This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/278489410
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/278489367
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/278489328
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/278489329
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig tries to build an ARM Trusted Firmware version that
needs an ARM32 toolchain, which is not available as the platform is an
ARM64 one. The correct solution for this is to have a package in
Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in
time for the 2019.08 release.
In order to not release 2019.08 with a broken defconfig, let's remove
it. It can be re-added later once the ARM32 bare-metal toolchain
problem has been resolved.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/278489325
Cc: Shyam Saini <shyam.saini@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the ts4800_defconfig has been removed, the ts4800-mrboot package
is no longer useful, therefore we drop it.
Cc: Patrick Keroulas <patrick.keroulas@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig has been failing to build since we switched the default
gcc version to gcc 8.x, as the Linux kernel version is too old and
doesn't contain the necessary fixes to build with gcc >= 8.x.
Despite several pings to the original submitter of the defconfig
(which is not listed in MAINTAINERS), no fix has been sent, so it is
time to drop this defconfig before the 2019.08 release.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/278489442
Cc: Patrick Keroulas <patrick.keroulas@savoirfairelinux.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit 1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed[1] is merged, a
new build failure occurs when selecting packages which needs
python-numpy as dependency.
This fix a build issue[2] by adding the correct reverse dependencies
to the following packages :
- gnuradio (for python support)
- opencv3 (for python support)
- piglit
- python-matplotlib
So :
- adding to every listed packages
`depends on !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)`
and add a comment to explain what happend.
[1] https://git.buildroot.net/buildroot/commit/?id=1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed
[2] http://autobuild.buildroot.org/results/b76/b76b6cf9602bcf5df69a7276762eab54cf74007b
Signed-off-by: Alexandre PAYEN <alexandre.payen@smile.fr>
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Damien DUVAL <damien.duval@smile.fr>
Cc: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669,
CVE-2019-8673, CVE-2019-8676, CVE-2019-8678, CVE-2019-8680,
CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8687,
CVE-2019-8688, CVE-2019-8689, and CVE-2019-8690.
This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes are available at:
https://wpewebkit.org/release/wpewebkit-2.24.3.html
The detailed security advisory can be found at:
https://wpewebkit.org/security/WSA-2019-0004.html
Patch "0001-Build-failure-after-r243644-in-GTK-Li.patch" is now unneeded
because it is one of the build fixes included in this release.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8676,
CVE-2019-8678, CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and
CVE-2019-8688.
This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes at:
https://webkitgtk.org/2019/08/28/webkitgtk2.24.4-released.html
The detailed security advisory can be found at:
https://webkitgtk.org/security/WSA-2019-0004.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old 3.10.x based vendor kernel does not build correctly with gcc 8.x.
While there is basic s500 support in the mainline kernel, there is not yet a
mmc driver so it isn't quite a replacement yet.
Stick to the vender kernel for now and revert back to gcc 7.x, hopefully
mainline support will be more complete once gcc 7.x gets dropped.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Added all hashes provided by upstream and license hash.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream does not provide a sha512 hash anymore.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116876.html
Fixes
* CVE-2019-11500: ManageSieve protocol parser does not properly handle
NUL byte when scanning data in quoted strings, leading to out of
bounds heap memory writes. Found by Nick Roessler and Rafi Rubin.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://dovecot.org/pipermail/dovecot/2019-August/116874.html
Fixes
* CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes. Found by Nick Roessler and Rafi Rubin.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib
in Python 3.x through 3.7.3. CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the query string after a ?
character) followed by an HTTP header or a Redis command.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-16872: A flaw was found in qemu Media Transfer Protocol (MTP). The
code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and
directories in usb_mtp_object_readdir doesn't consider that the underlying
filesystem may have changed since the time lstat(2) was called in
usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write
access to the host filesystem shared with a guest can use this property to
navigate the host filesystem in the context of the QEMU process and read any
file the QEMU process has access to. Access to the filesystem may be local
or via a network share protocol such as CIFS.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security fixes:
CVE-2019-13057: Fixed slapd to restrict rootDN proxyauthz to its own databases
CVE-2019-13565: Fixed slapd to initialize SASL SSF per connection
Full changelog:
https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
[Peter: fix sha256 hash line]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
>From the release notes:
- Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames
(oss-fuzz-bug 15975). The earlier fix around the same location needed
one thought more. Actually, another though was needed, oss-fuzz-bug 16009
documents the incomplete fix.
- Fix an invalid write of one zero byte for empty ID3v2 frames that demand
de-unsyncing (oss-fuzz-bug 16050).
- Fix dynamic build with gcc -fsanitize=address (check for all dl functions
before deciding that separate -ldl is not needed).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes: https://www.videolan.org/developers/vlc-branch/NEWS
Fixes the following security bugs:
* Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
* Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
* Fix a read buffer overflow in the FAAD decoder
* Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
* Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
* Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
* Fix a use after free in the ASF demuxer (CVE-2019-14533)
* Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
* Fix a null dereference in the dvdnav demuxer
* Fix a null dereference in the ASF demuxer (CVE-2019-14534)
* Fix a null dereference in the AVI demuxer
* Fix a division by zero in the CAF demuxer (CVE-2019-14498)
* Fix a division by zero in the ASF demuxer (CVE-2019-14535)
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
Security: when using HTTP/2 a client might cause excessive memory
consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).
For details, see the advisory:
https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
uClibc doesn't build with the upstream binutils 2.32.x and gcc or1k
port due to the following error:
LD libuClibc-1.0.31.so
/opt/openrisc--uclibc--bleeding-edge-1/lib/gcc/or1k-buildroot-linux-uclibc/9.2.0/../../../../or1k-buildroot-linux-uclibc/bin/ld:
libc/libc_so.a(or1k_clone.os): pc-relative relocation against dynamic symbol
__syscall_error
See:
https://gitlab.com/kubu93/toolchains-builder/-/jobs/270854456
This error message come from a new check in binutils 2.32.x:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=f2c1801f6255a3f9f483ae2f07c7d7da0ddae4af
This issue has been reported on the uClibc-ng mailing list:
https://mailman.uclibc-ng.org/pipermail/devel/2019-August/001885.html
Since gcc 9.1 needs binutils 2.32.x or later to build successfully for
or1k, there is no binutils version left that can build gcc 9.1 and
uClibc.
For now, disable uClibc if gcc 9.1 is used for or1k.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
[Arnout: invert the logic, like in the rest of the file]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
With binutils 2.30.x or 2.31.x, the assembler doesn't
support the code generated by gcc 9.1:
Error: junk at end of line `l.movhi r17,gotoffha(.LC0)'
gotoffha is supported by binutils since version 2.32 [1].
It was added by the ork1 gcc port merged into gcc 9.x [2].
So, for or1k we can select gcc 9.x only if binutils 2.32
(or later) is selected.
Tested using qemu_or1k_defconfig and selecting musl libc,
binutils 2.32 and gcc 9.1.
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=1c4f3780f7d939402cfe555007ebff45c8e38951
[2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=d61fdfe71cfd42aa6454f2267a48c97820918fe3
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Waldemar Brodkorb <mail@waldemar-brodkorb.de>
[Arnout: invert the logic, like in the rest of the file]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Add a patch to fix cross-compilation
- Fix the following CVEs:
- SQUID-2019:6 (CVE-2019-13345), Jul 12, 2019
Fixed from 4.8
Multiple Cross-Site Scripting issues in cachemgr.cgi
- SQUID-2019:5 (CVE-2019-12527), Jul 12, 2019
Fixed from 4.8
Heap Overflow issue in HTTP Basic Authentication processing
- SQUID-2019:3 (CVE-2019-12525), Jul 12, 2019
Fixed from 4.8
Denial of Service in HTTP Digest Authentication processing
- SQUID-2019:2 (CVE-2019-12529), Jul 12, 2019
Fixed from 4.8
Denial of Service in HTTP Basic Authentication processing
- SQUID-2019:1 (CVE-2019-12824), Jul 12, 2019
Fixed from 4.8
Denial of Service issue in cachemgr.cgi
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For post-1.12.8 fixes. From the release notes:
go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and
math/big packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2019-14697: musl libc 1.1.23 and earlier x87 float stack imbalance
For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2019/08/05/6
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There is a typo in the handling of the
BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_DISPMANX option: we're adding
dispmax to GST1_PLUGINS_BASE_WINSYS_LIST, which causes the following
build failure:
meson.build:1:0: ERROR: Options "dispmax" are not in allowed choices: "x11, wayland, win32, cocoa, dispmanx, viv-fb, gbm, auto"
We fix this by using the proper option name, "dispmanx" instead of the
slightly incorrect "dispmax".
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
/etc/quagga is listed in QUAGGA_PERMISSIONS, but is only created when
some of the quagga sub-options are enabled. When none of those
sub-options are enabled, /etc/quagga is not created, causing a build
failure when the filesystem images are created:
makedevs: line 1: recursive failed for /home/thomas/projets/outputs/quagga-minimal/build/buildroot-fs/tar/target/etc/quagga: No such file or directory
Since it is too cumbersome to maintain which sub-options exactly lead
to /etc/quagga being created, simply create /etc/quagga
unconditionally. It will simply be empty when the quagga package
doesn't install anything in it.
For the record, here is the list of files installed in /etc/quagga
when all quagga sub-options are enabled:
bgpd.conf.sample bgpd.conf.sample2 isisd.conf.sample
ospf6d.conf.sample ospfd.conf.sample pimd.conf.sample
ripd.conf.sample ripngd.conf.sample vtysh.conf.sample
zebra.conf.sample
Fixes:
http://autobuild.buildroot.net/results/cdb66589909fd3996186f7db7d1f19a3b03d58a0/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
0.49.4, has a heap-based buffer overflow because a certain
"Private->RunningCode - 2" array index is not checked. This will lead
to a denial of service or possibly unspecified other impact.
- Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
triggers a divide-by-zero exception in the decoder function DGifSlurp
in dgif_lib.c if the height field of the ImageSize data structure is
equal to zero.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As spotted by Danomi during review of "libssh2: security bump to version
1.9.0" (https://patchwork.ozlabs.org/patch/1148776), it seems that
the tarball from github and libssh2.org/download are not the same. One
of the difference is that LIBSSH2_VERSION in include/libssh2.h is set to
"1.9.0_DEV" in github tarball whereas it is set to "1.9.0" in
libssh2.org/download.
So switch site to https://www.libssh2.org/download to get "official"
release
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 3e5926555b ("package/{mesa3d,
mesa3d-headers}: bump version to 17.1.2"), the dependency of VC4 on
BR2_arm was changed to BR2_ARM_CPU_HAS_NEON, which the reasoning that
upstream commit
https://cgit.freedesktop.org/mesa/mesa/commit/?h=17.1&id=4d30024238efa829cabc72c1601beeee18c3dbf2
made NEON mandatory. However, this commit (including its commit log)
clearly shows that there is compile-time detection on whether you're
using ARMv6 or ARMv7, and simply says there is no runtime detection
for that (which usually isn't very important in the context of
Buildroot). So, the VC4 driver can be used on ARMv6
RaspberryPis. Therefore, this commit reverts to the BR2_arm
dependency.
Note: while there are some ARMv7 without NEONs, all ARMv7 RaspberryPi
platforms do have NEON, so the compile-time checks done in the VC4
driver are good enough.
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=12126
Cc: Sahaj Sarup <sahajsarup@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The pigpio package installs programs and libraries to target, but does
not install the libraries and its headers to staging, while they may
be used by other packages. Let's install them, as was requested in bug
Fixes:
https://bugs.busybox.net/show_bug.cgi?id=11741
Cc: vishalbhalani89@gmail.com
Cc: ivan.nazarenko@gmail.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
