Commit Graph

45025 Commits

Author SHA1 Message Date
Fabrice Fontaine
4318a8179b package/connman-gtk: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/30b775323b4780b35a163100097952eff232339e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2b4d843daf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:12:59 +02:00
Atharva Lele
bcf15a35cc Makefile: don't export GZIP environment variable
We export GZIP = -n so that GZIP does not record original
name and timestamps. However..

GZIP environment variable is deprecated and soon will not be
supported in future GZIP versions. GZIP suggests the use of a
wrapper to pass options globally but it might be difficult to
implement in Buildroot. For now, we don't export the variable
and fix reproducibility issues per package as they show up in
Autobuilder.

Signed-off-by: Atharva Lele <itsatharva@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d590b37633)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:10:21 +02:00
Atharva Lele
098cea58fc fs/common.mk: do not store original names and timestamps when creating gzipped rootfs
Using the GZIP environment variable to pass gzip options is
deprecated, and therefore we are going to remove the "GZIP = -n"
definition from the main Buildroot Makefile. In preparation for this,
we explicitly add the -n argument to the gzip call in fs/common.mk to
ensure reproducibility.

Signed-off-by: Atharva Lele <itsatharva@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 44d17dd128)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:10:13 +02:00
Fabrice Fontaine
ed723deef5 package/gnutls: fix build on sparc
gnutls source code uses the C++11 <atomic> functionality since
7978a73346,
which internally is implemented using the __atomic_*() gcc built-ins

On certain architectures, the __atomic_*() built-ins are implemented in
the libatomic library that comes with the rest of the gcc runtime. Due
to this, code using <atomic> might need to link against libatomic,
otherwise one hits build issues such as:

../lib/.libs/libgnutls.so: undefined reference to `__atomic_fetch_sub_4'

on an architecture like SPARC.

To solve this, link against libatomic if BR2_PACKAGE_HAS_LIBATOMIC is set.

This fix gnutls build failures as well as cups, gnupg and libmicrohttpd

Fixes:
 - http://autobuild.buildroot.org/results/1c7541fc6ac4b52d1dfe02a9a7d61db90f4521eb
 - http://autobuild.buildroot.org/results/42c8803b98e38ebd48870fe6b1a20a1d6c351e5f
 - http://autobuild.buildroot.org/results/a1e96d02d41f7fec0f5327f65fb34405f963a1e9
 - http://autobuild.buildroot.org/results/59c92706457a9da29dd44425e546a7c80c18b454

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e5a2354b6b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:08:40 +02:00
Alex Xu
c161675343 package/json-glib: set -Dintrospection=false
When -Dintrospection=false is not passed, the meson script
auto-detects the host g-ir-scanner, which is not usable in a
cross-compile environment.

Signed-off-by: Alex Xu <alex_y_xu@yahoo.ca>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6afc3edd41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:06:27 +02:00
Bernd Kuhls
cfe35b8543 package/x11r7/xlib_libICE: security bump version to 1.0.10
Fixes CVE-2017-2626, release notes:
https://lists.x.org/archives/xorg-announce/2019-July/003006.html

Added all hashes provided by upstream, added license hash.
Updated _SITE according to release notes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c6657f450a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:03:12 +02:00
Fabrice Fontaine
df376cb2fe package/glib-networking: drop host-intltool
intltool is not needed since version 2.49.90 and
f539b7ebdb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 454d2a32ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 18:59:10 +02:00
Peter Seiderer
62f9e4dd02 package/cryptopp: replace utf-8 space by ascii character
Replace utf-8 NO-BREAK-SPACE (c2 a0) in comment line by simple
ascii space character.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 695f20cd0c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-02 22:41:20 +02:00
Fabrice Fontaine
d22a31da4a package/cryptopp: fix build with gcc < 4.9
Fixes:
 - http://autobuild.buildroot.org/results/7e68f32e62c34497848f0f7fc1f12dba67bf44d0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: re-order the assignments]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0a0648226b)
[Peter: the existing patch in fact doesn't work as GCC 4.9 defines __AVX2__]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-02 22:40:18 +02:00
Fabrice Fontaine
f1cdd80c4d package/cryptopp: don't build cryptest.exe
Replace install target by install-lib target to avoid building and
installing cryptest.exe

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bd1ba229be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-02 22:37:23 +02:00
Giulio Benetti
f0175174f8 package/brotli: properly pass TARGET_CFLAGS in Microblaze workaround
In commit 39dde1ffb6 ("package/brotli:
work around gcc bug 68485"), a mistake was made: when
BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y, we're only passing -O0 as CFLAGS,
completely ignoring TARGET_CFLAGS, which is not good.

This commit fixes that by introducing a BROTLI_CFLAGS variable,
initially defined to TARGET_CFLAGS, and to which we add -O0 when
BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Thomas: rework commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 657ffee375)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-01 11:10:40 +02:00
Giulio Benetti
6155749436 package/brotli: work around gcc bug 68485
With Microblaze Gcc version <= 9.x the build fails due to gcc bug 68485:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68485. The bug show up when
building brotli with optimization but not when building with -O0. To
work around this, if BR2_TOOLCHAIN_HAS_GCC_BUG_68458=y, we force using
-O0.

Fixes:

  http://autobuild.buildroot.net/results/d86/d86251974a0a348a64d9a1d1fd7d02dd4aff0792/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 39dde1ffb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-01 11:10:32 +02:00
Fabrice Fontaine
186172bd0c package/imx-uuc: fix static build with musl
Use TARGET_CONFIGURE_OPTS to pass -static in LDFLAGS when building
statically

Fixes:
 - http://autobuild.buildroot.org/results/12c08173f83315fb68fe3c3d34a78ed919ba5a79

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit df781e31ca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-01 00:21:53 +02:00
Fabrice Fontaine
bf73e317d7 package/zeromq: fix sha256 hash
Bump to version 4.3.2 did not update sha256 hash

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2312a83288)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-01 00:16:47 +02:00
Asaf Kahlon
f466c88ec2 package/zeromq: security bump to version 4.3.2
Fixes the following security issue:

CVE-2019-13132: a remote, unauthenticated client connecting to a
libzmq application, running with a socket listening with CURVE
encryption/authentication enabled, may cause a stack overflow and
overwrite the stack with arbitrary data, due to a buffer overflow in
the library. Users running public servers with the above configuration
are highly encouraged to upgrade as soon as possible, as there are no
known mitigations. All versions from 4.0.0 and upwards are affected.
Thank you Fang-Pen Lin for finding the issue and reporting it!

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: mention security impact]
(cherry picked from commit 45e5cd5a2b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-01 00:13:42 +02:00
Giulio Benetti
6495a148c2 package/x11r7/xlib_libXfont2: work around gcc bug 85180
On Microblaze, with gcc versions < 8.x the build of xlib_libXfont2
hangs due to gcc bug 85180:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180.

The bug shows up when building xlib_libXfont2 with optimization but
not when building with -O0. To work around this, if
BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y we force using -O0.

Fixes:

  http://autobuild.buildroot.net/results/21099d27c03948daaca2d1c149eeba084427e3af/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5942dcdc5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-01 00:09:44 +02:00
Sébastien Szymanski
bc367e42f3 package/unzip: update security and bug fix patches from Debian
Fix the URL and add three new patches. Quoting changelog [1]:

unzip (6.0-24) unstable; urgency=medium

  * Apply two patches by Mark Adler:
  - Fix bug in undefer_input() that misplaced the input state.
  - Detect and reject a zip bomb using overlapped entries. Closes: #931433.
    Bug discovered by David Fifield. For reference, this is CVE-2019-13232.

 -- Santiago Vila <sanvila@debian.org>  Thu, 11 Jul 2019 18:03:34 +0200

unzip (6.0-23) unstable; urgency=medium

  * Fix lame code in fileio.c which parsed 64-bit values incorrectly.
    Thanks to David Fifield for the report. Closes: #929502.

 -- Santiago Vila <sanvila@debian.org>  Wed, 29 May 2019 00:24:08 +0200

[1] https://sources.debian.org/data/main/u/unzip/6.0-24/debian/changelog

Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 009c59a261)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-01 00:02:10 +02:00
Atharva Lele
5014abb34a fs/tar: explicitly set extended header values to ensure binary reproducibility
Since we use --xattrs-include='*' to include all extended attributes,
tar creates a PAX formatted archive. The archive metadata captures atime
and ctime of files. To fix this, GNU recommends that we pass this added
argument to tar to create binary reproducible packages. Setting of mtime
is handled in fs/common.mk using touch on all files.

Diffoscope output pre-change: https://gitlab.com/snippets/1871111
Diffoscope output after change is blank i.e. binary reproducibile rootfs
is created.

GNU Recommendation: https://www.gnu.org/software/tar/manual/tar.html#SEC147

Signed-off-by: Atharva Lele <itsatharva@gmail.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9c449f9dd8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:47:37 +02:00
Bernd Kuhls
06b6cb2870 package/imagemagick: add upstream security fix for CVE-2019-13454
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0287136ff7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:46:10 +02:00
Bernd Kuhls
02c6fc424f package/imagemagick: security bump to version 7.0.8-53
Fixes various CVE IDs:

CVE-2019-13133, CVE-2019-13134, CVE-2019-13135, CVE-2019-13136,
CVE-2019-13137, CVE-2019-13295, CVE-2019-13296, CVE-2019-13297,
CVE-2019-13298, CVE-2019-13299, CVE-2019-13300, CVE-2019-13301,
CVE-2019-13302, CVE-2019-13303, CVE-2019-13304, CVE-2019-13305,
CVE-2019-13306, CVE-2019-13307, CVE-2019-13308, CVE-2019-13309,
CVE-2019-13310, CVE-2019-13311, CVE-2019-13391

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7f7820c535)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:46:06 +02:00
Arnout Vandecappelle (Essensium/Mind)
e3055cb553 docs/manual: 'Fixes' tag needs a colon
Apparently, patchwork only recognizes the 'Fixes' tag if it is followed
by a colon. So make sure the manual documents it as such.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e875c2ffd2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:42:38 +02:00
Adam Duskett
9e12fb0ebe package/python3: security bump to version 3.7.4
Fixes the following security issues:

- bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with
  additional text after the address and only quad-dotted notation without
  trailing whitespaces.  Some inet_aton() implementations ignore whitespace
  and all data after whitespace, e.g.  ‘127.0.0.1 whatever’.

- bpo-35907: CVE-2019-9948: Avoid file reading by disallowing local-file://
  and local_file:// URL schemes in URLopener().open() and
  URLopener().retrieve() of urllib.request.

- bpo-30458: Address CVE-2019-9740 by disallowing URL paths with embedded
  whitespace or control characters through into the underlying http client
  request.  Such potentially malicious header injection URLs now cause an
  http.client.InvalidURL exception to be raised.

- bpo-33529: Prevent fold function used in email header encoding from
  entering infinite loop when there are too many non-ASCII characters in a
  header.

- bpo-35755: shutil.which() now uses os.confstr("CS_PATH") if available and
  if the PATH environment variable is not set.  Remove also the current
  directory from posixpath.defpath.  On Unix, shutil.which() and the
  subprocess module no longer search the executable in the current directory
  if the PATH environment variable is not set.

Also remove the following upstreamed patches:
  - 0033-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
  - 0034-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

(cherry picked from commit 906ed044aa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:39:38 +02:00
Fabrice Fontaine
4de50d7281 package/python3: drop unrecognized option
--enable-old-stdlib-cache is not recognozed since at least version
3.6.3, see:
http://autobuild.buildroot.org/results/b957f956100fc36c7d5ffab1d7df41a65ae52ded

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 440eaa41d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:39:33 +02:00
Baruch Siach
e6f996d64e package/gnupg2: security bump to version 2.2.17
This release mitigates the effects of the denial-of-service attacks on
the keyserver network (CVE-2019-13050).

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
https://access.redhat.com/articles/4264021

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 410e8a5977)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:32:34 +02:00
Baruch Siach
0dc00072e4 package/gnupg2: bump to version 2.2.13
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 32ef40a9d9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 23:30:06 +02:00
Fabrice Fontaine
46857255ea package/json-glib: fix NLS build
Fixes:
 - http://autobuild.buildroot.org/results/a9515ce8acb2d13532d0d43f8f61fa890a4705b3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: put LDFLAGS after DEPENDENCIES]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

(cherry picked from commit ff26958c3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 21:47:15 +02:00
Fabrice Fontaine
97508f1445 package/atk: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/67367706de3b38f31b9f59a7cb98cb2186e8ee6b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 65b1494754)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 21:46:29 +02:00
Fabrice Fontaine
cde507bf83 package/gvfs: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/8b061756ae6081d21d6ede8b27844f8fc3131953

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1a82e95237)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 21:45:50 +02:00
Fabrice Fontaine
bfe06e958b package/gupnp-tools: fix build with NLS
Fixes:
 - No autobuilder failures yet

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f8e16b6d64)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-31 21:44:33 +02:00
Yann E. MORIN
9ff9168b19 package/weston: fix build with latest freerdp
Commit 942da943f3 (package/freerdp: security bump to version 2.0.0-rc4)
backported a patch from master, that bumps FreeRDP for security fixes.

However, the FreeRDP development process is, well, a bit weird, as they
have been in the rc phase for the past two years now (2.0.0-rc0 was on
2017-07-24). As such, they still continue to do huge code refactoring
and cleanup and stuff, even though this is the rc phase. Their API thus
changed quite a bit between rc2 and rc4.

Thus the backport now breaks weston.

We do not have the problem on master or 2019.05.x, because we are using
a more recent weston (6.0.0) which has the fix already. But on 2019.02.x,
we're still using an older weston (5.0.0), which misses the fix.

Backport the fix from upstream.

Fixes (2019.02.x):
    http://autobuild.buildroot.net/results/5fb140acadf26b7f38d3f5c07a4f8dd4dc9acb9e
    http://autobuild.buildroot.org/results/b16610516a8514cf45860a48d693dd0db275e8d9

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Alexey Lukyanchuk <skif@skif-web.ru>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-29 10:16:22 +02:00
Peter Korsgaard
26bae84832 Update for 2019.02.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-10 10:02:18 +02:00
Bernd Kuhls
4a6165aa4e package/php: bump version to 7.3.7
Changelog: https://www.php.net/ChangeLog-7.php#7.3.7

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7accdcb3a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:57:11 +02:00
Adrian Perez de Castro
b6a34aa99d package/webkitgtk: bump to version 2.24.3
Version 2.24.3 is a minor update which contains many bugfixes.
>From the announcement:

  - Fix previous/next gestures in RTL mode.
  - Fix rendering artifacts in popular sites (YouTube, GitHub, etc.)
  - Fix media playback annoyances (volume randomly changing, HLS streams
    starting too slowly, some audio streams would not play, etc.)
  - Fix build with audio and video disabled.

  https://webkitgtk.org/2019/07/02/webkitgtk2.24.3-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3ff05d9094)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:56:03 +02:00
Peter Korsgaard
cd8ff25d7f {linux, linux-headers}: bump 4.{14, 19}.x / 5.1.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 5.1.x bump]
(cherry picked from commit 173ed657f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:54:55 +02:00
Fabrice Fontaine
656bd2d824 package/libsecret: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/1497d7c2485c4a107ab82c870d78744981efb6d3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3bd1574aef)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:47:00 +02:00
Peter Korsgaard
920e467980 package/python-django: security bump to version 2.1.10
Fixes the following security vulnerabilities:

CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via
HTTPS

For more details, see the announcement:
https://www.djangoproject.com/weblog/2019/jul/01/security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 9f87b3785f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:45:30 +02:00
Baruch Siach
90c114911f package/faad2: add upstream security fixes
CVE-2018-20194: Stack buffer overflow on invalid input

CVE-2018-20362: Null pointer dereference when processing crafted AAC
input

Add two more crash fixes from upstream.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7f4dde3318)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:43:21 +02:00
Brandon Maier
036a9add4b utils/check-package: Add a quiet flag
When running in a CI system, stat messages become white noise. Introduce
an option to suppress non-error, non-warning, messages.

Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 44af8386f8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:42:09 +02:00
Marcin Niestroj
769ce63723 boot/barebox: needs host-{flex,bison}
Barebox starting from 2019.02 no longer ships flex/bison generated
parser. Add conditional kconfig dependencies, same as we did for kernel
and uboot.

Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e7d8d9a765)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:41:15 +02:00
Peter Korsgaard
259d203f5a package/irssi: security bump to version 1.0.8
Fixes the following security vulnerability:

CVE-2019-13045: Use after free when sending SASL login to the server found
by ilbelkyr

For more details, see the advisory:
https://irssi.org/security/html/irssi_sa_2019_06/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0a1b957d4e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:39:56 +02:00
Yann E. MORIN
721208a871 package/meson: fix empty arguments in cross-compilation.conf
When TARGET_CFLAGS (or _LDFLAGS or _CXXFLAGS) are empty, but were
constructed by appending other variables, like:

    TARGET_CFLAGS = $(SOMETHING) $(SOMETHING_ELSE)

and both variables are empty, then $(TARGET_CFLAGS) is _not_ the
null-string; it's value is a string made of a single space.

This means that the construct:

    $(if $(TARGET_CFLAGS),true,false)

will in fact return 'true'.

In our case, it means that we will call:

    `printf '"%s", ' `

which expands to just:

    "",

which we are then happy to insert as-is in the generated
cross-compilation.conf.

Then meson, will happily call the compiler with an empty argument.

The compiler is less happy, though:

    arm-none-linux-gnueabi-gcc: error: : No such file or directory

And this is not even trivial to debug either... The only clue being that
there seems to be something missing between ': :'

We fix that testing the $(strip)ed value. We can still pass the
non-$(strip) expansion, because the shell will just do it for us, and we
are then sure there is at least one non-blank word in there.

Thanks a lot to Adam for his invaluable help debugging this!

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e9de6d9e0a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:33:55 +02:00
Fabrice Fontaine
17ebddd571 package/dialog: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/9287ffbb86a7dc09cda5f99f87445fa884e77625

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0953377a9e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:31:49 +02:00
Peter Korsgaard
55fd596e7d package/expat: security bump to version 2.2.7
Fixes the following security vulnerabilites:

CVE-2018-20843: In libexpat in Expat before 2.2.7, XML input including XML
names that contain a large number of colons could make the XML parser
consume a high amount of RAM and CPU resources while processing (enough to
be usable for denial-of-service attacks).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 84fd08cf4f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:30:55 +02:00
Peter Korsgaard
cac0c6fa2f package/docker-cli: security bump to version 18.09.7
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are
vulnerable to a symlink-exchange attack with Directory Traversal, giving
attackers arbitrary read-write access to the host filesystem with root
privileges, because daemon/archive.go does not do archive operations on a
frozen filesystem (or from within a chroot).

And includes additional post-18.09.6 fixes:

Builder
- Fixed a panic error when building dockerfiles that contain only comments.
  moby/moby#38487
- Added a workaround for GCR authentication issue. moby/moby#38246
- Builder-next: Fixed a bug in the GCR token cache implementation
  workaround.  moby/moby#39183

Runtime
- Added performance optimizations in aufs and layer store that helps in
  massively parallel container creation and removal.  moby/moby#39107,
  moby/moby#39135
- daemon: fixed a mirrors validation issue. moby/moby#38991
- Docker no longer supports sorting UID and GID ranges in ID maps.
  moby/moby#39288

Logging
- Added a fix that now allows large log lines for logger plugins.
  moby/moby#39038

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit cdbb3ced00)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:29:53 +02:00
Peter Korsgaard
3f1c6740ea package/docker-engine: security bump to version 18.09.7
Fixes CVE-2018-15664: API endpoints behind the 'docker cp' command are
vulnerable to a symlink-exchange attack with Directory Traversal, giving
attackers arbitrary read-write access to the host filesystem with root
privileges, because daemon/archive.go does not do archive operations on a
frozen filesystem (or from within a chroot).

And includes additional post-18.09.6 fixes:

Builder
- Fixed a panic error when building dockerfiles that contain only comments.
  moby/moby#38487
- Added a workaround for GCR authentication issue. moby/moby#38246
- Builder-next: Fixed a bug in the GCR token cache implementation
  workaround.  moby/moby#39183

Runtime
- Added performance optimizations in aufs and layer store that helps in
  massively parallel container creation and removal.  moby/moby#39107,
  moby/moby#39135
- daemon: fixed a mirrors validation issue. moby/moby#38991
- Docker no longer supports sorting UID and GID ranges in ID maps.
  moby/moby#39288

Logging
- Added a fix that now allows large log lines for logger plugins.
  moby/moby#39038

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 13cf6f0c0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:29:30 +02:00
Jared Bents
3fdb256bf9 package/bzip2: add upstream security fix for CVE-2019-12900
Patch to resolve cve-2019-12900 which affects bzip2 versions 1.0.6 and older

More information can be found at
https://nvd.nist.gov/vuln/detail/CVE-2019-12900

Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6581c441df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:19:13 +02:00
Adam Duskett
ceafdfb7d4 package/bzip2: add hash for license file
Also add a standard sha256 hash for the package itself.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cc7581a850)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 08:19:04 +02:00
Peter Korsgaard
5a74214681 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.1.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 5.1.x bump]
(cherry picked from commit abc782c0b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 00:11:10 +02:00
Yann E. MORIN
ef3b031a81 board/qemu: ensure root is available before mounting it
On my machine, it happens once in a while that the virtualised machine
boots too fast for the rootfs to be available at the time the kernel
tries to mount it.

For example, board/qemu/arm-vexpress/readme.txt suggested changing
"-smp 1" up to "-smp 4". But doing so here causes a kernel panic:

    VFS: Cannot open root device "mmcblk0" or unknown-block(0,0): error -6
    Please append a correct "root=" boot option; here are the available partitions:
    1f00          131072 mtdblock0
     (driver?)
    1f01           32768 mtdblock1
     (driver?)
    Kernel panic - not syncing: VFS: Unable to mount root fs on
    unknown-block(0,0)

So, add the oh-so-useful 'rootwait' option to all kernel command lines
for qemu defconfigs.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Joel Stanley <joel@jms.id.au>
Cc: Mark Corbin <mark.corbin@embecosm.com>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 626c9705d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-07 00:09:02 +02:00
Peter Korsgaard
fab4d559d1 package/libglib2: backport upstream security fix for CVE-2019-12450
Fixes CVE-2019-12450: file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0
through 2.61.1 does not properly restrict file permissions while a copy
operation is in progress.  Instead, default permissions are used.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-27 18:02:08 +02:00