Commit Graph

68002 Commits

Author SHA1 Message Date
Bernd Kuhls
b8b36712ef package/audit: fix musl build
Fixes:
http://autobuild.buildroot.net/results/a52/a52ff08c3373ffb253b89e9197671583354d1360/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 7a27b230ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-16 08:03:09 +02:00
Marcin Niestroj
c6f2655481 package/python-dbus-fast: drop python-async-timeout dependency
async-timeout dependency was dropped upstream for Python 3.11 (see [1]).

[1] 1b5c9e1cb9

Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit d39ca32388)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-16 08:00:59 +02:00
Bernd Kuhls
f629956fe6 DEVELOPERS: remove Bernd Kuhls from package/x11r7/
Remove packages which are no longer runtime-tested here.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 2aa3f61b5b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-16 00:24:41 +02:00
Bernd Kuhls
3173b77975 package/x11r7/xdriver_xf86-video-dummy: bump version to 0.4.1
Release notes:
https://lists.x.org/archives/xorg-announce/2023-May/003394.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit db45cc593e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-16 00:20:52 +02:00
Bernd Kuhls
c32b8b57eb {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.{1, 3}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 11ca48bc4b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 17:38:12 +02:00
Fabio Estevam
71eb15a51f configs/mx53loco: select BR2_TARGET_UBOOT_NEEDS_OPENSSL
Select BR2_TARGET_UBOOT_NEEDS_OPENSSL to fix the following
build error:

include/image.h:1383:12: fatal error: openssl/evp.h: No such file or directory

Reported-by: Jan-Benedict Glaw <jbglaw@lug-owl.de>
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 044c38b71d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 17:33:45 +02:00
James Hilliard
6ff5b03f93 package/python-cryptography: bump to version 39.0.2
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit adabd0b8b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 17:32:36 +02:00
Bernd Kuhls
01ae565de7 package/heimdal: Use perl module JSON:PP, part of core, instead of JSON package
Fixes:
http://autobuild.buildroot.net/results/48b/48b52d205150e30e522b40d1c7b51f339ae8b0db/

This patch ports the existing patch for the samba4 package:
https://git.busybox.net/buildroot/tree/package/samba4/0004-3rdparty-heindal-Use-perl-module-JSON-part-of-core-i.patch

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 770f097ee6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 17:12:06 +02:00
Bernd Kuhls
6b95c89a04 package/samba4: update patch 0004
Fix typo in title, add upstream URL

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 95b7465e74)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:49:37 +02:00
Bernd Kuhls
741c5b325f package/{mesa3d, mesa3d-headers}: bump version to 23.1.3
Release notes:
https://lists.freedesktop.org/archives/mesa-announce/2023-June/000723.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit dfdf613e3b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:49:19 +02:00
Bernd Kuhls
3e7f940caa package/dahdi-linux: fix build with kernel >= 6.3
Fixes:
http://autobuild.buildroot.net/results/2bb/2bb8a38b12cb3a7650162f1f7f65b56b20711d64/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 840b552746)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:48:52 +02:00
Peter Seiderer
1d030119fc package/mesa3d: fix 002-vc4-add-meson-option-to-disable-optional-neon-suppor.patch
Update 002-vc4-add-meson-option-to-disable-optional-neon-suppor.patch to
fix a syntax error introduced by commit 'package/{mesa3d, mesa3d-headers}:
bump version to 23.1.0' ([1])

Fixes:

  .../build/mesa3d-23.1.2/src/gallium/drivers/vc4/meson.build:87:76: ERROR:
  Trying to compare values of different types (UserFeatureOption, str) using !=.
  This was deprecated and undefined behavior previously and is as of 0.60.0 a hard error.

[1] https://git.buildroot.net/buildroot/commit/?id=e6203db11ed40122a2d9f29012db5683a7eb10d0

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit da19c18af2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:47:37 +02:00
Bernd Kuhls
a3726f9b5e package/fftw: bump version to 3.3.10
Release notes: http://fftw.org/release-notes.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d521d6b756)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:46:53 +02:00
Bernd Kuhls
214a6454c6 package/kodi: fix build error with flatbuffers 23.x
Fixes build error with defconfig

BR2_x86_64=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_KODI=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_IRIS=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_PYTHON3_PY_ONLY=y

caused by bumping flatbuffers to version >= 23.x in commit
3d1ee7d624

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 35b57c9e87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:45:30 +02:00
Bernd Kuhls
6e248a121c DEVELOPERS: remove José Pekkarinen
E-mails are bouncing:

<jose.pekkarinen@unikie.com>: host ASPMX.L.GOOGLE.com[74.125.133.26] said:
    550-5.1.1 The email account that you tried to reach does not exist. Please
    try 550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5206492d6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:43:39 +02:00
James Hilliard
7511b17932 package/python-requests: security bump to version 2.31.0
Fixes the following security issue:

- CVE-2023-32681: Unintended leak of Proxy-Authorization header
  https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit c94922beac)
[Peter: mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:39:14 +02:00
Florian Larysch
3a8384bc40 linux: make kconfig depend on host-make
Commit 0b9efc991f ("linux: use BR2_MAKE") switched LINUX_MAKE to
$(BR2_MAKE). However, this also implicitly sets LINUX_KCONFIG_MAKE.

Thus, when host-make is being used in a build that has
PER_PACKAGE_DIRECTORIES enabled, the dotconfig step will try to use the
make instance from the host directory, but since it is not listed in
LINUX_KCONFIG_DEPENDENCIES, it won't be available yet at that point in
time.

Add an explicit dependency to LINUX_KCONFIG_DEPENDENCIES to have it
copied over early enough.

Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 66681bd4a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:36:02 +02:00
Peter Korsgaard
5d6308d543 package/nodejs: security bump to version 16.20.0
Fixes the following security issues:

- CVE-2023-23918: Node.js Permissions policies can be bypassed via
  process.mainModule (High)

- CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto
  library (Medium)

- CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA
  environment variable (Low)

- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF
  injection in host headers (Medium)
  https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff

- CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js
  fetch API (Low)
  https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases

Update LICENSE hash after an update of the openssl license snippet:
e7ed56f501

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit a240f9da85)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:32:57 +02:00
Peter Korsgaard
4e2d157c72 package/c-ares: security bump to version 1.19.1
Fixes the following security issues:

- CVE-2023-32067: High.  0-byte UDP payload causes Denial of Service
- CVE-2023-31147 Moderate.  Insufficient randomness in generation of DNS
  query IDs
- CVE-2023-31130.  Moderate.  Buffer Underwrite in ares_inet_net_pton()
- CVE-2023-31124.  Low.  AutoTools does not set CARES_RANDOM_FILE during
  cross compilation

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 0afcfe5a48)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:32:17 +02:00
Peter Korsgaard
282d67e765 package/python-django: security bump to version 4.1.9
Fixes the following security issues:

- CVE-2023-31047: Potential bypass of validation when uploading multiple
  files using one form field

https://www.djangoproject.com/weblog/2023/may/03/security-releases/

In addition, 4.1.8 fixed a bug related to secrets rotation:
https://docs.djangoproject.com/en/4.2/releases/4.1.8/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit fa1d011a05)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:30:29 +02:00
Bernd Kuhls
b6e0520b7a package/check: switch to cmake
The autoconf-build system fails to properly detect vsnprintf

    checking for vsnprintf... yes
    checking whether vsnprintf is C99 compliant... no

which leads to a build error

    snprintf.c:495:1: error: inlining failed in call to 'always_inline'
     'rpl_vsnprintf.localalias': function not inlinable

Building with cmake fixes the problem:

-- Looking for vsnprintf
-- Looking for vsnprintf - found

The cmake build system has an option to disable checkmk, so we don't
need to remove it from target anymore.

Fixes:
http://autobuild.buildroot.net/results/e55/e5562513226de902dae642526165b1555a540144/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 6dfc789f4f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 13:29:14 +02:00
Bernd Kuhls
6e537234e4 package/hwdata: install to staging
hwdata provides a .pc file, which other packages can look up to find the
location where hwdata files are, and use them at build time.

This is the case for the upcoming libdisplay-info package, which
requires the hwdata's PNP IDs at build time.

However, installing the .pc file is not enough. Indeed, meson (which
libdisplay-info uses) will look for the corresponding data files in
datadir, which it locates relative to the sysroot, which is our staging.

So, we also need to install the hwdata files in staging.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit f36c57728a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 12:47:10 +02:00
Bernd Kuhls
f7ae6d3148 linux: fix kernel hashes
Fixes commit which added hashes for wrong files:
https://git.busybox.net/buildroot/commit/?id=88108f9793f5824fa058b878974f234ebe834325

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit d4a96ee46e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 12:37:11 +02:00
Bernd Kuhls
157ecd6d6e {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.{1, 3}.x series
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 88108f9793)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 12:34:45 +02:00
Peter Korsgaard
7737930661 package/jhead: security bump to version 3.08
Fixes the following security issue:

- CVE-2022-41751: Jhead 3.06.0.1 allows attackers to execute arbitrary OS
  commands by placing them in a JPEG filename and then using the
  regeneration -rgt50 option.

Update readme.txt hash after a minor tweak of the text:
a0eed69daa

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 39ffadd6ae)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 12:32:13 +02:00
Bernd Kuhls
748007faee package/{mesa3d, mesa3d-headers}: bump version to 23.1.2
Release notes:
https://lists.freedesktop.org/archives/mesa-announce/2023-May/000721.html
https://lists.freedesktop.org/archives/mesa-announce/2023-June/000722.html

Removed patch which is included in this version bump:
https://cgit.freedesktop.org/mesa/mesa/commit/?id=2630f4b310f534c830250be44d285e485da83869

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c3c4b6356e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 11:25:38 +02:00
Bernd Kuhls
442e7cab3a package/python3: security bump version to 3.11.4
Rebased two patches.

Changelog:
https://docs.python.org/release/3.11.4/whatsnew/changelog.html#python-3-11-4

Fixes the following security problems:

- gh-99889: Fixed a security flaw in uu.decode() that could allow for
  directory traversal based on the input if no out_file was specified.

- gh-104049: Do not expose the local on-disk location in directory
  indexes produced by http.client.SimpleHTTPRequestHandler.

- gh-102153: urllib.parse.urlsplit() now strips leading C0 control and
  space characters following the specification for URLs defined by WHATWG
  in response to CVE-2023-24329. Patch by Illia Volochii.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b7b11d7e94)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 11:24:45 +02:00
Bernd Kuhls
ba378b79b2 package/ghostscript: security bump version to 10.01.1
Switch tarball to .xz

Fixes CVE-2023-28879:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28879

Release notes:
https://ghostscript.readthedocs.io/en/latest/News.html?utm_source=ghostscript&utm_medium=website&utm_content=inline-link

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1116fd46a4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 11:23:57 +02:00
Francois Perrad
91c51b76c7 package/libgtk3: bump to version 3.24.38
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 043d0e6f6c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:53:47 +02:00
Bernd Kuhls
1dc0ad4993 package/libcap: security bump version to 2.69
Fixes
- CVE-2023-2602
  https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=bc6b36682f188020ee4770fae1d41bde5b2c97bb
- CVE-2023-2603
  https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=422bec25ae4a1ab03fd4d6f728695ed279173b18

Updated license hash due to an upstream commit which added a SPDX header:
https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=70998415a87587f31063a26a1e52c6f7806b7834

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3fc82816b4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:52:35 +02:00
Bernd Kuhls
c7613338bb {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.{1, 3}.x series
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ed4792aaec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:48:24 +02:00
Bernd Kuhls
0605f6d05d package/libxslt: bump to version 1.1.38
Release notes:
https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.38.news

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6794f14d48)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:47:35 +02:00
Bernd Kuhls
945555e7ff package/libgpg-error: bump version to 1.47
Release notes:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=blob;f=NEWS;h=9be1b714e05dbd7de7b822d9dbbd998f6bc26025;hb=a25cea92798a5ece3f49924911507f5335915ecc

Added upstream sha1 & sha256 hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 51885982ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:44:33 +02:00
Bernd Kuhls
4b8eaecbdd package/libgcrypt: bump to version 1.10.2
Release notes:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=NEWS;h=c9a239615f8070427a96688b1be40a81e59e9b8a;hb=1c5cbacf3d88dded5063e959ee68678ff7d0fa56

Added upstream sha1 & sha256 hashes.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9440d72ca9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:43:03 +02:00
Bernd Kuhls
1eee210297 package/gnupg2: bump version to 2.4.2
Added sha256 hash provided by upstream.

Release notes:
https://lists.gnupg.org/pipermail/gnupg-announce/2023q2/000479.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bfffbd7ed8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:42:07 +02:00
Bernd Kuhls
e2c274ef77 package/php: security bump version to 8.2.7
Changelog: https://www.php.net/ChangeLog-8.php#8.2.7
Release notes: https://www.php.net/releases/8_2_7.php

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit af9a5bd7bc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:37:39 +02:00
Peter Korsgaard
584d553f39 support/testing: add python-docker test
Python-docker needs a working docker setup to do anything useful, so add it
to the existing docker_compose (which tests docker and docker-compose)
rather than adding a completely new test.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0bb63c6f5a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-07-06 10:33:42 +02:00
Peter Korsgaard
d918568a15 package/python-docker: needs python-packaging after bump to 6.0.1
Commit d680db0ba7 (package/python-docker: bump to version 6.0.1) forgot
to add the new dependency on python-packaging, leading to runtime errors:

  import docker
    File "/usr/lib/python3.11/site-packages/docker/__init__.py", line 2, in <module>
    File "/usr/lib/python3.11/site-packages/docker/api/__init__.py", line 2, in <module>
    File "/usr/lib/python3.11/site-packages/docker/api/client.py", line 10, in <module>
    File "/usr/lib/python3.11/site-packages/docker/auth.py", line 7, in <module>
    File "/usr/lib/python3.11/site-packages/docker/utils/__init__.py", line 3, in <module>
    File "/usr/lib/python3.11/site-packages/docker/utils/decorators.py", line 4, in <module>
    File "/usr/lib/python3.11/site-packages/docker/utils/utils.py", line 9, in <module>
  ModuleNotFoundError: No module named 'packaging'

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1dcabece6f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-16 11:29:54 +02:00
Bernd Kuhls
6e89b38386 DEVELOPERS: Update email address for Bernd Kuhls
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8ef7b2069d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-16 11:29:20 +02:00
Bernd Kuhls
255441793c package/x11r7/xlib_libX11: security bump version to 1.8.6
Fixes CVE-2023-3138:
https://lists.x.org/archives/xorg-announce/2023-June/003406.html

Release notes:
https://lists.x.org/archives/xorg-announce/2023-June/003407.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8958557672)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-16 11:29:06 +02:00
Romain Naour
24ef678979 package/qemu: security bump to version 8.0.2
Fixes CVE-2023-0330:
A vulnerability in the lsi53c895a device affects the latest version of
qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs
like stack overflow or use-after-free.

See:
https://lists.gnu.org/archive/html/qemu-devel/2023-06/msg00221.html

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0adcc6d693)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-16 10:39:17 +02:00
Romain Naour
a319bd0e31 package/qemu: qemu systems emulation needs fdt when building for all targets
defconfig fragment to reproduce the issue:
BR2_PACKAGE_QEMU_ARCH_SUPPORTS_TARGET=y
BR2_PACKAGE_QEMU=y
BR2_PACKAGE_QEMU_SYSTEM=y

ERROR: Problem encountered: fdt not available but required by targets
       aarch64-softmmu, arm-softmmu, i386-softmmu, loongarch64-softmmu,
       microblaze-softmmu, microblazeel-softmmu, mips64el-softmmu,
       nios2-softmmu, or1k-softmmu, ppc-softmmu, ppc64-softmmu,
       riscv32-softmmu, riscv64-softmmu, rx-softmmu, x86_64-softmmu

Commit [1] selects BR2_PACKAGE_QEMU_FDT for each individual emulator target
but forgot to select it when BR2_PACKAGE_QEMU_CHOOSE_TARGETS is not set
(building for all targets).

Fixes:
http://autobuild.buildroot.org/results/e44/e444a02b899d325a9d99daed96b8cb96108383e7

[1] 44be514b21

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Carlos Santos <unixmania@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 59df3875b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-16 10:37:12 +02:00
Grzegorz Blach
023a36704f package/graphicsmagick: security bump to version 1.3.40
Fixes the following security issues:

1.3.39:
- oss-fuzz: Several security fixes originating from oss-fuzz testing.
- ALL: Replace strcpy() with strlcpy(), replace strcat() with strlcat(),
  replace sprintf() with snprintf().  Prefer using bounded string functions.
  This change is made for the purpose of increasing safety rather than to address
  any existing demonstrated concern.

1.3.40:
- DCX: Fixed heap overflow when writing more than 1023 scenes, and also
  eliminated use of uninitialized memory.

Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
[Peter: mark as security fix, extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fd3ff0761c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-16 10:34:50 +02:00
Peter Korsgaard
672efd219e package/cups: security bump to version 2.4.4
Fixes the following security issues:

- CVE-2023-32324: Heap buffer overflow in cupsd
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7

And a number of other fixes, see the release notes for details:
https://github.com/OpenPrinting/cups/releases/tag/v2.4.3

In addition, 2.4.4 fixes a segfault regression in 2.4.3:
https://github.com/OpenPrinting/cups/releases/tag/v2.4.4

Update NOTICE hash for a change in copyright years:
-Copyright © 2020-2022 by OpenPrinting
+Copyright © 2020-2023 by OpenPrinting

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 38bef5fbc8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-16 10:32:47 +02:00
Peter Korsgaard
dbb0b4274c Update for 2023.05
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-07 23:07:39 +02:00
Daniel Lang
17393a78e5 package/at-spi2-core: security bump to version 2.48.3
https://gitlab.gnome.org/GNOME/at-spi2-core/-/blob/AT_SPI2_CORE_2_48_3/NEWS

Fixes a couple of use after frees when finalizing devices.
Added systemd option to not fail if dbus-broker is detected on the host
machine.

Fixes:
- http://autobuild.buildroot.net/results/a4908a2c8cb75b602794e890fccb8dd42ef6ff41

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-07 22:24:34 +02:00
Bernd Kuhls
29e79c1f54 package/php: Fix GCC 12 -Og
Fixes:
http://autobuild.buildroot.net/results/316451459139e250ba2d0c7b554606fd97eebd9a/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-07 22:23:03 +02:00
Bernd Kuhls
62200879d4 package/libdeflate: force arm mode instead of Thumb mode
Fix the following build failure:

/tmp/ccGKQdKj.s: Assembler messages:
/tmp/ccGKQdKj.s:199: Error: invalid constant (7) after fixup
/tmp/ccGKQdKj.s:327: Error: invalid constant (0) after fixup
/tmp/ccGKQdKj.s:338: Error: invalid constant (1) after fixup
/tmp/ccGKQdKj.s:345: Error: invalid constant (20) after fixup
/tmp/ccGKQdKj.s:354: Error: invalid constant (20) after fixup
/tmp/ccGKQdKj.s:372: Error: invalid constant (20) after fixup
/tmp/ccGKQdKj.s:528: Error: invalid constant (3f) after fixup
/tmp/ccGKQdKj.s:531: Error: invalid constant (3f) after fixup
/tmp/ccGKQdKj.s:202: Error: invalid constant (20000) after fixup
/tmp/ccGKQdKj.s:482: Error: invalid constant (20000) after fixup
/tmp/ccGKQdKj.s:549: Error: invalid constant (20000) after fixup

Fixes:
http://autobuild.buildroot.net/results/0103d64a4a6a9b0a708bfb77bf1714edc7acc714/

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-07 22:20:35 +02:00
Romain Naour
a4fec34ba2 package/libjxl: requires host-cmake >= 3.19
libjxl requires cmake 3.19 since version v0.7 due to the
new behavior of cmake [1].

-- Configuring done
CMake Error at cmake/FindLCMS2.cmake:40 (add_library):
  INTERFACE_LIBRARY targets may only have whitelisted properties.  The
  property "INCLUDE_DIRECTORIES" is not allowed.
Call Stack (most recent call first):
  third_party/CMakeLists.txt:114 (find_package)

The portability issue has already been reported upstream [2].

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/4322819095

[1] afb998704e
[2] https://github.com/libjxl/libjxl/issues/1425

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-06 22:14:36 +02:00
Romain Naour
53beb8fc1a support/dependencies: introduce BR2_HOST_CMAKE_AT_LEAST
Some packages (e.g. libjxl) require a quite recent cmake version,
that is not yet available in most distributions, especially those
LTS versions.

Currently, when we bump the minimum cmake version we require, it gets
bumped for all packages, regardless of their own minimum required
version, which means that a given configuration will trigger the
build of our host-cmake even if the packages that require it are not
enabled and those that are would be content with the system-provided
cmake.

Since host-cmake can take quite some time to build, this can get a
bit annoying to pay the price of a host-cmake build that would
otherwise not be needed.

Some packages even use an alternative build system when available
since they require a more recent version of cmake than our
minimum cmake version
(wpewebkit uses Ninja: 78d499409f).

We introduce config options that packages can select to indicate
what minimal cmake version they require, and use that version as the
required minimal version required by the current configuration [0].

We would like to ensure that the currently selected minimum cmake
version is indeed lower (or equal) to the cmake version we package,
but that is not possible: dependencies.mk is parsed before we parse
packages, so we do not yet know the cmake version we have, and we
can't invert the parsing order as we need to know the required
dependencies before we parse packages (so that we can build their
dependency rules in Makefile). So we can only add comments in both
places, that refer to the other location.

[0] note that this is not yet optimal, as in such a case, host-cmake
would be in the dependency chain of all cmake-based packages, even
for those packages that do not require it. The optimum would be for
each package to gain such a dependency on an as-needed basis, but
this is by far more complex to achieve, and would only speed up
cases where a single package is built from scratch (e.g. with:
make clean; make foo), which is not worth optimising (yet?)

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-06-06 22:06:49 +02:00