Commit Graph

71632 Commits

Author SHA1 Message Date
Peter Korsgaard
6711c8231a docs/website: Update for 2023.11.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-01 14:44:47 +01:00
Peter Korsgaard
880e3ea32c Update for 2023.11.2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f05246df4f)
[Peter: drop Makefile change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-01 14:42:14 +01:00
Fabrice Fontaine
64dbf7ff6a package/libpthsem: fix build with autoconf >= 2.72
Move fi statement where it belongs to fix the following build failure
raised since bump of autoconf to version 2.72 in commit
524f353602:

checking for stack setup via makecontext... ./configure: line 15863: syntax error near unexpected token `;;'

Fixes: 524f353602
 - http://autobuild.buildroot.org/results/013e0d3f72582ce3675f65786c014518682d703b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-01 09:25:16 +01:00
Fabrice Fontaine
6ee61ef95b utils/genrandconfig: fix BR2_TOOLCHAIN_BARE_METAL_BUILDROOT_ARCH
Commit b7232c51dd added default setting
for bare-metal toolchain arch but unfortunately it used configlines.add
instead of configlines.append resulting in the following build failure:

/bin/sh: line 8: /home/autobuild/autobuild/instance-1/output-1/per-package/host-gcc-bare-metal/host/bin/-ar: No such file or directory

While at it, also append /n for consistency

Fixes: b7232c51dd
 - http://autobuild.buildroot.org/results/95ac565653ddb5c14ec71470c32a34ad10b048cb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-03-01 09:13:34 +01:00
Yann E. MORIN
5f253e3e04 support/scripts/cve: fix running on older ijson versions
Commit 22b6945552 (support/scripts/cve.py: switch from NVD to FKIE for
the JSON files) had to change the decompressor from gz to xz, as the new
location is using xz compression.

That commit mentioned that it was spawning an external xz process to do
the decompression, on the pretence that "there is no xz decompressor in
Python stdlib."

Before version 3.1, ijson.items() only accepted a file-like object as
input (that file-like object could yield bytes() or str(), both were
supported). Starting with version 3.1, ijson.items() also accepts that
it be directly passed bytes() or str() directly. subprocess.check_output()
means we are now passing bytes() to ijson.items(), so it fails on ijson
versions before 3.1, with failures such as:

    [...]
      File "/usr/lib/python3/dist-packages/ijson/backends/python.py", line 25, in Lexer
        if type(f.read(0)) == bytetype:
    AttributeError: 'bytes' object has no attribute 'read'

Ubuntu 20.04, on which the pkg-stats run to generate the daily report,
only has ijson 2.3. More recent distros have more recent versions of
ijson, like Fedora 39 that has 3.2.3, recent enough to support being fed
bytes(). Commit 22b6945552 was tested on Fedora 39, so did not catch
the issue.

However, the reasoning in 22b6945552 is wrong: there *is* the lzma
module, at least since python 3.3 (that is, aeons ago), which is able to
read xz-compressed files; it also has an API similar to the gzip module,
and can provide a file-like object that exposes the decompressed data.

So, do just that: provide an lzma-wrapped file-like object to ijson, so
that we can eventually recover our daily reports that everything is
broken! :-]

Note that this construct still works on recent versions!

Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-29 18:47:16 +01:00
Fabrice Fontaine
bd5d1f5b6a package/libheif: fix libjpeg build
libheif raises the following build failure with libjpeg since bump to
version 1.17.5 in commit 5714126eda and
ebd13a20b8

/home/buildroot/autobuild/instance-3/output-1/build/libheif-1.17.5/libheif/plugins/encoder_jpeg.cc: In function 'heif_error jpeg_encode_image(void*, const heif_image*, heif_image_input_class)':
/home/buildroot/autobuild/instance-3/output-1/build/libheif-1.17.5/libheif/plugins/encoder_jpeg.cc:366:37: error: invalid conversion from 'long unsigned int*' to 'size_t*' {aka 'unsigned int*'} [-fpermissive]
  366 |   jpeg_mem_dest(&cinfo, &outbuffer, &outlength);
      |                                     ^~~~~~~~~~
      |                                     |
      |                                     long unsigned int*

Fixes:
 - http://autobuild.buildroot.org/results/8ca909564c8dabe28ad08c96ebbc04b25592e727

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-29 17:07:16 +01:00
Marcus Hoffmann
aa443e8251 package/ccache: disable building tests
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-29 17:05:59 +01:00
Yann E. MORIN
4983f9e73e support/scripts/pkg-stats: fix running on older python versions
Commit f71d9f49e5 (support/scripts/pkg-stats: fix datetime deprecation
warning) forgot to consider that the datetime.UTC suggested by python
3.12, was only introduced with python 3.11.

However, we are still generating the daily report on a python 3.8
version, which fails at runtime:
    AttributeError: module 'datetime' has no attribute 'UTC'

It turns out that datetime.UTC is just an alias for datetime.timezone.utc,
which seems to have existed since before python3...

Use datetime.timezone.utc instead of its alias.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-29 17:04:29 +01:00
Yann E. MORIN
75a3562324 support/scripts/pkg-stats: sort CVEs in HTML output
While the old NVD JSON feed provided data files where the CVEs were
sorted by ID, the new feed from FKIE does not have sorted CVEs.

Add a method to sort a list of CVE IDs (i.e. CVE ID strings, not CVE
objects!), and use that when emitting the HTML output.

The JSON output need not be sorted, because it is supposed to be used
for post-processing, and we do not care about the ordering there; a
consumer interested in sorting should sort on their side.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-02-28 20:16:54 +01:00
Yann E. MORIN
54f8d97c91 support/scripts/pkg-stats: adapt to NVD v2 json format
Commit 22b6945552 (support/scripts/cve.py: switch from NVD to FKIE for
the JSON files) missed the fact that the layout of the FKIE data files
is different from the original NVD ones. They are formatted according
to the NVD v2 API.

Most differences are relatively trivial fields renaming, and those are
easily spotted in this patch.

There is however one key difference in the layout of the configurations.
Where the NVD had "configurations" as an object with a "nodes" key, the
FKIE has a "configurations" as a list of objects with a single "nodes"
key; i.e. it is one-level deeper.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-02-28 20:12:08 +01:00
Yann E. MORIN
f71d9f49e5 support/scripts/pkg-stats: fix datetime deprecation warning
Abide by the warning reported with python 3.12:

    .../support/scripts/pkg-stats:1289: DeprecationWarning:
    datetime.datetime.utcnow() is deprecated and scheduled for removal
    in a future version. Use timezone-aware objects to represent
    datetimes in UTC: datetime.datetime.now(datetime.UTC).

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
2024-02-28 20:11:13 +01:00
Peter Korsgaard
c7b52c3ccf package/python3: security bump to version 3.11.8
Fixes the following security issue:

gh-113659: Skip .pth files with names starting with a dot or hidden file
attribute
https://github.com/python/cpython/issues/113659

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-28 19:09:32 +01:00
Yann E. MORIN
c20b2ae4ec package/openssh: fix dependencies with refpolicy
Commit 2c5a82a29c (package/openssh: select linux-pam if refpolicy
upstream is selected) did not account for the linux-pam dependencies
before selecting it, causing unmet dependencies warnings (unfortunately,
not errors), such as:

    $ KCONFIG_SEED=0xCF227CF4 make randconfig
    WARNING: unmet direct dependencies detected for BR2_PACKAGE_LINUX_PAM
      Depends on [n]: BR2_ENABLE_LOCALE [=n] && BR2_USE_WCHAR [=n] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 [=y]
      Selected by [y]:
      - BR2_PACKAGE_OPENSSH [=y] && BR2_USE_MMU [=y] && BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION [=y]

2c5a82a29c made the choice of having openssl bear the responsibility
to select linux-pam when the upstream refpolicy version was enabled.
Semantically however, the responsibility really lies within refpolicy
itself, since that's what imposes linux-pam to openssh.

Move the select to refpolicy and drop it from openssh. Then, ensure that
linux-pam is only selected when it is available.

That means that one may get an openssh that is not linked against
linux-pam, when the linux-pam dependencies are not met; refpolicy (by
way of libsepol) also has a more stringent requirement on gcc version
than linux-pam, so most probably the missing dependencies would be
locale, wchar, or a static build. We consider that situation to be a
corner case that we do not want to address.

In the future, we may have more similar situations, whereby refpolicy
would impose other packages be linked with otherwise optional
dependencies. If (when) that were (will be) the case, then the proposed
mechanism would quickly become ugly; we could then re-assess a nicer way
to do that. Until then, this is good enough.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <adam.duskett@amarulasolutions.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-28 12:23:57 +01:00
Fabrice Fontaine
13083cf8c0 package/erlang: fix build with autoconf 2.72
Use ERLANG_FIX_AUTOCONF_VERSION to fix the following build failure
raised since bump of autoconf to version 2.72 in commit
524f353602:

ERROR: autoconf of version 2.72 found in path! You need to have autoconf of version 2.71 in path.

Fixes: 524f353602
 - http://autobuild.buildroot.org/results/c9e8df3427fca9e8e75488e32bca18e81009238c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-27 23:24:05 +01:00
Fabrice Fontaine
433c4fd38b package/poco: bump to version 1.13.2
This bump will fix the following build failure raised since bump of
expat to version 2.6.0 in commit
9dad5e7d7f thanks to
75f7042b70:

src/ParserEngine.cpp: In member function 'void Poco::XML::ParserEngine::init()':
src/ParserEngine.cpp:510:17: error: 'XML_SetBillionLaughsAttackProtectionMaximumAmplification' was not declared in this scope; did you mean 'setBillionLaughsAttackProtectionMaximumAmplification'?
  510 |                 XML_SetBillionLaughsAttackProtectionMaximumAmplification(_parser, _maximumAmplificationFactor);
      |                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

https://github.com/pocoproject/poco/blob/poco-1.13.2-release/CHANGELOG

Fixes: 9dad5e7d7f
 - http://autobuild.buildroot.org/results/7fad881f85d3b89abdee35388088965f05ead277

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-27 23:23:31 +01:00
Laurent Badel
67f6d1dad2 package/micropython: update PCRE dependency to PCRE2
micropython-lib/unix-ffi/re/re.py uses libpcre2-8 since commit d8e163b.
Thus, update micropython package to select the PCRE2 package instead of PCRE.

Signed-off-by: Laurent Badel <laurentbadel@eaton.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-27 23:22:57 +01:00
Sen Hastings
4533e42622 support/scripts/pkg-stats: make current version cell scrollable
Currently, when the version string is "too long", it is arbitrarily
truncated.

This works well for commit hashes, because usually the truncation is
long enough to provide a short hash that is still unique in the
upstream VCS.

However, there are non-hash-like version strings that get truncated
and for which the discriminant part is toward the end.

Yet, adapting the version cell to the widest version string (most
probably a git hash) is not very interesting; the table is already very
large.

Make the cell with the version string scrollable: we get to keep the
best of both worlds: a narrow version cell, and a full-length version
string that can be copy-pasted if needed.

Signed-off-by: Sen Hastings <sen@hastings.org>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-25 18:45:32 +01:00
Peter Korsgaard
7a9ba7a71e Update for 2024.02-rc1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-25 12:43:07 +01:00
Fabrice Fontaine
bedcd1cd39 package/libcurl: fix libpsl static build
Fix the following static build failure with libpsl raised since bump to
version 8.6.0 in commit 5cee6b6be6:

configure:28830: /home/autobuild/autobuild/instance-6/output-1/host/bin/aarch64_be-buildroot-linux-musl-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O3 -g0 -static -Werror-implicit-function-declaration -Wno-system-headers -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -I/home/autobuild/autobuild/instance-6/output-1/host/aarch64_be-buildroot-linux-musl/sysroot/usr/include  -static -L/home/autobuild/autobuild/instance-6/output-1/host/bin/../aarch64_be-buildroot-linux-musl/sysroot/usr/lib  -L/home/autobuild/autobuild/instance-6/output-1/host/aarch64_be-buildroot-linux-musl/sysroot/usr/lib conftest.c -lpsl  -lmbedtls -lmbedx509 -lmbedcrypto -lz  -latomic >&5
/home/autobuild/autobuild/instance-6/output-1/host/lib/gcc/aarch64_be-buildroot-linux-musl/11.4.0/../../../../aarch64_be-buildroot-linux-musl/bin/ld: /home/autobuild/autobuild/instance-6/output-1/host/bin/../aarch64_be-buildroot-linux-musl/sysroot/usr/lib/libpsl.a(psl.c.o): in function `is_public_suffix':
psl.c:(.text+0x2a8): undefined reference to `idn2_lookup_u8'

[...]

checking for library containing psl_builtin... no
configure: error: libpsl was not found

Fixes: 5cee6b6be6
 - http://autobuild.buildroot.org/results/1fb15e1a99472c403d0d3b1a688902f32e78d002

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-25 08:53:34 +01:00
Fabrice Fontaine
044752f563 package/redis-plus-plus: needs threads
redis-plus-plus unconditionally uses mutex and so needs threads since its
addition in commit c46df9de21 and
1fa8f6bbfb:

In file included from /home/autobuild/autobuild/instance-5/output-1/build/redis-plus-plus-1.3.10/src/sw/redis++/connection_pool.h:27,
                 from /home/autobuild/autobuild/instance-5/output-1/build/redis-plus-plus-1.3.10/src/sw/redis++/connection_pool.cpp:17:
/home/autobuild/autobuild/instance-5/output-1/build/redis-plus-plus-1.3.10/src/sw/redis++/sentinel.h:95:10: error: 'mutex' in namespace 'std' does not name a type
   95 |     std::mutex _mutex;
      |          ^~~~~

Fixes: c46df9de21
 - http://autobuild.buildroot.org/results/cc4c54134e8a522b4c028aab4266f47cf862e2a9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-25 08:52:46 +01:00
Ahmad Fatoum
b89648b4d0 boot/barebox: install all barebox images if none were specified
When selecting barebox in menuconfig, BR2_TARGET_BAREBOX_IMAGE_FILE will
be empty by default, which causes Buildroot to install whatever the
barebox-flash-image symlink points at for barebox versions >= v2012.10.0.

This is an outdated fallback, because barebox-flash-image is only valid
when the barebox build produces a single binary. Virtually all new
defconfigs added in the last couple of years are multiconfig
(CONFIG_PBL_IMAGE=y) however, meaning that a single imx_v7_defconfig
or multi_v8_defconfig will produce many images that support different
boards or even platforms.

As there is no single valid target for barebox-flash-image to point at
in this case, this symlink will point at a non-existing
'multi-image-build' to alert the user to this fact.

As replacement for barebox-flash-image, barebox commit 550cf79c216a
("Make list of flash images and fix link all single image cases") first
released with v2015.12.0 creates a barebox-flash-images file with a list
of all images built by barebox.

Have buildroot use that file as a fallback before trying
barebox-flash-image to have a fallback that works for any recent barebox
defconfig as well.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-25 08:47:21 +01:00
Julien Olivain
9047058cd8 support/testing: add sox runtime test
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-25 08:44:22 +01:00
Fabrice Fontaine
4350d485a4 package/gdal: deflate64 needs libzlib
deflate64 unconditionally uses FAR since its addition with
d6baebcc73
resulting in the following build failure with zlib-ng since bump to
version 3.8.2 in commit d2e349301b:

In file included from /home/autobuild/autobuild/instance-2/output-1/build/gdal-3.8.2/frmts/zlib/contrib/infback9/infback9.c:6:
/home/autobuild/autobuild/instance-2/output-1/build/gdal-3.8.2/frmts/zlib/contrib/infback9/minified_zutil.h:46:17: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'uchf'
   46 | typedef uch FAR uchf;
      |                 ^~~~

Fixes: d2e349301b
 - http://autobuild.buildroot.org/results/8b55108dee4faa98c234d00a1a22b62ed948e8d3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-25 08:41:34 +01:00
Bernd Kuhls
d8982b02b6 package/php: bump version to 8.2.16
Changelog: https://www.php.net/ChangeLog-8.php#8.2.16
Release notes: https://www.php.net/releases/8_2_16.php

Updated license hash due to copyright year bump:
2575e6b88c

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-25 08:38:17 +01:00
Fabrice Fontaine
bd00f0072c package/prboom: fix build with autoconf >= 2.72
Set ac_cv_type_gid_t=yes to avoid the following build failure raised
since bump of autoconf to version 2.72 in commit
524f353602:

In file included from i_network.c:37:
../../config.h:207:15: error: two or more data types in declaration specifiers
  207 | #define gid_t int
      |               ^~~

Fixes: 524f353602
 - http://autobuild.buildroot.org/results/0d74517129130e6f26dc8c8aacae175ed8bd4b54

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 18:15:31 +01:00
Fabrice Fontaine
120cb19056 package/s390-tools: disable cargo
Set HAVE_CARGO=0 to avoid the following build failures raised since bump
to version 2.29.0 in commit 68df203366 and
e6add997eb:

error: could not compile `pvsecret` (bin "pvsecret") due to previous error

[...]

ERROR: architecture for "/usr/bin/pvsecret" is "AArch64", should be "IBM S/390"

Fixes: 68df203366
 - http://autobuild.buildroot.org/results/22035cb4d8e251f9930a7d529b91b128919252bb
 - http://autobuild.buildroot.org/results/99be6d3b2bab7c952ce02853f54924c5219aecc1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 18:14:09 +01:00
Fabrice Fontaine
01f24d041d package/tio: needs threads
tio needs threads since version 2.4 and
93e6efc001
resulting in the following build failure since bump to version 2.7 in
commit 4b33d7a47d:

In file included from /home/autobuild/autobuild/instance-7/output-1/host/riscv64-buildroot-linux-uclibc/sysroot/usr/include/stdio.h:27,
                 from ../src/tty.c:23:
/home/autobuild/autobuild/instance-7/output-1/host/riscv64-buildroot-linux-uclibc/sysroot/usr/include/features.h:218:5: warning: #warning requested reentrant code, but thread support was disabled [-Wcpp]
  218 | #   warning requested reentrant code, but thread support was disabled
      |     ^~~~~~~
../src/tty.c:43:10: fatal error: pthread.h: No such file or directory
   43 | #include <pthread.h>
      |          ^~~~~~~~~~~

Fixes: 4b33d7a47d
 - http://autobuild.buildroot.org/results/9b20ff06a0ad24b7e7f4750ebe64e2077e36164a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 18:11:10 +01:00
Peter Korsgaard
fb6274f5de Revert "package/python3: bump version to 3.12.1"
This reverts commit 36e635d2d5.

Python 3.12 is still causing too many build failures, so revert for 2024.02.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 11:34:40 +01:00
Peter Korsgaard
7bae4ea6ee Revert "package/python3: fix install when tk is disabled"
This reverts commit 687b96db4d.

Python 3.12 is still causing too many build failures, so revert for 2024.02.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 11:33:11 +01:00
Bernd Kuhls
a4a0ecacea package/samba4: bump version to 4.19.5
Release notes: https://www.samba.org/samba/history/samba-4.19.5.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 11:17:08 +01:00
Fabrice Fontaine
02ecb096ad package/nodejs: security bump to version 20.11.1
- Fix CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017,
  CVE-2023-46809, CVE-2024-21891, CVE-2024-21890 and CVE-2024-22025

- LICENSE hash changed due to two things:
  * c-ares vendored dependency license got updated [1]. This is unused
    by buildroot though anyway
  * base64 vendored library license updated copyright years and sorted
    contributor names [2], [3]

- This bump will fix the following build failure raised since bump of
  python to version 3.12.1 in commit 36e635d2d5
  thanks to
  95534ad82f
  6557c1c9b1:

Traceback (most recent call last):
  File "/home/autobuild/autobuild/instance-2/output-1/build/host-nodejs-src-20.9.0/configure.py", line 17, in <module>
    from distutils.version import StrictVersion
ModuleNotFoundError: No module named 'distutils'

https://github.com/nodejs/node/blob/v20.11.1/CHANGELOG.md

[1] https://github.com/c-ares/c-ares/pull/556
[2] 2e8ad2aec2
[3] d7bca2bb29

Fixes: 36e635d2d5
 - http://autobuild.buildroot.org/results/8b38bc4b7879a0349c1305e2fcb458a0cfd04a93

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-By: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 11:15:51 +01:00
Fabrice Fontaine
66cfd29e97 package/c-ares: security bump to version 1.27.0
Fix CVE-2024-25629: Reading malformatted /etc/resolv.conf,
/etc/nsswitch.conf or the HOSTALIASES file could result in a crash.

https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q
https://github.com/c-ares/c-ares/releases/tag/cares-1_27_0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 11:15:20 +01:00
Vincent Fazio
fbedcfa221 package/gcc: remove orphaned 10.4.0 patch
Shortly before GCC 10.4.0 was dropped in d37a8f3a2, commit 4ce0dacb6 was
merged and introduced a patch to 10.4.0 that was not accounted for by
the patch that dropped 10.4.0 support.

Fixes: d37a8f3a2 ("package/gcc: remove gcc 10.x")
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 11:13:25 +01:00
Marcus Hoffmann
bd2f99246c package/libuv: security bump to version 1.48
Fixes: CVE-2024-24806 / GHSA-f74f-cvh7-c6q6 [1]

Release Notes: https://github.com/libuv/libuv/releases/tag/v1.48.0
Full Changelog: https://github.com/libuv/libuv/blob/v1.48.0/ChangeLog

[1]: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6

Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 11:12:53 +01:00
Bernd Kuhls
05ca551c3b {linux, linux-headers}: bump 4.19.x / 5.{4, 10, 15}.x / 6.{1, 6}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-24 11:12:27 +01:00
Fabrice Fontaine
900bd80e9b package/zlib-ng: fix arm build
zlib-ng usage uses CMAKE_C_COMPILER_TARGET which is non-standard and
is not supposed to be used by the CMakeLists.txt machinery of a
particular package.

Indeed, [1] specifies that:

  Some compiler drivers are inherently cross-compilers, such as clang
  and QNX qcc. These compiler drivers support a command-line argument
  to specify the target to cross-compile for.

buildroot is not using clang nor QNX qcc.
[2] also refers to this variable only for clang [3] and QNX [4].

Therefore, zlib-ng's usage of this variable is a bit of a hack, and it's
actually why it works when passed as an argument, because they are in
fact not supposed to use this variable.

So set CMAKE_C_COMPILER_TARGET to BR2_ARCH to fix the following arm
build failure raised since bump to version 2.0.6 in commit
d2249821d3:

-- Detecting C compile features - done
-- Arch not recognized, falling back to cmake arch: 'l'
-- Basearch 'l' not recognized, defaulting to 'x86'.
-- Basearch of 'l' has been detected as: 'x86'

[...]

/home/buildroot/autobuild/instance-0/output-1/build/zlib-ng-2.1.3/arch/x86/x86_features.c:17:12: fatal error: cpuid.h: No such file or directory
   17 | #  include <cpuid.h>
      |            ^~~~~~~~~

[1] https://cmake.org/cmake/help/latest/variable/CMAKE_LANG_COMPILER_TARGET.html
[2] https://cmake.org/cmake/help/latest/manual/cmake-toolchains.7.html
[3] https://cmake.org/cmake/help/latest/manual/cmake-toolchains.7.html#cross-compiling-using-clang
[4] https://cmake.org/cmake/help/latest/manual/cmake-toolchains.7.html#cross-compiling-for-qnx

Fixes: d2249821d3
 - http://autobuild.buildroot.org/results/1551aa69be19239a8d8e081f033e4027d679ab8f
 - http://autobuild.buildroot.org/results/075d704c0f11710353bac43478e4501addcd747d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 21:15:39 +01:00
Yann E. MORIN
5aade5ced5 package/sudo: drop legacy, useless, and broken post-configure hook
Commit b9e89b340e (sudo: bump version) introduced the explicit build
of mksigname and mksiglist as host tools, as they were required to run
on the build machine, to generate C code then used to build the target
program.

This is now failing to build since the bump to sudo 1.9.15p5 in commit
c87746afef (package/sudo: security bump to version 1.9.15p5)
(lines manually wrapped and slightly elided for ease of reviewing):

    /usr/bin/cpp \
        -I/home/ymorin/dev/buildroot/O/master/per-package/sudo/host/include \
        -I../../include \
        -I../.. \
        ./sys_signame.h \
    | /usr/bin/sed -e '1,/^int sudo_end_of_headers;/d' -e '/^#/d' > mksigname.h
    In file included from /usr/include/features.h:394,
                     from /usr/include/sys/types.h:25,
                     from ./sys_signame.h:4:
    /usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64"
       26 | #   error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64"
          |     ^~~~~
    /usr/bin/gcc -I../../include -I../.. -I. -I. \
        -D_PATH_SUDO_CONF=\"/etc/sudo.conf\"
        -I/home/ymorin/dev/buildroot/O/master/per-package/sudo/host/include \
        -DDEFAULT_TEXT_DOMAIN=\"sudo\" \
        -O2 \
        -I/home/ymorin/dev/buildroot/O/master/per-package/sudo/host/include \
        ./mksigname.c -o mksigname
    In file included from /usr/include/features.h:394,
                     from /usr/include/bits/libc-header-start.h:33,
                     from /usr/include/stdlib.h:26,
                     from ./mksigname.c:27:
    /usr/include/features-time64.h:26:5: error: #error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64"
       26 | #   error "_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64"
          |     ^~~~~
    make[2]: *** [Makefile:263: mksigname] Error 1

The core of the issue has not been really identified, but it turns out
that neither mksiglist nor mksignames is used during the build. This has
been tested with a minimal sudo with no option, and with a sudo with all
options enabled (linux-pam, zlib, openldap, and openssl), with the
three types of C libraries (glibc, musl, and uClibc-ng).

Digging in the sudo buildsystem did not reveal an obvious reason when
those would be needed either.

Drop the hook now it seems it is no longer used and is actually breaking
the build.

Fixes: http://autobuild.buildroot.org/results/72f/72ff18fb9b41394a29006f881ee1fbea67a66a09/

Note that there is a second issue in there: the call to the host cpp
fails, but since it is on the LHS of a pipe, the error is lost, as the
RHS of the pipe (the sed call) succeeds; a fix for that will be sent
in a separate patch.

Reported-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@aperture.us>
2024-02-21 21:08:23 +01:00
Julien Olivain
a2e08963a2 package/highway: bump to version 1.1.0
For release note, see [1].

This commit removes the package patch, as it is now included in this new
release.

LICENSE-BSD3 hash changed, due to reformatting. See [2].

[1] https://github.com/google/highway/releases/tag/1.1.0
[2] edc35d14c7

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 19:02:22 +01:00
Romain Naour
ec344d6013 DEVELOPERS: add Romain Naour for am574x_idk_defconfig
The DEVELOPERS entry was missing.

Fixes: 35eb74c634 ("configs/am574x_idk_defconfig: new defconfig")
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 19:00:58 +01:00
Michael Vetter
1c32cdd545 package/libstrophe: bump to version 0.13.1
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 18:57:14 +01:00
Fabrice Fontaine
3b2bea40ab package/cegui: fix build with libxml2 >= 2.12
Fix the following build failure raised since bump of libxml2 to version
2.12.1 in commit d8ac52108c:

/home/buildroot/autobuild/instance-1/output-1/build/cegui-00b4e1fe174da53b7ed726ab5970ba51bd5b5ee0/cegui/src/XMLParserModules/Libxml2/XMLParser.cpp: In member function 'virtual void CEGUI::LibxmlParser::parseXML(CEGUI::XMLHandler&, const CEGUI::RawDataContainer&, const CEGUI::String&, bool)':
/home/buildroot/autobuild/instance-1/output-1/build/cegui-00b4e1fe174da53b7ed726ab5970ba51bd5b5ee0/cegui/src/XMLParserModules/Libxml2/XMLParser.cpp:111:40: error: invalid conversion from 'const xmlError*' {aka 'const _xmlError*'} to 'xmlError*' {aka '_xmlError*'} [-fpermissive]
  111 |         xmlError* err = xmlGetLastError();
      |                         ~~~~~~~~~~~~~~~^~
      |                                        |
      |                                        const xmlError* {aka const _xmlError*}

Fixes: d8ac52108c
 - http://autobuild.buildroot.org/results/b239b7b03542311e311e4612e9b811c154302a6e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 18:41:48 +01:00
Peter Korsgaard
f42004a046 boot/shim: security bump to version 15.8
Fixes the following security issues:

CVE-2023-40546 mok: fix LogError() invocation
CVE-2023-40547 - avoid incorrectly trusting HTTP headers
CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

https://github.com/rhboot/shim/tree/15.8

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 18:22:07 +01:00
Adrian Perez de Castro
9a7a7f3d13 package/wpewebkit: update ARM NEON patch for 2.42.x
Update patch to compile correctly with newer versions of GCC, which
has gotten stricter about the placement of the alignas() attribute.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[yann.morin.1998@free.fr: update .checkpackageignore]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 18:20:07 +01:00
Adrian Perez de Castro
5275e14125 package/wpewebkit: security bump to version 2.42.5
Fixes the following security issues:

https://wpewebkit.org/security/WSA-2024-0001.html

- CVE-2024-23222: Processing maliciously crafted web content may lead to
  arbitrary code execution. Apple is aware of a report that this issue
  may have been exploited. Description: A type confusion issue was
  addressed with improved checks.

- CVE-2024-23206: A maliciously crafted webpage may be able to
  fingerprint the user. Description: An access issue was addressed with
  improved access restrictions.

- CVE-2024-23213: Processing web content may lead to arbitrary code
  execution. Description: The issue was addressed with improved memory
  handling.

Add an upstream post-2.42.5 patch to fix an issue with an invalid
backport causing a build issue.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 18:19:52 +01:00
Frank Vanbever
d4b065e35c package/libmodsecurity: security bump to 3.0.12
The project has been transferred from Trustwave (SpiderLabs) to OWASP, hence the
change in URLs. The upstream CPE vendor ID will likely also change in the future
but the upstream is still working on this [1].

- Fixes:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1019

[1] https://github.com/owasp-modsecurity/ModSecurity/issues/3083

Signed-off-by: Frank Vanbever <frank.vanbever@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 18:09:35 +01:00
Romain Naour
a9990552eb support/testing: TestCheckPackage: update expected strings
Commit dfed5acb56 ("utils/check-package: use https for the manual URL")
replaced the default url to the Buildroot manual while it was used
by TestCheckPackage test.

Update TestCheckPackage with https url.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/6224243484

Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-21 18:04:43 +01:00
Kadambini Nema
59e2a8ed5a package/google-breakpad: fix missing include error
src/common/module.cc: In member function ‘bool google_breakpad::Module::AddFunction(Function*)’:
src/common/module.cc:194:52: error: ‘find_if’ is not a member of ‘std’; did you mean ‘find’?
  194 |     FunctionSet::iterator existing_function = std::find_if(
      |                                                    ^~~~~~~
      |                                                    find
Makefile:8309: recipe for target 'src/common/tools_mac_dump_syms_dump_syms_mac-module.o' failed

This error is seen on gcc-14.

https://chromium-review.googlesource.com/c/breakpad/breakpad/+/5137658
https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-devtools/breakpad/breakpad/0001-Fixed-missing-include-for-std-find_if.patch

Signed-off-by: Kadambini Nema <kadambini.nema@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-20 22:17:39 +01:00
Kadambini Nema
5c86121d88 package/dos2unix: bump to version 7.5.2
- Update hash of the COPYING.txt (update in year)

Signed-off-by: Kadambini Nema <kadambini.nema@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-20 22:15:24 +01:00
Marcus Hoffmann
43ae599c9e package/c-ares: bump to version 1.26.0
Changelog: https://c-ares.org/changelog.html#1_26_0

Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-20 22:04:02 +01:00
Martin Kepplinger
fb4f154dad package/tslib: bump version to 1.23
Release notes from https://github.com/libts/tslib/releases :

This release includes libts version 0.10.5 and the following changes:

 *  new filter module: module crop
 *  some build and security fixes
 *  improved release procedure

Signed-off-by: Martin Kepplinger <martink@posteo.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-20 22:03:58 +01:00