Commit message | Author | Age | Files | Lines
* Update for 2017.05.2 (refs: 2017.05.2, 2017.05.x) | Peter Korsgaard | 2017-07-27 | 2 | -2/+25
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* tcpdump: security bump to 4.9.1 | Thomas De Schampheleire | 2017-07-26 | 2 | -3/+3
  Fixes CVE-2017-11108/Fix bounds checking for STP

  Changelog: http://www.tcpdump.org/tcpdump-changes.txt

  [Peter: add signature link as suggested by Baruch]
  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit e58888571416c78eb3fad74e364418e33acbd94e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* webkitgtk: security bump to version 2.16.6 | Peter Korsgaard | 2017-07-26 | 2 | -5/+5
  Fixes the following security issues:

  CVE-2017-7018 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7030 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7034 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7037 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7039 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7046 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7048 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7055 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7056 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7061 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  tvOS before 10.2.2 is affected. The issue involves the "WebKit" component.
  It allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via a crafted web site.

  CVE-2017-7064 - An issue was discovered in certain Apple products. iOS
  before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before
  6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected.
  The issue involves the "WebKit" component. It allows attackers to bypass
  intended memory-read restrictions via a crafted app.

  For more details, see the announcement:
  https://webkitgtk.org/2017/07/24/webkitgtk2.16.6-released.html

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Reviewed-by: "Adrian Perez de Castro" <aperez@igalia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit b5582d54a4e0035cf3b9cee57f10906276e8f4d6)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* dieharder: fix link issue with inline function not declared static | Julien Viard de Galbert | 2017-07-25 | 1 | -0/+65
  Fixes:
  http://autobuild.buildroot.net/results/b629754c6a820446ff38df8202ea1ed0041bc4ac
  http://autobuild.buildroot.net/results/e02325e06866618d9d3ee90600dc3326465c56a1
  http://autobuild.buildroot.net/results/c1db73dcb25ea1db4be0f9d6ce2bf2d02f5bd5bb
  http://autobuild.buildroot.net/results/bd93120ee7cbfeb4fe7cbcd7f845f131743caf05
  http://autobuild.buildroot.net/results/273ba504de31bc17fd41e91ee5d6c0b34797a4f9
  http://autobuild.buildroot.net/results/37920b26f9c4853a0d620eb4a33b50b53e548888
  http://autobuild.buildroot.net/results/ee668405ed234fbbd644a01d49e8d9d41d216cf6
  http://autobuild.buildroot.net/results/5b76d62ad03d0cbe483792b32ea14ce7d7432983
  http://autobuild.buildroot.net/results/cf08d42be8fcb659d59288e2cedf3f18b660e8a6
  http://autobuild.buildroot.net/results/e1309fd2eea5daf854f4314b92ec441092239cd5

  Signed-off-by: Julien Viard de Galbert <julien@vdg.name>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 21133ada326c87627f7bdee4493d8086587c3cca)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* orc: update project url | Peter Seiderer | 2017-07-25 | 1 | -1/+1
  The original url http://code.entropywave.com/orc is dead (server not found).

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 036d235ade6a7577493385c97c63c599cdbcb735)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* bind: bump version to bugfix release 9.11.1-P3 | Peter Korsgaard | 2017-07-25 | 2 | -3/+4
  BIND 9.11.1-P3 addresses a TSIG regression introduced in the 9.11.1-P2
  security bump:

  https://lists.isc.org/pipermail/bind-announce/2017-July/001057.html

  Also add a hash for the license file while we're at it.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit c237f1d1c5447af3b967304d7929cf115ea1aa5d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/x265: disable altivec on ppc64 | Bernd Kuhls | 2017-07-25 | 1 | -0/+6
  Disable altivec support until gcc problems are fixed:
  https://bitbucket.org/multicoreware/x265/issues/320/fail-to-build-on-power8-le#comment-34076791

  Fixes
  http://autobuild.buildroot.net/results/419/41910d44ff98c60a6bb9fd3b6a10bd4d0b98d646/

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 4f3fd7460c7cb004cc4f7f75451d3901098910af)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/heimdal: security bump to version 7.4.0 | Bernd Kuhls | 2017-07-25 | 2 | -4/+5
  Fixes security bugs CVE-2017-11103 & CVE-2017-6594

  Changed upstream tarball location as noted in the release notes:
  http://www.h5l.org/releases.html?show=7.4.0

  --with-db-type-preference= is needed to fix a build error:

    CCLD     otp
  ../../lib/otp/.libs/libotp.a(otp_db.o): In function `otp_get_internal':
  otp_db.c:(.text+0x32): undefined reference to `__roken_dbm_fetch'
  otp_db.c:(.text+0xd9): undefined reference to `__roken_dbm_store'
  ../../lib/otp/.libs/libotp.a(otp_db.o): In function `otp_db_open':
  otp_db.c:(.text+0x1c9): undefined reference to `__roken_dbm_open'
  ../../lib/otp/.libs/libotp.a(otp_db.o): In function `otp_db_close':
  otp_db.c:(.text+0x205): undefined reference to `__roken_dbm_close'
  ../../lib/otp/.libs/libotp.a(otp_db.o): In function `otp_delete':
  otp_db.c:(.text+0x23e): undefined reference to `__roken_dbm_delete'
  ../../lib/otp/.libs/libotp.a(otp_db.o): In function `otp_put':
  otp_db.c:(.text+0x388): undefined reference to `__roken_dbm_store'
  collect2: error: ld returned 1 exit status

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 02770ce47d6c358c959410e87c5218170d2e08e7)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/aespipe: fix host compile | Bernd Kuhls | 2017-07-25 | 1 | -0/+10
  Building host-aespipe fails on Debian stretch at linking stage:

  /usr/bin/gcc -L/home/buildroot/br6/output/host/lib -L/home/buildroot/br6/output/host/usr/lib -Wl,-rpath,/home/buildroot/br6/output/host/usr/lib -o aespipe aespipe.o aes-amd64.o md5-amd64.o md5-2x-amd64.o aes-intel64.o sha512.o rmd160.o
  /usr/bin/ld: aes-amd64.o: relocation R_X86_64_32S against `.rodata' can not be used when making a shared object; recompile with -fPIC

  The same problem apparently exists on recent Ubuntu and Gentoo.

  Fix is also used in Debian:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837393

  [Peter: add comment explaining why]
  [Arnout: use host-cc-option to discover if -no-pie is available;
   cfr. 57b628a932b9b4a3c4bf80f4c82a81da5adcb173]
  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 00ecd72c28f103fc7d166f718db81a8b6c4919fa)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/Makefile.in: add host-cc-option macro | Arnout Vandecappelle | 2017-07-25 | 1 | -0/+21
  This macro allows to test if HOSTCC supports a specific option. It is
  needed to pass '-no-pie' on recent Debian, Ubuntu and Gentoo hosts.

  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 91a08ecc998ae232ea6f3525540ed129d8176d18)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* efibootmgr: fix build with gcc 7.x | Thomas Petazzoni | 2017-07-25 | 1 | -0/+51
  Now that the build of efivar with gcc 7.x has been fixed by commit
  0ca30170345a81f5f21e4ef4424b1f186cde1988 ("efivar: fix build with gcc
  7"), efibootmgr fails similarly with gcc 7.x.

  This commit backports an upstream patch that fixes this issue.

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit cefdd6546010e160985de2daa2ef70a952d081f6)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/ffmpeg: disable build of nvidia hardware acceleration support | Bernd Kuhls | 2017-07-25 | 1 | -0/+3
  ffmpeg always enables support for nvenc/cuda even if their support
  libraries are not present:

  External libraries providing hardware acceleration:
  cuda cuvid nvenc
  [...]
  Enabled hwaccels:
  h264_cuvid mjpeg_cuvid mpeg2_cuvid vc1_cuvid vp9_cuvid hevc_cuvid mpeg1_cuvid mpeg4_cuvid vp8_cuvid

  This leads to a crash in freeswitch git master when transcoding video
  streams on a system without nvidia hardware:

  2017-07-22 15:06:27.306760 [INFO] avcodec.c:1077 initializing encoder 352x288
  2017-07-22 15:06:27.306760 [NOTICE] avcodec.c:828 NVENC HW CODEC ENABLED

  This patch disables the support of nvidia hardware acceleration support
  for now until the needed packages are added to buildroot. For details
  about this please refer to https://developer.nvidia.com/ffmpeg

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 3b6fa452f6ee20f54e47fdc3106620ff258f13b7)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/ffmpeg: add optional support for alsa-lib | Bernd Kuhls | 2017-07-25 | 1 | -0/+6
  ffmpeg has optional support for alsa as input and/or output device:
  http://git.videolan.org/?p=ffmpeg.git;a=blob;f=configure;h=23823e3b7012d847b614bd43316fb614676bedb2;hb=refs/heads/release/3.3#l2987

  Problem was found while fixing
  http://autobuild.buildroot.net/results/7ba/7ba485532fcab74928246a8f95dba7e5eea9d4a5/

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit ca06ba2d2a673cf750ac92a4e61e7cba037a339e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libtirpc: security bump to version 1.0.2 | Bernd Kuhls | 2017-07-25 | 7 | -78/+13
  Fixes CVE-2017-8779:
  http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commitdiff;h=dd9c7cf4f8f375c6d641b760d124650c418c2ce3

  Rebased patches 0001, 0002 & 0006.
  Removed patch 0007, applied upstream:
  http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=4f1503e84b2f7bd229a097335e52fb8203f5bb0b
  Renumbered patch 0008.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 49a2bb396c95ba9ae66cd11fc175bb687449364c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libtirpc: Fix build error due to missing stdint.h inclusion | Dmitrii Kolesnichenko | 2017-07-25 | 1 | -0/+31
  Add patch to fix following error:
  | ../../libtirpc-1.0.1/src/xdr_sizeof.c:93:13: error: 'uintptr_t' undeclared (first use in this function); did you mean '__intptr_t'?
  |   if (len < (uintptr_t)xdrs->x_base) {
  |             ^~~~~~~~~

  This error occurs with the latest glibc master version (during the testing
  I had glibc commit 92bd70fb85bce57ac47ba5d8af008736832c955a), but doesn't
  occur with version 2.25.

  Patch includes stdint.h to provide uintptr_t.

  It has been submitted upstream:
  https://sourceforge.net/p/libtirpc/mailman/message/35850276/

  Signed-off-by: Dmitrii Kolesnichenko <dmitrii@synopsys.com>
  [Thomas: reformat as Git formatted patch.]
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit b3998dc00ff26c4848b4439ba301502faf8f1995)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libmemcached: fix build with gcc 7.x | Thomas Petazzoni | 2017-07-25 | 1 | -0/+30
  This commit adds a patch to the libmemcached package that fixes the
  build with gcc 7.x. Since libmemcached is barely maintained upstream,
  the patch comes from the Fedora packages.

  Fixes:
  http://autobuild.buildroot.net/results/872b8e0e6a24cbc96e3ad9e0b8b47acdf6160ce0/

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 8786ac28058aa553cfa8adc176952143af630af6)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* collectd: fix build with gcc 7.x | Thomas Petazzoni | 2017-07-25 | 1 | -0/+87
  This commit backports an upstream collectd patch that fixes a build
  issue with gcc 7.x.

  Fixes:
  http://autobuild.buildroot.net/results/2441e2a69d013a6376a90d375e15991e8cb816bd/

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 9ac88f318a9cdc4cdc1bcfe6a190b46b650cb3cc)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 11, 12}.x series | Fabio Estevam | 2017-07-25 | 1 | -3/+3
  [Peter: Drop 4.12.x bump]
  Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 6e97747666a4e9b73fba332437a1b9a3f6472b1b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* webkitgtk: Remove patch unneeded for the current version | Adrián Pérez de Castro | 2017-07-25 | 1 | -53/+0
  Version 2.16.5 of WebKitGTK+ already includes the fix added by the removed
  patch, which is now unneeded.

  Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 6b2804f396ad27e1d99079a8d1fbe1f51cb4cf5d)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-zigbee: fix build with gcc 7 | Baruch Siach | 2017-07-25 | 1 | -0/+1
  Disable -Werror to avoid the fatal result of new gcc 7 format string
  warnings.

  Fixes:
  http://autobuild.buildroot.net/results/29c/29c72bc38042305310576be945c721b2fad95894/
  http://autobuild.buildroot.net/results/a7d/a7d38d72834b94291eaff159da277b11e2f9d63a/
  http://autobuild.buildroot.net/results/cfe/cfed5176075f0cb9e2f56ebef10f5d6c352baf10/

  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit e1bebe18e54ad634bd6151445f009aa53038d765)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* uboot-tools: disable libfdt swig wrapper for host | Jörg Krause | 2017-07-21 | 1 | -1/+5
  Commit f4891c398e599f18bbf41eb33885930431f5e1c8 [1] added a workaround to
  disable the build of the python libfdt module if swig is available on the
  host. This workaround is also necessary when building the host uboot-tools.

  Note, that the issue was introduced in upstream commit
  1905c8fc711a527ff10550425498bc77e4db9ac3 [2] and released in version U-Boot
  version 2017.03 and fixed in version 2017.07 (see [3]).

  [1] https://git.busybox.net/buildroot/commit/package/uboot-tools?h=master&id=f4891c398e599f18bbf41eb33885930431f5e1c8
  [2] http://git.denx.de/?p=u-boot.git;a=commit;h=1905c8fc711a527ff10550425498bc77e4db9ac3
  [3] http://patchwork.ozlabs.org/patch/787412/

  Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
  Acked-by: Matt Weber <matthew.weber@rockwellcollins.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* .gitlab-ci.yml: use the Buildroot CI image published on Docker Hub | Arnout Vandecappelle | 2017-07-20 | 2 | -24/+2
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit d2a151cea0a9066015b9e6c1fb714a84faffec0f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* protobuf: don't download patch from Github | Carlos Santos | 2017-07-20 | 3 | -3/+145
  Patches downloaded from Github are not stable, so bring them in the
  tree.

  Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* iproute2: correct license | Baruch Siach | 2017-07-19 | 1 | -1/+1
  Source files license headers include the GPL "or ... any later version"
  language.

  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit b1b962274bb363eeba492d3a3f4fc1ff3ea252c1)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* arch/arm: fix -mcpu default values for AArch64 | Yann E. MORIN | 2017-07-19 | 1 | -9/+3
  We have to specify the -mcpu value, even in 64-bit mode.

  For AArch64, +fp and +simd are the default, so they are totally useless.

  Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  Cc: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 9d06e91df85a2f02dd10dcac6a37a19da11b13aa)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* expat: fix build on and for kernel older than 3.17 | Baruch Siach | 2017-07-19 | 1 | -0/+9
  The expat build system now fails when the getrandom() system call is not
  supported. This affects both host and target builds. Define
  XML_POOR_ENTROPY for target kernels older than 3.17 to fix the build. For
  the host package define XML_POOR_ENTROPY unconditionally since we have no
  easy way to know the host kernel version. Note that expat will still use
  getrandom() on the host when it is available, we don't make security any
  worse.

  Fixes (host):
  http://autobuild.buildroot.net/results/928/928dc2b56d931da84055fdfe78929d1f956de53b/
  http://autobuild.buildroot.net/results/ee9/ee90d0a456cbce4c7f22e5f61006612bd9ba30d5/
  http://autobuild.buildroot.net/results/dac/dac7231242123ae3dcaa6bbdd65b44fe8d8cb20c/

  Fixes (target):
  http://autobuild.buildroot.net/results/308/308e830219fdfebb5aa6aef51c1dc784254998f6/
  http://autobuild.buildroot.net/results/73f/73fa946b0a2205e946ad414079f88e4bdb416f00/
  http://autobuild.buildroot.net/results/9d7/9d7bad22ace7fa211b31d752a2255e07cede68be/

  [Peter: also use HOST_CPPFLAGS]
  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 5242701f3aa8426cdf2cc9a176ef06194db93d5f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* expat: security bump to version 2.2.2 | Baruch Siach | 2017-07-19 | 3 | -36/+5
  Changes (security fixes):

  [MOX-006] Fix non-NULL parser parameter validation in XML_Parse;
            resulted in NULL dereference, previously

  Drop upstream patch.

  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit b3eca095003aecde94414fd1f01a831f1af198ec)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* qt5base: fix qthash error attribute(target("+crc")) is unknown | Peter Seiderer | 2017-07-19 | 1 | -0/+44
  Add patch 0005-Fix-error-attribute-target-crc-is-unknown.patch.

  Upstream: https://codereview.qt-project.org/200171

  Fixes buildroot Bug 9916 ([1]).

  [1] https://bugs.busybox.net/show_bug.cgi?id=9916

  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit a9e053b5a8b4195aaddd97db98b0ba3dcf788638)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* binutils/2.27: backport patch to enable CRC instructions on supported ARMv8-A CPUs | Peter Seiderer | 2017-07-19 | 1 | -0/+88
  Signed-off-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit d558ca17138331b1f3a9d780ced07671e0f0a185)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libosip2: add upstream security fix | Peter Korsgaard | 2017-07-19 | 1 | -0/+30
  Fixes CVE-2016-10324 - In libosip2 in GNU oSIP 4.1.0, a malformed SIP
  message can lead to a heap buffer overflow in the osip_clrncpy() function
  defined in osipparser2/osip_port.c.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit d8a806e2b81d6f76fa2636a554cd2fbf2fff38ef)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 11, 12}.x series | Fabio Estevam | 2017-07-19 | 1 | -3/+3
  [Peter: Drop 4.12.x bump]
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit a78c0935d90e10d140326b2757471b16ff8462ca)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* pulseaudio: add optional dependency on bluez5_utils | Calin Crisan | 2017-07-19 | 1 | -0/+1
  The pulseaudio configure script autodetects the presence of bluez 4.x
  and 5.x packages on the system and will exclude the bluetooth-related
  modules in their absence.

  This commit ensures that bluez5_utils, if selected, are installed before
  pulseaudio. The same already happens for bluez_utils (4.x).

  Signed-off-by: Calin Crisan <ccrisan at gmail dot com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 9e03dd1cefffd553def74e0f3955839dd2450208)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* gcc: fix build of libsanitizer in gcc 4.9 and 5.x on PowerPC | Matt Weber | 2017-07-19 | 2 | -0/+72
  libsanitizer in gcc fails to build on PowerPC with gcc versions 4.9 and
  5.x used in conjunction with glibc 2.25, with the following error:

  ../../../../gcc-host/libsanitizer/asan/asan_linux.cc: In function 'bool __asan::AsanInterceptsSignal(int)':
  ../../../../gcc-host/libsanitizer/asan/asan_linux.cc:222:20: error: 'SIGSEGV' was not declared in this scope
       return signum == SIGSEGV && common_flags()->handle_segv;

  This commit adds a patch that has been submitted to upstream gcc
  (https://patchwork.ozlabs.org/patch/725596/) but not merged. The patch
  is no longer needed with gcc 6.x and later because the code has been
  reworked.

  Fixes Buildroot bug #10061

  Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
  [Thomas: rework commit log.]
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 5c90f6a7b68ebdc43ea72b763ec98a0a300c57a1)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/rpi-firmware: install missing library | Yann E. MORIN | 2017-07-19 | 1 | -0/+2
  The vcdbg utility is linked to a few libraries, which so far were all
  provided by the rpi-userland package.

  But a not-so-recent bump of rpi-firmware pulled in a vcdbg that is
  linked to an additional library, which is not provided by rpi-userland,
  so we must install it.

  Reported-by: cluelessperson on #buildroot
  Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit a3da7980eb4744248b0f83e07cfdb42ae82ccf6f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* tiff: add upstream security fix for CVE-2017-10688 | Peter Korsgaard | 2017-07-19 | 1 | -0/+70
  Fixes CVE-2017-10688 - In LibTIFF 4.0.8, there is an assertion abort in the
  TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted
  input will lead to a remote denial of service attack.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 544ac6bca09edabb587db42ccb3ae51df58a3a56)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* tiff: bump version to 4.0.8 | Vicente Olivert Riera | 2017-07-19 | 15 | -763/+2
  Patch 0001 already included in this release:
  https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1

  Patch 0002 already included in this release:
  https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec

  Patch 0003 already included in this release:
  https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20da86

  Patch 0004 already included in this release:
  https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018

  Patch 0005 already included in this release:
  https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7

  Patch 0006 already included in this release:
  https://github.com/vadz/libtiff/commit/48780b4fcc425cddc4ef8ffdf536f96a0d1b313b

  Patch 0007 already included in this release:
  https://github.com/vadz/libtiff/commit/d60332057b9575ada4f264489582b13e30137be1

  Patch 0008 already included in this release:
  https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b

  Patch 0009 already included in this release:
  https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1

  Patch 0010 already included in this release:
  https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122

  Patch 0011 already included in this release:
  https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8

  Patch 0012 already included in this release:
  https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490

  Patch 0013 already included in this release:
  https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4

  Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 3301fbb516992db94e3481690074640d2db9773b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* spice: add upstream security fixes for CVE-2017-7506 | Peter Korsgaard | 2017-07-19 | 3 | -0/+154
  Fixes CVE-2017-7506 - Possible buffer overflow via invalid monitor
  configurations.

  For more details, see:
  https://marc.info/?l=oss-security&m=150001782924095

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  (cherry picked from commit 31bd29fe093a258755929a23d764b02323fcdc46)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/samba4: security bump to version 4.5.12 | Bernd Kuhls | 2017-07-19 | 2 | -2/+2
  Fixes CVE-2017-11103:

  All versions of Samba from 4.0.0 onwards using embedded Heimdal
  Kerberos are vulnerable to a man-in-the-middle attack impersonating
  a trusted server, who may gain elevated access to the domain by
  returning malicious replication or authorization data.

  Samba binaries built against MIT Kerberos are not vulnerable.

  https://www.samba.org/samba/history/samba-4.5.12.html

  [Peter: add CVE info]
  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit f97510659f914ee51c0f32e82664179a69ab17ba)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/pcre: security bump to version 8.41 | Bernd Kuhls | 2017-07-19 | 4 | -83/+2
  Removed patches 0003 & 0004, applied upstream.

  Fixes the following security issues:

  CVE-2017-7244 - The _pcre32_xclass function in pcre_xclass.c in libpcre1 in
  PCRE 8.40 allows remote attackers to cause a denial of service (invalid
  memory read) via a crafted file.

  CVE-2017-7245 - Stack-based buffer overflow in the pcre32_copy_substring
  function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to
  cause a denial of service (WRITE of size 4) or possibly have unspecified
  other impact via a crafted file.

  CVE-2017-7246 - Stack-based buffer overflow in the pcre32_copy_substring
  function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to
  cause a denial of service (WRITE of size 268) or possibly have unspecified
  other impact via a crafted file.

  [Peter: add CVE info]
  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit bc6a84bb3d05e0d752ecf59bb35ac827e9b76185)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libxml-parser-perl: add LICENSE_FILES [Author: Ben Leinweber; Age: 2017-07-19; Files: 1; Lines: -0/+1]
| There is copyright information in the top level README file. Use this
| file as the license file which will be included by the `legal-info`
| build rule.
|
| Signed-off-by: Ben Leinweber <bleinweber@spaceflight.com>
| Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
| Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
| (cherry picked from commit 730da52edc45f2b72fc1d522ff184276d20c8b0d)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{9,11,12}.x series [Author: Fabio Estevam; Age: 2017-07-19; Files: 1; Lines: -2/+2]
| [Drop 4.12.x change]
| Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
| Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
| (cherry picked from commit 8e95c2e9ca72d39823a0ef72c69590da0ca8b140)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: security bump to version 2.4.27 [Author: Bernd Kuhls; Age: 2017-07-19; Files: 2; Lines: -3/+3]
| Fixes the following security issues:
|
| CVE-2017-9788 - Uninitialized memory reflection in mod_auth_digest
|
| The value placeholder in [Proxy-]Authorization headers of type
| 'Digest' was not initialized or reset before or between successive
| key=value assignments by mod_auth_digest.
|
| Providing an initial key with no '=' assignment could reflect the
| stale value of uninitialized pool memory used by the prior request,
| leading to leakage of potentially confidential information, and a
| segfault.
|
| CVE-2017-9789 - Read after free in mod_http2
|
| When under stress, closing many connections, the HTTP/2 handling code
| would sometimes access memory after it has been freed, resulting in
| potentially erratic behaviour.
|
| Announcement: http://www.apache.org/dist/httpd/Announcement2.4.html
| Release notes: http://www.apache.org/dist/httpd/CHANGES_2.4.27
|
| Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
| (cherry picked from commit cf9b7cedac14de7cf5650589bf4c37635b5438a9)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* mpg123: security bump to version 1.25.2 [Author: Peter Korsgaard; Age: 2017-07-19; Files: 2; Lines: -2/+5]
| From the release notes:
|
| - Extend pow tables for layer III to properly handle files with
|   i-stereo and 5-bit scalefactors. Never observed them for real, just
|   as fuzzed input to trigger the read overflow. Note: This one goes on
|   record as CVE-2017-11126, calling remote denial of service. While the
|   accesses are out of bounds for the pow tables, they still are safely
|   within libmpg123's memory (other static tables). Just wrong values
|   are used for computation, no actual crash unless you use something
|   like GCC's AddressSanitizer, nor any information disclosure.
| - Avoid left-shifts of negative integers in layer I decoding.
|
| While we're at it, add a hash for the license file.
|
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
| (cherry picked from commit 474daa20f8da2a677250146e8ee1652206923ee8)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* webkitgtk: select libgcrypt [Author: Adrián Pérez de Castro; Age: 2017-07-19; Files: 2; Lines: -1/+3]
| Libgcrypt is a direct dependency of WebKitGTK+, and as such it
| should be selected.
|
| Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
| Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
| [Thomas: add missing dependency on
| BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS.]
| Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
| (cherry picked from commit b61c805fcaf8980a3dbcd23c444660f7f5327ecf)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* webkitgtk: bump to version 2.16.5 [Author: Adrián Pérez de Castro; Age: 2017-07-19; Files: 2; Lines: -5/+5]
| This simply updates to the latest stable release. WebKitGTK+ versions
| in the 2.1x series avoid bumping the dependencies in order to allow
| distributions to provide updates, therefore no new dependencies are
| needed.
|
| Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
| (cherry picked from commit 23c0872442e025dd2fc6f143c1bbce6a5a7c0964)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* php: security bump to version 7.1.7 [Author: Peter Korsgaard; Age: 2017-07-19; Files: 2; Lines: -2/+5]
| Fixes the following security issues:
|
| CVE-2017-7890 - Buffer over-read into uninitialized memory. The GIF
| decoding function gdImageCreateFromGifCtx in gd_gif_in.c (which can be
| reached with a call to the imagecreatefromstring() function) uses
| constant-sized color tables of size 3 * 256, but does not zero-out
| these arrays before use.
|
| CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228,
| CVE-2017-9229 - Out-of-bounds access in oniguruma regexp library.
|
| CVE-2017-11144 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x
| before 7.1.7, the openssl extension PEM sealing code did not check the
| return value of the OpenSSL sealing function, which could lead to a
| crash of the PHP interpreter, related to an interpretation conflict
| for a negative number in ext/openssl/openssl.c, and an OpenSSL
| documentation omission.
|
| CVE-2017-11145 - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x
| before 7.1.7, lack of a bounds check in the date extension's
| timelib_meridian parsing code could be used by attackers able to
| supply date strings to leak information from the interpreter, related
| to an ext/date/lib/parse_date.c out-of-bounds read affecting the
| php_parse_date function.
|
| CVE-2017-11146 - In PHP through 5.6.31, 7.x through 7.0.21, and 7.1.x
| through 7.1.7, lack of bounds checks in the date extension's
| timelib_meridian parsing code could be used by attackers able to
| supply date strings to leak information from the interpreter, related
| to ext/date/lib/parse_date.c out-of-bounds reads affecting the
| php_parse_date function. NOTE: this vulnerability exists because of
| an incomplete fix for CVE-2017-11145.
|
| While we're at it, add a hash for the license file.
|
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
| (cherry picked from commit 91f4c9d41209a19d16c9b7813facdea2e32e2015)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/php: bump version to 7.1.6 [Author: Bernd Kuhls; Age: 2017-07-19; Files: 2; Lines: -2/+2]
| Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
| Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
| (cherry picked from commit 0b5d531e6d6c79d4165d4f8f2d1e1d848bfcf7a6)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* xserver_xorg-server: add upstream security fixes for CVE-2017-10971 / 10972 [Author: Peter Korsgaard; Age: 2017-07-19; Files: 12; Lines: -0/+615]
| Add upstream patches fixing the following security issues:
|
| CVE-2017-10971:
| The endianness handling for X Events assumed a fixed size of X Event
| structures and had a specific 32 byte stack buffer for that.
|
| However "GenericEvents" can have any size, so if the events were sent
| in the wrong endianness, this stack buffer could be overflowed easily.
|
| So authenticated X users could overflow the stack in the X Server and
| with the X server usually running as root gaining root privileges.
|
| CVE-2017-10972:
| An information leak out of the X server due to an uninitialized stack
| area when swapping event endianness.
|
| For more details, see the advisory:
| http://www.openwall.com/lists/oss-security/2017/07/06/6
|
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
| (cherry picked from commit 2015d83dd5dbc6832df9d1082a58b7cc0b9fb0ab)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* efivar: fix build with gcc 7 [Author: Baruch Siach; Age: 2017-07-19; Files: 1; Lines: -0/+47]
| Add upstream patch fixing a warning that breaks the build because of
| -Werror.
|
| Fixes:
| http://autobuild.buildroot.net/results/33a/33adc3ef139d6814aef4c92ae0bcc4c810ab0b86/
| http://autobuild.buildroot.net/results/e7d/e7d80e823e13edc6698148244553bd90367bcd03/
| http://autobuild.buildroot.net/results/3b6/3b61246f8b04a332d1c61732f0eb6e50ea8ca366/
|
| Cc: Erico Nunes <nunes.erico@gmail.com>
| Signed-off-by: Baruch Siach <baruch@tkos.co.il>
| Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
| (cherry picked from commit 0ca30170345a81f5f21e4ef4424b1f186cde1988)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* manual: patches are not applied for SITE_METHOD = local [Author: Arnout Vandecappelle; Age: 2017-07-19; Files: 2; Lines: -1/+5]
| We had several remarks on the mailing list of users that were surprised
| that patches were not applied for packages whose SITE_METHOD is local.
| So document this.
|
| Note that for OVERRIDE_SRCDIR itself it is already documented:
|
|   When Buildroot finds that for a given package, an
|   <pkg>_OVERRIDE_SRCDIR has been defined, it will no longer attempt to
|   download, extract and patch the package. Instead, it will directly
|   use the source code available in the specified directory.
|
| Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
| Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
| (cherry picked from commit 0611045c42373f0049a5f95bcbea91bbb22b0e27)
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com>