Fixes CVE-2017-0379: Mitigate a local side-channel attack on Curve25519
dubbed "May the Fourth be With You".
As we are close to release, don't update to the latest 1.8.1 version,
but to a maintenance release from the 1.7 branch.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Mitigate a flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster". For details see
<https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
Switch to https site for better firewall compatibility and security.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
clock_gettime is defined locally, and calls pth_int_time, which
in turn calls clock_gettime.
The USB backend shouldn't overrule clock_gettime in the first place.
This patch fixes this endless recursion by removing the local definition.
Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Commit 1b974425 (MIPS: add support for M6201 cores) explained that the
new core was not supported by upstream gcc, and as of gcc-8-trunk
that's still the case.
Ditto for 3cfbeb83 (MIPS: add support for P6600 cores).
This means that we currently allow to build an internal toolchain for
those cores, yet we have no suitable gcc version.
Disable the internal backend in this case.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2017-12865: stack overflow in dns proxy feature.
Cc: Martin Bark <martin@barkynet.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
A lot of packages expect an egl.pc to decide that EGL is available. So,
provide one.
As suggested by Alexandre, use the one from nvidia-tegra23 as template.
Reported-by: Alexandre Maumené <alexandre@maumene.org>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Alexandre Maumené <alexandre@maumene.org>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Do not mark .service file executable, otherwise systemd
will give us a warning about it.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Do not mark .service file executable, otherwise systemd
will give us a warning about it.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Do not mark .service file executable, otherwise systemd
will give us a warning about it.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
host-vim is needed to provide the xxd tool, otherwise the build fails
with:
    checking for xxd... no
    configure: error: "xxd is required (provided by vim package)"
This isn't noticed by the autobuilders, presumably because all of them
have vim installed locally.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Vim contains a tool called xxd, which is needed by mediastreamer on
the host as part of its build process. Therefore, this commit
introduces a host variant for the vim package, that will be used by
mediastreamer.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In commit f837251785 ("package/libv4l:
allow build of v4l2 utilities on noMMU platforms"), Hugues Fruchet
added a bunch of patches to libv4l in order to allow the v4l utilities
to be built on noMMU platforms.
However, as part of those patches, he entirely disabled the build of
libv4l in static linking configurations, because libv4l uses
dlopen(). Unfortunately, this breaks the build of applications like
mediastreamer in static linking configurations, and generally makes
our libv4l packages a little bit awkward: you can enable it, but it
doesn't install anything (in static linking configurations).
A closer look shows that dlopen() is only used by libv4l for plugin
support, and libv4l only provides one single plugin, and its build is
already conditional. Therefore, this commit adds yet another patch to
libv4l, which re-enables the build of libv4l, but disables the
plugin-related logic when plugin support is disabled (and it was
already automatically disabled in static linking configurations).
While at it, we update the comment in libv4l.mk that lists the patches
that make autoreconf necessary.
Fixes the build of mediastreamer:
http://autobuild.buildroot.net/results/af091cfd0508df9395778cdc796f77e95c168410/
Cc: Hugues Fruchet <hugues.fruchet@st.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Do not mark .service and .socket files executable, otherwise systemd
will give us a warning about it.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This bumps the package from 1.99.3 to 1.99.6 (stability fixes), plus a
few documentation changes and a fix for the build issue logged at [1].
[1] http://autobuild.buildroot.net/results/9ac/9acb15f955b8af31a3beeb0bd84c4b0db495e354/
Signed-off-by: Jérôme Oufella <jerome.oufella@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit adds a patch to cc-tool that fixes the boost.m4 logic used
to detect the linker rpath option so that it works properly with
static linking and additional libraries passed in LIBS.
This is the second step to fix static linking of cc-tool on
architectures like SPARC that need to link against libatomic:
http://autobuild.buildroot.net/results/ed9f2524d0ccef318ff1bc99e5dea980111de989/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Just like -lpthread was passed in LIBS, -latomic should also be passed
in LIBS. In order for this to work, we however need to first fix
cc-tool's Makefile.am so that it does not overwrite LIBS.
This is the first part of fixing the build of cc-tool in a static
linking scenario on SPARC, i.e. to fix:
http://autobuild.buildroot.net/results/ed9f2524d0ccef318ff1bc99e5dea980111de989/
The patch has been merged upstream, in
553f9c6016.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit adds a patch to dbus-cpp to make it build with gcc 7.x.
Fixes:
http://autobuild.buildroot.net/results/07a7559c0efeeda16c239e0fa06259d4cd48c71b/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Release notes: https://mariadb.com/kb/en/mariadb-10126-release-notes/
Changelog: https://mariadb.com/kb/en/mariadb-10126-changelog/
Fixes the following security vulnerabilities:
CVE-2017-3636 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Client programs). Supported versions that are affected are
5.5.56 and earlier and 5.6.36 and earlier. Easily exploitable vulnerability
allows low privileged attacker with logon to the infrastructure where MySQL
Server executes to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized update, insert or delete access to
some of MySQL Server accessible data as well as unauthorized read access to
a subset of MySQL Server accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of MySQL Server.
CVE-2017-3641 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DML). Supported versions that are affected are
5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Easily
exploitable vulnerability allows high privileged attacker with network
access via multiple protocols to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized ability to cause
a hang or frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2017-3653 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are
5.5.56 and earlier, 5.6.36 and earlier and 5.7.18 and earlier. Difficult
to exploit vulnerability allows low privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized update, insert or delete
access to some of MySQL Server accessible data.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
All patches continue to apply with no changes. 7.2.0 is a bugfix
release of the 7.x branch.
The only change that is not a simple bump is that the 7.2.0 tarball is
now available xz-compressed instead of bz2-compressed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
libunwind configure script explicitly links libunwind against
libgcc_s. libgcc_s is only guaranteed to be available for toolchains
that support dynamic linking: pure static linking toolchains only
have libgcc.a, not libgcc_s.so.
Therefore, let's make libunwind unavailable on toolchains that lack
dynamic linking support. We could potentially support linking with
libgcc, but switching to libgcc_s was done upstream because libgcc was
lacking some symbols on ARM
(https://lists.nongnu.org/archive/html/libunwind-devel/2014-06/msg00024.html). Even
though recent gcc versions seem to provide such symbols in libgcc.a,
having libunwind available on static linking configurations is not a
useful enough use-case to do the necessary research to find when this
issue was fixed in gcc.
Since libunwind is not used as a mandatory dependency in any package,
adding this !BR2_STATIC_LIBS dependency is trivial and nicely avoids
the problematic situation.
This fixes two different autobuilder failures:
- Gstreamer 1.x programs failing to link, because libunwind links
against libgcc_s that isn't available (static linking
configuration):
http://autobuild.buildroot.net/results/9d4fbf7167e9afce0eef5c9e0cfd42c966ecba36/
- Gmrender-resurrect, which fails to link, because GStreamer 1.x uses
some libunwind functionality, but does not take into account the
libunwind dependency in its .pc files (static linking
configuration):
http://autobuild.buildroot.net/results/0a3a2485c187a000482c178f1e9c64dd716a858f/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit is similar to 350941e31d
("python: remove target Python packages from PYTHONPATH") but for
python3.
We currently have
$(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages/
inside the PYTHON3_PATH variable, which gets used to define
PYTHONPATH, passed to the host Python interpreter when
building/installing target packages.
However, this is terribly wrong, as it causes the host interpreter to
potentially import target Python packages. This is wrong for several
reasons:
- Some Python packages might need some Python modules to be installed
on the host (described in setup_requires in setup.py), but their
installation currently works because by luck the corresponding
Python module is installed for the target. Some of those cases were
happening for real, and fixed by previous patches.
- Some Python packages include some native code, therefore built for
a specific CPU architecture. When you point the host Python
interpreter to native libraries built for the target, you get nice
build failures, such as the one affecting the python-cffi related
packages.
This change fixes the following build failures:
http://autobuild.buildroot.net/results/9005b89407e46b537a54cac6cc0c69dcac4dc5ea/
(python-cryptography)
http://autobuild.buildroot.net/results/395682d33d02fdcaa39d3c0326355bd9ea3d6feb/
(python-pynacl)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit backports three patches that are already upstream in
kvmtool fixing build warnings with musl. Those are not strictly needed
for the build to succeed, they just reduce the amount of warning
noise.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In Linux 4.12, the header <asm/msr-index.h> has been removed from the
set of headers exported to userspace. Therefore, it cannot be used by
kvmtool anymore. This commit takes the simple approach of duplicating
inside kvmtool the MSR_* definitions that were used from this
<asm/msr-index.h> header.
This fixes:
    x86/kvm-cpu.c:7:27: fatal error: asm/msr-index.h: No such file or directory
     #include <asm/msr-index.h>
Which is the second part of:
http://autobuild.buildroot.net/results/4459a909e735343d1cf768d30466bc3c57eca19e/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit backports an upstream patch that fixes the build of
kvmtool with musl:
    In file included from builtin-balloon.c:9:0:
    include/kvm/kvm.h:22:0: warning: "PAGE_SIZE" redefined
     #define PAGE_SIZE (sysconf(_SC_PAGE_SIZE))
Fixes one part of:
http://autobuild.buildroot.net/results/4459a909e735343d1cf768d30466bc3c57eca19e/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit adds a patch to the norm package that fixes the build with
gcc 7.x. Many thanks to Romain Naour for pointing out the solution to
this C++ build problem.
Fixes:
http://autobuild.buildroot.net/results/c79dc84cdc34d62199099eb4438b1aed3e7459bb/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
[Thomas: add information that the patch has been submitted upstream
and accepted.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fix a build failure in case (a non functional) sphinx documentation
system is installed on the host (reported [1] and fix tested [2]
by grunpferd@netscape.net).
Fixes:
    sphinx-build -b html -d ./doctrees . ./html
    Error: Source directory doesn't contain a conf.py file.
[1] http://lists.busybox.net/pipermail/buildroot/2017-August/200021.html
[2] http://lists.busybox.net/pipermail/buildroot/2017-August/200267.html
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Cc: grunpferd@netscape.net
[Arnout:
- use --disable-sphinx-doc instead of a cv variable
- remove the comment, it speaks for itself]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Commit 2c8de6c4 (gcc 4.9.1: add patch for PR60102) removed the SPE
condition because of said PR, but forgot to remove the associated
comment, which has been tagging along all this time...
Remove it, it is no longer valid and causes confusion.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The VC4 GPU does not support full GL, it only provides EGL.
Currently, it is possible to build the VC4 backend without EGL support,
but that does not make sense in the slightest.
So, forcibly enable EGL with VC4, like is done for etnaviv and virgl.
Reported-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This adds a patch cherry-picked from libepoxy 1.4.2, which adds missing
NULL-pointer checks and avoids segmentation faults when using libepoxy
under X11, when the server does not have the GLX extension, or it is
disabled -- and applications can still use EGL.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The github repo is more informative than the list of Marco's software on
the previous link.
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>