CMakeLists.txt contains a toolchain check:
if (${CMAKE_CXX_COMPILER_ID} STREQUAL "GNU")
if (${CMAKE_CXX_COMPILER_VERSION} VERSION_LESS "7.3.0")
message(FATAL_ERROR "GCC 7.3 or newer is required to build WebKit. Use a newer GCC version or Clang.")
endif ()
endif ()
So bump the toolchain dependency to >= GCC 7. The check is really about >=
7.3.0, but we do not have such detailed version checks. Given that GCC
7.3.0 was released in January 2018 (and 7.1.0 in May 2017), most external
GCC 7.x toolchains probably use >= 7.3.0.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ec1ff802df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Forcibly disable the JavaScriptCore JIT compilation support
for MIPSr6 processors, which are unsupported.
Fixes: http://autobuild.buildroot.net/results/3d21d3c3460cd85a4c828dd197929cdf17aaf4e0
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5eb70ceced)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1a6de2da70)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2019-8835: Multiple memory corruption issues were addressed with
improved memory handling
- CVE-2019-8844: Multiple memory corruption issues were addressed with
improved memory handling
- CVE-2019-8846: A use after free issue was addressed with improved memory
management
For details, see the advisory:
https://webkitgtk.org/security/WSA-2020-0001.html
Drop now upstreamed patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 35df7bdb07)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
His e-mail address is bouncing:
Your message to bachmann@tofwerk.com couldn't be delivered.
bachmann wasn't found at tofwerk.com.
thomas.petazzoni Office 365 bachmann
Action Required Recipient
Unknown To address
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 19829deb25)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
His e-mail address is bouncing:
----- The following addresses had permanent fatal errors -----
<sbobroff@linux.ibm.com>
(reason: 550 5.1.1 <sbobroff@linux.ibm.com>: Recipient address rejected: User unknown in local recipient table)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 374fe52bb0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Even though pyqt5 would be perfectly usable with just the core Qt5
modules (QtCore, QtDbus, ...), its configure.py script passes the -gui
option to qmake unconditionally. Therefore, make sure that GUI is built.
Fixes:
- http://autobuild.buildroot.org/results/ea0c8db44aacf1ce76f75e8288969fe5da6690d9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 6b0ba1a3c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Qt5 has predefined optimization flags depending if you're building for
size, for debug etc. These flags are defined in
mkspecs/common/gcc-base.conf:
QMAKE_CFLAGS_OPTIMIZE = -O2
QMAKE_CFLAGS_OPTIMIZE_FULL = -O3
QMAKE_CFLAGS_OPTIMIZE_DEBUG = -Og
QMAKE_CFLAGS_OPTIMIZE_SIZE = -Os
Then, in the same file, they use them to set
QMAKE_CFLAGS_RELEASE/QMAKE_CXXFLAGS_RELEASE:
QMAKE_CFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE
QMAKE_CXXFLAGS_RELEASE += $$QMAKE_CFLAGS_RELEASE
At this point there is our chance to override QMAKE_CFLAGS_OPTIMIZE_* in
qmake.conf, but it's too late, because QMAKE_CFLAGS_RELEASE is already
set (i.e. -O2) so trying to add or remove QMAKE_CFLAGS_OPTIMIZE (that is
reset now on) from QMAKE_CLAGS_RELEASE in
common/features/default_post.prf won't work:
optimize_size {
!isEmpty(QMAKE_CFLAGS_OPTIMIZE):!isEmpty(QMAKE_CFLAGS_OPTIMIZE_SIZE) {
QMAKE_CFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
QMAKE_CXXFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
QMAKE_CFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_SIZE
QMAKE_CXXFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_SIZE
}
} else: optimize_full {
!isEmpty(QMAKE_CFLAGS_OPTIMIZE):!isEmpty(QMAKE_CFLAGS_OPTIMIZE_FULL) {
QMAKE_CFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
QMAKE_CXXFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
QMAKE_CFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_FULL
QMAKE_CXXFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_FULL
}
}
So let's reset:
QMAKE_CFLAGS_RELEASE
QMAKE_CFLAGS_DEBUG
QMAKE_CXXFLAGS_RELEASE
QMAKE_CXXFLAGS_DEBUG
in our qmake.conf since the only assignment done in
mkspecs/common/gcc-base.conf only regards optimization.
This package is also affected by BR2_TOOLCHAIN_HAS_GCC_BUG_90620 and
it's been worked around by appending -O0 to CFLAGS/CXXFLAGS. This bug
prevented workaround to work overriding optimization flags, so solving
this also solves workaround problem.
Fixes:
http://autobuild.buildroot.net/results/ada/adaa9b4bcc6f9d2b5e82c479859a07e8abf5cf13/http://autobuild.buildroot.net/results/a83/a83bdd1f3bf309c07abebe871b017c331ed36e67/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: add a comment to qmake.conf.in]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c4a6f974b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2018-11813: libjpeg 9c has a large loop because read_pixel in
rdtarga.c mishandles EOF.
- Update hash of README (small updates such as authors, year ...)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 75a14ec067)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues (4.10.12):
CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
Directory not automatic.
CVE-2019-14907: Crash after failed character conversion at log level 3
or above.
CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD
DC.
For more details, see the release notes:
https://www.samba.org/samba/history/samba-4.9.18.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As recently reported to the list:
http://lists.busybox.net/pipermail/buildroot/2020-January/271937.html
The hardcoded rootfs partition size can lead to hard to understand build
failures if more packages are added.
So drop the hardcoded partition size. Genimage will then size the partition
to match the size of the rootfs image (which by default is also 60MB for ext4).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f1d1967422)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 20286d494a)
[Peter: drop 5.4.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The 4.11.3 release brings a large number of fixes:
https://xenproject.org/downloads/xen-project-archives/xen-project-4-11-series/xen-project-4-11-3/
Including a number of security fixes:
XSA-298: missing descriptor table limit checking in x86 PV emulation
(CVE-2019-18425)
XSA-299: Issues with restartable PV type change operations (CVE-2019-18421)
XSA-301: add-to-physmap can be abused to DoS Arm hosts (CVE-2019-18423)
XSA-302: passed through PCI devices may corrupt host memory after
deassignment (CVE-2019-18424)
XSA-303: ARM: Interrupts are unconditionally unmasked in exception handlers
(CVE-2019-18422)
XSA-304: x86: Machine Check Error on Page Size Change DoS (CVE-2018-12207)
XSA-305: TSX Asynchronous Abort speculative side channel (CVE-2019-11135)
XSA-306: Device quarantine for alternate pci assignment methods
(CVE-2019-19579)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/14af2dc3219847a92c6ec2db14ba387159b61fde
The Xen build system builds and embeds a default XSM FLASK (Flux Advanced
Security Kernel) security policy if it detects SELinux checkpolicy on the
build machine.
If enabled, a gen-policy.py python script is used to convert the binary
FLASK policy to a C array initialization list to embed it in the Xen binary.
Depending on the python version and locale available on the host, this fails
with byte values outside the 0..255 range:
policy.c:7:10: error: unsigned conversion from 'int' to 'unsigned char' changes value from '56575' to '255' [-Werror=overflow]
0xdc8c, 0xdcff, 0x7c, 0xdcf9, 0x08, 0x00, 0x00, 0x00, 0x58, 0x65, 0x6e, 0x46, 0x6c,
To fix this and ensure a consistent build, pass XEN_HAS_CHECKPOLICY=n to
disable the checkpolicy detection.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b60f3e2ae6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The README file saved by legal-info does not mention the host package
variant of the saved material. Add them.
Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ec78068972)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This list dates back to 2012. Since a long time now Buildroot saves the
patches applied as well as the actual source code for some external
toolchains. Update the manual accordingly.
Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a74e57c932)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2019-18222: Our bignum implementation is not constant
time/constant trace, so side channel attacks can retrieve the blinded
value, factor it (as it is smaller than RSA keys and not guaranteed to
have only large prime factors), and then, by brute force, recover the
key. Reported by Alejandro Cabrera Aldaya and Billy Brumley.
For more details, see the announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch adds a new manual section that captures an overview
of the run-tests tool, how to manually run a test and where to
find the test case script.
A brief set of steps is included to go through how to add a new
test case and suggestions on how to test/debug.
Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[yann.morin.1998@free.fr:
- switch the creating and debugging sections
- minor reformatting
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e2e57d5678)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2019-10155 (IKEv1 information exchange packet's integrity check
value is not verified)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 94c66ece47)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This will fix a static build failure with czmq
Fixes:
- http://autobuild.buildroot.org/results/4a12f1ede260cd956a0b5ccb4eec6ca8b44cb04f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f2fc6df260)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 565db7267e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2019-13117: In numbers.c in libxslt 1.1.33, an xsl:number with certain
format strings could lead to a uninitialized read in
xsltNumberFormatInsertNumbers. This could allow an attacker to discern
whether a byte on the stack contains the characters A, a, I, i, or 0, or
any other character.
- CVE-2019-13118: In numbers.c in libxslt 1.1.33, a type holding grouping
characters of an xsl:number instruction was too narrow and an invalid
character/length combination could be passed to xsltNumberFormatDecimal,
leading to a read of uninitialized stack data.
- CVE-2019-18197: In xsltCopyText in transform.c in libxslt 1.1.33, a
pointer variable isn't reset under certain circumstances. If the relevant
memory area happened to be freed and reused in a certain way, a bounds
check could fail and memory outside a buffer could be written to, or
uninitialized data could be disclosed.
Remove patch (already in version)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: mention security impact]
(cherry picked from commit 5645107c39)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adds the --dynamic option to xml2-config, needed by libxslt 1.1.34+.
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: mention the dependency from libxslt]
(cherry picked from commit 2eeff06272)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2019-14491: An issue was discovered in OpenCV before 3.4.7
and 4.x before 4.1.1. There is an out of bounds read in the function
cv::predictOrdered<cv::HaarEvaluator> in
modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
- Fix CVE-2019-14492: An issue was discovered in OpenCV before 3.4.7
and 4.x before 4.1.1. There is an out of bounds read/write in the
function HaarEvaluator::OptFeature::calc in
modules/objdetect/src/cascadedetect.hpp, which leads to denial of service.
- atomic workaround is not needed since version 3.4.8 and
464972855e
- Update hash of license file (Xperience.AI added:
766465ce94)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f6fb2cae06)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With Microblaze Gcc version <= 9.x the build fails due to gcc bug 68485:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68485. The bug show up when
building opencv3 with optimization but not when building with -O0. To
work around this, if BR2_TOOLCHAIN_HAS_GCC_BUG_68458=y, we force using
-O0.
Fixes:
- http://autobuild.buildroot.org/results/c78eac84d1c5a6702e7759cd5364da1c3e399b4b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 87040137a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3cb8d6c3a6)
[Peter: drop 5.4.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Removed patches 0006 & 0007 which were applied upstream as single
commit on the server-1.20-branch branch:
07efd81b81
Updated upstream URL for patch 0001.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5f90daa66f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
In file included from lnx_init.c:33:
../../../../hw/xfree86/common/compiler.h:767:10: fatal error: sys/io.h: No such file or directory
#include <sys/io.h>
^~~~~~~~~~
compilation terminated.
The ARM sys/io.h has been removed from upstream glibc, which is in
buildroot. This causes the xorg-server build to fail on ARM when using
the glibc toolchain. See [1], [2].
The following patches ([3], [4]) from upstream xserver fix this, but
have not yet been released.
[1] https://sourceware.org/glibc/wiki/Release/2.30#A.3Csys.2BAC8-io.h.3E_removed_on_32-bit_Arm
[2] https://gitlab.freedesktop.org/xorg/xserver/issues/840
[3] 6a2ce6c5da
[4] fe4cd0e7f5
Signed-off-by: Thomas Preston <thomas.preston@codethink.co.uk>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b07952073)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add two patches to fix openssl support:
- 0003-Fix-openssl-detection.patch (suggested by Jonathan Kimmitt)
- 0004-Support-OpenSSL-1.1.0.patch (taken from upstream)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 62ad96c057)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 5eecaf354c (package/rtl8821au: switch to abperiasamy fork) changed
the upstream location, but didn't update the link in the help text.
Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6d4c2d062e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Without the device-mapper udev rules, dm devices will not get a proper
symlink like /dev/disk/by-label/LABEL, which in turn causes fstab
LABEL= mounts to fails.
And by extension causes shenanigans with systemd, where it will
unmount a manually mounted disk because it can't resolve the label.
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 51ec0f48ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2019-19221: In Libarchive 3.4.0, archive_wstring_append_from_mbs in
archive_string.c has an out-of-bounds read because of an incorrect mbrtowc
or mbtowc call. For example, bsdtar crashes via a crafted archive.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2019-14271: In Docker 19.03.x before 19.03.1 linked against the GNU C
Library (aka glibc), code injection can occur when the nsswitch facility
dynamically loads a library inside a chroot that contains the contents of
the container
Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 39cffd5356)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
- CVE-2019-14271: In Docker 19.03.x before 19.03.1 linked against the GNU C
Library (aka glibc), code injection can occur when the nsswitch facility
dynamically loads a library inside a chroot that contains the contents of
the container
Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0161899ae5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerabilities:
containerd 1.2.9/gRPC:
- CVE-2019-9512: Some HTTP/2 implementations are vulnerable to ping floods,
potentially leading to a denial of service. The attacker sends continual
pings to an HTTP/2 peer, causing the peer to build an internal queue of
responses. Depending on how efficiently this data is queued, this can
consume excess CPU, memory, or both
- CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset
flood, potentially leading to a denial of service. The attacker opens a
number of streams and sends an invalid request over each stream that
should solicit a stream of RST_STREAM frames from the peer. Depending on
how the peer queues the RST_STREAM frames, this can consume excess memory,
CPU, or both
- CVE-2019-9515: Some HTTP/2 implementations are vulnerable to a settings
flood, potentially leading to a denial of service. The attacker sends a
stream of SETTINGS frames to the peer. Since the RFC requires that the
peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
frame is almost equivalent in behavior to a ping. Depending on how
efficiently this data is queued, this can consume excess CPU, memory, or
both
containerd 1.2.10/runc:
- CVE-2019-16884: runc through 1.0.0-rc8, as used in Docker through
19.03.2-ce and other products, allows AppArmor restriction bypass because
libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a
malicious Docker image can mount over a /proc director
Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f40f2bae81)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerability:
- CVE-2019-16884: runc through 1.0.0-rc8, as used in Docker through
19.03.2-ce and other products, allows AppArmor restriction bypass because
libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a
malicious Docker image can mount over a /proc directory.
Signed-off-by: Christian Stewart <christian@paral.in>
[Peter: mention security impact]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dbbf08849b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
