Commit Graph

70283 Commits

Author SHA1 Message Date
Peter Korsgaard
a35554eccd package/gst1-vaapi: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7289bdb475)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:54 +01:00
Peter Korsgaard
9a1f0a5607 package/gst1-rtsp-server: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d70360eed5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:54 +01:00
Peter Korsgaard
777993cad7 package/gst1-python: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bbc3fdea58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:53 +01:00
Peter Korsgaard
194f0bca92 package/gst1-libav: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d6c03ac99e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:52 +01:00
Peter Korsgaard
76984ced00 package/gst1-devtools: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 32935c020f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:52 +01:00
Peter Korsgaard
5aab043b78 package/gst1-plugins-ugly: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f93be77769)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:51 +01:00
Peter Korsgaard
ea4538688c package/gst1-plugins-bad: security bump to version 1.22.8
Fixes the following security issue:

ZDI-CAN-22300: Heap-based buffer overflow in the AV1 codec parser when
handling certain malformed streams before GStreamer 1.22.8

https://gstreamer.freedesktop.org/security/sa-2023-0011.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7add923aed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:50 +01:00
Peter Korsgaard
e55eab4b96 package/gst1-plugins-good: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0489447535)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:49 +01:00
Peter Korsgaard
9f891e825b package/gst1-plugins-base: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 44820b6021)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:49 +01:00
Peter Korsgaard
d1772f1ddc package/gstreamer1: bump to version 1.22.8
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 2631267648)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 18:08:48 +01:00
Peter Seiderer
c6a59147ac package/libcamera: add i.MX8 ISI pipeline option
Add i.MX8 ISI pipeline option (introduced with upstream commit [1] (since
version v0.0.1).

[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=0ec982d210861cc6aaebb5d6e8f1a755a16c9792

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3438a8869f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 16:40:41 +01:00
Peter Seiderer
f7474d1065 package/libcamera: use udev configure option
Use the udev configure option introduced with upstream commit [1] (since
version v0.1.0).

[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=d314d3b98b86dec9a25ce7b829e72a790b7ead1b

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5020985e39)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 16:40:04 +01:00
Peter Seiderer
9a6a2f9155 package/libcamera: disable python bindings
Disable python binding option (introduced with upstream commit [1]
since version v0.0.1).

[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=8aa02271fd716ed046970a0b1f89176963303f50

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 09e61e40d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 16:38:56 +01:00
Peter Seiderer
a2c303136f package/libcamera: pipeline option 'raspberrypi' changed to 'rpi/vc4'
With upstream commit [1] (since version v0.1.0) the pipeline option 'raspberrypi'
was renamed to 'rpi/vc4'.

Change the buildroot option name from BR2_PACKAGE_LIBCAMERA_PIPELINE_RASPBERRYPI
to BR2_PACKAGE_LIBCAMERA_PIPELINE_RPI_VC4 (and add Config.in.legacy entry
accordingly) and move handling in Config.in/libcamera.mk to follow alphabetic
ordering.

Fixes:

  .../build/libcamera-v0.1.0/meson.build:3:0: ERROR: Options "raspberrypi" are not in allowed choices: "all, auto, imx8-isi, ipu3, rkisp1, rpi/vc4, simple, uvcvideo, vimc"

[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=726e9274ea95fa46352556d340c5793a8da51fcd

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 782d268aba)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 16:38:43 +01:00
Sebastian Bauer
773db648fb Revert "package/libcamera-apps: bump to version 1.3.0"
This reverts commit c9645fd29b.

Building libcamera-apps 1.3.0 with current libcamera 0.1.0 fails because
some of the symbols like controls::AeFlickerMode are not recognized.
According to my research, they have been introduced after libcamera 0.1.0
but there is no release version of libcamera newer than 0.1.0 available
to which we could bump.

Signed-off-by: Sebastian Bauer <mail@sebastianbauer.info>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bf7a1f10dd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 16:27:43 +01:00
Thomas Petazzoni
3b07e4b0df package/gdb: build and link libbfd and libopcodes as static libraries
Since GDB 13.x and upstream commit
b686ecb5b10be9a33ab8f1bfdcff22eef920d1a5 ("gdb: link executables with
libtool"), gdb will be linked against the shared variants of libbfd
and libopcodes if they exist. However, this causes host gdb and target
gdb to not work, because our gdb package does not install libbfd and
libopcodes (to not clash with the ones potentially installed by
binutils).

In order to get around this, this commit proposes to get back to the
situation we had before GDB 13.x: libbfd and libopcodes are only
compiled as static libraries, so that they are linked directly inside
the gdb binary, avoiding the problem entirely.

This resolves:

 # gdb --version
 gdb: error while loading shared libraries: libopcodes-2.39.50.so: cannot open shared object file: No such file or directory

for target gdb, and:

 $ ./host/bin/arm-linux-gdb --version
 ./host/bin/arm-linux-gdb: error while loading shared libraries: libopcodes-2.39.50.so: cannot open shared object file: No such file or directory

for host gdb.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit e5729d3008)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 16:24:52 +01:00
Fabrice Fontaine
c0c62f8cf0 package/wolfssl: security bump to version 5.6.6
- Use official tarball and so drop autoreconf
- Fix CVE-2023-6935, CVE-2023-6936 and CVE-2023-6937

https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0c4bd703a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 11:21:48 +01:00
Fabrice Fontaine
d1a9aa8f92 package/mp4v2: security bump to version 2.1.3
Fix CVE-2023-1450, CVE-2023-1451 and CVE-2023-29584

https://github.com/enzo1982/mp4v2/releases/tag/v2.1.3
https://github.com/enzo1982/mp4v2/releases/tag/v2.1.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 19f0837174)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 11:21:24 +01:00
Fabrice Fontaine
8529a89b0f package/gstreamer1/gstd: drop readline dependency
readline is not a dependency since bump to version 0.15.0 in commit
cbd06adac5 and
978b503840

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 95a5ed7545)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 11:20:35 +01:00
Thomas Petazzoni
280aa23da6 package/x11r7/xwayland: security bump to 23.2.3
According to
https://lists.x.org/archives/xorg-announce/2023-December/003437.html:

  This release contains the fixes for CVE-2023-6377 and CVE-2023-6478
  in today's security advisory:
  https://lists.x.org/archives/xorg-announce/2023-December/003435.html

The release has only 10 commits compared to 23.2.2, all of which being
fixes, two of them being the security fixes. So it seems like bumping
the version is a reasonable trade-off vs. backporting the security
fixes.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 078b8558b9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 11:19:01 +01:00
Fabrice Fontaine
573f5a6f72 package/squid: security bump to version 6.6
- Drop patch (already in version)
- Fix CVE-2023-50269: This problem allows a remote client to perform
  Denial of Service attack by sending a large X-Forwarded-For header
  when the follow_x_forwarded_for feature is configured.

https://github.com/squid-cache/squid/security/advisories/GHSA-wgq4-4cfg-c4x3
https://github.com/squid-cache/squid/blob/SQUID_6_6/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c13199c932)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 11:07:15 +01:00
Fabrice Fontaine
105ce13d21 package/ksmbd-tools: security bump to version 3.5.1
Fix potential NULL dereference errors.

https://github.com/cifsd-team/ksmbd-tools/releases/tag/3.5.1
https://github.com/cifsd-team/ksmbd-tools/releases/tag/3.5.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 66a77af985)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 10:48:08 +01:00
Fabrice Fontaine
5909f8eae3 package/libebml: security bump to version 1.4.5
Fix invalid memory access (reading beyond allocated memory) due to
missing integer overflow check.

https://github.com/Matroska-Org/libebml/blob/release-1.4.5/NEWS.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 69df189aea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 10:45:59 +01:00
Fabrice Fontaine
fb163d2c7d package/opensc: security bump to version 0.24.0
- Drop patches (already in version) and so drop autoreconf
- Fix the following security issues:
  - CVE-2023-40660: Fix Potential PIN bypass
  - CVE-2023-40661: Important dynamic analyzers reports
  - CVE-2023-4535: Out-of-bounds read in MyEID driver handling
    encryption using symmetric keys

https://github.com/OpenSC/OpenSC/releases/tag/0.24.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 37eb68c9fb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 10:45:18 +01:00
Fabrice Fontaine
71f9acc72b package/strongswan: security bump to version 5.9.13
A vulnerability in charon-tkm related to processing DH public values was
discovered in strongSwan that can result in a buffer overflow and
potentially remote code execution. All versions since 5.3.0 are
affected.

https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html
https://github.com/strongswan/strongswan/blob/5.9.13/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9e5cbbb413)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 10:36:36 +01:00
Fabrice Fontaine
ed75806fe9 package/libde265: security bump to version 1.0.15
A couple of bug fixes, including the following CVEs:
 - CVE-2023-49465
 - CVE-2023-49467
 - CVE-2023-49468

https://github.com/strukturag/libde265/releases/tag/v1.0.15

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 158edd5aa9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 10:36:04 +01:00
Fabrice Fontaine
60a96b42a2 package/libheif: security bump to version 1.17.6
A couple of build fixes and bug fixes detected by fuzzing.

Corrects these issues:
 - CVE-2023-49462
 - CVE-2023-49463

https://github.com/strukturag/libheif/releases/tag/v1.17.6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 01689a9a65)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 10:35:26 +01:00
Bernd Kuhls
cf70203bef package/libheif: bump version to 1.17.5
Release notes:
https://github.com/strukturag/libheif/releases

Added configure support for new codec plugins introduced in version
1.17.0: https://github.com/strukturag/libheif/releases/tag/v1.17.0

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5714126eda)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-10 10:35:13 +01:00
Fabrice Fontaine
1f4e5eafdf package/onevpl-intel-gpu: add CPE variables
cpe:2.3:a:intel:onevpl_gpu_runtime is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/detail/7F7056CA-A41D-4AB5-B9CC-9DE24A27B8BA

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 312f4ab4c8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 21:35:21 +01:00
Fabrice Fontaine
d6aa7c6b88 package/cjson: security bump to version 1.7.17
- Fix null reference in cJSON_SetValuestring (CVE-2023-50472)
- Fix null reference in cJSON_InsertItemInArray (CVE-2023-50471)

https://github.com/DaveGamble/cJSON/releases/tag/v1.7.17

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 449538348e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 21:28:13 +01:00
Francois Perrad
5e0beb18fe package/libgtk3: bump to version 3.24.39
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a449898d82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 21:25:00 +01:00
Francois Perrad
be8bd8743d package/dbus: bump to version 1.14.10
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit be24c10472)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 21:22:23 +01:00
Bernd Kuhls
5a803337de {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.{1, 6}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d42683a055)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 21:09:18 +01:00
Bernd Kuhls
337d2aa885 package/php: bump version to 8.2.14
Changelog: https://www.php.net/ChangeLog-8.php#8.2.14
Release notes: https://www.php.net/releases/8_2_14.php

This release fixes build errors with libxml2 2.12.0.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 973eff2ff2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 14:05:35 +01:00
Thomas Petazzoni
806bb4a0a4 package/onevpl-intel-gpu: add missing dependency on BR2_x86_64
BR2_PACKAGE_ONEVPL_INTEL_GPU selects BR2_PACKAGE_INTEL_MEDIADRIVER,
but it forgets to replicate all its dependencies, in particular
BR2_x86_64, causing:

WARNING: unmet direct dependencies detected for BR2_PACKAGE_INTEL_MEDIADRIVER
  Depends on [n]: BR2_x86_64 [=n] && !BR2_STATIC_LIBS [=n] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_8 [=y] && BR2_TOOLCHAIN_HAS_SYNC_1 [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_TOOLCHAIN_HAS_THREADS_NPTL [=y]
  Selected by [y]:
  - BR2_PACKAGE_ONEVPL_INTEL_GPU [=y] && BR2_PACKAGE_ONEVPL_ARCH_SUPPORTS [=y] && BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_TOOLCHAIN_GCC_AT_LEAST_7 [=y] && BR2_TOOLCHAIN_HAS_SYNC_1 [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_TOOLCHAIN_HAS_THREADS_NPTL [=y]

Fixes: ac65841def ("package/onevpl-intel-gpu: new package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 120f961fc6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 14:01:02 +01:00
Thomas Petazzoni
5f24ed88e0 .checkpackageignore: stop ignoring ShellCheck issues in google-breakpad
The issues have been fixed by commit
f1089391a8 ("package/google-breakpad/gen-syms.sh:
fix shellcheck warnings")

Fixes:

  https://gitlab.com/buildroot.org/buildroot/-/jobs/5815132933

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9212a719a5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 13:51:21 +01:00
Adam Duskett
f72c3292dc package/google-breakpad: disable uclibc support
The google-breakpad package uses stab.h which is not included in
uClibc, causing the following build error:

src/common/stabs_reader.cc:37:10: fatal error: stab.h: No such file or directory
   37 | #include <stab.h>
      |          ^~~~~~~~
compilation terminated.

Fixes:

  http://autobuild.buildroot.net/results/bba513b7c63a24a83805d2b989a9b95e5fe08e82/

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c20334d35c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 13:39:36 +01:00
Adam Duskett
20e8a02477 package/google-breakpad: fix building with gcc 13.x
Fixes the following error when building with gcc 13.x:

‘uintptr_t’ is defined in header ‘<cstdint>’; did you forget to ‘#include <cstdint>’?

Fixes:

  http://autobuild.buildroot.net/results/73f17ec308b6fd20dabdb7e391a3f67793a14d5b/

  (which happens with the target google-breakpad, but the issue can
  also happen when building host-google-breakpad if the host system
  uses gcc 13.x)

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Thomas: use upstream fix, improve commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 08fa882d3c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 13:38:50 +01:00
Adam Duskett
3b5860f271 package/google-breakpad/gen-syms.sh: fix shellcheck warnings
Fixes warning SC2068

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f1089391a8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-09 13:38:27 +01:00
Kilian Zinnecker
9519bde956 configs/rock5b: add hash for custom kernel
Commit d344ffe624 (configs/rock5b: add hash for custom uboot)
explicitly noted that the kernel was retrieved from a git-clone, so the
sha1 of the commit was enough to get what we expect.

However, that does not account for the fact that the upstream repository
can disappear or be temporarily unavailable (maliciously or not). In that
case, the kernel archive will be looked up on the backup mirror.

In that case, the download is via wget over https, which protects the
transport, but does not guarantee that the remote server serves the
expected archive.

The hash file was dropped when d344ffe624 was applied; restore it.

Since the defconfig now has hashes for all its downloads, enforce
checking hashes.

Signed-off-by: Kilian Zinnecker <kilian.zinnecker@mail.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9ebbfeff38)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-08 12:03:55 +01:00
Kilian Zinnecker
92f06caf4d configs/rock5b: add hash for custom uboot
The defconfig uses a custom uboot version, downloaded with wget, so we
want to be sure that it does not get modified on the server, so we add
a hash for it.

The kernel we get from a git clone, so the sha1 of the commit is enough
to be sure that what we get is what we expect (because we do a local
tarball out of a git clone).

Since we only get a hash for uboot and not for the kernel, we don't
enable BR2_DOWNLOAD_FORCE_CHECK_HASHES.

Signed-off-by: Kilian Zinnecker <kilian.zinnecker@mail.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d344ffe624)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-08 12:03:48 +01:00
Adam Duskett
a3d291e8f6 package/wlroots: add hwdata and hwdata_pnp_ids as a dependency
Since upstream commit
eec95e3d5e1a4f2e13b1f6b34cc287475ca57daf ("backend/drm: use pnp.ids to
fetch EDID data"), the pnp.ids file from hwdata is parsed at build
time to generate a C source file. As per backend/drm/meson.build:

hwdata = dependency('hwdata', required: false, native: true)
if hwdata.found()
	hwdata_dir = hwdata.get_variable(pkgconfig: 'pkgdatadir')
	pnp_ids = files(hwdata_dir / 'pnp.ids')
else
	pnp_ids = files('/usr/share/hwdata/pnp.ids')
endif

This is only needed when the DRM backend of wlroots is enabled, but
currently, Buildroot enables this backend unconditionally.

This failure can be reproduced using the following defconfig:

BR2_x86_64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_OSMESA_GALLIUM=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_WLROOTS=y

The issue was not caught in the autobuilders because the last
successful build of a configuration that includes wlroots dates back
from 2022-05-05, at which time Buildroot had wlroots 0.15.1.

This change in wlroots was introduced in wlroots 0.16.0, which means
that it's only since Buildroot bumped from 0.15.1 to 0.16.2 in
d6279bc82c ("package/wlroots: bump to
version 0.16.2") that the issue occurs. This commit is not yet in any
tagged release, so there is no need to backport this fix.

It should be noted that the proposed patch also installs pnp.ids to
the target filesystem, while it is in practice not needed at runtime
by wlroots. However, our current hwdata packaging doesn't allow
installing it only in staging, and since wlroots anyway implies we're
building a fairly heavy graphics stack, the size overhead of hwdata is
deemed to be an acceptable trade-off.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Thomas: further extend the commit log, with details gathered by Yann
and myself.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 50eed2060a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-08 11:54:25 +01:00
Peter Korsgaard
bbde803252 package/libssh: security bump to version 0.10.6
Fixes the following security issues:

- CVE-2023-6004: Command Injection using malicious hostname in expanded proxycommand
  https://www.libssh.org/security/advisories/CVE-2023-6004.txt

- CVE-2023-48795: Avoid potential downgrade attacks by implementing strict kex
  https://www.libssh.org/security/advisories/CVE-2023-48795.txt

- CVE-2023-6918: Avoid potential use of weak keys in low memory conditions
  by systematically checking return values of MD functions.
  https://www.libssh.org/security/advisories/CVE-2023-6918.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a8362e5c85)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-07 23:42:34 +01:00
Peter Korsgaard
3203bf348b package/putty: security bump to version 0.80
As described in the announcement, this fixes a security issue:

There is one security fix in this release:

 - Fix for a newly discovered security issue known as the 'Terrapin'
   attack, also numbered CVE-2023-48795. The issue affects widely-used
   OpenSSH extensions to the SSH protocol: the ChaCha20+Poly1305
   cipher system, and 'encrypt-then-MAC' mode.

   In order to benefit from the fix, you must be using a fixed version
   of PuTTY _and_ a server with the fix, so that they can agree to
   adopt a modified version of the protocol. Alternatively, you may be
   able to reconfigure PuTTY to avoid selecting any of the affected
   modes.

   If PuTTY 0.80 connects to an SSH server without the fix, it will
   warn you if the initial protocol negotiation chooses an insecure
   mode to run the connection in, so that you can abandon the
   connection. If it's possible to alter PuTTY's configuration to
   avoid the problem, then the warning message will tell you how to do
   it.

https://lists.tartarus.org/pipermail/putty-announce/2023/000037.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 922132c39e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-07 23:37:36 +01:00
Baruch Siach
681d9d7683 package/libcurl: fix build with GnuTLS and no verbose
A change of data logging introduced in version 8.5.0 broke the build.
Add a patch to fix that.

Fixes:
http://autobuild.buildroot.net/results/c5b996696333c4ff1392dbb8e6b0edc9c5322ee4/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 088ac834b7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-07 23:26:53 +01:00
Thomas Petazzoni
a84c3d64a6 package/glibc: ignore CVEs not considered as security issues by upstream
5 CVEs affecting glibc according to the NVD database are considered as
not being security issues by upstream glibc developers:

* CVE-2010-4756: The glob implementation in the GNU C Library (aka
  glibc or libc6) allows remote authenticated users to cause a denial
  of service (CPU and memory consumption) via crafted glob expressions
  that do not match any pathnames. glibc maintainers position: "That's
  standard POSIX behaviour implemented by (e)glibc. Applications using
  glob need to impose limits for themselves"

* CVE-2019-1010022: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass stack guard
  protection. The component is: nptl. The attack vector is: Exploit
  stack buffer overflow vulnerability and use this bypass
  vulnerability to bypass stack guard. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat. glibc maintainers position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
  current loaded library with malicious ELF file. The impact is: In
  worst case attacker may evaluate privileges. The component is:
  libld. The attack vector is: Attacker sends 2 ELF files to victim
  and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat. glibc maintainers position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

* CVE-2019-1010024: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass ASLR using cache of
  thread stack and heap. The component is: glibc. NOTE: Upstream
  comments indicate "this is being treated as a non-security bug and
  no real threat. glibc maintainers position: "Not treated as a
  security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22852"

* CVE-2019-1010025: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may guess the heap addresses of
  pthread_created thread. The component is: glibc. NOTE: the vendor's
  position is "ASLR bypass itself is not a vulnerability. Glibc
  maintainers position: "Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22853"

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit adaae82c58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-07 23:00:12 +01:00
Thomas Petazzoni
ec1b39ed8a package/glibc: add proper CPE ID version detail
As reported in bug 15895, the GLIBC_VERSION field having a value
looking like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701, it
prevents the CPE/CVE matching with the NVD database to work correctly.

This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
GLIBC_VERSION, by extracting the base version.

Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
clearly been fixed between 2.38 and
2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
of other CVEs still affecting the glibc package, but they are not
related to this
2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.

Fixes: #15895

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit af8c0e5c74)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-07 23:00:06 +01:00
Adam Duskett
5c0d8ab627 package/sway/Config.in: select BR2_PACKAGE_XKEYBOARD_CONFIG
Much like weston, this is a runtime dependency.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7e767c81a8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-07 18:29:41 +01:00
Adam Duskett
3cd431470a package/sway/Config.in: remove duplicate dependencies
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d107888e38)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-07 18:28:07 +01:00
Bernd Kuhls
32b652d878 package/transmission: bump version to 4.0.5
Release notes:
https://github.com/transmission/transmission/releases/tag/4.0.5

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fdeb41bda6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-01-07 12:29:46 +01:00