Peter Korsgaard [Sat, 31 Mar 2018 06:11:55 +0000 (08:11 +0200)]
nodejs: security bump to version 8.11.1
Fixes the following security issues:
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious
website could use a DNS rebinding attack to trick a web browser to bypass
same-origin-policy checks and allow HTTP connections to localhost or to
hosts on the local network, potentially to an open inspector port as a
debugger, therefore gaining full code execution access. The inspector now
only allows connections that have a browser Host value of localhost or
localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths could
be used to cause a denial of service if an attacker were able to have a
specially crafted path string passed through one of the impacted 'path'
module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The
Node.js HTTP parser allowed for spaces inside Content-Length header
values. Such values now lead to rejected connections in the same way as
non-numeric values.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7f02604553bc3c8449d6a112818f038e99abbdaf) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sat, 31 Mar 2018 12:52:50 +0000 (14:52 +0200)]
support/check-uniq-files: support weird locales and filenames
Currently, when a filename contains characters not representable in the
user's locale, we fail hard, especially when the host python is python3.
This is because python2 and python3 handle encoding/decoding strings
differently, with python3 presumable doing the right thing, but it
breaks on some systems, while python2 presumable does the wrong thing,
but it works everywhere. (Just joking, obviously...)
Part of the issue being that the csv reader in python2 is broken with
UTF8.
We fix the issue by ditching the csv reader, and simply read the file in
binary mode, manually partitioning the lines on the first comma.
Then, we use the binary-encoded (really, un-encoded) package names and
filenames as values and keys, respectively.
Finally, for each filename or package we need to print, we try to decode
them with the defaults for the user settings, but catch any decoding
exception and fall back to dumping the raw, binary values. Which codec
is used by default differs between Python version, but in all cases
something sane is printed at least.
Thanks a lot to Arnout for the live help doing this patch. :-)
Thomas Petazzoni [Sat, 31 Mar 2018 06:47:09 +0000 (08:47 +0200)]
support/config-fragments/autobuild: fix SSP in br-nios2-glibc
Commit c8680956819fae8776d7bd6d1f0e67a7b6436672 ("toolchain: fix
detection of SSP support") fixed the SSP check so that it does the
correct thing for nios2 toolchains. While this commit fixed the
description of the Sourcery NIOSII toolchain, it didn't fix the
description for the autobuilders of the br-nios2-glibc toolchain,
causing some build failures. This commit adjusts br-nios2-glibc.config
to indicate that the toolchain doesn't have SSP support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0e4de0f2db5f7a252d4b8a4cac752fac9ca2deb3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Tue, 27 Mar 2018 11:00:22 +0000 (13:00 +0200)]
core: alternate solution to disable C++
Some packages that use libtool really need some love to be able to
disable C++ support.
This is because libtool will want to call AC_PROG_CXXCPP as soon as CXX
is set non-empty to something different from 'no'. Then, AC_PROG_CXXCPP
will want a C++ preprocessor that works on valid input *and* fail on
invalid input.
So, providing 'false' as the C++ compiler will then require that we do
have a working C++ preprocessor. Which is totally counter-productive
since we do not have a C++ compiler to start with...
bd39d11d2e (core/infra: fix build on toolchain without C++) was a
previous attempt at fixing this, by using the host's C++ preprocessor.
However, that is very incorrect (that's my code, I can say so!) because
the set of defines will most probably be different for the host and the
target, thus causing all sorts of trouble. For example, on ARM we'd have
to include different headers for soft-float vs hard-float, which is
decided based on a macro, which is not defined for x86, and thus may
redirect to the wrong (and missing) header.
Instead, we notice that libtool uses the magic value 'no' to decide that
a C++ compiler is not available, in which case it skips the call to
AC_PROG_CXXCPP.
Given that 'no' is not provided by any package in Debian and
derivatives, as well as in Fedora, we can assume that no system will
have an executable called 'no'. Hence, we use that as a magic value to
disable C++ detection altogether.
Fixes: #10846 (again) Reported-by: Damien Riegel <damien.riegel@savoirfairelinux.com> Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Damien Riegel <damien.riegel@savoirfairelinux.com> Cc: Peter Seiderer <ps.report@gmx.net> Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Cc: Peter Korsgaard <peter@korsgaard.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Tested-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4cd1ab15886a408b897104709ff87f15cc88ba16) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 29 Mar 2018 14:52:09 +0000 (16:52 +0200)]
libopenssl: security bump to version 1.0.2o
Fixes the following security issues:
Constructed ASN.1 types with a recursive definition could exceed the stack
(CVE-2018-0739)
Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack.
There are no such structures used within SSL/TLS that come from untrusted
sources so this is considered safe.
Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each
byte. This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the
security claims of the scheme. The module can only be compiled by the HP-UX
assembler, so that only HP-UX PA-RISC targets are affected.
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
This issue has been reported in a previous OpenSSL security advisory and a
fix was provided for OpenSSL 1.0.2. Due to the low severity no fix was
released at that time for OpenSSL 1.1.0. The fix is now available in
OpenSSL 1.1.0h.
There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH1024 are considered just feasible, because most of the
work necessary to deduce information about a private key may be performed
offline. The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the server
would have to share the DH1024 private key among multiple clients, which is
no longer an option since CVE-2016-0701.
This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
For more details, see https://www.openssl.org/news/secadv/20180327.txt
The copyright year changed in LICENSE, so adjust the hash to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6938c219d80e2267f8e25f3fc37f955ab723cc55) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 6205b75873c (sngrep: gnutls support also needs libgcrypt) ensured
that --with-gnutls is only used when both gnutls and libgcrypt are enabled,
but it didn't ensure libgcrypt gets built before sngrep or told the
configure script where to find libgcrypt-config, breaking the build.
Fix both issues.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ae7d59eaae1c55d707b2a70437a84c280f598572) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Mon, 26 Mar 2018 20:23:02 +0000 (23:23 +0300)]
xerces: add upstream security fix
CVE-2017-12627: dereference of a NULL pointer while processing the path
to the DTD.
xerces 3.2.1 includes this patch. But this version also added
AC_RUN_IFELSE to its configure script, making cross compilation harder.
Switching to cmake is also problematic since the minimum required cmake
version is 3.2.0. The host dependencies check currently allows minimum
cmake version 3.1.
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 142c8cc8d525f687ce199cc0163d48892e8a81f7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Trent Piepho [Thu, 15 Mar 2018 21:47:33 +0000 (14:47 -0700)]
Config.in: Document BR2_CCACHE_DIR override
This variable, like BR2_DL_DIR, is designed to be overridable from the
environment. Unlike BR2_DL_DIR, it is not documented as such in the
Config.in help text. Do so now.
Signed-off-by: Trent Piepho <tpiepho@impinj.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ad980ccc3639baa2e517c4d36e836b71ab9f5b8f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Stefan Becker <chemobejk@gmail.com> Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ef3304dabc1aef5c1035359211b1c3ca5d07eb3b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Anssi Hannula [Thu, 8 Mar 2018 14:25:09 +0000 (16:25 +0200)]
systemd: do not use host system-uid/gid ranges
systemd meson.build uses values from host /etc/login.defs if
system-uid-max and system-gid-max build options are not explicitly
specified.
Avoid that by setting system-uid-max and system-gid-max to 999 which is
the systemd default if SYSTEM_UID_MAX and SYSTEM_GID_MAX are not set in
/etc/login.defs.
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi> Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 183d2097ffef5d8d7e1ac07d3b613ecacdd8c876) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
busybox: disable PAM in the config if linux-pam is not selected
Currently there is only logic to enable PAM when linux-pam is selected.
However, busybox will fail to build with PAM enabled if the linux-pam
package has not been built before. So we should forcibly disable PAM in
busybox in that case.
Normally this is not an issue since our default busybox config doesn't
have PAM enabled. However, if you enable linux-pam, then save the
busybox config to a custom configuration file, then disable linux-pam
again, and then do a "make clean; make", the build will fail. A more
practical situation where this can occur is when the same custom
busybox config is used in a Buildroot config with and without
linux-pam.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0876b023663377bc3a24c80399f447c1f2afe0c1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Carlos Santos [Sun, 25 Mar 2018 03:59:52 +0000 (00:59 -0300)]
toolchain: fix detection of SSP support
GCC issues a warning message if -fstack-protector is passed but SSP is
not available, so in order to force the compilation to fail we must also
pass -Werror.
All external toolchains were verified. The only one whose configuration
incorrectly selected BR2_TOOLCHAIN_HAS_SSP was CodeSourcery NIOSII.
Signed-off-by: Carlos Santos <casantos@datacom.ind.br> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c8680956819fae8776d7bd6d1f0e67a7b6436672) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sun, 25 Mar 2018 20:03:51 +0000 (22:03 +0200)]
package/libss7: propagate dependency from dahdi-tools
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 76e6837cd670449740f21015a406d722e089a084) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Tue, 20 Mar 2018 15:56:57 +0000 (17:56 +0200)]
qemu: fix build with glibc 2.27
glibc version 2.27 added a wrapper for the memfd_create system call. The
wrapper prototype collides with a static declaration of memfd_create.
Add upstream patch to correctly detect the glibc provided memfd_create
definition.
Fabio Estevam [Sat, 10 Mar 2018 22:45:37 +0000 (19:45 -0300)]
configs/imxsabre: Fix U-Boot parallel build issue
Sometimes imximage throws the following error:
MKIMAGE u-boot-dtb.imx
Error: No BOOT_FROM tag in board/freescale/mx6sxsabresd/imximage.cfg.cfgtmp
arch/arm/imx-common/Makefile:91: recipe for target 'u-boot-dtb.imx' failed
Later on, when running mkimage for the u-boot.imx it will succeed in
finding the IVT offset.
Looks like some race condition happening during parallel build when
processing mkimage for u-boot-dtb.imx and u-boot.imx.
A proper fix still needs to be implemented, but as a workaround let's
remove the error when the IVT offset is not found.
It is useful to have such message, especially during bring-up phase,
but the build error that it causes is severe, so better avoid the
build error for now.
The error checking can be re-implemented later when we have a proper
fix.
Signed-off-by: Joel Stanley <joel@jms.id.au> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b383e4bf4151b9232b2e66f0d6ae822546576a5) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 19 Mar 2018 21:40:05 +0000 (22:40 +0100)]
tremor: security bump to fix CVE-2018-5146
Prevent out-of-bounds write in codebook decoding.
Codebooks that are not an exact divisor of the partition size are now
truncated to fit within the partition.
Upstream has migrated from subversion to git, so change to git and bump the
version to include the fix for CVE-2018-5146.
While we're at it, also add a hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 80266c95052024381898cada4c51d44207fddd80) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 18 Mar 2018 20:14:49 +0000 (21:14 +0100)]
linux-headers: bump 4.{4,9}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 50cd46b39f4af495a4c9d15f0e5d3df272e33c7c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 18 Mar 2018 14:40:08 +0000 (15:40 +0100)]
irssi: security bump to version 1.0.7
Fixes the following security issues:
Use after free when server is disconnected during netsplits. Incomplete fix
of CVE-2017-7191. Found by Joseph Bisch. (CWE-416, CWE-825) -
CVE-2018-7054 [2] was assigned to this issue.
Use after free when SASL messages are received in unexpected order. Found
by Joseph Bisch. (CWE-416, CWE-691) - CVE-2018-7053 [3] was assigned to
this issue.
Null pointer dereference when an “empty” nick has been observed by Irssi.
Found by Joseph Bisch. (CWE-476, CWE-475) - CVE-2018-7050 [4] was assigned
to this issue.
When the number of windows exceed the available space, Irssi would crash due
to Null pointer dereference. Found by Joseph Bisch. (CWE-690) -
CVE-2018-7052 [5] was assigned to this issue.
Certain nick names could result in out of bounds access when printing theme
strings. Found by Oss-Fuzz. (CWE-126) - CVE-2018-7051 [6] was assigned to
this issue.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 181ef8a1d01ddfa2be0b59ea85eb8902b0ce12c0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Thu, 15 Mar 2018 20:35:08 +0000 (21:35 +0100)]
core/instrumentation: shave minutes off the build time
As part of the build, we run some instrumentation hooks to gather
statistics about the usage of the target/, staging/ and host/
directories, so that we can generate reports for the user, that
shows:
- for each file, what package installed it,
- for each package,the size that it installed.
In so doing, we run a double md5 pass on all files of the affected
directories (before/after installation). These passes were mostly invisible
when we were only scanning target/, but has greatly increased in time now
that we also scan staging/ and host/ (but only in the corresponding _CMDS,
of course).
This md5 was mostly aimed at catching packages that would "cheat" with
mtime/atime/ctime somehow. They can't really cheat on md5, though [0].
Timings however speak for themselves, with this defconfig (slightly
biggish-but-still-manageable build) [1].
All instrumentation steps, using md5: 19min 27s
All instrumentation steps, using mtime: 14min 45s
No instrumentation step at all: 14min 31s
So, using mtime is an almost-5min improvement, i.e. about 25% faster,
while removing all instrumentation steps does not gain that much more...
So, we switch to using mtime, because in the end that's still good-enough
for our use-case: generating some graphs. It is not mission-critical, and
if a graph is slightly off, that's not a biggy. It can anyway be attributed
to a broken package's buildsystem, which should get fixed.
However, we lose the ability to track directories. Non-empty directories
can be tracked back by a bit of scripting, but empty directories are
simply not caught. If we were to also look for directories using mtime,
we would catch parents of installed files:
- /foo/bar/ exists
- a package installs /foo/bar/buz
- mtime of /foo/bar/ is changed to account for the new file in it.
So we do not track directories at all, and we lose empty directories.
The existing tracking was mostly happenstance, with the original
submission and comments not really accounting for a real use-case.
Now, we also change the way we handle symlinks. Previously, we would
hash the file pointed to by the symlink. Now, we only look at the mtime
of the symlink itself, which still detects modifications.
Eventually, this also means that we now no longer need to establish a
list before the install step; we can now simply run after the install
step, finding any files newer than the build stamp.
[0] Yeah, md5 is very weak, but we're not guarding against malicious
attacks, just about careless modifications.
Peter Korsgaard [Fri, 16 Mar 2018 21:35:29 +0000 (22:35 +0100)]
libvorbis: security bump to version 1.3.6
Fixes CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
Drop 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch and
0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch as they are
now upstream, and add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eca03d677448000f9c5387e8359c116508e03f79) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b67b65b3bab01f8dc3b06a3af69bdc8537b55ed8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Thu, 15 Mar 2018 18:06:19 +0000 (20:06 +0200)]
libcurl: security bump to version 7.59.0
CVE-2018-1000120: curl could be fooled into writing a zero byte out of
bounds when curl is told to work on an FTP URL with the setting to only
issue a single CWD command, if the directory part of the URL contains a
"%00" sequence.
https://curl.haxx.se/docs/adv_2018-9cd6.html
CVE-2018-1000121: curl might dereference a near-NULL address when
getting an LDAP URL.
https://curl.haxx.se/docs/adv_2018-97a2.html
CVE-2018-1000122: When asked to transfer an RTSP URL, curl could
calculate a wrong data length to copy from the read buffer.
https://curl.haxx.se/docs/adv_2018-b047.html
Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bf3476e5b1527ac91c0a12949be7da5253ea66c1) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 12 Mar 2018 22:36:03 +0000 (23:36 +0100)]
pkg-virtual.mk: explicitly set <pkg>_VERSION / _SOURCE for robustness
Recently a build failure was reported which was traced back to to the fact
that the user had a TOOLCHAIN_VERSION environment variable set which leads
to a strange looking error message:
toolchain/toolchain/toolchain.mk:40: *** TOOLCHAIN_SITE cannot be empty when
TOOLCHAIN_SOURCE is not. Stop.
Environment variables automatically gets converted to make variables by GNU
make - E.G. from the manual
(https://www.gnu.org/software/make/manual/html_node/Environment.html):
Variables in make can come from the environment in which make is run. Every
environment variable that make sees when it starts up is transformed into a
make variable with the same name and value
So we end up in make with TOOLCHAIN_VERSION set to the value of the
environment variable. As virtual packages do not have a version, there is
no explicit TOOLCHAIN_VERSION = .. line in toolchain.mk overriding this
value, and the logic in package/pkg-generic.mk sets a default value for
TOOLCHAIN_SOURCE when TOOLCHAIN_VERSION is set, and finally errors out as
TOOLCHAIN_SITE isn't set.
As a workaround, explicitly set <pkg>_VERSION and <pkg>_SOURCE to the empty
string in the virtual package infrastructure.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 32d2de2a6fb823a8eacb02d203b260c729522837) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2018-1057: Authenticated users might change any other users'
passwords, including administrative users and privileged service
accounts (eg Domain Controllers).
Baruch Siach [Tue, 13 Mar 2018 12:54:01 +0000 (14:54 +0200)]
uclibc-ng-test: fix build with musl and older kernel headers
musl libc provides its own system call macros, including
preadv2/pwritev2. Having these macros defined is not enough to determine
availability of other related macros in kernel headers.
Jan Kundrát [Mon, 12 Mar 2018 18:41:00 +0000 (19:41 +0100)]
cmake: Fix RPATH for host libraries built by CMake
The host shared libraries produced by CMake were missing a proper
DT_RPATH. That became a problem because the DT_RPATH handling is not
transitive by design.
Consider the following scenario:
- pkg-a provides a library (`liba`) which links to `libpcre`
- pkg-b provides a binary (`foo`) and a shared library (`libb`) which is
needed by that binary
- `libb` links to `liba`
- pkg-a and pkg-b are both built by CMake
In this scenario, `foo` is correctly marked with DT_RPATH pointing to
host/lib/, but that path is not used when (recursively) resolving PCRE's
symbols in `liba`. When attempting to run the `foo` binary, the linker
correctly finds both `liba` and `libb`, but it cannot find the
libpcre.so as built by Buildroot for host.
Signed-off-by: Jan Kundrát <jan.kundrat@cesnet.cz> Reviewed-by: Samuel Martin <s.martin49@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7d43534625ac06ae01987113e912ffaf1aec2302) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Martin Bark [Thu, 8 Mar 2018 16:16:41 +0000 (16:16 +0000)]
package/libhttpparser: bump version to 2.8.0
Signed-off-by: Martin Bark <martin@barkynet.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4a646da62850a6e4e38d422988e1c5bd123943cd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Martin Bark [Thu, 8 Mar 2018 16:16:40 +0000 (16:16 +0000)]
package/c-ares: bump version to 1.14.0
Signed-off-by: Martin Bark <martin@barkynet.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 103855a2e0ef04851cd460176c31393589ceb1de) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Martin Bark [Thu, 8 Mar 2018 16:16:39 +0000 (16:16 +0000)]
package/libuv: bump version to 1.19.2
Signed-off-by: Martin Bark <martin@barkynet.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2d2dbca68b32ec040ecd00728f3e2b9bfc484222) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Stefan Becker [Mon, 12 Mar 2018 12:34:09 +0000 (14:34 +0200)]
uboot: fix build for older uboot source trees
The change in commit bf733342324b414a1142b57781504111f81c97ea only works
for newer uboot source trees. Add a check that scripts/dtc/libfdt
directory exists before making this change.
[Peter: add comment explaining why] Signed-off-by: Stefan Becker <chemobejk@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f437bf547ca44849db4578c31707afdd96b85018) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
docker-proxy is needed by docker-engine at runtime, and was
previously not included. This leads to the following error
when attempting to port-map ports to a container:
$ docker run -p 8080:8080 nginx
docker: Error response from daemon: driver failed programming external
connectivity on endpoint:
exec: "docker-proxy": executable file not found in $PATH.
Docker expects the docker-proxy binary to exist in the PATH.
Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8d125cd9f646420467aa1426ebb45078eb815ef7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add docker-proxy package to Buildroot. Needed by docker-engine at
runtime, and previously not included. This leads to the following error
when attempting to port-map ports to a container:
$ docker run -p 8080:8080 nginx
docker: Error response from daemon: driver failed programming external
connectivity on endpoint:
exec: "docker-proxy": executable file not found in $PATH.
Docker expects the docker-proxy binary to exist in the PATH.
Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 81750410033ab5ebeec8257d80297f05e9534f36) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Vivien Didelot [Mon, 5 Mar 2018 17:15:05 +0000 (12:15 -0500)]
DEVELOPERS: add myself as the ts5500 maintainer
Add a new entry for myself listing the TS-5500 board directory and
defconfig file.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 79586d2ed5c47a59a3142678e9c414c74589194f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Vivien Didelot [Mon, 5 Mar 2018 17:15:04 +0000 (12:15 -0500)]
board/technologic/ts5x00: rename to ts5500
Rename the confusing and misleading ts5x00 directory to a real reference
platform name, ts5500. The readme.txt file already states the support
for both TS-5500 and TS-5400 platforms.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9f17540b170395d5c29eb111bfcacdb2540a2fb0) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Vivien Didelot [Mon, 5 Mar 2018 17:15:03 +0000 (12:15 -0500)]
board/technologic/ts5x00: bump kernel to 4.14
Bump the 3.17 kernel used for the Technologic Systems TS-5500 platform
to the latest LTS kernel 4.14.
This fixes the ts5x00_defconfig build with GCC 6.x.
The linux-3.17.config file has been renamed to linux-4.14.config to
match the new kernel version, and its changes are the result of make
linux-update-defconfig. However only comments are affected.
Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6461d76992ec2ceffabd7a5ccb59bb707ea2cb0a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
uboot-tools: backport patch fixing build failure with libfdt-devel installed
U-Boot host programs fail to build when libfdt-devel is installed
system-wide, with errors like this:
HOSTCC tools/aisimage.o
In file included from tools/../include/../lib/libfdt/libfdt.h:10:0,
from tools/../include/libfdt.h:1,
from tools/fdt_host.h:11,
from tools/imagetool.h:24,
from tools/aisimage.c:8:
/usr/include/libfdt_env.h:70:30: error: conflicting types for ‘fdt64_t’
typedef uint64_t FDT_BITWISE fdt64_t;
^~~~~~~
In file included from <command-line>:0:0:
././include/libfdt_env.h:19:16: note: previous declaration of ‘fdt64_t’ was here
typedef __be64 fdt64_t;
^~~~~~~
In file included from ././include/libfdt_env.h:12:0,
from <command-line>:0:
/usr/include/libfdt_env.h:90:24: error: expected ‘)’ before ‘x’
static inline uint32_t fdt32_to_cpu(fdt32_t x)
^
This commit backports an upstream patch that fixes this problem.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1cbfc94c5a0ac4120925aa8c7337eb7957dc4678) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
uboot: fix build when libfdt-devel is installed system-wide
When libfdt-devel is installed system-wide, the build of U-Boot host
programs currently fails with lots of:
HOSTCC tools/aisimage.o
In file included from tools/../include/../lib/libfdt/libfdt.h:10:0,
from tools/../include/libfdt.h:1,
from tools/fdt_host.h:11,
from tools/imagetool.h:24,
from tools/aisimage.c:8:
/usr/include/libfdt_env.h:70:30: error: conflicting types for ‘fdt64_t’
typedef uint64_t FDT_BITWISE fdt64_t;
^~~~~~~
In file included from <command-line>:0:0:
././include/libfdt_env.h:19:16: note: previous declaration of ‘fdt64_t’ was here
typedef __be64 fdt64_t;
^~~~~~~
In file included from ././include/libfdt_env.h:12:0,
from <command-line>:0:
/usr/include/libfdt_env.h:90:24: error: expected ‘)’ before ‘x’
static inline uint32_t fdt32_to_cpu(fdt32_t x)
^
This commit adds a fixup in the U-Boot code to fix this problem. The
fixup is equivalent to applying upstream commit
http://git.denx.de/?p=u-boot.git;a=commitdiff;h=e0d20dc1521e74b82dbd69be53a048847798a90a,
but we can't use a patch for the uboot package, since people are using
arbitrary versions.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bf733342324b414a1142b57781504111f81c97ea) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Martin Bark [Thu, 8 Mar 2018 16:16:38 +0000 (16:16 +0000)]
package/nodejs: bump version to 8.10.0
See https://nodejs.org/en/blog/release/v8.10.0/
Signed-off-by: Martin Bark <martin@barkynet.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit df33aae5f59eaaf40e800acdfefc83e57216ffe8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f124c2f0765b1098f86cca71f2df18d1788cba57) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Timo Ketola [Thu, 8 Mar 2018 10:42:33 +0000 (12:42 +0200)]
fbgrab: Fix some problems in the patch metadata
The patch description was missing Upstream-Status tag. It was given in the
commit which added this patch but not in the patch itself as should be.
Signed-off-by tag accidentally didn't follow the usual format.
Signed-off-by: Timo Ketola <timo.ketola@exertus.fi> Reviewed-by: Adrian Perez de Castro <aperez@igalia.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1a0b4b2be2c76b836f4461fcf59f5e95dcd8549b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Timo Ketola [Thu, 8 Mar 2018 08:28:37 +0000 (10:28 +0200)]
DEVELOPERS: Add myself as a maintainer of fbgrab
Daniel's address is bouncing and my touch on fbgrab is now the most
recent one.
Signed-off-by: Timo Ketola <timo.ketola@exertus.fi> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8ea3dd2d6258cabecaa5796d58bce31d94abe056) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Timo Ketola [Thu, 8 Mar 2018 07:22:05 +0000 (09:22 +0200)]
fbgrab: add patch fixing pixel format report
When verbosive, fbgrab reports pixel format. Green and blue offset and
msb_right fields are accidentally swapped there. This commit adds a patch
which straightens them up.
Signed-off-by: Timo Ketola <timo.ketola@exertus.fi> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5be0b3440e81aa364fb337b5e981f3396bdf8e02) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Wed, 7 Mar 2018 21:51:24 +0000 (22:51 +0100)]
support/check-bin-arch: exclude kernel modules for merged /usr
When using a merged /usr, the kernel module path is really
/usr/lib/modules, as /lib is a symlink to usr/lib .
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Cc: Peter Korsgaard <peter@korsgaard.com> Reviewed-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1b9a57442d0a234b03585235f516d755372f29b3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some packages (mostly, out-of-tree) may want to install binary blobs for
another architecture, outside the locations we currently exclude, like
in /opt or whatever...
Add support in check-bin-arch to accept any arbitrary location, that
individual package can each request to excude from the check, when they
are installed.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Peter Korsgaard <peter@korsgaard.com> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 01d90f0d093ff16ab3c1a9466430cee6fb7842d8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig fails to build with gcc 6.x, even though we switched to
using gcc 6.x as the default gcc version in May 2017.
It hasn't been updated since April 2017, and the original submitter,
Fabio Porcedda said:
Unfortunately a newer kernel doesn't boot and I don't have the time
to fix the issue. If having a defconfig that doesn't build on gcc
6.x is unacceptable feel free to remove it.
So, let's get rid of this defconfig, which will remove the following
build error:
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 13fb1c49128d4c039fc23fcf32317008862f8b4b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 6 Mar 2018 15:46:51 +0000 (16:46 +0100)]
linux: Config.in: correct typo in kernel compression format help text
s/build/built/.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d233cc72c4b901f1ea0ae4ce895ff665bd0b78d9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Wed, 7 Mar 2018 06:59:41 +0000 (08:59 +0200)]
ntp: fix build without SSP support
In version 4.2.8p11 ntp changed its configure script build hardening
parameter to '--with-hardenfile'. Update the parameter name to avoid
-fstack-protector-all when the toolchain does not support this option.
Baruch Siach [Tue, 6 Mar 2018 17:00:47 +0000 (19:00 +0200)]
ntp: security bump to version 4.2.8p11
Fixed or improved security issues:
CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
malicious authenticated peer can create arbitrarily-many ephemeral
associations in order to win the clock selection algorithm
CVE-2018-7182: Buffer read overrun leads to undefined behavior and
information leak
configs/ts4900: explicitly specify Linux kernel version
The ts4900 defconfig currently fails to build because it selects
kernel headers 4.12, but doesn't specify a kernel version, and
therefore 4.15 is built causing the following error:
Incorrect selection of kernel headers: expected 4.12.x, got 4.15.x
In commit 7c3a7d808e751d4b608a4c50a0ae4d13dedebab7 ("configs/ts4900:
bump kernel version to 4.12"), when this defconfig was switched from
using a vendor provided kernel to the mainline kernel, the kernel
version was no longer explicitly specified.
Since this commit indicated 4.12, and the kernel headers version
selected is also 4.12, we also use that as the fixed kernel version.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a3f2e977cdda32ceea9b6e445066fc9d1ab2bdd2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 41dca854e641044a01402897a34518c4cab5095a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b732fed265203a6c112007982c1ea601892f900f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e9151fd0be5369302933c9f0f26f97008786552d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 63bab546562bf69add47f01ea9c6f361d7b8f041) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 770a75600ccfa0be6ec783340c2cd6cc9cfa3a72) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3575f84c4e53964fc0ffb53ec7eca362c1c3973e) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3982d28cfbdcaf34a844fdce63ef68634adcf79f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d329ec701e1c78171528139c0c6757cdca18e94d) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 11f07c20081fdbac6b56f81b7d03b717184fda30) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ddbfee735e9bf13ebe6bec28790d18579ec37837) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e929742b84651ffee8a81a1bfe014a0c9772ebf4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>