Fixes the following security issues:
- CVE-2019-19921: runc volume mount race condition with shared mounts
- CVE-2019-16884: runc through 1.0.0-rc8, as used in Docker through
19.03.2-ce and other products, allows AppArmor restriction bypass because
libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a
malicious Docker image can mount over a /proc directory.
For details, see the announcement:
https://github.com/containerd/containerd/releases/tag/v1.2.12
containerd is now a separate CNCF sponsored project, and is no longer
explicitly associated with docker/moby.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps Linux CIP RT version to 4.19.98-cip19-rt7.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps Linux CIP version to 4.19.98-cip19.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2019-9755: An integer underflow issue exists in ntfs-3g 2017.3.23.
A local attacker could potentially exploit this by running /bin/ntfs-3g with
specially crafted arguments from a specially crafted directory to cause a
heap buffer overflow, resulting in a crash or the ability to execute
arbitrary code. In installations where /bin/ntfs-3g is a setuid-root
binary, this could lead to a local escalation of privileges.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2020-7595: xmlStringLenDecodeEntities in parser.c in libxml2
2.9.10 has an infinite loop in a certain end-of-file situation.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security vulnerabilities:
- CVE-2014-9638: oggenc in vorbis-tools 1.4.0 allows remote attackers to
cause a denial of service (divide-by-zero error and crash) via a WAV file
with the number of channels set to zero.
- CVE-2014-9639: Integer overflow in oggenc in vorbis-tools 1.4.0 allows
remote attackers to cause a denial of service (crash) via a crafted number
of channels in a WAV file, which triggers an out-of-bounds memory access.
- CVE-2014-9640: oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote
attackers to cause a denial of service (out-of-bounds read) via a crafted
raw file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In gcc 5.1.0, a change was introduced which causes internal search paths
inside the sysroot to be relative to 'lib64' rather than 'lib'. See [1] [2]
and [3].
For example for dtc:
LD convert-dtsv0
/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/mips64-octeon-linux-gnu/7.3.0/../../../../mips64-octeon-linux-gnu/bin/ld: cannot find crt1.o: No such file or directory
/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/mips64-octeon-linux-gnu/7.3.0/../../../../mips64-octeon-linux-gnu/bin/ld: cannot find crti.o: No such file or directory
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:236: convert-dtsv0] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/opt/buildroot/output/build/dtc-1.4.7'
make: *** [package/pkg-generic.mk:241: /opt/buildroot/output/build/dtc-1.4.7/.stamp_built] Error 2
In this case, crt1.o was searched for in following locations:
16073 access("/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/mips64-octeon-linux-gnu/7.3.0/n32/octeon3/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/n32/octeon3/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/mips64-octeon-linux-gnu/7.3.0/../../../../mips64-octeon-linux-gnu/lib/mips64-octeon-linux-gnu/7.3.0/n32/octeon3/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/mips64-octeon-linux-gnu/7.3.0/../../../../mips64-octeon-linux-gnu/lib/../lib32-fp/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/mips64-buildroot-linux-gnu/sysroot/lib64/mips64-octeon-linux-gnu/7.3.0/n32/octeon3/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/mips64-buildroot-linux-gnu/sysroot/lib64/../lib32-fp/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/mips64-buildroot-linux-gnu/sysroot/usr/lib64/mips64-octeon-linux-gnu/7.3.0/n32/octeon3/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/mips64-buildroot-linux-gnu/sysroot/usr/lib64/../lib32-fp/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/mips64-octeon-linux-gnu/7.3.0/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/mips64-octeon-linux-gnu/7.3.0/../../../../mips64-octeon-linux-gnu/lib/mips64-octeon-linux-gnu/7.3.0/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/mips64-octeon-linux-gnu/7.3.0/../../../../mips64-octeon-linux-gnu/lib/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/mips64-buildroot-linux-gnu/sysroot/lib64/mips64-octeon-linux-gnu/7.3.0/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/mips64-buildroot-linux-gnu/sysroot/lib64/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/mips64-buildroot-linux-gnu/sysroot/usr/lib64/mips64-octeon-linux-gnu/7.3.0/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
16073 access("/opt/buildroot/output/host/mips64-buildroot-linux-gnu/sysroot/usr/lib64/crt1.o", R_OK) = -1 ENOENT (No such file or directory)
As can be seen above, all attempted paths contain 'lib64' as base,
instead of 'lib' or 'lib32', e.g.
.../sysroot/lib64/../lib32-fp/crt1.o
.../sysroot/lib64/crt1.o
This problem was detected on a gcc 7.x toolchain provided by Marvell as part
of their Octeon SDK. For this toolchain, here are the values of the paths
as detected by the Buildroot toolchain logic, for two different Octeon
processors:
- octeon2 (soft-float) (-mabi=n32 -march=octeon2):
SYSROOT_DIR=/opt/buildroot/output/host/opt/ext-toolchain/mips64-octeon-linux-gnu/sys-root/;
ARCH_SYSROOT_DIR=/opt/buildroot/output/host/opt/ext-toolchain/mips64-octeon-linux-gnu/sys-root/;
ARCH_SUBDIR=;
ARCH_LIB_DIR=lib32/octeon2;
SUPPORT_LIB_DIR=/opt/buildroot/output/host/opt/ext-toolchain/mips64-octeon-linux-gnu/lib32/octeon2/
- octeon3 (hard-float) (-mabi=n32 -march=octeon3):
SYSROOT_DIR=/opt/buildroot/output/host/opt/ext-toolchain/mips64-octeon-linux-gnu/sys-root/;
ARCH_SYSROOT_DIR=/opt/buildroot/output/host/opt/ext-toolchain/mips64-octeon-linux-gnu/sys-root/;
ARCH_SUBDIR=;
ARCH_LIB_DIR=lib32-fp;
SUPPORT_LIB_DIR=/opt/buildroot/output/host/opt/ext-toolchain/mips64-octeon-linux-gnu/lib32-fp/
For both cases (MIPS64n32) Buildroot created a symlink 'lib32->lib', from
SYSTEM_LIB_SYMLINK in system/system.mk. Additionally, the function
create_lib_symlinks in
toolchain/toolchain-external/pkg-toolchain-external.mk will use ARCH_LIB_DIR
and create an additional link $(ARCH_LIB_DIR)->lib.
For the Octeon3 case this thus results in the following symlinks (where the
'lib32' one is normally not needed):
lib32 -> lib/
lib32-fp -> lib/
Since the toolchain is searching based on a 'lib64' component, it will fail
to find its internal paths.
To solve the problem, we need to create an additional symlink 'lib64':
lib64 -> lib/
[1] 257ccd463a
[2] https://gcc.gnu.org/ml/gcc-patches/2014-10/msg03377.html
[3] https://gcc.gnu.org/ml/gcc-patches/2014-11/msg00539.html
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Make the package available on AArch64 now that it is supported, and
add hashes for the license files.
Signed-off-by: Refik Tuzakli <tuzakli.refik@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Drop both patches (already in version)
- Add libgcrypt optional dependency (added in version 4.15.1 with
037106ecc8)
- Add openmp support (added in version 4.15.1 with
464d21dc8c)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/d9a/d9a84b642357f758c3f84270fb9a109abd7e2684/
configure.ac contains a test using $ax_cv_check_cl_libcl:
if test "$build_modules" != 'no' || test "X$ax_cv_check_cl_libcl" != Xno; then
AC_MSG_RESULT([-------------------------------------------------------------])
AC_MSG_CHECKING([for libltdl])
But ax_cv_check_cl_libcl is only assigned a value (yes/no) if
--disable-opencl is NOT passed, as the assignment logic is inside a
conditional:
AC_ARG_ENABLE([opencl],
[AC_HELP_STRING([--disable-opencl],
[do not use OpenCL])],
[disable_opencl=$enableval],
[disable_opencl='yes'])
if test "$disable_opencl" = 'yes'; then
..
AC_CACHE_CHECK([for OpenCL library], [ax_cv_check_cl_libcl],
So configure errors out if --disable-opencl is passed on setups where
libltdl isn't available:
checking if libltdl package is complete... no
configure: error: in `/home/naourr/work/instance-0/output-1/build/imagemagick-7.0.8-59':
configure: error: libltdl is required for modules and OpenCL builds
As a workaround, explictly set ax_cv_check_cl_libcl=no to skip this
conditional.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since alsa-lib version 1.1.7 [1] the location for add-on config files
has changed.
In fact, the path for the alsa add-on config files has never been
correct set in the package (it should have been
`/usr/share/alsa/alsa.conf.d`).
With alsa-lib version 1.1.7 or later the correct path is
`/etc/alsa/conf.d`.
[1] 93e03bdc2a
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As noted in https://wiki.xenproject.org/wiki/Xen_Project_4.13_Release_Notes
- Xen 4.13 is now fully Py3 compatible
So swith to that now that python 2.x is EOL.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 61a813339a forgot to add all the
bluez5_utils dependencies
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
pkg-config is used to check if libidn2 is available since version 5.2.18
and
e20b8bbab3
This can lead to a build failure if a broken libidn2.pc is found on host
so add a mandatory host-pkgconf dependency and drop our manual handling
of HAVE_LIBIDN2 option (which does not exist anymore)
Fixes:
- http://autobuild.buildroot.org/results/6cd0dd779d72b7162943f0f7dbb4e7d258b463eb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://mariadb.com/kb/en/library/mariadb-10322-release-notes/
Changelog:
https://mariadb.com/kb/en/library/mariadb-10322-changelog/
Fixes the following security vulnerability (10.3.22):
CVE-2020-2574 - Vulnerability in the MySQL Client product of Oracle MySQL
(component: C API). Supported versions that are affected are 5.6.46 and
prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise MySQL Client. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Client.
Fixes the following security vulnerabilities (10.3.19):
CVE-2019-2974 - Vulnerability in the MySQL Server product of Oracle MySQL
(component: Server: Optimizer). Supported versions that are affected are
5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2019-2938 - Vulnerability in the MySQL Server product of Oracle MySQL
(component: InnoDB). Supported versions that are affected are 5.7.27 and
prior and 8.0.17 and prior. Difficult to exploit vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
Patch 0002-fix-build-error-with-newer-cmake.patch has been removed as it
has been applied upstream.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Support for v3d was added in mainline 4.18, and requires a few options
to be set in the kernel, so we list that in the help text.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: tweak the help text]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Remove the old gcc 5.5 fork for or1k architecture
that start to fail to build with recent version
of Binutils >= 2.32 with the following error:
host-gcc-final-or1k-musl-5.4.0-20170218/build/./gcc/crtbeginS.o: addend should be zero for plt relocations
host/or1k-buildroot-linux-uclibc/bin/ld: final link failed: bad value
https://gitlab.com/kubu93/buildroot/-/jobs/391938988
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Switch to meson buildsystem and so drop:
- !BR2_BINFMT_FLAT dependency
- hooks (not needed thanks to orc-test and tools options)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Data validation and settings management using python 3.6
type hinting.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since systemd/udev version 243, there's a new message printed if unsupported
OPTIONS value is used:
Invalid value for OPTIONS key, ignoring: 'event_timeout=180'
Add a patch to drop this invalid value.
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
php modules can't be selected if the php package is not selected, see [1].
So adding the dependency is not necessary.
Also we don't add such dependencies for python modules.
[1] https://git.buildroot.net/buildroot/tree/package/Config.in?h=2019.11#n798
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Nicolas Carrier <nicolas.carrier@orolia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The aclocal program is provided by the automake package, so it makes
sense to define aclocal-related variables in automake.mk.
Add an exception to check-package to ignore that variable.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
egrep/fgrep are wrapper scripts, calling the grep binary with the correct
arguments.
The shell wrappers use the value of SHELL at build time as the shebang value
in these wrapper scripts, which in Buildroot points to /bin/bash.
The target may not have bash available, causing runtime errors.
As a fix, add a post-install hook to change this to /bin/sh.
If the target does not have /bin/sh, simply remove the aliases.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the grep package is selected, it should be installed at the same exact
location where busybox installs it too, this way the grep/egrep/fgrep
executables will end up overwriting the busybox provided ones.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We currently install the default database by passing --user=mysql to the
install script. With the upcoming bump to the 10.4 series, this does not
work as intended. An error occurs because of missing PAM modules. We work
around this now by creating the default db as root and calling chown to
change the files to user mysql.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, mariadb creates logging files under the data directory.
This patch updates the startup scripts to log under /var/log/mysql.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For consistency with the to-be-added MYSQL_LOGFILE variable.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In order to check if the initial database needs created, the startup
script calls ls -1 $MYSQL_LIB | wc -l to check the number of files in
the directory. If the directory does not exist, an error is printed.
We fix this by redirecting stderr to /dev/null for the ls call.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We already remove mysql_config from the target since it's only useful in
staging. The same is true for mariadb_config. Thus, we remove it from the
target as well.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mysql_install_db is currently called in the systemd unit without
--user=mysql that the sysv script uses. This will generate the initial
database files with root permissions. However, mysqld runs as user mysql
so this will cause problems. We fix this by calling chown instead of
passing the user parameter because an upcoming version bump will fail when
ran this way.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
autoconf.mk defines AUTOCONF and AUTOHEADER variables, use them in packages
using autoconf.
This is a refactoring which shouldn't impact the final behavior.
Signed-off-by: Nicolas Carrier <nicolas.carrier@orolia.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Now that we do not override the automagic handling of include
directories witbh aclocal, the missing m4 directories will be
automatically created by aclocal itself.
So we can drop of hooks.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
[yann.morin.1998@free.fr: slight rewording in the commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The first include path is special in aclocal. For example it is the path
for the --install option. Also, the first include is treated in a
special way if it doesn't exists. This might be the case if there is the
following construct:
configure.ac: AC_CONFIG_MACRO_DIR([m4])
Makefile.am: ACLOCAL_AMFLAGS="-I m4"
If the package doesn't have local macros, the m4/ directory might not
exist. aclocal will then just issue a warning instead of aborting the
execution with a fatal error. See discussion here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=565663
Don't use the "-I" option in aclocal. Instead use ACLOCAL_PATH to pass
the system-wide include dirs.
As a side effect this should fix the use of $(ACLOCAL) alone. Up until
now, $(ACLOCAL) didn't include the ACLOCAL_HOST_DIR system include path.
autoreconf will pass the "-I" options to every tool it runs, of which
aclocal, which, as seen above, we don't want. So move the argument down
to each individual tool, except for aclocal.
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
[yann.morin.1998@free.fr: slight rewording of the commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
host-python was listed in jack2 dependencies, but is actually
not needed. Also tested with an experimental python3 based
Waf package infrastructure, so we can exclude that jack2
"accidentally" uses the host-python2 pulled in by Waf.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Be more specific for the hash source URL and change from
summary page (.mirrorlist) to direct sha256 download page
(.sha256).
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Be more specific for the hash source URL and change from
summary page (.mirrorlist) to direct sha256 download page
(.sha256).
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove the upstreamed patch and change the license information, as the
GPL-2.0+ files have been relicensed as GPL-2.0 since
59f92965b9
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Peter: clarify licensing change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package provides an OpenVPN plugin for network manager.
Signed-off-by: Alex Michel <alex.michel@wiedemann-group.com>
[Peter: add Config.in, DEVELOPERS entry]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While at it, we add hashes for the licenses files.
Signed-off-by: Refik Tuzakli <tuzakli.refik@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>