Fixes the following security vulnerabilities:
- CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when
scanning a specially crafted email file as a result of excessively long
scan times. The issue is resolved by implementing several maximums in
parsing MIME messages and by optimizing use of memory allocation.
Similar to the 0.102.0 bump, building with the internal libmspack copy is
broken, so instead link against the system one.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Needed for upcoming clamav version bump to 0.102.0.
Package passed test-pkg:
andes-nds32 [ 1/44]: OK
arm-aarch64 [ 2/44]: OK
br-aarch64-glibc [ 3/44]: OK
br-arcle-hs38 [ 4/44]: OK
br-arm-basic [ 5/44]: OK
br-arm-cortex-a9-glibc [ 6/44]: OK
br-arm-cortex-a9-musl [ 7/44]: OK
br-arm-cortex-m4-full [ 8/44]: OK
br-arm-full [ 9/44]: OK
br-arm-full-nothread [10/44]: OK
br-arm-full-static [11/44]: OK
br-i386-pentium4-full [12/44]: OK
br-i386-pentium-mmx-musl [13/44]: OK
br-m68k-5208-full [14/44]: OK
br-m68k-68040-full [15/44]: OK
br-microblazeel-full [16/44]: OK
br-mips32r6-el-hf-glibc [17/44]: OK
br-mips64-n64-full [18/44]: OK
br-mips64r6-el-hf-glibc [19/44]: OK
br-mipsel-o32-full [20/44]: OK
br-nios2-glibc [21/44]: OK
br-openrisc-uclibc [22/44]: OK
br-powerpc-603e-basic-cpp [23/44]: OK
br-powerpc64le-power8-glibc [24/44]: OK
br-powerpc64-power7-glibc [25/44]: OK
br-powerpc-e500mc-full [26/44]: OK
br-riscv32 [27/44]: OK
br-riscv64 [28/44]: OK
br-sh4-full [29/44]: OK
br-sparc64-glibc [30/44]: OK
br-sparc-uclibc [31/44]: OK
br-x86-64-core2-full [32/44]: OK
br-x86-64-musl [33/44]: OK
br-xtensa-full [34/44]: OK
linaro-aarch64-be [35/44]: OK
linaro-aarch64 [36/44]: OK
linaro-arm [37/44]: OK
sourcery-arm-armv4t [38/44]: OK
sourcery-arm [39/44]: OK
sourcery-arm-thumb2 [40/44]: OK
sourcery-mips64 [41/44]: OK
sourcery-mips [42/44]: OK
sourcery-nios2 [43/44]: OK
sourcery-x86-64 [44/44]: OK
44 builds, 0 skipped, 0 build failed, 0 legal-info failed
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 22362af85a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The two helper programs TexturePackager and JsonSchemaBuilder are built
out of the same source tree as Kodi, so to avoid downloading the same
archive three times, let them share the same download directory.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ce9a16fdfe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A sub-component of Kodi (cpluff) needs to be autoreconf-ed, and uses
gettext, so calls to autopoint:
[ 2%] Performing autoreconf step for 'libcpluff'
autoreconf: Entering directory `.'
autoreconf: running: autopoint --force
Can't exec "autopoint": No such file or directory at [...]/host/share/autoconf/Auto4te/FileUtils.pm line 345.
autoreconf: failed to run autopoint: No such file or directory
autoreconf: autopoint is needed because this package uses Gettext
make[4]: *** [CMakeFiles/libcpluff.dir/build.make:121: build/cpluff/src/libcpluff-stamp/libcpluff-autoreconf] Error 1
make[3]: *** [CMakeFiles/Makefile2:615: CMakeFiles/libcpluff.dir/all] Error 2
Add a dependency to host-gettext to bring an appropriate variant that
provides autopoint (gettext-tiny's autopoint works like a charm, for
the curious).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d90fc22ee3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gettext-tiny also installs a fake autopoint, but it still needs to be
pointed at the m4 macros, which the template autopoint expects to be in
@datadir@, where datadir is the traditional autotools datadir, derived
from datarootdir, itself derived from prefix.
So, pass prefix so all the locations are properly pointing to HOST_DIR,
instead of the default /usr/local.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Vadim Kochan <vadim4j@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 75a257f45e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
neardal is licensed under LGPL-2.0, which is (most likely) not license
compatible with readline (GPL-3.0+), so always use the libedit backend.
The choice is done by ./configure, which first checks for libedit, and
uses readline only as a fallback. Since we do build libedit before
neardal, that's what is going to be picked up.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr:
- add blurb about preference in ./configure
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 93e9b5378d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
COPYING states LGPL-2.0, not GPL-2.0:
GNU LIBRARY GENERAL PUBLIC LICENSE
Version 2, June 1991
So use that for the license tag.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7387a50c30)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
{python-,}readline is (no longer) a required dependency of kodi, and
readline (GPL-3.0+) is not license compatible with kodi (GPL-2.0), so drop
the dependency.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6d588b718d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
oracle-mysql is licensed under GPL-2.0, which is not license compatible with
modern readline (GPL-3.0+), so instead use the bundled older version
(GPL-2.0+ licensed) of readline instead.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 11e75a7145)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
socat is licensed under GPL-2.0, which is not license compatible with
readline (GPL-3.0+), so drop the optional dependency and add a comment
explaining why.
This also matches how socat is packaged in Debian, where the man page has
the following snippet added:
READLINE
Uses GNU readline and history on stdio to allow editing and reusing input lines (example).
Due to licensing restrictions the readline feature is disabled in Debian. See BUGS.
You can use STDIO instead.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 47def13564)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mariadb is licensed under GPL-2.0, which is not license compatible with
modern readline (GPL-3.0+), so instead use the bundled older version
(GPL-2.0+ licensed) of readline instead.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 29cdf119f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
lvm2 is licensed under GPL-2.0, which is not license compatible with
readline (GPL-3.0+), so drop the optional dependency and add a comment
explaining why.
Notice: The readline support is only used when the raw lvm tool is called
without arguments.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit be72d8c9e6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The tarball unfortunately does not include a dedicated license file, so
instead use the main source file for the setkey command.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2dff01f24b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
chrony is licensed under GPL-2.0, which is not license compatible with
readline (GPL-3.0+), so remove the optional readline handling and replace
with libedit instead.
While we are at it, also explicitly disable the libedit backend when not
available.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit baadfbcc02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dropwatch links with readline, which is GPL-3.0+, so not compatible with
GPL-2.0. When asked about this, upstream has clarified that the license
really is GPL-2.0+:
https://github.com/nhorman/dropwatch/issues/14
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: add a comment as suggested by Baruch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Baruch Siach <baruch@tkos.co.il>
(cherry picked from commit c074fade2c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While the core connman code is licensed under GPL-2.0, the client code is
GPL-2.0+ for compatibility with readline (which is GPL-3.0+).
Extend the _LICENSE with this info to clarify that linking against
readline is OK licensing wise.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7d0ee8b4b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
ninja depends on python3 specifically, but the configure.py file
simply uses "env python". Where no python is selected for the target
you simply won't get a python symlink in $(HOST_DIR)/usr/bin, so the
configure.py script fails to run since it can't find "python".
Notice that in order to reproduce the issue, you must not have
python2 installed on your host machine.
Signed-off-by: Avi Shukron <avraham.shukron@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f31cd33cef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build can sometimes fail on:
src/svgtiny.c:21:10: fatal error: autogenerated_colors.c: No such file or directory
#include "autogenerated_colors.c"
^~~~~~~~~~~~~~~~~~~~~~~~
because svgtiny.c does not properly depend on autogenerated_colors.c
that is built by gperf. So, just disable parallel build instead of
trying to fix this issue especially because libsvgtiny uses the netsurf
buildsystem.
Fixes:
- http://autobuild.buildroot.org/results/48e7a7f7c72634d59cca817778d31661bfe8e72f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 26d67a2599)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit fixes a number of small minor details in the jailhouse
Config.in file:
- The Config.in comment is in the middle of the main
BR2_PACKAGE_JAILHOUSE option and its sub-options, causing the
sub-options to not be indented properly in menuconfig
- jailhouse was capitalized as Jailhouse, while all Buildroot
packages in menuconfig use small letters, so use "jailhouse"
everywhere
- no need to repeat "jailhouse" in the prompt of the sub-option for
helper scripts, since it is not properly indented under the main
jailhouse option. Ditto in the comment when python is disabled.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
- further drop 'jailhouse' from the helper scripts comment when
python is not enabled
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a1fddd832e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Thomas: cherry-picked to master as it fixes a build issue with the
musl C library:
output/build/libressl-2.9.2/crypto/compat/getprogname_linux.c: In function ‘getprogname’:
output/build/libressl-2.9.2/crypto/compat/getprogname_linux.c:32:2: error: #error "Cannot emulate getprogname"
#error "Cannot emulate getprogname"]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 26f42106e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commits 495e757d2 (package/dtc: add optional libyaml dependency) and
e43d9072a (package/dtc: fix build without libyaml), added a conditional
dependency to host-pkgconf, when libyaml is enabled, while commit
56d6dd453 (package/dtc: disable valgrind) explicitly disabled support of
valgrind.
However, presence of libyaml, as well as that of valgrind, *is* detected
by calling pkg-config:
NO_VALGRIND := $(shell $(PKG_CONFIG) --exists valgrind; echo $$?)
NO_YAML := $(shell $(PKG_CONFIG) --exists yaml-0.1; echo $$?)
Passing NO_YAML=1 or NO_VALGRIND=1 does not prevent the tests from being
executed, which would yield messages like:
/bin/sh: 1: /home/ymorin/dev/buildroot/O/host/bin/pkg-config: not found
(note however that, even if the test is executed, the value we pass on
the command line still takes precedence, and the support for either is
properly disabled.)
So, move the dependency on host-pkgconfig out of the condition. Ditto
for the host package.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Cc: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 78b77a5c4a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When a package specifies extra downloads, it has the option to only name
the basename of the extra download, in which case that extra download
will be retrieved from the same location the main download is retrieved
from.
In that case, if the extra download contains a '+', it would confuse the
dl-wrapper, which believes the LHS of the '+' is the site method, and
the RHS the actual URI, and so the dl-wrapper mangles and damages the
URI when fetching such extra downloads, like that happens with android
tools, where the proper URI and mangled URIs of the extra download are,
respectively:
https://launchpad.net/ubuntu/+archive/primary/+files/android-tools_4.2.2+git20130218-3ubuntu41.debian.tar.gz
http://archive/primary/+files/android-tools_4.2.2+git20130218-3ubuntu41.debian.tar.gz
We fix that by always propagating the site method to extra downloads,
but only when they are specified as relative to the main download URI.
For the extra downloads that specify a full URI, it is not systematic
that it is the same site method. For example, a main download could be a
git clone, but an extra download a pure http download; in that case we
can't replicate the site method for extra downloads, so they'll have to
take appropriate care to specify the required method and encoding if
needed.
Reported-by: Jemy Zhang <jemy.zhang@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Jemy Zhang <jemy.zhang@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2c543b4f4c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
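The '+' ambiguity described in the commit message above, reproduced as an added example (not part of the commit and not Buildroot's dl-wrapper code). It assumes an entry of the form `<method>+<uri>` that is split at the first '+'; the function names and the `wget` method value are chosen for illustration.

```shell
#!/bin/sh
# Added illustration: a constructed sketch, not Buildroot's dl-wrapper code.
# Assumption: an entry is "<method>+<uri>" and is split at the first '+'.

# Sample values constructed from the URI quoted in the commit message.
MAIN_SITE='https://launchpad.net/ubuntu/+archive/primary/+files'
EXTRA='android-tools_4.2.2+git20130218-3ubuntu41.debian.tar.gz'

# Left-hand side of the first '+': what the parser takes as the site method.
entry_method() { printf '%s\n' "${1%%+*}"; }

# Right-hand side of the first '+': what the parser takes as the URI.
entry_uri() { printf '%s\n' "${1#*+}"; }

# Before the fix: a relative extra download is joined to the main site and
# passed on with no method prefix, so a '+' inside the URI becomes the split.
relative_extra_unprefixed() { printf '%s/%s\n' "$1" "$2"; }

# After the fix: the main download's method is propagated, so the first '+'
# in the entry is always the separator and the URI survives untouched.
relative_extra_prefixed() { printf '%s+%s/%s\n' "$1" "$2" "$3"; }

# Defensive check: accept an entry only when it contains a '+' and the text
# before it looks like a bare method name (no ':' or '/' from a URI).
has_explicit_method() {
    case "$1" in
        *+*) ;;
        *) return 1 ;;
    esac
    case "${1%%+*}" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

demo() {
    bad="$(relative_extra_unprefixed "$MAIN_SITE" "$EXTRA")"
    good="$(relative_extra_prefixed wget "$MAIN_SITE" "$EXTRA")"
    for entry in "$bad" "$good"; do
        if has_explicit_method "$entry"; then verdict=accepted; else verdict=rejected; fi
        printf 'entry:  %s\n' "$entry"
        printf 'method: %s\n' "$(entry_method "$entry")"
        printf 'uri:    %s\n' "$(entry_uri "$entry")"
        printf 'check:  %s\n\n' "$verdict"
    done
}

demo
```

The unprefixed entry yields a URI starting at `archive/primary/...`, the same tail as the mangled URI quoted in the commit message, while the prefixed entry keeps the full launchpad.net URI.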
The name of the option to enable/disable support for pulseaudio has been
in flux in FreeRDP, sometimes being WITH_PULSE, sometimes being the
erroneous WITH_PULSEAUDIO. Eventually, FreeRDP came to their feet, and
fixed it to WITH_PULSE everywhere.
Signed-off-by: Alexey Lukyanchuk <skif@skif-web.ru>
[yann.morin.1998@free.fr:
- remove useless (obsolete) WITH_PULSEAUDIO
- fix the else clause too
- enhance commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 807495a885)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The current URL from which we download the yaffs2utils tarball no
longer works:
-2019-11-02 10:17:20-- https://yaffs2utils.googlecode.com/files/0.2.9.tar.gz
Resolving yaffs2utils.googlecode.com (yaffs2utils.googlecode.com)... 2a00:1450:400c:c02::52, 173.194.76.82
Connecting to yaffs2utils.googlecode.com (yaffs2utils.googlecode.com)|2a00:1450:400c:c02::52|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2019-11-02 10:17:20 ERROR 404: Not Found.
So, let's replace it with a working URL.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 41f4c85dd0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
eudev and systemd provide a hardware database (hwdb) as a set of
multiple files. Various other utilities may also use that database.
Those files have to be "compiled" into a binary to be useful; libudev
(and thus all utilities based on it) only use the compiled hwdb.
Compiling the hwdb is done with udevadm, using the hwdb sub-command:
udevadm hwdb --update
Provide a simple host-variant of eudev, so that we can call udevadm at
build time.
When it is configured, eudev will shoehorn its --prefix path as the base
location where the .hwdb file will be searched from, as well as where
the hwdb.bin will be generated in. This means that with the usual
--prefix=$(HOST_DIR), it would look into there.
udevadm also accepts a --root=/path option at runtime, which prepends
/path to all the paths it uses to find and generate files.
Obviously, combining --root=$(TARGET_DIR) and --prefix=$(HOST_DIR) would
not do what we want: all files would be searched for, and generated, in
$(HOST_DIR)$(TARGET_DIR)/ . Avoiding use of --root would not help much
either, as files would still be searched in $(HOST_DIR) (we could use a
trick to copy files there, generate and then move the hwdb.bin, but
that's not nice).
However, since we only need udevadm, and since udevadm has no internal
and no external dependency, we can use a less dirty trick and configure
host-eudev with --prefix=/usr (and similar for the other paths), manually
copy udevadm to HOST_DIR, and then use --root when calling it.
Then, we get a udevadm that can read files from, and generate files into
$(TARGET_DIR). We register a target-finalize hook to generate the
hwdb.bin, so that any package may install its .hwdb files (currently only
eudev and systemd do, but other packages might (e.g. sane is known to do
so on standard desktop distros)).
The *.hwdb source files consume a lot of space, roughly the same as the
generated database, i.e. ~8MiB as of today, and they are totally useless
on the target; only the generated hwdb.bin is useful. So we want to get
rid of them.
However, we also want to be able to complete a build (e.g. make
foo-reinstall to reinstall more hwdb files), so we don't want to
irremediably lose them. As such, we register a pre-rootfs-cmd hook, that
removes them just before assembling the filesystems, when we're only
using a copy of the target directory.
Note that this is the first host package to register a target-finalize
hook, and also the first to register a pre-rootfs-cmd hook. This avoids
duplicating these hooks' logic in both eudev and systemd.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c2fee90943)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The indirect dependency through kmod was not tracked.
Detected with randconfig.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0c768dbbd9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The indirect dependency via python-cryptography was not set in the
Config.in.
Detected with randconfig.
And propagate this to the reverse dependencies.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Peter: also propagate to the reverse dependencies]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a0e9caf40d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
fakeroot can be built to either use SYSV IPC or TCP for message passing.
A bug was discovered where Microsoft Windows 10 Services for Linux
doesn't include support for SYSV IPC MsgQ. This patch adds support to
detect this case and automatically build fakeroot to use the TCP
transport instead (It is assumed a TCP transport would definitely have
more overhead than MsgQs so the default wasn't changed to TCP).
Fixes
https://bugs.busybox.net/show_bug.cgi?id=11366
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Jean-Francois Doyon <jfdoyon@gmail.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[Arnout: use a post-patch hook and AUTORECONF=YES]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit fd1bcce989)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when
rendering the document page as HTML. (Contributed by Dong-hee Na in
bpo-38243.)
- bpo-38174: Update vendorized expat library version to 2.2.8, which
resolves CVE-2019-15903.
- bpo-37764: Fixes email._header_value_parser.get_unstructured going into an
infinite loop for a specific case in which the email header does not have
trailing whitespace, and the case in which it contains an invalid encoded
word. Patch by Ashwin Ramaswami.
- bpo-37461: Fix an infinite loop when parsing specially crafted email
headers. Patch by Abhilash Raj.
- bpo-34155: Fix parsing of invalid email addresses with more than one @
(e.g. a@b@c.com.) to not return the part before 2nd @ as valid email
address. Patch by maxking & jpic.
Additionally, the release contains a number of non-security related fixes.
For details, see the changelog:
https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-5-final
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
iconv.h is always included by mz_os_posix.c so select
BR2_PACKAGE_LIBICONV if !BR2_ENABLE_LOCALE
Fixes:
- No autobuilder failures
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 19806dab03)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>