Python 2 is EOL sice 2020 [1], it's still available on distros, but may not
be installed by default (as being replaced by python3).
Thus remove compatibility imports:
from __future__ import print_function
from __future__ import absolute_import
Tested with python3 -m py_compile.
[1] https://www.python.org/doc/sunset-python-2/
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
A heap buffer overflow vulnerability in msadpcm_decode_block of libsndfile
1.0.30 allows attackers to execute arbitrary code via a crafted WAV file.
https://nvd.nist.gov/vuln/detail/CVE-2021-3246
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes the following security issues:
- CVE-2021-22945: UAF and double-free in MQTT sending
When sending data to an MQTT server, libcurl could in some circumstances
erroneously keep a pointer to an already freed memory area and both use
that again in a subsequent call to send data and also free it again.
https://curl.se/docs/CVE-2021-22945.html
- CVE-2021-22946: Protocol downgrade required TLS bypassed
A user can tell curl to require a successful upgrade to TLS when speaking
to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or
CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl).
This requirement could be bypassed if the server would return a properly
crafted but perfectly legitimate response.
This flaw would then make curl silently continue its operations without
TLS contrary to the instructions and expectations, exposing possibly
sensitive data in clear text over the network.
https://curl.se/docs/CVE-2021-22946.html
- CVE-2021-22947: STARTTLS protocol injection via MITM
When curl connects to an IMAP, POP3, SMTP or FTP server to exchange data
securely using STARTTLS to upgrade the connection to TLS level, the server
can still respond and send back multiple responses before the TLS upgrade.
Such multiple "pipelined" responses are cached by curl. curl would then
upgrade to TLS but not flush the in-queue of cached responses and instead
use and trust the responses it got before the TLS handshake as if they
were authenticated.
Using this flaw, it allows a Man-In-The-Middle attacker to first inject
the fake responses, then pass-through the TLS traffic from the legitimate
server and trick curl into sending data back to the user thinking the
attacker's injected data comes from the TLS-protected server.
Over POP3 and IMAP an attacker can inject fake response data.
https://curl.se/docs/CVE-2021-22947.html
In addition, 7.79.1 fixes a number of regressions in 7.79.0:
https://daniel.haxx.se/blog/2021/09/22/curl-7-79-1-patched-up-and-ready/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The file access protection built into Ghostscript proved insufficient for
the "%pipe%" PostScript device, when combined with Ghostscript's requirement
to be able to create and control temporary files in the conventional
temporary file directories (for example, "/tmp" or "/temp). This exploit is
restricted to Unix-like systems (i.e., it doesn't affect Windows). The most
severe claimed results are only feasible if the exploit is run as a "high
privilege" user (root/superuser level) \u2013 a practice we would discourage
under any circumstances.
For more details, see the advisory:
https://ghostscript.com/CVE-2021-3781.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Lynx through 2.8.9 mishandles the userinfo subcomponent of a URI, which
allows remote attackers to discover cleartext credentials because they may
appear in SNI data.
https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
Upstream unfortunately does not provide a public VCS (only source
snapshots), so fetch the security patch from Debian.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Includes a number of bugfixes and the security fixes up to xsa-384:
https://xenproject.org/downloads/xen-project-archives/xen-project-4-14-series/xen-project-4-14-3/
Drop the now upstream
0002-libs-foreignmemory-Fix-osdep_xenforeignmemory_map-prototype.patch, and
renumber the remaining patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This is a minor release which provides fixes for CVE-2021-30858 and
a number of other potential security issues without an associated CVE.
Patch "0001-Add-ldp-and-stp-support-for-FP-registers-plus-some-b.patch"
is deleted as it has been included in this release.
Full release notes can be found at:
https://webkitgtk.org/2021/09/17/webkitgtk2.32.4-released.html
An accompanying security advisory has been published at:
https://webkitgtk.org/security/WSA-2021-0005.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This is a minor release which provides fixes for CVE-2021-30858 and
a number of other potential security issues without an associated CVE.
Patch "0001-Add-ldp-and-stp-support-for-FP-registers-plus-some-b.patch"
is deleted as it has been included in this release.
Full release notes can be found at:
https://wpewebkit.org/release/wpewebkit-2.32.4.html
An accompanying security advisory has been published at:
https://wpewebkit.org/security/WSA-2021-0005.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- SECURITY: Stop splitting on unicode separators in git references,
which could be maliciously used to install a different revision on the
repository. (#9827)
- Update hash of LICENSE.txt (update in year)
- Update indentation in hash file (two spaces)
https://pip.pypa.io/en/stable/news/#v21-2-4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
python-protobuf no longer supports python2, so depend on
BR2_PACKAGE_PYTHON3. Reverse dependencies already depend on
python3.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following build failure with uclibc-ng raised since bump to
version 1.17 in commit 9badccc9d4:
/home/giuliobenetti/autobuild/run/instance-3/output-1/host/lib/gcc/xtensa-buildroot-linux-uclibc/10.3.0/../../../../xtensa-buildroot-linux-uclibc/bin/ld: src/sae.o: in function `sae_rx_authenticate':
sae.c:(.text+0xd74): undefined reference to `reallocarray'
Fixes:
- http://autobuild.buildroot.org/results/c6d3f86282c44645b4f1c61882dc63ccfc8eb35a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The gdbinit supplied by Buildroot does two things:
A. specify the sysroot where gdb can find shared libraries
B. mark the sysroot as a 'safe path' for its auto-load feature, to make sure
that pretty printers for libstdc++.so are added automatically (see commit
6fb3216a80)
When debugging a core file, and the gdbinit file is specified via '-x'
rather than '-ix', then the order of these settings matters: If you first
set the sysroot, then gdb will immediately start finding the shared
libraries it needs for the core file, detect libstdc++ and its associated
libstdc++-gdb.py file, then give a big warning about safe paths:
warning: File ".../i686-buildroot-linux-gnu/sysroot/lib/libstdc++.so.6.0.24-gdb.py"
auto-loading has been declined by your `auto-load safe-path' set
to "$debugdir:$datadir/auto-load".
To enable execution of this file add
add-auto-load-safe-path .../i686-buildroot-linux-gnu/sysroot/lib/libstdc++.so.6.0.24-gdb.py
line to your configuration file "/home/me/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/me/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
info "(gdb)Auto-loading safe path"
and the pretty printing code is not loaded. This is because the second
line from the gdbinit file was not yet parsed at this point.
By changing the order (first configuring the safe path, then setting the
sysroot), this issue does not appear and everything is as expected.
Note that when '-ix' were used instead of '-x' to pass the gdbinit file to
gdb, then the order would not matter, because the entire gdbinit file would
be parsed before considering the core file.
However, even though the Buildroot manual now suggests '-ix', users may not
have noticed this change and continue to use '-x'.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
A gdbinit file passed via '-x' will be read _after_ parsing any
object/core file passed on the command-line. In cross-compilation context,
this is particularly a problem when loading a core file, because without the
'sysroot' specified in the gdbinit file, it will give a lot of warnings,
like:
warning: .dynamic section for "/lib/libstdc++.so.6" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/librt.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libm.so.6" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libgcc_s.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libc.so.6" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/ld-linux.so.2" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libanl.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libdl.so.2" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libpthread.so.0" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/usr/lib/libz.so.1" is not at the expected address (wrong library or version mismatch?)
warning: .dynamic section for "/lib/libnss_files.so.2" is not at the expected address (wrong library or version mismatch?)
warning: Could not load shared library symbols for 17 libraries, e.g. [...]
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
In contrast, the '-ix' option will load the specified gdbinit file _before_
parsing object/core files. This will remove said warnings.
See also: https://sourceware.org/bugzilla/show_bug.cgi?id=28330
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The example media-session pipewire session manager requires
pipewire to be built with examples enabled, add support for
enabling this while depending on examples being enabled.
To simplify adding support for additional session managers in
the future such as wireplumber we pass a comma separated list
to the -Dsession-managers meson config option. This also will
ensure that systemd services that depend on media-session are
only installed if media-session support is enabled.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
To avoid spending some time to build the x86_64 toolchain (~20min),
switch to corei7 cpu (Nahalem) and use the prebuilt Bootlin toolchain.
We have to use the "stable" Bootlin toolchain to use the same kernel version
for the toolchain kernel headers and the running kernel.
With the "bleeding-edge" toolchain we have the "kernel too old" issue
(running kernel 4.19 vs kernel headers 5.4)
Runtime tested locally.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Switch from the Buildroot internal toolchain for armv5 to
the prebuilt Bootlin external toolchain.
The test doesn't require to build a toolchain, there was
no prebuilt glibc toolchain recent enough at the time this
test has been introduced.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This test already use builtin kernel provided by the testsuite infra:
self.emulator.boot(arch="armv7",
kernel="builtin",
options=["-initrd", img])
But a second kernel is build from the its defconfig. This second kernel
is not used by the test.
The TestRust (using BR2_PACKAGE_HOST_RUST=y) is really long to build,
save some cpu time by removing the kernel build.
This unused kernel (based on 4.11.3 release) doesn't even build with
host gcc >= 10.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The kernel 4.19.79 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
The issue was fixed in 4.19.114 [2]
Bump to the latest 4.19.x version.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
[2] http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=621f2ded601546119fabccd1651b1ae29d26cd38
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The kernel 5.5.7 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
But we can't just update this test to the next linux kernel LTS 5.10.y since
the minimum gcc version has been updated to gcc 4.9 since 5.8 kernel [2]
and the Sourcery CodeBench ARM 2014.05 is used (gcc 4.8 based).
Enable arm cortex A9 and VFP support to switch to the ARM arm prebuilt
toolchain (the Bootlin toolchain could be used).
While at it use the prebuilt buildin kernel for the vexpress target
recently updated to 5.10.7.
Fixes:
https://gitlab.com/kubu93/buildroot/-/jobs/1564202094
[1] https://gcc.gnu.org/gcc-10/porting_to.html
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6ec4476ac82512f09c94aff5972654b70f3772b2
[3] 3cf2782906
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The kernel 4.16.7 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Bump to the next LTS release.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The kernel 4.16.7 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Bump to the next LTS release.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The kernel 4.11.3 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Bump to the next LTS release.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The kernel 4.11.3 curently used by the test doesn't build with host
gcc >= 10 due the gcc default -fno-common. See GCC 10 porting guide [1].
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Bump to the next LTS release.
[1] https://gcc.gnu.org/gcc-10/porting_to.html
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Update to version 0.10.1, which fixes the build when the DRM platform
module is enabled, fixes handling of absolute pointer events, and makes
the headless platform optional.
Although the headless platform is optional, Buildroot keeps it enabled
unconditionally (as previously) because the wpebackend-fdo dependency
is always needed anyway because Buildroot does not include any other
WPE backend.
Release notes:
https://wpewebkit.org/release/cog-0.10.1.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Also create a pipewire user, which is used for systemd service. There is
no sysvinit start script at the moment, but if there were, it should
also take care of changing the uid to pipewire before starting the
daemon.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Add simple mixer python bindings to build when "Python support for
alsa-lib" is active. smixer-python is the only python module which
exists in alsa-lib. It is compatible with Python2 and Python3.
Signed-off-by: Illia Bitkov <illia.bitkov@mind.be>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Added patch fixes linkage of libgc with external libtomic-ops.
Mono uses bundeled bdwgc which doesn't link external libatomic-ops.
Patch is a fix cherry-picked from bdwgc upstream.
Problem found on ARMv5 processors, on newer ARM processors
it uses header based functions and doesn't need built library.
Error:
/home/buildroot/autobuild/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-uclibcgnueabi/9.3.0/../../../../arm-buildroot-linux-uclibcgnueabi/bin/ld: ../../external/bdwgc/.libs/libgc.a(gc.o): in function `GC_steal_mark_stack':
gc.c:(.text+0x2020): undefined reference to `AO_store_full_emulation'
Fixes:
http://autobuild.buildroot.net/results/ebc54e5dea63aca21a4072d294fdede41de559c7http://autobuild.buildroot.net/results/6d10a4bd43fbc9c1d3fa26d5eef394c8023cb85f
Signed-off-by: Illia Bitkov <illia.bitkov@mind.be>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
license is now LGPL-3.0+ for both talloc and pytalloc. Therefore, remove
pytalloc.h from the license files.
Signed-off-by: David GOUARIN <david.gouarin@thalesgroup.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
If the toolchain does not have threads (e.g. br-arm-full-nothread),
compilation fails:
In file included from /home/fail/br-test-pkg/br-arm-full-nothread/build/libressl-3.3.3/crypto/cryptlib.c:117:
/home/fail/br-test-pkg/br-arm-full-nothread/build/libressl-3.3.3/crypto/../include/compat/pthread.h:114:15: fatal error: pthread.h: No such file or directory
114 | #include_next <pthread.h>
| ^~~~~~~~~~~
compilation terminated.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
COPYING was updated with a copy of the openssl licence since libgit2 now
include openssl headers so it can dlopen it:
openssl: dynamically load libssl and symbols (optionally)
Provide an interface around OpenSSL to dynamically load the
libraries and symbols, so that users can distribute a libgit2
library that is not linked directly against OpenSSL. This enables
users to target multiple distributions with a single binary.
This mechanism is optional and disabled by default. Configure cmake
with -DUSE_HTTPS=OpenSSL-Dynamic to use it.
We do not use that option so the headers are not even used, plus the
headers are not installed on the target anyway, so this patch includes
no license changes.
Upstream also stopped providing release tarballs, relying on
github-generated tarballs instead.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
