Fixes the following security issues:
- CVE-2016-6328: A vulnerability was found in libexif. An integer overflow
when parsing the MNOTE entry data of the input file. This can cause
Denial-of-Service (DoS) and Information Disclosure (disclosing some
critical heap chunk metadata, even other applications' private data).
- CVE-2017-7544: libexif through 0.6.21 is vulnerable to out-of-bounds heap
read vulnerability in exif_data_save_data_entry function in
libexif/exif-data.c caused by improper length computation of the allocated
data of an ExifMnote entry which can cause denial-of-service or possibly
information disclosure.
- CVE-2018-20030: An error when processing the EXIF_IFD_INTEROPERABILITY and
EXIF_IFD_EXIF tags within libexif version 0.6.21 can be exploited to
exhaust available CPU resources.
- CVE-2019-9278: In libexif, there is a possible out of bounds write due to
an integer overflow. This could lead to remote escalation of privilege in
the media content provider with no additional execution privileges needed.
User interaction is needed for exploitation.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Backport patch from upstream to fix build failures such as:
In file included from /home/buildroot/autobuild/instance-0/output-1/build/gnuradio-3.8.0.0/gr-digital/lib/glfsr.cc:23:
/home/buildroot/autobuild/instance-0/output-1/build/gnuradio-3.8.0.0/gr-digital/lib/../include/gnuradio/digital/glfsr.h:42:5: error: 'uint32_t' does not name a type; did you mean 'u_int32_t'?
uint32_t d_shift_register;
^~~~~~~~
u_int32_t
Since Gnuradio policy is Less boost == better and C++11 is used, use cstdint
instead of boost/cstdint.hpp.
Applied in gnuradio master (475e4a156b516c089175afb998acdc80b740b437)
fix:
- http://autobuild.buildroot.net/results/14015f499e58fee530877ac052878bbe2f799942/
- http://autobuild.buildroot.net/results/53239f98dd5e03d4dc1bb4eb91ed765f77dbf0ec/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
[yann.morin.1998@free.fr:
- add upstream reference in the patch itself
- minor eye-candy in commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[yann.morin.1998@free.fr: also guard comment with x86 dependency]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
iris is inherently an x86-only driver, and it hard codes gcc options
specific to x86m like -msse2, causing build breakage on other
architectures.
iris also does not use kmsro, but the select was accidentally added when
iris was introduced.
Fix both by adding the missing dependency to x86, and by removing the
select to kmsro.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[yann.morin.1998@free.fr:
- ad dependency to x86
- reword commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
These updated patches fix the same issues but are backported from upstream
commits instead of pull requests.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
After commit:
https://git.buildroot.net/buildroot/commit/?id=fb49c7a26182f9d48f8283e7328fddc216962c94
gstreamer entry in package/Config.in was left behind resulting in every
make call to fail. So let's remove orphaned gstreamer entry from
package/Config.in
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Gstreamer 0.10 has been deprecated upstream since 2012 and is missing a lot
of features and (security) fixes compared to gstreamer1, so remove it.
All gstreamer-0.10 sub packages depends on gstreamer, so we only need to add
a legacy entry for that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the upcoming removal of gstreamer 0.10, the logic for installing
binaries using gstreamer 0.10.x in nvidia-tegra23-binaries must go as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the upcoming removal of gstreamer 0.10, the logic for building freerdp
with support for it must go as well.
As there is now a single option for gstreamer (1.x) support, convert the
gstreamer support choice to a normal option for simplicity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the upcoming removal of gstreamer 0.10, the logic for building opencv3
with support for it must go as well.
As there is now a single option for gstreamer (1.x) support, convert the
gstreamer support choice to a normal option for simplicity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the upcoming removal of gstreamer 0.10, the logic for building opencv
with support for it must go as well.
As there is now a single option for gstreamer (1.x) support, convert the
gstreamer support choice to a normal option for simplicity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Libplayer is dead upstream. The mercurial repo is no longer online, it
hasn't seen any releases since 2010 and the mplayer backend was removed from
Buildroot in 2018.
With the upcoming removal of gstreamer 0.10, there is no longer any backends
available in Buildroot, so remove the package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the upcoming removal of gstreamer 0.10, the logic for building
qt5multimeda with support for it must go as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the upcoming removal of gstreamer 0.10, the logic for building
libnice with support for it must go as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the upcoming removal of gstreamer 0.10, the logic for building
gupnp-dlna with support for it must go as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With the upcoming removal of gstreamer 0.10, the logic for building
classpath with support for it must go as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Most, but not all our C code follows the Linux kernel code style (as
documented in Documentation/process/coding-style.rst). Adjust the few
places doing differently:
- Braces:
..but the preferred way, as shown to us by the prophets Kernighan
and Ritchie, is to put the opening brace last on the line
- Spaces after keywords:
Use a space after (most) keywords
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When Buildroot is released, it knows up to a certain kernel header
version, and no later. However, it is possible that an external
toolchain will be used, that uses headers newer than the latest version
Buildroot knows about.
This may also happen when testing a development, an rc-class, or a newly
released kernel, either in an external toolchain, or with an internal
toolchain with custom headers (same-as-kernel, custom version, custom
git, custom tarball).
In the current state, Buildroot would refuse to use such toolchains,
because the test is for strict equality.
We'd like to make that situation possible, but we also want the user not
to be lenient at the same time, and select the right headers version
when it is known.
So, we add a new Kconfig blind option that the latest kernel headers
version selects. This options is then used to decide whether we do a
strict or loose check of the kernel headers.
Suggested-by: Aaron Sierra <asierra@xes-inc.com>
Signed-off-by: Vincent Fazio <vfazio@xes-inc.com>
[yann.morin.1998@free.fr:
- only do a loose check for the latest version
- expand commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Vincent Fazio <vfazio@xes-inc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The default inittab files added by busybox and sysvinit runs 'swapon -a'
during init and 'swapoff -a' during shutdown, but those programs are not
guaranteed to be available, so the boot log may become polluted by error
messages like this:
swapon: not found
Add a target-finalize hook to skeleton-init-sysv that enables or disables
the swapon/swapoff lines in /etc/inittab, depending on the existence of
$(TARGET_DIR)/sbin/swap{on,off}.
Based on a previous patch sent by Thomas De Schampheleire.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
After d255b67972 (autotools: do not overwrite first include path), the
ordering of include paths has changed: the system directories are
specified with explicit options passed to autoreconf, which means that
any directory specified in the package _AUTORECONF_OPTS are no longer
first:
- in package/autoconf/autoconf.mk, we define AUTORECONF as:
AUTOCONF = $(HOST_DIR)/bin/autoconf -I "$(ACLOCAL_DIR)" -I "$(ACLOCAL_HOST_DIR)"
- in package/pkg-autotools.mk, we call AUTORECONF with:
$($(PKG)_AUTORECONF_ENV) $(AUTORECONF) $($(PKG)_AUTORECONF_OPTS)
So, the include directory specified by SDL_MIXER_AUTORECONF_OPTS is now
lagging behind the system headers, and the very issue that d255b67972
was suposed to fix in a generic way, pops up back for this specific
case.
We fix that by patching sdl_mixer so that it uses the bog-down standard
mechanisms, to specify the macro directory from within configure.in,
instead of specifying it on the command line, so that the magic
introduced by d255b67972 does happen.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Michael Walle <michael@walle.cc>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The glibc package has been updating the toolchain version
dependency since 2.28.x. The dependencies don't currently
apply to the localedef build of the package, so this
patchset relaxes the restriction such that builds can still
occur on older host machines.
The current supported minimum versions after this patch
is applied are:
GCC 4.8
Binutils 2.24
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
an internal API change introduced by version 3.3.0 causes the following failure:
```
Error: LuaRocks 3.3.1 bug (please report at https://github.com/luarocks/luarocks/issues).
Arch.: linux-x86_64
.../user/build/qarm/host/share/lua/5.3/luarocks/queries.lua:55: assertion failed!
stack traceback:
[C]: in function 'assert'
.../user/build/qarm/host/share/lua/5.3/luarocks/queries.lua:55: in function 'luarocks.queries.new'
...m/host/share/lua/5.3/luarocks/cmd/external/buildroot.lua:322: in function 'luarocks.cmd.external.buildroot.command'
(...tail calls...)
[C]: in function 'xpcall'
/home/user/build/qarm/host/share/lua/5.3/luarocks/cmd.lua:620: in function 'luarocks.cmd.run_command'
/home/user/build/qarm/host/bin/luarocks:38: in main chunk
[C]: in ?
```
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop patches already applied upstream and, consequently, AUTORECONF.
util-linux 2.35.1 Release Notes
===============================
build-sys:
- add --disable-hwclock-gplv3 [Karel Zak]
chrt:
- Use sched_setscheduler system call directly [jonnyh64]
lib/randutils:
- use explicit data types for bit ops [Karel Zak]
libfdisk:
- fix __copy_partition() [Karel Zak]
- make sure we use NULL after free [Karel Zak]
libmount:
- fix x- options use for non-root users [Karel Zak]
po:
- update uk.po (from translationproject.org) [Yuri Chornoivan]
sfdisk:
- make sure we do not overlap on --move [Karel Zak]
- remove broken step alignment for --move [Karel Zak]
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If the host cmake is 3.10, the configuration step produces
the following error:
CMake Error at CMakeLists.txt:87 (target_link_libraries):
Target "libninja" of type OBJECT_LIBRARY may not be linked into another
target. One may link only to STATIC or SHARED libraries, or to executables
with the ENABLE_EXPORTS property set.
This patch fixes CMakeLists.txt to use the object library as it was intended
in cmake 3.10.
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=12546
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Damian Tometzki <dti@familie-tometzki.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop libmnl dependency. From the announcement:
* netlink: remove libmnl requirement
We no longer require libmnl. It turns out that inlining the small subset of
libmnl that we actually use results in a smaller binary than the overhead of
linking to the external library.
pkg-config is still used for the systemd support though, so move the
host-pkgconf dependency there.
For more details, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-February/004963.html
While we are at it, adjust the white space in the .hash file to match the
new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Includes fixes for issues found through fuzzing. For details, see the
announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-February/004962.html
While we are at it, adjust the white space in the .hash file to match the
new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a bugfix release which solves a couple of build issues.
Full release notes:
https://wpewebkit.org/release/wpebackend-fdo-1.4.1.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add an upstreamed patch that reorders find_package() commands.
This way Python interpreter will be detected first and based on
it the Python libraries can be found.
Fixes the following CMake error:
Could NOT find PythonLibs (missing: PYTHON_LIBRARIES PYTHON_INCLUDE_DIRS)
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2020-3123: A vulnerability in the Data-Loss-Prevention (DLP)
module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0
could allow an unauthenticated, remote attacker to cause a denial of service
condition on an affected device. The vulnerability is due to an
out-of-bounds read affecting users that have enabled the optional DLP
feature. An attacker could exploit this vulnerability by sending a crafted
email file to an affected device. An exploit could allow the attacker to
cause the ClamAV scanning process crash, resulting in a denial of service
condition.
Release notes:
https://lists.clamav.net/pipermail/clamav-announce/2020/000045.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We can only know the details of the license files for known versions. For
custom, older or newer versions, the license files may change, or may be
moved around.
So, do for optee-os as was done for other packages in the recent past,
and only define the list of license files for the latest version.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We can only know the details of the license files for known versions. For
custom, older or newer versions, the license files may change, or may be
moved around.
So, do for at91bootstrap3 as was done for other packages in the recent
past, and only define the list of license files for the latest version.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We can only know the details of the license files for known versions. For
custom, older or newer versions, the license files may change, or may be
moved around.
So, do for Barebox as was done for ATF, linux, and linux-headers, and
only define the list of license files for the latest version.
Add the hash for that license file, and align hashes to the new spacing
convention.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We can only know the details of the license files for known versions. For
custom, older or newer versions, the license files may change, or may be
moved around.
So, do for U-Boot as was done for ATF, linux, and linux-headers, and only
define the list of license files for the latest version.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Like we did for the linux kernel, change linux-headers to only check the
license hashes for the latest known version as the content of COPYING has
changed between versions.
To simplify the test, we introduce an intermediate, blind option that get
selected when the latest kernel sources are used.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The content of COPYING changed between v4.16 and v4.17. Since kernels
before and after the change are supported, storing the hash for this
file will cause an error during "make legal-info" when a kernel with the
respective other hash is being used.
So, for the kernel, we do like we did for ATF: the license file is only
listed for the latest version.
In the process, add the missing license files referenced from COPYING
and align the fields to the new spacing convention.
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
[yann.morin.1998@free.fr:
- only list the licenses files for the latest version
- restore the hash for COPYING
- introduce hashes for the two new license files
- expand commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
GLSL Sandbox standalone player allow one to run and render
(most of) nice shaders available online on the
http://glslsandbox.com/ website, but without the need of an
Internet connection, a web browser or any of its
dependencies. Instead, the only requirement of
glslsandbox-player is a working EGL and GLESv2 libraries.
This package is useful for stressing and testing GLES shader
compiler in GPU drivers.
https://github.com/jolivain/glslsandbox-player
Signed-off-by: Julien Olivain <juju@cotds.org>
[Arnout: add dependency on threads and make BUSYBOX_SHOW_OTHERS
conditional]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This fixes CVE-2020-7044:
In Wireshark 3.2.x before 3.2.1, the WASSP dissector could crash.
This was addressed in epan/dissectors/packet-wassp.c by using
>= and <= to resolve off-by-one errors.
Also change the hash file to the new spacing convention introduced
by Yann E. Morin.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This fixes CVE-2019-5188:
A code execution vulnerability exists in the directory rehashing
functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4
directory can cause an out-of-bounds write on the stack, resulting
in code execution. An attacker can corrupt a partition to trigger
this vulnerability.
Also change the hash file to the new spacing convention introduced
by Yann E. Morin.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Xen was bumped from 4.12 to 4.13 in commit
268e5689b5, but the license file hash
was not updated. However, the license file has changed, with a new
paragraph about the Sphinx documentation being licensed under CC-BY
4.0 was added. Update the SHA to match the new license.
Take this opportunity to re-align the hashes.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The seperation of the fields in the hash file should be 2 spaces for
consitency
Update the manual accordingly.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
[yann.morin.1998@free.fr:
- drop the notes part, reword the first hunk
- update the examples
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This makes slight modifications to the waf build definition files
that make possible to compile norm with Waf running on Python3.
This has been tested on my experimental Python3 waf-package
infrastructure, and still works with the actual Py2 setup.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>