pjsip:pjsip has been deprecated by teluu:pjsip since September 2021:
<cpe-23:cpe23-item name="cpe:2.3🅰️pjsip:pjsip:2.7.1:*:*:*:*:*:*:*">
<cpe-23:deprecated-by name="cpe:2.3🅰️teluu:pjsip:2.7.1:*:*:*:*:*:*:*" type="NAME_CORRECTION"/>
<cpe-item name="cpe:/a:pjsip:pjsip:2.7.2" deprecated="true" deprecation_date="2021-09-02T14:49:19.527Z">
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c99d84fb96)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
RK3399_ROCKPRO64 has been picked from pine64/rockpro64 but here we deal
with orangepi-rk3399, so let's change the label to RK3399_ORANGEPI.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 07a0d71657)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog (since 1.1.7):
8b70f08 Add definition of new event GstAppSinkCallbacks for interpipesink element
ddaa9b5 Add conditional build according to GST_VERSION_MINOR
730dea6 Bump project version
8718b12 Add initialization for the GstAppSinkCallbacks struct
f015ff7 Remove redundant initialization of new_event callback
530da92 Update copyright year in README file
e8ce826 Add explanatory comment on the memset of GstAppSinkCallbacks struct
f0f3b8e Fix README copyright date to 2016-2022
814982e Merge branch 'hotfix/add-new-event-callback'
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0872ac72b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in
tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by
a crafted XML message and leads to a denial of service.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b23ef21029)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mod_compress has been subsumed by mod_deflate since version 1.4.56 and
dab212b5f5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 653dc2e710)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch added by commit eee96b0f0a on gcc
9.3.0 must also be applied on gcc 10 and 11 to avoid the following build
failure on numerous packages (babeltrace2, pcsc-lite, tpm2-pkcs11,
etc.):
configure:13774: checking whether pthreads work with -pthread
configure:13868: /home/giuliobenetti/autobuild/run/instance-0/output-1/host/bin/or1k-linux-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g2 -std=gnu99 -pthread -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c >&5
conftest.c:27:26: error: #error "_REENTRANT must be defined"
27 | # error "_REENTRANT must be defined"
| ^~~~~
It should be noted that external bootlins will have to be rebuilt.
Fixes:
- http://autobuild.buildroot.org/results/cb58d4fbaeb08d188c2f8bf05ef1604789fa8766
- http://autobuild.buildroot.org/results/7af9d4b68bd46ed260ed66ba2cc3c9c21482e741
- http://autobuild.buildroot.org/results/6f926bec146752873f8032b593f0de1cb222ea46
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 98e39dc80e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
rdgif.c, cderror.h: add sanity check for GIF image dimensions.
Thank to Casper Sun for cjpeg potential vulnerability report.
- Update hash of README (changes not related to license)
- Update indentation in hash file (two spaces)
https://jpegclub.org/reference/reference-sources/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5e36f80a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5.15.2 is the last public release of 5.15 and does not contain this CVE
fix. However, >=6.1.2 and >5.12.12 all contain the necessary patches so
let's port them to 5.15.2.
Technically only the first two patches are required to patch the CVE.
However, the second patch introduces a regression that is fixed in the third
patch.
The patches are taken from KDE kde/5.15 git branch.
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9151eab3c7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: also change in Config.in]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f6297befe1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is
specifically defined to use a particular SAN type, can result in bypassing
name-constrained intermediates. Node.js was accepting URI SAN types, which
PKIs are often not defined to use. Additionally, when a protocol allows URI
SANs, Node.js did not match the URI correctly.
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Node.js converts SANs (Subject Alternative Names) to a string format. It
uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate chain,
allowing the bypass of these name constraints.
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Node.js did not handle multi-value Relative Distinguished Names correctly.
Attackers could craft certificate subjects containing a single-value
Relative Distinguished Name that would be interpreted as a multi-value
Relative Distinguished Name, for example, in order to inject a Common Name
that would allow bypassing the certificate subject verification.
Prototype pollution via console.table properties (Low)(CVE-2022-21824)
Due to the formatting logic of the console.table() function it was not safe
to allow user controlled input to be passed to the properties parameter
while simultaneously passing a plain object with at least one property as
the first parameter, which could be __proto__. The prototype pollution has
very limited control, in that it only allows an empty string to be assigned
numerical keys of the object prototype.
For details, see the advisory:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9096036f00)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer
overflow in sampled_data_finish (called from sampled_data_continue and
interp).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c817641331)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in
sampled_data_sample (called from sampled_data_continue and interp).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 70910c4092)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2020-13867: Open-iSCSI targetcli-fb through 2.1.52 has weak
permissions for /etc/target (and for the backup directory and backup
files).
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 488f92a1c3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-4192: vim is vulnerable to Use After Free
Fix CVE-2021-4193: vim is vulnerable to Out-of-bounds Read
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 33a3f1f30d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The commit 2f50686401 added a patch for
util-linux, but forgot to create a symlink to util-linux-libs. This
results in inconsistent libblkid.so builds from util-linux and
util-linux-libs.
If you enable BR2_PER_PACKAGE_DIRECTORIES, you will find that different
libblkid.so is used in different
$(BASE_DIR)/per-package/$(PKG)_NAME/target.
Signed-off-by: TIAN Yuanhao <tianyuanhao3@163.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 93d23ef91f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with introspection:
/home/giuliobenetti/autobuild/run/instance-3/output-1/host/riscv32-buildroot-linux-gnu/sysroot/usr/bin/g-ir-compiler gst/rtsp-server/GstRtspServer-1.0.gir --output gst/rtsp-server/GstRtspServer-1.0.typelib --includedir=/usr/share/gir-1.0
Could not find GIR file 'Gst-1.0.gir'; check XDG_DATA_DIRS or use --includedir
error parsing file gst/rtsp-server/GstRtspServer-1.0.gir: Failed to parse included gir Gst-1.0
If the above error message is about missing .so libraries, then setting up GIR_EXTRA_LIBS_PATH in the .mk file should help.
Typically like this: PKG_MAKE_ENV += GIR_EXTRA_LIBS_PATH="$(@D)/.libs"
Fixes:
- http://autobuild.buildroot.org/results/04af6b22cfa0cffb6a3109a3b32b27137ad2e0b0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fa3e7a63b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit db14f7d715)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Drop third patch (already in version)
- Fix build failure with autoconf >= 2.70 raised since commit
ecd54b65c1
Fixes:
- http://autobuild.buildroot.org/results/4f52b2f194dcfd619fefb192d1c0fd070d5bd408
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2ad6a3a428)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
He has privately requested to no longer be notified regarding this
package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f51be73f25)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit f81242ae4f forgot to drop C++
comment
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fb9a65d98b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 4dff1be05e (package/libvirt: libvirtd needs C++ for nmap-ncat)
introduce a recursive dependency (really: a circular dependency):
package/busybox/Config.in:33:error: recursive dependency detected!
package/busybox/Config.in:33: symbol BR2_PACKAGE_BUSYBOX_SHOW_OTHERS is selected by BR2_PACKAGE_EBTABLES_UTILS_SAVE
package/ebtables/Config.in:11: symbol BR2_PACKAGE_EBTABLES_UTILS_SAVE depends on BR2_PACKAGE_EBTABLES
package/ebtables/Config.in:1: symbol BR2_PACKAGE_EBTABLES is selected by BR2_PACKAGE_LIBVIRT_DAEMON
package/libvirt/Config.in:44: symbol BR2_PACKAGE_LIBVIRT_DAEMON depends on BR2_PACKAGE_NETCAT_OPENBSD
package/netcat-openbsd/Config.in:1: symbol BR2_PACKAGE_NETCAT_OPENBSD depends on BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
As usual with this kind of circular depednency, it is not trivial to see
what the real cuplrit is, or where to cut the circle.
A simple solution in this case is to drop the C++ dependency, and switch
the netcat-openbsd and nmap-ncat dependencies conditions.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f81242ae4f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure raised since commit
fbf25acfbf:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_NMAP
Depends on [n]: BR2_INSTALL_LIBSTDCPP [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y]
Selected by [y]:
- BR2_PACKAGE_LIBVIRT_DAEMON [=y] && BR2_PACKAGE_LIBVIRT [=y] && !BR2_PACKAGE_NETCAT_OPENBSD [=n]
Fixes:
- No autobuilder failures (yet)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: C++ only needed without NETCAT_OPENBSD]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4dff1be05e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sasl depends on libsasl2 (https://github.com/cyrusimap/cyrus-sasl) which
is not packaged yet in buildroot and will result in the following build
failure raised since commit fbf25acfbf:
output/build/libvirt-7.7.0/meson.build:1212:2: ERROR: Dependency "libsasl2" not found, tried pkgconfig
Fixes:
- No autobuilder failures (yet)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ba2016dc04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
support/scripts/pkg-stats:1171:8: E713 test for membership should be 'not in'
support/scripts/pkg-stats:1175:8: E713 test for membership should be 'not in'
support/scripts/pkg-stats:1179:8: E713 test for membership should be 'not in'
3 E713 test for membership should be 'not in'
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/1955772278
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 02e679d8bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When debugging pkg-stats, it's quite useful to be able to disable some
features that are quite long (checking upstream URL, checking latest
version, checking CVE). This commit adds a --disable option, which can
take a comma-separated list of features to disable, such as:
./support/scripts/pkg-stats --disable url,upstream
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b102352b62)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The .affects() method of the CVE class in support/scripts/cve.py can
return 3 values: CVE_AFFECTS, CVE_DOESNT_AFFECT and CVE_UNKNOWN.
We of course properly account for CVEs where .affects() return
CVE_AFFECTS, but the ones for which CVE_UNKNOWN is returned are
currently ignored, and therefore treated as if they did not affect the
package.
However CVE_UNKNOWN in fact indicates that the v_start/v_end fields of
the CPE entry could not be parsed by
distutils.version.LooseVersion(). Instead of ignoring such cases, this
commit adds support for the concept of "unsure CVEs", which will be
listed next to CVEs known to affect the package, so that we are aware
of them and can investigate the version issue.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a206bbc5fe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
s/interperter/interpreter/ and drop 'use use' / 'depend on use'.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 65054d1a19)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add "Linux" before kernel in comment to be consistent with other
packages and manual
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 956cd5b9b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add "Linux" before kernel in comment to be consistent with other
packages and manual
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e0de6291e3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add "Linux" before kernel in comment to be consistent with other
packages and manual
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0730b8b822)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop duplicated sentence from Config.in
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 59bbe7cc74)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
riscv64gc was made available for BR2_riscv, but RISC-V can be 32-bit
or 64-bit, so we need to restrict it to BR2_RISCV_64. There's no need
to keep the BR2_riscv dependency, as BR2_RISCV_64 can only be true
when BR2_riscv is true.
Also, BR2_PACKAGE_HOST_RUSTC_ARCH needs to be set to riscv64gc to
allow rust-bin to download its pre-compiled standard library
correctly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 79c5639597)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BR2_PACKAGE_HOST_RUSTC_ARCH only had a special value for
BR2_ARM_CPU_ARMV7A, but it also needs a special value for
BR2_ARM_CPU_ARMV5, as the pre-compiled Rust standard library for
ARMv5TE is identified with the "armv5te" architecture name, see
https://doc.rust-lang.org/nightly/rustc/platform-support.html.
We noticed this because Rust binaries wouldn't work on an ARMv5
platform (Illegal instruction). This was due to the usage of the
arm-unknown-linux-gnueabi variant of the Rust standard library, which
is for ARMv6. Thanks to this commit, we correctly use the
armv5te-unknown-linux-gnueabi variant, and Rust binaries work properly
on ARMv5TE.
A better approach would be to do the conversion from architecture
options to Rust tuples in a single string symbol that also defines the
supported architectures, similar to how it's done in e.g. openblas.
However, that's a much bigger change. So for now, just do the easy thing
and fix this one issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1ed4147e76)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
