Commit Graph

42181 Commits

Author SHA1 Message Date
Thomas Petazzoni
f8d6c8b8eb freetype: drop calling autogen, no longer needed
In commit a31a66802a ("freetype:
security bump to version 2.5.3"), the freetype package was changed to
call ./autogen.sh to regenerate the autotools stuff, because the
ltmain.sh provided by upstream freetype was not compatible with
Buildroot libtool-patching logic.

Since then, freetype has been bumped several times, and the current
version packaged in Buildroot has an ltmain.sh that is compatible with
our libtool-patching logic.

Therefore, this commit drops the no longer needed autogen stuff.

This autogen stuff was badly breaking per-package host/target
directory, because the autogen happened at the post-patch hook step,
at which point the host-automake/host-autoconf/host-libtool
dependencies have not yet been copied into this package host
directory.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 88c6329521)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 12:39:45 +02:00
Fabrice Fontaine
06dd8b3695 nmap: use system liblinear
Use system liblinear instead of using included liblinear.
liblinear in buildroot is at version 2.20 released in December 2017
whereas liblinear in nmap has not been updated for 7 years (except for
liblinear.vcxproj which was updated 2 years ago)

Do not use --with-liblinear option as otherwise nmap will forget to add
-llinear to LIBS due to the following line in configure.ac:

if test $have_liblinear != yes; then
  AC_CHECK_HEADERS([linear.h],
    AC_CHECK_LIB(linear, predict, [have_liblinear=yes; LIBLINEAR_LIBS="-llinear"; break],, [-lm])
)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c0d9ba562c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 12:27:48 +02:00
Yegor Yefremov
c178e735f3 scanpypi: improve BSD licence handling
When used without spdx_lookup the BSD licence cannot be
detected correctly because many Python packages just specify
BSD without the exact version in their metadata. So add a
special message warning the user instead of the licence id.

Bonus: fix typo.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d05e41eb1a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:08:11 +02:00
Baruch Siach
eb10a0ca41 ntp: fix build without libcap and no threads
When threads support is missing the ntp build system builds the
work_fork code. This code added a call to set_user_group_ids() that is
under HAVE_DROPROOT, which is disabled when libcap is not built.

Add a patch fixing that.

Fixes:
http://autobuild.buildroot.net/results/ab9/ab9ceff1151b8b5e6b9fa77d39c0f9b0cac1a080/

Cc: Artyom Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 13dcc69a39)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:03:13 +02:00
Baruch Siach
36b53c9851 ntp: fix build for no-MMU with libcap
Commit 87d759ced5 (ntp: fix build for no-MMU) added a patch to make MMU
dependent code hidden behind HAVE_WORKING_FORK. It turns out that the
patch covers too much code. When libcap is enabled we pass
--enable-linuxcaps, which in turn enables HAVE_DROPROOT. This adds calls
to code that is covered by HAVE_WORKING_FORK.

Update the no-MMU fix so that HAVE_WORKING_FORK only covers the no-MMU
incompatible routine.

Fixes:
http://autobuild.buildroot.net/results/c5c/c5cf28bb969fec7c07864cdd094dedfa4d5439d2/

Cc: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7cf152852d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:03:02 +02:00
Baruch Siach
7f825acb35 ntp: fix build for no-MMU
Code rearrangement in the latest ntp version exposed code that used to be
hidden behind HAVE_WORKING_FORK. Put this code back where it belongs.

Fixes:
http://autobuild.buildroot.net/results/9f4/9f4710b451df1a60f95ab6503cfb7788ad998a65/
http://autobuild.buildroot.net/results/d0b/d0b20a6c0f37a8b06841afc2764c8aab6ffd27d2/
http://autobuild.buildroot.net/results/85c/85c89f5e9d36915567b8d14b9c99e3720c866577/

Cc: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 87d759ced5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:02:52 +02:00
Artyom Panfilov
92b391c9df package/ntp: fix md5sum.
Signed-off-by: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f3c6452729)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:02:40 +02:00
Artyom Panfilov
2e846a6e47 package/ntp: security bump to version 4.2.8p12
Release notes:
https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12

Fixed security issues:

  CVE-2016-1549 / CVE-2018-7170: Sybil vulnerability: ephemeral association
  attack

  CVE-2018-12327: The openhost() function used during command-line hostname
  processing by ntpq and ntpdc can write beyond its buffer limit

Signed-off-by: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf9344c45e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:02:21 +02:00
Fabrice Fontaine
b62302f778 jasper: update license
Add hash for license file and use SPDX short term identifier

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab666003e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 01:01:00 +02:00
Thomas Petazzoni
cdeb3300c0 ptpd2: fix patch 0002 so that it applies properly
The patch
0002-ntp_isc_md5-rename-EVP_MD_CTX-into-PTPD_EVP_MD_CTX.patch added in
commit 5b7bc560a5 ("ptpd2: fix build
failures due to EVP_MD_CTX conflict and U64 missing") was broken and
did not apply correctly.

This commit fixes the patch so that it applies properly.

Fixes:

  http://autobuild.buildroot.net/results/ffa28ee2cecc77d66d934fdb03e1f2014189e45b/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d60973af00)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 00:57:54 +02:00
Giulio Benetti
2f42003b3f ptpd2: fix build failures due to EVP_MD_CTX conflict and U64 missing
In src/dep/ntpengine/ntp_isc_md5.*, the typedef of EVP_MD_CTX
conflicts with a definition of the same type done by OpenSSL. This
issue is referenced at https://github.com/ptpd/ptpd/issues/54, and has
been fixed upstream in commit
838b985510.

In src/dep/snmp.c, U64 can be missing or conflicts with new perl as
reported at https://github.com/ptpd/ptpd/issues/25. This issue has
been fixed upstream in commit
1886522b50. This
commit is adapted to apply on the current version of ptpd2 we have in
Buildroot.

Fixes:
http://autobuild.buildroot.net/results/47b99a6de256bfc0f5a8ae1484bb34e93b407237/
http://autobuild.buildroot.net/results/08365fc559dda74640b9750358c82e84600a68ea/
http://autobuild.buildroot.net/results/9b41c513500c63a9890973a0f17ffdb84d44d580/
http://autobuild.buildroot.net/results/2ed79d01635c9a5e1018229dc6f4b7240a995b87/
http://autobuild.buildroot.net/results/6d1b7e191f573334115684b85165f2bc27d75d8f/
http://autobuild.buildroot.net/results/f54c6fd841b3ea77dc12048c81f3f2991b679252/
http://autobuild.buildroot.net/results/332bc77bcde0bef1b2fd7b9993409dd051c27cd6/
http://autobuild.buildroot.net/results/4b416edaec9528d75a82c9570b8f8297718ca62d/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5b7bc560a5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 00:57:45 +02:00
Yegor Yefremov
d89859866f poco: disable fpenvironment for soft floating point configuration
Many platforms don't provide all FPU features needed by Poco when
configured for soft floating point in their fenv.h header. So
disable fpenvironment for this configuration to avoid build breakage.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c735f39881)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-24 00:52:02 +02:00
Matt Weber
519edb3a79 package/setools: host variant needs host-python-enum34
The enum34 dependency is required for python2.7 for both the host and
target builds.  This patch adds the host dependency to match what is
already in place for the target.

The host build is used by the setools package seinfo tool offline for
host based policy analysis. The analysis is easiest performed offline
as the policy is checked for path/reachability, which is something
that occurs by taking the policy file and using debug libraries to
perform test cases.

Fixes the following runtime error:

$ ./output/host/bin/sesearch
Traceback (most recent call last):
[...]
  File "/home/test/buildroot/output/host/lib/python2.7/site-packages/setools-4.1.1-py2.7-linux-x86_64.egg/setools/policyrep/util.py", line 21, in <module>
    from enum import Enum
ImportError: No module named enum

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a5e4eddb84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-23 20:48:30 +02:00
Matt Weber
1c6d87e8a8 package/python-enum34: enable host build
This is initially used by the setools package to do offline
policy analysis using host tools.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3ec98f0564)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-23 20:48:24 +02:00
Peter Korsgaard
5ce7cfade2 tinc: security bump to version 1.0.35
Fixes the following security issues:

CVE-2018-16758: Michael Yonli discovered that tinc 1.0.34 and earlier allow
a man-in-the-middle attack that, even if the MITM cannot decrypt the traffic
sent between the two endpoints, when the MITM can correctly predict when an
ephemeral key exchange message is sent in a TCP connection between two
nodes, allows the MITM to force one node to send UDP packets in plaintext.
The tinc 1.1pre versions are not affected by this.

CVE-2018-16738: Michael Yonli discovered that tinc versions 1.0.30 to 1.0.34
allow an oracle attack, similar to CVE-2018-16737, but due to the
mitigations put in place for the Sweet32 attack in tinc 1.0.30, it now
requires a timing attack that has only a limited time to complete.  Tinc
1.1pre16 and earlier are also affected if there are nodes on the same VPN
that still use the legacy protocol from tinc version 1.0.x.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d0758184c0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-23 18:07:55 +02:00
Thomas Petazzoni
3030389839 ljlinenoise: fix upstream URL in Config.in
The current URL no longer exists, as detected by the new pkg-stats.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 05200ad014)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-23 18:06:17 +02:00
Romain Naour
f5644f596e package/binutils: remove binutils 2.27 patches
binutils 2.27 support was removed in commit
453d29f1f4.

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9861d487e1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 23:26:13 +02:00
Thomas Petazzoni
0a98905c88 support/testing: fix TestATFMarvell test case
This test case uses a too old U-Boot version, which is affected by the
infamous libfdt header conflict issue. We update U-Boot and ATF to
what is used in the current version of
solidrun_macchiatobin_mainline_defconfig, for which the problem no
longer exists.

Fixes:

  https://gitlab.com/buildroot.org/buildroot/-/jobs/107860312

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 22c2b27249)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 19:36:38 +02:00
Thomas Petazzoni
e373f8396f support/testing: fix TestATFAllwinner test case
This test case uses a too old U-Boot version, which is affected by the
infamous libfdt header conflict issue. Let's update to U-Boot 2017.11,
which is used by our current bananapi_m64_defconfig that was the
inspiration for this test case.

Fixes:

  https://gitlab.com/buildroot.org/buildroot/-/jobs/107860310

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2a63cea587)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 19:36:29 +02:00
Fabrice Fontaine
c5e98d9e99 nmap: update license
nmap is licensed under GPL-2.0 but with additional restrictions (see
COPYING, especially the "IMPORTANT NMAP LICENSE TERMS" part).

So, following the advice of Yann and Arnout (see
https://patchwork.ozlabs.org/patch/979081), set license to nmap license

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f6199d3654)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 14:54:28 +02:00
Fabrice Fontaine
8c390b86d0 leveldb: fix parallel build
Build of leveldb sometimes fails on:
Fatal error: can't create out-shared/db/db_bench.o: No such file or directory

Patch is not upstreamable as upstream switched to cmake

Fixes:
 - http://autobuild.buildroot.net/results/945bb8096c1f98f307161a6def5a9f7f25b2454a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit abba4e7012)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 14:51:52 +02:00
Peter Korsgaard
26109e34c3 file: explicitly disable libseccomp support for host
Fixes:
http://autobuild.buildroot.net/results/8a2/8a2ea2e4426416447705492237f526fc84b595d7/
http://autobuild.buildroot.net/results/a1f/a1f2369d31c2387efdec908877e0bcaa728b5aeb/

file-5.33 added optional seccomp support, but the filters did not cover all
needed syscalls, leading to errors when the freshly built host-file is
executed as part of the build on distributions with seccomp support (E.G.
Arch Linux):

checking for seccomp_init in -lseccomp... yes
..
../src/file -C -m magic
make[3]: *** [Makefile:764: magic.mgc] Bad system call

This has been fixed in file-5.34, but it anyway makes sense to explicitly
disable libseccomp support for consistency as we do not need it for the host
build.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a609f83296)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 14:50:10 +02:00
Peter Korsgaard
17f798d478 utils/get-developers: make it callable from elsewhere than the toplevel directory
get-developers tries to open DEVELOPERS in the current directory, so it
breaks when calling it from elsewhere than the toplevel Buildroot directory.

Traceback (most recent call last):
  File "../utils/get-developers", line 107, in <module>
    __main__()
  File "../utils/get-developers", line 26, in __main__
    devs = getdeveloperlib.parse_developers(os.path.dirname()
  File "/home/peko/source/buildroot/utils/getdeveloperlib.py", line 161, in parse_developers
    with open(os.path.join(basepath, "DEVELOPERS"), "r") as f:
IOError: [Errno 2] No such file or directory: '/home/peko/source/buildroot/output-foo/DEVELOPERS'

Fix it by instead figuring out where the DEVELOPERS file is relative to the
location of get-developers (E.G. one level up).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Arnout:
  - add realpath to support a symlinked get-developers script;
  - pass devs_dir argument to check_developers() to support -c in subdir;
  - convert basepath to absolute path to support -f option.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

(cherry picked from commit 62d5558f76)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 14:43:45 +02:00
Grégoire Delattre
de8e95f0b2 utils/get-developers: fix python 3.x compatibility
This fixes a syntax error introduced in bcf2ed5cc3.

Output before the patch:
    $ ./utils/get-developers outgoing/*
        File "./utils/get-developers", line 97
            print dev
                    ^
        SyntaxError: Missing parentheses in call to 'print'. Did you mean
        print(dev)?

Output after the patch:
    $ ./utils/get-developers outgoing/*
    git send-email --to buildroot@buildroot.org

Signed-off-by: Grégoire Delattre <gregoire.delattre@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8320ad3341)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 14:43:36 +02:00
Peter Korsgaard
fd5ec84f58 utils/get-developers: add -e flag to only list email addresses for git send-email
When called with a list of patches, get-developers prints the entire git
send-email invocation line:

./utils/get-developers 0001-git-security-bump-to-version-2.16.5.patch
git send-email --to buildroot@buildroot.org --cc "Matt Weber <matthew.weber@rockwellcollins.com>"

This may be handy when creating an entire patch series and editing a cover
letter, but it does mean that this has to be explicitly executed and
get-developers cannot be used directly by the --cc-cmd option of git
send-email to automatically CC affected developers.

So add an -e flag to only let get-developers print the email addresses of
the affected developers in the one-email-per-line format expected by git
send-email, similar to how get_maintainer.pl works in the Linux kernel.

With this and a suitable git configuration:

git config sendemail.to buildroot@buildroot.org
git config sendemail.ccCmd "$(pwd)/utils/get-developers -e"

You can simply do:

git send-email master

To automatically mail the buildroot list and CC affected developers on
patches.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bcf2ed5cc3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 14:43:19 +02:00
Peter Korsgaard
282c870f98 qemu: security bump to 2.12.1
From the release notes:

This update contains new mitigation functionality for CVE-2018-3639
(Speculative Store Bypass) in x86. There are also bug fixes for
migration, Intel IOMMU emulation, block layer/image handling, ARM
emulation, and various other areas.

https://www.mail-archive.com/qemu-devel@nongnu.org/msg553574.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b400c2ae0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 10:48:00 +02:00
Adam Duskett
4afedc3d7e qemu: bump to 2.12.0
In addition:
  - Update 0001-user-exec-fix-usage-of-mcontext-structure-on-ARM-uCl.patch
    with new line numbers and file location.
  - Remove upstream 0002-memfd-fix-configure-test.patch
  - Add new options found in 2.12.0 in qemu.mk as disabled.
  - Remove --with-system-pixman as it's no longer optional.

Tested with test-pkg:

./utils/test-pkg -p qemu -c configs/qemu_min_defconfig
                             br-arm-full [1/6]: OK
                  br-arm-cortex-a9-glibc [2/6]: OK
                   br-arm-cortex-m4-full [3/6]: SKIPPED
                          br-x86-64-musl [4/6]: OK
                      br-arm-full-static [5/6]: OK
                armv5-ctng-linux-gnueabi [6/6]: OK
6 builds, 1 skipped, 0 build failed, 0 legal-info failed

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 06e3957c16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-21 10:47:49 +02:00
Giulio Benetti
deb1c87ea0 netsnmp: improve linking avoiding useless -lz listing in shared build
In commit:
https://git.buildroot.net/buildroot/commit/?id=13722d58f77d0e9fea9eefc50bf083d19f835433
Patch "0003-configure-Invert-AC_CHECK_LIB-EVP_md5-.-without-lz-w.patch"
was intended to fix AC_CHECK_FUNCS() failure on openssl functions. This
was due to missing -lz during static linking.
But the patch is wrong and results in explicitly linking against -lz in
both shared and static build.
This makes no sense, since shared linking has transitive dependency so
it doesn't need to list -lz after -lssl, -lssl is enough.
Differently static linking needs -lz to be listed after -lssl.

So the real cause of previous build failure:
http://autobuild.buildroot.net/results/881/881139fb049738b16609d39ad5a49bd77ff6b4aa/
is that when AC_CHECK_FUNCS(), $LIBS variable is overwritten with
$LIBCRYPTO without taking into account previous $LIBS content (i.e. where
-lz is present). This results in AC_CHECK_FUNCS() to fail while trying to
statically link without listing -lz.

Then:
- Remove current "0003-configure-Invert-AC_CHECK_LIB-EVP_md5-.-without-lz-w.patch"
- Add patch "0003-configure-fix-AC_CHECK_FUNCS-EVP_sha224-EVP_sha384-..patch"
  where add $LIBS content to tail of new $LIBS variable like this:
  LIBS="$LIBCRYPTO $LIBS"
  NOTE: $LIBS is at the end to ensure static linking to work correctly.
- Add patch 0004-configure-fix-AC_CHECK_FUNCS-TLS_method-TLSv1_method.patch
  where add $LIBS content to tail of new $LIBS variable like this:
  LIBS="-lssl $LIBCRYPTO $LIBS"
  NOTE: $LIBS is at the end to ensure static linking to work correctly.

This way AC_CHECK_FUNCS(), when static linking, try to link with -lz too
appending it at the end of linking library list.
And after every AC_CHECK_FUNCS(), previously saved $LIBS variable gets
back to its original value(i.e. containing -lz if present) resulting in
having or not -lz appended to library list according to static or
shared build.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c5a7c287de)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-20 18:53:07 +02:00
Giulio Benetti
214be1c1ab netsnmp: fix static build failure due to missing -lssl and -lz
During configure some checking needing -lssl and -lz don't have them
appended to linker tail. Since we are building static this leads to
configure failure because of mandatory functions lack produces:
"configure: error: The DTLS based transports require the libssl library
from OpenSSL to be available and support DTLS"

- Add 1 patch to fix -lssl lack in configure and .ac modules:
upstreamed: bd59be8e4e/
- Add 2 patches to fix -lz lack in configure and .ac modules:
1 upstreamed: 13da2bcde8/
1 in Merge Request: https://sourceforge.net/p/net-snmp/code/merge-requests/19/
- Add NETSNMP_AUTORECONF = YES

Fixes:
http://autobuild.buildroot.net/results/ece/ece7af756c910f65f618c1d04a5de70cc574b5f4/
http://autobuild.buildroot.net/results/2a7/2a7020de6a4095cf9991d09fbe8f6e364783f63b/
http://autobuild.buildroot.net/results/e27/e2787d15f72949cbb347e8a1d344f5f80b4d7697/
http://autobuild.buildroot.net/results/439/4393ce8ddee294f91bdc3e6fb53e08d56fe52184/
http://autobuild.buildroot.net/results/da6/da6bbbbb3a8d8193ec1389b9d976164181e88ae2/
http://autobuild.buildroot.net/results/cf5/cf57686e7620cc0ec361631a9ff906aa0123fdb4/
http://autobuild.buildroot.net/results/104/1043a958314529240627005d1bf21a76f4e6fcf5/
http://autobuild.buildroot.net/results/885/8855545bd09388e0da451a3cb53b312e13b29c2c/
http://autobuild.buildroot.net/results/a3d/a3dab9618a7ed88f94597418a5892c87adc23c66/
http://autobuild.buildroot.net/results/18e/18e70b88c9bcb3b8ede7308e54bba9417d1fd3fb/
http://autobuild.buildroot.net/results/ee3/ee34f65f26da20c0f2fdb9e86bcbddd389f59a29/
http://autobuild.buildroot.net/results/a1e/a1eb848079080ddf7cf2fc9e554cdd63ade0e9aa/
http://autobuild.buildroot.net/results/4dc/4dc8b53ff9f504c0a3dfc2d72c2609ad4d34559b/
http://autobuild.buildroot.net/results/9cc/9cc19e481de20ea0b4b5163e45c5aee525b81229/
http://autobuild.buildroot.net/results/f15/f15c22e0257d7498456049d8aae195ed6a265d2e/
http://autobuild.buildroot.net/results/1b3/1b30f9813a4605056963bfe4532374f725830fda/
http://autobuild.buildroot.net/results/d02/d02afc174ac4c9888f0a2cf725820cc1f05fc4bf/
http://autobuild.buildroot.net/results/57b/57b3f4663058d728987ef848e4b346656cae21d4/
http://autobuild.buildroot.net/results/ed4/ed4c27bdffccc4374ab7f951c30baba8171d30e1/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 13722d58f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-20 18:52:21 +02:00
Bernd Kuhls
6ab5831614 package/netsnmp: security bump to version 5.8
Fixes CVE-2018-18065: _set_key in agent/helpers/table_container.c in
Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an
authenticated attacker to remotely cause the instance to crash via a crafted
UDP packet, resulting in Denial of Service.

For more details, see description and PoC:
https://dumpco.re/blog/net-snmp-5.7.3-remote-dos

Removed patch, applied upstream, autoreconf is not needed anymore.
Added sha256 hashes for tarball and license file.
Switched _SITE to https.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1fe32e8375)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-20 00:07:32 +02:00
Peter Korsgaard
74953365a6 git: security bump to version 2.16.5
Fixes CVE-2018-17456: RCE issue in handling of git submodules

For more details, see the announcement:
https://marc.info/?l=git&m=153875888916397&w=2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 063eff9bc6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-20 00:01:16 +02:00
Olivier Schonken
542da6ccff cups-filters: add autoreconf
Because we are patching Makefile.am, Makefile.am is newer than Makefile.in

Signed-off-by: Olivier Schonken <olivier.schonken@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-08 10:32:00 +02:00
Peter Korsgaard
5cb24d72b2 Update for 2018.08.1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018.08.1
2018-10-07 11:32:23 +02:00
Trent Piepho
2a228a83cd gnupg: drop mandatory dependency on ncurses
This package only needs ncurses when readline support is enabled, as
it's the autoconf macro file for readline (used by autoconf to create
the gnupg configure script) that checks for and pulls in ncurses.

Since readline already depends on ncurses, gnupg need only depend on
readline (when enabled).

The host package always forces readline support off, so the
host-ncurses dependency can be removed entirely.

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 51e17496cc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 22:36:08 +02:00
Fabrice Fontaine
ff6f868270 screen: fix parallel build
comm.h is needed to build list_display.o and list_generic.o otherwise
parallel builds will sometimes fail

Fixes:
 - http://autobuild.buildroot.org/results/43105f14857dbe72d8878fc7b3db67f7bdca93cc
 - http://autobuild.buildroot.org/results/47f4ecbec1355285633df287fc9c4e7cccde9378

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 72e6c20809)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 22:33:56 +02:00
Bernd Kuhls
1f6991999d package/clamav: security bump to 0.100.2
Fixes CVE-2018-15378, CVE-2018-14680, CVE-2018-14681 & CVE-2018-14682:
http://lists.clamav.net/pipermail/clamav-announce/2018/000033.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bbd6fb9c2d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 22:32:30 +02:00
Peter Korsgaard
a2ec66d59d python-django: bump version to 1.11.16
Fixes a race condition in QuerySet.update_or_create() that could result in
data loss:

https://code.djangoproject.com/ticket/29499

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit feb811f567)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 22:29:14 +02:00
Peter Korsgaard
8696365a76 links: fix X11 library/includes detection
Fixes:
http://autobuild.buildroot.net/results/4b0/4b02713ed5c10b58f390f96ea25f2a45c9a47af4/
http://autobuild.buildroot.net/results/ac6/ac668f867b9de7a2c61d263a894480afc181dd9b/
http://autobuild.buildroot.net/results/f02/f0248b3bf4a73210f210f422c8df067a6ea28aa1/

The configure script uses AC_PATH_X, which searches the host for the X11
libraries/headers, causing build failures.

https://www.gnu.org/software/autoconf/manual/autoconf-2.65/html_node/System-Services.html

Fix it by using --x-includes / --x-libraries like we do elsewhere.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 49a04acca3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 22:13:42 +02:00
Fabrice Fontaine
a624b5d2a4 x265: disable parallel build
It seems package has a parallel build issue on ARM cortex A8 or A9 since
at least version 2.5:

[ 94%] Linking CXX shared library libx265.so
ipfilter8.S.o: file not recognized: File truncated
collect2: error: ld returned 1 exit status
CMakeFiles/x265-shared.dir/build.make:221: recipe for target 'libx265.so.160' failed

Fixes:
 - http://autobuild.buildroot.org/results/f6ea88324a8f9ac8ee780ddd71ec61f922e20210
 - http://autobuild.buildroot.org/results/3bd91a5694936650ce936a408ddd50338f65f8b0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 03bfbc5ab2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 22:12:14 +02:00
Fabrice Fontaine
cea60ba7fe lua: fix dynamic library install
In 0002-shared-libs-for-lua.patch, revision number is used to set
library name:
TO_SOLIB = liblua.so.$(R)

However, library is built using PKG_VERSION which is passed only during
build step:
$(CC) -o $@.$(PKG_VERSION) -shared -Wl,-soname="$@.$(PKG_VERSION)" $?

As a result, dynamic library is not installed in staging or target paths
since bump to lua 5.3.5

So, instead of replacing R by PKG_VERSION and passing this variable in
all steps, simply update R to 5

Fixes:
 - http://autobuild.buildroot.net/results/28b6672188bb0082ac1467d3b45904880e3634f3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca287f2044)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 22:02:50 +02:00
Peter Korsgaard
c527917997 xen: security bump to version 4.10.2
Drop 0003-memfd-fix-configure-test.patch applied upstream.

The 4.10.2 version brings a large number of fixes:

https://xenproject.org/downloads/xen-archives/xen-project-410-series/xen-4102.html

Including a number of security fixes:

XSA-260: x86: mishandling of debug exceptions (CVE-2018-8897)
XSA-261: x86 vHPET interrupt injection errors (CVE-2018-10982)
XSA-262: qemu may drive Xen into unbounded loop (CVE-2018-10981)
XSA-263: Speculative Store Bypass (CVE-2018-3639)
XSA-264: preemption checks bypassed in x86 PV MM handling (CVE-2018-12891)
XSA-265: x86: #DB exception safety check can be triggered by a guest
         (CVE-2018-12893)
XSA-266: libxl fails to honour readonly flag on HVM emulated SCSI disks
         (CVE-2018-12892)
XSA-267: Speculative register leakage from lazy FPU context switching
         (CVE-2018-3665)
XSA-268: Use of v2 grant tables may cause crash on ARM (CVE-2018-15469)
XSA-269: x86: Incorrect MSR_DEBUGCTL handling lets guests enable BTS
         (CVE-2018-15468)
XSA-272: oxenstored does not apply quota-maxentity (CVE-2018-15470)
XSA-273: L1 Terminal Fault speculative side channel (CVE-2018-3620,
         CVE-2018-3646)

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 059d655f5c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 22:01:18 +02:00
Peter Korsgaard
a92358e624 strongswan: add upstream security fix for CVE-2018-17540
The fix for CVE-2018-16151 / 16152 contained an exploitable bug.
For details, see:

https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 040cf15a87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 21:54:38 +02:00
Peter Korsgaard
28a341501d strongswan: add upstream security patch
Fixes the following security issues:

CVE-2018-16151: The OID parser in the ASN.1 code in gmp allows any number of
random bytes after a valid OID.

CVE-2018-16152: The algorithmIdentifier parser in the ASN.1 code in gmp
doesn't enforce a NULL value for the optional parameter which is not used
with any PKCS#1 algorithm.

For more details, see the advisory:
https://www.strongswan.org/blog/2018/09/24/strongswan-vulnerability-(cve-2018-16151,-cve-2018-16152).html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5e04cdde19)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 21:54:29 +02:00
Fabrice Fontaine
31ad690c56 mosquitto: security bump to version 1.5.3
Fix CVE-2018-12543. If a message is sent to Mosquitto with a topic that
begins with $, but is not $SYS, then an assert that should be unreachable is
triggered and Mosquitto will exit.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5e62304359)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 21:46:51 +02:00
Bernd Kuhls
bcecdc9e81 package/mosquitto: bump version to 1.5.1
Removed patch 0001, applied upstream.
Replaced patch 0002 with a more generic solution as patch 0001.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f5336412d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 21:46:43 +02:00
Bernd Kuhls
0f3608c410 package/apache: security bump to version 2.4.35
Fixes: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
https://lists.apache.org/thread.html/d435b0267a76501b9e06c552b20c887171064cde38e46d678da4d3dd@%3Cannounce.httpd.apache.org%3E

Release notes:
https://lists.apache.org/thread.html/5d604774652fc073b1b161584d0d1efbdba7898c40ae2e2334725e5f@%3Cannounce.httpd.apache.org%3E

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ac22fafdc8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 21:44:01 +02:00
Gilles Talis
f05926ac4b httping: add license hash
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1e2ca0455e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 21:43:17 +02:00
Gilles Talis
6e9ddee511 ocrad: add license hash
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 31e1768150)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 21:43:14 +02:00
Peter Korsgaard
9992701228 bind: security bump to version 9.11.4-P2
From the release notes
(http://ftp.isc.org/isc/bind9/9.11.4-P2/RELEASE-NOTES-bind-9.11.4-P2.txt):

 * There was a long-existing flaw in the documentation for ms-self,
   krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy
   statements.  Though the policies worked as intended, operators who
   configured their servers according to the misleading documentation may
   have thought zone updates were more restricted than they were; users of
   these rule types are advised to review the documentation and correct
   their configurations if necessary.  New rule types matching the
   previously documented behavior will be introduced in a future maintenance
   release.  [GL !708]

 * named could crash during recursive processing of DNAME records when
   deny-answer-aliases was in use.  This flaw is disclosed in CVE-2018-5740.
   [GL #387]

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 63eb34fa12)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 21:38:33 +02:00
Bernd Kuhls
e926a221dd package/ghostscript: fix removal of included lcms2
Ghostscript 9.24 changed the internal lcms2 version:
https://www.ghostscript.com/doc/9.24/News.htm

With this change the directory name was also changed which broke our
code to force the usage of the buildroot lcms2 package.

Fixes
http://autobuild.buildroot.net/results/d04/d04ad017bf06a442a7397f935959994ba72824e1/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d5f83cfc88)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-10-05 20:40:05 +02:00