Carlos Santos [Thu, 22 Mar 2018 20:27:52 +0000 (17:27 -0300)]
tpm2-tools: allow building without stack smashing protection (SSP)
Disable SSP if the toolchain does not support it. This must be done
explicitly because configure enables hardening by default but doesn't
contain a link test, so it doesn't detect when libssp is missing.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: add C++ dependency to config option] Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 22 Mar 2018 20:27:50 +0000 (17:27 -0300)]
tpm2-abrmd: allow building without stack smashing protection (SSP)
Disable SSP if the toolchain does not support it. This must be done
explicitly because configure.ac passes -fstack-protector-all to the
compiler but doesn't contain a link test, so it doesn't detect when
libssp is missing.
Carlos Santos [Thu, 22 Mar 2018 20:27:48 +0000 (17:27 -0300)]
tpm2-tss: allow building without stack smashing protection (SSP)
Disable SSP if the toolchain does not support it. This must be done
explicitly because configure.ac passes -fstack-protector-all to the
compiler but doesn't contain a link test, so it doesn't detect when
libssp is missing.
Peter Korsgaard [Thu, 22 Mar 2018 12:51:53 +0000 (13:51 +0100)]
efibootmgr: bump version
Drop 0001-dont-use-fshort-wchar-when-building.patch and
0003-Remove-extra-const-keywords-gcc-7-gripes-about.patch as they are now
upstream.
The upstream repo moved to the 'rhboot' github project, so adjust upstream
URL in .mk and help text to match.
Version 15 introduces build time configuration of the default EFI directory
(E.G. the subdirectory in the EFI system partition where the loader is
installed). This used to be hardcoded to redhat, but now a value must be
specified at build time. Given that, it is unlikely that people relied on
the default value so set it to the more sensible 'buildroot'.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 18 Mar 2018 14:40:08 +0000 (15:40 +0100)]
irssi: security bump to version 1.0.7
Fixes the following security issues:
Use after free when server is disconnected during netsplits. Incomplete fix
of CVE-2017-7191. Found by Joseph Bisch. (CWE-416, CWE-825) -
CVE-2018-7054 [2] was assigned to this issue.
Use after free when SASL messages are received in unexpected order. Found
by Joseph Bisch. (CWE-416, CWE-691) - CVE-2018-7053 [3] was assigned to
this issue.
Null pointer dereference when an “empty” nick has been observed by Irssi.
Found by Joseph Bisch. (CWE-476, CWE-475) - CVE-2018-7050 [4] was assigned
to this issue.
When the number of windows exceed the available space, Irssi would crash due
to Null pointer dereference. Found by Joseph Bisch. (CWE-690) -
CVE-2018-7052 [5] was assigned to this issue.
Certain nick names could result in out of bounds access when printing theme
strings. Found by Oss-Fuzz. (CWE-126) - CVE-2018-7051 [6] was assigned to
this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 15 Mar 2018 12:56:01 +0000 (09:56 -0300)]
tpm2-tools: new package
TPM (Trusted Platform Module) 2.0 CLI tools based on system API of
TPM2-TSS. These tools can be used to manage keys, perform
encryption/decryption/signing/etc crypto operations, and manage
non-volatile storage through a TPM2.0 HW implementation.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 15 Mar 2018 12:56:00 +0000 (09:56 -0300)]
tpm2-abrmd: new package
This is a system daemon implementing the TPM2 access broker (TAB) &
Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) is
implemented using Glib and the GObject system.
Communication between the daemon and clients using the TPM is done with
a combination of DBus and Unix pipes. DBus is used for discovery,
session management and the 'cancel', 'setLocality', and 'getPollHandles'
API calls (mostly these aren't yet implemented). Pipes are used to send
and receive TPM commands and responses (respectively) between client and
server.
The daemon owns the com.intel.tss2.Tabrmd name on dbus. It can be
configured to connect to either the system or the session bus.
The package also provides a client library for interacting with the
daemon via TPM Command Transmission Interface (TCTI). It is intended for
use with the SAPI library (libsapi) like any other TCTI.
[Peter: drop add default DAEMON_ARGS to init script, drop /etc/default file,
drop S30devtpmperms and fix permissions in S80tpm2-abrmd] Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Thu, 15 Mar 2018 12:55:58 +0000 (09:55 -0300)]
tmp2-tss: remove architecture restriction
Followingig a suggestion from Peter Korsgaard, remove the restriction to
x86 and x86_64. It is preferable to expose the package unless there is a
build time dependency on an architecture or the package is specific to a
certain SoC or board.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Sat, 17 Mar 2018 21:11:06 +0000 (23:11 +0200)]
make: fix build with glibc 2.27
glibc 2.27 changed _GNU_GLOB_INTERFACE_VERSION to 2. This triggers build
of the internal glob implementation in make. This internal
implementation needs the __alloca symbol that glibc does not define.
Add upstream patch that adds support for _GNU_GLOB_INTERFACE_VERSION 2.
Add host-pkgconf dependency for the PKG_CHECK_MODULES macro. This macro
is only used for guile, which we currently disable unconditionally. So
host-pkgconf is only needed now so that autoreconf generates a valid
configure script.
Yann E. MORIN [Thu, 15 Mar 2018 20:35:08 +0000 (21:35 +0100)]
core/instrumentation: shave minutes off the build time
As part of the build, we run some instrumentation hooks to gather
statistics about the usage of the target/, staging/ and host/
directories, so that we can generate reports for the user, that
shows:
- for each file, what package installed it,
- for each package,the size that it installed.
In so doing, we run a double md5 pass on all files of the affected
directories (before/after installation). These passes were mostly invisible
when we were only scanning target/, but has greatly increased in time now
that we also scan staging/ and host/ (but only in the corresponding _CMDS,
of course).
This md5 was mostly aimed at catching packages that would "cheat" with
mtime/atime/ctime somehow. They can't really cheat on md5, though [0].
Timings however speak for themselves, with this defconfig (slightly
biggish-but-still-manageable build) [1].
All instrumentation steps, using md5: 19min 27s
All instrumentation steps, using mtime: 14min 45s
No instrumentation step at all: 14min 31s
So, using mtime is an almost-5min improvement, i.e. about 25% faster,
while removing all instrumentation steps does not gain that much more...
So, we switch to using mtime, because in the end that's still good-enough
for our use-case: generating some graphs. It is not mission-critical, and
if a graph is slightly off, that's not a biggy. It can anyway be attributed
to a broken package's buildsystem, which should get fixed.
However, we lose the ability to track directories. Non-empty directories
can be tracked back by a bit of scripting, but empty directories are
simply not caught. If we were to also look for directories using mtime,
we would catch parents of installed files:
- /foo/bar/ exists
- a package installs /foo/bar/buz
- mtime of /foo/bar/ is changed to account for the new file in it.
So we do not track directories at all, and we lose empty directories.
The existing tracking was mostly happenstance, with the original
submission and comments not really accounting for a real use-case.
Now, we also change the way we handle symlinks. Previously, we would
hash the file pointed to by the symlink. Now, we only look at the mtime
of the symlink itself, which still detects modifications.
Eventually, this also means that we now no longer need to establish a
list before the install step; we can now simply run after the install
step, finding any files newer than the build stamp.
[0] Yeah, md5 is very weak, but we're not guarding against malicious
attacks, just about careless modifications.
Peter Korsgaard [Fri, 16 Mar 2018 21:35:29 +0000 (22:35 +0100)]
libvorbis: security bump to version 1.3.6
Fixes CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
Drop 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch and
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch as they are
now upstream, and add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Thu, 15 Mar 2018 18:06:19 +0000 (20:06 +0200)]
libcurl: security bump to version 7.59.0
CVE-2018-1000120: curl could be fooled into writing a zero byte out of
bounds when curl is told to work on an FTP URL with the setting to only
issue a single CWD command, if the directory part of the URL contains a
"%00" sequence.
https://curl.haxx.se/docs/adv_2018-9cd6.html
CVE-2018-1000121: curl might dereference a near-NULL address when
getting an LDAP URL.
https://curl.haxx.se/docs/adv_2018-97a2.html
CVE-2018-1000122: When asked to transfer an RTSP URL, curl could
calculate a wrong data length to copy from the read buffer.
https://curl.haxx.se/docs/adv_2018-b047.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Jan Kundrát [Wed, 14 Mar 2018 16:58:40 +0000 (17:58 +0100)]
package/busybox: Unbreak the `tar` implementation
The `tar` implementation in Busybox 1.28.0 and 1.28.1 won't extract a
rootfs with some symlinks that appear to look "dangerous". This
completely (and silently!) breaks on-target updates via RAUC for me, for
example.
In the meanwhile, upstream already reverted the commit in question
(in their commit a84db18fc71d09e801df0ebca048d82e90b32c6a), so this
patch simply applies that revert in Buildroot. The fix has not made it
to a release, yet.
Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Bug: https://bugs.busybox.net/show_bug.cgi?id=8411
Bug: https://github.com/rauc/rauc/issues/249 Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 12 Mar 2018 22:36:03 +0000 (23:36 +0100)]
pkg-virtual.mk: explicitly set <pkg>_VERSION / _SOURCE for robustness
Recently a build failure was reported which was traced back to to the fact
that the user had a TOOLCHAIN_VERSION environment variable set which leads
to a strange looking error message:
toolchain/toolchain/toolchain.mk:40: *** TOOLCHAIN_SITE cannot be empty when
TOOLCHAIN_SOURCE is not. Stop.
Environment variables automatically gets converted to make variables by GNU
make - E.G. from the manual
(https://www.gnu.org/software/make/manual/html_node/Environment.html):
Variables in make can come from the environment in which make is run. Every
environment variable that make sees when it starts up is transformed into a
make variable with the same name and value
So we end up in make with TOOLCHAIN_VERSION set to the value of the
environment variable. As virtual packages do not have a version, there is
no explicit TOOLCHAIN_VERSION = .. line in toolchain.mk overriding this
value, and the logic in package/pkg-generic.mk sets a default value for
TOOLCHAIN_SOURCE when TOOLCHAIN_VERSION is set, and finally errors out as
TOOLCHAIN_SITE isn't set.
As a workaround, explicitly set <pkg>_VERSION and <pkg>_SOURCE to the empty
string in the virtual package infrastructure.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This script comes from the kernel source, so ignore any code style
warnings for it in order to keep it as close as possible to the original
one, making synchronization between repos easier.
The option --exclude for flake8/pycodestyle is an absolute list and has
a default, so ideally the default values should be added too.
But the use cases for flake8 in the tree are:
- when developing a new script or changing an existing one, the
developer calls flake8 only on that script;
- in the GitLab job, a list of all Python files to be tested is created
and then passed to flake8.
None of these involve calling 'flake8' without parameters, so don't care
about adding the default value.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com> Cc: Marcus Folkesson <marcus.folkesson@gmail.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use the latest version of the tool because it is actively maintained.
But use a fixed version of the tool and its dependencies to get stable
results. It can be manually bumped from time to time.
Before installing any Python packages, ensure pip, setuptools, and wheel
are up to date as recommended in the docs [1].
Fix these warnings:
E122 continuation line missing indentation or outdented
E301 expected 1 blank line, found 0
E302 expected 2 blank lines, found 1
F401 'os' imported but unused
Fix these warnings:
E129 visually indented line with same indent as next logical line
E302 expected 2 blank lines, found 1
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com> Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Cc: Yann E. MORIN <yann.morin.1998@free.fr> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix these warnings:
E201 whitespace after '['
E202 whitespace before ']'
E501 line too long (138 > 132 characters)
-> isolate the common part of the external toolchain url in a variable
to make the long lines shorter and more readable.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com> Cc: Arnout Vandecappelle <arnout@mind.be> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2018-1057: Authenticated users might change any other users'
passwords, including administrative users and privileged service
accounts (eg Domain Controllers).
Giulio Benetti [Tue, 13 Mar 2018 16:08:08 +0000 (17:08 +0100)]
sunxi-mali-mainline-driver: bump version
For stop using cma.
git shortlog --invert-grep --grep travis --no-merges 94ccbc8924c12a818d61d36a4b389b74a89fde3c..
Maxime Ripard (1):
mali: Stop using the reserved-memory region to setup the fb area
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Tue, 13 Mar 2018 12:54:01 +0000 (14:54 +0200)]
uclibc-ng-test: fix build with musl and older kernel headers
musl libc provides its own system call macros, including
preadv2/pwritev2. Having these macros defined is not enough to determine
availability of other related macros in kernel headers.
Jan Kundrát [Mon, 12 Mar 2018 18:41:00 +0000 (19:41 +0100)]
cmake: Fix RPATH for host libraries built by CMake
The host shared libraries produced by CMake were missing a proper
DT_RPATH. That became a problem because the DT_RPATH handling is not
transitive by design.
Consider the following scenario:
- pkg-a provides a library (`liba`) which links to `libpcre`
- pkg-b provides a binary (`foo`) and a shared library (`libb`) which is
needed by that binary
- `libb` links to `liba`
- pkg-a and pkg-b are both built by CMake
In this scenario, `foo` is correctly marked with DT_RPATH pointing to
host/lib/, but that path is not used when (recursively) resolving PCRE's
symbols in `liba`. When attempting to run the `foo` binary, the linker
correctly finds both `liba` and `libb`, but it cannot find the
libpcre.so as built by Buildroot for host.
Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Tue, 13 Mar 2018 07:19:39 +0000 (09:19 +0200)]
trinity: fix build with glibc 2.27
glibc 2.27 added a system call wrapper for memfd_create() which collides
with the local definition of the same symbol in trinity. Add a patch to
detect the presence of memfd_create(), and avoid collision.
Stefan Becker [Mon, 12 Mar 2018 12:34:09 +0000 (14:34 +0200)]
uboot: fix build for older uboot source trees
The change in commit bf733342324b414a1142b57781504111f81c97ea only works
for newer uboot source trees. Add a check that scripts/dtc/libfdt
directory exists before making this change.
[Peter: add comment explaining why] Signed-off-by: Stefan Becker <chemobejk@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
docker-proxy is needed by docker-engine at runtime, and was
previously not included. This leads to the following error
when attempting to port-map ports to a container:
$ docker run -p 8080:8080 nginx
docker: Error response from daemon: driver failed programming external
connectivity on endpoint:
exec: "docker-proxy": executable file not found in $PATH.
Docker expects the docker-proxy binary to exist in the PATH.
Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add docker-proxy package to Buildroot. Needed by docker-engine at
runtime, and previously not included. This leads to the following error
when attempting to port-map ports to a container:
$ docker run -p 8080:8080 nginx
docker: Error response from daemon: driver failed programming external
connectivity on endpoint:
exec: "docker-proxy": executable file not found in $PATH.
Docker expects the docker-proxy binary to exist in the PATH.
Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
André Hentschel [Fri, 9 Mar 2018 10:20:42 +0000 (11:20 +0100)]
wine: Drop glibc requirement
I noticed it's not needed anymore, musl went upstream at some point and uClibc is now build with bessel functions:
https://git.buildroot.net/buildroot/commit/package/uclibc?id=de56d58e5d26d78161ca3b7a1a2a4decfe4e89db
Signed-off-by: André Hentschel <nerv@dawncrow.de> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Matt Weber [Fri, 9 Mar 2018 03:10:06 +0000 (21:10 -0600)]
configs/freescale_t1040d4rdb_defconfig: new board
The T1 QoriQ from NXP has had a few varients of RDB dev boards.
This target is against the latest D4RDB version. Any of the
other versions before D4RDB (plain RDB), may require backing off
the uboot version to SDK 1.6 and/or adjusting the kernel dtb used.
This board configuration provides an upstream kernel build which
has been verified to boot on target.
The target assumes the user still uses the NXP suggested prebuilts
in the SDK2.0 (last release for PowerPC). If a uboot rebuild is
required, the source for SDK2.0 can be found in the following repo.
Matt Weber [Fri, 9 Mar 2018 02:36:38 +0000 (20:36 -0600)]
configs/freescale_p1025twr_defconfig: new board
Replacing the p1010rdb, this board is based on the tower development
system still available by NXP. The board is setup to track upstream
Linux and has been bumped from 4.1 to 4.15 (compared to p1010).
The target does not build uboot and assumes the user still uses the NXP
suggested prebuilts in the SDK2.0 (last release for PowerPC). If a
uboot is required, the source for SDK2.0 can be found in the following
repo.
http://git.freescale.com/git/cgit.cgi/ppc/sdk/u-boot.git/tag/?id=fsl-sdk-v2.0-1703
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Vivien Didelot [Mon, 5 Mar 2018 17:15:04 +0000 (12:15 -0500)]
board/technologic/ts5x00: rename to ts5500
Rename the confusing and misleading ts5x00 directory to a real reference
platform name, ts5500. The readme.txt file already states the support
for both TS-5500 and TS-5400 platforms.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Vivien Didelot [Mon, 5 Mar 2018 17:15:03 +0000 (12:15 -0500)]
board/technologic/ts5x00: bump kernel to 4.14
Bump the 3.17 kernel used for the Technologic Systems TS-5500 platform
to the latest LTS kernel 4.14.
This fixes the ts5x00_defconfig build with GCC 6.x.
The linux-3.17.config file has been renamed to linux-4.14.config to
match the new kernel version, and its changes are the result of make
linux-update-defconfig. However only comments are affected.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
projects / coffee / buildroot.git / log