This is not yet part of any release.
coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of
representable values of type unsigned char" undefined behavior issue, which
might allow remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via a crafted image.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
These have been added to upstream git after 0.6.12 was released.
CVE-2017-7960 - The cr_input_new_from_uri function in cr-input.c in libcroco
0.6.11 and 0.6.12 allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted CSS file.
CVE-2017-7961 - The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco
0.6.11 and 0.6.12 has an "outside the range of representable values of type
long" undefined behavior issue, which might allow remote attackers to cause
a denial of service (application crash) or possibly have unspecified other
impact via a crafted CSS file.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2016-4806 - Web2py versions 2.14.5 and below was affected by Local File
Inclusion vulnerability, which allows a malicious intended user to
read/access web server sensitive files.
CVE-2016-4807 - Web2py versions 2.14.5 and below was affected by Reflected
XSS vulnerability, which allows an attacker to perform an XSS attack on
logged in user (admin).
CVE-2016-4808 - Web2py versions 2.14.5 and below was affected by CSRF (Cross
Site Request Forgery) vulnerability, which allows an attacker to trick a
logged in user to perform some unwanted actions i.e An attacker can trick an
victim to disable the installed application just by sending a URL to victim.
CVE-2016-10321 - web2py before 2.14.6 does not properly check if a host is
denied before verifying passwords, allowing a remote attacker to perform
brute-force attacks.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-7467 - minicom and prl-vzvncserver vt100.c escparms[] buffer
overflow.
For more details about the issue, see the nice writeup on oss-security:
http://www.openwall.com/lists/oss-security/2017/04/18/5
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Removing clear and reset from the busybox config when the ncurses tools
are enabled is not really needed.
Since commit 802bff9c42, the busybox install will not overwrite
existing programs. Therefore, the tools will be installed correctly
regardless of the order of the build:
- if busybox is built first, the clear and reset apps are installed,
but they will be overwritten by ncurses;
- if ncurses is built first, it will install the clear and reset apps,
and busybox will no longer install them.
We prefer not to modify the busybox configuration when not strictly
necessary, because it is surprising for the user that his configuration
is not applied. Clearly, it's not ideal that busybox is configured with
redundant apps, but if the user wants to shrink it, it's possible to
provide a custom config.
This partially reverts commit 33c72344a8.
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Cc: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Library is licensed under BSD-3-Clause. Some programs are licensed
under GPL-2.0+ while other are BSD-3-Clause. Annotate licenses with
components and improve readability of license strings when
conditionally specifying license for programs using := instead of +=.
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
python-json-schema-validator supports Python 3, so there's no reason
to limit it to Python 2 only.
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Matthew Carruth <carruthm@gmail.com>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
python-versiontools supports Python 3, so there's no reason to limit
it to Python 2 only.
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Matthew Carruth <carruthm@gmail.com>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit fixes another brown-paper-bag issue that I've introduced by
my following patch:
toolchain: Bump ARC tools to arc-2017.03-rc1
(5f8ef7e25c)
arc-2017.03-rc1 differs a bit from 2.28. And so corresponding
of-the-tree patch should be updated appropriately.
Fixes target binutils build for arc:
http://autobuild.buildroot.net/results/f67/f67c905979870936d8050a505b61186be6dad85d//
[Peter: tweak commit message]
Signed-off-by: Vlad Zakharov <vzakhar@synopsys.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove 0003-fix-build-with-have-gl.patch which is already included in
this release.
Remove --{enable|disable}-standard-gl configure option because it
doesn't exist.
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The check-package script when ran gave warnings on only using
one space before backslashes on all of these makefiles.
This patch cleans up all warnings related to the one space before
backslashes rule in the make files in the package directory.
Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The header was non-standard according to check-package.
Signed-off-by: Adam Duskett <aduskett@codeblue.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit bumps ARC toolchain to arc-2017.03-rc1
Please note that it is a release candidate and it might contain some
breakages, please don't use it for production builds.
Also I have updated patches for binutils as our source files in
binutils differ comparing to 2.28.
Signed-off-by: Vlad Zakharov <vzakhar@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Both packages are coupled, so both are bumped and build-tested.
The atomics' support patch is no longer needed, and neither is the
autoreconf option, and SPARC64 is no longer broken.
To make sure of this, one config of each of the following archs was
tested (base defconfig in parens):
- PowerPC (qemu_ppc_g3beige_defconfig)
- SPARC (qemu_sparc_ss10_defconfig)
- SPARC64 (qemu_sparc64_sun4u_defconfig)
Signed-off-by: Mario J. Rugiero <mrugiero@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The warning currently reads:
No board defconfig name specified, check your
BR2_TARGET_UBOOT_DEFCONFIG setting.
It should read:
No board defconfig name specified, check your
BR2_TARGET_UBOOT_BOARD_DEFCONFIG setting.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We have a host-util-linux, so we can use it to provide libblkid and
libuuid. This makes it consistent with the target package.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
In fact, uuidgen was never built because we pass --disable-libuuid. So
the option was a NOP.
Remove the license info for libuuid.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
[Arnout:
- do not remove --disable-uuidd - even though that is implied by
--disable-libuuid, it's better to be explicit about it;
- remove license info of libuuid]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We decided some time ago that config entries with 5 or more suboptions
should be turned into a menuconfig. e2fsprogs has many more than that.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
sf.net redirects to sourceforge.net, so directly use that as upstream
URL. Config.in.host already uses that URL.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
[Arnout: remove trailing /]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The curious ones will find the release notes here:
https://github.com/kergoth/tslib/releases
Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Drop upstream patch.
Add two more patches to deal with musl build issues.
Cc: Joris Lijssens <joris.lijssens@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Security fixes:
- CVE-2017-7468: switch off SSL session id when client cert is used
Full changelog: https://curl.haxx.se/changes.html
Removing 0001-CVE-2017-7407.patch. It's included in this release:
1890d59905
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Xenomai has many configure options that users may or may not want to set.
Providing individual Buildroot config options for every single one of them
is not maintainable.
Therefore, add a string option to allow the needed flexibility.
Important options, or those that have 'select/depends on' impact, can still
be turned into real Buildroot config options.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Thomas: rewrap Config.in help text.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>