Fixes CVE-2014-8148 - If a system service installs unsafe security
policy rules that allow arbitrary method calls then this prevents memory
consumption and possible privilege escalation via
UpdateActivationEnvironment.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since a while, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.
As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjust the Config.in option accordingly.
This also helps preparing the addition of other options to select
shared, shared+static or just static.
Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Fixes:
CVE-2014-7824 - Denial of service via incomplete fix for CVE-2014-3636
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix indent for LIBFOO_USERS and LIBFOO_PERMISSIONS as per the manual example.
Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It belongs to the package.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Remove --localstatedir=/var from all autotools packages where it is no longer
needed.
Also remove --localstatedir=/var/lib/dhcp from package dhcp. localstatedir is
used by dhcp to set the default directory for the leases files. This can also
be done by setting --with-*-lease-file=/var/lib/dhcp/*, which is done in
dhcp.mk.
A custom --localstatedir is left in:
* proftpd.mk
* mysql.mk
This is safe to do:
One of the good thing with autoconf is that if you pass:
--localstatedir=/var ... --localstatedir=/var/something
Then /var/something will be used. So, we can set --localstatedir=/var
by default in the infrastructure, and still have certain packages doing
weird things override it. [Thanks to Thomas Petazzoni]
Signed-off-by: Jörg Krause <jkrause@posteo.de>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The Buildroot coding style defines one space around make assignments and
does not align the assignment symbols.
This patch does a bulk fix of offending packages. The package
infrastructures (or more in general assignments to calculated variable
names, like $(2)_FOO) are not touched.
Alignment of line continuation characters (\) is kept as-is.
The sed command used to do this replacement is:
find * -name "*.mk" | xargs sed -i \
-e 's#^\([A-Z0-9a-z_]\+\)\s*\([?:+]\?=\)\s*$#\1 \2#'
-e 's#^\([A-Z0-9a-z_]\+\)\s*\([?:+]\?=\)\s*\([^\\]\+\)$#\1 \2 \3#'
-e 's#^\([A-Z0-9a-z_]\+\)\s*\([?:+]\?=\)\s*\([^\\ \t]\+\s*\\\)\s*$#\1 \2 \3#'
-e 's#^\([A-Z0-9a-z_]\+\)\s*\([?:+]\?=\)\(\s*\\\)#\1 \2\3#'
Brief explanation of this command:
^\([A-Z0-9a-z_]\+\) a regular variable at the beginning of the line
\([?:+]\?=\) any assignment character =, :=, ?=, +=
\([^\\]\+\) any string not containing a line continuation
\([^\\ \t]\+\s*\\\) string, optional whitespace, followed by a
line continuation character
\(\s*\\\) optional whitespace, followed by a line
continuation character
Hence, the first subexpression handles empty assignments, the second
handles regular assignments, the third handles regular assignments with
line continuation, and the fourth empty assignments with line
continuation.
This expression was tested on following test text: (initial tab not
included)
FOO = spaces before
FOO = spaces before and after
FOO = tab before
FOO = tab and spaces before
FOO = tab after
FOO = tab and spaces after
FOO = spaces and tab after
FOO = \
FOO = bar \
FOO = bar space \
FOO = \
GENIMAGE_DEPENDENCIES = host-pkgconf libconfuse
FOO += spaces before
FOO ?= spaces before and after
FOO :=
FOO =
FOO =
FOO =
FOO =
$(MAKE1) CROSS_COMPILE=$(TARGET_CROSS) -C
AT91BOOTSTRAP3_DEFCONFIG = \
AXEL_DISABLE_I18N=--i18n=0
After this bulk change, following manual fixups were done:
- fix line continuation alignment in cegui06 and spice (the sed
expression leaves the number of whitespace between the value and line
continuation character intact, but the whitespace before that could have
changed, causing misalignment.
- qt5base was reverted, as this package uses extensive alignment which
actually makes the code more readable.
Finally, the end result was manually reviewed.
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Cc: Yann E. Morin <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
CVE-2014-3635 - Buffer access with incorrect length value
CVE-2014-3636 - Allocation of file descriptors or handles
without limits or throttling
CVE-2014-3637 - Missing release of file descriptor or handle after
effective lifetime
CVE-2014-3638 - Algorithmic complexity
CVE-2014-3639 - Allocation of file descriptors or handles without
limits or throttling
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Enable systemd support if systemd is selected as init system (require
systemd compatibility libraries).
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This fixes a problem in other packages when they link against dbus. For
instance, with the dnsmasq package:
/buildroot/output/host/usr/bin/mipsel-ctng-linux-uclibc-gcc --static
-lidn -o dnsmasq cache.o rfc1035.o util.o option.o forward.o network.o
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o helper.o
tftp.o log.o conntrack.o dhcp6.o rfc3315.o dhcp-common.o outpacket.o
radv.o slaac.o auth.o ipset.o domain.o dnssec.o blockdata.o
-L/buildroot/output/host/usr/mipsel-buildroot-linux-uclibc/sysroot/usr/lib
-ldbus-1 -lpthread
-L/buildroot/output/host/usr/mipsel-buildroot-linux-uclibc/sysroot/usr/lib
-lidn -liconv
-L/buildroot/output/host/usr/mipsel-buildroot-linux-uclibc/sysroot/usr/lib
-llua -lm -Wl,-Bstatic -lhogweed
-L/buildroot/output/host/usr/mipsel-buildroot-linux-uclibc/sysroot/usr/lib
-lnettle -lgmp -Wl,-Bdynamic -Wl,-Bstatic -lgmp -Wl,-Bdynamic
/buildroot/output/host/usr/mipsel-buildroot-linux-uclibc/sysroot/usr/lib/libpthread.a(init.os):
In function `__pthread_initialize_minimal_internal':
init.c:(.text+0x26c): undefined reference to `__libc_setup_tls'
collect2: error: ld returned 1 exit status
make[2]: *** [dnsmasq] Error 1
make[2]: Leaving directory
`/buildroot/output/build/dnsmasq-2.71/src'
When dnsmasq tries to link against dbus it checks the dbus pkgconfig
file to obtain the LIBS that it need to pass to the linker. In the dbus
.pc file you have "-ldbus-1 -lpthread" because -lpthread was used when
building dbus. If you use -pthread when you build dbus, then you will
have -pthread in the dbus .pc file as well.
-lpthread means that we want to link with a library called pthread.
-pthread is a compiler option which will do whatever is needed to be
done to compile with the pthreads standards so that it works.
Fixes:
http://autobuild.buildroot.net/results/7cd/7cdab3b6f74dbfde965300a51e58a377ba30602b/
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It's there for some historical reason and breaks libpcap with dbus
support for static linkage scenarios (like the one used by tcpreplay).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream removed support for libxml2 as xml backend, select expat
unconditionally.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since we are changing the default dbus user, make sure this user is
consistently created.
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This finally removes the BR2_HAVE_DEVFILES option, that was used to
install/keep development files on target. With the recent migration of
the internal backend to the package infrastructure, we had anyway lost
the ability to build gcc for the target, and install the uClibc
development files on the target.
[Peter: also remove support/scripts/copy.sh]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
If you use a custom target skeleton with no /var/lib directory,
then the symlink installation in dbus.mk will fail. This patch
fixes this issue by creating /var/lib before creating a symlink
there.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Fixes http://autobuild.buildroot.net/results/5963d35b8933c452b8574c964e407c23a5d0412f
The microblaze toolchain has sys/inotify.h, but doesn't provide inotify_rm_*
functions, so disable inotify support.
Also disable the legacy dnotify support (which is used when inotify support
is disabled) as it has bitrotten upstream and no longer builds.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Fixes security issues:
- CVE-2012-3524: Don't access environment variables (fd.o #52202)
Thanks to work and input from Colin Walters, Simon McVittie,
Geoffrey Thomas, and others.
- Be more careful about monotonic time vs. real time, fixing
DBUS_COOKIE_SHA1 spec-compliance (fd.o #48580, David Zeuthen)
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Thanks to the pkgparentdir and pkgname functions, we can rewrite the
AUTOTARGETS macro in a way that avoids the need for each package to
repeat its name and the directory in which it is present.
[Peter: pkgdir->pkgparentdir]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
--program-prefix is now set in the auto-target infrastructure.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@anciens.enib.fr>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Now that we have libtool-2.2.x patch support, we can get rid of a bunch
of _LIBTOOL_PATH = NO, fixing (potential) cross link issues.
Notice: php not changed, as it uses a very old 1.5 version for the
embedded sqlite, where our buildroot-libtool-v1.5.patch doesn't apply.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
If /etc/init.d does not exist, we need to be sure that the dbus
startup script is installed at the right place.
Signed-off-by: Lionel Landwerlin <llandwerlin@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Now that <pkg>_INSTALL_TARGET_OPT always defaults to
'DESTDIR=$(TARGET_DIR) install', we can remove the
<pkg>_INSTALL_TARGET_OPT definition from a lot of packages.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>