Fixes the following security issue:
CVE-2022-42898: In MIT krb5 releases 1.8 and later, an authenticated
attacker may be able to cause a KDC or kadmind process to crash by reading
beyond the bounds of allocated memory, creating a denial of service. A
privileged attacker may similarly be able to cause a Kerberos or GSS
application service to crash. On 32-bit platforms, an attacker can also
cause insufficient memory to be allocated for the result, potentially
leading to remote code execution in a KDC, kadmind, or GSS or Kerberos
application server process. An attacker with the privileges of a
cross-realm KDC may be able to extract secrets from a KDC process's memory
by having them copied into the PAC of a new ticket.
Bugfix tarballs are located in the same directory as the base version, so
introduce LIBKRB5_VERSION_MAJOR.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit f93c47fad8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
License text for the AES implementation was changed from something
resembling BSD-3-Clause to something resembling BSD-2-Clause.
Signed-off-by: André Zwing <nerv@dawncrow.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 22ee597f52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 3dbc86f098 (openssl: bump version, enable mdc2+camellia+tlsext)
from 2010-06-03, forced the build of mdc2. Commit a83d41867c
(package/libopenssl: add option to enable some features) added an option
to explicitly disable mdc2, but forgot to amend the existing enabling
option.
It appears that, like most (all?) openssl config options, mdc2 ends up
enabled unless explicitly disabled.
Additionally, mdc2 depends on DES, so without DES, mdc2 gets disabled.
So, drop the explicit enabling option, and make mdc2 select DES.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>
Cc: "Weber, Matthew L Collins" <Matthew.Weber@collins.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 45bb69c2bd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit a83d41867c (package/libopenssl: add option to enable some
features) added an option to enable rc5. However, since commit
1fff941219 (Fixup non-x86 openssl build), dated 2002-12-30, rc5
has always been forcibly disabled in Buildroot.
Given that it was unconditionally disabled all this time, and no
one complained, it means there is virtually no-one using rc5, so we
can just drop the option.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: "GAUTRON, Erwan" <erwan.gautron@bertin.fr>
Cc: "Weber, Matthew L Collins" <Matthew.Weber@collins.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit d7178dd432)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If the swupdate configuration contains CONFIG_UBOOT=y it uses
libubootenv to access the U-Boot environment.
We don't have Buildroot config options for all the different optional
dependencies of swupdate, instead we rely on the user to select the
appropriate packages and simply add the dependency in the .mk file. Do
this for libubootenv as well. swupdate doesn't have anything like
HAVE_LIBUBOOTENV, it just assumes libubootenv is available.
Fixes:
bootloader/uboot.c:23:10: fatal error: libuboot.h: No such file or directory
23 | #include <libuboot.h>
Note that libubootenv is normally built before swupdate (alphabetical
ordering), so the error only occrus with BR2_PER_PACKAGE_DIRECTORIES or
when building swupdate directly.
Note that the autobuilders don't have this error, because they only
build swupdate with a default configuration that doesn't have U-Boot
support.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit a11b36089b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release fixes the following Security Vulnerabilities:
- CVE-2022-42898 PAC parse integer overflows
- CVE-2022-3437 Overflows and non-constant time leaks in DES{,3} and
arcfour
- CVE-2022-41916 Fix Unicode normalization read of 1 bytes past end of
array
- CVE-2021-44758 NULL dereference DoS in SPNEGO acceptors
- CVE-2021-3671 A null pointer de-reference when handling missing sname
in TGS-REQ
- CVE-2022-44640 Heimdal KDC: invalid free in ASN.1 codec
Note that CVE-2022-44640 is a severe vulnerability, possibly a 10.0
on the Common Vulnerability Scoring System (CVSS) v3, as we believe
it should be possible to get an RCE on a KDC, which means that
credentials can be compromised that can be used to impersonate
anyone in a realm or forest of realms.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all extensible CHOICE types
used in Heimdal, though not all cases will be exploitable. We have
not completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal's ASN.1 compiler since 2005, but it may
only affect Heimdal 1.6 and up. It was first reported by Douglas
Bagnall, though it had been found independently by the Heimdal
maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
- CVE-2019-14870: Validate client attributes in protocol-transition
- CVE-2019-14870: Apply forwardable policy in protocol-transition
- CVE-2019-14870: Always lookup impersonate client in DB
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e3959a0390)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The edk2 project is licensed under the BSD-2-Clause license with a patent
grant, as per commit 304bff7223a8 ("edk2: Change License.txt from 2-Clause
BSD to BSD+Patent").
There is a BSD-2-Clause-Patent SPDX license identifier[1] for this case,
therefore refine the edk2 package to use this more specific identifier.
[1]: https://spdx.org/licenses/BSD-2-Clause-Patent.html
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 40c05259d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The edk2-platforms project is licensed under the BSD-2-Clause license with
a patent grant, as per commit ae604e4ffe8f ("edk2-platforms: Change
License.txt from 2-Clause BSD to BSD+Patent").
There is a BSD-2-Clause-Patent SPDX license identifier[1] for this case,
therefore refine the edk2-platforms package to use this more specific
identifier.
[1]: https://spdx.org/licenses/BSD-2-Clause-Patent.html
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9bd1266983)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2022-45061: An issue was discovered in Python before 3.11.1. An
unnecessary quadratic algorithm exists in one path when processing some
inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably
long name being presented to the decoder could lead to a CPU denial of
service. Hostnames are often supplied by remote servers that could be
controlled by a malicious actor; in such a scenario, they could trigger
excessive CPU consumption on the client attempting to make use of an
attacker-supplied supposed hostname. For example, the attack payload could
be placed in the Location header of an HTTP response with status code 302.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 39a2ff16f9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit d07e6b70 (boot/uboot/uboot.mk: add pmufw.elf support) broke
configurations where the UBOOT_ZYNQMP_PMUFW was blank. Previously it
would set the U-Boot CONFIG_PMUFW_INIT_FILE to the blank string, but now
it will set it to ".bin" which causes U-Boot to fail to build.
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Reviewed-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 13dc57c94f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f157a11362)
[Peter: drop 5.19.x / 6.0.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Brings a number of fixes: https://dev.gnupg.org/T6106
Add patch 0001 to fix undefined reference to `ks_ldap_free_state'
backported from commit 7011286ce6e1fb56c2989fdafbd11b931c489faa
Signed-off-by: Michael Fischer <mf@go-sys.de>
[Peter: add changelog info]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 73f04f7f0c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In 5b3b2d80f4 we dropped dbus as a build
dependency, however we still need it when building with systemd so
that the service directory is available via pkg-config.
In addition we can drop --with-dbus-datadir by unconditionally
requiring dbus as the datadir will then be fetched from pkg-config.
Fixes:
checking D-Bus bus services directory... configure: error: D-Bus bus services directory is required
http://autobuild.buildroot.net/results/4a48676460e6ce588897598f0022ec840b4b4b8d/
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 47659b4f34)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The edk2 package can be configured for platform Arm Sgi575 but this
does not build correctly:
Usage: build.exe [options] [all|fds|genc|genmake|clean|cleanall|cleanlib|modules|libraries|run]
build.exe: error: option -a: invalid choice: '-b' (choose from 'IA32', 'X64', 'EBC', 'ARM', 'AARCH64', 'RISCV64')
make[1]: *** [package/pkg-generic.mk:293: /home/thomas/buildroot/buildroot/output/build/edk2-edk2-stable202102/.stamp_built] Error 2
make: *** [Makefile:84: _all] Error 2
Add the necessary definitions to fix the build.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 79591b7667)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
I am not really maintaining these packages, I don't follow closely
enough nor use them to take the time to make the necessary changes.
Giulio has been much more reactive than me to fix issues and he is
already listed for them anyway.
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 124fc473dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#6421
Backport from: da9ba3a2a1536017e4ce1ee0f4276578d1ce6e29
Signed-off-by: Michael Fischer <mf@go-sys.de>
[yann.morin.1998@free.fr: make it an actual backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7928c51bf6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SDL v1.2 was discovered to contain a use-after-free via the XFree function
at /src/video/x11/SDL_x11yuv.c.
https://github.com/advisories/GHSA-wr7h-5wm3-p3h4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b7368099ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2022-42898: Samba buffer overflow vulnerabilities on 32-bit systems
https://www.samba.org/samba/security/CVE-2022-42898.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 81a02457b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2022-3821: An off-by-one Error issue was discovered in Systemd in
format_timespan() function of time-util.c. An attacker could supply
specific values for time and accuracy that leads to buffer overrun in
format_timespan(), leading to a Denial of Service.
https://github.com/systemd/systemd/issues/23928
Drop now upstream 0001-missing-syscall-define-MOVE_MOUNT_T_EMPTY_PATH-if-mi.patch
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e24033f76a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2022-39377: sysstat is a set of system performance tools for the
Linux operating system. On 32 bit systems, in versions 9.1.16 and newer
but prior to 12.7.1, allocate_structures contains a size_t overflow in
sa_common.c. The allocate_structures function insufficiently checks
bounds before arithmetic multiplication, allowing for an overflow in the
size allocated for the buffer representing system activities. This issue
may lead to Remote Code Execution (RCE).
Despite what is written above in the CVE announcement, and as written in
the Changelog, the fix is also included in version 12.6.1 (12.7.1 is a
development version):
c1e631eddc
As a consequence, 12.6.1 is still reported as being affected. Until the
NVD is updated appropriately, we mark the CVE as ignored with a comment
that explains why.
Note: that commit is not reachable from any branch in the sysstat
repository, and Github warns about that, but the commit does belong to
the upstream repository and is reachable from the 12.6.1 tag (it looks
like sysstat only pushes tags-with-history for fix releases).
https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7xhttps://github.com/sysstat/sysstat/blob/v12.6.1/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- ignore the CVE, explain why
- explain why github warns about the fix commit
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e4ef408e8f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
CVE-2022-45063: xterm before 375 allows code execution via font ops, e.g.,
because an OSC 50 response may have Ctrl-g and therefore lead to command
execution within the vi line-editing mode of Zsh:
https://www.openwall.com/lists/oss-security/2022/11/10/1
Additionally, patch 376 fixes a null pointer access issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1022942
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0cc7c63f91)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A severe bug has been found in Libksba , the library used by GnuPG for parsing
the ASN.1 structures as used by S/MIME. The bug affects all versions of Libksba
before 1.6.2 and may be used for remote code execution.
Fix CVE-2022-3515
Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9c0311220f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2022-41741: Memory corruption in the ngx_http_mp4_module
- CVE-2022-41742: Memory disclosure in the ngx_http_mp4_module
https://mailman.nginx.org/archives/list/nginx-announce@nginx.org/message/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8fa2ff2857)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Rename configure options to avoid the following build failure raised
since bump to version 3.2.5 in commit
ae2807821d:
./simd-checksum-x86_64.cpp: In function 'uint32_t get_checksum1_cpp(char*, int32_t)':
./simd-checksum-x86_64.cpp:89:52: error: multiversioning needs 'ifunc' which is not supported on this target
89 | __attribute__ ((target("default"))) MVSTATIC int32 get_checksum1_avx2_64(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2) { return i; }
| ^~~~~~~~~~~~~~~~~~~~~
./simd-checksum-x86_64.cpp:480:1: error: use of multiversioned function without a default
480 | }
| ^
If you can't fix the issue, re-run ./configure with --disable-roll-simd.
Fixes:
- http://autobuild.buildroot.org/results/069da8e585da2e51bfd4f475cc12b9a134954b08
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e8b5feee87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit
9267b0f14d ("package/f2fs-tools: bump to
version 1.15.0"), f2fs-tools was bumped from 1.14.0 to 1.15.0.
It turns out that this version bump causes the output of dump.f2fs to
slightly change.
In version 1.14.0, it looked like this:
Info: Segments per section = 1
Info: Sections per zone = 1
Info: sector size = 512
Info: total sectors = 262144 (128 MB)
Info: MKFS version
"Linux version 5.4.0-124-generic (buildd@lcy02-amd64-089) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022"
Info: FSCK version
from "Linux version 5.4.0-124-generic (buildd@lcy02-amd64-089) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 20
22"
to "Linux version 5.4.0-124-generic (buildd@lcy02-amd64-089) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 20
22"
Info: superblock features = 0 :
Info: superblock encrypt level = 0, salt = 00000000000000000000000000000000
Info: total FS sectors = 262144 (128 MB)
Info: CKPT version = 70c101c3
Info: checkpoint state = 181 : trimmed nat_bits unmount
In version 1.15.0, it looked like this:
Info: MKFS version
"Linux version 5.4.0-124-generic (buildd@lcy02-amd64-089) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022"
Info: FSCK version
from "Linux version 5.4.0-124-generic (buildd@lcy02-amd64-089) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 20
22"
to "Linux version 5.4.0-124-generic (buildd@lcy02-amd64-089) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 20
22"
Info: superblock features = 0 :
Info: superblock encrypt level = 0, salt = 00000000000000000000000000000000
Info: Segments per section = 1
Info: Sections per zone = 1
Info: total FS sectors = 262144 (128 MB)
Info: CKPT version = b89f8bb
Info: checkpoint state = 181 : trimmed nat_bits unmount
You will notice that the message "Info: total sectors = 262144 (128
MB)" is no longer present, and only "Info: total FS sectors =
262144 (128 MB)" is not present.
Except our test case was precisely looking for this "Info: total
sectors" string in the output, causing the test to fail.
We fix this by simply matching on "Info: total FS sectors" now.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/2884634814
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0214ee94e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libvncclient v0.9.13 was discovered to contain a memory leak via the
function rfbClientCleanup().
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b3ab978703)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Refresh patch
- Drop -lz from Makefile with libressl as this is the only solution for
now: https://github.com/radiator-software/p5-net-ssleay/issues/399
- License has been clarified to be Artistic-2.0 since version 1.86.11:
aa4a0206d6
- This bump will fix the following build failure with libressl:
In file included from /home/autobuild/autobuild/instance-11/output-1/host/armeb-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/perl5/5.34.1/armeb-linux/CORE/perl.h:5748,
from SSLeay.xs:141:
SSLeay.xs: In function 'XS_Net__SSLeay_SESSION_get_master_key':
SSLeay.xs:5569:37: error: invalid use of incomplete typedef 'SSL_SESSION' {aka 'struct ssl_session_st'}
5569 | sv_setpvn(ST(0), (const char*)s->master_key, s->master_key_length);
| ^~
https://metacpan.org/release/CHRISN/Net-SSLeay-1.93_01/changes
Fixes:
- http://autobuild.buildroot.org/results/71337cc496727f2b1173c055d706c5bfc2f5d2bc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 191fa1718f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 4cbf733691 ("arch/xtensa: custom
configuration requires an overlay") added a check in
arch/arch.mk.xtensa to bail out if a custom Xtensa core is selected
but not overlay file is provided. While this is indeed a perfectly
valid check to make when building an internal toolchain, with an
external toolchain it's entirely possible to build with no overlay
file: the toolchain already exists, and there's no overlay to be
applied in the context of the Buildroot build.
And indeed commit 4cbf733691 broke some
of the runtime test cases that use a custom Xtensa core configuration,
with no overlay, to test the toolchains.bootlin.com Xtensa external
toolchain. By relaxing the check to only apply to internal toolchain
configurations, we fix those test cases.
It is to be noted that this still allows a configuration where gdb gets
built for a custom core, but with no overlay, so basically that means
the fsf variant, which can lead to build or run failures that
4cbf733691 attempted to fix to begin with. This still covers the
most common cases.
Finally, it also means being able to build a kernel with no overlay, but
this is offset by the fact that the kernel may be already patched with
an overlay (as it is possible to specify a custom kernel), which is most
probably what people using a custom core would have.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/3282261966https://gitlab.com/buildroot.org/buildroot/-/jobs/3282261963
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: extend commit log with last two paragraphs]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6465c79166)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2022-40284: A buffer overflow was discovered in NTFS-3G before
2022.10.3. Crafted metadata in an NTFS image can cause code execution. A
local attacker can exploit this if the ntfs-3g binary is setuid root. A
physically proximate attacker can exploit this if NTFS-3G software is
configured to execute upon attachment of an external storage device.
https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-v4w8-jv3w-7prmhttps://github.com/tuxera/ntfs-3g/releases/tag/2022.10.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6facb6fa10)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
matchbox-startup-monitor is an ageing package, and uses an old
configure.ac with archaic constructs. This had generated a configure
script that incorrectly tries to look for and validate a C++ compiler:
checking for powerpc64le-buildroot-linux-gnu-g++... no
checking whether we are using the GNU C++ compiler... no
checking whether no accepts -g... no
checking dependency style of no... none
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
Calling autoreconf fixes the issue, as the generated configure no longer
tries to look for a C++ compiler at all anymore. Running autoreconf does
not add any new dependency, as they are already in the dependency chain
via other packages.
Fixes:
http://autobuild.buildroot.org/results/223/223f43dd76ee907c5f25c4fee94a0f5d75614dd5/
See also similar changes:
9993a36f5e package/pamtester: fix build without C++
c05cc5de86 package/madplay: needs autoreconf
eae18d01ab libmad: needs autoreconf
43274dd3e0 package/libid3tag: needs autoreconf
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b44f6c2f30)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
ATF version 2.2 and older does not disable SSP when
ENABLE_STACK_PROTECTOR is not set. This is because the compiler enables
SSP by default, and ATF does not pass -fno-stack-protector to the
compiler. Upstream commit 7af195e29a42 ("Disable stack protection
explicitly") fixed the issue for v2.3 and newer.
Add -fno-stack-protector in CFLAGS when
BR2_TARGET_ARM_TRUSTED_FIRMWARE_SSP is not set to fix older ATF
versions.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/3301821171
Cc: Dick Olsson <hi@senzilla.io>
Cc: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5e330ff030)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since upstream commit
07f3b487f9
(which first appeared in version 7.1.0-47), ImageMagick forces the
need of a C++ compiler to build its utilities. Despite the request of
Bernd Kuhls to revert this change, upstream declined.
Since this change is causing build failures in our autobuilders, our
only choice is to follow the choice of upstream, and disable building
the utilities when C++ support is not available.
Fixes:
http://autobuild.buildroot.net/results/4283235d697408cf2e70be5e3769dbe6ebb9ddae/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0910ada70b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sudo's configure script looks up on the host to determine the path where
to install its systemd tmpfiles. That is incorrect in cross-compilation.
We can explicitly tell sudo where to install its tmpfiles, which we do
when systemd is enabled (in Buildroot, systemd-tmpfiles is always
enabled when systemd is), or we can tell it not to install tmpfiles at
all, which we do otherwise.
Signed-off-by: Nuno Gonçalves <nunog@fr24.com>
[yann.morin.1998@free.fr: reword and extend commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9c333176a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sudo's configure script looks up on the host to determine the path to
the timezone data location. That fails in cross-compilation.
This is used to sanitise the TZ envirnment variable at runtime, and is
not used at buildtime (except to be stored as a string in the program).
We can tell sudo where the tz data will be, which we do when the tzdata
package is enabled, and we can tell it not to use it at all (to not pass
TZ down to sudo-ed executions) othwerwise.
Signed-off-by: Nuno Gonçalves <nunog@fr24.com>
[yann.morin.1998@free.fr: rewrite and extend commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 51d3902af7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure raised since bump to version 0.9.4 in
commit 5cae1a0d67:
In file included from iw_if.h:26:0,
from conf.c:19:
/home/buildroot/autobuild/instance-1/output-1/host/mips-buildroot-linux-gnu/sysroot/usr/include/linux/if.h:71:2: error: redeclaration of enumerator 'IFF_UP'
IFF_UP = 1<<0, /* sysfs */
^
/home/buildroot/autobuild/instance-1/output-1/host/mips-buildroot-linux-gnu/sysroot/usr/include/net/if.h:44:5: note: previous definition of 'IFF_UP' was here
IFF_UP = 0x1, /* Interface is up. */
^
Fixes:
- http://autobuild.buildroot.org/results/cbdf3e0cf0bee8f1b076581768c24155afc320d9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 57a1ce00a2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The name of the tool in udisks2 is udisksctl.
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 593c64eaf9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pass TARGET_LDFLAGS (which contains -static) to fix the following static
build failures with gpio, iio and pci:
LINK lsgpio
/home/autobuild/autobuild/instance-8/output-1/host/lib/gcc/arm-buildroot-linux-musleabi/10.4.0/../../../../arm-buildroot-linux-musleabi/bin/ld: /home/autobuild/autobuild/instance-8/output-1/host/lib/gcc/arm-buildroot-linux-musleabi/10.4.0/libgcc.a(_dvmd_lnx.o): in function `__aeabi_ldiv0':
/home/autobuild/autobuild/instance-8/output-1/build/host-gcc-final-10.4.0/build/arm-buildroot-linux-musleabi/libgcc/../../../libgcc/config/arm/lib1funcs.S:1499: undefined reference to `raise'
[...]
LINK iio_event_monitor
/home/thomas/autobuild/instance-2/output-1/host/lib/gcc/microblazeel-buildroot-linux-musl/11.3.0/../../../../microblazeel-buildroot-linux-musl/bin/ld: /home/thomas/autobuild/instance-2/output-1/host/lib/gcc/microblazeel-buildroot-linux-musl/11.3.0/libgcc.a(unwind-dw2.o): in function `size_of_encoded_value':
/home/thomas/autobuild/instance-2/output-1/build/host-gcc-final-11.3.0/build/microblazeel-buildroot-linux-musl/libgcc/../../../libgcc/unwind-pe.h:88: undefined reference to `abort'
Fixes:
- http://autobuild.buildroot.org/results/f202eb843ef331939f5f12325bdbf2d0d664a7ce
- http://autobuild.buildroot.org/results/504ec8be1ebd15c5da09f8b90bb723a58d4c58c5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a29e7fb676)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A Floating point exception (division-by-zero) flaw was found in Mupdf
for zero width pages in muraster.c. It is fixed in Mupdf-1.20.0-rc1
upstream.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3ddca0ccb9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure without NEON probably raised since bump
to version 1.9.9-b1 in commit 1f7b12a0b4
and
ec02ecf104:
In file included from /home/autobuild/autobuild/instance-4/output-1/build/zlib-ng-2.0.6/arch/arm/adler32_neon.c:11:
/home/autobuild/autobuild/instance-4/output-1/host/lib/gcc/arm-buildroot-linux-uclibcgnueabi/10.3.0/include/arm_neon.h:31:2: error: #error "NEON intrinsics not available with the soft-float ABI. Please use -mfloat-abi=softfp or -mfloat-abi=hard"
31 | #error "NEON intrinsics not available with the soft-float ABI. Please use -mfloat-abi=softfp or -mfloat-abi=hard"
| ^~~~~
Fixes:
- http://autobuild.buildroot.org/results/8260762632cde9eb5bc2154084680b5bec034aa6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 88d2135a7a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
socat's configure script does not take the zlib dependency into
account when linking with libssl, and therefore fails at detecting
libssl in BR2_STATIC_LIBS=y configurations.
Since there is no easy way to add the zlib dependency, just disable
openssl support for static builds.
This is not fixing a build failure: libssl was not detected in
BR2_STATIC_LIBS=y configurations, so what this commit does is make it
explicit.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 934ec83e9d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
socal configure uses AC_TRY_RUN to detect printf features. This does
not work for cross compilation.
All C libraries we use support C99 snprintf. Only glibc and uClibc
support the deprecated Z modifier.
These issues were noticed by an inspection of configure.ac.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1ca100c2d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with wolfssl raised since bump to
version 5.2.0 in commit 14e0c4de71 and
33cb823148:
/home/buildroot/autobuild/instance-0/output-1/build/libuhttpd-3.14.1/src/ssl/openssl.c: In function 'handle_wolfssl_asn_error':
/home/buildroot/autobuild/instance-0/output-1/build/libuhttpd-3.14.1/src/ssl/openssl.c:339:10: error: 'ASN_NTRU_KEY_E' undeclared (first use in this function); did you mean 'ASN_ECC_KEY_E'?
339 | case ASN_NTRU_KEY_E:
| ^~~~~~~~~~~~~~
| ASN_ECC_KEY_E
Fixes:
- http://autobuild.buildroot.org/results/3261b0035c8aadd1b62538b53e03af1cd8a7b312
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ca6f38a340)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
