systemd's configure is looking in $PATH to find utilities that will be
needed at runtime.
Usually, those utilties, when installed on the host, will be found in
the same path they would be present on the target. For example,
/usr/bin/mount on the host would also be /usr/bin/mount on the target,
and all is find.
Except when we need to install a host variant of util-linux, which will
install mount in $(HOST_DIR), in which case systemd's configure would
find that one.
Of course, it is also very well possible that those utilities are not
installed on the host in the same location they would be on the target,
in case a user has manually installed some of those (e.g. in /usr/local/
or in /opt/)
Forcibly set the path to those utilities, as they are expected to be on
the target.
For kexec, we can set it even though we do not depend on it (yet).
systemd will appropriately test it at runtime.
For quota, we point to non-existing files, so as to catch errors at
runtime. It is to be noted that quotacheck is optional, while quotaon
does not seem to be (a service file is always installed, that uses it).
Note: utilties listed in the order they appear in configure.ac
Reported-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 68986ea301)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-0376: Fix a remotely triggerable assertion failure caused by
receiving a BEGIN_DIR cell on a hidden service rendezvous circuit.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9bf22d3e80)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As can be seen in linux/arch/powerpc/include/uapi/asm/termbits.h are
defined as (note that those are octal numbers):
\#define TABDLY 00006000
\#define CSIZE 00001400
\#define CRDLY 00030000
which gives shifts of 10, 8 and 12. Adjust socat.mk accordingly to
reflect that difference.
Signed-off-by: Mark Hinds <zoronic@gmail.com>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit a52896f755)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In 4c10eedc1 (systemd: enable required kernel features), we added
setting a few required kernel features to ensure systemd works.
However, there was a typo for one of the variables: CONFIG_TMPFS_XATTR
was written as CONFIG_TMPFS_POSIX_XATTR, which does not exist (and never
ever existed, at least not since 2.6.12)...
Reported-by: Michael Heinemann <posted@heine.so>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Cc: Michael Heinemann <posted@heine.so>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b0fc65a11b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 039f7d0d2f (nodejs: bump 6.x version to 6.10.2) bumped the 6.x
version but forgot to rename the patch directory, so the patches were no
longer used.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes
sdksyms.c:311:15: error: expected expression before »,« token
(void *) &, /* ../../include/os.h:96 */
by backporting an upstream patch, sdksyms.c is generated by
hw/xfree86/sdksyms.sh which is broken when used with gcc5+.
Problem was found while testing
http://patchwork.ozlabs.org/patch/762102/
using this defconfig
BR2_TOOLCHAIN_BUILDROOT_WCHAR=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XSERVER_XORG_SERVER=y
BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_14=y
BR2_PACKAGE_XDRIVER_XF86_INPUT_TSLIB=y
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 99058b2586)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Botan compiles all PowerPC code with AltiVec support and only determines
at runtime whether the CPU even supports it. If the target CPU uses the
older SPE extensions, though, this is too late; since SPE and AltiVec
are incompatible, gcc aborts the compilation. This patch explicitly
disables AltiVec support unless BR2_POWERPC_CPU_HAS_ALTIVEC is defined
Signed-off-by: Tobias Blass <tobias.blass@rohde-schwarz.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit e654839f9e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bash's malloc relies on sbrk which is implemented as a fail-only stub in
musl. Presently, it is disabled when configured for static
libs. Instead, default to using libc malloc.
Fixes:
# bash
bash: xmalloc: locale.c:81: cannot allocate 18 bytes (0 bytes allocated)
Signed-off-by: Daniel Sabogal <dsabogalcc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 43552504c8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-1000367 - Potential overwrite of arbitrary files on Linux
On Linux systems, sudo parses the /proc/[pid]/stat file to determine the
device number of the process's tty (field 7). The fields in the file are
space-delimited, but it is possible for the command name (field 2) to
include spaces, which sudo does not account for. A user with sudo
privileges can cause sudo to use a device number of the user's choosing by
creating a symbolic link from the sudo binary to a name that contains a
space, followed by a number.
If SELinux is enabled on the system and sudo was built with SELinux support,
a user with sudo privileges may be able to to overwrite an arbitrary file.
This can be escalated to full root access by rewriting a trusted file such
as /etc/shadow or even /etc/sudoers.
For more details, see: https://www.sudo.ws/alerts/linux_tty.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fddb760946)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The external toolchain code has some logic to calculate the correct name
for the dynamic linker symbolic link that needs to be created when the
musl C library is being used. There was already some handling for the
mipsel+soft-float case, but not for the mips+soft-float case. Due to
this, the symbolic link was incorrectly named, and programs were
referencing an non-existing file.
Reported-by: Florent Jacquet <florent.jacquet@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit a6a4a8b2ef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7650: Two errors in the "asn1_find_node()" function
(lib/parser_aux.c) within GnuTLS libtasn1 version 4.10 can be exploited to
cause a stacked-based buffer overflow by tricking a user into processing a
specially crafted assignments file via the e.g. asn1Coding utility.
For more details, see:
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-11/
Or the 1.4.11 release mail (no mail about 1.4.12, but identical to 1.4.11 +
a soname fix):
https://lists.gnu.org/archive/html/help-libtasn1/2017-05/msg00003.html
Remove 0001-configure-don-t-add-Werror-to-build-flags.patch and autoreconf
as that patch is now upstream.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2fb7cbeb74)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7650: Pattern based ACLs can be bypassed by clients that set
their username/client id to ‘#’ or ‘+’. This allows locally or remotely
connected clients to access MQTT topics that they do have the rights to.
The same issue may be present in third party authentication/access control
plugins for Mosquitto.
For more details, see:
https://mosquitto.org/2017/05/security-advisory-cve-2017-7650/
Remove 0001-Remove-lanl-when-WITH_ADNS-is-unset.patch as that patch is now
upstream.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9e9dee2534)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- This version requires a patch (sent upstream) to remove -lanl from
all Linux builds as this library is only needed for adns support
- sha512 must be computed locally as eclipse.org does not give it for
this version
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d098e18d14)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a number of security issues: CVE-2017-7607, CVE-2017-7608,
CVE-2017-7609, CVE-2017-7610, CVE-2017-7611, CVE-2017-7612, CVE-2017-7613.
Rebase patches, and convert to git format.
Remove --disable-werror; unrecognized configure option.
Use upstream provided hash.
Cc: Stefan Fröberg <stefan.froberg@petroprogram.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 27e0626e99)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported by Bernd [1], using POST_EXTRACT to copy
linux_syscall_support.h break the legal-info target when
google-breakpad package is selected:
/usr/bin/install: cannot stat '/home/bernd/buildroot/buildroot/output/ost/usr/i586-buildroot-linux-uclibc/sysroot/usr/include/linux_syscall_support.h': No such file or directory
This is because linux_syscall_support.h is installed by a dependency
of google-breakpad, and dependencies are only guaranteed to be
available for the configure step of a package. To fix this, we use a
PRE_CONFIGURE hook instead of POST_EXTRACT hook.
[1] http://lists.busybox.net/pipermail/buildroot/2017-May/192844.html
Reported-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 557f8d649d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
