- Fix CVE-2017-6312: Integer overflow in io-ico.c in gdk-pixbuf allows
context-dependent attackers to cause a denial of service (segmentation
fault and application crash) via a crafted image entry offset in an
ICO file, which triggers an out-of-bounds read, related to compiler
optimizations.
- Fix CVE-2017-6313: Integer underflow in the load_resources function in
io-icns.c in gdk-pixbuf allows context-dependent attackers to cause a
denial of service (out-of-bounds read and program crash) via a crafted
image entry size in an ICO file.
- Fix CVE-2017-6314: The make_available_at_least function in io-tiff.c
in gdk-pixbuf allows context-dependent attackers to cause a denial of
service (infinite loop) via a large TIFF file.
Also update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add docs/license.rst to PYTHON_WTFORMS_LICENSE_FILES
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/674933582
Signed-off-by: Michael Durrant <mdurrant@arcturusnetworks.com>
Signed-off-by: Oleksandr G Zhadan <Oleks@ArcturusNetworks.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The vendor kernel we are currently selecting no longer builds,
and fails with a ton of:
from include/linux/list.h:8,
from include/linux/module.h:9,
from arch/mips/jz4740/prom.c:16:
include/linux/log2.h:22:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
22 | int ____ilog2_NaN(void);
| ^~~
We can't afford to fix that, so let's just move to upstream
kernel and bootloader. It doesn't make much sense to keep
using an unsupported kernel and bootloader at this point.
This means we will be missing some of the features supported
by the vendor (such as HDMI support), but it is what it is.
Linux v5.7 and v5.4 have been tested to boot fine, the latter
is picked for the defconfig as it is an LTS version.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/674933782
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since 948666dfde, librtlsdr in Buildroot is no longer
built from an official release, but from a commit on the master branch. However, the
commit that was referenced has a broken pkgconfig file templating, such that
other packages using `pkgconfig --libs librtlsdr` as part of their build process
(such as dump1090) could not be built anymore:
Before 948666dfde:
$ cat staging/usr/lib/pkgconfig/librtlsdr.pc
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include
Name: RTL-SDR Library
Description: C Utility Library
Version: 0.6.0
Cflags: -I${includedir}/
Libs: -L${libdir} -lrtlsdr -lusb-1.0
Libs.private:
On 948666dfde:
$ cat staging/usr/lib/pkgconfig/librtlsdr.pc
prefix=
exec_prefix=
libdir=
includedir=
Name: RTL-SDR Library
Description: C Utility Library
Version: 7082
Cflags: -I${includedir}/
Libs: -L${libdir} -lrtlsdr
Libs.private: -lusb-1.0
In the meantime, upstream released a bugfix for that ([1]), so we bump to that
commit as well, and update the only patch for shared libs accordingly, because
upstream also added a new tool called `rtl_biast` in the meantime.
Finally, we update the hash file to the two-spaces convention.
Fixes: http://autobuild.buildroot.net/results/b4c/b4cdcb59cc61c51c024197a64865ad4b60023d0c/
[1]: ed0317e6a5
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Tested-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
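A lint for the staging-directory breakage described in the librtlsdr commit message above, added here as an example; it is not part of the commit or of Buildroot. It parses a .pc file, expands its variables and reports empty install paths; the function names (`parse_pc`, `expand`, `expanded_field`, `check_pc`) are hypothetical, and the two inputs are the files quoted in the message.

```python
import re

# Sample inputs: the two librtlsdr.pc files quoted in the commit message.
PC_GOOD = """\
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include
Name: RTL-SDR Library
Description: C Utility Library
Version: 0.6.0
Cflags: -I${includedir}/
Libs: -L${libdir} -lrtlsdr -lusb-1.0
Libs.private:
"""
PC_BROKEN = """\
prefix=
exec_prefix=
libdir=
includedir=
Name: RTL-SDR Library
Description: C Utility Library
Version: 7082
Cflags: -I${includedir}/
Libs: -L${libdir} -lrtlsdr
Libs.private: -lusb-1.0
"""
VAR_REF = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

def parse_pc(text):
    """Split a .pc file into variables (name=value) and fields (Name: value)."""
    variables, fields = {}, {}
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z0-9_.]+)\s*([=:])\s*(.*)$", raw.split("#", 1)[0].strip())
        if m:
            name, sep, value = m.groups()
            (variables if sep == "=" else fields)[name] = value
    return variables, fields

def expand(value, variables, depth=0):
    """Substitute ${var} recursively; an undefined variable raises KeyError."""
    if depth > 16:
        raise ValueError("variable reference loop")
    return VAR_REF.sub(lambda m: expand(variables[m.group(1)], variables, depth + 1), value)

def expanded_field(text, field):
    variables, fields = parse_pc(text)
    return expand(fields.get(field, ""), variables)

def check_pc(text, required=("prefix", "libdir", "includedir")):
    """Return the problems that make the file unusable for --cflags/--libs."""
    variables, _ = parse_pc(text)
    problems = [f"{n}: missing or empty" for n in required
                if not expand(variables.get(n, ""), variables)]
    for field in ("Cflags", "Libs"):
        for token in expanded_field(text, field).split():
            if token in ("-L", "-I", "-I/", "-L/"):
                problems.append(f"{field}: '{token}' has no usable directory")
    return problems
```

Run over every `*.pc` file in the staging directory after a package is installed, a non-empty result from `check_pc` flags this kind of templating failure before a dependent package's build does.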
Even though librtlsdr was initially introduced by Jason Pruitt in
2014, and Jason is still listed in the DEVELOPERS file for this
package, in recent times it's mainly Gwenhael who has been taking care of
this package. Let's reflect that in the DEVELOPERS file so that
Gwenhael gets notified when there are librtlsdr issues.
Cc: Jason Pruitt <jrspruitt@gmail.com>
Cc: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
librtlsdr currently fails to build on the autobuilders, as it fails
for out of tree builds. Indeed, there is some CMake logic in librtlsdr
that determines the version using Git. This works fine when librtlsdr
is fetched from Git of course. But in the context of Buildroot,
librtlsdr is extracted from a tarball.
For an in-tree build, the "git describe" invocation goes all the way
up to the Buildroot .git/ metadata, and uses that as the librtlsdr
version (it's of course wrong, but the build works). In an out-of-tree
build, there is no parent directory with .git/ metadata, so Git fails,
the VERSION variable is empty and later CMake aborts the build because
of that.
We fix that by adjusting the version retrieving logic to only use Git
if a .git/ metadata folder is found at the root of the librtlsdr
source tree. The patch has been submitted upstream.
Fixes:
http://autobuild.buildroot.net/results/ea52be1da8ed03272db06679d5a0a441ffe6ea0c/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patch (already in version). The commit list between 3.9.2 and
3.9.4 is just made of fixes:
db9b4fa148e6c22c0d4b4c567fa65d1cd5368152 Released 3.9.4
50cbca799c1f9b010fabaa0dd4a387f29d140873 fuse_send_data_iov(): correctly calculate total buffer size.
7b3e3899157566875280a8b860eb5ad5c73eadc1 Define fuse_session_loop_mt as a macro on uclibc and MacOS (#532)
c5e8684b5a2f3400af6d7a3edcaeb3ce8ffc51b5 Fixed typo in command to compile program (#536)
e8a9e84672dcaa892d4708c163f768dc177b6d4c Doc fixes (#537)
d1deae6968c49d83334e874c33abfe15824c4548 Fix FreeBSD CI (#539)
48450411647ca0818821af7b05b819ceff92ae7c Fix: crash on failure to set locale (#529)
9e1c2a4959c16c0b50090dd822389ad9acb08111 fuse_lowlevel: Move assert for se before dereferencing it with se->debug (#530)
7471156354002c6547aa6c3a4f39a3262f435ba4 Fixed minor print alignment issue in iconv_help(), replacing tab with space (#519)
9fa4dc1661f085d4e89a54d75acc3347d52f33fa Fix the typo "filed" -> "field" in fuse manpage (#524)
717c8b8b3ed815f14e5607a995d0113446e3fb0b README: Correct the directory name from 'examples' to 'example' (#526)
032db1ab298d62c4d0c5be1f9fb2df299aec2346 docs: Replace `mesonconf` with `meson configure` (#528)
06342ca60ed822b856990915f127d8beddc0d1f6 libfuse: Assign NULL to "old" to avoid free it twice (#522)
5021d6a0a100d4987be126e87b7ee5fbfc17bbdc Typo fixed. (#520)
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit slightly improves the output of pkg-stats by showing the
progress of the upstream URL checks and latest version retrieval, on a
package basis:
Checking URL status
[0001/0062] curlpp
[0002/0062] cmocka
[0003/0062] snappy
[0004/0062] nload
[...]
[0060/0062] librtas
[0061/0062] libsilk
[0062/0062] jhead
Getting latest versions ...
[0001/0064] libglob
[0002/0064] perl-http-daemon
[0003/0064] shadowsocks-libev
[...]
[0061/0064] lua-flu
[0062/0064] python-aiohttp-security
[0063/0064] ljlinenoise
[0064/0064] matchbox-lib
Note that the above sample was run on 64 packages. Only 62 packages
appear for the URL status check, because packages that do not have any
URL in their Config.in file, or don't have any Config.in file at all,
are not checked and therefore not accounted.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit reworks the code that checks if the upstream URL of each
package (specified by its Config.in file) using the aiohttp
module. This makes the implementation much more elegant, and avoids
the problematic multiprocessing Pool which is causing issues in some
situations.
Suggested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit reworks the code that retrieves the latest upstream
version of each package from release-monitoring.org using the aiohttp
module. This makes the implementation much more elegant, and avoids
the problematic multiprocessing Pool which is causing issues in some
situations.
Since we're now using some async functionality, the script is Python
3.x only, so the shebang is changed to make this clear.
Suggested-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of ATF to 2.2 for the ATF Vexpress test case in commit
fc3d6a3ed0
("support/testing/tests/boot/test_atf: update U-Boot/ATF use in
TestATFVexpress"), DTC is now needed otherwise the build fails with:
make[2]: dtc: Command not found
Makefile:873: recipe for target 'build/juno/release/fdts/juno_tb_fw_config.dtb' failed
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/674934470
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The libabseil-cpp package fails to build on a number of CPU
architectures in our autobuilders.
On most CPU architectures, the first issue looked like this:
libabseil-cpp-20200225/absl/base/internal/direct_mmap.h: In function 'void* absl::lts_2020_02_25::base_internal::DirectMmap(void*, size_t, int, int, int, off64_t)':
libabseil-cpp-20200225/absl/base/internal/direct_mmap.h:121:39: error: static assertion failed: Platform is not 64-bit
121 | static_assert(sizeof(unsigned long) == 8, "Platform is not 64-bit");
| ~~~~~~~~~~~~~~~~~~~~~~^~~~
libabseil-cpp-20200225/absl/base/internal/direct_mmap.h:123:15: error: 'SYS_mmap' was not declared in this scope; did you mean 'SYS_mmap2'?
123 | syscall(SYS_mmap, start, length, prot, flags, fd, offset));
| ^~~~~~~~
| SYS_mmap2
Indeed, on 32-bit architectures, libabseil-cpp has some special code
to use the mmap2() system call, and it white-lists the supported
architectures. It is therefore trivial to add support for more
architectures.
However, once this is fixed, another issue arises:
absl/debugging/internal/examine_stack.cc uses the ucontext data
structures, which are not provided by uClibc-ng on all CPU
architectures, and even the code of libabseil-cpp does not exist for
all CPU architectures.
So, this commit solves that by simply making libabseil-cpp available
on architectures/C libraries where it is supported: it needs ucontext
support in the toolchain + a CPU architecture where
absl/debugging/internal/examine_stack.cc has the appropriate logic.
This new dependency is propagated to the reverse dependencies of
libabseil-cpp.
With this commit, libabseil-cpp passes a test-pkg -a test (so all
external toolchains used by the autobuilders):
andes-nds32 [ 1/45]: SKIPPED
arm-aarch64 [ 2/45]: OK
br-aarch64-glibc [ 3/45]: OK
br-arcle-hs38 [ 4/45]: SKIPPED
br-arm-basic [ 5/45]: SKIPPED
br-arm-cortex-a9-glibc [ 6/45]: OK
br-arm-cortex-a9-musl [ 7/45]: OK
br-arm-cortex-m4-full [ 8/45]: SKIPPED
br-arm-full [ 9/45]: OK
br-arm-full-nothread [10/45]: SKIPPED
br-arm-full-static [11/45]: SKIPPED
br-i386-pentium4-full [12/45]: OK
br-i386-pentium-mmx-musl [13/45]: OK
br-m68k-5208-full [14/45]: SKIPPED
br-m68k-68040-full [15/45]: SKIPPED
br-microblazeel-full [16/45]: SKIPPED
br-mips32r6-el-hf-glibc [17/45]: OK
br-mips64-n64-full [18/45]: OK
br-mips64r6-el-hf-glibc [19/45]: OK
br-mipsel-o32-full [20/45]: OK
br-nios2-glibc [21/45]: SKIPPED
br-openrisc-uclibc [22/45]: SKIPPED
br-powerpc-603e-basic-cpp [23/45]: SKIPPED
br-powerpc64le-power8-glibc [24/45]: OK
br-powerpc64-power7-glibc [25/45]: OK
br-powerpc-e500mc-full [26/45]: SKIPPED
br-riscv32 [27/45]: OK
br-riscv64 [28/45]: OK
br-riscv64-musl [29/45]: OK
br-sh4-full [30/45]: SKIPPED
br-sparc64-glibc [31/45]: SKIPPED
br-sparc-uclibc [32/45]: SKIPPED
br-x86-64-core2-full [33/45]: OK
br-x86-64-musl [34/45]: OK
br-xtensa-full [35/45]: SKIPPED
linaro-aarch64-be [36/45]: OK
linaro-aarch64 [37/45]: OK
linaro-arm [38/45]: OK
sourcery-arm-armv4t [39/45]: OK
sourcery-arm [40/45]: OK
sourcery-arm-thumb2 [41/45]: OK
sourcery-mips64 [42/45]: OK
sourcery-mips [43/45]: OK
sourcery-nios2 [44/45]: SKIPPED
sourcery-x86-64 [45/45]: OK
45 builds, 18 skipped, 0 build failed, 0 legal-info failed
Fixes:
http://autobuild.buildroot.net/results/ead663b4b67b0b57ed003a46db3182d95cc01bc0/
(and many similar build failures)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Binary diff and patch using the BSDIFF4-format.
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump to a later version of ATF and cleanup the Python
configuration. Previously this configuration had to work around Python
3 issues with OP-TEE. Now this relies on OP-TEE properly building
itself with host-python3.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Recent versions of OP-TEE depend on Python 3. Currently, OP-TEE is
building with the Python interpreter provided by the user. This patch
includes an upstream patch that makes the interpreter configurable,
and makes use of this configuration with host-python3.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package will ensure that pycryptodomex is built for Python 3.
Comments in both python-pycryptodome and python3-pycryptodomex are
added to ensure they stay in sync.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The luabitop package is only available with Lua 5.1. LuaJIT, Lua 5.3
or more recent versions of Lua have this functionality built-in.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In preparation for the introduction of Lua 5.4, clarify the dependency
of luabitop: it only makes sense when used with Lua 5.1.
Also update the comment to no longer mention Lua 5.2, since we don't
support Lua 5.2 in Buildroot anymore.
Note that as explained in https://luajit.org/extensions.html, LuaJit
already implements luabitop functions, so luabitop is really for Lua
5.1 only, not for all Lua interpreters that implemented the 5.1 ABI.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
setools needs python3 since version 4.2.0 and
e292a77c52
However today in Buildroot, when no target python is selected, or when
BR2_PACKAGE_PYTHON=y, all host python modules are installed for
host-python, i.e Python 2. But this module won't install in Python 2,
so let's force its host variant to be installed with Python 3 on the
host. Of course, for that to work, its dependency must also be built
for host-python3, so we change it to the newly introduced
host-python3-cython package.
Fixes:
- http://autobuild.buildroot.org/results/c2febcea5fbd8a21709721524ae9e9b5fc0896f9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The host-setools package needs to be built for the host-python3, even
when the target Python is not necessarily Python 3.x. Since it depends
on host-python-cython, we need a Python 3 variant of it, which this
patch introduces.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The new version requires extra features in the toolchain and won't
build with a specific gcc bug, therefore two new toolchain options are
added as dependencies:
* !BR2_TOOLCHAIN_HAS_GCC_BUG_64735
* BR2_TOOLCHAIN_HAS_UCONTEXT
Signed-off-by: Koen Martens <gmc@sonologic.nl>
Reviewed-by: Joel Carlson <JoelsonCarl@gmail.com>
Tested-by: Joel Carlson <JoelsonCarl@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Changelog of this bugfix release:
https://www.php.net/ChangeLog-7.php#7.4.9
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
bluez-utils has been removed, so use bluez5-utils instead for the
microchip_sama5d27-wlsom1_ek_mmc_dev configuration, to avoid a build
failure due to legacy options being selected.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/674934030
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Remove patch that is no longer needed as of upstream commit
1c33be992e8120abd20add8021e4d91d226f5b6a which removed the old VM.
We need to add an exclusion rule for guile modules to check-bin-arch
as they appear as valid ELF binaries but with an architecture of
"None".
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Thomas:
- bump to 3.0.4
- rework how check-bin-arch excludes checking the Guile .go files]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit bumps stress-ng version to 0.11.17.
This version includes the patch that fixes musl build at commit
03416938871388243d28621f4b59ce532231f11c, and also fixes a
"Invalid syntax in conditional" build error in a Makefile.
Signed-off-by: Alejandro González <alejandro.gonzalez.correo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>