Baruch Siach [Sat, 24 Mar 2018 21:43:23 +0000 (00:43 +0300)]
xfsprogs: fix build with older kernel headers
xfsprogs uses a local definition of struct fsxattr when the kernel
provided one in linux/fs.h is too old. The preprocessor trickery that
allows to include linux/fs.h without colliding with the local
definitions breaks when source files include linux/fs.h on their own.
Add a patch that removes these local includes.
Baruch Siach [Tue, 20 Mar 2018 15:56:57 +0000 (17:56 +0200)]
qemu: fix build with glibc 2.27
glibc version 2.27 added a wrapper for the memfd_create system call. The
wrapper prototype collides with a static declaration of memfd_create.
Add upstream patch to correctly detect the glibc provided memfd_create
definition.
Fabio Estevam [Sat, 10 Mar 2018 22:45:37 +0000 (19:45 -0300)]
configs/imxsabre: Fix U-Boot parallel build issue
Sometimes imximage throws the following error:
MKIMAGE u-boot-dtb.imx
Error: No BOOT_FROM tag in board/freescale/mx6sxsabresd/imximage.cfg.cfgtmp
arch/arm/imx-common/Makefile:91: recipe for target 'u-boot-dtb.imx' failed
Later on, when running mkimage for the u-boot.imx it will succeed in
finding the IVT offset.
Looks like some race condition happening during parallel build when
processing mkimage for u-boot-dtb.imx and u-boot.imx.
A proper fix still needs to be implemented, but as a workaround let's
remove the error when the IVT offset is not found.
It is useful to have such message, especially during bring-up phase,
but the build error that it causes is severe, so better avoid the
build error for now.
The error checking can be re-implemented later when we have a proper
fix.
Add the woff2 package to Buildroot. This is needed by webkitgtk from
version 2.20.0 onwards. WebKitGTK+ used to bundle a copy of the library,
but it stopped doing so now that the upstream has been making
releases.
[Peter: fix license hash]
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add the brotli package to Buildroot. This is needed by woff2, which in
turn is needed by webkitgtk from version 2.20.0 onwards. WebKitGTK+ used
to bundle a copy of the library, but it stopped doing so now that the
upstream has started making releases.
[Peter: fix license hash]
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Fri, 23 Mar 2018 17:00:30 +0000 (14:00 -0300)]
tpm2-tss: fix build with musl
Add a missing <sys/select.h> inclusion, needed for the definition of the
fd_set type. This patch can't be sent upstream because the changed file
does not exist anymore on the master branch.
Baruch Siach [Tue, 20 Mar 2018 12:34:57 +0000 (14:34 +0200)]
xfsprogs: fix build with libunistring
The latest xfsprogs bump to version 4.15.1 added an optional dependency
on libunistring. Make sure we build libunistring before xfsprogs.
xfsprogs also added -lunistring to its make dependency. This does not
work very well with cross compilation because make does not know about
sysroot. Add a patch to remove this dependency.
To make shared only link with libunistring work, we also need to extend
the -static-libtool-libs patch to cover xfs_scrub as well.
Peter Korsgaard [Fri, 23 Mar 2018 09:57:41 +0000 (10:57 +0100)]
efivar: bump version
Drop 0001-Use-z-muldefs-to-avoid-the-multiple-definitions-bug-.patch and
0003-Remove-some-extra-const-that-gcc-complains-about.patch as they are now
upstream.
The upstream repo moved to the 'rhboot' github project, so adjust upstream
URL in .mk and help text to match.
Drop dependency on !musl as it is now supported since e04281e60cf0d
(makeguids: Ensure compatibility with other libcs).
Drop BINTARGETS workaround as this is fixed since 6c674283697 (Don't build
static by default).
Drop popt dependency as it is no longer needed since 1aec5e7891 (Replace
popt usage with getopt_long in efivar.c).
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 22 Mar 2018 20:27:52 +0000 (17:27 -0300)]
tpm2-tools: allow building without stack smashing protection (SSP)
Disable SSP if the toolchain does not support it. This must be done
explicitly because configure enables hardening by default but doesn't
contain a link test, so it doesn't detect when libssp is missing.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: add C++ dependency to config option]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 22 Mar 2018 20:27:50 +0000 (17:27 -0300)]
tpm2-abrmd: allow building without stack smashing protection (SSP)
Disable SSP if the toolchain does not support it. This must be done
explicitly because configure.ac passes -fstack-protector-all to the
compiler but doesn't contain a link test, so it doesn't detect when
libssp is missing.
Carlos Santos [Thu, 22 Mar 2018 20:27:48 +0000 (17:27 -0300)]
tpm2-tss: allow building without stack smashing protection (SSP)
Disable SSP if the toolchain does not support it. This must be done
explicitly because configure.ac passes -fstack-protector-all to the
compiler but doesn't contain a link test, so it doesn't detect when
libssp is missing.
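The three tpm2 commits above (tpm2-tools, tpm2-abrmd, tpm2-tss) all hinge on the same gap: configure checks that the compiler accepts -fstack-protector-all but never tries to link, so a toolchain whose libc lacks __stack_chk_fail and ships no libssp passes the probe and then fails at link time. The following is an added example of such a link test, written for this page and not taken from Buildroot or the tpm2 projects. It assumes a POSIX shell with mktemp, and takes the compiler from its first argument, then $CC, then cc; the probe program is constructed here.

```shell
# Added example: a link test (not merely a compile test) for stack-smashing
# protection. Prints "yes" or "no" and always returns 0 so it can be used in
# command substitution. Not Buildroot's or the tpm2 projects' own code.
toolchain_has_ssp() {
  cc="${1:-${CC:-cc}}"
  tmp=$(mktemp -d) || { echo no; return 0; }
  cat > "$tmp/ssp.c" <<'EOF'
#include <string.h>
/* The local char array makes the compiler emit a canary, and the canary
 * check references __stack_chk_fail (and __stack_chk_guard) at link time.
 * On a toolchain whose libc lacks those symbols and that ships no libssp,
 * this file compiles fine but does not link, which is exactly the case a
 * compile-only probe such as a plain AC_COMPILE_IFELSE would miss. */
int main(int argc, char **argv)
{
    char buf[64];
    strncpy(buf, argc > 1 ? argv[1] : "probe", sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf[0] != 'p';
}
EOF
  # Compile and link in one step; any failure at either stage means "no".
  if "$cc" -fstack-protector-all -o "$tmp/ssp" "$tmp/ssp.c" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
  rm -rf "$tmp"
  return 0
}
```

A package .mk can condition its configure options on the answer, which is what Buildroot does once per toolchain via the BR2_TOOLCHAIN_HAS_SSP symbol rather than re-probing in every package; the point of the example is that the probe must reach the link step, since the missing piece is a library symbol, not a compiler flag.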
Peter Korsgaard [Thu, 22 Mar 2018 12:51:53 +0000 (13:51 +0100)]
efibootmgr: bump version
Drop 0001-dont-use-fshort-wchar-when-building.patch and
0003-Remove-extra-const-keywords-gcc-7-gripes-about.patch as they are now
upstream.
The upstream repo moved to the 'rhboot' github project, so adjust upstream
URL in .mk and help text to match.
Version 15 introduces build time configuration of the default EFI directory
(E.G. the subdirectory in the EFI system partition where the loader is
installed). This used to be hardcoded to redhat, but now a value must be
specified at build time. Given that, it is unlikely that people relied on
the default value, so set it to the more sensible 'buildroot'.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 18 Mar 2018 14:40:08 +0000 (15:40 +0100)]
irssi: security bump to version 1.0.7
Fixes the following security issues:
Use after free when server is disconnected during netsplits. Incomplete fix
of CVE-2017-7191. Found by Joseph Bisch. (CWE-416, CWE-825) -
CVE-2018-7054 [2] was assigned to this issue.
Use after free when SASL messages are received in unexpected order. Found
by Joseph Bisch. (CWE-416, CWE-691) - CVE-2018-7053 [3] was assigned to
this issue.
Null pointer dereference when an “empty” nick has been observed by Irssi.
Found by Joseph Bisch. (CWE-476, CWE-475) - CVE-2018-7050 [4] was assigned
to this issue.
When the number of windows exceeds the available space, Irssi would crash due
to Null pointer dereference. Found by Joseph Bisch. (CWE-690) -
CVE-2018-7052 [5] was assigned to this issue.
Certain nick names could result in out of bounds access when printing theme
strings. Found by Oss-Fuzz. (CWE-126) - CVE-2018-7051 [6] was assigned to
this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 15 Mar 2018 12:56:01 +0000 (09:56 -0300)]
tpm2-tools: new package
TPM (Trusted Platform Module) 2.0 CLI tools based on system API of
TPM2-TSS. These tools can be used to manage keys, perform
encryption/decryption/signing/etc crypto operations, and manage
non-volatile storage through a TPM2.0 HW implementation.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 15 Mar 2018 12:56:00 +0000 (09:56 -0300)]
tpm2-abrmd: new package
This is a system daemon implementing the TPM2 access broker (TAB) &
Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) is
implemented using Glib and the GObject system.
Communication between the daemon and clients using the TPM is done with
a combination of DBus and Unix pipes. DBus is used for discovery,
session management and the 'cancel', 'setLocality', and 'getPollHandles'
API calls (mostly these aren't yet implemented). Pipes are used to send
and receive TPM commands and responses (respectively) between client and
server.
The daemon owns the com.intel.tss2.Tabrmd name on dbus. It can be
configured to connect to either the system or the session bus.
The package also provides a client library for interacting with the
daemon via TPM Command Transmission Interface (TCTI). It is intended for
use with the SAPI library (libsapi) like any other TCTI.
[Peter: drop add default DAEMON_ARGS to init script, drop /etc/default file,
drop S30devtpmperms and fix permissions in S80tpm2-abrmd]
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 15 Mar 2018 12:55:58 +0000 (09:55 -0300)]
tpm2-tss: remove architecture restriction
Following a suggestion from Peter Korsgaard, remove the restriction to
x86 and x86_64. It is preferable to expose the package unless there is a
build time dependency on an architecture or the package is specific to a
certain SoC or board.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Sat, 17 Mar 2018 21:11:06 +0000 (23:11 +0200)]
make: fix build with glibc 2.27
glibc 2.27 changed _GNU_GLOB_INTERFACE_VERSION to 2. This triggers build
of the internal glob implementation in make. This internal
implementation needs the __alloca symbol that glibc does not define.
Add upstream patch that adds support for _GNU_GLOB_INTERFACE_VERSION 2.
Add host-pkgconf dependency for the PKG_CHECK_MODULES macro. This macro
is only used for guile, which we currently disable unconditionally. So
host-pkgconf is only needed now so that autoreconf generates a valid
configure script.
Yann E. MORIN [Thu, 15 Mar 2018 20:35:08 +0000 (21:35 +0100)]
core/instrumentation: shave minutes off the build time
As part of the build, we run some instrumentation hooks to gather
statistics about the usage of the target/, staging/ and host/
directories, so that we can generate reports for the user, that
show:
- for each file, what package installed it,
- for each package, the size that it installed.
In so doing, we run a double md5 pass on all files of the affected
directories (before/after installation). These passes were mostly invisible
when we were only scanning target/, but have greatly increased in time now
that we also scan staging/ and host/ (but only in the corresponding _CMDS,
of course).
This md5 was mostly aimed at catching packages that would "cheat" with
mtime/atime/ctime somehow. They can't really cheat on md5, though [0].
Timings however speak for themselves, with this defconfig (slightly
biggish-but-still-manageable build) [1].
All instrumentation steps, using md5: 19min 27s
All instrumentation steps, using mtime: 14min 45s
No instrumentation step at all: 14min 31s
So, using mtime is an almost-5min improvement, i.e. about 25% faster,
while removing all instrumentation steps does not gain that much more...
So, we switch to using mtime, because in the end that's still good-enough
for our use-case: generating some graphs. It is not mission-critical, and
if a graph is slightly off, that's not a biggy. It can anyway be attributed
to a broken package's buildsystem, which should get fixed.
However, we lose the ability to track directories. Non-empty directories
can be tracked back by a bit of scripting, but empty directories are
simply not caught. If we were to also look for directories using mtime,
we would catch parents of installed files:
- /foo/bar/ exists
- a package installs /foo/bar/buz
- mtime of /foo/bar/ is changed to account for the new file in it.
So we do not track directories at all, and we lose empty directories.
The existing tracking was mostly happenstance, with the original
submission and comments not really accounting for a real use-case.
Now, we also change the way we handle symlinks. Previously, we would
hash the file pointed to by the symlink. Now, we only look at the mtime
of the symlink itself, which still detects modifications.
Eventually, this also means that we now no longer need to establish a
list before the install step; we can now simply run after the install
step, finding any files newer than the build stamp.
[0] Yeah, md5 is very weak, but we're not guarding against malicious
attacks, just about careless modifications.
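The mtime-based tracking the commit above describes, as an added example written for this page rather than Buildroot's own instrumentation code. It shows the three properties the message calls out: a symlink is judged by its own mtime rather than its target's, directories are not tracked at all (so an empty directory is missed), and no pre-install file list is needed because everything newer than a stamp is found after the fact. It assumes a POSIX find and touch; the directory layout and file names in the demo are constructed.

```shell
# Added example, not Buildroot's code: list the files an install step added
# by comparing mtimes against a stamp file touched before the step ran.
list_installed_files() {
  # $1: directory to scan, $2: stamp file created before the install step.
  # find without -L uses the symlink's own mtime, not its target's.
  # ! -type d drops directories: a parent's mtime changes when a child is
  # added, so tracking them would list every parent of an installed file,
  # and an empty directory leaves no other trace.
  find "$1" ! -type d -newer "$2" | sort
}

demo_instrumentation() {
  root=$(mktemp -d) || return 1
  # Pre-existing file, dated long before the stamp (constructed data).
  printf 'old\n' > "$root/lib.a"
  touch -t 200001010000 "$root/lib.a"
  # Stamp "taken before the install step", also safely in the past so the
  # comparison does not depend on filesystem timestamp granularity.
  touch -t 201801010000 "$root/.stamp"
  # The "install step": a new file, a symlink to it, and an empty directory.
  printf 'new\n' > "$root/libfoo.so.1"
  ln -s libfoo.so.1 "$root/libfoo.so"
  mkdir "$root/emptydir"
  # Expected: libfoo.so and libfoo.so.1 only; lib.a is too old, the stamp is
  # not newer than itself, and emptydir is a directory.
  list_installed_files "$root" "$root/.stamp" | sed "s|^$root/||"
  rm -rf "$root"
}
```

The md5 variant the commit moves away from would need the hash of every file under target/, staging/ and host/ both before and after each install step; this version reads only inode metadata and runs once, which is where the roughly five minutes come from. The trade-off is visible in the demo: emptydir is installed by the "package" but never reported.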
Peter Korsgaard [Fri, 16 Mar 2018 21:35:29 +0000 (22:35 +0100)]
libvorbis: security bump to version 1.3.6
Fixes CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
Drop 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch and
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch as they are
now upstream, and add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Thu, 15 Mar 2018 18:06:19 +0000 (20:06 +0200)]
libcurl: security bump to version 7.59.0
CVE-2018-1000120: curl could be fooled into writing a zero byte out of
bounds when curl is told to work on an FTP URL with the setting to only
issue a single CWD command, if the directory part of the URL contains a
"%00" sequence.
https://curl.haxx.se/docs/adv_2018-9cd6.html
CVE-2018-1000121: curl might dereference a near-NULL address when
getting an LDAP URL.
https://curl.haxx.se/docs/adv_2018-97a2.html
CVE-2018-1000122: When asked to transfer an RTSP URL, curl could
calculate a wrong data length to copy from the read buffer.
https://curl.haxx.se/docs/adv_2018-b047.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>