The host-mxsldr package was missing a hash file, add it now.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fefcfddc5e6a265c66adbdff615558f99133f148)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
MiniZip in zlib through 1.3 has an integer overflow and resultant
heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
filename, comment, or extra field. NOTE: MiniZip is not a supported part
of the zlib product.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de7bc4ada2ab5ef2e4094934acd5271c0aca19a1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 0b9efc991f ("linux: use BR2_MAKE") switched LINUX_MAKE to
$(BR2_MAKE) to avoid a build issue with kernel version >= 6.2 and GNU
Make version < 3.82. However, the same issue applies to kernel
modules as well.
Using $(BR2_MAKE) should guarantee a consistent behavior between
kernel and kernel-modules builds.
Signed-off-by: Alexey Romanov <avromanov@sberdevices.ru>
Signed-off-by: Sergey Bobrenok <SIBobrenok@sberdevices.ru>
[yann.morin.1998@free.fr: minor coding style]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 75fa573ef9336b57d1cfb86bfcaaed4872f64ac6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator
Following the fix for CVE-2019-14232, the regular expressions used in the
implementation of django.utils.text.Truncator’s chars() and words() methods
(with html=True) were revised and improved. However, these regular
expressions still exhibited linear backtracking complexity, so when given a
very long, potentially malformed HTML input, the evaluation would still be
slow, leading to a potential denial of service vulnerability.
The chars() and words() methods are used to implement the truncatechars_html
and truncatewords_html template filters, which were thus also vulnerable.
The input processed by Truncator, when operating in HTML mode, has been
limited to the first five million characters in order to avoid potential
performance and memory issues.
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
commit 21d52e52d8de (package/pkg-utils.mk: break hardlinks in global
{TARGET, HOST}_DIR on per-package build) was recently reverted, so we
are back to a situation where it is possible for packages and post-build
scripts to modify files in-place, and thus impact files in any arbitrary
per-package directory, which may break things on rebuild for example.
21d52e52d8de was too big a hammer, but we can still apply the reasoning
from it, to the aggregation of the final target and host directories.
This solves the case for post-build scripts at least. We leave the case
of inter-package modification aside, as it is a bigger issue that will
need more than just copying files around.
We use --hard-links, so that hard-links in the source (the PPD), are
kept as new hard-links (i.e. "copy" of hard-links) in the destination.
This contributes to limiting the size of target/.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Herve Codina <herve.codina@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Herve Codina <herve.codina@bootlin.com>
(cherry picked from commit 23edf9837c93445ff32db718b1ab6b0baa32c7a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 21d52e52d8de (package/pkg-utils.mk: break hardlinks in global
{TARGET, HOST}_DIR on per-package build) stopped hardlinking the source and
destination when rsyncing per-package directories, on the rationale that
modifying files in-place after the rsync would also modify the original
file, and that breaks foo-rebuild and can cause issues with post-build
scripts.
However, what 21d52e52d8de did not envision, is that copying instead of
hard-linking has two nasty side effects:
- the size of the build directory increases with the number
of packages and with the depth of the dependency chains for those
packages: a (relatively small) build that was previously totalling
~13GiB in output/, now totals north of 122GiB, an almost 10-time
increase;
- the build time increases, as it takes more time to read+write files
than it takes to create a new link to a file; the same build saw an
increase of build time from 5min 10s to 7min 30s, a 45% increase.
These regressions are both serious, so revert the change; we'll come up
with a stopgap measure in follow-up commits.
This reverts commit 21d52e52d8dee0940d28b3a38551eb183be37813.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Herve Codina <herve.codina@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Herve Codina <herve.codina@bootlin.com>
(cherry picked from commit 8f1487d6fa4cde5330f73e2432c264c0bd7940c6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
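Added example (not part of the commit messages above or of Buildroot's code): a shell demo of the trade-off the two preceding commits describe, hard-linking versus copying when a target directory is aggregated from a per-package directory. The directory and file names are constructed, and a tar pipe stands in for rsync --hard-links (an assumption, so the demo runs without rsync).

```shell
#!/bin/sh
# Constructed demo: ppd/ stands in for a per-package directory and target/ for
# the aggregated final directory. All names here are illustrative.

# Create a per-package directory holding one file plus a second hard link to it.
make_ppd() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/ppd/etc"
    echo "original" > "$work/ppd/etc/app.conf"
    ln "$work/ppd/etc/app.conf" "$work/ppd/etc/app.conf.alias"
    echo "$work"
}

# Aggregation by hard-linking: target/ shares the inode with ppd/.
aggregate_link() {
    mkdir -p "$1/target/etc" && ln "$1/ppd/etc/app.conf" "$1/target/etc/app.conf"
}

# Aggregation by copying. The tar pipe is an assumed stand-in for
# "rsync --hard-links": data is copied, links inside the source stay links.
aggregate_copy() {
    mkdir -p "$1/target" && (cd "$1/ppd" && tar cf - .) | (cd "$1/target" && tar xf -)
}

# Simulated post-build script step: append to a file under target/ in place.
post_build_edit() { echo "patched" >> "$1/target/etc/app.conf"; }

# Did the in-place edit leak back into the per-package original?
ppd_state() {
    if grep -q patched "$1/ppd/etc/app.conf"; then echo modified; else echo intact; fi
}

# Hard-link count of the file in target/ (second field of ls -l).
target_links() { ls -l "$1/target/etc/app.conf" | awk '{print $2}'; }

run_case() {  # $1 = link | copy
    work=$(make_ppd) || return 1
    "aggregate_$1" "$work"
    post_build_edit "$work"
    echo "$(ppd_state "$work") links=$(target_links "$work")"
    rm -rf "$work"
}

run_case link   # modified links=3: the edit reached the per-package original
run_case copy   # intact links=2: isolated, and the alias is still a hard link
```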
Fixes: 487761a5b2 ("package/xdg-dbus-proxy: bump to version 0.1.5")
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d4fc46f751c7cb3db3f4cbef10f67e5ab3d90135)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with gcc >= 13:
In file included from ../src/compressor.c:3:
../src/compressor.h:59:59: error: unknown type name 'size_t'
59 | int compressor_input(CompressorContext *c, const void *p, size_t sz);
| ^~~~~~
../src/compressor.h:19:1: note: 'size_t' is defined in header '<stddef.h>'; did you forget to '#include <stddef.h>'?
18 | #include "cacompression.h"
+++ |+#include <stddef.h>
19 |
Fixes:
- http://autobuild.buildroot.org/results/ab08f3b90d253db45643dd058b80ae1dd5f49d0f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 39e092a06ed79a98e3842f9d897c089a132eaa58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The relocate-sdk.sh script does not work correctly when
BR2_PER_PACKAGE_DIRECTORIES is enabled. relocate-sdk.sh expects
everything to point at $HOST_DIR, but each package will be pointing at
its $(O)/per-package/*/host.
Use the same command for scrubbing host paths during the build, to scrub
to the final host directory location.
Signed-off-by: Brandon Maier <Brandon.Maier@collins.com>
Acked-by: Charles Hardin <ckhardin@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 25e60fbe1cabb678952330a8d8d48efe7f8e5048)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes a typo by dropping off the spurious x in ensure.
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3381a084330e8f48785fb472e95c01d7a9602b36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
All tests passed in Debian 11 with the following command:
./support/testing/run-tests tests.init.test_systemd
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Acked-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1c6b1ee63f614a7480ad100aceb6f5e85353326f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following musl build failure raised since bump to version 5.9.4
in commit 868603755c16296ae2a61845891edeafc36e48ca:
large_fd_set.c: In function 'LFD_SET':
../include/net-snmp/net-snmp-config.h:1614:30: error: unknown type name 'unknown'; did you mean 'union'?
1614 | #define NETSNMP_FD_MASK_TYPE unknown
| ^~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/394ebf93621c33dc2ddf370297268e6de9de7c9a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dad81003c905c5fe33599c1676ed46108b512bc0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 0c82f3f635 (package/gcc: remove powerpc conditional patching
logic), the macro defining the conditional patch was removed, but it was
still referenced and expanded in the apply-patches hook.
Drop that now.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84cdd92f0172ccc49fd2c037caaf3a659a26194d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2023-39325: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and immediately
resets them can cause excessive server resource consumption. While the
total number of requests is bounded to the http2.Server.MaxConcurrentStreams
setting, resetting an in-progress request allows the attacker to create a
new request while the existing one is still executing.
go1.20.10 (released 2023-10-10) includes a security fix to the net/http
package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8c8ff426744d5c4977e06b1554185fde69a2f146)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6339e7f4132230e086a8efc5e266c21fbc3ef3c6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 688dcef3d7d2f72119320280dd63726787b1486b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a0cbea0e35ef6f62c0b073fd0724e02235921fc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3aff0c2cde63cc19ac8ea5ce50adfd19567f04b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 57fc4d90d07e00c2d49240d42141056c00fdfd6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 637cf8fdab953d7a77e640fbc10b63166c3b3b20)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>