Fix CVE-2022-21699: IPython (Interactive Python) is a command shell for
interactive computing in multiple programming languages, originally
developed for the Python programming language. Affected versions are
subject to an arbitrary code execution vulnerability achieved by not
properly managing cross user temporary files. This vulnerability allows
one user to run code as another on the same machine. All users are
advised to upgrade.
Also update indentation in hash file (two spaces)
https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
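The advisory above describes the general class of bug: a program that uses a predictable path under a shared directory such as /tmp, which another local user can pre-create (as a symlink or a loose-permission directory) so that the victim later writes into, or loads code from, a location the attacker controls. The following is an added illustration of the defensive check, written for this page; it is not IPython's code (the patch itself is not reproduced here), and the `secure_user_dir` name, the `demo()` scenario and its temporary base directory (standing in for /tmp) are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path


def secure_user_dir(base: str, name: str) -> Path:
    """Return a per-user directory under a shared base such as /tmp.

    Creates it with mode 0700 if absent; otherwise refuses to use it unless
    it is a real directory (not a symlink) owned by the current uid and not
    writable by group or other. This is what stops another local user from
    pre-creating the path and having our files written into, or our code
    loaded from, a location they control.
    """
    path = Path(base) / f"{name}-{os.getuid()}"  # uid in the name avoids cross-user collisions
    try:
        path.mkdir(mode=0o700)
    except FileExistsError:
        pass  # fall through to validation: the existing entry may not be ours
    st = os.lstat(path)  # lstat so a planted symlink is seen as a symlink
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a directory")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path} is owned by uid {st.st_uid}, not us")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is group- or world-writable")
    return path


def demo() -> dict:
    """Exercise the check against a fresh base dir and two planted entries."""
    base = tempfile.mkdtemp()  # constructed stand-in for /tmp
    results = {}

    good = secure_user_dir(base, "ipython")
    results["fresh_mode"] = stat.S_IMODE(good.stat().st_mode)

    # Attack 1: a symlink planted at the expected name, pointing elsewhere.
    elsewhere = Path(tempfile.mkdtemp())
    link = Path(base) / f"planted-{os.getuid()}"
    link.symlink_to(elsewhere)
    try:
        secure_user_dir(base, "planted")
        results["symlink_rejected"] = False
    except PermissionError:
        results["symlink_rejected"] = True

    # Attack 2: a real directory at the expected name, but world-writable.
    loose = Path(base) / f"loose-{os.getuid()}"
    loose.mkdir(mode=0o777)
    os.chmod(loose, 0o777)  # explicit chmod defeats the umask applied by mkdir
    try:
        secure_user_dir(base, "loose")
        results["world_writable_rejected"] = False
    except PermissionError:
        results["world_writable_rejected"] = True

    return results


if __name__ == "__main__":
    print(demo())
```

The ownership and mode checks are done with `lstat` on the final path after the `mkdir` attempt, so a symlink planted before the call is rejected rather than followed; embedding the uid in the name only avoids honest collisions and is no substitute for the checks.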
host-librsvg installs a gdk-pixbuf module (aka plugin). As such, it needs
to update [0] the modules cache (a kind of registry of which modules are
installed and what they can handle). To that effect, it calls the utility
gdk-pixbuf-queryloaders, which generates the cache of existing modules.
gdk-pixbuf-queryloaders, from the gdk-pixbuf package, has been
configured to be relocatable. However, it still embeds the path to where
it was installed, and thus where to look for modules. If it is run from
its install location, then gdk-pixbuf-queryloaders looks for modules in that
location, and generates a modules cache with relative paths; otherwise,
it still looks at that location, but generates a cache with absolute
paths. In the latter case, it will miss the modules that have not been
installed by gdk-pixbuf itself.
In the case of host-librsvg, that will miss the fact that librsvg just
happened to have installed a module. Further down the road, packages
that depend on host-librsvg will get their PPD prepared and the path fixup
hook run, so that the cache properly points to the current package's
PPD, but the cache will not include the SVG module, which causes
failures to load SVG images:
Can't load file: Unrecognized image file format
So, we need to tell gdk-pixbuf-queryloaders where the module path is,
which restores the relativity of the paths it reports, by specifying the
modules path pointing to the current package's PPD, passed in the
environment variable GDK_PIXBUF_MODULEDIR.
We need to do that at install time, so that the SVG module is properly
listed in the cache, so that dependees can use it.
A temporary cache is also generated at build time, but its usefulness
is dubious; it seems to only be used by the test tool, which we do not
run. However, for consistency's sake, we also fix that.
Fixes:
- http://autobuild.buildroot.org/results/0e00059b09b4445eaaec1030997883187c6a80d6
[0] This will trigger file-overwrite detection in the future... But we
currently do not have infrastructure to properly handle such a cache.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: reword and extend an already-good commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
XDRIVER_XF86_VIDEO_ATI_CONF_OPTS is wrongly overridden in a conditional
since commit daa433bff6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Replace PYTHON_VERSION_MAJOR by PYTHON3_VERSION_MAJOR now that python2
has been dropped
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Replace PYTHON_VERSION_MAJOR by PYTHON3_VERSION_MAJOR now that python2
has been dropped. It should be noted that PYTHON_SITE_PKG was wrongly
set since the addition of the package in commit
4470bc9914
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2022-21712: twisted is an event-driven networking engine written
in Python. In affected versions twisted exposes cookies and
authorization headers when following cross-origin redirects. This issue
is present in the `twisted.web.RedirectAgent` and
`twisted.web.BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There
are no known workarounds.
Update hash of license file (author added and update in year:
13aa59746aadfdf234777e65fbeed3)
https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
https://github.com/twisted/twisted/releases/tag/twisted-22.1.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
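The CVE above is a redirect-following client that replays the original request's credentials to whatever host the Location header names. As an added example (not Twisted's code, and not the fix in this bump), here is the origin comparison a redirect agent needs, with a small simulated server so the hops can be inspected: the `origin`, `headers_for_redirect` and `follow` names, the `FAKE_SERVER` map and the `cdn.attacker.test` host are all constructed for this illustration.

```python
from urllib.parse import urlsplit

# Request headers that must not cross an origin boundary on redirect.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(headers: dict, from_url: str, to_url: str) -> dict:
    """Headers to send on the redirected request: unchanged for a same-origin
    hop, stripped of credentials for a cross-origin one."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow(url: str, headers: dict, server: dict, max_hops: int = 5) -> list:
    """Simulated redirect-following client.

    `server` maps a URL to (status, Location-or-None) and stands in for the
    network. Returns [(url, headers_sent), ...] for every request made, so a
    test can see exactly which credentials reached which origin.
    """
    trail = []
    for _ in range(max_hops + 1):
        trail.append((url, dict(headers)))
        status, location = server[url]
        if status not in (301, 302, 303, 307, 308) or location is None:
            return trail
        headers = headers_for_redirect(headers, url, location)
        url = location
    raise RuntimeError("too many redirects")


# Constructed scenario: the API host first redirects within its own origin
# (explicit :443, still the same origin), then bounces the client to a host
# the attacker controls; a naive client would replay the bearer token there.
FAKE_SERVER = {
    "https://api.example.com/login": (302, "https://api.example.com:443/v2/login"),
    "https://api.example.com:443/v2/login": (302, "https://cdn.attacker.test/capture"),
    "https://cdn.attacker.test/capture": (200, None),
}

CREDENTIALS = {"Authorization": "Bearer s3cr3t", "Cookie": "sid=abc", "Accept": "*/*"}


def run_demo() -> list:
    return follow("https://api.example.com/login", CREDENTIALS, FAKE_SERVER)


if __name__ == "__main__":
    for hop_url, sent in run_demo():
        print(hop_url, sorted(sent))
```

Comparing the full (scheme, host, port) tuple rather than just the hostname matters: a downgrade from https to http on the same host is also a boundary across which a bearer token should not travel.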
Make webkitgtk enable color management support if the lcms2 package has
been selected.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gdk-pixbuf is based on plugins (modules in gdk-pixbuf parlance) that are
provided either by the gdk-pixbuf package itself, or are installed by
third-party packages, like librsvg. At runtime, those plugins get loaded
by helper functions in the gdk-pixbuf library.
The location where to find those modules is currently hard-coded at
build time, to the location where gdk-pixbuf is installed. This means
that host packages that install image-conversion utilities will try to
look in the path where gdk-pixbuf was installed.
With per-package directories, this fails to find any module that was
installed by a third-party package. For example, the module for loading
an SVG is provided by librsvg, so it is not present in the PPD of
gdk-pixbuf, and thus loading an SVG (e.g. to convert it to another
format, like adwaita-icon-theme does) will fail with:
Can't load file: Unrecognized image file format
However, gdk-pixbuf can be configured so as to look for the modules
relative to where the program is run from, rather than hard-coding the
location at build time. This is exactly what we need in the PPD case.
Additionally, even without PPD, this would fail in a similar manner in
the SDK, as that can be relocated too.
So we unconditionally enable the relocatable option, but only for the
host variant (there is no reason to enable it for the target, as it is
not going to be relocated).
Fixes:
- http://autobuild.buildroot.org/results/0e00059b09b4445eaaec1030997883187c6a80d6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: reword the already-good commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following security issue:
- CVE-2021-45444: In zsh before 5.8.1, an attacker can achieve code
execution if they control a command output inside the prompt, as
demonstrated by a %F argument. This occurs because of recursive
PROMPT_SUBST expansion.
The 5.8.1 release is not listed in MD5SUM, so drop the md5 hash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This bump contains a single commit which fixes the following build
failure with Lua 5.4 raised since commit
4f9a565902:
In file included from lsyslog.c:11:
compat-5.3.h:402:4: error: #error "unsupported Lua version (i.e. not Lua 5.1, 5.2, or 5.3)"
402 | # error "unsupported Lua version (i.e. not Lua 5.1, 5.2, or 5.3)"
| ^~~~~
Also update indentation in hash file (two spaces)
Fixes:
- http://autobuild.buildroot.org/results/df2aabcf2ae07cad66b869ec4ac76702d2c32dc5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Tested-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure raised on uclibc and musl since the
addition of libexecinfo package in commit
eea8ba446c:
/home/peko/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/10.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: src/backtrace.o: in function `print_backtrace':
backtrace.c:(.text+0x37): undefined reference to `backtrace'
Fixes:
- http://autobuild.buildroot.org/results/74da4f4deab5f0ae9405d063ad52a5d4904a964d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog (since 2021.08.28, [1]):
e061299 wireless-regdb: Raise DFS TX power limit to 250 mW (24 dBm) for the US
2ce78ed wireless-regdb: Update regulatory rules for Croatia (HR) on 6GHz
0d39f4c wireless-regdb: Update regulatory rules for South Korea (KR)
acad231 wireless-regdb: Update regulatory rules for France (FR) on 6 and 60 GHz
ea83a82 wireless-regdb: add support for US S1G channels
4408149 wireless-regdb: add 802.11ah bands to world regulatory domain
5f3cadc wireless-regdb: Update regulatory rules for Spain (ES) on 6GHz
e0ac69b Revert "wireless-regdb: Update regulatory rules for South Korea (KR)"
40e5e80 wireless-regdb: Update regulatory rules for South Korea (KR)
e427ff2 wireless-regdb: Update regulatory rules for China (CN)
0970116 wireless-regdb: Update regulatory rules for the Netherlands (NL) on 6GHz
4dac44b wireless-regdb: update regulatory database based on preceding changes
[1] https://lore.kernel.org/linux-wireless/YhBCKWNw3IMfGs0L@ubuntu-x1/
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop APR_UTIL_FIX_{LIBTOOL,RULES_MK} which were added by commit
84b4c19e55 but are not needed since the
addition of PPD_FIXUP_PATHS in commit
b06294e989
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop APACHE_FIXUP_APR_LIBTOOL which was added by commit
b747c29c4e but is not needed since the
addition of PPD_FIXUP_PATHS in commit
b06294e989
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop APPARMOR_FIXUP_APXS which was added by commit
3c836e5420 but is not needed since the
addition of PPD_FIXUP_PATHS in commit
b06294e989
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Drop DOVECOT_PIGEONHOLE_FIXUP_DOVECOT_CONFIG added by commit
0901355c11 which is not needed since the
addition of PPD_FIXUP_PATHS in commit
b06294e989
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Security fixes:
#562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
sequences (e.g. from start tag names) to the XML
processing application on top of Expat can cause
arbitrary damage (e.g. code execution) depending
on how invalid UTF-8 is handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#561 CVE-2022-25236 -- Passing (one or more) namespace separator
characters in "xmlns[:prefix]" attribute values
made Expat send malformed tag names to the XML
processor on top of Expat which can cause
arbitrary damage (e.g. code execution) depending
on how such unexpected cases are handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
that could be triggered by e.g. a 2 megabytes
file with a large number of opening braces.
Expected impact is denial of service or potentially
arbitrary code execution.
#560 CVE-2022-25314 -- Fix integer overflow in function copyString;
only affects the encoding name parameter at parser creation
time which is often hardcoded (rather than user input),
takes a value in the gigabytes to trigger, and a 64-bit
machine. Expected impact is denial of service.
#559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
needs input in the gigabytes and a 64-bit machine.
Expected impact is denial of service or potentially
arbitrary code execution.
https://blog.hartwork.org/posts/expat-2-4-5-released/
https://github.com/libexpat/libexpat/blob/R_2_4_5/expat/Changes
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
XDRIVER_XF86_VIDEO_MGA_CONF_OPTS is wrongly overridden in a conditional
since commit 105c7c7573
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
SOCKETCAND_CONF_OPTS is wrongly overridden in a conditional since commit
53e498da2f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
PERL_NETADDR_IP_CONF_OPTS is wrongly overridden in a conditional since
commit 86658b0b18
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
ARP_SCAN_CONF_OPTS is wrongly overridden in a conditional since commit
df578c86ed
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
PCRE_CONF_OPTS is wrongly overridden in a conditional since commit
9b28d48012
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixes the following compile error:
In file included from include/bootm.h:10,
from tools/image-host.c:12:
include/image.h:1178:12: fatal error: openssl/evp.h: No such file or directory
1178 | # include <openssl/evp.h>
| ^~~~~~~~~~~~~~~
compilation terminated.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/2103784200
Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
openssl is the default crypto backend since version 2.1.0 and
bc3d0feb5c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The patch 0001-Add-check-program-for-symver-attribute.patch, introduced
in 683e8387d0, touches an autoconf-relevant file which causes a
configure --recheck in the make step without proper CONF_ENV.
Running autoreconf prevents this.
Signed-off-by: Moritz Bitsch <moritz@h6t.eu>
[yann.morin.1998@free.fr: add comment, add commit reference]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With python 2.x support dropped these variables no longer exist, so
unconditionally use the python3 variant.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
LIBICONV_CONF_OPTS is wrongly overridden in a conditional since commit
0d711a64d4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
URG_CONF_OPTS is wrongly overridden in a conditional since commit
d0433603e3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
XZ_CONF_OPTS is wrongly overridden in a conditional since commit
0dbc17abcb
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
LIBGSASL_CONF_OPTS is wrongly overridden in a conditional since commit
c4ff6bf227
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
PSMISC_CONF_OPTS is overridden in a conditional since commit
953b0f4de8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
LIBGLVND_CONF_OPTS is wrongly overridden in conditionals since the
addition of the package in commit
0378e2e5d9
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since this is a helper script there is not much reason to show the
command that's been issued. Furthermore, the incantation has been
slightly extended since the script was introduced.
The only interesting reason to print the command is to know what image
it is being spawned into. However, this is prominently displayed by
docker the first time the script is run, as it can't find the image
locally and has to fetch it first. Afterwards, users can still use
'docker image ls' to see what images they have locally.
So let's remove 'set -x' before running docker.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr: reword and expand commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Found by check-package:
package/libusb/0002-linux_usbfs-fix-maybe-uninitialized-error.patch:4: generate your patches with 'git format-patch -N'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixed a vulnerability in the EAP client implementation that was caused
by incorrectly handling early EAP-Success messages. It may allow
bypassing the client and in some scenarios even the server authentication,
or could lead to a denial-of-service attack. This vulnerability has been
registered as CVE-2021-45079:
https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-(cve-2021-45079).html
https://github.com/strongswan/strongswan/releases/tag/5.9.5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Add -std=c99 to fix the following build failure with gcc 4.8 raised
since bump to version 3.7.1 in commit
cc27267ae4:
In file included from abort_handler_s.c:35:0:
safeclib_private.h:167:18: error: anonymous variadic macros were introduced in C99 [-Werror=variadic-macros]
#define slprintf(...) fprintf(stderr, __VA_ARGS__)
^
Fixes:
- http://autobuild.buildroot.org/results/5c3468585942879b47331e05058d25d324c8cc23
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Commit 471ecea5ee (core/show-info: 'name' only applies to packages)
removed the 'name' field for rootfs (really, for non-package) entries,
thus breaking the pkg-stats processing.
We fix that by excluding any entry that has no 'name', on the assumption
that if it has no name, it is not a package.
Reported-by: Xogium on IRC
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following build failure with gcc 4.8 raised since bump to
version 1.20.0 in commit 801131157d:
../gst-libs/gst/video/video-converter.c: In function 'convert_I420_v210':
../gst-libs/gst/video/video-converter.c:3771:7: error: 'for' loop initial declarations are only allowed in C99 mode
for (int j = width * 4 - 1; j >= 0; j--) {
^
Fixes:
- http://autobuild.buildroot.org/results/c4b1449f35debcbabff7e42abe239695d4ad4d21
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
harfbuzz is an optional dependency (which is enabled by default) since
version 2.0.18 and
328bbed78d
If harfbuzz is not disabled and not found, builtin harfbuzz is enabled
resulting in the following build failure without C++ since commit
f4da031a77 and
9a7ef3fb64:
configure: error: *** A compiler with support for C++11 language features is required.
Fixes:
- http://autobuild.buildroot.org/results/3fecb96a8063b1a28703682e9373714c1c9cfa24
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Disable builtin freetype2 which is enabled by default since bump to
version 2.0.18 in commit f4da031a77 and
834ec54127
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
FREETYPE_CONFIG is not used since version 2.0.15 and
50d72e5531
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Drop workaround added by commit bf899e50d8
because sudo natively supports pkg-config for searching openssl (which
is enabled by default) since version 1.9.2 and
4cadd54951
As a side-effect, this will fix the following build failure when openssl
is not installed on host (as LIBS is set before AX_PROG_CC_FOR_BUILD):
configure:8162: checking whether the C compiler works
configure:8184: /usr/bin/gcc -O2 -I/home/buildroot/autobuild/instance-2/output-1/host/include -I/home/buildroot/autobuild/instance-2/output-1/host/include -L/home/buildroot/autobuild/instance-2/output-1/host/lib -Wl,-rpath,/home/buildroot/autobuild/instance-2/output-1/host/lib conftest.c -L/home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lssl -L/home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -pthread -latomic -lcrypto -pthread -latomic >&5
/usr/bin/ld: skipping incompatible /home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libssl.a when searching for -lssl
/usr/bin/ld: skipping incompatible /home/buildroot/autobuild/instance-2/output-1/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libssl.a when searching for -lssl
/usr/bin/ld: cannot find -lssl
Fixes:
- http://autobuild.buildroot.org/results/7a5d4dd22343be46a5ddd1c1a1a8e1799517d564
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>