sqlite3 refuses to be built with -ffast-math (a side effect of -Ofast) when it
falls back to implementing its own isnan() function.
sqlite3.c: In function ‘sqlite3IsNaN’:
sqlite3.c:28554:3: error: #error SQLite will not work correctly with the -ffast-math option of GCC.
To work around this, when -Ofast is used replace with -O3.
Signed-off-by: Joshua Henderson <joshua.henderson@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 83781f11dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Just like the target acpica package needs host-flex and host-bison,
the host variant also needs the same dependencies. This allows to fix
the build of "make host-acpica", which was detected thanks to
per-package directory support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8681430628)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit aa556e2035
("utils/genrandconfig: test with BR2_OPTIMIZE_2=y"), we are doing
builds at -O2 instead of -Os. This has unveiled an issue in the
strsep.c file:
strsep.c:65:23: error: register name not specified for 'delim'
register const char *delim;
This strsep.c compatibility code is compiled in if HAVE_STRSEP is not
defined, but dhcpdump does not use any kind of configure script to
detect the availability of strsep(). Therefore by default, it gets
compiled in, and the "register" specifier used for some variable
declarations in strsep.c cause build issues at -O2.
A previous commit in Buildroot from
c2a7f0d605 ("dhcpdump: Fix strsep()
feature test"), attempted to fix this problem by changing the test on
HAVE_STRSEP by a test on _BSD_SOURCE.
Unfortunately, _BSD_SOURCE is not meant to be tested: it's a feature
macro that is meant to be *defined* by some code to tell the C library
headers to expose (or not) some given functionality.
So instead, we basically revert commit
c2a7f0d605 by dropping the patch, and
pass -DHAVE_STRSEP in the CFLAGS when building dhcpdump.
Fixes:
http://autobuild.buildroot.net/results/7231170d3d3e3637f02382c1a0a96009b0527618/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 136c8862cf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building a minimal defconfig such as:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-2018.05.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_4_9=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_1=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XAPP_RGB=y
by running "make xapp_rgb" gives the following build failure:
checking for RGB... configure: error: in `/home/test/buildroot/output/build/xapp_rgb-1.0.6':
configure: error: The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.
Alternatively, you may set the environment variables RGB_CFLAGS
and RGB_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
The configure script uses pkg-config, but host-pkgconf is missing in
the list of dependencies.
This issue was detected thanks to per-package directory support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 401b7b94a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the release notes:
If per_listener_settings is set to true, then the acl_file setting was
ignored for the "default listener" only. This has been fixed. This does
not affect any listeners defined with the listener option.
https://mosquitto.org/blog/2018/12/version-155-released/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 726be29277)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-1160: Netatalk before 3.1.12 is vulnerable to an out of
bounds write in dsi_opensess.c. This is due to lack of bounds checking on
attacker controlled data. A remote unauthenticated attacker can leverage
this vulnerability to achieve arbitrary code execution.
For more details, see the release notes:
http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8aaf05916c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
shairport-sync creates its pidfile at /var/run/shairport-sync/, so pass
that path to start-stop-daemon in the stop operation.
Also pass the executable path, allowing start-stop-daemon to check if
the PID matches the shairport-sync process, preventing killing some
other inocent daemon.
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=11566
Reported-by: Bin Zhang <yangtze31@gmail.com>
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6568b93929)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade
There is a stack overflow vulnerability in the res_http_websocket.so module of
Asterisk that allows an attacker to crash Asterisk via a specially crafted
HTTP request to upgrade the connection to a websocket. The attacker’s
request causes Asterisk to run out of stack space and crash.
For more details, see the announcement:
https://www.asterisk.org/downloads/asterisk-news/asterisk-13231-1478-1561-and-1321-cert3-now-available-security-release
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: mark as security fix, extend commit message]
(cherry picked from commit 19b64c2286)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a bug introduced in 2.20.0 with unintended Authorization header
stripping for redirects using default ports (http/80, https/443).
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 745132abc0)
[Peter: mention fix from 2.20.0]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-18074: The Requests package before 2.20.0 for Python sends an
HTTP Authorization header to an http URI upon receiving a same-hostname
https-to-http redirect, which makes it easier for remote attackers to
discover credentials by sniffing the network.
LICENSE update: replaced http address with https.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 42bebd1e7c)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.9.1 (released 2017/10/04) includes two security fixes.
go1.9.2 (released 2017/10/25) includes fixes to the compiler, linker,
runtime, documentation, go command, and the crypto/x509, database/sql, log,
and net/smtp packages. It includes a fix to a bug introduced in Go 1.9.1
that broke go get of non-Git repositories under certain conditions.
go1.9.3 (released 2018/01/22) includes fixes to the compiler, runtime, and
the database/sql, math/big, net/http, and net/url packages.
go1.9.4 (released 2018/02/07) includes a security fix to “go get”.
go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command,
and net/http/pprof package.
go1.9.6 (released 2018/05/01) includes fixes to the compiler and go command.
go1.9.7 (released 2018/06/05) includes fixes to the go command, and the
crypto/x509, and strings packages. In particular, it adds minimal support
to the go command for the vgo transition.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
luvi fails to run when it was build with CMake 3.12+:
```
[string "return require('init')(...)"]:1: module 'init' not found:
no field package.preload['init']
no file './init.lua'
no file '/usr/share/luajit-2.0.5/init.lua'
no file '/usr/local/share/lua/5.1/init.lua'
no file '/usr/local/share/lua/5.1/init/init.lua'
no file '/usr/share/lua/5.1/init.lua'
no file '/usr/share/lua/5.1/init/init.lua'
no file './init.so'
no file '/usr/local/lib/lua/5.1/init.so'
no file '/usr/lib/lua/5.1/init.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
```
Looking at link.txt for the luvi executable shows that `-rdynamic` is
not set anymore in CMake 3.12. This has the effect, that symbols are
missing in the `.dynsym` section in the binary.
The patch, sets `ENABLE_EXPORTS` to true in CMakeLists.txt to force setting
`-rdynamic` explicitly.
Upstream status: b8781653dcb8815a3019a77baf4f3b7f7a255ebe
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56d2ac54dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE identifiers: CVE-2018-4437,
CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, and
CVE-2018-4464. Additionally, it fixes a couple of build failures in
unusual build configurations.
Release notes can be found in the announcement:
https://webkitgtk.org/2018/12/13/webkitgtk2.22.5-released.html
More details on the issues covered by security fixes can be found
in the corresponding security advisory:
https://webkitgtk.org/security/WSA-2018-0009.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6bbfaf1d40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update to version 2018.11 to resolve the following build failure:
corelib/channel_curl.c: In function ‘channel_map_curl_error’:
corelib/channel_curl.c:298:2: error: duplicate case value
case CURLE_SSL_CACERT:
^
corelib/channel_curl.c:297:2: error: previously used here
case CURLE_PEER_FAILED_VERIFICATION:
^
when building with CONFIG_DOWNLOAD=y. This issue is happening since
the libcurl bump to 7.62.0.
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1040b18634)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove upstream patches:
* 0001-compat.h-introduce-compatibility-header.patch
* 0002-Fix-build-if-DOWNLOAD-is-set-but-no-JSON.patch
Update note about bundled modified version of mongoose 6.11.
Update licenses. Some files are LGPL-2.1+ now. Remove Public Domain as the
relevant bundled sqlite3 code was removed some time age.
Regenerated the .config file by doing:
```
make swupdate-menuconfig
make swupdate-update-config
```
.. and removing the paths for the build options manually.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 26184c2815)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
1.15.7 contains a number of bugfixes. From the changes file:
*) Bugfix: memory leak on errors during reconfiguration.
*) Bugfix: in the $upstream_response_time, $upstream_connect_time, and
$upstream_header_time variables.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used on 32-bit platforms.
https://nginx.org/en/CHANGES
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bc60c57f69)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libgpgme installs a gpgme-config script, it should be tweaked using
the <pkg>_CONFIG_SCRIPTS mechanism. This is generally useful and is
going to be particularly important with per-package directories.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3df53aa11d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Definitions of POLLWRNORM, POLLWRBAND and POLLREMOVE in xtensa linux
kernel are non-standard. Provide bits/poll.h with correct values for
these constants for uclibc-ng.
This fixes the following strace build errors:
In file included from xlat/pollflags.h:4:0,
from poll.c:34:
./static_assert.h:40:24: error: static assertion failed: "POLLWRBAND != 0x0100"
# define static_assert _Static_assert
^
xlat/pollflags.h:75:1: note: in expansion of macro ‘static_assert’
static_assert((POLLWRBAND) == (0x0100), "POLLWRBAND != 0x0100");
^~~~~~~~~~~~~
./static_assert.h:40:24: error: static assertion failed: "POLLREMOVE != 0x0800"
# define static_assert _Static_assert
^
xlat/pollflags.h:117:1: note: in expansion of macro ‘static_assert’
static_assert((POLLREMOVE) == (0x0800), "POLLREMOVE != 0x0800");
^~~~~~~~~~~~~
Fixes:
http://autobuild.buildroot.net/results/5a0112b7a2c81fa5253c9adc93efe415256cd811
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 95f11fb25d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When one of BR2_PACKAGE_FFTW_PRECISION_* is enabled, liquid-dsp links
against fftw3f, fftw3 or fftw3l, but forgets to add the fftw package
in its dependencies. It works fine in practice because "fftw" is
before "liquid-dsp" in the alphabetic ordering, but building with
"make liquid-dsp" or with per-package directory causes a build
failure.
Fix that by adding the missing dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Reviewed-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2517fa73ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The sdl2_net configure script uses pkg-config to finx sdl2. If it
doesn't find pkg-config, it tries to locate sdl2-config, and defaults
to /usr/bin/sdl2-config, which causes the build to fail with:
arm-linux-gcc: ERROR: unsafe header/library path used in cross-compilation: '-I/usr/include/SDL2'
Fix this by adding host-pkgconf to the dependencies of sdl2_net. We
could have added the right autoconf cache variable to tell the
configure script where sdl2-config is located, but since pkg-config is
tried first, let's use that.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c2a1bcb1b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Just like the build of the target wine, the build of host wine also
needs bison and flex, otherwise the build fails with:
checking for flex... no
configure: error: no suitable flex found. Please install the 'flex' package.
(and similarly for bison once host-flex is provided)
This was detected using per-package directories. It used to "work"
because host-wine comes alphabetically after host-flex and host-bison,
which are dependencies of target wine.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e4d153b16a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
multiplication (CVE-2018-5407)
For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0de2c9c76c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
as used in imap_open() in PHP and other products, launches an rsh command
(by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
function in osdep/unix/tcp_unix.c) without preventing argument injection,
which might allow remote attackers to execute arbitrary OS commands if the
IMAP server name is untrusted input (e.g., entered by a user of a web
application) and if rsh has been replaced by a program with different
argument semantics. For example, if rsh is a link to ssh (as seen on Debian
and Ubuntu systems), then the attack can use an IMAP server name containing
a "-oProxyCommand" argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1af5232138)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The logic to ensure at least one compression backend is selected was not
updated when lz4, xz and zstd were introduced - Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
[Peter: add comment as suggested by Peter Seiderer]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84aeb4419f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported in bug #11426, the ppsfind shell script uses /bin/bash,
but the Buildroot pps-tools package doesn't depend on bash. In fact,
upstream has fixed the problem, and the script can now be used with a
POSIX shell, and the shebang is /bin/sh.
This commit therefore bumps pps-tools to the latest upstream commit,
which is precisely this fix.
Fixes bug #11426.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5c89726d9f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Lynx configure script uses pkg-config when available:
checking for nios2-buildroot-linux-gnu-pkg-config... /home/thomas/projets/buildroot/output/host/bin/pkg-config
checking pkg-config for openssl... yes
[...]
checking pkg-config for ncurses... yes
Using pkg-config avoids build failures such as:
checking for _nc_freeall... no
configure: error: Configuration does not support color-styles
make: *** [/home/test/autobuild/run/instance-1/output/build/lynx-2.8.9rel.1/.stamp_configured] Error 1
When building with "make lynx", so that pkg-config is not built
before. The issue is that in this case, lynx configure script picks up
the ncurses6-config script for the host ncurses instead of the one in
staging. Using pkg-config solves that nicely.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67ee7f9eb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libcurl doesn't find any trust path for CA certs when it cross-compiles.
When using OpenSSL, it is explicitly configured to use the SSL cert
directory with OpenSSL style hash files in it. But with GnuTLS, it gets
nothing.
Rather than configure libcurl to use the OpenSSL directory or a bundle
file, configure it to use the GnuTLS default. This way the CA certs
path can be configured in one place (gnutls) and then libcurl and anyone
else who uses gnutls can default to that.
Also, when libcurl with gnutls is configured to use a directory, it ends
up loading each cert three times.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 43b4d3ae45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gnutls is building with no default location to look for CA certs. Since
there are buildroot packages to provide these, configure it to use them
by default.
Configure gnutls to find them using the bundle file which contains all
certs, rather than looking in the cert directory. When gnutls is told
to use the directory, it loads *every* file in it. This means it loads
the bundle with all certs, then loads each cert a second time using the
individual pem files, and then loads them all the third time via the
hash symlinks to the pem files.
When p11-kit is enabled, use its trust module instead of the bundle
file. p11-kit can be configured to use the bundle (the default), but it
can do other things too, such as integrate with the "trust" command for
adding and removing trust anchors.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 379306e8f2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
fstatfs/statfs on aarch64 seems broken, add a patch from uClibc-ng
upstream git to fix it.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2179ca4a61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
