Security related fixes:
This flaw is caused by loading data from external sources (file, custom ctx,
etc) and are hard to validate before calling libgd APIs:
- fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)
- bug #248, fix Out-Of-Bounds Read in read_image_tga
- gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132)
Using application provided parameters, in these cases invalid data causes
the issues:
- Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)
- fix php bug 72494, invalid color index not handled, can lead to crash ( CVE-2016-6128)
- improve color check for CropThreshold
The build system now enables -Wall and -Werror by default, so pass
--disable-werror to disable that. Notice that this issue has been fixed
upstream post-2.2.3:
https://github.com/libgd/libgd/issues/339
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changed _SITE url to the upstream project site because Sourceforge does
not provide the tarball for 1.2.10 as of now.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
enca and libguess options have been dropped so adjust accordingly.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Riemann-c-client is a C client library for the Riemann monitoring system,
providing a convenient and simple API, high test coverage and a copyleft
license, along with API and ABI stability.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump Linux kernel versio to 4.9 and U-Boot to 2016.11.
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2016-8859 - fixes a serious under-allocation bug in regexec due to
integer overflow.
Drop upstream patch.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a build failure with the PPS patchset since libva isn't populated.
Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For some architectures, like Xtensa or HPPA, ld from binutils requires
the output file to be a regular file, as mentioned in a bug report on
the mailing list [1].
So, use a dummy file as output file for ld, instead of /dev/null, when
trying to detect some libraries at configuration time.
Fixes http://autobuild.buildroot.net/results/288/288fc31cd10ffe3cd93371c7be37d79452a91768/
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=19526
Signed-off-by: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Even though 'CONFIG_USB=n' does the job, let's switch to the more
standard way for disabling a Kconfig symbol.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The target variant depends on BR2_HOST_ONLY which is just like BROKEN
(i.e not defined anywere). BR2_HOST_ONLY was introduced by [1] back in
2010 and nobody seems to need it. So remove intltool for the target.
[1] 0b876d3977
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV allows the Broadcom wireless driver
to be automatically loaded on boot.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump kernel to version 4.9 and U-Boot to 2016.11.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream commit a8c696bf09d8151323f6e99348c4bc8989f829c8 makes ifup and
ifdown individually selectable, but forgets to update the dependency to
IFUPDOWN_UDHCPC_CMD_OPTIONS, so it is not selectable anymore.
Add a patch which fixes the dependency by checking for IFUP or IFDOWN,
instead of the obsolete IFUPDOWN.
Upstream status: Pending
http://lists.busybox.net/pipermail/busybox/2016-December/085034.html
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 44a563dbc0 bumps busybox to version
1.26.0, but does not update the minimal configuration file. There is at
least one issue using the old configuration with the newer busybox:
* IFUPDOWN is split into IFUP and IFDOWN in version 1.26.0
Update the minimal configuration file by loading the busybox.config file
and saving it back.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 44a563dbc0 bumps busybox to version
1.26.0, but does not update the configuration file. There is at least
one issue using the old configuration with the newer busybox:
* IFUPDOWN is split into IFUP and IFDOWN in version 1.26.0
Update the configuration file by loading the busybox.config file and
saving it back.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV allows the Broadcom wireless driver
to be automatically loaded on boot.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a NULL pointer dereference bug in png_set_text_2()
CVE not assigned yet.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The patch did contain the correct newlines, but they got stripped by
patchwork so now the patch no longer applies.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The LUAROCKS_TARGET_FINALIZE_HOOKS is not running, so detritus is being left
in /usr/lib/luarocks. This is because host-luarocks is built by being a
dependency in the luarocks package infrastructure, not by being selected by
kconfig symbol. This means that the $(PKG)_KCONFIG_VAR in pkg-generic.mk is
not met, and (HOST_)LUAROCKS_TARGET_FINALIZE_HOOKS is not added to the
global TARGET_FINALIZE_HOOKS.
This mod fixes this issue by adding the host-luarocks hook directly
to TARGET_FINALIZE_HOOKS when either lua or luajit is enabled.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV allows the Broadcom wireless driver
to be automatically loaded on boot.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use mainline 4.9 instead of a custom kernel based on NXP 4.1.
As mx7 boots in non-secure mode in mainline kernel, change the
U-Boot target to "warp7".
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The tar --no-recursion option is position sensitive. It only affects following
file listing options. Move --no-recursion before the -T option to make it
effective. This fixes duplication of entries in the generated rootfs.tar
archive.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Keep BR2_TOOLCHAIN_HAS_BINUTILS_BUG_19405 since it's not fixed in
Binutils 2.26.
Runtime tested with an experimental version of Qemu 2.7 for Nios2.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Recently, the autoconf macros for libtool started using '/usr/bin/file'
to determine the type of library that is generated by the toolchain.
Packages that use this recent version of the libtool autoconf macros
will fail in a rather dramatic way when /usr/bin/file is not present
on the host: the package will still build but no shared library is
generated, which in turn may cause build failures in other packages
that link with it.
For example, libpng's configure determines that it is not possible to
build a shared library on MIPS64 because the expected output from 'file'
is not present. Therefore, only a static libpng.a is built. Later,
bandwithd links with -lpng but it doesn't use the pkg-config's
Private-Libs (because it's not linking statically) and it doesn't have
access to the NEEDED reference from the shared library. Therefore, it
doesn't link with zlib and fails with
pngrutil.c:(.text+0x55c): undefined reference to `inflate'
We cant use host-file because it is itself an autotools package and is
itself using libtool, so this would be a chicken-n-egg problem. Besides,
the libtool script really wants to call /usr/bin/file, so it would not
even find our host-file anyway.
So, just require that '/usr/bin/file' is present on the host.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>