Fixes the following security issue:
- CVE-2023-28882: Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows
a denial of service (worker crash and unresponsiveness) because some inputs
cause a segfault in the Transaction class for some configurations.
https://security-tracker.debian.org/tracker/CVE-2023-28882
- Drop 0003-Revert-Fix-maxminddb-link-on-FreeBSD.patch, handling of libmaxminddb
was fixed upstream in d2b700d
- Drop 0004-build-pcre.m4-fix-build-without-pcre.patch, handling of PCRE was
fixed upstream in 791964a
Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a1e0e7276c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is no such thing as a BR2_TARGET_GENERIC_TTY_PATH variable. The
comment here should mention BR2_TARGET_GENERIC_GETTY_PORT instead.
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e0ff6ad7ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.19.12 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler.
Fixes CVE-2023-29409: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server to
expend significant CPU time verifying signatures. Limit this by restricting the
size of RSA keys transmitted during handshakes to <= 8192 bits.
Based on a survey of publicly trusted RSA keys, there are currently only three
certificates in circulation with keys larger than this, and all three appear to
be test certificates that are not actively deployed. It is possible there are
larger keys in use in private PKIs, but we target the web PKI, so causing
breakage here in the interests of increasing the default safety of users of
crypto/tls seems reasonable.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit [1], the testsuite build is unconditionally disabled
although we have the option BR2_PACKAGE_XENOMAI_TESTSUITE to
install Xenomai testsuite on the target.
Handle --disable-testsuite option with BR2_PACKAGE_XENOMAI_TESTSUITE.
[1] 74196b7d05
Signed-off-by: Pierre Ficheux <pierre.ficheux@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bc9a8ef111)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch 0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch
should have been deleted as part of Buildroot commit
08792a60df ("package/sysdig: bump to
version 0.29.3"). Indeed, this patch was merged upstream as commit
114436c1a45142ef73acfc2607fbc6572782160f between 0.29.2 and 0.29.3.
This fixes the following build failure:
Applying 0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch using patch:
patching file cmake/modules/nlohmann-json.cmake
Reversed (or previously applied) patch detected! Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file cmake/modules/nlohmann-json.cmake.rej
There are no autobuilder failures, probably because getting to build
sysdig requires so many special conditions that it never triggered.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e434d8a29f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 9079079092 (utils/docker-run: fix support for git-worktrees)
got last-minute changes when it was applied, and the case when the
current working directory is not the top of the current working copy
got broken.
Fix that by duplicating (and thus reinstating) the 'cd MAIN_DIR' to
match what is done when retrieving the git-common-dir.
Fixes: 9079079092
Reported-by: Brandon Maier <Brandon.Maier@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5b559109ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The cmocka package checks if a toolchain supports the
-fstack-clash-protection compiler flag, and if it does automatically
uses it. That flag is not supported by GCC for Thumb1 builds (at least
as of both GCC 11 and GCC 12). Let's tell cmocka about this by passing
-DWITH_STACK_CLASH_PROTECTION=OFF in this configuration, as suggested
by Arnout Vandecappelle.
Fixes:
http://autobuild.buildroot.net/results/4044b3a71d3130d934c7a7c0c5badfabb2a97030/
Signed-off-by: Joel Carlson <JoelsonCarl@gmail.com>
[Thomas: change the initial patch from Joel to use the suggestion from
Arnout]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5622c76bf4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Current versions of sam-ba are 64bit only.
objdump -p $(HOST_DIR)/bin/sam-ba
$(HOST_DIR)/bin/sam-ba: file format elf64-x86-64
Signed-off-by: Daniel Lang <d.lang@abatec.at>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 71b5ea4030)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It was a leftover from the copy-and-paste of the readme.txt file of its
almost twin sister BSH SMM S2 PRO.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Reviewed-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d4f23da67e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The bind package exhibits gcc bug 101737 when built for the SH4
architecture with optimization enabled, which causes a build failure.
As done for other packages in Buildroot work around this gcc bug by
setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_101737=y.
To achieve this we need to correct the override of CFLAGS by using:
BIND_CONF_OPTS += CFLAGS="$(BIND_CFLAGS)"
instead of:
BIND_CONF_ENV = BUILD_CFLAGS"$(BIND_CFLAGS)"
since the latter doesn't work as expected and doesn't override CFLAGS.
Fixes:
http://autobuild.buildroot.net/results/e7b/e7b9a4cbee8bb16431609182b96d1ac1ccec10e7/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 105e3b34be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The docker-run script attempts to support git-new-workdirs and
git-worktrees by resolving the symlink at '$GIT_DIR/config' to get the
true $GIT_DIR. However this does not work for git-worktrees as they do
not use symlinks, instead they change the $GIT_DIR into a regular file
that contains the path to the real $GIT_DIR. To complicate things
further, we actually want the $GIT_COMMON_DIR which is the superset of a
worktree's $GIT_DIR.
git-rev-parse supports the '--git-common-dir' which will resolve the
$GIT_COMMON_DIR for us. However it does not work for git-new-workdirs,
so we still need to detect and handle them.
'--git-common-dir' also appeared only with git 2.10.0, released in 2016,
so it will not be available in older "enterprise-grade" distributions.
In that case, 'git rev-parse --git-common-dir' would return the option
flag '--git-common-dir' as-is, which is incorrect. So, we instruct it to
never return flags.
'--git-common-dir' also returns just '.git' for the main working copy,
but 'docker run' want an absolute path, so we canonicalise it.
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
[yann.morin.1998@free.fr:
- support git versions before --git-common-dir was introduced
- don't mount GIT_DIR if unknown (i.e. not needed)
- fix expanding MAIN_DIR
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9079079092)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a bug present since v0.3.3 that causes extremely slow writes to
NOR flashes.
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit be57403d04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure:
/tmp/ccqcLrVb.s:4053: Error: selected processor does not support `umlal r2,r1,r0,r3' in Thumb mode
/tmp/ccqcLrVb.s:4076: Error: selected processor does not support `umlal r0,r3,r1,r2' in Thumb mode
/tmp/ccqcLrVb.s:8644: Error: selected processor does not support `umlal r0,r3,r2,r4' in Thumb mode
Fixes:
http://autobuild.buildroot.net/results/1d09a0a58cbc1712416de746d57d4532df580673/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 73ddf7bf50)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
LICENSE file hash changed, due to year update.
For change log, see:
https://github.com/esnet/iperf/blob/3.13/RELNOTES.md#iperf-313-2023-02-16
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 06fa870d7e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Backport upstream patch to fix build error seens with alsa-lib:
error.c:(.text+0x12c): undefined reference to `__tls_get_addr'
Fixes:
http://autobuild.buildroot.net/results/525ca7fe78015168c186ffda5fa52c0edb2071c9/
The fix is included in gcc 13.x.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4ce0dacb60)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfixes and updates.
https://github.com/containerd/containerd/releases/tag/v1.6.22
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 718c4972c6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The seatd service was changed to use the "seat" group in version 0.6.0:
5535c2c3b1
In buildroot we updated seatd past version 0.6.0 in commit:
c54f85ca0d
However we forgot to fix the group name when doing so.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 50a8d8330b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When building a fip firmware (BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y), the
TF-A build recipe starts by building the host program fiptool with the
proper build environment variables. Then the main TF-A target firmware
build step takes place, with the expectation that the fiptool program will
be used under the hood if necessary.
In TF-A, the build recipe for the host program fiptool has subtly changed
after v2.7, in commit cf2dd17ddda2 ("refactor(security): add OpenSSL 1.x
compatibility"). This change has the effect to force re-linking fiptool
each time.
If we try to build with Buildroot a fip firmware with a TF-A version after
v2.7 comprising the aforementioned change, the fiptool program is forcibly
re-linked during the main firmware build step. This happens without the
proper build environment variables and consequently, if openssl is not
installed on the host, the libcrypto shared library will not be found by
the linker and the link will fail with the following error:
/usr/bin/ld: cannot find -lcrypto: No such file or directory
A patch has been integrated into TF-A to avoid re-linking fiptool when not
necessary, which should solve the problem starting with version v2.10. Add
that patch in Buildroot for versions v2.8 and v2.9, to repair the build in
the cases described above.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4664845767
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
Cc: Sergey Matyukevich <geomatsi@gmail.com>
[yann.morin.1998@free.fr:
- don't use symlink in v2.9, just copy patch
- fix numbering in v2.8 which now has two patches
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f3597910cf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The fragments provided by toolchains.bootlin.com were incorrectly
flagging toolchains as not having OpenMP support while they had it
[0]. This has been fixed in toolchains.bootlin.com, so a run of
gen-bootlin-toolchains has allowed to adjust the toolchain definitions
in Buildroot, leading to this commit.
OpenMP support needs to be flagged so the proper libraries get copied
into the resultant filesystem to avoid missing dependencies [1].
[0]: https://github.com/bootlin/toolchains-builder/issues/60
[1]: https://bugs.busybox.net/show_bug.cgi?id=15634
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 746ac56850)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The wiiuse code force an out-of-tree build:
https://github.com/supertuxkart/stk-code/blob/master/lib/wiiuse/cmake/cmake-4.0.0-modules/RequireOutOfSourceBuild.cmake#L41
Fixes a build error not yet caught by the autobuilders:
-- Configuring WiiUse version 0.15.5
CMake Error at lib/wiiuse/cmake/cmake-4.0.0-modules/RequireOutOfSourceBuild.cmake:41 (message):
You must set a binary directory that is different from your source
directory. You might consider
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d1e79b4c95)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since upstream Linux commit 6898e60f709b0047206110d3ec9f4612210e3ff7
("perf build: If libtraceevent isn't present error the build") present
in Linux 6.4 and newer, Linux will fail to build if libtraceevent is not
present. Since we do not currently have support for libtracevent in
buildroot, pass NO_LIBTRACEVENT=1 to get perf to build again.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b4ab45a5c1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, module libraries have a suffix based on cpython version + host
architecture: this is fine for a native compile when these libraries are used on
the same computer (or similar computers). But when target architecture is not
the same python is unable to find libraries due to the wrong suffix and produces
unclear errors messages:
# python3
Python 3.11.3 (main, Jun 19 2023, 14:15:44) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from gnuradio import blocks
Traceback (most recent call last):
File "/home/xxx/buildroot/output/build/gnuradio-3.10.4.0/gr-blocks/python/blocks/__init__.py", line 18, in <module>
ModuleNotFoundError: No module named 'gnuradio.blocks.blocks_python'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/xxx/buildroot/output/build/gnuradio-3.10.4.0/gr-blocks/python/blocks/__init__.py", line 22, in <module>
ModuleNotFoundError: No module named 'gnuradio.blocks.blocks_python'
>>>
By adding _PYTHON_SYSCONFIGDATA_NAME="$(PKG_PYTHON_SYSCONFIGDATA_NAME)" at configure time, sysconfig will
return correct informations (target architecture) instead of host architecture.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e22b450692)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2023-30630: Dmidecode before 3.5 allows -dump-bin to overwrite a
local file: https://nvd.nist.gov/vuln/detail/CVE-2023-30630
For change log, see:
https://git.savannah.gnu.org/cgit/dmidecode.git/tree/NEWS?h=dmidecode-3-5
Note: this patch also adds a comment about pgp signature verification in
the hash file.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c97f27283b)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
