Commit Graph

38960 Commits

Author SHA1 Message Date
Peter Korsgaard
40f4191f2a mcookie: correct wrong memset argument
Fixes #10216

Building mcookie generates a warning about possible wrong arguments to
memset:

mcookie.c:207:26: warning: argument to ‘sizeof’ in ‘memset’ call is the same expression
  as the destination; did you mean to dereference it? [-Wsizeof-pointer-memaccess]
     memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */

ctx is a pointer to a structure, so the code should use the size of the
structure and not the size of the pointer when it tries to clear the
structure, similar to how it got fixed upstream back in 2009:

https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git/commit/lib/md5.c?id=6596057175c6ed342dc20e85eae8a42eb29b629f

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:57:19 +01:00
Thomas Petazzoni
6f1c11f79a lz4: install programs as well as libraries
Prior to commit 8ad38a4fc2
("package/lz4: bump version to r131"), the lz4 package was installing
both libraries and programs, but this commit changed the behavior to
only install libraries.

The contributor might have been confused by the fact that the build
command was "$(MAKE) ... -C $(@D) liblz4", suggesting that only the
library was built. But since the install command was "$(MAKE) ... -C
$(@D) install", the programs were effectively built as part of the
install step, and installed as well.

Since it makes sense for lz4 to also installs its programs, this
commit adjusts the package accordingly.

It is worth mentioning that using the "all" target during the build
step is important. Indeed, otherwise the programs/Makefile has a
"default" target that doesn't build everything (especially the lz4c
program) and it end up being built as part of the install step, due to
how the makefile dependencies are handled in the lz4 project. To make
sure that everything gets built during the build step, we explicitly
use the "all" target.

Fixes bug #9996

Reported-by: Jamin Collins <jamin.collins@gmail.com>
Initial-analysis-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:55:43 +01:00
Fabrice Fontaine
bdfb180d58 cjson: bump to version 1.7.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:54:31 +01:00
Fabrice Fontaine
3a2b604169 boinc: bump to version 7.8.5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:54:28 +01:00
Baruch Siach
d5381b820f libsodium: bump to version 1.0.16
Add pgp signature reference.

Cc: Frank Hunleth <fhunleth@troodon-software.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:54:20 +01:00
Baruch Siach
97ec1ddd5a gnupg2: bump to version 2.2.4
Add license hash.

Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:53:56 +01:00
Baruch Siach
bf0f8fae14 libgcrypt: bump to version 1.8.2
Add license hash.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:53:49 +01:00
Baruch Siach
c4e1ca283b e2fsprogs: bump to version 1.43.8
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:53:37 +01:00
Martin Kepplinger
bc8098ebbb tslib: update to 1.15
As usual, https://github.com/kergoth/tslib/releases has the changelog
summary.

This release includes a new plugin "invert" that is being built by
default; so we add that to the list of statically compiled in plugins
for static builds.

Signed-off-by: Martin Kepplinger <martink@posteo.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-12 19:53:00 +01:00
Thomas Petazzoni
84e835ea92 busybox: don't remove S01logging when CONFIG_SYSLOGD is disabled
The current busybox.mk explicitly removes S01logging if CONFIG_SYSLOGD
is disabled in the Busybox configuration. However:

 - This causes the removal of the S01logging script potentially
   installed by another package (currently syslog-ng, rsyslog and
   sysklogd can all install a S01logging script).

 - We generally don't try to clean-up stuff that we may have installed
   in a previous make invocation and that is no longer needed
   following a configuration change.

Fixes bug #10176

Reported-by: Karl Krach <mail@kkrach.de>
Fix-provided-by: Karl Krach <mail@kkrach.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-10 23:03:59 +01:00
Thomas Petazzoni
28d5ca9c96 package/kmsxx: don't install static libraries when BR2_SHARED_STATIC_LIBS=y
The kmsxx build system can only build either shared libraries *or*
static libraries, not both. Therefore, the build currently fails when
BR2_SHARED_STATIC_LIBS=y because we try to install the static
libraries, that haven't been built.

We fix this by not installing the static libraries when
BR2_SHARED_STATIC_LIBS=y, making BR2_SHARED_STATIC_LIBS=y essentially
the same as BR2_SHARED_LIBS=y for this package.

Fixes bug #10331.

Reported-by:  Frederic MATHIEU <frederic.mathieu@dualis.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-10 22:19:14 +01:00
Thomas Petazzoni
054a2f2e49 xfsprogs: fix upstream submission link
The oss.sgi.com mailing list archives are no longer available, point
to spinics.net instead.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-10 21:00:28 +01:00
Thomas Petazzoni
c427ce4d9f package/avahi: fix typo in avahi_tmpfiles.conf
There is an obvious typo in avahi_tmpfiles.conf: avahi-autoipd is
badly spelled.

Fixes bug #10641.

Reported-by: Michael Heinemann <posted@heine.so>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-10 20:53:58 +01:00
Bernd Kuhls
19ab5952fa package/intel-microcode: security bump to version 20180108
Quoting releasenote:

"Intel Processor Microcode Package for Linux
20180108 Release

-- Updates upon 20171117 release --
IVT C0          (06-3e-04:ed) 428->42a
SKL-U/Y D0      (06-4e-03:c0) ba->c2
BDW-U/Y E/F     (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx   (06-45-01:72) 20->21
Crystalwell Cx  (06-46-01:32) 17->18
BDW-H E/G       (06-47-01:22) 17->1b
HSX-EX E0       (06-3f-04:80) 0f->10
SKL-H/S R0      (06-5e-03:36) ba->c2
HSW Cx/Dx       (06-3c-03:32) 22->23
HSX C0          (06-3f-02:6f) 3a->3b
BDX-DE V0/V1    (06-56-02:10) 0f->14
BDX-DE V2       (06-56-03:10) 700000d->7000011
KBL-U/Y H0      (06-8e-09:c0) 62->80
KBL Y0 / CFL D0 (06-8e-0a:c0) 70->80
KBL-H/S B0      (06-9e-09:2a) 5e->80
CFL U0          (06-9e-0a:22) 70->80
CFL B0          (06-9e-0b:02) 72->80
SKX H0          (06-55-04:b7) 2000035->200003c
GLK B0          (06-7a-01:01) 1e->22"

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-10 20:16:34 +01:00
Bernd Kuhls
c425a925b4 package/{mesa3d, mesa3d-headers}: bump version to 17.3.2
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-10 20:15:56 +01:00
Francois Perrad
ae0ffc2f04 configs/olimex_a20_olinuxino_lime*: bump Linux and U-Boot versions
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-10 19:54:41 +01:00
Adrian Perez de Castro
4c5bc08ba3 webkitgtk: security bump to version 2.18.5
This is a maintenance release of the current stable WebKitGTK+ version,
which contains mitigations for CVE-2017-5753 and CVE-2017-5715, the
vulnerabilities known as the "Spectre" attack. It also contains a fix
which allows building the reference documentation with newer gtk-doc
versions.

Release notes can be found in the announcement:

  https://webkitgtk.org/2018/01/10/webkitgtk2.18.5-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-10 19:53:58 +01:00
Fabio Estevam
f932dc9626 linux-headers: bump 4.{4, 9, 14}.x series
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-10 19:53:49 +01:00
Fabio Estevam
b52d8100a0 linux: bump default to version 4.14.13
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-10 19:53:41 +01:00
Evgeniy Didin
c208203618 toolchain: bump ARC prebuild toolchain to arc-2017.09
There might be subtle differences between uClibc configuration
compared to Buildroot's one.

Native RPC now is disabled because uClinc-ng has removed it.

Signed-off-by: Evgeniy Didin <didin@synopsys.com>
Cc: Alexey Brodkin <abrodkin@synopsys.com>
Cc: arc-buildroot@synopsys.com
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-09 10:07:14 +01:00
Thomas Petazzoni
4f4af171d8 python-networkmanager: remove default <pkg>_SOURCE variable
<pkg>-<pkg-version>.tar.gz is the default value, so there's no need to
explicitly specify it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-09 09:47:43 +01:00
Thomas Petazzoni
20dd7b8fa8 daq: remove default <pkg>_SOURCE variable
<pkg>-<pkg-version>.tar.gz is the default value, so there's no need to
explicitly specify it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-09 09:46:47 +01:00
Peter Korsgaard
e7652635fa fs/tar: add option for lz4 compression
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 23:44:08 +01:00
Peter Korsgaard
0952579754 fs/ext2: add option for lz4 compression
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 23:44:04 +01:00
Peter Korsgaard
2c7c71825f fs/cpio: add option for lz4 compression
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 23:44:00 +01:00
Peter Korsgaard
51fa8d8e28 fs/common.mk: support lz4 compression
Similar to the other compressors.  Notice that we use the -l (legacy format)
for Linux kernel initrd compatibility.

Lz4 decompression is supported by the Linux kernel since 3.11.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 23:43:58 +01:00
Arnout Vandecappelle (Essensium/Mind)
390780d562 dependencies: correct dependencies for top-level parallel build
Commit 4932c8a7cc introduced the
core-dependencies target to make sure that the dependencies.sh script
runs before we attempt to compile any host tool, so that the absence of
a compiler is properly detected. However, this relied on the
left-to-right evaluation of dependencies. This will no longer be true
when we enable top-level parallel build.

Fix this by letting DEPENDENCIES_HOST_PREREQ depend on
core-dependencies.

Note that it is not possible to remove the
dependencies <- core-dependencies. Indeed, it is possible that
DEPENDENCIES_HOST_PREREQ is completely empty, and in that case we still
need to check core-dependencies.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 23:37:59 +01:00
Arnout Vandecappelle (Essensium/Mind)
42decc07ce core-dependencies: remove unneeded HOSTCC
dependencies.sh uses HOSTCC_NOCCACHE directly, and this variable is
exported from the top-level Makefile, so there is no need to pass
HOSTCC to it. HOSTCC is not used at all in dependencies.sh.

Thus, we also no longer need to apply the HOSTCC override for
core-dependencies. The core-depencies rule doesn't use HOSTCC or
HOSTCXX.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 23:37:54 +01:00
Olivier Schonken
917de0f732 cups-filters: new package
Signed-off-by: Olivier Schonken <olivier.schonken@gmail.com>
[Thomas:
 - add missing select BR2_PACKAGE_JPEG
 - use jpeg instead of libjpeg
 - sort selects alphabetically
 - fix Config.in comment dependencies.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 23:35:56 +01:00
Olivier Schonken
c93f56d465 libjpeg: add pkg-config file for libjpeg
Signed-off-by: Olivier Schonken <olivier.schonken@gmail.com>
[Thomas: change to automatically set the version in the generated .pc file.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 22:01:04 +01:00
Thomas Petazzoni
06608f7e0b CHANGES: update after removal of source-check
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 21:26:55 +01:00
Maxime Hadjinlian
bf28a165d9 pkg-{download, generic}: remove source-check
This feature is not used by anyone in the core developpers and makes a
drastic simplification of the pkg-download infrastructure harder.

The future patch will move much of what's in the current pkg-download.mk
file into the dl-wrapper which is a shell script.

Signed-off-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 21:25:46 +01:00
Peter Seiderer
4d6b8ea78d libopenssl: do not leak the compiler path (reproducible builds)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 21:06:56 +01:00
Fabrice Fontaine
4fbd28e217 rygel: fix UI build
Add a patch to avoid failing on a configure error if UI example can't be
built if libgtk3 is available but not gst1-plugins-base (gstreamer-video
is only needed for UI example, not for rygel UI)

Fixes:
 - http://autobuild.buildroot.net/results/6c659aadfc418c0a27a93284eb34d75e2b0dc169

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 20:57:25 +01:00
Norbert Lange
d606788935 tcf-agent: disable package for powerpc64
Fails to build, disable powerpc64 until upstream fixed it

Fixes:
  http://autobuild.buildroot.net/results/5088f6efd44ce9b081c2c7825a7005a9cb60799d

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 20:57:25 +01:00
Peter Korsgaard
4f13dc362d asterisk: security bump to version 14.7.5
Fixes the following security issues:

* AST-2017-014: Crash in PJSIP resource when missing a contact header A
  select set of SIP messages create a dialog in Asterisk.  Those SIP
  messages must contain a contact header.  For those messages, if the header
  was not present and using the PJSIP channel driver, it would cause
  Asterisk to crash.  The severity of this vulnerability is somewhat
  mitigated if authentication is enabled.  If authentication is enabled a
  user would have to first be authorized before reaching the crash point.

For more details, see the announcement:
https://www.asterisk.org/downloads/asterisk-news/asterisk-13185-1475-1515-and-1318-cert2-now-available-security

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 20:56:46 +01:00
Fabio Estevam
a24ed4127e linux-headers: bump 3.2.x series
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 09:16:55 +01:00
Matt Weber
fce137b343 execline: fix hash "sha" type spelling
sah256 -> sha256

Fixes:
http://autobuild.buildroot.net/results/9d0/9d054a26d7833353efbe49c984a7cb66d77b1d0c/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 09:16:54 +01:00
Peter Korsgaard
522111f81c ntp: does not work with libressl
Fixes #10556

The --with-crypto handling in ntp only works with libopenssl, not with
libressl, where it ends up with compilation issues like:

ntp_control.c:(.text+0x64): undefined reference to `EVP_MD_CTX_new'
ntp_control.c:(.text+0x10c): undefined reference to `EVP_MD_CTX_free'
libntpd.a(ntp_crypto.o): In function `bighash':
ntp_crypto.c:(.text+0x2e8): undefined reference to `EVP_MD_CTX_new'
ntp_crypto.c:(.text+0x328): undefined reference to `EVP_MD_CTX_free'
libntpd.a(ntp_crypto.o): In function `crypto_verify':
ntp_crypto.c:(.text+0x6cc): undefined reference to `EVP_MD_CTX_new'
ntp_crypto.c:(.text+0x710): undefined reference to `EVP_MD_CTX_free'
ntp_crypto.c:(.text+0x72c): undefined reference to `EVP_MD_CTX_free'

So ensure we only pass --with-crypto when libopenssl is used.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 09:16:51 +01:00
Yann E. MORIN
17cd914917 utils/test-pkg: always run a global legal-info
Instead of limiting it to the package under test, we run it globally.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-08 09:16:50 +01:00
Trent Piepho
09dd9d1755 ncurses: install 256 color terminfo files unconditionally
There are three 256 color terminfo files that buildroot only installs
if ncurses is configured with wide character support, which also
enables ext-color. There is a fourth 256 color terminfo file that does
not depend on wchar suport and is always installed.

This changes that to always install all four 256 color terminfo files.

When ncurses has ext-colors enabled,it allows 256 fg and bg colors at
the same time. Without ext-colors, it is still possible to use the 256
color terminfo files and one can get a combination of fb and bg colors
that equals up to 256, e.g. 256 fg colors on one background or 16 fg
and 16 bg colors.

In short, the 256 color files work fine without wchar or ext-color
support and support more colors than the normal xterm, etc.  terminfo
files. It's common today for the default terminal to use
xterm-256color and it's nice if thinks like vim and top work out of
the box.

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 23:52:20 +01:00
Romain Naour
265b4edc7e package/enlightenment: bump to 0.22.1
See https://www.enlightenment.org/news/e22_release and
https://www.enlightenment.org/news/e0.22.1_release

Switch to the meson build system.

The autotools build system has been removed upstream by commit
https://git.enlightenment.org/core/enlightenment.git/commit/?id=bd8828204779509a2f47fffc4031abcab2b34d79

Signed-off-by: Romain Naour <romain.naour@gmail.com>
[Thomas: use --option=value everywhere.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 23:48:43 +01:00
Matt Weber
b6314a1811 cjson: update LICENSE hash for 1.7.0
No change to the contents but indentation.

Fixes:
http://autobuild.buildroot.net/results/626/626f01bb2e769914d471e70665f7f2909e1f5fe2/

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 23:47:45 +01:00
Peter Korsgaard
3f1d2c6c74 asterisk: security bump to version 14.6.2
Fixes the following security issues:

14.6.1:

* AST-2017-005 (applied to all released versions): The "strictrtp" option in
  rtp.conf enables a feature of the RTP stack that learns the source address
  of media for a session and drops any packets that do not originate from
  the expected address.  This option is enabled by default in Asterisk 11
  and above.  The "nat" and "rtp_symmetric" options for chan_sip and
  chan_pjsip respectively enable symmetric RTP support in the RTP stack.
  This uses the source address of incoming media as the target address of
  any sent media.  This option is not enabled by default but is commonly
  enabled to handle devices behind NAT.

  A change was made to the strict RTP support in the RTP stack to better
  tolerate late media when a reinvite occurs.  When combined with the
  symmetric RTP support this introduced an avenue where media could be
  hijacked.  Instead of only learning a new address when expected the new
  code allowed a new source address to be learned at all times.

  If a flood of RTP traffic was received the strict RTPsupport would allow
  the new address to provide media and with symmetric RTP enabled outgoing
  traffic would be sent to this new address, allowing the media to be
  hijacked.  Provided the attacker continued to send traffic they would
  continue to receive traffic as well.

* AST-2017-006 (applied to all released versions): The app_minivm module has
  an “externnotify” program configuration option that is executed by the
  MinivmNotify dialplan application.  The application uses the caller-id
  name and number as part of a built string passed to the OS shell for
  interpretation and execution.  Since the caller-id name and number can
  come from an untrusted source, a crafted caller-id name or number allows
  an arbitrary shell command injection.

* AST-2017-007 (applied only to 13.17.1 and 14.6.1): A carefully crafted URI
  in a From, To or Contact header could cause Asterisk to crash

For more details, see the announcement:
https://www.asterisk.org/downloads/asterisk-news/asterisk-11252-13171-1461-116-cert17-1313-cert5-now-available-security

14.6.2:

* AST-2017-008: Insufficient RTCP packet validation could allow reading
  stale buffer contents and when combined with the “nat” and “symmetric_rtp”
  options allow redirecting where Asterisk sends the next RTCP report.

  The RTP stream qualification to learn the source address of media always
  accepted the first RTP packet as the new source and allowed what
  AST-2017-005 was mitigating.  The intent was to qualify a series of
  packets before accepting the new source address.

For more details, see the announcement:
https://www.asterisk.org/downloads/asterisk-news/asterisk-11253-13172-1462-116-cert18-1313-cert6-now-available-security

Drop 0004-configure-in-cross-complation-assimne-eventfd-are-av.patch as this
is now handled differently upstream (by disabling eventfd for cross
compilation, see commit 2e927990b3d2 (eventfd: Disable during cross
compilation)).  If eventfd support is needed then this should be submitted
upstream.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 23:47:44 +01:00
Peter Korsgaard
aebdb1cd4b irssi: security bump to version 1.0.6
>From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):

Multiple vulnerabilities have been located in Irssi.

(a) When the channel topic is set without specifying a sender, Irssi
    may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

    CVE-2018-5206 was assigned to this issue.

(b) When using incomplete escape codes, Irssi may access data beyond
    the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5205 was assigned to this issue.

(c) A calculation error in the completion code could cause a heap
    buffer overflow when completing certain strings. (CWE-126) Found
    by Joseph Bisch.

    CVE-2018-5208 was assigned to this issue.

(d) When using an incomplete variable argument, Irssi may access data
    beyond the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5207 was assigned to this issue.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 23:47:43 +01:00
Jan Heylen
dc1be64377 opentracing-cpp: new package
Signed-off-by: Jan Heylen <jan.heylen@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 23:16:27 +01:00
Jan Heylen
98b3b83fb5 toolchain: m68k coldfire is also affected by gcc bug 64735
Verified experimentally by using exception_ptr with m68k_cf5208 and
looking at the value of ATOMIC_INT_LOCK_FREE. ATOMIC_INT_LOCK_FREE=1,
so the issue is present. Also verified that gcc 7.x fixed it also for
cf5208.

Signed-off-by: Jan Heylen <jan.heylen@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 21:56:59 +01:00
Jan Heylen
2d0058e2d3 package/pkg-cmake.mk: add note about BUILD_STATIC_LIBS
As BUILD_STATIC_LIBS is not a standard cmake variable (while
BUILD_SHARED_LIBS is) we shouldn't add it in pkg-cmake.mk, although
for some packages that would make sense. Therefore, add a note so we
don't forget about this abnormality.

See: https://cmake.org/cmake/help/v3.8/manual/cmake-variables.7.html#variables-that-change-behavior

Signed-off-by: Jan Heylen <jan.heylen@nokia.com>
[Thomas: rework the comment in the code.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 21:54:27 +01:00
Jan Heylen
7022190c4b rabbitmq-c: don't pass BUILD_SHARED_LIBS
The BUILD_SHARED_LIBS option is already handled by the cmake-package
infrastructure, so there is no need to pass it at the package level.

Signed-off-by: Jan Heylen <jan.heylen@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 21:38:54 +01:00
Sergey Matyukevich
a0eecad195 orangepi: drop custom post-build and post-image scripts
Currently in Orange Pi boards post-build script is used only to generate
U-Boot boot script and post-image script is used only to generate sdcard
image according to genimage configuration. However both those tasks can
now be handled by generic Buildroot tools:
- BR2_TARGET_UBOOT_BOOT_SCRIPT config options
- support/scripts/genimage.sh script

This patch drops custom scripts replacing them
by generic Buildroot tools.

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2018-01-07 21:37:20 +01:00