Commit Graph

45093 Commits

Author SHA1 Message Date
Bernd Kuhls
423bd5c767 package/freeswitch: bump version to 1.8.6
Updated license hash after upstream commit
a1f3b4862e

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2df2bde27f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:06:32 +02:00
Bernd Kuhls
385e1455b5 package/vlc: security bump to version 3.0.7
Fixes the following security issues:
 * Fix multiple buffer overflows in the ps demuxer
 * Fix a buffer overflow when copying a biplanar YUV image
 * Fix multiple buffer overflows in the faad decoder
 * Fix buffer overflow in the svcdsub decoder
 * Fix buffer overflows in the ogg muxer & demuxer
 * Fix buffer overflows in libavformat demuxer
 * Fix multiple buffer overflows in the MKV demuxer
 * Fix a buffer overflow in the MP4 demuxer
 * Fix a buffer overflow in the textst decoder
 * Fix a buffer overflow in the webvtt decoder
 * Fix a buffer overflow in the ASF demux
 * Fix a buffer overflow in the UPNP SD
 * Fix use after free in the ogg demuxer
 * Fix multiple use after free in the MKV demuxer
 * Fix multiple use after free in the DMO decoder
 * Fix integer underflow in the MKV demuxer
 * Fix an updater NULL pointer dereference on invalid signing keys
 * Fix NULL pointer dereference in the MKV demuxer
 * Fix an integer overflow in the spudec decoder
 * Fix an integer overflow in the nsc demuxer
 * Fix an integer overflow in the avi demuxer
 * Fix reads of uninitialized pointers in the MKV demuxer
 * Fix a floating point exception in the MKV demuxer
 * Fix an infinite loop in the flac packetizer

For more details, see the NEWS file:
https://www.videolan.org/developers/vlc-branch/NEWS

Removed patch 0010, applied upstream.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 04efb17c86)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:59:11 +02:00
Bernd Kuhls
6a7068607b package/vlc: fix build with libvpx 1.8.0
Fixes
http://autobuild.buildroot.net/results/e44/e44d5ca85be9e0dafa4a3d8b0187c54cff6e2d55/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6aa1b96ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:58:49 +02:00
Jörg Krause
7bf7db4589 package/gerbera: add upstream patch to fix find_program with taglib-config
Add a patch from upstream to fix linking Gerbera with taglib. The patch
fixes the following issue:

When cross-compiling, CMake's `find_program()` will search for binaries on the
host. This is typically correct, e.g. when searching for compilers or shells.

When cross-compiling, searching for `taglib-config` using `find_program` should
not find the binary on the host, instead it should find the binary in the sysroot
directory, as the host `taglib-config` will output the wrong host paths
and libs, whereas the sysroot `taglib-config` will output the correct sysroot
paths and libs.

Therefore, use the `CMAKE_FIND_ROOT_PATH_MODE_PROGRAM` variable when
cross-compiling. This variable controls whether the `CMAKE_FIND_ROOT_PATH`
and `CMAKE_SYSROOT` are used by find_program().

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 6d52768315)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:25:27 +02:00
Jörg Krause
6275dff6dd package/taglib: add upstream patch to fix taglib-config
The current taglib-config program does not work when cross-compiling as it only
returns paths to the host, which breaks building programs which link against
taglib.

For example gerbera uses `taglib-config` and it fails with:

```
[..]
-- Found TagLib: -L/usr/lib -ltag
[..]
arm-linux-gnueabihf-g++: ERROR: unsafe header/library path used in cross-compilation: '-L/usr/lib'
```

Before the patch the output of `taglib-config` is:
```
$ ./output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/bin/taglib-config --libs
-L/usr/lib -ltag
```

Add a patch from upstream which fixes taglib-config.

After applying the fix, the pkg-config file is correct:
```
$ ./output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/bin/taglib-config --libs
-L/home/joerg/Development/git/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -ltag
```

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ad29cd6224)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:24:51 +02:00
Jan Kundrát
17729645c6 docs: use-case for un-ignoring VCS directories and overridden source dir
Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Suggested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes: a27078d32d Allow overriding the VCS exclude list with *_OVERRIDE_SRCDIR_RSYNC_EXCLUSIONS
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f52809cbd2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:16:21 +02:00
Julien Olivain
269e89be98 manual/contribute.txt: fix typo
Signed-off-by: Julien Olivain <juju@cotds.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0c48904f76)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:13:50 +02:00
Fabrice Fontaine
79cdc64c62 package/libgit2: security bump to version 0.27.8
Fixing the following list of issues (fixed in 0.27.6 and 0.27.5):

    The function family git__strtol is used to parse integers
    from a buffer. As the functions do not take a buffer length as
    argument, they will scan either until the end of the current
    number or until a NUL byte is encountered. Many callers have
    been misusing the function and called it on potentially
    non-NUL-terminated buffers, resulting in possible out-of-bounds
    reads. Callers have been fixed to use git__strntol functions
    instead and git__strtol functions were removed.

    The function git__strntol64 relied on the undefined behavior
    of signed integer overflows. While the code tried to detect
    such overflows after they have happened, this is unspecified
    behavior and may lead to weird behavior on uncommon platforms.

    In the case where git__strntol32 was unable to parse an
    integer because it doesn't fit into an int32_t, it printed an
    error message containing the string that is currently being
    parsed. The code didn't truncate the string though, which
    caused it to print the complete string until a NUL byte is
    encountered and not only the currently parsed number. In case
    where the string was not NUL terminated, this could have led
    to an out-of-bounds read.

    When parsing tags, all unknown fields that appear before the
    tag message are skipped. This skipping is done by using a plain
    strstr(buffer, "\n\n") to search for the two newlines that
    separate tag fields from tag message. As it is not possible to
    supply a buffer length to strstr, this call may skip over the
    buffer's end and thus result in an out of bounds read. As
    strstr may return a pointer that is out of bounds, the
    following computation of buffer_end - buffer will overflow
    and result in an allocation of an invalid length. Note that
    when reading objects from the object database, we make sure to
    always NUL terminate them, making the use of strstr safe.

    When parsing the "encoding" field of a commit, we may perform
    an out of bounds read due to using git__prefixcmp instead of
    git__prefixncmp. This can result in the parsed commit object
    containing uninitialized data in both its message encoding and
    message fields. Note that when reading objects from the object
    database, we make sure to always NUL terminate them, making the
    use of strstr safe.

    Submodule URLs and paths with a leading "-" are now ignored.
    This is due to the recently discovered CVE-2018-17456, which
    can lead to arbitrary code execution in upstream git. While
    libgit2 itself is not vulnerable, it can be used to inject
    options in an implementation which performs a recursive clone
    by executing an external command.

    When running repack while doing repo writes,
    packfile_load__cb() could see some temporary files in the
    directory that were bigger than the usual, and makes memcmp
    overflow on the p->pack_name string. This issue was reported
    and fixed by bisho.

    The configuration file parser used unbounded recursion to parse
    multiline variables, which could lead to a stack overflow. The
    issue was reported by the oss-fuzz project, issue 10048 and
    fixed by Nelson Elhage.

    The fix to the unbounded recursion introduced a memory leak in
    the config parser. While this leak was never in a public
    release, the oss-fuzz project reported this as issue 10127. The
    fix was implemented by Nelson Elhage and Patrick Steinhardt.

    When parsing "ok" packets received via the smart protocol, our
    parsing code did not correctly verify the bounds of the
    packets, which could result in a heap-buffer overflow. The
    issue was reported by the oss-fuzz project, issue 9749 and
    fixed by Patrick Steinhardt.

    The parsing code for the smart protocol has been tightened in
    general, fixing heap-buffer overflows when parsing the packet
    type as well as for "ACK" and "unpack" packets. The issue was
    discovered and fixed by Patrick Steinhardt.

    Fixed potential integer overflows on platforms with 16 bit
    integers when parsing packets for the smart protocol. The issue
    was discovered and fixed by Patrick Steinhardt.

    Fixed potential NULL pointer dereference when parsing
    configuration files which have "include.path" or
    "includeIf..path" statements without a value.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 02afc9db7a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:10:56 +02:00
Jan Kundrát
17463b4f77 Allow overriding the VCS exclude list with *_OVERRIDE_SRCDIR_RSYNC_EXCLUSIONS
We have some internal packages which automatically bake a version string
from the git checkout, and we usually combine these with a
*_OVERRIDE_SRCDIR. I would like to let Buildroot *not* skip the .git
directory when picking up sources from the local checkout.  It turns out
that the existing mechanism (*_OVERRIDE_SRCDIR_RSYNC_EXCLUSIONS) only
supports adding to the exclude list because `rsync` simply uses the
first match from the provided filtering rules.

Solve this by using the user-provided values first. If they match, then
`rsync` won't exclude stuff based on the generic VCS exclude patterns.

Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit a27078d32d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:09:27 +02:00
Bernd Kuhls
81994e1631 package/samba4: security bump version to 4.9.9
Release notes: https://www.samba.org/samba/history/samba-4.9.9.html

Fixes CVE-2019-12435.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e9213e3c20)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:05:52 +02:00
Fabrice Fontaine
db479016f5 package/samba4: drop third patch
Drop third patch which is not upstreamable and set XSLTPROC to false
instead to disable documentation

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 48a9848cd6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:05:46 +02:00
Fabrice Fontaine
558cd377cc package/samba4: drop unneeded second patch
This patch is not needed since version 4.9.0 and
859698d29b
which solved the issue by avoiding calling this function.

Also renumber the remaining patches.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit df859a83f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:05:39 +02:00
Fabrice Fontaine
fad7b2f590 package/mpd: fix static build with tremor and vorbis
mpd can't be built statically with tremor and vorbis, build fails on:
block.c:(.text+0x11c): multiple definition of `vorbis_block_init'
/usr/lfs/v0/rc-buildroot-test/scripts/instance-2/output/host/bin/../sparc-buildroot-linux-uclibc/sysroot/usr/lib/libvorbisidec.a(block.o):block.c:(.text+0x0): first defined here
/usr/lfs/v0/rc-buildroot-test/scripts/instance-2/output/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/7.4.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: Disabling relaxation: it will not work with multiple definitions
/usr/lfs/v0/rc-buildroot-test/scripts/instance-2/output/host/bin/../sparc-buildroot-linux-uclibc/sysroot/usr/lib/libvorbis.a(block.o): In function `_vorbis_block_alloc':

Fix this by making both options mutually exclusive

It should be noted that upstream explicitly removed the possibility to
enable tremor and vorbis at the same time since version 0.21.6 and
c18cd941aa
Since we only have 0.20.23, it is still possible to build them together,
but there is clearly no need to allow it.

Fixes:
 - http://autobuild.buildroot.org/results/60c721a82ffd668bebf02d80bca83780d6cdb2f2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5395b1ca45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 21:19:45 +02:00
Fabrice Fontaine
441038cd83 package/mpd: drop tremor select
Drop tremor select added by commit
d428dddf68

Indeed, nowadays, mpd can be built successfully even if there is no
input plugin selected.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5d4ee34c39)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 21:19:38 +02:00
Esben Haabendal
76e1aeba4f arch: Fix typo breaking use of core-avx2 arch
Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 498a1fabe8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 21:05:53 +02:00
Peter Korsgaard
3e8b918b87 Update for 2019.02.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-07 09:36:49 +02:00
Peter Korsgaard
7b23d35df4 package/python-django: security bump to version 2.1.9
Fixes the following security issues:

CVE-2019-12308: AdminURLFieldWidget XSS

The clickable "Current URL" link generated by AdminURLFieldWidget displayed
the provided value without validating it as a safe URL.  Thus, an
unvalidated value stored in the database, or a value provided as a URL query
parameter payload, could result in a clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator
before displaying the clickable link.  You may customize the validator by
passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g.
when using formfield_overrides.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution.  If an unsanitized source object contained an
enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched to
allow for the select2 library’s use of jQuery.extend().

For more details, see the release notes:
https://docs.djangoproject.com/en/dev/releases/2.1.9/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 426084e25f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:38:46 +02:00
Peter Korsgaard
bc5213f7df package/exim: add upstream security fix for CVE-2019-10149
A flaw was found in Exim versions 4.87 to 4.91 (inclusive).  Improper
validation of recipient address in deliver_message() function in
src/deliver.c may lead to remote command execution.

For more details, see the advisory:

https://www.exim.org/static/doc/security/CVE-2019-10149.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 83967ef53d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:37:19 +02:00
Peter Korsgaard
9c788c3614 package/libcurl: bump version to 7.65.1
Fixes a number of bugs discovered after the 7.65.0 release.

https://daniel.haxx.se/blog/2019/06/05/7-65-1-patched-up-and-ready-to-go/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1272878fd0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:36:10 +02:00
Peter Korsgaard
e4f8a9a628 {linux, linux-headers}: bump 4.{9, 14, 19}.x / 5.{0, 1}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 5.{0, 1}.x bump]
(cherry picked from commit b827a3f50e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:32:27 +02:00
Markus Mayer
b2080a2f2f package/busybox: add dependency on dosfstools
dosfstools and busybox may each install mkfs.vfat, so dosfstools must
be installed before busybox.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca42df2111)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:26:51 +02:00
Francois Perrad
a6f7a75022 DEVELOPERS: Drop support for some packages from Francois Perrad
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4ddaaa65fa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:26:44 +02:00
Romain Naour
47fbfdb18f package/gcc: don't build a toolchain for powerpc with spe ABI with gcc >= 8.x
The powerpc*-*-*spe* support has been deprecated in GCC 8 [1] and has
been removed in GCC 9 [2].

While building with GCC 8, the build stops since we don't provide --enable-obsolete
option.

For now, keep powerpcspe support in Buildroot but only for older compiler
up to GCC 7.

Note: Although we can't select Glibc for powerpcspe since commit [4], this
support has been removed for the next version of Glibc (the upcoming 2.30).

[1] https://gcc.gnu.org/ml/gcc/2018-04/msg00102.html
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=b31d0348ddada49453e3edaaf93a423fdc61dc79
[3] https://sourceware.org/git/?p=glibc.git;a=commit;h=a053e878494080f7070cf92890e546057236c9c9
[4] https://git.buildroot.net/buildroot/commit/?id=5777e3ffd99132a57e3d29659850eec14b1625f8

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2df8b1417b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:44:20 +02:00
Peter Korsgaard
ac4c799278 {linux, linux-headers}: bump 4.{9, 14, 19}.x / 5.{0, 1}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: drop 5.{0, 1}.x bump]
(cherry picked from commit b24f274abe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:40:40 +02:00
James Hilliard
009cd18c8d package/v4l2loopback: bump to version 0.12.2 to fix Linux 5.1 compat
This fixes a kernel 5.1.x compatibility issue. The only changes
between 0.12.1 and 0.12.2 are:

d3b198ef6f57ca512fb25147c9d85b922fd4651a Released v0.12.2
376c2c28bd7d4470cd92ff646d6087ca70cd9d2e fixed typo
6edc4b164b1f05bee74cb507a4f50776a65ceb73 mentioned support for 5.0.0
0b8feb80fdef9a415d8250bca1790b3ff23e8391 Replace v4l2_get_timestamp with ktime_get_ts(64)
541e3bc7aaf46dc9a21f92c7f527397fce03dfd8 Update README.md

So the only functional change is the actual ktime_get_ts() fix, which
is needed for Linux 5.1 compatibility. Therefore, bumping is pretty
much the same as backporting just this commit.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Thomas: extend the commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 7a8460d45b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:38:59 +02:00
James Hilliard
4004bab2e6 package/v4l2loopback: bump to version v0.12.1
This should fix a kernel 5.x.x compatibility issue.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eb81fe39a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:38:43 +02:00
Peter Korsgaard
eb1db3ac17 package/netsurf: disallow on archs requiring ABI specific CFLAGS
Fixes:
http://autobuild.buildroot.net/results/67ef520d82ea529a9fe593d83a3aeae5f8b0ee5d/
http://autobuild.buildroot.net/results/eafc3e4be571d5ecee549a11530ac4e508f31782/
http://autobuild.buildroot.net/results/ba7f30833fef54162a82f4b336a72d6599594526/

The netsurf build system mixes up host and target CFLAGS, so it isn't
compatible with architectures where we pass ABI specific compiler flags (in
TARGET_ABI).

Add a _ARCH_SUPPORTS kconfig variable matching the TARGET_ABI logic we have
in package/Makefile.in, and use it to disallow netsurf for those
architectures.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 18855d79e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:37:53 +02:00
Adam Duskett
5d667bd7e2 package/gstreamer1/gst1-plugins-bad: require dynamic library for decklink plugin
The decklink plugin uses <dlfcn.h> functions: dlopen(), dlsym(), etc.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e49d5e946d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:37:06 +02:00
Markus Mayer
6549ef8d4c package/dosfstools: introduce custom install routine
We can't use dosfstools' install target, because it'll install *all*
binaries, even the disabled ones. Also, we can't just delete dosfstools
binaries from the target directory after installing them, because other
packages (specifically Busybox) may provide tools of the same name, and
we may end up deleting those instead.

To avoid any issues, we create our own install routines, which only
copy the enabled binaries into the target location.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
[Thomas: use full destination path for INSTALL commands.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 4cc31dfa3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:36:41 +02:00
Peter Korsgaard
32433179b3 package/libnss: security bump to version 3.42.1
Fixes the following security issues:

(3.41) CVE-2018-12404: Cache side-channel variant of the Bleichenbacher
attack

(3.42.1) CVE-2018-18508: Add additional null checks to several CMS functions
to fix a rare CMS crash.  Thanks to Hanno Böck and Damian Poddebniak for the
discovery and fixes

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8c0bff1b4f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:35:56 +02:00
Fabrice Fontaine
2436dc3be5 package/libopenssl: fix static build
no-dso option has been removed with
31b6ed76df

To fix this error, use "gcc" target in static builds. This target is
very minimalistic, we need to manually pass -lpthread and
-DOPENSSL_THREADS however we can also remove libdl workarounds

Fixes:
 - http://autobuild.buildroot.org/results/96d6b89d20980e8f7fa450b832474a81d492b315

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8c2c959b02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:35:10 +02:00
Peter Korsgaard
7b32265736 package/libopenssl: security bump to version 1.1.1c
Fixes the following security issues:

Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation.  RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes).  OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes.  However it
also incorrectly allows a nonce to be set of up to 16 bytes.  In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks.  If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher.  Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.  Any OpenSSL internal use of this cipher, including in SSL/TLS, is
safe because no such use sets such a long nonce value.  However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cfedfdee95)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:35:02 +02:00
Peter Korsgaard
2b1cc1af76 package/libopenssl: bump to version 1.1.1b
Drop patches 4..6 as they are now upstream.

Update the hash of the license file as the copyright dates changed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c2c57aa30f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:34:53 +02:00
Yann E. MORIN
60817d0403 infra/pkg-kconfig: do not rely on package's .config as a timestamp
Since linux-4.19, the kernel's build system internally touches its
.config file.

However, we currently used that file as a timestamp to detect whether
our kconfig fixups were to be (re)applied or not, which in turn is used
to decide whether we should (re)build the package or not.

But with latest kernel versions, this timestamp heuristic is now broken,
and we always rebuild the kernel on subsequent builds.

We fix that by introducing a separate timestamp file of our own, which
we know the kernel (or the kconfig-based packages, for that matter)
does not use.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 05fea6e4a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:33:28 +02:00
Fabrice Fontaine
6918255dde package/matchbox-panel: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/3e72c2c2baae3a70fb5145b1b09a1f3716e4bce2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 46668b157a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:33:03 +02:00
Yegor Yefremov
6f654cabb4 package/dropbear: rework license information
According to the LICENSE file curve25519-donna is licensed under
BSD-3-Clause license.

There is only BSD-2-Clause license mentioned so remove
BSD-2-Clause-like.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b7f1363050)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:32:32 +02:00
Asaf Kahlon
74debfb99b package/python-cython: bump to version 0.29.9
Fixes a number of crashes / bugs. For details, see:
https://github.com/cython/cython/blob/master/CHANGES.rst

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f2c9e9707e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:29:44 +02:00
Asaf Kahlon
c477a97d5d package/python-cython: bump to version 0.29.5
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c809f1b352)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:29:38 +02:00
Bernd Kuhls
f8fc86bace package/php: security bump version to 7.3.6
Release notes: https://www.php.net/archive/2019.php#id2019-05-30-1

Fixes
CVE-2019-11038: https://bugs.php.net/bug.php?id=77973
CVE-2019-11039: https://bugs.php.net/bug.php?id=78069
CVE-2019-11040: https://bugs.php.net/bug.php?id=77988

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8d27812ac1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:27:57 +02:00
Mirza Krak
601d2b356d package/mender: update readme.txt
Provide additional details on how Mender works within Buildroot.

Signed-off-by: Mirza Krak <mirza.krak@northern.tech>
[Thomas: remove duplicate "Default configuration files" title, rewrap
text]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit a10d911788)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:26:41 +02:00
Mirza Krak
b6669b433d package/mender: install additional inventory scripts
There are two additional inventory scripts provided in
the Mender client repository, let's install them.

- mender-inventory-os
    - will push content of /etc/os-release
- mender-inventory-rootfs-type
    - will push filesystem type of rootfs

Signed-off-by: Mirza Krak <mirza.krak@northern.tech>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit bbb4bc7dfa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:26:28 +02:00
Mirza Krak
175c0bb03d package/mender: update rootfs parts in mender.conf
The configuration options (RootfsPartA/RootfsPartB) must
provide a valid path to a block device.

Signed-off-by: Mirza Krak <mirza.krak@northern.tech>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 637352b50b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:26:23 +02:00
Fabrice Fontaine
4c3753a617 package/supertux: fix debug build on uclibc/musl
Always set CMAKE_BUILD_TYPE to Release otherwise supertux will be built
with -pg since:
afd5f1b33c

This will result in the following build failure on uclibc or musl:
[ 77%] Linking C executable sq_static
CMakeFiles/sq_static.dir/sq.c.o: In function `quit':
/home/buildroot/autobuild/instance-3/output/build/supertux-0.6.0/external/squirrel/sq/sq.c:42: undefined reference to `__gnu_mcount_nc'

Fixes:
 - http://autobuild.buildroot.org/results/b0b2e25af198d01713d1e2bcf38c77ae8ffbd7de

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c283f0216d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:21:29 +02:00
Giulio Benetti
6b05ed63e1 package/flare-engine: fix check-package failure
Check-package gives error on flare-engine due to trailing whitespace in
flare-engine.mk comment inserted with commit:
https://git.buildroot.net/buildroot/commit/?id=1203cca1b51eefb4ee236d998ab6ec32bdd087d8

Remove trailing whitespace in flare-engine.mk comment.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit bf6c06152f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:20:26 +02:00
Arnout Vandecappelle (Essensium/Mind)
99b9fddc9c package/flare-engine: fix typo in comment
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 56b6bd893a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:20:16 +02:00
Giulio Benetti
84b577c1de package/flare-engine: re-enable package on microblaze
With Microblaze Gcc version < 8.x the build hangs due to bug 85180:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180
To avoid this, the flare-engine package has a
!BR2_TOOLCHAIN_HAS_GCC_BUG_85180 dependency. However, gcc bug 85180 only
triggers when optimization is enabled, so we can work around the issue
by passing -O0, which is what we do in other Buildroot packages to work
around this bug.

So, this commit passes -O0 when BR2_TOOLCHAIN_HAS_GCC_BUG_85180, and
re-enables flare-engine on Microblaze. It is not enough to set
CMAKE_CXX_FLAGS, because flare-engine's CMakeLists.txt sets
CMAKE_CXX_FLAGS_<BUILD_TYPE> (depending on the value of
CMAKE_BUILD_TYPE), and the build-type-specific flags come after the
generic flags, so our -O0 gets overridden again. Therefore, also set
CMAKE_BUILD_TYPE to the dummy value Buildroot.

Fixes:
http://autobuild.buildroot.net/results/706/7065e14917a8bbc0faf21b29183ac55b6c800ee3/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Arnout: extend explanatory comment and update commit log]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

(cherry picked from commit 1203cca1b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:20:10 +02:00
Guo Ren
1897bdb400 support/gnuconfig/config.sub: add C-SKY support
Modify config.sub so that it knows about the C-SKY
architecture. Without this, all autotools projects fail to build on
C-SKY.

Signed-off-by: Guo Ren <ren_guo@c-sky.com>
[Thomas: improved commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 2213636675)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:18:47 +02:00
Artem Panfilov
9338cc4bbb package/linuxptp: fix build with new headers
net_tstamp.h in recent kernel versions requires time.h for clockid_t.

Fixes:
  http://autobuild.buildroot.net/results/93903e8abfeaa7df0b6525033fa63e29f2c9e7ae

Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1ab26a8264)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:16:15 +02:00
Fabrice Fontaine
3880c159fe package/botan: fix static build with atomic
Fixes:
 - http://autobuild.buildroot.org/results/9db39b209a0f4be1e09b7e4ddb5e9a63da4fbbfa

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
(cherry picked from commit b79439af44)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:10:41 +02:00
Fabrice Fontaine
52b3f8187f package/gpsd: fix BR2_PACKAGE_GPSD_MAX_{CLIENT, DEV} options
limited_max_clients and limited_max_devices have been renamed in 3.12
as max_clients and max_devices, respectively.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Benoît Thébaudeau <benoit.thebaudeau.dev@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 87cc11688d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:06:51 +02:00