Security Fixes:
- rndc "" could trigger an assertion failure in named. This flaw is
disclosed in CVE-2017-3138. [RT #44924]
- Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed in
CVE-2017-3137. [RT #44734]
- dns64 with break-dnssec yes; can result in an assertion failure. This
flaw is disclosed in CVE-2017-3136. [RT #44653]
- If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server
crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
- A coding error in the nxdomain-redirect feature could lead to an
assertion failure if the redirection namespace was served from a
local authoritative data source such as a local zone or a DLZ instead
of via recursive lookup. This flaw is disclosed in CVE-2016-9778.
[RT #43837]
- named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
- named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
- named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
- It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
Full release notes:
ftp://ftp.isc.org/isc/bind9/9.11.0-P5/RELEASE-NOTES-bind-9.11.0-P5.html
Also, remove --enable-rrl configure option from bind.mk as it doesn't
exist anymore.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add a config option for enabling/disabling SMP
in Xenomai userspace in version 3.x
Enabled by default.
Signed-off-by: Pawel Sikora <sikor6@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout at mind.be>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Thomas: implement minor tweaks suggested by Thomas DS.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add an option choice for Cobalt or Mercury core
depending on option BR2_LINUX_KERNEL_EXT_XENOMAI.
Signed-off-by: Pawel Sikora <sikor6@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout at mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes a follow-up error with this defconfig
http://autobuild.buildroot.net/results/642/6422adeef19ec547c7bc3f8ad3b0d51702015240/
which occurs after disabling inline mmx with the previous patch:
This is the error message:
fmpeg/libavcodec/libavcodec.a(apedec.o): In function `ape_decode_frame':
apedec.c:(.text+0x1df5): undefined reference to `avpriv_emms_yasm'
ffmpeg/libavcodec/libavcodec.a(asvdec.o): In function `decode_frame':
asvdec.c:(.text+0x77c): undefined reference to `avpriv_emms_yasm'
ffmpeg/libavcodec/libavcodec.a(bink.o): In function `decode_frame':
bink.c:(.text+0x2809): undefined reference to `avpriv_emms_yasm'
ffmpeg/libavcodec/libavcodec.a(dvdec.o): In function `dvvideo_decode_frame':
dvdec.c:(.text+0x575): undefined reference to `avpriv_emms_yasm'
ffmpeg/libavcodec/libavcodec.a(ffv1dec.o): In function `decode_slice':
ffv1dec.c:(.text+0x3110): undefined reference to `avpriv_emms_yasm'
ffmpeg/libavcodec/libavcodec.a(h264.o):h264.c:(.text+0xea8): more undefined references to `avpriv_emms_yasm' follow
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
MPlayer contains mmxext code for which a SSE-enabled CPU is required,
for details see https://bugs.funtoo.org/browse/FL-2202
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The mod_redis module enables ProFTPD support for caching data in Redis
servers, using the hiredis client library. This is available since
proftpd-1.3.6rc5 and later.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Patch 0002-__mempcpy.patch is not necessary since this commit:
8dfaceb389
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
A long time ago, the blind config option BR2_LINUX_KERNEL_UBOOT_IMAGE
was introduced to be able to trigger the linux -> host-uboot-tools
dependency. Back in those days, there was no user-configurable
BR2_PACKAGE_HOST_UBOOT_TOOLS.
Now, however, it is possible to select a custom kernel image name that
needs uboot-tools, and manually enable BR2_PACKAGE_HOST_UBOOT_TOOLS. In
this case, however, the linux -> host-uboot-tools is missed and the
build is not reproducible. An example of such a situation is the
upcoming CI40 defconfig.
As a solution, remove BR2_LINUX_KERNEL_UBOOT_IMAGE entirely. Instead,
just select BR2_PACKAGE_HOST_UBOOT_TOOLS and add the dependency if it
is selected.
Note that this may introduce a redundant dependency in case the user
selected BR2_PACKAGE_HOST_UBOOT_TOOLS for some other reason (e.g. to
be able to generate a U-Boot environment to include in the image, while
the kernel is built as a zImage). However, the redundant dependency
shouldn't hurt much.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Abhimanyu Vishwakarma <abhimanyu.v@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
While testing minetest with libhiredis library, the game crashed due to
missing libhiredis.so.0.13 library.
The hiredis.mk doesn't use "make install" because "make install" depends
on building both the shared and static libraries, which fails in
static-only scenarios.
However, the installation logic in hiredis.mk is bogus: it installs the
library as libhiredis.so, while its SONAME is libhiredis.so.0.13. We fix
this by using the same logic as the one done by the package "make
install" process: install the library as libhiredis.so.0.13, and create
libhiredis.so as a symbolic link to it.
While at it:
- Install the library 0755, this is more common.
- Do not create $(TARGET_DIR)/usr/lib, since $(INSTALL) -D will create
the necessary directories for the destination path.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: rework to use the same installation logic as the one from
hiredis "make install".]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
With this patch we add a couple of out-of-tree patches for u-boot.
We have an update in hardware that changed the kick-start slave cores
procedure. So these patches introduce fixes to work with new axs103
version correctly.
They have been already accepted in upstream u-boot so we need to get rid
of them as soon as these updates become available in buildroot.
Signed-off-by: Vlad Zakharov <vzakhar@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
With this commit we update axs10x defconfigs with the following changes:
- rename "snps_axs101_defconfig" and "snps_axs103_defconfig" to
"snps_arc700_axs101_defconfig" and "snps_archs38_axs103_defconfig",
to reflect the ARC core being used
- bump linux kernel version to 4.10.8
- set up host linux headers to 4.10
- bump u-boot version to 2017.01
Signed-off-by: Vlad Zakharov <vzakhar@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
With this commit we update snps_archs38_zebu_defconfig with the following:
- bump linux kernel version to 4.10.9
- set up host linux headers to 4.10
Signed-off-by: Vlad Zakharov <vzakhar@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CVE-2017-7407: --write-out out of buffer read
https://curl.haxx.se/docs/adv_20170403.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Select the fsck required by systemd provided by util-linux. This
prevents ending up with fsck from busybox, which is incompatible
with systemd.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Update Xen to version 4.8.1 and update the patches to allow Xen
hypervisor and Xen tools to build.
The patches applied were rearranged a little bit. Patches 2, 3 and 4
have been accepted by upstream Xen and won't be required in future
releases.
Patch 1 (previously patch 2) is still required and was moved to patch 1
to better reflect its status.
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In 2010 commit 32d319e6f "gst-plugins-base: ensure <stdint.h> is used"
introduced a typo (missing backslash) that made the code ineffective.
It can be confirmed by looking at the output of:
$ make printvars | grep '^GST_PLUGINS_BASE_CONF_ENV\|^FT2_CONFIG'
FT2_CONFIG=/bin/false ac_cv_header_stdint_t="stdint.h"
GST_PLUGINS_BASE_CONF_ENV=
Add the missing backslash to fix the code.
While at it, fix the indentation to use one tab instead of two.
The (end of the) diff of config.log confirms the code is still needed
when the host has freetype-config installed:
@@ -1674,10 +1674,8 @@
configure:21882: checking for emmintrin.h
configure:21882: result: no
configure:21894: checking for stdint types
-configure:21917: /tmp/gst/output/host/usr/bin/i686-pc-linux-gnu-gcc -std=gnu99 -c conftest.c >&5
-configure:21917: $? = 0
configure:21961: result: stdint.h (shortcircuit)
-configure:22348: result: make use of stdint.h in _stdint.h (assuming C99 compatible system)
+configure:22348: result: make use of stdint.h in _stdint.h
configure:22359: checking for localtime_r
configure:22359: /tmp/gst/output/host/usr/bin/i686-pc-linux-gnu-gcc -std=gnu99 -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c >&5
configure:22359: $? = 0
@@ -2468,8 +2466,7 @@
Package 'freetype2', required by 'world', not found
configure:31257: result: no
configure:31298: checking for freetype-config
-configure:31316: found /usr/bin/freetype-config
-configure:31329: result: /usr/bin/freetype-config
+configure:31329: result: /bin/false
configure:31339: checking for FreeType - version >= 2.0.9
configure:31427: result: yes
configure:32250: creating ./config.status
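Review bot: in this hunk the context line "configure:31427: result: yes" for the FreeType version check is unchanged even though FT2_CONFIG now resolves to /bin/false. The commit message should say whether configure is expected to keep reporting FreeType as present in that case, given that the last hunk shows FT2_CFLAGS and FT2_LIBS ending up empty.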
@@ -2789,7 +2786,7 @@
ac_cv_objext='o'
ac_cv_path_EGREP='/bin/grep -E'
ac_cv_path_FGREP='/bin/grep -F'
-ac_cv_path_FT2_CONFIG='/usr/bin/freetype-config'
+ac_cv_path_FT2_CONFIG='/bin/false'
ac_cv_path_GMSGFMT='/tmp/gst/output/host/usr/bin/msgfmt'
ac_cv_path_GREP='/bin/grep'
ac_cv_path_MSGFMT='/tmp/gst/output/host/usr/bin/msgfmt'
@@ -2818,7 +2815,6 @@
ac_cv_prog_cxx_g='yes'
ac_cv_prog_make_make_set='yes'
ac_cv_stdint_message='using gnu compiler i686-pc-linux-gnu-gcc (Sourcery CodeBench Lite 2012.09-62) 4.7.2'
-ac_cv_stdint_result='(assuming C99 compatible system)'
ac_cv_sys_file_offset_bits='no'
ac_cv_sys_largefile_CC='no'
ac_cv_sys_largefile_source='no'
@@ -2965,9 +2961,9 @@
EXEEXT=''
FFLAGS=' -Os '
FGREP='/bin/grep -F'
-FT2_CFLAGS='-I/usr/include/freetype2'
-FT2_CONFIG='/usr/bin/freetype-config'
-FT2_LIBS='-lfreetype'
+FT2_CFLAGS=''
+FT2_CONFIG='/bin/false'
+FT2_LIBS=''
GCOV=''
GCOV_CFLAGS=''
GCOV_LIBS=''
Detected by check-package.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In the default xserver_xorg-server version 1.19.x, the AIGLX option
is no longer available (cfr. commit ec502ea8e4). In fact, AIGLX is
always enabled. So remove this option.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Now we have changed the default ext2/3/4 filesystem size from automatic
to 60MB, the minnowboard_max graphical demo config doesn't fit anymore.
So increase it to double.
The exact number doesn't matter much, it has to be somewhat smaller
than 128MiB, so let's take a round number of 120000K.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
According to the Buildroot convention, 'depends on' attributes shall
come before 'select' ones in Kconfig files.
Detected by check-package.
Signed-off-by: Rodrigo Rebello <rprebello@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Security fix:
passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, using specially crafted
%variables in the username could be used to cause DoS (CVE-2017-2669)
Full ChangeLog 2.2.29 (including CVE fix):
https://www.dovecot.org/list/dovecot-news/2017-April/000341.html
Full ChangeLog 2.2.29.1 (some fixes forgotten in the 2.2.29 release):
https://www.dovecot.org/list/dovecot-news/2017-April/000344.html
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Support was added by this commit:
8bf3932539
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The host package will be needed by tvheadend.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Thomas:
- group the host commands together and the target commands together
- use --prefix=$(HOST_DIR)/usr for host configuration, and do not
override PREFIX= at host install time
- use DESTDIR=$(TARGET_DIR) instead of overriding PREFIX= at target
install time.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
[Thomas: use SPDX license codes.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
A similar fix was committed to ffmpeg in the past:
https://git.buildroot.net/buildroot/commit/package/ffmpeg?id=bfb8df2ad9b164b421d25294c6882c8b61dc59a5
which will be reverted with another patch.
Mplayer contains ffmpeg 3.0, with current ffmpeg 3.2.4 the bug is gone,
the difference between both revisions is too big in order to find a
real fix for the problem.
Special cflags, added by
https://git.buildroot.net/buildroot/commit/package/multimedia/mplayer?id=fd38100e1189d19cad87a64c52df2c773eb47e40
are no longer needed now so remove them as well.
Testing these defconfigs did not produce compile errors with current
ffmpeg but with mplayer:
BR2_i386=y
BR2_x86_i586=y
BR2_GCC_VERSION_4_8_X=y

BR2_i386=y
BR2_x86_i586=y
BR2_GCC_VERSION_5_X=y

BR2_i386=y
BR2_x86_i586=y
BR2_GCC_VERSION_6_X=y

BR2_i386=y
BR2_x86_i486=y
BR2_GCC_VERSION_5_X=y

BR2_i386=y
BR2_x86_i686=y
BR2_GCC_VERSION_5_X=y

BR2_i386=y
BR2_x86_pentium_mmx=y
BR2_GCC_VERSION_5_X=y

BR2_i386=y
BR2_x86_corei7=y
BR2_GCC_VERSION_5_X=y
Fixes
http://autobuild.buildroot.net/results/030/03066dd8937ef4c75d62f237fd195df92b247ee2//
and many others.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This reverts commit bfb8df2ad9.
With current toolchains it was not possible to trigger the bug anymore.
Tested with these settings:
BR2_i386=y
BR2_x86_i586=y
BR2_GCC_VERSION_4_8_X=y

BR2_i386=y
BR2_x86_i586=y
BR2_GCC_VERSION_5_X=y

BR2_i386=y
BR2_x86_i586=y
BR2_GCC_VERSION_6_X=y

Other x86 variants also work:

BR2_i386=y
BR2_x86_i486=y
BR2_GCC_VERSION_5_X=y

BR2_i386=y
BR2_x86_i686=y
BR2_GCC_VERSION_5_X=y

BR2_i386=y
BR2_x86_pentium_mmx=y
BR2_GCC_VERSION_5_X=y

BR2_i386=y
BR2_x86_corei7=y
BR2_GCC_VERSION_5_X=y
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This python utility scans the logs for messages logged when the system
denied permission for operations, and generates a snippet of policy
rules which, if loaded into policy, might have allowed those operations
to succeed. However, this utility only generates Type Enforcement (TE)
allow rules.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
[Thomas: adjust Config.in to propagate the dependencies of sepolgen,
checkpolicy and python3.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
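
The log-to-rule step described in the commit message above, as an added example that is not part of the original commit and is not the packaged utility's code: it parses AVC denial lines and emits Type Enforcement allow rules, merging permissions per (source type, target type, class). The function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the fields of a kernel AVC denial that a TE allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample audit log lines (not taken from a real system).
SAMPLE_LOG = [
    'type=AVC msg=audit(1491400000.101:11): avc:  denied  { read } for  pid=412 '
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1491400000.102:12): avc:  denied  { open } for  pid=412 '
    'comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1491400000.103:13): avc:  denied  { net_admin } for  pid=412 '
    'comm="httpd" capability=12 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(1491400000.103:13): arch=c000003e syscall=2 success=no',
    'type=AVC msg=audit(1491400000.104:14): avc:  granted  { setenforce } for  pid=1 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 '
    'tclass=security',
]

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def denials_to_allow_rules(lines):
    """Turn AVC denial lines into sorted, de-duplicated TE allow rules."""
    merged = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial (other record types, "granted" messages)
        src, tgt = context_type(m["scon"]), context_type(m["tcon"])
        if src is None or tgt is None:
            continue  # malformed context, skip rather than guess
        if tgt == src:
            tgt = "self"  # policy language keyword for source == target
        merged[(src, tgt, m["tclass"])].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules
```

Each generated rule grants exactly what was denied, so the output is a list of candidates to review against the intended policy before anything is loaded.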