On older build systems with old coreutils, using relative symbolic link
(ln -r) does not work, and causes failed builds. Workaround is to use
normal symbolic link with a relative path. e.g. ../../$(BINDIR)
This fix is dependent on bumping cups-filters version to 1.20.1 because
of autotools issue with Makefile.am changes.
Fixes:
http://autobuild.buildroot.net/results/77a6369f3530a2a6a055f7fd664f1ad424274d77
Signed-off-by: Olivier Schonken <olivier.schonken@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ef60ef83c9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Rename the prompt string for consistency with the package directory
name.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b5da9637ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- (CVE-2018-7167): Fixes Denial of Service vulnerability where calling
Buffer.fill() could hang
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
http2 implementation to not crash under certain circumstances during
cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
nghttp2 to 1.32.0
See https://nodejs.org/en/blog/release/v8.11.3/ for more details
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 64baf3def7)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the release notes:
================================================================================
Redis 3.2.12 Released Wed Jun 13 12:43:01 CEST 2018
================================================================================
Upgrade urgency CRITICAL:
* Multilple security issues fixed.
* Backport of an older AOF fsync=always fix. Check 4.x release notes.
* Backport of a *SCAN bug. Sometimes elements could be missing from the scan.
* Other minor things.
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
For more details about the lua related security issues, see the blog:
http://antirez.com/news/119
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3bf2745a0f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
scancpan is now in utils not in supports/scripts
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f4b4f77e84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-10360: The do_core_note function in readelf.c in
libmagic.a in file 5.33 allows remote attackers to cause a denial of
service (out-of-bounds read and application crash) via a crafted ELF
file.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 89be4c7b0e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Added license hashes, added optional dependency to libseccomp provided
by upstream in this version bump.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit eacca09a8a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12015 - In Perl through 5.26.2, the Archive::Tar module
allows remote attackers to bypass a directory-traversal protection
mechanism, and overwrite arbitrary files, via an archive file containing a
symlink and a regular file with the same name.
Patch from
ae65651eab
with path rewritten to match perl tarball.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 66760f2734)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As noted in the sourceforge page, the project is not using sourceforge
anymore. Use the gitweb summary page instead.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a74a41d834)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Apply modifications made in recent commits:
- 456ea9871e busybox: add /dev/std{in, out, err} symlinks to inittab
- 13dbe73782 busybox: reduce number of mkdir calls in inittab
- 8a89d290d4 busybox: add an inittab entry to activate swap
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a3df894e83)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is a call to swapoff in the shutdown sequence, so call "swapon -a"
on startup. As stated in the swapon man page,
All devices marked as "swap" in /etc/fstab are made available, except
for those with the "noauto" option. Devices that are already being
used as swap are silently skipped.
So even if the system has some init script to start/stop swap (e.g. from
a rootfs ovelay) calling swapon/swapoff would be harmless.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d524cc7d9d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is a call to swapoff in the shutdown sequence, so call "swapon -a"
on startup. As stated in the swapon man page,
All devices marked as "swap" in /etc/fstab are made available, except
for those with the "noauto" option. Devices that are already being
used as swap are silently skipped.
So even if the system has some init script to start/stop swap (e.g. from
a rootfs ovelay) calling swapon/swapoff would be harmless.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d2a091c96b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some applications, e.g. bashs process subsitution feature, rely on the
convention of `/dev/fd` being a symbolic link to `/proc/self/fd`.
This symbolic link and his companions `/dev/std*` are created by (e)udev [1],
but not by mdev, resulting in the following error when using the following
expression:
```
bash: /dev/fd/62: No such file or directory
```
For the sake of simplicity, lets fix this by creating the symlinks in inittab.
It is only really needed if eudev isn't used, but it doesn't really hurt to
create them even if eudev will recreate them afterwards.
Note, that we do not create the symlink `/dev/core` as `/proc/kcore` is
not available on all platforms, e.g. ARM, and the feature is not much
appreciated [2].
[1] 8943501993/src/shared/dev-setup.c (L35-L40)
[2] https://lwn.net/Articles/45315/
[Peter: redirect errors to /dev/null for ro rootfs]
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6919fc5566)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some applications, e.g. bashs process subsitution feature, rely on the
convention of `/dev/fd` being a symbolic link to `/proc/self/fd`.
This symbolic link and his companions `/dev/std*` are created by (e)udev [1],
but not by mdev, resulting in the following error when using the following
expression:
```
bash: /dev/fd/62: No such file or directory
```
For the sake of simplicity, lets fix this by creating the symlinks in inittab.
It is only really needed if eudev isn't used, but it doesn't really hurt to
create them even if eudev will recreate them afterwards.
Note, that we do not create the symlink `/dev/core` as `/proc/kcore` is
not available on all platforms, e.g. ARM, and the feature is not much
appreciated [2].
[1] 8943501993/src/shared/dev-setup.c (L35-L40)
[2] https://lwn.net/Articles/45315/
[Peter: redirect output (errors) to /dev/null for ro rootfs]
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 456ea9871e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The default sysvinit inittab does two separate mkdir calls to create
/dev/pts and /dev/shm. Reduce this to call mkdir only once for both
directories.
This removes id "si3" but keeps ids "si4".."si9" intact rather than
renumbering them. This would just increase the turmoil without any
practical effect.
Based on commit e9db8122fb, by Florian La Roche <F.LaRoche@pilz.de>.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dc267db6ab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
triggerhappy uses pkg-config to detect the systemd library. Make sure it
uses the target pkg-config, not the host one.
Fixes build failure when the host has systemd pkg-config files:
.../host/bin/arm-linux-gcc -static th-cmd.o cmdsocket.o -lsystemd -o th-cmd
.../host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/6.4.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: cannot find -lsystemd
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b4a7145b0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12020: Unsanitized file names might cause injection of
terminal control characters into the status output of gnupg.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0647268416)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-12020: Unsanitized file names might cause injection of
terminal control characters into the status output of gnupg.
Cc: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b78a365b56)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The manual is GPL-2, and points to the COPYING file in the repository.
When we do a rendering of the manual for a specific version, that URL
is currently always poitning to the latest version of the COPYING file.
If we ever have to change the content of that file (e.g. to add a new
exception, more clarifications, a license change, or whatever), then
an old manual would point to that newer version, which would then be
incorrect.
Include the sha1 of the commit in the URL, so that the manual always
point to the tree at the time the manual was rendered, not the time
it is consulted. Contrary to the informative text above, use the full
sha1, not the shortened one.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Cc: Luca Ceresoli <luca@lucaceresoli.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 529219ba96)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-7225 - An issue was discovered in LibVNCServer through
0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize
msg.cct.length, leading to access to uninitialized and potentially sensitive
data or possibly unspecified other impact (e.g., an integer overflow) via
specially crafted VNC packets.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a4f7700f0b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version 1.25.4 fixes CVE-2017-9545, for details see release notes:
http://www.mpg123.org/cgi-bin/news.cgi
Added upstream hashes.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cb67c1d55b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://mariadb.com/kb/en/mariadb-10133-release-notes/
Changelog: https://mariadb.com/kb/en/mariadb-10133-changelog/
Fixes the following security vulnerabilities:
CVE-2018-2782 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and
prior and 5.7.21 and prior. Easily exploitable vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
CVE-2018-2784 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and
prior and 5.7.21 and prior. Easily exploitable vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
CVE-2018-2787 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and
prior and 5.7.21 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server as well as unauthorized update, insert or
delete access to some of MySQL Server accessible data.
CVE-2018-2766 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.6.39 and
prior and 5.7.21 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.
CVE-2018-2755 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Replication). Supported versions that are affected
are 5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to
exploit vulnerability allows unauthenticated attacker with logon to the
infrastructure where MySQL Server executes to compromise MySQL Server.
Successful attacks require human interaction from a person other than the
attacker and while the vulnerability is in MySQL Server, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in takeover of MySQL Server.
CVE-2018-2819 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.5.59 and
prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2817 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2761 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Client programs). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to
exploit vulnerability allows unauthenticated attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2781 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2771 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Locking). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Difficult to
exploit vulnerability allows high privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of
this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.
CVE-2018-2813 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are
5.5.59 and prior, 5.6.39 and prior and 5.7.21 and prior. Easily exploitable
vulnerability allows low privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized read access to a subset of MySQL
Server accessible data.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5fbacdd59f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2017-5029
- Remove first patch (already in version)
- Add a dependency to host-pkgconf and remove libxml2 options: see
abf537ebb2
- Add hash for license file
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eca8704dcf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Executing "/etc/init.d/S29netplug start" multiple times resulted in
multiple instances of netplugd.
Pass "-p /var/run/netplug.pid" to netplugd, so it creates the PID file
that start-stop-daemon needs to know that netplugd is already running.
Also use the pid file to stop netplugd, instead of the daemon name.
Fixes https://bugs.busybox.net/show_bug.cgi?id=10661
Reported-by: Joachim Krueger <mail2k@web.de>
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3c6a5bdd3e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We are working to make all sysvinit scripts conformant to a pattern and
/etc/default/ seems to be a good choice, since 34 packages already get
optional configurations from files at that directory.
netplug still installs an init script at /etc/rc.d/init.d/. This will
be fixed in a future patch that will refactor the init scripts.
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4adaa581b2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The test doesn't make sense. It just exits without any error if the
binary doesn't exist, which is silly.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b77c9d265e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The PAGER environment variable is including a blank character at the
end. Remove this.
A for loop has been unsetting the variable inside the loop, this is only
needed once at the end of the loop.
Signed-off-by: Florian La Roche <F.LaRoche@pilz.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 903b8446a8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The default busybox inittab does two separate mkdir calls
to create /dev/pts and /dev/shm. Reduce this to call mkdir
only once for both directories.
Signed-off-by: Florian La Roche <F.LaRoche@pilz.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 13dbe73782)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In busybox fix the S01logging usage text to
document the "reload" target.
Signed-off-by: Florian La Roche <F.LaRoche@pilz.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c7963858ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The package recipe uses a post-install hook to remove useless files from
$(TARGET_DIR)/etc/rc.d/init.d and $(TARGET_DIR)/etc/sysconfig. This may
damage packages that install useful files on those directories (such as
netplug, which installs $(TARGET_DIR)/etc/rc.d/init.d/netplugd).
In the future[1] we will reorganize the init scripts and possibly get
rid of /etc/rc.d and /etc/sysconfig but for the moment let's restrict
the file removal to those installed by audit.
1. http://lists.busybox.net/pipermail/buildroot/2018-May/221549.html
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 49844baf2f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since version 1.8.0, php-amqp needs a rabbitmq-c with openssl support:
https://github.com/pdezwart/php-amqp/issues/310
SSL support is disabled in rabbitmq-c if BR2_STATIC_LIBS is set however
don't add an unneeded !BR2_STATIC_LIBS dependency in Config.in as all
PHP External Extensions depends on !BR2_STATIC_LIBS
(see package/Config.in)
Fixes:
- http://autobuild.buildroot.net/results/b7c89bbbd0ca1df08dd7cbfc90c7b45dcf1fad05
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d93305744b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See https://nodejs.org/en/blog/release/v8.11.2/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1d4eb844e3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This issue only applies to kernels built with CONFIG_THUMB2=y, so reword the
comment to make that more clear.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d937f908f1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
