This is a maintenance release that includes improvements and bug fixes.
https://github.com/wolkykim/qlibc/releases/tag/v2.4.6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2de6538320)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 49f661e548)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The POLKIT_IGNORE_CVES variable was missing a "S",
therefore the CVE still showed up in the wrong column.
Signed-off-by: Daniel Lang <d.lang@abatec.at>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 58e60a3213)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Using a custom Xtensa configuration requires an overlay that provides
that configuration; not providing an overlay is like using the default
configuration, BR2_xtensa_fsf, so there would be no point in that case
in requesting a custom configuraiton.
Make providing an overlay mandatory for custom configurations.
Fixes:
http://autobuild.buildroot.org/results/f0b/f0ba47d2534aeb3cc2921124aa639ae3aa072b9b
xtensa-buildroot-linux-uclibc/bin/ld: ldso/ldso/ld-uClibc_so.a(ldso.oS): compiled for a big endian system and target is little endian
[1] https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=include/xtensa-config.h;hb=2ee5e4300186a92ad73f1a1a64cb918dc76c8d67#l28
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Max Filippov <jcmvbkbc@gmail.com>
[yann.morin.1998@free.fr:
- always require an overlay for custom configurations, not just for
little endian ones
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4cbf733691)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use the mainline ATF as it supports the Pine64 ROCKPro64 board.
Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/2812054016
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 0d198311b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/gcc/11.3.0/0005-rs6000-Improve-.machine.patch:4: generate your patches with 'git format-patch -N'
package/gcc/11.3.0/0006-rs6000-Do-not-use-rs6000_cpu-for-.machine-ppc-and-pp.patch:4: generate your patches with 'git format-patch -N'
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 4124d47b0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
lots of fixes but most importantly:
- don't allow unknown operational/admin states (CVE-2022-29799, CVE-2022-29800)
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 40a1c141b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gcc 11.3.0 contains a backported patch [1] that introduce
a regression for old powerpc cpus like the powerpc 7400 (G4).
The glibc crash the init process due to a wrong asm machine
directive (.machine).
Run /sbin/init as init process
init[1]: segfault (11) at 7369693e nip 6f6e08 lr 6f6a68 code 1 in libc.so.6[690000+18f000]
init[1]: code: 280a000c 41c1ffe0 811edb80 554a103a 7d48502e 7d4a4214 7d4903a6 4e800420
init[1]: code: 2c08007a 4bffffbc 89290000 5529103a <7d2a482e> 2c090000 41c2ff78 7fe4fb78
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
Backport two patches from the gcc-11 stable branch (the upcoming gcc
11.4.0).
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=3cb53c10831be59d967d9dce8e7980fee4703500
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/2976071284
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Joel Stanley <joel@jms.id.au>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b42c6b2475)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following security vulnerabilities:
- [Low] Fault injection attack on RAM via Rowhammer leads to ECDSA key
disclosure. Users doing operations with private ECC keys such as
server side TLS connections and creating ECC signatures, who also
have hardware that could be targeted with a sophisticated Rowhammer
attack should update the version of wolfSSL and compile using the
macro WOLFSSL_CHECK_SIG_FAULTS.
- [Low] In wolfSSL version 5.3.0 if compiled with
--enable-session-ticket and the client has non-empty session cache,
with TLS 1.2 there is the possibility oàf a man in the middle passing
a large session ticket to the client and causing a crash due to an
invalid free. There is also the potential for a malicious TLS 1.3
server to crash a client in a similar manner except in TLS 1.3 it is
not susceptible to a man in the middle attack. Users on the client
side with –enable-session-ticket compiled in and using wolfSSL
version 5.3.0 should update their version of wolfSSL.
- [Low] If using wolfSSL_clear to reset a WOLFSSL object (vs the normal
wolfSSL_free/wolfSSL_new) it can result in runtime issues. This
exists with builds using the wolfSSL compatibility layer
(--enable-opnesslextra) and only when the application is making use
of wolfSSL_clear instead of SSL_free/SSL_new. In the case of a TLS
1.3 resumption, after continuing to use the WOLFSSH object after
having called wolfSSL_clear, an application could crash. It is
suggested that users calling wolfSSL_clear update the version of
wolfSSL used.
- Potential DoS attack on DTLS 1.2. In the case of receiving a
malicious plaintext handshake message at epoch 0 the connection will
enter an error state reporting a duplicate message. This affects both
server and client side. Users that have DTLS enabled and in use
should update their version of wolfSSL to mitigate the potential for
a DoS attack.
https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1891419db3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Improved DNS rebinding attack protection.
- Fixed a potential crash in SSDP request parsing.
- Drop patch (already in version)
https://sourceforge.net/projects/minidlna/files/minidlna/1.3.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7713f6dd98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the README:
dhcpcd-9 defaults the run directory to `/var/run/dhcpcd` instead of
`/var/run` and the prefix of dhcpcd has been removed from the files.
Make it so.
Signed-off-by: Konstantin Menyaev <KAMenyaev@sberdevices.ru>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f73718ce5e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5.17.x is EOL.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2bc9cac446)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- gh-92888: Fix memoryview use after free when accessing the backing buffer
in certain cases.
- gh-87389: http.server: Fix an open redirection vulnerability in the HTTP
server when an URI path starts with //.
Release notes:
https://docs.python.org/release/3.10.6/whatsnew/changelog.html#python-3-10-6-final
Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
[Peter: Mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f4cbf417b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following error on calling mqtt.publish():
File "/usr/lib/python3.10/site-packages/paho/mqtt/publish.py", line 222, in single
multiple([msg], hostname, port, client_id, keepalive, will, auth, tls,
File "/usr/lib/python3.10/site-packages/paho/mqtt/publish.py", line 126, in multiple
if not isinstance(msgs, collections.Iterable):
AttributeError: module 'collections' has no attribute 'Iterable'
Backported from https://github.com/eclipse/paho.mqtt.python/pull/497/
This was deprecated in python 3.9 and stopped working in python 3.10
Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2526a2f51f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openssl is an optional dependency since version 1.5.13 and
ee1cfe3bf9
which must be handled through pkg-config to avoid static build failure
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit c72795e3d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While building host-rust with a musl based toolchain without C++ compiler,
the build fail since libunwind bundled in rust sources needs a C++ compiler.
cargo:warning=i686-buildroot-linux-musl-gcc.br_real: error: [...]/host-rust-1.62.0/src/llvm-project/libunwind/src/Unwind-EHABI.cpp: C++ compiler not installed on this system
Note: the issues can't be reproduced with a glibc based toolchain
without C++ probaly due to extra steps required to support musl libc.
We could add the C++ dependency direclty to host-rustc but it would
requires adding the C++ reverse dependencies to all rust packages.
Instread, we add the C++ dependency to BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS
only when a musl toolchain is used. So we can still install a prebuilt
rust compiler but without the rust standard library (rust-std).
Usually we should not add toolchain dependencies in a _ARCH_SUPPORTS option but
BR2_PACKAGE_HOST_RUSTC_TARGET_TIER... options contains already some
BR2_TOOLCHAIN_USES_GLIBC or BR2_TOOLCHAIN_USES_MUSL.
Fixes:
http://autobuild.buildroot.org/results/636/636fb39c8f1b8c05e4ca451ac506cd63c7166d82
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Nicolas Tran <nicolas.tran@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8520058ac0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a bug-fix release, fixing a $edit_headers bug on MacOS, along
with a few other small bugs. It also tightens the $query_command parser
to accept a single tab between fields, and changes $pager to accept a %s
expando.
https://gitlab.com/muttmua/mutt/-/blob/mutt-2-2-7-rel/ChangeLog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 628f3dc54c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The script "utils/check-package" checks that patch email prefix are
not be numbered. See:
https://git.buildroot.org/buildroot/tree/utils/checkpackagelib/lib_patch.py?h=2022.08-rc1#n42
The error message recommends to generate patches to be included in
Buildroot with the command 'git format-patch -N'.
The patch policy section in the Buildroot manual does mention that.
This commit adds a note about that requirement.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5ac1b1866d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure:
In file included from libavcodec/ppc/audiodsp.c:31:
libavcodec/ppc/audiodsp.c: In function 'scalarproduct_int16_altivec':
./libavutil/ppc/util_altivec.h:123:5: error: implicit declaration of function 'vec_vsx_ld'; did you mean 'vec_vslh'? [-Werror=implicit-function-declaration]
123 | vec_vsx_ld(offset, b)
| ^~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/b772d285f978ff9bc3b07872d009633c943f20b1
VSX is indeed an extension to AltiVec, so having VSX implies having
AltiVec [0], so we can condition the altivec support on LE, on VSX being
available.
To be noted, however, is that ffmpeg has a configre switch dedicated to VSX:
--enable-vsx. We do not add support for that here, as we are just fixing
the AltiVec support. Adding VSX configure flag is left as an excercise for
a future feature addition.
[0] https://en.wikipedia.org/wiki/AltiVec#VSX_(Vector_Scalar_Extension)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
- add comment in .mk
- exend commit log to explain VSX implies AltiVec
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a26ab27397)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
tools needs C++ since the addition of the package in commit
27ad470d7d resulting in the following
build failure:
no -DHAVE_CONFIG_H -I. -I.. -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I../include -I../master -Wall -DREV=`if test -s ../revision; then cat ../revision; else hg id -i .. 2>/dev/null || echo "unknown"; fi` -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Ofast -g0 -c -o ethercat-Command.o `test -f 'Command.cpp' || echo './'`Command.cpp
/bin/bash: line 1: no: command not found
Fixes:
- http://autobuild.buildroot.org/results/89d096006839f32a3d03786e69e51ec3c5ea70f6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: move it before package's options]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 014ebc394d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2022-2652: Depending on the way the format strings in the card
label are crafted it's possible to leak kernel stack memory. There is
also the possibility for DoS due to the v4l2loopback kernel module
crashing when providing the card label on request (reproduce e.g. with
many %s modifiers in a row).
https://github.com/umlaeute/v4l2loopback/blob/v0.12.7/ChangeLog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 922fb6ac85)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-46784: In Squid 3.x through 3.5.28, 4.x through 4.17, and
5.x before 5.6, due to improper buffer management, a Denial of Service
can occur when processing long Gopher server responses.
https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d3ef301f0c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-46828: In libtirpc before 1.3.3rc1, remote attackers could
exhaust the file descriptors of a process that uses libtirpc because
idle TCP connections are mishandled. This can, in turn, lead to an
svc_run infinite loop without accepting new connections.
https://sourceforge.net/projects/libtirpc/files/libtirpc/1.3.3/Release-1.3.3.txt/download
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 408888a29b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2022-29154: An issue was discovered in rsync before 3.2.5 that
allows malicious remote servers to write arbitrary files inside the
directories of connecting peers. The server chooses which
files/directories are sent to the client. However, the rsync client
performs insufficient validation of file names. A malicious rsync
server (or Man-in-The-Middle attacker) can overwrite arbitrary files
in the rsync client target directory and subdirectories (for example,
overwrite the .ssh/authorized_keys file).
- Drop patches (already in version)
- Update hash of COPYING (make openssl license exception clearer by
having it at the top and use modern links in COPYING:
dde4695136)
https://github.com/WayneD/rsync/blob/v3.2.5/NEWS.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ae2807821d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The upstream commit 7a01882eb37e7504e2450f474d0cc8db60ed26c2
("common: Kconfig.boot: Add FIT_PRINT config option") introduce
CONFIG_FIT_PRINT and make fit_print_contents() empty if it was
not enabled.
Adding CONFIG_FIT_PRINT=y to UBOOT_TOOLS_MAKE_OPTS does not help
while CONFIG_FIT_PRINT=y affects Makefiles only, not C sources.
Add "#define CONFIG_FIT_PRINT 1" to autoconf.h if FIT_SUPPORT enabled.
It would be better to convert uboot-tools to kconfig infrastructure so
we can use KCONFIG_ENABLE_OPT etc. However, that's a much bigger change
and not suitable for backporting to stable branches. Therefore, for now,
take the simple approach of updating autoconf.h.
Signed-off-by: Atsushi Nemoto <atsushi.nemoto@sord.co.jp>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 2ebf652589)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a custom case to make sure that a random configuration with an empty
version for aufs-util doesn't fail.
Fixes:
- http://autobuild.buildroot.org/results/e242cf66a02983bcf6e95b37f8e458bd18aee683
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fee46b54e7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When enable DM for SPL binary, the DTB part of SPL may not 4 bytes aligned.
If u-boot-spl is not aligned, the offset of the DDR firmware is not 4
byte aligned when u-boot-spl-ddr.bin is created. This causes the ddr
firmware to not be loaded correctly at boot.
See imx-mkimage commit
https://source.codeaurora.org/external/imx/imx-mkimage/commit/?id=bba038d893046b44683182dba540f104dab80fe7
for the imx-mkimage details.
Signed-off-by: Bram Vlerick <bram.vlerick@openpixelsystems.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 81aa9e7b8b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SIMD needs VSX with little endian to avoid the following build failure:
In file included from /nvmedata/autobuild/instance-12/output-1/build/jpeg-turbo-2.1.3/simd/powerpc/jccolor-altivec.c:25:
/nvmedata/autobuild/instance-12/output-1/build/jpeg-turbo-2.1.3/simd/powerpc/jccolext-altivec.c: In function 'jsimd_rgb_ycc_convert_altivec':
/nvmedata/autobuild/instance-12/output-1/build/jpeg-turbo-2.1.3/simd/powerpc/jsimd_altivec.h:93:26: warning: implicit declaration of function 'vec_vsx_ld'; did you mean 'vec_vsl'? [-Wimplicit-function-declaration]
93 | #define VEC_LD(a, b) vec_vsx_ld(a, b)
| ^~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/be6d5ad0cee4ee19eb25e595d44555a1af6e073b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 701e6f34e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In case of an unexpected error, we currently only print the exception as
an str(). For example, the recent issue with the glibc version check
only reported:
TypeError: cannot use a string pattern on a bytes-like object
That does not help in fixing the issue; the exception text is also not
usually very user-friendly either anyway.
We change the reporting to print the traceback, which in the glibc
version check mentioned above, the error is reported as:
Traceback (most recent call last):
File "./utils/genrandconfig", line 740, in <module>
ret = gen_config(args)
File "./utils/genrandconfig", line 676, in gen_config
if not is_toolchain_usable(configfile, toolchainconfig):
File "./utils/genrandconfig", line 186, in is_toolchain_usable
if StrictVersion('2.14') > StrictVersion(glibc_version):
File "/usr/lib/python3.8/distutils/version.py", line 40, in __init__
self.parse(vstring)
File "/usr/lib/python3.8/distutils/version.py", line 135, in parse
match = self.version_re.match(vstring)
TypeError: cannot use a string pattern on a bytes-like object
With this, the error is much easier to pinpoint (it's the last one that
is not in a system module).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b6bfa3f744)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Unless explicitly told otherwise, subprocess.check_output() returns
bytes objects [0].
When we try to check the C library version (to check the Linaro
toolchain is usable), genrandconfig currently fails with:
TypeError: cannot use a string pattern on a bytes-like object
So, as suggested in the python documentation, decocde() the output of
subprocess.check_output() before we can use it.
[0] https://docs.python.org/3/library/subprocess.html#subprocess.check_output
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 12e4f7c5c4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
