package/dbus: security bump to version 1.12.18

- Fix CVE-2020-12049: An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. - Also update indentation in hash file (two spaces) Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
toolchain: adjust version check to allow for single numbers
2026-01-05 14:09:53 +03:00 · 2020-06-14 22:06:48 +02:00 · 2020-06-14 22:02:26 +02:00 · 2020-06-14 22:00:43 +02:00 · 2020-06-14 22:00:43 +02:00 · 2020-06-14 22:00:43 +02:00
8 changed files with 80 additions and 8 deletions
--- a/package/dbus/dbus.hash
+++ b/package/dbus/dbus.hash
@@ -1,6 +1,6 @@
 # Locally calculated after checking pgp signature
-# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.16.tar.gz.asc
+# https://dbus.freedesktop.org/releases/dbus/dbus-1.12.18.tar.gz.asc
 # using key 36EC5A6448A4F5EF79BEFE98E05AE1478F814C4F
-sha256	54a22d2fa42f2eb2a871f32811c6005b531b9613b1b93a0d269b05e7549fec80  dbus-1.12.16.tar.gz
+sha256  64cf4d70840230e5e9bc784d153880775ab3db19d656ead8a0cb9c0ab5a95306  dbus-1.12.18.tar.gz
 # Locally calculated
-sha256	0e46f54efb12d04ab5c33713bacd0e140c9a35b57ae29e03c853203266e8f3a1  COPYING
+sha256  0e46f54efb12d04ab5c33713bacd0e140c9a35b57ae29e03c853203266e8f3a1  COPYING
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################

-DBUS_VERSION = 1.12.16
+DBUS_VERSION = 1.12.18
 DBUS_SITE = https://dbus.freedesktop.org/releases/dbus
 DBUS_LICENSE = AFL-2.1 or GPL-2.0+ (library, tools), GPL-2.0+ (tools)
 DBUS_LICENSE_FILES = COPYING
--- a/support/docker/Dockerfile.base
+++ b/support/docker/Dockerfile.base
@@ -0,0 +1 @@
+Dockerfile.debian-stretch
--- a/support/docker/Dockerfile.debian-stretch
+++ b/support/docker/Dockerfile.debian-stretch
@@ -1,6 +1,9 @@
+# vi: ft=dockerfile
 # This Dockerfile generates the docker image that gets used by Gitlab CI
 # To build it (YYYYMMDD.HHMM is the current date and time in UTC):
-#   sudo docker build -t buildroot/base:YYYYMMDD.HHMM support/docker
+#   sudo docker build -t buildroot/base:YYYYMMDD.HHMM \
+#                     -f support/docker/Dockerfile.debian-stretch \
+#                     support/docker
 #   sudo docker push buildroot/base:YYYYMMDD.HHMM

 # We use a specific tag for the base image *and* the corresponding date
@@ -16,7 +19,7 @@ description="Container with everything needed to run Buildroot"
 ENV DEBIAN_FRONTEND noninteractive

 # This repository can be a bit slow at times. Don't panic...
-COPY apt-sources.list /etc/apt/sources.list
+COPY debian-stretch.apt-sources.list /etc/apt/sources.list

 # The container has no package lists, so need to update first
 RUN dpkg --add-architecture i386 && \
@@ -46,6 +49,7 @@ RUN apt-get install -y --no-install-recommends \
        qemu-system-x86 \
        rsync \
        subversion \
+        sudo \
        unzip \
        wget \
        && \
@@ -57,7 +61,9 @@ RUN sed -i 's/# \(en_US.UTF-8\)/\1/' /etc/locale.gen && \
    /usr/sbin/locale-gen

 RUN useradd -ms /bin/bash br-user && \
-    chown -R br-user:br-user /home/br-user
+    chown -R br-user:br-user /home/br-user && \
+    printf 'br-user ALL=NOPASSWD: /bin/su -\n' >/etc/sudoers.d/br-user && \
+    chmod 0440 /etc/sudoers.d/br-user

 USER br-user
 WORKDIR /home/br-user
--- a/support/docker/Dockerfile.fedora-32
+++ b/support/docker/Dockerfile.fedora-32
@@ -0,0 +1,48 @@
+# vi: ft=dockerfile
+# Note: this dockerfile is not reproducible, because the repository
+# where we fetch packages from is not pinned to a specific point in
+# time; i.e. we'll get whatever is current at the moment we build.
+
+FROM fedora:32
+
+LABEL maintainer="Buildroot mailing list <buildroot@buildroot.org>" \
+      vendor="Buildroot" \
+      description="Container based on Fedora 32, with everything needed to run Buildroot already installed"
+
+# Remove the repository with updates, so we only
+# get packages as they were at time of release.
+RUN rm -f /etc/yum.repos.d/fedora-updates*.repo && \
+    dnf -y install \
+        @development-tools \
+        bc \
+        bzip2 \
+        bzr \
+        cpio \
+        cvs \
+        file \
+        gcc-c++ \
+        git \
+        mercurial \
+        ncurses-devel \
+        perl-ExtUtils-MakeMaker \
+        perl-Thread-Queue \
+        python-nose2 \
+        python-pexpect \
+        qemu-system-arm \
+        qemu-system-x86 \
+        rsync \
+        subversion \
+        unzip \
+        wget \
+        which \
+    && dnf -y clean all
+
+RUN useradd -ms /bin/bash br-user && \
+    chown -R br-user:br-user /home/br-user && \
+    printf 'br-user ALL=NOPASSWD: /usr/bin/su -\n' >/etc/sudoers.d/br-user && \
+    chmod 0440 /etc/sudoers.d/br-user
+
+USER br-user
+WORKDIR /home/br-user
+ENV HOME /home/br-user
+ENV LC_ALL C.utf8
--- a/support/docker/build-all
+++ b/support/docker/build-all
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+
+BR2_DOCKER_VERSION="${1}"
+
+if [ -z "${BR2_DOCKER_VERSION}" ]; then
+    printf "Usage: ${0} VERSION\n"
+    exit 1
+fi
+
+CONTEXT_DIR="${0%/*}"
+for d in "${CONTEXT_DIR}"/Dockerfile.*; do \
+    distro="${d#*/Dockerfile.}"
+    docker build \
+        -t "buildroot/${distro}:${BR2_DOCKER_VERSION}" \
+        -f "${d}" "${CONTEXT_DIR}"
+done
--- a/support/docker/debian-stretch.apt-sources.list
+++ b/support/docker/debian-stretch.apt-sources.list
--- a/toolchain/helpers.mk
+++ b/toolchain/helpers.mk
@@ -184,7 +184,7 @@ check_gcc_version = \
 		exit 0 ; \
 	fi; \
 	real_version=`$(1) -dumpversion` ; \
-	if [[ ! "$${real_version}" =~ ^$${expected_version}\. ]] ; then \
+	if [[ ! "$${real_version}." =~ ^$${expected_version}\. ]] ; then \
 		printf "Incorrect selection of gcc version: expected %s.x, got %s\n" \
 			"$${expected_version}" "$${real_version}" ; \
 		exit 1 ; \
Author	SHA1	Message	Date
Fabrice Fontaine	3d4b21dac1	package/dbus: security bump to version 1.12.18 - Fix CVE-2020-12049: An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. - Also update indentation in hash file (two spaces) Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>	2020-06-14 22:06:48 +02:00
Norbert Lange	0813d8a324	toolchain: adjust version check to allow for single numbers A gcc compiler, which was configured with --with-gcc-major-version-only, will only return a single number. (debian does this for example). A simple modification allows the check to work with both single numbers (eg. '9') and full versions (eg. '9.2.1'). Signed-off-by: Norbert Lange <nolange79@gmail.com> Reviewed-by: Romain Naour <romain.naour@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>	2020-06-14 22:02:26 +02:00
Yann E. MORIN	bcf890301f	support/docker: add a Fedore-32 based image Hopefully, this image is reproducible, since we are not using any update repository, and from the looks of it, the repository of the release is never touched. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> --- Changes v1 -> v2: - fix ordering of packages list (Ricardo)	2020-06-14 22:00:43 +02:00
Yann E. MORIN	c15a40e128	support/docker: allow the br-user to becone root When our Dockerfiles (and images) get reused by users, they might need to locally add new packages or tweak the iamge to heir local needs. As such, register the br-user to become root by running (exactly!): $ sudo su - This will allow acutally becoing root without prompting for a password, but no other command will be accepted, and no other paramter will be accepted either. Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr> Cc; Thomas Petazzoni <thomas.petazzoni@bootlin.com>	2020-06-14 22:00:43 +02:00
Yann E. MORIN	5e264875e0	support/docker: add script to generate docker iamges Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>	2020-06-14 22:00:43 +02:00
Yann E. MORIN	14fc4fe1ed	support/docker: rename the Dockerfile and its accompanying file Currently, we only generate one docker image, for use by the gitlab-ci infra. However, users have expressed an interest in using that image for other uses, like: - reproducing build failures as reported by the gitlab-ci jobs; - having a ready-to-use base image to use as-is, or as a template for further customisations. Additionally, some users have reported the need for similar base images, but based off different distros, with the same goals as above, plus: - reproducing build failures reported by users on other distros. As a first step toward providing such images, rename our Dockerfile to include the name and version of the distro it is based off. We add a symlink so that we still have a 'base' image that we can reference from the gitlab-ci infra. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>	2020-06-14 22:00:43 +02:00