Commit message | Author | Age | Files | Lines
...
* config-fragments: drop old crosstool-ng toolchains | Peter Korsgaard | 2019-03-17 | 8 | -83/+1
    These toolchains are very old and cause a number of autobuilder failures that don't happen with more recent toolchains:

    Fixes (glibc 2.18 does not provide O_TMPFILE): http://autobuild.buildroot.net/results/c49e8361a1d4406eefd8fc1b35c8e5b061aa403b
    Fixes (x86 toolchain built without libquadmath): http://autobuild.buildroot.net/results/2d9724f169ccd60c7feb1cb549f1e2e1e9219ac3/

    Use Codesourcery ARM toolchain (GCC 4.8.3) to provide a test with an old GCC version.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit d9874121479e9c7f7dae6e755760615de85bd181)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* go: explicitly disable modules to avoid unintended network lookup | Christian Stewart | 2019-03-17 | 1 | -0/+2
    Go "modules" refers to the dependency fetching, verification (hashing), and version control system built into Go as of 1.11.

    It is not desirable to have Go modules enabled in Buildroot in the normal case, as Buildroot manages downloading the sources, and third party dependency managers are typically not used.

    In the absence of the GO111MODULE environment variable, the Go compiler will correctly compile using the "vendor" version of dependencies downloaded by Buildroot during the compilation process for Go-based packages.

    However, if the user sets the GO111MODULE=on environment variable, the Go compiler will download the Go dependencies for Buildroot packages, using the modules system. This is potentially unintended behavior from user environment variables.

    This commit sets the GO111MODULE=off variable in the Go target and host compilation environments, disabling Go modules support for Buildroot mainline packages.

    Signed-off-by: Christian Stewart <christian@paral.in>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit f7a2870dd1fef9ee41e78ea1bcbb2ec61e82eb67)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libraw: security bump to version 0.19.2 | Fabrice Fontaine | 2019-03-17 | 2 | -4/+4
    - Fixes CVE-2018-5815 and CVE-2018-5816
    - README has been renamed into README.md

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 23fd8458fd55166044a476934f51ba3d29fb1745)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/devmem2: Fix DEVMEM2_SITE variable | Xavier Ruppen | 2019-03-17 | 2 | -2/+2
    The old free-electrons.com URL does not seem to work anymore, resulting in the package failing to build. Use bootlin.com instead.

    Signed-off-by: Xavier Ruppen <xruppen@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 408b48b5c58e478a615e50f94989576c133ea8d1)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19, 20}.x series | Peter Korsgaard | 2019-03-17 | 2 | -6/+6
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit cbf1d861fadb491eee6e3686019d8f67d7f4ad85)
    [Peter: drop 4.19.x/4.20.x bump]
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/runc: blacklist Codesourcery ARM toolchain | Peter Korsgaard | 2019-03-17 | 3 | -0/+6
    Fixes: http://autobuild.buildroot.net/results/018e309caa0fc662aa2993e47b2037fb6c569011/

    This toolchain uses glibc 2.18, which does not provide O_TMPFILE support.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit ce76a989022baa6395b874ed44b9246bba053f8a)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* runc: depend on linux headers >= 3.11 for O_TMPFILE | Christian Stewart | 2019-03-17 | 3 | -5/+11
    Fixes: http://autobuild.buildroot.net/results/63e9d88ae5177541be463f1e2aafec59aa410479

    Add dependency on headers >= 3.11 for O_TMPFILE, used by runc after the fix for CVE-2019-5736 and propagate to the reverse dependencies of runc.

    Notice that C library support for O_TMPFILE is also needed, which was added in glibc 2.19 and musl 0.9.15.

    Signed-off-by: Christian Stewart <christian@paral.in>
    [Peter: squash series, extend commit message, mention C library dependency, fix indentation]
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 905e976a6af224b3ed015c46fcea2d717c155f55)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/systemd: add upstream security fixes | Baruch Siach | 2019-03-16 | 2 | -0/+247
    CVE-2019-6454: systemd (PID1) crash with specially crafted D-Bus message from unprivileged user

    Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com>
    Cc: Yann E. MORIN <yann.morin.1998@free.fr>
    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit c12b32ba46bf959d884af7340c24f3981a34693f)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/iproute2: backport patch to fix compilation under glibc < 2.18 | Thomas De Schampheleire | 2019-03-16 | 1 | -0/+39
    When compiling iproute2 using a toolchain containing glibc 2.17 and older, it fails due to a missing definition of AF_VSOCK.

    Add a submitted and accepted upstream patch to fix this issue.

    Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
    Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit a669c0f2f58e47bef4b7c2863cd1ee587befb662)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/botan: link with libatomic when needed | Fabrice Fontaine | 2019-03-15 | 1 | -0/+7
    On some architectures, atomic built-ins are provided by the libatomic library from gcc. Linking with libatomic is therefore necessary, otherwise the build fails with:

        sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line

    This is often for example the case on sparcv8 32 bit.

    Fixes:
    - http://autobuild.buildroot.org/results/a442734c570e4a02854014d831ba3aab9f592430

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit ae7ba64501a7f2bb80dd5b2ea99fae747cc8b1eb)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/tor: security bump to 0.3.4.11 | Peter Korsgaard | 2019-03-15 | 2 | -2/+2
    Release notes: https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312

    Fixes CVE-2019-8955: KIST can write above outbuf highwater mark
    https://trac.torproject.org/projects/tor/ticket/29168

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gdb: disable inprocess-agent in static build | Fabrice Fontaine | 2019-03-13 | 1 | -0/+5
    Fixes:
    - http://autobuild.buildroot.org/results/b40bdbca6669a81301fca523e982dbc9584a4e65

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 2a01a328195090c45d2b2407680cbf567f547643)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/perl: security bump to version 5.26.3 | Peter Korsgaard | 2019-02-25 | 2 | -8/+8
    Fixes the following security issues:

    - [CVE-2018-12015] Directory traversal in module Archive::Tar
    - [CVE-2018-18311] Integer overflow leading to buffer overflow and segmentation fault
    - [CVE-2018-18312] Heap-buffer-overflow write in S_regatom (regcomp.c)
    - [CVE-2018-18313] Heap-buffer-overflow read in S_grok_bslash_N (regcomp.c)
    - [CVE-2018-18314] Heap-buffer-overflow write in S_regatom (regcomp.c)

    For more details, see perldelta: https://metacpan.org/changes/release/SHAY/perl-5.26.3

    Bump perlcross to 1.2.2 for perl 5.26.3 support.

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gcc: enable __cxa_atexit | Alexey Brodkin | 2019-02-24 | 1 | -1/+1
    This is what GCC manual says [1]:
    -------------------------->8----------------------
    --enable-__cxa_atexit

    Define if you want to use __cxa_atexit, rather than atexit, to register C++ destructors for local statics and global objects. This is essential for fully standards-compliant handling of destructors, but requires __cxa_atexit in libc. This option is currently only available on systems with GNU libc ...
    -------------------------->8----------------------

    Important disadvantages of a simple atexit() are that [2]:
    -------------------------->8----------------------
    1999 C Standard only requires that the implementation support 32 registered functions, although most implementations support many more. More important it does not deal at all with the ability in most implementations to remove DSOs from a running program image by calling dlclose prior to program termination.
    -------------------------->8----------------------

    Also it seems like all libc's we support in Buildroot (Glibc, uClibc and musl) support __cxa_at_exit() so enable it unconditionally.

    FWIW if we look around we'll see:
    1. In OpenEmbedded it is enabled for everything except gcc-cross-initial: [3], [4]
    2. In Crosstool-NG it is enabled by default: [5]
    3. In OpenWrt it is disabled only for uClibc, otherwise enabled: [6]

    So I think we should be good with it as well.

    [1] https://gcc.gnu.org/install/configure.html
    [2] https://itanium-cxx-abi.github.io/cxx-abi/abi.html#dso-dtor-motivation
    [3] https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-devtools/gcc/gcc-configure-common.inc#L59
    [4] https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-devtools/gcc/gcc-cross-initial.inc#L23
    [5] https://github.com/crosstool-ng/crosstool-ng/blob/master/config/cc/gcc.in#L270
    [6] https://github.com/openwrt/openwrt/blob/master/toolchain/gcc/common.mk#L170

    Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
    Cc: Nicolas Cavallari <Nicolas.Cavallari@green-communications.fr>
    Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    Cc: Mark Corbin <mark.corbin@embecosm.com>
    Cc: Romain Naour <romain.naour@gmail.com>
    Cc: Peter Korsgaard <peter@korsgaard.com>
    Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
    Cc: Claudiu Zissulescu <claziss@synopsys.com>
    Cc: Cupertino Miranda <cmiranda@synopsys.com>
    Cc: Vineet Gupta <vgupta@synopsys.com>
    Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 3e53b5198349c4d31f59c95aefece14ed6543933)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* Update for 2018.11.3 [2018.11.3] | Peter Korsgaard | 2019-02-23 | 2 | -2/+32
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* board/pc: fix typo in board/pc/post-build.sh | Grégoire Delattre | 2019-02-23 | 1 | -1/+1
    Signed-off-by: Grégoire Delattre <gregoire.delattre@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 9f1256e1aae0a1e91e033d51b968415adec117bf)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/reaver: fix build on m68k | Fabrice Fontaine | 2019-02-23 | 1 | -0/+32
    Fixes:
    - http://autobuild.buildroot.org/results/935c038b921ffa0f185571de41223e4c201e964b

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 26d072978982137c9f09abe3c7bfbfd2a13efc64)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: security bump to version 9.11.5-P4 | Peter Korsgaard | 2019-02-23 | 2 | -5/+5
    Fixes the following security issues:

    - named could crash during recursive processing of DNAME records when deny-answer-aliases was in use. This flaw is disclosed in CVE-2018-5740. [GL #387]

    - When recursion is enabled but the allow-recursion and allow-query-cache ACLs are not specified, they should be limited to local networks, but they were inadvertently set to match the default allow-query, thus allowing remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]

    - Code change #4964, intended to prevent double signatures when deleting an inactive zone DNSKEY in some situations, introduced a new problem during zone processing in which some delegation glue RRsets are incorrectly identified as needing RRSIGs, which are then created for them using the current active ZSK for the zone. In some, but not all cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 chain, but incompletely -- this can result in a broken chain, affecting validation of proof of nonexistence for records in the zone. [GL #771]

    - named could crash if it managed a DNSSEC security root with managed-keys and the authoritative zone rolled the key to an algorithm not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]

    - named leaked memory when processing a request with multiple Key Tag EDNS options present. ISC would like to thank Toshifumi Sakaguchi for bringing this to our attention. This flaw is disclosed in CVE-2018-5744. [GL #772]

    - Zone transfer controls for writable DLZ zones were not effective as the allowzonexfr method was not being called for such zones. This flaw is disclosed in CVE-2019-6465. [GL #790]

    For more details, see the release notes: http://ftp.isc.org/isc/bind9/9.11.5-P4/RELEASE-NOTES-bind-9.11.5-P4.html

    Change the upstream URL to HTTPS as the webserver uses HSTS:

        >>> bind 9.11.5-P4 Downloading
        URL transformed to HTTPS due to an HSTS policy

    Update the hash of the license file to account for a change of copyright year:

        -Copyright (C) 1996-2018 Internet Systems Consortium, Inc. ("ISC")
        +Copyright (C) 1996-2019 Internet Systems Consortium, Inc. ("ISC")

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 12f644e2c52336579df74ac59089dc2aa0469c2b)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/unzip: add security and bug fix patches from Debian | Baruch Siach | 2019-02-23 | 2 | -0/+28
    Debian bug #741384: Buffer overflow
    Debian bug #744212: Buffer overflow
    CVE-2014-8139: CRC32 verification heap-based overflow
    CVE-2014-8140: Out-of-bounds write issue in test_compr_eb()
    CVE-2014-8141: Out-of-bounds read issues in getZip64Data()
    CVE-2014-9636: Heap overflow
    CVE-2015-7696: Heap overflow when extracting password-protected archive
    CVE-2015-7697: Infinite loop when extracting password-protected archive
    Red Hat Bugzilla #1260944: Unsigned overflow on invalid input
    Debian bug #842993: Do not ignore Unix Timestamps
    CVE-2014-9913: Buffer overflow
    CVE-2016-9844: Buffer overflow in zipinfo
    CVE-2018-1000035: Buffer overflow in password protected ZIP archives

    Cc: Luca Ceresoli <luca@lucaceresoli.net>
    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 872561cd5b35d0516338cd2530a4ac1236d3efb1)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dtc: additional fix of include guards for older u-boot | Thomas De Schampheleire | 2019-02-22 | 1 | -4/+20
    With recent dtc but old u-boot, compilation issues occur related to libfdt. These problems really are a u-boot issue since it does not properly set include paths so that its own headers are included. Nevertheless, since the u-boot version is typically decided by users and stuck at some version provided by a SoC or board vendor, it is not feasible to fix those old versions.

    Instead, already several fixes were made in the past, in Buildroot. See commits:

    c7ffd8a75d5 "package/dtc: fix include guards for older kernel/u-boot"
    f437bf547ca "uboot: fix build for older uboot source trees"
    bf733342324 "uboot: fix build when libfdt-devel is installed system-wide"
    0bf80e4bcd5 "uboot: ensure host includes are searched before system default includes"
    b15a7a62d3f "uboot: revert "uboot: use local libfdt.h""
    baae5156ce3 "uboot: use local fdt headers"
    3a6573ccee2 "uboot: use local libfdt.h"

    Commit c7ffd8a75d55e24d793106eabbb80964ab91081f fixes the problem caused by dtc having changed their include guards from _FOO_H to FOO_H (leading underscore removed). Old u-boot would still use _FOO_H, which (combined with host-dtc headers that use FOO_H) would cause the inclusion of two different copies of the same nominal include file, e.g. libfdt.h or libfdt_env.h, causing 'error: redefinition of xxx' compilation issues. The fix sets the 'new' include guard when the 'old' one is detected, preventing a second inclusion of the same nominal file.

    For some u-boot versions, however, this change not only needs to be made in libfdt.h and libfdt_env.h, but also in 'fdt.h'. Update the dtc patch to do just that.

    Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 4c24006b0e403d786c1a2d7bcb4127440cc13b32)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/proftpd: prevent openssl pthread detection | Matt Weber | 2019-02-22 | 1 | -1/+2
    The proftpd configure script doesn't use pkg-config to detect openssl libraries. Instead, it just adds -lcrypto. Since openssl may be linked with pthread, it tries to detect that by calling 'openssl version -f', which gives the arguments with which openssl was compiled.

    Since the openssl executable used is either host-openssl or the system installed openssl, the output of 'openssl version -f' is useless in Buildroot context. If the target toolchain doesn't have threads support, it will wrongly pick up -pthread from host-openssl.

    Fortunately there is a simple workaround: --without-openssl-cmdline says that there is no openssl executable and skips the test, so -pthread is not added.

    It turns out -pthread is never needed, even in static linking cases, because openssl/libressl puts the thread support in a separate object file that only gets linked in if the program actually uses threads (which proftpd doesn't).

    Fixes: http://autobuild.buildroot.net/results/9c25c3cb3cf93b76c0538c5376a803641bf6575b

    Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
    [Rewrite commit log, after additional analysis and testing]
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 51bb23652fbb5597d10cf2dc49948f9405c5619b)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/swupdate: update license files | Fabrice Fontaine | 2019-02-22 | 2 | -3/+7
    COPYING contains only the license for GPL-2.0 so use the new license files that have been added in the Licenses directory since version 2018.03 and https://github.com/sbabic/swupdate/commit/32c1f98eaca69e362be074197f84a59d994c0876

    Also update GPL-2.0+ to "GPL-2.0+ with OpenSSL exception" and add Exceptions file, see: https://github.com/sbabic/swupdate/commit/66d0dbe80f49eb49f8999c9d738579651fc38134

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit d5f4b3621d46b4e8a9e1f6ab6e639dd98da560db)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/imagemagick: fixup help text layout | Yann E. MORIN | 2019-02-22 | 1 | -2/+2
    Signed-off-by: "Yann E. MORIN" <yann.morin@orange.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 858d2e9a27444b6321821a1fd1856564e68d31cc)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: update email address for Gary Bisson | Gary Bisson | 2019-02-22 | 1 | -1/+1
    Signed-off-by: Gary Bisson <bisson.gary@gmail.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 74693e09ae6dc5954839a431b4779dcefaf37a6d)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* systemd: Remove instance name usage in a non-template unit file | Gervais, Francois | 2019-02-22 | 1 | -1/+1
    console-getty.service is not a template unit file (it doesn't have the @ specifier), so %I doesn't get properly expanded in it. Thus, getty startup will fail due to invalid options and no getty prompt is launched on the console.

    Fixes: No getty prompt on boot

    Signed-off-by: Francois Gervais <fgervais@distech-controls.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 77c057939ddb669a65f4f10d9e927ad958d516cb)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/poco: disable build for riscv | Baruch Siach | 2019-02-22 | 1 | -1/+1
    poco does not support the riscv target.

    Fixes:
    http://autobuild.buildroot.net/results/9a8/9a8213c502df53222eafc3ecd2fcfa36db20950b/
    http://autobuild.buildroot.net/results/dd4/dd48cac70e8cb697b42ee51561902df81edcea40/
    http://autobuild.buildroot.net/results/030/030c6cc8e2a59b015f8f3793d76234a2ef4ab772/

    Cc: Yegor Yefremov <yegorslists@googlemail.com>
    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit 0737f48c5f8f502cd16123c5251d4ccaaee900ee)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/postgresql: bump to version 11.2 | Peter Korsgaard | 2019-02-22 | 2 | -6/+6
    Fixes a long standing fsync issue and a number of other bugs:

    https://www.postgresql.org/docs/11/release-11-2.html
    https://wiki.postgresql.org/wiki/Fsync_Errors

    The hash of the license file is only changed due to a year update:

        -Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
        +Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    Reviewed-by: Peter Seiderer <ps.report@gmx.net>
    [Thomas: update commit log to explain why the license file hash has changed, as reported by Peter Seiderer]
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit d04a1efcb56cbdc9b906d375fdebe30f00c9d752)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/log4cplus: link with libatomic when needed | Fabrice Fontaine | 2019-02-22 | 1 | -0/+4
    On some architectures, atomic binutils are provided by the libatomic library from gcc. Linking with libatomic is therefore necessary, otherwise the build fails with:

        sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line

    This is often for example the case on sparcv8 32 bit.

    Fixes:
    - http://autobuild.buildroot.org/results/16e360cb91afff7655f459a3d1fb906ca48f8464

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit a2fee08208b28aa53268721b675172052d26f335)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/xenomai: fix build with gcc 8 | Fabrice Fontaine | 2019-02-22 | 1 | -0/+91
    Fixes:
    - http://autobuild.buildroot.org/results/3a53f54476828ee878602da9adddf1e1e70f7a69

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 85b3d8006be61ba9540cbd684c6d961544e35366)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/safeclib: fix build with gcc 7 | Fabrice Fontaine | 2019-02-22 | 1 | -0/+62
    Fixes:
    - http://autobuild.buildroot.org/results/f4fe6bf54d213ca75bc1f16df61f8f92e648288e

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit ed5aa81b5156fefcf948c1412c3ae3d4f7595fb8)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux: don't check hashes for user-supplied patches | Yann E. MORIN | 2019-02-22 | 1 | -0/+3
    We have virtually no way to know the hashes for user-supplied patches, so we should just ignore them.

    Reported-by: Simon van der Veldt <simon.vanderveldt@gmail.com>
    Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
    Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    Cc: Arnout Vandecappelle <arnout@mind.be>
    Cc: Peter Korsgaard <peter@korsgaard.com>
    Tested-by: Simon van der Veldt <simon.vanderveldt@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 3ae8dab9e91055b6f674b0287bcb8b1aa90d16e0)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/qt5/qt5base: handle sse2/sse3/ssse3/sse4.1/sse4.2/avx/avx2 configuration | Peter Seiderer | 2019-02-22 | 1 | -0/+19
    The Qt configure auto detection (and announced runtime detection feature) fails (see e.g. [1]), so override the configuration with the buildroot determined settings.

    [1] http://lists.busybox.net/pipermail/buildroot/2019-January/241862.html

    Reported-by: David Picard <dplamp@gmx.com>
    Signed-off-by: Peter Seiderer <ps.report@gmx.net>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 8f9009e5bd14fac29038bf6728c1e019d2b2ffc7)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/pulseaudio: fix S50pulseaudio init script | Peter Seiderer | 2019-02-22 | 1 | -2/+9
    - fix the following start warnings:

        W: [pulseaudio] main.c: Running in system mode, but --disallow-exit not set.
        W: [pulseaudio] main.c: Running in system mode, but --disallow-module-loading not set.
        N: [pulseaudio] main.c: Running in system mode, forcibly disabling SHM mode.
        N: [pulseaudio] main.c: Running in system mode, forcibly disabling exit idle time.

    - fix the following stop error:

        E: [pulseaudio] main.c: Failed to kill daemon: No such process

    Signed-off-by: Peter Seiderer <ps.report@gmx.net>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 597b529927db0b43f9f0d533c27ddfcae4845c9f)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/madplay: fix static build | Fabrice Fontaine | 2019-02-21 | 2 | -2/+26
    Add a patch to use pkg-config to find id3tag dependency (-lz)

    Fixes:
    - http://autobuild.buildroot.org/results/5e4882ddacf205a92a3ff1e79649cf16e4b6c0ae

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    [Arnout: add comment to AUTORECONF to refer to the patch]
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit da304a832b9a0f5f5ef62c244f67e5f5ae39748e)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libid3tag: fix id3tag.pc | Fabrice Fontaine | 2019-02-21 | 1 | -0/+1
    Add -lz to id3tag.pc, this fix is needed to be able to use pkg-config in madplay to find id3tag dependencies

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit aa813cd9ac029a8373070ac2c1479dd9aa32ce59)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libid3tag: add .pc file and install to staging hook | Jörg Krause | 2019-02-21 | 2 | -0/+18
    The MPD project dropped autotools support in version 0.21.x in favor of meson. While adapting the package to the meson build infrastructure, the recognition of libid3tag failed, as only pkg-config is used to detect the library. Note, that the version bump of the mpd package to 0.21.x is not submitted, yet.

    To help finding the build system to detect libid3tag with pkg-config properly, add a .pc file and install it to staging. This is exactly what Debian and Fedora do as well.

    Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    (cherry picked from commit d6b68e6b6a81985ff5bcb9836d0d02c1fbed3e47)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/madplay: add hash for license files | Fabrice Fontaine | 2019-02-21 | 1 | -0/+2
    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit c4211a7d64a7756bee15b88e8211511d5bbd4c27)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/madplay: needs autoreconf | Fabrice Fontaine | 2019-02-21 | 3 | -110/+20
    madplay uses a very old configure script.

    When the toolchain lacks C++ and the build machine lacks /lib/cpp, this old configure script fails because it can't find a C++ preprocessor that is valid:

        checking for arm-buildroot-linux-uclibcgnueabi-g++... no
        checking whether we are using the GNU C++ compiler... no
        checking whether no accepts -g... no
        checking dependency style of no... none
        checking how to run the C++ preprocessor... /lib/cpp
        configure: error: C++ preprocessor "/lib/cpp" fails sanity check
        See `config.log' for more details.

    This is yet another case that was tentatively fixed by bd39d11d2e (core/infra: fix build on toolchain without C++), further amended by 4cd1ab15886 (core: alternate solution to disable C++).

    However, this only works on libtool scripts that are recent enough, and thus we need to autoreconf to get it.

    We also need to patch configure.ac so that it does not fail on the missing, GNU-specific files: NEWS, AUTHORS, and Changelog.

    Finally, remove also patch on ltmain.sh and MADPLAY_LIBTOOL_PATCH=NO as autoreconf will create an up to date ltmain.sh

    Fixes:
    - http://autobuild.buildroot.org/results/fc927de0e9a42095789fb0a631d5facf14076f6e

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit c05cc5de868cc5af27afdb1451e30fcd1ecb2856)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-django: security bump to version 2.1.7 | Peter Korsgaard | 2019-02-21 | 2 | -4/+4
    Fixes the following security issues:

    CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()

    If django.utils.numberformat.format() – used by contrib.admin as well as the floatformat, filesizeformat, and intcomma templates filters – received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format().

    To avoid this, decimals with more than 200 digits are now formatted using scientific notation.

    https://docs.djangoproject.com/en/2.1/releases/2.1.6/

    2.1.6 contained a packaging error, fixed by 2.1.7:

    https://docs.djangoproject.com/en/2.1/releases/2.1.7/

    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 653f86c0e91847dd8841837b650e2e966b59dd78)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libgpiod: bump version to v1.2.1 | Bartosz Golaszewski | 2019-02-21 | 2 | -2/+2
    This is a bugfix release fixing two problems with C++ bindings.

    Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 92f34e8fe297b740709a32aa49de58985783e95d)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19, 20}.x series | Peter Korsgaard | 2019-02-21 | 2 | -6/+6
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit e4bbdeec9d2a9e46041d48d14fe45dcca03bb480)
    [Peter: drop 4.19.x/4.20.x bump]
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/efivar: needs host gcc >= 4.8 (Thomas Petazzoni, 2019-02-21, 2 files, -4/+9)

  The efivar code compiled for the host machine uses __builtin_bswap16(), which is only available starting from gcc 4.8:

  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=52624

  So let's add a dependency on host gcc >= 4.8 to efivar and its unique reverse dependency, efibootmgr.

  Fixes:
  http://autobuild.buildroot.net/results/48ba906bb6f4dc0c8af43ec11be64f7168dd62fd/

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 2135e869a04e95da2372074884eb3f55fd728352)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling (Peter Korsgaard, 2019-02-21, 1 file, -0/+18)

  For details, see https://github.com/snyk/zip-slip-vulnerability

  Older python versions do not validate that the extracted files are inside the target directory. Detect and error out on evil paths before extracting .zip / .tar file.

  Given the scope of this (zip issue was fixed in python 2.7.4, released 2013-04-06, scanpypi is only used by a developer when adding a new python package), the security impact is fairly minimal, but it is good to get it fixed anyway.

  Reported-by: Bas van Schaik <security-reports@semmle.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit a83e30ad63e00d6c81a6409161c2d3010d98d373)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
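The check described in the scanpypi commit message above, written out as an added example; it is not the code from that commit or from Buildroot. The function names are hypothetical, the sample archives are constructed in memory, and the tar variant goes one step beyond the message by also checking link targets.

```python
import io
import os
import tarfile
import zipfile


def check_inside(dest, name):
    """Raise unless dest/name resolves to a path under dest."""
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"unsafe archive member path: {name!r}")


def safe_extract_zip(data, dest):
    """Validate every member name first, so nothing is written on failure."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            check_inside(dest, name)
        zf.extractall(dest)


def safe_extract_tar(data, dest):
    """Same check for tar, extended to symlink and hardlink targets."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf.getmembers():
            check_inside(dest, m.name)
            if m.issym():  # symlink targets resolve from the member's directory
                check_inside(dest, os.path.join(os.path.dirname(m.name), m.linkname))
            elif m.islnk():  # hardlink targets resolve from the archive root
                check_inside(dest, m.linkname)
        tf.extractall(dest)


# Constructed samples: one-member archives built in memory for the demonstration.
def make_zip(name, payload=b"x"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def make_tar(name, payload=b"x"):
    buf = io.BytesIO()
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    with tarfile.open(fileobj=buf, mode="w") as tf:
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Comparing resolved paths with `os.path.commonpath` rather than a string prefix keeps a sibling directory such as `dest-evil` from passing as being inside `dest`.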
* package/docker-containerd: fix typo in uclibc dependency (Thomas Petazzoni, 2019-02-21, 1 file, -1/+1)

  Commit 6e3f7fbc072c88ab344f2ffa39e402464b566f19 ("package/runc: add upstream security fix for CVE-2019-5736") added a dependency of docker-containerd to uclibc (inherited from runc), but the depends on has a typo that makes it ineffective. Due to this, docker-containerd can still be selected in uClibc configurations, causing runc to be built, and failing to build due to fexecve() being missing in uClibc.

  Fixes:
  http://autobuild.buildroot.net/results/64ecdb1e007106fdb05979b10b42b90591255504/

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 17c7b9337989092ee3659aaa01fb508efd144c16)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/runc: add upstream security fix for CVE-2019-5736 (Peter Korsgaard, 2019-02-21, 4 files, -6/+347)

  The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts:

  * Creating a new container using an attacker-controlled image.
  * Attaching (docker exec) into an existing container which the attacker had previous write access to.

  For more details, see the advisory:

  https://www.openwall.com/lists/oss-security/2019/02/11/2

  The fix for this issue uses fexecve(3), which isn't available on uClibc, so add a dependency on !uclibc to runc and propagate to the reverse dependencies (containerd/docker-engine).

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 6e3f7fbc072c88ab344f2ffa39e402464b566f19)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/runc: bump to version 1.0.0-rc6 (Christian Stewart, 2019-02-21, 2 files, -3/+2)

  Previously, a specific commit hash from the Docker runc.installer was used to determine the required runc version for the Docker Engine.

  This old commit hash used was an untagged pre-1.0.0 release of runc, closer to an earlier release candidate.

  The runc version used in the Debian distribution is not the pinned version previously used by Buildroot. It is the latest release candidate.

  The latest release candidate is known to be compatible with the Docker Engine, and there is no justification for pinning to an older RC anymore.

  This commit bumps to the latest RC, 1.0.0-rc6. A v1.0.0 is expected soon.

  Signed-off-by: Christian Stewart <christian@paral.in>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 247bb52b9c87bbf6535928fdba7df6efd8d165ff)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/ghostscript: add upstream security fixes (Baruch Siach, 2019-02-21, 6 files, -0/+1715)

  CVE-2019-6116: Remote code execution.

  https://www.openwall.com/lists/oss-security/2019/01/23/5

  Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 2e060d64e21a8f4dd8943acdbc3e1e563df13aba)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libarchive: add upstream security fixes (Baruch Siach, 2019-02-21, 2 files, -0/+124)

  CVE-2019-1000019: Crash when parsing some 7zip archives.

  CVE-2019-1000020: A corrupted or malicious ISO9660 image can cause read_CE() to loop forever.

  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 0526c9f7819722b2deebf7a15821689ac4ead56a)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sqlcipher: force libopenssl (Matt Weber, 2019-02-21, 1 file, -0/+1)

  v3.2.0 has a bug in the configure step which causes it to fail when being built against libressl. As libopenssl is selected as the default, the autobuilders have not uncovered this failure. The issue has been confirmed in LTS 2018.02.10 (probably broken prior to that as well) and is not related to the Openssl bump to 1.1.x.

  Thread with more details
  http://lists.busybox.net/pipermail/buildroot/2019-February/243133.html

  Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 886f3109a55dccab3fac884d5f0fecd767edd4f0)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/jpeg-turbo: add upstream security fixes (Baruch Siach, 2019-02-21, 2 files, -0/+90)

  CVE-2018-20330: Integer overflow causing segfault occurred when attempting to load a BMP file with more than 1 billion pixels using the `tjLoadImage()` function.

  CVE-2018-19664: Buffer overrun occurred when attempting to decompress a specially-crafted malformed JPEG image to a 256-color BMP using djpeg.

  Cc: Murat Demirten <mdemirten@yh.com.tr>
  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit f60925beda57b67d0ce9c8bd5fc4b237f09e2024)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>