qemu_aarch64_virt_defconfig (implicitly) specifies cortex-a53, so adjust the
QEMU command line to also emulate a a53 instead of a57.
Also adjust the defconfig to explicitly specify a53 for consistency/clarity.
Signed-off-by: Gerome Burlats <gerome.burlats@smile.fr>
Cc: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0203df36ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Overriding variables in packages recipes is an error-prone practice.
Current behavior of installing either only as a script or only as a
binary is intended, as describe in the commit log of "d3e4db4e34
usb_modeswitch: bump to version 1.2.6" from 2013.
Rewrite the code to keep the same behavior while replacing variable
override [1] by conditional assignments [2].
[1]
VAR = ...
if ...
VAR = ...
[2]
if ...
VAR = ...
else
VAR = ...
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e25040d31a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit "a554109af8 package/usb_modeswitch: disable parallel build" added
a unicode space in a comment. Replace it with a normal ASCII space for
consistency with elsewhere.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8be8c72c2b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit d1f545004b from 2014
because the added variables already existed. The real problem at the
time was that one of the pre-existent variables had a typo, fixed in a
later commit.
Currently AVRDUDE_LICENSE and AVRDUDE_LICENSE_FILES are declared twice
with the same values for each one. So remove one of them.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Wojciech M. Zabolotny <wzab01@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d6bce837ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since "57ace26b6c package/sdl_sound: add optional support for
libmodplug" from 2016, optional CONF_OPTS are added but they do not
really take effect because there is an unconditional override below the
conditional append.
Currently this does not cause build failures, but it can lead to wrong
detection of dependencies because many explicit --enable/--disable are
not passed to configure.
Fix this by moving the unconditional code to the top.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit df0d7d1371)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit "c5b85231fb s6-networking: enable SSL if libressl is selected"
actually dropped the dependency on s6-dns and s6 when libressl is
enabled.
Fix this by using += inside the conditional code.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 30ff614a03)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add backported patches for the following four security issues in libarchive.
There is no new release yet including these patches.
- CVE-2018-1000877 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000877)
"libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards
(release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in
RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(),
realloc(rar->lzss.window, new_size) with new_size = 0 that can result in
Crash/DoS. This attack appear to be exploitable via the victim must open a
specially crafted RAR archive."
- CVE-2018-1000878 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000878)
"libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards
(release v3.1.0 onwards) contains a CWE-416: Use After Free vulnerability in
RAR decoder - libarchive/archive_read_support_format_rar.c that can result
in Crash/DoS - it is unknown if RCE is possible. This attack appear to be
exploitable via the victim must open a specially crafted RAR archive."
- CVE-2018-1000879 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000879)
"libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards
(release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference
vulnerability in ACL parser - libarchive/archive_acl.c,
archive_acl_from_text_l() that can result in Crash/DoS. This attack appear
to be exploitable via the victim must open a specially crafted archive
file."
- CVE-2018-1000880 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000880)
"libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards
(release v3.2.0 onwards) contains a CWE-20: Improper Input Validation
vulnerability in WARC parser -
libarchive/archive_read_support_format_warc.c, _warc_read() that can result
in DoS - quasi-infinite run time and disk usage from tiny file. This attack
appear to be exploitable via the victim must open a specially crafted WARC
file."
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 17ba24bac1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2018-14629 dns: Fix CNAME loop prevention using counter regression
- CVE-2018-16853: Fix S4U2Self crash with MIT KDC build
- CVE-2018-16853: Do not segfault if client is not set
For more info, see the release notes:
https://www.samba.org/samba/history/samba-4.8.8.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The websock_config.h file currently ends up being installed into the
sysroot with a #include "config.h" line but the config.h file does not
get copied into the sysroot. Refactoring the original patch to have the
configure script properly report whether or not SSL support is enabled
without using the config.h file.
Patch has been submitted upstream but may never be merged since upstream
appears to be dead.
https://github.com/payden/libwebsock/pull/38
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f6843a75fe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9a76fd4dd6)
[Peter: drop 4.19.x/4.20.x, linux / hash changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
*) SECURITY: CVE-2018-17199 (cve.mitre.org)
mod_session: mod_session_cookie does not respect expiry time allowing
sessions to be reused. [Hank Ibell]
*) SECURITY: CVE-2018-17189 (cve.mitre.org)
mod_http2: fixes a DoS attack vector. By sending slow request bodies
to resources not consuming them, httpd cleanup code occupies a server
thread unnecessarily. This was changed to an immediate stream reset
which discards all stream state and incoming data. [Stefan Eissing]
*) SECURITY: CVE-2019-0190 (cve.mitre.org)
mod_ssl: Fix infinite loop triggered by a client-initiated
renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and
later. PR 63052. [Joe Orton]
For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.38
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7675863549)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2018-19935: Allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via an empty string in the
message argument to the imap_mail function.
https://www.cvedetails.com/cve/CVE-2018-19935/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libpango in Pango 1.40.8 through 1.42.3, as used in hexchat and other
products, allows remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via crafted text with
invalid Unicode sequences.
https://nvd.nist.gov/vuln/detail/CVE-2018-15120
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1574dd6d48)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
CVE-2017-14634: In libsndfile 1.0.28, a divide-by-zero error exists in the
function double64_init() in double64.c, which may lead to DoS when playing a
crafted audio file
CVE-2017-17456: The function d2alaw_array() in alaw.c of libsndfile
1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address
0x000000000000), a different vulnerability than CVE-2017-14245
CVE-2017-17457: The function d2ulaw_array() in ulaw.c of libsndfile
1.0.29pre1 may lead to a remote DoS attack (SEGV on unknown address
0x000000000000), a different vulnerability than CVE-2017-14246
CVE-2018-13139: A stack-based buffer overflow in psf_memset in common.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a crafted
audio file. The vulnerability can be triggered by the executable
sndfile-deinterleave
CVE-2018-19661: An issue was discovered in libsndfile 1.0.28. There is a
buffer over-read in the function i2ulaw_array in ulaw.c that will lead to a
denial of service
CVE-2018-19662: An issue was discovered in libsndfile 1.0.28. There is a
buffer over-read in the function i2alaw_array in alaw.c that will lead to a
denial of service
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 45014da2b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d9dcf1c5c1)
[Peter: drop 4.19.x/4.20.x, linux / hash changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libmad uses a very old configure script.
When the toolchain lacks C++ and the build machine lacks /lib/cpp, this
old configure script fails because it can't find a C++ preprocessor that
is valid:
checking for arm-buildroot-linux-uclibcgnueabi-g++... no
checking whether we are using the GNU C++ compiler... no
checking whether no accepts -g... no
checking dependency style of no... none
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
See `config.log' for more details.
This is yet another case that was tentatively fixed by bd39d11d2e
(core/infra: fix build on toolchain without C++), further amended by
4cd1ab1588 (core: alternate solution to disable C++).
However, this only works on libtool scripts that are recent enough, and
thus we need to autoreconf to get it.
We also need to patch configure.ac so that it does not fail on the
missing, GNU-specific files: NEWS, AUTHORS, and Changelog.
Fixes:
- http://autobuild.buildroot.org/results/6a6aa29295bd70679c3a22a149e79010fa20c1bf
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eae18d01ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When linking the host cargo binary, the linker should be told to find
libraries in $(HOST_DIR)/lib, otherwise it will not work libraries
such as libhttp_parser. This was found with per-package directory
support, where the build failed with:
= note: /usr/bin/ld: cannot find -lhttp_parser
collect2: error: ld returned 1 exit status
In order to fix this, instead of passing -L$(HOST_DIR)/lib during the
build of Cargo, we make sure all flags in $(HOST_LDFLAGS) are passed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b5e1b51dd1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- epoll supported since linux-2.5.44/glibc-2.3.2 (see [1])
- dup3 supported since linux-2.6.27/glibc-2.9 (see [2])
- SOCK_CLOEXEC supported on linux (see [3])
- accept4 suppported since linux-2.6.28/glibc-2.10 (see [4])
Fixes [5] apache runtime failure (#11576)
[mpm_event:crit] [pid 173:tid 1996214272] (70023)This function has not been
implemented on this platform: AH00495: Couldn't create a Thread Safe Pollset.
Is it supported on your platform?Also check system or user limits!
[:emerg] [pid 173:tid 1996214272] AH00017: Pre-configuration failed, exiting
[1] http://man7.org/linux/man-pages/man7/epoll.7.html
[2] https://linux.die.net/man/2/dup3
[4] https://linux.die.net/man/2/accept4
[5] https://bugs.busybox.net/show_bug.cgi?id=11576
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a3b44f445)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This script currently uses "/usr/bin/env python" as shebang but it does
not really support Python3. Instead of limiting the script to Python2,
fix it to support both versions.
So change all imports to absolute imports because Python3 follows PEP328
and dropped implicit relative imports.
In order to avoid errors when decoding files with the default 'utf-8'
codec, use errors="surrogateescape" when opening files, the docs for
open() states: "This is useful for processing files in an unknown
encoding.". This argument is not compatible with Python2 open() so
import 'six' to use it only when running in Python3.
As a consequence the file handler becomes explicit, so use it to close()
the file after it got processed.
This "surrogateescape" is a simple alternative to the complete solution
of opening files with "rb" and changing all functions in the lib*.py
files to use bytes objects instead of strings. The only case we can have
non-ascii/non-utf-8 files being checked by the script are for patch
files when the upstream file to be patched is not ascii or utf-8. There
is currently one case in the tree:
package/urg/0002-urg-gcc6-fix-narrowing-conversion.patch.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Tested-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 02b165dc71)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
This release of wolfSSL includes a fix for 1 security vulnerability.
Medium level fix for potential cache attack with a variant of
Bleichenbacher’s attack. Earlier versions of wolfSSL leaked PKCS #1 v1.5
padding information during private key decryption that could lead to a
potential padding oracle attack. It is recommended that users update to the
latest version of wolfSSL if they have RSA cipher suites enabled and have
the potential for malicious software to be ran on the same system that is
performing RSA operations. Users that have only ECC cipher suites enabled
and are not performing RSA PKCS #1 v1.5 Decryption operations are not
vulnerable. Also users with TLS 1.3 only connections are not vulnerable to
this attack. Thanks to Eyal Ronen (Weizmann Institute), Robert Gillham
(University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir
(Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of
Adelaide and Data61) for the report.
The paper for further reading on the attack details can be found at
http://cat.eyalro.net/cat.pdf
Drop now upstreamed patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4e1b3c6e9f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
wolfssl is a library, so it should be installed into staging so other
packages can find the header files / library.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ff1d005f80)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The build fails because $(TARGET_DIR)/bin folder may not exist if for
example to use the following defconfig:
BR2_x86_64=y
BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
BR2_SYSTEM_BIN_SH_DASH=y
BR2_TARGET_GENERIC_GETTY_PORT="tty1"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86_64/linux.config"
BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y
BR2_PACKAGE_S6_LINUX_INIT=y
BR2_TARGET_ROOTFS_EXT2=y
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
[Peter: use install -D]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 89fdf21d58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The syscfg header name is now based on the target triplet, with the
vendor part set to "unknown". The symlink approach no longer works since
we use "buildroot" for the vendor part. Override the target host
configure parameter to match the build system expectation.
The x86 header vendor part has been renamed to "unknown" as well.
Account for that in BR2_PACKAGE_LIBGPG_ERROR_SYSCFG.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e58b5b1b93)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop patch #1. uClibc no longer includes pthreads.h indirectly.
Drop patch #2. The sys/param.h header is included indirectly through the
local includes.h header since version 6.8p1.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 458ad4d7b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cc-tool depends on signals2 not signals, indeed only signals2 is used
in src/data/progress_watcher.h and BOOST_SIGNALS defined in
m4/boost.m4 is never used in configure.ac.
There is no need to select any sort of BR2_PACKAGE_BOOST_SIGNALS2
option, as signals2 is a header-only boost library, and such
header-only boost libraries do not have any Config.in options, as they
are all always installed with the base boost library.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: tweak commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 024ed470ad)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In 36568732e4, we expanded toolchain.cmake to also define the value for
CMAKE_SYSTEM_VERSION, as the cmake documentation states that it must be
manually defined when doing cross-compilation [0]:
When the CMAKE_SYSTEM_NAME variable is set explicitly to enable
cross compiling then the value of CMAKE_SYSTEM_VERSION must also
be set explicitly to specify the target system version.
However, the fix in 36568732e4 uses the version of the kernel headers,
assuming that would be the oldest kernel we could run on. Yet, this is
not the case, because glibc (for example) has fallbacks to support
running on kernels older than the headers it was built against.
The cmake official wiki [1] additionally states:
* CMAKE_SYSTEM_VERSION : optional, version of your target system, not
used very much.
Folllowed a little bit below, by:
* CMAKE_TOOLCHAIN_FILE : absolute or relative path to a cmake script
which sets up all the toolchain related variables mentioned above
For instance for crosscompiling from Linux to Embedded Linux on PowerPC
this file could look like this:
# this one is important
SET(CMAKE_SYSTEM_NAME Linux)
#this one not so much
SET(CMAKE_SYSTEM_VERSION 1)
[...]
Furthermore, using the kernel headers version can be a bit misleading (as
it really looks like is is the correct version to use when it is not),
while it is obvious that 1 is not really the output of `uname -r` and
thus is definitely not misleading.
Finally, random searches [2] about CMAKE_SYSTEM_VERSION, mostly only
turns up issues related with Windows, Mac-OS, and to a lesser extent,
Android (where it is forcibly set to 1), with issues realted to running
under just Linux (as opposed to Adnroid) mostly non-existent.
Consequently, we revert to using the value that is suggested in the
cmake WiKi, i.e. 1, and which is basically what we also used as a
workaround in the azure-iot-sdk-c paclkage up until d300b1d3b1.
A case were we will need to have a real kernel version, is if we one day
have a cmake-based pacakge that builds and installs a kernel module [3],
because it will need the _running_ kernel version to install it in
/lib/modules/VERSION/, but in that case it will anyway most probably
not be the headers version.
[0] https://cmake.org/cmake/help/v3.8/variable/CMAKE_SYSTEM_VERSION.html
[1] https://gitlab.kitware.com/cmake/community/wikis/doc/cmake/CrossCompiling
[2] https://duckduckgo.com/?q=CMAKE_SYSTEM_VERSION
[3] https://stackoverflow.com/questions/38205745/cmake-system-version-not-updated-for-new-kernel
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Samuel Martin <s.martin49@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fc8a5f56b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Quoting the CMake documentation:
When the CMAKE_SYSTEM_NAME variable is set explicitly to enable cross
compiling then the value of CMAKE_SYSTEM_VERSION must also be set
explicitly to specify the target system version.
Thus, we should also set CMAKE_SYSTEM_VERSION in toolchainfile.cmake. It
is supposed to be set to the value of `uname -r` on the target. We don't
have that exact value available (unless we build the kernel), but the
value of BR2_TOOLCHAIN_HEADERS_AT_LEAST contains the (minimum) version
of the kernel it will run on, so it should be OK for all practical
purposes.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 36568732e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the bump to version 1.15, libsquish can conditionally
build/install its shared library, which makes it possible to re-enable
this package for BR2_STATIC_LIBS configurations.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ae4b9e4afb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While testing the new supertuxkart 0.10-beta1 version, the build
failed due to missing libsquash shared library.
Indeed, by default (see config file) the shared library is not build
and all symlinks created by LIBSQUISH_INSTALL_{STAGING,TARGET}_CMDS
are curently broken.
To fix that, add USE_SHARED=1 to LIBSQUISH_MAKE_ENV.
Also add a patch to allow reinstall the package.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b621273755)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
releases.nixos.org gives some weird XML pages. The upstream location is
nixos.org/releases.
This side uses HSTS, so switch to https to avoid a needless redirect.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e2fa462426)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit ec69d3820f (package/lighttpd: bump to version 1.4.52) bumped the
lighttpd version but forgot to adjust the upstream hash comment.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b99b09caee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 78f0c1fe4a)
[Peter: drop 4.19.x/4.20.x, linux / hash changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As xenomai release tarballs ship with a configure script, there is only a
need for autoreconfiguring when patches are applied.
The last patch was removed with git commit
de993bc23a but the AUTORECONF line remained.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4219c58c38)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream CHANGELOG entry for 4.3.0 lists these fixes:
- CVE-2018-18408 use-after-free in post_args (#489)
- CVE-2018-18407 heap-buffer-overflow csum_replace4 (#488)
- CVE-2018-17974 heap-buffer-overflow dlt_en10mb_encode (#486)
- CVE-2018-17580 heap-buffer-overflow fast_edit_packet (#485)
- CVE-2018-17582 heap-buffer-overflow in get_next_packet (#484)
- CVE-2018-13112 heap-buffer-overflow in get_l2len (#477 dup #408)
Drop tr_cv_libpcap_version and ac_cv_have_bpf; unused in current
configure script.
Make configure script use pcap-config to list library dependencies.
Unfortunately, pcap-config is not entirely correct, so we still need to
set the LIBS variable for static linking.
Use the smaller tar.xz archive.
Add license file hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f5961ff56a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 62d5558f76 (utils/get-developers: make it callable from elsewhere
than the toplevel directory) tried to fix this by passing in the toplevel
directory when the DEVELOPERS file is parsed.
Unfortunately this is not enough, as E.G. also the paths listed in the
patches are relative to the toplevel directory, causing it to not match the
entries in the DEVELOPERS file.
In concept this can be fixed by also passing the toplevel directory to the
Developers class, but the simplest solution is just to chdir to the toplevel
Buildroot directory before calling any of the getdeveloperlib functions.
This does require us to finish parsing command line arguments (which opens
the provided patch files) to not get into trouble with relative paths to
patches before chdir'ing / initializing getdeveloperlib.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 45aabcddc5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 62d5558f76.
This actually does not work, as patches contain paths relative to the
toplevel directory as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 74fbc20504)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes regressions introduced by the v8.14.0 security release. From the
announcement:
The 8.14.0 security release introduced some unexpected breakages on the 8.x
release line. This is a special release to fix a regression in the HTTP
binary upgrade response body and add a missing CLI flag to adjust the max
header size of the http parser.
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f68e5cf72)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Explain how this can be used with git send-email, and how git can be
configured to use it automatically.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 507d56a6be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Config.in comment of lua-msgpack-native only indicates that it
needs Lua 5.1, while the package can actually build with LuaJIT. This
commit adjusts the comment to match the reality.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6141506760)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Before this commit, the grub configuration file was copied to the
TARGET_DIR in a post-image hook, after the filesystem has been
generated. It was kinda working because the board/pc's grub
configuration and the default one are the same and the later was
copied during the build process of the grub2 package.
This commit ensures the custom board/pc grub configuration is copied at
the right time.
Signed-off-by: Grégoire Delattre <gregoire.delattre@gmail.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0b28397a9b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The following vulnerabilities have been fixed:
- wnpa-sec-2018-51 The Wireshark dissection engine could crash. Bug 14466. CVE-2018-19625.
- wnpa-sec-2018-52 The DCOM dissector could crash. Bug 15130. CVE-2018-19626.
- wnpa-sec-2018-53 The LBMPDM dissector could crash. Bug 15132. CVE-2018-19623.
- wnpa-sec-2018-54 The MMSE dissector could go into an infinite loop. Bug 15250. CVE-2018-19622.
- wnpa-sec-2018-55 The IxVeriWave file parser could crash. Bug 15279. CVE-2018-19627.
- wnpa-sec-2018-56 The PVFS dissector could crash. Bug 15280. CVE-2018-19624.
- wnpa-sec-2018-57 The ZigBee ZCL dissector could crash. Bug 15281. CVE-2018-19628.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2ec38321d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Remove first patch (inet_pton test removed since version 2.5.0 and
12d63c428f)
- Remove second patch (already in version, since
3761ef3785)
- Remove WIRESHARK_AUTORECONF=yes as configure.ac is not patched anymore
- gcrypt is a mandatory dependency since version 2.4.0 and
6b84ddee83
- geoip support has been replaced by maxminddb since version 2.5.0 and
a1da75c554
- Drop includedir "hack", this is not needed anymore and wireshark is
now installing files in target. With this hack, build fails on:
wireshark: installs files in /home/fabrice/buildroot/output/target//home/fabrice/buildroot/output
package/pkg-generic.mk:310: recipe for target '/home/fabrice/buildroot/output/build/wireshark-2.6.4/.stamp_target_installed' failed
- Disable all new optional features
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: keep optional dependencies alphabetic on Config.in name;
add comment of libgcrypt -> libgpg-error dependency.]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 72bafd5e45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- lua 5.3 or luajit is not supported
- Don't specify the path to find lua as pkgconfig is used for lua
(this is not the case for the other options)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fb59a8857e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In order to provide info about a bundle file, e.g. running "rauc info
bundle.raucb", rauc needs to use the unsquashfs progam from the squashfs
package.
This was not documented until upstream commit 10c501c12752 ("docs:
integration: document need for 'unsquashfs' tool for 'rauc info'"), but
is already present in rauc.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4a4dba21b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sqlite3 refuses to be built with -ffast-math (a side effect of -Ofast) when it
falls back to implementing its own isnan() function.
sqlite3.c: In function ‘sqlite3IsNaN’:
sqlite3.c:28554:3: error: #error SQLite will not work correctly with the -ffast-math option of GCC.
To work around this, when -Ofast is used replace with -O3.
Signed-off-by: Joshua Henderson <joshua.henderson@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 83781f11dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Just like the target acpica package needs host-flex and host-bison,
the host variant also needs the same dependencies. This allows to fix
the build of "make host-acpica", which was detected thanks to
per-package directory support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8681430628)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit aa556e2035
("utils/genrandconfig: test with BR2_OPTIMIZE_2=y"), we are doing
builds at -O2 instead of -Os. This has unveiled an issue in the
strsep.c file:
strsep.c:65:23: error: register name not specified for 'delim'
register const char *delim;
This strsep.c compatibility code is compiled in if HAVE_STRSEP is not
defined, but dhcpdump does not use any kind of configure script to
detect the availability of strsep(). Therefore by default, it gets
compiled in, and the "register" specifier used for some variable
declarations in strsep.c cause build issues at -O2.
A previous commit in Buildroot from
c2a7f0d605 ("dhcpdump: Fix strsep()
feature test"), attempted to fix this problem by changing the test on
HAVE_STRSEP by a test on _BSD_SOURCE.
Unfortunately, _BSD_SOURCE is not meant to be tested: it's a feature
macro that is meant to be *defined* by some code to tell the C library
headers to expose (or not) some given functionality.
So instead, we basically revert commit
c2a7f0d605 by dropping the patch, and
pass -DHAVE_STRSEP in the CFLAGS when building dhcpdump.
Fixes:
http://autobuild.buildroot.net/results/7231170d3d3e3637f02382c1a0a96009b0527618/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 136c8862cf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building a minimal defconfig such as:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-2018.05.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_4_9=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_1=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XAPP_RGB=y
by running "make xapp_rgb" gives the following build failure:
checking for RGB... configure: error: in `/home/test/buildroot/output/build/xapp_rgb-1.0.6':
configure: error: The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.
Alternatively, you may set the environment variables RGB_CFLAGS
and RGB_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
The configure script uses pkg-config, but host-pkgconf is missing in
the list of dependencies.
This issue was detected thanks to per-package directory support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 401b7b94a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The first stage bootloader on LEGO MINDSTORMS EV3 only loads the first
256K of the flash memory (this is hard-coded in an EEPROM). So, the
second stage bootloader (U-Boot) cannot exceed this size.
Signed-off-by: David Lechner <david@lechnology.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b2e5014af5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the release notes:
If per_listener_settings is set to true, then the acl_file setting was
ignored for the "default listener" only. This has been fixed. This does
not affect any listeners defined with the listener option.
https://mosquitto.org/blog/2018/12/version-155-released/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 726be29277)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-1160: Netatalk before 3.1.12 is vulnerable to an out of
bounds write in dsi_opensess.c. This is due to lack of bounds checking on
attacker controlled data. A remote unauthenticated attacker can leverage
this vulnerability to achieve arbitrary code execution.
For more details, see the release notes:
http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8aaf05916c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
shairport-sync creates its pidfile at /var/run/shairport-sync/, so pass
that path to start-stop-daemon in the stop operation.
Also pass the executable path, allowing start-stop-daemon to check if
the PID matches the shairport-sync process, preventing killing some
other inocent daemon.
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=11566
Reported-by: Bin Zhang <yangtze31@gmail.com>
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6568b93929)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade
There is a stack overflow vulnerability in the res_http_websocket.so module of
Asterisk that allows an attacker to crash Asterisk via a specially crafted
HTTP request to upgrade the connection to a websocket. The attacker’s
request causes Asterisk to run out of stack space and crash.
For more details, see the announcement:
https://www.asterisk.org/downloads/asterisk-news/asterisk-13231-1478-1561-and-1321-cert3-now-available-security-release
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: mark as security fix, extend commit message]
(cherry picked from commit 19b64c2286)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a bug introduced in 2.20.0 with unintended Authorization header
stripping for redirects using default ports (http/80, https/443).
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 745132abc0)
[Peter: mention fix from 2.20.0]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-18074: The Requests package before 2.20.0 for Python sends an
HTTP Authorization header to an http URI upon receiving a same-hostname
https-to-http redirect, which makes it easier for remote attackers to
discover credentials by sniffing the network.
LICENSE update: replaced http address with https.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 42bebd1e7c)
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.9.1 (released 2017/10/04) includes two security fixes.
go1.9.2 (released 2017/10/25) includes fixes to the compiler, linker,
runtime, documentation, go command, and the crypto/x509, database/sql, log,
and net/smtp packages. It includes a fix to a bug introduced in Go 1.9.1
that broke go get of non-Git repositories under certain conditions.
go1.9.3 (released 2018/01/22) includes fixes to the compiler, runtime, and
the database/sql, math/big, net/http, and net/url packages.
go1.9.4 (released 2018/02/07) includes a security fix to “go get”.
go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command,
and net/http/pprof package.
go1.9.6 (released 2018/05/01) includes fixes to the compiler and go command.
go1.9.7 (released 2018/06/05) includes fixes to the go command, and the
crypto/x509, and strings packages. In particular, it adds minimal support
to the go command for the vgo transition.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, U-Boot is failing to build, due to some issues
with the toolchain and the U-Boot port.
Fix it.
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit aacf3acb84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
luvi fails to run when it was build with CMake 3.12+:
```
[string "return require('init')(...)"]:1: module 'init' not found:
no field package.preload['init']
no file './init.lua'
no file '/usr/share/luajit-2.0.5/init.lua'
no file '/usr/local/share/lua/5.1/init.lua'
no file '/usr/local/share/lua/5.1/init/init.lua'
no file '/usr/share/lua/5.1/init.lua'
no file '/usr/share/lua/5.1/init/init.lua'
no file './init.so'
no file '/usr/local/lib/lua/5.1/init.so'
no file '/usr/lib/lua/5.1/init.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
```
Looking at link.txt for the luvi executable shows that `-rdynamic` is
not set anymore in CMake 3.12. This has the effect, that symbols are
missing in the `.dynsym` section in the binary.
The patch, sets `ENABLE_EXPORTS` to true in CMakeLists.txt to force setting
`-rdynamic` explicitly.
Upstream status: b8781653dcb8815a3019a77baf4f3b7f7a255ebe
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56d2ac54dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE identifiers: CVE-2018-4437,
CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, and
CVE-2018-4464. Additionally, it fixes a couple of build failures in
unusual build configurations.
Release notes can be found in the announcement:
https://webkitgtk.org/2018/12/13/webkitgtk2.22.5-released.html
More details on the issues covered by security fixes can be found
in the corresponding security advisory:
https://webkitgtk.org/security/WSA-2018-0009.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6bbfaf1d40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update to version 2018.11 to resolve the following build failure:
corelib/channel_curl.c: In function ‘channel_map_curl_error’:
corelib/channel_curl.c:298:2: error: duplicate case value
case CURLE_SSL_CACERT:
^
corelib/channel_curl.c:297:2: error: previously used here
case CURLE_PEER_FAILED_VERIFICATION:
^
when building with CONFIG_DOWNLOAD=y. This issue is happening since
the libcurl bump to 7.62.0.
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1040b18634)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove upstream patches:
* 0001-compat.h-introduce-compatibility-header.patch
* 0002-Fix-build-if-DOWNLOAD-is-set-but-no-JSON.patch
Update note about bundled modified version of mongoose 6.11.
Update licenses. Some files are LGPL-2.1+ now. Remove Public Domain as the
relevant bundled sqlite3 code was removed some time age.
Regenerated the .config file by doing:
```
make swupdate-menuconfig
make swupdate-update-config
```
.. and removing the paths for the build options manually.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 26184c2815)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
1.15.7 contains a number of bugfixes. From the changes file:
*) Bugfix: memory leak on errors during reconfiguration.
*) Bugfix: in the $upstream_response_time, $upstream_connect_time, and
$upstream_header_time variables.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_mp4_module was used on 32-bit platforms.
https://nginx.org/en/CHANGES
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bc60c57f69)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libgpgme installs a gpgme-config script, it should be tweaked using
the <pkg>_CONFIG_SCRIPTS mechanism. This is generally useful and is
going to be particularly important with per-package directories.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3df53aa11d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Definitions of POLLWRNORM, POLLWRBAND and POLLREMOVE in xtensa linux
kernel are non-standard. Provide bits/poll.h with correct values for
these constants for uclibc-ng.
This fixes the following strace build errors:
In file included from xlat/pollflags.h:4:0,
from poll.c:34:
./static_assert.h:40:24: error: static assertion failed: "POLLWRBAND != 0x0100"
# define static_assert _Static_assert
^
xlat/pollflags.h:75:1: note: in expansion of macro ‘static_assert’
static_assert((POLLWRBAND) == (0x0100), "POLLWRBAND != 0x0100");
^~~~~~~~~~~~~
./static_assert.h:40:24: error: static assertion failed: "POLLREMOVE != 0x0800"
# define static_assert _Static_assert
^
xlat/pollflags.h:117:1: note: in expansion of macro ‘static_assert’
static_assert((POLLREMOVE) == (0x0800), "POLLREMOVE != 0x0800");
^~~~~~~~~~~~~
Fixes:
http://autobuild.buildroot.net/results/5a0112b7a2c81fa5253c9adc93efe415256cd811
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 95f11fb25d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When one of BR2_PACKAGE_FFTW_PRECISION_* is enabled, liquid-dsp links
against fftw3f, fftw3 or fftw3l, but forgets to add the fftw package
in its dependencies. It works fine in practice because "fftw" is
before "liquid-dsp" in the alphabetic ordering, but building with
"make liquid-dsp" or with per-package directory causes a build
failure.
Fix that by adding the missing dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Reviewed-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2517fa73ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The sdl2_net configure script uses pkg-config to finx sdl2. If it
doesn't find pkg-config, it tries to locate sdl2-config, and defaults
to /usr/bin/sdl2-config, which causes the build to fail with:
arm-linux-gcc: ERROR: unsafe header/library path used in cross-compilation: '-I/usr/include/SDL2'
Fix this by adding host-pkgconf to the dependencies of sdl2_net. We
could have added the right autoconf cache variable to tell the
configure script where sdl2-config is located, but since pkg-config is
tried first, let's use that.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c2a1bcb1b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Just like the build of the target wine, the build of host wine also
needs bison and flex, otherwise the build fails with:
checking for flex... no
configure: error: no suitable flex found. Please install the 'flex' package.
(and similarly for bison once host-flex is provided)
This was detected using per-package directories. It used to "work"
because host-wine comes alphabetically after host-flex and host-bison,
which are dependencies of target wine.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e4d153b16a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
multiplication (CVE-2018-5407)
For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0de2c9c76c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX,
as used in imap_open() in PHP and other products, launches an rsh command
(by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
function in osdep/unix/tcp_unix.c) without preventing argument injection,
which might allow remote attackers to execute arbitrary OS commands if the
IMAP server name is untrusted input (e.g., entered by a user of a web
application) and if rsh has been replaced by a program with different
argument semantics. For example, if rsh is a link to ssh (as seen on Debian
and Ubuntu systems), then the attack can use an IMAP server name containing
a "-oProxyCommand" argument.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1af5232138)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The logic to ensure at least one compression backend is selected was not
updated when lz4, xz and zstd were introduced - Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
[Peter: add comment as suggested by Peter Seiderer]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84aeb4419f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported in bug #11426, the ppsfind shell script uses /bin/bash,
but the Buildroot pps-tools package doesn't depend on bash. In fact,
upstream has fixed the problem, and the script can now be used with a
POSIX shell, and the shebang is /bin/sh.
This commit therefore bumps pps-tools to the latest upstream commit,
which is precisely this fix.
Fixes bug #11426.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5c89726d9f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Lynx configure script uses pkg-config when available:
checking for nios2-buildroot-linux-gnu-pkg-config... /home/thomas/projets/buildroot/output/host/bin/pkg-config
checking pkg-config for openssl... yes
[...]
checking pkg-config for ncurses... yes
Using pkg-config avoids build failures such as:
checking for _nc_freeall... no
configure: error: Configuration does not support color-styles
make: *** [/home/test/autobuild/run/instance-1/output/build/lynx-2.8.9rel.1/.stamp_configured] Error 1
When building with "make lynx", so that pkg-config is not built
before. The issue is that in this case, lynx configure script picks up
the ncurses6-config script for the host ncurses instead of the one in
staging. Using pkg-config solves that nicely.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67ee7f9eb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using an initramfs, on the first-pass build, we create a dummy cpio
so that the build succeeeds. The real cpio will come later, and we'll do
a second-pass build to use the actual cpio.
However, when we touch that dummy cpio, the images/ directory may not
yet exist, since commit d0f4f95e39 (Makefile: rework main directory
creation logic) removed its creation at the begining of the build, to
only at the moment we need it, i.e. during the *_INSTALL_IMAGES_CMDS
steps.
However, the linux build is not a _INSTALL_IMAGES_CMDS step, so there is
no guarantee that images/ already exist at that time.
Fix that by explicitly creating images/ before touching the dummy cpio.
Reported-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 524fb10bbe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libcurl doesn't find any trust path for CA certs when it cross-compiles.
When using OpenSSL, it is explicitly configured to use the SSL cert
directory with OpenSSL style hash files in it. But with GnuTLS, it gets
nothing.
Rather than configure libcurl to use the OpenSSL directory or a bundle
file, configure it to use the GnuTLS default. This way the CA certs
path can be configured in one place (gnutls) and then libcurl and anyone
else who uses gnutls can default to that.
Also, when libcurl with gnutls is configured to use a directory, it ends
up loading each cert three times.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 43b4d3ae45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gnutls is building with no default location to look for CA certs. Since
there are buildroot packages to provide these, configure it to use them
by default.
Configure gnutls to find them using the bundle file which contains all
certs, rather than looking in the cert directory. When gnutls is told
to use the directory, it loads *every* file in it. This means it loads
the bundle with all certs, then loads each cert a second time using the
individual pem files, and then loads them all the third time via the
hash symlinks to the pem files.
When p11-kit is enabled, use its trust module instead of the bundle
file. p11-kit can be configured to use the bundle (the default), but it
can do other things too, such as integrate with the "trust" command for
adding and removing trust anchors.
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 379306e8f2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
fstatfs/statfs on aarch64 seems broken, add a patch from uClibc-ng
upstream git to fix it.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2179ca4a61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerability:
CVE-2018-19591: A file descriptor leak in if_nametoindex can lead to a
denial of service due to resource exhaustion when processing getaddrinfo
calls with crafted host names. Reported by Guido Vranken.
Adhemerval Zanella (2):
Fix misreported errno on preadv2/pwritev2 (BZ#23579)
x86: Fix Haswell CPU string flags (BZ#23709)
Alexandra Hájková (1):
Add an additional test to resolv/tst-resolv-network.c
Andreas Schwab (1):
libanl: properly cleanup if first helper thread creation failed (bug 22927)
Florian Weimer (3):
preadv2/pwritev2: Handle offset == -1 [BZ #22753]
conform: XFAIL siginfo_t si_band test on sparc64
CVE-2018-19591: if_nametoindex: Fix descriptor for overlong name [BZ #23927]
Ilya Yu. Malakhov (1):
signal: Use correct type for si_band in siginfo_t [BZ #23562]
Martin Kuchta (1):
pthread_cond_broadcast: Fix waiters-after-spinning case [BZ #23538]
Stefan Liebler (2):
Fix segfault in maybe_script_execute.
Fix race in pthread_mutex_lock while promoting to PTHREAD_MUTEX_ELISION_NP [BZ #23275]
Szabolcs Nagy (1):
i64: fix missing exp2f, log2f and powf symbols in libm.a [BZ #23822]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2018-17961: Artifex Ghostscript 9.25 and earlier allows attackers to
bypass a sandbox protection mechanism via vectors involving errorhandler
setup. NOTE: this issue exists because of an incomplete fix for
CVE-2018-17183.
- CVE-2018-18284: Artifex Ghostscript 9.25 and earlier allows attackers to
bypass a sandbox protection mechanism via vectors involving the 1Policy
operator.
- CVE-2018-19409: An issue was discovered in Artifex Ghostscript before
9.26. LockSafetyParams is not checked correctly if another device is
used.
- CVE-2018-19475: psi/zdevice2.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because available
stack space is not checked when the device remains the same.
- CVE-2018-19476: psi/zicc.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because of a
setcolorspace type confusion.
- CVE-2018-19477: psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows
remote attackers to bypass intended access restrictions because of a
JBIG2Decode type confusion.
For more details, see the release notes:
https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e52b02677a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
*) Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
shown to be vulnerable to a microarchitecture timing side channel attack.
An attacker with sufficient access to mount local timing attacks during
ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
(CVE-2018-5407)
[Billy Brumley]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
For more information, see the changelog:
https://www.openssl.org/news/cl102.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3301b6e1b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
PLATFORM is an environment variable used by xfsprogs' configure script
to determine the platform for which the applications are being built. If
we set some incorrect/unsupported value through e.g: export, this will
be picked up by xfsprogs' configure script and used as-is and assigned
to PKG_PLATFORM, which will lead to build failures.
If PLATFORM was empty/unset, then uname on the host building xfsprogs
gets used to determine the build platform, which again could be
incorrect if we e.g: built xfsprogs on a Darwin system.
Since we are obviously building for Linux, let's just make sure we
define it that way which solves both issues.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 257a2118be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2018-14629:
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
- CVE-2018-16841:
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
- CVE-2018-16851:
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
There is no further vulnerability associated with this issue, merely a
denial of service.
- CVE-2018-16853:
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
For more details, see the release notes:
https://www.samba.org/samba/history/samba-4.8.7.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
tests are enabled if gperf and zlib are found and they fail on:
/home/buildroot/autobuild/run/instance-0/output/build/msgpack-2.1.5/include/msgpack/v1/object.hpp:652:34:
error: 'void* memcpy(void*, const void*, size_t)' copying an object of non-trivial type 'struct msgpack::v2::object' from an array of 'const msgpack_object' {aka 'const struct msgpack_object'} [-Werror=class-memaccess]
std::memcpy(&o, &v, sizeof(v));
So disable them.
Fixes:
- http://autobuild.buildroot.org/results/7d7aa9723f02f9bc78dbf6248674be4d402199bf
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit d2d75e07db)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libid3tag uses a very old configure script.
When the toolchain lacks C++ and the build machine lacks /lib/cpp, this
old configure script fails because it can't find a C++ preprocessor that
is valid:
checking for arm-buildroot-linux-uclibcgnueabi-g++... no
checking whether we are using the GNU C++ compiler... no
checking whether no accepts -g... no
checking dependency style of no... none
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
See `config.log' for more details.
This is yet another case that was tentatively fixed by bd39d11d2e
(core/infra: fix build on toolchain without C++), further amended by
4cd1ab1588 (core: alternate solution to disable C++).
However, this only works on libtool scripts that are recent enough, and
thus we need to autoreconf to get it.
We also need to patch configure.ac so that it does not fail on the
missing, GNU-specific files: NEWS, AUTHORS, and Changelog.
Fixes:
http://autobuild.buildroot.org/results/ac3/ac3870208aab6001db6b790b6c5dde64d08f7669/http://autobuild.buildroot.org/results/cc1/cc18397f38dfd4f1e6605f7a6f58edab49b396ac/
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 43274dd3e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
