Fixes the following security issues:
- bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to
avoid a potential race condition.
- bpo-41180: Add auditing events to the marshal module, and stop raising
code.__init__ events for every unmarshalled code object. Directly
instantiated code objects will continue to raise an event, and audit event
handlers should inspect or collect the raw marshal data. This reduces a
significant performance overhead when loading from .pyc files.
- bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to
get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This
copy is most used on Windows and macOS.
- bpo-43124: Made the internal putcmd function in smtplib sanitize input for
presence of \r and \n characters to avoid (unlikely) command injection.
https://www.python.org/downloads/release/python-397/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with fortran raised since bump to
version 4.0.0 in commit 366e7f1ecb and
99730f798b:
    checking size of Fortran type(test_mpi_handle)... (cached) 4
    checking alignment of Fortran type(test_mpi_handle)... configure: error: Can not determine alignment of type(test_mpi_handle) when cross-compiling
Fixes:
- http://autobuild.buildroot.org/results/86ffde2f67ffc0bfaeebe72fe742a5c241bc580b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Though several cross-compilation patches exist in buildroot's nginx
package dir they do not seem to address endianness.
The test program generated by the configure script compiles but fails
to run (as it is built for another architecture) but the script does
not distinguish between the failure to run the program and an
indication of certain endianness. As such the fallback of big-endian
is used. This setting then causes http2 headers (anything not in the
static dictionary) to come out as undecipherable trash on 64bit
targets (see ngx_http_v2_huff_encode_buf()).
This commit includes a patch to the configure script to allow a
`--force-endianness=big|little` flag as well as setting that flag in
buildroot's package makefile.
Signed-off-by: Nevo Hed <nhed+buildroot@starry.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Find libxcrypt through pkg-config to avoid the following build failure:
    /home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/riscv64-buildroot-linux-musl/10.2.0/../../../../riscv64-buildroot-linux-musl/bin/ld: .libs/passverify.o: in function `.L30':
    passverify.c:(.text+0x368): undefined reference to `crypt_checksalt'
Fixes:
- http://autobuild.buildroot.org/results/20b14e222b35c2d1269960075832b784ba81aa1a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Quoting https://www.php.net/
"This is a security fix release."
Changelog: https://www.php.net/ChangeLog-8.php#8.0.10
CVE-ID were not mentioned in any of the fixed bugs.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with nodejs raised since bump to version
12.22.5 in commit 7038b029d8:
    ../src/cares_wrap.cc:42:11: fatal error: ares_nameser.h: No such file or directory
       42 | # include <ares_nameser.h>
          | ^~~~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/a0f867d5e765fc1aa052de5e53ed350b3b20743f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- NodeJS passes NULL for addr and 0 for addrlen to
ares_parse_ptr_reply() on systems where malloc(0) returns NULL. This
would cause a crash.
- If ares_getaddrinfo() was terminated by an ares_destroy(), it would
cause a crash
- Crash in sortaddrinfo() if the list size equals 0 due to an unexpected
DNS response
- Expand number of escaped characters in DNS replies as per RFC1035 5.1
to prevent spoofing follow-up
- Perform validation on hostnames to prevent possible XSS due to
applications not performing validation themselves
https://c-ares.haxx.se/changelog.html#1_17_2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Some 3rd party vendor toolchains have multiple files which match
these glob patterns. In this case, the shell script failed.
Switching to use find and xargs solves the issue.
Signed-off-by: Jonah Petri <jonah@petri.us>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
rwmem is a small tool to read & write device registers. Some of the
features include:
- support mmaped and i2c devices
- addressing with 8/16/32/64 bit addresses
- accessing 8/16/32/64 bit memory locations
- little and big endian addresses and accesses
- bitfields
- address ranges
- register description database
Python bindings are disabled for now.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The Qt OPC UA module implements a Qt API to interact with OPC UA on
top of a 3rd party OPC UA stack.
The default is open62541, which is bundled by qt5opcua in version 1.0,
so we don't need to provide/depend on br's own open62541 package.
Another dependency is mbedtls, but it's optional.
Signed-off-by: Andreas Naumann <anaumann@ultratronik.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Vue Router is the official router for Vue.js.
Signed-off-by: Thomas Claveirole <thomas.claveirole@green-communications.fr>
[Arnout: use comment instead of submenu]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This test builds a bogus package that installs a binary built for the
host architecture into $(TARGET_DIR), which should cause a build
failure, at least as long as the host architecture isn't ARM.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
[yann.morin.1998@free.fr: drop unneeded subprocess import to fix flake8]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Some tests will need to grep through the build log to verify that some
features are working as expected. In order to allow them to open the
build log, we provide a new function called log_file_path(), which
returns the path to the log file if available.
We also use this function in open_log_file().
Note that open_log_file() cannot be used directly to grep through the
log file at the end of a build: because it opens in "a+" mode, it
greps starting from the end of the file.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since commit 39d334faa5 (package/pkg-qmake: add <pkg>_SYNC_QT_HEADERS
support), the qmake-package infra recognises said variable but the
manual has the wrong variable name, which is missing the "_QT" part.
We fix that by amending the manual to document the proper variable name.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
QT5_QT_CONF_FIXUP tweaks files for per-package directory build.
This is typically the kind of operation expected to be in
post-prepare hook.
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
When using top level parallel build, independent qt5 packages may be
built in parallel. Because of their staging dirs being hardlinked, they
all use the same qt.conf file to manipulate during configure, while
another qt5 package might already use it. This leads to weird build failures
because the folders qmake is using are diverted in erratic ways.
Fix this by actually recreating a non-shared qt.conf file for every package.
Signed-off-by: Andreas Naumann <anaumann@ultratronik.de>
Reviewed-by: Herve Codina <herve.codina@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This release includes the following changes:
- New features
- New 'sessionResume' service-level option to allow or disallow session resumption
- Added support for the new SSL_set_options() values.
- Download fresh ca-certs.pem for each new release.
- Bugfixes
- Fixed 'redirect' with 'protocol'. This combination is not supported by 'smtp', 'pop3' and 'imap' protocols.
- Enforced minimum WIN32 log window size.
- Fixed support for password-protected private keys with OpenSSL 3.0 (thx to Dmitry Belyavskiy).
- Added missing TLS options supported in OpenSSL 1.1.1k.
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This release introduces meson build system support.
As meson files are only available in git, switch the location to
https://gitlab.freedesktop.org.
Add support for bash-completion.
Add an upstream patch fixing the compilation without gobject-introspection.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Use BR2_PACKAGE_MESA3D_GBM instead of BR2_PACKAGE_MESA3D_OPENGL_EGL as
GBM can also be provided by a DRI driver
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The gitlab-ci support in test-pkg allows to parallelize the test-pkg
work into several gitlab jobs. It's much faster than local serialized
testing.
To trigger this, a developer will have to add, in the latest commit of
their branch, a token on its own line, followed by a configuration
fragment, e.g.:
    test-pkg config:
    SOME_OPTION=y
    # OTHER_OPTION is not set
    SOME_VARIABLE="some value"
This configuration fragment is used as input to test-pkg.
To be able to generate one job per test to run, we need the list of
tests in the parent pipeline, and the individual .config files (one per
test) in the child pipeline. We use the newly-introduced --prepare-only
mode to test-pkg, and collect all the generated .config files as
artefacts; those are inherited in the child pipeline via the
"needs::pipeline" and "needs::job" directives. This is a bit tricky,
and is best described by the Gitlab-CI documentation [0].
We also list those .config files to generate the actual list of jobs to
run in the child pipeline.
Notes:
- if the user provides an empty fragment, this is considered an error:
indeed, without a fragment (and the package name), there is no way
to know what to test;
- if that fragment yields an empty list of tests, then there is
nothing to test either, so that is also considered an error.
[0] https://docs.gitlab.com/ee/ci/yaml/README.html#artifact-downloads-to-child-pipelines
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[yann.morin.1998@free.fr:
- split the change to test-pkg to its own patch
- generate the actual yml snippet in support/scripts/generate-gitlab-ci-yml,
listing the .config files created by test-pkg
- some code-style-candies...
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Currently, running test-pkg is only done locally on the developer's
machine.
In a follow up commit, we'll add the possibility to run test-pkg in a
gitlab-ci pipeline and, to speed things up, with one job per buildable
configuration.
As such, we will need to make sure that test-pkg only prepares the
configurations, and that it does not build them.
Add such a mode, with a new option, --prepare-only.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
libesmtp is an optional dependency (disabled by default) since version
0.10.0 and
8a35b429c6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Update STM32F469-disco configuration files to operate with new kernel.
Result of make tinyconfig was taken as a starting point to fit kernel
into flash memory.
Current setup kernel + rootfs fits in 1.6MB on-chip flash memory
Fixes:
- Move kernel to new flash bank due to growth of dtb size
- Fix kernel start address in bootloader
- Remove outdated path which doesn't affect normal operation mode
For better binary size optimization gcc LTO is turned on.
Signed-off-by: Yauheni Saldatsenka <eugentoo@gmail.com>
[Arnout:
- squash 3 patches into 1;
- remove unused dts file;
- move linux/linux.config to linux-xip.config;
- add a sentence to readme to say SD card is not needed.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This fixup is done at pkg-generic level for all packages.
So, it is no more needed in owfs package.
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fixing _sysconfigdata*.{py,pyc} was previously done by python package
infrastructure. Some packages use python stuff without using python
package infrastructure.
These packages perform overwrites and need the specific python fixup
to fix them.
In order to be sure to fix all of these packages, the python fixup
is moved to the generic package infrastructure and applied to all
packages.
This follows the same principle as for the .la libtool files fixup.
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
For per-package directories, we fixup the _sysconfigdata*.py files, so
that they get proper path pointing to the current package's directory
structure.
However, the corresponding, pre-compiled blobs _sysconfigdata*.pyc were
left around, and thus are inconsistent with their source. They might
also be regenerated when a package would install a python module; this
regeneration would trigger the soon-to-be-introduced overwrite
detection.
This commit simply removes _sysconfigdata*.pyc files; they will anyway
be regenerated by the PYTHON{,3}_CREATE_PYC_FILES target finalize hooks.
This is an efficient way to guarantee the consistency between the source
and precompiled versions, and to not trigger the overwrite detection.
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
[yann.morin.1998@free.fr: reword the commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Find used by PKG_PYTHON_FIXUP_SYSCONFIGDATA can fail if directories
are not present. This failure is silently ignored because find is
on the LHS of a pipe.
This commit fixes the find failure. HOST_DIR is used as the starting
point and the search is filtered on the expected directories.
This commit also adds -print0 and the $(Q) verbosity flag as minor
changes.
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
[yann.morin.1998@free.fr:
- split long line with the two -path options
- move "| xargs ..." onto its own line
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With BR2_REPRODUCIBLE, our 'fakedate' wrapper script will end up in
host/bin/date. Currently, it iterates over all the 'date' found in PATH,
until it finds one that is not the script itself, in an attempt to avoid
infinite recursion by calling itself again and again.
This heuristic works OK in Buildroot, because host/bin/ is first in the
PATH, and so that means the first entry in the PATH is skipped.
However, this is going to fail as soon as our wrapper is not the first
in the PATH. Indeed, in that situation, the current heuristic will stop
on the first 'date' in the PATH, as it is not the script itself, and
since our script was executed, that probably means the first 'date' was
itself a wrapper that ended up calling us. So, calling it again will
eventually trickle to calling us again, and thus creating the loop our
heuristic was made to avoid.
This situation currently does not occur in Buildroot, because host/bin/
is first, *and* we have no package that provides their own 'date' wrapper
during their build steps.
But when we generate an SDK with BR2_REPRODUCIBLE, then our wrapper
script will be in sdk/bin/, and there is no longer any guarantee this
comes first in the PATH, thus opening the possibility that another
buildsystem based on our SDK, but which has its own 'date' wrapper, will
trigger this infinite recursion.
We fix that by iterating, in reverse order, over all the 'date' we can
find in PATH, and when we find ourselves, then we know the one we found
in the iteration just before is the one that we should call.
'which -a' is old enough that we can expect it to be always available;
it has been present at least since Debian Squeeze, released 2011.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
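
The two lookup strategies described in the commit message above, run side by side on a constructed PATH where a foreign 'date' wrapper precedes ours. This is an added example, not Buildroot's fakedate script: the function names and directory layout are assumptions, and PATH is walked by hand instead of calling 'which -a'.

```shell
#!/bin/sh
# Added example, not Buildroot's fakedate script. Directory names are
# constructed; paths containing whitespace are not handled.

# Print every executable NAME found in the colon-separated PATHLIST, in
# search order (the information 'which -a NAME' reports).
list_in_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -x "${dir:-.}/$name" ]; then
            printf '%s\n' "${dir:-.}/$name"
        fi
    done
    IFS=$old_ifs
}

# Old heuristic: first 'date' in PATH that is not the wrapper itself.
first_not_self() {
    for p in $(list_in_path date "$2"); do
        if ! [ "$p" -ef "$1" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Fixed heuristic: walk the candidates in reverse; on reaching the wrapper,
# the candidate visited just before it is the next 'date' after it in PATH.
next_after_self() {
    reversed=
    for p in $(list_in_path date "$2"); do
        reversed="$p $reversed"
    done
    prev=
    for p in $reversed; do
        if [ "$p" -ef "$1" ]; then
            [ -n "$prev" ] || return 1   # wrapper is last: nothing to call
            printf '%s\n' "$prev"
            return 0
        fi
        prev=$p
    done
    return 1                             # wrapper is not in PATH at all
}

# Constructed layout: a foreign wrapper first, then ours, then the system one.
demo() {
    root=$(mktemp -d) || return 1
    for d in other sdk sys; do
        mkdir "$root/$d"
        printf '#!/bin/sh\n' > "$root/$d/date"
        chmod +x "$root/$d/date"
    done
    search="$root/other:$root/sdk:$root/sys"
    old=$(first_not_self "$root/sdk/date" "$search")
    new=$(next_after_self "$root/sdk/date" "$search")
    rm -rf "$root"
    printf 'old=%s new=%s\n' "${old#"$root"/}" "${new#"$root"/}"
}

demo
```

The old heuristic picks other/date, the wrapper that called us in the first place, while the reverse walk picks sys/date.
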
Fix build of xen with 64-bit time_t:
    /tmp/instance-0/output-1/build/xen-4.14.2/tools/qemu-xen/hw/input/virtio-input-host.c: In function 'virtio_input_host_handle_status':
    /tmp/instance-0/output-1/build/xen-4.14.2/tools/qemu-xen/hw/input/virtio-input-host.c:198:28: error: 'struct input_event' has no member named 'time'
      198 | if (gettimeofday(&evdev.time, NULL)) {
          | ^
Fixes:
- http://autobuild.buildroot.org/results/136ce42f44bf48d3db4eda7b1548bf7ac1b97d51
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following build failure on sparc raised since bump to version
1.77.0 in commit d39d8f7cee:
    ./boost/predef/architecture/sparc.h:37:38: error: missing ')' in expression
       37 | # if !defined(BOOST_ARCH_SPARC) && (defined(__sparcv9) || defined(__sparc_v9__)
          | ^
Fixes:
- http://autobuild.buildroot.org/results/c1f15e3a0cefb7e65e5288fb4564d59a3b06a0bd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This version bump is needed to pass the ATF test with
hardening option enabled (-fstack-protector-strong)
With the version v2.2, ATF fails due to undefined references:
    ./build/juno/release/bl2u/arm_tzc400.o: In function `arm_tzc400_setup':
    arm_tzc400.c:(.text.arm_tzc400_setup+0x10): undefined reference to `__stack_chk_guard'
    arm_tzc400.c:(.text.arm_tzc400_setup+0x18): undefined reference to `__stack_chk_guard'
    arm_tzc400.c:(.text.arm_tzc400_setup+0xb8): undefined reference to `__stack_chk_guard'
    arm_tzc400.c:(.text.arm_tzc400_setup+0xcc): undefined reference to `__stack_chk_fail'
Since commit ccac9a5bbb, Buildroot no
longer forces ENABLE_STACK_PROTECTOR. However, we rely on the ATF build
system to handle it correctly, and this wasn't the case in v2.2.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/1524842591
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
When BR2_REPRODUCIBLE is set and host-coreutils needs to be built, the
fakedate script installed to 'host/bin/date' will be overwritten by
host-coreutils.
Besides, we do not need our host-coreutils for 'date' at all; we really
rely on the host system to provide it.
Unconditionally disable installing the 'date' binary in host-coreutils.
Note that we explicitly request only ln and realpath to be installed,
but the coreutils buildsystem does not strictly obey to that, as was
already noticed in 885e6fdb8a (package/coreutils: introduce a host
variant), which added that comment above HOST_COREUTILS_CONF_OPTS:
    # Explicitly install ln and realpath, which we *are* insterested in.
    # A lot of other programs still get installed, however, but disabling
    # them does not gain much at build time, and is a loooong list that is
    # difficult to maintain...
So, we also update that comment to explain why we still anyway disable
installation of 'date'.
Signed-off-by: Conrad Ratschan <conrad.ratschan@collins.com>
[yann.morin.1998@free.fr:
- unconditionally disable installing date
- extend comment and commit log to explain why we need
--enable-no-install-program=date despite the existing
--enable-install-program=ln,realpath
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Sam Voss <sam.voss@collins.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[yann.morin.1998@free.fr:
- introduce BUSYBOX_INSTALL_TELNET_SERVICE
- move _INSTALL_INIT_SYSTEMD alphabetically between openrc and sysv
- drop the comment about Type=simple (Arnout)
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since version 2.1.3 ubihealthd can be enabled without ubifs-utils.
This also fixes usability of enabling BR2_PACKAGE_MTD_UBIHEALTHD.
BR2_PACKAGE_MTD_UBIFS_UTILS is a blind option. The only way to enable it
is to enable BR2_PACKAGE_MTD_MKFSUBIFS that selects it. ubihealthd
dependency on BR2_PACKAGE_MTD_UBIFS_UTILS makes enabling it unintuitive.
Cc: Markus Mayer <mmayer@broadcom.com>
Cc: Matt Weber <matthew.weber@collins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Build fails since bump to version 3.1.7 in commit
011f31ee24 because config.h.in is older
than aclocal.m4:
    make[1]: Entering directory '/tmp/instance-4/output-1/build/ipmiutil-3.1.7'
    (CDPATH="${ZSH_VERSION+.}:" && cd . && autoheader)
    /bin/bash: autoheader: command not found
Fixes:
- http://autobuild.buildroot.org/results/2005af881726473f2cda176e90c1e41e4baea67c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
resync the version with glibc package.
Dropped 2 patches (fixes backported from previous releases),
rebased 2 which are kept (only line numbers changed).
Suggested-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
[Arnout: resolve conflicts]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>