Commit Graph

54631 Commits

Author SHA1 Message Date
Fabrice Fontaine
276f1e0a89 package/linux-pam: bump to version 1.5.1
- Drop patches (already in version) and so autoreconf
- cracklib is not a dependency since
  d702ff714c

https://github.com/linux-pam/linux-pam/releases/tag/v1.5.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-27 17:47:33 +01:00
Fabrice Fontaine
854ea9a98e package/efl: fix build with wepb
webpdemux support in webp is mandatory since version 1.25.0 and
df06418b6f

Fixes:
 - http://autobuild.buildroot.org/results/736357e669c35bd56e818c0c7fabd1b455f40a5f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-26 17:10:02 +01:00
Peter Korsgaard
6ca12d89f1 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 9}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-26 17:00:44 +01:00
Thomas Petazzoni
3950c53cd0 support/testing/tests/core/test_cpeid: new test
This commit adds a number of test cases to verify that the CPE_ID_*
variables are properly handled by the generic package infrastructure
and that the "make show-info" JSON output matches what we expect.

A total of 5 different example packages are used to exercise different
scenarios of CPE_ID_* variables usage.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-26 16:36:56 +01:00
Thomas Petazzoni
c02d465274 package/pkg-utils.mk: expose CPE ID in show-info when available
This commit exposes a new per-package property in the "make show-info"
JSON output: "cpe-id", which exists when a valid CPE ID is available
for the package.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-26 16:36:35 +01:00
Thomas Petazzoni
db24c08bea docs/manual: document <pkg>_CPE_ID variables
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-26 16:35:18 +01:00
Matt Weber
97a54c33c9 package/pkg-generic.mk: add CPE ID related package variables
Currently, the match between Buildroot packages and CVEs is solely
based on the package names. Unfortunately, as one can imagine, there
isn't necessarily a strict mapping between Buildroot package names,
and how software projects are referenced in the National Vulnerability
Database (NVD) which we use.

The NVD has defined the concept of CPE (Common Platform Enumeration)
identifiers, which uniquely identifies software components based on
string looking like this:

  cpe:2.3🅰️netsurf-browser:libnsbmp:0.1.2:*:*:*:*:*:*:*

In particular, this CPE identifier contains a vendor name (here
"netsurf-browser"), a product name (here "libnsbmp") and a version
(here "0.1.2").

This patch series introduces the concept of CPE ID in Buildroot, where
each package can be associated to a CPE ID. A package can define one
or several of:

 - <pkg>_CPE_ID_VENDOR
 - <pkg>_CPE_ID_PRODUCT
 - <pkg>_CPE_ID_VERSION
 - <pkg>_CPE_ID_VERSION_MINOR
 - <pkg>_CPE_ID_PREFIX

If one or several of those variables are defined, then the
<pkg>_CPE_ID will be defined by the generic package infrastructure as
follows:

  $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_NAME):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_VERSION_MINOR):*:*:*:*:*:*

<pkg>_CPE_ID_* variables that are not explicitly specified by the
package will carry a default value defined by the generic package
infrastructure.

If a package is happy with the default <pkg>_CPE_ID, and therefore
does not need to define any of <pkg>_CPE_ID_{VENDOR,PRODUCT,...}, it
can set <pkg>_CPE_ID_VALID = YES.

If any of the <pkg>_CPE_ID_{VENDOR,PRODUCT,...} variables are defined
by the package, then <pkg>_CPE_ID_VALID = YES will be set by the
generic package infrastructure.

Then, it's only if <pkg>_CPE_ID_VALID = YES that a <pkg>_CPE_ID will
be defined. Indeed, we want to be able to distinguish packages for
which the CPE ID information has been checked and is considered valid,
from packages for which the CPE ID information has never been
verified. For this reason, we cannot simply define a default value
for <pkg>_CPE_ID.

The <pkg>_CPE_ID_* values for the host package are inherited from the
same variables of the corresponding target package, as we normally do
for most package variables.

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-26 16:33:37 +01:00
Thomas Petazzoni
1ff7f003e1 support/scripts/cve.py: properly match CPEs with version '*'
Currently, when the version encoded in a CPE is '-', we assume all
versions are affected, but when it's '*' with no further range
information, we assume no version is affected.

This doesn't make sense, so instead, we handle '*' and '-' in the same
way. If there's no version information available in the CVE CPE ID, we
assume all versions are affected.

This increases quite a bit the number of CVEs and package affected:

-    "total-cves": 302,
-    "pkg-cves": 100,
+    "total-cves": 597,
+    "pkg-cves": 135,

For example, CVE-2007-4476 has a CPE ID of:

    cpe:2.3🅰️gnu:tar:*:*:*:*:*:*:*:*

So it should be taken into account. In this specific case, it is
combined with an AND with CPE ID
cpe:2.3suse:suse_linux:10:*:enterprise_server:*:*:*:*:* but since
we don't support this kind of matching, we'd better be on the safe
side, and report this CVE as affecting tar, do an analysis of the CVE
impact, and document it in TAR_IGNORE_CVES.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-26 16:31:37 +01:00
Peter Seiderer
1672e25010 package/thermald: fix time_t related compile failure
Add upstream patch [1] to fix (musl) time_t related compile failure.

Fixes:

  - https://bugs.busybox.net/show_bug.cgi?id=13336

  src/thd_trip_point.cpp: In member function ‘bool cthd_trip_point::thd_trip_point_check(int, unsigned int, int, bool*)’:
  src/thd_trip_point.cpp:250:19: error: format ‘%ld’ expects argument of type ‘long int’, but argument 6 has type ‘time_t’ {aka ‘long long int’} [-Werror=format=]
    250 |      thd_log_info("Too early to act zone:%d index %d tm %ld\n",
        |                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    251 |        zone_id, cdev->thd_cdev_get_index(),
    252 |        tm - cdevs[i].last_op_time);
        |        ~~~~~~~~~~~~~~~~~~~~~~~~~~
        |           |
        |           time_t {aka long long int}
  src/thermald.h:82:57: note: in definition of macro ‘thd_log_info’
     82 | #define thd_log_info(...) g_log(NULL, G_LOG_LEVEL_INFO, __VA_ARGS__)
        |                                                         ^~~~~~~~~~~
  src/thd_trip_point.cpp:250:59: note: format string is defined here
    250 |      thd_log_info("Too early to act zone:%d index %d tm %ld\n",
        |                                                         ~~^
        |                                                           |
        |                                                           long int
        |                                                         %lld

[1] a7136682b9.patch

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 22:48:13 +01:00
Heiko Thiery
2d38c5a4e5 package/openrc: add upstream security fix for CVE-2018-21269
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 22:46:15 +01:00
Heiko Thiery
9d40f49dbb package/openrc: fix build with gcc 10
Fixes:
 - https://bugs.busybox.net/show_bug.cgi?id=13331

Cc: mscdex@mscdex.net
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 22:44:01 +01:00
Paul Cercueil
210e9b7b24 package/cage: package does not require locale support
Drop dependency on BR2_ENABLE_LOCALE, which was marked as a dependency
of wlroots, but wlroots does not depend on it anymore.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 22:42:09 +01:00
Paul Cercueil
ae9d6fc6f4 package/wlroots: package does not require locale support
Drop dependency on BR2_ENABLE_LOCALE, which was marked as a dependency of
libinput which is selected by wlroots.  However, libinput does not depend on
BR2_ENABLE_LOCALE since commit bef6b92b67 (package/libinput: remove
dependency on BR2_ENABLE_LOCALE).

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 22:41:57 +01:00
Peter Korsgaard
d5abf5ff61 package/xinetd: add upstream security fix for CVE-2013-4342
xinetd does not enforce the user and group configuration directives for
TCPMUX services, which causes these services to be run as root and makes it
easier for remote attackers to gain privileges by leveraging another
vulnerability in a service.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 22:36:52 +01:00
Bartosz Bilas
d5e3e1144e package/python-pip: needs hashlib module
Without hashlib module pip returns the following errors:

# pip
ValueError: unsupported hash type sha224
ERROR:root:code for hash sha256 was not found.
Traceback (most recent call last):
  File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
  File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha256
ERROR:root:code for hash sha384 was not found.
Traceback (most recent call last):
  File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
  File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha384
ERROR:root:code for hash sha512 was not found.
Traceback (most recent call last):
  File "/usr/lib/python2.7/hashlib.py", line 147, in <module>
  File "/usr/lib/python2.7/hashlib.py", line 97, in __get_builtin_constructor
ValueError: unsupported hash type sha512
Traceback (most recent call last):
  File "/usr/bin/pip", line 11, in <module>
    load_entry_point('pip==20.0.2', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/site-packages/pip/_internal/cli/main.py", line 73, in main
  File "/usr/lib/python2.7/site-packages/pip/_internal/commands/__init__.py", line 96, in create_command
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
  File "/usr/lib/python2.7/site-packages/pip/_internal/commands/install.py", line 24, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_internal/cli/req_command.py", line 15, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_internal/index/package_finder.py", line 21, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_internal/index/collector.py", line 12, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/requests/__init__.py", line 43, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/__init__.py", line 7, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connectionpool.py", line 29, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/connection.py", line 40, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/__init__.py", line 7, in <module>
  File "/usr/lib/python2.7/site-packages/pip/_vendor/urllib3/util/ssl_.py", line 8, in <module>
ImportError: cannot import name md5

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 22:35:30 +01:00
Peter Korsgaard
f7fc4bf1b9 package/ncurses: mark CVE-2019-1759{4, 5} as fixed by 20191012 patch
According to the NVE data, these are fixes in the 20191012 patch - So mark
them as such.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 08:53:35 +01:00
Fabrice Fontaine
27af87813e package/spandsp: disable MMX on i686
MMX raises the following build failure on i686:

gsm0610_rpe.c: In function 'gsm0610_rpe_encoding':
gsm0610_rpe.c:132:5: error: invalid 'asm': invalid constraints for operand
     __asm__ __volatile__(
     ^~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/3e986c3109c392afe47fc98446a2563ac9776cf6
 - http://autobuild.buildroot.org/results/00ed4a4285b35d8ec0be09217e5b503e4820d971

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-23 08:52:47 +01:00
Ismael Luceno
3f2ccb4682 package/axel: bump version to 2.17.10
Signed-off-by: Ismael Luceno <ismael@iodev.co.uk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 22:32:17 +01:00
Peter Seiderer
f457760f54 package/wireless-regdb: bump version to 2020.11.20
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 16:57:22 +01:00
Fabrice Fontaine
0279850fef package/jpeg-turbo: fix license hash
Commit 105d61c850 forgot to update hash of
LICENSE.md (update in year:
00607ec260)

While at it, also update indentation in hash file (two spaces)

Fixes:
 - http://autobuild.buildroot.org/results/66fb5c0171af73d4c1c93241b285fac8f8f494f7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:38:15 +01:00
Peter Korsgaard
9b92253b7a package/libkrb5: security bump to version 1.18.3
Fixes the following security issues:

- CVE-2020-28196: MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before
  1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message
  because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite
  lengths lacks a recursion limit.

Also fix .hash file indentation.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:32:57 +01:00
Fabrice Fontaine
74cce093b0 package/jpeg-turbo: bump to version 2.0.6
Update hash of README.ijg (URLs updated and Usenet info removed with
26e3aedbe5)

https://sourceforge.net/projects/libjpeg-turbo/files/2.0.6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:32:25 +01:00
Peter Korsgaard
8a683a54cc package/raptor: fix CVE-2017-18926
raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF
Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the
XML writer, leading to heap-based buffer overflows (sometimes seen in
raptor_qname_format_as_xml).

For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2020/11/13/1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:31:36 +01:00
Peter Korsgaard
b473ad2ec2 package/xen: add XSA-333..344 security fixes
Fixes the following security issues:

- XSA-333: x86 pv: Crash when handling guest access to MSR_MISC_ENABLE
  (CVE-2020-25602)
  https://xenbits.xenproject.org/xsa/advisory-333.html

- XSA-334: Missing unlock in XENMEM_acquire_resource error path
  (CVE-2020-25598)
  https://xenbits.xenproject.org/xsa/advisory-334.html

- XSA-336: race when migrating timers between x86 HVM vCPU-s
  (CVE-2020-25604)
  https://xenbits.xenproject.org/xsa/advisory-336.html

- XSA-337: PCI passthrough code reading back hardware registers
  (CVE-2020-25595)
  https://xenbits.xenproject.org/xsa/advisory-337.html

- XSA-338: once valid event channels may not turn invalid (CVE-2020-25597)
  https://xenbits.xenproject.org/xsa/advisory-338.html

- XSA-339: x86 pv guest kernel DoS via SYSENTER (CVE-2020-25596)
  https://xenbits.xenproject.org/xsa/advisory-339.html

- XSA-340: Missing memory barriers when accessing/allocating an event
  channel (CVE-2020-25603)
  https://xenbits.xenproject.org/xsa/advisory-340.html

- XSA-342: out of bounds event channels available to 32-bit x86 domains
  (CVE-2020-25600)
  https://xenbits.xenproject.org/xsa/advisory-342.html

- XSA-343: races with evtchn_reset() (CVE-2020-25599)
  https://xenbits.xenproject.org/xsa/advisory-343.html

- XSA-344: lack of preemption in evtchn_reset() / evtchn_destroy()
  (CVE-2020-25601)
  https://xenbits.xenproject.org/xsa/advisory-344.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:31:29 +01:00
Fabrice Fontaine
189880db3a package/abootimg: fix host build
Commit 05b11e24c3 wrongly added
ABOOTIMG_HOST_DEPENDENCIES instead of HOST_ABOOTIMG_DEPENDENCIES

Fixes:
 - http://autobuild.buildroot.org/results/c13b5424cec151cd3ad71b1cb38d6ad8ff68afa0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:30:56 +01:00
Peter Seiderer
55e28a526e package/libxkbcommon: bump version to 1.0.2
For details see [1].

[1] https://lists.freedesktop.org/archives/wayland-devel/2020-November/041659.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:28:56 +01:00
Fabrice Fontaine
6ca1b3ee2a package/cdrkit: fix static build with libmagic
libmagic is an optional dependency of gensoimage that can raise the
following build failure:

/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: /home/buildroot/autobuild/instance-0/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libmagic.a(compress.o): in function `uncompressbuf':
compress.c:(.text+0x7bc): undefined reference to `lzma_auto_decoder'
/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: compress.c:(.text+0x828): undefined reference to `lzma_code'
/home/buildroot/autobuild/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/8.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: compress.c:(.text+0x848): undefined reference to `lzma_end'
collect2: error: ld returned 1 exit status
genisoimage/CMakeFiles/genisoimage.dir/build.make:628: recipe for target 'genisoimage/genisoimage' failed

Fixes:
 - http://autobuild.buildroot.org/results/7e06edc363817c9c9a1687ec89e9984a90a2012d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:27:39 +01:00
Peter Korsgaard
09caefda2a package/musl: add upstream security fix for CVE-2020-28928
The wcsnrtombs function has been found to have multiple bugs in handling of
destination buffer size when limiting the input character count, which can
lead to infinite loop with no forward progress (no overflow) or writing past
the end of the destination buffer.

For more details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/11/20/4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:27:12 +01:00
Fabrice Fontaine
c4ea32d006 package/monkey: drop wrong comment
Commit 5fea6e2a2f forgot to remove the
generic-package comment

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:26:49 +01:00
Adrian Perez de Castro
445b03fb9b package/wpewebkit: bump to version 2.30.3
This is a minor release which solved a build issues and fixes a number
of rendering issues. Release notes:

  https://wpewebkit.org/release/wpewebkit-2.30.3.html

Patch "0002-WebProcess-InjectedBundle-fix-compile-without-video-.patch"
can be removed because a similar fix is included in this release.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:25:55 +01:00
Adrian Perez de Castro
4485b58356 package/webkitgtk: bump to version 2.30.3
This is a minor release which solved a build issues and fixes a number
of rendering issues. Release notes:

  https://webkitgtk.org/2020/11/20/webkitgtk2.30.3-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:25:45 +01:00
Baruch Siach
1b1c049af2 support/dependencies: clarify intended use of host bison/flex
We should not rely on host installed bison/flex for target code. This
ensures better reproducibility of generated code.

http://lists.busybox.net/pipermail/buildroot/2020-November/296786.html

Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:24:12 +01:00
Peter Korsgaard
c356b20ba8 package/python-flask-cors: security bump to version 3.0.9
Fixes the following security issue:

- CVE-2020-25032: An issue was discovered in Flask-CORS (aka CORS Middleware
  for Flask) before 3.0.9.  It allows ../ directory traversal to access
  private resources because resource matching does not ensure that pathnames
  are in a canonical format.

Also drop outdated md5 checksum and fix .hash indentation.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-20 18:18:30 +01:00
Mike Frampton
05b11e24c3 package/abootimg: add host build
Enabling package host build for abootimg so that boot images can be
created for boards which boot from this format.

Signed-off-by: Mike Frampton <mikeframpo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-19 23:09:06 +01:00
Mike Frampton
7c51fc3897 package/qcom-db410c-firmware: new package
Installs the required Wifi/BT firmware blobs for the Qualcomm
Dragonboard 410c SBC.

Signed-off-by: Mike Frampton <mikeframpo@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-19 23:00:57 +01:00
Fabrice Fontaine
3ff1a64497 package/radvd: fix build without stack-protector
Commit 6e85ab4449 forgot to manage the new
--{with,without}-stack-protector option which has been added with
f2cb35449f
and is enabled by default

Fixes:
 - http://autobuild.buildroot.org/results/e778df96f0a382a5b119724ee69f956ad455c452

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-19 22:58:20 +01:00
Jeff Zignego
90b9f1f881 package/qt5/qt5base: fix typo for syslog support
Fix typo from 109df4deba that added this
option.

Signed-off-by: Jeff Zignego <jzignego@hedcontrols.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-11-19 22:56:21 +01:00
Peter Seiderer
ff60c4c533 package/libcamera: fix BR2_PACKAGE_LIBCAMERA_ARCH_SUPPORTS handling
Fix BR2_PACKAGE_LIBCAMERA_ARCH_SUPPORTS handling, change from
'depends on BR2_m68k' to 'depends on !BR2_m68k'.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-11-19 19:37:56 +01:00
Michael Nosthoff
4c8a6d3aa6 package/gvfs: show warning when BR2_STATIC_LIBS=y
Commit 4266c9f54f (package/gvfs: needs dynamic library) updated the
dependency of gvfs, but inverted the comment dependency, causing it to only
be shown if !static - Fix that.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Reviewed-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-18 17:58:14 +01:00
Fabrice Fontaine
b359d0e7e5 package/c-ares: fix install
c-ares 1.17.0 removed install of ares_dns.h which will result in build
failures with libeXosip and resiprocate

Fixes:
 - http://autobuild.buildroot.org/results/51573434303118fd92f32819e038971edee8bc28
 - http://autobuild.buildroot.org/results/cbf158f0c037d44ef293a8804d18c84e3b731059

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-18 10:48:11 +01:00
Fabrice Fontaine
c9ca2a596e package/jpeg-turbo: fix license hash
Commit 105d61c850 forgot to update hash of
LICENSE.md (update in year:
00607ec260)

While at it, also update indentation in hash file (two spaces)

Fixes:
 - http://autobuild.buildroot.org/results/66fb5c0171af73d4c1c93241b285fac8f8f494f7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-18 10:47:58 +01:00
Pierre-Jean Texier
248c2e909e DEVELOPERS: update email address for Pierre-Jean Texier
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 23:51:24 +01:00
Fabrice Fontaine
c0cd4a700a package/uhd: fix typo
Replace ENABLE_DPKD by ENABLE_DPDK to fix the following error:

  Manually-specified variables were not used by the project:

    BUILD_DOC
    BUILD_DOCS
    BUILD_EXAMPLE
    BUILD_EXAMPLES
    BUILD_TEST
    BUILD_TESTING
    BUILD_TESTS
    ENABLE_DPKD

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 23:50:01 +01:00
Heiko Thiery
afc112b0e4 utils/getdeveloperlib.py: fix issue with hasfile()
pkg-stats is not able anymore to set the developers for defconfigs and
packages. This issue is introduced with
ae86067a15. The hasfile() method from
Developer object tries to check an absolute path against a relative path.

Convert the filepath to be checked also into an absolute path.

Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 23:47:01 +01:00
Fabrice Fontaine
a3f58a74e0 package/ipsec-tools: drop package
Extract from http://ipsec-tools.sourceforge.net:

"The development of ipsec-tools has been ABANDONED.

ipsec-tools has security issues, and you should not use it. Please
switch to a secure alternative!"

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 22:19:45 +01:00
Fabrice Fontaine
32455cb735 package/qdecoder: bump to version 12.0.8
Update indentation in hash file (two spaces)

https://github.com/wolkykim/qdecoder/releases/tag/v12.0.8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 22:13:20 +01:00
Vincent Stehlé
31f915eaa9 package/pixz: bump version to v1.0.7
- Update the hash accordingly.
- Remove a patch, as its fix is in this new version of pixz.

Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 22:08:48 +01:00
Julien Olivain
c52fedf063 package/linux-backports: bump version to 5.8
Attempting to compile this package with newer Kernel version (e.g. v5.4)
fails with message:

   Generating local configuration database from kernel ...Kernel version parse failed!

Upgrading the package to 5.8 fixes this issue. Anyways, v4.4 is now
rather old and beat the very purpose of having newer drivers in older
kernels.

Since backports tag v4.14-rc4-1, the requirement on minimal kernel
version changed from 3.0 to 3.10. See commit [1]. The minimal kernel
version check is changed accordingly.

License files are also updated: the linux backports package copies the
license files from the kernel version used for its generation. v5.8 is
now "GPL-2.0 WITH Linux-syscall-note". However, there is no such SPDX
identifier (contrary to what is said in the COPYING file), so we keep it
as GPL-2.0 (which also keeps it aligned to what we have in linux.mk).

[1] https://git.kernel.org/pub/scm/linux/kernel/git/backports/backports.git/commit/?id=a0d05f9f9ca50ea8b1d60726fac6b54167257e76

Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
[yann.morin.1998@free.fr: keep license as GPL-2.0, like for linux]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-11-17 22:01:34 +01:00
Yann E. MORIN
982e2a177d Merge branch 'master' into next
* master: (125 commits)
  package/jpeg-turbo: security bump to version 2.0.5
  package/modem-manager: bump to version 1.14.8
  package/c-ares: security bump to version 1.17.0
  docs/website: update for 2020.02.8
  Update for 2020.02.8
  docs/website: update for 2020.08.2
  Update for 2020.08.2
  package/qemu: fix build with 64 bits time_t
  package/harfbuzz: fix build without threads
  boot/uboot: fix custom repo error message
  package/numactl: needs -fPIC
  package/dovecot-pigeonhole: fix build with per-package directories
  package/libpam-tacplus: remove duplicate LIBPAM_TACPLUS_AUTORECONF
  package/openntpd: needs host-bison
  package/xorriso: fix host option
  DEVELOPERS: drop Trent Piepho
  package/postgresql: security bump to version 12.5
  package/redis: security bump to version 6.0.9
  Revert "package/linux-backports: bump version to 5.8"
  package/linux-backports: bump version to 5.8
  ...
2020-11-17 21:51:22 +01:00
Heiko Stuebner
105d61c850 package/jpeg-turbo: security bump to version 2.0.5
Fixes the following security issue:

- CVE-2020-13790: ibjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based
  buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input
  file

For more details, see the release notes:
https://github.com/libjpeg-turbo/libjpeg-turbo/releases/tag/2.0.5

Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
[Peter: mark as security bump / extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-17 21:39:13 +01:00