Fixes the following security issues:
- CVE-2021-41105: FreeSWITCH susceptible to Denial of Service via invalid
SRTP packets
When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls
can be terminated by remote attackers. This attack can be done
continuously, thus denying encrypted calls during the attack.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36
- CVE-2021-41157: FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default
By default, SIP requests of the type SUBSCRIBE are not authenticated in
the affected versions of FreeSWITCH.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj
- CVE-2021-37624: FreeSWITCH does not authenticate SIP MESSAGE requests,
leading to spam and message spoofing
By default, SIP requests of the type MESSAGE (RFC 3428) are not
authenticated in the affected versions of FreeSWITCH. MESSAGE requests
are relayed to SIP user agents registered with the FreeSWITCH server
without requiring any authentication. Although this behaviour can be
changed by setting the auth-messages parameter to true, it is not the
default setting.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3
- CVE-2021-41145: FreeSWITCH susceptible to Denial of Service via SIP flooding
When flooding FreeSWITCH with SIP messages, it was observed that after a
number of seconds the process was killed by the operating system due to
memory exhaustion.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m
- CVE-2021-41158: FreeSWITCH vulnerable to SIP digest leak for configured gateways
An attacker can perform a SIP digest leak attack against FreeSWITCH and
receive the challenge response of a gateway configured on the FreeSWITCH
server. This is done by challenging FreeSWITCH's SIP requests with the
realm set to that of the gateway, thus forcing FreeSWITCH to respond with
the challenge response which is based on the password of that targeted
gateway.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4
Release notes:
https://github.com/signalwire/freeswitch/releases/tag/v1.10.7
Removed patch, upstream applied a different fix:
e9fde845de
Added optional dependency to libks, needed due to upstream commit
ed98516666
Added upstream patches to fix build errors.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
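An added example, not part of this commit or of FreeSWITCH: a small audit for the CVE-2021-37624 item above that reports SIP profiles where auth-messages is not set to true. The `<profile>/<settings>/<param>` layout and the sample profiles are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profiles (not taken from any real deployment).
SAMPLE_CONF = """
<profiles>
  <profile name="internal">
    <settings>
      <param name="auth-calls" value="true"/>
      <param name="auth-messages" value="true"/>
    </settings>
  </profile>
  <profile name="external">
    <settings>
      <param name="auth-calls" value="false"/>
    </settings>
  </profile>
  <profile name="legacy">
    <settings>
      <param name="auth-messages" value="false"/>
    </settings>
  </profile>
</profiles>
"""


def audit_profiles(xml_text, required=("auth-messages",)):
    """Return {profile name: [findings]} for profiles lacking a required param.

    The check is deliberately strict: only the literal value "true" passes,
    so any other spelling is reported for manual review.
    """
    root = ET.fromstring(xml_text)
    findings = {}
    # iter() also yields the root itself, so a single-profile file works too.
    for profile in root.iter("profile"):
        name = profile.get("name", "<unnamed>")
        params = {}
        for param in profile.findall("./settings/param"):
            value = (param.get("value") or "").strip().lower()
            params[param.get("name", "")] = value
        problems = []
        for req in required:
            if req not in params:
                # Per the advisory text, the affected versions do not
                # authenticate MESSAGE unless the parameter is set.
                problems.append(f"{req} not set (falls back to the default)")
            elif params[req] != "true":
                problems.append(f"{req} explicitly set to {params[req]!r}")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for profile_name, problems in audit_profiles(SAMPLE_CONF).items():
        for problem in problems:
            print(f"{profile_name}: {problem}")
```
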
Bump U-Boot to 2021.10 and kernel to 5.15.12 version.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
So far, cryptopp only had a host variant, but some use-cases require
this library on the target, so this adjusts the cryptopp package
accordingly.
One patch (submitted upstream) is needed to have the proper symlink
corresponding to the SONAME of the shared library.
Signed-off-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
prometheus remote write backend depends on protobuf and snappy and is
enabled by default since the addition of the package in commit
1d2bb46907
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In order to build the numpy distutils extension packages like
python-scipy, python-numba, it requires an explicit pkg-config
path fixup for npymath.ini.
This pkg-config path fixup would update the prefix path of
npymath.ini with actual target staging area where numpy core
was built, so that numpy distutils extension packages would
explicitly link this config path for their package environment.
Without this extension packages cannot find -lnpymath since
it uses host libraries (like libnpymath.a).
So, attach the post install staging hook with pkg-config
path fixup for npymath.ini.
Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The way that python-pybind can be used is fairly complicated, so a
runtime test for it is convenient. In addition, this test validates that
the headers actually work at runtime.
Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
[Arnout:
- Retain python3 only.
- python-pybind is a target package, not host.
- Select python-pybind instead of depend.
- Simplify python-pybind-example package.
- Check in python-pybind-example build if pybind11.get_include()
produces output.
- Don't use python3 -m pybind11 --includes: it includes the main python
includes, which are for the host, not for the target.
- Use TestPythonPackageBase instead of open-coding something imported
with host python.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
pybind11 is not really a Python module; it is actually a set of headers
that is used to wrap Python objects in C++.
Since pybind version 2.6.1, it uses CMake internally. This causes a
number of build issues for Buildroot because either no cmake is present
or it is too old.
pybind in fact has three parts: the C++ headers, a python module
pybind11, and the tests. The python package's only purpose is to serve
as a configure script for users of pybind. CMake is mainly used to build
and run the tests, which use the (mock-installed) pybind11 module to
find the (mock-installed) C++ headers. CMake is also used to install the
headers.
The setup.py script calls into CMake to install the headers and CMake
support files to a temporary directory, then copies that together with
the pybind11 module into the Python directory. The pybind11 module then
returns the include and cmake paths relative to its install location
(using __file__ to determine the install location).
This is not at all compatible with how Buildroot expects things to be
organised.
- The include and CMake files are installed somewhere within the Python
directories, where nobody will find them.
- The Python module is installed for the target, but at build time
Python modules are read from the host directory only. Therefore, a
user of pybind can't actually load the module.
To solve this, several options are possible:
- Treat pybind as a host package. This causes users of pybind to build
with an include path pointing into the host directory. This happens to
work because pybind is a header-only library and because it is
installed in a specific location which is not contaminated by other
headers. However, it is philosophically wrong - a build for the target
should never have an include path pointing to the host directory.
- Install pybind in the usual way into staging, and add a stub module to
the host directory that returns paths to the staging directory. This
leaves a useless pybind11 module in the staging directory, and puts
the headers and cmake files in an unusual location. In addition it
is not so simple - we need to jump through hoops to make sure that
cmake is called correctly when it goes through python-package.
- Install the headers and cmake files using CMake, and add a (stub)
python module in the host directory that points users to the staging
directory. This puts the headers in the usual place
(STAGING_DIR/usr/include) and still makes it possible to find them
from a python package at build time.
We choose the latter solution.
First of all, convert to cmake-package. This installs just the headers
and the cmake support files. We need to pass PYBIND11_NOPYTHON=ON
because there is a cmake module that tries to find the python binary. It
sometimes finds the system python, sometimes the host python. In either
case, it checks whether this python's bitness and endianness correspond
to that of the compiler - which generally it doesn't in
cross-compilation. PYBIND11_NOPYTHON bypasses this check.
Install in staging and not in target. Before, it was installed to target
but the python module would point to the target directory so it worked
anyway; now, however, we can properly use the staging directory.
Since it is no longer a python-package, the python module is not
installed automatically. Install it manually in a post-staging-install
hook. Since the python module is supposed to be used at build time,
install it in the host directory rather than in staging.
The python module normally looks in its current directory to find the
include and cmake paths, but for cross-compilation this is wrong. Add a
non-upstreamable patch that checks for STAGING_DIR in the environment.
If it is set (which is the case in Buildroot), use that instead of the
current directory.
Add an explicit dependency on python3. The headers include Python.h, so
any user of pybind needs to implicitly depend on python3. While we're at
it, change it to support python3 only - even though pybind currently
still supports python2, adding support for it in Buildroot is a little
bit complicated and python2 will be removed soon anyway.
Cc: Esben Haabendal <esben@geanix.com>
Cc: Andreas Naumann <dev@andin.de>
Co-Developed-by: Jagan Teki <jagan@amarulasolutions.com>
Co-Developed-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following uclibc build failure raised since bump to version
0.8.1 in commit 5dbdb2535c:
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/microblazeel-buildroot-linux-uclibc/10.3.0/../../../../microblazeel-buildroot-linux-uclibc/bin/ld: xxhash.o: in function `XXH3_hashLong_128b_internal.constprop.0':
(.text+0xcbc): undefined reference to `static_assert'
Fixes:
- http://autobuild.buildroot.org/results/559/5595b21a711b482b84e582fc9f56e5468c9eb6d6/build-end.log
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Disable execinfo to avoid the following build failure raised since the
addition of libexecinfo package in commit
eea8ba446c:
/home/giuliobenetti/autobuild/run/instance-0/output-1/host/lib/gcc/arc-buildroot-linux-uclibc/10.2.0/../../../../arc-buildroot-linux-uclibc/bin/ld: main.o: in function `do_panic(int)':
/home/giuliobenetti/autobuild/run/instance-0/output-1/build/rtorrent-0.9.8/src/main.cc:606: undefined reference to `backtrace'
Fixes:
- http://autobuild.buildroot.org/results/10fc9016013931c58238240216c5950b23b56b30
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
qpdf needs atomic since bump to version 10.5.0 in commit
b5352c2177 and
c5c1a028cd:
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/m68k-buildroot-uclinux-uclibc/bin/ld.real: /home/buildroot/autobuild/instance-2/output-1/build/qpdf-10.5.0/libqpdf/build/.libs/libqpdf.a(QPDF.o): in function `QPDF::QPDF()':
QPDF.cc:(.text+0x48de): undefined reference to `__atomic_fetch_add_8'
Fixes:
- http://autobuild.buildroot.org/results/7e18689670dcbe491c35f0597e5c3c787936263f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
By default, Avahi installs service definitions for SSH and SFTP, but
those might not be present on all systems. This commit adds an option
to control the installation of those Avahi services. Even though that
potentially breaks backward compatibility with older configuration, we
have chosen to make the option default to disabled, which means that
now the SSH and SFTP avahi services are no longer installed by
default.
As there is no way to tell the Avahi package not to install the
service files in the first place, we have to manually remove them from
the target directory.
Signed-off-by: Florian Larysch <fl@n621.de>
[Thomas: make the option default to disabled, fix small formatting issues.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 1bf512e9ff wrongly added that
BR2_USE_WCHAR is due to flac dependency but flac is optional so remove
this comment and add boost instead
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A client interface for the Music Player Daemon.
[Peter: license is LGPL-3.0+, add DEVELOPERS entry]
Signed-off-by: Uladzimir Bely <wiselord1983@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Enable CONFIG_IO_URING through LIBURING_LINUX_CONFIG_FIXUPS in case the
user is also building a kernel
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Bootlin toolchains for the OpenRISC architecture have been rebuilt
with the fix for binutils bug 28735, so let's update their definition
in Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
liburing is an optional dependency (enabled by default) since version
4.0.11 and
b1f9aee5c4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is the io_uring library, liburing. liburing provides helpers to
setup and teardown io_uring instances, and also a simplified interface
for applications that don't need (or want) to deal with the full kernel
side implementation.
https://git.kernel.dk/cgit/liburing
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Don't build c_example which needs a dynamic library and so will raise
the following static build failure since bump to version 2021.10 in
commit d1d93d488c and
12647a6ee5:
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/i686-buildroot-linux-uclibc/9.3.0/../../../../i686-buildroot-linux-uclibc/bin/ld: cannot find -lpcm
Fixes:
- http://autobuild.buildroot.org/results/1276a3d49c8848039f034e7f03632df365097e94
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Install libvirt in staging to allow collectd to use it
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Binutils bug 21464 is not present anymore in Buildroot so let's remove it
and its depends on in libgeos and postgis packages.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
After fixing binutils bug 21464, bug 28735 showed up. It got fixed very
soon after my request:
https://sourceware.org/pipermail/binutils/2022-January/119078.html
So let's add the patch and backported patches to all binutils versions to make
Buildroot free from bug 28735. Unfortunately, Bootlin toolchains have just
been rebuilt and will fail because of this bug. This happened because libgeos
was bumped some time ago and was masked by the bug 21464 dependency that
prevented it from building.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Disable execinfo to avoid the following musl build failure raised since
the addition of libexecinfo package in commit
eea8ba446c:
/home/buildroot/autobuild/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-musl/10.3.0/../../../../x86_64-buildroot-linux-musl/bin/ld: /home/buildroot/autobuild/instance-3/output-1/build/openipmi-2.0.28/utils/.libs/libOpenIPMIutils.so: undefined reference to `backtrace'
Fixes:
- http://autobuild.buildroot.org/results/dcc33c5cca97d538231647a94212450f043974b3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patches (already in version)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix the following build failure raised since bump to version 5.41 in
commit d38b72bcd7:
readelf.c: In function 'do_auxv_note':
readelf.c:1046:2: error: 'for' loop initial declarations are only allowed in C99 mode
for (size_t off = 0; off + elsize <= descsz; off += elsize) {
^
Fixes:
- http://autobuild.buildroot.org/results/31cbc313fceb84c0cbb1969fca5ac44244871dbc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The original patch for commit cff428fe31 ("download/git: support Git
LFS") included a call to "git lfs install" but this was a problem as it
could modify ~/.gitconfig outside the dl/ tree. When this was
updated it was thought that the modification to gitconfig was
unnecessary because the LFS fetch and checkout steps are performed
manually.
Unfortunately, this is not correct and the LFS checkout fails with:
Cannot checkout LFS objects, Git LFS is not installed.
Add the call to "git lfs install", with the --local option so that only
the repository's .git/config is modified and not the user's global
~/.gitconfig.
This is also required for submodules as the parent repository's config
is not inherited.
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Create a test to check Mender client at runtime.
The aim of this test is:
- to check the correct execution of simple Mender commands,
in a minimal environment;
- to validate that there are no missing dependencies for runtime.
This test is not a board integration test for Mender,
including well-configured bootloader, partitioning, ...
Check:
- the daemon is started;
- the current 'artifact name' (name of the image or update) of the active
partition is read, without error.
For that, we need to fake (see the 'overlay' directory):
- some bootloader environment variables;
- the name of an update.
Signed-off-by: Mikael Bourhis-Cloarec <mikael.bourhis@smile.fr>
[Romain: remove single hyphen command (Mender 3.0.0)]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Single hyphen commands have been removed since Mender 3.0.0 [1]
[1] fd838ec1b0
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In both bayer2rgb-neon and gst1-plugins-bayer2rgb-neon, the Config.in
comment was not displayed on aarch64, even though both packages are
available on this architecture.
To fix this, this commit introduces
BR2_PACKAGE_BAYER2RGB_NEON_ARCH_SUPPORTS, and makes use of it in both
packages.
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[Thomas: add BR2_PACKAGE_BAYER2RGB_NEON_ARCH_SUPPORTS, use it to fix
both packages]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
gst1-plugins-bayer2rgb-neon doesn't have sub-options so use "config"
instead of "menuconfig".
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>