There is no host-libssh in Buildroot, avoid qemu build system
to find libssh from the host.
Under certain circumstances (host distribution, openssl version), the
qemu-system binary fail to start:
host/bin/qemu-system-aarch64: symbol lookup error: /lib64/libssh.so.4: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
$ ldd output/host/bin/qemu-system-aarch64
[...]
libssh.so.4 => /lib64/libssh.so.4
Explicitely disable libssh for the host variant.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0c4a80c7c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Without a source for randomness, qpdf will crash with 'no such file'
error. It's can me tested by command like 'qpd some_pdf.pdf -'.
This problem breaks cups printing.
This patch change configure options to '--with-random=/dev/urandom'
Signed-off-by: Alexey Lukyanchuk <skif@skif-web.ru>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 69dfbbd33b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- ChangeLog:
- compression bomb protection
- memory handling issue found by Oss-Fuzz
- improve handling of anomalies in traffic
- Drop first patch (already in version)
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b3d5194696)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit b80712a16a ("configs/odroidc2:
remove the defconfig") has removed the odroidc2 defconfig, but left
behind a number of files in board/hardkernel/odroidc2, which are now
unused. Let's remove them.
Signed-off-by: Dagg Stompler <daggs@gmx.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 197da62866)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- I fixed build problems on cups and cups-filters but don't use them.
- gtest, libpam-radius-auth, libpam-tacplus and perl-file-util were
used in my previous job. I don't have access to the packages that
use them neither to the corresponding test infrastructure anymore.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1c3ffaed57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Back in 2014, about 6 years ago now, in my infinite wisdom, I
decided that extracting the tzdata source was not necessary for
the target variant, because we would be installing the files
generated by the host variant, in commit 7aad5daa5d (package/tzdata:
only compile the zoneinfo once).
However, that did not account for the fact that we would eventually
like to have the licensing information for tzdata, later added in
2019, in commit 60889ccdf0 (package/tzdata: bump to version 2019b).
However, that last comit only added the license file to the host
variant, without explanations why that was so. It turns out that the
reason it was not added to the target variant is, probably, that he
source code for the target variant is not extracted, and thus saving
the license file fails.
But we really want the license file for what goes on into the target.
So, do extract the source code for the target variant, even if only to
get the license file.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Richard Braun <rbraun@sceen.net>
Cc: Martin Bark <martin@barkynet.com>
Cc: Christopher McCrory <chrismcc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5c0c4861be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Alexander Dahl <post@lespocky.de>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2f976c31b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Alexander Dahl <post@lespocky.de>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7656cae01e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a minor release which provides fixes for CVE-2020-11793,
CVE-2020-3887, CVE-2020-3894, and CVE-2020-3899.
Updating from 2.28.0 also brings a few rendering fixes, a build fix
on MIPS64, a build fix for GStreamer 1.12, and solves a couple of
crashes. The full release notes covering 2.28.1 and 2.28.2 can be
found at:
https://webkitgtk.org/2020/04/13/webkitgtk2.28.1-released.htmlhttps://webkitgtk.org/2020/04/24/webkitgtk2.28.2-released.html
A detailed security advisory can be found at:
https://webkitgtk.org/security/WSA-2020-0004.html
Note that the above does not cover all the CVEs, and a new advisory
including them is expected to be published in the next days.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 080f4251ad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a minor release which provides fixes for CVE-2020-11793,
CVE-2020-3887, CVE-2020-3894, and CVE-2020-3899.
Updating from 2.28.0 also brings a few rendering fixes, a build fix
on MIPS64, a build fix for GStreamer 1.12, and solves a couple of
crashes. The full release notes covering 2.28.1 and 2.28.2 can be
found at:
https://wpewebkit.org/release/wpewebkit-2.28.1.htmlhttps://wpewebkit.org/release/wpewebkit-2.28.2.html
A detailed security advisory can be found at:
https://wpewebkit.org/security/WSA-2020-0004.html
Note that the above does not cover all the CVEs, and a new advisory
including them is expected to be published in the next days.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e028d52b7e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mesa3d-headers is a little bit special: it uses the same sources as
the mesa3d package, named just 'mesa' upstream. mesa uses the meson
buildsystem, an that is what we use in the mesa3d package.
However, mesa3d-headers does not install the whole of mesa; it only
installs a select set of headers for those binary blobs that do not
provide them.
mesa does not provide such a feature (only installing headers) with
its meson buildsystem. As a consequence, we've made mesa3d-headers a
generic package, that basically only copies headers over.
Additionally, mesa3d-headers also provides the dri.pc file for when
Xorg is enabled; see 7468b60e7c (package/mesa3d-headers: also install
dri header and .pc file).
We used to manually generate that file from a .in template that was
present in mesa source code at the time it was still using autotools.
But when they switched over to using meson, the template was dropped
[0], and the dri.pc is now entirely generated using meson internals
[1].
So we now have no template present in the source code, so we must
come up with our own. This simplifies the replacement pattern to
just inject the version string.
[0] https://cgit.freedesktop.org/mesa/mesa/commit/?id=158758618264eac113025a86a360dc305ed4498b
[1] https://cgit.freedesktop.org/mesa/mesa/tree/src/mesa/drivers/dri/meson.build?h=19.2#n93
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Tested-by: Vincent Fazio <vfazio@xes-inc.com>
[yann.morin.1998@free.fr:
- entirely rework the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9014c21cac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
paho-mqtt-c by default enables the building of test materials and
install of CPack documentation:
PAHO_ENABLE_TESTING - "Build tests and run"
PAHO_ENABLE_CPACK - "Enable CPack"
Let's disable these to save a couple megabytes and time. This is
in keeping with the generic settings in pkg-cmake.mk.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5686d69eef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When 4bcc344464 was applied, it was not
noticed that 96dc6701af (from another
contributor) had already been
applied. 4bcc344464 essentially did the
same thing as 96dc6701af, except it also
disable zstd support explicitly in the host-libarchive package.
Let's drop the part of 4bcc344464 that
duplicates 96dc6701af.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 37e853d63c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When booting with 'console=<empty>' in the kernel command line (as e.g.
U-Boot does with silent flags in effect), opening /dev/console fails.
As per POSIX [0], when iany redirection fails, the shell running exec
shal exit in error. So, when 'console=<empty>' is specified.
/dev/console can't be opened, and the redirection fails, and /init is
killed.
That behaviour was fixed on the kernel side with commit 2bd3a997befc2
(Open /dev/console from rootfs), present since 2.6.34, released in May
2010, so any [dr]ecent kernel will have that fix.
Furthermore, busybox will fix things up anyway (in bb_sanitize_stdio()),
falling back to opening /dev/null if no console is availble. systemd
does a similar thing (in make_console_stdio()), and sysvinit again has
a similar approach (in console_init()).
The archealogy search turned up those relevant commits:
2011-08-04 10a130f91e initramfs/init: make sure that 0, 1, 2 fds are available
introduces the three exec redirections in initramfs
2011-09-06 3fac21ef8d cpio: fix boot with dynamic /dev
introduces the three exec redirections in cpio
2011-09-06 13a3afc536 fs/initramfs: refactor with fs/cpio
dropped the initramfs tweaks to reuse the cpio ones
2012-11-04 e1ebae700a fs/common: Create initial console device
introduces the /dev/console char,5,1 pseudo device creation in
cpio
2018-03-31 dec061adce fs/cpio: don't extend packages' permissions table
switched from the permission-table to a manual mknod to create
/dev/console
The redirections were added before we could guarantee there was a
/dev/console in the rootfs.
We're now guaranteed to have /dev/console in an initramfs, and any recent
kernel will automatically open /dev/console before spawning /init.
The three redirections are useless now, and cause harm under certain
conditions. Drop them.
[0] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_20_01
Signed-off-by: Timo Ketola <timo.ketola@exertus.fi>
Cc: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr:
- extend commit log with the analysis done with Peter
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 98a6f1fc02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The reason why the external wireguard kernel module is not allowed with
kernel headers >= 5.6 is that wireguard is included in the upstream kernel
since 5.6 rather than some kind of (fixable) incompatibility issue. Adjust
the comment to make that clear.
While we're at it, drop the redundant !5.6 dependency on the kernel headers
dependency comment. If headers are older than 3.10, then they are also
older than 5.6, so the statement is redundant.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 74a865b1fc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since wireguard is built into kernels 5.6 and later we can't build
wireguard-linux-compat on them, so we need to depend on
!BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_6.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit da5afc10a4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Latest version of Apache introduce a new apxs with a slightly modified
path handling logic. In order to simplify the crosscompilation, the
software removes the common prefix from bin install dir and build
install dir, but for this to work they both should have a common prefix.
So we introduce a new regexp to fix /usr/bin to staging dir, the regexps
are also fixed to replace only the exact path between double quotes, to
avoid replacing the she-bang line.
Fixes:
http://autobuild.buildroot.net/results/c41f31566974209897a3a1ec35afe2536fb248cchttp://autobuild.buildroot.net/results/b93f19976ce96e79ea159c25ed74a7377c78f334
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[yann.morin.1998@free.fr:
- add the last few words about the she-bang blurb
- do not use quotes in the existing /sur/bin regexp
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit aa04edab77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-jedi bundles its own copy of typeshed since version 0.14.0 and
7d2b7bb3c1
So add it to the license files (and update indentation of hash file to
two spaces while at it)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab98c1ffb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Notice: 5.5.x is now EOL, so should be dropped at the next version bump.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: drop 5.5.x / 5.6.x bump]
(cherry picked from commit 72a6e50da9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Several directories and files are currently not installed during the
target installation, these include:
- conf
Several configuration files, including security configuration files which
may be necessary for running various java applications.
- legal
This directory contains legal notices that some java applications may
require, as they may print legal information and will throw exceptions at
runtime if the legal files are not present on the system.
- release
This file contains a list of modules included in the image.
Because these directories take up less than of megabyte extra, it is not an
issue to install all of them.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Reviewed-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Tested-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 63b576095b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, Buildroot installs the jre libraries using
cp -dprf /build/linux-*-release/images/jre/lib/* $(TARGET_DIR)/usr/lib/
However, if a system has a merged /usr directory, and there is a built kernel
before installing OpenJDK, the installation fails because jre/lib has binary
modules file, which causes the following error: cp: cannot overwrite directory
'/usr/lib/modules with non-directory
The obvious fix is to install the modules to /usr/lib/jvm/ and set the
appropriate rpaths via the --with-extra-ldflags conf option. However, this fix
does not work because the built binaries themselves do not link against
libjava.so
Indeed, running readelf on the built java binary reports the following:
"(RUNPATH) Library runpath: [/usr/lib/jvm]" and /usr/lib/jvm/libjava.so exists.
However, when running the Java binary on the target, the following error
occurs: "Error: could not find libjava.so."
The following is the result of "strace java" ran on the target:
faccessat(AT_FDCWD, "/usr/lib/libjava.so", F_OK) = -1 ENOENT
faccessat(AT_FDCWD, "/usr/jre/lib/libjava.so", F_OK) = -1 ENOENT
newfstatat(AT_FDCWD, "/usr/lib/libjava.so", 0x7ffe7b4af8, 0) = -1 ENOENT
newfstatat(AT_FDCWD, "/usr/lib/jvm/libjli.so", [sic] AT_SYMLINK_NOFOLLOW) = 0
As seen above, the java binary searches for libjli.so in /usr/lib/jvm,
which demonstrates that the java binary searches for some of the
DT_NEEDED libraries using the correct rpath. But libjava.so is not
searched from the rpath; it is instead dl-opened manually, looked for in
the search paths hardcoded to the following directories:
- /usr/lib/
- /usr/jre/lib/
- $(dirname $0)/../lib/
The reason behind the hardcoded paths given by the maintainers is due to
historical purposes for the need to support several java versions at the
same time on a single system, and that changing the above behavior is not
likely to ever happen.
As such, most distributions such as Redhat do the following:
- Create the directory /usr/lib/jvm/java-$(JAVA_VERSION)/
- Install all directories and files found in images/jre to that directory.
- Symlink the binaries to in /usr/lib/jvm/java-$(JAVA_VERSION)/bin to
/usr/bin.
However, because Buildroot does not need to support multiple versions of java
concurrently, there is no need for the additional java-$(JAVA_VERSION)
directory.
To fix the above issue, the following changes are performed:
- Introduce the variable "OPENJDK_INSTALL_BASE" which points to /usr/lib/jvm
- Set the --with-extra-ldflags conf_opt to
"-Wl,-rpath,$(OPENJDK_INSTALL_BASE)/lib,-rpath,
$(OPENJDK_INSTALL_BASE)/lib/$(OPENJDK_JVM_VARIANT)"
- Run "mkdir -p $(TARGET_DIR)/usr/lib/jvm/" in the INSTALL_TARGET_CMDS step.
- Copy both the lib and bin directories to /usr/lib/jvm/
- Symlink the binaries in /usr/lib/jvm/bin/ to /usr/bin.
Fixes: https://bugs.busybox.net/show_bug.cgi?id=12751
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Reviewed-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Tested-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
[yann.morin.1998@free.fr: fix two remaining mis-placed '/']
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3edb915709)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prior to commit 4102db0f7a ("package/libglib2: bump to version 2.60.3")
which converted libglib2 to meson, Buildroot used to set a range of
autoconf options to bypass tests that require running binaries.
The meson version of libglib2's build system has many fewer of these
checks, but there are still some and these can be fed the "correct"
answer by adding properties to cross-compilation.conf.
Add the necessary properties to indicate that we have C99 compliant
print functions to avoid pulling in the gnulib fallback.
Signed-off-by: John Keeping <john@metanate.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4f91198f0d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes CVE-2020-1967:
Server or client applications that call the SSL_check_chain() function during
or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this
issue. This issue did not affect OpenSSL versions prior to 1.1.1d.
See https://www.openssl.org/news/secadv/20200421.txt
Also update the hash file to the new two spaces convention
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 849aee4f88)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
