This bump will fix the following build failure with libmodsecurity (and
a lot of other packages) raised since bump of libxml2 to version 2.12.1
in commit d8ac52108c:
modsecurity.cc: In constructor 'modsecurity::ModSecurity::ModSecurity()':
modsecurity.cc:89:5: error: 'xmlInitParser' was not declared in this scope
89 | xmlInitParser();
| ^~~~~~~~~~~~~
https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.12.3/NEWS
Fixes:
- http://autobuild.buildroot.org/results/d6749bacf6c7c04a74e136585d36bc731716f6fd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
1) CVE-2023-6377: X.Org server: Out-of-bounds memory write in XKB button actions
A device has XKB button actions for each button on the device. When a
logical device switch happens (e.g. moving from a touchpad to a mouse), the
server re-calculates the information available on the respective master
device (typically the Virtual Core Pointer). This re-calculation only
allocated enough memory for a single XKB action rather instead of enough for
the newly active physical device's number of button. As a result, querying
or changing the XKB button actions results in out-of-bounds memory reads and
writes.
This may lead to local privilege escalation if the server is run as root or
remote code execution (e.g. x11 over ssh).
2) CVE-2023-6478: X.Org server: Out-of-bounds memory read in
RRChangeOutputProperty and RRChangeProviderProperty
This fixes an OOB read and the resulting information disclosure.
Length calculation for the request was clipped to a 32-bit integer. With
the correct stuff->nUnits value the expected request size was truncated,
passing the REQUEST_FIXED_SIZE check.
The server then proceeded with reading at least stuff->nUnits bytes
(depending on stuff->format) from the request and stuffing whatever it finds
into the property. In the process it would also allocate at least
stuff->nUnits bytes, i.e. 4GB.
See also CVE-2022-46344 where this issue was fixed for other requests.
For more details, see the advisory:
https://lists.x.org/archives/xorg-announce/2023-December/003435.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Switch site to github to get latest release
- Drop LIBIEC61850_IGNORE_CVES as CVE-2023-27772 only affects version
1.5.1
https://github.com/mz-automation/libiec61850/blob/v1.5.3/CHANGELOG
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mbedtls is an optional dependency since bump to version 1.5.0 in
commit a42e0e4600 and
19f2cbf0e7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix the following build failure raised since bump of libxml2 to version
2.12.1 in commit d8ac52108c:
/home/buildroot/autobuild/instance-1/output-1/build/libiio-0.25/xml.c: In function 'xml_create_context':
/home/buildroot/autobuild/instance-1/output-1/build/libiio-0.25/xml.c:481:15: warning: implicit declaration of function 'xmlReadFile' [-Wimplicit-function-declaration]
481 | doc = xmlReadFile(xml_file, NULL, XML_PARSE_DTDVALID);
| ^~~~~~~~~~~
/home/buildroot/autobuild/instance-1/output-1/build/libiio-0.25/xml.c:481:43: error: 'XML_PARSE_DTDVALID' undeclared (first use in this function); did you mean 'XML_DOC_DTDVALID'?
481 | doc = xmlReadFile(xml_file, NULL, XML_PARSE_DTDVALID);
| ^~~~~~~~~~~~~~~~~~
| XML_DOC_DTDVALID
Fixes:
- http://autobuild.buildroot.org/results/f97c2db33e07a02699e4650caf97de5f3c475eb8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fix the following build failure raised since bump of libxml2 to version
2.12.1 in commit d8ac52108c:
../libxml++/nodes/entityreference.cc: In member function 'xmlpp::ustring xmlpp::EntityReference::get_resolved_text() const':
../libxml++/nodes/entityreference.cc:30:35: error: invalid use of incomplete type 'struct _xmlEntity'
30 | const xmlChar* pch = cEntity->content;
| ^~
Fixes:
- http://autobuild.buildroot.org/results/f3cef04950eeaa744ebe9409561d505606375787
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libsoup3 is supported since bump to version 2023.3 in commit
618eb375a0 and
d0ea2db430
So switch to libsoup3 and drop libsoup2 as:
- libsoup2 is unmaintained (as stated by commit
b45c2a048d)
- libsoup2 will be removed at some point (as stated by commit
f93380ab1a)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patch (already in version)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Drop patches (already in version)
- Add patch to fix build with libxml2 2.12
https://gitlab.gnome.org/GNOME/gupnp/-/blob/gupnp-1.6.6/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- libsoup has been replaced by libsoup3 with
e223e6f75e
- Disable manpages which are enabled by default since their addition:
1970906319https://gitlab.gnome.org/GNOME/gssdp/-/blob/gssdp-1.6.3/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: multiline assignment is entirely multiline]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop patch (already in version)
https://github.com/lldpd/lldpd/blob/1.0.17/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Drop patch (already in version)
- Update hash of web/license.html because SPDX identifier is used since
6bf68d3086
- COPYING has been replaced by LICENSE-LGPL and LICENSE-MIT since
1638416feehttps://github.com/OSGeo/shapelib/releases/tag/v1.6.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With this patch package builds with Linux up to version 6.7
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop second patch (already in version)
http://www.gnuplot.info/ReleaseNotes_5_4_10.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
python3 is an optional dependency (enabled by default) since bump to
version 0.7.7 in commit 4314c86b0b and
02fc25f9d3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The test_python_ml_dtypes.py enabled BR2_PACKAGE_PYTHON3_ZLIB=y in its
configuration to workaround the fact that the toolchain used to
testing was tainted with zlib.
The commit 7e0e6e3
"toolchain/toolchain-external/toolchain-external-bootlin: update to
2023.11-1" updated the toolchains which are no longer tainted with
zlib.
The workaround is no longer needed and this commit removes this
config, for consistency.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
New toolchains have been released, with the following changes:
- The bleeding-edge toolchains are based on gcc 13.2, binutils 2.41,
gdb 14.1, kernel headers 5.10, glibc 2.38, musl 1.2.4 or uclibc-ng
1.0.45.
- The stable toolchains are based on gcc 12.3, binutils 2.40, gdb
13.2, kernel headers 4.14, glibc 2.38, musl 1.2.4 or uclibc-ng
1.0.45.
- The glibc version is no longer affected by CVE-2023-4911
- The gdb build has been fixed to no longer rely on uninstalled
libbfd.so and libopcodes.so libraries
- The zlib library, which was incorrectly present in the toolchain
sysroot, is gone, fixing various build failures encountered with
2023.08 toolchains.
- There are now toolchains for m68k 68xxx based on uclibc and musl in
addition to glibc, which was already supported
The careful reviewer will notice that a number of
depends on !BR2_ARCH_NEEDS_GCC_AT_LEAST_14
are being added to the toolchains that use gcc 13.x, as per
a0d2a5cfec
("support/scripts/gen-bootlin-toolchains: generate
BR2_ARCH_NEEDS_GCC_AT_LEAST_X guard").
All 214 test cases were successfully run:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1120323562
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since commit
a0d2a5cfec ("support/scripts/gen-bootlin-toolchains:
generate BR2_ARCH_NEEDS_GCC_AT_LEAST_X guard"), the
gen-bootlin-toolchains script will generate references to
BR2_ARCH_NEEDS_GCC_AT_LEAST_X including potentially against the "next"
version of gcc.
Indeed, a toolchain using gcc 13.x should have a "depends on
!BR2_ARCH_NEEDS_GCC_AT_LEAST_14" so that once some architectures that
require gcc 14.x are added, such toolchains are not made visible.
In order for this to work, we must have the
BR2_ARCH_NEEDS_GCC_AT_LEAST_x symbol ready for the N+1 version of gcc
compared to the latest one we support.
As we're supporting up to gcc 13.x right now, let's introduce the
symbol BR2_ARCH_NEEDS_GCC_AT_LEAST_14 so that gcc 13.x toolchains can
be marked depends on !BR2_ARCH_NEEDS_GCC_AT_LEAST_14.
The other alternative would be to make the gen-bootlin-toolchains a
bit smarter, and not emit this depends on
!BR2_ARCH_NEEDS_GCC_AT_LEAST_14 if BR2_ARCH_NEEDS_GCC_AT_LEAST_14 does
not exist. But this would require re-running the script when
BR2_ARCH_NEEDS_GCC_AT_LEAST_14 which we are unlikely to do. While
today, when the script is invoked, the usual check-symbols complains
and reminds us that BR2_ARCH_NEEDS_GCC_AT_LEAST_14 should be added, so
we remember to do it right away.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
