Commit Graph

44603 Commits

Author SHA1 Message Date
Fabrice Fontaine
45e5cdcf2f package/supertux: fix build on powerpc64le
Fixes:
 - http://autobuild.buildroot.org/results/c484079b2736eb3c21adff257f3e3ab1acc67f9a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8867e95a21)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 23:01:21 +01:00
Samuel Mendoza-Jonas
00eb766a92 lvm2: Update to 2.02.183
In particular update to solve an issue where LVM would fail to
initialise LVM devices when asynchronous IO was not available and it
would fail to fall back to synchronous IO. [0][1]

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1650652
[1] https://github.com/open-power/petitboot/issues/60

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ba9442dfe3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 23:00:28 +01:00
Reed Nightingale
e47fa646dc package/eigen: bump to 3.3.7
Bumped the version of eigen to 3.3.7, which fixes issues when compiling with GCC7 (notably int-in-bool-context errors, fixed in 3.3.5), in addition to various other issues noted in the eigen change logs: http://eigen.tuxfamily.org/index.php?title=ChangeLog
Legal hashes are unchanged in 3.3.7

Signed-off-by: Reed Nightingale <reed.nightingale@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 06a1ff4fd3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 22:58:42 +01:00
Peter Korsgaard
2fb549c388 package/libseccomp: security bump to version 2.4.0
>From the advisory:

Jann Horn  identified a problem in current versions of
libseccomp where the library did not correctly generate 64-bit syscall
argument comparisons using the arithmetic operators (LT, GT, LE, GE).
Jann has done a search using codesearch.debian.net and it would appear
that only systemd and Tor are using libseccomp in such a way as to
trigger the bad code.  In the case of systemd this appears to affect
the socket address family and scheduling class filters.  In the case
of Tor it appears that the bad filters could impact the memory
addresses passed to mprotect(2).

The libseccomp v2.4.0 release fixes this problem, and should be a
direct drop-in replacement for previous v2.x releases.

https://www.openwall.com/lists/oss-security/2019/03/15/1

v2.4.0 adds a new scmp_api_level utility, so update 0001-remove-static.patch
to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 02300786c2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 22:49:59 +01:00
Peter Korsgaard
b5735379c5 package/libssh2: security bump to latest git
Bump the version to latest git to fix the following security issues:

CVE-2019-3855
 Possible integer overflow in transport read allows out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3855.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch

CVE-2019-3856
 Possible integer overflow in keyboard interactive handling allows
 out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3856.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch

CVE-2019-3857
 Possible integer overflow leading to zero-byte allocation and out-of-bounds
 write
 URL: https://www.libssh2.org/CVE-2019-3857.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch

CVE-2019-3858
 Possible zero-byte allocation leading to an out-of-bounds read
 URL: https://www.libssh2.org/CVE-2019-3858.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch

CVE-2019-3859
 Out-of-bounds reads with specially crafted payloads due to unchecked use of
 `_libssh2_packet_require` and `_libssh2_packet_requirev`
 URL: https://www.libssh2.org/CVE-2019-3859.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

CVE-2019-3860
 Out-of-bounds reads with specially crafted SFTP packets
 URL: https://www.libssh2.org/CVE-2019-3860.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch

CVE-2019-3861
 Out-of-bounds reads with specially crafted SSH packets
 URL: https://www.libssh2.org/CVE-2019-3861.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch

CVE-2019-3862
 Out-of-bounds memory comparison
 URL: https://www.libssh2.org/CVE-2019-3862.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch

CVE-2019-3863
 Integer overflow in user authenicate keyboard interactive allows
 out-of-bounds writes
 URL: https://www.libssh2.org/CVE-2019-3863.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.txt

Drop 0003-openssl-fix-dereferencing-ambiguity-potentially-caus.patch as that
is now upstream.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f4f7dd9557)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 22:31:53 +01:00
Fabrice Fontaine
1f464e0314 package/jq: security bump to version 1.6
- Fix CVE-2015-8863 and  CVE-2016-4074:
  https://github.com/stedolan/jq/issues/1406
- Add hash for license file
- Disable oniguruma (enabled by default)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3a026d650c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 22:25:27 +01:00
Ryan Coe
4716f1a94b package/mariadb: security bump to version 10.3.13
Release notes:
https://mariadb.com/kb/en/library/mariadb-10313-release-notes/

Changelog:
https://mariadb.com/kb/en/mariadb-10313-changelog/

Fixes the following security vulnerabilities:

CVE-2019-2510 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.7.24 and
prior and 8.0.13 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.

CVE-2019-2537 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are 5.6.42
and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.

Note that the hash for README.md changed due to Travis CI and Appveyor CI
updates.

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f389df2334)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 16:00:04 +01:00
Adam Duskett
ed3c3f26f7 package/libglib2: add optional dependency in libselinux
If libselinux is selected, explicitly set --enable-selinux in the
configure options and build the library first.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8f43ec6ce8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:59:15 +01:00
Alistair Francis
427742a029 linux: allow BR2_LINUX_KERNEL_IMAGE on RISC-V
We will need to build Image files for OpenSBI so allow that now.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a3a4d4d4d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:57:57 +01:00
Fabrice Fontaine
249e67e10b package/kf5-modemmanager-qt: link with libatomic when needed
On some architectures, atomic binutils are provided by the libatomic
library from gcc. Linking with libatomic is therefore necessary,
otherwise the build fails with:

sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line

This is often for example the case on sparcv8 32 bit.

Fixes:
 - http://autobuild.buildroot.org/results/b941a3deaa57cac79f1686d47ca6ababf2f0d5e4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3cb7546d95)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:55:20 +01:00
Norbert Lange
4d6a0e4d7a package/binutils: upstream fixes for 2.31.1
Combining musl and binutils 2.31.1 will produce static applications
that crash immediately. This commit picks up 3 upstream commits to
remedy this.

See https://sourceware.org/bugzilla/show_bug.cgi?id=23428

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0c34e138b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:40:46 +01:00
James Hilliard
5113a17c33 package/python-aiojobs: drop aiohttp dependency
aiohttp isn't a required dependency for aiojobs

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 53e3860a0e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:39:22 +01:00
Fabrice Fontaine
b9896bd300 package/libpcap: fix bluez5_utils-headers dependency
Commit c46afc37dc changed bluez5-utils
dependency by bluez5_utils-headers without replacing the test on
BR2_PACKAGE_BLUEZ5_UTILS by BR2_PACKAGE_BLUEZ5_UTILS_HEADERS

Fix this mistake and also add a select on
BR2_PACKAGE_BLUEZ5_UTILS_HEADERS if BR2_PACKAGE_BLUEZ5_UTILS is set
so the user does not have to do it

Fixes:
 - http://autobuild.buildroot.org/results/c6828df1f3782564451ddd4187ff026679bf37d8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3033e83d12)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:34:39 +01:00
Baruch Siach
f20b18f66a package/libpcap: fix bluez circular dependency
The optional bluez_utils dependency of libpcap creates a circular
dependency:

$ make dbus-show-recursive-depends

Recursion detected for  : systemd
which is a dependency of: dbus
which is a dependency of: bluez_utils
which is a dependency of: libpcap
which is a dependency of: iptables
which is a dependency of: systemd
make: *** [package/dbus/dbus.mk:121: dbus-show-recursive-depends] Error 1

Drop support for bluez_utils. For bluez5_utils, which also depends on
dbus, we only need the headers in the bluez5_utils-headers package. Use
that to break the circular dependency.

Fixes:
http://autobuild.buildroot.net/results/9c3/9c3ee798fa6bb501a20a7892c0b085d2b279b664/

Suggested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c46afc37dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:31:41 +01:00
Fabrice Fontaine
d56572e447 package/fltk: add optional xlib_libXrender dependency
xlib_libXrender is enabled by default and has been added since version
1.3.4-1 and
a6c4b29a18

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 65895f36ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:29:01 +01:00
Yann E. MORIN
f5a48dfe27 package/pkg-generic: tweak only .la files that need it
Currently, when we tweak the .la files, we do so unconditionally on all
.la files, even those we already fixed in a previous run.

This has the nasty side effect that each .la file will be reported as
being touched by all packages that are installed after the package that
actually installed said .la file.

Since we can't easily know what files were installed by a package (that
is an instrumentation hook, and comes after the mangling), we use a
trick (like is done in libtool?): we do mangle all files, each into a
temporary location; if the result is identical to the input, we remove
the temporary, while if the result differs from the output, we move
the temporary to replace the input.

Reported-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8623cc5deb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 14:52:20 +01:00
Michel Stempin
25e5c401fa package/x11r7/xdriver_xf86-video-fbdev: bump to version 0.5.0
Starting X manually resulted in a symbol error:
| Xorg: symbol lookup error: /usr/lib/xorg/modules/drivers/fbdev_drv.so: undefined symbol: shadowUpdatePackedWeak

This bug was reported against the fbdev driver, which is fixed
upstream in 0.5.0:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900317

Signed-off-by: Michel Stempin <michel.stempin@wanadoo.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9047503631)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 10:47:49 +01:00
Fabrice Fontaine
ef54e73682 package/cups: security bump to version 2.2.10
- Fixes CVE-2018-4700: Linux session cookies used a predictable random
  number seed: https://github.com/apple/cups/releases/tag/v2.2.10.
- Remove fifth patch (already in version)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 260d9e5342)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 10:44:42 +01:00
Vadim Kochan
6cfd314ed3 utils/test-pkg: generate package config if it is not specified
It is possible to generate one-line config for the package just by
normalize it to the form:

    BR2_PACKAGE_${pkg_replaced-to_and_uppercase}

it simplifes a bit of testing package where no additional config options
are needed.

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a946813dd5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 10:42:52 +01:00
Peter Korsgaard
18ae511d81 package/nodejs: security bump to version 8.15.1
Fixes the following security issues:

Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

For more details, see the CHANGELOG:
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-26 15:01:42 +01:00
Bernd Kuhls
59f9971694 package/samba4: security bump to version 4.9.5
Release notes: https://www.samba.org/samba/history/samba-4.9.5.html

Fixes CVE-2019-3824:
ldb: Out of bound read in ldb_wildcard_compare

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e7d67faac5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 22:23:19 +01:00
Fabrice Fontaine
3d0ad9cc82 package/gerbera: fix static build with curl and libidn2
Fixes:
 - http://autobuild.buildroot.org/results/be5893b507d22a23951efeea20c18642742cef5a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7553b6ad23)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 22:20:53 +01:00
Fabrice Fontaine
1d7ca92535 package/beecrypt: fix build without C++
Do not check for C++ compiler as C++ support has been disabled since
commit dd4d3c18d6 otherwise
build will fail on toolchains without a working C++ compiler:

checking how to run the C++ preprocessor... /lib/cpp
configure: error: in `/data/buildroot/buildroot-test/instance-1/output/build/beecrypt-4.2.1':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check

Fixes:
 - http://autobuild.buildroot.org/results/3c79cc68f1b088ad24daf7f9bd70718d702be577

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6255c81623)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 22:15:36 +01:00
Norbert Lange
5219bb25bf package/musl: remove rcrt1.o from target installation
rcrt1.o is a new startup for "static-pie" apps, and only needed for
building, should not end up in the target filesystem.

Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit de5fef8c04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 22:13:17 +01:00
Arnout Vandecappelle (Essensium/Mind)
bc31a761c5 linux{, -headers}: support downloads of v5+
With the arrival of linux v5.0, we need yet another condition to set
_SITE correctly. Instead of continuing this madness, solve the problem
generically: use v2.6 for 2.6.*, and use the number before the first dot
in the other cases.

While we're at it, remove the comment which has been incorrect since
80d7b68167 (7 years ago).

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Tested-by: Adam Duskett <aduskett@gmail.com>
Reviewed-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4ed7246a59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:46:10 +01:00
Arnout Vandecappelle (Essensium/Mind)
7d0322fe3c package/linux-headers: fix support for -rc kernels
-rc kernels after v3.x are no longer available in the testing
subdirectory. Instead they should be fetched from cgit.

Commit ff4cccbdcf did this for linux
itself, now we also do it for linux-headers.

When fetched from cgit, .tar.xz can't be used. Adding this to the
existing condition is not so simple, so refactor how _SOURCE is set:
simply set it explicitly in each branch of the condition. While more
verbose (it is repeated 4 times), it's easier to understand and to
maintain.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1b94e8dcb3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:41:26 +01:00
Baruch Siach
d902c871d4 package/libpcap: disable dbus to break circular dependency
The optional dbus dependency of libpcap creates a circular dependency
chain:

$ make libpcap-show-recursive-depends

Recursion detected for  : systemd
which is a dependency of: dbus
which is a dependency of: libpcap
which is a dependency of: iptables
which is a dependency of: systemd
make: *** [package/libpcap/libpcap.mk:55: libpcap-show-recursive-depends] Error 1

Of all these dependencies the one of libpcap on dbus seems to be less
useful. Drop it.

Fixes:
http://autobuild.buildroot.net/results/0b5d18bff816cbcee11e8645449701722d956de5/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b01d463c14)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:39:23 +01:00
Bernd Kuhls
48b328c195 package/x11r7/xapp_xdm: security bump to version 1.1.12
Fixes CVE-2013-2179.

Release notes:
https://lists.x.org/archives/xorg-announce/2019-March/002959.html

Added all license hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2776484107)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:23:31 +01:00
Artem Panfilov
853cff9679 package/avahi: add upstream security fix
Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7
inadvertently responds to IPv6 unicast queries with source addresses
that are not on-link, which allows remote attackers to cause a denial
of service (traffic amplification) and may cause information leakage
by obtaining potentially sensitive information from the responding
device via port-5353 UDP packets.

Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e17adf1c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:20:59 +01:00
Peter Korsgaard
5c38c2ea3d package/bash: add upstream patches up to patch level 23
We unfortunately cannot easily download these because of the file names (not
ending in patch) and patch format (p0), so convert to p1 format and include
in package/bash with the following script:

j=1; for i in 19 20 21 22 23; do
    file=$(printf '%04d-patch44-0%d.patch' $j $i)
    cat > $file << EOF
>From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

EOF
    curl https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i | \
        sed -e 's|^\*\*\* \.\./|*** |' -e 's|^--- |--- b/|' >> $file

    j=$(( j + 1 ))
done

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 87a8f5f51c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:20:07 +01:00
Adrien Gallouët
14d2b53d41 package/kexec: update to 2.0.18
This release fixes the following issue with new kernels:

kexec --load bzImage --reuse-cmdline
Unhandled rela relocation: R_X86_64_PLT32

Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 254384e769)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:18:06 +01:00
Artem Senichev
272a6677ff package/kexec: enable powerpc64le platforms
kexec has fully support of ppc64 platform:
https://www.kernel.org/doc/Documentation/kdump/kdump.txt

Signed-off-by: Artem Senichev <artemsen@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 46a4af5214)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:18:00 +01:00
Fabrice Fontaine
8c16591d89 package/libdrm: amdgpu needs MMU
amdgpu test uses fork() so disable amdgpu without MMU

Fixes:
 - http://autobuild.buildroot.org/results/8d6194982c1080e173fcef8212fb06e6dc275d58

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9972dc2e82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 20:11:02 +01:00
Christian Stewart
af99ecabd5 package/go: set GOCACHE to a host path
Set the GOCACHE environment variable properly.

It was previously unset, and defaults to $HOME/.cache/go-build.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3909423f1c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 19:00:22 +01:00
Peter Korsgaard
e3404b10ba package/openjpeg: security bump to latest git version
Current git contains fixes for a number of post-2.3.0 security issues:

git shortlog --no-merges -i --grep cve --grep overflow --grep zero v2.3.0..
Even Rouault (2):
      Avoid out-of-bounds write overflow due to uint32 overflow computation on images with huge dimensions.
      color_apply_icc_profile: avoid potential heap buffer overflow

Hugo Lefeuvre (4):
      convertbmp: fix issues with zero bitmasks
      jp3d/jpwl convert: fix write stack buffer overflow
      jp2: convert: fix null pointer dereference
      convertbmp: detect invalid file dimensions early

Karol Babioch (2):
      jp3d: Replace sprintf() by snprintf() in volumetobin()
      opj_mj2_extract: Check provided output prefix for length

Stefan Weil (1):
      Fix some potential overflow issues (#1161)

Young_X (5):
      [MJ2] To avoid divisions by zero / undefined behaviour on shift
      [JPWL] fix CVE-2018-16375
      [JPWL] imagetotga(): fix read heap buffer overflow if numcomps < 3 (#987)
      [JPWL] opj_compress: reorder checks related to code block dimensions to avoid potential int overflow
      [JP3D] To avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423

ichlubna (1):
      openjp3d: Int overflow fixed (#1159)

setharnold (1):
      fix unchecked integer multiplication overflow

Drop now upstreamed 0004-install-static-lib.patch.

Add a hash for the LICENSE file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a5e8c81875)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 18:55:53 +01:00
Peter Korsgaard
a22fc3a0eb package/mosquitto: bump version to 1.5.8
Bugfix release, fixing a number of issues discovered post-1.5.7

https://mosquitto.org/blog/2019/02/version-1-5-8-released/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 24cc2eaa33)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 18:52:25 +01:00
Peter Korsgaard
99d8c1a07c package/php: security bump to version 7.3.3
php-7.3.3 fixes a number of security issues (no CVE known, bugtracker issues
not yet public): https://secure.php.net/ChangeLog-7.php#7.3.3

Drop 0004-OPcache-flock-mechanism-is-obviously-linux-so-force-.patch as the
flock detection has been removed since commit 9222702633 (Avoid dependency
on "struct flock" fields order.)

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b821ae3d63)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:38:51 +01:00
Baruch Siach
c19f815add ntp: security bump to version 4.2.8p13
Fixes CVE-2019-8936: Crafted null dereference attack in authenticated
mode 6 packet.

Drop upstream patches.

Update COPYRIGHT file hash; text formatting (line width) changes.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7ffdc08f04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:36:23 +01:00
Baruch Siach
85c408fcc0 package/file: security bump to version 5.36
CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has
an out-of-bounds read because memcpy is misused.

CVE-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has a
stack-based buffer over-read, related to file_printf and file_vprintf.

Update license files hashes; removal of trailing white spaces.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 14d6e6df7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:34:01 +01:00
Fabrice Fontaine
5154f90009 package/wireshark: add optional spandsp dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ee772dad7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:32:32 +01:00
Romain Naour
a0134c3606 package/tpm2-abrmd: rename libsapi to libtss2-sys in the help text
libsapi was renamed to libtss2-sys in tpm2-tss library:
5f0ab55d4e

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8f297cc033)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:30:35 +01:00
Romain Naour
8854e0f9b0 package/tpm2-tss: rename tpm2-tss libraries in the help text
Since tpm2-tss version 2.0.0, tpm2 libraries have been renamed.

libsapi renamed to libtss2-sys
5f0ab55d4e

libtcti-device renamed to libtss2-tcti-device
libtcti-socket renamed to libtss2-tcti-mssim
b8584accbd

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fb9c137660)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:30:19 +01:00
Fabrice Fontaine
b3399de9e6 package/xen: fix build with gcc 8.1
Fixes:
 - http://autobuild.buildroot.org/results/df5abe6ca8b4c8935f3d5c257aef816190771200

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9b2bf1b745)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:26:52 +01:00
Fabrice Fontaine
1f04edb23b package/gnuradio: add optional log4cpp dependency
Currently, logger component is enabled if log4cpp is found

Moreover, it should be noted that log4cpp is now mandatory in latest
upstream:
d242896120

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 50e1d12e07)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:26:10 +01:00
Fabrice Fontaine
335165f718 package/mongodb: disable on powerpc64
As stated in SConstruct, the altivec runtime test breaks
cross-compilation: "This checks for an altivec optimization we use in
full text search. Different versions of gcc appear to put output bytes
in different parts of the output vector produced by vec_vbpermq.  This
configure check looks to see which format the compiler produces. NOTE:
This breaks cross compiles, as it relies on checking runtime
functionality for the environment we're in."

Fixes:
 - http://autobuild.buildroot.org/results/162198617979a83b66f70ed6013251942ed04d67

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9fd193141)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:23:17 +01:00
Fabrice Fontaine
5271f2f65c package/mongodb: needs host-python2
mongodb (like gnuradio) needs host-python2 however there is no way to
enforce this so add a dependency on !BR2_PACKAGE_PYTHON3.
Indeed, if BR2_PACKAGE_PYTHON3 is selected, then buildroot will only
build and install host-python-typing for host-python3.

This issue was not raised in the previous version of mongodb as
host-scons was the only dependency however we now have
host-python-typing and host-python-pyyaml dependencies and it
does not seem right to enforce python2 on those packages

Fixes:
 - http://autobuild.buildroot.org/results/693bdba2c01a1b69f56d6ee75094a6a0fc3f40b4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: propagate dependency to Config.in comment]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit bf57446a0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:23:02 +01:00
Fabrice Fontaine
884e3918bf package/log4cplus: add optional qt5 dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: test BR2_PACKAGE_QT5BASE instead of BR2_PACKAGE_QT5, just for
consistency with the package we add to the DEPENDENCIES variable.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit d04b12d19e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:17:48 +01:00
Vadim Kochan
119abfcddd package/sunxi-tools: fix build meminfo with musl
musl does not provide inx/outx API for ARM arch, so use
io memory access via pointers which is actually done this
way in glibc/ulibc.

Fixes:
    http://autobuild.buildroot.net/results/bf10cbe40c0f672c34db72e4eea4c168d5932bd4/

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d12d3969d1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 13:22:15 +01:00
Gaël PORTAY
ebe2c9accd qt5webkit: select leveldb package and memenv
This patch fixes the build issue reported by autobuilder [0].

        /home/naourr/work/instance-2/output/build/qt5webkit-5.9.1/Source/WebCore//.obj/platform/leveldb/LevelDBDatabase.o: In function
	`WebCore::LevelDBDatabase::openInMemory(WebCore::LevelDBComparator const*)':
	LevelDBDatabase.cpp.text._ZN7WebCore15LevelDBDatabase12openInMemoryEPKNS_17LevelDBComparatorE+0x34): undefined reference to `leveldb::NewMemEnv(leveldb::Env*)'
        collect2: error: ld returned 1 exit status
        make[3]: *** [Makefile.api:97: ../lib/libQt5WebKit.so.5.9.1]
	Error 1

The issue happens when both packages leveldb and qt5webkit are enabled.

QtWebKit builds its own copy of leveldb [1] (as a third-party) if the
system does not provided it (i.e. buildroot). It builds it differently
and this is the origin of that issue. Instead of using the Makefile
provided by leveldb [2], QtWebKit uses qmake to build that library [3].

The missing symbol issue happens because the symbol leveldb::NewMemEnv
is bundled in the static library libmemenv.a (aside libleveldb.so).
This static library consists of this single symbol which is like an
extra that is built but *NOT* shipped by default at installation in the
staging directory. Unfortunatly, that symbol is required later by
WebCore [4].

The copy built by QtWebKit is an all-in-one library including both
libleveldb and libmemenv; thus QtWebKit links against libleveldb only.
Also, the linker finds the buildroot's copy first (not the third-party):
that explains why it is complaining about a missing symbol. That copy
does not have the symbol leveldb::NewMemEnv.

Fortunatly, QtWebKit provides a facility to link against the system
leveldb package. The qmake flag WEBKIT_CONFIG+=use_system_leveldb tells
Qt5WebKit to link against libleveldb *AND* libmemenv [5].

To fix that issue, this commit selects the package leveldb that now
installs the libmemenv static library and its header. It ensures that
QtWebKit has everything it needs to be built. It also sets the
appropriate qmake configure flags to tell QtWebKit to use the leveldb
copy built by buildroot instead of the bundled one.

[0]: http://autobuild.buildroot.net/results/46033e82adf592c3b92c6d50cfaf45bd58beeaa4
[1]: https://github.com/qt/qtwebkit/tree/5.9/Source/ThirdParty/leveldb
[2]: https://github.com/qt/qtwebkit/blob/5.9/Source/ThirdParty/leveldb/Makefile#L167-L169
[3]: https://github.com/qt/qtwebkit/blob/5.9/Source/ThirdParty/leveldb/Target.pri#L80
[4]: https://github.com/qt/qtwebkit/blob/5.9/Source/WebCore/platform/leveldb/LevelDBDatabase.cpp#L185
[5]: https://github.com/qt/qtwebkit/blob/5.9/Source/WebCore/WebCore.pri#L254
[6]: 739c25100e

Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 2d7c746ed8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 11:41:10 +01:00
Gaël PORTAY
a3cf782748 leveldb: generate pic for static libraries
The project's static libraries are not compiled with the -fPIC compiler
flag. This prevents dynamic libraries to link against those libraries.

This commit adds a patch that sets the -fPIC compiler flag to the list of
CFLAGS/CXXFLAGS.

The project now generates position independant code for all of its
outputs (i.e. not limited anymore to its shared libraries).

Fixes:

	/home/gportay/src/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-amd-linux-gnu/6.2.0/../../../../x86_64-amd-linux-gnu/bin/ld: /home/gportay/src/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libmemenv.a(memenv.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
	/home/gportay/src/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libmemenv.a: error adding symbols: Bad value
	collect2: error: ld returned 1 exit status

Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
[Arnout: renumber patch]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

(cherry picked from commit 088f261dbb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 11:40:15 +01:00