Fixes CVE-2018-10933: authentication bypass vulnerability in the server
code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in
place of the SSH2_MSG_USERAUTH_REQUEST message which the server would
expect to initiate authentication, the attacker could successfully
authenticate without any credentials.
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Drop an upstream patch.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Config.in for glibc is a blind option and not part of the menu for
a user to select (the pkg is used for the Buildroot toolchain build),
however this patch adds the link for completeness of the pkg-stats
report and for future scripting which will generate xml updates of the
package's Common Product Enumeration (used for vunerability checking).
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When two Buildroot builds run in parallel, and they both happen to call
npm at roughly the same time, the two npm instances may conflict when
accessing the npm cache, which is by default ~/.npm
Although npm is supposed to lock access to the cache, it seems it does
sometimes fail to do so properly, bailling out in error, when it would
never ever crash at all when not running in parallel. We suspect that
the sequence leading to such failures are something like:
npm-1 npm-2
lock(retry=few, sleep=short) .
does-stuff() .
. lock(retry=few, sleep=short)
. # can't lock local cache
. download-module()
. # can't download
. exit(1)
unlock()
As per the docs [0], few = 10, short = 10. So if the first npm (npm-1)
takes more than 100s (which can happen behind slow links and/or big
modules that contain native code that is compiled), then the second npm
(npm-2) will bail out (the download would fail if there is no network
access, for example, and only local modules are used).
Point npm to use a per-build cache directory, so they no longer compete
across builds.
That would still need some care when we do top-level parallel builds,
though.
Note also that the conflicts are not totally eliminated: two or more npm
instances may still compete for some other resource that has not yet
been identified.
But, at least, the conflict window has been drastically shortened now,
to the point where it now seldom occurs.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit adjusts the mdadm package to also install the mdmon
utility, which is used to "monitor MD external metadata arrays". It
adds ~250 KB to the installed size:
-rwxr-xr-x 1 thomas thomas 446064 Oct 14 21:55 mdadm
-rwxr-xr-x 1 thomas thomas 244672 Oct 14 21:55 mdmon
Fixes bug #11376.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The upstream Makefile by default installs to /sbin but we override
that to install it in /usr/sbin. Since mdadm is a pretty core utility
for the boot process, it makes sense to comply with upstream's default
behavior, so we change mdadm.mk to install mdadm in /sbin. This also
removes the somewhat non-standard DESTDIR value.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is absolutely no reason for mdadm.mk to use autotools-package:
this package does not have any configure script at all, and its
Makefile is not generated using automake.
Therefore, convert it to use the generic-package
infrastructure. Compared to the previous code, we are now using
$(TARGET_CONFIGURE_OPTS), which passes our CPPFLAGS. This overrides
the CPPFLAGS from mdadm's Makefile, so we repeat the only CPPFLAGS
flag passed in the Makefile, -DBINDIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While Erlang includes a version of zlib, it's intended for Windows and
there's an expectation that non-Windows platforms provide it. It's also
not as regularly updated as the one in Buildroot. This change makes
Erlang always use a Buildroot-provided zlib.
Fixes this compile error:
CC /home/buildroot/autobuild/run/instance-0/output/build/erlang-21.0/erts/emulator/zlib/obj/x86_64-buildroot-linux-musl/opt/adler32.o
In file included from zlib/adler32.c:11:0:
zlib/zutil.h:172:39: error: "_LFS64_LARGEFILE" is not defined [-Werror=undef]
(!defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0)
^~~~~~~~~~~~~~~~
See http://autobuild.buildroot.net/results/fc633f80c7c36a90e641487f5a888fbb767c2a54/.
Signed-off-by: Frank Hunleth <fhunleth@troodon-software.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/005/00588d7cd37ba9620f01e970bf328540527558fc/http://autobuild.buildroot.net/results/2fc/2fc2d0111e467671ee4cec427234a9b2aada1cc9/
Linux 4.4 moved the NVME ioctl definitions from nvme.h to nvme_ioctl.h in
commit 9d99a8dda154 (nvme: move hardware structures out of the uapi version
of nvme.h), but nvme_ioctl.h was only exported to user space in 4.4.4 in
commit 7712c014b16f64d3 (uapi: update install list after nvme.h rename).
sedutil contains the needed logic to look at either nvme.h or nvme_ioctl.h,
but as the ioctl definitions are not exported in 4.4..4.4.3, it fails to
build.
The MIPS Codesourcery toolchain uses 4.4.1 kernel headers, so disable the
sedutil package if this toolchain is used.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Clarify OCB license details, and add Doc/LEGAL/COPYRIGHT.pycrypto
to the license files list.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump to version 1.31.4 which is the first version including the fix for
glibc 2.28 issue with major/minor:
3424bef7ef
Do not bump to latest version of gvfs as:
- this is a major rework: autotools has been dropped in favor of meson
- it requires libglib in version 2.57.1 and we have currently 2.56.1
Also:
- add hash for license file
- Remove --disable-bash-completion, no more option since 1.31.1:
2f28fa49cf
- Remove --disable-hal, dropped since 1.31.1:
ec9c45d7c7
Fixes:
- http://autobuild.buildroot.net/results/07fa7b0ad9ae0fa9c2e59d54e4d4c76ae4f26166
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 87d759ced5 (ntp: fix build for no-MMU) added a patch to make MMU
dependent code hidden behind HAVE_WORKING_FORK. It turns out that the
patch covers too much code. When libcap is enabled we pass
--enable-linuxcaps, which in turn enables HAVE_DROPROOT. This adds calls
to code that is covered by HAVE_WORKING_FORK.
Update the no-MMU fix so that HAVE_WORKING_FORK only covers the no-MMU
incompatible routine.
Fixes:
http://autobuild.buildroot.net/results/c5c/c5cf28bb969fec7c07864cdd094dedfa4d5439d2/
Cc: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For some reason, ustr installs its own source code, which means we end
up with 448 KB of source code in /usr/share in the target filesystem:
$ tree output/target/usr/share/
output/target/usr/share/
└── ustr-1.0.4
├── malloc-check.h
├── ustr-b-code.h
├── ustr-b-dbg-code.c
├── ustr-b-opt-code.c
├── ustr-cmp-code.h
├── ustr-cmp-dbg-code.c
├── ustr-cmp-internal.h
├── ustr-cmp-opt-code.c
├── ustr-cntl-code.h
├── ustr-fmt-code.h
├── ustr-fmt-dbg-code.c
├── ustr-fmt-internal.h
[...]
$ du -sh output/target/usr/share/ustr-1.0.4/
448K output/target/usr/share/ustr-1.0.4/
So let's drop this source code in a post-install target hook.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Remove patch (already in version), see:
e15f61e5d2
- Add hash for license file
- Drop -L from PYTHONLIBDIR, which is now really used as a path, and
not as flags.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Remove first patch (already in version):
f8532f1773
- Update second and third patch
- For target variant, set SHLIBDIR=/usr/lib because by default it is set
to /lib and LIBDIR is set to $(PREFIX)/lib (with PREFIX=/usr)
- For host variant, set SHLIBDIR=$(HOST_DIR)/lib otherwise shared
library will be installed in /lib (PREFIX is not used to install
shared library)
- Add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Remove second patch (already in version), see
b24980ec07
- Update third patch
- For target variant, set SHLIBDIR=/usr/lib because by default it is set
to /lib and LIBDIR is set to $(PREFIX)/lib (with PREFIX=/usr)
- For host variant, set SHLIBDIR=$(HOST_DIR)/lib otherwise shared
library will be installed in /lib (PREFIX is not used to install
shared library)
- Add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop GNU glob detection patch; issue fixed upstream.
Add upstream patch that completes the build fix when GNU glob is not
present.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
