Thomas Petazzoni [Wed, 10 Jan 2018 19:53:58 +0000 (20:53 +0100)]
package/avahi: fix typo in avahi_tmpfiles.conf
There is an obvious typo in avahi_tmpfiles.conf: avahi-autoipd is
badly spelled.
Fixes bug #10641.
Reported-by: Michael Heinemann <posted@heine.so> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c427ce4d9f54d9b6433969ecb0fc8a4a5a9ba9b5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains mitigations for CVE-2017-5753 and CVE-2017-5715, the
vulnerabilities known as the "Spectre" attack. It also contains a fix
which allows building the reference documentation with newer gtk-doc
versions.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4c5bc08ba3198075dcf6f96b34684d577cfe5a69) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 7 Jan 2018 21:03:18 +0000 (22:03 +0100)]
irssi: security bump to version 1.0.6
From the advisory (https://irssi.org/security/irssi_sa_2018_01.txt):
Multiple vulnerabilities have been located in Irssi.
(a) When the channel topic is set without specifying a sender, Irssi
may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)
CVE-2018-5206 was assigned to this issue.
(b) When using incomplete escape codes, Irssi may access data beyond
the end of the string. (CWE-126) Found by Joseph Bisch.
CVE-2018-5205 was assigned to this issue.
(c) A calculation error in the completion code could cause a heap
buffer overflow when completing certain strings. (CWE-126) Found
by Joseph Bisch.
CVE-2018-5208 was assigned to this issue.
(d) When using an incomplete variable argument, Irssi may access data
beyond the end of the string. (CWE-126) Found by Joseph Bisch.
CVE-2018-5207 was assigned to this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit aebdb1cd4b4034542eb7c50fc4b6a265c5ba5c77) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Wed, 3 Jan 2018 17:39:52 +0000 (18:39 +0100)]
core/infra: fix build on toolchain without C++
Autotools-based packages that do not need C++ but check for it, and use
libtool, will fail to configure on distros that lack /lib/cpp.
This is the case for example on Arch Linux, where expat fails to build
with:
    configure: error: in `/home/dkc/src/buildroot/build/build/expat-2.2.4':
    configure: error: C++ preprocessor "/lib/cpp" fails sanity check
This is because libtool uses AC_PROG_CXXCPP, which can not be avoided,
and does require a cpp that passes some "sanity" checks (does not choke
on valid input, but does choke on invalid input). So we can use neither
/bin/false nor /bin/true...
We instead need something that can digest some basic C++ preprocessor
input. We can't use the target preprocessor: that does not work, because
it obviously has no C++ support:
    arm-linux-cpp.br_real: error: conftest.cpp: C++ compiler not
    installed on this system
We can however consider that the host machine does have a C++ compiler,
so we use the host's cpp, which is gcc's compiler wrapper that ends up
calling the host's C++ preprocessor.
That would give us a valid C++ preprocessor when we don't have one, in
fact. But autotools will then correctly fail anyway, because there is
indeed no C++ compiler at all, as we can see in this excerpt of a
configure log from expat:
    checking whether we are using the GNU C++ compiler... no
    checking whether false accepts -g... no
    checking dependency style of false... none
    checking how to run the C++ preprocessor... cpp
    checking whether the false linker (/home/ymorin/dev/buildroot/O/host/bin/arm-linux-ld) supports shared libraries... yes
    libtool.m4: error: problem compiling CXX test program
    checking for false option to produce PIC... -DPIC
    checking if false PIC flag -DPIC works... no
    checking if false static flag works... no
    checking if false supports -c -o file.o... no
    checking if false supports -c -o file.o... (cached) no
    checking whether the false linker (/home/ymorin/dev/buildroot/O/host/bin/arm-linux-ld) supports shared libraries... yes
So, using the host's C++ preprocessor (by way of gcc's wrapper) leads to
a working situation, where the end result is as expected.
Reported-by: Damien Riegel <damien.riegel@savoirfairelinux.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Damien Riegel <damien.riegel@savoirfairelinux.com>
Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit bd39d11d2eaa679f09ab49fd3e4cd5511a168d1c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-15365 - Replication in sql/event_data_objects.cc occurs before ACL
checks.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ca1f2d266ddba2f530731e91ebbf792638cee8bb) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 12 Oct 2017 23:33:32 +0000 (20:33 -0300)]
coreutils: expand list of files moved from /usr/bin to /bin
BusyBox installs kill, link, mktemp, nice and printenv on /bin, so
ensure that coreutils replaces them.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 443897bce4b01eae98155ac947d3387e6a2f289e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Fri, 29 Dec 2017 20:26:08 +0000 (21:26 +0100)]
tar: do not build SELinux support for host variant
If we don't explicitly disable SELinux support in the host-tar build,
it might pick up system-wide installed SELinux libraries, causing the
tar in HOST_DIR/bin/ to depend on the host SELinux libraries, which is
not desirable to make the SDK portable/relocatable.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 121807c08927c0a0d04c965beb6a8785ea89e47f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sat, 23 Dec 2017 16:15:40 +0000 (17:15 +0100)]
package/matchbox-lib: correctly fix the .pc file
First, the .pc file was so far fixed as a post-configure hook of the
matchbox-fakekey package, by directly tweaking the .pc file installed in
staging by matchbox-lib. That's utterly wrong and bad.
So, we move the fix to matchbox-lib.
Second, it was incorrectly tweaking the .pc file when xlib_libXft was
not enabled, because only then a path to staging was present.
Third, even when xlib_libXft was enabled, the tweaking was still wrong,
because unnecessary.
Fix all that.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 84a2645e5b2600d28d91005937c17bec554dd4d1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Marcus Folkesson [Wed, 27 Dec 2017 12:35:55 +0000 (13:35 +0100)]
libiio: fix libavahi-client dependency
Avahi needs avahi-daemon and D-Bus to build avahi-client.
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 18e00edb7796790b1ac1a0f6982ab8e25e27c691) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 30 Dec 2017 23:34:32 +0000 (00:34 +0100)]
nodejs: security bump to version 6.12.2
Fixes CVE-2017-15896 - Node.js was affected by OpenSSL vulnerability
CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake
failure. The result was that an active network attacker could send
application data to Node.js using the TLS or HTTP2 modules in a way that
bypassed TLS authentication and encryption.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Tue, 26 Dec 2017 13:19:21 +0000 (14:19 +0100)]
package/mfgtools: bump to 0.02
Bump mfgtools to include the fix [1] for the C++ build issue reported
by the autobuilders.
This bump includes only 4 small commits fixing a memory leak and this
build issue.
Remove CPOL.htm (removed upstream) from MFGTOOLS_LICENSE_FILES but the CPOL
license is still valid.
Add the README.txt file to MFGTOOLS_LICENSE_FILES since it contains
licensing information:
Licenses:
- CPOL: MfgToolLib/XmlLite.CPP and XmlLite.h
- BSD: Others.
This is a maintenance release of the current stable WebKitGTK+ version,
which contains fixes for CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, and
CVE-2017-13856. Additionally, this release brings improvements in the
WebDriver spec-compliance, plugs several memory leaks in its GStreamer based
multimedia backend, and fixes a bug when handling cookie removal.
More details about the security fixes are provided in the following
WebKitGTK+ Security Advisory report:
https://webkitgtk.org/security/WSA-2017-0010.html
Last but not least, this new release includes the fix for honoring the
CMAKE_BUILD_TYPE value from CMake toolchain files and the corresponding
patch is removed.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fbf6a483e00a87fb561fa5fe9a423c4a14867f50) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit e7f82694cfe98f659ff08b5834e32f8996ca55c5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 19 Dec 2017 11:56:28 +0000 (12:56 +0100)]
rsync: add upstream security fix for CVE-2017-16548
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
does not check for a trailing '\0' character in an xattr name, which allows
remote attackers to cause a denial of service (heap-based buffer over-read
and application crash) or possibly have unspecified other impact by sending
crafted data to the daemon.
For more details, see:
https://bugzilla.samba.org/show_bug.cgi?id=13112
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7f33f1d848908975b513f852873ae4fdb2702183) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
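The missing check described in the rsync entry above, as an added example that is not rsync's code or part of the original commit: a receiver for a length-prefixed name that rejects input lacking the trailing '\0' before any string function touches it. The record layout (4-byte big-endian length, then the name bytes), `recv_name`, `classify`, `MAX_NAME_LEN` and the sample records are assumptions made for illustration; the embedded-NUL check goes one step beyond what the entry describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound for this example; not a value from rsync. */
#define MAX_NAME_LEN 4096u

enum recv_status {
    RECV_OK = 0,
    RECV_TRUNCATED,       /* input ends before the header or the declared name */
    RECV_BAD_LENGTH,      /* declared length is zero or above MAX_NAME_LEN */
    RECV_NOT_TERMINATED,  /* last declared byte is not '\0' */
    RECV_EMBEDDED_NUL,    /* a '\0' appears before the last declared byte */
    RECV_NO_MEMORY
};

/*
 * Assumed record layout: [4-byte big-endian name_len][name_len bytes], where
 * the sender is expected to count the terminating '\0' in name_len.
 * On RECV_OK, *out is a malloc'd C string and *consumed the bytes used.
 */
enum recv_status recv_name(const uint8_t *buf, size_t buf_len,
                           char **out, size_t *consumed)
{
    *out = NULL;
    *consumed = 0;
    if (buf_len < 4)
        return RECV_TRUNCATED;

    uint32_t name_len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (name_len == 0 || name_len > MAX_NAME_LEN)
        return RECV_BAD_LENGTH;
    if (buf_len - 4 < name_len)   /* subtraction form cannot wrap around */
        return RECV_TRUNCATED;

    const uint8_t *name = buf + 4;
    /* Reject a name whose last byte is not '\0': without this, a later
     * strlen()/strcmp() on the copy would read past the end of the heap block. */
    if (name[name_len - 1] != '\0')
        return RECV_NOT_TERMINATED;
    /* Extra strictness added in this example: the declared length and the
     * C-string length must agree, so no '\0' may appear earlier. */
    if (memchr(name, '\0', name_len - 1) != NULL)
        return RECV_EMBEDDED_NUL;

    char *copy = malloc(name_len);
    if (copy == NULL)
        return RECV_NO_MEMORY;
    memcpy(copy, name, name_len);
    *out = copy;
    *consumed = 4 + (size_t)name_len;
    return RECV_OK;
}

/* Convenience wrapper: parse one record, free the copy, return the verdict. */
enum recv_status classify(const uint8_t *buf, size_t buf_len)
{
    char *name;
    size_t used;
    enum recv_status st = recv_name(buf, buf_len, &name, &used);
    free(name);
    return st;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {          /* "user.comment" + '\0' */
    0, 0, 0, 13, 'u','s','e','r','.','c','o','m','m','e','n','t', 0 };
static const uint8_t SAMPLE_UNTERMINATED[] = {  /* same name, no '\0' sent */
    0, 0, 0, 12, 'u','s','e','r','.','c','o','m','m','e','n','t' };
static const uint8_t SAMPLE_SHORT[] = {         /* claims 64 bytes, sends 5 */
    0, 0, 0, 64, 'u','s','e','r', 0 };
static const uint8_t SAMPLE_EMBEDDED[] = {      /* '\0' in the middle */
    0, 0, 0, 6, 'a', 0, 'b','c','d', 0 };
static const uint8_t SAMPLE_ZERO[] = { 0, 0, 0, 0 };

int main(void)
{
    printf("good:         %d\n", classify(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("unterminated: %d\n", classify(SAMPLE_UNTERMINATED, sizeof SAMPLE_UNTERMINATED));
    printf("short:        %d\n", classify(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    printf("embedded NUL: %d\n", classify(SAMPLE_EMBEDDED, sizeof SAMPLE_EMBEDDED));
    printf("zero length:  %d\n", classify(SAMPLE_ZERO, sizeof SAMPLE_ZERO));
    return 0;
}
```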
Damien Riegel [Mon, 18 Dec 2017 21:19:35 +0000 (16:19 -0500)]
lldpd: remove check on CXX compiler
lldpd currently depends on a C++ compiler to configure properly, but
the package doesn't select that option, so builds fail if
BR2_TOOLCHAIN_BUILDROOT_CXX is not selected with the following errors:
    checking how to run the C++ preprocessor... /lib/cpp
    configure: error: in `/home/dkc/src/buildroot/build-zii/build/lldpd-0.9.4':
    configure: error: C++ preprocessor "/lib/cpp" fails sanity check
This package actually builds fine without C++, so drop this check in
configure.ac. Attached patch has already been accepted upstream [1].
Peter Seiderer [Fri, 8 Dec 2017 21:29:52 +0000 (22:29 +0100)]
gdb: prevent installation of libbfd.so and libopcode.so
The gdb install target installs dynamic versions of libbfd and
libopcode, accidentally overwriting the binutils provided versions
(gdb itself links against the bundled static ones to avoid
version problems, so the dynamic ones are un-needed).
Prevent the installation by using the '--disable-install-libbfd'
configure option.
Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b54c7931952874a814e48df75093e13ad955604f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-10378 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Optimizer). Supported versions that are affected are
5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily
exploitable vulnerability allows low privileged attacker with network access
via multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server.
CVE-2017-10268 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: Replication). Supported versions that are affected are
5.5.57 and earlier, 5.6.37 and earlier and 5.7.19 and earlier. Difficult to
exploit vulnerability allows high privileged attacker with logon to the
infrastructure where MySQL Server executes to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized access to
critical data or complete access to all MySQL Server accessible data.
Signed-off-by: Ryan Coe <bluemrp9@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e299197a2c2a267d05e5ae7cb7298bce0faceb51) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Ryan Coe <bluemrp9@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit ff614db18e0b0f34a1ed14ef6bee4bae522039f4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 1d8de10c5fb36619708898a529977058886f31d1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information, see the release notes:
https://www.wireshark.org/docs/relnotes/wireshark-2.2.11.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d2bc1e2bbbabc70f2e9436387b8a40ff96216372) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Johan Oudinet [Wed, 6 Dec 2017 14:47:53 +0000 (15:47 +0100)]
flann: Disable find package for HDF5
The HDF5 package is used by flann for testing purposes only and is
not part of buildroot packages. However, if present in the host, it will
be used and trigger the unsafe header/library path used in
cross-compilation error.
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit f6ee339e92360fc43ebe17928656c06634b09c97) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: drop 4.14.x bump]
Signed-off-by: Fabio Estevam <festevam@gmail.com>
[Thomas: adjust commit description to mention the CVE being fixed.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 9f5178fa3495b5b59c4d86c2d1a6fca23bf4e6f3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 30 Nov 2017 00:07:01 +0000 (01:07 +0100)]
libcurl: security bump to version 7.57.0
Fixes the following security issues:
- CVE-2017-8816: NTLM buffer overflow via integer overflow
- CVE-2017-8817: FTP wildcard out of bounds read
- CVE-2017-8818: SSL out of buffer access
For more details, see the changelog:
https://curl.haxx.se/changes.html#7_57_0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fb2ed961988867ab77c48786075e03a6110d1d0a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Jerzy Grzegorek [Fri, 8 Dec 2017 19:39:01 +0000 (20:39 +0100)]
package/exim: change tarball compression to xz
Signed-off-by: Jerzy Grzegorek <jerzy.m.grzegorek@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7c42b5f38131ef19843301410e6e649c6173565d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Andrey Yurovsky [Tue, 28 Nov 2017 03:37:07 +0000 (19:37 -0800)]
support/scripts/size-stats: avoid divide-by-zero
Some packages (ex: skeleton-init-systemd) have a zero size so we cannot
divide by the package size. In that case make their percent zero
explicitly and avoid a ZeroDivisionError exception.
Signed-off-by: Andrey Yurovsky <yurovsky@gmail.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 88af7d330dec7b6386a9994d8e53900033d85903) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Danomi Manchego [Wed, 29 Nov 2017 02:55:24 +0000 (21:55 -0500)]
samba4: ensure that copied cache.txt is writable
If the Buildroot tree is read-only, then cache.txt is copied read-only into
the build directory, and the configuration step fails. Fix this in the
same way we do in other places, by opening permissions as we copy the file
using $(INSTALL).
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 832b2de3ba82d8b51c393f743ee86ad530829607) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
webkitgtk: Add upstream patch to ensure CMAKE_BUILD_TYPE is honored
Make WebKitGTK+ honor the value of CMAKE_BUILD_TYPE defined in the CMake
toolchain file by backporting the following upstream WebKit patch:
https://trac.webkit.org/changeset/225168
This reduces the generated binary sizes when building in "Release" mode
(BR2_ENABLE_DEBUG=n), for example when targeting ARMv8 the size reduction
is ~17 MiB.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit a49c69862a617617d05c23e5c64ddea1c665174f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Tue, 28 Nov 2017 16:06:51 +0000 (14:06 -0200)]
mtools: do not link to libbsd
If libbsd is found by the configuration process, mtools unnecessarily
adds a NEEDED field with libbsd to its dynamic section, but it does not
actually use anything from libbsd under Linux. The same may happen to
host-mtools if some libbsd package is installed on the host machine.
Prevent this by forcing configure to bypass the checking for the
existence of a gethostbyname function in libbsd.
I stumbled on this problem when I built host-mtools and later removed
libbsd to upgrade to Fedora 27, due to Bug 1504831[1]. The previously
built host/bin/mtools started to fail due to the missing libbsd.so.0.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f5ef363732fd6092b132cc21573efafea3f1d4ac) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Tue, 28 Nov 2017 15:23:21 +0000 (17:23 +0200)]
libevent: disable openssl for host
As host-libevent does not depend on host-openssl, it might attempt to
build against the host installed openssl. This does not work very well
on various hosts. Since we don't really need encryption support in
host-libevent just disable openssl support.
Disable build of example code as we already do for the target libevent.
Fabrice Fontaine [Sun, 26 Nov 2017 21:26:40 +0000 (22:26 +0100)]
linphone: add optional dependency on libupnp
linphone can optionally use libupnp, so this dependency should be
accounted for in linphone.mk. In addition, linphone is not compatible
with libupnp18, but misdetects it as a proper libupnp, causing a
build failure.
The build failure with libupnp18 currently only happens on the next
branch (because libupnp18 has only been added there), but adding the
optional dependency on libupnp makes sense for the master branch
anyway.
Peter Korsgaard [Mon, 11 Dec 2017 09:17:22 +0000 (10:17 +0100)]
tor: security bump to version 0.2.9.14
Fixes the following security issues:
- CVE-2017-8819: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before
0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before
0.3.1.9, the replay-cache protection mechanism is ineffective for v2 onion
services, aka TROVE-2017-009. An attacker can send many INTRODUCE2 cells
to trigger this issue.
- CVE-2017-8820: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before
0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before
0.3.1.9, remote attackers can cause a denial of service (NULL pointer
dereference and application crash) against directory authorities via a
malformed descriptor, aka TROVE-2017-010.
- CVE-2017-8821: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before
0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before
0.3.1.9, an attacker can cause a denial of service (application hang) via
crafted PEM input that signifies a public key requiring a password, which
triggers an attempt by the OpenSSL library to ask the user for the
password, aka TROVE-2017-011.
- CVE-2017-8822: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before
0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before
0.3.1.9, relays (that have incompletely downloaded descriptors) can pick
themselves in a circuit path, leading to a degradation of anonymity, aka
TROVE-2017-012.
- CVE-2017-8823: In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before
0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before
0.3.1.9, there is a use-after-free in onion service v2 during intro-point
expiration because the expiring list is mismanaged in certain error cases,
aka TROVE-2017-013.
For more details, see the release notes:
https://lists.torproject.org/pipermail/tor-announce/2017-December/000147.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Tue, 21 Nov 2017 19:13:30 +0000 (20:13 +0100)]
Fix makefile include order by using sort/wildcard.
The 'include' directive in GNU make supports wildcards, but their
expansion has no defined sort order (GLOB_NOSORT is passed to glob()).
Usually this doesn't matter. However, there is at least one case where
it does make a difference: toolchain/*/*.mk includes both the
definitions of the external toolchain packages and
pkg-toolchain-external.mk, but pkg-toolchain-external.mk must be
included first.
For predictability, use ordered 'include $(sort $(wildcard ...))'
instead of unordered direct 'include */*.mk' everywhere.
Fixes [1] reported by Petr Vorel:
    make: *** No rule to make target 'toolchain-external-custom', needed by '.../build/toolchain-external/.stamp_configured'. Stop.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
[Arnout: also sort the one remaining include, of the external docs]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit b9d2d4cb4ebc7a2290c4683dd9667b8f0a9e3cdf) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
and the perl script section_generate.pl will create both the .c and .h
files in one go, but given the construct above, there can be two such
scripts that run in parallel, which can clobber the generated .c and/or
.h files.
So, make dvb-apps a MAKE1 package.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit ba6796c7ccb856fc34a7983c9ac031168f1e0b65) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Wed, 22 Nov 2017 21:08:28 +0000 (22:08 +0100)]
package/google-breakpad: replace references to 'struct ucontext' with 'ucontext_t'
In glibc, since
https://sourceware.org/git/?p=glibc.git;h=251287734e89a52da3db682a8241eb6bccc050c9
the 'struct ucontext' tag has been replaced with 'struct ucontext_t'.
The tag itself is anyway not POSIX - only the 'ucontext_t' typedef is
specified. And that type has existed since at least 1997 in glibc.
Therefore, replace references to 'struct ucontext' with 'ucontext_t',
which works in all versions of glibc, uClibc and musl.
Peter Seiderer [Mon, 20 Nov 2017 18:36:58 +0000 (19:36 +0100)]
localedef: fix xlocale.h related compile failure
Add upstream patch 'Don't include <xlocale.h>'.
Fixes Bug-10501 ([1]):
    In file included from ./include/locale.h:1:0,
                     from /usr/include/libintl.h:103,
                     from ./include/libintl.h:2,
                     from glibc/locale/programs/charmap.c:25:
    glibc/locale/locale.h:146:11: fatal error: xlocale.h: No such file or directory
     # include <xlocale.h>
Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d5cc76c5314f58fa18001e9abce196c1ac4a28d1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 25 Nov 2017 23:30:09 +0000 (00:30 +0100)]
samba4: security bump to version 4.5.15
Fixes the following security issues:
- CVE-2017-14746:
All versions of Samba from 4.0.0 onwards are vulnerable to a use after
free vulnerability, where a malicious SMB1 request can be used to
control the contents of heap memory via a deallocated heap pointer. It
is possible this may be used to compromise the SMB server.
- CVE-2017-15275:
All versions of Samba from 3.6.0 onwards are vulnerable to a heap
memory information leak, where server allocated heap memory may be
returned to the client without being cleared.
There is no known vulnerability associated with this error, but
uncleared heap memory may contain previously used data that may help
an attacker compromise the server via other methods. Uncleared heap
memory may potentially contain password hashes or other high-value
data.
For more details, see the release notes:
https://www.samba.org/samba/history/samba-4.5.15.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Fri, 17 Nov 2017 15:14:16 +0000 (16:14 +0100)]
libfastjson: indicate explicitly which gcc -std option to use
This commit fixes the following build issue of libfastjson with old
enough compilers (4.8) and wchar disabled:
    json_object.c: In function 'fjson_object_object_delete':
    json_object.c:385:3: error: 'for' loop initial declarations are only allowed in C99 mode
       for (int i = 0 ; i < FJSON_OBJECT_CHLD_PG_SIZE ; ++i) {
       ^
The code of libfastjson requires C99. If your compiler is recent
enough (gcc 5.x), then no problem, it is C99 by default, no additional
flags are needed.
If your compiler is older (for example gcc 4.8), then -std=c99 or
-std=gnu99 is explicitly needed to tell the compiler to accept C99
constructs. Testing the compiler for the availability of such flags is
done by libfastjson configure script. However, the test program used
by the configure script uses some wchar_t types, and therefore the
test checking for C99 availability fails on toolchains with wchar
disabled. From config.log:
    configure:3928: checking for /home/test/buildroot/output/host/usr/bin/i586-buildroot-linux-uclibc-gcc option to accept ISO C99
    [...]
    configure:4077: /home/test/buildroot/output/host/usr/bin/i586-buildroot-linux-uclibc-gcc -std=gnu99 -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c >&5
    conftest.c:54:3: error: unknown type name 'wchar_t'
       const wchar_t *name;
       ^
So, just like we did in libv4l in commit f01396a158f14c53b781c35f7ff29da0bea8c8d6 ("libv4l: fix uclibc-ng
configure/compile"), let's hint directly the configure script that it
should use -std=gnu99. This fixes the build of libfastjson with old
compilers and wchar disabled.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 90430237ccdcc369d3e206fdd24266c0cad0dcb6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 16 Nov 2017 14:23:04 +0000 (15:23 +0100)]
qt5webkit: correct download URL and hash for 5.6 variant
Commit 06a4975d4bd03 (qt5: bump LTS version to 5.6.3) added an empty hash
for the 5.6.3 variant of qt5webkit, causing failures.
It also forgot to adjust the download URL as the qt5webkit tarballs are no
longer available under official_releases/ like the other submodules, but only
under community_releases/.
Fix both issues.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d4a119ccc42f5b93a2e33f99438a86cc5ee1fb00) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Tue, 14 Nov 2017 14:42:03 +0000 (09:42 -0500)]
libpjsip: fix ssl support
Currently, ssl support is implicitly disabled in the initial configure
options. This overrides the check for openssl below.
libpjsip is also currently only compatible with libopenssl. Change
the check to LIBOPENSSL instead of openssl, and depend on libopenssl.
[Peter: drop libopenssl change]
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 9e479e65dcf1582b20433ca1b120efb66e806a04) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Mon, 13 Nov 2017 19:23:49 +0000 (20:23 +0100)]
package/x11r7/xapp_xdriinfo: fix libgl dependency
Fixes
"mesa3d is in the dependency chain of xapp_xdriinfo that has added it
to its _DEPENDENCIES variable without selecting it or depending on it
from Config.in."
http://autobuild.buildroot.net/results/d8a/d8aeed2f64e21a277eb0bc5dc08d2339a14c682e/
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6d97e73257ffb9fddb8a57dc8d2933b79b86f4b0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Luca Ceresoli [Sat, 11 Nov 2017 23:06:31 +0000 (00:06 +0100)]
libpjsip: fix static build failures due to name clash
Several packages have a similar md5.c file, and each has a function
named byteReverse(). This generates link errors when building
statically ("multiple definition of `byteReverse'").
Fix by applying a patch from upstream:
https://trac.pjsip.org/repos/changeset/5688
Peter Korsgaard [Sun, 12 Nov 2017 13:43:11 +0000 (14:43 +0100)]
ruby: security bump to version 2.4.2
Fixed the following security issues:
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
CVE-2017-14064: Heap exposure in generating JSON
For more details, see the release notes:
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-4-2-released/
Drop now upstreamed rubygems patches and add hashes for the license files
while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f2c353054111b0398399ba1933a47d34441c875e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Alex Suykov [Tue, 7 Nov 2017 10:17:15 +0000 (12:17 +0200)]
vboot-utils: fix ARCH detection
The package includes some target-specific code that is irrelevant
in a host package but gets built anyway. The target for this code
must be one of the supported ChromeOS targets.
Supplied Makefile apparently relies on the environment to provide
a valid target, with a simple fallback to host arch. This breaks
the build if no value is provided and the host arch is not among
the supported ones.
Signed-off-by: Alex Suykov <alex.suykov@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit bbb25c3ad7b66e6882508e49028d1739732bca34) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Wed, 8 Nov 2017 12:00:33 +0000 (07:00 -0500)]
snmp++: security bump to v3.3.10
From the changelog:
Set the FD_CLOEXEC flag on sockets, so they are not "leaked" to
spawned processes
Signed-off-by: Adam Duskett <aduskett@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6be1631bf27cb0d2aa6ddcbad835d614f33698e6) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Andrey Smirnov [Tue, 7 Nov 2017 20:04:42 +0000 (12:04 -0800)]
package/collectd: Specify FP layout based on endianness
Big-endian CPUs store floating point as big endian (at least the majority
of them do), so, in order for 'network' plugin to work correctly (and
potentially any user of htond() in collectd's codebase),
--with-fp-layout=endianflip as opposed to --with-fp-layout=nothing
needs to be specified during configuration phase.
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit bdd8475b90fa46644149d34bf852b213ec60ce71) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 11 Nov 2017 10:44:56 +0000 (11:44 +0100)]
postgresql: security bump to version 9.6.6
Fixes the following security issues:
CVE-2017-12172: Start scripts permit database administrator to modify
root-owned files.
CVE-2017-15098: Memory disclosure in JSON functions.
CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT
privileges.
See the announcement for more details:
https://www.postgresql.org/about/news/1801/
While we're at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b97353f2b50add10971e8477ad0b4cede9244578) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a maintenance release of the current stable WebKitGTK+ version,
which contains a minor rendering fix, another for the WebDriver
implementation, and security fixes for CVE-2017-13798, CVE-2017-13788,
and CVE-2017-13803.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5ff18880e9647e446a3d720b7c6c74eed97ef0b4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>