Upstream CHANGELOG entry for 4.3.0 lists these fixes:
- CVE-2018-18408 use-after-free in post_args (#489)
- CVE-2018-18407 heap-buffer-overflow csum_replace4 (#488)
- CVE-2018-17974 heap-buffer-overflow dlt_en10mb_encode (#486)
- CVE-2018-17580 heap-buffer-overflow fast_edit_packet (#485)
- CVE-2018-17582 heap-buffer-overflow in get_next_packet (#484)
- CVE-2018-13112 heap-buffer-overflow in get_l2len (#477 dup #408)
Drop tr_cv_libpcap_version and ac_cv_have_bpf; unused in current
configure script.
Make configure script use pcap-config to list library dependencies.
Unfortunately, pcap-config is not entirely correct, so we still need to
set the LIBS variable for static linking.
Use the smaller tar.xz archive.
Add license file hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update x11vnc from 0.9.15 to 0.9.16. For the changes, see
https://github.com/LibVNC/x11vnc/compare/0.9.15...0.9.16
Signed-off-by: Martin Kepplinger <martink@posteo.de>
[Peter: add hash for COPYING]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The hard coded -I/usr/include/efivar has been dropped from the Makefile in
commit 000eb0020c02 (Set pkg-config binary as variable) which is part of
v13, so drop the unneeded (misnamed) EFIBOOTMSR_PATCH_HEADER_PATH workaround.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes an out-of-bounds read, the parsing of some a malformed URIs and a
function that reported 1 more byte than actually needed for IPv4 address
URIs. For additional datails, see
https://github.com/uriparser/uriparser/blob/uriparser-0.9.1/ChangeLog
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following warning:
package/exempi/Config.in:14:warning: multi-line strings not supported
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The license.txt file has been updated with Solarus Free Resource Pack URL.
Before version 1.6.0, the archive was downloaded from github and license_gpl.txt
file which is present in the git repository.
Since version 1.6.0, the archive is downloaded from [1] but the license_gpl.txt
file is missing.
This has been reported upstream [2].
[1] http://www.solarus-games.org
[2] https://gitlab.com/solarus-games/solarus/issues/1328
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This includes an patch that fixes the following error:
```
/home/buildroot/build/instance-0/output/build/php-zmq-1.1.3/zmq.c: In function 'php_zmq_context_get':
/home/buildroot/build/instance-0/output/build/php-zmq-1.1.3/zmq.c:238:20: error: lvalue required as left operand of assignment
GC_REFCOUNT(&le) = 1;
^
/home/buildroot/build/instance-0/output/build/php-zmq-1.1.3/zmq.c: In function 'php_zmq_socket_store':
/home/buildroot/build/instance-0/output/build/php-zmq-1.1.3/zmq.c:538:19: error: lvalue required as left operand of assignment
GC_REFCOUNT(&le) = 1;
```
The patch was created from the PR at:
https://github.com/mkoppanen/php-zmq/pull/195
Upstream has not merged the PR. Fixes:
http://autobuild.buildroot.org/results/3f2/3f258fbc7352c3d7205bc6402145be1102d69683
Signed-off-by: Frank Hunleth <fhunleth@troodon-software.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the upstream changelog:
New Features in irqbalance 1.5.0
* file based socket ipc mechanism
* support for multiple policy scripts
* add some sandboxing support
* enhanced debug output
* Imroved irq type determination for ARM
Bugs fixed:
* Fixed xen event interrupt detection
* Fix node parsing in sysfs
* Covscan fixes
* Fix use on systems without a pci bus
* Various other cleanups
Signed-off-by: Florian La Roche <F.LaRoche@pilz.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The licence changed from BSD to LGPL 2.1 or later, update this
accordingly.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This enables a riscv32 system to be built with a Buildroot generated
toolchain (gcc >= 7.x, binutils >= 2.30, glibc only).
This requires a custom version of glibc 2.26 from the riscv-glibc
repository. Note that there are no tags in this repository, so the
glibc version just consists of the 40 character commit id string.
Thanks to Fabrice Bellard for pointing me towards the 32-bit glibc
repository and for providing the necessary patch to get it to build.
Signed-off-by: Mark Corbin <mark.corbin@embecosm.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2019-3498: Content spoofing possibility in the default 404 page
For more details, see the announcement:
https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
[Peter: mention that bump fixes security issues]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 62d5558f76 (utils/get-developers: make it callable from elsewhere
than the toplevel directory) tried to fix this by passing in the toplevel
directory when the DEVELOPERS file is parsed.
Unfortunately this is not enough, as E.G. also the paths listed in the
patches are relative to the toplevel directory, causing it to not match the
entries in the DEVELOPERS file.
In concept this can be fixed by also passing the toplevel directory to the
Developers class, but the simplest solution is just to chdir to the toplevel
Buildroot directory before calling any of the getdeveloperlib functions.
This does require us to finish parsing command line arguments (which opens
the provided patch files) to not get into trouble with relative paths to
patches before chdir'ing / initializing getdeveloperlib.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 62d5558f76.
This actually does not work, as patches contain paths relative to the
toplevel directory as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From [1]:
* All GCC 8.2 features. For details on GCC 8 release series.
* Linaro specific pre-processor macros to ensure that this is a
continuation from the Linaro releases.
* Spectre v1 mitigation backport from upstream FSF trunk include the
revisions. This is an initial backport of those mitigations in
the GNU toolchain and should be regarded as support for prototyping
and early access only. Moreover, while the backports include support
for the other architectures, they are included for completeness and
all issues regarding these patches must be taken up upstream in the
https://gcc.gnu.org/bugzilla by reproducing the same with upstream
FSF trunk.
Arm is interested in feedback regarding these workarounds for
Spectre v1.
A description of the mitigation has been published on LWN.net.
See "Release Note":
[1] https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads#
Tested with qemu_aarch64_virt_defconfig.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From [1]:
* All GCC 8.2 features. For details on GCC 8 release series.
* Linaro specific pre-processor macros to ensure that this is a
continuation from the Linaro releases.
* Spectre v1 mitigation backport from upstream FSF trunk include the
revisions. This is an initial backport of those mitigations in
the GNU toolchain and should be regarded as support for prototyping
and early access only. Moreover, while the backports include support
for the other architectures, they are included for completeness and
all issues regarding these patches must be taken up upstream in the
https://gcc.gnu.org/bugzilla by reproducing the same with upstream
FSF trunk.
Arm is interested in feedback regarding these workarounds for
Spectre v1.
A description of the mitigation has been published on LWN.net.
See "Release Note":
[1] https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads#
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From [1]:
* All GCC 8.2 features. For details on GCC 8 release series.
* Linaro specific pre-processor macros to ensure that this is a
continuation from the Linaro releases.
* Spectre v1 mitigation backport from upstream FSF trunk include the
revisions. This is an initial backport of those mitigations in
the GNU toolchain and should be regarded as support for prototyping
and early access only. Moreover, while the backports include support
for the other architectures, they are included for completeness and
all issues regarding these patches must be taken up upstream in the
https://gcc.gnu.org/bugzilla by reproducing the same with upstream
FSF trunk.
Arm is interested in feedback regarding these workarounds for
Spectre v1.
A description of the mitigation has been published on LWN.net.
See "Release Note":
[1] https://developer.arm.com/open-source/gnu-toolchain/gnu-a/downloads#
Tested with qemu_arm_vexpress_defconfig.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes regressions introduced by the v8.14.0 security release. From the
announcement:
The 8.14.0 security release introduced some unexpected breakages on the 8.x
release line. This is a special release to fix a regression in the HTTP
binary upgrade response body and add a missing CLI flag to adjust the max
header size of the http parser.
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump Linux to version 4.14.91 and U-Boot to version 2018.11.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump U-Boot and kernel to their latest releases.
Remove the documented limitations. Recent kernels added support for the
SOM SPI flash, and the carrier SFP port.
Mention the 'dd' command in the warning text. No script is involved.
Cc: Jan Kundrát <jan.kundrat@cesnet.cz>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
According to https://www.kernel.org/category/releases.html, these kernel
versions are no longer supported, so drop them now that we have added 4.20.x
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The script is utils/get-developers but the manual refers to get-developer in
several places.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This update includes two specific fixes that have been backported
to the glibc 2.28 release branch from the glibc master branch:
1) UAPI header file asm/syscalls.h has been merged into the UAPI
asm/unistd.h header file for the RISC-V architecture in the
4.20 kernel. This causes the glibc 2.28 build to break.
2) sysdeps/ieee754/soft-fp: ignore maybe-uninitialized with -O
[BZ #19444]. The current patch for this issue can now be dropped
from Buildroot.
Signed-off-by: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
scp download is broken, because scp is called without filename argument and
only the server is specified. The call is:
scp <server> <outputfile>
but should be:
scp <server>/<filename> <outputfile>
Instead of assuming '-u' lists a full URL including filename (which it is
not), align with the wget helper where -u is the server URL and -f gives the
filename.
With this commit, an scp download can work if FOO_SITE_METHOD is explicitly
set to 'scp' and the server does not have a scheme prefix 'scp://'.
The next commit will handle the case where a scheme prefix is present.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[Thomas: s/URL/URI/, as noticed by Yann.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For some odd reason, the new pkg-config 1.5.3 changed the behavior of
"pkg-config --version": as soon as another argument than "--version"
is passed, the code assumes the user wanted to run "--modversion"
instead.
Sadly, this breaks badly with our pkg-config wrapper that
unconditionally passes --static to pkg-config when
BR2_STATIC_LIBS=y. When ffmpeg calls "pkg-config --version" to test if
pkg-config is available and functional, it's actually "pkg-config
--static --version" that gets executed. pkg-config assumes that the
user wanted to use --modversion and bails out with an error.
This causes a build failure of ffmpeg in BR2_STATIC_LIBS=y
configuration.
This misbehavior of pkg-config has been reported upstream at
https://git.dereferenced.org/pkgconf/pkgconf/issues/19, but until it
gets fixed, we work around the issue by reverting the commit that does
the "hey let's assume you're using --modversion if --version is passed
with more than one argument".
Fixes:
http://autobuild.buildroot.net/results/ed82a95e1866ea2caadbb3433b2a255b2cf621d2/
(and plenty of other ffmpeg + BR2_STATIC_LIBS=y build failures)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently, if a user runs "make" while specifying a specific package
(IE: make -p foo), the Makefile logic skips checking to see if all the
dependencies are selected in the specified packages config file. This behavior
is useful to test simple packages which do not have "complex" dependencies.
However; if a developer uses test-pkg -p ${package_name} to check their package,
the package may pass all the checks, but would have otherwise failed with a
simple "make" because the developer may have failed to add a select line in
packages config file, even if there is a new dependency in the packages
Makefile.
Pass the environment variable "BR_FORCE_CHECK_DEPENDENCIES" to the Makefile in
the test-pkg script, and check it's value in the Makefile. If the value is
"YES" force checking for dependency issues.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Config.in comment of lua-msgpack-native only indicates that it
needs Lua 5.1, while the package can actually build with LuaJIT. This
commit adjusts the comment to match the reality.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
All the packages modified by this commit have their Config.in included
by package/Config.in inside a BR2_PACKAGE_HAS_LUAINTERPRETER &&
!BR2_STATIC_LIBS condition. Therefore, duplicating the
BR2_PACKAGE_HAS_LUAINTERPRETER condition in each of their Config.in
file is redundant and unnecessary. This commit drops such redundant
"depends on" statements.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Acked-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We need to update linux/linux.hash as part of this commit, because
package/linux-headers/linux-headers.hash is a symlink to
linux/linux.hash.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>