Create a new user 'sudotest' to validate that sudo really works (i.e.
properly has setuid).
Creating the user and adding it to sudoers is done at runtime, otherwise
we'd need to add extra files to the config which complicates things a
little bit.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Bump kernel to version 5.12.2.
- Bump U-Boot to version 2021.04.
While at it, switch U-Boot to the Kconfig build system and add some more
comments to the defconfig.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Bump kernel to version 5.12.2.
- Bump U-Boot to version 2021.04.
While at it, enable VFPv3 with 32 registers (instead of 16) and add a few
comments to the defconfig.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When building host-cryptsetup, if tmpfiles.d support is enabled then the
install step tries to install /usr/lib/tmpfiles.d/cryptsetup.conf
globally on the host system.
Even if the tmpfiles.d config were installed correctly in the host
directory, nothing would ever run these rules, so disable this feature
via configure.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release includes security fixes:
- CVE-2021-28965: XML round-trip vulnerability in REXML
- CVE-2021-28966: Path traversal in Tempfile on Windows
https://www.ruby-lang.org/en/news/2021/04/05/ruby-3-0-1-released/
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
unrecoverable panic when reading a very large header (over 7MB on 64-bit
architectures, or over 4MB on 32-bit ones). Transport and Client are
vulnerable and the program can be made to crash by a malicious server.
Server is not vulnerable by default, but can be if the default max header
of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
in which case the program can be made to crash by a malicious client.
https://github.com/golang/go/issues/45710
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- bpo-43434: Creating a sqlite3.Connection object now also produces a
sqlite3.connect auditing event. Previously this event was only produced
by sqlite3.connect() calls. Patch by Erlend E. Aasland.
- bpo-43882: The presence of newline or tab characters in parts of a URL
could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG
urllib.parse() now removes ASCII newlines and tabs from URLs, preventing
such attacks.
- bpo-43472: Ensures interpreter-level audit hooks receive the
cpython.PyInterpreterState_New event when called through the
_xxsubinterpreters module.
- bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4
address strings. Leading zeros are ambiguous and interpreted as octal
notation by some libraries. For example the legacy function
socket.inet_aton() treats leading zeros as octal notatation. glibc
implementation of modern inet_pton() does not accept any leading zeros.
For a while the ipaddress module used to accept ambiguous leading zeros.
- bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on the
client side and needs remote attackers to control the HTTP server.
- bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
and generator code/frame attribute access.
https://www.python.org/downloads/release/python-395/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit extends the beaglev_defconfig and its documentation to
build the low-level firmware, and to explain how to reflash it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[yann.morin.1998@free.fr: use typoed-name for beaglev-ddrlnit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This packages allows to build the first stage bootloader used on the
BeagleV, which is used even before the DDR initialization and
OpenSBI/U-Boot. Yes, "secondboot" is strange for what is the first
stage bootloader, but that's the upstream name.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[yann.morin.1998@free.fr:
- add hash file
- commit is HEAD only right now, so don't reference HEAD
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit adds a package for the DDR initialization code used on the
BeagleV platform.
The typo in the package name is upstream's typo, and we just keep it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[yann.morin.1998@free.fr:
- upstream name is beaglev_ddrlnit, not *init (keep their typo)
- rename package and variables accordingly
- the referenced commit is no longer the HEAD of said branch
- add a hash file
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit adds a new package for a prebuilt bare-metal toolchain for
RISC-V 64-bit. Indeed, some bootloader/firmware for the BeagleV (and
potentially later for other platforms?) do not build with a
Linux-capable toolchain.
This uses a pre-built toolchain from SiFive, precompiled for x86-64,
so all packages using this toolchain must have the appropriate
BR2_HOSTARCH dependency.
This package is modeled after package/arm-gnu-a-toolchain/, which
package a pre-built ARM32 bare-metal toolchain.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit introduces support for the RISC-V based BeagleV platform,
which uses a Starfive JH7100.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
[yann.morin.1998@free.fr: use: eval $(make printvars)]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Until now, whenever a BR2_TARGET_OPENSBI_PLAT value was specified,
opensbi.mk was assuming that both fw_jump and fw_dynamic would be
produced. However, this is not the case: the OpenSBI per-platform
config.mk can decide which image to build.
As an example, the config.mk for VIC7100-based BeagleV only enables
producing the fw_payload image.
This commit adds three options to enable the installation of images:
one for fw_jump, one for fw_dynamic, one for fw_payload.
The options for fw_jump and fw_dynamic are "default y" when
BR2_TARGET_OPENSBI_PLAT is not empty, to preserve existing behavior.
The option for fw_payload is forcefully selected when either Linux or
U-Boot are selected as payloads.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libfribidi is an optional dependency (enabled by default) since version
0.8.0 and
17974582e6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Bartosz Bilas<b.bilas@grinn-global.com>
Reviewed-by: Bartosz Bilas<b.bilas@grinn-global.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fix CVE-2021-20208: A flaw was found in cifs-utils in versions before
6.13. A user when mounting a krb5 CIFS file system from within a
container can use Kerberos credentials of the host. The highest threat
from this vulnerability is to data confidentiality and integrity.
https://lists.samba.org/archive/samba-technical/2021-April/136467.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit 057e27029c (package/openjdk{, -bin}: bump latest to version
16.0.1+9) partially switched over to using the Github repository (which
is the new official publication channel for OpenJDK).
However, only the JDK16 was switched, because of concerns about a change
in the hash of Github-generated archives for the JDK11, due to a missing
Hg-related file on Github.
But as Arnout put it:
There's a trivial workaround: drop OPENJDK_SOURCE = .... That way,
the tarball name becomes openjdk-... instead of jdk-... and it's a
different file.
There is indeed no good reason to force a non-default filename for the
archive, so we do drop it.
As a consequence, we can fully switch over to Github for openjdk, using
the new version scheme. Of course the hash changes, but it is a new
file, so that's OK.
The filename for the JDK16 changes, but the content does not change, so
the hash does not change.
For consistency, the version scheme is also applied to openjdk-bin. Even
though it was already using Github, using that new version scheme also
allows to commonalise the variables too. The archives are the exact
same: no change in filename or content, so no hash to fixup.
Reported-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
cc: Adam Duskett <aduskett@gmail.com>
Tested-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Django 3.0.x is EOL, so move to 3.2.x which is the new LTS release. For
details of the changes and update instructions, see the announcement:
https://www.djangoproject.com/weblog/2021/apr/06/django-32-released/
Fixes the following security issues:
- CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of
the SQLPanel for Django Debug Toolbar >= 0.10.0
With Django Debug Toolbar 0.10.0 and above, attackers are able to execute
SQL by changing the raw_sql input of the SQL explain, analyze or select
forms and submitting the form. This is a high severity issue for anyone
using the toolbar in a production environment. Generally the Django Debug
Toolbar team only maintains the latest version of django-debug-toolbar,
but an exception was made because of the high severity of this issue.
The GitHub Security Advisory can be found here:
https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
- CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal
via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is
now applied. Specifically, empty file names and paths with dot segments
will be rejected.
This issue has low severity, according to the Django security policy.
- CVE-2021-32052: Header injection possibility since URLValidator accepted
newlines in input on Python 3.9.5+
On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If you
used values with newlines in HTTP response, you could suffer from header
injection attacks. Django itself wasn't vulnerable because HttpResponse
prohibits newlines in HTTP headers.
Moreover, the URLField form field which uses URLValidator silently removes
newlines and tabs on Python 3.9.5+, so the possibility of newlines
entering your data only existed if you are using this validator outside of
the form fields.
This issue was introduced by the bpo-43882 fix.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sometimes, post-build or post-image scripts need to reinvoke
Buildroot's make, for example to execute "make printvars".
However, so far post-build/image/fakeroot can't trivially run printvars
in a way that worked for both in-tree and out-of-tree builds. Indeed:
* "make printvars" would work for in-tree builds, but not out of tree
builds
* "make -C ${O} printvars" would work for out-of-tree builds, but not
in-tree builds
* "make -C ${BR2_CONFIG%/*} printvars" works in both cases, but it is
a bit cryptic, and two maintainers did not even immediately think of
it
In order to solve this, this commit exposes $(CONFIG_DIR) to
post-build/image/fakeroot scripts, through the EXTRA_ENV variable.
The documentation is updated accordingly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
- reference BR2_CONFIG as an exemple
- slightly reword the commit log accordingly
- move the doc for CONFIG_DIR next to that of BR2_CONFIG
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Email addresses are all live and some of us will start contributing
with the new collins.com domain.
Signed-off-by: Matthew Weber <matthew.weber@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When introducing OpenJDK to buildroot, the OpenJDK project did not put
releases on their GitHub page. Since then, the OpenJDK developers have
not only added OpenJDK releases to Github, they are starting to phase
out adding releases to their public-facing mercurial repository.
Compare the following URLs:
https://wiki.openjdk.java.net/display/JDKUpdates/JDK+14uhttps://wiki.openjdk.java.net/display/JDKUpdates/JDK+15uhttps://wiki.openjdk.java.net/display/JDKUpdates/JDK+16u
With JDK14, only the mercurial repository is listed. With OpenJDK15,
both the GitHub and mercurial repository are listed. Finally, with
OpenJDK16, only the GitHub repository is listed.
For consistency's sake, and for the version bump of JDK latest from 14
to 16 do the following:
- Change the repository for OpenJDK14 to point to the official GitHub
repository,
- In order to simplify and reuse the GitHub URL, modify the
OPENJDK_VERSION_MAJOR and OPENJDK_VERSION_MINOR definitions to only
include a single number for the MAJOR definition.
- Change openjdk-bin.mk to also use the same format as the openjdk.mk
file
Unfortunately, we can't yet do the switch for OpenJDK11: the Github
repository is missing a Mercurial-related file, so that the archive
for OpenJDK11 11.0.11+9 would change from the one we already have on
s.b.o and that people would alreay have locally, and we'd have a hash
mismatch, either on master, or on all pur previous relases. OpenJDK11
just got a new release mere hours ago (as of this writing), but it
hasn't yet trickled down to AdoptOpenJDK/openjdk11-binaries, so we
can't do the bump just yet...
Add a note to the OpenJDK11 case, to prepare the migration to Github
with the next version bump.
Finally, remove upstreamed patch 0001-fix-gcc-10-support.patch as it's
no longer needed.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
- meld the github switch and 14->16 bump together
- drop the github switch for 11 9because hash mismatch)
- expand commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Disable parallel build as it seems to be totally broken:
/bin/bash: line 0: cd: /home/buildroot/autobuild/instance-2/output-1/build/coremark-pro-1.1.2743/builds/linux64/gcc64/obj/bench/core: No such file or directory
/bin/sh: 1: cd: can't cd to /home/buildroot/autobuild/instance-1/output-1/build/coremark-pro-1.1.2743/builds/linux/gcc/obj/bench/fp/loops/SP
Fixes:
- http://autobuild.buildroot.org/results/7ba5e209772af7037fc735ea174d3fc3eaf46f4b
- http://autobuild.buildroot.org/results/32b51bb9eda7899b6cc331f10a860644bd6004fa
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This will fix a build failure with gcc 10
- Update indentation in hash file (two spaces)
- Drop INSTALL_SYSCONFDIR, INSTALL_WEBROOTDIR and WITH_SYSTEM_MALLOC
(not available since
df145932e3)
- Set WITHOUT_HEADERS to ON because headers are not needed and to avoid
the following build failure:
CMake Error at include/cmake_install.cmake:46 (file):
file INSTALL cannot find
"/home/fabrice/buildroot/output/build/monkey-f54856ce250c4e25735434dc75717a4b7fbfc45b/include/mk_core.h":
No such file or directory.
Call Stack (most recent call first):
cmake_install.cmake:69 (include)
Upstream is aware than the lack of release is an issue but no comments
since 2018: https://github.com/monkey/monkey/issues/276
Fixes:
- http://autobuild.buildroot.org/results/0b723937ca048228082d040100f6e6324ac8300b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
spa (i.e. plugins which can be disabled but also tools which can't be
disabled) fails to build on gcc 4.8 since bump to version 0.3.26 in
commit a6d88d3ba5:
In file included from ../spa/include/spa/pod/builder.h:34:0,
from ../spa/include/spa/param/audio/format-utils.h:34,
from ../spa/plugins/audioconvert/test-audioadapter.c:36:
../spa/include/spa/utils/hook.h:57:50: error: initializer element is not constant
#define SPA_CALLBACKS_INIT(_funcs,_data) (struct spa_callbacks){ _funcs, _data, }
^
Fixes:
- http://autobuild.buildroot.org/results/e7a36ec7166a287667572e5140685e6371a9f107
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Kernel 4.16.7 is old enough to produce the "multiple definition of `yylloc'"
error which is fixed in newer versions.
Bump the test kernel version from 4.16.7 to 5.10.34 to prevent this error wwhen
building the test image.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
containerd is now an independent project from Docker.
This commit renames the Buildroot package from docker-containerd to containerd,
adding a entry in Config.in.legacy accordingly.
containerd is an industry-standard container runtime with an emphasis on
simplicity, robustness and portability. It is available as a daemon for Linux
and Windows, which can manage the complete container lifecycle of its host
system: image transfer and storage, container execution and supervision,
low-level storage and network attachments, etc.
https://containerd.io
Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout:
- fix alphabetical ordering in package/Config.in
- also do rename in DEVELOPERS
- squash in second patch
]
Put back legacy comment for BR2_ENABLE_SSP which was dropped with commit
810ba387be
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Some libraries (libGL.so, vivante_dri.so, libEGL.so, libgbm_viv.so) are
linked against libdrm so select libdrm package.
Fixes: 8283e838f0 ("package/freescale-imx/imx-gpu-viv: bump to version 6.4.3.p1.2")
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Reviewed-by: Gary Bisson <gary.bisson@boundarydevices.com>
Tested-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Since bump to version 3.09 in commit
28b4947ed8, build fails on:
[100%] Linking CXX shared library libBulletRoboticsGUI.so
/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc64-buildroot-linux-gnu/9.3.0/../../../../sparc64-buildroot-linux-gnu/bin/ld: cannot find -lBulletExampleBrowserLib
Upstream is aware of this issue and recommends to avoid changing any
options: https://github.com/bulletphysics/bullet3/issues/3143
So don't disable bullet3 and demos apps ...
Fixes:
- http://autobuild.buildroot.org/results/1721df8b0859656f7420b0b166d1ca635e5ddc74
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: remove the options instead of setting to ON]
Fixes:
.../x86_64-buildroot-linux-gnu/bin/ld: .../host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libtomcrypt.a(md5.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
when building a shared library that links with libtomcrypt. Our only
internal user dropbear doesn't do this, so there are no autobuilder
failures.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Bump kernel to version 5.11.16.
We remove the hardcoded ttyAMA0 and rely on the firmware to discover our
console. This enables serial console on systems, which do not have an Arm
pl011 UART.
We switch to GPT disklabel and discover our root filesystem using its
PARTLABEL. This enables booting from more media, such as HDD, SD card or
USB.
We update the readme, which hinted that ACPI was mandatory. This is not
strictly the case as we can also boot with a dtb and/or a U-Boot based
firmware, with no ACPI. While at it, mention EBBR, SystemReady and explain
how to build and use a U-Boot-based qemu firmware.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Erico Nunes <nunes.erico@gmail.com>
Reviewed-by: Erico Nunes <nunes.erico@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Test that the TAICLOCK and TCP servers are working.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: indent config lines more]
Test that s6-rc service database compilation is working.
Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: indent config lines more]