License hash change due to year update:
afe2280fd3
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add support for new drm(libdrm) option.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patches which are now upstream.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
sources are now hosted on github
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Even though Qt6 support using a bundled sqlite, in Buildroot, we
always prefer to use non-bundled libraries when possible.
Signed-off-by: Jesse Van Gavere <jesseevg@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update to a new major release which brings in improvements and a few
new features. Release notes:
https://webkitgtk.org/2022/09/16/webkitgtk2.38.0-released.html
This release also includes security fixes for CVE-2022-32886,
CVE-2022-32891, and CVE-2022-32912. Accompanying security advisory:
https://webkitgtk.org/security/WSA-2022-0009.html
The CMake option to build the documentation has been renamed from
ENABLE_GTK_DOC to ENABLE_DOCUMENTATION, therefore update the build
recipe accordingly. Option USE_LIBNOTIFY is no longer available, as
WebKit now uses the notification portal D-Bus API directly without
relying on libnotify. Lastly, version 2.38.0 introduces a new WebRTC
implementation based on GstWebRTC which is left disabled for now to
keep the existing status quo (WebRTC not available), and adding an
option to enable it can be done in a follow-up patch.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The patches have been used by Alpine for 5 months now and they were
posted on the Busybox mailing list mid-July with no review or comment.
According to Ariadne Conill[1] - though NVD CVSS 3.x Base Score seems to
disagree - this has a low security impact so we could probably just wait
for upstream to merge the patches or implement it the way they want.
Considering those patches have been public for 5 months and upstream
hasn't acted until now, let's take the patches from the mailing list
anyway as there's no indication the CVEs will be fixed upstream soon.
[1] https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This fixes CVE-2022-30065 by backporting a patch from the master branch.
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
NetworkManager supports compiling against either NSS or GnuTLS and in
fact upstream defaults to NSS if both are available and no choice is
specified. Providing a choice can shrink images slightly if some other
package is already pulling in NSS but GnuTLS is not otherwise required.
Since a crypto provider is required and to maintain backwards
compatibility, select GnuTLS when NSS is not selected.
In keeping with the upstream default, choose NSS when both libraries are
available.
Signed-off-by: John Keeping <john@metanate.com>
[Peter: rework to the meson equivalent]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer
over-read.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
These tools are required for debug scenarios where the debug
happens in-target.
Signed-off-by: Nuno Gonçalves <nunojpg@gmail.com>
[Arnout: install to target in case this option is selected]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
udhcpc default script can handle staticroutes but it is missing from the
default ifupdown options.
Signed-off-by: Remi Jouannet <remi.jouannet@outscale.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit af494d92d3 (utils/genrandconfig: disable libopenssl without
atomics) intorduced a code-style issue that flake8 does not like:
$ make check-flake8
utils/genrandconfig:253:8: E713 test for membership should be 'not in'
1 E713 test for membership should be 'not in'
Fixes: af494d92d3https://gitlab.com/buildroot.org/buildroot/-/jobs/3045260108
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
As explained in bug #14796, there are situations where the seccomp based
sandboxing in openssh can get confused, leading to connection issues.
As explained by Thomas in the bug report:
glibc does not care about the kernel headers when deciding whether to
try the clock_gettime64() syscall or not: it always use it, and if that
fails at runtime, it falls back to clock_gettime(). This is how glibc
ends up using clock_gettime64() even if your kernel does not support it.
On the other hand, the OpenSSL seccomp code relies on kernel headers to
decide whether the clock_gettime64() syscall should be in the allowed
list of syscalls or not.
So when you are in a situation where glibc is recent, but your kernel is
older, you get into precisely the problem you have: glibc tries to use
clock_gettime64, but OpenSSH seccomp configuration prevents that, which
does not allow glibc to gracefully fallback to clock_gettime (as seccomp
is configured to kill the process on filter violations).
As a workaround, add a _OPENSSH_SANDBOX option (defaulting to y) to
decide if sandboxing should be used or not.
--with-sandbox expects the type of sandboxing to use, and if not
specified, will use the first one available in a list: pledge, systrace,
darwin, seccomp, capsicum, rlimit. On Linux, only seccomp and rlimit are
available, and rlimit probably does not bring much security-wise, so in
all practical matters, on Linux, sandboxing uses seccomp or there is no
sandboxing, so let's just disable sandboxing when we do not want to use
seccomp, and let configure detect seccomp when we request sandboxing.
Fixes (works around) #14796
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: add § about sandboxing types]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Commit b936a95d02 (package/openssh: bump to version 9.0p1) dropped the
patch touching m4/openssh.m4, but forgot to remove autoreconf. Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libopenssl needs atomic or the build will fail (e.g. on sparcv8 without
libatomic):
${LDCMD:-/nvmedata/autobuild/instance-7/output-1/host/bin/sparc-buildroot-linux-uclibc-gcc} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O0 -g2 -g2 -L. \
-o apps/openssl apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_client.o apps/s_server.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/storeutl.o apps/ts.o apps/verify.o apps/version.o apps/x509.o \
apps/libapps.a -lssl -lcrypto -ldl
/nvmedata/autobuild/instance-7/output-1/host/lib/gcc/sparc-buildroot-linux-uclibc/10.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: ./libssl.so: undefined reference to `__atomic_fetch_sub_4'
It should be noted that openssl3 has added OPENSSL_DEV_NO_ATOMICS but
"this is intended for internal development only, to check the
refcounting is properly coded. It should never become a configuration
option, hence the name of the macro.":
503d4745a1
Atomics are not available in Buildroot if:
- architecture is 32 bit and something other than ARM or xtensa, and
- GCC < 4.8 or no threads or FLAT.
The nothreads case can theoretically happen in many different
situations, but in practice nobody disables threads. So the only
interesting case is the FLAT case. Since ARM and RISC-V 64 both have
atomics intrinsics, that leaves just m68k NOMMU as FLAT. So this is
truly a corner case.
The proper solution would be to patch GCC to also provide libatomic in
those cases.
- For nothreads, atomics are in fact not needed, so libatomic can simply
be implemented as stubs.
- For FLAT, it's probably just a matter of having a match to uclinux in
libatomic/configure.tgt.
Again, though, this happens only in such niche cases that it's not worth
working on it.
Fixes:
- http://autobuild.buildroot.org/results/bce526d538f43a541fdfbc0c9b4a7cecebbbc539
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
libexpat before 2.4.9 (which is still not released) has a use-after-free
in the doContent function in xmlparse.c.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
The conditions in the target CPU choice mostly use negative logic, i.e.
"depends on !<something>". This makes it more difficult to understand
exactly on which ARCH variants the CPU _is_ supported. Therefore, change
all of the conditions to positive logic.
Since there is no little-endian variant of the 32-bit PowerPC, the
conditions are:
!BR2_ARCH_IS_64 <==> BR2_powerpc
!BR2_powerpc64le <==> BR2_powerpc || BR2_powerpc64
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>