Fixes:
CVE-2017-8372 - The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b, if NDEBUG is omitted, allows remote attackers to cause a
denial of service (assertion failure and application exit) via a crafted
audio file.
CVE-2017-8373 - The mad_layer_III function in layer3.c in Underbit MAD
libmad 0.15.1b allows remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly have
unspecified other impact via a crafted audio file.
CVE-2017-8374 - The mad_bit_skip function in bit.c in Underbit MAD libmad
0.15.1b allows remote attackers to cause a denial of service (heap-based
buffer over-read and application crash) via a crafted audio file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove non-existent configure options:
--disable-sphinx-doc:
Even if it looks like there is some code for that in configure.ac, it
seems that is not taken into account and that configure option is not
even recognized.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The dtls plugin needs openssl, so move it down to the "plugins with external
dependencies" section to match the rest of the plugins.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove non-existent or unnecessary configure options:
--disable-oggtest, --disable-vorbistest:
It looks like these options will be taken into account by ogg.m4 and
vorbis.m4 only when ogg and vorbis are enabled. However, according to
the code on those m4 files these two options are disabled by default.
--disable-gio_unix_2_0:
I don't know where this option comes from.
--disable-freetypetest:
183610c035
[Peter: add rawparse plugin]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
0001 patch already included in this release:
159e3c3f08
0002 patch already included in this release:
152217064f
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
0001 patch already included in this release:
c893882fd9
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the WebRTC plugin option was introduced in commit
ee267886bc ("gst1-plugins-bad: enable
webrtc plugin"), it was incorrectly added as "webrtc", while the actual
name of the plugin and corresponding configure option is "webrtcdsp".
This commit therefore fixes the .mk file to use the correct name. And
also, since we want to keep Buildroot option consistent with the name
of the GStreamer plugins, it renames the Config.in option as well, and
introduces the necessary Config.in.legacy handling.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a package for pixz (pronounced pixie), a parallel, indexing version of
xz.
See https://github.com/vasi/pixz
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Even though no timezone implicitly means UTC, systemd is not all that
happy when it does not have a timezone set. This is all fine on a RW
filesystem because systemd will create a symlink on its own (to
Etc/UTC), but not so much on a RO filesystem, causing all kinds of
issues at boot time (up to the point that the system is unusable).
We fix that by requiring that the timezone is actually set. The check is
done by verifying that the timezone file is an actual file; if not set,
the test would find a directory and would thus fail.
Update the help entry accordingly.
Also fix indentation in tzdata.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Richard Braun <rbraun@sceen.net>
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Cc: Martin Bark <martin@barkynet.com>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The tz package mixes its own variable with the one from the tzdata
package...
Fix the variable name in tz.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Alexandre BELLONI <alexandre.belloni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
ext filesystems can use a block size of 1024, 2048, or 4096 bytes, the
former being interesting to store small files, while the latter being
more interesting to store bigger files.
So far, we were using the default, which was to use a 1024-byte block.
Continue doing so (for now...).
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
No option is conditional anymore, so just collate them into a single
assignment.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The previous default, zero, just meant "use the default value of the
filesystem generator", which happened to be 5% (the traditional value
for all ext-creating tools we've ever seen).
So, change the new default accordingly to 5%.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
... since passing an empty string is equivalent to not setting a label.
And fix the syntax highlighting in some editors...
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
... since zero also means auto for the mke2img script, now.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Currently, leaving the number of inodes to be autocalculated requires
the user to not specify the -i option at all.
Also accept zero as meaning auto; this will help simplify the ext2.mk
code a little bit.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
libsepol has a pretty peculiar interpretation of DESTDIR and PREFIX.
PREFIX is not consistently used: some installation paths are forced to
$(DESTDIR)/usr/... . Also, the shared lib symlink is forced to ../../lib
(i.e. assumes it's installed under /usr). For these reasons, the host
build and install commands are a bit unusual: they use DESTDIR instead
of PREFIX, DESTDIR points to $(HOST_DIR) without /usr, and some
additional fixup is needed to correct the installation directory of
libsepol.so.1 and the symlink to it.
This can be simplified quite a lot by passing both DESTDIR and PREFIX,
and including the /usr part in both. The symlink still has to be fixed,
but that's much simpler.
Note that a side effect is that the man pages are now installed under
$(HOST_DIR)/usr/usr/man. While not very nice, we don't really care
about man pages. In addition, this will resolve itself when we later
move $(HOST_DIR)/usr to $(HOST_DIR).
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Sometimes $(1)/$($(PKG)_ERLANG_LIBDIR) is used, sometimes
$(1)$($(PKG)_ERLANG_LIBDIR). Make this consistent, with /. Therefore,
remove the leading / from $($(PKG)_ERLANG_LIBDIR).
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The individual binaries option of busybox allows for the applets
that would usually be symlinks to be built as individual applications
that link against a shared library.
This feature is needed for SELinux to allow the applications to run
under the correct SELinux context.
The patch being added allows the individual applications to be
installed and will be upstreamed to the busybox developers.
The initial work for this change was done by Thomas Petazzoni
<thomas.petazzoni@free-electrons.com>.
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
[Thomas:
- add help text in Config.in option.
- rename BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES to
BUSYBOX_SET_INDIVIDUAL_BINARIES to be consistent with other
variables.
- call BUSYBOX_INSTALL_INDIVIDUAL_BINARIES in
BUSYBOX_INSTALL_TARGET_CMDS, not in BUSYBOX_INSTALL_INIT_SYSV.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Arnout:
- revert to the "optional file" approach in makedevs;
- reword Config.in comment text to match our usual pattern;
- abbreviate comment about how suid applets are found a little;
- all applets are optional (each one may have been unselected from the
busybox config).]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas: remove /usr/share/udhcpc/default.script from BUSYBOX_PERMISSIONS.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Add the 'F' file type to makedevs, that allows a file to be optional.
With this option, the line is just silently skipped if the file doesn't
exist (or is not a regular file).
This is useful for _PERMISSIONS where the file can be configured out
by package-specific configuration that is not directly handled by
Buildroot, like busybox.
Cc: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Cc: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The utils provided by this package were formerly packaged with libva.
Libva contained a patch not to compile mpeg2vldemo to reduce
dependencies by avoiding C++, this patch is not moved to this package.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
pngquant's homegrown configure script doesn't understand CC with a
space, so we can't use ccache with it. Only the host variant is
affected: for the target, we call ccache from the toolchain-wrapper so
it's transparent to the configure script.
This wasn't seen in the autobuilders since they never enable
BR2_CCACHE.
To test, use any configuration and do
    make BR2_CCACHE=y host-pngquant
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: Mention that openssl is a runtime dependency,
Add license info as noted by Romain, add gpl-2.0.txt,
Add comment explaining the missing build step,
Use install -t for x509-types files]
Signed-off-by: Julien Viard de Galbert <julien@vdg.name>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/1c6/1c69c77d7b378f6f76790fb5ca0078d0db0c40f8
devmem2 is a single C file that is downloaded as-is, and we patch it.
We also use that file as the license file.
Thus, the file when it is downloaded has a specific hash, but when
saved by legal-info, it has a different hash.
However, we can't store two different hashes for the same _filename_
with different content.
So, we extract the license file as a pre-patch hook, and store it in a
separate file, for which we can now add a hash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/e1b/e1b3dee917f5ab3961f3dea006720431444d0ef5/
cache-calibrator is a single C file that is downloaded as-is, and we
patch it. We also use that file as the license file.
Thus, the file when it is downloaded has a specific hash, but when
saved by legal-info, it has a different hash.
However, we can't store two different hashes for the same _filename_
with different content.
So, we extract the license file as a pre-patch hook, and store it in a
separate file, for which we can now add a hash.
[Peter: add autobuilder reference]
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Stephan Hoffmann <sho@relinux.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
- Avoid memset(NULL, 0, 0) to calm down the paranoid.
- Fix bug 252, invalid read of size 1 in ID3v2 parser due to forgotten
offset from the frame flag bytes (unnoticed in practice for a long time).
Fuzzers are in the house again. This one got CVE-2017-10683.
https://sourceforge.net/p/mpg123/bugs/252/
- Avoid a mostly harmless conditional jump depending on uninitialised
fr->lay in compute_bpf() (mpg123_position()) when track is not ready yet.
- Fix undefined shifts on signed long mask in layer3.c (worked in practice,
never right in theory). Code might be a bit faster now, even. Thanks to
Agostino Sarubbo for reporting.
dlopen() is now directly used to load output modules (and the
--with-modules-suffix option has been removed), so adjust the modules logic
to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before
2017-06-29, allows out-of-bounds heap memory write due to calling memcpy()
with a wrong size, leading to a denial of service (application crash) or
possibly code execution.
https://trac.videolan.org/vlc/ticket/18467
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libpwquality adds cracklib to its _DEPENDENCIES, but forgot to select it in
Config.in, leading to build failures if cracklib isn't explicitly enabled:
    Makefile:536: *** cracklib is in the dependency chain of libpwquality that
    has added it to its _DEPENDENCIES variable without selecting it or depending
    on it from Config.in. Stop.
No autobuilder references as this error happens before build-time.log is
written, causing the autobuilder to ignore the build result.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: use sha256 in example]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This will help catch a change of license even if the filename does
not change.
For now, a missing hash for the license files is not a fatal error, to
let people catch up and add them. When we switch to make it mandatory,
we can simplify the code by just removing the case statement.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This will be useful when checking the hashes of the license files.
[Peter: use '.' as buildroot directory so /buildroot.hash isn't checked]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, the per-package legal-info is mostly silent, but we're soon
to add a check for the hashes of the license files.
In that case, and when there is a hash mis-match, we want a user to know
what package had a changed license file.
So, we add a call to MESSAGE to display the package we're currently
saving the legal-info of, like so:
    >>> busybox 1.26.2 Collecting legal info
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, we check that the filenames in hash lists do not contain
a slash '/' character, because all we are checking so far are the
downloaded archives, and we explicitly need the filename to not contain
a directory component at all.
However, we're soon to also check the hashes of the license files in
packages sources, and those license files may be at any arbitrary
directory-depth in the packages source tree.
[Peter: Remove reference to files with same basename]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Cc: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Acked-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
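
The license-file hash checks described in the commit messages above (hash-list names with directory components, and a missing hash being non-fatal for license files only), sketched as an added example that is not Buildroot's own script. The function names, return codes, the "sha256  <digest>  <relative path>" line format and the use of coreutils sha256sum are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: not Buildroot's own hash-checking script.
# Assumed hash-list line format: "<algo>  <hex digest>  <path relative to base>"

# check_hash HASHFILE BASEDIR RELPATH
# Returns 0 = match, 1 = mismatch, 2 = no hash listed, 3 = unsafe path.
check_hash() {
    hashfile=$1; base=$2; rel=$3
    # Directory components are allowed (license files can sit at any depth),
    # but absolute paths, empty names and ".." components are rejected.
    case "/$rel/" in
        //*|*/../*) return 3 ;;
    esac
    found=2
    while read -r algo want name; do
        [ "$algo" = sha256 ] && [ "$name" = "$rel" ] || continue
        got=$(sha256sum "$base/$rel" 2>/dev/null | cut -d' ' -f1)
        [ "$got" = "$want" ] || return 1
        found=0
    done < "$hashfile"
    return "$found"
}

# verify KIND HASHFILE BASEDIR RELPATH, where KIND is "archive" or "license".
# A missing hash is tolerated (with a warning) only for license files.
verify() {
    rc=0
    check_hash "$2" "$3" "$4" || rc=$?
    case "$rc:$1" in
        0:*) return 0 ;;
        2:license) echo "WARNING: no hash for license file $4" >&2; return 0 ;;
        *) echo "ERROR: hash check failed for $4 (code $rc)" >&2; return 1 ;;
    esac
}

# Constructed sample: one license file two directories deep, plus its hash list.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/src/doc/legal"
    printf 'constructed license text\n' > "$d/src/doc/legal/COPYING"
    printf 'sha256  %s  doc/legal/COPYING\n' \
        "$(sha256sum "$d/src/doc/legal/COPYING" | cut -d' ' -f1)" > "$d/pkg.hash"
    r1=0; verify license "$d/pkg.hash" "$d/src" doc/legal/COPYING || r1=$?
    printf 'relicensed\n' > "$d/src/doc/legal/COPYING"  # content changes, name does not
    r2=0; verify license "$d/pkg.hash" "$d/src" doc/legal/COPYING || r2=$?
    rm -rf "$d"
    [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ]
}
demo && echo "demo: changed license content detected under an unchanged filename"
```
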
Using -ef to check for the same file is nicer than relying on a magic
symlink-to-fakedate.
Notice that -ef isn't strictly POSIX (but supported by bash/dash/zsh), so
I've changed the shebang to /bin/bash.
While we are at it, restructure the logic to do a single exec at the end
instead of handling the epoch/!epoch cases differently for simplicity.
With that out of the way we can directly install it as $HOST/usr/bin/date
instead of the fakedate / date symlink.
[Peter: drop IFS=: change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>