Our pkg-config wrapper is not used since commit
4e0bc29993, this raise static build
failures with libglib2 because --static is not passed anymore to
pkg-config so add a patch to get back the old behaviour.
The patch was proposed upstream
https://github.com/mesonbuild/meson/pull/6629, and the feedback was
not very positive. However, we need a solution that works for
Buildroot now, and this proposal is simple enough.
Fixes:
http://autobuild.buildroot.org/results/0d36952def63cb69628697fa6408aeb6ce10cb5b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf75d7da98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
wget has an optional dependency to libiconv:
http://git.savannah.gnu.org/cgit/wget.git/tree/configure.ac#n344
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a3460121b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since there is a variable definition between the definition of
BR2_PACKAGE_JPEG and the choice depending on it, the choice is
not indented bewlo the "jpeg support" prompt, like we like to
have:
[*] jpeg support
jpeg variant (jpeg-turbo) --->
Move the BR2_PACKAGE_JPEG right before the choice (really, move
BR2_PACKAGE_JPEG_SIMD_SUPPORT before BR2_PACKAGE_JPEG, but diff
finds the move of BR2_PACKAGE_JPEG is smaller to display):
[*] jpeg support
jpeg variant (jpeg-turbo) --->
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7a48ac725f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 02dfcda54a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f0c0c7b75d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f2047e3d00)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit 2cc2ae83fc, kodi-pvr-vuplus
has a dependency on json-for-modern-cpp, but the dependency of
json-for-modern-cpp on gcc >= 4.9 was not propagated. Let's fix that.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 76c2914703)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As reported by our gitlab runtime test [1] and on the mailing list
[2], the test_python_django is failing due to django server taking a
lot of time to start. Since the django server is started in background
through pexpect, we can't easily wait for the last startup line:
"January 01, 1970 - 00:00:41
Django version 3.0.4, using settings 'testsite.settings'
Starting development server at http://0.0.0.0:1234/
Quit the server with CONTROL-C."
In the failing gitlab job, we don't see such lines.
If we increase a lot the timout, the test passes.
Use timeout_multiplier introduced by [3] in order to adjust the
timeout.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/488816222
Tested:
https://gitlab.com/kubu93/buildroot/-/jobs/507458355
[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/488816222
[2] http://lists.busybox.net/pipermail/buildroot/2020-April/279598.html
[3] 6e45e33f27
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3e6b97e09e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 9cae8f557b introduced an optional
dependency on GPM, but got the name of the option wrong, and used
GMP. In fact, even the commit title was wrong.
This causes a build failure:
Makefile:578: *** gpm is in the dependency chain of mc that has added it to its _DEPENDENCIES variable without selecting it or depending on it from Config.in. Stop.
Fixes:
http://autobuild.buildroot.net/results/52fb92ae7dd55cba7d19862bb6cd89c80da9a4b6/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 52d10583b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream commit
b9c295d3cf
which has been part of the releases since v19.10.1 has added
werkzeug dependency.
Without werkzeug package, the test TestPythonPy3Crossbar
is failing at runtime with this error:
ModuleNotFoundError: No module named 'werkzeug'
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/498144523
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3d4a545630)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove erroneously python-lxml dependency (as noted by
Peter Korsgaard).
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Reviewed-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ebc55329cb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build can fail because boinc uses curl-config that it founds on host:
checking for curl-config... /usr/bin/curl-config
checking for the version of libcurl... 7.47.0
checking for libcurl >= version 7.17.1... yes
checking whether libcurl is usable... no
Fixes:
- http://autobuild.buildroot.org/results/26ab8024e3ef70b898981763f4ea89b647cc9f4b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 546d280b24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit dcaf6e75a (package/gcc: pass -Wno-error to debug builds)
introduced non-ASCII characters in a comment, copy-pasted from a
terminal output.
check-package does not like non-ASCII characters, and whines about
them.
Replace the fancy quotes by standard ASCII ones.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2a6003ddd5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2020-11100: In hpack_dht_insert in hpack-tbl.c in the HPACK
decoder in HAProxy 1.8 through 2.x before 2.1.4, a remote attacker can
write arbitrary bytes around a certain location on the heap via a
crafted HTTP/2 request, possibly causing remote code execution.
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5ec43086bc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
* CVE-2020-11501: It was found that GnuTLS 3.6.3 introduced a
regression in the DTLS protocol implementation. This caused the DTLS
client to not contribute any randomness to the DTLS negotiation
breaking the security guarantees of the DTLS protocol.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 170d06cfc6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b27a07ceb6)
[Peter: drop 5.5.x / 5.6.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gcc fails to build in debug build with debug optimisations:
BR2_x86_corei7=y
BR2_ENABLE_DEBUG=y
BR2_DEBUG_3=y
BR2_OPTIMIZE_G=y
BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
which fails with:
../../../../libsanitizer/libbacktrace/../../libbacktrace/elf.c:772:21: error: ‘st.st_mode’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
return S_ISLNK (st.st_mode);
^
Upstream has been unable to reproduce/fix properly, details:
https://gcc.gnu.org/legacy-ml/gcc-patches/2019-03/threads.html#00827
Upstream recommends passing -Wno-error as a workaround, see:
https://gcc.gnu.org/pipermail/gcc-patches/2019-April/519867.html
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[yann.morin.1998@free.fr: add the reproducing defconfig]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit dcaf6e75ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
After the staging installation, we replace a number of paths in libtool
.la files so that those paths point to STAGING_DIR instead of a location
in the build machine.
However, we replace only paths that start with /usr. And it turns out
that the linux-pam package is configured with --libdir=/lib (linux-pam
seems to always be installed in /lib rather than /usr/lib).
Due to this, libpam.la contains the following line:
libdir='/lib'
When building a configuration that has:
- BR2_ROOTFS_MERGED_USR=y
- BR2_PACKAGE_LINUX_PAM=y
- BR2_PACKAGE_POLKIT=y
on a system that has its system-wide PAM library installed in /lib,
the build fails with:
/lib/libpam.so: file not recognized: File format not recognized
For some reason, libtool searches only in STAGING_DIR/usr/lib, but
when BR2_ROOTFS_MERGED_USR=y, STAGING_DIR/lib points to
STAGING_DIR/usr/lib, so libtool finds libpam.la. And this libpam.la
contains a bogus libdir='/lib' path. libtool then goes on, finds
/lib/libpam.so, and links with it, causing the build failure.
By doing the proper replacement of libdir='/lib', we have a correct
libpam.la, and solve the build issue.
There is no autobuilder failure associated to this issue, as it
requires /lib/libpam.so to exist. This is the case on ArchLinux, on
which Xogium reported the issue, which can also be reproduced in an
ArchLinux container.
Reported-by: Xogium <contact@xogium.me>
Cc: Xogium <contact@xogium.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr:
- tested by manually creating a symlink to libpam.so in /lib
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7ae7c82dd6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2020-5291: Bubblewrap (bwrap) before version 0.4.1, if installed
in setuid mode and the kernel supports unprivileged user namespaces,
then the `bwrap --userns2` option can be used to make the setuid process
keep running as root while being traceable. This can in turn be used to
gain root permissions. Note that this only affects the combination of
bubblewrap in setuid mode (which is typically used when unprivileged
user namespaces are not supported) and the support of unprivileged user
namespaces.
Also update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d82a5ade0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The following defconfig:
BR2_x86_i686=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://toolchains.bootlin.com/downloads/releases/toolchains/x86-i686/tarballs/x86-i686--glibc--bleeding-edge-2018.11-1.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_8=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_14=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_INIT_NONE=y
BR2_TARGET_SYSLINUX=y
BR2_TARGET_SYSLINUX_EFI=y
fails to build due to missing setjmp/longjmp definitions, which is a
consequence of a change introduced between gnu-efi 3.0.9 and 3.0.10.
This build failure is fixed by adding another syslinux paytch, which
has been submitted upstream.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6d5da6d916)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the swupdate SYSTEMD option is enabled, systemd needs to be built
before swupdate, otherwise the build fails with:
core/notifier.c:27:10: fatal error: systemd/sd-daemon.h: No such file or directory
27 | #include <systemd/sd-daemon.h>
| ^~~~~~~~~~~~~~~~~~~~~
Of course, it remains up to the user to make sure that the systemd
package is enabled when systemd support is enabled in the swupdate
configuration.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bea0d20c78)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 79c640e2e0)
[Peter: drop 5.5.x / 5.6.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The cgit URL is a mirror of the gitlab repository.
The README.md file of the kmscube project also points
to the gitlab repository, so switch the URL accordingly.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8ab9acbed8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The sysdig homepage we have points to an "on-sale" domain, that is
purportedly serving malware while at it. Update to point to the wiki on
github instead.
Fixes#12746.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- use wiki instead of git repo
- expand commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ca3166da48)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
"This release fixes three security issues in ntpd and provides 46
bugfixes and addresses 4 other issues." [1]
NONE: Sec 3610: process_control() should bail earlier on short packets.
MEDIUM: Sec 3596: Unauthenticated ntpd may be susceptible to IPv4 spoof
attack from highly predictable transmit timestamps.
MEDIUM: Sec 3592: DoS Attack on unauthenticated client.
The fix for https://bugs.ntp.org/3445 introduced a bug whereby a system that
is running ntp-4.2.8p12 (possibly earlier) or p13 that only has one
unauthenticated time source can be attacked in a way that causes the
victim's next poll to its source to be delayed, for as long as the attack is
maintained.
[1] http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele
The copyright year has changed in the COPYRIGHT file, so adjust the hash to
match and adjust the spacing to match recent agreements:
@@ -3,7 +3,7 @@
jpg "Clone me," says Dolly sheepishly.
- Last update: 2-Jan-2017 11:58 UTC
+ Last update: 4-Feb-2020 23:47 UTC
__________________________________________________________________
The following copyright notice applies to all files collectively called
@@ -32,7 +32,7 @@
Burnicki is:
***********************************************************************
* *
-* Copyright (c) Network Time Foundation 2011-2017 *
+* Copyright (c) Network Time Foundation 2011-2020 *
* *
* All Rights Reserved *
* *
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[Peter: clarify security impact, document COPYRIGHT change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9daf7483e9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The help text of BR2_LINUX_KERNEL_IMAGE_NAME is somewhat incomplete,
in the sense that it assumes just a filename can be passed, while it
can be a relative path, such as 'compressed/vmlinux.bin.z'. So make it
clear that such paths are relative to arch/ARCH/boot/.
Also, drop the part about this being only useful for Xtensa as this is
not true: on MIPS it might be needed as well for some specific image
types.
Reported-by: Paul Cercueil <paul@crapouillou.net>
Cc: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ea044ee20c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Linux kernel image is typically found in arch/ARCH/boot/, which is
why LINUX_IMAGE_PATH is defined as:
LINUX_IMAGE_PATH = $(LINUX_ARCH_PATH)/boot/$(LINUX_IMAGE_NAME)
However, on MIPS, some kernel image types are available from
arch/mips/boot/compressed, or even at the top-level directory. For
such cases, LINUX_IMAGE_NAME might be set (using
BR2_LINUX_KERNEL_IMAGE_NAME) to values such as:
compressed/vmlinux.bin.z
or
../../../uzImage.bin
Except that the line:
$(INSTALL) -m 0644 -D $(LINUX_IMAGE_PATH) $(1)/$(LINUX_IMAGE_NAME)
will lead to such images be installed in:
$(TARGET_DIR)/boot/compressed/vmlinux.bin.z
$(BINARIES_DIR)/compressed/vmlinux.bin.z
and:
$(TARGET_DIR)/boot/../../../uzImage.bin
$(BINARIES_DIR)/../../../uzImage.bin
which of course is completely bogus.
So let's install them under their name, not their full relative path
to arch/ARCH/boot/.
Reported-by: Paul Cercueil <paul@crapouillou.net>
Cc: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 19be97d497)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues (1.1.1e):
CVE-2019-1551 [Low severity]: There is an overflow bug in the x64_64
Montgomery squaring procedure used in exponentiation with 512-bit moduli.
No EC algorithms are affected. Analysis suggests that attacks against
2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect
would be very difficult to perform and are not believed likely. Attacks
against DH512 are considered just feasible. However, for an attack the
target would have to re-use the DH512 private key, which is not recommended
anyway. Also applications directly using the low level API BN_mod_exp may
be affected if they use BN_FLG_CONSTTIME. Reported by OSS-Fuzz and Guido
Vranken.
https://www.openssl.org/news/secadv/20191206.txt
CVE-2019-1563 [Low severity]: In situations where an attacker receives
automated notification of the success or failure of a decryption attempt an
attacker, after sending a very large number of messages to be decrypted, can
recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted
message that was encrypted with the public RSA key, using a Bleichenbacher
padding oracle attack. Applications are not affected if they use a
certificate together with the private RSA key to the CMS_decrypt or
PKCS7_decrypt functions to select the correct recipient info to decrypt.
Reported by Bernd Edlinger.
https://www.openssl.org/news/secadv/20190910.txt
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d397b231b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect
indication of disconnection in certain situations because source address
validation is mishandled. This is a denial of service that should have
been prevented by PMF (aka management frame protection). The attacker
must send a crafted 802.11 frame from a location that is within the
802.11 communications range.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 650d907c13)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect
indication of disconnection in certain situations because source address
validation is mishandled. This is a denial of service that should have
been prevented by PMF (aka management frame protection). The attacker
must send a crafted 802.11 frame from a location that is within the
802.11 communications range.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 749fbab0bb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2017-6892: In libsndfile version 1.0.28, an error in the
"aiff_read_chanmap()" function (aiff.c) can be exploited to cause an
out-of-bounds read memory access via a specially crafted AIFF file.
- Fix CVE-2017-8361: The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(buffer overflow and application crash) or possibly have unspecified
other impact via a crafted audio file.
- Fix CVE-2017-8362: The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(invalid read and application crash) via a crafted audio file.
- Fix CVE-2017-8363: The flac_buffer_copy function in flac.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(heap-based buffer over-read and application crash) via a crafted
audio file.
- Fix CVE-2017-8365: The i2les_array function in pcm.c in
libsndfile 1.0.28 allows remote attackers to cause a denial of service
(buffer over-read and application crash) via a crafted audio file.
- Fix CVE-2017-12562: Heap-based Buffer Overflow in the
psf_binheader_writef function in common.c in libsndfile through 1.0.28
allows remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 76d5ab4d17)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If python or python3 is selected, nftables should depend on the package
and set the --enable-python option, otherwise set --disable-python
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d6f33d36af)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
