CVE-2017-15873: Integer overflow in decompress_bunzip2.c leads to a read
access violation
CVE-2017-15874: Integer overflow in decompress_unlzma.c leads to a read
access violation
Cc: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The QT5TOOLS_SOURCE variable uses mismatch QT5BASE_VERSION variable.
This commit fixes the typo by using the appropriate QT5TOOLS_VERSION
variable.
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Qt Enginio has been bumped to 1.6.3 with Qt 5.6.3.
This new version follows the Qt release number and has only one change
since 1.6.2[1].
[1]: e447818458
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The QT53D_SOURCE variable uses mismatch QT5SVG_VERSION variable.
This commit fixes the typo by using the appropriate QT53D_VERSION
variable.
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
CVE-2017-8872: An attackers can cause a denial of service (buffer
over-read) or information disclosure.
Patch from the upstream bug tracker.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
from https://www.postgresql.org/about/news/1829/
[1] CVE-2018-1052: Fix the processing of partition keys containing multiple
expressions
[2] CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are
non-world-readable
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This fixes the following check-package warning:
./package/rust-bin/rust-bin.mk:27: expected indent with tabs
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues according to NEWS:
CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
to the allocation of too much memory. (This is not a security bug per se,
it is mentioned here only because of the CVE assignment.) Reported by
Qualys.
CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation of
the number of search path components. (This is not a security vulnerability
per se because no trust boundary is crossed if the fix for CVE-2017-1000366
has been applied, but it is mentioned here only because of the CVE
assignment.) Reported by Qualys.
CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
for AT_SECURE or SUID binaries could be used to load libraries from the
current directory.
CVE-2018-1000001: Buffer underflow in realpath function when getcwd function
succeeds without returning an absolute path due to unexpected behaviour of
the Linux kernel getcwd syscall. Reported by halfdog.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Make the detection of libnuma in the configure script consistent when
the numactl package is enabled.
ltp-testsuite does not currently take explicit enable/disable for
libnuma, so none are used. The next ltp-testsuite version will add these
options.
Cc: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes CVE-2017-15107: An attacker can craft an NSEC which wrongly proves
non-existence.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When generating a random configuration, also check the host
dependencies for that configuration and error out if it fails.
This is mainly intended for the autobuilders, so they don't try to
build a configuration for which the necessary host packages are not
installed.
Instead of erroring out, we could also generate a different random
config. However:
- When called for the autobuilders, the autobuild-run script will
anyway just attempt another build. The only difference is that a
warning will be printed in this autobuild log now. This warning
is in fact quite useful to hint that the autobuilder could benefit
from intalling this additional host package.
- When called manually, the user may in fact want to install the
missing host package and continue with the saved random config.
Fixes:
http://autobuild.buildroot.net/results/d7c/d7c12e873a71fef1e0b5e19cfad45024050614e1http://autobuild.buildroot.net/results/a0a/a0a105c1ec2d0517112b02932a85831d4b597b9fhttp://autobuild.buildroot.net/results/96c/96cc6cedc64c777e993671204809599a1498472a
and many others...
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
CVE-2017-10790: NULL pointer dereference and crash when reading crafted
input
CVE-2018-6003: Stack exhaustion due to indefinite recursion during BER
decoding
Add license files hashes.
Cc: Stefan Fröberg <stefan.froberg@petroprogram.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Some packages build C++ 32bits host-tools and need the g++-multilib to
be installed on the build machine. As example, qt5webengine builds a C++
host-tool when target is 32bits.
Add the check for g++-multilib to the dependencies script; and update
the Dockerfile to install g++-multilib package.
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The current version of lightning doesn't build with recent versions of
binutils. Since this has been fixed upstream in a dot release, let's
bump to the upstream version that has the fix.
While at it, add a hash for the license file.
Fixes:
http://autobuild.buildroot.net/results/51424c044e11b89544824dbdf1af45b05b499ba4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes [1]:
keytable.c: In function 'test_event':
keytable.c:1351:12: error: 'EVIOCSCLOCKID' undeclared (first use in this function)
ioctl(fd, EVIOCSCLOCKID, &mode);
[1] http://autobuild.buildroot.net/results/8ba380471423bd2491e40103d7b1a45de1bd12ed
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To test the support for the Rust language, the following tests are added:
- building Rust compiler and Cargo from source.
- installing a pre-built Rust compiler and building Cargo from source.
For each test, a Rust test program is built and installed in the root file
system of a ARM vexpress QEMU system. The test is declared OK if the program can
be run properly from the test system.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add instructions for adding a package which uses Cargo as build system.
[Peter: fix indentation]
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This new package provides Cargo, the Rust official package manager.
Cargo is written in Rust and uses Cargo as its build system. It also
depends on other Rust packages.
Normally, a previously installed version of Cargo would be used to:
1. Fetch the dependencies.
2. Build the new version of Cargo, using the available Rust compiler.
But the fetching step prevents offline builds. So instead two features
of Cargo are leveraged: vendoring [1] and local registry.
First, a tarball of the build dependencies generated using `cargo
vendor` is fetched along with Cargo source code.
Then, the build process is as follows:
1. The tarball of the build dependencies is uncompressed in a local
registry.
2. A snapshot of Cargo, provided by cargo-bin, builds the final
version of Cargo.
3. A configuration file telling Cargo how to cross-compile programs for
the target is generated and installed.
Currently, only the host variant is provided.
[1] https://github.com/alexcrichton/cargo-vendor
[Peter: use src.fedoraproject.org, fix comment]
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Allow build of host variant of libhttpparser.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Allow build of host variant of libssh2, which depends on host-openssl.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This new package provides rustc, the compiler for the Rust programming
language, built from source.
Currently, only the host variant is built.
The Rust compiler uses LLVM as its backend: a copy of LLVM source code
is provided and CMake is used to build it. It is possible to use a
pre-built external copy. When LLVM/clang will be available in Buildroot,
it would be possible to benefit from this feature and thus decrease
build time.
LLVM is configured to generate code for x86, ARM, PowerPC and MIPS
architectures.
The Rust compiler uses Cargo as its build system and is written in Rust.
Therefore this package depends on cargo-bin and rust-bin.
The internal build process is as follows:
1. stage0 compiler, provided by rust-bin, is used to build stage1
compiler.
2. stage1 compiler builds the final Rust compiler (stage2 compiler)
and the standard library for the host architecture.
3. the standard library for the target architecture is built.
The target architecture to support is given by the GNU/LLVM target
triple. Rust supports some predefined targets [1]. As the build system
expects the triple to be in the form of <arch>-unknown-<system> and
Buildroot toolchain wrapper uses <arch>-buildroot-<system>, the package
Makefile uses $(RUST_TARGET_NAME) defined in the rustc package and uses
it instead of $(GNU_TARGET_NAME).
When compiling Rust code with this compiler, the generated program only
depends on the target C library, as it is statically linked to the Rust
standard library and any other code from Rust packages (a.k.a.
"crates").
If the jemalloc package is selected, support for this memory allocator
will be enabled in the target standard library.
The menuconfig entry for rustc is also updated to expose this provider.
[1] https://forge.rust-lang.org/platform-support.html
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This new package fetches a binary version of Cargo, suitable to
bootstrap the host variants of the Rust compiler and Cargo, the package
manager.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package provides a pre-built version of rustc, the compiler for the
Rust programming language, fetched from the upstream project.
A pre-built version of the standard library for the host as well as one
for the chosen target are also fetched and installed.
Only the host variant is provided to allow the user to cross-compile
Rust programs and run them on the target.
This package could also be used to provide a bootstrap compiler when building
Rust from source. So, in order to add it as a build dependency, the compiler and
standard libraries are only installed in $(HOST_DIR) if the package is
explicitly selected.
The menuconfig entry for rustc is also updated to expose this provider.
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The compiler for the Rust programming language is called rustc.
There is only one reference implementation for it, based on LLVM, from
the Rust project [1]. It can generate code for various architectures so
it can be labeled as a cross-compiler. But, as for GCC, building it
from source takes time.
So it would be sensible to have at least one package which provides it
as a pre-built version, fetched from the upstream project. Later another
package can be added, to build it from source code.
In addition to the compiler, the standard library for the host and/or
the target should also be fetched/built.
So, add a virtual package named rustc to enable support for multiple
providers.
Currently, only the host variant will be available to allow the user to
cross-compile Rust programs for the target.
[1] http://rust-lang.org
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Configure summary without this patch and without alsa-lib built before:
Extra tools required for testing and examples :
[...]
Have ALSA : ................... no
and with this patch
Extra tools required for testing and examples :
[...]
Have ALSA : ................... yes
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump U-Boot to 2018.01 version and kernel to 4.15.1.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As pointed out by Joel Stanley:
https://patchwork.ozlabs.org/patch/863011/
Github now longer provides the exact same tarball for the or1k musl-5.4.0
tarball, breaking the build. Even more, musl-5.4.0 is the name of a git
branch, not a tag.
Fix both problems by changing to the or1k-musl-5.4.0-20170218 tag, which
points to the exact same git commit.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Tested-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 233202597d, which
causes a lot of build failures. Part of the Python build process tries
to use os.replace(), which is only available since Python 3.3. It
should work if the host-python being built was used, but unfortunately
the system Python ends up being used, causing the build failure.
Fixes:
http://autobuild.buildroot.net/results/ed95a7ded6bd6c17bd0820b3a96862487b71eb2b/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Upstream changed to URL of the source tarball and removed SHA1SUMS.
Added license hash.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently, we refer to the latest version of the image, which means we
can't guarantee any reproducibility. Also, it measn we can't have a
separate images for the maintenance branches (especially the LTS) and
master.
Update the comment in the Dockerfile to create and push tagged images.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since we're now using a specific base image tag, we need to also use a
specific, stable repository to get additional packages from for this
image.
As such, use the Debian snapshot that matches the base image.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, we are using debian:stable, which is subject to change with
time, as new stable versions of Debian are released/updated.
Use the latest tagged stable release, stretch-20171210 as of today, as
the base distribution to use.
This will ease reproducible builds in the future.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>