Fixes CVE-2018-10906 - In fuse before versions 2.9.8 and 3.x before 3.2.5,
fusermount is vulnerable to a restriction bypass when SELinux is active.
This allows non-root users to mount a FUSE file system with the
'allow_other' mount option regardless of whether 'user_allow_other' is set
in the fuse configuration. An attacker may use this flaw to mount a FUSE
file system, accessible by other users, and trick them into accessing files
on that file system, possibly causing Denial of Service or other unspecified
effects.
And additionally:
- libfuse no longer segfaults when fuse_interrupted() is called outside the
event loop.
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount options
must now match a hard-coded whitelist. It is expected that this whitelist
covers all regular use-cases.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
u-boot 2018.01 now fails to build with the following error:
CC arch/arm/lib/asm-offsets.s
In file included from /builds/buildroot.org/buildroot/output/host/include/libfdt.h:54:0,
from /builds/buildroot.org/buildroot/output/build/uboot-2018.01/scripts/dtc/libfdt/fdt.c:54:
/builds/buildroot.org/buildroot/output/host/include/libfdt_env.h:82:24: error: redefinition of 'fdt16_to_cpu'
static inline uint16_t fdt16_to_cpu(fdt16_t x)
^~~~~~~~~~~~
In file included from /builds/buildroot.org/buildroot/output/build/uboot-2018.01/scripts/dtc/libfdt/fdt.c:51:0:
/builds/buildroot.org/buildroot/output/build/uboot-2018.01/scripts/dtc/libfdt/libfdt_env.h:81:24: note: previous definition of 'fdt16_to_cpu' was here
static inline uint16_t fdt16_to_cpu(fdt16_t x)
https://gitlab.com/buildroot.org/buildroot/-/jobs/88314891
Fix it by bumping the u-boot version to 2018.07.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
u-boot 2018.05 now fails to build with the following error:
HOSTCC scripts/dtc/flattree.o
In file included from /builds/buildroot.org/buildroot/output/host/include/libfdt.h:54:0,
from /builds/buildroot.org/buildroot/output/build/uboot-2018.05/scripts/dtc/libfdt/fdt.c:54:
/builds/buildroot.org/buildroot/output/host/include/libfdt_env.h:82:24: error: redefinition of 'fdt16_to_cpu'
static inline uint16_t fdt16_to_cpu(fdt16_t x)
^~~~~~~~~~~~
In file included from /builds/buildroot.org/buildroot/output/build/uboot-2018.05/scripts/dtc/libfdt/fdt.c:51:0:
/builds/buildroot.org/buildroot/output/build/uboot-2018.05/scripts/dtc/libfdt/libfdt_env.h:81:24: note: previous definition of 'fdt16_to_cpu' was here
static inline uint16_t fdt16_to_cpu(fdt16_t x)
^~~~~~~~~~~~
https://gitlab.com/buildroot.org/buildroot/-/jobs/88314886
Fix it by bumping the u-boot version to 2018.07.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit replaces the loop copying out-of-tree DTS into the kernel
tree by a make foreach loop instead of a shell for loop. This allows
to error out if one of the DTS file cannot be copied (for example if
it doesn't exist).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
coroutine module does use chrono directly:
./libs/coroutine/performance/asymmetric/segmented/Jamfile.v2: <library>/boost/chrono//boost_chrono
./libs/coroutine/performance/asymmetric/Jamfile.v2: <library>/boost/chrono//boost_chrono
./libs/coroutine/performance/symmetric/segmented/Jamfile.v2: <library>/boost/chrono//boost_chrono
./libs/coroutine/performance/symmetric/Jamfile.v2: <library>/boost/chrono//boost_chrono
So put back select of chrono for coroutine
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The bzip.org website is down. Use the Buildroot backup download site.
Remove the website link as there is no clear alternative upstream at
this point.
https://lwn.net/Articles/762264/
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
chrono is selected by thread (see libs/thread/build/Jamfile.v2):
rule usage-requirements ( properties * )
{
[...]
result += <library>/boost/chrono//boost_chrono ;
}
So add this select for BR2_PACKAGE_BOOST_THREAD and remove it from
BR2_PACKAGE_BOOST_COROUTINE, BR2_PACKAGE_BOOST_LOG,
BR2_PACKAGE_TYPE_ERASURE and BR2_PACKAGE_BOOST_WAVE
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Retrieve correct appversion.default (9700) from upstream
Without this patch, the wrong version is displayed in the web ui and
when the user checks for an update, domoticz wrongly says that a new
version is available
This issue was reported by an email from Eyal Eshed <eeshed@coldroll.ca>
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Release notes: https://www.samba.org/samba/history/samba-4.8.4.html
Fixes
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
o CVE-2018-10858 (Insufficient input validation on client directory
listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
server.)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As explained in pkg-generic.mk, all variable references inside the
inner-xxx-package should use $$(...). Otherwise, they are evaluated
too early, and will not contain the expected value. In the content of
the pkg-golang infrastructure, the <pkg>_SRC_DOMAIN, <pkg>_SRC_VENDOR
and <pkg>_SRC_SOFTWARE variables were not properly escaping their
reference to the $$($(2)_SITE) variable.
This was not visible until now, as only target Go packages were
supported, where $(2)_SITE was always defined prior to this macro
being expanded. With the upcoming support of host Go packages, we need
to fix this, as $(2)_SITE may be defined later, inherited from
$(3)_SITE.
Signed-off-by: Mirza Krak <mirza.krak@northern.tech>
[Thomas: rework commit log.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes [1]:
make[2]: Entering directory '.../build/qt5serialbus-5.11.1/examples'
Some of the required modules (qtHaveModule(widgets)) are not available.
Skipped.
[...]
cp -dpfr .../host/mips64el-buildroot-linux-gnu/sysroot/usr/lib/qt/examples/serialbus .../target/usr/lib/qt/examples/
cp: cannot stat '.../host/mips64el-buildroot-linux-gnu/sysroot/usr/lib/qt/examples/serialbus': No such file or directory
[1] http://autobuild.buildroot.net/results/147809b5f8758af935bee48c0fc83fd86a8509e9
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When using uclibc libdevmapper.so was calling dm_task_get_info_base()
function recursively, leading to segmentation fault. This was
happening because uclibc linker loader just takes first existing
'dm_task_get_info' (which is 'dm_task_get_info_base') symbol in elf
binary, instead of default version.
Add upstreamable lvm2 patch [1], which introduces
--enable-symvers[=STYLE] switch. Use that switch to disable symbol
versions, as we do not plan to support binaries compiled against
old libdevmapper library.
Fixes bug #10781.
[1] https://www.redhat.com/archives/dm-devel/2018-July/msg00187.html
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Problem starting lighttpd application with systemd.
/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
2018-06-22 11:21:34: (server.c.733) opening errorlog '/var/log/lighttpd-error.log' failed: Permission denied
2018-06-22 11:21:34: (server.c.1420) Opening errorlog failed. Going down.
Lighttpd can not write the 'lighttpd-access.log' and 'lighttpd-error.log' files
to the directory '/var/log/'.
When using systemd the directory '/var/log' does not allow the user www-data to
write.
To correct the problem, we add /usr/lib/tmpfiles.d/lighttpd.conf.
This file create the 'lighttpd-access.log' and 'lighttpd-error.log' files with
the permission
Signed-off-by: Laurent Hartanerot <laurent.hartanerot@atos.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes [1]:
../3rdparty/double-conversion/include/double-conversion/utils.h:81:2: error: #error Target architecture was not detected as supported by Double-Conversion.
#error Target architecture was not detected as supported by Double-Conversion.
[1] http://autobuild.buildroot.net/results/1fe2be0f26e5b92db57a5cfb5646dd253b731a5c
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
ATF in version 1.2 fails to build with:
./build/juno/release/bl1/context_mgmt.o: In function `cm_prepare_el3_exit':
context_mgmt.c:(.text.cm_prepare_el3_exit+0x54): undefined reference to `cm_set_next_context'
context_mgmt.c:(.text.cm_prepare_el3_exit+0x54): relocation truncated to fit: R_AARCH64_JUMP26 against undefined symbol `cm_set_next_context'
This has been fixed in ATF v1.3. Even though there are even newer
versions of ATF available, we take a conservative approach, and bump
to the first version that has the build issue fixed.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/88314771
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
512B is not a correct size to express "512 bytes", and causes a
genimage failure:
ERROR: Invalid size suffix 'B' in '512B'
To express "512 bytes", using just "512" is sufficient. With this
commit, genimage works fine, and we indeed have a 512 bytes unused
partition:
$ fdisk -l output/images/sdcard.img
Disk output/images/sdcard.img: 60 MiB, 62915584 bytes, 122882 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Sectors Size Id Type
output/images/sdcard.img1 1 1 1 512B 0 Empty
output/images/sdcard.img2 2 524289 524288 256M 83 Linux
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/88314963
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In commit 2cdfa6c849 ("synopsys/axs10x:
Update /etc/inittab by post-build"), two Synopsys platforms were
changed to use a post-build script adding an extra getty in the
inittab instead of a rootfs overlay containing a custom
inittab. However, in this commit, configs/snps_archs38_vdk_defconfig
was not changed, even though it was using the same rootfs overlay.
This commit therefore adjusts configs/snps_archs38_vdk_defconfig to
also use the newly introduced post-build script, fixing the build of
configs/snps_archs38_vdk_defconfig.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/88314952
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The default size of the ext4 filesystem is no longer sufficient to
hold all the kernel modules built by the RPi Linux kernel
configuration. Let's increase to 120 MB, like we did for
raspberrypi3_defconfig.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/88314938
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With some "old" toolchains (glibc, uclibc in version 4.9.4, 5.3, 5.4,
5.5 ...), the following error is raised by the compiler:
../src/screen.cxx:60:29: required from here
/usr/lfs/v0/rc-buildroot-test/scripts/instance-1/output/host/opt/ext-toolchain/mips-linux-gnu/include/c++/5.3.0/ext/new_allocator.h:120:4:
error: no matching function for call to 'std::pair<const screen_functions* const, std::unique_ptr<Page> >::pair(const screen_functions*, Page*)'
[...]
/usr/lfs/v0/rc-buildroot-test/scripts/instance-1/output/host/opt/ext-toolchain/mips-linux-gnu/include/c++/5.3.0/bits/stl_pair.h:112:26:
note: candidate: constexpr std::pair<_T1, _T2>::pair(const _T1&, const _T2&) [with _T1 = const screen_functions* const; _T2 = std::unique_ptr<Page>]
_GLIBCXX_CONSTEXPR pair(const _T1& __a, const _T2& __b)
^
/usr/lfs/v0/rc-buildroot-test/scripts/instance-1/output/host/opt/ext-toolchain/mips-linux-gnu/include/c++/5.3.0/bits/stl_pair.h:112:26:
note: no known conversion for argument 2 from 'Page*' to 'const std::unique_ptr<Page>&'
This is due to the fact that init function of screen_functions
structure returns Page* but PageMap wants a std::unique_ptr<Page>
To fix this, cast raw pointer into a unique_ptr with an explicit cast
Fixes:
- http://autobuild.buildroot.net/results/d8a7339d8bdd5cdc6bd1716585d4bcf15a2e8015
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
As noted by Arnout in [1], the logic in mesa3d-headers.mk generates a
bogus dri.pc file, which looks like this:
prefix=/usr
exec_prefix=/usr
libdir=/lib
includedir=/include
dridriverdir=/dri
Indeed, the ${...} are expanded as shell variables when the sed
command is executed, while the intention is that those ${...} should
go in the .pc file. By escaping those using $${...}, we get the
expected .pc file:
prefix=/usr
exec_prefix=/usr
libdir=${exec_prefix}/lib
includedir=${prefix}/include
dridriverdir=${libdir}/dri
This was detected by the not yet committed check-package improvement
from Ricardo that detects bogus ${...} usage to reference make
variables.
[1] http://lists.busybox.net/pipermail/buildroot/2018-July/225402.html
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes configure warning:
checking for SPEEX... yes
checking for SPEEXDSP... no
configure: WARNING: Package speexdsp was not found in the pkg-config search path.
Perhaps you should add the directory containing `speexdsp.pc'
to the PKG_CONFIG_PATH environment variable
Package 'speexdsp', required by 'world', not found.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently makedevs silently ignores extended attributes with leading
whitespace, for example those added to a <PACKAGE>_PERMISSIONS following
the recommended style from check-package.
Makedevs already ignores leading whitespace for normal entries (file
permission changes and device files creation). Do the same for extended
attributes.
Fixes: #11191.
Reported-by: Jean-pierre Cartal <jpcartal@free.fr>
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit b35ad5d0b4 (ncurses: make host-ncurses use host terminfo), we
are now pointing host-ncurses to the host terminfo (typically) located in
/usr/share/terminfo.
With this change we are reusing the existing host terminfo database, so
there is no point in trying to install our own on top. The user running
buildroot typically will have no write access to /usr/share/terminfo, but
tic in that case falls back to writing the database to $HOME/.terminfo.
Neither of which are desirable.
In case $HOME/.terminfo also isn't writable, tic fails, breaking the install
step for host-ncurses:
** Building terminfo database, please wait...
Running sh ./shlib tic to install /usr/share/terminfo ...
You may see messages regarding extended capabilities, e.g., AX.
These are extended terminal capabilities which are compiled
using
tic -x
If you have ncurses 4.2 applications, you should read the INSTALL
document, and install the terminfo without the -x option.
"terminfo.tmp", line 21272, terminal 'v3220': /home/peko/.terminfo: permission denied (errno 30)
To fix all of this, simply disable the terminfo database install.
Suggested-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Hollis Blanchard <hollis_blanchard@mentor.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
chrony calls getrandom() at startup if available, so it needs a workaround
for the blocking behaviour on recent (4.14.39+), similar to what was done
for util-linux in commit c4d86707cd (util-linux: add two upstream patches
to fix blocking on getrandom() with recent kernels).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
