Fixes the following security vulnerabilities:
CVE-2020-10029: Trigonometric functions on x86 targets suffered from stack
corruption when they were passed a pseudo-zero argument. Reported by Guido
Vranken / ForAllSecure Mayhem.
CVE-2020-1751: A defect in the PowerPC backtrace function could cause an
out-of-bounds write when executed in a signal frame context.
CVE-2020-1752: A use-after-free vulnerability in the glob function when
expanding ~user has been fixed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
- Improve mitigation for CVE-2019-14271 for some nscd configuration.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prevent possible use-after-free and double-free in ares_getaddrinfo() if
ares_destroy() is called prior to ares_getaddrinfo() completing.
https://c-ares.haxx.se/changelog.html#1_16_1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-markdown2 through 2.3.8 allows XSS because element names are
mishandled unless a \w+ match succeeds. For example, an attack might use
elementname@ or elementname- with an onclick attribute.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-future does not depends on python2.
The package work with python 3.x.
Signed-off-by: Louis Aussedat <aussedat.louis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add patch to fix availability check for storeRGB32FromARGB32PM_neon(), only
available for arm little-endian.
Fixes:
- http://autobuild.buildroot.net/results/ab623253a6d988f4ee03d292ee85f3455de2ea25
.obj/qimage_conversions.o: In function `convert_generic(QImageData*, QImageData const*, QFlags<Qt::ImageConversionFlag>)':
qimage_conversions.cpp:(.text+0x2598): undefined reference to `storeRGB32FromARGB32PM_neon(unsigned char*, unsigned int const*, int, int, QVector<unsigned int> const*, QDitherInfo*)'
qimage_conversions.cpp:(.text+0x259c): undefined reference to `storeRGB32FromARGB32PM_neon(unsigned char*, unsigned int const*, int, int, QVector<unsigned int> const*, QDitherInfo*)'
.obj/qimage_conversions.o: In function `convert_generic_inplace(QImageData*, QImage::Format, QFlags<Qt::ImageConversionFlag>)':
qimage_conversions.cpp:(.text+0x28fc): undefined reference to `storeRGB32FromARGB32PM_neon(unsigned char*, unsigned int const*, int, int, QVector<unsigned int> const*, QDitherInfo*)'
qimage_conversions.cpp:(.text+0x2900): undefined reference to `storeRGB32FromARGB32PM_neon(unsigned char*, unsigned int const*, int, int, QVector<unsigned int> const*, QDitherInfo*)'
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To match the docker-engine version.
./support/testing/run-tests tests.package.test_docker_compose.TestDockerCompose
09:54:39 TestDockerCompose Starting
09:54:40 TestDockerCompose Building
10:45:33 TestDockerCompose Building done
10:46:30 TestDockerCompose Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 3121.828s
OK
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Set PAHO_HIGH_PERFORMANCE to disable free redefiniton as suggested by
upstream in https://github.com/eclipse/paho.mqtt.c/issues/846.
This will avoid the following build failure on musl:
/tmp/instance-1/output-1/host/x86_64-buildroot-linux-musl/sysroot/usr/include/sched.h:80:17: error: expected declaration specifiers or '...' before string constant
void free(void *);
^
/tmp/instance-1/output-1/host/x86_64-buildroot-linux-musl/sysroot/usr/include/sched.h:80:17: error: expected declaration specifiers or '...' before numeric constant
void free(void *);
^
[ 35%] Building C object src/CMakeFiles/common_obj.dir/Base64.c.o
[ 36%] Building C object src/CMakeFiles/common_obj.dir/SHA1.c.o
make[3]: *** [src/CMakeFiles/common_obj.dir/build.make:284: src/CMakeFiles/common_obj.dir/MQTTReasonCodes.c.o] Error 1
Fixes:
- http://autobuild.buildroot.org/results//fbe57a1602fed331ddff3ff3560dce02573816ff
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a
HandleCursorShape integer overflow and heap-based buffer overflow via a
large height or width value. NOTE: this may overlap CVE-2019-15690.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bumping the hashes for CIP and CIP RT.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream patch to fix squashfs-tools build failures because
of missing external declaration for fwriter_buffer and
bwriter_buffer.
Fixes:
- http://autobuild.buildroot.net/results/6789b668898245926e0a3a3e7caf823dff515d71
/usr/bin/ld: read_fs.o:(.bss+0x0): multiple definition of `fwriter_buffer'; mksquashfs.o:(.bss+0x400c90): first defined here
/usr/bin/ld: read_fs.o:(.bss+0x8): multiple definition of `bwriter_buffer'; mksquashfs.o:(.bss+0x400c98): first defined here
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Remove double space in AT_SPI2_ATK_SITE
- Add link to upstream sha256 file
- License is LPGL-2.1+ since
468b527d8a
- Switch to meson-package
- Add a patch to disable tests to avoid adding libxml2 dependency
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Drop patch (already in version)
- Add upstream link on sha256
- License is LGPL-2.1+ since
1256988c43
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add two upstream patches fixing input_event time related
compile failures.
Fixes:
- http://autobuild.buildroot.net/results/3883a948e30cfd235cfca1fb8646fe8032f5e18d
keytable.c: In function 'test_event':
keytable.c:1536:11: error: 'struct input_event' has no member named 'time'; did you mean 'type'?
ev[i].time.tv_sec, ev[i].time.tv_usec,
^~~~
type
keytable.c:1536:30: error: 'struct input_event' has no member named 'time'; did you mean 'type'?
ev[i].time.tv_sec, ev[i].time.tv_usec,
^~~~
type
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
- http://autobuild.buildroot.net/results/af76190876656252eb6f60220cdb1d627a03b7c3
evdevkeyboard/qevdevkeyboardhandler.cpp: In member function ‘void QEvdevKeyboardHandler::switchLed(int, bool)’:
evdevkeyboard/qevdevkeyboardhandler.cpp:153:28: error: ‘struct input_event’ has no member named ‘time’; did you mean ‘type’?
::gettimeofday(&led_ie.time, 0);
^~~~
type
evdevtouch/qevdevtouchhandler.cpp: In member function ‘void QEvdevTouchScreenData::processInputEvent(input_event*)’:
evdevtouch/qevdevtouchhandler.cpp:579:29: error: ‘struct input_event’ has no member named ‘time’; did you mean ‘type’?
m_timeStamp = data->time.tv_sec + data->time.tv_usec / 1000000.0;
^~~~
type
evdevtouch/qevdevtouchhandler.cpp:579:49: error: ‘struct input_event’ has no member named ‘time’; did you mean ‘type’?
m_timeStamp = data->time.tv_sec + data->time.tv_usec / 1000000.0;
^~~~
type
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
cvs is an old package, and it shows:
- CVS is licensed under GPL-1.0+ as stated in README (referenced in source
code) and COPYING files;
- COPYING.LIB also give the terms of LGPL-2.0+, and is referenced by a
few files, like lib/strnlen1.c, mostly vampirised rom older versions
of the GNU C library (glibc);
- additionally, the glob implementation was also grabbed from a more
recent (but still old) glibc version, and is LGPL-2.1+, but there is
no license file associated with it, so we use the header instead.
Also update indentation in hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- LGPL-2.0+ is used, reference at least one file
- LGPL-2.1+ is also used
- reword commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
BR2_PACKAGE_HOST_ZLIB does not exist, and should anyway not be
selected by the target pigz package.
Signed-off-by: Louis-Paul Cordier <lpdev@cordier.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Rebase/update disable tests patch.
Replace autotools build system with meson as autotools is deprecated
and will be removed.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
- http://autobuild.buildroot.net/results/5c5/5c5d71fde80a4f2f027085bdb0fae9fb76ab9d32
fsck.c:1062:18: error: 'node' may be used uninitialized in this function [-Werror=maybe-uninitialized]
node->parent = dir;
^
fsck.c:870:22: note: 'node' was declared here
struct exfat_inode *node;
^
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
- http://autobuild.buildroot.net/results/a7364a6b3801d7d18c30c7242c6faf19431fddfd
mkfs.c:60:14: error: format '%llu' expects argument of type 'long long unsigned int', but argument 2 has type 'long unsigned int' [-Werror=format=]
exfat_debug("Volume Length(sectors) : %llu\n",
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Irrlicht fail to detect properly the NEON support on aarch64 or ARM with NEON FPU support.
While linking an application with libIrrlicht.so, we get an undefined reference to
png_init_filter_functions_neon.
Some files are missing in the libpng bundled in Irrlicht, in particular arm/arm_init.c [1],
so disable NEON support completely.
This can be reproduced by building minetest using this defconfig for aarch64:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_MINETEST=y
BR2_PACKAGE_MINETEST_CLIENT=y
BR2_PACKAGE_MINETEST_SERVER=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
Or for ARM with NEON FPU support:
BR2_arm=y
BR2_cortex_a15=y
BR2_ARM_FPU_NEON=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_MINETEST=y
BR2_PACKAGE_MINETEST_CLIENT=y
BR2_PACKAGE_MINETEST_SERVER=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
[1] https://github.com/glennrp/libpng/tree/v1.6.37/arm
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
NEON support is enabled by default on aarch64, so we
can enable it unconditionaly.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The openssh package comprises three separate entities: the SSH client, SSH
server, and some SSH key utilities. One may want the client but not the
server, the server but not the client, or maybe only the key utilities.
Add separate options for each entity and update the files installed on
target accordingly.
On an ARM Cortex-A53 configuration, size of stripped binaries are:
Client programs: 2213118 bytes (2161 KB)
usr/bin/ssh,657180
usr/bin/scp,99836
usr/bin/ssh-add,312800
usr/bin/ssh-agent,296428
usr/libexec/ssh-keysign,398908
usr/libexec/ssh-pkcs11-helper,292316
usr/bin/sftp,144992
usr/bin/ssh-copy-id,10658
Server programs: 806840 bytes (787 KB)
usr/libexec/sftp-server,112140
usr/sbin/sshd,694168
etc/init.d/S50sshd,532
Key utilities: 789648 bytes (771 KB)
usr/bin/ssh-keygen,398924
usr/bin/ssh-keyscan,390724
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When NetworkManager is built with ModemManager support, it should only
require the generic ModemManager dependency; it shouldn't configure
which features ModemManager provides.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a
heap-based buffer overflow during JPEG_MARKER_SOS handling because of a
missing length check.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch bumps Linux CIP RT version to 4.19.115-cip24-rt9.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch bumps Linux CIP version to v4.19.118-cip25.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Back in commit [1], a patch fixing an issue a PowerPC issue in gcc was
added in gcc 4.3.3. It was present until gcc 4.9, which itself was
removed in [2]. The patch was dropped starting gcc 5.1 [3] but it's
know to be useful for gcc 4.7.3 [4]. However, even though we no longer
support building any of those older gcc versions, the conditional
patching logic in gcc.mk is still there.
We used to have a patch directory (package/gcc/$(GCC_VERSION)) for
every gcc version available in Buildroot, the apply-patches.sh script
doesn't error out even if
1000-powerpc-link-with-math-lib.patch.conditional is missing.
But with gcc 10, we don't need (for the moment) to apply any patch, so
the patch directory doesn't exist. apply-patches.sh breaks the build
since the patch directory is missing:
Aborting. 'package/gcc/10.1.0' is not a directory.
Since we removed gcc 4.9 last year [2], we can safely remove this code.
Tested using qemu_ppc_virtex_ml507_defconfig.
[1] bb1f42e442
[2] baf1775022
[3] 4deb2d93c5
[4] 197006a41c
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 3052da3eac did not renumber
remaining patches, fix that
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
