For consistency with chromium-lts.inc, rename chromium.inc to
chromium-latest.inc.
Signed-off-by: Laurent Hartanerot <laurent.hartanerot@atos.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b36fd21f2c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The qtwebengine package used by Qt LTS has a different set of license
files for chromium, so this commit introduces a separate
chromium-lts.inc with the right contents.
This fixes legal-info of qt5webengine with Qt LTS.
Signed-off-by: Laurent Hartanerot <laurent.hartanerot@atos.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b105dc2b0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In minicom package hash file lacks sha256 entry for COPYING file even if
it is added to MINICOM_LICENSE_FILES.
Add COPYING sha256 entry to minicom.hash file.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6edfa41a0a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add kconfig help text that explains how to manually specify an
official Linux version to use for the kernel headers.
Signed-off-by: Mark Corbin <mark.corbin@embecosm.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3beba26d76)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Similarly to c48f8a6462 (package/m4: fix build on host with glibc-2.28),
backport the two fixes fromn gnulib upstream, that allows building
host-bison on systems using glibc 2.28.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Reported-by: c32 on IRC
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 373ac58b82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/9326cb85c8ce4f98aa9d0a1238ffdab3e9829637/
Similar in spirit to commit 83d33f76 (qt5quickcontrols: update license file
names for Qt 5.6 version), but on 2018.02.x the list of files was correct
for the 5.6 version but not the 5.9 version.
Also add hashes for these licese files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/69cf9326539c8df8fa50c5e7acb2ce3bb985ede2/
The PDO mysql extension also needs the hash extension - so select it,
similar to how it was done for the mysqli extension in commit 65f9645263
(php: fix build with mysqli).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 45215ffc8a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Depending on the configuration, the cpp output may contain the string 'yes'
in a comment if built under a path containing 'yes', confusing the _AIX
test:
${CROSS}-cpp conftest.h
\# 1 "conftest.h"
\# 1 "<built-in>"
\# 1 "<command-line>"
\# 31 "<command-line>"
\# 1 "/home/peko/source/buildroot/output-yes/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/stdc-predef.h"
\# 32 "<command-line>" 2
\# 1 "conftest.txt"
If misdetected, the configure script adds -lc128 to LIBS, causing the
AC_CHECKS_FUNCS check for stat64 to fail, which in turn causes compilation
errors about redefinition of symbols:
In file included from ./src/include/pv-internal.h:9:0,
from src/pv/file.c:5:
./src/include/config.h:76:18: error: redefinition of 'struct stat'
# define stat64 stat
^
Fix it by only matching on 'yes' on a line by itself.
As pv doesn't cleanly autoreconf (it doesn't use automake and configure.in
is located in subdir), instead directly patch configure.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 994a47649b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-15473: user enumeration vulnerability due to not delaying
bailout for an invalid authenticating user until after the packet
containing the request has been fully parsed.
Some OpenSSH developers don't consider this a security issue:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-August/037138.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5ef5b39bd4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop upstream patches, renumber the rest.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a08cd50e98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This script is useful to copy SSH keys between client and server [1] and
installed on most distributions (for example on debian: [2]).
[1] https://www.ssh.com/ssh/copy-id
[2] https://packages.debian.org/fr/jessie/armhf/openssh-client/filelist
Signed-off-by: Julien BOIBESSOT <julien.boibessot@armadeus.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[Thomas: use full destination path.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0552b7fc38)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12910: The get_cookies function in soup-cookie-jar.c in
libsoup 2.63.2 allows attackers to have unspecified impact via an empty
hostname.
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a4536b2dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/d6d/d6dc9a640aa1f6650a3e7b9397f2fe2ae3433f4d/http://autobuild.buildroot.net/results/ab5/ab5a58ea7845f9f378454ee1aa7e872448618ba9/
ebx was recently added to the x86 inline asm MULADDC_STOP clobber list to
fix#1550, but this causes the build to fail with GCC < 5 when building in
PIC mode with errors like:
include/mbedtls/bn_mul.h:46:13: error: PIC register clobbered by ‘ebx’ in ‘asm’
This is because older GCC versions treated the x86 ebx register (which is
used for the GOT) as a fixed reserved register when building as PIC.
This is fixed by an improved register allocator in GCC 5+. From the release
notes:
Register allocation improvements: Reuse of the PIC hard register, instead of
using a fixed register, was implemented on x86/x86-64 targets. This
improves generated PIC code performance as more hard registers can be used.
https://www.gnu.org/software/gcc/gcc-5/changes.html
As a workaround, add a patch to detect this situation and disable the inline
assembly, similar to the MULADDC_CANNOT_USE_R7 logic.
Patch submitted upstream: https://github.com/ARMmbed/mbedtls/pull/1986
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 11241ac656)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes autobuild failures like
http://autobuild.buildroot.net/results/3288b742cee650ee47a41c5b4d6aaef1fe67bff1
php compile breaks with:
ext/mysqlnd/mysqlnd_auth.o: In function `php_mysqlnd_scramble_sha2':
mysqlnd_auth.c:(.text+0x1054): undefined reference to `PHP_SHA256Init'
mysqlnd_auth.c:(.text+0x1064): undefined reference to `PHP_SHA256Update'
mysqlnd_auth.c:(.text+0x1070): undefined reference to `PHP_SHA256Final'
mysqlnd_auth.c:(.text+0x1078): undefined reference to `PHP_SHA256Init'
mysqlnd_auth.c:(.text+0x1088): undefined reference to `PHP_SHA256Update'
mysqlnd_auth.c:(.text+0x1094): undefined reference to `PHP_SHA256Final'
mysqlnd_auth.c:(.text+0x109c): undefined reference to `PHP_SHA256Init'
mysqlnd_auth.c:(.text+0x10ac): undefined reference to `PHP_SHA256Update'
mysqlnd_auth.c:(.text+0x10bc): undefined reference to `PHP_SHA256Update'
mysqlnd_auth.c:(.text+0x10c8): undefined reference to `PHP_SHA256Final'
It looks like the php mysqli extension needs the hash extension to work. This
seems to be a php Make dependany bug. This patch works around it until the
upstream maintainers can fix it.
Signed-off-by: Christopher McCrory <chrismcc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 65f9645263)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
dropbear is affected by an user enumeration vulnerability similar to the
recent issue in openssh (CVE-2018-15473). Add an upstream patch fixing the
issue.
For more details, see the discussion on the mailing list:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002110.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4a3b0ba38f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dropbear 2018.76 now uses the --enable-static option to indicate that a static
binary should be built. This will incorrectly pick up the generic buildroot
option intended for building static libraries, causing an unwanted static
binary build with BR2_SHARED_STATIC_LIBS.
Fix by appending an --disable-static configure flag, overriding the buildroot
default.
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c9922a4d2f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dropbear 2018.76 changed the default ecdsa host key size form 521 to 256
bits, but this breaks systems with an existing 521 bit key, blocking ssh
logins.
Apply the upstream fix from https://secure.ucc.asn.au/hg/dropbear/rev/0dc3103a5900 :
Only advertise a single server ecdsa key when -R (generate as required) is
specified. Fixes -R now that default ecdsa key size has changed.
[Peter: apply-patches.sh does not like suffix-less filename, so include
patch in Buildroot]
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a38d7cc9a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
DROPBEAR_SMALL_CODE could be only honored with bundled libtomcrypt
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf9b5522d1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, Dropbear's configure script enables hardening
flags. Unfortunately, the check for SSP only uses AC_COMPILE_IFELSE(),
and therefore doesn't properly test for the availability of libssp,
visible only at link time.
In addition, Buildroot passes its own hardening flags, depending on
various global options. So, we simply disable hardening flags in
Dropbear.
This fixes a build failure with non-SSP capable toolchains happening
since the bump to 2018.76.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b0aafef619)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
with this new version:
- "configure --enable-static" should now be used instead of
"make STATIC=1"
- any customised options should be put in localoptions.h
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2e035a9aec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
brltty has a very inventive buildsystem, where it internall runs
./configure for the build machine In doing so, it generates a list
of make variables to define what the build machine supports, like
it does for the target.
However, the build variables are generated with a convoluted sed
script that scans the target list, and appends _FOR_BUILD to each
target variables. Then, both lists are included from the Makefile,
on the assumption that the build variables will not clash with the
target variables.
Where it gets interesting, is that that sed script considers the
variables names to match '[A-Za-z][A-Za-z0-9_]*'
And there we see why ATSPI2_PACKAGE does not match: it contains a
digit.
So, some build variables will inevitably override target ones.
Fix that by simply expanding the matching regexp to allow digits
in variable names.
Fixes:
http://autobuild.buildroot.org/results/a37/a37782b3cfc1a96cc129db8fade20a36a7b2d470/http://autobuild.buildroot.org/results/97e/97edc6a47d2140968e84b409cdc960604e5896f2/
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Mario Lang <mlang@blind.guru>
Cc: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8909897ab3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a2e0003141)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2018-0497: Remote plaintext recovery on use of CBC based ciphersuites
through a timing side-channel
- CVE-2018-0498: Plaintext recovery on use of CBC based ciphersuites through
a cache based side-channel
For more info, see the advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7a7a159135)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We can't carry a mercurial patch, because the luarocks package is not
organised with the same layout as the upstream package source tree is.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Marcin Niestroj <m.niestroj@grinn-global.com>
Cc: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 27e0cad2da)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
Fixes CVE-2018-12115, also CVEs were fixed in included OpenSSL code
which do not use for the target build.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bfc5dc9920)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
eigen generates a pkg-config file which has a broken prefix
(@CMAKE_INSTALL_PREFIX@). This broken prefix causes an incorrect path when
other packages call pkg-config --cflags eigen.
This patch fixes the prefix in the generated eigen pc file, so projects
which depend on this pc file can now correctly find the eigen include
directory at build time.
Also correct the Cflags output to use the runtime prefix instead of the
build time STAGING_DIR, like we do elsewhere.
[Peter: drop backslashes, tweak commit message]
Signed-off-by: Matt Flax <flatmax@flatmax.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e477dc19b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump to the latest release of the 1.11.x LTS series as 1.10.x is no longer
supported upstream:
https://www.djangoproject.com/download/
Fixes the following security issues:
- CVE-2017-12794: Possible XSS in traceback section of technical 500 debug
page (1.11.5)
- CVE-2018-6188: Information leakage in AuthenticationForm (1.11.10)
- CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc
template filters (1.11.11)
- CVE-2018-7537: Denial-of-service possibility in truncatechars_html and
truncatewords_html template filters (1.11.11)
- CVE-2018-14574: Open redirect possibility in CommonMiddleware (1.11.15)
Also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ae977e9428)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
glibc-2.28 did quite some lifting in their headers, which breaks the
way some packages were detecting glibc, like gnulib.
However, packages do bundle gnulib (it was meant to be bundled),
and so does m4.
Since m4 hasn't seen the slightest commit since 2017-01-09, it is
bundling an old gnulib version, that predates glibc-2.28, and thus
breaks. It also means that upstream hasn't already fixed the issue.
Furthermore, as upstream is using a git submodule for gnulib, and
that the paths are not the same in the release tarball (in lib/)
and in the git tree (in gnulib/), we can't do a plain backport.
So, we selectively backport the two patches from gnulib upstream,
restricted to only the files that happen to be used in m4.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Reported-by: c32 on IRC
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c48f8a6462)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The threads dependency comment is currently shown even though the
toolchain supports threads, only because kernel build is disabled.
Merge the kernel and threads comments. This is similar to what we have
in other packages that need the kernel.
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f70b13a7cb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-10906 - In fuse before versions 2.9.8 and 3.x before 3.2.5,
fusermount is vulnerable to a restriction bypass when SELinux is active.
This allows non-root users to mount a FUSE file system with the
'allow_other' mount option regardless of whether 'user_allow_other' is set
in the fuse configuration. An attacker may use this flaw to mount a FUSE
file system, accessible by other users, and trick them into accessing files
on that file system, possibly causing Denial of Service or other unspecified
effects.
And additionally:
- libfuse no longer segfaults when fuse_interrupted() is called outside the
event loop.
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount options
must now match a hard-coded whitelist. It is expected that this whitelist
covers all regular use-cases.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9c2bbc3fc9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 6288409642 ("libselinux: add
patch to fix build with gcc < 4.7") introduced a patch, but its file
name was incorrect, so it was never applied. In addition, the patch
was generated against the Git repository of SELinux, which includes
all projects, and therefore it doesn't apply to the libselinux source
code extracted from the tarball: the "libselinux/" component path
needs to be removed from the patch.
This commit fixes both problems, which should finally and really fix:
http://autobuild.buildroot.net/results/c3272566bb808e43bb77ec59cfe596f7e0fe9a64/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cb8d1743ca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
