Commit Graph

44693 Commits

Author SHA1 Message Date
Romain Naour
c6f30d355c package/linux-tools: some selftests needs tput
Some kernel-selftests are using tput program, so make sure that
BR2_PACKAGE_NCURSES_TARGET_PROGS is selected.

[linux-4.19 selftests]$ git grep tput
[...]
futex/run.sh:tput setf 7 || tput setaf 7
futex/run.sh:    tput sgr0

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 633e5121f8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-24 17:23:19 +02:00
Romain Naour
058c89f1e6 package/linux-tools: some selftests needs util-linux schedutils
Some kernel-selftests are using taskset program, so make sure that
BR2_PACKAGE_UTIL_LINUX_SCHEDUTILS is selected.

[linux-4.19 selftests]$ git grep taskset
bpf/test_progs.c:       assert(system("taskset 0x1 ./urandom_read 100000") == 0);
cpu-hotplug/cpu-on-off-test.sh: taskset -p 01 $$
cpufreq/main.sh:        taskset -p 01 $$
netfilter/nft_trans_stress.sh:        ip netns exec "$testns" taskset $mask ping -4 127.0.0.1 -fq > /dev/null &
netfilter/nft_trans_stress.sh:        ip netns exec "$testns" taskset $mask ping -6 ::1 -fq > /dev/null &
rcutorture/bin/jitter.sh:       if ! taskset -p $cpumask $$ > /dev/null 2>&1

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6af93482d7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-24 17:23:11 +02:00
Thomas De Schampheleire
05f41b5a43 package/syslog-ng: fix segfault on startup due to pthread_atfork
syslog-ng may segfault at startup (during library initialization, before
reaching main) in newer toolchains. I have witnessed it on aarch64 (but with
32-bit arm userland) with glibc 2.28.

Problem is described in syslog-ng issue  [1], which in turn leads to a
problem in 'ivykis' which is shipped with syslog-ng, see ivykis issue 
[2].

Root cause is that 'pthread_atfork' is used by ivykis but searched by its
configure script in libpthread_nonshared only. In newer toolchains, it seems
this symbol is in libc_nonshared.

Apply a patch someone proposed via pullrequest [3] to the ivykis project,
but which is at this moment not yet merged upstream.

[1] https://github.com/balabit/syslog-ng/issues/2263
[2] https://github.com/buytenh/ivykis/issues/15
[3] https://github.com/buytenh/ivykis/pull/16

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d1467eaa6b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-24 15:57:47 +02:00
Adam Duskett
3df4ea4694 package/python3: fix hash for license file
The year was updated.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf6615d801)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-24 15:53:08 +02:00
Adam Duskett
0012baabfc package/python3: security bump version to 3.7.3
Also remove upstream patch 0033.

Fixes the following security issues:

- bpo-36216: Changes urlsplit() to raise ValueError when the URL contains
  characters that decompose under IDNA encoding (NFKC-normalization) into
  characters that affect how the URL is parsed.

- bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module.  The
  cert parser did not handle CRL distribution points with empty DP or URI
  correctly.  A malicious or buggy certificate can result into segfault.
  Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of
  Cisco.

- bpo-35121: Don’t send cookies of domain A without Domain attribute to
  domain B when domain A is a suffix match of domain B while using a
  cookiejar with http.cookiejar.DefaultCookiePolicy policy.  Patch by
  Karthikeyan Singaravelan.

For more details, see the changelog:
https://docs.python.org/3.7/whatsnew/changelog.html#python-3-7-3-final

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6afc83b60f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-24 15:51:47 +02:00
Peter Korsgaard
1c5dd5d934 package/samba4: security bump to version 4.9.6
Fixes the following security vulnerabilities:

 - CVE-2019-3870:
   During the provision of a new Active Directory DC, some files in the private/
   directory are created world-writable.
   https://www.samba.org/samba/security/CVE-2019-3870.html

 - CVE-2019-3880:
   Authenticated users with write permission can trigger a symlink traversal to
   write or detect files outside the Samba share.
   https://www.samba.org/samba/security/CVE-2019-3880.html

For more details, see the release notes:
https://www.samba.org/samba/history/samba-4.9.6.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8a662ae308)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:29:00 +02:00
Baruch Siach
8db0d3901d package/ghostscript: security bump to version 9.27
Fixes CVE-2019-3835, CVE-2019-3838: A specially crafted PostScript file
could use these flaws to have access to the file system outside of the
constrains imposed by -dSAFER.

Drop upstream patches.

Use the make subst function to compute the download site from version.

Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 10a6ea5a30)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:27:09 +02:00
Fabrice Fontaine
2004e75d35 package/xserver_xorg-server: disable unit tests
Fixes:
 - http://autobuild.buildroot.org/results/95a5004c9245f1f90758631b02e17d3df12812ec

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c41d8ba066)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:26:19 +02:00
Giulio Benetti
89029b28b5 package/civetweb: fix linking failure caused by wrong argument passed to pkg-config
On commit 027a8b29f1 pkg-config has been
added to retrieve OpenSSL dependencies, but it's been passed `libssl`
instead of `openssl`, this makes fail some linking. Indeed we need
OpenSSL dependency, so let's use `openssl` with pkg-config.

Substitute `libssl` with `openssl`.

Fixes:

  http://autobuild.buildroot.net/results/b225425ee237852bd9fee4ca0b8d24f3e37d64f9/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e38641851a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:22:37 +02:00
Giulio Benetti
18f8a9d00c package/civetweb: fix link failure due to missing OpenSSL dependency
During linking one OpenSSL dependecy is missing(-latomic) on linking
library list.

- Substitute explicit library list with `pkg-config libssl` when
  BR2_PACKAGE_OPENSSL is enabled. In such way all needed libraries
  will be included in linking list.

- Add also `host-pkgconf` to CIVETWEB_DEPENDENCIES if
  BR2_PACKAGE_OPENSSL is enabled to make it available for previous
  point.

Fixes:

  http://autobuild.buildroot.net/results/b2e210bdefe84f4ec9cfda79a33d81788fb7e66c/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 027a8b29f1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:22:26 +02:00
Fabrice Fontaine
bc70d3b66d package/tor: fix static build with openssl and atomic
Update patch so -latomic (provided in LIBS) is added after openssl libs
(provided in $3)

Fixes:
 - http://autobuild.buildroot.org/results/4b90b7d02e354ebf3d8f95023547bf4a18e0165e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 73c04d9448)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:21:35 +02:00
Peter Korsgaard
0341ab3a75 package/tpm2-tss: add upstream patch to drop hardcoded -lgcrypt from tss2-esys.pc
tss2-esys.pc contains a hardcoded -lgcrypt even though the openssl crypto
backend (as in Buildroot) may be used, leading to linker errors when using
esys.

Given that tpm2-tss doesn't allow static linking, there is no need to
explicitly list the crypto library dependency.

Cherry pick an upstream patch to fix this.  Notice that the upstream patch
also changes the default crypto backend to openssl.  As this isn't stricly
needed (we explicitly configure for openssl) and requires autoreconv, drop
the configure.ac hunk from the patch.

https://github.com/tpm2-software/tpm2-tss/pull/1173

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 55c4f7ca4b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:20:34 +02:00
Peter Korsgaard
650c2a5dcf package/tpm2-tools: license is 3c BSD, not 2c
The license contains the "no endorsement" clause, so it should be listed as
BSD-3-Clause:

  * Neither the name of Intel Corporation nor the names of its contributors
    may be used to endorse or promote products derived from this software
    without specific prior written permission.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 92c7310d5b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:19:37 +02:00
Giulio Benetti
3db5c4ebb2 package/android-tools: host-android-tools need pkg-conf
Host version of this package needs pkg-conf the same way as target
package: for Makefiles library dependencies retrieving.

Fixes:

  http://autobuild.buildroot.net/results/8543eb3815a67747349a2e60654d19b9804a3a89/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8bd63b0b4a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:18:44 +02:00
Giulio Benetti
a0260950e8 package/android-tools: fix static linking failure due to OpenSSL dependencies
When static linking some dependency library can be missing
(i.e. -latomic for -lcrypto) on linking libraries list. This is
because when static linking libraries dependencies are not
transparently linked into binary.

To avoid moving libraries before/after one another or add new ones
that are not needed at all in the dynamic linking case, we use `pkg-config --libs
LIBRARY` where LIBRARY is the library we "probe" for its existence and
dependency.

In this commit, we:

- Remove 0005-fix-static-link-zlib.patch where -lcrypto and -lz were
  swapped, as it is no longer needed thanks to the following point.

- Replace it with 0005-Use-pkgconf-to-get-libs-deps.patch where
  -lcrypto has been substituted with `pkg-config --libs libcrypto`

- Add host-pkgconf to ANDROID_TOOLS_DEPENDENCIES

Fixes:

  http://autobuild.buildroot.net/results/d3d6679cfc8afe4467368bd3d31483172c1032de/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e4f77a2e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:18:35 +02:00
Anisse Astier
34cb21a209 DEVELOPERS: monitor pkg-golang.mk
Signed-off-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 89e5632c8d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:16:51 +02:00
Christian Stewart
1582640b18 DEVELOPERS: add Christian Stewart for package/pkg-golang
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4f2431fd9c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:16:43 +02:00
Sørensen, Stefan
5eee309aeb package/gnutls: security bump to 3.6.7.1
Fixes the following security issues:

 * CVE-2019-3836: It was discovered in gnutls before version 3.6.7 upstream
   that there is an uninitialized pointer access in gnutls versions 3.6.3 or
   later which can be triggered by certain post-handshake messages

 * CVE-2019-3829: A vulnerability was found in gnutls versions from 3.5.8
   before 3.6.7. A memory corruption (double free) vulnerability in the
   certificate verification API. Any client or server application that
   verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.

3.6.7.1 is identical to 3.6.7, but fixes a packaging issue in the release
tarball:

https://lists.gnutls.org/pipermail/gnutls-devel/2019-April/013086.html

HTTP URLs changed to HTTPS in COPYING, so update license hash.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1dd5576ccb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:16:27 +02:00
Peter Korsgaard
eef631fe89 package/docker-cli: bump to version v18.09.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 426103703d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:14:15 +02:00
Peter Korsgaard
55688518cb package/docker-engine: bump to version v18.09.4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 37371ff4f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:14:08 +02:00
Peter Korsgaard
b642a660c5 package/docker-containerd: refer to official website
Containerd is no longer maintained under the docker github project and now
has an official website, so refer to that in the help text.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 638504bcdf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:13:59 +02:00
Peter Korsgaard
e562f33a9d package/docker-containerd: bump version to v1.2.5
Contains a number of bugfixes. For more details, see the announcement:

https://github.com/containerd/containerd/releases/tag/v1.2.5

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 20af865354)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:13:38 +02:00
Peter Korsgaard
4b57a7161b Revert "runc: depend on linux headers >= 3.11 for O_TMPFILE"
This reverts commit 905e976a6a.

With the bump to 1.0.0-rc7, runc no longer needs O_TMPFILE.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4b13a21692)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:12:07 +02:00
Peter Korsgaard
a0ab62a737 Revert "package/runc: blacklist Codesourcery ARM toolchain"
This reverts commit ce76a98902.

With the bump to 1.0.0-rc7, runc no longer needs O_TMPFILE.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 18fb2167f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:09:14 +02:00
Peter Korsgaard
8c5de3f841 package/runc: bump to version 1.0.0-rc7
This includes an improved fix for CVE-2019-5736 without the ~10MB memory
overhead per container and with fallback code using mkostemp(3) when
O_TMPFILE isn't available.

For more details, see the announcement:
https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc7

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56f495a078)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 23:09:04 +02:00
Bernd Kuhls
e2825e92a9 package/php: security bump to version 7.3.4
Changelog: https://www.php.net/ChangeLog-7.php#7.3.4

Fixes these bugs, CVE-ID were not assigned yet:

    Fixed bug  (Heap-buffer-overflow in php_ifd_get32s).
    Fixed bug  (Heap-buffer-overflow in exif_iif_add_value).

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 614c1e2edd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:33:22 +02:00
Fabrice Fontaine
3d1cdb23f3 package/numactl: remove unneeded patches
Both patches are already included (a bit earlier in the file) in version
2.0.12, so drop the patches.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0fda716432)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:32:35 +02:00
Peter Korsgaard
a1d6549359 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.0.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ab5fbbd640)
[Peter: drop 5.0.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:31:44 +02:00
Francois Perrad
ea80b3ccbc package/copas: avoid to load module coxpocall with LuaJIT
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4fdbe7f9ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:29:35 +02:00
Christian Stewart
08209c67f4 boot/syslinux: fix build with binutils note gnu property section
Fixes 

This fixes the following build error with newer binutils:

  objcopy -O binary mbr.elf mbr.bin
  perl /build/syslinux/src/syslinux/mbr/checksize.pl mbr.bin
  mbr.bin: too big (452 > 440)

Corresponding bug reports:

 - https://bugs.archlinux.org/task/60405
 - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906414

Strip the .note.gnu.property in the linker scripts for the MBRs.

Signed-off-by: Christian Stewart <christian@paral.in>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0ca17cdc92)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:28:25 +02:00
Francois Perrad
f64a25a099 package/wsapi: update coxpcall dependency
since version 1.7, coxpcall is only required with Lua 5.1

see, https://github.com/keplerproject/wsapi/pull/41

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b7b8a7f3ac)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:27:34 +02:00
Fabrice Fontaine
9b7ef67df9 package/sane-backends: security bump to version 1.0.27
- Switch site to gitlab
- Remove second patch (already in version)
- Use new --{with,without}-usb option
- Add hash for license file
- Fix CVE-2017-6318

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a911b7d229)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:25:13 +02:00
Peter Korsgaard
df9da3c39d package/wget: security bump to version 1.20.3
Fixes CVE-2019-5953: Buffer overflow vulnerability

For more details, see the announcement:
https://lists.gnu.org/archive/html/bug-wget/2019-04/msg00015.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d732da7a20)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:24:42 +02:00
Peter Korsgaard
55a098dc77 fs/common.mk: disable real chown calls in fakeroot
fakeroot by default forwards {f,l,}chown calls to libc and ignores
permission issues, which may cause issues when building in restricted
environments like user namespaces as set up with bubblewrap where a chown
call with a uid/gid not mapped in the user namespace instead returns EINVAL.
This error is not masked by fakeroot and returned to the caller, causing
failures.

There is no real reason to really perform the *chown calls in the context of
Buildroot (as the calls will likely just fail and files are not accessed
outside the fakeroot environment any way).

This forwarding can be disabled by setting the FAKEROOTDONTTRYCHOWN
environment variable, so set it when fakeroot is executed.

Reported-by: Esben Nielsen <nielsen.esben@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 655acd1df0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:23:37 +02:00
Carlos Santos
461465b4ec DEVELOPERS: stop monitoring aer-inject
I left DATACOM and will unlikely have access to the hardware required to
test the package.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c45394c1b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-14 22:23:22 +02:00
Samuel Mendoza-Jonas
7271600bd3 package/make: include patch for gl_lstat support
Include upstream commit 193f1e8 "glob: Do not assume glibc glob
internals". Without this if building glibc with host-make it will fail
with a segfault in make:

>>> glibc glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1 Building
PATH="/scratch/builds/host-make/host/bin:/scratch/builds/host-make/host/sbin:/home/sam/bin:/home/sam/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"  /scratch/builds/host-make/host/bin/host-make -j25  -C /scratch/builds/host-make/build/glibc-glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1/build
/scratch/builds/host-make/host/bin/host-make -r PARALLELMFLAGS="" -C /scratch/builds/host-make/build/glibc-glibc-2.28-69-g1e5c5303a522764d7e9d2302a60e4a32cdb902f1 objdir=`pwd` all
Segmentation fault (core dumped)

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a07f69c817)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-06 09:14:37 +02:00
Carlos Santos
f7864e4e6e DEVELOPERS: use my personal email address
The current address will soon become invalid so drop it before the
messages start bouncing.

Change-Id: If631cedcaaa55d927d99b18ff299324e9d439cb0

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c2387c9604)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:49:28 +02:00
Peter Korsgaard
6bdad8417d utils/getdeveloperlib.py: print warnings/errors to stderr
Instead of stdout where it gets mixed with the normal output, confusing
software parsing the output (E.G. get-developers -e as git sendemail.ccCmd).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 83f82bd67a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:48:36 +02:00
Peter Korsgaard
17e2e102dc package/tpm2-tools: drop unused dbus / libglib2 dependencies
tpm2-tools does not need dbus or libglib2, so remove them and the
corresponding toolchain dependencies.

The confusion may have come from the upstream travis configuration, which
also builds tpm2-abrmd (which uses dbus+libglib2).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f63a58c350)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:48:29 +02:00
Peter Korsgaard
c0b8ab6dae package/tpm2-tools: bump version to 3.1.4
Fixes a number of issues discovered post-3.1.3, including a completely
broken -T option handling.  For details, see:
https://github.com/tpm2-software/tpm2-tools/releases/tag/3.1.4

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b7a36629d6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:47:22 +02:00
Peter Korsgaard
0050961283 package/tpm2-tss: bump version to 2.1.2
Fixes a number of issues discovered post-2.1.1. For details, see:
https://github.com/tpm2-software/tpm2-tss/releases/tag/2.1.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2c47079d38)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:47:03 +02:00
Peter Korsgaard
2fc6b8ad5f package/webkitgtk: bump version to 2.22.7
2.22.7 contains a number of bugfixes. From the announcement:

 - Fix rendering of glyphs in Hebrew (and possibly other languages) when
   Unicode NFC normalization is used.

 - Fix several crashes and race conditions.

https://webkitgtk.org/2019/03/01/webkitgtk2.22.7-released.html

Change SITE to https as the webserver uses HSTS.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d484ba63b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:45:59 +02:00
Peter Korsgaard
78c2b9252b package/libfuse: bump version to 2.9.9
Contains a number of fixes for issues discovered post-2.9.8.  From the
release notes:

- Fixed readdir bug when non-zero offsets are given to filler and the
  filesystem client, after reading a whole directory, re-reads it from a
  non-zero offset e.g.  by calling seekdir followed by readdir.

https://github.com/libfuse/libfuse/releases/tag/fuse-2.9.9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3b6d842fea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:33:02 +02:00
Peter Korsgaard
d09d5a8411 package/libfuse: only install udev rules if (e)udev is enabled
No point in installing udev rules if nothing will use it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4cba22bbfa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:32:46 +02:00
Norbert Lange
4c5958664e package/libfuse: Install udev rules and set permissions
This fixes some omissions from the installation.

Install the udev rules.

Tell buildroot about the fuse device.

Apply setuid permissions on the fusermount tool.

Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ea62ff85b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 22:32:39 +02:00
Peter Korsgaard
ef4aa12229 package/go: security bump to version 1.11.6
Fixes the following security vulnerability:

CVE-2019-9741: An issue was discovered in net/http in Go 1.11.5.  CRLF
injection is possible if the attacker controls a url parameter, as
demonstrated by the second argument to http.NewRequest with \r\n followed by
an HTTP header or a Redis command.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 21:56:19 +02:00
Peter Korsgaard
d54047a1e0 package/wget: security bump to version 1.20.2
From NEWS:

* Changes in Wget 1.20.2
** Fixed a buffer overflow vulnerability

For more details, see the announcement:
https://lists.gnu.org/archive/html/info-gnu/2019-04/msg00000.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c21d440c8a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:43:49 +02:00
Peter Korsgaard
9f1a21a29c package/apache: security bump to version 2.4.39
Fixes the following security vulnerabilities:

  *) SECURITY: CVE-2019-0197 (cve.mitre.org)
     mod_http2: fixes a possible crash when HTTP/2 was enabled for a http:
     host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
     request from http/1.1 to http/2 that was not the first request on a
     connection could lead to a misconfiguration and crash. Servers that
     never enabled the h2 protocol or only enabled it for https: and
     did not set "H2Upgrade on" are unaffected by this issue.
     [Stefan Eissing]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparision when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0211 (cve.mitre.org)
     MPMs unix: Fix a local priviledge escalation vulnerability by not
     maintaining each child's listener bucket number in the scoreboard,
     preventing unprivileged code like scripts run by/on the server (e.g. via
     mod_php) from modifying it persistently to abuse the priviledged main
     process.  [Charles Fol <folcharles gmail.com>, Yann Ylavic]

  *) SECURITY: CVE-2019-0196 (cve.mitre.org)
     mod_http2: using fuzzed network input, the http/2 request
     handling could be made to access freed memory in string
     comparision when determining the method of a request and
     thus process the request incorrectly. [Stefan Eissing]

  *) SECURITY: CVE-2019-0217 (cve.mitre.org)
     mod_auth_digest: Fix a race condition checking user credentials which
     could allow a user with valid credentials to impersonate another,
     under a threaded MPM.  PR 63124.  [Simon Kappel <simon.kappel axis.com>]

  *) SECURITY: CVE-2019-0215 (cve.mitre.org)
     mod_ssl: Fix access control bypass for per-location/per-dir client
     certificate verification in TLSv1.3.

  *) SECURITY: CVE-2019-0220 (cve.mitre.org)
     Merge consecutive slashes in URL's. Opt-out with
     `MergeSlashes OFF`. [Eric Covener]

For more details, see the CHANGES file:
https://www.apache.org/dist/httpd/CHANGES_2.4.39

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 556ad6c25b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:43:16 +02:00
Max Filippov
5a40c0126c package/binutils: fix loops relaxation in xtensa gas
Loop relaxation logic in xtensa gas may produce code in which LEND
register doesn't match actual zero overhead loop end. Fix relaxation
code so that it produces a literal or a pair of const16 instructions
with associated relocation record that works correctly in the presence
of other relaxations. This fixes crash in X11 server caused by window
movement.

Loop relaxation has limited of 32K range, this fix removes this
limitation.

Fixes:
http://autobuild.buildroot.net/results/e05522ce540f4ac23f9a3a8fec724694d9a23101/

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 2.32 patch]
(cherry picked from commit 197b5f9d1c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:42:41 +02:00
Fabrice Fontaine
e0f8bcf2dc package/gerbera: fix static build with openssl
Fixes:
 - http://autobuild.buildroot.org/results/10098c8972725d54b717ddc8ea41f4de5e5b066d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 38730bfdf6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-04-05 17:41:31 +02:00