Commit Graph

53062 Commits

Author SHA1 Message Date
Lukasz Tekieli
3c5ca644ef package/busybox: fix avahi-autoipd error message
When using a combination of udhcpc and avahi-autoipd in case of receiving IP
from a DHCP server, the following message can be seen:
"Failed to kill daemon: No such file or directory".
Add a check for a running avahi-autoipd to fix this issue.

Signed-off-by: Lukasz Tekieli <tekieli.lukasz@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-31 22:03:59 +02:00
Peter Korsgaard
b4fcf2ff58 package/avahi: disable introspection
Fixes:
http://autobuild.buildroot.net/results/b9bf7cea8be9231552a10e8ea828bf24394402ba/

Building with introspection (together with D-Bus) support currently fails.
Fixing it is not trivial, so explicitly disable introspection for now.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-31 20:38:59 +02:00
Fabrice Fontaine
607215cd91 package/rtty: fix build with mbedtls but without zlib
zlib is not mandatory with mbedtls, only optional, however as mbedtls
does not provide a pkg-config file, we assume that if zlib is
available, we must link with it to avoid a build failure when linking
statically with a zlib-enabled mbedtls.

This change was pushed upstream with
7b8efe11db
and is in buildroot since the bump to version 7.1.4 with commit
0c80245ddb.
However, this change will raise a build failure if ZLIB_LIBRARIES is
used when zlib is not found. This patch is fixing this build failure.

However, it should be noted that the compression support in mbedtls is
only enabled if BR2_PACKAGE_MBEDTLS_COMPRESSION=y. So we can have a
situation where mbedtls is enabled, zlib is enabled, but mbedtls is not
using zlib and as a result, since version 7.1.4, rttyt will needlessly
link with zlib in such a situation.

The only sane way to fix this is to use pkg-config, but as mbedtls
apparently doesn't provide any .pc file, we leave it as it is.

Fixes:
 - http://autobuild.buildroot.org/results/a0ebffe58bbf14cab74b7d2111d4d88a9c725273

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-31 15:20:24 +02:00
Fabrice Fontaine
f1d9589029 package/am33x-cm3: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/a991e6efa012df518ff1bb35017ad2c96c8feedc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-31 15:18:01 +02:00
Peter Korsgaard
bf27781bb1 package/docker-cli: fix version info since move to 19.03.x
Upstream changed the variables used when outputting version / git commit
info in docker version since:

 commit 04b5f44230162de40741acaa0f94c7af6f2fa1d5
 Author: Ian Campbell <ijc@docker.com>
 Date:   Tue Jan 8 15:03:51 2019 +0000

    Move versioning variables to a separate package.

    This helps to avoid circular includes, by separating the pure data out from the
    actual functionality in the cli subpackage, allowing other code which is
    imported to access the data.

    Signed-off-by: Ian Campbell <ijc@docker.com>
    Upstream-commit: 20c19830a95455e8562551aad52c715ad0807cc6
    Component: cli

Which is included in docker-cli 19.3.x - So adjust the _CLI_LDFLAGS to match
to get proper docker version output:

Client:
 Version:           19.03.11
 API version:       1.40
 Go version:        go1.13.14
 Git commit:        19.03.11

vs:

Client:
 Version:           unknown-version
 API version:       1.40
 Go version:        go1.13.14
 Git commit:        unknown-commit

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-31 15:16:47 +02:00
Julien Grossholtz
179e8390a7 package/paho-mqtt-c: bump to version 1.3.5
This is a paho-mqtt-c maintainace release. It fixes some memory leaks as
well as a potential deadlock:

https://github.com/eclipse/paho.mqtt.c/milestone/8?closed=1

Signed-off-by: Julien Grossholtz <julien.grossholtz@openest.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-31 15:16:10 +02:00
Iulian Onofrei
fef674dbf5 package/libeXosip2: fix typos in help text
Signed-off-by: Iulian Onofrei <iulian.onofrei@yahoo.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-31 09:08:04 +02:00
Iulian Onofrei
21fca042d9 package/nvidia-driver: fix typos in comments
Signed-off-by: Iulian Onofrei <iulian.onofrei@yahoo.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-31 08:41:55 +02:00
Bernd Kuhls
904c48ac07 package/stress-ng: add upstream patch to fix build failure for getresuid32
Fixes:
http://autobuild.buildroot.net/results/f13/f13d85dfec371c38229bca988cd4bffa4cb97ae5/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-08-30 20:20:55 +02:00
Fabrice Fontaine
8f2fe00f08 package/imagemagick: (security) bump to version 7.0.10-28
- Fix CVE-2019-17547: In ImageMagick before 7.0.8-62, TraceBezier in
  MagickCore/draw.c has a use-after-free.
- Fix CVE-2019-18853: ImageMagick before 7.0.9-0 allows remote attackers
  to cause a denial of service because XML_PARSE_HUGE is not properly
  restricted in coders/svg.c, related to SVG and libxml2.
- Update hash of LICENSE file (update in year with
  f775a5cf27)
- Update indentation in hash file (two spaces)
- Switch to github helper - it has always been an autogenerated archive.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: use github helper]
2020-08-30 19:03:43 +02:00
Yann E. MORIN
94bb89ad57 package/pkg-kconfig: quote HOSTCC_NOCCACHE
HOSTCC may contain spaces, so needs to be quoted.

Most of the places where it is already quoted use double-quotes, so we
use that.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-08-30 18:33:39 +02:00
Fabrice Fontaine
d441abef2b package/menu-cache: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/a97825f3c3e6245f8d1c2eb0cdb079f5dd6f1b47

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-08-30 18:26:59 +02:00
Fabrice Fontaine
d3a06c2fc4 package/graphite2: security bump to version 1.3.14
- Switch site to github, here is an extract of
  https://sourceforge.net/projects/silgraphite:
  "This project has been deprecated. Graphite2, a new version of the
  Graphite engine, is available at: https://github.com/silnrsi/graphite
  with its own bug tracker."
- graphite2 can be built statically since version 1.3.11 and
  2f143c04da
- Update indentation in hash file (two spaces)

Extract from ChangeLog:

1.3.14
    . Bug fixes
    . Allow features to be hidden (for aliases)
    . Move to python3
    . Rename doc files from .txt to .asc

1.3.13
    . Resolve minor spacing issue in rtl non-overlap kerning
    . python3 for graphite.py
    . Better fuzzing
    . Better building on windows

1.3.12
    . Graphite no longer does dumb rendering for fonts with no smarts
    . Segment caching code removed. Anything attempting to use the segment cache gets given a regular face instead
    . Add libfuzzer support
    . Builds now require C++11
    . Improvements to Windows 64 bit builds
    . Support different versions of python including 32 bit and python 3
    . Various minor bug fixes

1.3.11
    . Fixes due to security review
    . Minor collision avoidance fixes
    . Fix LZ4 decompressor against high compression

The fixes due to security review are a little bit vague, a quick search
on github seems to indicate that those issues could be related to
segcache which has been removed since version 1.3.12:
https://github.com/silnrsi/graphite/search?q=security&type=Issues
b0f77e4a9d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-08-30 18:21:11 +02:00
Yann E. MORIN
689fe66100 package/uclibc: use HOSTCC_NOCCACHE as kconfig HOSTCC
uclibc is part of the toolchain, and as such does not have a dependency
on it. As a consequence, it does not have a dependency on host-ccache,
when this is needed.

Usually, host-ccache is built before uclibc, as part of the dependency
of gcc-initial, host-binutils, and a few other host packages that are
built before uclibc.

However, during top-level parallel builds, this ordering is only ever
guaranteed at the beginning of the configure step, and not before.

But for kconfig-packages, the moment we apply the configuration to
prepare the .config file is a pseudo step that happens somewhere in
limbo between the patch step and the configure step. As such, the
build ordering that is otherwise guaranteed by the _DEPENDENCIES is not
applicable yet.

And so, with top-level parallel builds with ccache enabled, there is
nothing that guarantees host-ccache to be built and installed by the
time we are trying to generate uclibc's .config file, which can be quite
early in the build process, and thus the build fails:

    /home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/per-package/uclibc/host/bin/ccache /usr/bin/gcc /home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/build/uclibc-1.0.34/extra/config/conf.c  -c -o ../../extra/config/conf.o -Os -I/usr/include/ncursesw -DCURSES_LOC="<curses.h>"  -DNCURSES_WIDECHAR=1 -DLOCALE -DKBUILD_NO_NLS -DCONFIG_='""'   -I/usr/include/ncursesw -DCURSES_LOC="<curses.h>"  -DNCURSES_WIDECHAR=1 -DLOCALE -DKBUILD_NO_NLS -DCONFIG_='""'
    /bin/sh: 1: /home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/per-package/uclibc/host/bin/ccache: not found
    make[2]: *** [Makefile:64: ../../extra/config/conf.o] Error 127
    make[1]: *** [Makefile.in:475: extra/config/conf] Error 2
    make[1]: Leaving directory '/home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/build/uclibc-1.0.34'
    make: *** [package/uclibc/uclibc.mk:458: /home/raphael/github/ftcommunity-TXT/buildroot-rootfs/output/build/uclibc-1.0.34/.stamp_dotconfig] Error 2
    make: *** Waiting for unfinished jobs....

The root cause is that uclibc sets;

    UCLIBC_KCONFIG_OPTS = $(UCLIBC_MAKE_FLAGS) [...]

with:

    UCLIBC_MAKE_FLAGS = [...] HOSTCC="$(HOSTCC)"

And then the kconfig-package infra calls to the configurators,
menuconfig, xconfig et al, but also olddefconfig et al.. with:

    [...] $($(1)_MAKE) [...] $(PKG_KCONFIG_COMMON_OPTS) $($(1)_KCONFIG_OPTS) [...]

with (note a latent bug in there, will be fixed in another patch):

    PKG_KCONFIG_COMMON_OPTS = HOSTCC=$(HOSTCC_NOCCACHE)

So, a HOSTCC as set by a package will always win onver the one set by
the infra, which is exactly what we want.

But in this case, uclibc sets HOSTCC so that it can build its host tools
needed during the build, and in doing so uses the ccache-enabled host c
compiler. Which might not yet be available for the kconfig-package infra
to generate the .config file.

We had a similar (non-)issue for the linux package, which was fixed in
commit 71a31b2357 (linux: use HOSTCC_NOCCACHE as kconfig HOSTCC).

But here, uclibc does not have the toolchain in its dependencies (as said
earlier, uclibc *is* part of the toolchain).

Since the host compiler is only used to build very few files to generate
the simple executable needed to generate the .config file, doing without
the ccache-enabled host compiler will be amply enough.

So, we override HOSTCC in UCLIBC_KCONFIG_OPTS, to use the non-cached
host compiler.

Note that, in a first approximation, one would be tempted to change the
ordering in the kconfig-package infra:

        $($(1)_KCONFIG_OPTS) $(PKG_KCONFIG_COMMON_OPTS)

so that the non-cached HOSTCC always wins over the cached one. But this
would be incorrect, in cases where the package really needs to override
HOSTCC; indeed we want the package-provided values to always win over
the default ones providing by the infra.

Reported-by: Raphael Jacob <r.jacob2002@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 23:11:47 +02:00
Peter Korsgaard
55df8d4c85 docs/website: update for 2020.02.5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 21:55:08 +02:00
Peter Korsgaard
b13d173016 Update for 2020.02.5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6ec5f4eb71)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 21:52:14 +02:00
Peter Korsgaard
2915d1bd32 CHANGES: fix typos in 2020.08-rcX notes
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 20:38:56 +02:00
Peter Korsgaard
03b7ef2277 docs/website: update for 2020.05.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 20:37:24 +02:00
Peter Korsgaard
e11f38130b Update for 2020.05.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1549e0b607)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 20:34:43 +02:00
Fabrice Fontaine
c0126c38d6 package/domoticz: drop SYNC4 from comment
Commit 8f5a9f597e forgot to drop SYNC4
from comment

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 20:04:37 +02:00
Titouan Christophe
df15d751c7 package/mosquitto: security bump to v1.6.12
Mosquitto 1.6.11 is a bugfix release, read the whole announcement on
http://mosquitto.org/blog/2020/08/version-1-6-11-released/

Mosquitto 1.6.12 is a security and bugfix release, read
http://mosquitto.org/blog/2020/08/version-1-6-12-released/

>From the 1.6.11 changelog of the client library:
mosquitto_loop_start() now sets a thread name on Linux, FreeBSD, NetBSD,
and OpenBSD. Closes #1777.
This is done with pthread_setname_np; so mosquitto now requires
BR2_TOOLCHAIN_HAS_THREADS_NPTL when built with threading support.

2 reverse dependencies use the threaded API, but they already
depend on BR2_TOOLCHAIN_HAS_THREADS_NPTL:
* domoticz [1] (we add a comment for mosquitto)
* shairport-sync [2]

[1] https://github.com/domoticz/domoticz/blob/2020.1/main/mosquitto_helper.cpp#L344
[2] https://github.com/mikebrady/shairport-sync/blob/3.3.6/mqtt.c#L227-L229

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:31:41 +02:00
Titouan Christophe
8f5a9f597e package/{collectd, domoticz}: fix outdated dependencies for mosquitto
In 4fc62e1eb6, we removed arch/toolchain
dependencies from the mosquitto library (MMU, !STATIC, SYNC4), and moved
them to the mosquitto broker only.

All the packages modified here only need the mosquitto library, so they
shouldn't have those depends anymore; but this was never done before.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
[Peter: leave mmu/!static dependency for domoticz as it uses fork()/looks
	for libmosquitto.so]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 19:30:46 +02:00
Fabrice Fontaine
d0ac6246ca package/wolfssl: fix build with big endian
Fixes:
 - http://autobuild.buildroot.org/results/21098180d386890025ed5cdd243bf5a9b444c5cf

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 18:51:31 +02:00
Fabrice Fontaine
0947cbb470 package/haproxy: bump to version 2.2.2
Drop patch (already in version)

http://www.haproxy.org/download/2.2/src/CHANGELOG

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 18:50:21 +02:00
Fabrice Fontaine
d226d30286 package/libressl: bump to version 3.1.4
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 18:49:33 +02:00
Fabrice Fontaine
4ae517aa7a package/zbar: fix NLS build with musl
Fixes:
 - http://autobuild.buildroot.org/results/b93ce5430bf22ddda94ee30882a883348617f5b1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 18:36:58 +02:00
Fabrice Fontaine
b6466ec414 package/systemd: disable audit for host package
Disable audit for host package to avoid getting the following error if
it is found on host:

[84/662] Generating audit_type-list.txt with a meson_exe.py custom command
In file included from <command-line>:32:
./../src/basic/missing_audit.h:7:10: fatal error: libaudit.h: No such file or directory
    7 | #include <libaudit.h>
      |          ^~~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/67782c225c08387c1bbcbea9eee3ca12bc6577cd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 18:34:54 +02:00
Fabrice Fontaine
04b54138e6 package/systemd: disable cryptsetup for host package
Build with cryptsetup and without libblkid will fail on:

../src/shared/dissect-image.c:1336:34: error: 'N_DEVICE_NODE_LIST_ATTEMPTS' undeclared (first use in this function)
 1336 |         for (unsigned i = 0; i < N_DEVICE_NODE_LIST_ATTEMPTS; i++) {
      |                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~

This bug has been reported upstream:
https://github.com/systemd/systemd/pull/16901
and is not an issue for the target variant as libblkid is select by
BR2_PACKAGE_UTIL_LINUX_MOUNT

As cryptsetup does not seem needed for host-systemd, just disable it

Fixes:
 - http://autobuild.buildroot.org/results/67782c225c08387c1bbcbea9eee3ca12bc6577cd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 18:34:38 +02:00
Yann E. MORIN
5754d9c9b1 Makefile: use $(Q) instead of @ to silence target-finalize commands
As 18f6c26118 just did to silence the file lists commands, switch to
using $(Q) instead of a plain @, to silence the commands.

Using $(Q) will allow to debug the commands with V=1.

We keep @ for the calls to MESSAGE, though.

The commands that are not currently silenced are left as-is, and they
can be converted to being silent in a followup patch, if need be,

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 18:28:27 +02:00
Paul Cercueil
532fe9fb57 linux: run depmod only if modules directory exists
If the modules directory that corresponds to the version of the kernel
being built has been deleted, don't try to run depmod, which will
obviously fail.

This can happen for instance when the modules are stripped from the main
root filesystem, and placed into a separate filesystem image, so that
the root filesystem and the kernel can be updated separately.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 16:56:30 +02:00
Peter Korsgaard
b9026e83f9 fs/cpio/init: unbreak ttyname_r() on glibc after dropping /dev/console exec
Commit 98a6f1fc02 (fs/cpio: make initramfs init script survive 'console='
kernel argument) dropped the explicit /dev/console execs for fd 0,1,2, as
they fail when booted with console= and aren't really needed as the kernel
will setup fd 0,1,2 from /dev/console before executing the initramfs anyway.

Not doing this unfortunately confuses glibc's ttyname_r(3) implementation
(used by E.G.  busybox/coreutils 'tty'), causing it to fail with ENOENT as
it does a fstat on fd 0 and tries to match up st_ino / st_dev against the
entries in /dev (since glibc 2.26):

 commit 15e9a4f378c8607c2ae1aa465436af4321db0e23
 Author: Christian Brauner <christian.brauner@canonical.com>
 Date:   Fri Jan 27 15:59:59 2017 +0100

    linux ttyname and ttyname_r: do not return wrong results

    If a link (say /proc/self/fd/0) pointing to a device, say /dev/pts/2, in a
    parent mount namespace is passed to ttyname, and a /dev/pts/2 exists (in a
    different devpts) in the current namespace, then it returns /dev/pts/2.
    But /dev/pts/2 is NOT the current tty, it is a different file and device.

    Detect this case and return ENODEV.  Userspace can choose to take this as a hint
    that the fd points to a tty device but to act on the fd rather than the link.

    Signed-off-by: Serge Hallyn <serge@hallyn.com>
    Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

The reason it fails is that we manually mount devtmpfs on /dev in /init, so
the /dev/console used by the kernel (in rootfs) is not the same file as
/dev/console at runtime (in devtmpfs).

Notice: Once logged in, tty does work correctly.  Presumably login reopens
stdin/stdout/stderr.

To fix this, re-add the exec of /dev/console for fd 0,1,2, but only do so if
possible.  Because of the above mentioned shell behaviour (specified by
POSIX [0]), perform this check in a subshell.

[0] https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_20_01

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 16:32:33 +02:00
Fabrice Fontaine
4c2532fc8b package/lxc: bump to version 4.0.4
- Bug fix release: https://linuxcontainers.org/fr/lxc/news
- Drop patch (already in version)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 16:03:15 +02:00
Fabrice Fontaine
35ebee6510 package/postgresql: security bump to version 12.4
- Fix CVE-2020-14349: It was found that PostgreSQL versions before 12.4,
  before 11.9 and before 10.14 did not properly sanitize the search_path
  during logical replication. An authenticated attacker could use this
  flaw in an attack similar to CVE-2018-1058, in order to execute
  arbitrary SQL command in the context of the user used for replication.
- Fix CVE-2020-14350: It was found that some PostgreSQL extensions did
  not use search_path safely in their installation script. An attacker
  with sufficient privileges could use this flaw to trick an
  administrator into executing a specially crafted script, during the
  installation or update of such extension. This affects PostgreSQL
  versions before 12.4, before 11.9, before 10.14, before 9.6.19, and
  before 9.5.23.

https://www.postgresql.org/docs/12/release-12-4.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 16:00:35 +02:00
Fabrice Fontaine
f5919b6059 package/mongodb: security bump to version 4.2.9
SERVER-47733 SymmetricEncryptorWindows shouldn’t pad when update is
called

https://docs.mongodb.com/manual/release-notes/4.2-changelog/#id1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-29 16:00:11 +02:00
Thomas Petazzoni
18f6c26118 Makefile: hide commands that build the package file lists at end of build
Since commit 0e2be4db8a
("package/pkg-generic: make file list logic parallel build
compatible"), the commands executed at the every end of the build
to assemble the list of files installed by the different packages
are visible in the make output. They are quite noisy, and clutter
the output.

The other commands in target-finalize are also hidden using "@",
so we should also do the same for those commands. But that hurts
debuggability, so we use $(Q) (the existing '@'s can be changed
in a followup patch).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: use '$(Q)', not '@']
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 14:33:21 +02:00
Peter Korsgaard
71ac106bb3 package/squid: security bump to version 4.13
Fixes the following security issues:

CVE-2020-15810: HTTP(S) Request Smuggling
Due to incorrect data validation Squid is vulnerable to HTTP Request
Smuggling attacks against HTTP and HTTPS traffic.  This leads to cache
poisoning.
https://github.com/squid-cache/squid/security/advisories/GHSA-3365-q9qx-f98m

CVE-2020-15811: HTTP(S) Request Splitting
Due to incorrect data validation Squid is vulnerable to HTTP Request
Splitting attacks against HTTP and HTTPS traffic.  This leads to cache
poisoning.
https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv

CVE-2020-24606: Denial of Service processing Cache Digest Response
Due to Improper Input Validation Squid is vulnerable to a Denial of Service
attack against the machine operating Squid.
https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 12:03:45 +02:00
Fabrice Fontaine
0ed8bf6d2b package/wolfssl: security bump to version 4.5.0
wolfSSL version 4.5.0 contains 6 vulnerability fixes: 2 fixes for TLS 1.3,
2 side channel attack mitigations, 1 fix for a potential private key leak
in a specific use case, 1 fix for DTLS including those 3 CVEs:

- Fix CVE-2020-12457: An issue was discovered in wolfSSL before 4.5.0.
  It mishandles the change_cipher_spec (CCS) message processing logic
  for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a
  crafted way involving more than one in a row, the server becomes stuck
  in the ProcessReply() loop, i.e., a denial of service.
- Fix CVE-2020-15309: An issue was discovered in wolfSSL before 4.5.0,
  when single precision is not employed. Local attackers can conduct a
  cache-timing attack against public key operations. These attackers may
  already have obtained sensitive information if the affected system has
  been used for private key operations (e.g., signing with a private
  key).
- Fix CVE-2020-24585: An issue was discovered in the DTLS handshake
  implementation in wolfSSL before 4.5.0. Clear DTLS application_data
  messages in epoch 0 do not produce an out-of-order error. Instead,
  these messages are returned to the application.

Also update hash of LICENSING as well as WOLF_LICENSE due to later
verbage update with
970391319b

https://www.wolfssl.com/docs/security-vulnerabilities/

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 10:36:52 +02:00
Fabrice Fontaine
753d01ac56 package/wireshark: security bump to version 3.2.6
Fix CVE-2020-17498: In Wireshark 3.2.0 to 3.2.5, the Kafka protocol
dissector could crash. This was addressed in
epan/dissectors/packet-kafka.c by avoiding a double free during LZ4
decompression.

https://www.wireshark.org/security/wnpa-sec-2020-10.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-29 10:36:50 +02:00
Fabrice Fontaine
5739453eac package/chocolate-doom: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/02828f2d9956d1e3727774b5045790aa3611428d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-29 00:09:40 +02:00
Fabrice Fontaine
452db3f521 package/bluez-tools: fix build with gcc 10
Fixes:
 - http://autobuild.buildroot.org/results/2641cea0483c5f6b65ece8016d546ee9bea0d7d1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 23:53:15 +02:00
Peter Korsgaard
8679866508 Update for 2020.08-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 23:10:20 +02:00
Peter Korsgaard
aa70a16caf package/glibc: security bump for additional post-2.31.x fixes
Fixes the following security issue:

  CVE-2016-10228: An infinite loop has been fixed in the iconv program when
  invoked with the -c option and when processing invalid multi-byte input
  sequences.  Reported by Jan Engelhardt.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 22:57:25 +02:00
Fabrice Fontaine
79f41c3e72 package/openal: needs gcc >= 4.9
openal uses std::max_align_t since version 1.20.0 and
585b0cf3be

As a result, it is affected by
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56019
and the build with gcc <= 4.8 will fail on:

/home/buildroot/autobuild/instance-2/output-1/build/openal-1.20.1/common/almalloc.cpp: In function 'void* al_malloc(size_t, size_t)':
/home/buildroot/autobuild/instance-2/output-1/build/openal-1.20.1/common/almalloc.cpp:20:45: error: 'max_align_t' is not a member of 'std'
     alignment = std::max(alignment, alignof(std::max_align_t));
                                             ^

Fixes:
 - http://autobuild.buildroot.org/results/589c7853ce334c7502f7cd4cdbcaaf3c6840f43b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 22:56:49 +02:00
Adam Duskett
db751e2c89 package/mender: Fix incorrectly named service file
Many of the mender CLI commands use systemctl commands to get information about
the daemon, such as the PID (IE: systemctl show -p MainPID mender-client).
As seen above, these commands expect the service file to be named
"mender-client" instead of "mender."

As such, in the current state, running a forced update check in the CLI will
result in the following error:
failed to force updateCheck: could not find the PID of the mender daemon.

Changing the name of mender.service to mender-client.service fixes the issue.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 22:36:49 +02:00
Peter Korsgaard
3cf6d708e1 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 7}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 22:35:15 +02:00
Yann E. MORIN
3f6a40e9fa linux: workaround make-4.1 bug
On Ubuntu 18.04, make-4.1 emits spurious, incorrect "entering/leaving"
messages, which end up in the LINUX_VERSION_PROBED variable:

    printf 'probed linux version: "%s"\n' "$(LINUX_VERSION_PROBED)"
    probed linux version: "make[1]: Entering directory '/home/buildroot'
    4.19.78-linux4sam-6.2
    make[1]: Leaving directory '/home/buildroot/output/build/linux-linux4sam_6.2'"

First, the messages are displayed even though we do explicitly pass
--no-print-directory -s.

Second, the entering and leaving messages are not about the same
directory!

This *only* occurs in the following conditions:

  - the user has the correct 0022 umask,
  - top-level parallel is used (with or without PPD),
  - initial -C is specified as well.

    $ umask 0022
    $ make -j16 -C $(pwd)
    [...]
    depmod: ERROR: Bad version passed make[1]:
    [...]

(yes, 'make[1]:' is the string depmod is trying, and fails, to parse as
a version string).

If any of the three conditions above is removed, the problem no longer
occurs. Here's a table of the MAKEFLAGS:

                |                   0002                         |          0022            |
    ----+-------+------------------------------------------------+--------------------------+
        | no-j  | --no-print-directory --                        |                          |
    noC |       +------------------------------------------------+--------------------------+
        | -j16  | -j --jobserver-fds=3,4 --no-print-directory -- | -j --jobserver-fds=3,4   |
    ----+-------+------------------------------------------------+--------------------------+
        | no-j  | --no-print-directory --                        | w                        |
    -C  |       +------------------------------------------------+--------------------------+
        | -j16  | -j --jobserver-fds=3,4 --no-print-directory -- | w -j --jobserver-fds=3,4 |
    ----+-------+------------------------------------------------+--------------------------+

    0002: umask == 0002
    0022: umask == 0022

    no-j: no -j flag
    -j16: -j16 flag

    noC: no -C flag
    -C : -C /path/of/buildroot/

Only the bottom-right-most case fails...

This behaviour goes against what is documented:

    https://www.gnu.org/software/make/manual/make.html#g_t_002dw-Option

    5.7.4 The ‘--print-directory’ Option
    [...]
    you do not need to specify this option because ‘make’ does it for
    you: ‘-w’ is turned on automatically when you use the ‘-C’ option,
    and in sub-makes. make will not automatically turn on ‘-w’ if you
    also use ‘-s’, which says to be silent, or if you use
    ‘--no-print-directory’ to explicitly disable it.

So this exactly describes our situation; yet 'w' is added to MAKEFLAGS.

Getting rid of the 'w' flag makes the build succeed again, so that's
what we do here (bleark, icky)...

Furthermore, the documented way to override MAKEFLAGS is to do so as a
make parameter:

    https://www.gnu.org/software/make/manual/make.html#Options_002fRecursion

    5.7.3 Communicating Options to a Sub-make
    [...]
    If you do not want to pass the other flags down, you must change the
    value of MAKEFLAGS, like this:

        subsystem:
            cd subdir && $(MAKE) MAKEFLAGS=

However, doing so does not fix the issue. So we resort to pass the
modified MAKEFLAGS via the environment (bleark, icky)...

Fixes: #13141

Reported-by: Laurent <laurent@neko-labs.eu>
Reported-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 22:09:52 +02:00
Peter Korsgaard
e71be18354 package/trousers: add upstream security fix
Fixes the following security issues:

CVE-2020-24332
If the tcsd daemon is started with root privileges,
the creation of the system.data file is prone to symlink attacks

CVE-2020-24330
If the tcsd daemon is started with root privileges,
it fails to drop the root gid after it is no longer needed

CVE-2020-24331
If the tcsd daemon is started with root privileges,
the tss user has read and write access to the /etc/tcsd.conf file

For details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/05/20/3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-28 19:53:26 +02:00
Bernd Kuhls
ab0c98cac8 package/x11r7/xlib_libX11: security bump version to 1.6.12
Fixes CVE-2020-14363:
https://lists.x.org/archives/xorg-announce/2020-August/003056.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 09:11:04 +02:00
Bernd Kuhls
b7f0ee878c package/x11r7/xserver_xorg-server: security bump version to 1.20.9
Fixes CVE-2020-14345, CVE-2020-14346, CVE-2020-14361 & CVE-2020-1436:
https://lists.x.org/archives/xorg-announce/2020-August/003058.html

Removed patch 0002, not needed anymore due to upstream commit
https://cgit.freedesktop.org/xorg/xserver/commit/configure.ac?h=server-1.20-branch&id=c601c8faf54ff9e3bcbc653421828d71042deef7

Build-tested with wayland:
checking for a useful monotonic clock ......
checking whether CLOCK_MONOTONIC is declared... yes
guessing yes

Removed patch 0007, included in upstream release.

Rebased and renumbered remaining patches.

Reformatted license hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-28 09:10:22 +02:00
Fabrice Fontaine
fd3dd9d9c5 package/shadowsocks-libev: security bump to version 3.3.4
- Fix CVE-2019-5163: An exploitable denial-of-service vulnerability
  exists in the UDPRelay functionality of Shadowsocks-libev 3.3.2. When
  utilizing a Stream Cipher and a local_address, arbitrary UDP packets
  can cause a FATAL error code path and exit. An attacker can send
  arbitrary UDP packets to trigger this vulnerability.
- Fix CVE-2019-5164: An exploitable code execution vulnerability exists
  in the ss-manager binary of Shadowsocks-libev 3.3.2. Specially crafted
  network packets sent to ss-manager can cause an arbitrary binary to
  run, resulting in code execution and privilege escalation. An attacker
  can send network packets to trigger this vulnerability.

Also update indentation in hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-27 23:29:37 +02:00