Fixes CVE-2017-2885: stack based buffer overflow with HTTP Chunked Encoding
For more details, see
https://bugzilla.gnome.org/show_bug.cgi?id=785774
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0f5398f0e6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2017-6362: Double-free in gdImagePngPtr()
CVE-2017-7890: Buffer over-read into uninitialized memory
Drop patches no longer needed:
0001-gdlib-config.patch: @LIBICONV@ is nowadays correctly AC_SUBST'ed by
configure
0002-gd_bmp-fix-build-with-uClibc.patch: upstream uses ceil() since
6913dd3cd2
While we're at it, add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3b85d24c1d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The USE_MMU dependency was missing from the chain of dependencies.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6c9ffcae10)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-1000249 - Stack buffer overflow with a specially crafted
.notes section in an ELF binary file.
For more details, see: http://www.openwall.com/lists/oss-security/2017/09/05/3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 89a38e6397)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-9800: Arbitrary code execution on clients through malicious
svn+ssh URLs in svn:externals and svn:sync-from-url
For more details, see
http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c6b793779c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
minnowboard_max-graphical_defconfig has the line "BR_TARGET_GRUB2=y",
but this currently has no effect because BR_TARGET_GRUB2 cannot be
selected without BR2_TOOLCHAIN_BUILDROOT_WCHAR=y, which is not set by
default.
The minnowboard max defconfig was updated to fix this problem, but the
graphical variant was not updated alongside it.
Signed-off-by: Nicholas Sielicki <sielicki@yandex.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f27c1b82cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The galileo_defconfig has the line "BR_TARGET_GRUB2=y", but this
currently has no effect because BR_TARGET_GRUB2 cannot be selected
without BR2_TOOLCHAIN_BUILDROOT_WCHAR=y, which is not set by default.
Signed-off-by: Nicholas Sielicki <sielicki@yandex.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit ca622d6222)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The kernel used so far for the galileo boards would not successfully
build with GCC versions greater than 5.
See: https://github.com/mdr78/Linux-x1000/pull/2
Signed-off-by: Nicholas Sielicki <sielicki@yandex.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 62ec0af5fb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Init script uses /var/lock/subsys/netplugd but directory
/var/lock/subsys can be missing.
Signed-off-by: Julien Corjon <corjon.j@ecagroup.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c81c6d8f3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit c96b8675ea
("support/scripts/check-bin-arch: ignore symbolic links") was bogus,
because it tested ${f}, which is the relative path of the file inside
${TARGET_DIR}, so we end up testing if ${f} on the system is a
symbolic link.
This commit fixes that by testing ${TARGET_DIR}/${f}.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit cb0f3fa13f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit da32b49f00
("instrumentation: extend packages-file-list.txt with symlinks and
directories"), the packages-file-list.txt also contains symbolic
links. Therefore, check-bin-arch is now also checking symbolic links.
However, symbolic links in $(TARGET_DIR) can have absolute paths as
targets, such as:
    $ ls -l output/target/sbin/ifdown
    lrwxrwxrwx 1 thomas thomas 10 Sep 3 15:55 output/target/sbin/ifdown -> /sbin/ifup
Therefore, we are now potentially checking a host binary, which
obviously makes check-bin-arch fail.
This commit changes check-bin-arch to ignore symbolic links. Indeed,
we have two cases:
- The symbolic link really points to something that will be in the
  rootfs (such as /sbin/ifup above). In this case, /sbin/ifup will be
  checked separately by check-bin-arch.
- The symbolic link doesn't point to something that will be in the
  rootfs, and that is not a problem from the perspective of
  check-bin-arch, which checks the architecture of target binaries.
Fixes:
http://autobuild.buildroot.net/results/16d384a0183d477646ac7692feb65f00dde7d068/
(vim)
http://autobuild.buildroot.net/results/50429c0f63a8befff9e20899327b9a8d754d99be/
(ifupdown)
http://autobuild.buildroot.net/results/1db65973e782bfa61abcbccd3501bfd235f77288/
(gawk)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c96b8675ea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gnupg2 migrated to libusb-1.0 in version 2.1.12.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 65818acad6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Provide the path to HOST_DIR for libxml, libxslt and libiconv like for
the target variant to avoid a build issue on host where /bin is a
symlink to /usr/bin.
Indeed, the configure script uses a custom m4 macro XSTAR_LIB_CHECK to
find xml2-config:
    XSTAR_LIB_CHECK([LIBXML], [xml2-config])
This macro comes from a local m4 file m4/xstar-check-libs.m4 where it
uses:
    AC_PATH_PROG(LIBXXX()_CONFIG, xxx_config(),
    [], [$LIBXXX()_PREFIX/bin$PATH_SEPARATOR$PATH]
Since no prefix seems to be defined by $LIBXXX()_PREFIX, AC_PATH_PROG
looks by itself at /bin/ for xml2-config. So the PATH variable set
by Buildroot containing HOST_DIR/bin is ignored.
The wrong xml2-config is used during the build and the build fails
when no xml2 headers are installed on the host.
Fixes:
    src/xml_C14N.c:12:31: fatal error : libxml/xmlversion.h : No such file or directory
    #include <libxml/xmlversion.h>
    ^
    In file included from src/trans.c:4:0:
    src/trans.h:32:30: fatal error : libxml/xmlmemory.h : No such file or directory
    #include <libxml/xmlmemory.h>
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
[Thomas: remove french messages from the commit log, drop
--with-libiconv-prefix option, since we don't have a libiconv
dependency for the host.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0d8247947e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Kernel help-text states, "The ext4 filesystem requires that this feature
be enabled <...> otherwise, it will refuse to mount in the read-write
mode any filesystems that use the huge_file feature, which is enabled by
default by mke2fs.ext4."
If the rootfs is to be (re)mounted rw at boot, this must be set for the
system to successfully come up.
Signed-off-by: Nicholas Sielicki <sielicki@yandex.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 3b7d75748b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With the recent NLS rework, BR2_ENABLE_NLS doesn't imply the absence of --disable-nls, so
configure may fail with:
    configure: error: "The gtk client cannot be built without nls support. Try adding either --enable-nls or --without-gtk"
So adjust the dependencies to use BR2_SYSTEM_ENABLE_NLS instead.
As mentioned by Arnout, an alternative solution could be to explicitly pass
--enable-nls as the stub functions are now available everywhere - But I went
with the dependency for consistency reasons.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following configure issue:
    checking for GTK... no
    configure: error: Package requirements (gtk+-3.0 >= 3.4.0
    glib-2.0 >= 2.32.0
    gio-2.0 >= 2.26.0,
    gmodule-2.0 >= 2.32.0
    gthread-2.0 >= 2.32.0) were not met:
libgtk2 support was dropped in commit cdd71c642724 ((trunk gtk) #4970 remove
deprecated GTK+ API calls, raise GTK+ dependency to 3.2) which was part of
transmission-2.61.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot currently packages version 1.18 of simics, which is quite
out of date, and does not compile with Linux 4.12+. The latest package
v1.22 supports recent kernels, however that is not publicly available
anymore like the older versions.
In fact Simics is now moving away from the simicsfs kernel module, as
the kernel module has required too much maintenance work. Users should
move to the new user mode Simics agent instead. Therefore, we drop the
corresponding package from Buildroot.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
grub2 fails to configure when BR2_SSP_ALL is enabled, with the following
configure error:
    checking whether -fno-asynchronous-unwind-tables works... yes
    checking whether -fno-unwind-tables works... yes
    checking for target linking format... unknown
    configure: error: no suitable link format found
This can be worked around by enforcing -fno-stack-protector in the
package CFLAGS in a way that overrides the SSP flag, as is already done
for the valgrind package.
Fixes bug #10261.
Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
Reported-by: Dr I J Ormshaw <ian_ormshaw@waters.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2017-0379: Mitigate a local side-channel attack on Curve25519
dubbed "May the Fourth be With You".
As we are close to release, don't update to the latest 1.8.1 version,
but to a maintenance release from the 1.7 branch.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Mitigate a flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster". For details see
<https://eprint.iacr.org/2017/627>. [CVE-2017-7526]
Switch to https site for better firewall compatibility and security.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
clock_gettime is defined locally, and calls pth_int_time, which
in turn calls clock_gettime.
The USB backend shouldn't overrule clock_gettime in the first place.
This patch fixes this endless recursion by removing the local definition.
Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Commit 1b974425 (MIPS: add support for M6201 cores) explained that the
new core was not supported by upstream gcc, and as of gcc-8-trunk
that's still the case.
Ditto for 3cfbeb83 (MIPS: add support for P6600 cores).
This means that we currently allow to build an internal toolchain for
those cores, yet we have no suitable gcc version.
Disable the internal backend in this case.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2017-12865: stack overflow in dns proxy feature.
Cc: Martin Bark <martin@barkynet.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
A lot of packages expect an egl.pc to decide that EGL is available. So,
provide one.
As suggested by Alexandre, use the one from nvidia-tegra23 as template.
Reported-by: Alexandre Maumené <alexandre@maumene.org>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Alexandre Maumené <alexandre@maumene.org>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Do not mark .service file executable, otherwise systemd
will give us a warning about it.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Do not mark .service file executable, otherwise systemd
will give us a warning about it.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Do not mark .service file executable, otherwise systemd
will give us a warning about it.
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>