Fixes the following security issues:
https://webkitgtk.org/security/WSA-2024-0001.html
- CVE-2024-23222: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue may
have been exploited. Description: A type confusion issue was addressed
with improved checks.
- CVE-2024-23206: A maliciously crafted webpage may be able to fingerprint
the user. Description: An access issue was addressed with improved access
restrictions.
- CVE-2024-23213: Processing web content may lead to arbitrary code execution.
Description: The issue was addressed with improved memory handling.
- CVE-2023-40414: Processing web content may lead to arbitrary code
execution. Description: A use-after-free issue was addressed with
improved memory management.
- CVE-2023-42833: Processing web content may lead to arbitrary code execution.
Description: A correctness issue was addressed with improved checks.
- CVE-2014-1745: Processing a file may lead to a denial-of-service or
potentially disclose memory contents. Description: The issue was
addressed with improved checks.
https://webkitgtk.org/security/WSA-2023-0012.html
- CVE-2023-42883: Processing a SVG image may lead to a denial-of-service.
Description: The issue was addressed with improved memory handling.
- CVE-2023-42890: Processing web content may lead to arbitrary code
execution. Description: The issue was addressed with improved memory
handling.
https://webkitgtk.org/security/WSA-2023-0011.html
- CVE-2023-42916: Processing web content may disclose sensitive information.
Apple is aware of a report that this issue may have been actively
exploited. Description: An out-of-bounds read was addressed with improved
input validation.
- CVE-2023-42917: Processing web content may lead to arbitrary code
execution. Apple is aware of a report that this issue may have been
actively exploited. Description: A memory corruption vulnerability was
addressed with improved locking.
Add an upstream post-2.42.5 patch to fix an issue with an invalid backport
causing a build issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 1edb9d691d (package/v4l2loopback: add
V4L2LOOPBACK_CPE_ID_VENDOR) added that variable, but set to its default
value.
This is however not required to define a valid CPE ID, as it also
defines a non-default CPE_ID_PREFIX.
Drop V4L2LOOPBACK_CPE_ID_VENDOR now.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The symmetric encryption test can sometimes take longer than the default
timeout. This commit increase the timeout to 10 seconds for that
command.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds support for the AVNET RZBoard V2L.
The board support creates a bootable sd card image. The board is
shipped with a u-boot inside its eMMC. The board support uses this
u-boot and does not build and deploy a u-boot onto the sd card.
Instead the sd card only contains a uEnv.txt, a kernel image and the
rootfs.
Signed-off-by: Kilian Zinnecker <kilian.zinnecker@mail.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The petitboot UI looks much nicer in a Unicode locale:
* Items in the language selection submenu use multibyte Unicode
characters. In other locales, they say "Unable to display text in this
locale".
* The combination of TERM=linux with a UTF-8 locale is required to
trigger a special-case workaround in ncurses code[1]. Without
this, line-drawing characters in the menu look like q's.
Turn on wchar support in ncurses, and add a reminder that a UTF-8 locale
should be generated for things to look right.
[1] https://invisible-island.net/ncurses/ncurses.faq.html#no_line_drawing
Signed-off-by: Reza Arbab <arbab@linux.ibm.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Normalize the order of arguments to $(INSTALL). Remove an unnecessary
pair of parentheses.
Signed-off-by: Reza Arbab <arbab@linux.ibm.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This ensures that we don't have duplicate dependencies.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The asn1parse command hangs forever on 3.2.0 when the genstr or genconf
option is passed.
This commit fixes the issue by adding upstream commits [1] [2].
[1] a552c23c65
[2] 749fcc0e3c
Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The patch drops the file README.md from the license files. Indeed, the
licensing terms apply to third-party libraries that uuu links to, and
even though they are bundled in the source tree of uuu|mfgtools, they
are not used by Buildroot as we use the ones we build. Therefore, the
actual license file of the package is the file LICENSE.
Moreover, this also leads to simplifying the bump to new versions.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop no longer required python-setuptools runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
License hash changed due to year update:
1615584814
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
When the CVE lookup was added in commit
4a157be9ef, the starting year of the JSON
files was set to 2002. However, there are also CVEs from 1999, 2000 and
2001. It is not clear why these were skipped back then.
Set the start year to 1999 to capture these old CVEs too.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
NVD will deprecate the v1.1 API which allows us to download the full
database as individual JSON files. Instead, there's a horribly crappy
API that is extremely slow and subject to race conditions.
Fortunately, there is a project, Fraunhofer FKIE - Cyber Analysis and
Defense [1], that goes through the effort of adapting to this new API
and regenerating the convenient JSON files. The JSON files and meta
files are re-generated daily.
Instead of implementing the NVD v2 API, we decided to just use the JSON
files generatd by fkie-cad. That saves us the effort of solving the race
conditions, devising a cache mechanism that works, handling the frequent
gateway timeouts on the NVD servers, dealing with the rate limiting, and
keeping up with changes in the API.
Switch to this repository on github as NVD_BASE_URL. The file name is
also slightly different (CVE-20XX.json instead of nvdcve-1.1-20XX.json).
The fkie-cad repository compresses with xz instead of gz. Therefore:
- rename the filename variables to _xz instead of _gz;
- use xz as a subprocess because there is no xz decompressor in Python
stdlib.
[1] https://www.fkie.fraunhofer.de/en/departments/cad.html
Cc: Daniel Lang <dalang@gmx.at>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We currently check the CPE database to see if the CPE ID we use
(including the version) is already in the database.
However, the version part of the CPE ID is not actually used for CVE
matching. Instead, the CVEs have a range of versions associated with
them and we match against those ranges.
In addition, NVD is moving to a new API for accessing the CPE database.
It will not longer be possible to simply download all the CPE IDs, and
due to rate limiting, the download will have to be done in several
queries.
Since all of this is anyway of limited use, drop the CPE database lookup
entirely. Instead, as long as a CPE ID is defined in a package, it is
considered OK, without any checks.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The package/busybox/busybox-minimal.config is the default configuration
for MMU-less systems, so the setting is redundant and can be removed
without effect.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patch (already in version)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix the following build failure with aarch64 and BR2_OPTIMIZE_0 raised
since commit 0512910e49:
src/convert-neon-body-bayer8.inc.h: In function 'bayer2rgb_convert_neon':
src/convert-neon.c:233:17: error: third argument to '__builtin_prefetch' must be a constant
233 | __builtin_prefetch(((void const *)(_addr)) + 64, 0, (_lvl)); \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/convert-neon-body-bayer8.inc.h:8:9: note: in expansion of macro 'do_prefetch'
8 | do_prefetch(&in[+1*stride - 1], (rows_per_loop) < 3 ? 3 : 0);
| ^~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/307c1c448becd99dfba3a17b3ef816db0bb5cad6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
swugenerator might use openssl to encrypt files in .swu(cpio)
resulting output archive and gzip or zlib to compress the same files
but we're not sure whether build environment have or not openssl, gzip
and zlib installed so we add them as host dependencies.
Signed-off-by: Giulio Benetti <giulio.benetti+tekvox@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libglib2 can compile without localization support, but still depends
on libiconv, which is selected in Config.in.
This fallback support was broken, and is fixed in this upstream commit:
a497d5be12,
which partially reverts commits that were brought through merge commit
4a8120ec22be0b63705c1ed28b47920b99388087, that landed in 2.74.0 (as
the first stable release).
The other patch is purely added to avoid merge conflicts while
cherry-picking.
Fixes:
http://autobuild.buildroot.org/results/04d9a17e64503e0bece7bad33549ef3ad4b237c9/
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License hash changed due to MIT header added:
a4a82c1b64
Migrate from setuptools to hatchling pep517 build backend.
Drop no longer python-pyopenssl runtime dependency.
Drop no longer python-six runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
The meson upgrade from 1.1.1 to 1.2.0 have been reverted because
host-qemu (version v8.0.3) was searching libraries in the build machine
instead of buildroot host directory [1].
$ grep -r LINK_ARGS * | grep "\-L/usr"
build.ninja: LINK_ARGS =
-L/usr/lib/gcc/x86_64-linux-gnu/10 \
-L/usr/lib/gcc/x86_64-linux-gnu/10/../../../x86_64-linux-gnu -L/usr/lib/x86_64-linux-gnu \
-L/usr/lib/gcc/x86_64-linux-gnu/10/../../../../lib -L/usr/lib \
-L/lib/x86_64-linux-gnu \
-L/lib/../lib \
-L/usr/lib/../lib \
-L/usr/lib/gcc/x86_64-linux-gnu/10/../../.. \
-L/lib \
-I/[...]/host/include \
-L/[...]/host/lib \
-I/[...]/host/include/libfdt \
...
Upgrading qemu to version v8.1.0 solves the problem:
$ grep -r LINK_ARGS * | grep "\-L/usr"
build.ninja: LINK_ARGS =
-I/[...]/host/include \
-L/[...]/host/lib \
-I/[...]/host/include/libfdt \
...
Those two tests were done with the same buildroot version (2023.08) on
the same machine were the bug appeared. Using, git bisect, in this
environment, it was found that the problem was fixed in qemu by the
commit [2].
Thus, it is possible that the problem was introduced by improper use of
meson by qemu <= v8.0.3. Also, meson has been updated to version 1.2.1
and 1.3.0 in yocto and it doesn't seem to create any issue. [3]
The original problem is no longer present and some projects require
meson > 1.1.1 (e.g. rusticl requires meson 1.2.0 since mesa 23.3.0 and
meson 1.3.1 since mesa 24.0.0).
"pkgconfig" field is deprecated by meson 1.3.0 and replaced by
"pkg-config". See: [4]
The patch that adds the pkg_config_static property has been rebased.
[1] acfdf21f0b
[2] https://gitlab.com/qemu-project/qemu/-/commit/Fc9a809e0d28417fa1e7f7efc19f845bda4c1be9
[3] https://github.com/yoctoproject/poky/commits/master/meta/recipes-devtools/meson
[4] https://mesonbuild.com/Release-notes-for-1-3-0.html#machine-files-pkgconfig-field-deprecated-and-replaced-by-pkgconfig
Signed-off-by: Antoine Coutant <antoine.coutant@smile.fr>
[yann.morin.1998@free.fr:
- keep our formatting in the patch
- reflow commit log (to keep busy while test-building!)
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
TestGlxinfo fail with a new runtime error:
# glxinfo -B -display :0
name of display: :0
traps: glxinfo[84] trap invalid opcode ip:b73c7027 sp:bf8433c0 error:0 in swrast_dri.so[b6e4c000+64f000]
Illegal instruction
The x86-core2 Bootlin toolchains are built for a core2 CPU [0],
this means that the Bootlin toolchains may use core2-specific
instructions.
The TestGlxinfo test is setup for BR2_x86_core2, so our
executables will also contain core2 instructions.
However, the default Qemu x86 is not guaranteed to emulate all the
instructions specific to core2, causing runtime issues as reported
above.
A similar issue has been fixed by adding Nehalem cpu emulation on
the qemu command line. See 4f565b5222 ("support/testing: use Nehalem
cpu emulation for TestGrubX8664EFI").
Set core2duo cpu emulation for TestGlxinfo on the qemu command line.
[0] https://gitlab.com/buildroot.org/toolchains-builder/-/blob/kubu/toolchain-builder-2023.08/configs/arch/x86-core2.config?ref_type=heads
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mesa3d 23.3 added dri3_priv.h header and dri3_check_multibuffer() function in
drisw (part of swrast gallium driver) that can be build without dri3.
i686-buildroot-linux-gnu/bin/ld: src/glx/libglx.a.p/drisw_glx.c.o: in function `driswCreateScreenDriver':
drisw_glx.c:(.text.driswCreateScreenDriver+0x3a0): undefined reference to `dri3_check_multibuffer'
collect2: error: ld returned 1 exit status
Add HAVE_DRI3 guard around dri3_priv.h header and the zink code using
dri3_check_multibuffer().
While testing again the TestGlxinfo runtime test, a new unexpected error line
appeared in the glxinfo log:
MESA-LOADER: failed to open zink: /usr/lib/dri/zink_dri.so
mesa3d try to load zink gallium driver even if it was not enabled at
build time, indeed there is no such option in Buildroot.
Apply patches sent upstream:
https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/27478
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/6093854455
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
python-bitstring require python-bitarray and python-zlib at runtime
since 4.1.0 release [1][2].
python-zlib is now needed for the "Experimental support for two 8-bit
float types" [2].
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/6114047821
[1] https://github.com/scott-griffiths/bitstring/releases/tag/bitstring-4.1.0
[2] 70c8af4d8b
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package is needed at runtime by python-bitstring since
4.1.0 already [1].
Note: the License is under Python-2.0 but "Python Software
Foundation License (PSF)" has been remplaced by the author
of bitarray Ilan Schnell.
[1] https://github.com/scott-griffiths/bitstring/releases/tag/bitstring-4.1.0
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The defconfig choice is the default one, so it is redundant and can be
removed without effect.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 6b2329bb80 ("configs/ti_am64x_sk: new defconfig") forgot to
specify the Linux kernel version, so do that now.
When the defconfig was added, the default version was 6.4.x, so use
version 6.4.16.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes build issue of the python support with python 3.12 (2.3.4
unconditionally uses distutils).
The license file used being a header file, it has changed due to code
changes, but the license is still LGPL-3.0+.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 719921bebe (package/kexec: bump to version 2.0.27) forgot to
propagate the new dependency on kernel headers to petitboot, which may
select kexec, causing unmet dependencies warnings (unfortunately, not
errors), such as:
$ KCONFIG_SEED=0x84462FFC make randconfig
WARNING: unmet direct dependencies detected for BR2_PACKAGE_KEXEC
Depends on [n]: BR2_PACKAGE_KEXEC_ARCH_SUPPORTS [=y] && BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_17 [=n]
Selected by [y]:
- BR2_PACKAGE_PETITBOOT [=y] && (BR2_PACKAGE_KEXEC_ARCH_SUPPORTS [=y] || BR2_PACKAGE_KEXEC_LITE_ARCH_SUPPORTS [=n]) && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y] && !BR2_STATIC_LIBS [=n] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_PACKAGE_HAS_UDEV [=y] && !BR2_PACKAGE_KEXEC_LITE_ARCH_SUPPORTS [=n]
Propagate the dependency from kexec, and add comments about dependencies
also inherited from kexec-lite.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Laurent Vivier <laurent@vivier.eu>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit ebe47e7605 forgot to add C++
dependency resulting in the following build failure:
../output-1/build/python-numpy-1.25.0/meson.build:1:0: ERROR: Unable to detect GNU compiler type:
Fixes:
- http://autobuild.buildroot.org/results/6f3532598355732b289730fc751e9aebdab4b0e4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, the comment about availability is between the package main
symbol and its suboptions, breaking the threading in menuconfig.
Invert the order, and move the comment last. Also enclose the suboptions
between an if-block, as it is more customary.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>