Release notes: https://www.samba.org/samba/history/samba-4.9.5.html
Fixes CVE-2019-3824:
ldb: Out of bound read in ldb_wildcard_compare
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e7d67faac5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Do not check for C++ compiler as C++ support has been disabled since
commit dd4d3c18d6 otherwise
build will fail on toolchains without a working C++ compiler:
checking how to run the C++ preprocessor... /lib/cpp
configure: error: in `/data/buildroot/buildroot-test/instance-1/output/build/beecrypt-4.2.1':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
Fixes:
- http://autobuild.buildroot.org/results/3c79cc68f1b088ad24daf7f9bd70718d702be577
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6255c81623)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
rcrt1.o is a new startup for "static-pie" apps, and only needed for
building, should not end up in the target filesystem.
Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit de5fef8c04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With the arrival of linux v5.0, we need yet another condition to set
_SITE correctly. Instead of continuing this madness, solve the problem
generically: use v2.6 for 2.6.*, and use the number before the first dot
in the other cases.
While we're at it, remove the comment which has been incorrect since
80d7b68167 (7 years ago).
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Tested-by: Adam Duskett <aduskett@gmail.com>
Reviewed-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4ed7246a59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rc kernels after v3.x are no longer available in the testing
subdirectory. Instead they should be fetched from cgit.
Commit ff4cccbdcf did this for linux
itself, now we also do it for linux-headers.
When fetched from cgit, .tar.xz can't be used. Adding this to the
existing condition is not so simple, so refactor how _SOURCE is set:
simply set it explicitly in each branch of the condition. While more
verbose (it is repeated 4 times), it's easier to understand and to
maintain.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1b94e8dcb3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The optional dbus dependency of libpcap creates a circular dependency
chain:
$ make libpcap-show-recursive-depends
Recursion detected for : systemd
which is a dependency of: dbus
which is a dependency of: libpcap
which is a dependency of: iptables
which is a dependency of: systemd
make: *** [package/libpcap/libpcap.mk:55: libpcap-show-recursive-depends] Error 1
Of all these dependencies the one of libpcap on dbus seems to be less
useful. Drop it.
Fixes:
http://autobuild.buildroot.net/results/0b5d18bff816cbcee11e8645449701722d956de5/
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b01d463c14)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7
inadvertently responds to IPv6 unicast queries with source addresses
that are not on-link, which allows remote attackers to cause a denial
of service (traffic amplification) and may cause information leakage
by obtaining potentially sensitive information from the responding
device via port-5353 UDP packets.
Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e17adf1c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We unfortunately cannot easily download these because of the file names (not
ending in patch) and patch format (p0), so convert to p1 format and include
in package/bash with the following script:
j=1; for i in 19 20 21 22 23; do
file=$(printf '%04d-patch44-0%d.patch' $j $i)
cat > $file << EOF
>From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
EOF
curl https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i | \
sed -e 's|^\*\*\* \.\./|*** |' -e 's|^--- |--- b/|' >> $file
j=$(( j + 1 ))
done
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 87a8f5f51c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release fixes the following issue with new kernels:
kexec --load bzImage --reuse-cmdline
Unhandled rela relocation: R_X86_64_PLT32
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 254384e769)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
kexec has fully support of ppc64 platform:
https://www.kernel.org/doc/Documentation/kdump/kdump.txt
Signed-off-by: Artem Senichev <artemsen@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 46a4af5214)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
amdgpu test uses fork() so disable amdgpu without MMU
Fixes:
- http://autobuild.buildroot.org/results/8d6194982c1080e173fcef8212fb06e6dc275d58
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9972dc2e82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Set the GOCACHE environment variable properly.
It was previously unset, and defaults to $HOME/.cache/go-build.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3909423f1c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Current git contains fixes for a number of post-2.3.0 security issues:
git shortlog --no-merges -i --grep cve --grep overflow --grep zero v2.3.0..
Even Rouault (2):
Avoid out-of-bounds write overflow due to uint32 overflow computation on images with huge dimensions.
color_apply_icc_profile: avoid potential heap buffer overflow
Hugo Lefeuvre (4):
convertbmp: fix issues with zero bitmasks
jp3d/jpwl convert: fix write stack buffer overflow
jp2: convert: fix null pointer dereference
convertbmp: detect invalid file dimensions early
Karol Babioch (2):
jp3d: Replace sprintf() by snprintf() in volumetobin()
opj_mj2_extract: Check provided output prefix for length
Stefan Weil (1):
Fix some potential overflow issues (#1161)
Young_X (5):
[MJ2] To avoid divisions by zero / undefined behaviour on shift
[JPWL] fix CVE-2018-16375
[JPWL] imagetotga(): fix read heap buffer overflow if numcomps < 3 (#987)
[JPWL] opj_compress: reorder checks related to code block dimensions to avoid potential int overflow
[JP3D] To avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423
ichlubna (1):
openjp3d: Int overflow fixed (#1159)
setharnold (1):
fix unchecked integer multiplication overflow
Drop now upstreamed 0004-install-static-lib.patch.
Add a hash for the LICENSE file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a5e8c81875)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bugfix release, fixing a number of issues discovered post-1.5.7
https://mosquitto.org/blog/2019/02/version-1-5-8-released/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 24cc2eaa33)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
php-7.3.3 fixes a number of security issues (no CVE known, bugtracker issues
not yet public): https://secure.php.net/ChangeLog-7.php#7.3.3
Drop 0004-OPcache-flock-mechanism-is-obviously-linux-so-force-.patch as the
flock detection has been removed since commit 9222702633 (Avoid dependency
on "struct flock" fields order.)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b821ae3d63)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has
an out-of-bounds read because memcpy is misused.
CVE-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has a
stack-based buffer over-read, related to file_printf and file_vprintf.
Update license files hashes; removal of trailing white spaces.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 14d6e6df7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libsapi was renamed to libtss2-sys in tpm2-tss library:
5f0ab55d4e
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8f297cc033)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since tpm2-tss version 2.0.0, tpm2 libraries have been renamed.
libsapi renamed to libtss2-sys
5f0ab55d4e
libtcti-device renamed to libtss2-tcti-device
libtcti-socket renamed to libtss2-tcti-mssim
b8584accbd
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fb9c137660)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, logger component is enabled if log4cpp is found
Moreover, it should be noted that log4cpp is now mandatory in latest
upstream:
d242896120
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 50e1d12e07)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As stated in SConstruct, the altivec runtime test breaks
cross-compilation: "This checks for an altivec optimization we use in
full text search. Different versions of gcc appear to put output bytes
in different parts of the output vector produced by vec_vbpermq. This
configure check looks to see which format the compiler produces. NOTE:
This breaks cross compiles, as it relies on checking runtime
functionality for the environment we're in."
Fixes:
- http://autobuild.buildroot.org/results/162198617979a83b66f70ed6013251942ed04d67
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9fd193141)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mongodb (like gnuradio) needs host-python2 however there is no way to
enforce this so add a dependency on !BR2_PACKAGE_PYTHON3.
Indeed, if BR2_PACKAGE_PYTHON3 is selected, then buildroot will only
build and install host-python-typing for host-python3.
This issue was not raised in the previous version of mongodb as
host-scons was the only dependency however we now have
host-python-typing and host-python-pyyaml dependencies and it
does not seem right to enforce python2 on those packages
Fixes:
- http://autobuild.buildroot.org/results/693bdba2c01a1b69f56d6ee75094a6a0fc3f40b4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: propagate dependency to Config.in comment]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bf57446a0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: test BR2_PACKAGE_QT5BASE instead of BR2_PACKAGE_QT5, just for
consistency with the package we add to the DEPENDENCIES variable.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d04b12d19e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
musl does not provide inx/outx API for ARM arch, so use
io memory access via pointers which is actually done this
way in glibc/ulibc.
Fixes:
http://autobuild.buildroot.net/results/bf10cbe40c0f672c34db72e4eea4c168d5932bd4/
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d12d3969d1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch fixes the build issue reported by autobuilder [0].
/home/naourr/work/instance-2/output/build/qt5webkit-5.9.1/Source/WebCore//.obj/platform/leveldb/LevelDBDatabase.o: In function
`WebCore::LevelDBDatabase::openInMemory(WebCore::LevelDBComparator const*)':
LevelDBDatabase.cpp.text._ZN7WebCore15LevelDBDatabase12openInMemoryEPKNS_17LevelDBComparatorE+0x34): undefined reference to `leveldb::NewMemEnv(leveldb::Env*)'
collect2: error: ld returned 1 exit status
make[3]: *** [Makefile.api:97: ../lib/libQt5WebKit.so.5.9.1]
Error 1
The issue happens when both packages leveldb and qt5webkit are enabled.
QtWebKit builds its own copy of leveldb [1] (as a third-party) if the
system does not provided it (i.e. buildroot). It builds it differently
and this is the origin of that issue. Instead of using the Makefile
provided by leveldb [2], QtWebKit uses qmake to build that library [3].
The missing symbol issue happens because the symbol leveldb::NewMemEnv
is bundled in the static library libmemenv.a (aside libleveldb.so).
This static library consists of this single symbol which is like an
extra that is built but *NOT* shipped by default at installation in the
staging directory. Unfortunatly, that symbol is required later by
WebCore [4].
The copy built by QtWebKit is an all-in-one library including both
libleveldb and libmemenv; thus QtWebKit links against libleveldb only.
Also, the linker finds the buildroot's copy first (not the third-party):
that explains why it is complaining about a missing symbol. That copy
does not have the symbol leveldb::NewMemEnv.
Fortunatly, QtWebKit provides a facility to link against the system
leveldb package. The qmake flag WEBKIT_CONFIG+=use_system_leveldb tells
Qt5WebKit to link against libleveldb *AND* libmemenv [5].
To fix that issue, this commit selects the package leveldb that now
installs the libmemenv static library and its header. It ensures that
QtWebKit has everything it needs to be built. It also sets the
appropriate qmake configure flags to tell QtWebKit to use the leveldb
copy built by buildroot instead of the bundled one.
[0]: http://autobuild.buildroot.net/results/46033e82adf592c3b92c6d50cfaf45bd58beeaa4
[1]: https://github.com/qt/qtwebkit/tree/5.9/Source/ThirdParty/leveldb
[2]: https://github.com/qt/qtwebkit/blob/5.9/Source/ThirdParty/leveldb/Makefile#L167-L169
[3]: https://github.com/qt/qtwebkit/blob/5.9/Source/ThirdParty/leveldb/Target.pri#L80
[4]: https://github.com/qt/qtwebkit/blob/5.9/Source/WebCore/platform/leveldb/LevelDBDatabase.cpp#L185
[5]: https://github.com/qt/qtwebkit/blob/5.9/Source/WebCore/WebCore.pri#L254
[6]: 739c25100e
Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 2d7c746ed8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The project's static libraries are not compiled with the -fPIC compiler
flag. This prevents dynamic libraries to link against those libraries.
This commit adds a patch that sets the -fPIC compiler flag to the list of
CFLAGS/CXXFLAGS.
The project now generates position independant code for all of its
outputs (i.e. not limited anymore to its shared libraries).
Fixes:
/home/gportay/src/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-amd-linux-gnu/6.2.0/../../../../x86_64-amd-linux-gnu/bin/ld: /home/gportay/src/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libmemenv.a(memenv.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/home/gportay/src/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libmemenv.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
[Arnout: renumber patch]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 088f261dbb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The project builds a tiny static library that consists of a single
symbol which creates an in-memory LevelDB database.
That library is not installed by default and may be used by other
projects.
This commit installs in the staging directory the libmemenv.a static
library and the memenv.h header file.
Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 16f847340d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
apexsink does not build with OpenSSL 1.1.x so remove this option
especially because there is no more apexsink option in gstreamer1 (since
version 1.12)
Fixes:
- http://autobuild.buildroot.org/results/a29e8a8509190fc4b3c419dae2301cf72a601f62
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c8421565b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes a hang due to SIGCHLD not being handled correctly by
vsftpd. The patch comes from fedora and didn't make its way to
upstream yet.
More information about the bug can be found in:
- https://bugzilla.redhat.com/show_bug.cgi?id=1198259
Signed-off-by: Abdelmalek Benelouezzane <abdelmalek.benelouezzane@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 498dff7ea1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
zbar can be built statically since commit
fc4a6abfa6 so remove the dynamic library
dependency from BR2_PACKAGE_GST_PLUGINS_BAD_ZBAR
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ec9b3aec53)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch to resolve CVE-2019-5747 which affects versions prior
to 1.30.0
More information can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2019-5747
This applies to both master and 2019.02
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a49e8f34ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch to resolve CVE-2018-20679 which affects versions prior
to 1.30.0
More information can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2018-20679
This applies to both master and 2019.02
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d65d1d066b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There was a missing double quotes that would prevent the service from
starting.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Acked-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 93321e5f16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#11716
Latest release is 2019.02.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 964d525970)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
flashrom uses its own internal DMI decoder since version 0.9.8 and
4c6d3a4b73
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7edb1e1c29)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>