From the NEWS file:
- Mitigate a flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster". For details see
<https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Build tested with Qemu X86 sample.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
As all librt and libpthread functions are integrated into
libc for a while, workaround no longer required.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Thanks to the bump of gnu-efi from 3.0.5 to 3.0.6, patch 0008 in the
syslinux package is no longer needed. More specifically, it's commit
bf07e8141777e5a2d67ec8447084215224bdad4b in upstream gnu-efi that
fixed the underlying issue.
Signed-off-by: Benoît Allard <benoit.allard@greenbone.net>
[Thomas: add better commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH
values to manipulate the heap/stack, causing them to alias, potentially
resulting in arbitrary code execution. Please note that additional
hardening changes have been made to glibc to prevent manipulation of stack
and heap memory but these issues are not directly exploitable, as such they
have not been given a CVE.
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Patches are identical to upstream, except that the ChangeLog modifications
have been stripped.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-9868: In Mosquitto through 1.4.12, mosquitto.db (aka the
persistence file) is world readable, which allows local users to obtain
sensitive MQTT topic information.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a fix for CVE-2017-9445: In systemd through 233, certain sizes passed to
dns_packet_new in systemd-resolved can cause it to allocate a buffer that's
too small. A malicious DNS server can exploit this via a response with a
specially crafted TCP payload to trick systemd-resolved into allocating a
buffer that's too small, and subsequently write arbitrary data beyond the
end of it.
The other patch fixes an issue with the security fix.
[Peter: use CVE description from MITRE]
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes #9976.
Reported-by: Nick Wright <nwright98@gmail.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit log 0e0ea8cf5e (uboot-tools: install libubootenv to staging)
mentions that installation is done in <pkg>_INSTALL_STAGING_CMDS directly, but
forgot to remove the now empty UBOOT_TOOLS_INSTALL_LIBUBOOTENV.
Cc: Jörg Krause <joerg.krause@embedded.rocks>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
tmpfile support is optional in systemd but the dhcp server installs its
config file in $(TARGET_DIR)/usr/lib/tmpfiles.d directory when systemd
is used as init system.
So it seems that dhcp server requires tmpfile support for systemd based
system.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Also propagate reverse dependency to mesa3d and xserver_xorg-server.
Fixes xserver_xorg-server build
http://autobuild.buildroot.net/results/7da/7da8b46cda8786422e8293f26b79582b35a433d6/
For patch discussion refer to http://patchwork.ozlabs.org/patch/674595/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Thomas: only select BR2_PACKAGE_XPROTO_PRESENTPROTO if
BR2_TOOLCHAIN_HAS_SYNC_4 is available, add comment explaining why.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This is useful on CentOS 7, whose "cmake" utility corresponds to version
2.8.12, which is too old for Buildroot.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add the BR2_CMAKE_CANDIDATES variable, containing a list of candidates
to check and use as BR2_CMAKE, if possible.
This allows using "cmake3" on CentOS 7, whose default cmake corresponds
to version 2.8.12. Example:
$ make BR2_CMAKE_CANDIDATES="cmake cmake3"
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This is useful on CentOS 7 whose "cmake" package provides cmake 2.8.12,
which is too old, but the "cmake3" package (from EPEL) provides version
3.6.3, which is satisfactory. Examples:
$ sh support/dependencies/check-host-cmake.sh 2.8 cmake cmake3
/usr/bin/cmake
$ sh support/dependencies/check-host-cmake.sh 3.1 cmake cmake3
/usr/bin/cmake3
$ sh support/dependencies/check-host-cmake.sh 3.8 cmake cmake3
(nothing)
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Pass the minimal version before the program name. In a later change the
script will become able to test a list of candidates.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit fixes a problem where it was not possible to replace
/etc/shadow with a symlink to e.g. a user partition where the
shadow file is placed. This is required, e.g. for systems where the
rootfs is mounted read-only but users should still be able to be
added. Thus, if within a filesystem overlay setup a user tries
to replace /etc/shadow with a symlink to the real file on a user
partition a buildroot build stops with an error message because
sed is called on the symlink instead of following the symlink.
This commit fixes this shortcoming.
Signed-off-by: Jens Maus <mail@jens-maus.de>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
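The commit message above concerns editing /etc/shadow when it is a symlink. The following sketch is an added illustration, not Buildroot's code and not taken from that commit: it shows the general hazard that an in-place edit done as "write a temp file, rename over the path" replaces the symlink itself, next to an edit that resolves the link first. The function names, the temp-dir layout and the `HASH` placeholder are assumptions constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: all paths live in a throwaway temp dir, nothing touches /etc.

# Typical in-place edit: write a temp file, then rename it over the path.
# rename(2) acts on the link itself, so a symlink at "$1" is replaced
# by a regular file and the real file behind it is never updated.
edit_by_rename() {
    tmp="$1.tmp.$$"
    sed "$2" "$1" > "$tmp" && mv -f "$tmp" "$1"
}

# Symlink-aware edit: resolve the link first, then rewrite the target's
# contents without replacing the link. Fails if the target is missing.
edit_through_link() {
    target=$(readlink -f "$1") || return 1
    [ -f "$target" ] || { echo "missing target: $target" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if sed "$2" "$target" > "$tmp"; then
        cat "$tmp" > "$target"   # keeps the target's inode, owner and mode
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Build a rootfs-like layout with etc/shadow -> ../userfs/shadow (sample data).
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/userfs"
    printf 'root::10933:0:99999:7:::\n' > "$d/userfs/shadow"
    chmod 600 "$d/userfs/shadow"
    ln -s ../userfs/shadow "$d/etc/shadow"
    echo "$d"
}

demo() {
    a=$(make_demo_tree); b=$(make_demo_tree)
    edit_by_rename    "$a/etc/shadow" 's,^root:[^:]*:,root:HASH:,'
    edit_through_link "$b/etc/shadow" 's,^root:[^:]*:,root:HASH:,'
    [ -L "$a/etc/shadow" ] || echo "rename: symlink replaced by a regular file"
    [ -L "$b/etc/shadow" ] && echo "resolve: symlink kept, target updated"
    rm -rf "$a" "$b"
}
demo
```

After the rename-style edit the password change lands in a new regular file at etc/shadow while the file on the user partition keeps its old contents, which is the state to look for when auditing a generated rootfs.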
We do not support uClibc-ng/musl C library version choice support,
do the same for GNU C Library.
No legacy handling required as only version choice is removed.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas: move 3.2 kernel headers dependency to the libc choice in
toolchain/toolchain-buildroot/Config.in file, and added a Config.in
comment about it.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Optional C++ support depends on icu, the icu version bump to 59.1
brought ABI-breaking changes
http://site.icu-project.org/download/59#TOC-char16_t-in-C-
which are incompatible with beecrypt. Since beecrypt did not get any
updates upstream since 2009 and no package uses beecrypt's C++ support
we disable this broken option.
With C++ support removed patches 0002 & 0004 are not needed anymore.
Fixes
http://autobuild.buildroot.net/results/a1a/a1ad507371192ddecacab0df91f7b2a84c7c288d/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add initial support for Engicam Is.IoT MX6UL SOM board
with below features:
- U-Boot 2017.07-rc1
- Linux 4.11.5
- Default packages from buildroot
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
[Thomas: add host-dosfstools/host-mtools.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add initial support for Engicam GEAM6UL SOM board
with below features:
- U-Boot 2017.07-rc1
- Linux 4.11.5
- Default packages from buildroot
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
[Thomas: add host-dosfstools and host-mtools.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Create board/engicam/icorem6 for i.CoreM6 supported files
and update the readme.txt so that it can list i.CoreM6 board
details.
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add initial support for Engicam i.CoreM6 Quad/Dual/DualLite/Solo RQS
board with below features:
- U-Boot 2017.07-rc1
- Linux 4.11.5
- Default packages from buildroot
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
[Thomas: add missing host-dosfstools and host-mtools.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
A VFAT filesystem is described in the genimage configuration file, so
we need host-dosfstools and host-mtools enabled in the defconfig.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add initial support for Engicam i.CoreM6 DualLite/Solo board
with below features:
- U-Boot 2017.07-rc1
- Linux 4.11.5
- Default packages from buildroot
U-Boot 2017.07-rc1 has common u-boot defconfig for all i.CoreM6
variant boards, so this patch updates the same along with
buildroot defconfig that reflects the common name.
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Patches were changed to git format, because libglib is a git project.
0003-gio-2.0.pc-include-libmount-in-Libs.private.patch was added to upstream
as of commit:
https://git.gnome.org/browse/glib/commit/?id=ecdd3c29fc4bd28f01fe53d0528bfee888c9c62c.
Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The gitlab repo is much more informative and updated.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Forward port 0001-link-against-libintl.patch. Since now autoreconf works, move
the patch from Makefile.in to Makefile.am. Also, convert to git format.
Remove 0002-no-__progname.patch. Buildroot default uClibc and musl now provide
__progname.
Add a patch that adds the git-version-gen script to fix autoreconf.
Remove upstream patch.
Upstream switched to .xz tarballs.
Add upstream provided hashes.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add host-pkgconf to dependencies as we now use PKG_CHECK_MODULES in
configure.ac.
Changelog for v0.3:
New features:
- gpiomon can now watch multiple lines at the same time and supports custom
output formats which can be specified using the --format argument
- testing framework can now test external programs: test cases for gpio-tools
have been added
Improvements:
- improve error messages
- improve README examples
- configure script improvements
Bug fixes:
- use correct UAPI flags when requesting line events
Also includes bug fixes from v0.2.1:
Bug fixes:
- capitalize 'GPIO' in error messages in gpioset, gpioget & gpiomon
- tweak the error message on invalid arguments in gpiofind
- don't ignore superfluous arguments and fix the displayed name for falling
edge events in gpiomon
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add two upstreamable patches for this package to fix uClibc
and musl builds.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The two patches are no longer needed with the latest upstream version,
so bump to the latest one.
Tested on imx6.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- Update the "basic set" description to include fincore, which is built
by default, and remove tailf, which was removed in this version.
- Add configuration options for the new utilities "chmem" and "lsmem".
- Add a patch to revert the assumption that ncursesw headers are under
/usr/include/ncursesw/ only. That's necessary to have both versions
for ABI/API compatibility but does not make sense on embedded systems.
- Drop autoreconf, since the patch on term-utils/Makemodule.am is gone.
The patch is a bit drastic but it solves the problem of using ncursesw
while we discuss a better solution in the util-linux mailing list.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes the following security issues:
CVE-2016-9577
Frediano Ziglio of Red Hat discovered a buffer overflow
vulnerability in the main_channel_alloc_msg_rcv_buf function. An
authenticated attacker can take advantage of this flaw to cause a
denial of service (spice server crash), or possibly, execute
arbitrary code.
CVE-2016-9578
Frediano Ziglio of Red Hat discovered that spice does not properly
validate incoming messages. An attacker able to connect to the
spice server could send crafted messages which would cause the
process to crash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2016-0749: The smartcard interaction in SPICE allows remote attackers to
cause a denial of service (QEMU-KVM process crash) or possibly execute
arbitrary code via vectors related to connecting to a guest VM, which
triggers a heap-based buffer overflow.
CVE-2016-2150: SPICE allows local guest OS users to read from or write to
arbitrary host memory locations via crafted primary surface parameters, a
similar issue to CVE-2015-5261.
The pyparsing check has been dropped from configure, and the spice protocol
definition is again included, so the workarounds can be removed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>