Commit Graph

70529 Commits

Author SHA1 Message Date
Thomas Petazzoni
7e0e6e3b86 toolchain/toolchain-external/toolchain-external-bootlin: update to 2023.11-1
New toolchains have been released, with the following changes:

- The bleeding-edge toolchains are based on gcc 13.2, binutils 2.41,
  gdb 14.1, kernel headers 5.10, glibc 2.38, musl 1.2.4 or uclibc-ng
  1.0.45.

- The stable toolchains are based on gcc 12.3, binutils 2.40, gdb
  13.2, kernel headers 4.14, glibc 2.38, musl 1.2.4 or uclibc-ng
  1.0.45.

- The glibc version is no longer affected by CVE-2023-4911

- The gdb build has been fixed to no longer rely on uninstalled
  libbfd.so and libopcodes.so libraries

- The zlib library, which was incorrectly present in the toolchain
  sysroot, is gone, fixing various build failures encountered with
  2023.08 toolchains.

- There are now toolchains for m68k 68xxx based on uclibc and musl in
  addition to glibc, which was already supported

The careful reviewer will notice that a number of

    depends on !BR2_ARCH_NEEDS_GCC_AT_LEAST_14

are being added to the toolchains that use gcc 13.x, as per
a0d2a5cfec
("support/scripts/gen-bootlin-toolchains: generate
BR2_ARCH_NEEDS_GCC_AT_LEAST_X guard").

All 214 test cases were successfully run:

  https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1120323562

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:57:50 +01:00
Thomas Petazzoni
eab17d763c arch/Config.in: introduce BR2_ARCH_NEEDS_GCC_AT_LEAST_14
Since commit
a0d2a5cfec ("support/scripts/gen-bootlin-toolchains:
generate BR2_ARCH_NEEDS_GCC_AT_LEAST_X guard"), the
gen-bootlin-toolchains script will generate references to
BR2_ARCH_NEEDS_GCC_AT_LEAST_X including potentially against the "next"
version of gcc.

Indeed, a toolchain using gcc 13.x should have a "depends on
!BR2_ARCH_NEEDS_GCC_AT_LEAST_14" so that once some architectures that
require gcc 14.x are added, such toolchains are not made visible.

In order for this to work, we must have the
BR2_ARCH_NEEDS_GCC_AT_LEAST_x symbol ready for the N+1 version of gcc
compared to the latest one we support.

As we're supporting up to gcc 13.x right now, let's introduce the
symbol BR2_ARCH_NEEDS_GCC_AT_LEAST_14 so that gcc 13.x toolchains can
be marked depends on !BR2_ARCH_NEEDS_GCC_AT_LEAST_14.

The other alternative would be to make the gen-bootlin-toolchains a
bit smarter, and not emit this depends on
!BR2_ARCH_NEEDS_GCC_AT_LEAST_14 if BR2_ARCH_NEEDS_GCC_AT_LEAST_14 does
not exist. But this would require re-running the script when
BR2_ARCH_NEEDS_GCC_AT_LEAST_14 which we are unlikely to do. While
today, when the script is invoked, the usual check-symbols complains
and reminds us that BR2_ARCH_NEEDS_GCC_AT_LEAST_14 should be added, so
we remember to do it right away.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:57:44 +01:00
Thomas Petazzoni
b678091a1c package/pkg-qmake.mk: drop host-perl dependency
Since commit 5770a645a3 ("package/qt5:
bump packages to latest kde submodule versions"), the
QT_HEADERS_SYNC_HOOK hook no longer calls the syncqt.pl script, so
host-perl is no longer needed as a dependency of running this
hook (and as a dependency of building Qt).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:41:20 +01:00
Thomas Petazzoni
e29fcde4ba package/qt6base: remove $(TARGET_DIR)/usr/mkspecs in target-finalize
qt6base installs things in /usr/mkspecs, but also the soon to be added
qt6core5compat, and the existing package qwt as well.

So let's move the removal of /usr/mkspecs in target-finalize, where we
already remove lots of development-related directories, using a
target-finalize hook in the qt6base package.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr: make it a qt6base target-finalize hook]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:31:42 +01:00
Thomas Petazzoni
5b0c02a77a Config.in: rework BR2_DOWNLOAD_FORCE_CHECK_HASHES
BR2_DOWNLOAD_FORCE_CHECK_HASHES currently has the following
dependency:

	depends on BR2_GLOBAL_PATCH_DIR != ""

However, strictly speaking checking all hashes does not necessarily
require using BR2_GLOBAL_PATCH_DIR, as long as you don't use custom
versions.

But more importantly:

- Having this dependency means that this option is hidden when people
  don't use BR2_GLOBAL_PATCH_DIR. Instead the option should always be
  made visible, encouraging people to turn it on.

- The Config.in comment was there to mitigate this previous argument,
  but this comment then shows up all the time when you have an empty
  global patch dir.

This seems over-complicated, and it sounds much easier to have the
option unconditionally available, and visible, and clarify in its help
text that in order for this to work fully with custom package versions,
BR2_GLOBAL_PATCH_DIR can be used to provide extra hash files.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
  - fix typo noticed by Peter K.
  - reword last sentence after review by Peter K.
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:21:40 +01:00
Peter Korsgaard
5dbff1a92f package/gstreamer1-editing-services: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:45 +01:00
Peter Korsgaard
574a119101 package/gst-omx: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:41 +01:00
Peter Korsgaard
7289bdb475 package/gst1-vaapi: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:37 +01:00
Peter Korsgaard
d70360eed5 package/gst1-rtsp-server: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:33 +01:00
Peter Korsgaard
bbc3fdea58 package/gst1-python: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:29 +01:00
Peter Korsgaard
d6c03ac99e package/gst1-libav: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:25 +01:00
Peter Korsgaard
32935c020f package/gst1-devtools: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:21 +01:00
Peter Korsgaard
f93be77769 package/gst1-plugins-ugly: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:17 +01:00
Peter Korsgaard
7add923aed package/gst1-plugins-bad: security bump to version 1.22.8
Fixes the following security issue:

ZDI-CAN-22300: Heap-based buffer overflow in the AV1 codec parser when
handling certain malformed streams before GStreamer 1.22.8

https://gstreamer.freedesktop.org/security/sa-2023-0011.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:13 +01:00
Peter Korsgaard
0489447535 package/gst1-plugins-good: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:09 +01:00
Peter Korsgaard
44820b6021 package/gst1-plugins-base: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:05 +01:00
Peter Korsgaard
2631267648 package/gstreamer1: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-28 21:10:01 +01:00
Peter Seiderer
3438a8869f package/libcamera: add i.MX8 ISI pipeline option
Add i.MX8 ISI pipeline option (introduced with upstream commit [1]
since version v0.0.1).

[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=0ec982d210861cc6aaebb5d6e8f1a755a16c9792

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 23:30:14 +01:00
Peter Seiderer
5020985e39 package/libcamera: use udev configure option
Use the udev configure option introduced with upstream commit [1] (since
version v0.1.0).

[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=d314d3b98b86dec9a25ce7b829e72a790b7ead1b

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 23:26:56 +01:00
Peter Seiderer
09e61e40d2 package/libcamera: disable python bindings
Disable python binding option (introduced with upstream commit [1]
since version v0.0.1).

[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=8aa02271fd716ed046970a0b1f89176963303f50

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 23:22:06 +01:00
Yann E. MORIN
f29c5b57f9 Config.in.legacy: fix check-package errors
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 23:18:04 +01:00
Peter Seiderer
782d268aba package/libcamera: pipeline option 'raspberrypi' changed to 'rpi/vc4'
With upstream commit [1] (since version v0.1.0) the pipeline option 'raspberrypi'
was renamed to 'rpi/vc4'.

Change the buildroot option name from BR2_PACKAGE_LIBCAMERA_PIPELINE_RASPBERRYPI
to BR2_PACKAGE_LIBCAMERA_PIPELINE_RPI_VC4 (and add Config.in.legacy entry
accordingly) and move handling in Config.in/libcamera.mk to follow alphabetic
ordering.

Fixes:

  .../build/libcamera-v0.1.0/meson.build:3:0: ERROR: Options "raspberrypi" are not in allowed choices: "all, auto, imx8-isi, ipu3, rkisp1, rpi/vc4, simple, uvcvideo, vimc"

[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=726e9274ea95fa46352556d340c5793a8da51fcd

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 23:10:21 +01:00
Sebastian Bauer
bf7a1f10dd Revert "package/libcamera-apps: bump to version 1.3.0"
This reverts commit c9645fd29b.

Building libcamera-apps 1.3.0 with current libcamera 0.1.0 fails because
some of the symbols like controls::AeFlickerMode are not recognized.
According to my research, they have been introduced after libcamera 0.1.0
but there is no release version of libcamera newer than 0.1.0 available
to which we could bump.

Signed-off-by: Sebastian Bauer <mail@sebastianbauer.info>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 23:04:54 +01:00
Thomas Petazzoni
b45c2a048d package/libsoup: fix build with libxml2 2.12
This commit adds a libsoup patch that fixes the build with libxml2
2.12, only due to a missing header inclusion. The patch cannot be
submitted upstream as libsoup2 is unmaintained, and libsoup3 no longer
has the problematic XMLRPC code.

Fixes:

  http://autobuild.buildroot.net/results/4c3152720d64b204101e1611442e535b14adc41c/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 22:41:43 +01:00
Thomas Petazzoni
030497be18 package/gdb: remove support for GDB 11.x
After adding GDB 14.x and making GDB 13.x the new default, let's drop
support for GDB 11.x.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 22:39:42 +01:00
Thomas Petazzoni
03dc0fbd5c package/gdb: make GDB 13.x the default version
Following the addition of GDB 14.x, let's make GDB 13.x the default.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 22:39:40 +01:00
Thomas Petazzoni
a9a56ab6fd package/gdb: add support for GDB 14.1
All patches are still relevant, and have been rebased on top of GDB
14.1.

GDB 14.1 now needs mpfr unconditionally, so it is added as a
dependency of host-gdb, and of gdb when the full debugger is built.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
  - add comment about selecting mpfr for 14.x or later
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 22:38:42 +01:00
Yann E. MORIN
7b93aade5d Config.in.legacy: recent removals are for the future release
A few package or config removals have been introduced after the 2023.11
release, but their entries were still added to the list of options
removed in 2023.11.

The affected commits are:
    64a5831679 package/libmpd: remove package
    f93380ab1a package/gmpc: remove package
    6d8c7aecbb package/flickcurl: remove package
    f6acde11ab package/onevpl: rename package to libvpl
    fffb245f66 package/linux-headers: drop 6.5.x option

Introduce the 2024.02 section and move the 2023.11 one to where it
belongs.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 22:22:52 +01:00
Thomas Petazzoni
e5729d3008 package/gdb: build and link libbfd and libopcodes as static libraries
Since GDB 13.x and upstream commit
b686ecb5b10be9a33ab8f1bfdcff22eef920d1a5 ("gdb: link executables with
libtool"), gdb will be linked against the shared variants of libbfd
and libopcodes if they exist. However, this causes host gdb and target
gdb to not work, because our gdb package does not install libbfd and
libopcodes (to not clash with the ones potentially installed by
binutils).

In order to get around this, this commit proposes to get back to the
situation we had before GDB 13.x: libbfd and libopcodes are only
compiled as static libraries, so that they are linked directly inside
the gdb binary, avoiding the problem entirely.

This resolves:

 # gdb --version
 gdb: error while loading shared libraries: libopcodes-2.39.50.so: cannot open shared object file: No such file or directory

for target gdb, and:

 $ ./host/bin/arm-linux-gdb --version
 ./host/bin/arm-linux-gdb: error while loading shared libraries: libopcodes-2.39.50.so: cannot open shared object file: No such file or directory

for host gdb.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-27 22:11:53 +01:00
Fabrice Fontaine
a760645bfb package/gstreamer1/gst1-plugins-good: switch to libsoup3
libsoup3 is supported since
c3455def2e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-27 20:20:36 +01:00
Fabrice Fontaine
53779570e5 package/zlog: bump to version 1.2.17
License changed to Apache-2.0:
1a7b1a6fb9

https://github.com/HardySimpson/zlog/compare/1.2.16...1.2.17

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-27 20:17:41 +01:00
Fabrice Fontaine
d0c4bd703a package/wolfssl: security bump to version 5.6.6
- Use official tarball and so drop autoreconf
- Fix CVE-2023-6935, CVE-2023-6936 and CVE-2023-6937

https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-27 20:16:32 +01:00
Fabrice Fontaine
19f0837174 package/mp4v2: security bump to version 2.1.3
Fix CVE-2023-1450, CVE-2023-1451 and CVE-2023-29584

https://github.com/enzo1982/mp4v2/releases/tag/v2.1.3
https://github.com/enzo1982/mp4v2/releases/tag/v2.1.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-27 20:15:55 +01:00
Fabrice Fontaine
95a5ed7545 package/gstreamer1/gstd: drop readline dependency
readline is not a dependency since bump to version 0.15.0 in commit
cbd06adac5 and
978b503840

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-27 20:15:00 +01:00
Thomas Petazzoni
078b8558b9 package/x11r7/xwayland: security bump to 23.2.3
According to
https://lists.x.org/archives/xorg-announce/2023-December/003437.html:

  This release contains the fixes for CVE-2023-6377 and CVE-2023-6478
  in today's security advisory:
  https://lists.x.org/archives/xorg-announce/2023-December/003435.html

The release has only 10 commits compared to 23.2.2, all of which being
fixes, two of them being the security fixes. So it seems like bumping
the version is a reasonable trade-off vs. backporting the security
fixes.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-12-27 17:20:57 +01:00
Thomas Petazzoni
64a5831679 package/libmpd: remove package
Following the removal of gmpc, we can drop libmpd as well, which was
apparently developed/maintained by the same group of people. The URL
in Config.in, http://gmpcwiki.sarine.nl/index.php?title=Libmpd, no
longer works, and no new alternative upstream was found.

The reference MPD client library is libmpdclient, which is still
maintained.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 22:37:26 +01:00
Thomas Petazzoni
f93380ab1a package/gmpc: remove package
This package is unmaintained upstream:

- The URL in our Config.in,
  http://gmpcwiki.sarine.nl/index.php?title=GMPC, no longer works

- https://github.com/DaveDavenport/gmpc says it's unmaintained

- The official list of MPD clients at
  https://www.musicpd.org/clients/ says it's maintained, and points at
  http://gmpclient.org/, which is no longer owned by the developers of
  GMPC.

- It still uses libsoup (2) which we want to get rid of at some
  point.

- It was added by Gustavo Zacarias, and no version bump occurred
  since 2011.

So let's kill this package.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 22:37:22 +01:00
Thomas Petazzoni
6d8c7aecbb package/flickcurl: remove package
This package is causing some build issues, which are probably due to
the recent libxml2 upgrade:

  http://autobuild.buildroot.net/results/34d6f6c02f884ab9a2578a38ee8646e14632d6ff/

There has been no new commit upstream for the past 8 years:
https://github.com/dajobe/flickcurl, and the last release, 1.26 is
from 2014. So let's kill the package.

Fixes:

  http://autobuild.buildroot.net/results/34d6f6c02f884ab9a2578a38ee8646e14632d6ff/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 22:29:22 +01:00
Petr Vorel
9f6146acb8 package/iputils: fix IPUTILS_SITE URL
Upstream in release 20231222 shipped self generated iputils-20231222.tar.gz,
which is signed and thus has different checksum than "Source code (tar.gz)"
generated by github. Therefore different URL needs to be used to get
correct checksum.

Fixes:

  http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c

Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 22:08:41 +01:00
Fabrice Fontaine
c13199c932 package/squid: security bump to version 6.6
- Drop patch (already in version)
- Fix CVE-2023-50269: This problem allows a remote client to perform
  Denial of Service attack by sending a large X-Forwarded-For header
  when the follow_x_forwarded_for feature is configured.

https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3
https://github.com/squid-cache/squid/blob/SQUID_6_6/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 22:06:02 +01:00
Fabrice Fontaine
66a77af985 package/ksmbd-tools: security bump to version 3.5.1
Fix potential NULL dereference errors.

https://github.com/cifsd-team/ksmbd-tools/releases/tag/3.5.1
https://github.com/cifsd-team/ksmbd-tools/releases/tag/3.5.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 21:23:45 +01:00
Fabrice Fontaine
69df189aea package/libebml: security bump to version 1.4.5
Fix invalid memory access (reading beyond allocated memory) due to
missing integer overflow check.

https://github.com/Matroska-Org/libebml/blob/release-1.4.5/NEWS.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 21:23:41 +01:00
Fabrice Fontaine
37eb68c9fb package/opensc: security bump to version 0.24.0
- Drop patches (already in version) and so drop autoreconf
- Fix the following security issues:
  - CVE-2023-40660: Fix Potential PIN bypass
  - CVE-2023-40661: Important dynamic analyzers reports
  - CVE-2023-4535: Out-of-bounds read in MyEID driver handling
    encryption using symmetric keys

https://github.com/OpenSC/OpenSC/releases/tag/0.24.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 21:23:37 +01:00
Fabrice Fontaine
9e5cbbb413 package/strongswan: security bump to version 5.9.13
A vulnerability in charon-tkm related to processing DH public values was
discovered in strongSwan that can result in a buffer overflow and
potentially remote code execution. All versions since 5.3.0 are
affected.

https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html
https://github.com/strongswan/strongswan/blob/5.9.13/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 21:23:33 +01:00
Fabrice Fontaine
158edd5aa9 package/libde265: security bump to version 1.0.15
A couple of bug fixes, including the following CVEs:
 - CVE-2023-49465
 - CVE-2023-49467
 - CVE-2023-49468

https://github.com/strukturag/libde265/releases/tag/v1.0.15

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 21:23:29 +01:00
Fabrice Fontaine
01689a9a65 package/libheif: security bump to version 1.17.6
A couple of build fixes and bug fixes detected by fuzzing.

Corrects these issues:
 - CVE-2023-49462
 - CVE-2023-49463

https://github.com/strukturag/libheif/releases/tag/v1.17.6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 21:23:25 +01:00
Fabrice Fontaine
312f4ab4c8 package/onevpl-intel-gpu: add CPE variables
cpe:2.3:a:intel:onevpl_gpu_runtime is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/detail/7F7056CA-A41D-4AB5-B9CC-9DE24A27B8BA

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2023-12-26 21:21:21 +01:00
Fabrice Fontaine
449538348e package/cjson: security bump to version 1.7.17
- Fix null reference in cJSON_SetValuestring (CVE-2023-50472)
- Fix null reference in cJSON_InsertItemInArray (CVE-2023-50471)

https://github.com/DaveGamble/cJSON/releases/tag/v1.7.17

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-12-26 14:13:09 +01:00
Fabrice Fontaine
3cc18e4085 package/python-httpx: add CPE variables
cpe:2.3:a:encode:httpx is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/detail/0B9D7A81-3934-40D1-A7E4-FD8132304152

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-12-26 14:13:07 +01:00
Fabrice Fontaine
3f9709f803 package/python-uvicorn: add CPE variables
cpe:2.3:a:encode:uvicorn is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/detail/D3AA1B54-4363-4E52-90AB-01DC2080D950

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2023-12-26 14:13:05 +01:00