Commit Graph

69303 Commits

Author SHA1 Message Date
Julien Olivain
579896c2f2 package/expect: update Kconfig package URL
The old expect homepage URL [1] is now redirecting to [2]. This commit
updates the URL to the new one.

[1] http://expect.sourceforge.net/
[2] https://core.tcl.tk/expect/

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 21:19:50 +02:00
Jens Maus
565e494f86 package/linux-firmware: add iwlwifi quz firmware
This commit integrates support for the iwlwifi QuZ firmware files
to support the wifi chipsets for the intel NUC10 type of hardware.
Thus, this change adds BR2_PACKAGE_LINUX_FIRMWARE_IWLWIFI_QUZ.

Signed-off-by: Jens Maus <mail@jens-maus.de>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 21:18:43 +02:00
Michael Nosthoff
6fd23d68d5 package/catch2: bump to version 3.4.0
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 21:00:48 +02:00
Angelo Compagnucci
ba3c548562 package/grep: bump to version 3.11
No security fixes introduced in the latest version.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 20:59:59 +02:00
Angelo Compagnucci
90cfb81b51 package/python-can: bump to version 4.2.2
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 20:59:14 +02:00
Julien Olivain
ec8a9cc518 package/tcl: fix package patch
The commit 4e365d1768 "package/tcl: bump to version 8.6.13" did NOT
refreshed the package patch, because the patch was still applying
correctly and the package was working as expected.

It was refreshed in the previous bump, in commit 9cf314745a
"package/tcl: bump to version 8.6.12". This was part of 2022.02.

Looking closer at the patch content, the -/+ lines are exactly the
same. So this patch does not change anything. Since the file was kept
and the commit log mention a patch refresh, the intent was more
likely to carry over the old patch (which was declaring all libc
functions as "unbroken".

This commit actually refreshes this patch. It was regenerated with
git format-patch. Since the patch is renamed due to git format-patch,
the .checkpackageignore is updated accordingly.

Note:
This ancient patch will be removed soon, as an upstream commit [1],
not yet in a release, cleaned up and removed those old parts.

[1] 04d66a2571

Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 20:49:26 +02:00
Daniel Lang
6425e0b848 package/sysstat: drop CVE-2022-39377 from IGNORE_CVES
As off 2022-11-22 CVE-2022-39377 is listed as affecting sysstat
< 2.16.1 instead of < 2.17.1. The text is not updated, but the CPE info
is.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 20:30:02 +02:00
Thomas Petazzoni
0b764a7d1e package/ne10: install shared libraries only when built
The install to staging commands of the ne10 package are careful to
install the shared libraries only if they are built, but we forgot to
use the same care for the install to target commands, causing a build
failure on BR2_STATIC_LIBS=y configurations as no shared library was
built:

cp: cannot stat '/home/autobuild/autobuild/instance-15/output-1/build/ne10-1.2.1/modules/libNE10*.so*': No such file or directory

This commit fixes this by guarding the target installation commands to
BR2_STATIC_LIBS being empty.

The problem exists since the package was introduced in commit
318f3db0dc ("ne10: new package"), a good
10 years ago. Most likely it was not seen for many years as this
package is only available for ARM with NEON and AArch64, and we were
not testing fully static builds, except for ARMv5 that don't have
NEON. Now that we are doing more random testing, the problem started
being visible.

Fixes:

  http://autobuild.buildroot.net/results/45b2c1af052271bc2f1bb96544f138d29e4f7dfd/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 20:26:16 +02:00
Giulio Benetti
9a9a41f8df package/esp-hosted: fix build failure on s390x
s390x doesn't support Wi-Fi on Linux so let's disable the package for such
architecture.

Fixes:
http://autobuild.buildroot.net/results/f52e8a14330ff281a7096baa47f387f8c1859345

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 20:23:43 +02:00
TIAN Yuanhao
405ba7f2a6 package/nftables: install libnftables to staging
Needed for network-config-manager:
https://github.com/vmware/network-config-manager/blob/v0.6.4/meson.build#L119

Signed-off-by: TIAN Yuanhao <tianyuanhao3@163.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-21 20:20:20 +02:00
Baruch Siach
23166132eb package/libraw: fix IGNORE_CVES assignment
Commit bc4110b073 ("package/libraw: fix CVE-2023-1729") mistakenly
added the patch name to IGNORE_CVES instead of the CVE reference. Fix
that.

Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 15:04:24 +02:00
Francois Perrad
9041b12d2a package/open62541: bump to version 1.3.7
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 15:03:09 +02:00
Francois Perrad
7dc2462a8e package/mbedtls: bump to version 2.28.4
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 15:00:19 +02:00
Michael Nosthoff
00e23b82b4 package/gtest: bump to version 1.14.0
- tag prefix changed from 'release-' to 'v'
- C++14 is now required which gcc5 already provides
  (tested with bootlin toolchain armv7-eabihf--glibc--stable-2017.05-toolchains-1-1)

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 14:59:47 +02:00
Angelo Compagnucci
8f9d6e07f2 package/python-minimalmodbus: bump to version 2.1.1
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 14:58:01 +02:00
Angelo Compagnucci
1defedaf0b package/python-pillow: bump to version 10.0.1
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 14:52:23 +02:00
Angelo Compagnucci
51c497c90f package/python-web2py: bump to version 2.24.1
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 14:50:35 +02:00
Fabrice Fontaine
50827a45ee package/multipath-tools: update hash of README.md
Commit 9ca60c004d forgot to update hash of
README.md (multipathc added with
f220ab6678)

Fixes:
 - http://autobuild.buildroot.org/results/633ceb38996af7c95331ebe878ae8ba8a4b9b7de

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 14:50:05 +02:00
Maxim Kochetkov
40a2d729fd package/postgis: bump version to 3.4.0
Changelog: https://git.osgeo.org/gitea/postgis/postgis/src/tag/3.4.0/NEWS

Licenses updates:
- BSD-3-Clause for xsl:
  1a52581930

- Update urls and add SFCGAL links and licenses:
  0015540bc6

Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 14:28:24 +02:00
Fabrice Fontaine
45c41098ef package/openvpn: dco needs headers >= 4.16
NLMSGERR_ATTR_MAX has been added in kernel 4.16 with
dc2b9f19e3
resulting in the following build failure since bump to version 2.6.4 in
commit a46ac23465 and
e34437c26b:

dco_linux.c: In function 'ovpn_nl_cb_error':
dco_linux.c:303:27: error: 'NLMSGERR_ATTR_MAX' undeclared (first use in this function); did you mean '__CTRL_ATTR_MAX'?
     struct nlattr *tb_msg[NLMSGERR_ATTR_MAX + 1];
                           ^~~~~~~~~~~~~~~~~
                           __CTRL_ATTR_MAX

Fixes:
 - http://autobuild.buildroot.org/results/69b9737913ac0b5cd2c117d526602874da3ee487

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 14:24:41 +02:00
Daniel Lang
487c12a1f2 package/tar: drop CVE-2007-4476 from IGNORE_CVES
As off 2021-05-17 NVD added 1.19 as the first version that isn't
affected by CVE-2007-4476.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 12:32:14 +02:00
Daniel Lang
43dbfe4670 package/python3: drop CVE-2022-45061 from IGNORE_CVES
CVE-2022-45061 affects python <= 3.7.15, 3.8.0 through 3.8.15,
3.9.0 through 3.9.15, 3.10.0 through 3.10.8
The mentioned patch was removed in c38de813 when bumping to 3.11.1.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 12:30:43 +02:00
Daniel Lang
f71c794021 package/icu: drop CVE-2021-30535 from IGNORE_CVES
The mentioned patch was removed in 7549e05b when bumping to 70-1.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 12:30:28 +02:00
Daniel Lang
a01a6b8dc8 package/fail2ban: drop CVE-2021-32749 from IGNORE_CVES
CVE-2021-32749 affects fail2ban <= 0.9.7, 0.10.0 through 0.10.6, and
0.11.0 through 0.11.2.
The mentioned patch was removed in 76853089 when bumping to 1.0.1.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 12:30:09 +02:00
Fabrice Fontaine
38f39a6031 package/zxing-cpp: fix python build
Fix the following build failures raised since bump to version 1.4.0 in
commit 456a739831:

-- Found PythonInterp: /usr/bin/python3.6 (found suitable version "3.6.9", minimum required is "3.6")
CMake Error at /home/buildroot/autobuild/run/instance-3/output-1/host/sparc64-buildroot-linux-gnu/sysroot/usr/share/cmake/pybind11/FindPythonLibsNew.cmake:147 (message):
  Python config failure:

  Traceback (most recent call last):

    File "<string>", line 6, in <module>

  ImportError: cannot import name 'sysconfig'

and

In file included from /home/buildroot/autobuild/instance-1/output-1/host/include/python3.11/Python.h:38,
                 from /home/buildroot/autobuild/instance-1/output-1/host/sh4-buildroot-linux-gnu/sysroot/usr/include/pybind11/detail/common.h:266,
                 from /home/buildroot/autobuild/instance-1/output-1/host/sh4-buildroot-linux-gnu/sysroot/usr/include/pybind11/attr.h:13,
                 from /home/buildroot/autobuild/instance-1/output-1/host/sh4-buildroot-linux-gnu/sysroot/usr/include/pybind11/detail/class.h:12,
                 from /home/buildroot/autobuild/instance-1/output-1/host/sh4-buildroot-linux-gnu/sysroot/usr/include/pybind11/pybind11.h:13,
                 from /home/buildroot/autobuild/instance-1/output-1/host/sh4-buildroot-linux-gnu/sysroot/usr/include/pybind11/numpy.h:12,
                 from /home/buildroot/autobuild/instance-1/output-1/build/zxing-cpp-2.1.0/wrappers/python/zxing.cpp:18:
/home/buildroot/autobuild/instance-1/output-1/host/include/python3.11/pyport.h:601:2: error: #error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)."
  601 | #error "LONG_BIT definition appears wrong for platform (bad gcc/glibc config?)."
      |  ^~~~~

Fixes:
 - http://autobuild.buildroot.org/results/665b246a4bb14480152ee59050672a7469148a5b
 - http://autobuild.buildroot.org/results/0502b05020de57e4910125c699c4264047187c51
 - http://autobuild.buildroot.org/results/c5e7fe83d46c704e05800e3ae62bf476458c7b71

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-21 12:29:14 +02:00
Roberto Medina
ec3b960418 configs/roc_pc_rk3399: enable OpenSSL for U-Boot
Enable OpenSSL to build U-boot. Reported by the daily autobuild.

Fixes:

  https://gitlab.com/buildroot.org/buildroot/-/jobs/5083367140

Signed-off-by: Roberto Medina <robertoxmed@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-20 22:34:23 +02:00
Fabrice Fontaine
60fad6628e package/domoticz: bump to version 2023.2
https://github.com/domoticz/domoticz/blob/2023.2/History.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-20 22:33:49 +02:00
Giulio Benetti
e604532285 package/harfbuzz: bump version to 8.2.1
Release notes: https://github.com/harfbuzz/harfbuzz/blob/main/NEWS

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-20 22:33:11 +02:00
Fabrice Fontaine
ebf9fa28e3 package/util-linux: fix build with uclibc-ng < 1.0.42
Define static_assert if needed to avoid the following build failure with
uclibc-ng < 1.0.42 raised since bump to version 2.39 in commit
ad276d94a3 and
0ff5740652:

/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabihf/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabihf/bin/ld: ./.libs/libsmartcols.so: undefined reference to `static_assert'

Fixes:
 - http://autobuild.buildroot.org/results/c3d38d92557ee9e59b717b85f6307810d5de1487

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-20 21:40:10 +02:00
Fabrice Fontaine
e9f2f48a7e package/binutils: install libsframe for all relevant binutils versions
Fix the following build failure with oprofile raised since bump of
binutils to version 2.40 in commit
35656482d3:

configure: error: bfd library not found

[...]

configure:17928: checking for bfd_openr in -lbfd
configure:17953: /home/buildroot/autobuild/run/instance-1/output-1/host/bin/arm-linux-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -Os -g0  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  conftest.c -lbfd  -liberty -lpopt  -ldl -lintl >&5
/home/buildroot/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/12.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: warning: libsframe.so.0, needed by /home/buildroot/autobuild/run/instance-1/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libbfd.so, not found (try using -rpath or -rpath-link)

Indeed, in this case, libsframe is not installed even after applying
commit 1b4d921e1d because
BR2_BINUTILS_VERSION_2_40_X is not selected by anyone (binutils package
is selected by oprofile and the toolchain is not generated by buildroot)

To fix this issue, invert the logic: install libsframe by default (i.e.
when binutils is selected or with a buildroot toolchain). libsframe will
not be installed only if binutils < 2.40 is detected.

Fixes:
 - http://autobuild.buildroot.org/results/af9a2d52823a332b48e6df14d2708b6a4b3833a4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-20 21:33:23 +02:00
Fabrice Fontaine
7c6c018ad4 package/agentpp: fix build with gcc 4.8
Fix the following build failure with gcc 4.8 raised since bump of snmppp
to version 3.5.0 in commit e011fa0415:

configure: error: Cannot find suitable libsnmp++ library

[...]

configure:9496: checking if libsnmp++ can be linked with flags from pkg-config
configure:9528: /home/buildroot/autobuild/run/instance-1/output-1/host/bin/arm-none-linux-gnueabi-g++ -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -Os -g0 -D_FORTIFY_SOURCE=1 -pthread -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -D_XOPEN_SOURCE=XPG6  conftest.cpp -L/home/buildroot/autobuild/run/instance-1/output-1/host/bin/../arm-buildroot-linux-gnueabi/sysroot/usr/lib -lsnmp++ >&5
In file included from /home/buildroot/autobuild/run/instance-1/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/include/snmp_pp/snmp_pp.h:71:0,
                 from conftest.cpp:92:
/home/buildroot/autobuild/run/instance-1/output-1/host/arm-buildroot-linux-gnueabi/sysroot/usr/include/snmp_pp/uxsnmp.h:628:35: error: 'nullptr' was not declared in this scope
      CSNMPMessage *snmp_message = nullptr);
                                   ^

Fixes:
 - http://autobuild.buildroot.org/results/f272473e7b588f5390b183072935a0217290ee4e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-09-20 21:31:21 +02:00
Fabrice Fontaine
d170cde027 package/netatalk: security bump to version 3.1.17
- Drop patches (already in version) and so autoreconf
- Update COPYING hash (gpl mailing address updated with
  9bd45cc06e
  6a5997fbd6)
- Fix CVE-2022-43634: This vulnerability allows remote attackers to
  execute arbitrary code on affected installations of Netatalk.
  Authentication is not required to exploit this vulnerability. The
  specific flaw exists within the dsi_writeinit function. The issue
  results from the lack of proper validation of the length of
  user-supplied data prior to copying it to a fixed-length heap-based
  buffer. An attacker can leverage this vulnerability to execute code in
  the context of root. Was ZDI-CAN-17646.
- Fix CVE-2022-45188: Netatalk through 3.1.13 has an afp_getappl
  heap-based buffer overflow resulting in code execution via a crafted
  .appl file. This provides remote root access on some platforms such as
  FreeBSD (used for TrueNAS).
- Fix CVE-2023-42464: Validate data type in dalloc_value_for_key()

https://github.com/Netatalk/netatalk/blob/netatalk-3-1-17/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:42:01 +02:00
Fabrice Fontaine
9c4c3c4c9c package/opensc: fix CVE-2023-2977
A vulnerability was found in OpenSC. This security flaw cause a buffer
overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
attacker can supply a smart card package with malformed ASN1 context.
The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
tags, where remaining length is wrongly caculated due to moved starting
pointer. This leads to possible heap-based buffer oob read. In cases
where ASAN is enabled while compiling this causes a crash. Further info
leak or more damage is possible.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:41:55 +02:00
Fabrice Fontaine
164d635f37 package/xterm: security bump to version 384
- Fix CVE-2023-40359: xterm before 380 supports ReGIS reporting for
  character-set names even if they have unexpected characters (i.e.,
  neither alphanumeric nor underscore), aka a pointer/overflow issue.
  This can only occur for xterm installations that are configured at
  compile time to use a certain experimental feature.
- Update COPYING hash (update in year and version)

https://invisible-island.net/xterm/xterm.log.html#xterm_384

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:38:01 +02:00
Daniel Lang
dc0c755273 package/e2fsprogs: drop CVE-2022-1304
CVE-2022-1304 only affects e2fsprogs 1.46.5.
The mentioned patch was removed in 6a21733f when bumping to 1.47.0.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:35:01 +02:00
Daniel Lang
880e03ba75 package/cpio: drop CVE-2021-38185 from IGNORE_CVES
CVE-2021-38185 affects cpio <= 2.13.
The mentioned patches were removed in b0306d94 when bumping to 2.14.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:34:55 +02:00
Daniel Lang
8bf82aab0c package/bind: drop CVE-2017-3139 from IGNORE_CVES
As of 2021-05-14 CVE-2017-3139 is no longer listed as affecting bind, only RHEL.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:34:49 +02:00
Fabrice Fontaine
93ef6997ae package/ghostscript: security bump to version 10.02.0
- Fix CVE-2023-36664: Artifex Ghostscript through 10.01.2 mishandles
  permission validation for pipe devices (with the %pipe% prefix or the |
  pipe character prefix).
- Fix CVE-2023-38559: A buffer overflow flaw was found in
  base/gdevdevn.c:1973 in devn_pcx_write_rle() in ghostscript. This
  issue may allow a local attacker to cause a denial of service via
  outputting a crafted PDF file for a DEVN device with gs.
- Fix CVE-2023-38560: An integer overflow flaw was found in
  pcl/pl/plfont.c:418 in pl_glyph_name in ghostscript. This issue may
  allow a local attacker to cause a denial of service via transforming a
  crafted PCL file to PDF format.

https://ghostscript.readthedocs.io/en/gs10.02.0/News.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:32:29 +02:00
Angelo Compagnucci
334d807848 package/sshguard: bump to version 2.4.3
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-20 19:17:39 +02:00
Yann E. MORIN
96130dc204 docs/manual: fix formatting for LIBFOO_SVN_EXTERNAL
Commit 7dd27cbe5b (support/download: add support to exclude svn
externals) introduced an improperly formatted list item. That was
carried over with bf2d7f8f53 (package/pkg-generic: don't download svn
externals by default).

Fix that.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-17 22:59:16 +02:00
Julien Olivain
2031fc8809 support/testing/tests/package/test_tcl.py: new runtime test
Signed-off-by: Julien Olivain <ju.o@free.fr>
[Arnout: use f-string instead of string.format]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-17 22:09:40 +02:00
Christian Stewart
47cbcb70d0 package/containerd: bump to version 1.7.6
Bugfixes and updates.

Containerd v1.7.x comes with new features including container sandboxing.

https://github.com/containerd/containerd/releases/tag/v1.7.6

Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-17 21:34:09 +02:00
Yann E. MORIN
8ce33fed49 package/gdb: gdbserver does not need zlib
Since 3341ceb1e5 (package/gdb: zlib is mandatory, not optional), zlib
has become a mandatory dependencies of the gdb package.

However, zlib is only needed for the debugger, gdb itself, while the
server, gdbserver, does not use it.

This means that, when building an SDK to be later reused as an external
toolchain, the zlib headers and libraries are present in the sysroot of
the toolchain, tainting the toolchain and making it unsuitable to be
reused.

As Julien noticed, for example, tcl will try and link with zlib if
available, and at build time it is. But at runtime, it is not, and thus
tclsh fails to run; see 7af8dee3a8 (package/tcl: add mandatory
dependency to zlib)

When we only need to build gdbserver, we still need to configure and
build the whole gdb distribution, which means we call the top-level
configure script; that script has no option to disable the detection
of zlib: it wants to either use a system one, or it will build the
bundled one.

So, when we only build gdbserver, we tell configure to not use a system
zlib. This triggers the build of the bundled one, but it is not linked
with gdbserver so in the end it is not used on the target.

Reported-by: Julien Olivain <ju.o@free.fr>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-17 21:30:19 +02:00
Fabrice Fontaine
de0f8c66ad package/wireshark: security bump to version 4.0.8
Fix CVE-2023-3648 and CVE-2023-3649

https://www.wireshark.org/security/wnpa-sec-2023-21
https://www.wireshark.org/security/wnpa-sec-2023-22
https://www.wireshark.org/security/wnpa-sec-2023-23
https://www.wireshark.org/security/wnpa-sec-2023-24
https://www.wireshark.org/security/wnpa-sec-2023-25
https://www.wireshark.org/security/wnpa-sec-2023-26
https://www.wireshark.org/docs/relnotes/wireshark-4.0.7.html
https://www.wireshark.org/docs/relnotes/wireshark-4.0.8.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-17 21:08:25 +02:00
Reza Arbab
ab91ddd8a8 package/petitboot: fix HOST_PROG_SHUTDOWN value
HOST_PROG_SHUTDOWN currently references a file that doesn't exist. Fix
by setting it to /usr/libexec/petitboot/bb-kexec-reboot, which this
package already installs but doesn't use.

Signed-off-by: Reza Arbab <arbab@linux.ibm.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2023-09-17 20:09:03 +02:00
Julien Olivain
7af8dee3a8 package/tcl: add mandatory dependency to zlib
Tcl changed its zlib handling in upstream commit [1]. Before this
commit, the HAVE_ZLIB macro was defined only if a zlib headers/library
was found. After that commit, the HAVE_ZLIB macro is unconditionally
defined. The only change is that: if a working zlib library is found
in the toolchain sysroot, it is used. Otherwise, the package will use
a shipped version in [2]. See also [3] and [4].

This tcl commit is included in Buildroot since commit 7fda943b43
"tcl: bump to version 8.6.1".

In Buildroot, we prefer to not use bundled libraries wherever possible,
so add an unconditional dependency to zlib.

Further notes:

This behavior leads to runtime failures, when the package is compiled
with toolchains including zlib in their sysroot. This is because at
configuration time, the package will detect zlib in the sysroot and
link against it, but the library files won't be installed on target.

This happen to be the case with Bootlin toolchains such as [5], as they
also contaions gdbserver, and since 3341ceb1e5 (package/gdb: zlib is
mandatory, not optional), we also build zlib even if only gdbserver is
built (gdbserver does not use zlib, so that's a bug in our gdb
packaging).

This toolchain also happen to be the one used in basic configurations
of the runtime test infrastructure (this issue was found while
attempting to write a runtime test for tcl).

In such cases, running "tclsh" command fails with error message:

    tclsh: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory

libtcl library also miss its dependency.

    ldd /usr/lib/libtcl8.6.so
	    libz.so.1 => not found
	    libm.so.6 => /lib/libm.so.6 (0xb6dad000)
	    libc.so.6 => /lib/libc.so.6 (0xb6c65000)
	    /lib/ld-linux.so.3 (0xb6f6c000)

[1] 6f3dea45ce
[2] https://github.com/tcltk/tcl/tree/core-8-6-13/compat/zlib
[3] https://github.com/tcltk/tcl/blob/core-8-6-13/unix/configure.in#L172
[4] https://github.com/tcltk/tcl/blob/core-8-6-13/unix/Makefile.in#L240
[5] https://toolchains.bootlin.com/downloads/releases/toolchains/armv5-eabi/tarballs/armv5-eabi--glibc--stable-2023.08-1.tar.bz2

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-17 15:27:01 +02:00
Fabrice Fontaine
78959665b9 package/strongswan: security bump to version 5.9.11
Fix CVE-2023-26463: strongSwan 5.9.8 and 5.9.9 potentially allows remote
code execution because it uses a variable named "public" for two
different purposes within the same function. There is initially
incorrect access control, later followed by an expired pointer
dereference. One attack vector is sending an untrusted client
certificate during EAP-TLS. A server is affected only if it loads
plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS,
EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.

https://github.com/strongswan/strongswan/blob/5.9.11/NEWS
https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-17 14:41:21 +02:00
Fabrice Fontaine
8fc24fbd17 package/haproxy: security bump to version 2.6.15
Fix CVE-2023-40225: HAProxy through 2.0.32, 2.1.x and 2.2.x through
2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15,
2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty
Content-Length headers, violating RFC 9110 section 8.6. In uncommon
cases, an HTTP/1 server behind HAProxy may interpret the payload as an
extra request.

https://www.mail-archive.com/haproxy@formilux.org/msg43864.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-17 14:41:16 +02:00
Fabrice Fontaine
bc4110b073 package/libraw: fix CVE-2023-1729
A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex()
caused by a maliciously crafted file may lead to an application crash.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-17 14:41:10 +02:00
Peter Korsgaard
56b0667406 package/libcurl: security bump to version 8.3.0
Fixes the following security issue:

CVE-2023-38039: HTTP headers eat all memory

When curl retrieves an HTTP response, it stores the incoming headers so that
they can be accessed later via the libcurl headers API.

However, curl did not have a limit on the size or quantity of headers it
would accept in a response, allowing a malicious server to stream an endless
series of headers to a client and eventually cause curl to run out of heap
memory.

https://curl.se/docs/CVE-2023-38039.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-09-17 14:41:04 +02:00