Security fixes:
#562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
sequences (e.g. from start tag names) to the XML
processing application on top of Expat can cause
arbitrary damage (e.g. code execution) depending
on how invalid UTF-8 is handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#561 CVE-2022-25236 -- Passing (one or more) namespace separator
characters in "xmlns[:prefix]" attribute values
made Expat send malformed tag names to the XML
processor on top of Expat which can cause
arbitrary damage (e.g. code execution) depending
on such unexpectable cases are handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
that could be triggered by e.g. a 2 megabytes
file with a large number of opening braces.
Expected impact is denial of service or potentially
arbitrary code execution.
#560 CVE-2022-25314 -- Fix integer overflow in function copyString;
only affects the encoding name parameter at parser creation
time which is often hardcoded (rather than user input),
takes a value in the gigabytes to trigger, and a 64-bit
machine. Expected impact is denial of service.
#559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
needs input in the gigabytes and a 64-bit machine.
Expected impact is denial of service or potentially
arbitrary code execution.
https://blog.hartwork.org/posts/expat-2-4-5-released/https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
XDRIVER_XF86_VIDEO_MGA_CONF_OPTS is wrongly overridden in a conditional
since commit 105c7c7573
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
SOCKETCAND_CONF_OPTS is wrongly overridden in a conditional since commit
53e498da2f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
PERL_NETADDR_IP_CONF_OPTS is wrongly overridden in a conditional since
commit 86658b0b18
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
ARP_SCAN_CONF_OPTS is wrongly overriden in a conditional since commit
df578c86ed
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
PCRE_CONF_OPTS is wrongly overridden in a conditional since commit
9b28d48012
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following compile error:
In file included from include/bootm.h:10,
from tools/image-host.c:12:
include/image.h:1178:12: fatal error: openssl/evp.h: No such file or directory
1178 | # include <openssl/evp.h>
| ^~~~~~~~~~~~~~~
compilation terminated.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/2103784200
Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
openssl is the default crypto backend since version 2.1.0 and
bc3d0feb5c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The patch 0001-Add-check-program-for-symver-attribute.patch, introduced
in 683e8387d0, touches a autoconf relevant file which causes a
configure --recheck in the make step without proper CONF_ENV.
Running autoreconf prevents this.
Signed-off-by: Moritz Bitsch <moritz@h6t.eu>
[yann.morin.1998@free.fr: add comment, add commit reference]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With python 2.x support dropped these variables no longer exist, so
unconditionally use the python3 variant.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
LIBICONV_CONF_OPTS is wrongly overridden in a conditional since commit
0d711a64d4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
URG_CONF_OPTS is wrongly overridden in a conditional since commit
d0433603e3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
XZ_CONF_OPTS is wrongly overridden in a conditional since commit
0dbc17abcb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
LIBGSASL_CONF_OPTS is wrongly overridden in a conditional since commit
c4ff6bf227
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
PSMISC_CONF_OPTS is overridden in a conditional since commit
953b0f4de8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
LIBGLVND_CONF_OPTS are wrongly overridden in conditionals since the
addition of the package in commit
0378e2e5d9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since this is a helper script there is not much reason to show the
command that's been issued. Furthermore, the incantation has been
slightly extended since the script was introduced.
The only interesting reason to print the command is to know what image
it is being spawned into. However, this is prominently displayed by
docker the first time the script is run, as it can't find the image
locally and has to fetch it first. Afterwards, users can still use
'docker image ls' to see what images they have locally.
So let's remove 'set -x' before running docker.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr: reword and expand commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Found by check-package:
package/libusb/0002-linux_usbfs-fix-maybe-uninitialized-error.patch:4: generate your patches with 'git format-patch -N'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixed a vulnerability in the EAP client implementation that was caused
by incorrectly handling early EAP-Success messages. It may allow to
bypass the client and in some scenarios even the server authentication,
or could lead to a denial-of-service attack. This vulnerability has been
registered as CVE-2021-45079:
https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).htmlhttps://github.com/strongswan/strongswan/releases/tag/5.9.5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Add -std=c99 to fix the following build failure with gcc 4.8 raised
since bump to version 3.7.1 in commit
cc27267ae4:
In file included from abort_handler_s.c:35:0:
safeclib_private.h:167:18: error: anonymous variadic macros were introduced in C99 [-Werror=variadic-macros]
#define slprintf(...) fprintf(stderr, __VA_ARGS__)
^
Fixes:
- http://autobuild.buildroot.org/results/5c3468585942879b47331e05058d25d324c8cc23
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Commit 471ecea5ee (core/show-info: 'name' only applies to packages)
removed the 'name' field for rootfs (really, for non-package) entries,
thus breaking the pkg-stats processing.
We fix that by excluding any entry that has no 'name', on the assumption
that if it has no name, it is not a package.
Reported-by: Xogium on IRC
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following build failure with gcc 4.8 raised since bump to
version 1.20.0 in commit 801131157d:
../gst-libs/gst/video/video-converter.c: In function 'convert_I420_v210':
../gst-libs/gst/video/video-converter.c:3771:7: error: 'for' loop initial declarations are only allowed in C99 mode
for (int j = width * 4 - 1; j >= 0; j--) {
^
Fixes:
- http://autobuild.buildroot.org/results/c4b1449f35debcbabff7e42abe239695d4ad4d21
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
harfbuzz is an optional dependency (which is enabled by default) since
version 2.0.18 and
328bbed78d
If harfbuzz is not disabled and not found, builtin harfbuzz is enabled
resulting in the following build failure without C++ since commit
f4da031a77 and
9a7ef3fb64:
configure: error: *** A compiler with support for C++11 language features is required.
Fixes:
- http://autobuild.buildroot.org/results/3fecb96a8063b1a28703682e9373714c1c9cfa24
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Disable builtin freetype2 which is enabled by default since bump to
version 2.0.18 in commit f4da031a77 and
834ec54127
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
FREETYPE_CONFIG is not used since version 2.0.15 and
50d72e5531
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Drop workaround added by commit bf899e50d8
because sudo natively supports pkg-config for searching openssl (which
is enabled by default) since version 1.9.2 and
4cadd54951
As a side-effect, this will fix the following build failure when openssl
is not installed on host (as LIBS is set before AX_PROG_CC_FOR_BUILD):
configure:8162: checking whether the C compiler works
configure:8184: /usr/bin/gcc -O2 -I/home/buildroot/autobuild/instance-2/output-1/host/include -I/home/buildroot/autobuild/instance-2/output-1/host/include -L/home/buildroot/autobuild/instance-2/output-1/host/lib -Wl,-rpath,/home/buildroot/autobuild/instance-2/output-1/host/lib conftest.c -L/home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lssl -L/home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -pthread -latomic -lcrypto -pthread -latomic >&5
/usr/bin/ld: skipping incompatible /home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libssl.a when searching for -lssl
/usr/bin/ld: skipping incompatible /home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libssl.a when searching for -lssl
/usr/bin/ld: cannot find -lssl
Fixes:
- http://autobuild.buildroot.org/results/7a5d4dd22343be46a5ddd1c1a1a8e1799517d564
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Currently, the docker-run script starts a container based on the
reference image, in which the user has UID:GID set to 1000:1000,
which may or may not be the same as local user uses, which may
prevent the commands in the container from creating files, which
foils the plan of using the container to run a build...
Additionally, the paths in the container differ from the paths
the user expects, as the current Buildroot tree is mounted over
the in-container user home directory. This is a bit confusing...
Finally, the container is left hanging around after the command
finishes, and thus there are as many lingering containers as the
user runs docker-run. This is not very nice...
We fix all of that (yeah, should be different patches, but meh):
- we use --mount instead of -v, which allows us to bind-mount
the Buildroot tree at the same place in the container, as
Docker will create the destination if it does not exist, while
-v seems to expect it to exist [0].
- as a consequence, we can also set the working directory as the
Buildroot top-directory;
- use --user to force the same UID:GID in the container as the
local user, so that files created in the container belong to
the local user, and so that files from the local user are
accessible from the container;
- use --rm to remove the container once it terminates; starting
a new container is very quick anyway, so it is as good as
re-using a previous container.
[0] the documentation is not clear about that. It clearly states
that the host directory (i.e. the origin, the source) is created
if missing, but it says nothing of the destination:
https://docs.docker.com/engine/reference/commandline/run/#mount-volume--v---read-only
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This update drops distutils support and requires flit package
infrastructure.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This adds pep517(needed for flit-core to build itself) and flit python
package types.
We need to add an installer script and pass it appropriate options for
installing pep517 wheels generated by python-pypa-build during the
build stage. Unfortunately it seems pep517 does not support builds
without using the wheel format.
We also need to add a patch fixing the version parser in flit-core.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Arnout:
- fix indentation in pkg-python.mk (tabs, not spaces);
- use the new _CMD variables instead of duplicating the entire _CMDS
definitions;
- no need to filter dependencies (they're not self-referencing);
- _NEEDS_HOST_PYTHON no longer exists;
- host-python-pypa-build gets added to DEPENDENCIES automatically.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following build failure raised since bump to version 2.86 in
commit 5b29096f8f:
rfc1035.c: In function 'report_addresses':
rfc1035.c:978:49: error: 'struct dnsmasq_daemon' has no member named 'workspacename'
978 | if (!extract_name(header, len, &p, daemon->workspacename, 1, 0))
| ^~
Fixes:
- http://autobuild.buildroot.org/results/51242d4f532373544e3c7ea45036b8d41390b29b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
qt5webkit needs execinfo.h since bump to version 5.212.0-alpha4 in
commit df0b0fe691:
/tmp/instance-1/output-1/build/qt5webkit-5.212.0-alpha4/Source/JavaScriptCore/inspector/JSGlobalObjectInspectorController.cpp:54:10: fatal error: execinfo.h: No such file or directory
54 | #include <execinfo.h>
| ^~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/351529f7d928e28fa2db22c6297dc70d21db562b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix the following build failure raised since bump of python3 to version
3.10.1 in commit 25b1fc2898 due to the new
"Multiple Exception types without parentheses" exception
(https://docs.python.org/3/whatsnew/3.10.html)
error: File "/usr/lib/python3.10/site-packages/cli/app.py", line 242
except Exception, e:
^^^^^^^^^^^^
SyntaxError: multiple exception types must be parenthesized
Fixes:
- http://autobuild.buildroot.org/results/8d7b0c23472abffc9447e4a6de273bdd04486d39
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Initialize active_config to an invalid value to avoid the following
compilation error:
os/linux_usbfs.c: In function ‘op_get_configuration’:
os/linux_usbfs.c:1452:12: error: ‘active_config’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
1452 | *config = (uint8_t)active_config;
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Eugen Hristev <eugen.hristev@microchip.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The python package infrastructure defines a number of helper variables
that are used to construct the build and install commands. However,
there are still a few parts (setup.py and its argument) that are set
explicitly in _BUILD_CMDS and _INSTALL_CMDS. This creates problems if we
want to add another setup type that does not use setup.py.
Therefore, move the setup.py part into the helper variables as well.
Since this means that the variable becomes a full command rather than
just options, rename them to _BUILD_CMD and _INSTALL_CMD.
While we're at it, also clean up the whitespace in the definition of
these variables. They were aligned on = at some point, but that
alignment was already broken.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This was only needed when the mapboxgl submodule was a separate
package(was never included in buildroot only a patch series).
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
