Without this patch, it is not possible to allocate PTYs when a generated
rootfs image with a recent glibc and systemd is launched as a container on
an RHEL7 system via machinectl/systemd-nspawn. The container boots, but
`machinectl login mycontainer` fails. The culprit is /dev/pts/ptmx with
0000 perms.
On a typical system, there are two `ptmx` devices. One is provided by the
devpts at /dev/pts/ptmx and it is typically not directly accessed from
userspace. The other one which actually *is* opened by processes is
/dev/ptmx. Kernel's documentation says these days that /dev/ptmx should be
either a symlink, or a bind mount of the /dev/pts/ptmx from devpts.
When a container is launched via machinectl/machined/systemd-nspawn, the
container manager prepares a root filesystem so that the container can live
in an appropriate namespace (this is similar to what initramfs is doing on
x86 desktops). During these preparations, systemd-nspawn mounts a devpts
instance using a correct ptmxmode=0666 within the container-to-be's
/dev/pts, and it adds a compatibility symlink at /dev/ptmx. However, once
systemd takes over as an init in the container,
/lib/systemd/systemd-remount-fs applies mount options from /etc/fstab to
all fileystems. Because the buildroot's template used to not include the
ptmxmode=... option, a default value of 0000 was taking an effect which in
turn led to not being able to allocate any pseudo-terminals.
The relevant kernel option was introduced upstream in commit 1f8f1e29 back
in 2009. The oldest linux-headers referenced from buildroot's config is
3.0, and that version definitely has that commit. Mount options that are
not understood by the system are anyway ignored, so backward
compatibility is preserved.
Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas: fix commit title, adjust commit log.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This package provides a userspace library that allows easy use of crypto
interfaces exposed by the kernel.
A git tip is used instead of the last official release, as autotools
support and cross-compilation fixes have been added only very recently.
Signed-off-by: Marcin Nowakowski <marcin.nowakowski@imgtec.com>
Reviewed-by: Rahul Bedarkar <rahul.bedarkar@imgtec.com>
[Thomas:
- Change sub-option prompt to "build test applications"
- Be more specific about the license: the library is under BSD-3c only,
while the programs are under BSD-3c or GPLv2.
- Explicitly disable programs when BR2_PACKAGE_LIBKCAPI_APPS is not
enabled.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This patch builds and installs Qt examples for declarative module.
It proceeds the same way as others Qt5 modules. Samples are installed
under /usr/lib/qt/examples/qml directory (/usr/lib/qt/examples/quick for
quick).
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Some users may want to build the s6-rc service database offline using a
post-build script. So make the host variant visible in menuconfig.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This is still required when building libepoxy against mesa egl without
x11 (GL).
Mesa needs a preprocessor define to avoid including X11 headers and
since this is not forwarded into epoxy.pc for other
libraries/applicatons that link against it it will fail.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The 1.2.x branch is no longer maintained, so remove it since it's
likely security-vulnerable.
mbedtls is the modern replacement which was renamed from polarssl when
ARM bought them up.
However major releases broke API so polarssl 1.2.x isn't always
interchangeable with polarssl/mbedtls 1.3.x (interim mixed naming
because of new ownership) or newer 2.x series.
Fortunately we don't have any package in the tree that uses polarssl
exclusively.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Thomas:
- Remove entry in DEVELOPERS file for this package. Noticed by Arnout.
- Remove comment in bctoolbox.mk that no longer makes sense after
polarssl removal. Noticed by Arnout.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- rebase 0001-Adjust-for-buildroot-build.patch
- delete 0002-include-asm-ioctl.h-directly-for-_IOC_SIZEBITS.patch
(all changes are incorporated into wiringpi-2.44)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Recent versions of fakeroot have grown support for acl. We don't really
need this since we don't use acls in Buildroot. However, it turns out
that "cp -a" does something funky with acls, with the result that
fakeroot without acl support looses the ownership and permissions on
the copied file. "cp -a" may be (is even likely to be) used in a
BR2_ROOTFS_POST_FAKEROOT_SCRIPT, so we need to support this.
Note that host-acl itself depends on host-attr, so this pulls in two
extra packages in each build. The impact on build time is about 10s.
Cc: Andreas Naumann <dev@andin.de>
Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We need host-acl to fix issues with fakeroot.
Unfortunately, all the hacks (except the .la fixup) have to be repeated.
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Cc: Andreas Naumann <dev@andin.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The acl build system doesn't use automake, therefore it is broken. It
doesn't use the CFLAGS passed by configure. Work around this by passing
CFLAGS in the environment. The makefiles append to CFLAGS, so this
works.
This issue hasn't led to build failures, but it is visible e.g. when
stack protector is enabled: the stack protector options are not applied
to acl. Also debug and optimisation options aren't applied.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The previous fix [1] reinroduced the issue fixed by [2].
So keep gl_cv_func_gettimeofday_clobber=no in GDB_CONF_ENV
and GDB_MAKE_ENV.
Fixes:
http://autobuild.buildroot.net/results/ec6/ec60d436bd34a4f37b664e4124d7f0c96e90a1be
[1] faf38b78ae
[2] 560334bb2a
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The license is actually closer to ISC than MIT, E.G.:
https://opensource.org/licenses/ISC
vs
https://opensource.org/licenses/MIT
>From COPYING:
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the names of Digital or MIT not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission.
E.G. this is very similar to the normal ISC text which has been extended
with a BSD-3c style advertisinc clause. Both are permissive licenses, but
it is more correct to call it ISC-like.
Notice: As pointed out by Rahul Bedarkar, this may actually be more closely
related to the OpenBSD template license:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD
But that is also based on the ISC license, so calling it ISC-like is still
correct.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As noticed by Rahul Bedarkar, the cairo library is LGPLv2.1 only
(not LGPLv2.1+) or MPLv1.1.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libsamplerate is relicensed under the 2 clause BSD license.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add upstream patch for CVE-2017-6429: Buffer overflow when reading crafted
pcap file with large packets.
https://github.com/appneta/tcpreplay/issues/278
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Many packages are provided under MPL v1.1 and v2.0. Document it under
License abbreviations section.
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Rahul Bedarkar <rahul.bedarkar@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Many packages are provided under ISC license. Document it under License
abbreviations section.
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Rahul Bedarkar <rahul.bedarkar@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2017-2784 - Freeing of memory allocated on stack when validating a
public key with a secp224k1 curve.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2017-3302 - C client library for MySQL (libmysqlclient.so) has
use-after-free defect which can cause crash of applications using that MySQL
client.
CVE-2017-3313 - Difficult to exploit vulnerability allows low privileged
attacker with logon to the infrastructure where MySQL Server executes to
compromise MySQL Server. Successful attacks of this vulnerability can
result in unauthorized access to critical data or complete access to all
MySQL Server accessible data.
And a number of important, but non-security related fixes:
MDEV-11842: Fix a 10.1.21 regression with failed INSERT, BEFORE INSERT
triggers, and columns with no default value
MDEV-12075: Fix a 10.1.21 regression in the InnoDB data file extension code
For details, see the release notes:
https://mariadb.com/kb/en/mariadb/mariadb-10122-release-notes/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now the code checks for PR_SET_NO_NEW_PRIVS before using it, so the kernel
headers dependency can be removed.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security fixes:
- Fix several out of bounds reads in the OpenPGP parser
- Fix handling of OpenPGP reserved tag (should be rejected)
- Fix various crashes from malformed packages with invalid tags
Release notes:
http://rpm.org/wiki/Releases/4.13.0.1
This patch also switches from GitHub to rpm.org since the last one seems
to be more up-to-date.
[Peter: use RPM_VERSION_MAJOR as suggested by Jerzy Grzegorek]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Notice that this fixes a security issue:
CWE-416 (use after free condition during netjoin processing). No CVE
assigned yet:
https://irssi.org/security/irssi_sa_2017_03.txt
But the 0.8.x series is not believed to be vulnerable to this specific
issue. From the advisory:
Affected versions
-----------------
Irssi up to and including 1.0.1
We believe Irssi 0.8.21 and prior are not affected since a different
code path causes the netjoins to be flushed prior to reaching the use
after free condition.
Openssl is no longer optional, so select it and drop the enable/disable
handling.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
kmscube repository has been moved to freedesktop.org, so
update the URL accordingly.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Since kmscube upstream commit a2dc60cf05b704 ("Add m4/.gitignore")
there is no need to manually create the m4 directory anymore, so
simply remove KMSCUBE_POST_PATCH_HOOKS.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
If building on a machine with MATLAB installed, the MATLAB bindings will
default to ON, which is not the desired behavior for a cross build.
The bindings are designed to be called from within MATLAB, and we are
not currently running MATLAB on buildroot-generated targets.
This does not preclude the use of the bindings from a host connecting
over the network backend (assuming libiio on the host has the bindings
enabled).
Signed-off-by: Matthew Fornero <mfornero@mathworks.com>
Acked-By: Paul Cercueil <paul.cercueil@analog.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
SPL is the name used for spl on i.MX6, so update the same on
BR2_TARGET_UBOOT_SPL_NAME help text.
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
[Thomas: rewrap Config.in help text.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>