Bump to latest upstream commit as it fixes a huge number of CVEs. Some
of them can't be linked to a given commit (e.g.
https://github.com/ckolivas/lrzip/issues/67). Moreover, upstream does
not plan to tag a new release any time soon:
https://github.com/ckolivas/lrzip/issues/99
- Fix CVE-2017-8842: The bufRead::get() function in libzpaq/libzpaq.h in
liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial
of service (divide-by-zero error and application crash) via a crafted
archive.
- Fix CVE-2017-8843: The join_pthread function in stream.c in
liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted archive.
- Fix CVE-2017-8844: The read_1g function in stream.c in liblrzip.so in
lrzip 0.631 allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have
unspecified other impact via a crafted archive.
- Fix CVE-2017-8845: The lzo1x_decompress function in lzo1x_d.ch in LZO
2.08, as used in lrzip 0.631, allows remote attackers to cause a
denial of service (invalid memory read and application crash) via a
crafted archive.
- Fix CVE-2017-8846: The read_stream function in stream.c in
liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial
of service (use-after-free and application crash) via a crafted
archive.
- Fix CVE-2017-8847: The bufRead::get() function in libzpaq/libzpaq.h in
liblrzip.so in lrzip 0.631 allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a
crafted archive.
- Fix CVE-2017-9928: In lrzip 0.631, a stack buffer overflow was found
in the function get_fileinfo in lrzip.c:979, which allows attackers to
cause a denial of service via a crafted file.
- Fix CVE-2017-9929: In lrzip 0.631, a stack buffer overflow was found
in the function get_fileinfo in lrzip.c:1074, which allows attackers
to cause a denial of service via a crafted file.
- Fix CVE-2018-5747: In Long Range Zip (aka lrzip) 0.631, there is a
use-after-free in the ucompthread function (stream.c). Remote
attackers could leverage this vulnerability to cause a denial of
service via a crafted lrz file.
- Fix CVE-2018-11496: In Long Range Zip (aka lrzip) 0.631, there is a
use-after-free in read_stream in stream.c, because decompress_file in
lrzip.c lacks certain size validation.
Also:
- update indentation of hash file (two spaces)
- drop patch (already in version)
- manage host-nasm dependency which is enabled by default and has been
fixed by:
9f16f65705
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Mesa chooses the first platform specified in -Dplatforms as the default
EGL native platform. [0]
Configure Options
-D platforms=...
List the platforms (window systems) to support. Its argument is
a comma separated string such as -D platforms=x11,drm. It
decides the platforms a driver may support. The first listed
platform is also used by the main library to decide the native
platform.
This has the effect of breaking EGL applications running on X11 and
possibly Wayland when the first platform specified isn't x11 or wayland,
and EGL_PLATFORM isn't set.
Reorder the specified platforms to use x11, wayland, and drm before
surfaceless, as this is the order chosen by other common distributions,
such as Arch Linux [1], Debian [2], and Fedora [3].
Users preferring drm or surfaceless over x11 or wayland likely know how
to override the native EGL platform, and likely have x11 and wayland
disabled anyway.
[0] https://www.mesa3d.org/egl.html
[1] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/mesa#n45
[2] fb8c1efb57/debian/rules (L38)
[3] https://src.fedoraproject.org/rpms/mesa/blob/master/f/mesa.spec#_337
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
We will need this Python 3.x variant of the host-python-pyelftools
package to be able to build some recent versions of U-Boot (>=
2020.01).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patch that is now upstream.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add conditional support to allow the module tools to use openssl
on target to inspect the signature of signed modules. If openssl
is not enabled the modinfo will show a hash algo as unknown.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Tested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patches that are now upstream.
We don't need to autoreconf since we are using a release tarball.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Xtensa have added new relocation types R_XTENSA_[NP]DIFF{8,16,32} with
the same properties as the existing types R_XTENSA_DIFF{8,16,32}.
Add them to the list of ignored relocation types.
This fixes the following error when invoking elf2flt on xtensa binaries
built with the recent binutils:
ERROR: reloc type R_XTENSA_PDIFF32 unsupported in this context
Reported-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove tinyxml2 dependency as tinyxml2 is not a part of version 0.8.7.
Indeed, tinyxml2 has been added in September 2016 with
49b3fd9d6f
whereas version 0.8.7 has been released in April 2016
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
fakeroot does mask out necessary flags, instead pass through
the flags that are supported by fstatat
Upstream BR: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959876
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libopcodes was installed in staging/ in commit 6a508d9361 (binutils:
Also install libopcodes in staging), but was not installed in target/
Starting with linux-5.6, perf (linux-tools) will link to libopcodes when
it is present. Since it is available in staging, the build succeeds.
However, libopcodes missing in target, perf fails at runtime:
perf: ...libopcodes-2.33.1.so: cannot open shared object file
Install libopcodes to target as well.
Signed-off-by: Lecopzer Chen <lecopzer@gmail.com>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security vulnerabilities:
CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
corruption when they were passed a pseudo-zero argument. Reported by Guido
Vranken / ForAllSecure Mayhem.
CVE-2020-1751: A defect in the PowerPC backtrace function could cause an
out-of-bounds write when executed in a signal frame context.
CVE-2020-1752: A use-after-free vulnerability in the glob function when
expanding ~user has been fixed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
- Improve mitigation for CVE-2019-14271 for some nscd configuration.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prevent possible use-after-free and double-free in ares_getaddrinfo() if
ares_destroy() is called prior to ares_getaddrinfo() completing.
https://c-ares.haxx.se/changelog.html#1_16_1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-markdown2 through 2.3.8 allows XSS because element names are
mishandled unless a \w+ match succeeds. For example, an attack might use
elementname@ or elementname- with an onclick attribute.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-future does not depends on python2.
The package work with python 3.x.
Signed-off-by: Louis Aussedat <aussedat.louis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add patch to fix availability check for storeRGB32FromARGB32PM_neon(), only
available for arm little-endian.
Fixes:
- http://autobuild.buildroot.net/results/ab623253a6d988f4ee03d292ee85f3455de2ea25
.obj/qimage_conversions.o: In function `convert_generic(QImageData*, QImageData const*, QFlags<Qt::ImageConversionFlag>)':
qimage_conversions.cpp:(.text+0x2598): undefined reference to `storeRGB32FromARGB32PM_neon(unsigned char*, unsigned int const*, int, int, QVector<unsigned int> const*, QDitherInfo*)'
qimage_conversions.cpp:(.text+0x259c): undefined reference to `storeRGB32FromARGB32PM_neon(unsigned char*, unsigned int const*, int, int, QVector<unsigned int> const*, QDitherInfo*)'
.obj/qimage_conversions.o: In function `convert_generic_inplace(QImageData*, QImage::Format, QFlags<Qt::ImageConversionFlag>)':
qimage_conversions.cpp:(.text+0x28fc): undefined reference to `storeRGB32FromARGB32PM_neon(unsigned char*, unsigned int const*, int, int, QVector<unsigned int> const*, QDitherInfo*)'
qimage_conversions.cpp:(.text+0x2900): undefined reference to `storeRGB32FromARGB32PM_neon(unsigned char*, unsigned int const*, int, int, QVector<unsigned int> const*, QDitherInfo*)'
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To match the docker-engine version.
./support/testing/run-tests tests.package.test_docker_compose.TestDockerCompose
09:54:39 TestDockerCompose Starting
09:54:40 TestDockerCompose Building
10:45:33 TestDockerCompose Building done
10:46:30 TestDockerCompose Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 3121.828s
OK
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Set PAHO_HIGH_PERFORMANCE to disable free redefiniton as suggested by
upstream in https://github.com/eclipse/paho.mqtt.c/issues/846.
This will avoid the following build failure on musl:
/tmp/instance-1/output-1/host/x86_64-buildroot-linux-musl/sysroot/usr/include/sched.h:80:17: error: expected declaration specifiers or '...' before string constant
void free(void *);
^
/tmp/instance-1/output-1/host/x86_64-buildroot-linux-musl/sysroot/usr/include/sched.h:80:17: error: expected declaration specifiers or '...' before numeric constant
void free(void *);
^
[ 35%] Building C object src/CMakeFiles/common_obj.dir/Base64.c.o
[ 36%] Building C object src/CMakeFiles/common_obj.dir/SHA1.c.o
make[3]: *** [src/CMakeFiles/common_obj.dir/build.make:284: src/CMakeFiles/common_obj.dir/MQTTReasonCodes.c.o] Error 1
Fixes:
- http://autobuild.buildroot.org/results//fbe57a1602fed331ddff3ff3560dce02573816ff
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a
HandleCursorShape integer overflow and heap-based buffer overflow via a
large height or width value. NOTE: this may overlap CVE-2019-15690.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream patch to fix squashfs-tools build failures because
of missing external declaration for fwriter_buffer and
bwriter_buffer.
Fixes:
- http://autobuild.buildroot.net/results/6789b668898245926e0a3a3e7caf823dff515d71
/usr/bin/ld: read_fs.o:(.bss+0x0): multiple definition of `fwriter_buffer'; mksquashfs.o:(.bss+0x400c90): first defined here
/usr/bin/ld: read_fs.o:(.bss+0x8): multiple definition of `bwriter_buffer'; mksquashfs.o:(.bss+0x400c98): first defined here
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Add two upstream patches fixing input_event time related
compile failures.
Fixes:
- http://autobuild.buildroot.net/results/3883a948e30cfd235cfca1fb8646fe8032f5e18d
keytable.c: In function 'test_event':
keytable.c:1536:11: error: 'struct input_event' has no member named 'time'; did you mean 'type'?
ev[i].time.tv_sec, ev[i].time.tv_usec,
^~~~
type
keytable.c:1536:30: error: 'struct input_event' has no member named 'time'; did you mean 'type'?
ev[i].time.tv_sec, ev[i].time.tv_usec,
^~~~
type
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
- http://autobuild.buildroot.net/results/af76190876656252eb6f60220cdb1d627a03b7c3
evdevkeyboard/qevdevkeyboardhandler.cpp: In member function ‘void QEvdevKeyboardHandler::switchLed(int, bool)’:
evdevkeyboard/qevdevkeyboardhandler.cpp:153:28: error: ‘struct input_event’ has no member named ‘time’; did you mean ‘type’?
::gettimeofday(&led_ie.time, 0);
^~~~
type
evdevtouch/qevdevtouchhandler.cpp: In member function ‘void QEvdevTouchScreenData::processInputEvent(input_event*)’:
evdevtouch/qevdevtouchhandler.cpp:579:29: error: ‘struct input_event’ has no member named ‘time’; did you mean ‘type’?
m_timeStamp = data->time.tv_sec + data->time.tv_usec / 1000000.0;
^~~~
type
evdevtouch/qevdevtouchhandler.cpp:579:49: error: ‘struct input_event’ has no member named ‘time’; did you mean ‘type’?
m_timeStamp = data->time.tv_sec + data->time.tv_usec / 1000000.0;
^~~~
type
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
cvs is an old package, and it shows:
- CVS is licensed under GPL-1.0+ as stated in README (referenced in source
code) and COPYING files;
- COPYING.LIB also give the terms of LGPL-2.0+, and is referenced by a
few files, like lib/strnlen1.c, mostly vampirised rom older versions
of the GNU C library (glibc);
- additionally, the glob implementation was also grabbed from a more
recent (but still old) glibc version, and is LGPL-2.1+, but there is
no license file associated with it, so we use the header instead.
Also update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- LGPL-2.0+ is used, reference at least one file
- LGPL-2.1+ is also used
- reword commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
BR2_PACKAGE_HOST_ZLIB does not exist, and should anyway not be
selected by the target pigz package.
Signed-off-by: Louis-Paul Cordier <lpdev@cordier.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
- http://autobuild.buildroot.net/results/5c5/5c5d71fde80a4f2f027085bdb0fae9fb76ab9d32
fsck.c:1062:18: error: 'node' may be used uninitialized in this function [-Werror=maybe-uninitialized]
node->parent = dir;
^
fsck.c:870:22: note: 'node' was declared here
struct exfat_inode *node;
^
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
- http://autobuild.buildroot.net/results/a7364a6b3801d7d18c30c7242c6faf19431fddfd
mkfs.c:60:14: error: format '%llu' expects argument of type 'long long unsigned int', but argument 2 has type 'long unsigned int' [-Werror=format=]
exfat_debug("Volume Length(sectors) : %llu\n",
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Irrlicht fail to detect properly the NEON support on aarch64 or ARM with NEON FPU support.
While linking an application with libIrrlicht.so, we get an undefined reference to
png_init_filter_functions_neon.
Some files are missing in the libpng bundled in Irrlicht, in particular arm/arm_init.c [1],
so disable NEON support completely.
This can be reproduced by building minetest using this defconfig for aarch64:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_MINETEST=y
BR2_PACKAGE_MINETEST_CLIENT=y
BR2_PACKAGE_MINETEST_SERVER=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
Or for ARM with NEON FPU support:
BR2_arm=y
BR2_cortex_a15=y
BR2_ARM_FPU_NEON=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_MINETEST=y
BR2_PACKAGE_MINETEST_CLIENT=y
BR2_PACKAGE_MINETEST_SERVER=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
[1] https://github.com/glennrp/libpng/tree/v1.6.37/arm
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a
heap-based buffer overflow during JPEG_MARKER_SOS handling because of a
missing length check.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Back in commit [1], a patch fixing an issue a PowerPC issue in gcc was
added in gcc 4.3.3. It was present until gcc 4.9, which itself was
removed in [2]. The patch was dropped starting gcc 5.1 [3] but it's
know to be useful for gcc 4.7.3 [4]. However, even though we no longer
support building any of those older gcc versions, the conditional
patching logic in gcc.mk is still there.
We used to have a patch directory (package/gcc/$(GCC_VERSION)) for
every gcc version available in Buildroot, the apply-patches.sh script
doesn't error out even if
1000-powerpc-link-with-math-lib.patch.conditional is missing.
But with gcc 10, we don't need (for the moment) to apply any patch, so
the patch directory doesn't exist. apply-patches.sh breaks the build
since the patch directory is missing:
Aborting. 'package/gcc/10.1.0' is not a directory.
Since we removed gcc 4.9 last year [2], we can safely remove this code.
Tested using qemu_ppc_virtex_ml507_defconfig.
[1] bb1f42e442
[2] baf1775022
[3] 4deb2d93c5
[4] 197006a41c
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 3052da3eac did not renumber
remaining patches, fix that
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
If libapparmor is selected, depend on libapparmor and set -Dapparmor=true
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
