Commit Graph

45303 Commits

Author SHA1 Message Date
Carlos Santos
0dbf9b709d package/eudev: add missing user/groups "kvm" and "render"
They are required by the default udev rules.

Fixes: https://bugs.busybox.net/show_bug.cgi?id=12141

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0aa6634318)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 21:48:18 +02:00
Yegor Yefremov
45f6b6fc04 DEVELOPERS: add Yegor Yefremov to dhcpcd and nftables package
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cc74a1488b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 21:46:13 +02:00
Carlos Santos
658838df1d package/util-linux: create $(TARGET_DIR)/etc/pam.d if necessary
Useful for test purposes when we want to install util-linux with a
custom TARGET_DIR, e.g.

    $ make util-linux-reinstall TARGET_DIR=/tmp/util-linux

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 40af3a6661)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 21:44:33 +02:00
Carlos Santos
70c5b3c4ee package/thttpd: fix systemd startup
Create the configuration file as /etc/thttpd.conf, as expected by the
systemd unit file.

This matches other web server packages that install configuration files
at /etc/lighttpd/, /etc/apache2, etc.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 349501320b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 21:41:01 +02:00
Carlos Santos
9557a7eff5 package/thttpd: fix init script
The init script provided by thttpd is for FreeBSD. Add a custom one,
made specifically for Buildroot.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fc7488e99f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 21:37:35 +02:00
Peter Korsgaard
797f7b6203 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.2.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dc82013bf5)
[Peter: drop 5.2.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 21:04:20 +02:00
Peter Korsgaard
cdd1059b5c package/libcurl: security bump to version 7.66.0
Fixes the following security vulnerabilities:

CVE-2019-5481: FTP-KRB double-free
https://curl.haxx.se/docs/CVE-2019-5481.html

CVE-2019-5482: TFTP small blocksize heap buffer overflow
https://curl.haxx.se/docs/CVE-2019-5482.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2683200065)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 20:00:33 +02:00
Peter Korsgaard
b775c99262 package/nodejs: security bump to version v8.16.1
Fixes the following security vulnerabilities:

- CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data
  from a specified resource over multiple streams.  They manipulate window
  size and stream priority to force the server to queue the data in 1-byte
  chunks.  Depending on how efficiently this data is queued, this can
  consume excess CPU, memory, or both, potentially leading to a denial of
  service.

- CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume excess
  CPU, memory, or both, potentially leading to a denial of service.

- CVE-2019-9513 "Resource Loop": The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way that
  causes substantial churn to the priority tree.  This can consume excess
  CPU, potentially leading to a denial of service.

- CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and
  sends an invalid request over each stream that should solicit a stream of
  RST_STREAM frames from the peer.  Depending on how the peer queues the
  RST_STREAM frames, this can consume excess memory, CPU, or both,
  potentially leading to a denial of service.

- CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS
  frames to the peer.  Since the RFC requires that the peer reply with one
  acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
  equivalent in behavior to a ping.  Depending on how efficiently this data
  is queued, this can consume excess CPU, memory, or both, potentially
  leading to a denial of service.

- CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of
  headers with a 0-length header name and 0-length header value, optionally
  Huffman encoded into 1-byte or greater headers.  Some implementations
  allocate memory for these headers and keep the allocation alive until the
  session dies.  This can consume excess memory, potentially leading to a
  denial of service.

- CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave the
  TCP window closed so the peer cannot actually write (many of) the bytes on
  the wire.  The attacker then sends a stream of requests for a large
  response object.  Depending on how the servers queue the responses, this
  can consume excess memory, CPU, or both, potentially leading to a denial
  of service.

- CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames
  with an empty payload and without the end-of-stream flag.  These frames
  can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE.  The peer spends
  time processing each frame disproportionate to attack bandwidth.  This can
  consume excess CPU, potentially leading to a denial of service.
  (Discovered by Piotr Sikora of Google)

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 19:52:25 +02:00
Martin Bark
dd4f4fe45b package/nodejs: use shared nghttp2 library
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9a52e173b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 19:28:05 +02:00
Peter Korsgaard
7fcd08bf68 package/nghttp2: security bump to version 1.39.2
Fixes the following security issues:

CVE-2019-9511: Data Dribble
CVE-2019-9513: Resource Loop

For details, see the advisory:
https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/

Notice that libnghttp2 itself is not affected by these vulnerabilities, only
nghttpx and nghttpd (which are currently not built).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4c7e7acbe4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 19:26:42 +02:00
Martin Bark
3cbc9a3ff4 package/nghttp2: bump version to 1.37.0
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bd52cb76b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 19:26:30 +02:00
Peter Korsgaard
d2465aac0e package/luksmeta: do not build man pages
Fixes:
http://autobuild.buildroot.net/results/a6247b95f1578fe1daec485589582310c75b5d84/

luksmeta-v9 generates man pages at build if a2x is available since:

commit 3fa51bb22350fee101fc52044949f6eb394114ae
Author: Daniel Kopeček <dkopecek@redhat.com>
Date:   Fri Jul 13 01:52:45 2018 +0200

   Generate manual page from source during build time

   If a2x (asciidoc) is not available during configure time,
   a warning will be generated and the manual page wont be
   generated nor installed.

Man pages are not needed on target and the build step fails in certain
setups, so disable it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0471f650b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 18:04:58 +02:00
Peter Korsgaard
51af5842af package/luksmeta: bump to version v9
Bugfix release, fixing a potential infinite loop when handling the LUKS
header:

git shortlog v8..v9
Daniel Kopeček (2):
      Use asciidoc as the manual page source format
      Generate manual page from source during build time

Milan Broz (1):
      Fix infinite loop when initializing trimmed LUKS header.

Nathaniel McCallum (3):
      Fix invalid man page section reference
      Fix typos in the man page
      Release version 9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8103460aa1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 18:04:48 +02:00
Carlos Santos
f9400e938c package/nfs-utils: always use libtirpc and enable IPv6
nfs-utils selects rpcbind, and rpcbind unconditionally selects
libtirpc. Therefore, nfs-utils will never be used with the C library
RPC implementation: libtirpc will always be used. Consequently, all
the conditional logic to use libtirpc only if available is useless,
and we can use libtirpc unconditionally.

As an added bonus, this means that we can enable IPv6, because
libtirpc provides an IPv6-compatible RPC implementation.

Fixes: https://bugs.busybox.net/show_bug.cgi?id=10806

Signed-off-by: Carlos Santos <unixmania@gmail.com>
[Thomas: rework commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 749334cb36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 18:00:50 +02:00
Baruch Siach
6218199ccd package/libnftnl: drop obsolete patch
Patch #1 is obsolete since upstream commit 244d60de2f1 ("utils: define
xfree() as macro") in version 1.0.3. xfree is no longer a symbol, so it
can't conflict with symbols of the code libnftnl links with.

Cc: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 291bfa5902)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 14:22:32 +02:00
Baruch Siach
e9a935047f package/libnftnl: bump to version 1.1.3
Rebase patch #1.

Cc: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1208e41561)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-25 14:22:27 +02:00
Pierre-Jean Texier
cd72d5bf57 package/haveged: bump to version 1.9.6
This includes the following changes:

94079e6 Fixed invalid UTF-8 codes in ChangeLog
1470a82 Updated service.fedora
9596c53 Updated service.fedora
b50b59b New version 1.9.5
037e059 New version 1.9.5
2681d01 Added test for /dev/random symlink
0dac21b Update to automake 1.16
638e2f0 Fixed built issue on Cygwin
083f827 minimize diff
b38def1 minimize diff
e16369d take into account review by @nbraud
6dfce53 Remove support for CPUID on ia64
fc50dda [PATCH] Output some progress during CUSUM and RANDOM EXCURSION test
be4e481 NEWS: Cleanup extraneous whitespace
0815b3c Fixup upstream changelog
6d52229 Fix type mismatch in get_poolsize
90d00f7 service.redhat: update PIDFile
16a9726 fix segv at start
ceab89a init.d/Makefile.am: add missing dependency
01e3154 Diagnostics capture mode now works correctly by referencing the right variable during rng warmup
f219358 Fix segfault on arm machines

Also add a 'v' prefix in _SITE variable.

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8e1b0d8857)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-24 16:49:04 +02:00
Pierre-Jean Texier
2940519e54 package/haveged: bump to version 1.9.4
See https://github.com/jirka-h/haveged/releases/tag/1.9.4

Also change the site location, upstream release
mechanism has switched to using github.

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6bc4189b82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-24 16:48:18 +02:00
Raphaël Mélotte
1f17bc1719 docs/manual/adding-packages-python.txt: fix outdated Python 3 explanation
Python packages should no longer depend on BR2_PACKAGE_PYTHON in their
config file, unless they are only compatible with Python 2.

Signed-off-by: Raphaël Mélotte <raphael.melotte@essensium.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5c553ba59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-24 16:32:13 +02:00
Thomas Petazzoni
b916a116f5 DEVELOPERS: remove Pranit Sirsat, e-mail bounces
<Pranit.Sirsat@imgtec.com>: host mxa-00376f01.gslb.pphosted.com[91.207.212.86]
    said: 550 5.1.1 User Unknown (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fa54d02458)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-24 16:28:57 +02:00
Fabrice Fontaine
c546f46e03 package/augeas: drop AUTORECONF
autoreconf is not needed since bump to version 1.10.1 in
commit 3cd6faa04c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 75baf4764c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-24 16:03:19 +02:00
Baruch Siach
c4ed5ae29b package/iptables: bump to version 1.8.3
Drop upstream patches.

Fixes a buffer overflow issue in iptables-save parsing.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 326a9ae2e5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-19 17:08:04 +02:00
Bernd Kuhls
2e92975b70 package/libgpg-error: fix build with gawk 5.0
Fixes:

  http://autobuild.buildroot.net/results/e815bed0e7b3d9cbf50ebf605666a50e7032e5a1/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
(cherry picked from commit d503003c36)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:56:34 +02:00
Giulio Benetti
2dffa1853d package/libnss: fix build failure on aarch64_be
Fixes:
http://autobuild.buildroot.net/results/bfd29593bb6c53d3e9e2d02d2ed6bea360d99c00/

In libnss there is a bug leading to build failure due to double declared
functions. This is due to 2 different #ifdef statements treating the
same function-set.

Add patch to fix this by making the 2 #ifdef statements equal.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 82187f9481)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:39:11 +02:00
Giulio Benetti
f09f5a8c72 package/libnss: security bump to version 3.46
Fixes the following security issues:

(3.44.1)
CVE-2019-11729: More thorough input checking
CVE-2019-11719: Don't unnecessarily strip leading 0's from key material
during PKCS11 import
CVE-2019-11727: Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3

Note:
This version requires nspr 4.22 or newer provided by the previous patch.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7e509333ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:39:05 +02:00
Giulio Benetti
8df739fc9c package/libnspr: bump to version 4.22
Rework all 3 patches to make that applicable to 4.22 version.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 385b5686a0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:38:39 +02:00
Nylon Chen
ab857abea8 package/libnspr: add patch for nds32 support.
Fixes:

  http://autobuild.buildroot.net/results/9380435440c977eeaf98a1ffa80f411f07f62482/

Signed-off-by: Nylon Chen <nylon7@andestech.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3388027e0d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:38:33 +02:00
Thomas Petazzoni
3b3040442a DEVELOPERS: remove Kevin Joly, e-mail is bouncing
Kevin Joly (kevin.joly@sensefly.com)<mailto:kevin.joly@sensefly.com>
Your message couldn't be delivered to the recipient because you don't have permission to send to it.

Looking at his LinkedIn profile, he left SenseFly in January 2019,
which quite certainly explains why his @sensefly.com e-mail address is
no longer working.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 55814b8ef9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:30:49 +02:00
Romain Naour
04f1779cba configs/aarch64_efi: fix typo AARCH64 -> ARM64
There is no option BR2_TARGET_GRUB2_AARCH64_EFI but
BR2_TARGET_GRUB2_ARM64_EFI in grub2 package.

BR2_TARGET_GRUB2_ARM64_EFI was introduced by the commit [1].

[1] 273a27804a

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Erico Nunes <nunes.erico@gmail.com>
Reviewed-by: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0525ca4711)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:26:39 +02:00
Peter Korsgaard
c2c35ab857 package/asterisk: security bump to version 16.5.1
Fixes the following security issues:

AST-2019-004: Crash when negotiating for T.38 with a declined stream
When Asterisk sends a re-invite initiating T.38 faxing, and the endpoint
responds with a declined media stream a crash will then occur in Asterisk.
https://downloads.asterisk.org/pub/security/AST-2019-004.pdf

AST-2019-005: Remote Crash Vulnerability in audio transcoding
When audio frames are given to the audio transcoding support in Asterisk the
number of samples are examined and as part of this a message is output to
indicate that no samples are present. A change was done to suppress this
message for a particular scenario in which the message was not relevant. This
change assumed that information about the origin of a frame will always exist
when in reality it may not.
https://downloads.asterisk.org/pub/security/AST-2019-005.pdf

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 965e26fd99)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:13:31 +02:00
Bernd Kuhls
0fff609694 package/asterisk: bump version to 16.5.0
Release notes:
https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-16-current-summary.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 45ea73584b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:13:26 +02:00
Peter Korsgaard
1e7753dbb7 package/exim: security bump to version 4.92.2
Fixes CVE-2019-15846: Local or remote attacker can execute programs with
root privileges

For details, see the advisory:
https://exim.org/static/doc/security/CVE-2019-15846.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f2c8428bde)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 22:11:42 +02:00
Peter Korsgaard
6243b953be package/e2fsprogs: bump to version 1.44.6
Fixes a number of bugs:

- If files are created while e4defrag is running, it's quite possible for
  succeed_cnt to be larger than total_count, in which case the number of
  failures (calculated via total_count - succeed_cnt) will overflow and
  become a very large unsigned number.  (Addresses Debian Bug: #888899)

- Fix e2fsck so it can correctly handle directories > 2 GiB when the
  largedir feature is enabled.

- Fix mke2fs's hugefile creation so that we correctly reserve enough
  metadata blocks for a given file system size.  Otherwise for certain
  unfortunately sized disks/partitions, the hugefile creation would fail.
  (Addresses Google Bug: 123239032)

- Fix the libext2fs library to be more robust against invalid block group
  descriptors to prevent e2fsprogs from crashing (or possibly being p0wned)
  by maliciously modified file systems.  (Addresses Google Bugs: 119171089,
  119929050)

- Fix mke2fs and debugfs so they can correctly copy in files > 2 GiB.

- Fix debugfs so its stat command can correct supportly display directory
  sizes > 2 GiB.

- Fix memory leaks in debugfs, mke2fs, and e2freefrag.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 21:37:54 +02:00
Fabrice Fontaine
a0805e2331 package/cups: security bump to version 2.2.12
- Remove fifth patch (already in version)
- Fix CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
  (rdar://51685251)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 44c5c95760)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 20:18:12 +02:00
Sam Bobroff
4e4cbccdb5 package/cups: bump to version 2.2.11 and add gzip fix
This patch bumps cups to version 2.2.11 so that an upstream fix will
apply cleanly.

The upstream fix corrects a build failure when GZIP is set in the
build environment, as it is for buildroot's reproducible builds, as
shown below:

gzip: /bin/gzip.gz: Permission denied
gzip: /bin/gzip.gz: Permission denied
Makefile:114: recipe for target 'install-data' failed

The patch will be included upstream in version 2.2.12.

Fixes:
 - http://autobuild.buildroot.net/results/c4e0f6a3c79c9cb083a08f811b7d4838efef50f9/

Signed-off-by: Sam Bobroff <sbobroff@linux.ibm.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8a698b7313)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-17 20:18:08 +02:00
Arnout Vandecappelle (Essensium/Mind)
eccfb3e425 package/linux-headers: fix whitespace error in Config.in.host
The cherry-pick from master introduced a space-before-tab error. This is
reported by check-package.

Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/287919259

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-09-07 13:20:09 +02:00
Peter Korsgaard
ae81527917 package/dropbear: add upstream patch to fix norootlogin (-w) with pam
Fixes #12181

The security fix for CVE-2018-15599 broke the norootlogin (-w) handling when
pam support is enabled.  Add an upstream patch to fix it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-05 12:13:27 +02:00
Peter Korsgaard
0ba993ea5c package/samba4: security bump to version 4.9.13
Release notes: https://www.samba.org/samba/history/samba-4.9.13.html

Fixes CVE-2019-10197
 Combination of parameters and permissions can allow user
 to escape from the share path definition.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-04 23:30:45 +02:00
Sébastien Szymanski
32d6c7f4c0 package/unzip: add security patch from Debian
Fix the URL and add a new patch. Quoting changelog [1]:

unzip (6.0-25) unstable; urgency=medium

  * Apply one more patch by Mark Adler:
  - Do not raise a zip bomb alert for a misplaced central directory.
    This should allow Firefox to build again. Closes: #932404.
    Reported by Peter Green. Hopefully CVE-2019-13232 is fixed now.

 -- Santiago Vila <sanvila@debian.org>  Sat, 27 Jul 2019 18:01:36 +0200

[1] https://sources.debian.org/data/main/u/unzip/6.0-25/debian/changelog

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a1a7dff4f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-04 22:53:51 +02:00
Peter Korsgaard
7cabca6d4d package/qemu: fixup patches after 3.1.1 bump
Fixes:
http://autobuild.buildroot.net/results/71f/71f711d30ddc9edc8da0d1a60636e7a13b546ebe/

Commit a0b032ad85 (package/qemu: security bump to version 3.1.1)
bumped the version but didn't update the patch subdirectory name, so the
patches were now ignored.

This was then backported to 2019.02.x / 2019.05.x where the sub directory
did not exist - So the patches _WHERE_ used, but failed to apply as patch
0002 is now upstream.

Fix that by removing the patch.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop subdirectory]
(cherry picked from commit c796c83037)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-04 22:48:01 +02:00
Peter Korsgaard
b1408d04a3 Update for 2019.02.5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 22:15:58 +02:00
Peter Korsgaard
96502c2a46 CHANGES: Add missing issues header for 2019.02.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 22:06:43 +02:00
Alexandre PAYEN
a834e423c0 package/python-numpy: add reverse dependency on packages using python-numpy
Since commit 1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed[1] is merged, a
new build failure occurs when selecting packages which needs
python-numpy as dependency.

This fix a build issue[2] by adding the correct reverse dependencies
to the following packages :
- gnuradio (for python support)
- opencv3 (for python support)
- piglit
- python-matplotlib

So :
- adding to every listed packages
  `depends on !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)`
  and add a comment to explain what happend.

[1] https://git.buildroot.net/buildroot/commit/?id=1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed
[2] http://autobuild.buildroot.org/results/b76/b76b6cf9602bcf5df69a7276762eab54cf74007b

Signed-off-by: Alexandre PAYEN <alexandre.payen@smile.fr>
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Damien DUVAL <damien.duval@smile.fr>
Cc: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a546b87d5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 18:26:42 +02:00
Bernd Kuhls
78405f8792 package/php: security bump version to 7.3.9
Release notes: https://www.php.net/archive/2019.php#2019-08-29-1
Changelog: https://www.php.net/ChangeLog-7.php#7.3.9

Fixes CVE-2019-13224 & CVE-2019-13225:
https://bugs.mageia.org/show_bug.cgi?id=25380

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0c5acbbcb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 18:22:12 +02:00
Bernd Kuhls
96c1d00829 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.2.x series
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 5.2.x bump]
(cherry picked from commit b6255a16ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 18:19:58 +02:00
Adrian Perez de Castro
0e0eccfaff package/webkitgtk: security bump to version 2.24.4
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8676,
CVE-2019-8678, CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and
CVE-2019-8688.

This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes at:

  https://webkitgtk.org/2019/08/28/webkitgtk2.24.4-released.html

The detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2019-0004.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 046b09f776)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 18:14:26 +02:00
Bernd Kuhls
e0cebcc876 package/x11r7/xfont_font-util: bump version to 1.3.2
Added all hashes provided by upstream and license hash.

Fixes a crash on 32bit archs.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 09472e11dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 18:12:50 +02:00
Adam Duskett
f1978bbf1a package/x11r7/xfont_font-util: add license hash
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit be110da4a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 18:12:41 +02:00
Bernd Kuhls
11b8880d2f package/x11r7/libxcb: bump version to 1.13.1
Upstream does not provide a sha512 hash anymore.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 53e1150671)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 18:11:31 +02:00
Bernd Kuhls
76757c1788 package/dovecot-pigeonhole: security bump version to 0.5.7.2
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116876.html

Fixes
* CVE-2019-11500: ManageSieve protocol parser does not properly handle
  NUL byte when scanning data in quoted strings, leading to out of
  bounds heap memory writes. Found by Nick Roessler and Rafi Rubin.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 77b2dd9a53)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 18:09:00 +02:00