Commit Graph

45008 Commits

Author SHA1 Message Date
John Keeping
3ebf356935 support/download/git: fix formatting of error message
'.' should be at the end of the sentence, not the beginning of a new
line.

Signed-off-by: John Keeping <john@metanate.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8dd1a41630)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-24 21:11:26 +02:00
Giulio Benetti
0224c93210 package/tvheadend: fix PIE build failures
Package tvheadend builds using '-pie' linker flag in any case. This
leads to linking failure if toolchain doesn't support 'pie'.

Add patch to fix tvheadend's Makefile bug where '-pie' flag is hardcoded
making it depend on '--disable-pie' as compiler's flags already are
treated.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dd0907d465)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-24 21:09:54 +02:00
Pierre-Jean Texier
473ac73c41 package/psplash: add license file details
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 32a0d3a8e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-24 21:06:54 +02:00
Pierre-Jean Texier
eac3149323 package/haveged: fix legal-info
Add hash for COPYING file

Fixes:

$: make haveged-legal-info
 >>> haveged 1.9.4 Collecting legal info
 ERROR: No hash found for COPYING

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0ae29b98d1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-24 21:05:26 +02:00
Peter Korsgaard
3c254130b1 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.1.x series
Includes fixes for the "TCP SACK PANIC" vulnerability:

https://access.redhat.com/security/vulnerabilities/tcpsack

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 19f6b3281c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-24 21:03:22 +02:00
Pierre-Jean Texier
cbbabb1cb3 package/logrotate: fix legal-info
Add hash for COPYING file

Fixes:

$: make logrotate-legal-info
 >>> logrotate 3.15.0 Collecting legal info
 ERROR: No hash found for COPYING

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 38626b4b63)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-24 20:45:01 +02:00
Pierre-Jean Texier
9ea24ca83b package/mongoose: bump to version 6.15
See https://github.com/cesanta/mongoose/releases/tag/6.15

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit da7fdfe6a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-24 20:39:50 +02:00
Peter Korsgaard
c284f1fe38 package/python3: add upstream security fix for CVE-2019-10160
Fixes CVE-2019-10160: urlsplit does not handle NFKC normalization (2nd fix)

While the fix for CVE-2019-9936 is included in 3.7.3, the followup
regression fixes unfortunatly aren't.

https://bugs.python.org/issue36742

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b57490563c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:30:21 +02:00
Peter Korsgaard
a2ed4387b8 package/python: add upstream security fix for CVE-2019-9636
Fixes CVE-2019-9636: urlsplit does not handle NFKC normalization

https://bugs.python.org/issue36216

The fix unfortunately introduced regressions, so also apply the followup
fixes.

https://bugs.python.org/issue36742

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 58d0bc2f29)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:27:10 +02:00
Peter Korsgaard
f977487ef4 package/python: add upstream security fix for CVE-2019-9948
Fixes CVE-2019-9948: Unnecessary URL scheme exists to allow file:// reading
file in urllib.

https://bugs.python.org/issue35907

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6522aad76a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:27:02 +02:00
Peter Korsgaard
5a103c8e52 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{0, 1}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2676d4fb2a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:14:57 +02:00
Peter Korsgaard
841c274200 package/dbus: security bump to version 1.12.16
Fixes the following security issues:

- CVE-2019-12749: Do not attempt to carry out DBUS_COOKIE_SHA1
  authentication for identities that differ from the user running the
  DBusServer.  Previously, a local attacker could manipulate symbolic links
  in their own home directory to bypass authentication and connect to a
  DBusServer with elevated privileges.  The standard system and session
  dbus-daemons in their default configuration were immune to this attack
  because they did not allow DBUS_COOKIE_SHA1, but third-party users of
  DBusServer such as Upstart could be vulnerable.  Thanks to Joe Vennix of
  Apple Information Security.

  For details, see the advisory:
  https://www.openwall.com/lists/oss-security/2019/06/11/2

Also contains a number of other smaller fixes, including fixes for memory
leaks.  For details, see NEWS:

https://gitlab.freedesktop.org/dbus/dbus/blob/dbus-1.12/NEWS

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 992b106d1d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:10:29 +02:00
Esben Haabendal
87f3439e30 package/openblas: Handle new westmere target architecture
Nehalem, the predecessor to westmere, is best match for westmere
architecture in current openblas.

Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b04f1deab3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:09:09 +02:00
Esben Haabendal
b2a4e994b5 arch: Add support for Westmere targets
The westmere line of x86_64 targets lies between nehalem (corei7) and
sandybridge (corei7-avx).  Allowing use of -march=westmere enables use of
AES instruction set on these targets.

Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 97651ce275)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:09:07 +02:00
Ryan Coe
e335f33ceb package/mariadb: security bump to version 10.3.15
The licensing text in README.md has changed slightly. The reference to
COPYING.LESSER has been removed. The file itself has been gone for awhile
now. COPYING.thirdparty has also been renamed to THIRDPARTY.

Release notes:
https://mariadb.com/kb/en/library/mariadb-10315-release-notes/

Changelog:
https://mariadb.com/kb/en/mariadb-10315-changelog/

Fixes the following security vulnerabilities:

CVE-2019-2614 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Replication). Supported versions that are affected
are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior. Difficult to
exploit vulnerability allows high privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.

CVE-2019-2627 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Security: Privileges). Supported versions that are
affected are 5.6.43 and prior, 5.7.25 and prior and 8.0.15 and prior.
Easily exploitable vulnerability allows high privileged attacker with
network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability
to cause a hang or frequently repeatable crash (complete DOS) of MySQL
Server.

CVE-2019-2628 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.7.25 and
prior and 8.0.15 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently repeatable
crash (complete DOS) of MySQL Server.

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 033844c44d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:07:40 +02:00
Bernd Kuhls
423bd5c767 package/freeswitch: bump version to 1.8.6
Updated license hash after upstream commit
a1f3b4862e

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2df2bde27f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 23:06:32 +02:00
Bernd Kuhls
385e1455b5 package/vlc: security bump to version 3.0.7
Fixes the following security issues:
 * Fix multiple buffer overflows in the ps demuxer
 * Fix a buffer overflow when copying a biplanar YUV image
 * Fix multiple buffer overflows in the faad decoder
 * Fix buffer overflow in the svcdsub decoder
 * Fix buffer overflows in the ogg muxer & demuxer
 * Fix buffer overflows in libavformat demuxer
 * Fix multiple buffer overflows in the MKV demuxer
 * Fix a buffer overflow in the MP4 demuxer
 * Fix a buffer overflow in the textst decoder
 * Fix a buffer overflow in the webvtt decoder
 * Fix a buffer overflow in the ASF demux
 * Fix a buffer overflow in the UPNP SD
 * Fix use after free in the ogg demuxer
 * Fix multiple use after free in the MKV demuxer
 * Fix multiple use after free in the DMO decoder
 * Fix integer underflow in the MKV demuxer
 * Fix an updater NULL pointer dereference on invalid signing keys
 * Fix NULL pointer dereference in the MKV demuxer
 * Fix an integer overflow in the spudec decoder
 * Fix an integer overflow in the nsc demuxer
 * Fix an integer overflow in the avi demuxer
 * Fix reads of uninitialized pointers in the MKV demuxer
 * Fix a floating point exception in the MKV demuxer
 * Fix an infinite loop in the flac packetizer

For more details, see the NEWS file:
https://www.videolan.org/developers/vlc-branch/NEWS

Removed patch 0010, applied upstream.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 04efb17c86)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:59:11 +02:00
Bernd Kuhls
6a7068607b package/vlc: fix build with libvpx 1.8.0
Fixes
http://autobuild.buildroot.net/results/e44/e44d5ca85be9e0dafa4a3d8b0187c54cff6e2d55/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6aa1b96ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:58:49 +02:00
Jörg Krause
7bf7db4589 package/gerbera: add upstream patch to fix find_program with taglib-config
Add an from from upstream to fix linking Gerbera with taglib. The patch
fixes the following issue:

When cross-compiling CMakes `find_program()` will search for binaries on the
host. This is typically correct, e.g. when search for compilers or shells.

When cross-compiling, searching for `taglib-config` using `find_program` should
not find the binary on the host, instead it should find the binary in the sysroot
directory, as the host `taglib-config` will output the wrong host paths
and libs, whereas the sysroot `taglib-config` will output the correct sysroot
paths and libs.

Therefore, use the `CMAKE_FIND_ROOT_PATH_MODE_PROGRAM` variable when
cross-compiling. This variable controls whether the `CMAKE_FIND_ROOT_PATH`
and `CMAKE_SYSROOT` are used by find_program().

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 6d52768315)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:25:27 +02:00
Jörg Krause
6275dff6dd package/taglib: add upstream patch to fix taglib-config
The current taglib-config program does not work when cross-compiling as it only
returns paths to the host, which breaks building programs which link against
taglib.

For example gerbera uses `taglib-config` and it fails with:

```
[..]
-- Found TagLib: -L/usr/lib -ltag
[..]
arm-linux-gnueabihf-g++: ERROR: unsafe header/library path used in cross-compilation: '-L/usr/lib'
```

Before the patch the output of `taglib-config` is:
```
$ ./output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/bin/taglib-config --libs
-L/usr/lib -ltag
```

Add a patch from upstream which fixes taglib-config.

After applying the fix, the pkg-config file is correct:
```
$ ./output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/bin/taglib-config --libs
-L/home/joerg/Development/git/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -ltag
```

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ad29cd6224)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:24:51 +02:00
Jan Kundrát
17729645c6 docs: use-case for un-ignoring VCS directories and overridden source dir
Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Suggested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes: a27078d32d Allow overriding the VCS exclude list with *_OVERRIDE_SRCDIR_RSYNC_EXCLUSIONS
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f52809cbd2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:16:21 +02:00
Julien Olivain
269e89be98 manual/contribute.txt: fix typo
Signed-off-by: Julien Olivain <juju@cotds.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 0c48904f76)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:13:50 +02:00
Fabrice Fontaine
79cdc64c62 package/libgit2: security bump to version 0.27.8
Fixing the following list of issues (fixed in 0.27.6 and 0.27.5):

    The function family git__strtol is used to parse integers
    from a buffer. As the functions do not take a buffer length as
    argument, they will scan either until the end of the current
    number or until a NUL byte is encountered. Many callers have
    been misusing the function and called it on potentially
    non-NUL-terminated buffers, resulting in possible out-of-bounds
    reads. Callers have been fixed to use git__strntol functions
    instead and git__strtol functions were removed.

    The function git__strntol64 relied on the undefined behavior
    of signed integer overflows. While the code tried to detect
    such overflows after they have happened, this is unspecified
    behavior and may lead to weird behavior on uncommon platforms.

    In the case where git__strntol32 was unable to parse an
    integer because it doesn't fit into an int32_t, it printed an
    error message containing the string that is currently being
    parsed. The code didn't truncate the string though, which
    caused it to print the complete string until a NUL byte is
    encountered and not only the currently parsed number. In case
    where the string was not NUL terminated, this could have lead
    to an out-of-bounds read.

    When parsing tags, all unknown fields that appear before the
    tag message are skipped. This skipping is done by using a plain
    strstr(buffer, "\n\n") to search for the two newlines that
    separate tag fields from tag message. As it is not possible to
    supply a buffer length to strstr, this call may skip over the
    buffer's end and thus result in an out of bounds read. As
    strstr may return a pointer that is out of bounds, the
    following computation of buffer_end - buffer will overflow
    and result in an allocation of an invalid length. Note that
    when reading objects from the object database, we make sure to
    always NUL terminate them, making the use of strstr safe.

    When parsing the "encoding" field of a commit, we may perform
    an out of bounds read due to using git__prefixcmp instead of
    git__prefixncmp. This can result in the parsed commit object
    containing uninitialized data in both its message encoding and
    message fields. Note that when reading objects from the object
    database, we make sure to always NUL terminate them, making the
    use of strstr safe.

    Submodule URLs and paths with a leading "-" are now ignored.
    This is due to the recently discovered CVE-2018-17456, which
    can lead to arbitrary code execution in upstream git. While
    libgit2 itself is not vulnerable, it can be used to inject
    options in an implementation which performs a recursive clone
    by executing an external command.

    When running repack while doing repo writes,
    packfile_load__cb() could see some temporary files in the
    directory that were bigger than the usual, and makes memcmp
    overflow on the p->pack_name string. This issue was reported
    and fixed by bisho.

    The configuration file parser used unbounded recursion to parse
    multiline variables, which could lead to a stack overflow. The
    issue was reported by the oss-fuzz project, issue 10048 and
    fixed by Nelson Elhage.

    The fix to the unbounded recursion introduced a memory leak in
    the config parser. While this leak was never in a public
    release, the oss-fuzz project reported this as issue 10127. The
    fix was implemented by Nelson Elhage and Patrick Steinhardt.

    When parsing "ok" packets received via the smart protocol, our
    parsing code did not correctly verify the bounds of the
    packets, which could result in a heap-buffer overflow. The
    issue was reported by the oss-fuzz project, issue 9749 and
    fixed by Patrick Steinhardt.

    The parsing code for the smart protocol has been tightened in
    general, fixing heap-buffer overflows when parsing the packet
    type as well as for "ACK" and "unpack" packets. The issue was
    discovered and fixed by Patrick Steinhardt.

    Fixed potential integer overflows on platforms with 16 bit
    integers when parsing packets for the smart protocol. The issue
    was discovered and fixed by Patrick Steinhardt.

    Fixed potential NULL pointer dereference when parsing
    configuration files which have "include.path" or
    "includeIf..path" statements without a value.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 02afc9db7a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:10:56 +02:00
Jan Kundrát
17463b4f77 Allow overriding the VCS exclude list with *_OVERRIDE_SRCDIR_RSYNC_EXCLUSIONS
We have some internal packages which automatically bake a version string
from the git checkout, and we usually combine these with a
*_OVERRIDE_SRCDIR. I would like to let Buildroot *not* skip the .git
directory when picking up sources from the local checkout.  It turns out
that the existing mechanism (*_OVERRIDE_SRCDIR_RSYNC_EXCLUSIONS) only
supports adding to the exclude list because `rsync` simply uses the
first match from the provided filtering rules.

Solve this by using the user-provided values first. If they match, then
`rsync` won't exclude stuff based on the generic VCS exclude patterns.

Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit a27078d32d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:09:27 +02:00
Bernd Kuhls
81994e1631 package/samba4: security bump version to 4.9.9
Release notes: https://www.samba.org/samba/history/samba-4.9.9.html

Fixes CVE-2019-12435.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e9213e3c20)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:05:52 +02:00
Fabrice Fontaine
db479016f5 package/samba4: drop third patch
Drop third patch which is not upstreamable and set XSLTPROC to false
instead to disable documentation

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 48a9848cd6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:05:46 +02:00
Fabrice Fontaine
558cd377cc package/samba4: drop unneeded second patch
This patch is not needed since version 4.9.0 and
859698d29b
which solved the issue by avoiding calling this function.

Also renumber the remaining patches.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit df859a83f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 22:05:39 +02:00
Fabrice Fontaine
fad7b2f590 package/mpd: fix static build with tremor and vorbis
mpd can't be built statically with tremor and vorbis, build fails on:
block.c:(.text+0x11c): multiple definition of `vorbis_block_init'
/usr/lfs/v0/rc-buildroot-test/scripts/instance-2/output/host/bin/../sparc-buildroot-linux-uclibc/sysroot/usr/lib/libvorbisidec.a(block.o):block.c:(.text+0x0): first defined here
/usr/lfs/v0/rc-buildroot-test/scripts/instance-2/output/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/7.4.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: Disabling relaxation: it will not work with multiple definitions
/usr/lfs/v0/rc-buildroot-test/scripts/instance-2/output/host/bin/../sparc-buildroot-linux-uclibc/sysroot/usr/lib/libvorbis.a(block.o): In function `_vorbis_block_alloc':

Fix this by making both options mutually exclusive

It should be noted that upstream explicitly removed the possibility to
enable tremor and vorbis at the same time since version 0.21.6 and
c18cd941aa
Since we only have 0.20.23, it is still possible to build them together,
but there is clearly no need to allow it.

Fixes:
 - http://autobuild.buildroot.org/results/60c721a82ffd668bebf02d80bca83780d6cdb2f2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5395b1ca45)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 21:19:45 +02:00
Fabrice Fontaine
441038cd83 package/mpd: drop tremor select
Drop tremor select added by commit
d428dddf68

Indeed, nowadays, mpd can be built successfully even if there is no
input plugin selected.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5d4ee34c39)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 21:19:38 +02:00
Esben Haabendal
76e1aeba4f arch: Fix typo breaking use of core-avx2 arch
Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 498a1fabe8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-23 21:05:53 +02:00
Peter Korsgaard
3e8b918b87 Update for 2019.02.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-07 09:36:49 +02:00
Peter Korsgaard
7b23d35df4 package/python-django: security bump to version 2.1.9
Fixes the following security issues:

CVE-2019-12308: AdminURLFieldWidget XSS¶

The clickable "Current URL" link generated by AdminURLFieldWidget displayed
the provided value without validating it as a safe URL.  Thus, an
unvalidated value stored in the database, or a value provided as a URL query
parameter payload, could result in an clickable JavaScript link.

AdminURLFieldWidget now validates the provided value using URLValidator
before displaying the clickable link.  You may customize the validator by
passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g.
when using formfield_overrides.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution¶

jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...) because of
Object.prototype pollution.  If an unsanitized source object contained an
enumerable __proto__ property, it could extend the native Object.prototype.

The bundled version of jQuery used by the Django admin has been patched to
allow for the select2 library’s use of jQuery.extend().

For more details, see the release notes:
https://docs.djangoproject.com/en/dev/releases/2.1.9/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 426084e25f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:38:46 +02:00
Peter Korsgaard
bc5213f7df package/exim: add upstream security fix for CVE-2019-10149
A flaw was found in Exim versions 4.87 to 4.91 (inclusive).  Improper
validation of recipient address in deliver_message() function in
src/deliver.c may lead to remote command execution.

For more details, see the advisory:

https://www.exim.org/static/doc/security/CVE-2019-10149.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 83967ef53d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:37:19 +02:00
Peter Korsgaard
9c788c3614 package/libcurl: bump version to 7.65.1
Fixes a number of bugs discovered after the 7.65.0 release.

https://daniel.haxx.se/blog/2019/06/05/7-65-1-patched-up-and-ready-to-go/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1272878fd0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:36:10 +02:00
Peter Korsgaard
e4f8a9a628 {linux, linux-headers}: bump 4.{9, 14, 19}.x / 5.{0, 1}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 5.{0, 1}.x bump]
(cherry picked from commit b827a3f50e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:32:27 +02:00
Markus Mayer
b2080a2f2f package/busybox: add dependency on dosfstools
dosfstools and busybox may each install mkfs.vfat, so dosfstools must
be installed before busybox.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca42df2111)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:26:51 +02:00
Francois Perrad
a6f7a75022 DEVELOPERS: Drop support for some packages from Francois Perrad
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4ddaaa65fa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 22:26:44 +02:00
Romain Naour
47fbfdb18f package/gcc: don't build a toolchain for powerpc with spe ABI with gcc >= 8.x
The powerpc*-*-*spe* support has been deprecated in GCC 8 [1] and has
been removed in GCC 9 [2].

While building with GCC 8, the build stop since we don't provide --enable-obsolete
option.

For now, keep powerpcspe support in Buildroot but only for older compiler
up to GCC 7.

Note: Although we can't select Glibc for powerpcspe since commit [4], this
support has been removed for the next version of Glibc (the upcoming 2.30).

[1] https://gcc.gnu.org/ml/gcc/2018-04/msg00102.html
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=b31d0348ddada49453e3edaaf93a423fdc61dc79
[3] https://sourceware.org/git/?p=glibc.git;a=commit;h=a053e878494080f7070cf92890e546057236c9c9
[4] https://git.buildroot.net/buildroot/commit/?id=5777e3ffd99132a57e3d29659850eec14b1625f8

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2df8b1417b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:44:20 +02:00
Peter Korsgaard
ac4c799278 {linux, linux-headers}: bump 4.{9, 14, 19}.x / 5.{0, 1}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: drop 5.{0, 1}.x bump]
(cherry picked from commit b24f274abe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:40:40 +02:00
James Hilliard
009cd18c8d package/v4l2loopback: bump to version 0.12.2 to fix Linux 5.1 compat
This fixes a kernel 5.1.x compatibility issue. The only changes
between 0.12.1 and 0.12.2 are:

d3b198ef6f57ca512fb25147c9d85b922fd4651a Released v0.12.2
376c2c28bd7d4470cd92ff646d6087ca70cd9d2e fixed typo
6edc4b164b1f05bee74cb507a4f50776a65ceb73 mentioned support for 5.0.0
0b8feb80fdef9a415d8250bca1790b3ff23e8391 Replace v4l2_get_timestamp with ktime_get_ts(64)
541e3bc7aaf46dc9a21f92c7f527397fce03dfd8 Update README.md

So the only functional change is the actual ktime_get_ts() fix, which
is needed for Linux 5.1 compatibility. Therefore, bumping is pretty
much the same as backporting just this commit.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Thomas: extend the commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 7a8460d45b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:38:59 +02:00
James Hilliard
4004bab2e6 package/v4l2loopback: bump to version v0.12.1
This should fix a kernel 5.x.x compatibility issue.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eb81fe39a7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:38:43 +02:00
Peter Korsgaard
eb1db3ac17 package/netsurf: disallow on archs requiring ABI specific CFLAGS
Fixes:
http://autobuild.buildroot.net/results/67ef520d82ea529a9fe593d83a3aeae5f8b0ee5d/
http://autobuild.buildroot.net/results/eafc3e4be571d5ecee549a11530ac4e508f31782/
http://autobuild.buildroot.net/results/ba7f30833fef54162a82f4b336a72d6599594526/

The netsurf build system mixes up host and target CFLAGS, so it isn't
compatible with architectures where we pass ABI specific compiler flags (in
TARGET_ABI).

Add a _ARCH_SUPPORTS kconfig variable matching the TARGET_ABI logic we have
in package/Makefile.in, and use it to disallow netsurf for those
architectures.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 18855d79e2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:37:53 +02:00
Adam Duskett
5d667bd7e2 package/gstreamer1/gst1-plugins-bad: require dynamic library for decklink plugin
The decklink plugin uses <dlfcn.h> functions: dlopen(), dlsym(), etc.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e49d5e946d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:37:06 +02:00
Markus Mayer
6549ef8d4c package/dosfstools: introduce custom install routine
We can't use dosfstools' install target, because it'll install *all*
binaries, even the disabled ones. Also, we can't just delete dosfstools
binaries from the target directory after installing them, because other
packages (specifically Busybox) may provide tools of the same name, and
we may end up deleting those instead.

To avoid any issues, we create our own install routines, which only
copy the enabled binaries into the target location.

Signed-off-by: Markus Mayer <mmayer@broadcom.com>
[Thomas: use full destination path for INSTALL commands.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 4cc31dfa3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:36:41 +02:00
Peter Korsgaard
32433179b3 package/libnss: security bump to version 3.42.1
Fixes the following security issues:

(3.41) CVE-2018-12404: Cache side-channel variant of the Bleichenbacher
attack

(3.42.1) CVE-2018-18508: Add additional null checks to several CMS functions
to fix a rare CMS crash.  Thanks to Hanno Böck and Damian Poddebniak for the
discovery and fixes

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8c0bff1b4f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:35:56 +02:00
Fabrice Fontaine
2436dc3be5 package/libopenssl: fix static build
no-dso option has been removed with
31b6ed76df

To fix this error, use "gcc" target in static builds. This target is
very minimalistic, we need to manually pass -lpthread and
-DOPENSSL_THREADS however we can also remove libdl workarounds

Fixes:
 - http://autobuild.buildroot.org/results/96d6b89d20980e8f7fa450b832474a81d492b315

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8c2c959b02)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:35:10 +02:00
Peter Korsgaard
7b32265736 package/libopenssl: security bump to version 1.1.1c
Fixes the following security issues:

Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation.  RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes).  OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes.  However it
also incorrectly allows a nonce to be set of up to 16 bytes.  In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks.  If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher.  Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.  Any OpenSSL internal use of this cipher, including in SSL/TLS, is
safe because no such use sets such a long nonce value.  However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cfedfdee95)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:35:02 +02:00
Peter Korsgaard
2b1cc1af76 package/libopenssl: bump to version 1.1.1b
Drop patches 4..6 as they are now upstream.

Update the hash of the license file as the copyright dates changed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c2c57aa30f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:34:53 +02:00
Yann E. MORIN
60817d0403 infra/pkg-kconfig: do not rely on package's .config as a timestamp
Since linux-4.19, the kernel's build system internally touches its
.config file.

However, we currently used that file as a timestamp to detect whether
our kconfig fixups were to be (re)applied or not, which in turn is used
to decide whether we should (re)build the package or not.

But with latest kernel versions, this timestamp heuristic is now broken,
and we always rebuild the kernel on subsequent builds.

We fix that by introducing a separate timestamp file of our own, which
we know the kernel (or the kconfig-based packages, for that matters)
does not use.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 05fea6e4a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:33:28 +02:00
Fabrice Fontaine
6918255dde package/matchbox-panel: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/3e72c2c2baae3a70fb5145b1b09a1f3716e4bce2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 46668b157a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-06-06 17:33:03 +02:00