Fixes CVE-2019-13224: A use-after-free in onig_new_deluxe() in regext.c
in Oniguruma 6.9.2 allows attackers to potentially cause information
disclosure, denial of service, or possibly code execution by providing a
crafted regular expression. The attacker provides a pair of a regex
pattern and a string, with a multi-byte encoding that gets handled by
onig_new_deluxe().
Fixes CVE-2019-13225: A NULL Pointer Dereference in match_at() in
regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause
denial of service by providing a crafted regular expression.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove patch: documentation can be disabled through --disable-doc
since
702d76dbd0,
and the autotools infra already passes --disable-doc to all packages.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Neil Brown no longer maintains mdadm. The old website refers to a stale
git repository. There is nothing else but this wiki page to serve as a
website.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Briefly states what the output of this target is about.
Signed-off-by: Marcel Patzlaff <m.patzlaff@pilz.de>
[Thomas: improve wording]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mosquitto library can be built statically since commit
a95bdd9647 however build fails with
openssl because mosquitto does not use pkg-config to retrieve static
dependencies so provide them through the STATIC_LIB_DEPS variable
Fixes:
- http://autobuild.buildroot.org/results/2ee69a5d7834c9a4845ebde801be6aa8f97cc5fa
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix a weird blank-line missing and 2 trailing blank-space.
Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since "2467822c85 package/checksec: bump to version 2.1.0" the hardening
tests fail because upstream slightly changed the way the script is
called.
According to README.md: "- All options now require `--$option=$value`
instead of `--$option $value`"
Instead of just replacing '--output json' with '--output=json' take into
account that upstream also changed the usage example to show --format
instead of --output. Both options do exactly the same, but following the
usage example seems to be more future-proof.
Upstream also improved the json output. Now when a file is passed as
parameter, the json has the file name as the main key, instead of the
string "file". Adjust the test cases accordingly.
Fixes:
tests.core.test_hardening.TestFortifyConserv
tests.core.test_hardening.TestFortifyNone
tests.core.test_hardening.TestRelro
tests.core.test_hardening.TestRelroPartial
tests.core.test_hardening.TestSspNone
tests.core.test_hardening.TestSspStrong
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The odroidc2_defconfig has been dropped in commit
b80712a16a, do it no longer makes sense
to list it in the DEVELOPERS file.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch extends the Developer class so that it associates each
developer with the defconfigs (in configs/) is in responsible for,
according to the DEVELOPERS file.
It will allow using the getdeveloperlib module to find which developer
is responsible for which defconfig, and send e-mail notifications of
defconfig build failures.
Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch extends the Developer class so that it associates each
developer with the runtime tests (in support/testing) is in
responsible for, according to the DEVELOPERS file.
The implementation relies on the unittest module to list all test
cases and does some manual parsing of these test-case objects to get
the actual list of test-cases per test-suite.
A global variable is used to compute the list of unittest only once.
This feature will allow to use the getdeveloperlib module to find
which developer is responsible for which runtime test, and send e-mail
notifications of runtime tests failures.
Signed-off-by: Victor Huesca <victor.huesca@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The following additional bugs are fixed:
[16573] malloc: Set and reset all hooks for tracing
[18035] Fix pldd hang
[20568] Fix crash in _IO_wfile_sync
[24228] old x86 applications that use legacy libio crash on exit
[24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
[24744] io: Remove the copy_file_range emulation
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When no filesystem is enabled, the $BINARIES_DIR is not created. Yet,
the post-image scripts are still run. When those want to generate an
image in there, they may fail as the dirctory does not exist (it did
exist before we started applying preparatory changes for top-level
parallel build, so scripts got to rely on that assumption).
Do in target-post-image as we do in the sdk rule: create the directory
before calling the scripts.
Signed-off-by: Brent Generous <bgenerous@impinj.com>
[yann.morin.1998@free.fr:
- create the directory before calling the scripts
- don't drop the creation in the sdk rule
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
gcc 9.1 is around, gcc 8.3 is the default version, so drop
6.5 in order to reduce the gcc choice.
Keep gcc 5.5 since it still used by beaglebone_qt5_defconfig.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In order to reduce the number of choice in gcc selection, remove the
gcc 4.9 version.
This version was kept due to libstdc++ ABI-incompatible changes and
other build issues with kernel and bootloader as reported by Arnout
[1].
Since then, gcc 4.9 is not supported any more since glibc 2.29 [2]
and recent kernel and bootloaders has been fixed to use more recent
compiler version.
[1] http://lists.busybox.net/pipermail/buildroot/2017-June/194374.html
[2] https://www.sourceware.org/ml/libc-alpha/2019-01/msg00723.html
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The odroidc2 defconfig is using gcc 4.9 version in order to build
uboot (2015.01) and kernel (3.14.79) for the board.
We are going to remove gcc 4.9 version in Buildroot and this
defconfig is the only remaining one using this version.
Since we don't have the board, we can't update the defconfig with
newer bootloader and kernel version.
A new defconfig for the odroidc2 board are welcome as soon as
it use a newer uboot and kernel version.
Remove the defconfig from the gitlab yaml.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Dagg Stompler <daggs@gmx.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When BR2_KERNEL_HEADERS_AS_KERNEL=y, we expect that the Linux kernel
headers code will be exactly the same as the Linux kernel code
itself. The code currently takes into account the patches defined by
BR2_LINUX_KERNEL_PATCH, but not the kernel patches that are stored in
linux's BR2_GLOBAL_PATCH_DIR.
So for example, the current qemu_riscv32_virt_defconfig has:
BR2_GLOBAL_PATCH_DIR="board/qemu/riscv32-virt/patches/"
With:
board/qemu/riscv32-virt/patches/
└── linux
└── 0001-Revert-riscv-Use-latest-system-call-ABI.patch
This patch gets properly applied when the Linux kernel is built, but
not when the linux-headers package is built.
This commit fixes that by making sure patches stored in the "linux"
BR2_GLOBAL_PATCH_DIR subdirectory are taken into account.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Python interface to the Redis key-value store.
https://github.com/andymccurdy/redis-py
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
[Peter: hiredis is an optional runtime dependency, not build time]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Python extension that wraps protocol parsing code in hiredis.
It primarily speeds up parsing of multi bulk replies.
https://github.com/redis/hiredis-py
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Libcurl is more than 250 KiB (libcurl) / 100 KiB (curl binary) in size.
About 50 KiB / 15 KiB of this can be saved by disabling features/protocols
that are not commonly needed:
- proxy support: 15 KiB
- cookies support: 10 KiB
- various less common protocols: 25 KiB (libcurl) + 15 KiB (curl binary)
Note that the exact amount of space saved depends on the architecture,
toolchain, and other factors.
Other packages that are selecting libcurl might require protocols from the
'extra' set. But, there is no clear way to find out which packages are in
this situation, in particular because issues may only be visible at runtime.
Note: remove the text 'enable' on the option for 'verbose strings' as that
is more common in Buildroot.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Peter: unconditionally remove the libcurl-option to generate C code]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Replace first patch to fix build when using a development version
- Fix build with openzwave 1.6 through:
56d3fa099d
- Add patch to revert cmake 3.14 dependency as buildroot currently
requires only 3.8
Fixes:
- http://autobuild.buildroot.org/results/3dbb6612205020cc156d245a75c76a7886f7d529
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Removed patch for sys/xattr.h handling and replaced it with the new
upstream-provided configure option --disable-xattr-h-pref-attr
848e039e6d
Removed autoreconf, not needed anymore.
Added license hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Also added a reference for upstream-provided sha1 & sha256 hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>