Currently libnss is configured with BUILD_OPT=1 and due to that that
it doesn't take into account Buildroot TARGET_CFLAGS nor
TARGET_LDFLAGS resulting in pre-chosen optimizations and debugging
symbols being used.
We can't pass TARGET_CFLAGS through CFLAGS or similar otherwise other
internal libnss one will be overwritten (i.e. -fPIC), so we prefer to
append TARGET_CFLAGS at the end of Linux.mk as well as TARGET_LDFLAGS
according to internal libnss Makefile system's names. And obviously
remove BUILD_OPT=1 from BUILD_VARS.
This reveals hidden bugs when building with -Os due to bogus
uninitialized warnings from gcc turned into errors because of -Werror,
so we explicitly pass NSS_ENABLE_WERROR=0 to avoid the use of -Werror.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Thomas: drop the libnss patches, and pass NSS_ENABLE_WERROR instead]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5e787b0014)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Move site from http to https as HTTP URL now returns
"301 Moved Permanently"
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e7609a80b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* exp_inter.c: [https://sourceforge.net/p/expect/patches/22/]
Fix interact bug - handle reads of 0 length on
non-blocking channels by explicitly checking if the channel
is non-blocking. Fix by Jack Bates.
* expect.c: [https://sourceforge.net/p/expect/patches/21/]
Fix eof bug introduced with previous bug fix - ensure that data
received just before an eof is processed. Fix by Sergei Golovan.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6fffbffb6f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream pushes their delivery archives in to places:
https://download.qt.io/official_releases/https://download.qt.io/archive/
After a while, only the latter remains, whith the former being pruned
actively to contain only officially supported versions.
Switch to using the archive location, as it has everything, even the
latest versions.
Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 675d38dd65)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The 4.11.2 release brings a large number of fixes:
https://xenproject.org/downloads/xen-project-archives/xen-project-4-11-series/xen-project-4-11-2/
Including a number of security fixes:
XSA-284: grant table transfer issues on large hosts
XSA-285: race with pass-through device hotplug
XSA-287: x86: steal_page violates page_struct access discipline
XSA-288: x86: Inconsistent PV IOMMU discipline
XSA-290: missing preemption in x86 PV page table unvalidation
XSA-291: x86/PV: page type reference counting issue with failed IOMMU update
XSA-292: x86: insufficient TLB flushing when using PCID
XSA-293: x86: PV kernel context switch corruption
XSA-294: x86 shadow: Insufficient TLB flushing when using PCID
XSA-295: Unlimited Arm Atomics Operations
XSA-297: Microarchitectural Data Sampling speculative side channel
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2905569284)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2019-12827: A specially crafted SIP in-dialog MESSAGE message can cause
Asterisk to crash:
https://downloads.asterisk.org/pub/security/AST-2019-002.html
CVE-2019-13161: When T.38 faxing is done in Asterisk a T.38 reinvite may be
sent to an endpoint to switch it to T.38. If the endpoint responds with an
improperly formatted SDP answer including both a T.38 UDPTL stream and an
audio or video stream containing only codecs not allowed on the SIP peer or
user a crash will occur. The code incorrectly assumes that there will be at
least one common codec when T.38 is also in the SDP answer:
https://downloads.asterisk.org/pub/security/AST-2019-003.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2cb389deca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cb60af6002)
[Peter: drop 5.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2019-13917:
http://www.exim.org/static/doc/security/CVE-2019-13917.txtd185889f47
added new code to "Prebuild the data structure for builtin macros".
This function needs a host-built binary called macro_predef, it depends
on host-berkeleydb, host-pcre and optionally on host-openssl.
With an openssl-enabled exim the host build of macro_predef will fail
if host-openssl is missing:
/usr/bin/gcc -DMACRO_PREDEF macro_predef.c
In file included from hash.h:14,
from exim.h:485,
from macro_predef.c:11:
sha_ver.h:37:12: fatal error: openssl/ssl.h: No such file or directory
because macro_predef also has the an optional dependency on openssl:
https://github.com/Exim/exim/blob/exim-4.92%2Bfixes/src/src/macro_predef.c#L130
Removed patches applied upstream:
0004: 98913c8ea2
0005: cf3cd30606
0007: 7ea1237c78 (diff-58af16fe62ea674adf1730edc078d175R6243)
Added patch to fix uClibc build.
Added license hash, switched _SITE to https.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1d3fe88d08)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Needed for the upcoming Exim security version bump.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d4ec3c1596)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openvmtools detects and uses an external RPC library if RPC is not
supported by the toolchain C library, so let's select package/libtirpc
when necessary.
Signed-off-by: Simon Rowe <simon.rowe@citrix.com>
[Thomas: add missing dependency on libtirpc]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d006737faa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since version 3.4.1 [1], opencv disable pkg-config while cross-compiling to
avoid host headers/libraries poisoning.
Due to this, opencv fail to detect ffmpeg, gstreamer and gtk dependencies
even if the corresponding support is requested by
BR2_PACKAGE_OPENCV3_WITH_{FFMPEG,GSTREAMER,GTK2,GTK3}.
Maybe other dependencies are affected by this issue...
While configuring opencv we can notice the following messages:
"-- OpenCV disables pkg-config to avoid using of host libraries. Consider using PKG_CONFIG_LIBDIR to specify target SYSROOT"
"-- Can't find ffmpeg - 'pkg-config' utility is missing"
As the result ffmpeg and gstreamer are not enabled:
-- Video I/O:
-- FFMPEG: NO
-- avcodec: NO
-- avformat: NO
-- avutil: NO
-- swscale: NO
-- avresample: NO
-- GStreamer: NO
-- libv4l/libv4l2: NO
-- v4l/v4l2: linux/videodev2.h
We can fixes this by adding a new option OPENCV_ENABLE_PKG_CONFIG=ON
-- Video I/O:
-- FFMPEG: YES
-- avcodec: YES (ver 58.35.100)
-- avformat: YES (ver 58.20.100)
-- avutil: YES (ver 56.22.100)
-- swscale: YES (ver 5.3.100)
-- avresample: YES (ver 4.0.0)
-- GStreamer:
-- base: YES (ver 1.16.0)
-- video: YES (ver 1.16.0)
-- app: YES (ver 1.16.0)
-- riff: YES (ver 1.16.0)
-- pbutils: YES (ver 1.16.0)
-- libv4l/libv4l2: NO
-- v4l/v4l2: linux/videodev2.h
Add host-pkgconf in the dependencies.
If there is a path poisoning issue, it will be detected by the toolchain
paranoid wrapper.
[1] c4f9ff0285
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Samuel Martin <s.martin49@gmail.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 41f5ee957c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The licensing information, and especially the name of the license file,
is known only for the official v1.4 version. For example, in later
versions, the license file has been renamed.
Since we can't be sure of the licensing information for custom versions,
or for versions from git, define that only for the known v1.4 version.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d1a61703f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With Microblaze Gcc version < 8.x the build hangs due to gcc bug
85180: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180. The bug
shows up when building xlib_libXfont with optimization but not when
building with -O0. To work around this, if
BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y we force using -O0.
Fixes:
http://autobuild.buildroot.net/results/7c6/7c64becbf06a1e00e41b7ddb95dd0c65bf364eb7/
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6910e723a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A very small fix for the progress meter regression in 7.65.2.
See https://curl.haxx.se/mail/lib-2019-07/0052.html
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3fac250944)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Contains a number of fixes for issues discovered post-7.65.1.
For details, see full changelog:
https://curl.haxx.se/changes.html#7_65_2
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 28e91cf3a0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
idna requires unicodedata:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "usr/lib/python3.7/site-packages/idna/__init__.py", line 2, in <module>
File "usr/lib/python3.7/site-packages/idna/core.py", line 3, in <module>
ModuleNotFoundError: No module named 'unicodedata'
Signed-off-by: Alex Xu <alex_y_xu@yahoo.ca>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9177475111)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We export GZIP = -n so that GZIP does not record original
name and timestamps. However..
GZIP environment variable is deprecated and soon will not be
supported in future GZIP versions. GZIP suggests the use of a
wrapper to pass options globally but it might be difficult to
implement in Buildroot. For now, we don't export the variable
and fix reproducibility issues per package as they show up in
Autobuilder.
Signed-off-by: Atharva Lele <itsatharva@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d590b37633)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Using the GZIP environment variable to pass gzip options is
deprecated, and therefore we are going to remove the "GZIP = -n"
definition from the main Buildroot Makefile. In preparation for this,
we explicitly add the -n argument to the gzip call in fs/common.mk to
ensure reproducibility.
Signed-off-by: Atharva Lele <itsatharva@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 44d17dd128)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When -Dintrospection=false is not passed, the meson script
auto-detects the host g-ir-scanner, which is not usable in a
cross-compile environment.
Signed-off-by: Alex Xu <alex_y_xu@yahoo.ca>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6afc3edd41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
intltool is not needed since version 2.49.90 and
f539b7ebdb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 454d2a32ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Replace utf-8 NO-BREAK-SPACE (c2 a0) in comment line by simple
ascii space character.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 695f20cd0c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Replace install target by install-lib target to avoid building and
installing cryptest.exe
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bd1ba229be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 39dde1ffb6 ("package/brotli:
work around gcc bug 68485"), a mistake was made: when
BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y, we're only passing -O0 as CFLAGS,
completely ignoring TARGET_CFLAGS, which is not good.
This commit fixes that by introducing a BROTLI_CFLAGS variable,
initially defined to TARGET_CFLAGS, and to which we add -O0 when
BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Thomas: rework commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 657ffee375)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With Microblaze Gcc version <= 9.x the build fails due to gcc bug 68485:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68485. The bug show up when
building brotli with optimization but not when building with -O0. To
work around this, if BR2_TOOLCHAIN_HAS_GCC_BUG_68458=y, we force using
-O0.
Fixes:
http://autobuild.buildroot.net/results/d86/d86251974a0a348a64d9a1d1fd7d02dd4aff0792/
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 39dde1ffb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use TARGET_CONFIGURE_OPTS to pass -static in LDFLAGS when building
statically
Fixes:
- http://autobuild.buildroot.org/results/12c08173f83315fb68fe3c3d34a78ed919ba5a79
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit df781e31ca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump to version 4.3.2 did not update sha256 hash
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2312a83288)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2019-13132: a remote, unauthenticated client connecting to a
libzmq application, running with a socket listening with CURVE
encryption/authentication enabled, may cause a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. Users running public servers with the above configuration
are highly encouraged to upgrade as soon as possible, as there are no
known mitigations. All versions from 4.0.0 and upwards are affected.
Thank you Fang-Pen Lin for finding the issue and reporting it!
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: mention security impact]
(cherry picked from commit 45e5cd5a2b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On Microblaze, with gcc versions < 8.x the build of xlib_libXfont2
hangs due to gcc bug 85180:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180.
The bug shows up when building xlib_libXfont2 with optimization but
not when building with -O0. To work around this, if
BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y we force using -O0.
Fixes:
http://autobuild.buildroot.net/results/21099d27c03948daaca2d1c149eeba084427e3af/
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5942dcdc5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the URL and add three new patches. Quoting changelog [1]:
unzip (6.0-24) unstable; urgency=medium
* Apply two patches by Mark Adler:
- Fix bug in undefer_input() that misplaced the input state.
- Detect and reject a zip bomb using overlapped entries. Closes: #931433.
Bug discovered by David Fifield. For reference, this is CVE-2019-13232.
-- Santiago Vila <sanvila@debian.org> Thu, 11 Jul 2019 18:03:34 +0200
unzip (6.0-23) unstable; urgency=medium
* Fix lame code in fileio.c which parsed 64-bit values incorrectly.
Thanks to David Fifield for the report. Closes: #929502.
-- Santiago Vila <sanvila@debian.org> Wed, 29 May 2019 00:24:08 +0200
[1] https://sources.debian.org/data/main/u/unzip/6.0-24/debian/changelog
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 009c59a261)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since we use --xattrs-include='*' to include all extended attributes,
tar creates a PAX formatted archive. The archive metadata captures atime
and ctime of files. To fix this, GNU recommends that we pass this added
argument to tar to create binary reproducible packages. Setting of mtime
is handled in fs/common.mk using touch on all files.
Diffoscope output pre-change: https://gitlab.com/snippets/1871111
Diffoscope output after change is blank i.e. binary reproducibile rootfs
is created.
GNU Recommendation: https://www.gnu.org/software/tar/manual/tar.html#SEC147
Signed-off-by: Atharva Lele <itsatharva@gmail.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9c449f9dd8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Apparently, patchwork only recognizes the 'Fixes' tag if it is followed
by a colon. So make sure the manual documents it as such.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e875c2ffd2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
additional text after the address and only quad-dotted notation without
trailing whitespaces. Some inet_aton() implementations ignore whitespace
and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
and local_file:// URL schemes in URLopener().open() and
URLopener().retrieve() of urllib.request.
- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
whitespace or control characters through into the underlying http client
request. Such potentially malicious header injection URLs now cause an
http.client.InvalidURL exception to be raised.
- bpo-33529: Prevent fold function used in email header encoding from
entering infinite loop when there are too many non-ASCII characters in a
header.
- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
if the PATH environment variable is not set. Remove also the current
directory from posixpath.defpath. On Unix, shutil.which() and the
subprocess module no longer search the executable in the current directory
if the PATH environment variable is not set.
Also remove the following upstreamed patches:
- 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
- 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 906ed044aa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
--enable-old-stdlib-cache is not recognozed since at least version
3.6.3, see:
http://autobuild.buildroot.org/results/b957f956100fc36c7d5ffab1d7df41a65ae52ded
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 440eaa41d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
