- Fix CVE-2020-15049: Cache Poisoning Issue in HTTP Request processing
- Fix CVE-2020-14058: Denial of Service issue in TLS handshake
- Fix CVE-2020-14059: Denial of Service when using SMP cache
This version also fixes a build failure with systemd
Fixes:
- http://autobuild.buildroot.org/results/4f586c497577d6c96289e821430fa2c2f61eda2a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
systemd is an optional dependency (enabled by default) since version
4.11 and
6fa8c66435
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Netopeer2 is a set of tools implementing network configuration
tools based on the NETCONF Protocol.
Netopeer2 needs libnetconf2 to have SSL/TLS and SSH support, so
we enable both openssl and libssh+server from netopeer2, so that
libnetconf2 has appropriate support. But netopeer2 does not use
either, so does not build-depend on them.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
[yann.morin.1998@free.fr:
- fix dependencies and their comments
- explain openssl and libssh+server dependencies
- fix codestyle in Config.in, noticed by Adam
- fix codestyle in .mk
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
These functions are no longer using the GLOBAL_INSTRUMENTATION_HOOKS
mechanism, so it doesn't make much sense for them to be in the section
of pkg-generic.mk related to those hooks.
Move them to the "Helper functions" section.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Now that we are checking the host directory changes throughout all
installation steps and not just during the "host installation step",
it means that changes done within the staging directory (which is a
subdir of the host directory) are also visible in the
.files-list-host.txt file.
Note that this problem already potentially occurs if a host package is
installing files in the staging directory: they would be listed in
.files-list-host.txt even without the changes in this series.
To fix this up, we simply exclude files that are beneath the
$(STAGING_SUBDIR). Note that we do that in all cases, so when
searching $(HOST_DIR), $(HOST_DIR)/$(STAGING_SUBDIR) is excluded, but
when searching $(TARGET_DIR), $(TARGET_DIR)/$(STAGING_SUBDIR) is
excluded, and when searching $(STAGING_DIR),
$(STAGING_DIR)/$(STAGING_SUBDIR) is excluded. This is not a problem in
practice since $(TARGET_DIR)/$(STAGING_SUBDIR) and
$(STAGING_DIR)/$(STAGING_SUBDIR) don't exist, but it's not very
nice. However, it allows to keep the code simple.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit reworks the pkg_size logic to no longer use the
GLOBAL_INSTRUMENTATION_HOOKS mechanism, but instead be directly
implemented within the configure step and install step.
The problem with the current implementation in the
GLOBAL_INSTRUMENTATION_HOOKS is that we only capture what is installed
in $(HOST_DIR) during the "host installation step", what is installed
in $(TARGET_DIR) during the "target installation step" and what is
installed in "$(STAGING_DIR)" during the staging installation step.
While this seems reasonable in principle, it is in fact not completely
true. For example, "toolchain", which is a target package, installs
tons of files in $(HOST_DIR). "qt5base", which is also a target
package, also installs things in $(HOST_DIR). Same with the "syslinux"
package.
The idea behind this patch is pretty simple:
- At the beginning of the configure step, right after the per-package
directories have been populated (if BR2_PER_PACKAGE_DIRECTORIES=y),
we capture the state of the HOST_DIR, TARGET_DIR and STAGING_DIR.
- At the end of all install steps (which is possible thanks to the
newly introduced "install" step), we capture again the state of
HOST_DIR, TARGET_DIR and STAGING_DIR, and compare it to what we
have saved at the configure step.
So regardless of whether a file has been installed in $(HOST_DIR)
during the target or staging installation steps of a target package,
or if a host package has installed a file in $(TARGET_DIR), we will
detect it.
The pkg_size_before and pkg_size_after macros are intentionally left
where they are (even if they now fall in the middle of the
GLOBAL_INSTRUMENTATION_HOOKS implementations) to minimize the diffstat
and facilitate review.
Note that we also have to change check_bin_arch to be explicitly
called from the install step rather than through a
GLOBAL_INSTRUMENTATION_HOOKS as it depends on the .files-list.txt file
produced by the pkg_size_after function.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
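
The capture at the configure step and again after all install steps, with the staging subdirectory excluded as the earlier message describes, shown as an added example. This is not Buildroot's pkg-generic.mk code; the function names, the cksum-based fingerprint and the demo directory layout (host, host/sysroot, target) are assumptions made here.

```shell
#!/bin/sh
# Added illustration, not Buildroot's pkg-generic.mk code.
# Directory names (host, host/sysroot, target) are constructed for the demo.

# snapshot DIR EXCLUDED_SUBDIR: one "crc size ./path" line per regular file
# under DIR, skipping everything beneath DIR/EXCLUDED_SUBDIR.
snapshot() {
    ( cd "$1" && find . -path "./$2" -prune -o -type f -print |
        while IFS= read -r f; do
            printf '%s %s\n' "$(cksum < "$f")" "$f"
        done ) | LC_ALL=C sort
}

# installed_files BEFORE AFTER: paths that are new or whose content changed.
installed_files() {
    LC_ALL=C comm -13 "$1" "$2" | cut -d' ' -f3- | LC_ALL=C sort -u
}

# demo: a "target package" that also writes into the host and staging dirs.
demo() {
    top=$(mktemp -d) && sub=sysroot
    mkdir -p "$top/host/bin" "$top/host/$sub/usr/lib" "$top/target/usr/bin"
    echo old > "$top/host/bin/existing"
    for d in host host/$sub target; do          # "configure step" capture
        snapshot "$top/$d" "$sub" > "$top/$(echo "$d" | tr / _).before"
    done
    echo tool > "$top/host/bin/tool"            # the install steps
    echo lib  > "$top/host/$sub/usr/lib/libfoo.so"
    echo app  > "$top/target/usr/bin/foo"
    for d in host host/$sub target; do          # capture after all installs
        n=$(echo "$d" | tr / _)
        snapshot "$top/$d" "$sub" > "$top/$n.after"
        echo "$n: $(installed_files "$top/$n.before" "$top/$n.after" | paste -s -d' ' -)"
    done
    rm -rf "$top"
}
demo
```

The host list contains only `./bin/tool`: the file written under the staging subdirectory shows up in the staging list alone, and the exclusion is a no-op for the other two directories because that subdirectory does not exist beneath them.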
We currently create HOST_DIR, TARGET_DIR, STAGING_DIR and BINARIES_DIR
in their respective installation steps. However, as we are about to
change how the logic to capture files installed by packages is
implemented, we will need these directories to exist at the configure
step to keep things simple.
Note that when BR2_PER_PACKAGE_DIRECTORIES=y, the HOST_DIR, TARGET_DIR
and STAGING_DIR are anyway already created at the configure step, when
populating the per-package HOST_DIR and TARGET_DIR. This also means
that we can drop the "mkdir" from per-package-rsync.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
- create directories after MESSAGE
- use $(Q) not @
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
We currently have four different install steps: target installation,
staging installation, images installation and host installation. These
steps are directly triggered from the $(1)-install make target, so
there is no place where we can run some logic once all installation
steps have completed.
However, as part of improving the reliability of the logic done in
step_pkg_size_before and step_pkg_size_after to detect the files
installed by packages, we would in fact need to run some logic after
all installation steps have completed. This will allow us to make sure
that all files are detected, even if a host package installs something
in the target directory, or if a target package installs something in
the host directory.
To achieve this, this commit implements a new stamp file,
.stamp_installed, which is a step that depends on all four install
steps. Currently, this step does nothing except creating the stamp
file.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: remove stampfile on foo-reinstall]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The $(1) argument passed to step_pkg_size_{before,after}, which
contains the package name, is no longer used. We simply use $(PKG) to
get the upper-case version of the package name.
So, let's drop this first argument that isn't needed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since we're already using $(PKG)_DIR in step_pkg_size_after, we can
also just use $(PKG)_NAME. This allows to make $(1) useless, which
means it can be dropped in a follow-up commit.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Upstream improved testing and fixed minor issues.
Signed-off-by: Thomas Ruschival <thomas@ruschival.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump to 4.1.1 (commit 96d3d01796) removed setools' dependency on
BR2_INSTALL_LIBSTDCPP, but the corresponding inverse dependency on one
of its Kconfig comments was not removed. This led to the package
being available while a Kconfig comment on non-matched dependencies is
shown. Fix this by removing the dependency on !BR2_INSTALL_LIBSTDCPP on
the Kconfig comment.
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Adapt license hash
(minor additions in LICENSE file about files in doc folder:
"Files contained in the doc/ directory may be licensed under different terms.",
but there is no folder present so no license change)
- Also separate the fields in the hash file by two spaces
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This version mainly fixes build issues with more
recent kernels.
98b163a cryptlib.c: fix build on kernel v5.5+
7e72f67 enabled the support for TLS1.1 - AES128-SHA1 - AES256-SHA1
9e76506 Fix build for Linux 5.8-rc1
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mbedtls is available (and enabled by default) since version 1.5.2 and
8e01a4fe8f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Use ENABLE_BZIP2 option which is available since version 1.5.2 and
028c492c9d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The init script S20urandom is used to preserve the kernel's RNG
seed between reboots. This functionality is not required for the
package "initscripts". Further there are use-cases where this script
should not be installed at all (e.g. systems that only have read-only
partitions), but that's currently not possible as the script is
a mandatory part of the package "initscripts".
Let's move the script into its own package "urandom-scripts" and select it,
if the default skeleton is enabled. This maintains backward-compatibility
and allows to deselect it.
Signed-off-by: Christoph Müllner <christoph.muellner@theobroma-systems.com>
[yann.morin.1998@free.fr:
- extend help text
- default y if initscripts (instead of skeleton default)
- allow use with openRC, but not systemd
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
reSIProcate is a framework that aims to fully implement the SIP
protocol in first class C++. It is intended for use in other
applications, such as the repro SIP proxy.
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Also separate the fields in the hash file by two spaces.
Signed-off-by: Sergio Prado <sergio.prado@e-labworks.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patch (already in version)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Release notes: https://libzip.org/news/
Updated license hash due to copyright year bump:
40098f0445
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Removed patches which were applied upstream.
Reformatted hashes.
Updated license hash after copyright year update:
eb40ca5fbd
Switched _SITE to https.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For details see [1].
- drop 0001-meson.build-use-local-include-path-for-tools.patch
(upstream [2])
- drop 0003-meson.build-enable-static-library-build.patch
(upstream [3])
[1] https://lists.freedesktop.org/archives/input-tools/2020-July/001541.html
[2] fe8238a71a
[3] a9d324f82b
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds a missing extern on the outfile
variable in genisoimage.h.
Signed-off-by: Urja Rannikko <urjaman@gmail.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When using ccache to build the exim package, the HOSTCC value contains
spaces, that are incorrectly interpreted by exim's Makefile, which uses
the first word of ${CC} to test compiler options. This breaks the build
with "unrecognized option" ccache errors.
Fix that by wrapping the HOSTCC variable in double quotes, as it is done
for other variables that follow.
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
[yann.morin.1998@free.fr: slight rewording of commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Add a patch, which has been submitted upstream, to properly detect the
availability of compiler flags before using them.
This will fix the build of exiv2 on CPU architectures for which gcc
doesn't implement -fcf-protection.
Fixes:
http://autobuild.buildroot.net/results/ef6a6fa2309e66a7a36fface626ae0da1a7ec633/
(and many similar build failures on other architectures)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
- fix indentation s/TAB/spaces/
- fix CRLF dropped by patchwork
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The upstream change in d7235c5905fa98207d90f3ad34bf590493498d5b is not
sufficient to prevent rpaths from being stripped in some cases due to
a bug in how it matches rpaths in LDFLAGS.
Add a patch fixing the LDFLAGS rpath match pattern.
Fixes:
http://autobuild.buildroot.net/results/f2f/f2f912416ab11d454479ef3d22ed6b757207f84f/
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Thomas:
- Fix incorrect "select"
- Simplify the build command, to allow the package Makefile to use
pkg-config, so added host-pkgconf
- Use a full destination path for the installation step
- Use the Github macro]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
From wikipedia:
utmp maintains a full accounting of the current status of the
system, system boot time (used by uptime), recording user
logins at which terminals, logouts, system events etc.
This is seldom used, if at all, on an embedded device, and may expose
users' behaviour to others (by observing who logs in from where, for
example).
Forcibly disable support for utmp.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
[yann.morin.1998@free.fr: split off to its own patch]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Systemd enables compatibility with SysV services and utmp by default,
none of which is needed for buildroot as the packages' .mk will install
only the files for the chosen init system.
Furthermore, SysV support requires a setup where *both* /etc/init.d and
/etc/rc.d exist (the latter for the usual /etc/rcN.d). However, in
Buildroot, the latter does not exist; so we would not be able to provide
a working SysV support anyway.
So, just forcibly disable SysV support.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
[yann.morin.1998@free.fr:
- expand commit log
- disable utmp in its own patch
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>