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
routines, ensure that pkt_len is large enough to accommodate the
respective protocol headers, lest it should do an OOB access.
Add check to avoid it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#13341
The -x / --exec start-stop-daemon option expects the path to the executable,
not just the name, leading to errors when running the init script:
Starting vsftpd: start-stop-daemon: unable to stat //vsftpd (No such file or directory)
Reported-by: tochansky@tochlab.net
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream patch [1] to fix (musl) time_t related compile failure.
Fixes:
- https://bugs.busybox.net/show_bug.cgi?id=13336
src/thd_trip_point.cpp: In member function ‘bool cthd_trip_point::thd_trip_point_check(int, unsigned int, int, bool*)’:
src/thd_trip_point.cpp:250:19: error: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Werror=format=]
250 | thd_log_info("Too early to act zone:%d index %d tm %ld\n",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
251 | zone_id, cdev->thd_cdev_get_index(),
252 | tm - cdevs[i].last_op_time);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| time_t {aka long long int}
src/thermald.h:82:57: note: in definition of macro ‘thd_log_info’
82 | #define thd_log_info(...) g_log(NULL, G_LOG_LEVEL_INFO, __VA_ARGS__)
| ^~~~~~~~~~~
src/thd_trip_point.cpp:250:59: note: format string is defined here
250 | thd_log_info("Too early to act zone:%d index %d tm %ld\n",
| ~~^
| |
| long int
| %lld
[1] https://github.com/intel/thermal_daemon/commit/a7136682b9e6ebdb53c3c8b472bcd5039d62dc78.patch
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop dependency on BR2_ENABLE_LOCALE, which was marked as a dependency
of wlroots, but wlroots does not depend on it anymore.
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop dependency on BR2_ENABLE_LOCALE, which was marked as a dependency of
libinput which is selected by wlroots. However, libinput does not depend on
BR2_ENABLE_LOCALE since commit bef6b92b67 (package/libinput: remove
dependency on BR2_ENABLE_LOCALE).
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
xinetd does not enforce the user and group configuration directives for
TCPMUX services, which causes these services to be run as root and makes it
easier for remote attackers to gain privileges by leveraging another
vulnerability in a service.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Without hashlib module pip returns the following errors:
# pip
ValueError: unsupported hash type sha224
ERROR:root:code for hash sha256 was not found.
Traceback (most recent call last):
File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha256
ERROR:root:code for hash sha384 was not found.
Traceback (most recent call last):
File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha384
ERROR:root:code for hash sha512 was not found.
Traceback (most recent call last):
File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha512
Traceback (most recent call last):
File "/usr/bin/pip", line 11, in <module>
load_entry_point('pip==20.0.2', 'console_scripts', 'pip')()
File "/usr/lib/python2.7/site-packages/pip/_internal/cli/main.py", line 73, in main
File "/usr/lib/python2.7/site-packages/pip/_internal/commands/__init__.py", line 96, in create_command
File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
File "/usr/lib/python2.7/site-packages/pip/_internal/commands/install.py", line 24, in <module>
File "/usr/lib/python2.7/site-packages/pip/_internal/cli/req_command.py", line 15, in <module>
File "/usr/lib/python2.7/site-packages/pip/_internal/index/package_finder.py", line 21, in <module>
File "/usr/lib/python2.7/site-packages/pip/_internal/index/collector.py", line 12, in <module>
File "/usr/lib/python2.7/site-packages/pip/_vendor/requests/__init__.py", line 43, in <module>
File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/__init__.py", line 7, in <module>
File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connectionpool.py", line 29, in <module>
File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connection.py", line 40, in <module>
File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/__init__.py", line 7, in <module>
File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/ssl_.py", line 8, in <module>
ImportError: cannot import name md5
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-28196: MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before
1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message
because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite
lengths lacks a recursion limit.
Also fix .hash file indentation.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF
Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the
XML writer, leading to heap-based buffer overflows (sometimes seen in
raptor_qname_format_as_xml).
For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2020/11/13/1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libmagic is an optional dependency of gensoimage that can raise the
following build failure:
/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: /home/buildroot/autobuild/instance-0/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libmagic.a(compress.o): in function `uncompressbuf':
compress.c:(.text+0x7bc): undefined reference to `lzma_auto_decoder'
/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: compress.c:(.text+0x828): undefined reference to `lzma_code'
/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: compress.c:(.text+0x848): undefined reference to `lzma_end'
collect2: error: ld returned 1 exit status
genisoimage/CMakeFiles/genisoimage.dir/build.make:628: recipe for target 'genisoimage/genisoimage' failed
Fixes:
- http://autobuild.buildroot.org/results/7e06edc363817c9c9a1687ec89e9984a90a2012d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The wcsnrtombs function has been found to have multiple bugs in handling of
destination buffer size when limiting the input character count, which can
lead to infinite loop with no forward progress (no overflow) or writing past
the end of the destination buffer.
For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/11/20/4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a minor release which solved a build issues and fixes a number
of rendering issues. Release notes:
https://wpewebkit.org/release/wpewebkit-2.30.3.html
Patch "0002-WebProcess-InjectedBundle-fix-compile-without-video-.patch"
can be removed because a similar fix is included in this release.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2020-25032: An issue was discovered in Flask-CORS (aka CORS Middleware
for Flask) before 3.0.9. It allows ../ directory traversal to access
private resources because resource matching does not ensure that pathnames
are in a canonical format.
Also drop outdated md5 checksum and fix .hash indentation.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 4266c9f54f (package/gvfs: needs dynamic library) updated the
dependency of gvfs, but inverted the comment dependency, causing it to only
be shown if !static - Fix that.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Reviewed-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Replace ENABLE_DPKD by ENABLE_DPDK to fix the following error:
Manually-specified variables were not used by the project:
BUILD_DOC
BUILD_DOCS
BUILD_EXAMPLE
BUILD_EXAMPLES
BUILD_TEST
BUILD_TESTING
BUILD_TESTS
ENABLE_DPKD
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
pkg-stats is not able anymore to set the developers for defconfigs and
packages. This issue is introduced with
ae86067a15. The hasfile() method from
Developer object tries to check an absolute path against a relative path.
Convert the filepath to be checked also into an absolute path.
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- avoid read-heap-buffer-overflow in ares_parse_soa_reply found during
fuzzing
- Avoid theoretical buffer overflow in RC4 loop comparison
- Empty hquery->name could lead to invalid memory access
- ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was
passed in
https://c-ares.haxx.se/changelog.html#1_17_0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using a custom git or mercurial repository for u-boot the error message
indicating a version had not been provided incorrectly stated that the URL was
missing. Update the error message to indicate that it's the version that's
missing.
Signed-off-by: Garret Kelly <garret.kelly@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This will avoid the following build failure with qemu 5.0.0 and above:
/srv/storage/autobuild/run/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/8.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: /srv/storage/autobuild/run/instance-2/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/lib/../lib64/libnuma.a(libnuma.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a PIE object; recompile with -fPIC
Fixes:
- http://autobuild.buildroot.org/results/616dff216a215dc0494c846d337e03e0795b2fb2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
--disable-bzip2 is not a recognized option so replace it by
--disable-libbz2 to match the target logic.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We change Trent's e-mail address in commit
1c20802d4b, but it turns out the new one
also doesn't work:
<trent.piepho@synapse.com>: host
synapse-com.mail.protection.outlook.com[104.47.57.138] said: 550 5.4.1
Recipient address rejected: Access denied. AS(201806281)
[DM6NAM11FT063.eop-nam11.prod.protection.outlook.com] (in reply to RCPT TO
command)
So let's drop Trent entirely, which orphans the libp11 package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Attempting to compile this package with newer Kernel version (e.g. v5.4)
fails with message:
Generating local configuration database from kernel ...Kernel version parse failed!
Upgrading the package to 5.8 fixes this issue. Anyways, v4.4 is now
rather old and beat the very purpose of having newer drivers in older
kernels.
Since backports tag v4.14-rc4-1, the requirement on minimal kernel
version changed from 3.0 to 3.10. See commit [1]. The minimal kernel
version check is changed accordingly.
License files are also updated: the linux backports package copies the
license files from the kernel version used for its generation. v5.8 is
now "GPL-2.0 WITH Linux-syscall-note". However, there is no such SPDX
identifier (contrary to what is said in the COPYING file), so we keep it
as GPL-2.0 (which also keeps it aligned to what we have in linux.mk).
[1] https://git.kernel.org/pub/scm/linux/kernel/git/backports/backports.git/commit/?id=a0d05f9f9ca50ea8b1d60726fac6b54167257e76
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
[yann.morin.1998@free.fr: keep license as GPL-2.0, like for linux]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since there is not necessary to have support of systemd within the host
variant let's disable it unconditionally to solve the following errors:
/usr/bin/install -c -m 644 data/rauc.service '/usr/lib/systemd/system'
/usr/bin/install: cannot create regular file '/usr/lib/systemd/system/rauc.service': Permission denied
/usr/bin/install -c -m 644 data/de.pengutronix.rauc.conf 'no'
make[4]: *** [Makefile:1700: install-nodist_systemdunitDATA] Error 1
make[4]: *** Waiting for unfinished jobs....
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While testing Buildroot on a Cortex-A5 that doesn't provide NEON, we
found out that a system generated with the ARM toolchain from Arm
didn't boot. It turns out that this ARM toolchain is built with:
--with-arch=armv7-a --with-fpu=neon --with-float=hard --with-mode=thumb
So, it uses NEON as its FPU, which means it can only work on CPU cores
that have NEON support. This commit adds the appropriate dependency to
the toolchain-external-arm-arm package, and adjusts the Config.in help
text accordingly.
While at it, it also drops the part of the Config.in help text that
says the code is tuned for Cortex-A9, as it is not the case: it was
the case for the Linaro toolchain (built with --with-tune=cortex-a9),
but not for the ARM toolchain, for which no specific --with-tune is
passed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a
large amount of memory.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The commit 05fea6e4a6 "infra/pkg-kconfig:
do not rely on package's .config as a timestamp" broke the kernel
version check of this linux-backports package (it was no longer
executed). Since linux-4.19, the kernel's build system internally
touches its .config file, so it can no longer be used as a stamp file.
The stamp file defined in KCONFIG_STAMP_DOTCONFIG variable of
pkg-kconfig infra need to be used instead.
This commit fixes the kernel version check.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues:
- math/big: panic during recursive division of very large numbers
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted
large inputs. For the panic to happen, the divisor or modulo argument
must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on
64-bit architectures). Multiple math/big.Rat methods are similarly affected.
crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify may
panic when provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams with
unusually large field sizes (several times larger than the largest
supported curve, P-521) are in use. Using crypto/x509.Verify on a crafted
X.509 certificate chain can lead to a panic, even if the certificates
don’t chain to a trusted root. The chain can be delivered via a
crypto/tls connection to a client, or to a server that accepts and
verifies client certificates. net/http clients can be made to crash by an
HTTPS server, while net/http servers that accept client certificates will
recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed
host key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.
Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting
this. Thanks to Rémy Oudompheng and Robert Griesemer for their help
developing and validating the fix.
This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.
- cmd/go: arbitrary code execution at build time through cgo
The go command may execute arbitrary code at build time when cgo is in
use. This may occur when running go get on a malicious package, or any
other command that builds untrusted code.
This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.
Thanks to Imre Rad and to Chris Brown and Tempus Ex respectively for
reporting these issues.
These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
- https://bugs.busybox.net/show_bug.cgi?id=13306
.../wpewebkit-2.30.2/Source/WebKit/WebProcess/InjectedBundle/InjectedBundle.cpp:242:30: error: ‘class WebCore::Settings’ has no member named ‘setGenericCueAPIEnabled’; did you mean ‘setBeaconAPIEnabled’?
page->settings().setGenericCueAPIEnabled(enabled);
^~~~~~~~~~~~~~~~~~~~~~~
setBeaconAPIEnabled
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream backports package does not define the LEX/YACC Makefile
variables, contrary to the Kernel which is defining those in [1]. The
default "lex" and "yacc" are then used. On some systems, "yacc" is
Berkeley Yacc. Kconfig parser files are using non-Posix Bison
constructs.
Attempting to generate the parser with byacc fails with error:
yacc: e - line 97 of "zconf.y", syntax error
%destructor {
^
This patch defines the LEX and YACC Makefile variable to use flex and
bison, to fix this issue. The host-bison and host-flex dependencies are
added only if the host does not have them, following the same logic of
the Kernel.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=73a4f6dbe70a1b93c11e2d1d6ca68f3522daf434
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues:
- AST-2020-001: Remote crash in res_pjsip_session
Upon receiving a new SIP Invite, Asterisk did not return the created
dialog locked or referenced.
- AST-2020-002: Outbound INVITE loop on challenge with different nonce
If Asterisk is challenged on an outbound INVITE and the nonce is changed
in each response, Asterisk will continually send INVITEs in a loop. This
causes Asterisk to consume more and more memory since the transaction will
never terminate (even if the call is hung up), ultimately leading to a
restart or shutdown of Asterisk. Outbound authentication must be
configured on the endpoint for this to occur.
For details, see the announcement:
https://www.asterisk.org/asterisk-news/asterisk-13-37-1-16-14-1-17-8-1-18-0-1-and-16-8-cert5-now-available-security/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Avoid setting executable bits for apparmor.service. This gets rid of a
corresponding warning during installation:
Configuration file ../target/usr/lib/systemd/system/apparmor.service
is marked executable. Please remove executable permission bits.
Proceeding anyway.
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use fbset.c as the license file and, while at it, also update
indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use argp.h as the license file and, while at it, update indentation in
hash file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that pkg-stats is not just a maintainer-oriented tool, but a tool
generally useful to users, introduce a make target to run
pkg-stats. Of course, it is run with the newly introduced -c option,
which produces a pkg-stats output for just the selection of packages
of the currently defined configuration.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that pkg-stats is able to generate its output based on the list of
packages enabled in the current configuration, cve-checker doesn't
serve any purpose.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
pkg-stats was initially a Buildroot maintenance oriented tool: it was
designed to examine all Buildroot packages and provide
statistics/details about them.
However, it turns out that a number of details provided by pkg-stats,
especially CVEs, are relevant also for Buildroot users, who would like
to check regularly if their specific Buildroot configuration is
affected by CVEs or not, and possibly check if all packages have
license information, license files, etc.
The cve-checker script was recently introduced to provide an output
relatively similar to pkg-stats, but focused on CVEs only.
But in fact, its main difference is on the set of packages that we
consider: pkg-stats considers all packages, while cve-checker uses
"make show-info" to only consider packages enabled in the current
configuration.
So, this commit introduces a -c option to pkg-stats, to tell pkg-stats
to generate its output based on the list of configured packages. -c is
mutually exclusive with the -p option (explicit list of packages) and
-n option (a number of packages, picked randomly).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, pkg-stats expects being executed from Buildroot's top-level
source directory. As we are going to extend pkg-stats to cover only
the packages available in the current configuration, it makes sense to
be able to run it from the output directory, which can be anywhere
compared to Buildroot's top-level directory.
This commit adjusts pkg-stats to this, by inferring all Buildroot
paths based on the location of the pkg-stats script itself.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
"loader_dr3_helper.c uses xcb_xfixes_create_region() that requires dep_xcb_xfixes to link.
This is dependent on with_platform_x11 and with_dri3.
But the source meson file does not set this up dependent on with_dri3."
i686-buildroot-linux-gnu/bin/ld: src/loader/libloader_dri3_helper.a(loader_dri3_helper.c.o): in function `loader_dri3_swap_buffers_msc':
loader_dri3_helper.c:(.text.loader_dri3_swap_buffers_msc+0x33e): undefined reference to `xcb_xfixes_create_region'
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/830981830
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
WPE WebKit 2.30.0 added an USE_SYSTEMD buil option, which needs to
be set to avoid CMake from trying to use systemd unconditionally.
Based on a similar patch for package/webkitgtk by Peter Seiderer.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix a typo in service location, the right location is indeed /usr/sbin.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- systemd support/USE_SYSTEMD option was added since 2.30.0,
so add an optional dependency
Fixes:
-- Could NOT find Systemd (missing: Systemd_LIBRARY Systemd_INCLUDE_DIR)
CMake Error at Source/cmake/OptionsGTK.cmake:425 (message):
libsystemd is needed for USE_SYSTEMD
Reported-by: C Larbi <pkl2000us@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- option was renamed from ENABLE_OPENGL to ENABLE_GRAPHICS_CONTEXT_GL
since 2.30.0
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Qemu 5.1, this defconfig doesn't boot due to the to small SD card image size (60MB).
qemu-system-arm: sd_init failed: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it currently is).
qemu-system-arm: sd_init failed
From [1]:
"While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end."
The qemu_arm_vexpress_tz_defconfig doesn't trigger such issue since
it doesn't use the same filesystem support (i.e doesn't use
-drive file=output/images/rootfs.ext2,if=sd,format=raw).
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/766482935
[1] https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
qemu_arm_versatile doesn't use SD card interface but SCSI, so there is no
need to increase the image size.
The change was for qemu_arm_vexpress_defconfig instead (notice the
name of the defconfig used in gitlab).
This reverts commit cb62a8e0a2.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build of xen tools fails if slirp is built before xen because xen is not
compatible with spice slirp which does not provide libslirp.h:
/home/buildroot/autobuild/instance-2/output-1/build/xen-4.13.0/tools/qemu-xen/net/slirp.c:40:10: fatal error: libslirp.h: No such file or directory
#include <libslirp.h>
^~~~~~~~~~~~
Indeed, xen prefers a system-provided slirp over its internal one
So add slirp as a mandatory dependency (now that we switched to the up
to date https://gitlab.freedesktop.org/slirp/libslirp)
This build failure is raised since, at least, version 4.13.0
Fixes:
- http://autobuild.buildroot.org/results/b80b33ed558518f7bbb0a3c8586bf2d0b8acc36f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
festival fails to built with glibc 2.18 due to fopen and the h_addr field in
struct hostent:
../gst/festival/gstfestival.c: In function 'gst_festival_chain':
../gst/festival/gstfestival.c:273:3: warning: implicit declaration of function 'fdopen' [-Wimplicit-function-declaration]
fd = fdopen (f, "wb");
^
../gst/festival/gstfestival.c:273:6: warning: assignment makes pointer from integer without a cast [enabled by default]
fd = fdopen (f, "wb");
^
../gst/festival/gstfestival.c: In function 'festival_socket_open':
../gst/festival/gstfestival.c:367:45: error: 'struct hostent' has no member named 'h_addr'
memmove (&serv_addr.sin_addr, serverhost->h_addr, serverhost->h_length);
^
Both of which are hidden behind _GNU_SOURCE in glibc 2.18, so enable that to
fix this build issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
dvbsubenc fails to build with gcc 4.8 due to restrict keyword and for
loop declarations:
../gst/dvbsubenc/libimagequant/blur.c:10:46: error: expected ';', ',' or ')' before 'src'
transposing_1d_blur (unsigned char *restrict src, unsigned char *restrict dst,
^
../gst/dvbsubenc/libimagequant/blur.c: In function 'liq_min3':
../gst/dvbsubenc/libimagequant/blur.c:101:5: error: 'for' loop initial declarations are only allowed in C99 mode
for (unsigned int i = 0; i < width - 1; i++) {
^
../gst/dvbsubenc/libimagequant/blur.c:101:5: note: use option -std=c99 or -std=gnu99 to compile your code
Fixes:
- http://autobuild.buildroot.org/results/183e876d63340b5c204f47a4653cbfebb0523277
Both of which are C99 features, so explicitly enable C99 support to fix
that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add license file and, while at it, update indentation to two spaces
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit b737c6b351. This was not
supposed to be committed, as the patch did not update linux.hash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I haven't looked at that package and touched it for 6 years now, and
clearly others have taken care of it when looking at the Git history.
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release. From the release notes:
go1.15.4 (released 2020/11/05) includes fixes to cgo, the compiler, linker,
runtime, and the compress/flate, net/http, reflect, and time packages.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Various bfd section macros and functions like bfd_section_size() have been
modified starting with binutils >= 2.34.
Add a patch to handle this API change.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following check-package warning added by commit
a2b98a6add:
package/davfs2/davfs2.mk:22: expected indent with tabs
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mount.davfs expects the availability of the user and group davfs2.
Signed-off-by: Sven Klomp <mail@klomp.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch is needed to fix the build with freetype >= 2.10.3.
https://www.freetype.org/index.html#news
"A warning for distribution maintainers: Version 2.10.3 and later may
break the build of ghostscript, due to ghostscript's use of a with-
drawn macro that wasn't intended for external usage."
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Although BR2_DL_DIR is indeed a site-local setting, which does not
actually define the target system, we've had it in the tree for a
long time now, and people have been depending on it for a variety
of use-cases.
Furthermore, BR2_DL_DIR is far from the only such site-local setting,
BR2_CCACHE_DIR springs to mind, and in the less-obvious category, we
can also find BR2_JLEVEL, but also BR2_WGET, BR2_SVN, BR2_GIT et al.
as they may be tweaked to set the timeout, number of retries or so on
to work around stupid proxies. But of course, the most local site-local
setting is probably BR2_PACKAGE_OVERRIDE_FILE, with its default value
being explicitly just 'local.mk'.
Ideally, we would like to have a clear separation between the
configuration that actually defines the target system on one hand,
and the site-local settings that drive and control how the build is
performed, on the other hand. This is by far a much bigger endeavour
than just dropping BR2_DL_DIR from the saved defconfig.
This reverts commit 36edacce9c (adapted
to keep the fix from 1a7873ec98).
Closes: #13291
Note: thanks to Thomas; some phrasing above was borrowed from a
discussion with him.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Lance Fredrickson <lancethepants@gmail.com>
Cc: Sven Oliver Moll <buildroot@svol.li>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Adam Duskett <aduskett@gmail.com>
This will fix the following build failure with python 3.9 and
sigrok-cli:
/srv/storage/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/mips64el-buildroot-linux-uclibc/5.5.0/../../../../mips64el-buildroot-linux-uclibc/bin/ld: /srv/storage/autobuild/run/instance-1/output-1/host/bin/../mips64el-buildroot-linux-uclibc/sysroot/usr/lib/libsigrokdecode.so: undefined reference to `PyList_Insert'
Fixes:
- http://autobuild.buildroot.org/results/cc6447b926f8223c68d0086428d29a037b18252d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following flake8 warnings:
support/testing/tests/core/test_selinux.py:21:1: E302 expected 2 blank lines, found 1
support/testing/tests/core/test_selinux.py:38:1: E302 expected 2 blank lines, found 1
support/testing/tests/core/test_selinux.py:51:1: E302 expected 2 blank lines, found 1
support/testing/tests/core/test_selinux.py:62:1: E302 expected 2 blank lines, found 1
support/testing/tests/core/test_selinux.py:65:14: E127 continuation line over-indented for visual indent
support/testing/tests/init/test_systemd_selinux.py:53:1: E302 expected 2 blank lines, found 1
support/testing/tests/init/test_systemd_selinux.py:64:1: E302 expected 2 blank lines, found 1
Interestingly, the "continuation line over-indented for visual indent"
shows up only once, while the same pattern is there at multiple places
in the file. We fix all places with that over-indentation pattern.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
NOTE: this version requires mbim: >= 1.24.0, qmi: >= 1.26.0.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since
https://github.com/dddomodossola/remi/commit/481ee7ca3df55be127db35560978a36997a2c088
remi use setuptools-scm to obtain version, but .git directory is dropped when
the archive is fetched. The result is a build failure like:
Traceback (most recent call last):
File "setup.py", line 22, in <module>
include_package_data=True,
File "/tmp/instance-0/output-1/host/lib/python2.7/site-packages/setuptools/__init__.py", line 145, in setup
return distutils.core.setup(**attrs)
File "/tmp/instance-0/output-1/host/lib/python2.7/distutils/core.py", line 111, in setup
_setup_distribution = dist = klass(attrs)
File "/tmp/instance-0/output-1/host/lib/python2.7/site-packages/setuptools/dist.py", line 448, in __init__
k: v for k, v in attrs.items()
File "/tmp/instance-0/output-1/host/lib/python2.7/distutils/dist.py", line 287, in __init__
self.finalize_options()
File "/tmp/instance-0/output-1/host/lib/python2.7/site-packages/setuptools/dist.py", line 740, in finalize_options
ep.load()(self)
File "/tmp/instance-0/output-1/host/lib/python2.7/site-packages/setuptools/dist.py", line 747, in _finalize_setup_keywords
ep.load()(self, ep.name, value)
File "/tmp/instance-0/output-1/host/lib/python2.7/site-packages/setuptools_scm/integration.py", line 17, in version_keyword
dist.metadata.version = _get_version(config)
File "/tmp/instance-0/output-1/host/lib/python2.7/site-packages/setuptools_scm/__init__.py", line 147, in _get_version
parsed_version = _do_parse(config)
File "/tmp/instance-0/output-1/host/lib/python2.7/site-packages/setuptools_scm/__init__.py", line 118, in _do_parse
"use git+https://github.com/user/proj.git#egg=proj" % config.absolute_root
LookupError: setuptools-scm was unable to detect version for u'/tmp/instance-0/output-1/build/python-remi-2020.10.30'.
Make sure you're either building from a fully intact git repository or PyPI tarballs. Most other sources (such as GitHub's tarballs, a git checkout without the .git folder) don't contain the necessary metadata and will not work.
For example, if you're using pip, instead of https://github.com/user/proj/archive/master.zip use git+https://github.com/user/proj.git#egg=proj
make: *** [package/pkg-generic.mk:250: /tmp/instance-0/output-1/build/python-remi-2020.10.30/.stamp_built] Error 1
make: Leaving directory '/tmp/instance-0/buildroot'
Fix:
- http://autobuild.buildroot.net/results/3a6/3a62359d0e183d45e50e999fc2c58f7805bda142/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
[Peter: drop _LICENSE_FILES, tarball does not include LICENSE file]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add initial support for Orangepi Zero Plus board:
- U-Boot 2020.10
- Linux 5.7.19
- Default packages from buildroot
This patch is based on Orangepi Zero Plus2 board support, so genimage
configuration and description is copy pasted. One difference is that
newer Linux and U-Boot are selected. Another difference is Ethernet
support (Plus) instead of WiFi (Plus2).
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
opencv3 does not install anything in $(TARGET_DIR)/usr/share/OpenCV/doc
so drop OPENCV3_CLEAN_INSTALL_DOC
However it installs its licence files in
$(TARGET_DIR)/usr/share/licenses/opencv3 so add
OPENCV3_CLEAN_INSTALL_LICENSE
Moreover, the cmake hook does not catch all cmake files and missed the
valgrind files so update OPENCV3_CLEAN_INSTALL_CMAKE and add
OPENCV3_CLEAN_INSTALL_VALGRIND to delete those files:
OpenCVConfig.cmake OpenCVConfig-version.cmake OpenCVModules.cmake OpenCVModules-release.cmake valgrind_3rdparty.supp valgrind.supp
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 23a79ddb45 updated md5 and sha1 for
imlib2_loaders-1.6.1.tar.bz2 instead of imlib2-1.6.1.tar.bz2
Fix this mistake and, while at it, update indentation to two spaces
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Busybox is mainly licensed under the GPL-2.0, but the bzip2 part is a
modified copy of the bzip2/libbzip2 project, which comes with its own
license.
Update the licensing information accordingly.
Add the hash for the new license file, and fixup indentation (2 spaces).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For grub-efi we can align the rootfs to start at exactly 16MB from the
beginning of the disk. This can be done by reducing the vfat partition to
be 32 KB smaller than its 16MB size, just like the offset of the vfat
partition.
Signed-off-by: Florian La Roche <Florian.LaRoche@gmail.com>
[Peter: drop redundant offset/size settings, add comment]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In order to simplify the usage of a buildroot toolchain within
the buildroot shell, a "cmake" alias is provided to call cmake
with the correct toolchain file and options.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In order to simplify the usage of a buildroot toolchain within
the buildroot shell, a "configure" alias is provided to call
./configure with the correct flags.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The meson options were in some semi-sorted order with no logic in it.
Sort them alphabetically instead.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Since we don't enable sysv any support, it makes no sense to set the
path to telinit either.
The path we were setting was anyway wrong: we set a path into
TARGET_DIR, but this path is only used at runtime, on the target, where
TARGET_DIR doesn't exist (it should have been /usr/sbin/telinit).
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
If paths are not set, then meson will search the host system for the
binaries (or the target, where those binaries are not yet installed).
So add the missing paths.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
As we many times by now discussed that - some ARC cores might
not have atomic instructions implemented. Namely that's ARC700
w/o explicitly added atomics during design creation/configuration.
Because of that when GCC gets configured for ARC700, i.e. via
"--with-cpu=arc700" atomic ops are assumed disabled.
Usually it's not a problem as we add "-matomics" in the wraper for
building all packages if targets CPU has atomis (BR2_ARC_ATOMIC_EXT).
But when bulding target's binaries which are essential parts of
the GCC itself we don't use the wrapper. Instead xgcc is being used.
That way we lose that important part of system's configuration about
atomics and:
1. Atomic ops won't be used where otherwise they could have been used.
2. Some configuration checks might end-up thinking there're no atomics
In particular (2) leads to pretty obscure failure on bulding of some
packages which use C++, for example:
log4cplus: http://autobuild.buildroot.net/results/a7732fdb2ba526a114d9fb759814236c5332f8d7
------------------------>8--------------------
./.libs/liblog4cplus.so: undefined reference to `std::__atomic_futex_unsigned_base::_M_futex_notify_all(unsigned int*)'
collect2: error: ld returned 1 exit status
------------------------>8--------------------
bitcoin: http://autobuild.buildroot.net/results/f73/f73d4c77e5fd6223abdbc83e344addcfc93227b8
------------------------>8--------------------
(.text+0x110c): undefined reference to `std::__atomic_futex_unsigned_base::_M_futex_wait_until(unsigned int*, unsigned int, bool, std::chrono::duration<long long, std::ratio<1ll, 1ll> >, std::chrono::duration<long long, std::ratio<1ll, 1000000000ll> >)'
collect2: error: ld returned 1 exit status
------------------------>8--------------------
apcupsd: http://autobuild.buildroot.net/results/7a2/7a2cc7a4ac2237c185817f75e55e05d144efd100
------------------------>8--------------------
/tmp/instance-0/output-1/host/lib/gcc/arc-buildroot-linux-uclibc/9.3.1/../../../../arc-buildroot-linux-uclibc/bin/ld: eh_throw.cc:(.text._ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+0x24): undefined reference to `__gnu_cxx::__exchange_and_add(int volatile*, int)'
collect2: error: ld returned 1 exit status
------------------------>8--------------------
...and many more.
Interesting enough that was not seen earlier because "-matomic"
used to be added in TARGET_{C|CXX}FLAGS via TARGET_ABI,
but later "-matomic" was moved to ARCH_TOOLCHAIN_WRAPPER_OPTS, see
https://git.buildroot.org/buildroot/commit/?id=c568b4f37fa6d7f51e6d14d33d7eb75dfe26d7bf
and since then we started to see that new breakage which we now
attempt to fix right where it hapens on GCC configuration.
In contrast ARC HS family has atomic ops enabled by default thus
we never spotted that kind of problem for it.
More datails with analysis of what really happens under the hodd and
how do error messages above are related to libs of GCC configuration could
be found here: http://lists.busybox.net/pipermail/buildroot/2020-October/293614.html
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Romain Naour <romain.naour@gmail.com>
[Peter: simplify conditional]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* add a comment about the kernel header dependencies when bumping
versions
* set url to kernel.org as github is unmaintained and outdated
* use two spaces in hash-file
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit bumps ARC toolchain to arc-2020.09-release.
ARC GNU tools of version arc-2020.09-release bring some quite significant
changes like:
* Binutils 2.34.50 with additional ARC patches
* GCC 10.0.2 with additional ARC patches
* GDB 10.0.50 with additional ARC patches
Signed-off-by: Evgeniy Didin <Evgeniy.Didin@synopsys.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: arc-buildroot@synopsys.com
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 2acaa86ce6 replaced util-linux by
util-linux-libs but this raises the following build failure:
Makefile:585: *** util-linux-libs is in the dependency chain of libglib2 that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in. Stop.
To fix this build failure, use util-linux or util-linux-libs depending
on BR2_PACKAGE_UTIL_LINUX_LIBS
Fixes:
- http://autobuild.buildroot.org/results/8bf6360a343edd10c73a756ab86cdba727f9ea43
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
opencv 2.x has seen no release since July 2018 and all buildroot
packages are already compatible with opencv3 so drop it to ease the
addition of opencv4 which is not fully backward compatible with opencv3
as "a lot of C API from OpenCV 1.x has been removed.":
https://opencv.org/opencv-4-0.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The GCC-7.x compiler series was the last to officially support PowerPC
SPE CPUs. Now that GCC-8.x is the default compiler used by Buildroot,
some defconfigs, notably the arcturus_ucp1020_defconfig and
freescale_p1025twr_defconfig ones started to fail building, as they
are PowerPC SPE platforms.
In fact, the GCC-8.x compiler series continues to support PowerPC SPE
CPU cores, but only as an --enable-obsoleted instruction set. This
patch enables the use of GCC-8.x and asserts the required option to
enable the PowerPC SPE instruction set.
This patch passes compilation and run tests with the
arcturus/ppc-ucp1020 board.
This patch should address a noted job failure on GitLab CI
https://gitlab.com/buildroot.org/buildroot/-/jobs/805461732
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/805461732
Signed-off-by: Michael Durrant <mdurrant@ArcturusNetworks.com>
Signed-off-by: Oleksandr G Zhadan <Oleks@ArcturusNetworks.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Last commit fixed eglfs_kms support for i.MX8 platforms that required to
declare imx-gpu-viv as the gbm provider.
However, this broke the eglfs "fbdev" imx6 support as gbm isn't provided
in this case. So limit the gbm option to imx-gpu-viv when wayland
backend is used only.
Fixes: 82fb51d3b5 ("package/qt5/qt5base: allow to use imx-gpu-viv as GBM
provider")
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump OP-TEE Test package version to OP-TEE release 3.11.0.
Add dependency on BR2_INSTALL_LIBSTDCPP since C++ support is needed
to build some OP-TEE test trusted applications.
Remove local patch files since issues addressed since.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump OP-TEE Client package version to OP-TEE release 3.11.0.
Remove local patch file since issue addressed since.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump OP-TEE OS package version to OP-TEE release 3.11.0.
Remove patches since merged in OP-TEE OS 3.11.0
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
As we are about to bump the optee-test package to 3.11.0, which
requires C++ support, let's enable C++ support in the
qemu_arm_vexpress_tz_defconfig, which uses optee-test.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
receive.c in fastd before v21 allows denial of service (assertion
failure) when receiving packets with an invalid type code.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Alexander Dahl <post@lespocky.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
pax-utils uses asprintf() since version 1.2.4 (commit
9c0ec154d782795daa3b7d2ae273bbda2b36ae83), and recent versions of
gnulib make use of wctomb() in their implementation of asprintf(),
causing a build failure.
While it seems to be an issue in gnulib, let's for now mark pax-utils
as being not available with !wchar toolchains.
Fixes:
http://autobuild.buildroot.org/results/613840edba8ea161bb900f3b56d8d3605961c78f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
wine was bumped to 5.12 in commit
6daf15db41, but a few changes in
optional dependencies were not taken into account:
- A new optional dependency on libusb exists
- The option name to use libv4l has been changed
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of
RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a
non-random/predictable session_id.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
As it doesn't seem to be needed any longer. Also it was agreed to fix
packages not using pkgconfig properly instead of doing this sed.
Tested on i.MX6 platform with Qt5, no more issues.
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The commit 7e6f4e5 introduces a new bug when building the gst-omx package
for the raspberry.
GST_OMX_VARIANT variable in gst-omx.mk was shadowed to 'generic' after being
set well for raspberry. It results having the gstomx.conf not being installed,
and thus having gst-omx installed but none of its features available.
Signed-off-by: Augustin Thiercelin <augustin.thiercelin@outlook.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The official repo pointed by https://ltrace.org/ hasn't seen any
updates in 5 years, so this commit switches to
https://github.com/dkogan/ltrace from Dima Kogan that includes some
bug fixes, in particular the following commit to avoid a crash:
192e0a6 void struct members are now ignored
The previous ltrace version gave a crash on a ARMv7 device, showing
this error:
"Assertion `field_info->type != ARGTYPE_VOID' failed."
Using this commit ltrace shows a '<void>' return value in such cases,
but at least avoids the crash.
Signed-off-by: Mauro Meneghin <mauro.meneghin@youview.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Julien's e-mail @cotds.org is no longer working:
<juju@cotds.org>: host mail.cotds.org[194.117.244.136] said: 451 4.3.5 Server
configuration problem (in reply to RCPT TO command)
Use his @free.fr e-mail address instead.
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: adjust email address after Julien's review]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
His/her e-mail address is bouncing:
VMSDVM9.POK.IBM.COM unable to deliver following mail to recipient(s):
<mamatha4@linux.ibm.com>
VMSDVM9.POK.IBM.COM received negative reply:
550 5.1.1 <mamatha4@linux.ibm.com>: Recipient address rejected: User unknown in local recipient table
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add missing space for the cross-compilation.conf.in cpu_family
entry.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Source package of newest release does not contain license file, so
PKG-INFO is used for now. Missing LICENSE file was added to master
branch of xmodem repository ([1]), so hopefully it will replace PKG-INFO
check after new xmodem release.
[1] https://github.com/tehmaze/xmodem/pull/42
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix CVE-2020-14382: A vulnerability was found in upstream release
cryptsetup-2.2.0 where, there's a bug in LUKS2 format validation code,
that is effectively invoked on every device/image presenting itself as
LUKS2 container. The bug is in segments validation code in file
'lib/luks2/luks2_json_metadata.c' in function
hdr_validate_segments(struct crypt_device *cd, json_object *hdr_jobj)
where the code does not check for possible overflow on memory allocation
used for intervals array (see statement "intervals = malloc(first_backup
* sizeof(*intervals));"). Due to the bug, library can be *tricked* to
expect such allocation was successful but for far less memory then
originally expected. Later it may read data FROM image crafted by an
attacker and actually write such data BEYOND allocated memory.
https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.4-ReleaseNotes
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mosquitto nowadays works correctly with libressl, so allow that as the
openssl backend as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add optional gst1-rtsp-server dependency as checked for in
gst1-devtools-1.18.0/validate/tools/meson.build.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- remove patches that are already upstrem
- modified and renumbered existing patch
- add CROSS_COMPILE make arg
- update hashfile for new version
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is a follow-up to 4027ba29f4 ("package/nginx: use /run for
PIDFile"), in which we missed that nginx is still built with /var/run
paths.
This commit changes the compile options to use /run instead of
/var/run for pid and lock file to make it consistent.
Further dropping the passing of the pid option in the service file as
this isn't neccessary. Neither debian nor nginx default .service does
it.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
go1.15.3 (released 2020/10/14) includes fixes to cgo, the compiler, runtime, the
go command, and the bytes, plugin, and testing packages.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add missing semicolon for linux kernel verson < 5.6.x compile introduced
by patch 0006-rtw_proc-convert-file_operations-to-proc_ops-for-5.6.patch.
Fixes:
os_dep/linux/rtw_proc.c:195:1: error: expected ‘,’ or ‘;’ before ‘int’
195 | int rtw_drv_proc_init(void)
| ^~~
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
WebKit's JavaScriptCore does not support using JIT nor the LLint
interpreter on ARMv5 and ARMv6, so add those two cases when checking
for target CPUs which need to use the CLoop interpreter.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ENABLE_C_LOOP option conflicts with ENABLE_SAMPLING_PROFILER, so
the WebKit CMake build system will emit an error when both are enabled
at the same time. To avoid hitting that situation, explicitly disable
ENABLE_SAMPLING_PROFILER as needed.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
WebKit's JavaScriptCore does not support using JIT nor the LLint
interpreter on ARMv5 and ARMv6, so add those two cases when checking
for target CPUs which need to use the CLoop interpreter.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ENABLE_C_LOOP option conflicts with ENABLE_SAMPLING_PROFILER, so
the WebKit CMake build system will emit an error when both are enabled
at the same time. To avoid hitting that situation, explicitly disable
ENABLE_SAMPLING_PROFILER as needed.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Docker developers appear to no longer be tagging releases on the
docker/engine repository on GitHub, but are tagging releases on the main
moby/moby repository, which still is the true home of "dockerd."
This commit changes the upstream repo to moby/moby with no changes required.
Signed-off-by: Christian Stewart <christian@paral.in>
v1 -> v2:
- updated hash
- changed upstream to moby/moby
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The hash of the NOTICE file has changed due to the following minor update:
-Exceptions to the Apache 2.0 License:
-=====================================
+(Optional) Exceptions to the Apache 2.0 License:
+================================================
Also update hash file formatting (2 spaces)
See changelog https://github.com/michaelrsweet/mxml/releases/tag/v3.2
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
zlib is required to build s390-tools and cannot be disabled for now
due to libvmdump.
Fixes:
$BUILD_DIR/host/bin/s390x-buildroot-linux-gnu-g++ ... -c vmdump_convert.cpp -o vmdump_convert.o
lkcd_dump.cpp:15:10: fatal error: zlib.h: No such file or directory
15 | #include <zlib.h>
| ^~~~~~~~
compilation terminated.
Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* removed patch 0003 as it is now in upstream
* removed patch 0002 as the logic has been reworked
* adjusted patch 0001 offset
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When we savedefconfig, we remove BR2_DEFCONFIG (f71a621d91, savedefconfig:
Remove BR2_DEFCONFIG from saved defconfig file) and BR2_DL_DIR (36edacce9c,
Makefile: exclude BR2_DL_DIR from savedefconfig), because their meaning
is only valid locally.
However, we were not careful to really match the exact variables, so we
could match arbitrary options.
For example, these config options would all be dropped:
BR2_DEFCONFIG="toto"
BR2_DL_DIR="titi"
BR2_PACKAGE_SABR2_DEFCONFIG="tutu"
BR2_PACKAGE_SABR2_DL_DIR=y
While the first two are indeed the ones we want to drop, the last two
are options (whatever their meaning or how poorly named they are) of the
hypothetical 'sabr2' package, and we want to keep those in a defconfig.
When cleaning the just-saved defconfig, be sure to anchor the patterns to
the beginning of the line.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Sven Oliver Moll <buildroot@svol.li>
Cc: Herve Codina <Herve.CODINA@celad.com>
Acked-by: Herve Codina <Herve.CODINA@celad.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump package to the latest version 1.3.10, and remove the two patches
which are not needed anymore.
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
LICENSE diff:
-This software is copyright (c) 2014 by Christopher J. Madsen.
+This software is copyright (c) 2020 by Christopher J. Madsen.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Running "make savedefconfig" with BR2_DL_DIR set also saves that
variable, which is only useful in local context.
Signed-off-by: Sven Oliver Moll <buildroot@svol.li>
[yann.morin.1998@free.fr: wrap line]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since version 2.34 binutils enables debuginfod support by default if the
debuginfod library is found to be available at build time.
On Fedora 32, libdebuginfod may be present on the system, and the
dependency chain of interest is then:
libdebuginfod.so
-> libcurl.so
-> libk5crypto.so
-> libcrypto.so
If the Buildroot configuration ever needs to build host-openssl, which
may happen when building the kernel to sign modules for example, this
leads to an inconsistency between the system-provided libcrypto and
ours, leading to missing symbols:
$ make defconfig
$ make host-binutils
$ ./output/host/bin/i686-buildroot-linux-uclibc-objdump --help
[--snip some help text--]
$ make host-openssl
$ ./output/host/bin/i686-buildroot-linux-uclibc-objdump --help
./output/host/bin/i686-buildroot-linux-uclibc-objdump: symbol lookup
error: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version
OPENSSL_1_1_1b
EVP_KDF_ctrl comes from libcrypto:
$ nm -D /usr/lib64/libcrypto.so.1.1 |grep EVP_KDF_ctrl
0000000000176000 T EVP_KDF_ctrl
$ nm -D output/host/lib/libcrypto.so.1.1 |grep EVP_KDF_ctrl
[--empty--]
So, if host-binutils tools, like objdump et al., are called after our
host-openssl is built, then when run, the system-provided libk5crypto.so
is used, but our libcrypto.so is used, because of the RPATH we set on
our host tools.
And boom.
Note that there is also a latent similar issue if we were to build our
host-libcurl too...
Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
[yann.morin.1998@free.fr: rewrite commit log with a bit more info]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
OPENCV3_WARNINGS_ARE_ERRORS option does not exist so rename it to
OPENCV_WARNINGS_ARE_ERRORS (even if it is already disabled by default)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Update first patch to fix build of transmission 3.00 with UTP. Since
upstream commit f27596238d37 (Include stdbool.h unconditionally),
upstream no longer ever defines HAVE_STDBOOL_H, so we always fallback to
manually defining 'bool' which conflicts with the type used elsewhere in
the code.
Drop our workaround, to always include stdbool.h unconditionally.
Fixes:
- http://autobuild.buildroot.org/results/bbfb61cf911fb29dcc02626f6eb47fff9e5e64f5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- expand commit log
- drop commented-out code
- restore CR-LF line endings in replacement code, as used by upstream
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit b6b5981f70 (package/mksh: update to R59b) forgot to update the
hash of mksh.1 which is used as the license file. Although the manpage
has changed to accomodate changes in mksh, the licensing blurb has not
changed.
Fixes:
- http://autobuild.buildroot.org/results/1291917e4b17e087455a6698c4b82e4ff783600d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- expand commit log to state the license has not changed
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Don't build shared library with BR2_SHARED_LIBS=OFF to avoid the
following build failure:
[100%] Linking CXX shared library libpistache.so
make[3]: Leaving directory `/home/buildroot/autobuild/run/instance-1/output-1/build/pistache-f2f5a50fbfb5b8ef6cf1d3d2a9d442a8270e375d'
[100%] Built target pistache_static
/home/buildroot/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: /home/buildroot/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/crtbeginT.o: relocation R_X86_64_32 against hidden symbol `__TMC_END__' can not be used when making a shared object
Fixes:
- http://autobuild.buildroot.org/results/6cc/6cc76b3e76defa9b8154568a6ebcd6bf4cadd334/build-end.log
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: update upstream status now they merged it]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
snmpd loudly complains every 3 seconds about a failure reading
/proc/net/if_inet6 if the system does not have IPv6 support:
Jan 1 00:00:12 buildroot daemon.err snmpd[92]: ipaddress_linux: could not open /proc/net/if_inet6: No such file or directory
Jan 1 00:00:15 buildroot daemon.err snmpd[92]: ipaddress_linux: could not open /proc/net/if_inet6: No such file or directory
Jan 1 00:00:18 buildroot daemon.err snmpd[92]: ipaddress_linux: could not open /proc/net/if_inet6: No such file or directory
Jan 1 00:00:21 buildroot daemon.err snmpd[92]: ipaddress_linux: could not open /proc/net/if_inet6: No such file or directory
Add an upstream patch to only print this warning once, rather than on every
poll iteration.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The brcmfmac drivers now load settings files for BCM434xx devices and
fail if they're missing on the Raspberry Pi:
brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.raspberrypi,3-model-b-plus.txt failed with error -2
This commit copies the missing settings files over to the firmware
directory with the other files.
Signed-off-by: Frank Hunleth <fhunleth@troodon-software.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The python-argon2-cffi package can be used with the system libargon2,
we should use that instead of the embedded version.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Extract from bug report:
"Code line 120 to line 128 is to check whether the patch containing
"rename from" and "rename to". But it directly use grep to find,
ignoring the patch may be a tar file or else. It can only work on patch
of textfile form."
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=11931
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Version 2.5.0 enables the new libmpdec++ library by default:
http://www.bytereef.org/mpdecimal/changelog.html#version-2-5-0
Adapt the existing patch, to allow static build of this C++ library.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- meld the C++-enabling and the static-patch commits into one
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
There are two groups of chipsets in the BCM4366 family requiring two
different firmware files. Each is quite big (over 1 MiB) so use
separated options for them.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: split to a separate condition]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This will fix the following build failure with
gstreamer1-editing-services which optionally depends on gst1-devtools
since commit 08a213c1a5:
Run-time dependency gst-validate-1.0 found: NO (tried pkgconfig and cmake)
Looking for a fallback subproject for the dependency gst-validate-1.0
../output-1/build/gstreamer1-editing-services-1.18.0/meson.build:101:0: ERROR: Subproject directory not found and gst-devtools.wrap file not found
Fixes:
- http://autobuild.buildroot.org/results/e9d96a63861737d82734559db5e5ffbf5996ffde
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit 391c448acb (package/kernel-module-imx-gpu-viv: bear the kernel
options munging) improperly named the macro, including a superfluous
'MODULE' in the middle of the macro name, which meant it was totally
unused.
Fix that.
Reported-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
ipcalc is an ancient and venerable tool for manipulating IP addresses,
networks, & interfaces from shell scripts. There is a subtool in busybox,
but it does not support everything the upstream tool [1] supports.
[1] https://gitlab.com/ipcalc/ipcalc
Signed-off-by: Derrick Lyndon Pallas <derrick@meter.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- change home page url to https
- change download url to https
- download source renamed from gstreamer-editing-services to
gst-editing-services
- convert to meson build
- use BR2_PACKAGE_GST1_DEVTOOLS/gst1-devtools instead of legacy
BR2_PACKAGE_GST1_VALIDATE/gst1-validate
- drop examples support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
As resizing the rootfs partition using a partition manager can result
in a non booting image due to the firmware's location, removal of the
size limit for the rootfs allows better match size-wise.
Signed-off-by: Dagg Stompler <daggs@gmx.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Drop all patches (not needed anymore)
- Update help message of Config.in: kismet does not support only WiFi
but also Bluetooth, SDR ...
- Remove ncurses dependency
- libnl is now optional
- Drop --with-netlink-version (not available anymore)
- Add protobuf, protobuf-c, sqlite and zlib mandatory dependencies
- kismet_client and kismet_drone have been dropped since version 2019-04-R1
- Select libmicrohttpd for kismet_server
- Add optional libusb and lm-sensors dependencies
- Use --{enable,disable}-{libcap,pcre} options
- Use the new LICENSE file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix CVE-2020-26159: In Oniguruma 6.9.5_rev1, an attacker able to supply
a regular expression for compilation may be able to overflow a buffer by
one byte in concat_opt_exact_str in src/regcomp.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Use official tarball instead of github helper
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
U-Boot 2020.10 no longer provides boot command in default environment for
Udoo Quad/Dual board. Boot script needs to be added to the image. In order
to keep using common infrastructure for freescale boards, move boot files
to root filesystem and add boot script there. Also switch Udoo Neo board
to common freescale infrastructure to simplify maintenance.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
After BSP update Udoo Quad/Dual board once again hangs on boot. On a
new kernel disabling CONFIG_USB option is not enough to work around
the troublesome usb host on Udoo Quad/Dual board. So in order to be
future-proof it makes sense to disable usbh1 block in device tree
rather than fine-tune kernel configuration after BSP updates.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump ATF, U-Boot and kernel to the NXP BSP 5.4.24_2.1.0 versions.
On 5.4.24_2.1.0 the revC board is supported by default.
In case an older revB board is used, then the following step in U-Boot is
needed:
=> setenv fdt_file imx8mm-evk-revb.dtb
=> saveenv
=> reset
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When using the imx8 NXP kernel, it is preferred to use the imx_v8_defconfig
instead of the generic arm64 defconfig, as the NXP defconfig selects more
imx8 specific drivers.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- 0001-Temporary-fix-for-build-without-C.patch, AC_PROG_CXX line
number changed.
- Makefile-fuzz-generated.am now in size zero.
- json-c, libcurl: new (FAPI) dependencies since tpm2-tss version 2.4.0
Signed-off-by: Yair Ben-Avraham <yairba@protonmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Use a fixed kernel version to have a reproducible and tested
configuration.
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The 2020.08-1 release of Bootlin toolchains has brought support for 3
additional architecture variants, so let's support them.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bootlin toolchains in version 2020.08-1 have just been released, so
let's update the toolchain-external-bootlin package to those new
toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When building iputils for powerpc with BR2_PIC_PIE enabled, the
arping/rdisc/tftpd binaries will segfault at runtime. This can be
traced back to a few bugs in patchelf corrupting the ELFs when
resizing the RPATH to replace "$ORIGIN/" with "/usr/sbin".
This patch pulls in upstream fixes to prevent the binaries from being
needlessly inflated, prevent the startPage from always being adjusted,
fix a few minor bugs, and fix incorrect endianness handling.
Signed-off-by: Conrad Ratschan <conrad.ratschan@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
[yann.morin.1998@free.fr:
- move before skeletons
- select the custom 'mine' skeleton, not the sysv one
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Some externals may wish to provide custom init systems for tightly
integrated boot. This has been supported through the BR2_INIT_NONE,
however a downside to the BR2_INIT_NONE is it forces the custom init
system to use either skeleton-custom and roll a custom skeleton for
each target, or skeleton-init-none which isn't a complete skeleton.
Allowing br2-external to define custom BR2_INIT_* means they can now
safely 'select' the BR2_PACKAGE_SKELETON_INIT_*, and re-use any of the
skeletons in Buildroot, or one from a br2-external tree.
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
In preparation for supporting br2-external inits, move the 'select' for
the BR2_PACKAGE_SKELETON_INIT_* to their respective init systems. This
will allow a br2-external init to 'select' which skeleton it needs as a
default skeleton.
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
[yann.morin.1998@free.fr:
- add comment to init choice, to remind why selecting skeletons is OK
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
[yann.morin.1998@free.fr:
- alphabetical order (skeleton before toolchain)
- leave the list of choices 'open'
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Today, the BR2_ROOTFS_SKELETON_CUSTOM is the only way to build a custom
skeleton. But it's limiting as users must provide a pre-built skeleton
for each target. Supporting a br2-external package allows users to build
up a skeleton and customize it with their own KConfig options.
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Some packages have their own waf copy, but not located at the
top-level directory. In order to support those packages, we allow
packages to override the default <pkg>_WAF location.
Signed-off-by: David GOUARIN <dgouarin@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The -Dremote=true flag enables three tools: systemd-journal-gatewayd,
systemd-journal-remote and systemd-journal-upload.
It is not possible with simple means to install them seperately. So use
the systemd-journal-remote option to enable or disable them all together.
Drop systemd-journal-gatewayd option and add it to legacy.
Fixes: #12301
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
systemds libqrencode support is independent from journal-gatewayd. In
v247 it will additionally be used in homectl for recovery key
generation.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is compatible with release-monitoring.org, so it allows easier
tracking of update status.
There appears to be no easy way to use anything other than tag/commit
for _VERSION with the git download method. git.ti.com offers snapshot
download over https, so use use that instead. As added bonus, the https
download method is more firewall friendly.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This version adds wrappers for getgroups and statx, the latter is used
by coreutils 8.32.
Removed patches that are now in upstream.
Added a patch to fix failure when installing.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit changes the stm32mp1 configurations to use the TF-A ->
U-Boot boot flow (called "trusted boot flow" by ST) instead of the
U-Boot SPL -> U-Boot boot flow. ST recommands this trusted boot, and
it's also the only one that allows to use the STM32 Cube Programmer
for reflashing devices.
As part of this, the genimage configuration file is now generated, as
it contains some file names that depend on the platform. Removing
partition-type from genimage.cfg is mandatory, since it would cause a
hybrid MBR partition table to be created, which itself would prevent
ATF from finding the ssbl parition.
Signed-off-by: Shlomi Vaknin <shlomi.39sd@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add `.stm32` binary format that U-Boot generates for the trusted
configuration of STM32MP platforms.
Signed-off-by: Shlomi Vaknin <shlomi.39sd@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Starting with linux kernel v5.9 all required configuration options are
available in the default config.
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update the chromebook elm configuration to use v5.9 instead of an
intermediate release candidate.
At the latter stages of the v5.9 release, a patch was added which
broke the Chromebook Elm HDMI. Therefore add a revert patch to get rid
of this problem. The fix (and the revert) are already on the mailing
list (https://lkml.org/lkml/2020/10/10/32) and should become available
with v5.10
Signed-off-by: Bilal Wasim <bilal.wasim@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patch that is not upstreamable and replace it by using
--{dis,en}able-threads option
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This patch bumps apparmor and libapparmor to version 3.0.0
Of all our patches, one was already a backport, one is no longer
applicable (file largely rewritten), and the four others have been
applied upstream now.
The hash for the tarball is available on the homepage, so use that
as a reference.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998@free.fr:
- expand commit log to explain why we drop all the patches
- add a reference for the hash for the source tarball
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This reverts commit 6afc5eb696. This should
not have been applied yet, but got pushed by accident.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sentry-sdk has a set of optional "integrations", some of which use asyncio.
pycompile unfortunately errors out on these files when running under Python
2.x:
../scripts/pycompile.py ..
error: File "/usr/lib/python2.7/site-packages/sentry_sdk/integrations/sanic.py", line 64
async def sentry_handle_request(self, request, *args, **kwargs):
^
SyntaxError: invalid syntax
As a workaround, simply drop the unusable files from TARGET_DIR if building
for python 2.x.
Fixes:
http://autobuild.buildroot.net/results/9e4/9e47ee2a56153379e4e7bc839be5972a2302ba9f/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a regression introduced in patch level 16.
Rename the 2 uClibc patches so the upstream patch numbering matches ours.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pymodbus has optional support for asyncio. Pycompile unfortunately errors
out on these files when running under Python 2.x:
../scripts/pycompile.py ..
error: File "/usr/lib/python2.7/site-packages/pymodbus/client/asynchronous/asyncio/__init__.py", line 257
yield from self._connect()
^
SyntaxError: invalid syntax
As a workaround, simply drop the unusable files from TARGET_DIR if building
for python 2.x.
Fixes:
http://autobuild.buildroot.net/results/cc4/cc48927cbe9ae6c2d8b12d65467ec40df82febf6/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also dropping upstream patch.
With this release quazip drops the qmake build in favour of cmake.
It still ships the pkgconfig .pc file, so it's possible to link to
it by using CMake's find_package() or with pkgconfig.
Signed-off-by: Zoltan Gyarmati <zgyarmati@zgyarmati.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop unneeded CC variable which is not recognized by cmake:
CMake Warning:
Manually-specified variables were not used by the project:
BUILD_DOC
BUILD_DOCS
BUILD_EXAMPLE
BUILD_EXAMPLES
BUILD_TEST
BUILD_TESTING
BUILD_TESTS
CC
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Fix CVE-2020-25862: In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and
2.6.0 to 2.6.20, the TCP dissector could crash. This was addressed in
epan/dissectors/packet-tcp.c by changing the handling of the invalid
0xFFFF checksum.
- Fix CVE-2020-25863: In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and
2.6.0 to 2.6.20, the MIME Multipart dissector could crash. This was
addressed in epan/dissectors/packet-multipart.c by correcting the
deallocation of invalid MIME parts.
- Fix CVE-2020-25866: In Wireshark 3.2.0 to 3.2.6 and 3.0.0 to 3.0.13,
the BLIP protocol dissector has a NULL pointer dereference because a
buffer was sized for compressed (not uncompressed) messages. This was
addressed in epan/dissectors/packet-blip.c by allowing reasonable
compression ratios and rejecting ZIP bombs.
https://www.wireshark.org/docs/relnotes/wireshark-3.2.7.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
TimescaleDB is an open-source database designed to make SQL scalable
for time-series data. It is engineered up from PostgreSQL and
packaged as a PostgreSQL extension, providing automatic partitioning
across time and space (partitioning key), as well as full SQL support.
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Some external packages call pg_config to determine the installed
PostgreSQL server includedir and configure options. Add this output to
Buildroots own pg_config, so these packages correctly compile.
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes (reproducible):
http://autobuild.buildroot.net/results/50f/50f199bfe06d054cc6770760e73ac0de594a0670/diffoscope-results.txt
Fail2ban installs the fail2ban-python symlink pointing to the host python
intepreter used to run setup.py, which is naturally not valid at runtime and
breaks the reproducible tests as shown in the diffoscope results:
│ -lrwxrwxrwx 0 0 0 0 2020-10-04 10:50:38.000000 ./usr/bin/fail2ban-python -> /home/naourr/work/instance-0/output-1/host/bin/python
│ +lrwxrwxrwx 0 0 0 0 2020-10-04 10:50:38.000000 ./usr/bin/fail2ban-python -> /home/naourr/work/instance-0/output-2/host/bin/python
As a workaround, update the symlink after installation to point to the
correct target python.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
engineio has conditional logic to load asyncio files when running under
Python 3.x:
if sys.version_info >= (3, 5): # pragma: no cover
from .asyncio_server import AsyncServer
from .asyncio_client import AsyncClient
from .async_drivers.asgi import ASGIApp
try:
from .async_drivers.tornado import get_tornado_handler
except ImportError:
get_tornado_handler = None
else: # pragma: no cover
AsyncServer = None
AsyncClient = None
get_tornado_handler = None
ASGIApp = None
pycompile unfortunately errors out on these files when running under Python
2.x:
../scripts/pycompile.py ..
error: File "/usr/lib/python2.7/site-packages/engineio/asyncio_socket.py", line 13
async def poll(self):
^
SyntaxError: invalid syntax
As a workaround, simply drop the unusable file from TARGET_DIR if building
for python 2.x.
Fixes:
http://autobuild.buildroot.net/results/72c/72cfdffeb4d0fb7c3032b52f0a26a4758eea6762/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
socketio has conditional logic to load asgi/asyncio files when running under
Python 3.x:
if sys.version_info >= (3, 5): # pragma: no cover
from .asyncio_client import AsyncClient
from .asyncio_server import AsyncServer
from .asyncio_manager import AsyncManager
from .asyncio_namespace import AsyncNamespace, AsyncClientNamespace
from .asyncio_redis_manager import AsyncRedisManager
from .asyncio_aiopika_manager import AsyncAioPikaManager
from .asgi import ASGIApp
else: # pragma: no cover
AsyncClient = None
AsyncServer = None
AsyncManager = None
AsyncNamespace = None
AsyncRedisManager = None
AsyncAioPikaManager = None
pycompile unfortunately errors out on these files when running under Python
2.x:
../scripts/pycompile.py ..
error: File "/usr/lib/python2.7/site-packages/socketio/asyncio_server.py", line 84
async def emit(self, event, data=None, to=None, room=None, skip_sid=None,
^
SyntaxError: invalid syntax
As a workaround, simply drop the unusable file from TARGET_DIR if building
for python 2.x.
Fixes:
http://autobuild.buildroot.net/results/455f3e09a590f7a6724ab8cd1b86bdf2bba8071a/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that binutils 2.35.1 has been released, it is time to move to
binutils 2.34 as the default binutils version, instead of 2.33.1.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch sets the --with-xattr option when generating an image with
mkfs.jffs2, so that SELinux security contexts and other extended
attributes will be kept and available in jffs2 images.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When compiling the host version of mtd, --with-jffs and --with-ubifs are
always set, meaning --with-xattr is set by default. The xattr support
only work if 'sys/acl.h' is available, otherwise the feature is silently
dropped (a warning is shown during the configuration step).
This patch adds a dependency on host-acl for host-mtd, so that the xattr
feature is correctly supported. Logic to have xattr support is already
there and working for the non-host flavour.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop gdlib-config and use pkg-config to find gd because gdlib-config
has been dropped from version 2.3.0
gdlib.pc is available since version 2.1.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
gawk can't be selected when busybox is not available as gawk needs
wchar:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_GAWK
Depends on [n]: BR2_USE_WCHAR [=n] && BR2_USE_MMU [=y] && BR2_PACKAGE_BUSYBOX_SHOW_OTHERS [=y]
Selected by [y]:
- BR2_PACKAGE_CUKINIA [=y] && !BR2_PACKAGE_BUSYBOX [=n]
So replace this "select" by a "depends on", as already done by
BR2_PACKAGE_APPARMOR_UTILS_EXTRA
Fixes:
- http://autobuild.buildroot.org/results/66dacfe7b0783c7df29052fff20f3e79ecbcf054
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
There is a typo between 'N' (for Firstname Lastname <email>) & 'F'
(for file pattern or directory)
$: ./utils/get-developers outgoing/*
WARNING: 'Sven Fischer <sven@leiderfischer.de>' doesn't match any file
Fixes: e7ebc7cd09 ("package/qt5/qt5remoteobjects: new package")
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For defconfigs that create a boot envimage, add the host package
uboot-tools and update the script variable names.
Add BR2_PACKAGE_HOST_UBOOT_TOOLS=y just before the existing
BR2_TARGET_UBOOT_ENVIMAGE option. Note that for the defconfigs that are
not manually formatted (i.e. just the result of 'make savedefconfig'),
this puts them in the wrong place. However, it's easier this way, and
it's more consistent in general to have the definition of the envimage
close to BR2_TARGET_UBOOT itself.
Related to 78559d699a
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
For defconfigs that create a boot script, add the host package
uboot-tools and update the script variable names.
Add BR2_PACKAGE_HOST_UBOOT_TOOLS=y just before the existing
BR2_TARGET_UBOOT_BOOT_SCRIPT option. Note that for the defconfigs that
are not manually formatted (i.e. just the result of 'make
savedefconfig'), this puts them in the wrong place. However, it's easier
this way, and it's more consistent in general to have the definition of
the script close to BR2_TARGET_UBOOT itself.
Special cases:
- nanopi_* had the definition of the _SCRIPT variable in a weird place.
These are moved to close to BR2_TARGET_UBOOT.
- Same for orangepi_plus.
- orangpi_pc_* already had BR2_PACKAGE_HOST_UBOOT_TOOLS=y so it's not
added there.
Related to db2b684126
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
apply-patches currently blindly removes *.orig / .*.orig files as GNU patch
by default writes these as backup files when patches only apply with fuzz.
This is unfortunate as package sources may contain files ending in .orig as
well, breaking the build. Luckily GNU patch can be told to not write these
backup files using the --no-backup-if-mismatch option, so used that instead
of the .orig removal step.
--no-backup-if-mismatch is supported since GNU patch 2.3.8 (1997-06-17) and
busybox patch if built with CONFIG_DESKTOP, but E.G. isn't supported by the
BSD patch, so add logic to dependencies.sh to error out if patch doesn't
support the flag.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Normally the kconfig stings would end up empty and cause a build
error. This patch provides test files to allow testing the creation
of uboot environment and script bin files from user provided txt files.
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
For consistancy and dependencies between uboot and uboot-tools,
this patch migrates the script creation over in a similar way as
the env image creation.
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Migrating the support for this feature to uboot-tools to gain the
ability to build env files when BR2_TARGET_UBOOT isn't selected.
When _ENVIMAGE_SOURCE is not set, we generate a default environment.
However, this default depends on the U-Boot configuration. Therefore,
this can only be done if uboot itself is built as well, and
host-uboot-tools needs to depend on uboot.
For the same reason, the commands for creating the environment have to
be adapted a little. Take this occasion to drastically simplify them.
Note: This patch creates a circular dependency with uboot until the
similar migration patch is merged for uboot scripts
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
uclibc-ng supports the RISC-V architecture since version 1.0.31, so
let's allow selecting this C library when RISC-V is used.
There was a previous attempt in commit
bd9810e176, which was reverted in
e7d631c0df, due to uClibc-ng not
implementing the __riscv_flush_icache() which is needed by
gcc. However this function has been implemented in upstream uClibc-ng
as of 1.0.35, so we can now safely re-enable uClibc-ng on RISC-V.
Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For 9 years the recommended mount point for selinuxfs has been
/sys/fs/selinux, as stated in Linux kernel commit 7a627e3b9a2b:
"""
For selinuxfs, this mount point should be in /sys/fs/selinux/
"""
As other projects follow this convention, not doing so result in
potential issues. One of them is the refpolicy not correctly labelling
and supporting the mount point.
Fix this by using /sys/fs/selinux as of now in Buildroot.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Qt 5.12 added a library for IPC, so let's have a package for it. The
dependency on qtdeclarative is optional.
Signed-off-by: Sven Fischer <sven@leiderfischer.de>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This partially reverts commit a3aac6d847,
just dropping the atomic dependency.
That dependency would introduce a "recursive dependency" chain in
Kconfig.
However, r100 is only available on i386 and x86-64, and they both have
sync4, which means libdrm's HAS_ATOMICS is always 'y' when r100 is
available.
So, like we did in 00c1a8c34f (package/mesa3d: propagate missing
libdrm-freedreno deps), we just add a fat comment that explains why the
dependency is not propagated.
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
To allow easier installation of ebtables-legacy-save from the config
menu, select BR2_PACKAGE_BASH. All dependencies of bash are met
already by ebtables depending on BR2_USE_MMU.
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
Tested-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the version bump to 2.0.11, ebtables switch to autotools build
system. In addition, ebtables-{restore/save} moved to being installed
as ebtables-legacy-{restore/save}.
Changes to support this version bump include:
* Remove dependency on !BR2_STATIC_LIBS for ebtables-restore as the
switch to autotools supports compiling with static libraries.
* Update ebtables-save script patch to use /usr/sbin/ebtables-legacy
* Remove 0001-*-ethernetdb*.patch as it was merged with commit:
http://git.netfilter.org/ebtables/commit/?id=f8079671326e9fd079391d24911a9a8a77f1d6fd
* Remove 0002-*-musl-*.patch as support was added with commit:
http://git.netfilter.org/ebtables/commit/?id=9fff3d5f9da00255463d28b38d688c25025b7fb1
Tested with test-pkg with BR2_PACKAGE_EBTABLES=y:
br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
br-arm-cortex-m4-full [3/6]: SKIPPED
br-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
sourcery-arm [6/6]: OK
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
Tested-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Curently, host-kmod has no option to enable it, because only
the kernel depends on it, and this is unconditional (because
we can't know if modules will be enabled in the kernel config).
But we're soon to add options to enable various features of
kmod, so we'll need a place where to show those features.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Cc: Lucian Buga <lucianbuga@gmail.com>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cukinia is a test framework designed to help Linux-based embedded
systems developers run simple system-level validation tests on their
firmware.
It is designed to integrate well with embedded Linux systems
generation tools, and can be run manually (providing a quick
colourized summary to eye-catch regressions), or any of continuous
available integration framework, by generating Junit-XML or CSV test
reports.
Signed-off-by: Jérôme Oufella <jerome.oufella@savoirfairelinux.com>
Signed-off-by: Shyam Saini <shyam.saini@savoirfairelinux.com>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently, we handle three kinds of tests: basic, defconfig, and
runtime, and we treat them totally independently ones from the others.
Except for the basic tests that are ignored when defconfig or runtime
tests are explicitly requested.
The basic tests are also run systematically on all our reference
branches: master, next (when it exists), and the maintenance branches:
YYYY.MM.x.
Furthermore, we can see that the conditions to run each set of tests
are very similar, with only the explicit queries differing by name.
Rework the script so that the conditions are expressed only once, and
each set of tests is decided for each condition. This makes it easier
to decide what tests should run under what conditions.
Using GitLab-CI's schedules, with a variable expressing the actual test
to run, would seem the obvious choice to trigger the pipelines. However,
a schedule is configured for a specific branch, which means we would
need one schedule per branch we want to build per test cases we want to
run, *and* that we update those schedules when we add/remove branches
(e.g. when we open/close 'next', or a maintenance branch). This is not
very nice, as it requires some manual tweaking and twiddling on the web
UI.
Instead, we resort to using triggers, that will be triggered from a
cronjob on some server. Using a cronjiob allows us to more easily manage
the branches we want to test and test cases we want to run, to more
easily spread the load over the week, etc...
Note: triggering a pipeline can be done with a simple curl invocation:
$ curl -X POST \
-F "token=${YOUR_TOKEN}" \
-F "ref=${BRANCH_TO_TEST}" \
-F "variables[BR_SCHEDULE_JOBS]=${TEST_TO_RUN}" \
"https://gitlab.com/api/v4/projects/${YOUR_PROJECT_ID}/trigger/pipeline"
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add tests to ensure the packages SELinux functionalities (being able to
select an extra SELinux module in the refpolicy, and being able to
provide a custom SELinux module) are working as expected.
We use a BR2_EXTERNAL folder, provided in the tests, to use a custom
SELinux enabled package.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a test for BR2_PACKAGE_REFPOLICY_CUSTOM_GIT (which allows to select
a custom location for the SELinux refpolicy). The test uses the official
refpolicy as a test (we only want to test the functionality is working,
not that another refpolicy is correctly building; that is an user
problematic).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a test for the BR2_REFPOLICY_EXTRA_MODULES_DIRS functionality (which
allows to provide custom SELinux modules).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds a test for the BR2_REFPOLICY_EXTRA_MODULES
functionality (which allows to select extra modules within the SELinux
refpolicy using Kconfig).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a test called 'SELinuxSystemdSquashfs' which will perform the same
tests as the Ext4 version, but using a Squashfs filesystem. Thanks to
this, we'll have a test on a real only filesystem.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This adds a test called 'SELinuxSystemdExt4'. This test will build an
SELinux enabled image with systemd, boot it, and perform a few runtime
tests to check SELinux related capabilities.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
REFPOLICY_EXTRA_MODULES_DIRS contains
$(PACKAGES_SELINUX_EXTRA_MODULES_DIRS) which is filled in by
package/pkg-generic.mk with the list of packages that have a selinux/
sub-directory. Due to how variable expansion works, if there is an
ifeq/ifneq test of REFPOLICY_EXTRA_MODULES_DIRS, it will only see the
value of REFPOLICY_EXTRA_MODULES_DIRS with the list of packages
*before* refpolicy in alphabetic ordering. This means that packages
after refpolicy in alphabetic ordering would not be taken into
account.
To fix this, we switch to an $(if ...) test, which allows the variable
to really be evaluated during the refpolicy build. This makes sures
the expansion is correct.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The buildroot custom bareboxenv compile command misses the additional
include path 'scripts/include' to gain access to the local copy of the
kernel header files (which leads to compile error when using an older
toolchain).
This could be fixed by enhancing the custom bareboxenv compile command
(see [1]) or by using the barebox build system by simply enabling the
CONFIG_BAREBOXENV_TARGET option (available since April 2012, see [2])
instead (as suggested by Yann E. MORIN).
Fixes (with BR2_TARGET_BAREBOX_BAREBOXENV enabled):
build/barebox-2019.12.0/scripts/bareboxenv.c:100:10: fatal error: linux/list.h: No such file or directory
[1] http://lists.busybox.net/pipermail/buildroot/2020-January/270942.html
[2] https://git.pengutronix.de/cgit/barebox/commit/?id=afb03d7a554a2911a3742e316f011319fcb416f1
Note: a user who would previously provide a barebox config file which
had CONFIG_BAREBOXENV_TARGET=y, but a Buildroot config file which did
not have BR2_TARGET_BAREBOX_BAREBOXENV=y, would have bareboxenv-target
built, but it would not be installed in the target. Now, and unset
BR2_TARGET_BAREBOX_BAREBOXENV will not even build it, but his is not a
regression: it was anyway previously not installed.
Reported-by: Frederick Gotham <cauldwell.thomas@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- also explicitly disable it when not selected
- rewrap commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Default value of MinTLSversion set to 1.2.
- mbed TLS updated to 2.23.0.
- Small bugfixes.
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop patches (already in version) and so autoreconf
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-7069: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with
openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the
IV is actually used. This can lead to both decreased security and
incorrect encryption data.
- Fix CVE-2020-7070: In PHP versions 7.2.x below 7.2.34, 7.3.x below
7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP
cookie values, the cookie names are url-decoded. This may lead to
cookies with prefixes like __Host confused with cookies that decode to
such prefix, thus leading to an attacker being able to forge cookie
which is supposed to be secure. See also CVE-2020-8184 for more
information.
https://www.php.net/ChangeLog-7.php#7.4.11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
All the python packages are inside a
if BR2_PACKAGE_PYTHON || BR2_PACKAGE_PYTHON3
conditional, so no need to repeat it in the Config.in.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 9e4ffdc8cf modified the output of
'setlocalversion' so that the Buildroot version tag is included in the
output, the version part was added in Makefile.
Due to differences in behavior of the used git and Mercurial commands, this
caused different output for the Mercurial case, in BR2_VERSION_FULL and thus
/etc/os-release and 'make print-version'. Assuming the official Buildroot
releases are tagged and no project-specific tags are present, the output
after commit 9e4ffdc8cf is:
-hg<commit>
whereas it is expected to be something like:
2020.02.6-hg<commit>
Change the Mercurial case in setlocalversion to behave similar to git,
looking up the latest tag if the current revision is not itself tagged.
The number of commits after the latest tag is not added, unlike in git, as
this value is not commonly present in Mercurial output, and its added value
can be disputed in this context. Even one commit could bring a huge change
to the sources, so in order to interpret the number one has to look at the
repository anyhow, in which case the commit ID can just be used.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The content of the license file (doc/readme.html) differs between lua 5.3
and 5.4, so we cannot use a shared .hash file for all versions.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Qemu 5.1, this defconfig doesn't boot due to the to small SD card image size (60MB).
qemu-system-arm: sd_init failed: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it currently is).
qemu-system-arm: sd_init failed
From [1]:
"While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end."
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/766482935
[1] https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a9bcedd15a5834ca9ae6c3a97933e85ac7edbd36
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/72e0cc78194a1b93bf26a50742e59a1e93bde1d1/
fire has conditional logic to load test_components_py3.py when running under
Python 3.x:
if six.PY3:
from fire import test_components_py3 as py3
pycompile unfortunately errors out on it:
../scripts/pycompile.py ..
error: File "/usr/lib/python2.7/site-packages/fire/test_components_py3.py", line 18
def identity(arg1, arg2: int, arg3=10, arg4: int = 20, *arg5,
^
SyntaxError: invalid syntax
As a workaround, simply drop the unusable _py3 file from TARGET_DIR if
building for python 2.x.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/4ca459d54545c0e20b0f0cdc63bd81844ecd7f36/
aenum has conditional logic to load python 3.x code located in test_v3.py:
if pyver >= 3.0:
from aenum.test_v3 import TestEnumV3, TestOrderV3, TestNamedTupleV3
And contains logic in setup.py to drop that file during setup.py install if
building for python 2.x:
py3_only = ('aenum/test_v3.py', )
..
if __name__ == '__main__':
if 'install' in sys.argv:
import os, sys
..
if sys.version_info[0] != 3:
for file in py3_only:
try:
os.unlink(file)
But this doesn't work in Buildroot as pkg-python.dk first does setup.py
build (which copies test_v3.py to the build directory) before setup.py
install, so test_v3.py gets installed, leading to errors from pycompile:
error: File "/usr/lib/python2.7/site-packages/aenum/test_v3.py", line 12
class MagicAutoNumberEnum(Enum, settings=AutoNumber):
^
SyntaxError: invalid syntax
As a workaround, add a hook to drop it from the target directory when
building for python 2.x.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion
Affected Node.js versions converted carriage returns in HTTP request
headers to a hyphen before parsing. This can lead to HTTP Request
Smuggling as it is a non-standard interpretation of the header.
Impacts:
All versions of the 14.x and 12.x releases line
- CVE-2020-8252: fs.realpath.native may cause buffer overflow
libuv's realpath implementation incorrectly determined the buffer size
which can result in a buffer overflow if the resolved path is longer than
256 bytes.
Impacts:
All versions of the 10.x release line
All versions of the 12.x release line
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
Adjust license hash for the addition of the BSD-3c licensed highlight.js:
https://github.com/nodejs/node/commit/6f8b7a85d239129273948386c34775810f2dc4a3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
We used to have a conditional patch applied on PowerPC soft-float, but
this logic was dropped in commit
0c82f3f635 ("package/gcc: remove powerpc
conditional patching logic"). However, we still have some related
leftovers in the calculation of the hashes for ccache, which can now
be dropped.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Acked-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The logic in libbacktrace/configure.ac to detect if __sync builtins
are available assumes they are as soon as target_subdir is not
empty, i.e when cross-compiling. However, some platforms do not have
__sync builtins, so help the configure script a bit.
"libbacktrace_cv_sys_sync=no" is lost when it is added to
HOST_GCC_COMMON_CONF_ENV because the environment is not exported
when executing the libbacktrace configure script.
Use target_configargs to force "libbacktrace_cv_sys_sync=no" when
executiong the libbacktrace configure script.
Fixes:
https://gitlab.com/bootlin/toolchains-builder/-/jobs/729359681
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain: use target_configargs="libbacktrace_cv_sys_sync=no"]
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We dropped the CodeBench 2012.09 toolchain for SuperH a long time,
and with recent toolchains, Ruby at -Os builds perfectly fine, so
there's no reason to keep this work-around.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: slight rewording in the commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit f89ca996b6 enabled linux-pam on
musl however rlogind fails to build on musl because it uses logwtmp:
/home/giuliobenetti/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: rlogind.c:(.text.startup+0x9ec): undefined reference to `logwtmp'
As this package is unmaintained, just disable back rlogind on musl
Fixes:
- http://autobuild.buildroot.org/results/f2eb1c0bab7c6c32d6c561da0f85a530bd419206
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
DEPS_DIR is a new CLI option introduced by the version 3.4.0,
which avoids the use of `external_deps_dirs` in the config files.
now, the host config doesn't need to be altered.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When gdb is built from sources fetched from Git, it contains both the
gdb and the binutils code base. In order to really build only gdb, we
disable a number of binutils components in the
GDB_DISABLE_BINUTILS_CONF_OPTS variable: --disable-binutils,
--disable-ld, --disable-gas, etc. However, gprof was still being
built, so disable it as well.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The GDB version used on ARC is based on a recent gdb code base, post
gdb 9.2. This recent gdb code base, which pre-figures what will be in
gdb 10, has a significant change: gdbserver is not longer in
gdb/gdbserver, but at the top-level, and the mechanism to build
gdbserver only has changed. Due to this change, a build of ARC GDB for
gdbserver only fails with:
/bin/bash: line 0: cd: /opt/output/build/gdb-arc-2020.03-release-gdb/gdb/gdbserver: No such file or directory
This commit adjusts gdb.mk to support four cases:
- "old" gdb, gdbserver only
- "old" gdb, with the gdb debugger (and optionally gdbserver as well)
- "new" gdb, gdbserver only
- "new" gdb, with the gdb debugger (and optionally gdbserver as well)
A boolean GDB_GDBSERVER_TOPLEVEL is introduced to differentiate
between the old and new gdb, it is set to "y" for gdb versions that
have the gdbserver code at the top-level. For now, only the ARC
version sets it, but in the future, upstream gdb version 10 will also
have to set it.
Here is the behavior, for each case:
(1) "old" gdb, gdbserver only
We set GDB_SUBDIR to gdb/gdbserver, so only the configure script
in this folder gets called.
--enable-gdbserver --disable-gdb are passed in CONF_OPTS.
(2) "old" gdb, with the gdb debugger (and optionally gdbserver as well)
We set GDB_SUBDIR to build/, an empty directory which allows to
do an out of tree build, which is mandatory for a full gdb build
since gdb 9.x.
--enable-gdb is passed in CONF_OPTS as well as --enable-gdbserver
or --disable-gdbserver depending on whether gdbserver is enabled
as well.
(3) "new" gdb, gdbserver only
We set GDB_SUBDIR to build/, an empty directory which allows to
do an out of tree build, which is mandatory for a full gdb build
since gdb 9.x.
--enable-gdbserver --disable-gdb are passed in CONF_OPTS.
(4) "new" gdb, with the gdb debugger (and optionally gdbserver as well)
We set GDB_SUBDIR to build/, an empty directory which allows to
do an out of tree build, which is mandatory for a full gdb build
since gdb 9.x.
--enable-gdb is passed in CONF_OPTS as well as --enable-gdbserver
or --disable-gdbserver depending on whether gdbserver is enabled
as well.
In addition to these changes, some related changes are done as well:
- We re-enable building both gdb and gdbserver on ARC, as it works
again.
- We only pass --with-curses when curses is really provided, i.e when
the full debugger is being built.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
From release note:
Version 3.1 - September 2020
This release offers substantial new functionality. Users are encouraged
to upgrade. The most notable changes are as follows.
* Fixes non-functional NMEA mode of the ts2phc program (since 3.0)
* Improves system time synchronization via the PTP_SYS_OFFSET_PRECISE
and PTP_SYS_OFFSET_EXTENDED ioctls.
* Supports implementing a PTP GM clock by using a GPS radio or other
PPS time source.
* Provides per-port statistics via the management interface.
* Implements IEEE 1588 v2.1 slave event monitoring.
* Adds Automotive Profile support.y
utils/test-pkg -p linuxptp
br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
br-arm-cortex-m4-full [3/6]: OK
br-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
sourcery-arm [6/6]: OK
6 builds, 0 skipped, 0 build failed, 0 legal-info failed
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Upstream repository has been dead for quite a while now, and in fact
we are using s.b.o as the "official" location now.
There however exists a Github repository, which is still alive. That
repository has not been touched in a looooong while, but it's still
up, and there is a revision which actually gives the exact same
content (although the hash changes, because the directory name has
changed, from open2300-12/ to open2300-f2198.../).
Also fix spaces in hash file.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The whole arch/Config.in.s390x file is only included by arch/Config.in
if BR2_s390x=y, so having "depends on" conditions on each options of
the choice doesn't make much sense.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: drop first, empty line]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Refreshed patch #1 and disable debuginfod.
The debuginfod tools needs to hook into serverinfrastructure,
this currently only exists for Fedora.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
http://autobuild.buildroot.net/results/76b580000e6311e88584874f942517badd6fadf6/
python-txtorcon DOES support python 2.x, but it contains some optional
python 3 / async code in controller_py3.py which is conditionally used from
controller.py:
try:
from .controller_py3 import _AsyncOnionAuthContext
HAVE_ASYNC = True
except Exception:
HAVE_ASYNC = False
pycompile unfortunately errors out on the async code:
../scripts/pycompile.py ..
error: File "/usr/lib/python2.7/site-packages/txtorcon/controller_py3.py", line 13
async def __aenter__(self):
^
SyntaxError: invalid syntax
As a workaround, simply drop the unusable _py3 file from TARGET_DIR if
building for python 2.x.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The host-zstd-build step was not actually compiling the library:
make[1]: Entering directory '/buildroot/output/build/host-zstd-1.4.5/lib'
make[1]: Nothing to be done for 'default'.
make[1]: Leaving directory '/buildroot/output/build/host-zstd-1.4.5/lib'
and the actual compilation was part of the install step.
This is not how other Buildroot packages work.
Make sure to specify which library targets we want instead. The total amount
of compiled files does not change with this patch.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit a2830f0dad (support/gnuconfig: bump version) carried
spurious, uncommited local changes to config.sub, that were not
part of upstream commit d7a4dee7cc25e332b990d0a6d9f0ddd42cb33cf5.
Fix that by actually using the code as it is upstream.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- squash the revert and the new bump into this commit
- ammend commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
fixes following in the generated cross-complation.conf file:
pkg_config_static = '$(if $(BR2_STATIC_LIBS),true,false)'
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The fakeroot script does not appear to be used in any of the checked
in defconfig targets, but it seems that most often the post
fakeroot script should be done after all the packages rules have
been applied instead of before.
Given that a change in systemd moved the SYSTEMD_PRESET_ALL hook to
a ROOTFS_PRE_CMD_HOOKS, there was no way to use a FAKEROOT script
to disable a service or fixup a systemd configuration. The systemd
move makes sense, and this just tries to preserve the same ability
to fixup a rootfs after all the cmd hooks are processed.
Refer to commit 65b63785a6 for
the change that instigated this reordering.
Signed-off-by: Charles Hardin <ckhardin@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When one GPL-licensed plugin was enabled, the license of
gst1-plugins-ugly would be "LGPL-2.1+ GPL-2.0", but licenses should be
comma separated, not space separated. So let's fix that to get the
expected value of "LGPL-2.1+, GPL-2.0".
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
[yann.morin.1998@free.fr:
- don't force network range
- don't forward TCP port
- drop post-build script to add tty1
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
[yann.morin.1998@free.fr: drop supperfluous depends on s390x in choice]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit adds supports for building buildroot kernel + rootfs
for MT8173 Elm board, also known as Chromebook Elm
(https://www.acer.com/ac/en/US/content/series/acerchromebookr13).
Though Chrome-OS is officially supproted on this board, the
mainline kernel works as well (benchmarks + conformance), and so
the 5.9 kernel is used. As the 5.9 kernel isn't yet released, we
use the 5.9-rc5 for now, which will be up-revd to 5.9 once its
released.
Using the mainline kernel means that we have to apply certain patches
to get the HDMI screen working. These patches are lying in the
"drm-misc-next" list and will make it to the kernel after 5.9. At that
time, we will remove the patches and point Buildroot to use the latest
kernel (hopefully, 5.10).
This commit also adds an ITS file (for creating FIT images), an ARGS
file (for providing kernel args) and a "sign.sh" script to generate
signed kernel images. Though the "sign.sh" is very similar to the
coresponding file under board/chromebook/snow, it cannot be shared
between both boards, as the script requires access to the board
specific its / args file.
Additionally a readme & defconfig is added to help the user get started.
Signed-off-by: Bilal Wasim <bilalwasim676@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The same script is going to be used by the Chromebook Elm to generate
a bootable SD / USB image. Therefore, move the script out of the snow
folder to one level above (board/chromebook/snow -> board/chromebook).
Update the chromebook_snow_defconfig to reflect the new location of
the script.
Signed-off-by: Bilal Wasim <bilalwasim676@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
PowerPC has two PLT models: BSS-PLT and Secure-PLT. BSS-PLT uses
runtime code generation to generate the PLT stubs. Secure-PLT was
introduced with GCC 4.1 and Binutils 2.17 (base has GCC 4.2.1 and
Binutils 2.17), and is a more secure PLT format, using a read-only
linkage table, with the dynamic linker populating a non-executable
index table.
References to other distro/BSD transitions:
https://patchwork.openembedded.org/patch/106621/https://reviews.freebsd.org/D20598
Fixes a bug observed when creating SELinux policy where all apps
require execmem because the heap requires execute before this change.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
While the imagemagick C++ support requires wchar, it is not the case
for the graphicsmagick C++ support, so we can drop the BR2_USE_WCHAR
condition when deciding whether or not GraphicsMagick++-config should
be tweaked.
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
qprint is a small utility that handles encoding and decoding arbitrary
binary data in the Quoted-Printable format, which was introduced along
MIME.
As stated in the package description, although MUAs nowadays usually
take care of doing this encoding themselves, there are some use cases
where doing it manually is needed, and providing a command-line program
to do it is amenable to shell scripts.
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CMake based build system will be eventually removed by upstream
so it seems like a good idea to switch over to Meson already before
that happens.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When multiple conditions match simultaneously, even though that should
not happen in practice, we want the more "important" one to win over
the less "important" ones. For example, a tag is more important than a
branch name or a trigger.
Currently, the latest condition to match takes precendence over any
previous one, while we want the exact opposite.
Fix that with proper fallbacks in else-blocks.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
According to the original patch message:
Some Broadcom set-top-box boards have PCI busses, but the GPU is
still probed through DT. We would dereference a null busid here
in that case.
Fixes a segfault on at least the RPi 4 w/ xserver 1.20.9, probably
others as well.
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Current version does not run on imx6 and fails like this:
Error: eglCreateWindowSurface failed with error: 0x3009
Error: eglCreateWindowSurface failed with error: 0x3009
Error: CanvasGeneric: Invalid EGL state
Error: main: Could not initialize canvas
Bumping to the latest version fixes this problem.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
RFC3442 specifies a DHCP extension to provide the client with a list of
static routes to use. This is already handled by udhcpc and exposed as the
"staticroutes" environment variable, but currently not handled by the action
script.
Extend the script to do so. The RFC specifies that if this option is
provided by the server then the normal "routes" (3) option should be
ignored, so ensure that is done.
As we may now have more than just a default route on the interface, extend
the route cleanup logic to handle all routes for the interface (except for
the implied local 0.0.0.0 one).
Notice that this option is only sent by servers if explicitly requested by
the client, E.G. using the -O staticroutes option to udhcpc.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add support for imx8mqevk_defconfig that allows booting a mainline
kernel.
This defconfig still relies on NXP ATF and U-Boot, but in the long term
the plan is to switch to mainline ATF and U-Boot as well.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
http://autobuild.buildroot.net/results/d2d/d2d73f3c7075ca6e9782b9bb591dae40ab56b6a2/
ffmpeg configure prints: "ERROR: fontconfig not found using pkg-config"
Please note that the ffmpeg build error was reproducible but with a
different error message in ffbuild/config.log:
sysroot/usr/lib/libfontconfig.a(fccache.o): in function `lock_cache':
fccache.c:(.text+0xcd8): undefined reference to `pthread_mutex_init'
arm-buildroot-linux-gnueabi/bin/ld: fccache.c:(.text+0xcf8):
undefined reference to `pthread_mutex_destroy'
arm-buildroot-linux-gnueabi/bin/ld: fccache.c:(.text+0xd00):
undefined reference to `pthread_mutex_lock'
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix CVE-2020-14342: It was found that cifs-utils' mount.cifs was
invoking a shell when requesting the Samba password, which could be used
to inject arbitrary commands. An attacker able to invoke mount.cifs with
special permission, such as via sudo rules, could use this flaw to
escalate their privileges.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ARC glibc port was merged upstream in 2.32, so use that instead of
the one available from Synosys's Github.
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- change download url to https (as redirected by the original http url)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 82442b54b6 removed
0001-no-wchar.patch but without importing an upstream patch that
"should" have been equivalent to our patch but resulted in a build
failure on toolchains with wchar but without mbsrtowcs
So add a bunch of upstream patches and a new patch to fix this build
failure
While at it, also put back 0003-glob-detection.patch which, again, has
been upstreamed but is not in version 1.18 ...
Fixes:
- http://autobuild.buildroot.org/results/27f184af35468941173628e5e847a284c0b80d73
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- updated hashes
- explicitly advise to update hash in python-protobuf
- changed link in python-protobuf to point to the protobuf site
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
patch release with two bugfixes
- fixes the list of dependencies of absl::Cord in the CMake build
- bug fix for absl::Status::ErasePayload
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Disable static building of external/squirrel to fix the following build
failure with RELRO:
/home/peko/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: CMakeFiles/sq_static.dir/sq.c.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a PIE object; recompile with -fPIC
/home/peko/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/8.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: final link failed: nonrepresentable section on output
collect2: error: ld returned 1 exit status
Fixes:
- http://autobuild.buildroot.org/results/46e8f5e622ce450a89bc6d70f4bfd38182557901
- http://autobuild.buildroot.org/results/a43720492d817e4555d728546da9114e3ccba952
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Use dhcpdump target to avoid building dhcpdump.8 as it will raise the
following build failure if pod2man is not available:
pod2man --section 8 \
--date "23 June 2008" \
--name "DHCPDUMP" \
--center "User Contributed Software" \
dhcpdump.pod dhcpdump.8
/bin/sh: pod2man: command not found
make[1]: *** [Makefile:11: dhcpdump.8] Error 127
Fixes:
- http://autobuild.buildroot.org/results/db3be149ec71de8376f685a6a9f027191d9bccc9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This release adds support for ambient capabilities and V3 filesystem
capabilities.
A bug in the python bindings was also fixed which prevented use of
capng_updatev.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Do not build examples to avoid a build failure on rtop example which
depends on ncurses and has been added in version 4.11.0 with
https://sourceforge.net/p/perfmon2/libpfm4/ci/7d1ec562ddbb2af2d6b7af8cec78b03213a3e4ce
/tmp/instance-0/output-1/host/bin/arm-linux-gcc -I. -I/tmp/instance-0/output-1/build/libpfm4-4.11.0/perf_examples/../include -DCONFIG_PFMLIB_DEBUG -DCONFIG_PFMLIB_OS_LINUX -I. -D_GNU_SOURCE -pthread -o rtop rtop.o perf_util.o /tmp/instance-0/output-1/build/libpfm4-4.11.0/perf_examples/../lib/libpfm.a -lpthread -lncurses -ltinfo -lm
/tmp/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-gnueabihf/9.2.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: cannot find -ltinfo
Fixes:
- http://autobuild.buildroot.org/results/8ad23a82bcf32cd22256f9984a8f4cfa45951eee
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- rename pidfile from htpdate to htpdate.pid
Fixes:
PIDFile= references a path below legacy directory /var/run/, updating
/var/run/htpdate.pid → /run/htpdate.pid; please update the unit file
accordingly.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add gentoo patch to fix bison-3.7.1 related compile failure and
an additional one doing a similare change for another bison call
in Source/WebCore/DerivedSources.pri.
Fixes:
generated/XPathGrammar.tab.c:124:10: fatal error: XPathGrammar.tab.h: No such file or directory
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
netcalc is a slimmed down clone of sipcalc, using the popular output
format of ipcalc (perl). It is written in C and only depends on a
POSIX compliant C library. Both IPv4 and IPv6 are supported.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Reviewed-by: Michael Nosthoff <buildroot@heine.tech>
Tested-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following check-package warning:
package/makedumpfile/makedumpfile.mk:24: consecutive empty lines
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
MAKEDUMP_MAKE_OPTS contains an important option to enable LZO support,
but it was not passed at build time.
Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- update home page URL
- change download to new location
- remove old patches (first release since 2010)
- autoreconf now useless
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CMake based build system will be eventually removed by upstream
so it seems like a good idea to switch over to Meson already before
that happens.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Changes:
* Coding style has been unified
* SCRAM-SHA-256 and SCRAM-SHA-512 support
* c-ares support
* LibreSSL support
* Introduced global timed handlers that fire periodically regardless
of connections status, such a handler can be used to implement
deferred re-connection
* examples/register implements XEP-0077
* Fixed issue with IPv6 on Windows (#153)
* Improved portability across systems such as Haiku, Windows
* New API:
- xmpp_stanza_get_child_by_name_and_ns()
- xmpp_conn_is_connecting()
- xmpp_conn_is_connected()
- xmpp_conn_is_disconnected()
- xmpp_stanza_new_from_string()
- xmpp_stanza_add_child_ex()
- xmpp_stanza_get_context()
- xmpp_stanza_reply_error()
- xmpp_global_timed_handler_add()
- xmpp_global_timed_handler_delete()
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
CMake offers the BUILD_SHARED_LIBS flag as a default parameter
and most packages honor them.
Similar to pkg-autotools.mk build host packages always with
BUILD_SHARED_LIBS=ON.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is similar to the llvm package which also disables shared libs
for the host variant.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
doxygen fails to build with BUILD_SHARED_LIBS=ON as it only
for some targets honors this flag and links the rest static.
So enforce BUILD_SHARED_LIBS=OFF for this package.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Analog audio is enabled by default in sunxi_defconfig since commit 5d2408c6
(ARM: configs: sunxi: Add sun8i analog codec), so drop from fragment.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The previous commit to this package
(37c5e903a7) introduced a bunch of patches
to fix a CVE. Unfortunatly only applying of the patches was tested but
not building the package.
This commit replaces a define that was introduced in a previous patch
upstream and caused the build failure.
Tested:
br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
br-arm-cortex-m4-full [3/6]: SKIPPED
br-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
sourcery-arm [6/6]: OK
Fixes:
- http://autobuild.buildroot.net/results/3f7fe8ad181318153c459ba5e1afbbc8b49d541c/
- and more
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
wlconf is build and installed as a host utility to be able to tweak
the wl18xx firmware configuration at build time.
Signed-off-by: Miken Valabdas <mvalabdas@distech-controls.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Brings a number of fixes and audio support. The aarch64 defconfig has
grown, so bump the ext4 size to make it fit.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add patch from upstream that fixes build with Bison 3.7.
There are no autobuilder failures for this issue, but the following
defconfig:
BR2_arm=y
BR2_cortex_a8=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_INIT_NONE=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_SYSTEM_BIN_SH_NONE=y
BR2_PACKAGE_QT5=y
BR2_PACKAGE_QT5WEBENGINE=y
BR2_PACKAGE_RPI_USERLAND=y
Failed with:
/home/thomas/buildroot/buildroot/output/build/qt5webengine-5.15.0/src/core/release/gen/third_party/blink/renderer/core/xpath_grammar.cc:124:10: fatal error: xpath_grammar.hh: No such file or directory
124 | #include "xpath_grammar.hh"
| ^~~~~~~~~~~~~~~~~~
compilation terminated.
With this patch applied, it builds fine.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: add url to upstream commit, provided by Peter]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
>From the release notes
See: https://github.com/redis/redis/blob/6.0.8/00-RELEASENOTES
================================================================================
Redis 6.0.7 Released Fri Aug 28 11:05:09 IDT 2020
================================================================================
Upgrade urgency MODERATE: several bugs with moderate impact are fixed,
Specifically the first two listed below which cause protocol errors for clients.
================================================================================
Redis 6.0.8 Released Wed Sep 09 23:34:17 IDT 2020
================================================================================
Upgrade urgency HIGH: Anyone who's using Redis 6.0.7 with Sentinel or
CONFIG REWRITE command is affected and should upgrade ASAP, see #7760.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Alteras Jam STAPL Bytecode Player with 64-bit support.
This is a user-space port of the altera-stapl driver from the linux kernel.
The source released by Altera wasn't 64-bit compatible.
Additionally, the linux version is much cleaner and old cruft was removed.
Signed-off-by: Jochen Baltes <jochen.baltes@gmail.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
[yann.morin.1998@free.fr: use the latest HEAD of the repository]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Currently, the cross-compilation.conf installed in
$(HOST_DIR)/etc/meson/cross-compilation.conf for use by the SDK is
generated in a post-install-staging hook of the toolchain package.
With per-package directory support enabled, this means that the
generated cross-compilation.conf contains references to the
per-package directory of the toolchain/ package, which is not want we
want:
[binaries]
c = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-gcc'
cpp = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-g++'
ar = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-ar'
strip = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/bin/arm-linux-strip'
pkgconfig = '/home/thomas/projets/buildroot/output/per-package/toolchain/host/usr/bin/pkg-config'
So instead, we generate this file in TOOLCHAIN_TARGET_FINALIZE_HOOKS,
so that the global paths are used:
[binaries]
c = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-gcc'
cpp = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-g++'
ar = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-ar'
strip = '/home/thomas/projets/buildroot/output/host/bin/arm-linux-strip'
pkgconfig = '/home/thomas/projets/buildroot/output/host/usr/bin/pkg-config'
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Add several upstream patches that are made to fix this CVE. Since there
is still no dated plan to release a new version add this bunch of
patches.
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Just like glibc, host-localedef needs python3 on the host to
build... since host-localedef is basically using the sources of glibc.
Fixes:
checking if /build/build/per-package/host-localedef/host/bin/ccache
/usr/bin/gcc is sufficient to build libc... yes
checking for x86_64-pc-linux-gnu-nm... /usr/bin/nm
checking for python3... no
checking for python... python
checking version of python... 2.7.18, bad
configure: error:
*** These critical programs are missing or too old: python
*** Check the INSTALL file for required versions.
As reported at:
http://lists.busybox.net/pipermail/buildroot/2020-September/291929.html
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Major updates:
- AMD Zen1 core PMU updates
- AMD Zen2 core PMU support
- Intel Icelake core PMU support
- support to report if events are speculative
- support for Extended PEBS events on Icelake
- Intel Tremont core PMU support
- ARM Neoverse N1 core PMU support
- s390 event table updates
- Marvell TX2 core and uncore updates
- Intel CascadeLakeX uncore PMU support
- Various other event table updates and bug fixes
http://perfmon2.sourceforge.net/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Use --with-openssl=pkg-config otherwise sofia-sip will fail to retrieve
openssl dependencies resulting in the following build failure:
/srv/storage/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: ../libsofia-sip-ua/.libs/libsofia-sip-ua.a(tport_type_ws.o): in function `tport_ws_deinit_primary':
tport_type_ws.c:(.text+0x2c): undefined reference to `SSL_CTX_free'
/srv/storage/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: ../libsofia-sip-ua/.libs/libsofia-sip-ua.a(tport_type_ws.o): in function `tport_ws_init_primary_secure':
pkg-config option has been added to freeswitch sofia-sip since 2007 and
https://github.com/freeswitch/sofia-sip/commit/044ac9d8fa7e840cf3e38c3fa7f8cacd0d21b3ea
Fixes:
- http://autobuild.buildroot.org/results/8a0c9dbad74a3b358f90c7a3b56b638c4bdb8045
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Use tar.gz as SHA512SUMS does not contain the hash for tar.xz
- Fix CVE-2020-15900: A memory corruption issue was found in Artifex
Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator
can allow overriding of file access controls. The 'rsearch'
calculation for the 'post' size resulted in a size that was too large,
and could underflow to max uint32_t.
https://www.ghostscript.com/doc/9.53.0/News.htm
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
re2 unconditionally uses -pthread and add it to re2.pc
Moreover, it fails to buid without threads on:
In file included from /home/peko/autobuild/instance-0/output-1/per-package/re2/host/opt/ext-toolchain/arm-buildroot-linux-uclibcgnueabihf/include/c++/8.3.0/arm-buildroot-linux-uclibcgnueabihf/bits/os_defines.h:39,
from /home/peko/autobuild/instance-0/output-1/per-package/re2/host/opt/ext-toolchain/arm-buildroot-linux-uclibcgnueabihf/include/c++/8.3.0/arm-buildroot-linux-uclibcgnueabihf/bits/c++config.h:508,
from /home/peko/autobuild/instance-0/output-1/per-package/re2/host/opt/ext-toolchain/arm-buildroot-linux-uclibcgnueabihf/include/c++/8.3.0/bits/stl_algobase.h:59,
from /home/peko/autobuild/instance-0/output-1/per-package/re2/host/opt/ext-toolchain/arm-buildroot-linux-uclibcgnueabihf/include/c++/8.3.0/memory:62,
from /home/peko/autobuild/instance-0/output-1/build/re2-2020-08-01/re2/filtered_re2.h:24,
from /home/peko/autobuild/instance-0/output-1/build/re2-2020-08-01/re2/filtered_re2.cc:5:
/home/peko/autobuild/instance-0/output-1/per-package/re2/host/arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/include/features.h:218:5: warning: #warning requested reentrant code, but thread support was disabled [-Wcpp]
# warning requested reentrant code, but thread support was disabled
^~~~~~~
In file included from /home/peko/autobuild/instance-0/output-1/build/re2-2020-08-01/re2/prog.h:22,
from /home/peko/autobuild/instance-0/output-1/build/re2-2020-08-01/re2/bitstate.cc:28:
/home/peko/autobuild/instance-0/output-1/build/re2-2020-08-01/re2/re2.h:768:16: error: 'once_flag' in namespace 'std' does not name a type
mutable std::once_flag rprog_once_;
^~~~~~~~~
/home/peko/autobuild/instance-0/output-1/build/re2-2020-08-01/re2/re2.h:768:11: note: 'std::once_flag' is defined in header '<mutex>'; did you forget to '#include <mutex>'?
/home/peko/autobuild/instance-0/output-1/build/re2-2020-08-01/re2/re2.h:218:1:
+#include <mutex>
Fixes:
- http://autobuild.buildroot.org/results/7d7c6dcac3cb8ea6deb753178e85eb1c5c74c8e3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Drop patches (already in version)
- Fix CVE-2020-16135: libssh 0.9.4 has a NULL pointer dereference in
tftpserver.c if ssh_buffer_new returns NULL.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot generates Linux systems, so there is no need to have
MS Windows executables in there.
This reduces the target filesystem size by about 600kB:
$ du -hcs usr/lib/python2.7/distutils/command/wininst-*.exe
60K usr/lib/python2.7/distutils/command/wininst-6.0.exe
64K usr/lib/python2.7/distutils/command/wininst-7.1.exe
60K usr/lib/python2.7/distutils/command/wininst-8.0.exe
192K usr/lib/python2.7/distutils/command/wininst-9.0.exe
220K usr/lib/python2.7/distutils/command/wininst-9.0-amd64.exe
596K total
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot generates Linux systems, so there is no need to have
MS Windows executables in there.
This reduces the target filesystem size by about 2MB:
$ du -hcs usr/lib/python3.8/distutils/command/wininst-*.exe
60K usr/lib/python3.8/distutils/command/wininst-6.0.exe
64K usr/lib/python3.8/distutils/command/wininst-7.1.exe
60K usr/lib/python3.8/distutils/command/wininst-8.0.exe
192K usr/lib/python3.8/distutils/command/wininst-9.0.exe
220K usr/lib/python3.8/distutils/command/wininst-9.0-amd64.exe
188K usr/lib/python3.8/distutils/command/wininst-10.0.exe
220K usr/lib/python3.8/distutils/command/wininst-10.0-amd64.exe
448K usr/lib/python3.8/distutils/command/wininst-14.0.exe
576K usr/lib/python3.8/distutils/command/wininst-14.0-amd64.exe
2,0M total
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add an upstream patch that disable -Werror to avoid the following build
failure:
lttng-live.c: In function 'lttng_live_msg_iter_next':
lttng-live.c:1226:15: error: 'stream_iter' may be used uninitialized in this function [-Werror=maybe-uninitialized]
int ret = common_muxing_compare_messages(
^
lttng-live.c:1198:38: note: 'stream_iter' was declared here
struct lttng_live_stream_iterator *stream_iter;
^
lttng-live.c: At top level:
cc1: error: unrecognized command line option '-Wno-cast-function-type' [-Werror]
cc1: all warnings being treated as errors
Fixes:
- http://autobuild.buildroot.org/results/ff41326f913e71f982b3d5cbaf054f8be47913aa
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 4e60247be6 ("package/xerces: fix
coding style in Config.in") introduced a silly typo in the xerces
package depends on... which effectively made it impossible to enable
this package as the "USE_WCHAR" option does not exist.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop default dependencies, haveged needs nothing but local sockets and
/dev/random.
The service file now mostly matches the upstream Fedora file, except a
lot of isolation options have been dropped. The benefit for a
completely controlled system is small, and those option would pull in
dependencies, delaying entropy being filled up.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes issues with the triple on IBM s390x and Z machines.
Signed-off-by: Alexander Egorenkov <egorenar@linux.ibm.com>
[yann.morin.1998@free.fr: update both, using the update script]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Add a new option that prints the (runtime) path of compiled .py files
when VERBOSE=1 is set.
Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When generating a .pyc file, the original .py source file path is
encoded in it. It is used for various purposes: traceback generation,
.pyc file comparison with its .py source, and code inspection.
By default, the source path used when invoking compileall is encoded in
the .pyc file. Since we use paths relative to TARGET_DIR, we end up with
paths that are only valid when relative to '/' encoded in the installed
.pyc files on the target.
This breaks code inspection at runtime since the original source path
will be invalid unless the code is executed from '/'.
Unfortunately, compileall cannot be forced to use the proper path. It
was not written with cross-compilation usage in mind.
Rework the script to call py_compile.compile() directly with pertinent
options:
- The script now has a new --strip-root argument. This argument is
optional but will always be specified when compiling py files in
buildroot.
- All other (non-optional) arguments are folders in which all
"importable" .py files will be compiled to .pyc.
- Using --strip-root=$(TARGET_DIR), the future runtime path of each .py
file is computed and encoded into the compiled .pyc.
No need to change directory before running the script anymore.
The trickery used to handle error reporting was only applicable with
compileall. Since we implement our own "compileall", error reporting
becomes trivial.
Previously, we had a --force option to tell compileall.compiledir() to
forcibly recompile files if they had changed. Now, we would have to
handle it ourselves. It turns out to not be easy and would need us to
delve into the format of bytecompiled files to extract metadata and
compare it with the expected values, that being even dependent on the
python version being used (fortunately, only two for us: python 2.7 and
the latext 3.x).
Still, this is deemed too complex, and byte-compiling is pretty fast, so
much so that it should be eclipsed by the build duration anyway.
So we just drop support for --force, and instead we always byte-compile.
Signed-off-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
[yann.morin.1998@free.fr:
- always byte-compile
- drop --force
- expand commit log to state so and explain why
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Now that upstream supports this board add buildroot support for it,
too.
This supports:
- latest upstream linux kernel. Since the support for this board and
its SoC is still in active development, we want to follow the
upstream kernel releases for now.
- building an image which can be installed to eMMC, SD card or USB
thumb drive.
- upstream u-boot patches are pending, therefore no support for
building a bootloader for now.
Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Babeltrace 2 is a trace manipulation toolkit.
The Babeltrace 2 project offers a library with a C API, Python 3
bindings, and a command-line tool which makes it very easy for mere
mortals to view, convert, transform, and analyze traces.
See <https://babeltrace.org/> for more details.
Babeltrace 2 is a major update of Babeltrace 1 (Buildroot package
`lttng-babeltrace`). Both projects are coinstallable. Except for the
command-line tool (named `babeltrace2`), the Babeltrace 2 project is not
backward compatible with Babeltrace 1.
I'm naming this package `babeltrace2` instead of `lttng-babeltrace2`
because, although it can read LTTng traces, the two projects are
independent. All major distributions use `babeltrace2` as the
Babeltrace 2 package's name.
I'm keeping the `lttng-babeltrace` package because, as of this date, we
still add bug and security fixes from time to time, therefore the
project is not in EOL stage. Some external, custom packages could still
depend on the Babeltrace 1 library, for example.
As with `lttng-babeltrace`, you can build and install the host version
of Babeltrace 2 for the workflow where you trace the target, download
the resulting trace (or receive it during the tracing process), and then
read and analyze it with Babeltrace 2.
If you enable the `elfutils` package (`BR2_PACKAGE_ELFUTILS`), then
support for Babeltrace 2's debugging information filter component
class is enabled.
Tested with glibc, uClibc-ng, and musl.
Signed-off-by: Philippe Proulx <eeppeliteloop@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- the package couldn't be selected with vivante backend anyway since
the split
- the package couldn't be updated to newer versions as it would imply
forking libdrm and wayland-protocols for it to build
- drawback of not using NXP weston is the lack of G2D support, let's
have it as a known issue for Buildroot but use standard weston
package
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- add defaults for all meson options (and order according to
meson_options.txt file)
- drop pthread linking flags previously needed for the test
programs (maybe not needed by meson, tests disabled by option)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update nginx-upload to a newer Git commit which adds upload support over
HTTP2 as well as other fixes.
Remove a patch which is no longer required in the current version.
Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit adds a patch that passes -fno-builtin to fix the build
with gcc 10. The patch has been submitted upstream.
There are no autobuilder failures, since it's a bootloader package,
and therefore not tested by the autobuilders. However, a build failure
was detected when building toolchains and a minimal ARMv7-M system at
https://gitlab.com/bootlin/toolchains-builder/-/jobs/729359529.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the bump of libcap to 2.42, host-libcap unconditionally tries to
build a shared library, which fails on build machines where the static
version of the C library is not available.
This issue was reported upstream, who fixed it by two different
commits, which are backported as patches 0001 and 0002. They require
passing a DYNAMIC= value, which should be "yes" to enable dynamic
linking, or empty when not using dynamic linking.
However, other upstream changes broke our logic to support static-only
linking for the target. So we introduce a 0003 patch which extends how
the DYNAMIC flag is used to disable the build of the shared library in
the libcap/ folder. This allows to greatly simplify libcap.mk.
Note that the refactoring is mixed with the fix: the two are hardly
splitable. We need to be able to pass the same options at all steps, and
especially the staging step, otherwise some code gets compiled with the
host compiler, installed in staging, and thus fails the architecture
check later on.
Fixes:
host-libcap build failure on system without a static libc
http://autobuild.buildroot.net/results/4b14458014e420ffe088f118e7d0261e67f2d551/
libcap build failure on static only systems
http://autobuild.buildroot.net/results/8961759067c4639ae697b6ee5db606f098b7c7e8/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
- also pass DYNAMIC=yes at host-install step
- extend commit log to explain why we refactor and fix together
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Stop trying to enable the xcb-errors Meson option and always disable it:
there is no xcb-util-errors package in Buildroot. The build recipe was
wrongly assuming that the XCB errors library would be installed as part
of the xcb-util package, which is not the case.
Fixes the following autobuilder failure:
http://autobuild.buildroot.net/results/1891aa624b29e4bbcbbe6bc752a1cc90c316024e/
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since commit efa95b19ae
("package/libxml-parser-perl: make host build use correct compiler"),
we pass $(HOST_CONFIGURE_OPTS) when building host-libxml-parser-perl,
in order to use the correct host compiler.
However, this means that LD="$(HOSTLD)" is passed. However, the
host-libxml-parser-perl passes compiler arguments to LD, so it really
assumes that LD is gcc, not ld. For example, it tries to pass
-mtune=generic.
So, let's tell host-libxml-parser-perl that LD is "$(HOSTCC)".
Fixes:
http://autobuild.buildroot.net/results/2ed2e5ccefe9047c597f84d5880de2e8de2bdd94/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
GCC 10 with -std=c++20 breaks boost library due to allocator changes.
https://github.com/boostorg/bimap/issues/23
We need boost 1.74.0 to fix build with gcc-10 -std=c++20. Note that none
of the Buildroot packages that use boost set -std=c++20, so no in-tree
failures.
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Reviewed-by: Michael Nosthoff <buildroot@heine.tech>
Tested-by: Michael Nosthoff <buildroot@heine.tech> for arm
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Only run code when the script is executed directly (not imported).
Factorize command description by using the script's __doc__ variable.
Fix typo in --force help message.
Signed-off-by: Robin Jarry <robin.jarry@6wind.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
In commit c2009e9f75
("package/linux-headers: license files hashes only valid for latest
version"), we introduced BR2_KERNEL_HEADERS_LATEST, which should only
be set for the most recent kernel headers versions.
Indeed, the COPYING file of Linux has changed before/after Linux 5.6,
causing its hash file to be different. Since linux-headers uses
linux/linux.hash as the hash file, and this hash file contains the
COPYING hash of Linux >= 5.6, we cannot use that hash for Linux
versions older than 5.6.
When newer versions of the headers than 5.4 were added, this
BR2_KERNEL_HEADERS_LATEST was not moved as it should have been. We fix
this, which fixes a legal-info failure happening when Linux kernel
headers 5.4 are used:
>>> linux-headers 5.4.63 Patching
>>> linux-headers 5.4.63 Collecting legal info
ERROR: COPYING has wrong sha256 hash:
ERROR: expected: fb5a425bd3b3cd6071a3a9aff9909a859e7c1158d54d32e07658398cd67eb6a0
ERROR: got : ee5808b032a67f587d3541099d46de34f5bec8cd5976114ba07f1299ee6001ff
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, the check of defconfigs is run for all branches, even those
that are pushed only to run runtime tests. This is very inconvenient.
In fact, we only want to check the defconfigs on standard branches, that
is master, next, and the maintenance branches.
This will also decrease drastically the number gitlab-ci minutes used
when one pushes their repo to gitlab.com, where the number of CI minutes
are now going to be pretty severely restricted.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Note that those tests were so far ignored only when requesting a single
defconfig build, or a single runtime test build; everything else
was trigerring thoses tests.
However, it feels more natural that they are also ignored when all
defconfigs build. or all runtime tests, are explictly requested.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues:
- CVE-2020-15166: Denial-of-Service on CURVE/ZAP-protected servers by
unauthenticated clients.
If a raw TCP socket is opened and connected to an endpoint that is fully
configured with CURVE/ZAP, legitimate clients will not be able to exchange
any message. Handshakes complete successfully, and messages are delivered
to the library, but the server application never receives them. For more
information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m
- Stack overflow on server running PUB/XPUB socket (CURVE disabled).
The PUB/XPUB subscription store (mtrie) is traversed using recursive
function calls. In the remove (unsubscription) case, the recursive calls
are NOT tail calls, so even with optimizations the stack grows linearly
with the length of a subscription topic. Topics are under the control of
remote clients - they can send a subscription to arbitrary length topics.
An attacker can thus cause a server to create an mtrie sufficiently large
such that, when unsubscribing, traversal will cause a stack overflow. For
more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
- Memory leak in PUB server induced by malicious client(s) without CURVE/ZAP.
Messages with metadata are never processed by PUB sockets, but the
metadata is kept referenced in the PUB object and never freed. For more
information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-4p5v-h92w-6wxw
- Memory leak in client induced by malicious server(s) without CURVE/ZAP.
When a pipe processes a delimiter and is already not in active state but
still has an unfinished message, the message is leaked.
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
- Heap overflow when receiving malformed ZMTP v1 packets (CURVE disabled).
By crafting a packet which is not valid ZMTP v2/v3, and which has two
messages larger than 8192 bytes, the decoder can be tricked into changing
the recorded size of the 8192 bytes static buffer, which then gets
overflown by the next message. The content that gets written in the
overflown memory is entirely decided by the sender.
For more information see the security advisory:
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
Drop now upstreamed patches, autoreconf and reformat hash file with 2 space
delimiters.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit [1] in U-Boot upstrea, there is no necessity to pass extra
metadata_csum option due to changed env location in U-Boot so we can
drop it completely.
[1] 76db1681da52342ca9f4fb7e6787bd83cc82f429:
stm32mp1: use a specific SD/eMMC partition for U-Boot enviromnent
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr: 76db1681d referecnes a U-Boot commit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
IPython-enabled pdb.
This package can be very helpful when someone wants to debug
a Python application on the board itself.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
On aarch64 With the config option "--enable-mpers=check" the configure.ac
script searchs for a 32bit compiler. When a matching compiler is found
in the PATH some compatiblity checks are done. This can fail when the
available kernel headers on host and buildroot target does not match.
Since buildroot does not support 32bit binaries when building for 64bit
architecture (no -m32 option) we can disable this option unconditionally.
When disabling unconditionally also the configuration for toolchain using
MUSL can be removed.
Cc: Baruch Siach <baruch@tkos.co.il>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Force GIT_VERSION to avoid git version logic that takes the Buildroot
git commit id.
Update LICENSE hash; copyright year update.
Format hashes file with two space delimiters.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package uses gcc filename without absolute path, which breaks
the host build if host and target compiler have the same filename.
(Can happen with an external toolchain).
This patch adds the variables for the host as overrides,
as they are otherwise not picked up from the environment.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Both patches are now upstream and can be dropped:
- 7cfaa9dede0f7f711a0fb961559e9629e7c7a259 is "MakeHeader.py: Fix for
non-utf8 environments"
- dfd9279f87791e36a5212726781c31fbe7110361 is "Resolve complation
issues with -fno-common (default from gcc-10)"
The license file hash is changed due to the removal of one empty line:
@@ -353,4 +353,3 @@
applicable licenses of the version of PLPA used in your combined work,
provided that you include the source code of such version of PLPA when
and as the GNU GPL requires distribution of source code.
-
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Easyframes uses fork when capturing frames in a pcap file, therefore
add the dependency BR2_USE_MMU.
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Contains fixes for overflows when input chunks are larger than 2 GiB,
an uninitialized data access, and minor correctness and performance
improvements. There does not seem to be any CVEs filed, but there is
a security notice in the release notes at:
https://github.com/google/brotli/releases/tag/v1.0.9
Patch "0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch"
is rebased against the latest upstream changes.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
graphical is equivalent to the sysvinit runlevel 5
multi-user is equivalent to a runlevel between 2 and 4
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
opcua-asyncio is an asyncio-based asynchronous OPC UA client
based on python-opcua, removing hacks for support of
python < 3.6.
Asynchronous programming allows for simpler code (e.g. less need
for locks) and potentially performance gains.
More information is available at :
https://github.com/FreeOpcUa/opcua-asyncio.
Signed-off-by: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Ordinary local file IO is blocking, and cannot easily and
portably made asynchronous.
This means doing file IO may interfere with asyncio applications,
which shouldn’t block the executing thread. aiofiles helps
with this y introducing asynchronous versions of files
that support delegating operations to a separate thread pool.
More information is available at :
https://pypi.org/project/aiofiles.
Signed-off-by: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
janus-gateway comes with an example website to test its features.
Since the bump to 0.10.3, this website takes 1.8MiB uncompressed on
the target, among which is a 1MiB video sample which does not compress
well.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This will avoid the following build failure with openpgm 5.3:
In file included from /home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-gnueabihf/sysroot/usr/include/pgm-5.3/pgm/skbuff.h:39,
from /home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-gnueabihf/sysroot/usr/include/pgm-5.3/pgm/msgv.h:33,
from /home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-gnueabihf/sysroot/usr/include/pgm-5.3/pgm/pgm.h:44,
from src/ip.cpp:67:
/home/fabrice/buildroot/output/host/bin/../arm-buildroot-linux-gnueabihf/sysroot/usr/include/pgm-5.3/pgm/socket.h:207:1: error: ‘const char* pgm_family_string(int)’ defined but not used [-Werror=unused-function]
207 | pgm_family_string (
| ^~~~~~~~~~~~~~~~~
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
No MINIDLNA_IGNORE_CVES entry is added as no CVE has been assigned to
minidlna. Indeed, CallStranger vulnerability affect(ed) most of the UPnP
stacks (e.g. gupnp, libupnp)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Per-package build of apparmor with apache fails on:
/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apparmor/host/x86_64-buildroot-linux-musl/sysroot/usr/bin/apxs -c mod_apparmor.c -L/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apparmor/host/bin/../x86_64-buildroot-linux-musl/sysroot/usr/lib -lapparmor
/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apache/host/x86_64-buildroot-linux-musl/sysroot/usr/bin/../../usr/build-1/libtool --silent --mode=compile /usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apache/host/bin/x86_64-linux-gcc -prefer-pic -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g2 -I/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apache/host/x86_64-buildroot-linux-musl/sysroot/usr/include -I/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apache/host/x86_64-buildroot-linux-musl/sysroot/usr/bin/../../usr/include/apr-1 -I/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apache/host/x86_64-buildroot-linux-musl/sysroot/usr/bin/../../usr/include/apr-1 -I/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apache/host/x86_64-buildroot-linux-musl/sysroot/usr/bin/../../../../x86_64-buildroot-lin
ux-musl/sysroot/usr/include -c -o mod_apparmor.lo mod_apparmor.c && touch mod_apparmor.slo
mod_apparmor.c:28:10: fatal error: sys/apparmor.h: No such file or directory
#include <sys/apparmor.h>
^~~~~~~~~~~~~~~~
The issue is that sys/appamor.h is not installed in the apache
per-package directory which is mangled by
APACHE_FIX_STAGING_APACHE_CONFIG, i.e.
/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/per-package/apache/host/x86_64-buildroot-linux-musl/sysroot/usr/include
So implement the same workaround made on apache to replace those wrong
apache paths by apparmor paths in apxs binary and its configuration file
(i.e. config_vars.mk) as suggested by Thomas Petazzoni and Yann E. Morin
during review of the first iteration of this patch
Fixes:
- http://autobuild.buildroot.org/results/ef1fcd57e0c09a2806bf2272bb21df6d3300b45b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
GraphicsMagick through 1.3.35 has a heap-based buffer overflow in
ReadMNGImage in coders/png.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
The server sending a "no_renegotiation" alert in an unexpected timing,
followed by an invalid second handshake was able to cause a TLS 1.3
client to crash via a null-pointer dereference. The crash happens in the
application's error handling path, where the gnutls_deinit function is
called after detecting a handshake failure (#1071).
[GNUTLS-SA-2020-09-04, CVSS: medium]
https://lists.gnupg.org/pipermail/gnutls-help/2020-September/004669.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issues:
CVE-2020-25125: Importing an OpenPGP key having a preference list for AEAD
algorithms will lead to an array overflow and thus often to a crash or other
undefined behaviour (affected: 2.2.21 / 2.2.22)
For more details, see the announcement:
https://lists.gnupg.org/pipermail/gnupg-announce/2020q3/000448.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
certutil is a command-line utility for managing keys and certificate in
both NSS databases and other NSS tokens.
Signed-off-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cherry-pick a patch from upstream project that fixes the build when used
with a uClibc based toolchain.
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patches that are now upstream.
Pipewire now requires renderer-gl, only enable pipewire when
renderer-gl is also enabled.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The libcamera project has moved to C++17, therefore also update the
toolchain requirements accordingly.
Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
[yann.morin.1998@free.fr: s/\t/ / in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The ControlValue structure is currently defined with a 16-bit hole
(causing unaligned access to the numElements_ field, though that's a
separate topic).
This structure has a static assertion to ensure that its size does not
change without due care, as it forms part of our ABI and is used in
Serialisation between the pipeline handlers and IPA components.
The m68k architecture is the only target which fails this assertion,
which is likely because it can pack the structure more efficiently,
producing a different binary size.
This is likely an area we will tackle before stabilising our ABI, but
until then, disable m68k builds as libcamera is not expected to be
supported on this target.
Fixes;
- http://autobuild.buildroot.net/results/9dce26e94299a2c61bba60cbc7803926e2f85e29/
Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
[yann.morin.1998@free.fr, suggestions from Thomas:
- introduce BR2_PACKAGE_LIBCAMERA_ARCH_SUPPORTS
- propagate that to the comment
- add autobuilder reference
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When both BR2_REFPOLICY_EXTRA_MODULES_DIRS and
PACKAGES_SELINUX_EXTRA_MODULES_DIRS are empty, we expect
REFPOLICY_EXTRA_MODULES_DIRS to also be empty. However, due to spaces,
this is not the case. This commit adds a $(strip ...) call to ensure
it is the case.
Thanks to this, the check on whether REFPOLICY_EXTRA_MODULES_DIRS is
empty later on will really work as it should.
Reported-by: Antoine Ténart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Extract from bug report:
"In usb_modeswitch Makefile dispatcher-script, dispatcher-dynlink and
dispatcher-statlink are .PHONY targets. The result is that sources are
compiled also when install targets are called.
USB_MODESWITCH_INSTALL_TARGET_CMDS calls $(MAKE) which is a call to
parallel make eg. make -j9. So the install phase can install empty
usb_modeswitch binary (happened once) if the compiler have just cleared
the binary and install command installs it before compiler writes the
binary. USB_MODESWITCH_INSTALL_TARGET_CMDS should call $(MAKE1)."
Instead of disabling parellel install, use install-common target instead
of install-{dyn,stat}link targets. Indeed, the dynamic or static
usb_modeswitch_dispatcher binary will be built by
all-with-{dyn,stat}link-dispatcher targets, there is no need to rebuild
it during the install step
Fixes:
- https://bugs.buildroot.org/show_bug.cgi?id=12911
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
tinyhttpd is affected by CVE-2002-1819 and is not maintained anymore
(no release since 2001) so remove it
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If BR2_TARGET_ROOTFS_UBIFS is selected, enable the following kernel options:
- CONFIG_UBIFS_FS_XATTR
- CONFIG_UBIFS_FS_SECURITY
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If BR2_TARGET_ROOTFS_SQUASHFS is selected, enable the following kernel options:
- CONFIG_SQUASHFS_XATTR
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If BR2_TARGET_ROOTFS_JFFS2 is selected, enable the following kernel options:
- CONFIG_JFS_SECURITY
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If BR2_TARGET_ROOTFS_F2FS is selected, enable the following kernel options:
- CONFIG_F2FS_FS_XATTR
- CONFIG_F2FS_FS_SECURITY
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If BR2_TARGET_ROOTFS_EXT2_4 is selected, enable the following kernel options:
- CONFIG_EXT4_FS_SECURITY
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If BR2_TARGET_ROOTFS_EXT2_3 is selected, enable the following kernel options:
- CONFIG_EXT3_FS_SECURITY
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If BR2_TARGET_ROOTFS_EXT2 is selected, enable the following kernel options:
- CONFIG_EXT2_FS_XATTR
- CONFIG_EXT2_FS_SECURITY
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If BR2_TARGET_ROOTFS_EROFS is selected, enable the following kernel options:
- CONFIG_EROFS_FS_XATTR
- CONFIG_EROFS_FS_SECURITY
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently, the libselinux package sets the CONFIG_DEFAULT_SECURITY_SELINUX
kernel option. However, as of kernels >= 5.1, this option is superseded in
favor of the CONFIG_LSM option, a comma-separated list of LSMs the kernel
should initialize in order.
As the previous behavior of this package sets the kernel's default and only
LSM to initialize to SELinux, it is safe to set this string to just selinux.
If the user wants additional LSM's, they may do so with a custom kernel config.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add documentation about how to use SELinux in Buildroot, and what are
the available mechanisms to extend and customize the SELinux policy.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
[Thomas: misc improvements.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The refpolicy configure and build step were not correctly defined. The
configuration was split between the configure and build step, while
both the compilation and the installation were done in the install
step. Fix this by moving all the configuration within the
configuration step and by adding a call to make in the build step to
compile the policy.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Allow packages to have an 'selinux' subfolder containing SELinux modules
(sources) to be synced and compiled within the refpolicy, if the package
is selected.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add support for the user to provide a fully custom refpolicy. When
this is used, modules aren't disabled anymore and packages do not
select refpolicy available modules either. The custom refpolicy must
define the full policy explicitly, and must be a fork of the original
refpolicy, to have the same build system.
This is added to allow users to fully control an SELinux policy, by
providing a complete custom policy.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Allow users to select additional modules available in the refpolicy, to
be built in the binary policy. This will allow non-base modules to be
selected based on the user use-case and to select extra module
dependencies when providing out-of-tree modules.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Allow users to provide custom SELinux modules to be part of the final
policy. A new configuration variable is added, pointing to list of
directories containing the custom modules.
SELinux modules do require a metadata.xml file to be well integrated
in the refpolicy build. If this file isn't provided, it will be
automatically created.
For now, this option requires the extra modules to be directly into
the BR2_REFPOLICY_EXTRA_MODULES directory, and subfolders aren't
supported. They may never be, as having subfolders could introduce
issues when two different modules have the same name (which isn't
supported by the refpolicy).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Select the fstools SELinux module when e2fsprogs binaries are compiled
and installed in the target filesystem, so that they'll be supported by
the SELinux policy.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Select the fstools SELinux module to be compiled in the policy for the
relevant binaries of util-linux.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Select the dbus SElinux module so that it will be compiled in the
refpolicy. This way, if an SELinux policy is generated, dbus will be
supported.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Select the systemd and udev SELinux modules so that they will be
compiled in the refpolicy. This way, if an SELinux policy is generated,
Systemd will be supported.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add support for packages to enable SELinux modules already supported by
the refpolicy, but not selected by default in its policy.
With this commit, packages will be able to do something like:
SYSTEMD_SELINUX_MODULES = systemd udev
to enable additional SELinux modules.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The refpolicy is configured to use a monolithic build, compiling all the
available modules (whether they're 'base' or 'modules' ones) in the
binary policy. The result is a quite big SELinux policy, with a lot more
rules than what would be needed in a Buildroot image.
Refactor the refpolicy build configuration to enable less modules by
default. To achieve this, all the modules marked as being part of the
'base' policy are kept but all the modules marked as being only
'modules' are disabled. Then a static list of modules (in addition to
the already selected 'base' ones) are enabled. The result is a much
smaller refpolicy: tests showed a reduction of the binary policy from
2.4M to 249K (~90% smaller).
This minimal set of SELinux modules should allow to boot a system in
enforcing mode in the future. It currently does not work, not because
extra modules are needed, but because of required changes within the
selected modules.
This patch would break backward compatibility as the refpolicy will no
longer have all the modules provided by the project, but only those
selected. This should not be an issue as this configuration was not
suitable directly for a real system. Modifications had to be done. If we
still find out later that this is an issue for someone, we'll have the
ability to mimic what was done previously thanks to other mechanisms
(such as providing the upstream policy as a "custom" policy location).
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Set the SELinux file security contexts using setfiles when generating
root filesystem images.
Without such security contexts created at build time, they need to be
setup at first boot by running the restorecon utility on the target.
This has two drawbacks:
- You have to special case the first boot, which cannot be done in
enforcing mode, and will have to run restorecon, then reboot.
- You cannot support read-only filesystems.
By setting up the security contexts at build time, we can have a
filesystem image that is immediately ready to boot an SELinux system
in enforcing mode, including if the root filesystem is read-only.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The mke2fs binary copies the xattrs of the source directory when
creating an image, but this logic did not include the root directory of
the resulting image. A patch was sent upstream to fix this. Include the
patch in Buildroot to allow creating SELinux ready images at build time.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Mg is a small Emacs-like editor with no external dependencies except a
standard C library. It weighs in at 130 kiB and is one of a select few
completely free (public domain) text editors suitable for small and
embedded systems.
This version is based on the OpenBSD Mg, but with more features, one of
which being the no-ncurses/termcap support, which heavily reduces the
impact on a resource constrained system.
Upstream: https://github.com/troglobit/mg/
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
GraphicsMagick is the swiss army knife of image processing.
It provides a robust and efficient collection of tools
and libraries which support reading, writing,
and manipulating an image in over 89 major formats
including important formats like DPX, GIF, JPEG, JPEG-2000,
PNG, PDF, PNM, TIFF, and WebP.
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that RISC-V 32-bit (RV32) support has been merged into mainline
glibc, we can use the Linux 5.4 kernel.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
By default, the iputils build script might build binaries which are
useless for certain applications, like tftpd or ninfod. Those binaries
will add to the target filesystem size unless a post-build script removes
them manually, which is cumbersome and doesn't shorten build times.
In particular, in a certain aarch64 Buildroot project with musl selected
as a C library, this patch allowed to shrink the full iputils package from
219 KiB (if every option is selected) to 63 KiB (with only the ping
binary selected) - a 71.2% relative size decrease.
Moreover, upstream recently introduced a commit that disabled tftpd from
building by default, like rarpd. In the current state of things, this change
will introduce inconveniences for Buildroot users which prefer to use the
tftpd implementation provided by this package. With this patch, however, that
decision and similar future ones won't be a concern, because they will
have complete control of what binaries are built.
These changes add Kconfig options which let the user select what
binaries are built with ease.
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The apu2 by PC Engines is a 64 bit single board computer with coreboot
BIOS. It only has serial output, but no graphics chip. With its 2–4
ethernet ports, it is often used to build a firewall or router.
The provided defconfig configures busybox and isolinux. It will output
a hybrid ISO image that can be written to a USB stick or burned to a
CD.
Configuration based on a blogpost by Tony Arkles:
http://www.better-bsp.com/blog/2017/03/02/buildrooting-for-apu2/
Signed-off-by: Danilo Bargen <mail@dbrgn.ch>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Examples and tests are not needed especially because of them fails on
some architectures because it wrongly tries to use wc_Sha256FinalRaw:
CCLD tests/unit.test
/tmp/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-none-linux-gnu/9.2.1/../../../../aarch64-none-linux-gnu/bin/ld: tests/tests_unit_test-api.o: in function `test_wc_Sha256FinalRaw':
/tmp/instance-0/output-1/build/wolfssl-4.5.0-stable/tests/api.c:6504: undefined reference to `wc_Sha256FinalRaw'
Fixes:
- http://autobuild.buildroot.org/results/d5b6f97f7510874fe28c675e599be08cb8a78c7b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
"mkdir" (without "-p") fails if the target directory exists, which means
that if alsa-utils is being reinstalled or if other files have
previously been installed in the alsa-state.d or alsa-restore.d
directories the installation will fail.
Switch to "$(INSTALL) -d" which allows us to be explicit about the
permissions and handles the case of a pre-existing directory correctly.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The AmLogic Odroid C2 boards use an ATF version for which the source
code is not available. The mainline U-Boot documentation at
doc/board/amlogic/odroid-c2.rst details how to build a bootable U-Boot
image for this platform: it requires fetching the ATF binary files
from https://github.com/hardkernel/u-boot.git as well as a tool called
fip_create from the same repository.
This commit therefore implements a simple Buildroot package that
retrieves this repository, installs the firmware files, and
builds/installs the host fip_create utility.
This package really installs target images (firmware files) and one
host utility, so we had to take an arbitrary decision on whether it
should be a target package or a host package, and we've chosen to make
it a target package.
Signed-off-by: Dagg Stompler <daggs@gmx.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The manual has a section on adding board support to upstream buildroot,
but it fails to mention some of the things we expect. Add more of them.
- Internal toolchain.
- Beautify defconfig file.
- Fixed versions for components.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Adam Duskett <Aduskett@gmail.com>
Reviewed-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
- use +monospace+ for the variables
- use _italic_ for sections in defconfig
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This patch is based on patch from the rockchip tree:
commit c8a337593660f27379c30248a11bf08dc8712113
Author: Jeffy Chen <jeffy.chen@rock-chips.com>
Date: Tue Nov 13 18:59:43 2018 +0800
package: cups: Add udev rules to assign usb printers' group to lp
Change-Id: Ieae17deaa7d3623e1f0e1cc826871f1719d98d88
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
but removes a hardcoded device usb vendor/id and keps only the usb
printer class.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This patch is a backport from the rockchip tree.
Author: Jeffy Chen <jeffy.chen@rock-chips.com>
Date: Tue Nov 13 18:25:34 2018 +0800
package: cups: Add lp user as default cups user
Change-Id: Ic7434fe0a7b41b86b5b8b097fa29dd9718e29aa5
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
User lp is necessary for running the cups spooler.
Groups lpadmin grants administrative privileges to users.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
A defconfig for the friendlyarm nanopc-t4 was added in
c23895f06e, but then removed
in 8efd4463f7 because an ARM32
compiler was needed to build ATF, and this was not supported
back then.
Now, since package/arm-gnu-a-toolchain/ has been added, this
defconfig can be re-introduced.
Following new changes are introduced in comparision with the
older changeset:
- updated readme
- GPT partition layout is being used
- update defconfig to build ATF
- bump u-boot to 2020.07
- bump linux to 5.8.2
Signed-off-by: Suniel Mahesh <sunil@amarulasolutions.com>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: fixate U-Boot version; remove blind BR2_TARGET_UBOOT_NEEDS_PYTHON]
A defconfig for the friendlyarm nanopi-m4 was added in
493c3979a4, but then removed
in a24bd8936f because an ARM32
compiler was needed to build ATF, and this was not supported
back then.
Now, since package/arm-gnu-a-toolchain/ has been added, this
defconfig can be re-introduced.
Following new changes are introduced in comparision with the
older changeset:
- readme updated
- GPT partition layout
- update defconfig to build ATF
- bump u-boot to 2020.07
- bump linux to 5.8.2
Signed-off-by: Suniel Mahesh <sunil@amarulasolutions.com>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: fixate U-Boot version; remove blind BR2_TARGET_UBOOT_NEEDS_PYTHON]
A defconfig for the rockpro64 was added in
59e1077b4e, but then removed
in 10f49213b7 because an ARM32
compiler was needed to build ATF, and this was not supported
back then.
Now, since package/arm-gnu-a-toolchain/ has been added, this
defconfig can be re-introduced.
Following new changes are introduced in comparision with the
older changeset:
- renamed defconfig from pine64_rockpro64 to rockpro64
- updated readme
- using a GPT partition layout
- update defconfig to build ATF
- bump u-boot to 2020.07
- bump linux to 5.8.2
Signed-off-by: Suniel Mahesh <sunil@amarulasolutions.com>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: fixate U-Boot version; remove blind BR2_TARGET_UBOOT_NEEDS_PYTHON]
Move the code to run check-flake8 into the Makefile, like we have for
check-package, so that it is easy to run locally (and not wait for
someone to report a failure from their Gitlab pipelines).
Compared to the existing check from gitlab-ci.yml, the Makefile check
differs in this respect:
- don't explicitly find *.py files: they are supposed to also be found
as a result of running 'file' on them;
- use git ls-tree instead of find: this is supopsedly faster as it
uses the index rather than readdir();
- don't output the count of warnings or errors: the output is a single
integer, which is confusing when there are errors, and even more so
when there are no, when it is simply '0';
- don't sort: the output is already stable and independent from the
locale;
- don't report the number of processed files: this information is
rather useless, and getting a hold of it would be more challenging
in this new code.
Note: ideally, we would want to use --null, --zero, or similar options,
with utilities that generates or parses a files listing. While git
ls-tree and xargs do support it, it becomes a little bit tricky to use
the --print0 option of file, and then grep in that output (it is not
undoable, but would requires replacing grep+cut with some sed trickery).
Since we do not expect our scripts names to contain funky chars (like
\n or a colon), we just hand-wave away that issue (and the old code was
doing the same assumption too).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The variables for the "docker version" output are located at
$(DOCKER_CLI_GOMOD)/cli/version - correct the path to these in the ldflags to
fix the following "unknown" lines in "docker version" output:
Client:
Version: unknown-version
Git commit: unknown-commit
Built: unknown-buildtime
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Upstream does not maintain these older versions anymore. Due to security
fixes not being backported to these versions anymore we remove these old
X server versions.
Move current patches from version-specific directory to package directory.
No legacy handling is added for the old versions, since it's simply a
version bump. THe old packages and features (AIGLX) that depend on the
old versions do have legacy handling.
Remove legacy handling for 1.19.*
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Current X.org X server is incompatible with this driver.
We no longer support unmaintainted versions of X.org X server.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Current X.org X server is incompatible with this driver.
We no longer support unmaintainted versions of X.org X server.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
boost-thread needs std::current_exception since version 1.71.0 and
https://github.com/boostorg/exception/commit/386f5507cb8ec99c03ca535bea4f8bd61e0de910
std::current_exception depends on !BR2_TOOLCHAIN_HAS_GCC_BUG_64735 as a
result, uhd fails to build on:
In file included from /home/buildroot/autobuild/run/instance-2/output-1/build/uhd-3.15.0.0/host/include/uhd/error.h:74:0,
from /home/buildroot/autobuild/run/instance-2/output-1/build/uhd-3.15.0.0/host/include/uhd/types/metadata.h:12,
from /home/buildroot/autobuild/run/instance-2/output-1/build/uhd-3.15.0.0/host/lib/types/metadata_c.cpp:8:
/home/buildroot/autobuild/run/instance-2/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/include/boost/exception/diagnostic_information.hpp: In function 'std::__cxx11::string boost::current_exception_diagnostic_information(bool)':
/home/buildroot/autobuild/run/instance-2/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/include/boost/exception/diagnostic_information.hpp:54:26: error: 'current_exception' is not a member of 'std'
else if (auto* p=std::current_exception().__cxa_exception_type())
^
In file included from /home/buildroot/autobuild/run/instance-2/output-1/build/uhd-3.15.0.0/host/include/uhd/error.h:74:0,
from /home/buildroot/autobuild/run/instance-2/output-1/build/uhd-3.15.0.0/host/include/uhd/types/ranges.h:12,
from /home/buildroot/autobuild/run/instance-2/output-1/build/uhd-3.15.0.0/host/lib/types/ranges_c.cpp:8:
/home/buildroot/autobuild/run/instance-2/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/include/boost/exception/diagnostic_information.hpp: In function 'std::__cxx11::string boost::current_exception_diagnostic_information(bool)':
/home/buildroot/autobuild/run/instance-2/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/include/boost/exception/diagnostic_information.hpp:54:26: error: 'current_exception' is not a member of 'std'
else if (auto* p=std::current_exception().__cxa_exception_type())
So add a dependency to !BR2_TOOLCHAIN_HAS_GCC_BUG_64735
Fix:
- http://autobuild.buildroot.net/results/0cdbf01df174648cf0dfb34d9506eb80570e99c0/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Use UDEV_USERS, now that it's suported by virtual packages.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Use LUAINTERPRETER_TARGET_FINALIZE_HOOKS, now that it's suported by
virtual packages.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: don't remove relevant comment]
Virtual packages are not built but it's useful to allow them to have
permission/device/user tables and target-finalize/rootfs-pre-cmd hooks.
With this change we don't need to duplicate data as currently done in
eudev and systemd user tables, or test if the package is selected to add
a target-finalize hook as in luainterpreter.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reformat the dependency on libcap-ng same as other dependencies: in one
line, preceded by a comment that it is used only by setpriv.
This also makes it clear why it's not included in util-linux-libs.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
There was a private variable UTIL_LINUX_LIBS that is used by the
util-linux package. With the addition of the util-linux-libs package,
this is a bit confusing. Therefore, rename the variable to
UTIL_LINUX_LINK_LIBS.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The different tools and libraries in util-linux have a lot of optional
dependencies. When we want to support those optional dependencies, we
can easily generate dependency cycles. For instance, findmount and lsblk
need udev to work correctly, but eudev and systemd both depend libblkid,
which comes from util-linux.
Normal distros (e.g. Debian) solve this by first building a minimal
package that has no dependencies at all, then build the packages that
depend on util-linux, and finally rebuild util-linux with all bells and
whistles. Solve it in Buildroot by means of the following changes:
- Split util-linux into two packages:
- util-linux-libs, providing lib{blkid,fdisk,mount,smartcols,uuid}.
- util-linux, providing both the aforementioned libs and the programs.
- Add a blind selection for util-linux-libs, i.e. it is indirectly
selected according to the util-linux options.
- Make host and target util-linux have a build dependencies on the -libs
packages.
- Make eudev and systemd have build dependencies on util-linux-libs.
This can be extended to other packages in the future but is not needed
right now because the configuration options are backward-compatible.
- Make util-linux have an optional build dependency on the package that
provides libudev (either eudev or systemd), if it is selected.
Installing util-linux overrides files installed by util-linux-libs but
this is not a problem: it's allowed for a package to overwrite files
from another package, as long as there is a dependency between the two.
util-linux-libs has a Config.in symbol for the package as a whole, but
not for the individual libraries: it simply reuses the symbols of the
full package.
The build dependency of util-linux on util-linux-libs ensures that
util-linux overwrites the files installed by util-linux-libs and not
vice versa. In practice this dependency shouldn't be needed: the only
reason for util-linux-libs to be built is to break a circular
dependency. In that case, there is already a transitive dependency of
util-linux on util-linux-libs, so adding it explicitly is redundant.
Still, better safe than sorry.
host-util-linux-libs is not needed at the moment. It can be added if we
have a dependency cycle problem later.
With this approach we don't need to patch configuration files neither
change packages other than eudev and systemd.
Other packages that require util-linux libraries and whose libraries may
be used by util-linux programs can be updated later. We also don't need
to change any existing defconfig, since all configuration options are
kept in the util-linux package.
Fixes: https://bugs.busybox.net/show_bug.cgi?id=11811
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This patch makes the upcoming udisks2 version bump patch easier to
read, and also fixes the udisks.mk, so it follows Buildroot's package
guidelines.
Host packages are placed on top of the dependency list, followed by
target dependencies.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch makes the upcoming udisks2 version bump patch easier to
read, and also fixes the Config.in, so it follows Buildroot's package
guidelines.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Extract from ChangeLog:
- In release 1.6.1 the version number in CMakeLists.txt wasn't
updated, affecting the installed cmake and pkgconfig files. The
version number has been bumped to 1.6.2 in all relevant files now.
- "KaxBlockAddIDValue" class: this class is no longer marked as
"mandatory" in order to coincide with the latest specification.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update indentation in hash file (two spaces)
Extract from NEWS:
- Fix unlikely memory leak in idna_to_unicode_4z4z().
- Check codepoint validity in punycode_decode() and punycode_decode().
- tld: Add U+00EF to .nl TLD table.
- Indent code.
- Translation fixes.
- Update gnulib files.
- API and ABI is backwards compatible with the previous version.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Drop patch (already in version) and so autoreconf
- Update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update indentation in hash file (two spaces)
Extract from NEWS:
- mkdir: fixed exit code with -f option.
- ftp: made ftp:use-pret setting tri-boolean.
- get/mget/put/mput: don't try next files after error if cmd:fail-exit
is true.
- get/mget: fixed -O option with remote URL and xfer:use-temp-file being
true.
- mirror: disallow empty patterns; don't delete "..".
- mirror: fixed --on-change with --reverse.
- sftp: fixed a bug with truncated files when packets are reordered
(finally).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Upstream removed spandsp and sofia-sip from source and now uses external
packages, removed patch 0001 which fixed a bug in the internal sofia-sip
code, removed insecure md5 and sha1 hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Extract from NEWS:
- Fix subscription check on V6 link-local addresses
- Add autofree function for GUPnPServiceProxyAction
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
>From https://github.com/PurpleI2P/i2pd/releases/tag/2.33.0:
- UDP tunnels through ECIES-X25519-AEAD-Ratchet
- Shared transient addresses
- ECIES-X25519-AEAD-Ratchet and multiple encryption keys through I2CP
- Pre-calculated x25519 ephemeral keys
- crypto.ratchet.inboundTags parameter
- Don't save invalid address to AddressBook
- Correct ECDSA signatures names in SAM
- New webconsole layout
- Shared routing path for datagram session
- Change datagram routing path if nothing comes back in 10 seconds
- Updated reseed servers list
- Don't connect through terminated SAM destination
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 25b1dc4613 disabled parted on
uClibc due to the following build failure:
atari.c:221:9: error: dereferencing pointer to incomplete type 'struct __uclibc_locale_struct'
return isalnum_l(part->id[0], atr_c_locale)
This was fixed in upstream uClibc-ng as of upstream commit
d1a3ca7ca56630fddde7311a0474eed4a21335a7, which was part of the 1.0.33
uClibc-ng release. On the Buildroot side, even though Buildroot
2020.02 was using uClibc-ng 1.0.32, we already had this patch
backported.
So we can now safely re-enable parted for uClibc-ng toolchains, as
well as its reverse dependencies.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libbytesize is a small library providing a C "class" for working with
arbitrary big sizes in bytes.
The mdraid plugin for libblockdev depends on this package, which newer
versions of udisks require when building with the udisks daemon
enabled.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libblockdev is a C library supporting GObject introspection for
manipulation of block devices. It has a plugin-based architecture
where each technology (like LVM, Btrfs, MD RAID, Swap,...) is
implemented in a separate plugin, possibly with multiple
implementations.
gobject-introspection is not a strict dependency and may be disabled
via a configure flag.
This is the base package with everything disabled, the subsequent
patches in this series will add more options necessary to bump udisks
to the latest.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit adds the new test cases generated automatically by the
bl-toolchains-gen script, to test the integration of the Bootlin
toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit wires-up the toolchain-external-bootlin package into
Buildroot by:
- Adding
toolchain/toolchain-external/toolchain-external-bootlin/Config.in,
which is not generated by the bl-toolchains-gen script as it is a
static file that does not depend on the list and characteristics of
available Bootlin toolchains.
- Including that file, as well as the Config.in.options file, from
toolchain/toolchain-external/Config.in.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Tested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit adds the contents of the
toolchain/toolchain-external/toolchain-external-bootlin/ files
generated by bl-toolchains-gen, unmodified.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
https://toolchains.bootlin.com/ has been providing for a few years a
number of ready-to-use pre-built toolchains, for a wide range of
architectures (which it turns out, are all built using Buildroot).
While toolchains.bootlin.com provides Buildroot config fragments to
easily use those toolchains with Buildroot (see [0] for example), this
is not visible anywhere. So instead, we would like to add support for
these toolchains in Buildroot just like we have existing support for
Linaro, ARM, Synopsys, etc. toolchains.
[0] https://toolchains.bootlin.com/downloads/releases/toolchains/aarch64/fragments/aarch64--glibc--bleeding-edge-2020.02-2.frag
However, the number of toolchains provided by toolchains.bootlin.com
is really large, and they are regularly updated. Maintaining that
manually would be time consuming and error-prone. So instead, this
commit introduces a script that automatically generates:
- toolchain/toolchain-external/toolchain-external-bootlin/Config.in.options
- toolchain/toolchain-external/toolchain-external-bootlin/toolchain-external-bootlin.mk
- toolchain/toolchain-external/toolchain-external-bootlin/toolchain-external-bootlin.hash
- support/testing/tests/toolchain/test_external_bootlin.py
We create a single external toolchain package, with a Kconfig "choice"
as a sub-option to select the toolchain variant to be used. The script
contains a Python dict that provides the mapping between the
toolchains provided by toolchains.bootlin.com, and the architecture
options/variants they are applicable to.
The test cases allow to verify that the toolchain configuration is
correct, and that it is able to build a Busybox based system. It
doesn't do any runtime testing as such testing is already done by
toolchains.bootlin.com: the test cases here are only meant to verify
that the toolchain-external-bootlin package works as expected.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@railnova.eu>
Tested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since the go.mod integration, the <pkg>_WORKSPACE variable is useless,
so drop it.
Reported-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that we have switched to the go.mod integration, all Go packages
are built with -mod=vendor, so there's no need to have custom GOFLAGS
in mender-artifact.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the go.mod integration, the <pkg>_WORKSPACE variable has become
useless, drop it.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the go.mod integration, the DOCKER_ENGINE_SRC_SUBDIR has become
useless, drop it.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the go.mod integration, the <pkg>_WORKSPACE variable is no longer
needed, drop it.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the go.mod integration, the <pkg>_WORKSPACE variable has become
useless, so drop it.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Go compiler needs to know the "import path" to the root of package
source repositories. Previously, this was done by creating a fake
_gopath in the build directory and symlinking the package source into
that path.
Go has deprecated the GOPATH mechanism in favor of a new approach -
Modules - which specifies the root import path (and dependencies) in a
"go.mod" file. This commit moves Buildroot to use the new go.mod
approach, which requires:
- Passing GO111MODULE=on when building host or target Go packages.
- Passing GOPROXY=off and -mod=vendor to prevent the Go module system
from downloading by itself sources from the Internet. We currently
only support Go packages that have all their dependencies in their
source tree in "vendor" directories.
- Specifying a <pkg>_GOMOD variable, which is used both to create a
minimal go.mod file in the package source tree if it exists, and to
invoke the right build targets. Indeed, all elements in
<pkg>_BUILD_TARGETS are now relative to <pkg>_GOMOD.
Reference: https://github.com/golang/go/wiki/Modules
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In preparation for the go.mod integration, define the DOCKER_CLI_GOMOD
variable.
We also use it as a handy shortcut when defining DOCKER_CLI_LDFLAGS.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In preparation for the go.mod integration, define the
DOCKER_ENGINE_GOMOD variable.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In preparation for the go.mod integration, define the
DOCKER_CONTAINERD_GOMOD variable.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that GO_TARGET_ENV and GO_HOST_ENV are just aliases to
HOST_GO_TARGET_ENV and HOST_GO_HOST_ENV, drop the former two, and use
the latter two directly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
There is no point in having some common Go env variables defined in
pkg-golang.mk:GO_COMMON_ENV, and some in
package/go/go.mk:HOST_GO_COMMON_ENV. Let's move all of them to
package/go/go.mk:HOST_GO_COMMON_ENV.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
HOST_GO_HOST_ENV is explicitly specifying
HOST_CGO_{CFLAGS,CXXFLAGS,LDFLAGS}, so let's do the same for target
packages.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
A few variables are common between HOST_GO_TARGET_ENV and
HOST_GO_HOST_ENV, so let's introduce a HOST_GO_COMMON_ENV variable for
those few common ones (which will increase in follow-up commits).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
package/go/go.mk provides a HOST_GO_TARGET_ENV which provides a useful
set of environment variables needed to build target Go packages.
For host packages, we simply have package/pkg-golang.mk defining
GO_HOST_ENV to specify CFLAGS/LDFLAGS, but that's it: we don't pass an
explicit path to the compiler, we don't pass GO111MODULE, GOCACHE,
GOROOT, etc.
This commit introduces a HOST_GO_HOST_ENV variable that provides the
appropriate set of environment variables to use when building host
golang packages.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The upstream tarball provides an already generated configure script,
which works fine, so there's no need to AUTORECONF.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
watchdog is a flexible watchdog daemon that improves on the already
available Busybox watchdog daemon by providing more advanced features,
like defining custom system status checks and executing repair scripts
to react upon invariants that don't hold.
Due to "watchdog" being also provided by Busybox, we need to make that
package/watchdog installs the watchdog binary in the same place as
Busybox (i.e in /sbin), and need to add a dependency of Busybox on
this new watchdog package.
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
By default, go will attempt to download needed modules before building, which
is not desirable. This behavior also causes permission issues when cleaning,
as go downloads modules as read-only by default. Because mender-artifact
includes the modules in the vendor directory, mod=vendor prevents the package
from downloading the go modules during the build process and prevents
permission issues when cleaning.
Fixes:
http://autobuild.buildroot.net/results/d5bcaca73ae74fe8b0ebd39b6331564cd639fb66
Signed-off-by: Mirza Krak <mirza.krak@northern.tech>
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Also separate the fields in the hash file by two spaces and add pgp
signature check.
Since we're now using the default value for POWERTOP_SOURCE, drop this
variable definition.
Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Mainline Linux now has basic s500/roseapplepi support, so switch to that to
get rid of the dependency on gcc7. Add two patches for the dts / fix that
didn't make it for kernel 5.7.
The mainline kernel does not yet have support for the mmc interface, so
change to initramfs for now. Patches for mmc support have been posted
recently, so this can be reverted once they show up in a stable kernel:
https://lore.kernel.org/lkml/cover.1593124368.git.cristian.ciocaltea@gmail.com/
The owl serial port is called ttyOWLn in mainline, so adjust the bootargs to
match. Also drop the unneeded execute permission on uEnv.txt.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This scripts takes as entry on stdin a JSON description of the package
used for a given configuration. This description is the one generated
by "make show-info".
The script generates the list of all the packages used and if they are
affected by a CVE. The output is either a JSON or an HTML file similar
to the one generated by pkg-stats.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>=
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The affects method of the CVE uses the Package class defined in
pkg-stats. The purpose of migrating the CVE class outside of pkg-stats
was to be able to reuse it from other scripts. So let's remove the
Package dependency and only use the needed information.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add the list of the CVEs to ignore for each package because they
already have a fix for it.
This information will be useful for a cve-checker.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In 2019, the JSON vulnerability feeds switched their schema from
version 1.0 to 1.1.
The main difference is the removal of the "affects" element that we
were using to check if a package was affected by a CVE.
This information is now available in the "configuration" element which
contains the cpeid as well as properties about the versions
affected. Instead of having a list of the versions affected, with
these properties, it is possible to have a range of versions.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In order to be able to use the CVE checking logic outside of
pkg-stats, move the CVE class in a module that can be used by other
scripts.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Some CVE entries in the NVD database have version_value set to "-",
which seems to indicate that it applies to all versions of the
software project, or that they don't really know which versions are
affected, and which are not.
So, for the benefit of doubt, it seems more appropriate to consider
such CVEs as affecting our packages.
This makes the total number of CVEs affecting our next branch jump
from 141 CVEs to 658 CVEs, but that number will go back down once we
switch to the JSON 1.1 schema. Indeed, in the JSON 1.0 schema, there
are often cases where a version_value is set to "=" *and* specific
versions are set to.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- remove patch that is in new version
- update indentation in hash file (two spaces)
Run tests:
br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
br-arm-cortex-m4-full [3/6]: OK
br-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
sourcery-arm [6/6]: OK
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
FRR is free software that implements and manages various IPv4 and IPv6
routing protocols. It runs on nearly all distributions of Linux and
BSD as well as Solaris and supports all modern CPU architectures.
FRR currently supports the following protocols:
BGP
OSPFv2
OSPFv3
RIPv1
RIPv2
RIPng
IS-IS
PIM-SM/MSDP
LDP
BFD
Babel
PBR
OpenFabric
VRRP
EIGRP (alpha)
NHRP (alpha)
Some not-needed features were disabled to minimize package
dependencies:
- POSIX capabilities
- RPKi
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[Thomas:
- select bash instead of depending on it
- switch to version 7.4, since 7.3 was not building (it's using
TRUE/FALSE, which are not standard, and this was fixed in 7.4)
- use the github macro to define FRR_SITE
- use host-python3 instead of host-python]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This option is required by frr package, so enable it by default as there
is no size difference with or without this option enabled.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
IPTraf-ng is a console-based network monitoring program for Linux that
displays information about IP traffic. It returns such information as:
- Current TCP connections
- UDP, ICMP, OSPF, and other types of IP packets
- Packet and byte counts on TCP connections
- IP, TCP, UDP, ICMP, non-IP, and other packet and byte counts
- TCP/UDP counts by ports
- Packet counts by packet sizes
- Packet and byte counts by IP address
- Interface activity
- Flag statuses on TCP packets
- LAN station statistics
V1.2.1 fixed multiple issues in V1.1.4 like :
- Introduce packet capturing abstraction: add recvmmsg(),
TPACKET_V2 and TPACKET_V3 to capture in multigigabit speeds.
- Handling mlock() failures and carry on execution (without
crashing iptraf-ng).
- Properly account non-IP packets.
- Show dropped packet count.
Signed-off-by: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove patch from this version.
Remove USE_CRYPTO related config (configuration was removed in this
release).
tftpd is not built by default since this release, thus explicitly enable it.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The src/v3.cpp source file, used as a license file, has seen a few
modifications (hence the change of hash) but none of these changes are
related to licensing.
Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that gdb 9.2 has been introduced, and gdb 8.3 is the default gdb
version, we can drop the oldest gdb version, 8.1.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Use "/usr/bin:/usr/sbin" as the default path if BR2_ROOTFS_MERGED_USR
is enabled, otherwise use "/bin:/sbin:/usr/bin:/usr/sbin".
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The TestExternalToolchain() base class implement a test checking if
the ELF interpreter that is advertised by Busybox really exists in the
rootfs. Of course, this only makes sense with ELF toolchains. Until
now, only ELF toolchains were tested, but we are going to use
TestExternalToolchain() with non-ELF toolchains as well, so let's make
this conditional.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: strip() lines during readlines()]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Related changes:
- add dependency on Google RE2 package
- update patches to new offsets
Tested on Ubuntu 20.04
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
RE2 is a fast, safe, thread-friendly alternative to backtracking
regular expression engines like those used in PCRE, Perl, and
Python. It is a C++ library.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the Xen package to the latest release. We can also remove a patch
to change the CFLAGS as it is no longer required.
The hash of the license file is changed, as ZPL-2.0 is no longer
listed as one of the licenses of 3rd party code imported into Xen.
Signed-off-by: Alistair Francis <alistair@alistair23.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit slightly improves the output of pkg-stats by showing the
progress of the upstream URL checks and latest version retrieval, on a
package basis:
Checking URL status
[0001/0062] curlpp
[0002/0062] cmocka
[0003/0062] snappy
[0004/0062] nload
[...]
[0060/0062] librtas
[0061/0062] libsilk
[0062/0062] jhead
Getting latest versions ...
[0001/0064] libglob
[0002/0064] perl-http-daemon
[0003/0064] shadowsocks-libev
[...]
[0061/0064] lua-flu
[0062/0064] python-aiohttp-security
[0063/0064] ljlinenoise
[0064/0064] matchbox-lib
Note that the above sample was run on 64 packages. Only 62 packages
appear for the URL status check, because packages that do not have any
URL in their Config.in file, or don't have any Config.in file at all,
are not checked and therefore not accounted.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit reworks the code that checks if the upstream URL of each
package (specified by its Config.in file) using the aiohttp
module. This makes the implementation much more elegant, and avoids
the problematic multiprocessing Pool which is causing issues in some
situations.
Suggested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit reworks the code that retrieves the latest upstream
version of each package from release-monitoring.org using the aiohttp
module. This makes the implementation much more elegant, and avoids
the problematic multiprocessing Pool which is causing issues in some
situations.
Since we're now using some async functionality, the script is Python
3.x only, so the shebang is changed to make this clear.
Suggested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The new version requires an extra features in the toolchain and won't
build with a specific gcc bug, therefore two new toolchain options are
added as dependencies:
* !BR2_TOOLCHAIN_HAS_GCC_BUG_64735
* BR2_TOOLCHAIN_HAS_UCONTEXT
Signed-off-by: Koen Martens <gmc@sonologic.nl>
Reviewed-by: Joel Carlson <JoelsonCarl@gmail.com>
Tested-by: Joel Carlson <JoelsonCarl@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove patch that is no longer needed as of upstream commit
1c33be992e8120abd20add8021e4d91d226f5b6a which removed the old VM.
We need to add an exclusion rule for guile modules to check-bin-arch
as they appear as valid ELF binaries but with an architecture of
"None".
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Thomas:
- bump to 3.0.4
- rework how check-bin-arch excludes checking the Guile .go files]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit bumps stress-ng version to 0.11.17.
This version includes the patch that fixes musl build at commit
03416938871388243d28621f4b59ce532231f11c, and also fixes a
"Invalid syntax in conditional" build error in a Makefile.
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In preparation for the introduction of Lua 5.4, we need to adjust the
dependency of the lua-compat53 package: it only makes sense when a Lua
5.1-compatible interpreter is available (either Lua 5.1 or LuaJIT). We
use the recently introduced BR2_PACKAGE_LUAINTERPRETER_ABI_VERSION_5_1
symbol to achieve this.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In preparation for the introduction of Lua 5.4, clarify the dependency
of luabitop: it only makes sense when used with Lua 5.1.
Also update the comment to no longer mention Lua 5.2, since we don't
support Lua 5.2 in Buildroot anymore.
Note that as explained in https://luajit.org/extensions.html, LuaJit
already implements luabitop functions, so luabitop is really for Lua
5.1 only, not for all Lua interpreters that implemented the 5.1 ABI.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
0001-configure-add-without-demo-option: adapt patch to 5.4.0 version
Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
From 5448f328ff63a6ca4a64519c2f1dfc63a33df4b7 Mon Sep 17 00:00:00 2001
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Date: Thu, 10 Sep 2020 11:37:33 +0200
Subject: [PATCH] Pass -fno-builtin to fix build with gcc 10
gcc 10, if it recognizes some hand-written code that looks like
memcpy, will generate a call to memcpy().
For example:
while (dst < &_end_data) {
*dst++ = *src++;
}
gets recognized as such. However, in the context of bare-metal code,
having a call to memcpy() in the C library doesn't work. So we fix
that by disabling builtins.
Fixes:
/home/thomas/projets/buildroot/output/host/opt/ext-toolchain/bin/../arm-buildroot-uclinux-uclibcgnueabi/bin/ld.real: stm32f429i-disco.o: in function `reset':
stm32f429i-disco.c:(.text.reset+0x1a): undefined reference to `memcpy'
/home/thomas/projets/buildroot/output/host/opt/ext-toolchain/bin/../arm-buildroot-uclinux-uclibcgnueabi/bin/ld.real: stm32f429i-disco.c:(.text.reset+0x34): undefined reference to `memset'
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.