Commit Graph

45223 Commits

Author SHA1 Message Date
Peter Korsgaard
d74dfcc913 package/busybox/udhcpc.script: fix domain search comment
The domain search option is from RFC3397, not RFC3359 (which is about TLV
codepoints), so fix that.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 67a52f6fc9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:33:10 +02:00
Alexey Brodkin
1ee3ea40c9 busybox: Enable domain search list support in udhcpc
This is useful in networks with internal resources as it allows
to use much shorter names.

E.g. instead of "server.internal.company.com" it's possible
to use just "server" if DHCP server is configured with:
---------------------------->8-----------------------
option domain-search "internal.company.com";
---------------------------->8-----------------------

This improvement consists of 2 parts:

1. Enable handling of RFC3397 so DHCP client is ready for processing
   corresponding data from DHCP server.

2. Some DHCP servers always send out search list if it is set in server's
   configuration and some servers only provide search list if client
   asks for that (sending list of options it expects to get).

   And exactly for those stubborn DHCP servers we need to add "-O search"
   to udhcp's command line via CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS.

Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Cc: Ignacy Gawedzki <ignacy.gawedzki@green-communications.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 80291c3e9c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:31:56 +02:00
Fabrice Fontaine
ad22667c10 package/elfutils: fix build with glibc < 2.16
Fixes:
 - autobuild.buildroot.net/results/1053e2b4b51bc225c4a1a29c93946101a7a53be9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dde53fd59e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:29:19 +02:00
Fabrice Fontaine
667d5cb73d package/elfutils: security bump to version 0.176
Fixes CVE-2018-18310: An invalid memory address dereference was
discovered in dwfl_segment_report_module.c in libdwfl in elfutils
through v0.174. The vulnerability allows attackers to cause a denial of
service (application crash) with a crafted ELF file, as demonstrated by
consider_notes.

Fixes CVE-2018-18520: An Invalid Memory Address Dereference exists in
the function elf_end in libelf in elfutils through v0.174. Although
eu-size is intended to support ar files inside ar files,
handle_ar in size.c closes the outer ar file before handling all inner
entries. The vulnerability allows attackers to cause a denial of service
(application crash) with a crafted ELF file.

Fixes CVE-2018-18521: Divide-by-zero vulnerabilities in the function
arlib_add_symbols() in arlib.c in elfutils 0.174 allow remote attackers
to cause a denial of service (application crash) with a crafted ELF
file, as demonstrated by eu-ranlib, because a zero sh_entsize is
mishandled.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 725531fc32)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:29:09 +02:00
Giulio Benetti
0701c33e7a package/prboom: work around gcc bug 85180
With Microblaze Gcc version < 8.x the build hangs due to gcc bug
85180: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180. The bug
shows up when building prboom with optimization but not when building
with -O0. To work around this, if BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y we
force using -O0.

Fixes:
http://autobuild.buildroot.net/results/e72/e72a2070ab7e9a093c3c70002ee94ee57a6154f6/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 801c83da19)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:27:03 +02:00
Giulio Benetti
010c898226 package/prboom: avoid using hardcoded optimization flags
Package prboom builds using -O2 flag ignoring Buildroot settings, this
is due to the fact that -O2 is appended at the end of compiler flags.

Remove -O2 from 'configure.ac' file and set PRBOOM_AUTORECONF to YES,
this way CFLAGS_OPTS will contain Buildroot TARGET_CFLAGS.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 34bcc4c6b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:26:55 +02:00
Giulio Benetti
c5616fc1f0 package/qt5/qt5base: build with correct optimization
Qt5 has predefined optimization flags depending if you're building for
size, for debug etc. These flags are defined in
mkspecs/common/gcc-base.conf:

QMAKE_CFLAGS_OPTIMIZE      = -O2
QMAKE_CFLAGS_OPTIMIZE_FULL = -O3
QMAKE_CFLAGS_OPTIMIZE_DEBUG = -Og
QMAKE_CFLAGS_OPTIMIZE_SIZE = -Os

Then, in common/features/default_post.prf, they add those flags to
QMAKE_CFLAGS_RELEASE/QMAKE_CXXFLAGS_RELEASE depending on various build
options (optimize_size, optimize_full, optimize_debug):

optimize_size {
    !isEmpty(QMAKE_CFLAGS_OPTIMIZE):!isEmpty(QMAKE_CFLAGS_OPTIMIZE_SIZE)  {
        QMAKE_CFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
        QMAKE_CXXFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
        QMAKE_CFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_SIZE
        QMAKE_CXXFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_SIZE
    }
} else: optimize_full {
    !isEmpty(QMAKE_CFLAGS_OPTIMIZE):!isEmpty(QMAKE_CFLAGS_OPTIMIZE_FULL)  {
        QMAKE_CFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
        QMAKE_CXXFLAGS_RELEASE -= $$QMAKE_CFLAGS_OPTIMIZE
        QMAKE_CFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_FULL
        QMAKE_CXXFLAGS_RELEASE += $$QMAKE_CFLAGS_OPTIMIZE_FULL
    }
}

Since this default_post.prf is included *after* our qmake.conf file,
these flags override our optimizations flags, which is not good.

However, our qmake.conf file is included *after* gcc-base.conf, so we
can simply reset those variables to have the empty value, and our
optimization flags will be used.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Thomas: completely change the approach, by simply resetting the
QMAKE_CFLAGS_OPTIMIZE_* variables in qmake.conf]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 7c0aa83527)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:39:01 +02:00
Giulio Benetti
269e14f89f package/qt5/qt5base: drop wrong optimization flag
In qmake.conf.in has been left 'QMAKE_CXXFLAGS_RELEASE += -O3' but this
leads to not use Buildroot CXXFLAGS when building in release
mode(without debugging symbols). So let's remove it to let Qt5 to follow
Buildroot optimization flags like other packages do.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0650c4c7a3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:35:12 +02:00
Alexandre PAYEN
b096a2ae06 package/python-numpy: fix run-time failure with clapack
The numpy build system attempts to find lapack/blas at build time. It
tries a lot of different implementations, e.g. lapack, openblas, atlas,
... It is possible to help this automatic discovery by specifying
libraries to load in site.cfg and/or by setting environment variables
BLAS and LAPACK.

Unfortunately, the build system's logic is really hard to understand and
it's fragile. For example, regardless of what is specified as libraries
to load, it *will* try to find libblas.so and liblapack.so. However,
when something is specified explicitly in site.cfg, it will use a
different code path.

It turns out that when we specified the blas and lapack libraries
explicitly, as is done now, the build system logic will assume (without
checking) that cblas is used. This causes calls to cblas_* to be linked
in - again without checking, because numpy contains a copy of the header
and it uses dlopen to load it. clapack, however, does *not* provide
cblas (although it does provide a library libblas.so, but no
libcblas.so). Therefore, when importing numpy at runtime, we get an
error like:

ImportError: /usr/lib/python3.7/site-packages/numpy/core/_multiarray_umath.cpython-37m-arm-linux-gnueabihf.so: undefined symbol: cblas_sgemm

The initial attempt to fix this added cblas to the libraries. This
happens to work because apparently the entire libraries line is ignored
when a non-existing library is added to it (remember, clapack does not
provide libcblas).

Another attempt was to set BLAS=None in the environment. This didn't
have any effect. Setting both BLAS=None and LAPACK=None does disable
lapack and blas, but then we don't use clapack at all.

In fact, it is not necessary to provide a libraries line at all: the
build system will attempt to find liblapack, libblas and libcblas
without any help.

Therefore, remove the libraries line from site.cfg and remove
PYTHON_NUMPY_SITE_CFG_LIBS.

Note that the paths to staging's /usr/include and /usr/lib need to be
specified explicitly. Indeed, the numpy build system doesn't use the
compiler to check the presence/absence of includes and libraries; it
searches the paths itself. It also hardcodes paths to /usr/lib etc, but
this is something that will be tackled in a separate commit.

Note that there is another problem: both lapack and clapack provide
libblas.so and liblapack.so. This will be handled in a later commit.

Also, openblas provides a cblas implementation in libopenblas.so, so
there should be a dependency on openblas to make sure numpy can find it.
This part is not entirely clear yet, so it will also be handled in a
separate commit.

Runtime testing is essential to be able to track this kind of issue, so
that is something that will be added in a separate commit as well.

Fixes:
http://lists.busybox.net/pipermail/buildroot/2019-June/252380.html

Initial patch from Giulio Benetti :
[v1] http://patchwork.ozlabs.org/patch/1100100/
[v2] http://patchwork.ozlabs.org/patch/1100208/

Signed-off-by: Alexandre PAYEN <alexandre.payen@smile.fr>
Cc: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 4c2b6978f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:30:20 +02:00
Fabrice Fontaine
ec29b6b180 package/vte: needs host-intltool
Fixes:
 - http://autobuild.buildroot.org/results/30a8032ebba5a30bacd321c407a1d0734fadf757

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 82fc6379f0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:17:41 +02:00
Peter Korsgaard
d13cc2b4f2 package/imagemagick: fix host build for old distributions
Fixes:
http://autobuild.buildroot.net/results/5f0/5f0b85033e800c9eebc46812592966ec6826bb5d/

imagemagick uses clock_gettime, which was provided by librt rather than libc
in glibc < 2.17 - Causing link errors.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 273427f928)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:07:32 +02:00
Arnout Vandecappelle (Essensium/Mind)
419af2f0ca package/Config.in: remove double /
Detected by check-package, which gets confused by it.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 651524db3a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 23:05:57 +02:00
Titouan Christophe
dee9e6800a package/mosquitto: fix typo in Config.in
Introduced in ea989ad2b2

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 22f3c69149)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-29 22:56:16 +02:00
Peter Korsgaard
86f86a724b package/python3-urllib: security bump to version 1.24.3
Fixes the following security vulnerability:

CVE-2019-9740: An issue was discovered in urllib2 in Python 2.x through
2.7.16 and urllib in Python 3.x through 3.7.3.  CRLF injection is possible
if the attacker controls a url parameter, as demonstrated by the first
argument to urllib.request.urlopen with \r\n (specifically in the query
string after a ?  character) followed by an HTTP header or a Redis command.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-28 17:14:40 +02:00
Arnout Vandecappelle (Essensium/Mind)
99468e399d package/quagga: fix static linking with getopt
quagga has its own copy of getopt_long() instead of using the system's,
and this copy also defines the opterr and optind variables. Obviously,
this is only apparent when linking statically.

This problem can easily be avoided by making sure that getopt() itself
is defined too. This way, there is no reason any more to pull in libc's
getopt() and the corresponding definitions of opterr and optind. Note
that getopt() itself is pulled in by netsnmp, not by quagga itself.

Fortunately, there's a REALLY_NEED_PLAIN_GETOPT flag that we can define
to make sure getopt() does get built by quagga. We can safely do this
unconditionally (instead of only when BR2_PACKAGE_QUAGGA_SNMP and
BR2_STATIC_LIBS are enabled): without netsnmp, getopt() will simply not
be used, and with dynamic libs there's no risk of conflicts anyway.

Fixes:
http://autobuild.buildroot.net/results/0ac598c2259a8d7e8b72d4e8ed95079675b31b84

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d7215f2bbb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-22 17:32:27 +02:00
Bernd Kuhls
3d140b8702 package/php: security bump version to 7.3.8
Release notes: https://www.php.net/ChangeLog-7.php#7.3.8

Fixes CVE-2019-11042 & CVE-2019-11041

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b9833c6f52)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-22 17:29:07 +02:00
Fabrice Fontaine
0211f1b83e package/cloop: needs _GNU_SOURCE
host-cloop needs _GNU_SOURCE for loff_t otherwise build fails with gcc
8.3.0 on:
extract_compressed_fs.c: In function 'main':
extract_compressed_fs.c:55:2: error: unknown type name 'loff_t'; did you mean 'off_t'?
  loff_t *offsets;

Fixes:
 - No autobuilder failures

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit edf97df877)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-21 14:41:50 +02:00
Vincent Stehlé
6fee778121 qemu: fix host virtfs option
Fix the build of host-qemu with virtfs enabled: fix a typo in makefile
conditional and add a dependency on host-libcap as that is a dependency of
virtfs support:

    if test "$virtfs" != no && test "$cap" = yes && test "$attr" = yes ; then
      virtfs=yes

The virtfs configuration option was added by commit e0f49e6484
("package/qemu: add option to enable virtual filesystem in host qemu").

Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 499dfc9410)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-21 14:37:19 +02:00
Peter Korsgaard
64a9777ef1 package/python-django: security bump to version 2.1.11
Fixes the following security issues:

CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator

If django.utils.text.Truncator's chars() and words() methods were passed the
html=True argument, they were extremely slow to evaluate certain inputs due
to a catastrophic backtracking vulnerability in a regular expression.  The
chars() and words() methods are used to implement the truncatechars_html and
truncatewords_html template filters, which were thus vulnerable.

The regular expressions used by Truncator have been simplified in order to
avoid potential backtracking issues.  As a consequence, trailing punctuation
may now at times be included in the truncated output.

CVE-2019-14233: Denial-of-service possibility in strip_tags()

Due to the behavior of the underlying HTMLParser,
django.utils.html.strip_tags() would be extremely slow to evaluate certain
inputs containing large sequences of nested incomplete HTML entities.  The
strip_tags() method is used to implement the corresponding striptags
template filter, which was thus also vulnerable.

strip_tags() now avoids recursive calls to HTMLParser when progress removing
tags, but necessarily incomplete HTML entities, stops being made.

Remember that absolutely NO guarantee is provided about the results of
strip_tags() being HTML safe.  So NEVER mark safe the result of a
strip_tags() call without escaping it first, for example with
django.utils.html.escape().

CVE-2019-14234: SQL injection possibility in key and index lookups for
JSONField/HStoreField

Key and index lookups for django.contrib.postgres.fields.JSONField and key
lookups for django.contrib.postgres.fields.HStoreField were subject to SQL
injection, using a suitably crafted dictionary, with dictionary expansion,
as the **kwargs passed to QuerySet.filter().

CVE-2019-14235: Potential memory exhaustion in
django.utils.encoding.uri_to_iri()

If passed certain inputs, django.utils.encoding.uri_to_iri could lead to
significant memory usage due to excessive recursion when re-percent-encoding
invalid UTF-8 octet sequences.

uri_to_iri() now avoids recursion when re-percent-encoding invalid UTF-8
octet sequences.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-21 14:28:07 +02:00
Thomas Petazzoni
996994f8f2 package/webkitgtk: remove upstreamed patch
The bump of webkitgtk to 2.24.3 in commit
3ff05d9094 forgot to drop a patch that
was upstreamed, and is now part of 2.24.3, causing a build failure, so
let's drop this patch.

Fixes:

  http://autobuild.buildroot.net/results/4d7bffd20344f06ca719b7c8083b81053b255aa5/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d069301d63)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 23:52:05 +02:00
Giulio Benetti
9be0bf7c97 package/git: work around gcc bug 85180
With Microblaze Gcc version < 8.x the build hangs due to gcc bug
85180: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180. The bug
shows up when building git with optimization but not when building with
-O0. To work around this, if BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y we force
using -O0.

Fixes:

  http://autobuild.buildroot.net/results/7ad/7adff001631053ae5a3cb3e176d321f6a2d3cceb/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7c7c0e4406)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 21:22:41 +02:00
Giulio Benetti
dfced0ad88 package/proj: fix build failure due to gcc bug 68485
The proj package exhibits gcc bug 68485 when built for the Microblaze
architecture with optimization enabled, which causes a build failure.

As done for other packages in Buildroot work around this gcc bug by
setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y.

Fixes:

http://autobuild.buildroot.net/results/e61/e61bd55067071415223e523a81de3c2e9cafea6f/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Tested-by: Zoltan Gyarmati <zgyarmati@zgyarmati.de>
Acked-by: Zoltan Gyarmati <zgyarmati@zgyarmati.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c99665cde7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 21:20:59 +02:00
Fabrice Fontaine
155161e1f0 package/libgtk3: fix build with NLS
Fixes:
 - No autobuilder failures yet

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 360cf8f0fd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:42:29 +02:00
Peter Korsgaard
c2db88cc17 package/subversion: security bump to version 1.9.12
Fixes the following security issues:

CVE-2018-11782: Remotely triggerable DoS vulnerability in svnserve
'get-deleted-rev'
https://subversion.apache.org/security/CVE-2018-11782-advisory.txt

CVE-2019-0203: Remote unauthenticated denial-of-service in Subversion
svnserve
https://subversion.apache.org/security/CVE-2019-0203-advisory.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7695a02244)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:38:57 +02:00
Fabrice Fontaine
0d32dfa9b3 package/gtkperf: add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2d734349a6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:35:54 +02:00
Fabrice Fontaine
0c354c3503 package/gtkperf: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/747469b359dd05cfa05b4295958f8a8175166cfe

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ae337151ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:35:50 +02:00
Giulio Benetti
c37f0e4210 package/libnss: use correct CFLAGS and LDFLAGS
Currently libnss is configured with BUILD_OPT=1 and due to that that
it doesn't take into account Buildroot TARGET_CFLAGS nor
TARGET_LDFLAGS resulting in pre-chosen optimizations and debugging
symbols being used.

We can't pass TARGET_CFLAGS through CFLAGS or similar otherwise other
internal libnss one will be overwritten (i.e. -fPIC), so we prefer to
append TARGET_CFLAGS at the end of Linux.mk as well as TARGET_LDFLAGS
according to internal libnss Makefile system's names. And obviously
remove BUILD_OPT=1 from BUILD_VARS.

This reveals hidden bugs when building with -Os due to bogus
uninitialized warnings from gcc turned into errors because of -Werror,
so we explicitly pass NSS_ENABLE_WERROR=0 to avoid the use of -Werror.

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
[Thomas: drop the libnss patches, and pass NSS_ENABLE_WERROR instead]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit 5e787b0014)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:34:13 +02:00
Fabrice Fontaine
adbfa7ba0c package/libshout: move site to https
Move site from http to https as HTTP URL now returns
"301 Moved Permanently"

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e7609a80b6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:31:55 +02:00
Fabrice Fontaine
8b56fa79cb package/expect: bump to version 5.45.4
* exp_inter.c: [https://sourceforge.net/p/expect/patches/22/]
Fix interact bug - handle reads of 0 length on
non-blocking channels by explicitly checking if the channel
is non-blocking. Fix by Jack Bates.

* expect.c: [https://sourceforge.net/p/expect/patches/21/]
Fix eof bug introduced with previous bug fix - ensure that data
received just before an eof is processed. Fix by Sergei Golovan.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6fffbffb6f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:30:04 +02:00
Yann E. MORIN
2caf7dbab8 package/qt5: change upstream location
Upstream pushes their delivery archives in to places:
    https://download.qt.io/official_releases/
    https://download.qt.io/archive/

After a while, only the latter remains, whith the former being pruned
actively to contain only officially supported versions.

Switch to using the archive location, as it has everything, even the
latest versions.

Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 675d38dd65)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:28:35 +02:00
Peter Korsgaard
cb46d24784 package/xen: security bump to version 4.11.2
The 4.11.2 release brings a large number of fixes:

https://xenproject.org/downloads/xen-project-archives/xen-project-4-11-series/xen-project-4-11-2/

Including a number of security fixes:

XSA-284: grant table transfer issues on large hosts
XSA-285: race with pass-through device hotplug
XSA-287: x86: steal_page violates page_struct access discipline
XSA-288: x86: Inconsistent PV IOMMU discipline
XSA-290: missing preemption in x86 PV page table unvalidation
XSA-291: x86/PV: page type reference counting issue with failed IOMMU update
XSA-292: x86: insufficient TLB flushing when using PCID
XSA-293: x86: PV kernel context switch corruption
XSA-294: x86 shadow: Insufficient TLB flushing when using PCID
XSA-295: Unlimited Arm Atomics Operations
XSA-297: Microarchitectural Data Sampling speculative side channel

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2905569284)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 16:27:34 +02:00
Peter Korsgaard
14aab69703 package/asterisk: security bump to version 16.4.1
Fixes the following security issues:

CVE-2019-12827: A specially crafted SIP in-dialog MESSAGE message can cause
Asterisk to crash:

https://downloads.asterisk.org/pub/security/AST-2019-002.html

CVE-2019-13161: When T.38 faxing is done in Asterisk a T.38 reinvite may be
sent to an endpoint to switch it to T.38.  If the endpoint responds with an
improperly formatted SDP answer including both a T.38 UDPTL stream and an
audio or video stream containing only codecs not allowed on the SIP peer or
user a crash will occur.  The code incorrectly assumes that there will be at
least one common codec when T.38 is also in the SDP answer:

https://downloads.asterisk.org/pub/security/AST-2019-003.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2cb389deca)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 15:55:49 +02:00
Peter Korsgaard
ecfffe3a68 {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{1, 2}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cb60af6002)
[Peter: drop 5.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-20 15:54:43 +02:00
Bernd Kuhls
ca6e89f01d package/exim: security bump to version 4.92.1
Fixes CVE-2019-13917:
http://www.exim.org/static/doc/security/CVE-2019-13917.txt

d185889f47
added new code to "Prebuild the data structure for builtin macros".

This function needs a host-built binary called macro_predef, it depends
on host-berkeleydb, host-pcre and optionally on host-openssl.

With an openssl-enabled exim the host build of macro_predef will fail
if host-openssl is missing:

/usr/bin/gcc -DMACRO_PREDEF macro_predef.c
In file included from hash.h:14,
                 from exim.h:485,
                 from macro_predef.c:11:
sha_ver.h:37:12: fatal error: openssl/ssl.h: No such file or directory

because macro_predef also has the an optional dependency on openssl:
https://github.com/Exim/exim/blob/exim-4.92%2Bfixes/src/src/macro_predef.c#L130

Removed patches applied upstream:
0004: 98913c8ea2
0005: cf3cd30606
0007: 7ea1237c78 (diff-58af16fe62ea674adf1730edc078d175R6243)

Added patch to fix uClibc build.

Added license hash, switched _SITE to https.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1d3fe88d08)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:32:14 +02:00
Bernd Kuhls
e5bf1e4ec2 package/berkeleydb: add host variant
Needed for the upcoming Exim security version bump.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d4ec3c1596)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:31:38 +02:00
Simon Rowe
daba307f15 package/openvmtools: use libtirpc when toolchain has no native RPC
openvmtools detects and uses an external RPC library if RPC is not
supported by the toolchain C library, so let's select package/libtirpc
when necessary.

Signed-off-by: Simon Rowe <simon.rowe@citrix.com>
[Thomas: add missing dependency on libtirpc]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit d006737faa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:28:52 +02:00
Bernd Kuhls
6fbf182cf2 package/proftpd: add upstream security fix for CVE-2019-12815
Added license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 49dac76dec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:26:30 +02:00
Romain Naour
6de4281d56 package/opencv3: allow to use pkg-config while cross-compiling
Since version 3.4.1 [1], opencv disable pkg-config while cross-compiling to
avoid host headers/libraries poisoning.

Due to this, opencv fail to detect ffmpeg, gstreamer and gtk dependencies
even if	the corresponding support is requested by
BR2_PACKAGE_OPENCV3_WITH_{FFMPEG,GSTREAMER,GTK2,GTK3}.

Maybe other dependencies are affected by this issue...

While configuring opencv we can notice the following messages:
"-- OpenCV disables pkg-config to avoid using of host libraries. Consider using PKG_CONFIG_LIBDIR to specify target SYSROOT"
"-- Can't find ffmpeg - 'pkg-config' utility is missing"

As the result ffmpeg and gstreamer are not enabled:
--   Video I/O:
--     FFMPEG:                      NO
--       avcodec:                   NO
--       avformat:                  NO
--       avutil:                    NO
--       swscale:                   NO
--       avresample:                NO
--     GStreamer:                   NO
--     libv4l/libv4l2:              NO
--     v4l/v4l2:                    linux/videodev2.h

We can fixes this by adding a new option OPENCV_ENABLE_PKG_CONFIG=ON

--   Video I/O:
--     FFMPEG:                      YES
--       avcodec:                   YES (ver 58.35.100)
--       avformat:                  YES (ver 58.20.100)
--       avutil:                    YES (ver 56.22.100)
--       swscale:                   YES (ver 5.3.100)
--       avresample:                YES (ver 4.0.0)
--     GStreamer:
--       base:                      YES (ver 1.16.0)
--       video:                     YES (ver 1.16.0)
--       app:                       YES (ver 1.16.0)
--       riff:                      YES (ver 1.16.0)
--       pbutils:                   YES (ver 1.16.0)
--     libv4l/libv4l2:              NO
--     v4l/v4l2:                    linux/videodev2.h

Add host-pkgconf in the dependencies.

If there is a path poisoning issue, it will be detected by the toolchain
paranoid wrapper.

[1] c4f9ff0285

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Samuel Martin <s.martin49@gmail.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 41f5ee957c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:25:36 +02:00
Fabrice Fontaine
5a6b43a24e package/libgtk2: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/20644475a745c04fec4a87c639bd13e4f333805a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 81c126bc8f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:24:35 +02:00
Yann E. MORIN
85fde0b805 boot/arm-trusted-firmware: licensing info is only valid for v1.4
The licensing information, and especially the name of the license file,
is known only for the official v1.4 version. For example, in later
versions, the license file has been renamed.

Since we can't be sure of the licensing information for custom versions,
or for versions from git, define that only for the known v1.4 version.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d1a61703f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:23:31 +02:00
Fabrice Fontaine
573839e6b6 package/dovecot: add linux-pam optional dependency
Fixes:
 - http://autobuild.buildroot.org/results/bba0d54cab164d77caf7161596b22602875a7a85

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9ff28a4410)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:20:51 +02:00
Fabrice Fontaine
d949a95916 package/libvips: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/cd61be84dc9781ea645f7667c2bd29908484692f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b96acd52af)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:20:01 +02:00
Giulio Benetti
629750b0de package/x11r7/xlib_libXfont: work around gcc bug 85180
With Microblaze Gcc version < 8.x the build hangs due to gcc bug
85180: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85180. The bug
shows up when building xlib_libXfont with optimization but not when
building with -O0. To work around this, if
BR2_TOOLCHAIN_HAS_GCC_BUG_85180=y we force using -O0.

Fixes:
http://autobuild.buildroot.net/results/7c6/7c64becbf06a1e00e41b7ddb95dd0c65bf364eb7/

Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6910e723a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:19:07 +02:00
Adam Duskett
65238de101 package/x11r7/xlib_libXfont: add license hash
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit d4aa2b041d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:19:01 +02:00
Pierre-Jean Texier
a2429eee6f package/libcurl: bump to version 7.65.3
A very small fix for the progress meter regression in 7.65.2.

See https://curl.haxx.se/mail/lib-2019-07/0052.html

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3fac250944)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:17:23 +02:00
Pierre-Jean Texier
08639370d5 package/libcurl: bump to version 7.65.2
Contains a number of fixes for issues discovered post-7.65.1.
For details, see full changelog:

https://curl.haxx.se/changes.html#7_65_2

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 28e91cf3a0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:17:21 +02:00
Alex Xu
ce4be55c44 package/python-idna: select unicodedata support in python interpreter
idna requires unicodedata:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "usr/lib/python3.7/site-packages/idna/__init__.py", line 2, in <module>
  File "usr/lib/python3.7/site-packages/idna/core.py", line 3, in <module>
ModuleNotFoundError: No module named 'unicodedata'

Signed-off-by: Alex Xu <alex_y_xu@yahoo.ca>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9177475111)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:14:23 +02:00
Fabrice Fontaine
31781233bb package/connman-gtk: add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 49928a5ff8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:13:01 +02:00
Fabrice Fontaine
4318a8179b package/connman-gtk: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/30b775323b4780b35a163100097952eff232339e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2b4d843daf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:12:59 +02:00
Atharva Lele
bcf15a35cc Makefile: don't export GZIP environment variable
We export GZIP = -n so that GZIP does not record original
name and timestamps. However..

GZIP environment variable is deprecated and soon will not be
supported in future GZIP versions. GZIP suggests the use of a
wrapper to pass options globally but it might be difficult to
implement in Buildroot. For now, we don't export the variable
and fix reproducibility issues per package as they show up in
Autobuilder.

Signed-off-by: Atharva Lele <itsatharva@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d590b37633)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-04 19:10:21 +02:00