Commit Graph

44612 Commits

Author SHA1 Message Date
Fabrice Fontaine
c4a74eae16 package/libftdi1: fix libftdi1-config
Add libftdi1-config to LIBFTDI1_CONFIG_SCRIPTS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7eea3ae224)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:35:10 +01:00
Fabrice Fontaine
6474c6a02f package/owfs: drop unneeded first patch
Patch is not needed since version 3.1p2 and
2982df8ca6
because localtime_r is now correctly checked

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ff75269b9a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:34:56 +01:00
Fabrice Fontaine
e5377e9545 package/gerbera: fix static build with ffmpeg
Fixes:
 - http://autobuild.buildroot.org/results/2b99fabd798db84a0fce26ad696c58e54c6ff626
 - http://autobuild.buildroot.org/results/95e410e5ab34c6d4626a58f97c0d2d5e6829a300

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8795cb2082)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:32:26 +01:00
Baruch Siach
5cfc8b4686 package/putty: fix build with uClibc
Add patches fixing a number of build issues with uClibc. The issue fixed
in patch #2 has been reported upstream. Patch #3 has been suggested by
upstream but not applied yet.

Drop the _SUBDIR assignment. The configure script moved to top level
directory since upstream commit a947c49bec3 from 2014. This allows
AUTORECONF to find configure.ac.

Fixes:
http://autobuild.buildroot.net/results/801/801e2b2909363b5dcd9735362bb921e017569edc/
http://autobuild.buildroot.net/results/398/3984c6cdd3398645c8ad98bbe23af9090cf4bfcf/
http://autobuild.buildroot.net/results/632/632f93046f9cceffd9b604911542426c10967e0f/

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 35b72be8fe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:24:50 +01:00
Baruch Siach
dc7e68c8dd package/putty: enable static build
Add upstream patch fixing build when NO_GSSAPI is defined which is the
case on static builds.

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a6f73f3d26)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:24:40 +01:00
Baruch Siach
709ae653f3 putty: security bump to version 0.71
CVE-2019-9894: A remotely triggerable memory overwrite in RSA key
exchange can occur before host key verification.

CVE-2019-9895: A remotely triggerable buffer overflow exists in any kind
of server-to-client forwarding.

CVE-2019-9897: Multiple denial-of-service attacks that can be triggered
by writing to the terminal.

CVE-2019-9898: Potential recycling of random numbers used in
cryptography.

Disable static build for now. When building statically configure defines
NO_GSSAPI. Build with NO_GSSAPI is currently broken. The issue has been
reported upstream.

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6f47c0a43)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-28 10:24:19 +01:00
Fabrice Fontaine
1d45e1b5bb package/intel-gmmlib: needs dynamic library
Fixes:
 - http://autobuild.buildroot.org/results/0121befb9b4ba6cffc47ce7f861ed81077fc900f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 735bedd0d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 23:06:44 +01:00
Bernd Kuhls
a6a3768a2f package/x11r7/xlib_libXdmcp: security bump version to 1.1.3
Fixes CVE-2017-2625:
https://lists.x.org/archives/xorg-announce/2019-March/002974.html

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8a60253925)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 23:04:11 +01:00
Peter Korsgaard
54c54e1655 package/asterisk: security bump to version 16.2.1
Fixes the following security issue:

AST-2019-001: Remote crash vulnerability with SDP protocol violation
When Asterisk makes an outgoing call, a very specific SDP protocol violation
by the remote party can cause Asterisk to crash (CVE-2019-7251)

https://downloads.asterisk.org/pub/security/AST-2019-001.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 391a1e5df7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 23:02:14 +01:00
Fabrice Fontaine
45e5cdcf2f package/supertux: fix build on powerpc64le
Fixes:
 - http://autobuild.buildroot.org/results/c484079b2736eb3c21adff257f3e3ab1acc67f9a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8867e95a21)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 23:01:21 +01:00
Samuel Mendoza-Jonas
00eb766a92 lvm2: Update to 2.02.183
In particular update to solve an issue where LVM would fail to
initialise LVM devices when asynchronous IO was not available and it
would fail to fall back to synchronous IO. [0][1]

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1650652
[1] https://github.com/open-power/petitboot/issues/60

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ba9442dfe3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 23:00:28 +01:00
Reed Nightingale
e47fa646dc package/eigen: bump to 3.3.7
Bumped the version of eigen to 3.3.7, which fixes issues when compiling with GCC7 (notably int-in-bool-context errors, fixed in 3.3.5), in addition to various other issues noted in the eigen change logs: http://eigen.tuxfamily.org/index.php?title=ChangeLog
Legal hashes are unchanged in 3.3.7

Signed-off-by: Reed Nightingale <reed.nightingale@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 06a1ff4fd3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 22:58:42 +01:00
Peter Korsgaard
2fb549c388 package/libseccomp: security bump to version 2.4.0
>From the advisory:

Jann Horn  identified a problem in current versions of
libseccomp where the library did not correctly generate 64-bit syscall
argument comparisons using the arithmetic operators (LT, GT, LE, GE).
Jann has done a search using codesearch.debian.net and it would appear
that only systemd and Tor are using libseccomp in such a way as to
trigger the bad code.  In the case of systemd this appears to affect
the socket address family and scheduling class filters.  In the case
of Tor it appears that the bad filters could impact the memory
addresses passed to mprotect(2).

The libseccomp v2.4.0 release fixes this problem, and should be a
direct drop-in replacement for previous v2.x releases.

https://www.openwall.com/lists/oss-security/2019/03/15/1

v2.4.0 adds a new scmp_api_level utility, so update 0001-remove-static.patch
to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 02300786c2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 22:49:59 +01:00
Peter Korsgaard
b5735379c5 package/libssh2: security bump to latest git
Bump the version to latest git to fix the following security issues:

CVE-2019-3855
 Possible integer overflow in transport read allows out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3855.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch

CVE-2019-3856
 Possible integer overflow in keyboard interactive handling allows
 out-of-bounds write
 URL: https://www.libssh2.org/CVE-2019-3856.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch

CVE-2019-3857
 Possible integer overflow leading to zero-byte allocation and out-of-bounds
 write
 URL: https://www.libssh2.org/CVE-2019-3857.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch

CVE-2019-3858
 Possible zero-byte allocation leading to an out-of-bounds read
 URL: https://www.libssh2.org/CVE-2019-3858.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch

CVE-2019-3859
 Out-of-bounds reads with specially crafted payloads due to unchecked use of
 `_libssh2_packet_require` and `_libssh2_packet_requirev`
 URL: https://www.libssh2.org/CVE-2019-3859.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

CVE-2019-3860
 Out-of-bounds reads with specially crafted SFTP packets
 URL: https://www.libssh2.org/CVE-2019-3860.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch

CVE-2019-3861
 Out-of-bounds reads with specially crafted SSH packets
 URL: https://www.libssh2.org/CVE-2019-3861.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch

CVE-2019-3862
 Out-of-bounds memory comparison
 URL: https://www.libssh2.org/CVE-2019-3862.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch

CVE-2019-3863
 Integer overflow in user authenicate keyboard interactive allows
 out-of-bounds writes
 URL: https://www.libssh2.org/CVE-2019-3863.html
 Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.txt

Drop 0003-openssl-fix-dereferencing-ambiguity-potentially-caus.patch as that
is now upstream.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f4f7dd9557)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 22:31:53 +01:00
Fabrice Fontaine
1f464e0314 package/jq: security bump to version 1.6
- Fix CVE-2015-8863 and  CVE-2016-4074:
  https://github.com/stedolan/jq/issues/1406
- Add hash for license file
- Disable oniguruma (enabled by default)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3a026d650c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 22:25:27 +01:00
Ryan Coe
4716f1a94b package/mariadb: security bump to version 10.3.13
Release notes:
https://mariadb.com/kb/en/library/mariadb-10313-release-notes/

Changelog:
https://mariadb.com/kb/en/mariadb-10313-changelog/

Fixes the following security vulnerabilities:

CVE-2019-2510 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.7.24 and
prior and 8.0.13 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.

CVE-2019-2537 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are 5.6.42
and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.

Note that the hash for README.md changed due to Travis CI and Appveyor CI
updates.

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f389df2334)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 16:00:04 +01:00
Adam Duskett
ed3c3f26f7 package/libglib2: add optional dependency in libselinux
If libselinux is selected, explicitly set --enable-selinux in the
configure options and build the library first.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8f43ec6ce8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:59:15 +01:00
Alistair Francis
427742a029 linux: allow BR2_LINUX_KERNEL_IMAGE on RISC-V
We will need to build Image files for OpenSBI so allow that now.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a3a4d4d4d3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:57:57 +01:00
Fabrice Fontaine
249e67e10b package/kf5-modemmanager-qt: link with libatomic when needed
On some architectures, atomic binutils are provided by the libatomic
library from gcc. Linking with libatomic is therefore necessary,
otherwise the build fails with:

sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line

This is often for example the case on sparcv8 32 bit.

Fixes:
 - http://autobuild.buildroot.org/results/b941a3deaa57cac79f1686d47ca6ababf2f0d5e4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3cb7546d95)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:55:20 +01:00
Norbert Lange
4d6a0e4d7a package/binutils: upstream fixes for 2.31.1
Combining musl and binutils 2.31.1 will produce static applications
that crash immediately. This commit picks up 3 upstream commits to
remedy this.

See https://sourceware.org/bugzilla/show_bug.cgi?id=23428

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0c34e138b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:40:46 +01:00
James Hilliard
5113a17c33 package/python-aiojobs: drop aiohttp dependency
aiohttp isn't a required dependency for aiojobs

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 53e3860a0e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:39:22 +01:00
Fabrice Fontaine
b9896bd300 package/libpcap: fix bluez5_utils-headers dependency
Commit c46afc37dc changed bluez5-utils
dependency by bluez5_utils-headers without replacing the test on
BR2_PACKAGE_BLUEZ5_UTILS by BR2_PACKAGE_BLUEZ5_UTILS_HEADERS

Fix this mistake and also add a select on
BR2_PACKAGE_BLUEZ5_UTILS_HEADERS if BR2_PACKAGE_BLUEZ5_UTILS is set
so the user does not have to do it

Fixes:
 - http://autobuild.buildroot.org/results/c6828df1f3782564451ddd4187ff026679bf37d8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3033e83d12)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:34:39 +01:00
Baruch Siach
f20b18f66a package/libpcap: fix bluez circular dependency
The optional bluez_utils dependency of libpcap creates a circular
dependency:

$ make dbus-show-recursive-depends

Recursion detected for  : systemd
which is a dependency of: dbus
which is a dependency of: bluez_utils
which is a dependency of: libpcap
which is a dependency of: iptables
which is a dependency of: systemd
make: *** [package/dbus/dbus.mk:121: dbus-show-recursive-depends] Error 1

Drop support for bluez_utils. For bluez5_utils, which also depends on
dbus, we only need the headers in the bluez5_utils-headers package. Use
that to break the circular dependency.

Fixes:
http://autobuild.buildroot.net/results/9c3/9c3ee798fa6bb501a20a7892c0b085d2b279b664/

Suggested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c46afc37dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:31:41 +01:00
Fabrice Fontaine
d56572e447 package/fltk: add optional xlib_libXrender dependency
xlib_libXrender is enabled by default and has been added since version
1.3.4-1 and
a6c4b29a18

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 65895f36ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 15:29:01 +01:00
Yann E. MORIN
f5a48dfe27 package/pkg-generic: tweak only .la files that need it
Currently, when we tweak the .la files, we do so unconditionally on all
.la files, even those we already fixed in a previous run.

This has the nasty side effect that each .la file will be reported as
being touched by all packages that are installed after the package that
actually installed said .la file.

Since we can't easily know what files were installed by a package (that
is an instrumentation hook, and comes after the mangling), we use a
trick (like is done in libtool?): we do mangle all files, each into a
temporary location; if the result is identical to the input, we remove
the temporary, while if the result differs from the output, we move
the temporary to replace the input.

Reported-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8623cc5deb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 14:52:20 +01:00
Michel Stempin
25e5c401fa package/x11r7/xdriver_xf86-video-fbdev: bump to version 0.5.0
Starting X manually resulted in a symbol error:
| Xorg: symbol lookup error: /usr/lib/xorg/modules/drivers/fbdev_drv.so: undefined symbol: shadowUpdatePackedWeak

This bug was reported against the fbdev driver, which is fixed
upstream in 0.5.0:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900317

Signed-off-by: Michel Stempin <michel.stempin@wanadoo.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9047503631)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 10:47:49 +01:00
Fabrice Fontaine
ef54e73682 package/cups: security bump to version 2.2.10
- Fixes CVE-2018-4700: Linux session cookies used a predictable random
  number seed: https://github.com/apple/cups/releases/tag/v2.2.10.
- Remove fifth patch (already in version)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 260d9e5342)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 10:44:42 +01:00
Vadim Kochan
6cfd314ed3 utils/test-pkg: generate package config if it is not specified
It is possible to generate one-line config for the package just by
normalize it to the form:

    BR2_PACKAGE_${pkg_replaced-to_and_uppercase}

it simplifes a bit of testing package where no additional config options
are needed.

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a946813dd5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-27 10:42:52 +01:00
Peter Korsgaard
18ae511d81 package/nodejs: security bump to version 8.15.1
Fixes the following security issues:

Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

For more details, see the CHANGELOG:
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-26 15:01:42 +01:00
Bernd Kuhls
59f9971694 package/samba4: security bump to version 4.9.5
Release notes: https://www.samba.org/samba/history/samba-4.9.5.html

Fixes CVE-2019-3824:
ldb: Out of bound read in ldb_wildcard_compare

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e7d67faac5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 22:23:19 +01:00
Fabrice Fontaine
3d0ad9cc82 package/gerbera: fix static build with curl and libidn2
Fixes:
 - http://autobuild.buildroot.org/results/be5893b507d22a23951efeea20c18642742cef5a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7553b6ad23)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 22:20:53 +01:00
Fabrice Fontaine
1d7ca92535 package/beecrypt: fix build without C++
Do not check for C++ compiler as C++ support has been disabled since
commit dd4d3c18d6 otherwise
build will fail on toolchains without a working C++ compiler:

checking how to run the C++ preprocessor... /lib/cpp
configure: error: in `/data/buildroot/buildroot-test/instance-1/output/build/beecrypt-4.2.1':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check

Fixes:
 - http://autobuild.buildroot.org/results/3c79cc68f1b088ad24daf7f9bd70718d702be577

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6255c81623)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 22:15:36 +01:00
Norbert Lange
5219bb25bf package/musl: remove rcrt1.o from target installation
rcrt1.o is a new startup for "static-pie" apps, and only needed for
building, should not end up in the target filesystem.

Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit de5fef8c04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 22:13:17 +01:00
Arnout Vandecappelle (Essensium/Mind)
bc31a761c5 linux{, -headers}: support downloads of v5+
With the arrival of linux v5.0, we need yet another condition to set
_SITE correctly. Instead of continuing this madness, solve the problem
generically: use v2.6 for 2.6.*, and use the number before the first dot
in the other cases.

While we're at it, remove the comment which has been incorrect since
80d7b68167 (7 years ago).

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Tested-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Tested-by: Adam Duskett <aduskett@gmail.com>
Reviewed-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4ed7246a59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:46:10 +01:00
Arnout Vandecappelle (Essensium/Mind)
7d0322fe3c package/linux-headers: fix support for -rc kernels
-rc kernels after v3.x are no longer available in the testing
subdirectory. Instead they should be fetched from cgit.

Commit ff4cccbdcf did this for linux
itself, now we also do it for linux-headers.

When fetched from cgit, .tar.xz can't be used. Adding this to the
existing condition is not so simple, so refactor how _SOURCE is set:
simply set it explicitly in each branch of the condition. While more
verbose (it is repeated 4 times), it's easier to understand and to
maintain.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1b94e8dcb3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:41:26 +01:00
Baruch Siach
d902c871d4 package/libpcap: disable dbus to break circular dependency
The optional dbus dependency of libpcap creates a circular dependency
chain:

$ make libpcap-show-recursive-depends

Recursion detected for  : systemd
which is a dependency of: dbus
which is a dependency of: libpcap
which is a dependency of: iptables
which is a dependency of: systemd
make: *** [package/libpcap/libpcap.mk:55: libpcap-show-recursive-depends] Error 1

Of all these dependencies the one of libpcap on dbus seems to be less
useful. Drop it.

Fixes:
http://autobuild.buildroot.net/results/0b5d18bff816cbcee11e8645449701722d956de5/

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b01d463c14)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:39:23 +01:00
Bernd Kuhls
48b328c195 package/x11r7/xapp_xdm: security bump to version 1.1.12
Fixes CVE-2013-2179.

Release notes:
https://lists.x.org/archives/xorg-announce/2019-March/002959.html

Added all license hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2776484107)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:23:31 +01:00
Artem Panfilov
853cff9679 package/avahi: add upstream security fix
Fixes CVE-2017-6519: avahi-daemon in Avahi through 0.6.32 and 0.7
inadvertently responds to IPv6 unicast queries with source addresses
that are not on-link, which allows remote attackers to cause a denial
of service (traffic amplification) and may cause information leakage
by obtaining potentially sensitive information from the responding
device via port-5353 UDP packets.

Signed-off-by: Artem Panfilov <panfilov.artyom@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e17adf1c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:20:59 +01:00
Peter Korsgaard
5c38c2ea3d package/bash: add upstream patches up to patch level 23
We unfortunately cannot easily download these because of the file names (not
ending in patch) and patch format (p0), so convert to p1 format and include
in package/bash with the following script:

j=1; for i in 19 20 21 22 23; do
    file=$(printf '%04d-patch44-0%d.patch' $j $i)
    cat > $file << EOF
>From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

EOF
    curl https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i | \
        sed -e 's|^\*\*\* \.\./|*** |' -e 's|^--- |--- b/|' >> $file

    j=$(( j + 1 ))
done

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 87a8f5f51c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:20:07 +01:00
Adrien Gallouët
14d2b53d41 package/kexec: update to 2.0.18
This release fixes the following issue with new kernels:

kexec --load bzImage --reuse-cmdline
Unhandled rela relocation: R_X86_64_PLT32

Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 254384e769)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:18:06 +01:00
Artem Senichev
272a6677ff package/kexec: enable powerpc64le platforms
kexec has fully support of ppc64 platform:
https://www.kernel.org/doc/Documentation/kdump/kdump.txt

Signed-off-by: Artem Senichev <artemsen@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 46a4af5214)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 21:18:00 +01:00
Fabrice Fontaine
8c16591d89 package/libdrm: amdgpu needs MMU
amdgpu test uses fork() so disable amdgpu without MMU

Fixes:
 - http://autobuild.buildroot.org/results/8d6194982c1080e173fcef8212fb06e6dc275d58

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9972dc2e82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 20:11:02 +01:00
Christian Stewart
af99ecabd5 package/go: set GOCACHE to a host path
Set the GOCACHE environment variable properly.

It was previously unset, and defaults to $HOME/.cache/go-build.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3909423f1c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 19:00:22 +01:00
Peter Korsgaard
e3404b10ba package/openjpeg: security bump to latest git version
Current git contains fixes for a number of post-2.3.0 security issues:

git shortlog --no-merges -i --grep cve --grep overflow --grep zero v2.3.0..
Even Rouault (2):
      Avoid out-of-bounds write overflow due to uint32 overflow computation on images with huge dimensions.
      color_apply_icc_profile: avoid potential heap buffer overflow

Hugo Lefeuvre (4):
      convertbmp: fix issues with zero bitmasks
      jp3d/jpwl convert: fix write stack buffer overflow
      jp2: convert: fix null pointer dereference
      convertbmp: detect invalid file dimensions early

Karol Babioch (2):
      jp3d: Replace sprintf() by snprintf() in volumetobin()
      opj_mj2_extract: Check provided output prefix for length

Stefan Weil (1):
      Fix some potential overflow issues (#1161)

Young_X (5):
      [MJ2] To avoid divisions by zero / undefined behaviour on shift
      [JPWL] fix CVE-2018-16375
      [JPWL] imagetotga(): fix read heap buffer overflow if numcomps < 3 (#987)
      [JPWL] opj_compress: reorder checks related to code block dimensions to avoid potential int overflow
      [JP3D] To avoid divisions by zero / undefined behaviour on shift (CVE-2018-14423

ichlubna (1):
      openjp3d: Int overflow fixed (#1159)

setharnold (1):
      fix unchecked integer multiplication overflow

Drop now upstreamed 0004-install-static-lib.patch.

Add a hash for the LICENSE file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a5e8c81875)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 18:55:53 +01:00
Peter Korsgaard
a22fc3a0eb package/mosquitto: bump version to 1.5.8
Bugfix release, fixing a number of issues discovered post-1.5.7

https://mosquitto.org/blog/2019/02/version-1-5-8-released/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 24cc2eaa33)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 18:52:25 +01:00
Peter Korsgaard
99d8c1a07c package/php: security bump to version 7.3.3
php-7.3.3 fixes a number of security issues (no CVE known, bugtracker issues
not yet public): https://secure.php.net/ChangeLog-7.php#7.3.3

Drop 0004-OPcache-flock-mechanism-is-obviously-linux-so-force-.patch as the
flock detection has been removed since commit 9222702633 (Avoid dependency
on "struct flock" fields order.)

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b821ae3d63)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:38:51 +01:00
Baruch Siach
c19f815add ntp: security bump to version 4.2.8p13
Fixes CVE-2019-8936: Crafted null dereference attack in authenticated
mode 6 packet.

Drop upstream patches.

Update COPYRIGHT file hash; text formatting (line width) changes.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7ffdc08f04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:36:23 +01:00
Baruch Siach
85c408fcc0 package/file: security bump to version 5.36
CVE-2019-8906: do_core_note in readelf.c in libmagic.a in file 5.35 has
an out-of-bounds read because memcpy is misused.

CVE-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has a
stack-based buffer over-read, related to file_printf and file_vprintf.

Update license files hashes; removal of trailing white spaces.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 14d6e6df7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:34:01 +01:00
Fabrice Fontaine
5154f90009 package/wireshark: add optional spandsp dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ee772dad7b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:32:32 +01:00
Romain Naour
a0134c3606 package/tpm2-abrmd: rename libsapi to libtss2-sys in the help text
libsapi was renamed to libtss2-sys in tpm2-tss library:
5f0ab55d4e

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8f297cc033)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-03-25 17:30:35 +01:00