Commit Graph

45303 Commits

Author SHA1 Message Date
Thomas Petazzoni
490a4ae972 DEVELOPERS: remove Abhilash Tuse
His e-mail address @imgtec.com is bouncing:

<abhilash.tuse@imgtec.com>: host
    mxa-00376f01.gslb.pphosted.com[185.132.180.163] said: 550 5.1.1 User
    Unknown (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e78528f8a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:36:28 +02:00
Fabrice Fontaine
d8afbdc8dc package/tcpreplay: add optional libdnet dependency
Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=12096

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3cd991c226)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:34:28 +02:00
Fabrice Fontaine
97d7e73bdb package/libdnet: fix dnet-config
Add dnet-config to LIBDNET_CONFIG_SCRIPTS so this script can be used by
applications such as tcpreplay

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3a4b68278a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:32:52 +02:00
Fabrice Fontaine
2d1276f7f3 package/tcpreplay: security bump to version 4.3.2
This release contains bug fixes only:

 - CVE-2019-8381 memory access in do_checksum() (#538)
 - CVE-2019-8376 NULL pointer dereference get_layer4_v6() (#537)
 - CVE-2019-8377 NULL pointer dereference get_ipv6_l4proto() (#536)
 - Rename Ethereal to Wireshark (#545)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dc2067d51c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:32:02 +02:00
Arnout Vandecappelle (Essensium/Mind)
1f85820ac4 package/qt5/qt5enginio/Config.in: depends before select
In Config.in, we put 'depends' lines before 'select' lines, as reported
by check-package.

Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/273215267

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 71d68f2431)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:30:45 +02:00
Thomas Petazzoni
023e624314 package/qt5/qt5enginio: switch to a depends on for SSL support
qt5enginio requires SSL support in qt5base. However, the SSL support
in qt5base is a bit annoying: while it can be provided by either
openssl or libressl for Qt latest, it can only be provided by
libressl for Qt 5.6.

Fabrice Fontaine initially proposed [0] a dependency on
BR2_PACKAGE_QT5BASE_OPENSSL, and a long discussion
followed. Ultimately, we found the dependency to not be nice, as it
required users to know that they need to enable some SSL
implementation to be able to enable qt5enginio.

The current solution enables BR2_PACKAGE_OPENSSL (the virtual
package), which can be either openssl or libressl. This choice was
done under the assumption that we anyway don't test Qt 5.6 in the
autobuilders. However, this is incorrect: Qt latest needs gcc >= 4.8
on host and target, and we have configurations in the autobuilders
that don't meet this requirement, and therefore build Qt 5.6, and face
a build issue due to OpenSSL being used instead of LibreSSL.

After additional thinking, this commit simply gets back to the
original solution proposed by Fabrice: a "depends on". We simply add
Config.in comments to help the user in knowing what is missing to
enable qt5enginio.

An alternate solution would have been to disallow selecting qt5enginio
when Qt 5.6 is used. But fixing the qt5enginio build is also needed
for the LTS branch, and we can't drop qt5enginio on Qt 5.6 in the LTS
branch, as that could bother users.

Fixes:

  http://autobuild.buildroot.net/results/227d4b9e2b48c5b3f2dcf0fad9eefa2816c1eb0c/

[0] https://patchwork.ozlabs.org/patch/1053883/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 035540b64a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:28:46 +02:00
Fabrice Fontaine
3e79c24b01 package/libbsd: security bump to version 0.10.0
- Remove patch (already in version)
- Update site to get the latest version
- Update hash of license file (update in year, new file and author)
- Remove !(BR2_TOOLCHAIN_USES_UCLIBC && !BR2_USE_MMU) dependency,
  __register_at_fork availability is correclty checked since
  b0ebb0d4c2
- Includes Several security related fixes for nlist() reported by Daniel
  Hodson and one by Coverity Scan, see
  https://lists.freedesktop.org/archives/libbsd/2019-August/000229.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1f6c7d6e0f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:52:34 +02:00
Fabrice Fontaine
e29187f10b package/rygel: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/1aea53bedb9620a0881e5d4ea76820d49df2f2d8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b7511fa256)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:47:59 +02:00
Peter Korsgaard
a9db41dd13 package/mpg123: security bump to version 1.25.12
>From the release notes:
- Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames
  (oss-fuzz-bug 15975). The earlier fix around the same location needed
  one thought more. Actually, another though was needed, oss-fuzz-bug 16009
  documents the incomplete fix.

- Fix an invalid write of one zero byte for empty ID3v2 frames that demand
  de-unsyncing (oss-fuzz-bug 16050).

- Fix dynamic build with gcc -fsanitize=address (check for all dl functions
  before deciding that separate -ldl is not needed).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b907d344d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:46:16 +02:00
Pierre-Jean Texier
283dc5b629 package/mpg123: fix hash
When bumping to version 1.25.11, an incorrect hash was set.

Fixes:
 - http://autobuild.buildroot.net/results/454/454bc42053deb84a73ed75dda99ae9015d23da84/

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 900de6e41b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:46:09 +02:00
Jörg Krause
42c69cc300 package/mpg123: security bump to version 1.25.11
>From https://www.mpg123.de/cgi-bin/news.cgi:

Fixes a number of bugs found by OSS-Fuzz:
 * Fix out-of-bounds reads in ID3 parser for unsynced frames.
   (oss-fuzz-bug 15852)
 * Fix out-of-bounds read for RVA2 frames with non-delimited identifier.
   (oss-fuzz-bug 15852)
 * Fix implementation-defined parsing of RVA2 values.
   (oss-fuzz-bug 15862)
 * Fix undefined parsing of APE header for skipping. Also prevent endless loop
   on premature end of supposed APE header. (oss-fuzz-bug 15864)
 * Fix some syntax to make pedantic compiler happy.

The serious bugs trigger Denial of Service either via the nasty endless loop in
supposed APE tags or by crashes if the invalid reads hit a diagnostic by the OS
or, more likely, a security mechanism like the sanitizer instrumentation that
enabled finding the bugs.

I do not have CVE numbers for these bugs. I rather fix the bugs than name them.
Just update, will you?

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7291360fd8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:46:03 +02:00
Jörg Krause
3c39066fce package/wireless-regdb: bump to version 2019.06.03
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4de0b10d57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:44:03 +02:00
Fabrice Fontaine
bf10e2ddcc package/metacity: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/c7a12e45c774905d4253db35c35c208d3f21ad49

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2c81486967)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:15:34 +02:00
Bernd Kuhls
7064d9ed89 package/postgresql: security bump version to 11.5
Release notes: https://www.postgresql.org/about/news/1960/

Switch POSTGRESQL_SITE to https.

Fixes CVE-2019-10208, CVE-2019-10209, CVE-2019-10210 & CVE-2019-10211.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7ea64484d4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:14:33 +02:00
Bernd Kuhls
f9e03e3854 package/imagemagick: security bump version to 7.0.8-59
Fixes
https://github.com/ImageMagick/ImageMagick/issues/1641 (no CVE id yet)
https://github.com/ImageMagick/ImageMagick/issues/1644 (no CVE id yet)

Removed patch included in version 7.0.8-54.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e9811b52fc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:41:00 +02:00
Fabrice Fontaine
9692f0c55d package/yad: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/40ccab40d7c82b908a622d45998d057a31d9cac6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 29e689d41a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:39:19 +02:00
Fabrice Fontaine
8f05e6445d package/pcmanfm: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/f6dfad52aa7f3528472a33a0fe4f5e35932541d8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 36418cb159)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:38:32 +02:00
Bernd Kuhls
336b51ed16 package/clamav: security bump version to 0.101.4
Fixes CVE-2019-12900 and adds an additional fix for CVE-2019-12625.

Release notes:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 914ba20600)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:34:58 +02:00
Bernd Kuhls
1cf102235a package/clamav: security bump version to 0.101.3
Release notes:
https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9537db0d82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:34:55 +02:00
Baruch Siach
f13153a8ff package/mdadm: update website link
Neil Brown no longer maintains mdadm. The old website refers to a stale
git repository. There is nothing else but this wiki page to serve as a
website.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 036dee02cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-01 22:38:18 +02:00
Peter Korsgaard
28669fde4e package/glibc: bump version for additional post-2.28 fixes
The following additional bugs are fixed:

  [18035] Fix pldd hang
  [20568] Fix crash in _IO_wfile_sync
  [24228] old x86 applications that use legacy libio crash on exit
  [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
  [24744] io: Remove the copy_file_range emulation.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-01 22:18:54 +02:00
Peter Korsgaard
91bb43f529 package/collectd: security bump to version 5.7.2
Fixes the following security issue:

- CVE-2017-7401: Incorrect interaction of the parse_packet() and
  parse_part_sign_sha256() functions in network.c in collectd 5.7.1 and
  earlier allows remote attackers to cause a denial of service (infinite
  loop) of a collectd instance (configured with "SecurityLevel None" and
  with empty "AuthFile" options) via a crafted UDP packet

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-01 22:06:15 +02:00
Bernd Kuhls
e563427a12 package/collectd: remove libvirt from list of disabled plugins
With collectd 5.5.0 the "libvirt plugin has been renamed to virt":
https://git.octo.it/?p=collectd.git;a=blob;f=ChangeLog;h=b0a997c53ac1a74bc39470bdd243f853fa095c9f;hb=refs/tags/collectd-5.5.0#l235

"virt" is already mentioned in COLLECTD_PLUGINS_DISABLE so we can just
remove "libvirt" to fix:

configure: WARNING: unrecognized options: [...] --disable-libvirt

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a8c80b72e9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 10:12:38 +02:00
Fabrice Fontaine
e2f3101671 package/collectd: explicitly disable lua
lua plugin has been added in version 5.6.0 with
023092323c

Disabled it otherwise it'll be enabled if liblua is found

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 753bfec583)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 10:11:16 +02:00
Brent Generous
5f04aa58e8 Makefile: ensure $BINARIES_DIR exist before post-image scripts
When no filesystem is enabled, the $BINARIES_DIR is not created. Yet,
the post-image scripts are still run. When those want to generate an
image in there, they may fail as the dirctory does not exist (it did
exist before we started applying preparatory changes for top-level
parallel build, so scripts got to rely on that assumption).

Do in target-post-image as we do in the sdk rule: create the directory
before calling the scripts.

Signed-off-by: Brent Generous <bgenerous@impinj.com>
[yann.morin.1998@free.fr:
  - create the directory before calling the scripts
  - don't drop the creation in the sdk rule
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit d57e73078a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 09:59:37 +02:00
Thomas Petazzoni
0327344636 package/linux-headers: apply all Linux patches when BR2_KERNEL_HEADERS_AS_KERNEL=y
When BR2_KERNEL_HEADERS_AS_KERNEL=y, we expect that the Linux kernel
headers code will be exactly the same as the Linux kernel code
itself. The code currently takes into account the patches defined by
BR2_LINUX_KERNEL_PATCH, but not the kernel patches that are stored in
linux's BR2_GLOBAL_PATCH_DIR.

So for example, the current qemu_riscv32_virt_defconfig has:

BR2_GLOBAL_PATCH_DIR="board/qemu/riscv32-virt/patches/"

With:

board/qemu/riscv32-virt/patches/
└── linux
    └── 0001-Revert-riscv-Use-latest-system-call-ABI.patch

This patch gets properly applied when the Linux kernel is built, but
not when the linux-headers package is built.

This commit fixes that by making sure patches stored in the "linux"
BR2_GLOBAL_PATCH_DIR subdirectory are taken into account.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f79cebe6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 09:58:25 +02:00
Bernd Kuhls
db4116bd64 package/bzip2: security bump version to 1.0.8
Switched to new maintainer source:
https://sourceware.org/ml/bzip2-devel/2019-q2/msg00022.html

Version 1.0.7 fixes CVE-2016-3189 & CVE-2019-12900

Version 1.0.8 fixes the fix for CVE-2019-12900 from 1.0.7:
https://sourceware.org/ml/bzip2-devel/2019-q3/msg00031.html

Rebased 0002-improve-build-system.patch.

Removed 0003-Make-sure-nSelectors-is-not-out-of-range.patch, applied
upstream:
https://sourceware.org/git/?p=bzip2.git;a=commitdiff;h=7ed62bfb46e87a9e878712603469440e6882b184
and reverted later on
https://sourceware.org/git/?p=bzip2.git;a=commitdiff;h=b07b105d1b66e32760095e3602261738443b9e13

Added upstream sha512 hash and updated license hash after upstream
commits:
https://sourceware.org/git/?p=bzip2.git;a=history;f=LICENSE;h=81a37eab7a5be1a34456f38adb74928cc9073e9b;hb=HEAD

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7ae14d201e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 09:53:50 +02:00
Peter Korsgaard
ace10dd654 package/python3: adjust _REMOVE_USELESS_FILES fix for new layout
python3 nowadays appends the triplet to the config-<version>m directory:

echo target/usr/lib/python3.7/config-*
target/usr/lib/python3.7/config-3.7m-powerpc-linux-gnu

Likewise, there is no longer a pyconfig.h:

ls target/usr/lib/python3.7/config-3.7m-powerpc-linux-gnu
config.c  config.c.in  install-sh  libpython3.7m.a  Makefile
makesetup  python-config.py  python.o  Setup  Setup.local

So adjust the removal logic to match.  Use a wildcard rather than
$GNU_TARGET_NAME as buildroot and python3's idea of the triplet doesn't
always match (E.G.  for musl/uclibc).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit b3424c8fc9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 09:48:44 +02:00
Peter Korsgaard
a02325adf4 package/python3: fix configure issue for musl/uclibc GCC 8+ toolchains on powerpc
Fixes:
http://autobuild.buildroot.net/results/cb4/cb49c539501342e45cbe5ade82e588fcdf51f05b

GCC commit 6834b83784dcf0364eb820e8 (multiarch support for non-glibc linux
systems), which is part of GCC 8+, changed the multiarch logic to use
$arch-linux-musl / $arch-linux-uclibc rather than $arch-linux-gnu.

This then causes the python3 configure script to error out:

checking for the platform triplet based on compiler characteristics... powerpc-linux-gnu
configure: error: internal configure error for the platform triplet, please file a bug report

http://autobuild.buildroot.net/results/cb4/cb49c539501342e45cbe5ade82e588fcdf51f05b

As it requires that the --print-multiarch output (if not empty) matches the
deduced triplet (which always uses -linux-gnu).

It isn't quite clear why --print-multiarch returns something for a
non-multiarch toolchain on some architectures (E.G.  PowerPC), but as a
workaround, add a patch to rewrite the --print-multiarch output to match
older GCC versions to keep the configure script happy.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 38b28e48d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:36:13 +02:00
Frank Vanbever
8b87b66815 support/cmake: Explicitly set CMAKE_SYSTEM
Some packages test for CMAKE_SYSTEM explicitly[1]

CMAKE_SYSTEM is comprised of CMAKE_SYSTEM_NAME and CMAKE_SYSTEM_VERSION.
It defaults to CMAKE_SYSTEM_NAME if CMAKE_SYSTEM_VERSION is not set[2]

At the point CMAKE_SYSTEM_NAME is set to "Linux" CMAKE_SYSTEM is already
constructed. Setting it explicitly ensures that it is the correct value.

This is because we do set CMAKE_SYSTEM_NAME twice, in fact:

  - first in toolchainfile.cmake, so that we tell cmake to use the
    "Buildroot" platform,

  - second, in the Buildroot.cmake platform definition itself, so that
    we eventually behave like the Linux platform.

We also set CMAKE_SYSTEM_VERSION to 1, and so the real CMAKE_SYSTEM
value should be set to Linux-1 if we were to follow the documentation to
the letter.

However, for Linux, the version does not matter, and in some situations
may even be harmful (that was reported in one of the commits that
introduce Buildroot.cmake and toolchainfile.cmake).

[1] Fluidsynth 0cd44d00e1/CMakeLists.txt (L80)
[2] https://cmake.org/cmake/help/git-master/variable/CMAKE_SYSTEM.html#variable:CMAKE_SYSTEM

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Peter: update commit message with description from Yann]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

(cherry picked from commit 07f31ee263)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:33:52 +02:00
Peter Korsgaard
d74dfcc913 package/busybox/udhcpc.script: fix domain search comment
The domain search option is from RFC3397, not RFC3359 (which is about TLV
codepoints), so fix that.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 67a52f6fc9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:33:10 +02:00
Alexey Brodkin
1ee3ea40c9 busybox: Enable domain search list support in udhcpc
This is useful in networks with internal resources as it allows
to use much shorter names.

E.g. instead of "server.internal.company.com" it's possible
to use just "server" if DHCP server is configured with:
---------------------------->8-----------------------
option domain-search "internal.company.com";
---------------------------->8-----------------------

This improvement consists of 2 parts:

1. Enable handling of RFC3397 so DHCP client is ready for processing
   corresponding data from DHCP server.

2. Some DHCP servers always send out search list if it is set in server's
   configuration and some servers only provide search list if client
   asks for that (sending list of options it expects to get).

   And exactly for those stubborn DHCP servers we need to add "-O search"
   to udhcp's command line via CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS.

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Ignacy Gawedzki <ignacy.gawedzki@green-communications.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 80291c3e9c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:31:56 +02:00
Fabrice Fontaine
ad22667c10 package/elfutils: fix build with glibc < 2.16
Fixes:
 - autobuild.buildroot.net/results/1053e2b4b51bc225c4a1a29c93946101a7a53be9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dde53fd59e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:29:19 +02:00
Fabrice Fontaine
667d5cb73d package/elfutils: security bump to version 0.176
Fixes CVE-2018-18310: An invalid memory address dereference was
discovered in dwfl_segment_report_module.c in libdwfl in elfutils
through v0.174. The vulnerability allows attackers to cause a denial of
service (application crash) with a crafted ELF file, as demonstrated by
consider_notes.

Fixes CVE-2018-18520: An Invalid Memory Address Dereference exists in
the function elf_end in libelf in elfutils through v0.174. Although
eu-size is intended to support ar files inside ar files,
handle_ar in size.c closes the outer ar file before handling all inner
entries. The vulnerability allows attackers to cause a denial of service
(application crash) with a crafted ELF file.

Fixes CVE-2018-18521: Divide-by-zero vulnerabilities in the function
arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers
to cause a denial of service (application crash) with a crafted ELF
file, as demonstrated by eu-ranlib, because a zero sh_entsize is
mishandled.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 725531fc32)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:29:09 +02:00
Giulio Benetti
0701c33e7a package/prboom: work around gcc bug 85180
With Microblaze Gcc version < 8.x the build hangs due to gcc bug
85180: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180. The bug
shows up when building prboom with optimization but not when building
with -O0. To work around this, if BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y we
force using -O0.

Fixes:
http://autobuild.buildroot.net/results/e72/e72a2070ab7e9a093c3c70002ee94ee57a6154f6/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 801c83da19)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:27:03 +02:00
Giulio Benetti
010c898226 package/prboom: avoid using hardcoded optimization flags
Package prboom builds using -O2 flag ignoring Buildroot settings, this
is due to the fact that -O2 is appended at the end of compiler flags.

Remove -O2 from 'configure.ac' file and set PRBOOM_AUTORECONF to YES,
this way CFLAGS_OPTS will contain Buildroot TARGET_CFLAGS.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 34bcc4c6b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:26:55 +02:00
Giulio Benetti
c5616fc1f0 package/qt5/qt5base: build with correct optimization
Qt5 has predefined optimization flags depending if you're building for
size, for debug etc. These flags are defined in
mkspecs/common/gcc-base.conf:

QMAKE_CFLAGS_OPTIMIZE      = -O2
QMAKE_CFLAGS_OPTIMIZE_FULL = -O3
QMAKE_CFLAGS_OPTIMIZE_DEBUG = -Og
QMAKE_CFLAGS_OPTIMIZE_SIZE = -Os

Then, in common/features/default_post.prf, they add those flags to
QMAKE_CFLAGS_RELEASE/QMAKE_CXXFLAGS_RELEASE depending on various build
options (optimize_size, optimize_full, optimize_debug):

optimize_size {
    !isEmpty(QMAKE_CFLAGS_OPTIMIZE):!isEmpty(QMAKE_CFLAGS_OPTIMIZE_SIZE)  {
        QMAKE_CFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
        QMAKE_CXXFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
        QMAKE_CFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_SIZE
        QMAKE_CXXFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_SIZE
    }
} else: optimize_full {
    !isEmpty(QMAKE_CFLAGS_OPTIMIZE):!isEmpty(QMAKE_CFLAGS_OPTIMIZE_FULL)  {
        QMAKE_CFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
        QMAKE_CXXFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
        QMAKE_CFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_FULL
        QMAKE_CXXFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_FULL
    }
}

Since this default_post.prf is included *after* our qmake.conf file,
these flags override our optimizations flags, which is not good.

However, our qmake.conf file is included *after* gcc-base.conf, so we
can simply reset those variables to have the empty value, and our
optimization flags will be used.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Thomas: completely change the approach, by simply resetting the
QMAKE_CFLAGS_OPTIMIZE_* variables in qmake.conf]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 7c0aa83527)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:39:01 +02:00
Giulio Benetti
269e14f89f package/qt5/qt5base: drop wrong optimization flag
In qmake.conf.in has been left 'QMAKE_CXXFLAGS_RELEASE += -O3' but this
leads to not use Buildroot CXXFLAGS when building in release
mode(without debugging symbols). So let's remove it to let Qt5 to follow
Buildroot optimization flags like other packages do.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0650c4c7a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:35:12 +02:00
Alexandre PAYEN
b096a2ae06 package/python-numpy: fix run-time failure with clapack
The numpy build system attempts to find lapack/blas at build time. It
tries a lot of different implementations, e.g. lapack, openblas, atlas,
... It is possible to help this automatic discovery by specifying
libraries to load in site.cfg and/or by setting environment variables
BLAS and LAPACK.

Unfortunately, the build system's logic is really hard to understand and
it's fragile. For example, regardless of what is specified as libraries
to load, it *will* try to find libblas.so and liblapack.so. However,
when something is specified explicitly in site.cfg, it will use a
different code path.

It turns out that when we specified the blas and lapack libraries
explicitly, as is done now, the build system logic will assume (without
checking) that cblas is used. This causes calls to cblas_* to be linked
in - again without checking, because numpy contains a copy of the header
and it uses dlopen to load it. clapack, however, does *not* provide
cblas (although it does provide a library libblas.so, but no
libcblas.so). Therefore, when importing numpy at runtime, we get an
error like:

ImportError: /usr/lib/python3.7/site-packages/numpy/core/_multiarray_umath.cpython-37m-arm-linux-gnueabihf.so: undefined symbol: cblas_sgemm

The initial attempt to fix this added cblas to the libraries. This
happens to work because apparently the entire libraries line is ignored
when a non-existing library is added to it (remember, clapack does not
provide libcblas).

Another attempt was to set BLAS=None in the environment. This didn't
have any effect. Setting both BLAS=None and LAPACK=None does disable
lapack and blas, but then we don't use clapack at all.

In fact, it is not necessary to provide a libraries line at all: the
build system will attempt to find liblapack, libblas and libcblas
without any help.

Therefore, remove the libraries line from site.cfg and remove
PYTHON_NUMPY_SITE_CFG_LIBS.

Note that the paths to staging's /usr/include and /usr/lib need to be
specified explicitly. Indeed, the numpy build system doesn't use the
compiler to check the presence/absence of includes and libraries; it
searches the paths itself. It also hardcodes paths to /usr/lib etc, but
this is something that will be tackled in a separate commit.

Note that there is another problem: both lapack and clapack provide
libblas.so and liblapack.so. This will be handled in a later commit.

Also, openblas provides a cblas implementation in libopenblas.so, so
there should be a dependency on openblas to make sure numpy can find it.
This part is not entirely clear yet, so it will also be handled in a
separate commit.

Runtime testing is essential to be able to track this kind of issue, so
that is something that will be added in a separate commit as well.

Fixes:
http://lists.busybox.net/pipermail/buildroot/2019-June/252380.html

Initial patch from Giulio Benetti :
[v1] http://patchwork.ozlabs.org/patch/1100100/
[v2] http://patchwork.ozlabs.org/patch/1100208/

Signed-off-by: Alexandre PAYEN <alexandre.payen@smile.fr>
Cc: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 4c2b6978f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:30:20 +02:00
Fabrice Fontaine
ec29b6b180 package/vte: needs host-intltool
Fixes:
 - http://autobuild.buildroot.org/results/30a8032ebba5a30bacd321c407a1d0734fadf757

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 82fc6379f0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:17:41 +02:00
Peter Korsgaard
d13cc2b4f2 package/imagemagick: fix host build for old distributions
Fixes:
http://autobuild.buildroot.net/results/5f0/5f0b85033e800c9eebc46812592966ec6826bb5d/

imagemagick uses clock_gettime, which was provided by librt rather than libc
in glibc < 2.17 - Causing link errors.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 273427f928)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:07:32 +02:00
Arnout Vandecappelle (Essensium/Mind)
419af2f0ca package/Config.in: remove double /
Detected by check-package, which gets confused by it.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 651524db3a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:05:57 +02:00
Titouan Christophe
dee9e6800a package/mosquitto: fix typo in Config.in
Introduced in ea989ad2b2

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 22f3c69149)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 22:56:16 +02:00
Peter Korsgaard
86f86a724b package/python3-urllib: security bump to version 1.24.3
Fixes the following security vulnerability:

CVE-2019-9740: An issue was discovered in urllib2 in Python 2.x through
2.7.16 and urllib in Python 3.x through 3.7.3.  CRLF injection is possible
if the attacker controls a url parameter, as demonstrated by the first
argument to urllib.request.urlopen with \r\n (specifically in the query
string after a ?  character) followed by an HTTP header or a Redis command.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 17:14:40 +02:00
Arnout Vandecappelle (Essensium/Mind)
99468e399d package/quagga: fix static linking with getopt
quagga has its own copy of getopt_long() instead of using the system's,
and this copy also defines the opterr and optind variables. Obviously,
this is only apparent when linking statically.

This problem can easily be avoided by making sure that getopt() itself
is defined too. This way, there is no reason any more to pull in libc's
getopt() and the corresponding definitions of opterr and optind. Note
that getopt() itself is pulled in by netsnmp, not by quagga itself.

Fortunately, there's a REALLY_NEED_PLAIN_GETOPT flag that we can define
to make sure getopt() does get built by quagga. We can safely do this
unconditionally (instead of only when BR2_PACKAGE_QUAGGA_SNMP and
BR2_STATIC_LIBS are enabled): without netsnmp, getopt() will simply not
be used, and with dynamic libs there's no risk of conflicts anyway.

Fixes:
http://autobuild.buildroot.net/results/0ac598c2259a8d7e8b72d4e8ed95079675b31b84

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d7215f2bbb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-22 17:32:27 +02:00
Bernd Kuhls
3d140b8702 package/php: security bump version to 7.3.8
Release notes: https://www.php.net/ChangeLog-7.php#7.3.8

Fixes CVE-2019-11042 & CVE-2019-11041

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b9833c6f52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-22 17:29:07 +02:00
Fabrice Fontaine
0211f1b83e package/cloop: needs _GNU_SOURCE
host-cloop needs _GNU_SOURCE for loff_t otherwise build fails with gcc
8.3.0 on:
extract_compressed_fs.c: In function 'main':
extract_compressed_fs.c:55:2: error: unknown type name 'loff_t'; did you mean 'off_t'?
  loff_t *offsets;

Fixes:
 - No autobuilder failures

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit edf97df877)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-21 14:41:50 +02:00
Vincent Stehlé
6fee778121 qemu: fix host virtfs option
Fix the build of host-qemu with virtfs enabled: fix a typo in makefile
conditional and add a dependency on host-libcap as that is a dependency of
virtfs support:

    if test "$virtfs" != no && test "$cap" = yes && test "$attr" = yes ; then
      virtfs=yes

The virtfs configuration option was added by commit e0f49e6484
("package/qemu: add option to enable virtual filesystem in host qemu").

Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 499dfc9410)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-21 14:37:19 +02:00
Peter Korsgaard
64a9777ef1 package/python-django: security bump to version 2.1.11
Fixes the following security issues:

CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator

If django.utils.text.Truncator's chars() and words() methods were passed the
html=True argument, they were extremely slow to evaluate certain inputs due
to a catastrophic backtracking vulnerability in a regular expression.  The
chars() and words() methods are used to implement the truncatechars_html and
truncatewords_html template filters, which were thus vulnerable.

The regular expressions used by Truncator have been simplified in order to
avoid potential backtracking issues.  As a consequence, trailing punctuation
may now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser,
django.utils.html.strip_tags() would be extremely slow to evaluate certain
inputs containing large sequences of nested incomplete HTML entities.  The
strip_tags() method is used to implement the corresponding striptags
template filter, which was thus also vulnerable.

strip_tags() now avoids recursive calls to HTMLParser when progress removing
tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of
strip_tags() being HTML safe.  So NEVER mark safe the result of a
strip_tags() call without escaping it first, for example with
django.utils.html.escape().

CVE-2019-14234: SQL injection possibility in key and index lookups for
JSONField/HStoreField

Key and index lookups for django.contrib.postgres.fields.JSONField and key
lookups for django.contrib.postgres.fields.HStoreField were subject to SQL
injection, using a suitably crafted dictionary, with dictionary expansion,
as the **kwargs passed to QuerySet.filter().

CVE-2019-14235: Potential memory exhaustion in
django.utils.encoding.uri_to_iri()

If passed certain inputs, django.utils.encoding.uri_to_iri could lead to
significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.

uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-21 14:28:07 +02:00
Thomas Petazzoni
996994f8f2 package/webkitgtk: remove upstreamed patch
The bump of webkitgtk to 2.24.3 in commit
3ff05d9094 forgot to drop a patch that
was upstreamed, and is now part of 2.24.3, causing a build failure, so
let's drop this patch.

Fixes:

  http://autobuild.buildroot.net/results/4d7bffd20344f06ca719b7c8083b81053b255aa5/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d069301d63)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 23:52:05 +02:00