CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has
an out-of-bounds read because memcpy is misused.
CVE-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has a
stack-based buffer over-read, related to file_printf and file_vprintf.
Update license files hashes; removal of trailing white spaces.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 14d6e6df7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libsapi was renamed to libtss2-sys in tpm2-tss library:
5f0ab55d4e
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8f297cc033)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since tpm2-tss version 2.0.0, tpm2 libraries have been renamed.
libsapi renamed to libtss2-sys
5f0ab55d4e
libtcti-device renamed to libtss2-tcti-device
libtcti-socket renamed to libtss2-tcti-mssim
b8584accbd
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fb9c137660)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, logger component is enabled if log4cpp is found
Moreover, it should be noted that log4cpp is now mandatory in latest
upstream:
d242896120
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 50e1d12e07)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As stated in SConstruct, the altivec runtime test breaks
cross-compilation: "This checks for an altivec optimization we use in
full text search. Different versions of gcc appear to put output bytes
in different parts of the output vector produced by vec_vbpermq. This
configure check looks to see which format the compiler produces. NOTE:
This breaks cross compiles, as it relies on checking runtime
functionality for the environment we're in."
Fixes:
- http://autobuild.buildroot.org/results/162198617979a83b66f70ed6013251942ed04d67
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9fd193141)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mongodb (like gnuradio) needs host-python2 however there is no way to
enforce this so add a dependency on !BR2_PACKAGE_PYTHON3.
Indeed, if BR2_PACKAGE_PYTHON3 is selected, then buildroot will only
build and install host-python-typing for host-python3.
This issue was not raised in the previous version of mongodb as
host-scons was the only dependency however we now have
host-python-typing and host-python-pyyaml dependencies and it
does not seem right to enforce python2 on those packages
Fixes:
- http://autobuild.buildroot.org/results/693bdba2c01a1b69f56d6ee75094a6a0fc3f40b4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: propagate dependency to Config.in comment]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bf57446a0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: test BR2_PACKAGE_QT5BASE instead of BR2_PACKAGE_QT5, just for
consistency with the package we add to the DEPENDENCIES variable.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d04b12d19e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
musl does not provide inx/outx API for ARM arch, so use
io memory access via pointers which is actually done this
way in glibc/ulibc.
Fixes:
http://autobuild.buildroot.net/results/bf10cbe40c0f672c34db72e4eea4c168d5932bd4/
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d12d3969d1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch fixes the build issue reported by autobuilder [0].
/home/naourr/work/instance-2/output/build/qt5webkit-5.9.1/Source/WebCore//.obj/platform/leveldb/LevelDBDatabase.o: In function
`WebCore::LevelDBDatabase::openInMemory(WebCore::LevelDBComparator const*)':
LevelDBDatabase.cpp.text._ZN7WebCore15LevelDBDatabase12openInMemoryEPKNS_17LevelDBComparatorE+0x34): undefined reference to `leveldb::NewMemEnv(leveldb::Env*)'
collect2: error: ld returned 1 exit status
make[3]: *** [Makefile.api:97: ../lib/libQt5WebKit.so.5.9.1]
Error 1
The issue happens when both packages leveldb and qt5webkit are enabled.
QtWebKit builds its own copy of leveldb [1] (as a third-party) if the
system does not provided it (i.e. buildroot). It builds it differently
and this is the origin of that issue. Instead of using the Makefile
provided by leveldb [2], QtWebKit uses qmake to build that library [3].
The missing symbol issue happens because the symbol leveldb::NewMemEnv
is bundled in the static library libmemenv.a (aside libleveldb.so).
This static library consists of this single symbol which is like an
extra that is built but *NOT* shipped by default at installation in the
staging directory. Unfortunatly, that symbol is required later by
WebCore [4].
The copy built by QtWebKit is an all-in-one library including both
libleveldb and libmemenv; thus QtWebKit links against libleveldb only.
Also, the linker finds the buildroot's copy first (not the third-party):
that explains why it is complaining about a missing symbol. That copy
does not have the symbol leveldb::NewMemEnv.
Fortunatly, QtWebKit provides a facility to link against the system
leveldb package. The qmake flag WEBKIT_CONFIG+=use_system_leveldb tells
Qt5WebKit to link against libleveldb *AND* libmemenv [5].
To fix that issue, this commit selects the package leveldb that now
installs the libmemenv static library and its header. It ensures that
QtWebKit has everything it needs to be built. It also sets the
appropriate qmake configure flags to tell QtWebKit to use the leveldb
copy built by buildroot instead of the bundled one.
[0]: http://autobuild.buildroot.net/results/46033e82adf592c3b92c6d50cfaf45bd58beeaa4
[1]: https://github.com/qt/qtwebkit/tree/5.9/Source/ThirdParty/leveldb
[2]: https://github.com/qt/qtwebkit/blob/5.9/Source/ThirdParty/leveldb/Makefile#L167-L169
[3]: https://github.com/qt/qtwebkit/blob/5.9/Source/ThirdParty/leveldb/Target.pri#L80
[4]: https://github.com/qt/qtwebkit/blob/5.9/Source/WebCore/platform/leveldb/LevelDBDatabase.cpp#L185
[5]: https://github.com/qt/qtwebkit/blob/5.9/Source/WebCore/WebCore.pri#L254
[6]: 739c25100e
Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 2d7c746ed8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The project's static libraries are not compiled with the -fPIC compiler
flag. This prevents dynamic libraries to link against those libraries.
This commit adds a patch that sets the -fPIC compiler flag to the list of
CFLAGS/CXXFLAGS.
The project now generates position independant code for all of its
outputs (i.e. not limited anymore to its shared libraries).
Fixes:
/home/gportay/src/buildroot/output/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-amd-linux-gnu/6.2.0/../../../../x86_64-amd-linux-gnu/bin/ld: /home/gportay/src/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libmemenv.a(memenv.o): relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC
/home/gportay/src/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libmemenv.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
[Arnout: renumber patch]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 088f261dbb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The project builds a tiny static library that consists of a single
symbol which creates an in-memory LevelDB database.
That library is not installed by default and may be used by other
projects.
This commit installs in the staging directory the libmemenv.a static
library and the memenv.h header file.
Signed-off-by: Gaël PORTAY <gael.portay@collabora.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 16f847340d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
apexsink does not build with OpenSSL 1.1.x so remove this option
especially because there is no more apexsink option in gstreamer1 (since
version 1.12)
Fixes:
- http://autobuild.buildroot.org/results/a29e8a8509190fc4b3c419dae2301cf72a601f62
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c8421565b1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes a hang due to SIGCHLD not being handled correctly by
vsftpd. The patch comes from fedora and didn't make its way to
upstream yet.
More information about the bug can be found in:
- https://bugzilla.redhat.com/show_bug.cgi?id=1198259
Signed-off-by: Abdelmalek Benelouezzane <abdelmalek.benelouezzane@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 498dff7ea1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
zbar can be built statically since commit
fc4a6abfa6 so remove the dynamic library
dependency from BR2_PACKAGE_GST_PLUGINS_BAD_ZBAR
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ec9b3aec53)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch to resolve CVE-2019-5747 which affects versions prior
to 1.30.0
More information can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2019-5747
This applies to both master and 2019.02
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a49e8f34ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch to resolve CVE-2018-20679 which affects versions prior
to 1.30.0
More information can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2018-20679
This applies to both master and 2019.02
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d65d1d066b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There was a missing double quotes that would prevent the service from
starting.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Tested-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Acked-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 93321e5f16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes#11716
Latest release is 2019.02.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 964d525970)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
flashrom uses its own internal DMI decoder since version 0.9.8 and
4c6d3a4b73
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7edb1e1c29)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This change bumps libiio, to version 0.15.
This version is currently the most stable version in the series. It
contains several fixes over 0.14.
0.16 & 0.17 have been released but they have some issues with backwards
compatibility, so they are not yet recommended.
Changelog for version 0.15 (over 0.14).
Link:
https://github.com/analogdevicesinc/libiio/releases/tag/v0.15
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8478bd526f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If libsoxr is build statically against libavutil other applications
needs to know that they must link with `-lavutil` when building in a
static context.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit d81870ae81.
The patch attempts to fix static linking with libsoxr when it build with
avutils. The `Libs.private` field should not contain the full absolute path to
the static library, but only the link flags for private libraries, e.g
`-lm`.
Buildroots pkg-config prepends the sysroot to the value found in `Libs.private`
resulting in a malformed linker flag if libavutil is found:
```
-L/home/test/autobuild/run/instance-3/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lsoxr
/home/test/autobuild/run/instance-3/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/home/test/autobuild/run/instance-3/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libavutil.a
```
.. or if libavutils is not found:
```
-L/home/test/autobuild/run/instance-1/output/host/bin/../arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib -lsoxr AVUTIL_LIBRARIES-NOTFOUND
```
Revert this commit and replace the patch by a follow-up patch which only
adds `-lavutil` to `Libs.private` in case it is found and used by
libsoxr.
Fixes:
http://autobuild.buildroot.net/results/6eb4e2c9bd3884ab0152ddf873c20e62f0941181/http://autobuild.buildroot.net/results/07207b0a58a08bf7c2cb78345a58244b5e6aab0e/
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot built with systemd fails to open a login prompt on the
serial port when /dev/console is specified as BR2_TARGET_GENERIC_GETTY_PORT
(which is its default value):
systemd[1]: dev-console.device: Job dev-console.device/start timed out.
systemd[1]: Timed out waiting for device /dev/console.
systemd[1]: Dependency failed for Serial Getty on console.
systemd[1]: serial-getty@console.service: Job serial-getty@console.service/start failed with result 'dependency'.
systemd[1]: dev-console.device: Job dev-console.device/start failed with result 'timeout'.
systemd[1]: Reached target Login Prompts.
systemd[1]: Reached target Multi-User System.
According to this issue on Github [1], serial-getty@.service should
not be instantiated on /dev/console, console-getty@.service should
be used instead. This stems from the fact that there should be no
dependency on /dev/console.
[1] https://github.com/systemd/systemd/issues/10914
Signed-off-by: Xavier Ruppen <xruppen@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[Peter: drop SERVICE variable as suggested by Yann]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit c110e48cec disabled openssl support
on QT 5.6, this has the side-effect of breaking the build of cutelyst
because cutelyst does not manage build with QT_NO_SSL, see:
https://github.com/cutelyst/cutelyst/issues/159
This bump fixes the issue by bumping cutelyst to version 2.7.0 and by
removing the uneeded select on BR2_PACKAGE_OPENSSL
Fixes:
- http://autobuild.buildroot.org/results/4299221429713ace25fc234abeb81697bc410647
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit c110e48cec disabled openssl support
on QT 5.6, this has the side-effect of breaking the build of
python-pyqt5 because support of openssl is enabled on python-pyqt5 if
BR2_PACKAGE_OPENSSL is selected
To fix this issue, add a new BR2_PACKAGE_QT5BASE_OPENSSL option in
qt5base and use it in python-pyqt5
Fixes:
- http://autobuild.buildroot.org/results/e92991308d47649cecc4084e41ab5711ec96831f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: make _OPENSSL a blind option, add libressl logic for 5.6.x]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
LibreSSL build is successful with shared linkage, but not default dlopen().
Also adds patch for successful compilation by using -fpermissive.
Signed-off-by: James Grant <jamesg@zaltys.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On some architectures, atomic builtins are provided by the libatomic
library from gcc. Linking with libatomic is therefore necessary,
otherwise the build fails with:
sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line
Fixes:
- http://autobuild.buildroot.net/results/a003ad5324a0c0f55cb8db5d3e5d69bd21999e16/
- http://autobuild.buildroot.net/results/464602175d026d135125e5baa00e0729aec7a931/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
[Peter: add dependency on sync or atomic builtins in Config, addd comment]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Go "modules" refers to the dependency fetching, verification (hashing), and
version control system built into Go as of 1.11.
It is not desirable to have Go modules enabled in Buildroot in the normal case,
as Buildroot manages downloading the sources, and third party dependency
managers are typically not used.
In the absence of the GO111MODULE environment variable, the Go compiler will
correctly compile using the "vendor" version of dependencies downloaded by
Buildroot during the compilation process for Go-based packages.
However, if the user sets the GO111MODULE=on environment variable, the Go
compiler will download the Go dependencies for Buildroot packages, using the
modules system. This is potentially unintended behavior from user environment
variables.
This commit sets the GO111MODULE=off variable in the Go target and host
compilation environments, disabling Go modules support for Buildroot mainline
packages.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fixes CVE-2018-5815 and CVE-2018-5816
- README has been renamed into README.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old free-electrons.com URL does not seem to work anymore,
resulting in the package failing to build. Use bootlin.com instead.
Signed-off-by: Xavier Ruppen <xruppen@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some python packages seem to use underscores in inconsistent ways. We can
attempt to normalize these by always using dashes for the buildroot name and
attempting to autodetect the correct metadata name format.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
