CVE-2004-2771 is already fixed by the Debian patch
0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch. The Debian patch
description is:
Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
more details.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
In commit
15972770cf ("package/heirloom-mailx:
security bump to version 12.5-5 from Debian"), we added CVE-2014-7844
in HEIRLOOM_MAILX_IGNORE_CVES, but with the wrong comment about it: it
is a different patch in the Debian stack of patches that fixes
it. Indeed the description of patch
0011-outof-Introduce-expandaddr-flag.patch is:
=====================================================================
Subject: [PATCH 1/4] outof: Introduce expandaddr flag
Document that address expansion is disabled unless the expandaddr
binary option is set.
This has been assigned CVE-2014-7844 for BSD mailx, but it is not
a vulnerability in Heirloom mailx because this feature was documented.
=====================================================================
See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
details.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
CVE-2023-31038 affects log4cxx only if ODBC is supported. While
CVE-2023-31038 has been fixed in newer versions of log4cxx, there is
quite a huge gap to do a version bump, and the commit that fixes
CVE-2023-31038 could not be identified.
Therefore, we want to rely on the fact that our log4cxx package does
not support ODBC: there is indeed no explicit dependency on our
unixodbc package in log4cxx.mk. However, log4cxx automatically detects
if ODBC is available and if it is, it uses it.
So what we do in this commit is backport an upstream commit, which
explicitly adds options to enable/disable ODBC and ESMTP support, and
we use them to (1) always disable ODBC and (2) explicitly
enable/disable ESMTP support.
Thanks to ODBC being disabled, we're not affected by CVE-2023-31038.
Of course, there is a potential regression for users who were relying
on the implicit unixodbc dependency, but as we could not identify the
commit fixing the CVE-2023-31038, this is the best we can do at the
moment.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Commit c1038fe47c renamed the patch, but didn't update
.checkpackageignore, leading to two failures:
.checkpackageignore:1055: ignored file package/openjdk/17.0.7+7/0001-Add-ARCv2-ISA-processors-support-to-Zero.patch is missing
package/openjdk/17.0.8+7/0001-Add-ARCv2-ISA-processors-support-to-Zero.patch:0: missing Upstream in the header (http://nightly.buildroot.org/#_additional_patch_documentation)
Rename the file in .checkpackageignore as well.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Grub 2.06 is affected by a number of CVEs, which have been fixed in
the master branch of Grub, but are not yet part of any release (there
is a 2.12-rc1 release, but nothing else between 2.06 and 2.12-rc1).
So this patch backports the relevant fixes for CVE-2022-28736,
CVE-2022-28735, CVE-2021-3695, CVE-2021-3696, CVE-2021-3697,
CVE-2022-28733, CVE-2022-28734, CVE-2022-2601 and CVE-2022-3775.
It should be noted that CVE-2021-3695, CVE-2021-3696, CVE-2021-3697
are not reported as affecting Grub by our CVE matching logic because
the NVD database uses an incorrect CPE ID in those CVEs: it uses
"grub" as the product instead of "grub2" like all other CVEs for
grub. This issue has been reported to the NVD maintainers.
This requires backporting a lot of patches, but jumping from 2.06 to
2.12-rc1 implies getting 592 commits, which is quite a lot.
All Grub test cases are working fine:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500585
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/984500679
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: fix check-package warning in patch 0002]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
The pcm-tools package contains a version.h with git attributes:
$ cat version.h
#define PCM_VERSION " ($Format:%ci ID=%h$)"
$ man 5 gitattributes
Creating an archive
export-subst
If the attribute export-subst is set for a file then Git
will expand several placeholders when adding this file to
an archive. The expansion depends on the availability of
a commit ID, i.e., if git-archive(1) has been given a tree
instead of a commit or a tag then no replacement will be
done. The placeholders are the same as those for the option
--pretty=format: of git-log(1), except that they need to be
wrapped like this: $Format:PLACEHOLDERS$ in the file. E.g.
the string $Format:%H$ will be replaced by the commit hash.
So, the archive generated by github has changed since we updated
pcm-tools in 2021-12-08 with commit d1d93d488c (package/pcm-tools:
bump to version 202110). The download was still OK in 2022-01-04 [0]
but has been failing at least since 202-08-25 [1].
Since the archive is generated on the github side, there is not much we
can do to fix this up.
We switch over to using git to do the download, and we generate the
archive locally, which we know is reproducible.
We fix the version.h so that it contains the same string as the backup
tarball we host on s.b.o.
There are three other files in pcm-tools that have git attributes, to
exclude them from the generated archive, all pertaining to CI/CD stuff:
.cirrus.yml export-ignore
.gitlab-ci.yml export-ignore
.travis.yml export-ignore
We don't remove them, because they have no impact on the build, and they
are anyway already present in the archive by the time we could act on
it...
[0] http://autobuild.buildroot.org/results/127/1276a3d49c8848039f034e7f03632df365097e94/
[1] http://autobuild.buildroot.org/results/8bb/8bbf9c36af332bbf5e7c1abcbb594a0b231ef97e/
Reported-by: Woody Douglass <wdouglass@carnegierobotics.com>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
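To see the behaviour the gitattributes excerpt above describes, here is an added shell example (not code from the pcm-tools project or from this commit): it builds a throwaway repository containing the same `$Format:%ci ID=%h$` placeholder, then archives it once from the commit and once from the bare tree object. The repository contents and the function name are constructed for the demo.

```shell
#!/bin/sh
# Added example: export-subst placeholders are expanded only when git archive
# is given a commit (or tag), not a bare tree, so the archive content depends
# on how the archive was generated rather than on the tree alone.
set -e

demo_export_subst() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.email "demo@example.invalid"
    git -C "$repo" config user.name "demo"
    # Same placeholder as the pcm-tools version.h (%% escapes % for printf).
    printf '#define PCM_VERSION " ($Format:%%ci ID=%%h$)"\n' > "$repo/version.h"
    printf 'version.h export-subst\n' > "$repo/.gitattributes"
    git -C "$repo" add version.h .gitattributes
    git -C "$repo" commit -q -m "add version.h with export-subst"

    # Archive from the commit: a commit ID is available, so the placeholder
    # is replaced by the committer date and abbreviated hash.
    from_commit=$(git -C "$repo" archive --format=tar HEAD version.h | tar -xOf - version.h)
    # Archive from the bare tree: no commit ID, so the placeholder stays literal.
    from_tree=$(git -C "$repo" archive --format=tar 'HEAD^{tree}' version.h | tar -xOf - version.h)

    echo "from commit: $from_commit"
    echo "from tree:   $from_tree"
    rm -rf "$repo"

    # Succeed only if the commit-based archive was rewritten while the
    # tree-based one still carries the literal $Format:...$ marker.
    case "$from_commit" in *'$Format:'*) return 1 ;; esac
    case "$from_tree" in *'$Format:'*) return 0 ;; esac
    return 1
}

demo_export_subst
```

Because the expanded string embeds a hash and a date, two archives of the same tree can differ byte-for-byte, which is why the commit generates the archive locally from a git download instead.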
Load sample script support/testing/tests/package/sample_nu.nu onto the
target and verify proper execution by nushell
Signed-off-by: Sebastian Weyer <sebastian.weyer@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Nushell is a shell - written in Rust - that makes use of the nushell
language to interact with the operating system
Signed-off-by: Sebastian Weyer <sebastian.weyer@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This fixes a problem with the build system that would make it fail to
use pkg-config to detect libssh2. It worked anyway because -lssh2
works.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update license info. COPYING hash updated because of added reference to
additional licenses. Licenses for local snprintf and getopt
implementations do not apply, since this code is not used for Linux
targets.
Add Tatu Ylonen Permissive license of the code in pseudo.c.
Add LGPL-2.0+ license text file.
Rename BSD-3-Clause text file and update hash because of text formatting
change.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
musl 1.2.4 removed the lseek64 function, but kept a definition of lseek64
when _LARGEFILE64_SOURCE is defined.
Add patch from upstream to kill the usage of lseek64.
There is no need to backport it to older Buildroot releases, because musl 1.2.4
is not part of any release.
Fixes:
- http://autobuild.buildroot.net/results/17f/17f4ea7d62581cf8c574deeb98e1785220d5bd3f
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
According to https://www.rarlab.com/vuln_rev3_names.html this package
is not affected by CVE-2023-40477.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Each time a new pipeline is triggered, some jobs may fail due to a
temporary issue with a Gitlab runner (network, power supply, docker or
maintenance).
Most of the problems are "runner system failure" [1] and require
maintainers to restart each failed job manually to complete the
pipeline with only real failures, if any.
The "retry" keyword allows configuring how many times a job is retried
if it fails. "retry:when" allows retrying a failed job only on
specific failure types like "runner_system_failure".
While at it, retry a job if it failed due to a timeout failure (this
timeout means that the job was pending for more than 24h) [2].
Such timeout failures occur on pipelines testing each Buildroot
defconfig since there are not enough gitlab runners available to build
all of them within 24h.
Retry only jobs that are more likely to wait for a runner
(generate-gitlab-ci-yml, runtime_test_base, defconfig_base and test_pkg).
[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/4936949397 (runner system failure)
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/4936949530 (timeout failure or the job got stuck)
https://docs.gitlab.com/ee/ci/yaml/#retrywhen
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add support for PineCube with:
- U-Boot 2022.04
- Linux 5.15.61
PineCube is a low-powered, open source IP camera
with the following specs:
- Allwinner S3 Cortex-A7
- 128 MiB DDR3
- 16 MiB SPI flash
- 5 MPx OV5640 camera
- MicroSD slot
- 10/100M Ethernet with passive PoE
- 802.11 b/g/n WiFi
- Bluetooth 4.1
- USB 2.0
- 26-pin GPIO header
- Microphone
- IR LEDs for night vision
Board homepage: https://www.pine64.org/cube/
Board wiki: https://wiki.pine64.org/wiki/PineCube
Signed-off-by: Jan Havran <havran.jan@email.cz>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In Python 3.12, support for 'distutils' is going to be dropped. In
preparation for this, this commit backports an upstream i2c-tools
patch that switches the build logic to 'setuptools', future-proofing
i2c-tools to the upcoming bump to Python 3.12.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Removed patch which is now included in upstream release.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patch which is now upstream.
Replace no longer supported --with-git-submodules config option with
new --disable-download option.
Replace no longer supported --meson config option with --python config
option. The configure script expects --python to point to the python
interpreter with the meson installation.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
While switching ATF to github, the BR2_TARGET_UBOOT_CUSTOM_GIT=y
symbol was not removed. Since then this defconfig fails to build
in gitlab-ci due to the invalid defconfig check.
WARN: defconfig ./configs/freescale_imx6qsabresd_defconfig can't be used:
Missing: BR2_TARGET_UBOOT_CUSTOM_GIT=y
[1] dd42b159a5
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4889436612
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
uboot needs Python libfdt to build:
pylibfdt does not seem to be available with python3
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4839060137
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bugfix release, fixing a number of regressions in 2.0.16
From the changelog
(https://github.com/eclipse/mosquitto/blob/master/ChangeLog.txt)
2.0.17 - 2023-08-22
===================
Broker:
- Fix `max_queued_messages 0` stopping clients from receiving messages.
Closes#2879.
- Fix `max_inflight_messages` not being set correctly. Closes#2876.
Apps:
- Fix `mosquitto_passwd -U` backup file creation. Closes#2873.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the package version to 2.42.0. For the full changelog, see the release
announcement at [1].
Link: https://lore.kernel.org/git/xmqqr0nwp8mv.fsf@gitster.g/ [1]
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Release notes:
https://forum.torproject.org/t/stable-release-0-4-8-4/8884
Removed all patches due to upstream commit adding compatibility with
LibreSSL 3.5:
f3dabd705f
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Release notes: https://www.han.de/~werner/ytree.html
Removed patch which was applied upstream in a slightly changed way.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In commit ee93213d18 (package/check: fix compile issue due to missing
source file), we switched from using the released tarball, to using the
autogenerated tarball from github.
However, that means that the filename of the archive did not change,
while its content did change. The hash was promptly updated, but that
means that the archive we cache on s.b.o (and possibly the one users
may also already have locally) will not match the new hash (and
conversely).
So we switch to using the sha1-hash of the commit corresponding to the
tag.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add local patch to allow overriding CFLAGS and undefine
CONFIG_LITTLE_ENDIAN by default and use the correct endianness according
to target architecture.
Fixes:
http://autobuild.buildroot.net/results/fe67db3884573ef750eda9d0dccd5f97b3ae698e
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump qemu_arm_ebbr_defconfig and qemu_aarch64_ebbr_defconfig in sync:
- Bump Linux to v6.4.3
- Bump U-Boot to 2023.07.02
- Bump TF-A to v2.9
While at it, tune the documentation:
- Increase the amount of memory in the example commands to help run the
largest OS distributions.
- Update the link to the IR Guide to point at the latest version.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The docker image currently contains qemu-system-arm and
qemu-system-x86. Each package contains the 32-bit and 64-bit variants.
This has been sufficient for the time being.
The RISC-V ecosystem is growing rapidly. It is starting to become
mainstream. To increase the diversity in Buildroot runtime tests,
this commit adds the qemu-system-misc package in the Docker image,
in order to have the commands qemu-system-riscv{32,64}. This package
also contains other architectures (for example: microblaze, nios2,
s390x, xtensa, ...).
For Debian package details, see:
https://packages.debian.org/bullseye/qemu-system-misc
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>