This minor release contains a number of fixes and improves the reliability
of the build system. Release notes:
https://wpewebkit.org/release/cog-0.8.1.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0965217c44)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package is affected by binutils bug 21464, since there is no
workaround, let's disable it.
Fixes:
http://autobuild.buildroot.net/results/3eb/3eb9f9d0f6d8274b2d19753c006bd83f7d536e3c/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4a26e01961)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In Makefiles, variables are split, filtered, and otherwise mangled on
a space as a separator. In a shell, they will also be split on TABs.
We split and filter and iterate on variables in a lot of places, and
most importantly, spaces in PATH are very seldom tested, if at all, so
a lot of packages will not be working properly in such a situation.
For example, the config.guess contains constructs that are not resilient
to a space in PATH:
PATH=$PATH:/.attbin ; export PATH
Also, our fakedate will iterate over PATH:
for P in `echo $PATH | tr ':' ' '`; do
Those are only two cases, but the first means basically all
autotools-based packages are susceptible to subtle breakage.
Furthermore, Buildroot itself does not support that the top-level or
output directories are in a path with spaces anyway.
So, instead of chasing all cases that might be potentially broken,
let's just detect the case and bail out, like we already do when PATH
contains a \n, or when it contains the current working directory.
Reported-by: Dan Raymond <draymond@foxvalley.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e36974d9e8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
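The kind of PATH sanity check the commit message above describes, written here as an added example (it is not Buildroot's own dependency-check code). The function name `check_build_path`, its messages and the sample values are assumptions made for illustration; treating an empty entry or `.` as the current working directory follows normal PATH lookup rules.

```shell
#!/bin/sh
# Added illustration; not Buildroot's dependency-check code.
# check_build_path PATH_VALUE [CWD]
# Prints one line per problem found; returns 1 if any was found, 0 otherwise.
check_build_path() {
    path_value=$1
    cwd=${2:-$(pwd)}
    rc=0
    nl='
'
    tab=$(printf '\t')

    # Whitespace: make and unquoted shell expansions split values on these.
    case $path_value in *"$nl"*)  echo "PATH contains a newline"; rc=1 ;; esac
    case $path_value in *" "*)    echo "PATH contains a space";   rc=1 ;; esac
    case $path_value in *"$tab"*) echo "PATH contains a TAB";     rc=1 ;; esac

    # Current directory: an empty entry and "." both mean "search the cwd".
    # Wrapping the value in colons lets one pattern cover the first,
    # middle and last entries alike.
    case ":$path_value:" in
        *::*|*:.:*|*":$cwd:"*|*":$cwd/:"*)
            echo "PATH contains the current working directory"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample values, not taken from a real build host.
for sample in "/usr/local/bin:/usr/bin:/bin" \
              "/opt/my tools/bin:/usr/bin" \
              "/usr/bin::/bin"; do
    printf '[%s]\n' "$sample"
    if check_build_path "$sample" /home/user/buildroot; then
        echo "ok"
    fi
done
```
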
pcre is optional not mandatory since
98ec61436c
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 754633fe8c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop Magick++-config, lettuce and ui options which are
not recognized since latest bump in commit
ca17e0c7a0 (back in 2018).
Indeed:
- Magick++-config is not used since
b025999b8a
- Experimental UI and lettuce modules have been dropped since
ccc1efdb89
Moreover, replace sconesite-image by image (broken since 2013 and
7693301fdb)
As UI and lettuce options are broken since a long time, it does not seem
useful to add entries in Config.in.legacy
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d3b818c3cf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This bugfix release solves a couple of leaks and sporadic crashes.
Release notes:
https://wpewebkit.org/release/wpebackend-fdo-1.8.1.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 252e7afb61)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package is affected by binutils bug 21464, since there is no
workaround, let's disable it.
Fixes:
http://autobuild.buildroot.net/results/908/9084cd777aefe0fa8235514c33767d8640ad7a5b/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9e71b6e2cb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The OpenRISC binutils is affected by a linker bug (binutils bug 21464)
for which no workaround exists. This causes build breakage in a number
of packages, so this commit introduces a
BR2_TOOLCHAIN_HAS_BINUTILS_BUG_21464 option to identify this bug. As
all binutils versions are affected, this option is true whenever the
configuration targets OpenRISC.
The bug was already reported and it's been recently updated:
https://sourceware.org/bugzilla/show_bug.cgi?id=21464
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 227cefef41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c994860de5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
(compiled with OpenSSL support) is vulnerable to remote OOB write attack via
connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0
and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write
attack via connection request after exhausting memory pool.
- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server
7.0 is vulnerable to remote OOB write attack via connection request after exhausting
memory pool.
See https://github.com/cesanta/mongoose/releases/tag/7.2
Signed-off-by: Pierre-Jean Texier <texier.pj2@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 20a0f60a2c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 36b8a8ba6b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://docs.docker.com/engine/release-notes/
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit eef5da1f77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security fix for CVE-2021-21334:
https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4
Other changes:
- Fix container create in CRI to prevent possible environment variable leak between containers
- Update shim server to return grpc NotFound error
- Add bounds on max oom_score_adj value for shim's AdjustOOMScore
- Update task manager to use fresh context when calling shim shutdown
- Update Docker resolver to avoid possible concurrent map access panic
- Update shim's log file open flags to avoid containerd hang on syscall open
- Fix incorrect usage calculation
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 43a766e92d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The license is BSD-2-Clause, not MIT.
Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
[yann.morin.1998@free.fr: split off into its own commit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7b5d624bb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Details: https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html
As detailed in commit 7e64a050fb, it is
difficult to utilize the upstream patches directly, so a number of
patches include changes to generated files so that we don't need to invoke
the gentpl.py script.
In addition to the security fixes, these required patches have been
backported:
f76a27996 efi: Make shim_lock GUID and protocol type public
04ae030d0 efi: Return grub_efi_status_t from grub_efi_get_variable()
ac5c93675 efi: Add a function to read EFI variables with attributes
d7e54b2e5 efi: Add secure boot detection
The following security issues are fixed:
CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted
ACPI tables when Secure Boot is enabled
CWE-184
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
GRUB2 enables the use of the command acpi even when Secure Boot is signaled by
the firmware. An attacker with local root privileges can drop a small SSDT
in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT
then gets run by the kernel and it overwrites the kernel lock down configuration
enabling the attacker to load unsigned kernel modules and kexec unsigned code.
Reported-by: Máté Kukri
*******************************************************************************
CVE-2020-25632 grub2: Use-after-free in rmmod command
CWE-416
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload
a module used as dependency without checking if any other dependent module is
still loaded. This leads to a use-after-free scenario possibly allowing an
attacker to execute arbitrary code and by-pass Secure Boot protections.
Reported-by: Chris Coulson (Canonical)
*******************************************************************************
CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize()
CWE-787
6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
grub_usb_device_initialize() is called to handle USB device initialization. It
reads out the descriptors it needs from the USB device and uses that data to
fill in some USB data structures. grub_usb_device_initialize() performs very
little bounds checking and simply assumes the USB device provides sane values.
This behavior can trigger memory corruption. If properly exploited, this would
lead to arbitrary code execution allowing the attacker to by-pass Secure Boot
mechanism.
Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive)
*******************************************************************************
CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline
CWE-121
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
grub_parser_split_cmdline() expands variable names present in the supplied
command line in to their corresponding variable contents and uses a 1kB stack
buffer for temporary storage without sufficient bounds checking. If the
function is called with a command line that references a variable with a
sufficiently large payload, it is possible to overflow the stack buffer,
corrupt the stack frame and control execution. An attacker may use this to
circumvent Secure Boot protections.
Reported-by: Chris Coulson (Canonical)
*******************************************************************************
CVE-2020-27779 grub2: The cutmem command allows privileged user to remove
memory regions when Secure Boot is enabled
CWE-285
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The GRUB2's cutmem command does not honor Secure Boot locking. This allows a
privileged attacker to remove address ranges from memory creating an
opportunity to circumvent Secure Boot protections after proper triage about
grub's memory layout.
Reported-by: Teddy Reed
*******************************************************************************
CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705
CWE-281
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro
specific flaw which made it upstream in the mentioned version.
If certificates that signed GRUB2 are installed into db, GRUB2 can be booted
directly. It will then boot any kernel without signature validation. The booted
kernel will think it was booted in Secure Boot mode and will implement lock
down, yet it could have been tampered.
This flaw only affects upstream and distributions using the shim_lock verifier.
Reported-by: Dimitri John Ledkov (Canonical)
*******************************************************************************
CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
The option parser in GRUB2 allows an attacker to write past the end of
a heap-allocated buffer by calling certain commands with a large number
of specific short forms of options.
Reported-by: Daniel Axtens (IBM)
*******************************************************************************
CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of
space required for quoting
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
There's a flaw in the GRUB2 menu rendering code: setparam_prefix() in the menu
rendering code performs a length calculation on the assumption that expressing
a quoted single quote will require 3 characters, while it actually requires
4 characters. This allows an attacker to corrupt memory by one byte for each
quote in the input.
Reported-by: Daniel Axtens (IBM)
*******************************************************************************
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1bad507220)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If PER_PACKAGE_DIRECTORIES=Y and using host-make package (because
BR2_FORCE_HOST_BUILD=Y or local make is too old) .stamp_dotconfig
target needs per-package/uboot/host/bin/host-make that doesn't
exist yet.
Add host-make into UBOOT_KCONFIG_DEPENDENCIES.
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 3cf8173e5c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
opkg-utils is a collection of bash and python scripts which require
additional commands/tools be available for the bash scripts. The full
list of dependencies that the opkg-util scripts require is:
bash
binutils
bzip2
coreutils
diffutils
findutils
grep
gzip
lz4
python3
sed
tar
xz
The Buildroot manual requires a few packages (bash, binutils, bzip2,
gzip, sed and tar) to be installed on the host system, so we need not
add those. Additionally, and even though they are not in that list,
grep and find are also required (we already make extensive use of
both everywhere, so it is as good as them being in the list).
We have a host variant for coreutils, but only for systems that do not
already have a recent-enough one, i.e. that provides 'realpath' and
'ln --relative'. opkg-utils uses neither, so can rely on the ones on the
system.
Only add dependencies on the remaining host tools: diffutils, lz4, and
xz.
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
[yann.morin.1998@free.fr:
- drop excessive dependencies,
- reword the commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9521492bd0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 819637e0e9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
opkg-utils is a package that only provides bash and python scripts.
Upon further inspection of the Makefile for the package, invoking
`make` only ever builds the manpage. The previous commit dropped the
installation of the manpage. This makes the build step unnecessary so
remove it.
Add a comment to explain the situation
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 05bf014f56)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When `make install` is run to install the opkg-utils scripts, it also
invokes building of the man page for opkg-build. The generation of the
man page requires `pod2man` executable which is a part of perl.
Since buildroot does not support man pages in the host directory,
patch the opkg-utils Makefile to separate the installation of man
pages and utility scripts.
With the options to install man pages and utils separately, only
install the opkg-utils scripts.
Signed-off-by: Ryan Barnett <ryan.barnett@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0424eee0ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Aufs has been deprecated for the purposes of Docker/containers since overlay2
became the mainline kernel module of choice.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8a99b47ec2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.15.9 (released 2021/03/10) includes security fixes to the encoding/xml
package. See the Go 1.15.9 milestone on our issue tracker for details.
go1.15.10 (released 2021/03/11) includes fixes to the compiler, the go
command, and the net/http, os, syscall, and time packages. See the Go
1.15.10 milestone on our issue tracker for details.
https://golang.org/doc/devel/release.html#go1.15.minor
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix a buffer overflow in mbedtls_mpi_sub_abs() when calculating
|A| - |B| where |B| is larger than |A| and has more limbs (so the
function should return MBEDTLS_ERR_MPI_NEGATIVE_VALUE). Only
applications calling mbedtls_mpi_sub_abs() directly are affected:
all calls inside the library were safe since this function is
only called with |A| >= |B|.
- Fix an erroneous estimation for an internal buffer in
mbedtls_pk_write_key_pem(). If MBEDTLS_MPI_MAX_SIZE is set to an odd
value the function might fail to write private RSA keys of the
largest supported size.
- Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout() when given a file descriptor that is
beyond FD_SETSIZE.
- Guard against strong local side channel attack against base64 tables
by making access to them use constant flow code.
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: fix the hash after upstream mess-up]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 694c7d3ece)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With the start-stop-daemon enabled (instead of the busybox applet),
stopping transmission emits spurious warnings:
$ /etc/init.d/S92transmission stop
Stopping bittorrent client transmission-daemon...
start-stop-daemon: warning: this system is not able to track process names
longer than 15 characters, please use --exec instead of --name.
Update our startup script to match what was done upstream 9 years ago:
https://trac.transmissionbt.com/ticket/4724
https://trac.transmissionbt.com/wiki/Scripts/initd?action=diff&version=24&old_version=23
Partially fixes:
- https://bugs.busybox.net/show_bug.cgi?id=13576
Reported-by: ingineru_de_sistem@yahoo.com
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- reword commit log
- add reference to upstream ticket and changeset
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 45d326a08c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In Buildroot, the SSP flags are passed via the wrapper, and only flags
supported by the toolchain will be used.
Add patch to remove '-fstack-protector-strong' compile flag.
Fixes:
.../aarch64-buildroot-linux-uclibc/bin/ld: runlevel.o: in function `main':
runlevel.c:(.text.startup+0x4): undefined reference to `__stack_chk_guard'
.../aarch64-buildroot-linux-uclibc/bin/ld: cannot find -lssp_nonshared
.../aarch64-buildroot-linux-uclibc/bin/ld: cannot find -lssp
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 50cbac5099)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since c043ecb20c (support/download: change format of archives
generated from svn), the svn backend uses the generic helper to
create reproducible archives.
That helper really does its job as expected, but the svn backend
is flawed in two ways:
- the first, most obvious breakage happens with versions older
than 1.9, as they do not support the '--show-item' option
for the 'info' action;
- the second is more involved, in that svn will by default
expand the old, legacy, deprecated, cumbersome CVS-style
keywords, in the form of revision marks like '$Date$' in a
C-style comment in a source file. These replacements are
done on checkout as well as on export, and they use local
settings, like the local locale and timezone.
This means that two people with different settings will get
different sources when they svn-checkout or svn-export the same
revision from the same tree...
Needless to say that this is not very reproducible...
While the first is easily solved, the second is more involved.
We need to ensure that what source is used initially to compute
the hash, will also be the source that is used to check the hash.
There are basically two solutions:
1. we ensure the same environment, by forcing the timezone and
the locale to arbitrary values
2. we disable keyword expansion
For the first solution, this still leaves the possibility that we
miss some environment settings that have an impact on the keyword
expansion. It would mean that Yann's settings be used, as he did
introduce the hash for the only svn-downloaded package we have,
avrdude, settings which are:
TZ=Europe/Paris
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_GB.UTF-8"
LC_MONETARY="fr_FR.utf8"
LC_NUMERIC="fr_FR.utf8"
The second option means that the generated archives change. That
means we'd have to bump the archive version for svn downloads, and
that we update the hashes for all the svn-downloaded packages.
We chose to go with the second option, because this is what really
makes more sense, rather than hard-coding arbitrary values in the
environment. And we also have only one svn-downloaded package,
avrdude.
And thus, we're reaching the trigger for this change: avrdude is
impacted by the CVS-keyword expansion issue:
https://svn.savannah.gnu.org/viewvc/avrdude/trunk/avrdude/atmel-docs/EDBG/common/jquery/layout/jquery.layout.js?revision=1396&view=markup
which would give two different files when checked out on different
machines:
diff -durN foo/avrdude-r1450/avrdude/atmel-docs/EDBG/common/jquery/layout/jquery.layout.js bar/avrdude-r1450/avrdude/atmel-docs/EDBG/common/jquery/layout/jquery.layout.js
--- foo/avrdude-r1450/avrdude/atmel-docs/EDBG/common/jquery/layout/jquery.layout.js 2020-09-22 09:36:45.000000000 +0200
+++ bar/avrdude-r1450/avrdude/atmel-docs/EDBG/common/jquery/layout/jquery.layout.js 2020-09-22 09:36:45.000000000 +0200
@@ -1,6 +1,6 @@
/**
* @preserve jquery.layout 1.3.0 - Release Candidate 30.51
- * $Date: 2015-11-02 22:13:28 +0100 (Mon, 02 Nov 2015) $
+ * $Date: 2015-11-02 21:13:28 +0000 (Mon, 02 Nov 2015) $
* $Rev: 303005 $
*
* Copyright (c) 2012
@@ -4718,7 +4718,7 @@
/**
* jquery.layout.state 1.0
- * $Date: 2015-11-02 22:13:28 +0100 (Mon, 02 Nov 2015) $
+ * $Date: 2015-11-02 21:13:28 +0000 (Mon, 02 Nov 2015) $
*
* Copyright (c) 2010
* Kevin Dalman (http://allpro.net)
@@ -5074,7 +5074,7 @@
/**
* jquery.layout.buttons 1.0
- * $Date: 2015-11-02 22:13:28 +0100 (Mon, 02 Nov 2015) $
+ * $Date: 2015-11-02 21:13:28 +0000 (Mon, 02 Nov 2015) $
*
* Copyright (c) 2010
* Kevin Dalman (http://allpro.net)
@@ -5356,7 +5356,7 @@
/**
* jquery.layout.browserZoom 1.0
- * $Date: 2015-11-02 22:13:28 +0100 (Mon, 02 Nov 2015) $
+ * $Date: 2015-11-02 21:13:28 +0000 (Mon, 02 Nov 2015) $
*
* Copyright (c) 2012
* Kevin Dalman (http://allpro.net)
So we also update the hash for avrdude.
Fixes:
http://autobuild.buildroot.org/results/e3b/e3b0508047f32008ebfa83c5255ec5994b6af120/ (time issue)
http://autobuild.buildroot.org/results/48e/48e78e84b425e79cdb98c16ab40247a0fa7e9676/ (keyword expansion issue)
Reported-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Cc: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit c92be85e3a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
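Why expanded keywords break hash checking, as an added example that is not part of the commit and does not call svn or reproduce Buildroot's svn download backend. The function names and the sample file are constructed for illustration; the two `$Date` strings and the `$Rev` value are the ones shown in the diff above.

```shell
#!/bin/sh
# Added illustration; it does not call svn and is not Buildroot's svn backend.

# Emit a constructed source header as svn would expand it for one of two users.
# The $Date$ strings are the two variants shown in the diff on this page.
sample_checkout() {
    case $1 in
        paris) date_kw='$Date: 2015-11-02 22:13:28 +0100 (Mon, 02 Nov 2015) $' ;;
        utc)   date_kw='$Date: 2015-11-02 21:13:28 +0000 (Mon, 02 Nov 2015) $' ;;
        *)     echo "unknown variant: $1" >&2; return 2 ;;
    esac
    printf '/**\n * constructed sample header\n * %s\n * $Rev: 303005 $\n */\n' "$date_kw"
}

# Collapse expanded keywords ("$Date: ... $") back to the unexpanded
# form ("$Date$"), which is what a tree without keyword expansion contains.
unexpand_svn_keywords() {
    sed -E 's/\$(LastChangedDate|LastChangedRevision|LastChangedBy|HeadURL|Revision|Header|Author|Date|Rev|URL|Id)(:[^$]*)?\$/$\1$/g'
}

# SHA-256 of stdin, using whichever common tool is installed.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Hash of the file as checked out with keywords expanded.
raw_hash() { sample_checkout "$1" | sha256_stdin; }

# Hash of the same file with keywords left unexpanded.
unexpanded_hash() { sample_checkout "$1" | unexpand_svn_keywords | sha256_stdin; }

# The expanded hashes differ between the two users; the unexpanded ones match.
for who in paris utc; do
    printf '%-5s expanded=%s unexpanded=%s\n' \
        "$who" "$(raw_hash "$who")" "$(unexpanded_hash "$who")"
done
```
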
The CPE variables are derived from the package upstream values, so they
must be set from the package values, not the other way around.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Christian Stewart <christian@paral.in>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 051ccfbaf1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since I'm the upstream maintainer and we use it for $DAYJOB, I'll adopt.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 9efacd4697)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SELinux support for mcelog is added by the admin/mcelog refpolicy
module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5337785981)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SELinux support for logrotate is added by the admin/logrotate refpolicy
module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bc96eb72e7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SELinux support for kismet is provided by the admin/kismet refpolicy
module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 32630e28d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SELinux support for the kexec-lite tool (which produces a kexec binary)
is added by the admin/kdump refpolicy module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dbeb81542b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SELinux support for kexec and kdump is added by the admin/kdump
refpolicy module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 44670b4f4e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SELinux support for hwloc is added by the admin/hwloc refpolicy module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0604bba22e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Dmidecode provides 4 tools, for which support for SELinux is provided by
the admin/dmidecode refpolicy module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 205f03d1b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bridge-utils's brctl tool is supported by the admin/brctl SELinux
refpolicy module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e2683207a2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The alsa-utils package adds some tools that need the proper module in
the SELinux refpolicy to work properly when SELinux is enabled on the
system.
Add support for the alsactl tool, through the use of the admin/alsa
module.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8a376df7f1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For details see [1].
[1] https://github.com/Irqbalance/irqbalance/releases/tag/v1.7.0
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit df18d209b4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since gcc version 10.x bug 60620 doesn't show anymore, so let's make it
enabled up to version 10.x excluded.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d8e6179807)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot ensures that all init-systems have a /run directory,
this should be the preferred location.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 52912b2cb0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot ensures that all init-systems have a /run directory,
this should be the preferred location.
Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9441b93ca4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a dependency on openssl upon BR2_PACKAGE_LIBOPENSSL=y to
enable some for OP-TEE embedded tests.
Building with libressl makes the optee-test test tool fail on a
certificate test; so we explicitly depend on libopenssl.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
[yann.morin.1998@free.fr:
- match the dependency to libopenssl, since that is what is used in
the condition (BR2_PACKAGE_LIBOPENSSL)
- add a blurb to explain why libopenssl is used, not the virtual
openssl
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b2821ca786)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit ca1604388a updated the checksum of
the tarball, but failed to update the one of main.c, which serves as a
license file.
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7108838386)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Disable -Werror thanks to CFG_WERROR which is available since version
3.3.0 and
5355fdb841
to fix the following build failure with optee-client 3.11.0:
/home/giuliobenetti/autobuild/run/instance-2/output-1/build/optee-client-3.11.0/libckteec/src/pkcs11_processing.c: In function 'ck_create_object':
/home/giuliobenetti/autobuild/run/instance-2/output-1/build/optee-client-3.11.0/libckteec/src/pkcs11_processing.c:22:9: error: missing initializer for field 'buffer' of 'struct serializer' [-Werror=missing-field-initializers]
struct serializer obj = { };
^
Fixes:
- http://autobuild.buildroot.org/results/a3d663adb943aee814180f01d6e153b3309be962
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6a47e70743)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-3336: DoTls13CertificateVerify in tls13.c in wolfSSL before
4.7.0 does not cease processing for certain anomalous peer behavior
(sending an ED22519, ED448, ECC, or RSA signature without the
corresponding certificate). The client side is affected because
man-in-the-middle attackers can impersonate TLS 1.3 servers.
https://github.com/wolfSSL/wolfssl/releases/tag/v4.7.0-stable
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>