The 3.5.x has been promoted to stable, hence 3.4.x is deprecated and
3.3.x kept as old-stable.
libdane now specifies LGPLv2.1+ so drop the README kludge (which is also
gone regarding licensing).
libunistring is a new dependency, even though gnutls ships a builtin version
we prefer to use unbundled to avoid duplication with other users and target
size growth.
Fixes:
GNUTLS-SA-2017-01 - It was found using the OSS-FUZZ fuzzer
infrastructure that decoding a specially crafted X.509 certificate with
Proxy Certificate Information extension present could lead to a double
free.
GNUTLS-SA-2017-02 - It was found using the OSS-FUZZ fuzzer
infrastructure that decoding a specially crafted OpenPGP certificate
could lead to heap and stack overflows.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2016-8707 (Fix possible buffer overflow when writing
compressed TIFFS). This CVE fix is included since 7.0.3-9:
http://git.imagemagick.org/repos/ImageMagick/commit/fde5f55af94f189f16958535a9c22b439d71ac93
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 9 Jan 2017 10:56:54 +0000 (11:56 +0100)]
mysql: propagate common dependencies to toplevel config
Commit 3d707d2b (mysql: rename package to oracle-mysql, make a virtual
package) introduced a user selectable virtual BR2_PACKAGE_MYSQL package, but
didn't propagate the (common) dependencies of the two variants to it, so the
virtual package can now be selected even though neither of the variants are
available.
As several packages enable mysql support when BR2_PACKAGE_MYSQL is selected,
this causes a number of autobuilder issues:
Fix it by propagating the common dependencies of the two variants to the
virtual package to ensure it cannot be enabled unless at least one of them
are available.
Also move the toolchain comment outside the conditional so it is visible
when mysql isn't available.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabio Estevam [Sun, 8 Jan 2017 12:18:25 +0000 (10:18 -0200)]
gst1-plugins-bad: Add kmssink support
Add support for the KMS video sink element. From the Gstreamer 1.10
release notes:
"New element kmssink to render video using Direct Rendering Manager (DRM)
and Kernel Mode Setting (KMS) subsystems in the Linux kernel. It is oriented
to be used mostly in embedded systems."
Signed-off-by: Fabio Estevam <festevam@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 9 Jan 2017 08:54:01 +0000 (09:54 +0100)]
qextserialport: really disable target (and not staging) install for static builds
Commit f09b33a0a (qextserialport: fix static build) adjusted the logic for
static builds, but the change contained a typo - It disabled
_INSTALL_STAGING for static builds, not _INSTALL_TARGET.
The autobuilders didn't detect this as nothing links against qextserialport
(so the missing staging install didn't cause issues) and the target install
command was only defined for !static.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Sat, 7 Jan 2017 08:12:17 +0000 (09:12 +0100)]
pkg-perl: set PERL_USE_UNSAFE_INC
Recent perls are built with the `default_inc_excludes_dot` option.
As many CPAN modules rely on '.' in @INC, the toolchain
must set `PERL_USE_UNSAFE_INC`.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Ecore will reach 'upower' using D-Bus system bus in order to detect if
the system state changes and let applications know about the power
state such as low battery or AC power in order to optimize their power
consumption.
For host this is not needed and would not work, since output/host DBus
declares its own output/host/var/run/dbus/system_bus_socket, which has
no dbus-daemon and thus no services in it.
For target it's optional and only installed if BR2_PACKAGE_UPOWER=y,
otherwise it prints error messages about missing upower service.
Peter Korsgaard [Sun, 8 Jan 2017 08:24:50 +0000 (09:24 +0100)]
bash: add upstream fixes to patch level 5
We unfortunately cannot easily download these because of the file names (not
ending in patch) and patch format (p0), so convert to p1 format and include
in package/bash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Marcus Hoffmann [Thu, 5 Jan 2017 19:27:09 +0000 (20:27 +0100)]
docs: Add bc to required tools
We check for bc under required packages. It should be listed as such in the
docs.
Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Sun, 1 Jan 2017 10:07:53 +0000 (12:07 +0200)]
alsa-utils: disable manpages generation from reStructured text
The alsaucm man page rst source file is missing in the tarball. When rst2man
is detected on the host, build fails:
make[2]: *** No rule to make target 'alsaucm.1', needed by 'all-am'. Stop.
Upstream added[1] the missing file to the tarball to fix this issue. But since
we don't need the manpage to begin with, just disable rst2man to shorten build
time by a few milliseconds.
The clamav configure script by default checks for old zlib versions with
known vulnerabilities and errors out if found:
configure: error: The installed zlib version may contain a security bug.
Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this
check with --disable-zlib-vcheck but DO NOT REPORT any stability issues
then!
The check is unfortunately not very robust as it simply checks for a version
string matching '1.2.1' (which 1.2.10 does):
Peter Korsgaard [Tue, 3 Jan 2017 14:42:52 +0000 (15:42 +0100)]
gd: security bump to version 2.2.3
Security related fixes:
This flaw is caused by loading data from external sources (file, custom ctx,
etc) and are hard to validate before calling libgd APIs:
- fix php bug 72339, Integer Overflow in _gd2GetHeader (CVE-2016-5766)
- bug #248, fix Out-Of-Bounds Read in read_image_tga
- gd: Buffer over-read issue when parsing crafted TGA file (CVE-2016-6132)
Using application provided parameters, in these cases invalid data causes
the issues:
- Integer overflow error within _gdContributionsAlloc() (CVE-2016-6207)
- fix php bug 72494, invalid color index not handled, can lead to crash ( CVE-2016-6128)
- improve color check for CropThreshold
The build system now enables -Wall and -Werror by default, so pass
--disable-werror to disable that. Notice that this issue has been fixed
upstream post-2.2.3:
https://github.com/libgd/libgd/issues/339
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 28 Dec 2016 22:18:05 +0000 (23:18 +0100)]
riemann-c-client: new package
Riemann-c-client is a C client library for the Riemann monitoring system,
providing a convenient and simple API, high test coverage and a copyleft
license, along with API and ABI stability.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Eric Le Bihan [Fri, 30 Dec 2016 21:55:10 +0000 (22:55 +0100)]
skalibs: make ld use dummy file when configuring
For some architectures, like Xtensa or HPPA, ld from binutils requires
the output file to be a regular file, as mentioned in a bug report on
the mailing list [1].
So, use a dummy file as output file for ld, instead of /dev/null, when
trying to detect some libraries at configuration time.
Romain Naour [Sat, 31 Dec 2016 15:33:28 +0000 (16:33 +0100)]
package/intltool: remove target variant
The target variant depends on BR2_HOST_ONLY which is just like BROKEN
(i.e not defined anywere). BR2_HOST_ONLY was introduced by [1] back in
2010 and nobody seems to need it. So remove intltool for the target.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Maxime Hadjinlian <maxime.hadjinlian@gmail.com> Reviewed-by: Maxime Hadjinlian <maxime.hadjinlian@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Jörg Krause [Thu, 29 Dec 2016 20:23:40 +0000 (21:23 +0100)]
package/busybox: add patch to fix dependency for IFUPDOWN_UDHCPC_CMD_OPTIONS
Upstream commit a8c696bf09d8151323f6e99348c4bc8989f829c8 makes ifup and
ifdown individually selectable, but forgets to update the dependency to
IFUPDOWN_UDHCPC_CMD_OPTIONS, so it is not selectable anymore.
Add a patch which fixes the dependency by checking for IFUP or IFDOWN,
instead of the obsolete IFUPDOWN.
Commit 44a563dbc04ec8e51c5262201cd1745617055b78 bumps busybox to version
1.26.0, but does not update the minimal configuration file. There is at
least one issue using the old configuration with the newer busybox:
* IFUPDOWN is split into IFUP and IFDOWN in version 1.26.0
Update the minimal configuration file by loading the busybox.config file
and saving it back.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Jörg Krause [Thu, 29 Dec 2016 20:23:38 +0000 (21:23 +0100)]
package/busybox: update configuration file
Commit 44a563dbc04ec8e51c5262201cd1745617055b78 bumps busybox to version
1.26.0, but does not update the configuration file. There is at least
one issue using the old configuration with the newer busybox:
* IFUPDOWN is split into IFUP and IFDOWN in version 1.26.0
Update the configuration file by loading the busybox.config file and
saving it back.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Danomi Manchego [Sat, 24 Dec 2016 01:50:55 +0000 (20:50 -0500)]
luarocks: fix target-finalize hook processing
The LUAROCKS_TARGET_FINALIZE_HOOKS is not running, so detritus is being left
in /usr/lib/luarocks. This is because host-luarocks is built by being a
dependency in the luarocks package infrastructure, not by being selected by
kconfig symbol. This means that the $(PKG)_KCONFIG_VAR in pkg-generic.mk is
not met, and (HOST_)LUAROCKS_TARGET_FINALIZE_HOOKS is not added to the
global TARGET_FINALIZE_HOOKS.
This mod fixes this issue by adding the host-luarocks hook directly
to TARGET_FINALIZE_HOOKS when either lua or luajit is enabled.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>