See https://security-tracker.debian.org/tracker/CVE-2018-20225 for the
rationale of ignoring this CVE. Things basically work as intended.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4.1.9 is affected by CVE-2023-36053, and 4.1.10 was released to fix
it. The changes between 4.1.9 and 4.1.10 are just:
f9a14b8f0668029fb7e0aebcae57b60dcec4a529 (tag: 4.1.10) [4.1.x] Bumped version for 4.1.10 release.
beb3f3d55940d9aa7198bf9d424ab74e873aec3d [4.1.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in EmailValidator and URLValidator.
3b48fe413f91612fb8c43fe9d489860d10c84bf7 [4.1.x] Added stub release notes for 4.1.10 and 3.2.20.
0e5948b8df5d25deb48a505cbf16f010d9dc603c [4.1.x] Fixed MultipleFileFieldTest.test_file_multiple_validation() test if Pillow isn't installed.
66e1e9b006618ba00e804d18bd90d3a9e94801b3 [4.1.x] Added CVE-2023-31047 to security archive.
d1385cc51b142b05b21b721d9d68fc461bc7241f [4.1.x] Post-release version bump.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit updates poppler to the latest version in the 22.x series,
which only has bug fixes. Here is the list of commits between 22.10.0
and 22.12.0:
df568263c51950ceed6f1fb42f80e99a2614c275 (tag: poppler-22.12.0) poppler 22.12.0
198dc1d0674c0a462668e6868c35b1ee0e731005 Form::addFontToDefaultResources: Be stubborn in finding a font we can use
a5952ab70716a2d4f792a943c2dcf3068f1d6885 Revert "CI: Fix Debian brokenness"
8fcaa7c622d24761a9ecb3922f95d072077d6f34 CI: Fix Debian brokenness
cc665f757af6b87dd245d36e079dd44d8d2d2182 (tag: poppler-22.11.0) poppler 22.11.0
a296982e1d5b4968b2bd044d80647ae6f9267526 Do not include a poppler/ file from a splash/ header
bc4a0d9a2abfcd75d9b0ee4be3f7600905fe6001 Form: Provide Unicode marker when ensuring fonts
111f38a722eedddd94faa52dda8c5e0da561fb41 Cairo: Update font after restore
907d05a6a141284aee22fbd16ab0a2fb4e0f2724 Fix crash in file that wants to do huge transparency group
e53f5aae3bce7d09788f2ad62be998895fb9807b PSOutputDev::setupResources: Fix stack overflow in malformed doc
a4ca3a96a6b1f65b335a1ea362e6c202e46ae055 topIdx can't be negative
e471f8e09bf2e38df0cf5df1acecbcca70685573 Init all the fields of JPXStreamPrivate
5190c0d4369bd9f501922585140be4ec736e24f2 No need to store smaskInData in priv
6263bb90b09326103b10e4c4edfbc5b84c884921 Page label ranges can't start in < 0
Note: this version bump does not include the fix for CVE-2023-34872,
so we still need the backported patch.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libdecor cannot be selected due to a circular dependency:
package/wayland/Config.in:1:error: recursive dependency detected!
package/wayland/Config.in:1: symbol BR2_PACKAGE_WAYLAND is selected by BR2_PACKAGE_LIBDECOR
package/libdecor/Config.in:1: symbol BR2_PACKAGE_LIBDECOR is selected by BR2_PACKAGE_MESA3D_DEMOS
package/mesa3d-demos/Config.in:1: symbol BR2_PACKAGE_MESA3D_DEMOS is selected by BR2_PACKAGE_PIGLIT
package/piglit/Config.in:1: symbol BR2_PACKAGE_PIGLIT depends on BR2_PACKAGE_WAFFLE_SUPPORTS_WAYLAND
package/waffle/Config.in:7: symbol BR2_PACKAGE_WAFFLE_SUPPORTS_WAYLAND depends on BR2_PACKAGE_WAYLAND
Without libdecor, the build fails since the bump of mesa3d-demos to
version 9.0.0 in 80304d9911:
"""
Run-time dependency libdecor-0 found: NO (tried pkgconfig and cmake)
Looking for a fallback subproject for the dependency libdecor-0
../output-1/build/mesa3d-demos-9.0.0/meson.build:88:17: ERROR: Automatic wrap-based subproject downloading is disabled
"""
Fixes:
http://autobuild.buildroot.net/results/8de50be8233f0133aadc26bda71b48d7ec329e04/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Needed for wayland support in mesa3d-demos.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Reviewed-by: Sebastian Weyer <sebastian.weyer@smile.fr>
Tested-by: Sebastian Weyer <sebastian.weyer@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of mesa3d-demos to version 9.0.0 in Buildroot commit
80304d9911, libxkbcommon is needed for
the wayland support. Without libxkbcommon, the build fails with:
Run-time dependency wayland-client, wayland-egl, xkbcommon found: NO (tried pkgconfig and cmake)
../output-1/build/mesa3d-demos-9.0.0/meson.build:62:14: ERROR: Dependency "wayland-client, wayland-egl, xkbcommon" not found, tried pkgconfig and cmake
Fixes:
http://autobuild.buildroot.net/results/1c01da4966b054de9c15f0eb3d738806c7d5d315/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Thomas: patch extracted from
https://patchwork.ozlabs.org/project/buildroot/patch/20230716145003.339645-2-bernd@kuhls.net/]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tracing is a development feature for debugging, profiling, and observing
QEMU execution. It does not make sense to enable it by default, so add a
config to enable the "log" tracing backend (the default one). Options to
select other backends may be added in the future.
Also pull a patch already reviewed upstream to install the trace events
file only if necessary:
https://patchwork.kernel.org/project/qemu-devel/patch/20230408010410.281263-1-casantos@redhat.com/
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The docs here:
https://wiki.qemu.org/ChangeLog/8.1#Build_Dependencies
indicate:
It is recommended to install distlib as well, but the build process
tries to cope with its absence and it shouldn't be necessary.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
matrix-code from es2gears has been moved to util in version 9.0.0 [1]
so now es2gears is linked with mesa3d-demo libutil (idep_util).
But at the same time the dependency on glu (dep_glu) has been added
to libutil [2]. dep_glu requires opengl (FULL_GL) to build.
In order to keep the es2gears for egl only builds we have to
split the libutil files list to build readtex.c and showbuffer.c
only if opengl is available.
Add back dep_glu since it's used in util's meson.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4936948236
https://gitlab.com/buildroot.org/buildroot/-/jobs/4936948042
[1] c33e2f731c
[2] ef24aae229
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
Reviewed-by: Julien Olivain <ju.o@free.fr>
Tested-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Following build failure occurs:
opasswd.c: In function 'compare_password':
opasswd.c:142:3: error: 'retval' undeclared (first use in this function); did you mean 'outval'?
142 | retval = outval != NULL && strcmp(outval, oldpass) == 0;
| ^~~~~~
| outval
Add a patch from upstream to fix it.
Happens since the update to 1.5.3 in Buildroot commit:
f8147e27cd
Fixes:
- http://autobuild.buildroot.net/results/576/576fc4b9ccbc6cff82569692bdec82192e89f036
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the edk2-non-osi commit to the one corresponding to version
edk2-stable202308 of edk2, based on the timestamps.
Cc: Dick Olsson <hi@senzilla.io>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the edk2-platforms commit to the one corresponding to version
edk2-stable202308 of edk2, based on the timestamps.
Cc: Dick Olsson <hi@senzilla.io>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For change log since version edk2-stable202305, see:
- https://github.com/tianocore/edk2/releases/tag/edk2-stable202308
The main motivations of this bump are the RISC-V QEMU Virt support
improvements (not yet supported in Buildroot).
Cc: Dick Olsson <hi@senzilla.io>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Clean up the implementation for reading lines by having files processed
in context managers and utilizing the iterable file object for line
reading (instead of needing to call `readlines()`).
Signed-off-by: James Knight <james.d.knight@live.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Notes:
- eglfs/vulkan is only implemented for eglfs_viv
(see stub implementation for QEglFSDeviceIntegration::createPlatformVulkanInstance()
in src/plugins/platforms/eglfs/api/qeglfsdeviceintegration.cpp and
real implementation for QEglFSVivIntegration::createPlatformVulkanInstance()
in src/plugins/platforms/eglfs/deviceintegration/eglfs_viv/qeglfsvivintegration.cpp)
- or for xcb (see QXcbIntegration::createPlatformVulkanInstance()
in src/plugins/platforms/xcb/qxcbintegration.cpp)
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Use $(VULKAN_HEADERS_VERSION) for VULKAN_TOOLS_VERSION as the vulkan packages
need to all be the same version.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Use $(VULKAN_HEADERS_VERSION) for VULKAN_LOADER_VERSION as the vulkan packages
need to all be the same version.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update the license hash as the license file is now located at LICENSE.md
instead of LICENSE.txt, and add MIT to the list of licenses.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For change log, see [1].
A notable change is that the package changed its HKDF implementation
from the python-hkdf package to python-cryptography. See [2].
This commit reflects that change in the runtime dependencies. The
python-cryptography was already an indirect dependency; it is now a
direct one.
[1] https://github.com/magic-wormhole/magic-wormhole/blob/0.13.0/NEWS.md
[2] https://github.com/magic-wormhole/magic-wormhole/pull/456
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The magic-wormhole "receive" command can output "waiting" messages
when key receival or verification are longer than a predefined
timeout:
https://github.com/magic-wormhole/magic-wormhole/blob/0.13.0/src/wormhole/cli/cmd_receive.py#L135
The intent is to have an interactive user experience.
This behavior makes the runtime test unreliable as the test always
expects the sent message as the exact output. When the test execution
is slower, it sometimes gets the "waiting" message instead of the
expected message.
Some test jobs are succeeding:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4968059737
while some others are failing.
magic-wormhole can override those timers with environment variables.
See:
https://github.com/magic-wormhole/magic-wormhole/blob/0.13.0/src/wormhole/cli/cmd_receive.py#L26
This commit sets those environment variables to larger values
(100 seconds instead of 1 by default), to make sure the test will
always pass.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4962923235
Reported-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Tested-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Backport an upstream patch fixing the build with binutils >= 2.38
for riscv's for Zicsr and Zifencei.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4987456149
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3b8e5b19ad)
[Peter: drop Makefile/Vagrantfile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3923a4fac8)
[Peter: drop Makefile change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>