Peter Korsgaard [Sun, 7 Jan 2018 21:46:29 +0000 (22:46 +0100)]
asterisk: security bump to version 14.6.2
Fixes the following security issues:
14.6.1:
* AST-2017-005 (applied to all released versions): The "strictrtp" option in
rtp.conf enables a feature of the RTP stack that learns the source address
of media for a session and drops any packets that do not originate from
the expected address. This option is enabled by default in Asterisk 11
and above. The "nat" and "rtp_symmetric" options for chan_sip and
chan_pjsip respectively enable symmetric RTP support in the RTP stack.
This uses the source address of incoming media as the target address of
any sent media. This option is not enabled by default but is commonly
enabled to handle devices behind NAT.
A change was made to the strict RTP support in the RTP stack to better
tolerate late media when a reinvite occurs. When combined with the
symmetric RTP support this introduced an avenue where media could be
hijacked. Instead of only learning a new address when expected the new
code allowed a new source address to be learned at all times.
If a flood of RTP traffic was received the strict RTP support would allow
the new address to provide media and with symmetric RTP enabled outgoing
traffic would be sent to this new address, allowing the media to be
hijacked. Provided the attacker continued to send traffic they would
continue to receive traffic as well.
* AST-2017-006 (applied to all released versions): The app_minivm module has
an “externnotify” program configuration option that is executed by the
MinivmNotify dialplan application. The application uses the caller-id
name and number as part of a built string passed to the OS shell for
interpretation and execution. Since the caller-id name and number can
come from an untrusted source, a crafted caller-id name or number allows
an arbitrary shell command injection.
* AST-2017-007 (applied only to 13.17.1 and 14.6.1): A carefully crafted URI
in a From, To or Contact header could cause Asterisk to crash.
For more details, see the announcement:
https://www.asterisk.org/downloads/asterisk-news/asterisk-11252-13171-1461-116-cert17-1313-cert5-now-available-security
14.6.2:
* AST-2017-008: Insufficient RTCP packet validation could allow reading
stale buffer contents and when combined with the “nat” and “symmetric_rtp”
options allow redirecting where Asterisk sends the next RTCP report.
The RTP stream qualification to learn the source address of media always
accepted the first RTP packet as the new source and allowed what
AST-2017-005 was mitigating. The intent was to qualify a series of
packets before accepting the new source address.
For more details, see the announcement:
https://www.asterisk.org/downloads/asterisk-news/asterisk-11253-13172-1462-116-cert18-1313-cert6-now-available-security
Drop 0004-configure-in-cross-complation-assimne-eventfd-are-av.patch as this
is now handled differently upstream (by disabling eventfd for cross
compilation, see commit 2e927990b3d2 (eventfd: Disable during cross
compilation)). If eventfd support is needed then this should be submitted
upstream.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
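Added example (not part of the commit above and not Asterisk's code): a simplified C sketch of the strict RTP source learning described in AST-2017-005 and AST-2017-008, where a new source is learned only inside an explicit learning window and only after a run of in-order packets. The struct, the function names, the min_run threshold and the documentation-range addresses are assumptions made for this sketch.

```c
#include <stdint.h>

struct rtp_src { uint32_t ip; uint16_t port; };

struct strict_rtp {
    int learning;              /* 1 only at session start or after a re-INVITE */
    int have_locked;
    int min_run;               /* in-order packets required before a source is trusted */
    int run;
    uint16_t next_seq;
    struct rtp_src locked;     /* only source accepted; symmetric RTP sends here */
    struct rtp_src candidate;  /* source currently being qualified */
};

static int same_src(struct rtp_src a, struct rtp_src b)
{
    return a.ip == b.ip && a.port == b.port;
}

/* Open a learning window: signalling events only, never incoming traffic. */
void strict_rtp_learn(struct strict_rtp *s) { s->learning = 1; s->run = 0; }

/* Returns 1 to accept the packet as media, 0 to drop it. */
int strict_rtp_packet(struct strict_rtp *s, struct rtp_src from, uint16_t seq)
{
    if (!s->learning)          /* closed: a flood cannot trigger relearning */
        return s->have_locked && same_src(from, s->locked);
    if (s->run > 0 && same_src(from, s->candidate) && seq == s->next_seq) {
        s->run++;              /* same source, consecutive sequence number */
    } else {
        s->candidate = from;   /* new source or gap: qualification starts over */
        s->run = 1;
    }
    s->next_seq = (uint16_t)(seq + 1);
    if (s->run >= s->min_run) {
        s->locked = from;
        s->have_locked = 1;
        s->learning = 0;
        return 1;
    }
    return s->have_locked && same_src(from, s->locked);
}

/* Constructed scenario: source A gets locked, learning is optionally reopened
 * (re-INVITE), then n_pkts in-order packets arrive from a second source B.
 * Returns 1 if B ends up as the locked source. */
int hijacked(int min_run, int reinvite, int n_pkts)
{
    struct rtp_src a = { 0xC0000201u, 4000 };  /* 192.0.2.1, constructed */
    struct rtp_src b = { 0xC6336407u, 4000 };  /* 198.51.100.7, constructed */
    struct strict_rtp s = { 0 };
    s.min_run = min_run;
    strict_rtp_learn(&s);
    for (int i = 0; i < min_run; i++)
        strict_rtp_packet(&s, a, (uint16_t)(100 + i));
    if (reinvite)
        strict_rtp_learn(&s);
    for (int i = 0; i < n_pkts; i++)
        strict_rtp_packet(&s, b, (uint16_t)(7 + i));
    return same_src(s.locked, b);
}

int main(void) { return hijacked(4, 1, 1); }   /* exit status 0: lock unchanged */
```

With min_run set to 1 the sketch reproduces the behaviour AST-2017-008 describes, where the first packet seen while learning becomes the new source; it does not model Asterisk's handling of late media from the previous address.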
Jan Heylen [Thu, 4 Jan 2018 12:28:30 +0000 (13:28 +0100)]
toolchain: m68k coldfire is also affected by gcc bug 64735
Verified experimentally by using exception_ptr with m68k_cf5208 and
looking at the value of ATOMIC_INT_LOCK_FREE. ATOMIC_INT_LOCK_FREE=1,
so the issue is present. Also verified that gcc 7.x fixed it also for
cf5208.
Signed-off-by: Jan Heylen <jan.heylen@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Jan Heylen [Thu, 4 Jan 2018 12:28:29 +0000 (13:28 +0100)]
package/pkg-cmake.mk: add note about BUILD_STATIC_LIBS
As BUILD_STATIC_LIBS is not a standard cmake variable (while
BUILD_SHARED_LIBS is) we shouldn't add it in pkg-cmake.mk, although
for some packages that would make sense. Therefore, add a note so we
don't forget about this abnormality.
Signed-off-by: Jan Heylen <jan.heylen@nokia.com>
[Thomas: rework the comment in the code.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
orangepi: drop custom post-build and post-image scripts
Currently in Orange Pi boards post-build script is used only to generate
U-Boot boot script and post-image script is used only to generate sdcard
image according to genimage configuration. However both those tasks can
now be handled by generic Buildroot tools:
- BR2_TARGET_UBOOT_BOOT_SCRIPT config options
- support/scripts/genimage.sh script
This patch drops custom scripts replacing them
by generic Buildroot tools.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Bernd Kuhls [Sun, 7 Jan 2018 17:07:38 +0000 (18:07 +0100)]
package/libdrm: adjust patch switching to pkg-config for libatomic_ops
In commit fa6c7d165971e1f70b9ac94bae9cd1fd9180c072 ("libdrm: fix
libatomic_ops linking"), a patch was added to switch to
PKG_CHECK_MODULES() to detect libatomic_ops instead of
AC_CHECK_HEADER.
However, as explained in
https://autotools.io/pkgconfig/pkg_check_modules.html:
"In contrast with almost all of the original macros, though, the default
action-if-not-found will end the execution with an error for not having
found the dependency."
This makes the configure script bail out when libatomic_ops is not
available, which is not what we want in libdrm's configure
script. This commit adjusts the PKG_CHECK_MODULES() call to avoid
failing.
Yair Ben Avraham [Tue, 19 Dec 2017 16:36:57 +0000 (18:36 +0200)]
tpm-tools: bump to version 1.3.9.1
This patch contains the following changes:
- Remove all three patches, they are included in upstream version
- Add locally calculated sha256 hash
- Remove <pkg>_STRIP_COMPONENTS = 2, there is no leading directory
- Remove <pkg>_AUTORECONF and <pkg>_GETTEXTIZE since all the patches are
being removed.
Signed-off-by: Yair Ben Avraham <yairba@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Yann E. MORIN [Wed, 3 Jan 2018 17:39:52 +0000 (18:39 +0100)]
core/infra: fix build on toolchain without C++
Autotools-based packages that do not need C++ but check for it, and use
libtool, will fail to configure on distros that lack /lib/cpp.
This is the case for example on Arch Linux, where expat fails to build
with:
configure: error: in `/home/dkc/src/buildroot/build/build/expat-2.2.4':
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
This is because libtool uses AC_PROC_CXXCPP, which can not be avoided,
and does require a cpp that passes some "sanity" checks (does not choke
on valid input, but does choke on invalid input). So we can use neither
/bin/false nor /bin/true...
We instead need something that can digest some basic C++ preprocessor
input. We can't use the target preprocessor: that does not work, because
it obviously has no C++ support:
arm-linux-cpp.br_real: error: conftest.cpp: C++ compiler not
installed on this system
We can however consider that the host machine does have a C++ compiler,
so we use the host's cpp, which is gcc's compiler wrapper that ends up
calling the host's C++ preprocessor.
That would give us a valid C++ preprocessor when we don't have one, in
fact. But autotools will then correctly fail anyway, because there is
indeed no C++ compiler at all, as we can see in this excerpt of a
configure log from expat:
checking whether we are using the GNU C++ compiler... no
checking whether false accepts -g... no
checking dependency style of false... none
checking how to run the C++ preprocessor... cpp
checking whether the false linker (/home/ymorin/dev/buildroot/O/host/bin/arm-linux-ld) supports shared libraries... yes
libtool.m4: error: problem compiling CXX test program
checking for false option to produce PIC... -DPIC
checking if false PIC flag -DPIC works... no
checking if false static flag works... no
checking if false supports -c -o file.o... no
checking if false supports -c -o file.o... (cached) no
checking whether the false linker (/home/ymorin/dev/buildroot/O/host/bin/arm-linux-ld) supports shared libraries... yes
So, using the host's C++ preprocessor (by way of gcc's wrapper) leads to
a working situation, where the end result is as expected.
Reported-by: Damien Riegel <damien.riegel@savoirfairelinux.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Damien Riegel <damien.riegel@savoirfairelinux.com>
Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
libdnet is an optional dependency, it is only needed if nfq or ipq
module are enabled.
So, if libdnet and libnetfilter_queue are available, enable nfq module
and add a dependency to both packages otherwise disable nfq module.
Moreover, always disable ipq module as libipq is deprecated, it isn't
enabled in iptables. Even if it was enabled, libipq.h can't be included
as it makes a reference to linux/netfilter_ipv4/ip_queue.h which is not
available anymore.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Gary Bisson [Fri, 5 Jan 2018 14:39:41 +0000 (15:39 +0100)]
imx-parser: bump to version 4.2.1, enable on AArch64
Changelog:
1. Upgrade EULA to v18
2. Bugfixes/Optimization
- Update HEVC PARSER 01.00.02/ APE PARSER 00.00.08/ MPEG2 PARSER 04.05.10
1. Delete the useless label in HEVC PARSER.
2. Fix 2 variables' not init in special case for APE PARSER.
3. Fix one struct's not init for MPEG2 PARSER.
- Fix one mp3 can't play on jb4.3_1.1.1-ga
ID3V2 contains a picture larger than 3MB, need to save ID3 data size
in self->m_dwID3V2Size to let parser skip it when starting playback.
- Fix creating parser error
When variable value is negative, if(bytesToRead) will return true,
modify this condition to if(bytesToRead > 0).
Note that this package now includes AARCH64 libraries for the upcoming
i.MX8 CPU family.
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Gary Bisson [Fri, 5 Jan 2018 14:39:38 +0000 (15:39 +0100)]
xdriver_xf86-video-imx-viv: bump to version 6.2.2.p0
The following xorg.conf was used in order to force the use of the
vivante module:
https://github.com/Freescale/meta-freescale/blob/master/recipes-graphics/xorg-xserver/xserver-xf86-config/mx6/xorg.conf
Note that the X server must be started with the "noreset" option to
avoid crashes when closing X apps.
Tested with:
# X -noreset &
# cd /usr/share/examples/viv_samples/vdk/
# DISPLAY=:0 ./tutorial7
Note that this package patch is removed as now upstream:
https://source.codeaurora.org/external/imx/xf86-video-imx-vivante/commit/?id=70ebd67c
Cc: Jérôme Pouiller <jezz@sysmic.org>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Gary Bisson [Fri, 5 Jan 2018 14:39:36 +0000 (15:39 +0100)]
imx-gpu-viv: bump to version 6.2.2.p0
New features:
- Added mutex protection for referencing gctSIGNAL in gckOS_MapSignal to
fix a MT race issue.
- Streamlined GPU address calculation based on MC20 (0/1) and MMU (0/1)
combinations.
- Fixed multiple Android HWC 2.0 rendering issues. Refined HWC 2.0 driver
implementation.
- Improved HWC2.0 composition performance by composing damaged regions
only.
- Enabled offline/online compiler IR assembly dump function for users.
- Implemented the direct rendering support (no-resolve) for Wayland
platform.
- Added EGL_EXT_buffer_age extension for Wayland and fbdev platforms.
- Updated wayland-viv protocol to support tile status sync from client
to server.
- Improved OpenCL 1.2 builtin function support with native GPU
instructions.
- Enabled OpenCL 1.2 API trace dump function controlled by VIV_TRACE
environment variable.
- Support for OpenGL4.0
- Cleaned up driver code issues reported by Klocwork and Coverity.
Full changelog:
http://git.freescale.com/git/cgit.cgi/imx/fsl-arm-yocto-bsp.git/tree/GraphicsChangeLogv6?h=imx-morty
Note that the apitrace tool and the G2D libraries are not part of the
package any longer, so the corresponding options are removed. The G2D
libraries are now provided by a separate package.
This package has been tested with both X11 and Framebuffer backends:
# cd /usr/share/examples/viv_samples/vdk/
# ./tutorial7
# gmem_info
... display memory use per PID ...
Also update packages that depended on g2d libraries to match new package
name.
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Gary Bisson [Fri, 5 Jan 2018 14:39:35 +0000 (15:39 +0100)]
imx-gpu-g2d: new package
Up until now, the G2D libraries were included inside the imx-gpu-viv
package. However, since next version of the i.MX will use a new
hardware IP to do 2D rendering (DPU), the GPU 2D libraries have been
separated from the 3D GPU package.
Tested with the following commands:
# /usr/share/examples/g2d_samples/g2d_multiblit_test
# /usr/share/examples/g2d_samples/g2d_overlay_test
# /usr/share/examples/g2d_samples/g2d_test
# gst-launch-1.0 videotestsrc ! imxg2dvideosink
Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Vincent Stehlé [Sat, 6 Jan 2018 17:15:53 +0000 (18:15 +0100)]
numactl: enable for aarch64
numactl works on aarch64 so enable it for that architecture.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Will Newton <will.newton@imgtec.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Kurt Van Dijck [Thu, 4 Jan 2018 10:10:51 +0000 (11:10 +0100)]
nilfs-utils: need NPTL threads
nilfs-utils use clock_nanosleep(), which comes with NPTL threads. We
keep the dependency on threads, because sem_open() is really related
to thread support. The dependency on NPTL for clock_nanosleep() might
be lifted in the future, as it seems to be a bug in uClibc-ng.
Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
[Thomas: update Config.in comment.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Stefan Fröberg [Wed, 29 Nov 2017 21:17:14 +0000 (23:17 +0200)]
zlib-ng: new package
zlib-ng, a fast Zlib replacement
Signed-off-by: Stefan Fröberg <stefan.froberg@petroprogram.com>
[Thomas: drop host variant.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Stefan Fröberg [Wed, 29 Nov 2017 21:17:13 +0000 (23:17 +0200)]
zlib: switch to a virtual package
The existing zlib package is renamed to libzlib, and zlib is turned
into a virtual package. This is done in preparation to the
introduction of zlib-ng as an alternative implementation.
Signed-off-by: Stefan Fröberg <stefan.froberg@petroprogram.com>
[Thomas: define BR2_PACKAGE_PROVIDES_HOST_ZLIB as suggested by Yann
E. Morin.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Yann E. MORIN [Thu, 28 Dec 2017 10:40:31 +0000 (11:40 +0100)]
fs/ubifs: spin-off ubi to be its own filesystem
Currently, the ubifs-in-ubi-image ("UBI image" thereafter) filesystem
is half an option of the ubifs filesystem, half a filesystem on its
own: the config options are options of the ubifs filesystem, but the
.mk code is in a separate .mk and registers a real filesystem.
Make it a full filesystem on its own, in its own directory tree.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Baruch Siach [Tue, 2 Jan 2018 11:42:23 +0000 (13:42 +0200)]
nilfs-utils: needs threads support
nilfs-utils uses the sem_* family of functions from the realtime
extension. Technically this is not part of pthreads. But in uClibc
enabling threads enables also UCLIBC_HAS_REALTIME.
Cc: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Make sure that the pie charts produced by 'graph-build' and 'graph-size'
targets are sorted on the size of each piece of the pie. Otherwise, making
visual analysis is difficult, as one needs to look at the legends of each
piece and do the sorting manually in their head.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Norbert Lange [Tue, 2 Jan 2018 17:39:25 +0000 (18:39 +0100)]
tcf-agent: new package
Signed-off-by: Norbert Lange <nolange79@gmail.com>
[Thomas: rename to tcf-agent, add missing dependency on BR2_USE_MMU.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Yann E. MORIN [Tue, 2 Jan 2018 20:04:12 +0000 (21:04 +0100)]
fs/iso9660: fix transparent (de)compression
It needs mkzftree from zisofs-tools, so we add a dependency to it, and
we call that one explicitly (to avoid using the one from the host in
PATH).
It also needs the uncompressed kernel image, but because it is
already in target/ so it gets compressed by mkzftree. We have two
options:
- compress everything but the kernel image,
- compress everything, kernel included, and recopy it later.
We choose the latter, because it is the simplest solution. So, we always
define the kernel-copy hook, but only register it when needed.
Finally, it needs a kernel with support for transparent
(de)compression, so we update the existing test config.
Reported-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Yann E. MORIN [Tue, 2 Jan 2018 20:04:11 +0000 (21:04 +0100)]
package/zisofs-tools: new package
To support transparent (de)compression in iso9660, we need mkzftree,
which comes from zisofs_tools, bundled with cdrkit.
However, cdrkit is a cmake package, but zisofs_tools is an autotools
package, so we need a separate package just to get mkzftree, but it is
pretty lightweight.
We just need the host variant for now, so we just add that.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
[Thomas: add entry to DEVELOPERS file, rename to zisofs-tools.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Peter Seiderer [Mon, 18 Dec 2017 18:55:31 +0000 (19:55 +0100)]
libdrm: fix libatomic_ops linking
Add patch 0003-configure-Makefile.am-use-pkg-config-to-discover-lib.patch
provided by Thomas Petazzoni handling libatomic_ops linking when needed.
Fixes [1]:
CCLD etnaviv_cmd_stream_test
../../etnaviv/.libs/libdrm_etnaviv.so: undefined reference to `AO_store_full_emulation'
../../etnaviv/.libs/libdrm_etnaviv.so: undefined reference to `AO_fetch_compare_and_swap_emulation'
collect2: error: ld returned 1 exit status
Currently, meson will set the c_link_args and the cpp_link_args to the
value of TARGET_LDFLAGS, even when it's not defined.
This creates a malformed array ["",] which will break any package
building using meson/ninja.
We fix that by using an empty replacement when the corresponding values
are empty.
Reported-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
[yann.morin.1998@free.fr: alternate implementation, suggested by Thomas]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Tested-by: Adam Duskett aduskett@gmail.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>