iconv.h is always included by mz_os_posix.c so select
BR2_PACKAGE_LIBICONV if !BR2_ENABLE_LOCALE
Fixes:
- No autobuilder failures
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 19806dab03)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
At the moment libnss assumes that every ARM has NEON extension but it's
not that way. So add a patch to make it aware of it and use native
functions in place of NEON optimized ones.
Fixes:
http://autobuild.buildroot.net/results/1342d305d1aeebef7af54a83afc094fda12421e2/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 166d6b1bce)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2019-10218:
Malicious servers can cause Samba client code to return filenames containing
path separators to calling code.
- CVE-2019-14833:
When the password contains multi-byte (non-ASCII) characters, the check
password script does not receive the full password string.
- CVE-2019-14847:
Users with the "get changes" extended access right can crash the AD DC LDAP
server by requesting an attribute using the range= syntax.
Release notes:
https://www.samba.org/samba/history/samba-4.9.15.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libsigrok optionally depends on libftdi1, not libftdi. This was already
the case for a long time, but until the recent commit 01b30e5d69, all
the configure options were wrong so it would use the automatic check for
availability of libftdi1. Now we pass the --with-libftdi option
explicitly, configure will fail if libftdi1 is not available.
Fixes:
- http://autobuild.buildroot.net/results/ec1f9f57944139b24738c1be529c4fc4b128a516
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 658388138c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerability:
- CVE-2019-17596: Invalid DSA public keys can cause a panic in dsa.Verify.
In particular, using crypto/x509.Verify on a crafted X.509 certificate
chain can lead to a panic, even if the certificates don’t chain to a
trusted root. The chain can be delivered via a crypto/tls connection to a
client, or to a server that accepts and verifies client certificates.
net/http clients can be made to crash by an HTTPS server, while net/http
servers that accept client certificates will recover the panic and are
unaffected.
Upstream has not provided a go 1.11.x release with a fix for this, so
instead include the Debian backport of the upstream security fix from:
https://sources.debian.org/src/golang-1.11/1.11.6-1+deb10u3/debian/patches/0008-Fix-CVE-2019-17596.patch/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
If C++ is enabled, enable cxx exceptions, so libunwind will implement
_Unwind_GetIP which is used by mono (which already depends on C++)
Fixes:
- http://autobuild.buildroot.net/results/dbd64c89815d393a4e28b312d74fd80ee6de92da
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit d5bcb30cf9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Laurent reported that a short tutorial was missing in the manual to
explain how to reuse a Buildroot toolchain as external toolchain.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Laurent Guillier <laurent.guillier@smile.fr>
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Tested-by: Matt Weber <matthew.weber@rockwellcollins.com>
[Thomas: completely rewrite the thing]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f7b0b0ad73)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
"mount" from the "util-linux" package does expect the helper utilities
in "/sbin" and not "/usr/sbin". We use "--exec-prefix=/" to fix the
issue. The man-pages are then still installed under "/usr/share/man".
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Tested-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e7f32dc3c6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use pkg-config to retrieve static dependencies of libarchive in gvfs.mk
instead of patching configure.ac as upstream switched to meson
Fixes:
- http://autobuild.buildroot.org/results/486187bb7b8800f44a8c173af518b84e68e53584
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9b66547108)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerability:
- CVE-2019-18218: cdf_read_property_info in cdf.c in file through 5.37 does
not restrict the number of CDF_VECTOR elements, which allows a heap-based
buffer overflow (4-byte out-of-bounds write).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1c4584e47e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Retrieve upstream patch to fix build with BR2_PIC_PIE on x86
Fixes:
- http://autobuild.buildroot.org/results/b1252b7907944d227694ad8506de25881bf2ca04
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 41eadb1a9b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fd69562949)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
icu is required to build Q5tWebkit.
When UChar is defined as char16_t in ICU, then qtbase fails to detect ICU.
The issue is described https://bugreports.qt.io/browse/QTBUG-49586
Build fails with following error messages:
...
ustring.h:473:20: error: ‘UChar’ does not name a type
u_strCompare(const UChar *s1, int32_t length1,
^
^
make[2]: *** [Makefile:195: icu.o] Error 1
ICU disabled.
The ICU library support cannot be enabled.
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 89a82e7210)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On x86_64, we use the host compiler instead of the target compiler to
build kvm-unit-tests, because it is built with -m32 and our target
compiler doesn't support that.
However, the compiler on Arch Linux is broken: it *always* builds with
-fstack-protector, even when -ffreestanding is passed. However, when
-fnostdlib is passed at link time (which is normally the case when
building with -ffreestanding), it is not linked with the stack-protector
library. This leads to a link time error:
/usr/bin/ld: x86/realmode.o: in function `print_serial_u32':
.../x86/realmode.c:104: undefined reference to `__stack_chk_fail'
Since the entire package is built with -ffreestanding, it doesn't
support stack-protector at all. Therefore, simply pass
-fno-stack-protector explicitly on x86_64 to work around the bug in Arch
Linux.
Bug reported upstream: https://bugs.archlinux.org/task/64270
Fixes:
- http://autobuild.buildroot.org/results/e6f767755ffdb5ecc014eb5ad7519814f075a60e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c0ffd16e40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Openssl is required so that Gem can install ruby gems from secure websites.
ERROR: While executing gem ... (Gem::Exception)
Unable to require openssl, install OpenSSL and rebuild ruby (preferred) or
use non-HTTPS sources
Signed-off-by: Nicolas Carrier <nicolas.carrier@orolia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ed5549b987)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sox implements a custom mechanism to detect whether the toolchain has
SSP suport or not. In doing so, it explicitly tries to see if libssp.so
is present, in which case it unconditionally links with it, even though
the compiler, if left by itself, would have used the SSP support
provided by the C library.
However, with Buildroot, the SSP options are handled in our gcc
wrapper, so packages should just not bother with that.
It turns out that, when sox is configured with --disable-stack-protector,
it does not disable it, but really does nothing, which is good for us.
Currently, SSP is conditionally disabled in sox, under various
conditions: that the toolchain does not have SSP, or that it is one of
the know SSP-challenged (i.e. broken) toolchains. Those conditions dates
back tpo before our wrapper started handling that.
Remove all those conditions, unconditionally disable SSP in sox, and let
our gcc wrapper handle the SSP options.
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4653d273b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In Buildroot, the internal toolchain backend uses the SSP support from
the C library, not that of gcc.
Some external toolchains come with SSP suport in gcc, which is
implemented in libssp.so, rather than in the C library.
When a toolchain even has both, it is up to the compiler to decide
whether it will link to libssp or use the support from the C library.
However, in the latter case, a (incorrectly written) package may decide
to explicitly link with libssp.so when it is available (even though the
compiler may have decided otherwise if left by itself). This is the case
for example with sox, which results in runtime failures, such as:
$ sox
sox: error while loading shared libraries: libssp.so.0: cannot open
shared object file: No such file or directory
Even if sox is wrong in doing so, the case for libssp-only toolchains is
still valid, and we must copy it as we copy other libs.
Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 971479ed62)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
SGI is gone (RIP). Use the github project as landing page.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f5ff55822d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes compilation issue in case memfd_create is a stub in libc.
Patch already merged in lxc master branch
(344b8ee293f4d3730a70a6ccaa03d7e4a516ae95).
Copy of the original commit log:
In case the internal memfd_create has to be used, make sure we don't
clash with the already existing memfd_create function from glibc.
This can happen if this glibc function is a stub. In this case, at
./configure time, the test for this function will return false, however
the declaration of that function is still available. This leads to
compilation errors.
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0d6b305e52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since <package>-rebuild implies <package>-reinstall and
<package>-reconfigure implies <package>-rebuild, it is confusing
to mention the make and make <package> commands when describing
the restart of the configuration, compilation and installation of
the package.
Therefore remove the ", followed by +make+ or +make <package>+"
portions in the "8.3. Understanding how to rebuild packages" section,
and add a new paragraph clarifying how to include the rebuilt package
in the filesystem image, if that is necessary.
Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9155d1a38d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security vulnerablities:
- CVE-2018-1000222: Libgd version 2.2.5 contains a Double Free Vulnerability
vulnerability in gdImageBmpPtr Function that can result in Remote Code
Execution . This attack appear to be exploitable via Specially Crafted
Jpeg Image can trigger double free
- CVE-2018-5711: gd_gif_in.c in the GD Graphics Library (aka libgd), as used
in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x
before 7.2.1, has an integer signedness error that leads to an infinite
loop via a crafted GIF file, as demonstrated by a call to the
imagecreatefromgif or imagecreatefromstring PHP function
- CVE-2019-11038: When using the gdImageCreateFromXbm() function in the GD
Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP
versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it
is possible to supply data that will cause the function to use the value
of uninitialized variable. This may lead to disclosing contents of the
stack that has been left there by previous code
- CVE-2019-6978: The GD Graphics Library (aka LibGD) 2.2.5 has a double free
in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 505a70edbe)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
NSS_ENABLE_ECC is not supported anymore, then remove it from our
libnss.mk file.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 8223904643)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2019-11756: Remove refcounting from sftk_FreeSession
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 551d81c079)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release fixes CVE-2019-9740, CVE-2019-9948, CVE-2019-15903.
Adjust 0002-Fix-get_python_inc-for-cross-compilation.patch for 2.7.17.
Remove the following patches (now on upstream):
* 0035-bpo-35907-CVE-2019-9948-urllib-rejects-local_file-sc.patch
* 0036-bpo-36216-Add-check-for-characters-in-netloc-that-no.patch
* 0037-3.7-bpo-36216-Only-print-test-messages-when-verbose-.patch
* 0038-bpo-36742-Fixes-handling-of-pre-normalization-charac.patch
* 0039-bpo-36742-Corrects-fix-to-handle-decomposition-in-us.patch
* 0040-2.7-bpo-36742-Fix-urlparse.urlsplit-error-message-fo.patch
* 0041-bpo-30458-Disallow-control-chars-in-http-URLs-GH-127.patch
Full release details at:
https://github.com/python/cpython/blob/v2.7.17/Misc/NEWS.d/2.7.17rc1.rst
run-tests results:
10:30:20 TestPython2 Starting
10:30:21 TestPython2 Building
10:37:37 TestPython2 Building done
10:37:47 TestPython2 Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 448.616s
OK
Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7df07cb611)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On uClibc up to at least v1.0.32, syscall() for x86_64 is defined in
libc/sysdeps/linux/x86_64/syscall.S as
syscall:
movq %rdi, %rax /* Syscall number -> rax. */
movq %rsi, %rdi /* shift arg1 - arg5. */
movq %rdx, %rsi
movq %rcx, %rdx
movq %r8, %r10
movq %r9, %r8
movq 8(%rsp),%r9 /* arg6 is on the stack. */
syscall /* Do the system call. */
cmpq $-4095, %rax /* Check %rax for error. */
jae __syscall_error /* Branch forward if it failed. */
ret /* Return to caller. */
And __syscall_error is defined in
libc/sysdeps/linux/x86_64/__syscall_error.c as
int __syscall_error(void) attribute_hidden;
int __syscall_error(void)
{
register int err_no __asm__ ("%rcx");
__asm__ ("mov %rax, %rcx\n\t"
"neg %rcx");
__set_errno(err_no);
return -1;
}
Notice that __syscall_error returns -1 as a 32-bit int in %rax, a 64-bit
register i.e. 0x00000000ffffffff (decimal 4294967295). When this value
is compared to -1 in _sys_chk_seccomp_flag_kernel() the result is false,
leading the function to always return 0.
Prevent the error by coercing the return value of syscall() to int in a
temporary variable before comparing it to -1. We could use just an (int)
cast but the variable makes the code more readable and the machine code
generated by the compiler is the same in both cases.
All other syscall() invocations were inspected and they either already
coerce the result to int or do not compare it to -1.
The same problem probably occurs on other 64-bit systems but so far only
x86_64 was tested.
A bug report is being submitted to uClibc.
Upstream status: https://github.com/seccomp/libseccomp/pull/175
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 440c7a9d9e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a BPF generation bug where the optimizer mistakenly identified
duplicate BPF code blocks.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d5787d1ab1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 0.53 has a fix for INVALIDATE and SHUTDOWN requests being
ignored.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Doug Kehn <rdkehn@yahoo.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2de1289282)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
These patches are already in qemu upstream under:
- 184943d827ce09375284e6fbb9fd5eeb9e369529
- 71ba74f67eaca21b0cc9d96f534ad3b9a7161400
They rename gettid() to sys_gettid() to avoid clash with glibc
Signed-off-by: Paulo Matos <pmatos@igalia.com>
Tested-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9dcca3ae40)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Required since the bump from 3.1.1.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1ef6d39565)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On uClibc-ng sysconf(_SC_LEVEL1_{I,D}CACHE_LINESIZE) returns -1, which
is a valid result, meaning that the limit is indeterminate. Add a patch
that handles this situation using fallback values instead of crashing
due to an assertion failure.
Upstream status:
https://lists.nongnu.org/archive/html/qemu-devel/2019-10/msg04115.html
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5e968678fd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
