Commit Graph

45124 Commits

Author SHA1 Message Date
Fabrice Fontaine
e79f061e3e package/libssh2: switch site to https://www.libssh2.org/download
As spotted by Danomi during review of "libssh2: security bump to version
1.9.0" (https://patchwork.ozlabs.org/patch/1148776), it seems that
the tarball from github and libssh2.org/download are not the same. One
of the difference is that LIBSSH2_VERSION in include/libssh2.h is set to
"1.9.0_DEV" in github tarball whereas it is set to "1.9.0" in
libssh2.org/download.

So switch site to https://www.libssh2.org/download to get "official"
release

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cc3da232e4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:16:45 +02:00
Fabrice Fontaine
3563e75a6c package/libssh2: security bump to version 1.9.0
Fix CVE-2019-13115: In libssh2 before 1.9.0,
kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c
has an integer overflow that could lead to an out-of-bounds read in the
way packets are read from the server. A remote attacker who compromises
a SSH server may be able to disclose sensitive information or cause a
denial of service condition on the client system when a user connects to
the server. This is related to an _libssh2_check_length mistake, and is
different from the various issues fixed in 1.8.1, such as CVE-2019-3855.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dea6f1f303)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:16:36 +02:00
Romain Naour
279ebbe7eb package/openblas: fix jaguar openblas target
In commit [1] Peter said he will use BOBCAT for
jaguar cpus. But JAGUAR was used instead.

Use BOBCAT as openblas target for JAGUAR cpus since
it is not listed in openblas's target list [2].

[1] 5e6fa93483
[2] https://github.com/xianyi/OpenBLAS/blob/release-0.3.0/TargetList.txt

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ac9c865a10)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:15:37 +02:00
Fabrice Fontaine
4b660b9c44 package/libss7: add -fPIC
Fixes:
 - No autobuilder failures

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e3f169fa78)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:14:14 +02:00
Fabrice Fontaine
d79ea6d7dd package/libpri: add -fPIC
Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=11961

[Retrieved (and updated to keep line under 80 characters) from:
https://bugs.buildroot.org/show_bug.cgi?id=11961]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit fe9e709254)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:14:03 +02:00
Fabrice Fontaine
ffc193a60f package/dahdi-tools: bump to version 3.0.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dca1dff501)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:12:38 +02:00
Fabrice Fontaine
af1f97cc60 package/dahdi-linux: bump to version 3.0.0
Fix build with kernel >= 4.13 thanks to
d4e232a776

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=11921

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 790c9ca092)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:12:35 +02:00
Fabrice Fontaine
89a920265a package/gst1-rtsp-server: disable examples and tests
Fixes:
 - http://autobuild.buildroot.org/results/7a268af00535d0f93e94955a3beea2745cf93422

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit baa7714664)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:09:49 +02:00
Fabrice Fontaine
55cbaea691 package/autofs: fix mount, umount and fsck program paths
Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=11876

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8c89a3a9a1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 17:06:04 +02:00
Nicolas Cavallari
e017a95431 package/libgit2: security bump to version 0.27.9
Fixes the following security issues:

    A carefully constructed commit object with a very large number
    of parents may lead to potential out-of-bounds writes or
    potential denial of service.

    The ProgramData configuration file is always read for compatibility
    with Git for Windows and Portable Git installations. The ProgramData
    location is not necessarily writable only by administrators, so we
    now ensure that the configuration file is owned by the administrator
    or the current user.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bee5ab6c9d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 16:01:05 +02:00
Yann E. MORIN
1d4ab0761f docs/manual: fix graph-size documentation
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Acked-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 22b7f96752)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 15:58:37 +02:00
Fabrice Fontaine
1dbd5c7949 package/batctl: fix license
batman_adv.h and list.h are licensed under MIT

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5aea15be98)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 15:57:31 +02:00
Fabrice Fontaine
4f4c12f125 package/batman-adv: fix license
batman_adv.h is licensed under MIT

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6db83bf6bc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 15:56:38 +02:00
Fabrice Fontaine
d937fe9119 package/lftp: fix build with host expat
Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=11881

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d8011a09f7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 15:54:58 +02:00
Fabrice Fontaine
779757f00f package/daq: fix build with host libdnet
Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=12106

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bd8a37a681)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 15:53:17 +02:00
Peter Korsgaard
a7c2fd387d package/go: security bump to version 1.11.13
From the release notes:

- go1.11.10 (released 2019/05/06) includes fixes to the runtime and the
  linker

- go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package

- go1.11.12 (released 2019/07/08) includes fixes to the compiler and the
  linker

- go1.11.13 (released 2019/08/13) includes security fixes to the net/http
  and net/url packages

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 15:48:34 +02:00
Bernd Kuhls
755775a743 package/apache: security bump to version 2.4.41
Release notes:
http://www.apache.org/dist/httpd/Announcement2.4.html
http://www.apache.org/dist/httpd/CHANGES_2.4.41

Fixes
CVE-2019-10081
CVE-2019-9517
CVE-2019-10098
CVE-2019-10092
CVE-2019-10097
CVE-2019-10082

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2b702f73df)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:41:30 +02:00
Thomas Petazzoni
43949ebbc4 DEVELOPERS: remove Andy Kennedy, e-mail is bouncing
Andy Kennedy (andy.kennedy@adtran.com)<mailto:andy.kennedy@adtran.com>

  The e-mail address you entered couldn't be found. Please check the
  recipient's e-mail address and try to resend the message. If the
  problem continues, please contact your helpdesk.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bbb8ad687f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:37:50 +02:00
Thomas Petazzoni
90056e6bfe DEVELOPERS: remove Steve Thomas, e-mail is bouncing
<scjthm@live.com>: host live-com.olc.protection.outlook.com[104.47.5.33] said:
    550 5.5.0 Requested action not taken: mailbox unavailable.
    [HE1EUR02FT033.eop-EUR02.prod.protection.outlook.com] (in reply to RCPT TO
    command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9b0dde4073)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:37:39 +02:00
Thomas Petazzoni
ad3025f80f DEVELOPERS: remove Marcin Nowakowski, e-mail is bouncing
<marcin.nowakowski@imgtec.com>: host
    mxa-00376f01.gslb.pphosted.com[185.132.180.163] said: 550 5.1.1 User
    Unknown (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bd3f2f04eb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:37:32 +02:00
Thomas Petazzoni
06bd90cc7e DEVELOPERS: remove Ed Swierk, e-mail is bouncing
<eswierk@skyportsystems.com>: host aspmx.l.google.com[108.177.127.27] said:
    550-5.1.1 The email account that you tried to reach does not exist. Please
    try 550-5.1.1 double-checking the recipient's email address for typos or
    550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1
    https://support.google.com/mail/?p=NoSuchUser 33si1105652eds.275 - gsmtp
    (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6906b53d41)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:37:20 +02:00
Thomas Petazzoni
490a4ae972 DEVELOPERS: remove Abhilash Tuse
His e-mail address @imgtec.com is bouncing:

<abhilash.tuse@imgtec.com>: host
    mxa-00376f01.gslb.pphosted.com[185.132.180.163] said: 550 5.1.1 User
    Unknown (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e78528f8a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:36:28 +02:00
Fabrice Fontaine
d8afbdc8dc package/tcpreplay: add optional libdnet dependency
Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=12096

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3cd991c226)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:34:28 +02:00
Fabrice Fontaine
97d7e73bdb package/libdnet: fix dnet-config
Add dnet-config to LIBDNET_CONFIG_SCRIPTS so this script can be used by
applications such as tcpreplay

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3a4b68278a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:32:52 +02:00
Fabrice Fontaine
2d1276f7f3 package/tcpreplay: security bump to version 4.3.2
This release contains bug fixes only:

 - CVE-2019-8381 memory access in do_checksum() (#538)
 - CVE-2019-8376 NULL pointer dereference get_layer4_v6() (#537)
 - CVE-2019-8377 NULL pointer dereference get_ipv6_l4proto() (#536)
 - Rename Ethereal to Wireshark (#545)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit dc2067d51c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:32:02 +02:00
Arnout Vandecappelle (Essensium/Mind)
1f85820ac4 package/qt5/qt5enginio/Config.in: depends before select
In Config.in, we put 'depends' lines before 'select' lines, as reported
by check-package.

Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/273215267

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 71d68f2431)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:30:45 +02:00
Thomas Petazzoni
023e624314 package/qt5/qt5enginio: switch to a depends on for SSL support
qt5enginio requires SSL support in qt5base. However, the SSL support
in qt5base is a bit annoying: while it can be provided by either
openssl or libressl for Qt latest, it can only be provided by
libressl for Qt 5.6.

Fabrice Fontaine initially proposed [0] a dependency on
BR2_PACKAGE_QT5BASE_OPENSSL, and a long discussion
followed. Ultimately, we found the dependency to not be nice, as it
required users to know that they need to enable some SSL
implementation to be able to enable qt5enginio.

The current solution enables BR2_PACKAGE_OPENSSL (the virtual
package), which can be either openssl or libressl. This choice was
done under the assumption that we anyway don't test Qt 5.6 in the
autobuilders. However, this is incorrect: Qt latest needs gcc >= 4.8
on host and target, and we have configurations in the autobuilders
that don't meet this requirement, and therefore build Qt 5.6, and face
a build issue due to OpenSSL being used instead of LibreSSL.

After additional thinking, this commit simply gets back to the
original solution proposed by Fabrice: a "depends on". We simply add
Config.in comments to help the user in knowing what is missing to
enable qt5enginio.

An alternate solution would have been to disallow selecting qt5enginio
when Qt 5.6 is used. But fixing the qt5enginio build is also needed
for the LTS branch, and we can't drop qt5enginio on Qt 5.6 in the LTS
branch, as that could bother users.

Fixes:

  http://autobuild.buildroot.net/results/227d4b9e2b48c5b3f2dcf0fad9eefa2816c1eb0c/

[0] https://patchwork.ozlabs.org/patch/1053883/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 035540b64a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 14:28:46 +02:00
Fabrice Fontaine
3e79c24b01 package/libbsd: security bump to version 0.10.0
- Remove patch (already in version)
- Update site to get the latest version
- Update hash of license file (update in year, new file and author)
- Remove !(BR2_TOOLCHAIN_USES_UCLIBC && !BR2_USE_MMU) dependency,
  __register_at_fork availability is correctly checked since
  b0ebb0d4c2
- Includes several security-related fixes for nlist() reported by Daniel
  Hodson and one by Coverity Scan, see
  https://lists.freedesktop.org/archives/libbsd/2019-August/000229.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1f6c7d6e0f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:52:34 +02:00
Fabrice Fontaine
e29187f10b package/rygel: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/1aea53bedb9620a0881e5d4ea76820d49df2f2d8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b7511fa256)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:47:59 +02:00
Peter Korsgaard
a9db41dd13 package/mpg123: security bump to version 1.25.12
From the release notes:
- Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames
  (oss-fuzz-bug 15975). The earlier fix around the same location needed
  one thought more. Actually, another thought was needed, oss-fuzz-bug 16009
  documents the incomplete fix.

- Fix an invalid write of one zero byte for empty ID3v2 frames that demand
  de-unsyncing (oss-fuzz-bug 16050).

- Fix dynamic build with gcc -fsanitize=address (check for all dl functions
  before deciding that separate -ldl is not needed).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b907d344d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:46:16 +02:00
Pierre-Jean Texier
283dc5b629 package/mpg123: fix hash
When bumping to version 1.25.11, an incorrect hash was set.

Fixes:
 - http://autobuild.buildroot.net/results/454/454bc42053deb84a73ed75dda99ae9015d23da84/

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 900de6e41b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:46:09 +02:00
Jörg Krause
42c69cc300 package/mpg123: security bump to version 1.25.11
From https://www.mpg123.de/cgi-bin/news.cgi:

Fixes a number of bugs found by OSS-Fuzz:
 * Fix out-of-bounds reads in ID3 parser for unsynced frames.
   (oss-fuzz-bug 15852)
 * Fix out-of-bounds read for RVA2 frames with non-delimited identifier.
   (oss-fuzz-bug 15852)
 * Fix implementation-defined parsing of RVA2 values.
   (oss-fuzz-bug 15862)
 * Fix undefined parsing of APE header for skipping. Also prevent endless loop
   on premature end of supposed APE header. (oss-fuzz-bug 15864)
 * Fix some syntax to make pedantic compiler happy.

The serious bugs trigger Denial of Service either via the nasty endless loop in
supposed APE tags or by crashes if the invalid reads hit a diagnostic by the OS
or, more likely, a security mechanism like the sanitizer instrumentation that
enabled finding the bugs.

I do not have CVE numbers for these bugs. I rather fix the bugs than name them.
Just update, will you?

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7291360fd8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:46:03 +02:00
Jörg Krause
3c39066fce package/wireless-regdb: bump to version 2019.06.03
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4de0b10d57)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:44:03 +02:00
Fabrice Fontaine
bf10e2ddcc package/metacity: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/c7a12e45c774905d4253db35c35c208d3f21ad49

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2c81486967)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:15:34 +02:00
Bernd Kuhls
7064d9ed89 package/postgresql: security bump version to 11.5
Release notes: https://www.postgresql.org/about/news/1960/

Switch POSTGRESQL_SITE to https.

Fixes CVE-2019-10208, CVE-2019-10209, CVE-2019-10210 & CVE-2019-10211.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7ea64484d4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 13:14:33 +02:00
Bernd Kuhls
f9e03e3854 package/imagemagick: security bump version to 7.0.8-59
Fixes
https://github.com/ImageMagick/ImageMagick/issues/1641 (no CVE id yet)
https://github.com/ImageMagick/ImageMagick/issues/1644 (no CVE id yet)

Removed patch included in version 7.0.8-54.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e9811b52fc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:41:00 +02:00
Fabrice Fontaine
9692f0c55d package/yad: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/40ccab40d7c82b908a622d45998d057a31d9cac6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 29e689d41a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:39:19 +02:00
Fabrice Fontaine
8f05e6445d package/pcmanfm: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/f6dfad52aa7f3528472a33a0fe4f5e35932541d8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 36418cb159)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:38:32 +02:00
Bernd Kuhls
336b51ed16 package/clamav: security bump version to 0.101.4
Fixes CVE-2019-12900 and adds an additional fix for CVE-2019-12625.

Release notes:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 914ba20600)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:34:58 +02:00
Bernd Kuhls
1cf102235a package/clamav: security bump version to 0.101.3
Release notes:
https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9537db0d82)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-02 12:34:55 +02:00
Baruch Siach
f13153a8ff package/mdadm: update website link
Neil Brown no longer maintains mdadm. The old website refers to a stale
git repository. There is nothing else but this wiki page to serve as a
website.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 036dee02cd)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-01 22:38:18 +02:00
Peter Korsgaard
28669fde4e package/glibc: bump version for additional post-2.28 fixes
The following additional bugs are fixed:

  [18035] Fix pldd hang
  [20568] Fix crash in _IO_wfile_sync
  [24228] old x86 applications that use legacy libio crash on exit
  [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
  [24744] io: Remove the copy_file_range emulation.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-01 22:18:54 +02:00
Peter Korsgaard
91bb43f529 package/collectd: security bump to version 5.7.2
Fixes the following security issue:

- CVE-2017-7401: Incorrect interaction of the parse_packet() and
  parse_part_sign_sha256() functions in network.c in collectd 5.7.1 and
  earlier allows remote attackers to cause a denial of service (infinite
  loop) of a collectd instance (configured with "SecurityLevel None" and
  with empty "AuthFile" options) via a crafted UDP packet

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-09-01 22:06:15 +02:00
Bernd Kuhls
e563427a12 package/collectd: remove libvirt from list of disabled plugins
With collectd 5.5.0 the "libvirt plugin has been renamed to virt":
https://git.octo.it/?p=collectd.git;a=blob;f=ChangeLog;h=b0a997c53ac1a74bc39470bdd243f853fa095c9f;hb=refs/tags/collectd-5.5.0#l235

"virt" is already mentioned in COLLECTD_PLUGINS_DISABLE so we can just
remove "libvirt" to fix:

configure: WARNING: unrecognized options: [...] --disable-libvirt

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a8c80b72e9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 10:12:38 +02:00
Fabrice Fontaine
e2f3101671 package/collectd: explicitly disable lua
lua plugin has been added in version 5.6.0 with
023092323c

Disabled it otherwise it'll be enabled if liblua is found

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 753bfec583)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 10:11:16 +02:00
Brent Generous
5f04aa58e8 Makefile: ensure $BINARIES_DIR exist before post-image scripts
When no filesystem is enabled, the $BINARIES_DIR is not created. Yet,
the post-image scripts are still run. When those want to generate an
image in there, they may fail as the directory does not exist (it did
exist before we started applying preparatory changes for top-level
parallel build, so scripts got to rely on that assumption).

Do in target-post-image as we do in the sdk rule: create the directory
before calling the scripts.

Signed-off-by: Brent Generous <bgenerous@impinj.com>
[yann.morin.1998@free.fr:
  - create the directory before calling the scripts
  - don't drop the creation in the sdk rule
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

(cherry picked from commit d57e73078a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 09:59:37 +02:00
Thomas Petazzoni
0327344636 package/linux-headers: apply all Linux patches when BR2_KERNEL_HEADERS_AS_KERNEL=y
When BR2_KERNEL_HEADERS_AS_KERNEL=y, we expect that the Linux kernel
headers code will be exactly the same as the Linux kernel code
itself. The code currently takes into account the patches defined by
BR2_LINUX_KERNEL_PATCH, but not the kernel patches that are stored in
linux's BR2_GLOBAL_PATCH_DIR.

So for example, the current qemu_riscv32_virt_defconfig has:

BR2_GLOBAL_PATCH_DIR="board/qemu/riscv32-virt/patches/"

With:

board/qemu/riscv32-virt/patches/
└── linux
    └── 0001-Revert-riscv-Use-latest-system-call-ABI.patch

This patch gets properly applied when the Linux kernel is built, but
not when the linux-headers package is built.

This commit fixes that by making sure patches stored in the "linux"
BR2_GLOBAL_PATCH_DIR subdirectory are taken into account.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f79cebe6a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 09:58:25 +02:00
Bernd Kuhls
db4116bd64 package/bzip2: security bump version to 1.0.8
Switched to new maintainer source:
https://sourceware.org/ml/bzip2-devel/2019-q2/msg00022.html

Version 1.0.7 fixes CVE-2016-3189 & CVE-2019-12900

Version 1.0.8 fixes the fix for CVE-2019-12900 from 1.0.7:
https://sourceware.org/ml/bzip2-devel/2019-q3/msg00031.html

Rebased 0002-improve-build-system.patch.

Removed 0003-Make-sure-nSelectors-is-not-out-of-range.patch, applied
upstream:
https://sourceware.org/git/?p=bzip2.git;a=commitdiff;h=7ed62bfb46e87a9e878712603469440e6882b184
and reverted later on
https://sourceware.org/git/?p=bzip2.git;a=commitdiff;h=b07b105d1b66e32760095e3602261738443b9e13

Added upstream sha512 hash and updated license hash after upstream
commits:
https://sourceware.org/git/?p=bzip2.git;a=history;f=LICENSE;h=81a37eab7a5be1a34456f38adb74928cc9073e9b;hb=HEAD

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7ae14d201e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 09:53:50 +02:00
Peter Korsgaard
ace10dd654 package/python3: adjust _REMOVE_USELESS_FILES fix for new layout
python3 nowadays appends the triplet to the config-<version>m directory:

echo target/usr/lib/python3.7/config-*
target/usr/lib/python3.7/config-3.7m-powerpc-linux-gnu

Likewise, there is no longer a pyconfig.h:

ls target/usr/lib/python3.7/config-3.7m-powerpc-linux-gnu
config.c  config.c.in  install-sh  libpython3.7m.a  Makefile
makesetup  python-config.py  python.o  Setup  Setup.local

So adjust the removal logic to match.  Use a wildcard rather than
$GNU_TARGET_NAME as buildroot and python3's idea of the triplet doesn't
always match (E.G.  for musl/uclibc).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit b3424c8fc9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-31 09:48:44 +02:00
Peter Korsgaard
a02325adf4 package/python3: fix configure issue for musl/uclibc GCC 8+ toolchains on powerpc
Fixes:
http://autobuild.buildroot.net/results/cb4/cb49c539501342e45cbe5ade82e588fcdf51f05b

GCC commit 6834b83784dcf0364eb820e8 (multiarch support for non-glibc linux
systems), which is part of GCC 8+, changed the multiarch logic to use
$arch-linux-musl / $arch-linux-uclibc rather than $arch-linux-gnu.

This then causes the python3 configure script to error out:

checking for the platform triplet based on compiler characteristics... powerpc-linux-gnu
configure: error: internal configure error for the platform triplet, please file a bug report

http://autobuild.buildroot.net/results/cb4/cb49c539501342e45cbe5ade82e588fcdf51f05b

As it requires that the --print-multiarch output (if not empty) matches the
deduced triplet (which always uses -linux-gnu).

It isn't quite clear why --print-multiarch returns something for a
non-multiarch toolchain on some architectures (E.G.  PowerPC), but as a
workaround, add a patch to rewrite the --print-multiarch output to match
older GCC versions to keep the configure script happy.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 38b28e48d8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 22:36:13 +02:00