As the github repository has changed from github.com/AdoptOpenJDK/ to
github.com/adoptium, both versions are updated in the same patch.
Security fixes
JDK-8256157: Improve bytecode assembly
JDK-8256491: Better HTTP transport
JDK-8258432, CVE-2021-2341: Improve file transfers
JDK-8260453: Improve Font Bounding
JDK-8260960: Signs of jarsigner signing
JDK-8260967, CVE-2021-2369: Better jar file validation
JDK-8262380: Enhance XML processing passes
JDK-8262403: Enhanced data transfer
JDK-8262410: Enhanced rules for zones
JDK-8262477: Enhance String Conclusions
JDK-8262967: Improve Zip file support
JDK-8264066, CVE-2021-2388: Enhance compiler validation
JDK-8264079: Improve abstractions
JDK-8264460: Improve NTLM support
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit baaf71b9bb)
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- pthread_getname_np not available with musl libc, add patch to disable
usage for musl (patch inspired/ported from [1])
Fixes:
- http://autobuild.buildroot.net/results/ed372a4a8e50d9e20be589eeda40c92888d709bc
platform/default/thread.cpp: In function ‘std::string mbgl::platform::getCurrentThreadName()’:
platform/default/thread.cpp:14:5: error: ‘pthread_getname_np’ was not declared in this scope; did you mean ‘pthread_setname_np’?
14 | pthread_getname_np(pthread_self(), name, sizeof(name));
| ^~~~~~~~~~~~~~~~~~
| pthread_setname_np
[1] e64dd67f43/srcpkgs/qt5/patches/0014-musl-set_thread_name_np.patch
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: add uClibc]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 4c8ec58504)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before
1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in
kdc/do_tgs_req.c via a FAST inner body that lacks a server field.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b9646b18bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-33193: A crafted method sent through HTTP/2 will bypass
validation and be forwarded by mod_proxy, which can lead to request
splitting or cache poisoning. This issue affects Apache HTTP Server
2.4.17 to 2.4.48.
https://github.com/apache/httpd/blob/2.4.49/CHANGES
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 868367222b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 148e695e37 (package/kodi: bump version to 19.0-Matrix) extended
the set of required libraries for various "platform" backends, by
selecting those libraries from the blind options. For example, we have:
config BR2_PACKAGE_KODI_PLATFORM_SUPPORTS_GBM
bool
default y
depends on [...]
select BR2_PACKAGE_LIBINPUT
[...]
However, that option is true as soon as the requirements are met (the
depends on), even when Kodi itself is not enabled.
This means that extra libraries are pulled in to the build, even when
not required.
We fix that by moving the actual selects to the main symbol, along with
the proper conditions. This means that we have two lines that select
libxbcommon, under two different conditions; we could make that a single
select, but the condition would need to be on two lines anyway, so meh...
This is not an ideal solution, because it is a bit ugly, but:
1) adding three new blind options just for the select is kinda extreme
and superfluous;
2) our Kodi packaging is already a bit ugly anyway.
Fixes: #14206
Reported-by: Thomas Ruschival <t.ruschival@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
(cherry picked from commit b80c488d04)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure with gcc 4.8 raised since bump to
version 0.6.23 in commit e2f8050976:
exif-gps-ifd.c: In function 'exif_get_gps_tag_info':
exif-gps-ifd.c:62:3: error: 'for' loop initial declarations are only allowed in C99 mode
for (int i = 0; i < sizeof(exif_gps_ifd_tags) / sizeof(ExifGPSIfdTagInfo); ++i) {
^
exif-gps-ifd.c:62:3: note: use option -std=c99 or -std=gnu99 to compile your code
Fixes:
- http://autobuild.buildroot.org/results/7dd222e06d1e6611449fb8fe7516817c9ad43d65
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 039de9a291)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-23437 Raise ValueError if color specifier is too long
- Fix 6-byte OOB read in FliDecode
- Update indentation in hash file (two spaces)
https://github.com/python-pillow/Pillow/releases/tag/8.3.2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a7919e68a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD
Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE:
the vendor's position is "The GD2 image format is a proprietary image
format of libgd. It has to be regarded as being obsolete, and should
only be used for development and testing purposes."
- Drop patch (already in version)
- Update hash of COPYING (duplicate merged and title added with
82d26095056013c7bcf6)
https://github.com/libgd/libgd/releases/tag/gd-2.3.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a052ecb5b8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix several issues found by Covscan in the testsuite. These include:
- CWE-170: String not null terminated (STRING_NULL)
- CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST)
- CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
- CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH)
- CWE-573: Missing varargs init or cleanup (VARARGS)
- CWE-687: Argument cannot be negative (NEGATIVE_RETURNS)
- Update hash of LICENSING due to files being updated with:
44e9eb57b4578271c377
https://github.com/besser82/libxcrypt/blob/v4.4.25/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a071bec0a0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-3770: vim is vulnerable to Heap-based Buffer Overflow
- Update hash of README.txt due to changes not related to license:
f2a44e5c4889a9c159f2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c3198cd414)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-3634: A flaw has been found in libssh in versions prior to
0.9.6. The SSH protocol keeps track of two shared secrets during the
lifetime of the session. One of them is called secret_hash and the other
session_id. Initially, both of them are the same, but after key
re-exchange, previous session_id is kept and used as an input to new
secret_hash. Historically, both of these buffers had shared length
variable, which worked as long as these buffers were same. But the key
re-exchange operation can also change the key exchange method, which can
be based on hash of different size, eventually creating "secret_hash" of
different size than the session_id has. This becomes an issue when the
session_id memory is zeroed or when it is used again during second key
re-exchange.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 88cb451446)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
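The length-tracking problem described in the CVE-2021-3634 text above, as an added example that is not libssh code and not part of the original commit: the struct and the functions kex_install_hash(), kex_free() and wipe() are hypothetical names, and the digests are constructed sample data. Each buffer carries its own length, so a re-exchange that yields a larger hash never causes session_id to be wiped or read with the wrong size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical session state for illustration; not libssh's real layout. */
struct kex_state {
    unsigned char *session_id;  /* set by the first key exchange, then kept */
    size_t session_id_len;      /* tracked separately from secret_hash_len */
    unsigned char *secret_hash; /* replaced on every key (re-)exchange */
    size_t secret_hash_len;
};

/* Zero a buffer through a volatile pointer so the stores are not elided. */
static void wipe(unsigned char *p, size_t len)
{
    volatile unsigned char *v = p;
    while (len--) *v++ = 0;
}

/* Install the hash of a finished key exchange; n depends on the method. */
static int kex_install_hash(struct kex_state *s, const unsigned char *d, size_t n)
{
    unsigned char *hash = malloc(n);
    if (hash == NULL) return -1;
    memcpy(hash, d, n);
    if (s->session_id == NULL) {        /* first exchange only */
        s->session_id = malloc(n);
        if (s->session_id == NULL) { free(hash); return -1; }
        memcpy(s->session_id, d, n);
        s->session_id_len = n;
    }
    if (s->secret_hash != NULL) {       /* re-exchange: drop the old hash */
        wipe(s->secret_hash, s->secret_hash_len);
        free(s->secret_hash);
    }
    s->secret_hash = hash;
    s->secret_hash_len = n;
    return 0;
}

/* Wipe and free each buffer using its own recorded length. */
static void kex_free(struct kex_state *s)
{
    if (s->session_id) { wipe(s->session_id, s->session_id_len); free(s->session_id); }
    if (s->secret_hash) { wipe(s->secret_hash, s->secret_hash_len); free(s->secret_hash); }
    memset(s, 0, sizeof(*s));
}

int main(void)
{
    unsigned char h256[32], h512[64];   /* constructed sample digests */
    struct kex_state s = {0};
    memset(h256, 0xA1, sizeof(h256));
    memset(h512, 0xB2, sizeof(h512));
    if (kex_install_hash(&s, h256, 32) || kex_install_hash(&s, h512, 64))
        return 1;                       /* initial exchange, then re-exchange */
    printf("session_id_len=%zu secret_hash_len=%zu\n", s.session_id_len, s.secret_hash_len);
    kex_free(&s);
    return 0;
}
```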
- Drop patches (already in version)
- Fix some more denial of service (compute time or stack exhaustion)
counter-measures added that avoid minutes of decoding time with
malformed files found by OSS-Fuzz
https://github.com/libexif/libexif/releases/tag/v0.6.23
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e2f8050976)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
protobuf moved from the google org to protocolbuffers in 2018.
There is a redirect but we should use the official url.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 107103ef91)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a7864c4ff4)
[Peter: drop 5.13.x / 5.14.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openjdk needs host gcc >= 4.9 since bump to version 16.0.1+9 in commit
057e27029c and
2a8f92e7e7:
configure: Using gcc BuildC compiler version 4.8.5 [cc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)]
configure: Using gcc BuildC++ compiler version 4.8.5 [g++ (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)]
configure: Using gcc build linker version 2.27 [GNU ld version 2.27-44.base.el7]
[...]
g++: error: unrecognized command line option '-std=c++14'
Add a dependency on host gcc >= 4.9 for the OpenJDK 16 version only, so
that users can still use OpenJDK 11 on older distributions.
Fixes:
- http://autobuild.buildroot.org/results/7072308d148ccb8237180729551df65c87a76f11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: limit the dependency to OpenJDK 16]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0e5a1f7757)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Force relative file path resolution of DEVELOPERS file entries to use
forward-slash separators since pattern matching assumes forward slashes.
This is to help permit uses invoking `get-developers` on platforms where
`os.sep` may not be a forward slash.
Signed-off-by: James Knight <james.d.knight@live.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit eb75d71b80)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix MKIMAGE_ARCH handling to avoid the following build failure:
/home/buildroot/autobuild/instance-0/output-1/build/host-uboot-tools-2021.07/tools/mkimage -C none -A openrisc -T script -d /home/buildroot/autobuild/instance-0/output-1/boot_script.txt /home/buildroot/autobuild/instance-0/output-1/build/host-uboot-tools-2021.07/tools/boot.scr
Invalid architecture, supported are:
alpha Alpha
arc ARC
arm ARM
arm64 AArch64
avr32 AVR32
blackfin Blackfin
ia64 IA64
invalid Invalid ARCH
m68k M68K
microblaze MicroBlaze
mips MIPS
mips64 MIPS 64 Bit
nds32 NDS32
nios2 NIOS II
or1k OpenRISC 1000
powerpc PowerPC
riscv RISC-V
s390 IBM S390
sandbox Sandbox
sh SuperH
sparc SPARC
sparc64 SPARC 64 Bit
x86 Intel x86
x86_64 AMD x86_64
xtensa Xtensa
Strangely enough, we only have autobuilder failures since July 2021 even
as or1k has been used since the addition of openrisc support in 2012:
3ddcaccda3
For x86_64, we incorrectly mangle it to x86.
Finally, the comment about mips64 is wrong: mips64 *is* a valid
architecture, and we anyway had no code to tweak that case.
Fixes:
- http://autobuild.buildroot.org/results/c3f0f2a3fb87d74bfdaccf9b94c66f0b5bae7520
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: extend commit log for mips64 and x86_64]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5e8804d4e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following static build failure on musl which is raised because
the "Check for directory libraries" in configure wrongly adds -DNO_DIR
when no directory library is needed:
/tmp/instance-0/output-1/host/bin/arm-buildroot-linux-musleabihf-gcc -c -D_FILE_OFFSET_BITS=64 -O2 -g0 -static -I. -DUNIX -DUIDGID_NOT_16BIT -DBZIP2_SUPPORT -DLARGE_FILE_SUPPORT -DUNICODE_SUPPORT -DNO_MKTIME -DNO_DIR -DHAVE_DIRENT_H -DHAVE_TERMIOS_H unix/unix.c
unix/unix.c:70:14: error: conflicting types for 'DIR'
70 | typedef FILE DIR;
| ^~~
Fixes:
- http://autobuild.buildroot.org/results/83a6e0c8c4ad026cb0261246e3b1a80d754454bd
Patch not sent upstream since upstream is dead.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ea0a4c610d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
environment-setup uses BASH_SOURCE which is bash specific. For other
shells, this variable is empty, leading to an error message and empty
SDK_PATH.
Zsh uses $0. Unfortunately, POSIX does not specify how exactly $0
should behave when sourced (or when using the special dot utility), so
support for other shells has to be implemented in a different manner.
Signed-off-by: Krzysztof Kanas <kkanas@fastmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 65cee90cc3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the website depends on the webserver being enabled we should
add a config option for it and make the website depend on that.
We should also ensure that the mongoose (webserver) config is present.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 25b0645aa4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This needs to be set properly so that services work correctly.
Enable/disable automatically based on BR2_PACKAGE_SYSTEMD state.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 85062dcefc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This ensures all tools/libraries will be properly installed.
Update SWUPDATE_BUILD_CMDS param ordering for consistency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 08de8f500e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The swupdate services do not depend on
BR2_PACKAGE_SWUPDATE_INSTALL_WEBSITE, so install them unconditionally.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit cbeaef0f95)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In buildroot, stripping for the target is configured and implemented
with the global `BR2_STRIP_strip` option that drives the stripping in
the target-finalize step.
So, we explicitly disable stripping at build time for swupdate.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1833c710ce)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
alsa unconditionally uses seq since version 0.2.90 and
818fb9e904
which will result in the following build failure since commit
a6d88d3ba5:
In file included from ../spa/plugins/alsa/alsa-seq-bridge.c:44:
../spa/plugins/alsa/alsa-seq.h:71:2: error: unknown type name 'snd_seq_addr_t'
71 | snd_seq_addr_t addr;
| ^~~~~~~~~~~~~~
Fixes:
- http://autobuild.buildroot.org/results/65e3a9185b3b84ad78cd05f788f741b8734d2bbc
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 6409ea4c22)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The URL pointing to phytec.de is obsolete and not even used by
Buildroot.
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit fde22d8c77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
sox also provides one or more libraries with headers, so also install
sox to staging.
Signed-off-by: Adrian Amaglio <nainformatique@gresille.org>
[Giulio: reword commit log]
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
- further refine commit log
- move assignment in a more sensible location
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit b6ff11fd9d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
gr-pager (labeled 'gr-flex' in our menuconfig) is not available since
bump to version 3.8.0.0 in commit 0d6a7b2981 (package/gnuradio: bump
to version 3.8.0.0) and upstream commit:
2d2caa205f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5045cab63d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-40346: An integer overflow exists in HAProxy 2.0 through 2.5 in
htx_add_header() that can be exploited to perform an HTTP request smuggling
attack, allowing an attacker to bypass all configured http-request HAProxy
ACLs and possibly other ACLs.
For more details, see the advisory:
https://www.mail-archive.com/haproxy@formilux.org/msg41114.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/4d48694dd5c19ddfc2bdc9639bf26c3182678639/
Git-style patches with renames are not supported by apply-patches.sh on
stable, so regenerate the patch with --no-renames. The header file has
changed post-1.17.2, so rebase the patch on the release to fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip
package, as well as bug fixes to the archive/zip, go/internal/gccgoimporter,
html/template, net/http, and runtime/pprof packages.
https://golang.org/doc/devel/release#go1.16.minor
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1279d2b132)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Explicitly indicate the file encoding to UTF-8 for the DEVELOPERS
document. This prevents Unicode decoding errors when printing E-Mail
entries with Unicode characters on systems using an alternative default
encoding (e.g. 'CP1252').
This corrects the following observed error:
$ ./utils/get-developers outgoing/*
Traceback (most recent call last):
File "utils\get-developers", line 105, in <module>
__main__()
File "utils\get-developers", line 47, in __main__
devs = getdeveloperlib.parse_developers()
File "...\buildroot\utils\getdeveloperlib.py", line 239, in parse_developers
for line in f:
File "...\Python<ver>\lib\encodings\cp1252.py", line 23, in decode
return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x81 in position 6659: character maps to <undefined>
Signed-off-by: James Knight <james.d.knight@live.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9f127cc420)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mosquitto 2.0.12 is a security and bugfix release, notably:
* Fix possible DoS in the broker with MQTTv5
* Fix CVE-2020-13849
* Fix CVE-2021-34434
Read the full announcement on
https://mosquitto.org/blog/2021/08/version-2-0-12-released/
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d333eab3f0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>