If tty_handler() resets terminal while pkttyagent is run in background job,
the process gets stopped by SIGTTOU. This impacts systemctl, hence it must
be blocked for a while and then the process gets killed anyway.
Upstream commit: 28e3a6653d8c3777b07e0128a0d97d46e586e311
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0d749be3e1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch fixes two small memory leaks.
Upstream commit: 28e3a6653d8c3777b07e0128a0d97d46e586e311
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ba70e29fea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The default installed service file is missing a target, which causes preset-all
to not enable the service.
Add the service file to package/polkit with the addition of:
[Install]
WantedBy=multi-user.target
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3f885d9dfe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
0001-make-netgroup-support-optional.patch patches configure.ac, but we
don't autoreconf the package, which is not good.
However, simply adding AUTORECONF = YES is not sufficient: polkit
Makefile.am use the automake conditional HAVE_INTROSPECTION, which is
"available" only when the gobject-introspection m4 file is installed.
Since we don't want to make gobject-introspection a mandatory
dependency of polkit, we take a simpler route: add a copy of
introspection.m4 into the polkit source tree. This is only a 142 lines
file, and it can be dropped when
0001-make-netgroup-support-optional.patch is merged upstream.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8edcb84730)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The help text was wrong, as it didn't match the actual default values
we were specifying. Indeed, when we specify:
default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
It means that the policy version 30 is supported starting from Linux
4.3 included, and that 31 is supported from Linux 4.13 included.
So we shouldn't have:
> 4.3 <= 4.13 30
> 4.13 31
but:
>= 4.3 < 4.13 30
>= 4.13 31
This patch fixes that for all versions.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67d7705a9a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
EXT_SUFFIX in Python versions > 3.5 contains a platform tag which only applies
to cpython extensions. Given that ctypes.util.find_library does not work on the
target due to the absence of the underlying tools '.so' needs to be added as a
possible suffix for libraries to enable python-iptables to find the iptables
shared libraries.
Signed-off-by: Frank Vanbever <frank.vanbever@essensium.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 52276cdda3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
ctypes.util.find_library() depends on gcc and friends to detect the location of
a given shared library. Given that these are not available on the target and
that python-iptables depends on this functionality we need to work around this.
The SONAMEs of the libc are well known so we try the known ones for glibc,
uClibc and musl.
Fixes: https://bugs.busybox.net/show_bug.cgi?id=12271
Signed-off-by: Frank Vanbever <frank.vanbever@essensium.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 90c18ab269)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-10932: fix side channel in ECC code that allowed an
adversary with access to precise enough timing and memory access
information (typically an untrusted operating system attacking a
secure enclave) to fully recover an ECDSA private key.
- Fix a potentially remotely exploitable buffer overread in a DTLS
client when parsing the Hello Verify Request message.
- Fix bug in DTLS handling of new associations with the same parameters
(RFC 6347 section 4.2.8): after sending its HelloVerifyRequest, the
server would end up with corrupted state and only send invalid records
to the client. An attacker able to send forged UDP packets to the
server could use that to obtain a Denial of Service. This could only
happen when MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE was enabled in
config.h (which it is by default).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5704f8869)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, exim stores its PID file in /var/spool/exim, and its log
file in /var/spool/exim/log, but it makes a lot more sense to have the
logs in /var/log/exim and the PID file in /var/run/exim.
Using binary name subdirectory in both cases allows for the use of
systemd's LogsDirectory and RuntimeDirectory statements
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 754341460b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The released libssh package does wrongly reports the previous version.
This patch fixes the version field in the lib.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a7db921da5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2020-1730: Possible DoS in client and server when handling
AES-CTR keys with OpenSSL.
Format hash file with two spaces delimiter.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6b8a47e292)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is no reason to create boot.scr in board/udoo/neo and later
install it in TARGET_DIR/boot, leaving a stale file behind.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2306339d1f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is no reason to create boot.scr in board/solidrun/mx6cubox and
later install it in TARGET_DIR/boot, leaving a stale file behind.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9ddbd11620)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is no reason to create boot.scr at board/wandboard and later
install it at TARGET_DIR/boot, leaving a stale file behind.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f14e95b3ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Unlike the other libraries built by azure-iot-sdk-c, libumqtt follows
a regular versioning scheme. It has a libumqtt.so.1 SONAME, with
libumqtt.so.1 being a symlink to libumqtt.so.1.1.11.
However, we currently install the library itself as libumqtt.so to the
target filesystem, which is not its SONAME, which means it cannot be
found by any other library/program linked against it.
This commit fixes that by installing the library as
libumqtt.so.1.1.11, and creating the appropriate symlinks. The static
library installation is not modified.
Signed-off-by: Stephan Hoffmann <stephan.hoffmann@ext.grandcentrix.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 570dd0c31b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As a preparation for adding the creation of some symlinks, let's
factor the library installation into a function.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 43822bb6db)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The canonical way to use $(INSTALL) is to have a full destination
path, that includes the file name.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 59de11b047)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The original pattern for creating the pid file was:
open_create(pid_file)
write(pid_file, pid)
close(pid_file)
But if a power outage occurs between open_create and write, the file will
be empty and httpd will refuse to start afterwards unless the corrupt pid
file is removed.
This patch uses the pattern:
open_create(temp_pid_file)
write(temp_pid_file)
close(temp_pid_file)
rename(temp_pid_file, pid_file)
which is guaranteed to be atomic, provided that temp_pid_file and pid_file
are located in the same file system, which this patch does by creating
a temporary file name with the pattern:
pid_file_name + random_suffix
Patch is upstream as of
dd10a9352e,
which will be in the next 2.5.x version.
Signed-off-by: Nicolas Carrier <nicolas.carrier@orolia.com>
[Thomas: update to use upstreamed patch.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67fbb903b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
*) SECURITY: CVE-2020-1934 (cve.mitre.org)
mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
server. [Eric Covener]
*) SECURITY: CVE-2020-1927 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
matches and substitutions with encoded line break characters.
The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
The LICENSE file has been updated to fix a s/waranties/warranties/ typo, so
update the hash to match and adjust the spacing to match recent agreements:
-This software is provided "as is" and any express or implied waranties,
+This software is provided "as is" and any express or implied warranties,
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2bf40ad66b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch adds @CMAKE_SYSROOT@ to mariadb_config.c.in. Without it,
mariadb_config and mysql_config incorrectly returns host paths for
include paths and library paths.
The patch has been accepted upstream at
b787c0d69c
Reported-by: Alexey Lukyanchuk <skif@skif-web.ru>
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 905e4f2890)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream libmad is dead since 2004 so switch to debian package to get
two patches that fix the following CVEs:
- CVE-2017-8372: The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to
cause a denial of service (assertion failure and application exit)
via a crafted audio file.
- CVE-2017-8373: The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have
unspecified other impact via a crafted audio file.
- CVE-2017-8374: The mad_bit_skip function in bit.c in Underbit MAD
libmad 0.15.1b allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted
audio file.
Moreover:
- Remove third patch (replaced by optimize.diff debian patch)
- Remove fourth patch (same patch than
Provide-Thumb-2-alternative-code-for-MAD_F_MLN.diff)
- Remove fifth patch (same patch than libmad.thumb.diff)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 858df3643f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since switch to debian in commit
210ccaef57, host-gperf is needed to
generate frametype.c because debian/patches/add-m4-directory.patch
patches Makefile.am. As a side effect, libid3tag tries to generate
frametype.c from frametype.gperf due to following rule:
$(srcdir)/frametype.c: $(srcdir)/frametype.gperf Makefile.am
cd $(srcdir) && \
gperf -tCcTonD -K id -N id3_frametype_lookup -s -3 -k '*' \
frametype.gperf | \
sed -e 's/\(struct id3_frametype\);/\1/' | \
sed -e '/\$$''Id: /s/\$$//g' >frametype.c
If host-gperf is not available, frametype.c will be empty and build with
madplay will fail on:
configure:17243: checking for snd_pcm_open in -lasound
configure:17268: /home/giuliobenetti/autobuild/run/instance-3/output-1/host/bin/powerpc64-linux-gcc -o conftest -Wall -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=1 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c -lasound -L/home/giuliobenetti/autobuild/run/instance-3/output-1/host/bin/../powerpc64-buildroot-linux-gnu/sysroot/usr/lib -lasound -L/home/giuliobenetti/autobuild/run/instance-3/output-1/host/bin/../powerpc64-buildroot-linux-gnu/sysroot/usr/lib -lid3tag >&5
/home/giuliobenetti/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/powerpc64-buildroot-linux-gnu/8.3.0/../../../../powerpc64-buildroot-linux-gnu/bin/ld: /home/giuliobenetti/autobuild/run/instance-3/output-1/host/bin/../powerpc64-buildroot-linux-gnu/sysroot/usr/lib/libid3tag.so: undefined reference to `id3_frametype_lookup'
Fixes:
- http://autobuild.buildroot.org/results/15a8c7f6e34b26446179c04383719ea71495403e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7ecd0e4edf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream libid3tag is dead since 2004 so switch to debian to get two
patches that fix the following CVEs:
- CVE-2004-2779: id3_utf16_deserialize() in utf16.c in libid3tag
through 0.15.1b misparses ID3v2 tags encoded in UTF-16 with an odd
number of bytes, triggering an endless loop allocating memory until
an OOM condition is reached, leading to denial-of-service (DoS).
- CVE-2017-11550: The id3_ucs4_length function in ucs4.c in libid3tag
0.15.1b allows remote attackers to cause a denial of service (NULL
Pointer Dereference and application crash) via a crafted mp3 file.
- CVE-2017-11551: The id3_field_parse function in field.c in libid3tag
0.15.1b allows remote attackers to cause a denial of service (OOM)
via a crafted MP3 file.
Moreover, drop patch (replaced by add-m4-directory.patch debian patch)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 210ccaef57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The DTLS support needs either gnutls or openssl, so let's have these
packages as optional dependencies. We prefer gnutls over openssl as
done by upstream in their configure.ac when the user does not provide
any option (which is the case currently)
While there is support for tinydtls, and Buildroot has a tinydtls
package, libcoap is only able to use its own internal library, and
only when static linking is enabled, so we simply disable the use of
tinydtls altogether.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8b14f6b49b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since there is a variable definition between the definition of
BR2_PACKAGE_JPEG and the choice depending on it, the choice is
not indented bewlo the "jpeg support" prompt, like we like to
have:
[*] jpeg support
jpeg variant (jpeg-turbo) --->
Move the BR2_PACKAGE_JPEG right before the choice (really, move
BR2_PACKAGE_JPEG_SIMD_SUPPORT before BR2_PACKAGE_JPEG, but diff
finds the move of BR2_PACKAGE_JPEG is smaller to display):
[*] jpeg support
jpeg variant (jpeg-turbo) --->
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7a48ac725f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit 2cc2ae83fc, kodi-pvr-vuplus
has a dependency on json-for-modern-cpp, but the dependency of
json-for-modern-cpp on gcc >= 4.9 was not propagated. Let's fix that.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 76c2914703)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 9cae8f557b introduced an optional
dependency on GPM, but got the name of the option wrong, and used
GMP. In fact, even the commit title was wrong.
This causes a build failure:
Makefile:578: *** gpm is in the dependency chain of mc that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in. Stop.
Fixes:
http://autobuild.buildroot.net/results/52fb92ae7dd55cba7d19862bb6cd89c80da9a4b6/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 52d10583b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
