Commit Graph

63571 Commits

Author SHA1 Message Date
Ricardo Martincoski
b8b6ca8bcf utils/checkpackagelib: warn about redefined config
Warn the developer in the case the same config is declared more than
once in the same Config.in file.
But take into account the conditional code that lets the config be
visible and warn only when it is declared more than once in the same
conditions.
For instance, do not warn for:
 if BR2_PACKAGE_BUSYBOX
 config BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 endif
 if !BR2_PACKAGE_BUSYBOX # kconfig doesn't support else
 config BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 endif

Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4bbda72743)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-22 17:08:43 +01:00
Ricardo Martincoski
bd8decd581 Config.in.legacy: fix typo on BR2_PACKAGE_MEDIAART_BACKEND_QT
Currently using this minimal .config:
 BR2_PACKAGE_MEDIAART_BACKEND_GDK_PIXBUF=y
triggers:
     *** Legacy options removed in 2018.05 ***
 [ ] libmediaart none backend option renamed (NEW)
 [*] libmediaart gdk-pixbuf backend option renamed
 [*] libmediaart qt backend option renamed

Commit "8553b39887 libmediaart: rename options to have proper prefix",
part of the 2018.05 release had a copy&paste error.

As stated in the beginning of the file:
 The oldest symbols will be removed again after about two years.
But while we carry these legacy symbols, let's fix the typo.

Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 316e149611)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-22 17:07:24 +01:00
Ricardo Martincoski
3d75ea9fdb package, legacy: fix typo for "daemon" on help text
deamon -> daemon

At the same time, in Config.in.legacy fix other typos in the same help text:
spae -> space
monolitic -> monolithic

Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6a9feaabbc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-22 16:57:29 +01:00
Ricardo Martincoski
7ca1305d64 *: fix typo for separate(d|) in text
seperate is a common misspelling of separate

Fix all the typos in the tree that are not related to patch files.

CHANGES
  seperate -> separate, in the list of changes
Config.in.legacy
  seperate -> separate, in option name and help texts
package/leafnode2/leafnode2.mk
  seperate -> separate, in a comment
system/Config.in
  seperated -> separated, in a help text

Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4092d2a354)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-22 16:54:57 +01:00
Arnout Vandecappelle
e6751cb90f package/yajl: explicitly request a tag in _SITE
The yajl repository has both a branch and a tag named 2.1.0. Because of
this, when we use the usual github URL [1], github doesn't return a
tarball but rather an ASCII string:
   the given path has multiple possibilities: #<Git::Ref:0x00007f193bebe4d8>, #<Git::Ref:0x00007f193bebd858>

This obviously (and fortunately) leads to a hash check failure.

To make sure we get the tag and not the branch, we should use a URL that
explicitly asks for refs/tags/2.1.0 [2]. We can't change VERSION to
include refs/tags, because that also affects the _SOURCE default, the
contents of the tarball, the CPE ID and the release-monitoring access.
Therefore, add the refs/tags/ prefix to the github helper call.

[1] https://github.com/lloyd/yajl/archive/2.1.0/yajl-2.1.0.tar.gz
[2] https://github.com/lloyd/yajl/archive/refs/tags/2.1.0/yajl-2.1.0.tar.gz

Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 5be76a39d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-22 16:51:59 +01:00
Casey Reeves
c42880d994 boot/barebox: pass required environment variables for reproducible build
Barebox makes use of the same variables as the linux kernel does for
handling reproducible build -- KBUILD_BUILD_HOST,
KBUILD_BUILD_TIMESTAMP, KBUILD_BUILD_USER. This patch sets the proper
variables based on linux/linux.mk, and passes them to the make
invocation when building, to ensure a reproducible build is possible
when BR2_REPRODUCIBLE is enabled.

Signed-off-by: Casey Reeves <casey@xogium.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c90bd74ebb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 21:48:49 +01:00
Fabrice Fontaine
02ea469db3 package/xxhash: use MOREFLAGS instead of overriding CFLAGS
Set MOREFLAGS instead of overriding CFLAGS to avoid the following build
failure raised since commit 94b66fb49c:

/home/autobuild/autobuild/instance-6/output-1/host/lib/gcc/x86_64-buildroot-linux-uclibc/11.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: /tmp/ccabb8cF.o: relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC

Fixes:
 - http://autobuild.buildroot.org/results/953133575d8c13266f1450fa545e70e4a518508d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bfef88762d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 21:47:16 +01:00
Fabrice Fontaine
11374681ba package/tmux: add utf8proc optional dependency
utf8proc is an optional dependency since version 2.3 and
6c94774b70

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 1f618aa388)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 21:44:09 +01:00
Fabrice Fontaine
3820c4b934 package/upx: security bump to version 4.0.2
Fix CVE-2023-23456: A heap-based buffer overflow issue was discovered in
UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to
cause a denial of service (abort) via a crafted file.

Fix CVE-2023-23457: A Segmentation fault was found in UPX in
PackLinuxElf64::invert_pt_dynamic() in p_lx_elf.cpp. An attacker with a
crafted input file allows invalid memory address access that could lead
to a denial of service.

https://github.com/upx/upx/blob/v4.0.2/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 02befac8f9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 21:37:22 +01:00
Fabrice Fontaine
3a425a8926 package/upx: bump to version 4.0.1
- Drop patch (already in version)
- cmake must be used since
  c7d8b6fed1
- ucl and zlib are directly included in upx since
  61e1366122

https://github.com/upx/upx/blob/v4.0.1/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1567516d89)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 21:37:19 +01:00
Fabrice Fontaine
12123bd4a5 package/modsecurity2: disable pcre
Disable pcre to avoid the following build failure if pcre-config is
found on host raised since bump to version 2.9.7 in commit
42e34cf10f:

/home/thomas/autobuild/instance-0/output-1/per-package/modsecurity2/host/bin/../lib/gcc/mips64el-buildroot-linux-gnu/11.3.0/../../../../mips64el-buildroot-linux-gnu/bin/ld: cannot find -lpcre: No such file or directory

Fixes:
 - http://autobuild.buildroot.org/results/f4864f8cc1d07e357f6e5f8302c19ae94e9cf3af

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 06af305874)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 21:34:02 +01:00
Fabrice Fontaine
f09b5bec82 package/modsecurity2: security bump to version 2.9.7
- Fix CVE-2023-24021: Incorrect handling of '\0' bytes in file uploads
  in ModSecurity before 2.9.7 may allow for Web Application Firewall
  bypasses and buffer overflows on the Web Application Firewall when
  executing rules that read the FILES_TMP_CONTENT collection.
- host-pkgconf is mandatory and used to find libxml2 since
  baa38ddbaf
- pcre2 is supported since:
  8fc0b519b7

https://github.com/SpiderLabs/ModSecurity/blob/v2.9.7/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 42e34cf10f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 21:33:58 +01:00
Fabrice Fontaine
f4aaa7f207 package/opusfile: fix CVE-2022-47021
A null pointer dereference issue was discovered in functions op_get_data
and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12 allows
attackers to cause denial of service or other unspecified impacts.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ae65870e65)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 21:32:26 +01:00
Niklas Cassel
3fe181faa9 package/elf2flt: fix error when building gdb for target on m68k
Thomas reported that m68k fails to build when enabling BR2_PACKAGE_GDB.

It fails when building gdb for the target with the following error:
elf2flt: ERROR: text=0x3c826 overlaps data=0x256e0 ?

It turns out that the gdb binary has another problematic input section
(.gcc_except_table), which causes elf2flt to try to append to the .text
output section, after it has already moved on with appending sections
to the .data output section.

elf2flt cannot append to a previous output section once it has moved on
to another output section.

Update the existing elf2flt patch to also add an exception for
.gcc_except_table.

Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Niklas Cassel <niklas.cassel@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f6f15e85b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-21 20:55:50 +01:00
André Zwing
39853c1211 DEVELOPERS: Remove openal from my list
Signed-off-by: André Zwing <nerv@dawncrow.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6c8cda8c94)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 18:06:56 +01:00
Bernd Kuhls
5f1df54d4d package/freeswitch: security bump version to 1.10.9
Release notes:
https://github.com/signalwire/freeswitch/releases/tag/v1.10.9

Upstream removed zrtp support:
https://github.com/signalwire/freeswitch/pull/1848

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 46683dd4a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:59:01 +01:00
Bernd Kuhls
fdc283c0b1 package/freeswitch: bump version to 1.10.8
Release notes:
https://github.com/signalwire/freeswitch/releases/tag/v1.10.8

Removed two patches which are included in upstream release,
renumbered remaining patch.

Removed libs/apr-util/LICENSE due to upstream removal of bundled
apr-util package.

Added fix to disable pcap detection, otherwise /usr/bin/pcap-config
can be picked-up which breaks building freeswitch.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b8230ab64)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:59:01 +01:00
Fabrice Fontaine
016b0adec1 package/freeswitch: fix build with libressl >= 3.5.0
Fix the following build failure with libressl raised since bump to
version 3.5.2 in commit 8b216927db:

crypto/hash/hmac_ossl.c: In function 'srtp_hmac_alloc':
crypto/hash/hmac_ossl.c:88:55: error: invalid application of 'sizeof' to incomplete type 'HMAC_CTX' {aka 'struct hmac_ctx_st'}
   88 |         pointer = (uint8_t *)srtp_crypto_alloc(sizeof(HMAC_CTX) +
      |                                                       ^~~~~~~~
crypto/hash/hmac_ossl.c:97:9: warning: implicit declaration of function 'HMAC_CTX_init'; did you mean 'HMAC_CTX_new'? [-Wimplicit-function-declaration]
   97 |         HMAC_CTX_init(new_hmac_ctx);
      |         ^~~~~~~~~~~~~
      |         HMAC_CTX_new
crypto/hash/hmac_ossl.c: In function 'srtp_hmac_dealloc':
crypto/hash/hmac_ossl.c:130:5: warning: implicit declaration of function 'HMAC_CTX_cleanup' [-Wimplicit-function-declaration]
  130 |     HMAC_CTX_cleanup(hmac_ctx);
      |     ^~~~~~~~~~~~~~~~
crypto/hash/hmac_ossl.c:133:40: error: invalid application of 'sizeof' to incomplete type 'HMAC_CTX' {aka 'struct hmac_ctx_st'}
  133 |     octet_string_set_to_zero(a, sizeof(HMAC_CTX) + sizeof(srtp_auth_t));
      |                                        ^~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/e696ead9ffffa5bb80928d75607bfbb9b263d3c6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e4a762bf7f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:59:00 +01:00
Bernd Kuhls
ab94614e7d package/sofia-sip: bump version to 1.13.12
Switch to github helper due to lack of upstream-provided tarball.

Needed for upcoming bump of freeswitch to version 1.10.9.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 8bb962724e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:59:00 +01:00
Bernd Kuhls
a206365859 package/sofia-sip: bump version to 1.13.9
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6c33056fff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:59:00 +01:00
Bernd Kuhls
a3bc915b74 package/libks: bump version to 1.8.2
Needed for upcoming bump of freeswitch to version 1.10.9.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6e09e7987b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:59:00 +01:00
Fabrice Fontaine
2461817ad6 package/libks: disable tests
Disables tests to avoid the following build failure with
BR2_SHARED_STATIC_LIBS:

[ 42%] Linking C executable teststring
../libks.so.1: undefined reference to `dlsym'

Fixes:
 - http://autobuild.buildroot.org/results/e61a683928795402375165adf686687f3305e0c2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 267e39413e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:59:00 +01:00
Bernd Kuhls
a1a765f815 package/libks: bump version to 1.8.0
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 065750ee0c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:59:00 +01:00
Sergey Organov
f7d8ba50f6 package/openvpn: get rid of -e in S60openvpn shebang
The -e switch makes the script terminate on error from
start-stop-daemon, rendering unreachable the code that checks the exit
status.

There is no need for the -e switch in the first place either, as the
script takes care of error handling.

Signed-off-by: Sergey Organov <sorganov@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 28ca1da234)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:16:17 +01:00
Peter Korsgaard
b712193b42 {linux, linux-headers}: bump 4.{14, 19}.x / 5.{4, 10, 15}.x / 6.1.x series
4.9.x / 6.0.x is now EOL.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit def789059a)
[Peter: drop 6.1.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 17:14:56 +01:00
Fabrice Fontaine
ef65baf8e2 package/vim: security bump to version 9.0.1260
- Fix CVE-2023-0049, CVE-2023-0051, CVE-2023-0054 and CVE-2023-0288
- Update hash of README.txt: typo fixed by
  f1dcd14fc5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 98f8ddbc74)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 16:32:16 +01:00
Fabrice Fontaine
782f193f0f package/c-ares: security bump to version 1.19.0
Low. Stack overflow in ares_set_sortlist() which is used during c-ares
initialization and typically provided by an administrator and not an end
user.

https://c-ares.org/changelog.html#1_19_0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 121a9d3649)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 16:32:10 +01:00
Peter Korsgaard
a74860f35d package/sdl2: backport upstream security fix for CVE-2022-4743
Fixes the following security vulnerability:

CVE-2022-4743: A potential memory leak issue was discovered in SDL2 in
GLES_CreateTexture() function in SDL_render_gles.c.  The vulnerability
allows an attacker to cause a denial of service attack.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 15:19:25 +01:00
Bernd Kuhls
a5240ca499 package/kodi: fix riscv build
Fixes build error not yet found by autobuilders

-- System type: Linux
CMake Error at cmake/scripts/linux/ArchSetup.cmake:42 (message):
  Unknown CPU: riscv32

using this defconfig:

BR2_riscv=y
BR2_RISCV_32=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_KODI=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_PYTHON3_PY_ONLY=y

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 39886a434a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 15:01:17 +01:00
Bernd Kuhls
873c996fc8 package/kodi: fix openrisc build
Fixes build error not yet found by autobuilders

-- System type: Linux
CMake Error at cmake/scripts/linux/ArchSetup.cmake:42 (message):
  Unknown CPU: or1k

with this defconfig:

BR2_or1k=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_OPENRISC_UCLIBC_STABLE=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_KODI=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_PYTHON3_PY_ONLY=y

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 86fac589fb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 15:01:04 +01:00
Bernd Kuhls
198e35ddab package/kodi: fix armv5 build
Disable neon support when not available.

Fixes build error not yet found by autobuilders

/tmp/cc8LvPwi.s: Assembler messages:
/tmp/cc8LvPwi.s:28: Error: selected processor does not support `vldmia r1,{ q4-q7 }' in ARM mode
/tmp/cc8LvPwi.s:29: Error: selected processor does not support `vldmia r0,{ q8-q11 }' in ARM mode
/tmp/cc8LvPwi.s:30: Error: selected processor does not support `vmul.f32 q0,q8,d8[0]' in ARM mode
/tmp/cc8LvPwi.s:31: Error: selected processor does not support `vmul.f32 q1,q8,d10[0]' in ARM mode
/tmp/cc8LvPwi.s:32: Error: selected processor does not support `vmul.f32 q2,q8,d12[0]' in ARM mode
/tmp/cc8LvPwi.s:33: Error: selected processor does not support `vmul.f32 q3,q8,d14[0]' in ARM mode
/tmp/cc8LvPwi.s:34: Error: selected processor does not support `vmla.f32 q0,q9,d8[1]' in ARM mode
/tmp/cc8LvPwi.s:35: Error: selected processor does not support `vmla.f32 q1,q9,d10[1]' in ARM mode
/tmp/cc8LvPwi.s:36: Error: selected processor does not support `vmla.f32 q2,q9,d12[1]' in ARM mode
/tmp/cc8LvPwi.s:37: Error: selected processor does not support `vmla.f32 q3,q9,d14[1]' in ARM mode
/tmp/cc8LvPwi.s:38: Error: selected processor does not support `vmla.f32 q0,q10,d9[0]' in ARM mode
/tmp/cc8LvPwi.s:39: Error: selected processor does not support `vmla.f32 q1,q10,d11[0]' in ARM mode
/tmp/cc8LvPwi.s:40: Error: selected processor does not support `vmla.f32 q2,q10,d13[0]' in ARM mode
/tmp/cc8LvPwi.s:41: Error: selected processor does not support `vmla.f32 q3,q10,d15[0]' in ARM mode
/tmp/cc8LvPwi.s:42: Error: selected processor does not support `vmla.f32 q0,q11,d9[1]' in ARM mode
/tmp/cc8LvPwi.s:43: Error: selected processor does not support `vmla.f32 q1,q11,d11[1]' in ARM mode
/tmp/cc8LvPwi.s:44: Error: selected processor does not support `vmla.f32 q2,q11,d13[1]' in ARM mode
/tmp/cc8LvPwi.s:45: Error: selected processor does not support `vmla.f32 q3,q11,d15[1]' in ARM mode
/tmp/cc8LvPwi.s:46: Error: selected processor does not support `vstmia r0,{ q0-q3 }' in ARM mode

with this defconfig:

BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV5_EABI_UCLIBC_STABLE=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_KODI=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_PYTHON3_PY_ONLY=y

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2952832a40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-14 13:59:49 +01:00
Fabrice Fontaine
399ca20e6b package/lxc: fix CVE-2022-47952
lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may
allow local users to infer whether any file exists, even within a
protected directory tree, because "Failed to open" often indicates that
a file does not exist, whereas "does not refer to a network namespace
path" often indicates that a file exists. NOTE: this is different from
CVE-2018-6556 because the CVE-2018-6556 fix design was based on the
premise that "we will report back to the user that the open() failed but
the user has no way of knowing why it failed"; however, in many
realistic cases, there are no plausible reasons for failing except that
the file does not exist.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-06 22:42:59 +01:00
Fabrice Fontaine
c2284f82ec package/python-future: security bump to version 0.18.3
Fix CVE-2022-40899: An issue discovered in Python Charmers Future 0.18.2
and earlier allows remote attackers to cause a denial of service via
crafted Set-Cookie header from malicious web server.

https://github.com/PythonCharmers/python-future/releases/tag/v0.18.3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 51eb81ddcf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-06 00:01:29 +01:00
Nicolas Cavallari
66cec4d25c package/libgit2: security bump to 1.5.1
Fixes CVE-2023-22742: when compiled with BR2_PACKAGE_LIBSSH2,
libgit2 fails to verify SSH keys by default.

https://github.com/libgit2/libgit2/blob/v1.5.1/docs/changelog.md

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cc47da516c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 18:08:47 +01:00
Nicolas Cavallari
3a7e02bdfd package/libgit2: bump to 1.5.0
It includes an option to build a command line program that can be used
to replace git in simple cases.

The upcoming sha256 repository support made them steal the sha256 code
from RFC6234, hence the license change.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7c8e34f4d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 18:08:39 +01:00
Nicolas Cavallari
6b1a7b69ab package/libgit2: link with -latomic if needed
libgit2 is currently a library without any reverse dependencies so the
missing atomic symbols do not cause build failures yet.

libgit2 uses the atomics intrinsics on gcc >= 4.7 and the sync
intrinsics on previous gcc versions.  Since gcc 4.9 is the new
minimum, ignore the sync intrinsics requirements.

The next version of libgit2 will also build a binary, which will
expose the problem.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e992a3e771)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 18:08:31 +01:00
Nicolas Cavallari
89c63ae872 package/libgit2: bump version to 1.4.3
git added restrictions on config files to fix CVE-2022-24765.  libgit2
adopted these changes for compatibility reasons, even if the vuln is
not exploitable in libgit2.

https://github.com/libgit2/libgit2/releases/tag/v1.4.3

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 01ee7f84fb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 18:08:25 +01:00
Nicolas Cavallari
0683331971 package/libgit2: bump version to 1.4.2
Licence changes mostly concern vendored dependencies (that buildroot does
not use) and a new bundled PRNG used to reimplement mkstemp() - added
CC0 license for that.

Some buildsystem options also changed:
- THREADSAFE is now USE_THREADS
- BUILD_CLAR is now BUILD_TESTS, which the cmake infra already gives.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ba8c268e00)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 18:08:19 +01:00
Joachim Wiberg
3909dfbb81 package/ssdp-responder: fix misspelled define directive
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6e0ba6bfc2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 13:30:51 +01:00
Peter Korsgaard
70485003c5 package/git: security bump to version 2.31.6
Fixes the following security issues:

 * CVE-2022-41903:

   git log has the ability to display commits using an arbitrary
   format with its --format specifiers. This functionality is also
   exposed to git archive via the export-subst gitattribute.

   When processing the padding operators (e.g., %<(, %<|(, %>(,
   %>>(, or %><( ), an integer overflow can occur in
   pretty.c::format_and_pad_commit() where a size_t is improperly
   stored as an int, and then added as an offset to a subsequent
   memcpy() call.

   This overflow can be triggered directly by a user running a
   command which invokes the commit formatting machinery (e.g., git
   log --format=...). It may also be triggered indirectly through
   git archive via the export-subst mechanism, which expands format
   specifiers inside of files within the repository during a git
   archive.

   This integer overflow can result in arbitrary heap writes, which
   may result in remote code execution.

 * CVE-2022-23521:

    gitattributes are a mechanism to allow defining attributes for
    paths. These attributes can be defined by adding a `.gitattributes`
    file to the repository, which contains a set of file patterns and
    the attributes that should be set for paths matching this pattern.

    When parsing gitattributes, multiple integer overflows can occur
    when there is a huge number of path patterns, a huge number of
    attributes for a single pattern, or when the declared attribute
    names are huge.

    These overflows can be triggered via a crafted `.gitattributes` file
    that may be part of the commit history. Git silently splits lines
    longer than 2KB when parsing gitattributes from a file, but not when
    parsing them from the index. Consequentially, the failure mode
    depends on whether the file exists in the working tree, the index or
    both.

    This integer overflow can result in arbitrary heap reads and writes,
    which may result in remote code execution.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 13:04:18 +01:00
Bernd Kuhls
fe8c4143f7 package/x11r7/xlib_libXpm: security bump version to 3.5.15
Release notes:
https://lists.x.org/archives/xorg-announce/2023-January/003313.html

Fixes CVE-2022-4883, CVE-2022-44617 & CVE-2022-46285:
https://lists.x.org/archives/xorg-announce/2023-January/003312.html

Updated license hash due to upstream commit:
501494c6c6

Added configure option to disable compressed pixmaps support:
4841039e53

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a0dfd717f3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 11:48:58 +01:00
Bernd Kuhls
c9c714a24a package/x11r7/xlib_libXpm: bump version to 3.5.14
https://lists.x.org/archives/xorg-announce/2022-November/003261.html
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7d2fff7804)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-02-05 11:48:52 +01:00
Yair Ben-Avraham
b299ee5f40 package/sudo: security bump to version 1.9.12p2
Fix https://nvd.nist.gov/vuln/detail/CVE-2023-22809

Signed-off-by: Yair Ben-Avraham <yairba@protonmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 51e98499ff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-29 22:29:35 +01:00
Francois Perrad
e2914938c9 package/sudo: bump to version 1.9.12p1
remove merged patch

diff LICENSE.md
-    Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
+    Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler
-    Copyright (c) 2008-2018, Dave Benson and the protobuf-c authors.
+    Copyright (c) 2008-2022, Dave Benson and the protobuf-c authors.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f095f5a8be)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-29 22:29:26 +01:00
Fabrice Fontaine
677fbb43b7 package/sudo: bump to version 1.9.11p2
License file renamed and year updated with
0ed92e6165
d02ba52fa4

https://www.sudo.ws/releases/stable/#1.9.11p2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9b7f8da96b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-29 22:29:08 +01:00
Bernd Kuhls
080ad9aeda package/apache: security bump version to 2.4.55
Release notes:
https://lists.apache.org/thread/xlp3od60fjl8nl44z4f56y0lhs7pglos

Fixes CVE-2006-20001, CVE-2022-36760, CVE-2022-37436:
https://httpd.apache.org/security/vulnerabilities_24.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 60d8585570)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-29 22:26:50 +01:00
Fabrice Fontaine
72c06e1764 package/xxhash: set XXH_NO_INLINE_HINTS
Set XXH_NO_INLINE_HINTS to mark all internal functions as static,
giving the compiler full control on whether to inline or not. This will
fix the following build failure raised since bump to version 0.8.1 in
commit 5dbdb2535c:

In file included from xxhash.c:43:
In function 'XXH3_accumulate',
    inlined from 'XXH3_hashLong_internal_loop' at xxhash.h:4390:9,
    inlined from 'XXH3_hashLong_64b_internal' at xxhash.h:4453:5,
    inlined from 'XXH3_hashLong_64b_withSecret' at xxhash.h:4473:12,
    inlined from 'XXH3_64bits_internal' at xxhash.h:4554:12,
    inlined from 'XXH3_64bits_withSecret' at xxhash.h:4570:12:
xxhash.h:4196:1: error: inlining failed in call to 'always_inline' 'XXH3_accumulate_512_scalar': function not considered for inlining
 4196 | XXH3_accumulate_512_scalar(void* XXH_RESTRICT acc,
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/f2c52238df97cc4c13117d8dc1423235231a094c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 94b66fb49c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-29 22:02:50 +01:00
Peter Korsgaard
ae835e094f Update for 2022.02.9
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-18 11:44:24 +01:00
Casey Reeves
e18846284c fs/erofs: enable support for reproducible build
By default, mkfs.erofs will use the current date to set some metadata
in the filesystem it generates, and will also generate a random UUID
for that filesystem. This is not reproducible.

When BR2_REPRODUCIBLE is selected, set the filesystem timestamps to
$SOURCE_DATE_EPOCH, and the filesystem UUID to the nil uuid (as good
as any other arbitrary one).

Signed-off-by: Casey Reeves <casey@xogium.me>
[yann.morin.1998@free.fr:
  - one multi-line assignment, not two
  - slightly rephrase the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ac5ecaf868)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-17 10:26:11 +01:00
Peter Korsgaard
a6a0b2c08f package/go: explicitly set GOMODCACHE
go mod vendor caches downloaded modules to the Go module cache, which
defaults to $GOPATH/pkg/mod - but can be overridden with the GOMODCACHE
environment variable:

https://go.dev/ref/mod#module-cache

So explicitly set GOMODCACHE= for reproducibility.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 162f656884)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2023-01-17 10:24:36 +01:00