Fixes a bug introduced in 2.20.0 with unintended Authorization header
stripping for redirects using default ports (http/80, https/443).
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 745132abc0)
[Peter: mention fix from 2.20.0]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-18074: The Requests package before 2.20.0 for Python sends an
HTTP Authorization header to an http URI upon receiving a same-hostname
https-to-http redirect, which makes it easier for remote attackers to
discover credentials by sniffing the network.
LICENSE update: replaced http address with https.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 42bebd1e7c)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
setup.py explicitly listed a maximum allowed version of python-requests,
causing runtime failures with the python-requests version we have:
Loaded image: docker-enp.bin.cloud.barco.com/eis/baseos-docker-snmp:0.1.0
Traceback (most recent call last):
File "/usr/bin/docker-compose", line 6, in <module>
from pkg_resources import load_entry_point
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3123, in <module>
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3107, in _call_aside
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 3136, in _initialize_master_working_set
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 580, in _build_master
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 593, in _build_from_requirements
File "usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 781, in resolve
pkg_resources.DistributionNotFound: The 'requests!=2.11.0,!=2.12.2,!=2.18.0,<2.19,>=2.6.1' distribution was not found and is required by docker-compose
FAIL
Upstream regularly updates setup.py as new python-requests releases are
made, but it is unknown why new python-requests releases (which are supposed
to be backwards compatible) should not be allowed right away.
Add a path submitted upstream to only disallow new major versions, similar
to how the other dependencies are handled.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 53261d8082)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, U-Boot is failing to build, due to some issues
with the toolchain and the U-Boot port.
Fix it.
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit aacf3acb84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There are various versions shipped in linux-firmware. In the past we
decided that it was up to the developer to filter out the ones they want
for their specific kernel version, so install them all.
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6a6f9306d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
luvi fails to run when it was build with CMake 3.12+:
```
[string "return require('init')(...)"]:1: module 'init' not found:
no field package.preload['init']
no file './init.lua'
no file '/usr/share/luajit-2.0.5/init.lua'
no file '/usr/local/share/lua/5.1/init.lua'
no file '/usr/local/share/lua/5.1/init/init.lua'
no file '/usr/share/lua/5.1/init.lua'
no file '/usr/share/lua/5.1/init/init.lua'
no file './init.so'
no file '/usr/local/lib/lua/5.1/init.so'
no file '/usr/lib/lua/5.1/init.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
```
Looking at link.txt for the luvi executable shows that `-rdynamic` is
not set anymore in CMake 3.12. This has the effect, that symbols are
missing in the `.dynsym` section in the binary.
The patch, sets `ENABLE_EXPORTS` to true in CMakeLists.txt to force setting
`-rdynamic` explicitly.
Upstream status: b8781653dcb8815a3019a77baf4f3b7f7a255ebe
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56d2ac54dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE identifiers: CVE-2018-4437,
CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, and
CVE-2018-4464. Additionally, it fixes a couple of build failures in
unusual build configurations.
Release notes can be found in the announcement:
https://webkitgtk.org/2018/12/13/webkitgtk2.22.5-released.html
More details on the issues covered by security fixes can be found
in the corresponding security advisory:
https://webkitgtk.org/security/WSA-2018-0009.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6bbfaf1d40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update to version 2018.11 to resolve the following build failure:
corelib/channel_curl.c: In function ‘channel_map_curl_error’:
corelib/channel_curl.c:298:2: error: duplicate case value
case CURLE_SSL_CACERT:
^
corelib/channel_curl.c:297:2: error: previously used here
case CURLE_PEER_FAILED_VERIFICATION:
^
when building with CONFIG_DOWNLOAD=y. This issue is happening since
the libcurl bump to 7.62.0.
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1040b18634)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
1.15.7 contains a number of bugfixes. From the changes file:
*) Bugfix: memory leak on errors during reconfiguration.
*) Bugfix: in the $upstream_response_time, $upstream_connect_time, and
$upstream_header_time variables.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used on 32-bit platforms.
https://nginx.org/en/CHANGES
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bc60c57f69)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libgpgme installs a gpgme-config script, it should be tweaked using
the <pkg>_CONFIG_SCRIPTS mechanism. This is generally useful and is
going to be particularly important with per-package directories.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3df53aa11d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Definitions of POLLWRNORM, POLLWRBAND and POLLREMOVE in xtensa linux
kernel are non-standard. Provide bits/poll.h with correct values for
these constants for uclibc-ng.
This fixes the following strace build errors:
In file included from xlat/pollflags.h:4:0,
from poll.c:34:
./static_assert.h:40:24: error: static assertion failed: "POLLWRBAND != 0x0100"
# define static_assert _Static_assert
^
xlat/pollflags.h:75:1: note: in expansion of macro ‘static_assert’
static_assert((POLLWRBAND) == (0x0100), "POLLWRBAND != 0x0100");
^~~~~~~~~~~~~
./static_assert.h:40:24: error: static assertion failed: "POLLREMOVE != 0x0800"
# define static_assert _Static_assert
^
xlat/pollflags.h:117:1: note: in expansion of macro ‘static_assert’
static_assert((POLLREMOVE) == (0x0800), "POLLREMOVE != 0x0800");
^~~~~~~~~~~~~
Fixes:
http://autobuild.buildroot.net/results/5a0112b7a2c81fa5253c9adc93efe415256cd811
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 95f11fb25d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When one of BR2_PACKAGE_FFTW_PRECISION_* is enabled, liquid-dsp links
against fftw3f, fftw3 or fftw3l, but forgets to add the fftw package
in its dependencies. It works fine in practice because "fftw" is
before "liquid-dsp" in the alphabetic ordering, but building with
"make liquid-dsp" or with per-package directory causes a build
failure.
Fix that by adding the missing dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Reviewed-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2517fa73ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The sdl2_net configure script uses pkg-config to finx sdl2. If it
doesn't find pkg-config, it tries to locate sdl2-config, and defaults
to /usr/bin/sdl2-config, which causes the build to fail with:
arm-linux-gcc: ERROR: unsafe header/library path used in cross-compilation: '-I/usr/include/SDL2'
Fix this by adding host-pkgconf to the dependencies of sdl2_net. We
could have added the right autoconf cache variable to tell the
configure script where sdl2-config is located, but since pkg-config is
tried first, let's use that.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c2a1bcb1b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Just like the build of the target wine, the build of host wine also
needs bison and flex, otherwise the build fails with:
checking for flex... no
configure: error: no suitable flex found. Please install the 'flex' package.
(and similarly for bison once host-flex is provided)
This was detected using per-package directories. It used to "work"
because host-wine comes alphabetically after host-flex and host-bison,
which are dependencies of target wine.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e4d153b16a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
multiplication (CVE-2018-5407)
For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0de2c9c76c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit 38de434123 ("download: fix file:// BR2_PRIMARY_SITE
(download cache)"), the urlencode option is no longer passed to the
download backend, because we use ${backend} instead of
${backend_urlencode}.
We must get the urlencode information from backend_urlencode.
Signed-off-by: Damien Thébault <damien.thebault@vitec.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[Thomas: rework commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bb7c13273f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
as used in imap_open() in PHP and other products, launches an rsh command
(by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
function in osdep/unix/tcp_unix.c) without preventing argument injection,
which might allow remote attackers to execute arbitrary OS commands if the
IMAP server name is untrusted input (e.g., entered by a user of a web
application) and if rsh has been replaced by a program with different
argument semantics. For example, if rsh is a link to ssh (as seen on Debian
and Ubuntu systems), then the attack can use an IMAP server name containing
a "-oProxyCommand" argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1af5232138)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
liboping.c: In function 'ping_host_add':
liboping.c:207:9: error: '%s' directive output may be truncated writing
up to 255 bytes into a region of size 243 [-Werror=format-truncation=]
"%s: %s", function, message);
^~
liboping.c:1644:40:
ping_set_error (obj, "getaddrinfo", errmsg);
~~~~~~
liboping.c:206:2: note: 'snprintf' output between 14 and 269 bytes into
a destination of size 256
snprintf (obj->errmsg, sizeof (obj->errmsg),
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"%s: %s", function, message);
Fixes:
- http://autobuild.buildroot.org/results/b12d86388b495a96194e0bcbb5c19a4e35cbc53d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8361c53eac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The logic to ensure at least one compression backend is selected was not
updated when lz4, xz and zstd were introduced - Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
[Peter: add comment as suggested by Peter Seiderer]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84aeb4419f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
prosody is not available for Lua 5.3, but only 5.1 & 5.2.
prosody needs the module BitOp which is included in LuaJIT
note: the actual config is working only LuaJIT
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 768a9b9dd7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported in bug #11426, the ppsfind shell script uses /bin/bash,
but the Buildroot pps-tools package doesn't depend on bash. In fact,
upstream has fixed the problem, and the script can now be used with a
POSIX shell, and the shebang is /bin/sh.
This commit therefore bumps pps-tools to the latest upstream commit,
which is precisely this fix.
Fixes bug #11426.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5c89726d9f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Lynx configure script uses pkg-config when available:
checking for nios2-buildroot-linux-gnu-pkg-config... /home/thomas/projets/buildroot/output/host/bin/pkg-config
checking pkg-config for openssl... yes
[...]
checking pkg-config for ncurses... yes
Using pkg-config avoids build failures such as:
checking for _nc_freeall... no
configure: error: Configuration does not support color-styles
make: *** [/home/test/autobuild/run/instance-1/output/build/lynx-2.8.9rel.1/.stamp_configured] Error 1
When building with "make lynx", so that pkg-config is not built
before. The issue is that in this case, lynx configure script picks up
the ncurses6-config script for the host ncurses instead of the one in
staging. Using pkg-config solves that nicely.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67ee7f9eb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using an initramfs, on the first-pass build, we create a dummy cpio
so that the build succeeeds. The real cpio will come later, and we'll do
a second-pass build to use the actual cpio.
However, when we touch that dummy cpio, the images/ directory may not
yet exist, since commit d0f4f95e39 (Makefile: rework main directory
creation logic) removed its creation at the begining of the build, to
only at the moment we need it, i.e. during the *_INSTALL_IMAGES_CMDS
steps.
However, the linux build is not a _INSTALL_IMAGES_CMDS step, so there is
no guarantee that images/ already exist at that time.
Fix that by explicitly creating images/ before touching the dummy cpio.
Reported-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 524fb10bbe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libcurl doesn't find any trust path for CA certs when it cross-compiles.
When using OpenSSL, it is explicitly configured to use the SSL cert
directory with OpenSSL style hash files in it. But with GnuTLS, it gets
nothing.
Rather than configure libcurl to use the OpenSSL directory or a bundle
file, configure it to use the GnuTLS default. This way the CA certs
path can be configured in one place (gnutls) and then libcurl and anyone
else who uses gnutls can default to that.
Also, when libcurl with gnutls is configured to use a directory, it ends
up loading each cert three times.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 43b4d3ae45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gnutls is building with no default location to look for CA certs. Since
there are buildroot packages to provide these, configure it to use them
by default.
Configure gnutls to find them using the bundle file which contains all
certs, rather than looking in the cert directory. When gnutls is told
to use the directory, it loads *every* file in it. This means it loads
the bundle with all certs, then loads each cert a second time using the
individual pem files, and then loads them all the third time via the
hash symlinks to the pem files.
When p11-kit is enabled, use its trust module instead of the bundle
file. p11-kit can be configured to use the bundle (the default), but it
can do other things too, such as integrate with the "trust" command for
adding and removing trust anchors.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 379306e8f2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
fstatfs/statfs on aarch64 seems broken, add a patch from uClibc-ng
upstream git to fix it.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2179ca4a61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, the go compiler will spawn as many jobs as there are CPUs
available, thus possibily over-shooting the limits set by the user.
Make it abide by the user's wish, and specify the number of jobs allowed
to run.
We can do so without fear of a package failing to build in parallel,
because they were already all building in parallel, as that is the
default for the go compiler.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5af65f6557)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pass -Werror=shadow in args of cc.compiles in meson.build otherwise test
will always succeed, causing -Werror=shadow to be passed, even on older gcc versions.
GCC 4.8 changed the behaviour of -Werror=shadow to no longer complain about
local variable declariations shadowing functions, which systemd has. From
the changelog:
The option -Wshadow no longer warns if a declaration shadows a function
declaration, unless the former declares a function or pointer to function,
because this is a common and valid case in real-world code.
https://www.gnu.org/software/gcc/gcc-4.8/changes.html
Fixes:
- http://autobuild.buildroot.org/results/ffd71c473d3b29618c18cd2e04705370266696f2
[Peter: extend commit message, add gcc 4.8 link]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 76cf905c7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2018-17961: Artifex Ghostscript 9.25 and earlier allows attackers to
bypass a sandbox protection mechanism via vectors involving errorhandler
setup. NOTE: this issue exists because of an incomplete fix for
CVE-2018-17183.
- CVE-2018-18284: Artifex Ghostscript 9.25 and earlier allows attackers to
bypass a sandbox protection mechanism via vectors involving the 1Policy
operator.
- CVE-2018-19409: An issue was discovered in Artifex Ghostscript before
9.26. LockSafetyParams is not checked correctly if another device is
used.
- CVE-2018-19475: psi/zdevice2.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because available
stack space is not checked when the device remains the same.
- CVE-2018-19476: psi/zicc.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because of a
setcolorspace type confusion.
- CVE-2018-19477: psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because of a
JBIG2Decode type confusion.
For more details, see the release notes:
https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e52b02677a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
