Fixes the following security issue:
- CVE-2024-43167: A NULL pointer dereference flaw was found in the
ub_ctx_set_fwd function in Unbound. This issue could allow an attacker
who can invoke specific sequences of API calls to cause a segmentation
fault
See announcement:
https://nlnetlabs.nl/news/2024/Aug/15/unbound-1.21.0-released/
See also change log:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-21-0
This commit also updates the _SITE url from [1] to [2], to follow the
HTTP redirect, and the url published on the download page [3].
Finally, this commit adds a comment in the hash file that the PGP
signature was checked.
[1] https://www.unbound.net/downloads
[2] https://nlnetlabs.nl/downloads/unbound
[3] https://nlnetlabs.nl/projects/unbound/download
Signed-off-by: Julien Olivain <ju.o@free.fr>
[Peter: Mark as security bump, add CVE info]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ed34c4c77b8b2a830c7a9ffb1d75c7bf1e35a7c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I lack the time (and interest) to properly keep these entries up to
date, so drop them from my section.
Signed-off-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6fdbab87a2b9d00743ed9fe6caa6db365d7ca326)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As explained in:
https://security-tracker.debian.org/tracker/CVE-2024-1048https://www.openwall.com/lists/oss-security/2024/02/06/3
CVE-2024-1048 is related to a tool called grub-set-bootflag which only
exists in the Redhat fork of Grub, and which we don't use in
Buildroot, so this CVE should be ignored.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2495630383c4a6659b6b91a58e4f71cdda283f2f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update the site path to reflect the recent organizational changes on the
chronox.de website.
Fixes:
- http://autobuild.buildroot.org/results/77243633783ac2d037d15d7e9c01384781fe700e
Signed-off-by: Tan En De <ende.tan@starfivetech.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d4d8881731ed745aff676b860a05abdff9ff1a0c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The following build failure on xtensa:
Waf: Entering directory `/home/buildroot/instance-0/output-1/build/ntpsec-1.2.3/build/host'
[1/2] Processing ntpd/ntp_parser.y
[2/2] Compiling build/host/ntpd/ntp_parser.tab.c
gcc: error: unrecognized command-line option '-mlongcalls'
gcc: error: unrecognized command-line option '-mauto-litpools'
reveals that the target's CFLAGS are being used for host compilation.
The patch fixes the host compilation by correctly setting the CFLAGS to
be used.
It should be noted that the build script used by ntpsec applies CFLAGS
for host compilation and --cross-cflags for target compilation.
Fixes:
- http://autobuild.buildroot.org/results/9321a637f2c340ce8dcb24249676bb6c44d0dfc6
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 064e4c09fa788ccf0927fcaf3987e0f0fdc08eb7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old URL gives 403 forbidden.
Use a working sourceforge URL.
Fixes:
http://autobuild.buildroot.org/results/c0c3945cade7a6d7a615ac23523c93b02dbb056f
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 77512bba98e09c7231a2629652e464dbf882fd23)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable RNG support so that following build failure does not happen:
In file included from ../../../../src/libstrongswan/plugins/plugin.h:28,
from wolfssl_plugin.h:34,
from wolfssl_plugin.c:29:
wolfssl_plugin.c: In function 'get_features':
../../../../src/libstrongswan/plugins/plugin_feature.h:321:119: error: 'FEATURE_WC_RNG' undeclared (first use in this function); did you mean 'FEATURE_RNG'?
321 | #define __PLUGIN_FEATURE_REGISTER(type, _f) (plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg.f = _f }
| ^~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:332:73: note: in expansion of macro '__PLUGIN_FEATURE_REGISTER'
332 | #define _PLUGIN_FEATURE_REGISTER_RNG(type, f) __PLUGIN_FEATURE_REGISTER(type, f)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:248:39: note: in expansion of macro '_PLUGIN_FEATURE_REGISTER_RNG'
248 | #define PLUGIN_REGISTER(type, f, ...) _PLUGIN_FEATURE_REGISTER_##type(type, f, ##__VA_ARGS__)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
wolfssl_plugin.c:510:17: note: in expansion of macro 'PLUGIN_REGISTER'
510 | PLUGIN_REGISTER(RNG, wolfssl_rng_create),
| ^~~~~~~~~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:321:119: note: each undeclared identifier is reported only once for each function it appears in
321 | #define __PLUGIN_FEATURE_REGISTER(type, _f) (plugin_feature_t){ FEATURE_REGISTER, FEATURE_##type, .arg.reg.f = _f }
| ^~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:332:73: note: in expansion of macro '__PLUGIN_FEATURE_REGISTER'
332 | #define _PLUGIN_FEATURE_REGISTER_RNG(type, f) __PLUGIN_FEATURE_REGISTER(type, f)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
../../../../src/libstrongswan/plugins/plugin_feature.h:248:39: note: in expansion of macro '_PLUGIN_FEATURE_REGISTER_RNG'
248 | #define PLUGIN_REGISTER(type, f, ...) _PLUGIN_FEATURE_REGISTER_##type(type, f, ##__VA_ARGS__)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
wolfssl_plugin.c:510:17: note: in expansion of macro 'PLUGIN_REGISTER'
510 | PLUGIN_REGISTER(RNG, wolfssl_rng_create),
| ^~~~~~~~~~~~~~~
make[6]: *** [Makefile:659: wolfssl_plugin.lo] Error 1
Reported Upstream:
https://github.com/strongswan/strongswan/issues/2410
This build failure started since 5.9.11 update in commit
78959665b9.
Fixes:
http://autobuild.buildroot.net/results/278b3f74c48c858ae368d59069752adb69c05246
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 89d512729cfa5b2ef5c5165492789ba4441add19)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for complete changelogs:
https://botan.randombit.net/news.html#version-3-5-0-2024-07-08https://botan.randombit.net/news.html#version-3-4-0-2024-04-08
CVE-2024-34702: Fix a DoS caused by excessive name constraints. (GH
CVE-2024-39312: Fix a name constraint processing error, where if
permitted and excluded rules both applied to a certificate, only the
permitted rules would be checked.
The License hash changed because the year was updated from 2023 to 2024.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3ba9ac62052c99d7557adf2bbad1bab0c5577a81)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for a ChangeLog:
https://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-20-current.md
20.8.1 contains a fix for CVE-2024-35190. However, the vulnerability
was introduced in commit 68a49128253f677f9e1b235c70d2316342372f7d
between 20.7.0 and 20.8.0, and Buildroot was using 20.7.0, so we were
not affected by this vulnerability.
Patch 0005 is applied upstream.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 622957a2adb224b8a666472c3a58bc1ade8a2040)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 8f88a644ed "support/scripts/apply-patches.sh: set the maximum
fuzz factor to 0" reduced the fuzz factor.
Due to this change, asterisk fails to build with output:
Applying 0004-install-samples-need-the-data-files.patch using patch:
patching file Makefile
Hunk #1 FAILED at 779.
1 out of 1 hunk FAILED -- saving rejects to file Makefile.rej
This commit rebase the package patches on the current package version.
Note: the patch 0005 is unchanged, as it is correct in its current
state.
Fixes:
- http://autobuild.buildroot.org/results/92d/92d58ecb67f11a6eb74695bc1efcc672f69a57a9
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a6fabd961058a77622a725e7d58ac3ffb05ce5b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following uclibc-ng build failure raised since bump to version
20.7.0 in commit 0e6d4d2171 and
2694792e13:
stasis/control.c: In function 'exec_command_on_condition':
stasis/control.c:313:3: warning: implicit declaration of function 'pthread_kill'; did you mean 'pthread_yield'? [-Wimplicit-function-declaration]
313 | pthread_kill(control->control_thread, SIGURG);
| ^~~~~~~~~~~~
| pthread_yield
stasis/control.c:313:41: error: 'SIGURG' undeclared (first use in this function)
313 | pthread_kill(control->control_thread, SIGURG);
| ^~~~~~
Fixes: 0e6d4d2171
- http://autobuild.buildroot.org/results/d16e4ca4bd26234f84d17da24c04a8c19faba6c5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ebd44d7c5b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix a compile issue when libyuv and libjpeg is enabled.
Detection of following function fails:
checking for pjsip_dlg_create_uas_and_inc_lock in -lpjsip... no
In config.log you see that libjpeg is missing.
Fixes:
http://autobuild.buildroot.net/results/7bed9fc68fc9331ad12942c3eab9742ee8a7a4c4
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 07b7d8708d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for changes:
https://downloads.asterisk.org/pub/telephony/asterisk/ChangeLog-20-current.md
There is still an open issue reported upstream:
https://github.com/asterisk/asterisk/issues/671
But it seems it is not reproducible by the asterisk developers, so
update the package so others can make use of it.
Use the external pjsip package, instead of the bundled one.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 0e6d4d2171)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Botan commit 313e439c786d68bcf374b2cb0edfe3ffd891db94 added a
dependency to pthread.h. Add a dependency to thread support.
Fixes:
- http://autobuild.buildroot.org/results/205/205d7505803990508bbd545393902789063ababd
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ad6e6f5d598a9311fc9141e4b9b08820562d1792)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tweaking this variable should allow us to get better coverage of
packages with larger dependency trees.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ea6bb507b1d3841be052525936121f7e88c43fbd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 2f260084d577 (utils/genrandconfig: remove support for toolchain
CSV) kept the --no-toolchains-csv option, but in the rework forgot to
keep it as a bool, while argparse default is to expect a string.
Rather than re-introduce the action="store_true" which implies the
argument is a bool, explicit make it a bool.
Fixes: 2f260084d5771728f3340ff6a86a23391133a635
Reported-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4dbb87bb6676b82f34981f6adedccfa03a9667cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Right now, genrandconfig just spits out the random messages from the
different make invocations, which isn't terribly useful. Instead,
let's redirect the output of make invocations to oblivion, and add
some more high level logging.
As part of this logging, we're interested to see how many iterations
were needed to find a valid configuration, so changed the loop logic
to count from 0 to 100 instead of from 100 to 0 so that we can easily
show the iteration number.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ce3dedc26b9080399c44d86e14aa1704f7bf563a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In order to test that upstream sites are still working, we need to NOT
fallback to sources.buildroot.net for some builds.
As there is anyway a local cache in the autobuilder instances, we need
to do quite a lot of builds without any BR2_BACKUP_SITE configured to
have a chance to catch issues, which is why a 50% chance is used to
unset BR2_BACKUP_SITE.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit da5c25c9f91b17a3c00ff0b35164881f2d1aa425)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Before calling randpackageconfig/randconfig, we were pre-generating a
snippet of .config with:
(1) minimal.config
(2) BR2_CURL/BR2_WGET settings
(3) some random selection of init system, debug, runtime debug, etc
(4) enabling BR2_REPRODUCIBLE=y when diffoscope was found
Now that we only use randconfig, this whole fine-tuning is completely
irrelevant, as it gets overridden by "make randconfig".
(1) and (3) above are useless, as randconfig does all the
randomization that is needed.
However, we want to preserve (2) and (4) above, so we re-implement
those fixups, but *after* randconfig has done its job.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3d33d394c2c9659f8c487929bf45f7daf673e521)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that the support for generating a fully random configuration has
been well-tested, the whole mechanism based on a toolchain CSV isn't
really useful anymore, so let's drop it to simplify the logic.
Note that the autobuilder code still uses --{,no-}toolchains-csv, so we
can't remove those or the autobuilders would fail. Once all supported
branches no longer use those argumetns, we can drop them from the
autobuilder code, then ask people to update their runners, and we will
finally be able to drop those arguments. Eventually.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: keep --{,no-}toolchains-csv and explain why]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2f260084d5771728f3340ff6a86a23391133a635)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We have accumulated a whole bunch of very old fixups to avoid issues
with super old CT-NG toolchains, which we are not testing anymore, so
remove those fixups.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9e3388256811c943d8312db289959b74cae9536e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The LICENSE file gets installed directly to the root of $(TARGET_DIR),
which clashes with other packages:
FileExistsError: File already exists: /home/autobuild/autobuild/instance-3/output-1/target/LICENSE
This commit fixes this issue for the python-unittest-xml-reporting
package. Other fixes will be needed for the other patches.
The issue in python-unittest-xml-reporting was introduced in upstream
commit c43427611390fba83ca13fbb5311bd8fece5048f, which first appeared
in v3.1.0. We switched from a pre-3.1.0 version to 3.2.0 in Buildroot
in commit 69ba1562d5, which was merged
in 2023.02.
Fixes:
http://autobuild.buildroot.net/results/2c91243b440087bbc7d051d65f553f59d05dd207/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 182d3556a6838c01b0d1f4e6a36da84260605298)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The python-huepy has an incorrect data_files statement in its
setup.py, causing the LICENSE file to be installed directly as
$(TARGET_DIR)/LICENSE. This was detected because several packages were
doing this, and the second package doing
it (python-unittest-xml-reporting, fixed separately) was erroring out
when trying to overwrite this already existing file.
This commit fixes the case of python-huepy by adding a patch that has
been submitted upstream.
There are no autobuilder failures related to python-huepy, but this
was detected while fixing
http://autobuild.buildroot.net/results/2c91243b440087bbc7d051d65f553f59d05dd207/
for python-unittest-xml-reporting.
This bug has been in huepy since at least 2018, so this patch can be
backported to previous Buildroot versions.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4e78b2c8b1109d8a456e426ccf03a02df5f2ee2c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
lib/print.c in gnu-efi contains some floating point computation. On
ARM soft-float configurations, these floating point operations
generate calls to __eabi_*() functions that are provided by
gcc. However, gnu-efi builds some freestanding code, so it doesn't
link with libgcc, and therefore the build fails with:
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1431:(.text+0x78c): undefined reference to `__aeabi_i2d'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1431:(.text+0x7a0): undefined reference to `__aeabi_dsub'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1431:(.text+0x7a4): undefined reference to `__aeabi_d2f'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1432:(.text+0x7b4): undefined reference to `__aeabi_fcmplt'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1438:(.text+0x7c8): undefined reference to `__aeabi_fmul'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1440:(.text+0x7d4): undefined reference to `__aeabi_fcmpeq'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1444:(.text+0x7f8): undefined reference to `__aeabi_fmul'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1440:(.text+0x808): undefined reference to `__aeabi_fcmpeq'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1440:(.text+0x818): undefined reference to `__aeabi_f2iz'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1451:(.text+0x834): undefined reference to `__aeabi_i2f'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1451:(.text+0x840): undefined reference to `__aeabi_fcmpeq'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1453:(.text+0x858): undefined reference to `__aeabi_fmul'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1451:(.text+0x860): undefined reference to `__aeabi_f2iz'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1451:(.text+0x868): undefined reference to `__aeabi_i2f'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1451:(.text+0x870): undefined reference to `__aeabi_fcmpeq'
arm-buildroot-linux-gnueabi-ld: /output-1/build/gnu-efi-3.0.18//lib/print.c:1451:(.text+0x89c): undefined reference to `__aeabi_f2iz'
Since we don't care about gnu-efi support on ARM soft-float
configurations, let's disable such configurations.
Note that we have chosen to use BR2_ARM_SOFT_FLOAT as we're for now
making this specific to ARM as we're not sure what is the situation on
other CPU architectures (for example RISC-V without FPU maybe). This
can be revisited once we get more data on the behavior on other CPU
architectures that can support soft-float.
Fixes:
http://autobuild.buildroot.net/results/98d955fd2fcf4a3db1ab46e4f553447031a23b92/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b62f2f7f12a381c2e8d4aeb9562b6dfc87728589)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the bump of gnu-efi to version 3.0.17 in Buildroot commit
fa9893ad8f, the build of gnu-efi fails
on ARM big endian and AArch64 big endian.
Indeed, since that bump, gnu-efi builds some "apps", using a special
linker file part of gnu-efi that explicitly sets the architecture:
OUTPUT_FORMAT("elf32-littlearm", "elf32-littlearm", "elf32-littlearm")
OUTPUT_FORMAT("elf64-littleaarch64", "elf64-littleaarch64", "elf64-littleaarch64")
Due to this, big endian builds are now failing:
armeb-buildroot-linux-gnueabi-ld: ../gnuefi/crt0-efi-arm.o: compiled for a big endian system and target is little endian
armeb-buildroot-linux-gnueabi-ld: failed to merge target specific data of file ../gnuefi/crt0-efi-arm.o
Since we are not really interested in supporting gnu-efi on ARM big
endian and AArch64 big endian and it is not supported upstream, let's
disabled on those architectures.
Fixes:
http://autobuild.buildroot.org/results/4d385d6759346e19664d0bded1e419f004f82b47/ (ARM big endian)
http://autobuild.buildroot.net/results/b6df43408ca4cd469962c96d49d9ac7935b6dbe9/ (AArch64 big endian)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 308d2c992714520844b2dd96a4d79d688afcd28a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Import a patch that has been accepted upstream and fixes build failures
caused by a missing explicit cast to EGLNativeWindowType.
Fixes: http://autobuild.buildroot.net/results/92c5cc3134e92c263a0cbb4c05ef8956569e434b/
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0904d3a2ee4132b2611a86d14da60285080d1adb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changes with nginx 1.26.2 14 Aug 2024
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8f31fea6d038c3390ab480e4c27837b8c720597b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Compilation with -Os triggers this assembler problem.
The problematic C code contains a long switch statement, so
everything looks like GCC Bug 104028 is triggered.
Fixes:
- http://autobuild.buildroot.net/results/db5/db58215fb3c7f30b6c0f0764a84271010346edfb
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6362dd1d1416949cfccb2469f4da4c52b4ac8491)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Without the unbound user the daemon does not start on bootup.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67e6d0a3f1a0893183885b947f4472ef4c04bfc4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- gh-115398: Allow controlling Expat >=2.6.0 reparse deferral
(CVE-2023-52425) by adding five new methods:
xml.etree.ElementTree.XMLParser.flush()
xml.etree.ElementTree.XMLPullParser.flush()
xml.parsers.expat.xmlparser.GetReparseDeferralEnabled()
xml.parsers.expat.xmlparser.SetReparseDeferralEnabled()
xml.sax.expatreader.ExpatParser.flush()
- gh-115243: Fix possible crashes in collections.deque.index() when the
deque is concurrently modified.
- gh-114572: ssl.SSLContext.cert_store_stats() and
ssl.SSLContext.get_ca_certs() now correctly lock access to the certificate
store, when the ssl.SSLContext is shared across multiple threads.
For more details, see the changelog:
https://docs.python.org/release/3.11.9/whatsnew/changelog.html#python-3-11-9
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports an upstream patch to fix CVE-2024-39936.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports two upstream patches needed to fix
CVE-2023-34410. According to the CVE details, both patches are needed
for the fix.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports upstream patches that are needed to fix
CVE-2023-37369. The second one is the actual CVE fix, the first one is
needed to only backporting the second patch in a reasonable way.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports upstream patches that are needed to fix
CVE-2023-51714. The second one is the actual CVE fix, the first one is
needed to only backporting the second patch in a reasonable way.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports an upstream patch to fix CVE-2023-38197, which
requires 3 other patches to be backported in order to work properly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports some upstream commits to fix CVE-2023-32763.
To backport the CVE fix, we had to backport two other related patches
to make the backport reasonably clean/straightforward.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports an upstream patch that fixes CVE-2023-32762.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports an upstream patch that fixes CVE-2023-33285.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit backports an upstream patch fixing CVE-2023-32573.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
