Fixes:
CVE-2016-9317 - gdImageCreate() doesn't check for oversized images and
as such is prone to DoS vulnerabilities.
CVE-2016-6912 - double-free in gdImageWebPtr()
(without CVE):
Potential unsigned underflow in gd_interpolation.c
DOS vulnerability in gdImageCreateFromGd2Ctx()
Signed Integer Overflow gd_io.c
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
[Thomas:
- move condition to a different place in the .mk file, with other
similar conditions.
- add an 'else' clause to pass -no-libinput in order to explicitly
disable libinput support when the libinput package is not available.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
And tweak 0003-Sanitize-the-installation-process.patch for this new
release.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit bumps mono to version 4.6.2.16
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The efl Wayland support shouldn't select Wayland package itself. It must
be a user decision, so use "depends on" instead.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Reviewed-by: Gustavo Sverzut Barbieri <barbieri@profusion.mobi>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit bumps python pillow to 4.0.0 version
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 0.20.x does not depend on libglib2 anymore. Note that the
dependency on MMU and Thread remains, as MPD uses fork() and thread
functionality.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes #9576
When the path to a br2-external tree is relative, make enters an endless
recursive loop (paths elided for brevity):
$ make BR2_EXTERNAL=.. foo_defconfig
make[1]: stat: ../configs/../configs/../configs[...]/toto_defconfig: Filename too long
make[1]: *** No rule to make target '../configs/../configs/../configs[...]/toto_defconfig',
needed by '../configs/../configs/../configs[...]/toto_defconfig'. Stop.
Makefile:79: recipe for target '_all' failed
make: *** [_all] Error 2
It is a bit complex to understand the actual technical reason for this
never-ending expansion; it seems it happens in the code generated by the
percent_defconfig macro. Not sure why, though...
But the root cause is the relative path.
Just use absolute, canonical paths to br2-external trees. Always.
[Peter: add bugzilla reference]
Reported-by: outtierbert@gmail.com
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove patch not needed anymore: the bug has been fixed in this release.
Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On some architectures, "char" is signed (x86_64, nios2...) so the
compiler tries to convert int 0xc2 and 0xba to a signed char.
This is an error since gcc6 (Wnarrowing).
Cast string_ordinal init values.
Fixes:
http://autobuild.buildroot.net/results/bae/baef9888b1979d18171668a675985e3f3b45fda6
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/1d6/1d6bbef2cb0c8c2e00b6d7511814ff9ddb2e3073/
http://autobuild.buildroot.net/results/4c7/4c7fc92a42405e25f41394fa44f5bdc27a4538c4/
Apparently if both icu and nodejs are enabled during the nodejs host build
the nodejs buildsystem gets confused by the icu version installed by
Buildroot (icu 58.2) and the one bundled with the nodejs source tree (icu
57), which ends up in linking-time errors as:
"""
undefined reference to
`icu_58::NumberFormat::format(icu_58::StringPiece,
icu_58::UnicodeString&, icu_58::FieldPositionIterator*, UErrorCode&)
const'
"""
(note the icu_58 in the symbol name while the bundled icu version is 57)
This patch disables the (not used) i18n support in the nodejs host build
config in order to fix the issue. The issue doesn't affect the target build of
nodejs.
[Peter: add autobuilder references]
Signed-off-by: Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Save some network bandwidth.
[Peter: use TSLIB_VERSION instead of hardcoding 1.3]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also...
- Fix a typo in Config.in
- Take into account the host's architecture to download the x86 or
x86_64 version. This makes the IA32 libs dependency unnecessary.
[Peter: fix kernel headers comment as pointed out by Romain]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Also...
- Fix a typo in Config.in
- Take into account the host's architecture to download the x86 or
x86_64 version. This makes the IA32 libs dependency unnecessary.
[Peter: fix kernel headers comment as pointed out by Romain]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a critical authentication vulnerability in the MQTT plugin
(CVE-2016-9877):
MQTT (MQ Telemetry Transport) connection authentication with a
username/password pair succeeds if an existing username is provided but the
password is omitted from the connection request. Connections that use TLS
with a client-provided certificate are not affected.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
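
The failure mode described in the CVE-2016-9877 message above, as an added example (not RabbitMQ's or Buildroot's code): a minimal MQTT 3.1.1 CONNECT parser and a credential check that fails closed when the username flag is set but the password field is absent. The user table, function names and sample packets are constructed for illustration.

```python
import hmac
import struct

# Constructed credential store; plaintext only to keep the example short.
USERS = {"sensor01": "s3cr3t-example"}

def _field(buf, pos):
    """Read one MQTT length-prefixed field: 2-byte big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end

def parse_connect(payload):
    """Parse an MQTT 3.1.1 CONNECT body (fixed header already stripped)."""
    proto, pos = _field(payload, 0)
    level, flags = payload[pos], payload[pos + 1]
    pos += 4  # protocol level, connect flags, 2-byte keep-alive
    if proto != b"MQTT" or level != 4:
        raise ValueError("unsupported protocol")
    _client_id, pos = _field(payload, pos)
    if flags & 0x04:  # will flag: skip will topic and will message
        _, pos = _field(payload, pos)
        _, pos = _field(payload, pos)
    username = password = None
    if flags & 0x80:  # username flag
        username, pos = _field(payload, pos)
    if flags & 0x40:  # password flag; the spec allows a username without it
        password, pos = _field(payload, pos)
    return username, password

def authenticate(username, password):
    """Fail closed: a missing username or password is never a successful login."""
    if username is None or password is None:
        return False
    expected = USERS.get(username.decode("utf-8", "replace"))
    return expected is not None and hmac.compare_digest(expected.encode(), password)

def connect_packet(username=None, password=None):
    """Build a constructed CONNECT body to exercise the check."""
    def enc(b):
        return struct.pack(">H", len(b)) + b
    flags = 0x02 | (0x80 if username is not None else 0) | (0x40 if password is not None else 0)
    body = enc(b"MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + enc(b"client-1")
    return body + b"".join(enc(f) for f in (username, password) if f is not None)
```

A CONNECT carrying only a username is valid on the wire in MQTT 3.1.1, so the rejection has to happen in the authentication step rather than in the parser.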