Fixes:
CVE-2016-0766 - privilege escalation issue for users of PL/Java.
CVE-2016-0773 - issue with regular expression (regex) parsing. Prior
code allowed users to pass in expressions which included out-of-range
Unicode characters, triggering a backend crash. This issue is critical
for PostgreSQL systems with untrusted users or which generate regexes
based on user input.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2016-1521 - An exploitable out-of-bounds read vulnerability exists
in the opcode handling functionality of Libgraphite. A specially crafted
font can cause an out-of-bounds read resulting in arbitrary code
execution. An attacker can provide a malicious font to trigger this
vulnerability.
CVE-2016-1522 - An exploitable NULL pointer dereference exists in the
bidirectional font handling functionality of Libgraphite. A specially
crafted font can cause a NULL pointer dereference resulting in a crash.
An attacker can provide a malicious font to trigger this vulnerability.
CVE-2016-1523 - An exploitable heap-based buffer overflow exists in the
context item handling functionality of Libgraphite. A specially crafted
font can cause a buffer overflow resulting in potential code execution.
An attacker can provide a malicious font to trigger this vulnerability.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* --with-dbuspolicydir, --with-dbussessionservicedir, and
--with-dbussystemservicedir are no longer needed since these are
defaults in recent releases.
* --disable-dbus has no effect when combined with --disable-tests. The
option itself only applies to tests, not the runtime.
Signed-off-by: Gabe Evans <gabe@hashrabbit.co>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Various DBus activated services fail to start with errors similar to:
Unit dbus-org.freedesktop.hostname1.service failed to load: File exists.
The message itself is rather vague and can be seen as a warning in
systemd-networkd logs. Meanwhile, tools like hostnamectl don't work
at all.
The post-install target hook SYSTEMD_SANITIZE_PATH_IN_UNITS was replacing
symlinks with duplicate files. The find command could have used -type f
to avoid this but I instead chose to remove the hook since this fix doesn't
seem to be needed anymore.
Signed-off-by: Gabe Evans <gabe@hashrabbit.co>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add the findfs utility option for util-linux package.
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
Cc: Zheng Yi <yzheng@techyauld.com>
[Thomas: respect alphabetic ordering.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The e2fsprogs package's findfs option provides no capabilities. When the
option is selected, a symbolic link is generated from findfs to e2label;
however, e2label will not handle findfs since the respective code is
explicitly disabled when `--disable-libblkid` is passed in. At this
time, the e2fsprogs package only supports findfs capabilities when
building its "private blkid library".
Note that the `--disable-libblkid` configuration argument must remain
to prevent conflicts with util-linux's libblkid and an e2fsprogs-
generated variant (see e1ffc2f791).
Since e2fsprogs cannot provide findfs capabilities, the option is being
removed in this change. A following change will be introduced to include
util-linux's findfs utility.
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
Cc: Zheng Yi <yzheng@techyauld.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
CLOCK_MONOTONIC_RAW is a fairly recent addition, which may not be
available in old C libraries/kernels. This commit adds a libraw1394
patch that makes the use of CLOCK_MONOTONIC_RAW optional. The patch
has been submitted upstream.
Fixes:
http://autobuild.buildroot.net/results/198149e80be3e62eaf9f4731442031a1aa93409c/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This Byte order mark is not recognized by gcc < 4.4, which is the case
on Blackfin where gcc 4.3.x is used. Since this BOM is not useful
anyway, we simply remove it. The patch has been submitted upstream.
Fixes:
http://autobuild.buildroot.net/results/143c4c2a1d8527c97362ce11507e8b5a79dd0d6b/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Otherwise, it fails to autoreconf with a weird error message:
configure.ac:15: error: possibly undefined macro: AC_SUBST
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:40: error: possibly undefined macro: AC_MSG_WARN
Indeed, the configure.ac uses PKG_CHECK_MODULES(), so we need to have
the corresponding m4 file installed by host-pkgconf.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
It's used for some small functions like md5 support, non-essential since
samba has an internal fallback for those, but still add it for
predictability.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The boost build system does not recognize the fact that fenv.h is an
optional module in uClibc and tries to use it even if UCLIBC_HAS_FENV
is disabled. This patch disables fenv support completely when compiling
with a uClibc-based toolchain.
Fixes
http://autobuild.buildroot.net/results/160/160e1b98b204148ecf128144826554b6c523931b/
and many others
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Unless the tests are built with TEST_INSTALLED_UCLIBC their rpath will
point to the build directory rather than runtime directory, resulting in
non-executable tests for the target.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
It was the only one with a trailing slash, it's only for coherence's
sake.
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-1567: Impersonation between authenticated peers.
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Kernels older than 3.9 (not counting stable releases) used the
timeconst.pl perl script for their build process.
The problem with this script is that it used deprecated perl features,
namely defined(@array) which was removed for the perl 5.22 release,
causing build failure of older kernels on newer distributions.
To fix this instead of going the hard way (moving to the new
timeconst.bc script) use the easy way by patching timeconst.pl with an
upstream patch used for stable releases.
First try a dry-run on the patch to see if it applies, if it does then
call a proper APPLY_PATCHES to it.
Tested against an arbitrary 2.6.30 kernel (applies and builds), against
4.4.1 for a missing timeconst.pl (does not apply since it's missing) and
3.8.13 (does not apply since it's fixed already).
Known broken distributions: fedora 23, debian testing (stretch) and unstable
(sid).
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/aee/aee4a895c74647292715705bfcdf742f3ea2f76f/
Since the bump to 1.0.3, xapp_xf86dga no longer uses libXt, libXaw and
libXmu. So these dependencies should be removed from the .mk file.
They were already removed from Config.in, leading to messages like:
Makefile:475: *** xlib_libXaw is in the dependency chain of xapp_xf86dga
that has added it to its _DEPENDENCIES variable without selecting it or
depending on it from Config.in. Stop.
[Peter: add autobuilder reference as suggested by Ricardo]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Tested-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
/etc/profile only sources files that matches the /etc/profile.d/*.sh
pattern, so /etc/profile.d/umask was never sourced.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit updates the graph-depends documentation to take into
account the new 'host' keyword that can be passed to the --stop-on and
--exclude options.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Just like the --stop-on and --exclude options allow to stop on or
exclude virtual packages from the list by passing the "virtual" magic
value, this commit extends the graph-depends logic to support a "host"
magic value for --stop-on and --exclude. This will allow to draw the
graph by stopping on host packages, or by excluding host packages.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[Thomas: minor code beautification suggested by Yann E. Morin.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The condition to determine if a virtual package should be excluded
from the list due to "virtual" being passed in --exclude is under a
loop iterating over each entry of the exclude_list, but it doesn't use
the iterator of this list.
Indeed, the condition contains:
"virtual" in exclude_list
which checks automatically if "virtual" was passed in the list. Due to
this, there is no need for this check to be within the "for p in
exclude_list" iteration. This commit fixes that by moving the check
outside of the loop.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fix bug in certificate validation that caused valid chains to be
rejected when the first intermediate certificate has
pathLenConstraint=0.
Removed potential leak in rsa_rsassa_pkcs1_v15_sign().
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* Changing back wget to curl cause wget it's not available
on mac os x.
* Braking up too long windows one liner.
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
As a followup to http://patchwork.ozlabs.org/patch/548550/ fully convert
the versatile defconfig to create the dtb and update the instructions.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This config has no prospect of going into the future (by using DTS), and
qemu doesn't do a good job at emulating it (networking problems), so
drop it.
All of the ARM SMP testing duties are now in the vexpress defconfig
which is better suited/supported.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We can use the vexpress arm defconfig to test SMP features in Qemu.
So document the necessary invocation changes to account for this, in
preparation of the arm nuri defconfig removal.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Remove the choice of nodejs version. Now automatically pick nodejs 0.10.x
for armv5 architectures only and the latest nodejs for all other
supported architectures.
Note that the removal of BR2_PACKAGE_NODEJS_5_X is not handled in
Config.in.legacy because buildroot has never been released with this
option included.
Signed-off-by: Martin Bark <martin@barkynet.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Patches from 5.3.0 have been copied over with the following exceptions:
- Removed 0005-Fix-crash-in-GetInterfaceAddresses.patch as this has
been applied upstream
- Renamed 0006-Fix-support-for-uClibc-ng.patch to
0005-Fix-support-for-uClibc-ng.patch
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Make it depend explicitly on BR2_PACKAGE_LIBGTK3_X11 (the X11 backend
option) to avoid the checker from complaining.
Also add a comment about yad requiring the X11 backend otherwise it's
ambiguous if a user has libgtk3 enabled with broadway/wayland and the
comment shows up. Fixes:
http://autobuild.buildroot.net/results/84d/84d97bbcc0ea4f8eaa50dd25bf9ee8fdee4b937f/
Also cleanup some tiny whitespace in the package mk file.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add a make target that will checks the dependencies of all packages.
This will currently only detect circular dependencies, but more tests
can be added later if need be.
This can then be used in the autobuilders to automatically report
dependency issues.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add an option to graph-depends to only do the dependency checks and not
generate the dot program.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Currently, if there is a circular dependency in the packages, the
graph-depends script just errors out with a Python RuntimeError which is
not caught, resulting in a very-long backtrace which does not provide
any hint as what the real issue is (even if "RuntimeError: maximum
recursion depth exceeded" is a pretty good hint at it).
We fix that by recursing the dependency chain of each package, until we
either end up with a package with no dependency, or with a package
already seen along the current dependency chain.
We need to introduce a new function, check_circular_deps(), because we
can't re-use the existing ones:
- remove_mandatory_deps() does not iterate,
- remove_transitive_deps() does iterate, but we do not call it for the
top-level package if it is not 'all'
- it does not make sense to use those functions anyway, as they were
not designed to _check_ but to _act_ on the dependency chain.
Since we've had time-related issues in the past, we do not want to
introduce yet another time-hog, so here are timings with the circular
dependency check:
$ time python -m cProfile -s cumtime support/scripts/graph-depends
[...]
28352654 function calls (20323050 primitive calls) in 87.292 seconds
Ordered by: cumulative time
ncalls tottime percall cumtime percall filename:lineno(function)
1 0.012 0.012 87.292 87.292 graph-depends:24(<module>)
21 0.000 0.000 73.685 3.509 subprocess.py:473(_eintr_retry_call)
7 0.000 0.000 73.655 10.522 subprocess.py:768(communicate)
7 73.653 10.522 73.653 10.522 {method 'read' of 'file' objects}
5/1 0.027 0.005 43.488 43.488 graph-depends:164(get_all_depends)
5 0.003 0.001 43.458 8.692 graph-depends:135(get_depends)
1 0.001 0.001 25.712 25.712 graph-depends:98(get_version)
1 0.001 0.001 13.457 13.457 graph-depends:337(remove_extra_deps)
1717 1.672 0.001 13.050 0.008 graph-depends:290(remove_transitive_deps)
9784086/2672326 5.079 0.000 11.363 0.000 graph-depends:274(is_dep)
2883343/1980154 2.650 0.000 6.942 0.000 graph-depends:262(is_dep_uncached)
1 0.000 0.000 4.529 4.529 graph-depends:121(get_targets)
2883343 1.123 0.000 1.851 0.000 graph-depends:246(is_dep_cache_insert)
9784086 1.783 0.000 1.783 0.000 graph-depends:255(is_dep_cache_lookup)
2881580 0.728 0.000 0.728 0.000 {method 'update' of 'dict' objects}
1 0.001 0.001 0.405 0.405 graph-depends:311(check_circular_deps)
12264/1717 0.290 0.000 0.404 0.000 graph-depends:312(recurse)
[...]
real 1m27.371s
user 1m15.075s
sys 0m12.673s
The cumulative time spent in check_circular_deps is just below 0.5s,
which is largely less than 1% of the total run time.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Currently, we generate the dependency graph in a single command, piping
the stdout of support/scripts/.graph-depends to the stdin of dot.
Unfortunately, this means we can't catch a failure of graph-depends, as
the shell can only treturn the exit code of the last command in a pipe.
Still, we do want to keep the output of graph-depends, and we in fact do
keep it by mean of a tee.
graph-depends has just gained the ability to generate its output to a
file, so we break the pipe in two differnet commands, so we can bail out
on graph-depends errors.
Do that for the two call sites.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Currently, graph-depends outputs the dotfile program to stdout, and uses
stderr to trace the dependencies it is currently looking for.
Redirection was done because the output was directly piped into the dot
program to generate the final PDF/SVG/... dependency graph, but that
meant that an error in the graph-depends script was never caught
(because shell pipes only return the final command exit status, and an
empty dot program is perfectly valid so dot would not complain).
Add an option to tell graph-depends where to store the generated dot
program, and keep stdout as the default if not specified.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Samuel Martin <s.martin49@gmail.com>
[Thomas: rename metavar from DOT_FILE to OUT_FILE for consistency with
the rest of the new option naming.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We currently have two circular dependency chains:
avahi -> libglade -> libgtk2 -> cups -> avahi
avahi -> libgtk3 -> cups -> avahi
The cups -> avahi dependency makes sense, as cups would be able to use
Bonjour and mDNS to find printers, so we want to keep that dependency.
The libgtk2 -> cups and libgtk3 -> cups dependencies also make sense, to
be able to offer cups in the print dialogs.
However, the avahi -> libglade and avahi -> libgtk3 dependencies do not
really make sense. As Thomas puts it:
The avahi GUI programs seem really useless to me. On Debian/Ubuntu
distributions, they are not even packaged within the main avahi
packages, but as separate packages, probably indicating that they
are not very commonly used.
So, we drop the avahi -> libglade and avahi -> libgtk3 dependencies, to
break the circular dependency chain.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas: add comment in the .mk file.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
