Fixes the following security issue:
ZDI-CAN-22300: Heap-based buffer overflow in the AV1 codec parser when
handling certain malformed streams before GStreamer 1.22.8
https://gstreamer.freedesktop.org/security/sa-2023-0011.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
With upstream commit [1] (since version v0.1.0) the pipeline option 'raspberrypi'
was renamed to 'rpi/vc4'.
Change the buildroot option name from BR2_PACKAGE_LIBCAMERA_PIPELINE_RASPBERRYPI
to BR2_PACKAGE_LIBCAMERA_PIPELINE_RPI_VC4 (and add Config.in.legacy entry
accordingly) and move handling in Config.in/libcamera.mk to follow alphabetic
ordering.
Fixes:
    .../build/libcamera-v0.1.0/meson.build:3:0: ERROR: Options "raspberrypi" are not in allowed choices: "all, auto, imx8-isi, ipu3, rkisp1, rpi/vc4, simple, uvcvideo, vimc"
[1] https://git.libcamera.org/libcamera/libcamera.git/commit/?id=726e9274ea95fa46352556d340c5793a8da51fcd
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This reverts commit c9645fd29b.
Building libcamera-apps 1.3.0 with current libcamera 0.1.0 fails because
some of the symbols like controls::AeFlickerMode are not recognized.
According to my research, they have been introduced after libcamera 0.1.0
but there is no release version of libcamera newer than 0.1.0 available
to which we could bump.
Signed-off-by: Sebastian Bauer <mail@sebastianbauer.info>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit adds a libsoup patch that fixes the build with libxml2
2.12, only due to a missing header inclusion. The patch cannot be
submitted upstream as libsoup2 is unmaintained, and libsoup3 no longer
has the problematic XMLRPC code.
Fixes:
http://autobuild.buildroot.net/results/4c3152720d64b204101e1611442e535b14adc41c/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
After adding GDB 14.x and making GDB 13.x the new default, let's drop
support for GDB 11.x.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Following the addition of GDB 14.x, let's make GDB 13.x the default.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
All patches are still relevant, and have been rebased on top of GDB
14.1.
GDB 14.1 now needs mpfr unconditionally, so it is added as a
dependency of host-gdb, and of gdb when the full debugger is built.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
- add comment about selecting mpfr for 14.x or later
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
A few package or config removals have been introduced after the 2023.11
release, but their entries were still added to the list of options
removed in 2023.11.
The affected commits are:
    64a5831679 package/libmpd: remove package
    f93380ab1a package/gmpc: remove package
    6d8c7aecbb package/flickcurl: remove package
    f6acde11ab package/onevpl: rename package to libvpl
    fffb245f66 package/linux-headers: drop 6.5.x option
Introduce the 2024.02 section and move the 2023.11 one to where it
belongs.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Since GDB 13.x and upstream commit
b686ecb5b10be9a33ab8f1bfdcff22eef920d1a5 ("gdb: link executables with
libtool"), gdb will be linked against the shared variants of libbfd
and libopcodes if they exist. However, this causes host gdb and target
gdb to not work, because our gdb package does not install libbfd and
libopcodes (to not clash with the ones potentially installed by
binutils).
In order to get around this, this commit proposes to get back to the
situation we had before GDB 13.x: libbfd and libopcodes are only
compiled as static libraries, so that they are linked directly inside
the gdb binary, avoiding the problem entirely.
This resolves:
    # gdb --version
    gdb: error while loading shared libraries: libopcodes-2.39.50.so: cannot open shared object file: No such file or directory
for target gdb, and:
    $ ./host/bin/arm-linux-gdb --version
    ./host/bin/arm-linux-gdb: error while loading shared libraries: libopcodes-2.39.50.so: cannot open shared object file: No such file or directory
for host gdb.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
libsoup3 is supported since
c3455def2e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Use official tarball and so drop autoreconf
- Fix CVE-2023-6935, CVE-2023-6936 and CVE-2023-6937
https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
readline is not a dependency since bump to version 0.15.0 in commit
cbd06adac5 and
978b503840
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
According to
https://lists.x.org/archives/xorg-announce/2023-December/003437.html:
This release contains the fixes for CVE-2023-6377 and CVE-2023-6478
in today's security advisory:
https://lists.x.org/archives/xorg-announce/2023-December/003435.html
The release has only 10 commits compared to 23.2.2, all of which being
fixes, two of them being the security fixes. So it seems like bumping
the version is a reasonable trade-off vs. backporting the security
fixes.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Following the removal of gmpc, we can drop libmpd as well, which was
apparently developed/maintained by the same group of people. The URL
in Config.in, http://gmpcwiki.sarine.nl/index.php?title=Libmpd, no
longer works, and no new alternative upstream was found.
The reference MPD client library is libmpdclient, which is still
maintained.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This package is unmaintained upstream:
- The URL in our Config.in,
  http://gmpcwiki.sarine.nl/index.php?title=GMPC, no longer works
- https://github.com/DaveDavenport/gmpc says it's unmaintained
- The official list of MPD clients at
  https://www.musicpd.org/clients/ says it's maintained, and points at
  http://gmpclient.org/, which is no longer owned by the developers of
  GMPC.
- It still uses libsoup (2) which we want to get rid of at some
  point.
- It was added by Gustavo Zacarias, and no version bump occurred
  since 2011.
So let's kill this package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Upstream in release 20231222 shipped a self-generated iputils-20231222.tar.gz,
which is signed and thus has a different checksum than the "Source code (tar.gz)"
generated by github. Therefore a different URL needs to be used to get the
correct checksum.
Fixes:
http://autobuild.buildroot.net/results/e9b39e142d5f56bf589253a10ed4722dbbda375c
Fixes: 32da4422f9 ("package/iputils: bump version to 20231222")
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
- Drop patches (already in version) and so drop autoreconf
- Fix the following security issues:
  - CVE-2023-40660: Fix Potential PIN bypass
  - CVE-2023-40661: Important dynamic analyzers reports
  - CVE-2023-4535: Out-of-bounds read in MyEID driver handling
    encryption using symmetric keys
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
A couple of bug fixes, including the following CVEs:
- CVE-2023-49465
- CVE-2023-49467
- CVE-2023-49468
https://github.com/strukturag/libde265/releases/tag/v1.0.15
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
A couple of build fixes and bug fixes detected by fuzzing.
Corrects these issues:
- CVE-2023-49462
- CVE-2023-49463
https://github.com/strukturag/libheif/releases/tag/v1.17.6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>