Fixes CVE-2023-4012 (see [1] for details).
[1] https://gitlab.com/NTPsec/ntpsec/-/releases/NTPsec_1_2_2a
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 642b42928e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️aubio:aubio is a valid identifier for
this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=aubio
Signed-off-by: Clément Ramirez <clement.ramirez@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 969bd6e3dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In upstream commit e71ecc8771a4f13bc6046438ab0845944831b9a6 ("build:
Remove deprecated -Diconv option"), merged since glib 2.75.1, the
meson -Diconv option was removed.
In Buildroot, this means that the build of libglib2 has been broken
since commit 3f9622fe3d, which bumped
libglib2 from 2.72.3 to 2.76.1 for configurations that have libiconv
enabled, causing this build failure:
../output-1/build/libglib2-2.76.1/meson.build:1:0: ERROR: Unknown options: "iconv"
iconv is now automatically detected by Meson machinery, and so the
option was considered as no longer being needed. This commit fixes
that by dropping the useless -Diconv=external.
Another related change done is remove the double addition of libiconv
into the <pkg>_DEPENDENCIES variable: libiconv can only be enabled
when BR2_ENABLE_LOCALE is disabled, and libglib2/Config.in selects
BR2_PACKAGE_LIBICONV when !BR2_ENABLE_LOCALE. So testing
BR2_ENABLE_LOCALE!=y and BR2_PACKAGE_LIBICONV=y is exactly the same
thing, causing libiconv to be added twice to the dependencies.
Fixes:
http://autobuild.buildroot.net/results/d2da03f7558f3b6ee59c813bb64115702e52704c/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ff050de534)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mpd's Config.in selects expat and/or yajl depending on which
sub-options is enabled, and adds build dependencies, but does not pass
-D<option>=enabled/disabled for both of these features, relying on
auto-detection.
This commit fixes that by explicitly enabling/disabling expat and yajl
depending on their presence. The mpd sub-options no longer need to
have these as build-time dependencies, as it is handled globally.
Signed-off-by: Andreas Ziegler <br015@umbiko.net>
[Thomas: extracted from
https://patchwork.ozlabs.org/project/buildroot/patch/20221005091032.3014-5-br015@umbiko.net/]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3693462a1f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Just like BR2_PACKAGE_MPD_UPNP_PUPNP needs expat and curl support,
BR2_PACKAGE_MPD_UPNP_NPUPNP also needs expat and curl. curl was
already selected, but not expat. It didn't cause any visible issue, as
BR2_PACKAGE_MPD_UPNP_NPUPNP selects BR2_PACKAGE_LIBNPUPNP, which
itself select BR2_PACKAGE_EXPAT. But as mpd directly checks for the
availability of expat, it makes sense to also select it directly.
Signed-off-by: Andreas Ziegler <br015@umbiko.net>
[Thomas: extracted from a larger patch at
https://patchwork.ozlabs.org/project/buildroot/patch/20221005091032.3014-5-br015@umbiko.net/]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6cdb48a048)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
id3tag is a sub-feature that is needed to extract information from mp3 files.
It selects the corresponding library and handles config settings. Two other
features need this sub-feature, but handle all library selections themselves
and omit enabling the id3tag feature. In consequence, users have to remember
to select both mp3 library and id3tag, otherwise the mpd executable will not
process mp3 files.
Reflect feature dependency in mpd Config.in to make id3tag selection automatic.
Signed-off-by: Andreas Ziegler <br015@umbiko.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 876a365ea2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 54b9008d48 ("package/mpd: bump
to version 0.21.11"), mpd was migrated from using the autotools build
system to the meson build system.
As part of this, the BR2_PACKAGE_MPD_TCP was incorrectly modified,
leading BR2_PACKAGE_MPD_TCP disabled to actually enable TCP, and
BR2_PACKAGE_MPD_TCP enabled to not explicitly enable TCP support.
This commit fixes that by handling this option in the common way.
Signed-off-by: Andreas Ziegler <br015@umbiko.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit be08ba3569)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The less package currently installs only the "less" binary, rather
than running the default "make install" behavior from the autotools
build system.
However, at least another binary, "lessecho" is needed for the "s"
command in less to work properly: so in that sense this commit is
fixing a broken behavior.
Since the less installation only installs 3 programs, "less",
"lessopen" and "lesskey", there is no good reason to not use the
default installation command, which we do in this commit.
Signed-off-by: Nicolas Carrier <carrier.nicolas0@gmail.com>
[Thomas: rework commit message]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8b1bc64d92)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch cleans up the shellcheck issues in the versal post scripts.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2b738044ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The at91dataflashboot code contains some hand-written ARM assembly
that uses ARM classic instructions, and will not build in Thumb-1
mode.
This issue has always existed in Buildroot, but it's only since we
started testing random configurations, including Thumb-1
configurations, that this issue popped up.
Fixes:
http://autobuild.buildroot.net/results/68bf2291201ef1882d8e8d3eca2b1a5ad731e4b0/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 07acc00add)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 319c56dfe3 bumped
stellarium which included these commits
b3f02beaec5d5edd0e5f
It downloads external packages during the build:
$ find output/build/stellarium-23.2/ -iname *.tar.*
output/build/stellarium-23.2/_deps/eigen3-subbuild/eigen3-populate-prefix/src/eigen-3.4.0.tar.bz2
output/build/stellarium-23.2/_deps/showmysky-qt5-subbuild/showmysky-qt5-populate-prefix/src/v0.3.1.tar.gz
which breaks offline builds.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2616272339)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 319c56dfe3 bumped
stellarium which included this commit
186b06fa21
It removed the previously bundled QXlsx source and lets stellarium
git-clone the sourcecode of the QXlsx package (not present in buildroot)
during the build:
$ find output/build/stellarium-23.2/ -iname .gitignore | grep qxl
output/build/stellarium-23.2/_deps/qxlsxqt5-src/.gitignore
which breaks offline builds.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b032b3b1df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 319c56dfe3 bumped
stellarium which included this commit
186b06fa21
It removed the previously bundled libindi source and lets stellarium
download the sourcecode of the indiclient package (not present in
buildroot) during the build:
$ find output/build/stellarium-23.2/ -iname *.zip
output/build/stellarium-23.2/_deps/indiclient-subbuild/indiclient-populate-prefix/src/v1.8.5.zip
which breaks offline builds.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c2a450ddd6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 05a0adea83)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Go 1.20.6 and 1.19.11 include a security check of the http Host header:
https://github.com/golang/go/issues/60374
docker-cli does not satisfy this check:
$ docker exec -it ctr bash
http: invalid Host header
This is a backported patch to fix this issue:
Issue: https://github.com/moby/moby/issues/45935
Upstream PR: https://github.com/moby/moby/pull/45942
The upstream PR has been merged and will be included in v24.0.5.
Signed-off-by: Christian Stewart <christian@aperture.us>
Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Go 1.20.6 and 1.19.11 include a security check of the http Host header:
https://github.com/golang/go/issues/60374
docker-cli does not satisfy this check:
$ docker exec -it ctr bash
http: invalid Host header
This is a backported patch to fix this issue:
Issue: https://github.com/moby/moby/issues/45935
Upstream PR: https://github.com/moby/moby/pull/45942
The upstream PR has been merged and will be included in v24.0.5.
Signed-off-by: Christian Stewart <christian@aperture.us>
Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit f445c63558 (package/rtl8192eu: bump to version 2023-06-23 on
branch 5.11.2.1) dropped 0002-Fix-conflicting-get_ra-on-PowerPC.patch but
forgot to update .checkpackageignore, leading to gitlab failures:
.checkpackageignore:1381: ignored file package/rtl8192eu/0002-Fix-conflicting-get_ra-on-PowerPC.patch is missing
https://gitlab.com/buildroot.org/buildroot/-/jobs/4996203885
Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is no such thing as a BR2_TARGET_GENERIC_TTY_PATH variable. The
comment here should mention BR2_TARGET_GENERIC_GETTY_PORT instead.
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e0ff6ad7ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.19.12 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler.
Fixes CVE-2023-29409: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server to
expend significant CPU time verifying signatures. Limit this by restricting the
size of RSA keys transmitted during handshakes to <= 8192 bits.
Based on a survey of publicly trusted RSA keys, there are currently only three
certificates in circulation with keys larger than this, and all three appear to
be test certificates that are not actively deployed. It is possible there are
larger keys in use in private PKIs, but we target the web PKI, so causing
breakage here in the interests of increasing the default safety of users of
crypto/tls seems reasonable.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit [1], the testsuite build is unconditionally disabled
although we have the option BR2_PACKAGE_XENOMAI_TESTSUITE to
install Xenomai testsuite on the target.
Handle --disable-testsuite option with BR2_PACKAGE_XENOMAI_TESTSUITE.
[1] 74196b7d05
Signed-off-by: Pierre Ficheux <pierre.ficheux@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bc9a8ef111)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch 0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch
should have been deleted as part of Buildroot commit
08792a60df ("package/sysdig: bump to
version 0.29.3"). Indeed, this patch was merged upstream as commit
114436c1a45142ef73acfc2607fbc6572782160f between 0.29.2 and 0.29.3.
This fixes the following build failure:
Applying 0001-cmake-Check-USE_BUNDLED_DEPS-before-getting-nlohmann.patch using patch:
patching file cmake/modules/nlohmann-json.cmake
Reversed (or previously applied) patch detected! Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file cmake/modules/nlohmann-json.cmake.rej
There are no autobuilder failures, probably because getting to build
sysdig requires so many special conditions that it never triggered.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e434d8a29f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 9079079092 (utils/docker-run: fix support for git-worktrees)
got last-minute changes when it was applied, and the case when the
current working directory is not the top of the current working copy
got broken.
Fix that by duplicating (and thus reinstating) the 'cd MAIN_DIR' to
match what is done when retrieving the git-common-dir.
Fixes: 9079079092
Reported-by: Brandon Maier <Brandon.Maier@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5b559109ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The cmocka package checks if a toolchain supports the
-fstack-clash-protection compiler flag, and if it does automatically
uses it. That flag is not supported by GCC for Thumb1 builds (at least
as of both GCC 11 and GCC 12). Let's tell cmocka about this by passing
-DWITH_STACK_CLASH_PROTECTION=OFF in this configuration, as suggested
by Arnout Vandecappelle.
Fixes:
http://autobuild.buildroot.net/results/4044b3a71d3130d934c7a7c0c5badfabb2a97030/
Signed-off-by: Joel Carlson <JoelsonCarl@gmail.com>
[Thomas: change the initial patch from Joel to use the suggestion from
Arnout]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5622c76bf4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Current versions of sam-ba are 64bit only.
objdump -p $(HOST_DIR)/bin/sam-ba
$(HOST_DIR)/bin/sam-ba: file format elf64-x86-64
Signed-off-by: Daniel Lang <d.lang@abatec.at>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 71b5ea4030)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It was a leftover from the copy-and-paste of the readme.txt file of its
almost twin sister BSH SMM S2 PRO.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Reviewed-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d4f23da67e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The bind package exhibits gcc bug 101737 when built for the SH4
architecture with optimization enabled, which causes a build failure.
As done for other packages in Buildroot work around this gcc bug by
setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_101737=y.
To achieve this we need to correct the override of CFLAGS by using:
BIND_CONF_OPTS += CFLAGS="$(BIND_CFLAGS)"
instead of:
BIND_CONF_ENV = BUILD_CFLAGS"$(BIND_CFLAGS)"
since the latter doesn't work as expected and doesn't override CFLAGS.
Fixes:
http://autobuild.buildroot.net/results/e7b/e7b9a4cbee8bb16431609182b96d1ac1ccec10e7/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 105e3b34be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The docker-run script attempts to support git-new-workdirs and
git-worktrees by resolving the symlink at '$GIT_DIR/config' to get the
true $GIT_DIR. However this does not work for git-worktrees as they do
not use symlinks, instead they change the $GIT_DIR into a regular file
that contains the path to the real $GIT_DIR. To complicate things
further, we actually want the $GIT_COMMON_DIR which is the superset of a
worktree's $GIT_DIR.
git-rev-parse supports the '--git-common-dir' which will resolve the
$GIT_COMMON_DIR for us. However it does not work for git-new-workdirs,
so we still need to detect and handle them.
'--git-common-dir' also appeared only with git 2.10.0, released in 2016,
so it will not be available in older "enterprise-grade" distributions.
In that case, 'git rev-parse --git-common-dir' would return the option
flag '--git-common-dir' as-is, which is incorrect. So, we instruct it to
never return flags.
'--git-common-dir' also returns just '.git' for the main working copy,
but 'docker run' want an absolute path, so we canonicalise it.
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
[yann.morin.1998@free.fr:
- support git versions before --git-common-dir was introduced
- don't mount GIT_DIR if unknown (i.e. not needed)
- fix expanding MAIN_DIR
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9079079092)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a bug present since v0.3.3 that causes extremely slow writes to
NOR flashes.
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit be57403d04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Backport upstream patch to fix build error seens with alsa-lib:
error.c:(.text+0x12c): undefined reference to `__tls_get_addr'
Fixes:
http://autobuild.buildroot.net/results/525ca7fe78015168c186ffda5fa52c0edb2071c9/
The fix is included in gcc 13.x.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4ce0dacb60)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure:
/tmp/ccqcLrVb.s:4053: Error: selected processor does not support `umlal r2,r1,r0,r3' in Thumb mode
/tmp/ccqcLrVb.s:4076: Error: selected processor does not support `umlal r0,r3,r1,r2' in Thumb mode
/tmp/ccqcLrVb.s:8644: Error: selected processor does not support `umlal r0,r3,r2,r4' in Thumb mode
Fixes:
http://autobuild.buildroot.net/results/1d09a0a58cbc1712416de746d57d4532df580673/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 73ddf7bf50)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
