Yann E. MORIN [Sat, 13 May 2017 08:27:36 +0000 (10:27 +0200)]
package/gpsd: do not interact with systemd on install
When building on a systemd-based host for a systemd-based target, gpsd's
buildsystem will try to tell systemd to reload the its configuration and
recreate the entire dependency tree of services.
Of course, this can not work when run as a user:
>>> gpsd 3.16 Installing to target
==== AUTHENTICATING FOR org.freedesktop.systemd1.reload-daemon ===
Authentication is required to reload the systemd state.
Authenticating as: root
Password:
In fact, this does not even mean anything in cross-compilation.
Fortunately, upstream has already fixed their sin, so we backport it
(tweaked to apply onto 3.16).
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 0d0fcfa443754ed33ab81b52dd22c5e89ea45c24) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The "mul" instruction does not have a suffix that indicates the width of
the data being multiplied. When the data is passed in a register, there
is no need to specify the width, but with some gcc versions, the data is
passed as a memory reference, and therefore the assembler does not know
the width of the data to be multiplied. It causes the following build
failure:
x86/hyperv_clock.c: Assembler messages:
x86/hyperv_clock.c:21: Error: no instruction mnemonic suffix given and no register operands; can't size instruction
Since the data being multiplied is 64 bit, we explicitly specify the
instruction as being "mulq".
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit bdadcf593d5308fcc1c8e767b7c2af8ae5aa9144) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Mon, 8 May 2017 21:11:49 +0000 (23:11 +0200)]
package/efl: fix unmet dependencies
EFL's elput selects libinput but forgot to propagate its dependencies.
Which requires they be propagated further to a second sub-option, then
to a third one.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Romain Naour <romain.naour@openwide.fr>
[Thomas: fix typoes.]
[Peter: fix more typoes] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 31bd2b46a83f6009518935e11b4136668bd4d330) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By default, qwt build a shared library, but when BR2_STATIC_LIBS is set
compilation failed with errors like :
__uClibc_main.c:(.text+0x164): undefined reference to `__fini_array_end'
__uClibc_main.c:(.text+0x168): undefined reference to `__fini_array_start'
__uClibc_main.c:(.text+0x16c): undefined reference to `__fini_array_start'
This patch disable QwtDll to build a static library when BR2_STATIC_LIBS=y.
sudo: fix static linking with openldap having openssl support
If we are building sudo statically and openldap was linked with openssl,
then when we link sudo with openldap we need to specify the openssl
libs, otherwise it will fail with "undefined reference" errors.
Thomas Petazzoni [Thu, 11 May 2017 07:46:40 +0000 (09:46 +0200)]
efibootmgr: backport upstream patch to fix build with gcc 6.x
efibootmgr was built with -fshort-wchar, which causes gcc to use
2-byte wchar_t instead of the normal 4-byte wchar_t. But this doesn't
work anymore with gcc 6.x, as it causes a build failure:
/home/test/autobuild/run/instance-3/output/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-gnueabihf/6.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: warning: efibootmgr.o uses 2-byte wchar_t yet the output is to use 4-byte wchar_t; use of wchar_t values across objects may fail
/home/test/autobuild/run/instance-3/output/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-gnueabihf/6.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: warning: efi.o uses 2-byte wchar_t yet the output is to use 4-byte wchar_t; use of wchar_t values across objects may fail
/home/test/autobuild/run/instance-3/output/host/opt/ext-toolchain/bin/../lib/gcc/arm-buildroot-linux-gnueabihf/6.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: warning: unparse_path.o uses 2-byte wchar_t yet the output is to use 4-byte wchar_t; use of wchar_t values across objects may fail
Upstream solution was do simply drop -fshort-wchar:
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 3e254b82c77f5b91907ee96e9cb053ac65cca00b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 4860e05a63bf01156466a1a8007de38e2839501a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sat, 6 May 2017 20:26:10 +0000 (22:26 +0200)]
package/libubox: fix lua module install path
The LUAPATH variable is only used when installing the lua module, and
cmake knows very well how to do out-of-tree isntalls, so there is no
reason to include the staging path in LUAPATH, which will cause our
post-install sanity checks to kick in and whine:
libubox: installs files in /home/lhk/workspace/orangepi/host/usr/a
rm-buildroot-linux-gnueabihf/sysroot//home/lhk/workspace/orangepi
As for libuci, just pass the runtime LUAPATH.
Fixes #9856
Reported-by: linhuikui@gmail.com Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Yegor Yefremov <yegorslists@googlemail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit be3645a58ad1ee3961c4da1b2f72f5835629303a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Danomi Manchego [Sat, 6 May 2017 00:51:18 +0000 (20:51 -0400)]
dbus: fix dbus symlink removal
There was already a post-build hook to delete the /var/lib/dbus symlink
created by buildroot after the package's own installation, to prevent
a dbus installation error during "make dbus-rebuild". However, this
misses the case for when one might delete the .stamp_target_installed
file manually, outside of dbus-rebuild. This can be fixed by changing
the post-build hook to a pre-install hook. This seems appropriate,
since it is really addressing an installation issue, not a build issue.
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c2d6c4ac3277e545ef27b3d4f3e6d94e50d76256) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Fri, 5 May 2017 19:08:26 +0000 (21:08 +0200)]
package/kyua: fix unmet dependencies
lutok is a lua module, so it depends on ! static libs. However, the
dependency is implicit, being done because the lua modules are sourced
globally under an if-block, and thus it is not easy to find that
dependency.
Propagate that dependency to kyua, which was missing it (because it is
not a lua module, so was missing the dependency).
[Peter: also update toolchain comment] Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Cc: Sebastien Bourdelin <sebastien.bourdelin@savoirfairelinux.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a65da16f630cea87fd0527ce73df0b529b73946c) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the download, which currently times out on ftp://.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 2068c7c6a810cdaf55240faf15c226ce3b308f1b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 3 May 2017 19:36:29 +0000 (21:36 +0200)]
linux-headers: bump 4.{4,9,10}.x series
[Peter: drop 4.10.x bump] Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 15a31470b0381fc0a77cafbc5ed63c8578a163ff) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Removing clear and reset from the busybox config when the ncurses tools
are enabled is not really needed.
Since commit 802bff9c42, the busybox install will not overwrite
existing programs. Therefore, the tools will be installed correctly
regardless of the order of the build:
- if busybox is built first, the clear and reset apps are installed,
but they will be overwritten by ncurses;
- if ncurses is built first, it will install the clear and reset apps,
and busybox will no longer install them.
We prefer not to modify the busybox configuration when not strictly
necessary, because it is surprising for the user that his configuration
is not applied. Clearly, it's not ideal that busybox is configured with
redundant apps, but if the user wants to shrink it, it's possible to
provide a custom config.
Peter Korsgaard [Mon, 1 May 2017 18:57:08 +0000 (20:57 +0200)]
linux-headers: bump 4.4.x series to 4.4.65
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0d18d1d9c0dd8173eee918b30761548c19b6bfdc) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sun, 30 Apr 2017 19:36:02 +0000 (21:36 +0200)]
freetype: add upstream security fixes for CVE-2017-8105 and CVE-2017-8287
Add upstream post-2.7.1 commits (except for ChangeLog modifications) fixing
the following security issues:
CVE-2017-8105 - FreeType 2 before 2017-03-24 has an out-of-bounds write
caused by a heap-based buffer overflow related to the
t1_decoder_parse_charstrings function in psaux/t1decode.c.
CVE-2017-8287 - FreeType 2 before 2017-03-26 has an out-of-bounds write
caused by a heap-based buffer overflow related to the
t1_builder_close_contour function in psaux/psobjs.c.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6d557ac0133618fe4fe1d417bf584e21ef208871) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 28 Apr 2017 07:49:30 +0000 (09:49 +0200)]
ghostscript: add upstream security fixes for CVE-2017-8291
CVE-2017-8291 - Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass
and remote command execution via a "/OutputFile (%pipe%" substring in a
crafted .eps document that is an input to the gs program, as exploited in
the wild in April 2017.
For more details, see https://bugzilla.suse.com/show_bug.cgi?id=1036453
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 874becfd019bc8f4e126684d08c4164e984b11c3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 27 Apr 2017 07:37:18 +0000 (09:37 +0200)]
python-django: security bump to version 1.10.7
Fixes the following security issues:
Since 1.10.3:
CVE-2016-9013 - User with hardcoded password created when running tests on
Oracle
Marti Raudsepp reported that a user with a hardcoded password is created
when running tests with an Oracle database.
CVE-2016-9014 - DNS rebinding vulnerability when DEBUG=True
Aymeric Augustin discovered that Django does not properly validate the Host
header against settings.ALLOWED_HOSTS when the debug setting is enabled. A
remote attacker can take advantage of this flaw to perform DNS rebinding
attacks.
Since 1.10.7:
CVE-2017-7233 - Open redirect and possible XSS attack via user-supplied
numeric redirect URLs
It was discovered that is_safe_url() does not properly handle certain
numeric URLs as safe. A remote attacker can take advantage of this flaw to
perform XSS attacks or to use a Django server as an open redirect.
CVE-2017-7234 - Open redirect vulnerability in django.views.static.serve()
Phithon from Chaitin Tech discovered an open redirect vulnerability in the
django.views.static.serve() view. Note that this view is not intended for
production use.
Cc: Oli Vogt <oli.vogt.pub01@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3a66a81b7a9db8e45f15fa63cc0670d158003d5a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-0553: An elevation of privilege vulnerability in libnl could enable a
local malicious application to execute arbitrary code within the context of
the Wi-Fi service
Peter Korsgaard [Wed, 26 Apr 2017 21:58:14 +0000 (23:58 +0200)]
tiff: add upstream security fixes
Add upstream post-4.0.7 commits (except for ChangeLog modifications) fixing
the following security issues:
CVE-2016-10266 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_read.c:351:22.
CVE-2016-10267 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (divide-by-zero error and application crash) via a crafted TIFF
image, related to libtiff/tif_ojpeg.c:816:8.
CVE-2016-10269 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 512" and
libtiff/tif_unix.c:340:2.
CVE-2016-10270 - LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (heap-based buffer over-read) or possibly have unspecified other
impact via a crafted TIFF image, related to "READ of size 8" and
libtiff/tif_read.c:523:22.
CVE-2017-5225 - LibTIFF version 4.0.7 is vulnerable to a heap buffer
overflow in the tools/tiffcp resulting in DoS or code execution via a
crafted BitsPerSample value.
CVE-2017-7592 - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7
has a left-shift undefined behavior issue, which might allow remote
attackers to cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted image.
CVE-2017-7593 - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata
is properly initialized, which might allow remote attackers to obtain
sensitive information from process memory via a crafted image.
CVE-2017-7594 - The OJPEGReadHeaderInfoSecTablesDcTable function in
tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of
service (memory leak) via a crafted image.
CVE-2017-7595 - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7
allows remote attackers to cause a denial of service (divide-by-zero error
and application crash) via a crafted image.
CVE-2017-7598 - tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers
to cause a denial of service (divide-by-zero error and application crash)
via a crafted image.
CVE-2017-7601 - LibTIFF 4.0.7 has a "shift exponent too large for 64-bit
type long" undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via a crafted image.
CVE-2017-7602 - LibTIFF 4.0.7 has a signed integer overflow, which might
allow remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted image.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 030fe340af365b834c15142f862e0de6d5f95737) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 26 Apr 2017 12:57:13 +0000 (14:57 +0200)]
icu: add upstream security fix for utf-8 handling
Fixes:
CVE-2017-7867 - International Components for Unicode (ICU) for C/C++ before
2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
related to the utf8TextAccess function in common/utext.cpp and the
utext_setNativeIndex* function.
CVE-2017-7868 - International Components for Unicode (ICU) for C/C++ before
2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow
related to the utf8TextAccess function in common/utext.cpp and the
utext_moveIndex32* function.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0135204868e4888cf162755a90087b10b40093ed) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 26 Apr 2017 11:52:14 +0000 (13:52 +0200)]
libsndfile: security bump to version 1.0.28
Fixes:
CVE-2017-7585 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
stack-based buffer overflow via a specially crafted FLAC file.
CVE-2017-7586 - In libsndfile before 1.0.28, an error in the "header_read()"
function (common.c) when handling ID3 tags can be exploited to cause a
stack-based buffer overflow via a specially crafted FLAC file.
CVE-2017-7741 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
segmentation violation (with write memory access) via a specially crafted
FLAC file during a resample attempt, a similar issue to CVE-2017-7585.
CVE-2017-7742 - In libsndfile before 1.0.28, an error in the
"flac_buffer_copy()" function (flac.c) can be exploited to cause a
segmentation violation (with read memory access) via a specially crafted
FLAC file during a resample attempt, a similar issue to CVE-2017-7585.
Dop undocumented patch adjusting SUBDIRS in Makefile.in as it no longer
applies. Instead pass --disable-full-suite to disable man pages,
documentation and programs, as that was presumably the reason for the patch.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c363e070d8ee036052fbcadd153d8c39ce0db55b) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 25 Apr 2017 15:35:54 +0000 (17:35 +0200)]
imagemagick: add upstream security fix for CVE-2017-7606
This is not yet part of any release.
coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of
representable values of type unsigned char" undefined behavior issue, which
might allow remote attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via a crafted image.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 665560856edfcdd18b2053e26bc8a44754dffca2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 25 Apr 2017 14:16:59 +0000 (16:16 +0200)]
libcroco: add upstream security fixes
These have been added to upstream git after 0.6.12 was released.
CVE-2017-7960 - The cr_input_new_from_uri function in cr-input.c in libcroco
0.6.11 and 0.6.12 allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted CSS file.
CVE-2017-7961 - The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco
0.6.11 and 0.6.12 has an "outside the range of representable values of type
long" undefined behavior issue, which might allow remote attackers to cause
a denial of service (application crash) or possibly have unspecified other
impact via a crafted CSS file.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 52bfb4b1ce25d870f9bab72d285f326ec7d0ad77) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 25 Apr 2017 13:44:23 +0000 (15:44 +0200)]
python-web2py: security bump to version 2.14.6
CVE-2016-4806 - Web2py versions 2.14.5 and below was affected by Local File
Inclusion vulnerability, which allows a malicious intended user to
read/access web server sensitive files.
CVE-2016-4807 - Web2py versions 2.14.5 and below was affected by Reflected
XSS vulnerability, which allows an attacker to perform an XSS attack on
logged in user (admin).
CVE-2016-4808 - Web2py versions 2.14.5 and below was affected by CSRF (Cross
Site Request Forgery) vulnerability, which allows an attacker to trick a
logged in user to perform some unwanted actions i.e An attacker can trick an
victim to disable the installed application just by sending a URL to victim.
CVE-2016-10321 - web2py before 2.14.6 does not properly check if a host is
denied before verifying passwords, allowing a remote attacker to perform
brute-force attacks.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a534030c6e67ff0319f8af2b55fe977a06f17dfd) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 027a0d5b61326da318fb916ff52324b9f238d768) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Jörg Krause [Thu, 16 Mar 2017 14:32:01 +0000 (15:32 +0100)]
libsamplerate: security bump to version 0.1.9
libsamplerate is relicensed under the 2 clause BSD license.
Fixes CVE-2017-7697 - In libsamplerate before 0.1.9, a buffer over-read
occurs in the calc_output_single function in src_sinc.c via a crafted audio
file.
For more details, see:
https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/
[Peter: add CVE info] Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bcdaf4ca8482f0ecb02ee828ce0d3b16f724e9eb) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Including fixes for the following security issues:
XSA-191: x86 null segments not always treated as unusable (CVE-2016-9386)
XSA-192: x86 task switch to VM86 mode mis-handled (CVE-2016-9382)
XSA-193: x86 segment base write emulation lacking canonical address checks
(CVE-2016-9385)
XSA-194: guest 32-bit ELF symbol table load leaking host data (CVE-2016-9384)
XSA-195: x86 64-bit bit test instruction emulation broken (CVE-2016-9383)
XSA-196: x86 software interrupt injection mis-handled
(CVE-2016-9377 CVE-2016-9378)
XSA-197: qemu incautious about shared ring processing (CVE-2016-9381)
XSA-198: delimiter injection vulnerabilities in pygrub
(CVE-2016-9379 CVE-2016-9380)
XSA-199: qemu ioport array overflow (CVE-2016-9637)
XSA-200: x86 CMPXCHG8B emulation fails to ignore operand size override
Files (CVE-2016-9932)
XSA-201: ARM guests may induce host asynchronous abort
(CVE-2016-9815 CVE-2016-9816 CVE-2016-9817 CVE-2016-9818)
XSA-202: x86 PV guests may be able to mask interrupts (CVE-2016-10024)
XSA-203: x86: missing NULL pointer check in VMFUNC emulation (CVE-2016-10025)
XSA-204: x86: Mishandling of SYSCALL singlestep during emulation
(CVE-2016-10013)
XSA-207: memory leak when destroying guest without PT devices
XSA-208: oob access in cirrus bitblt copy (CVE-2017-2615)
XSA-209: cirrus_bitblt_cputovideo does not check if memory region is safe
(CVE-2017-2620)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
No board defconfig name specified, check your
BR2_TARGET_UBOOT_DEFCONFIG setting.
It should read:
No board defconfig name specified, check your
BR2_TARGET_UBOOT_BOARD_DEFCONFIG setting.
Signed-off-by: Christian Stewart <christian@paral.in> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit b7f095920a147c58f07b18f1b68553a1af03ae75) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/libunwind: disable for x86 with uClibc toolchain
libunwind use sigreturn() while building for x86 [1] but this function
is not available with uClibc-ng.
This throw a warning during libunwind build:
In file included from x86/Los-linux.c:4:0:
x86/Gos-linux.c: In function ‘_ULx86_local_resume’:
x86/Gos-linux.c:298:7: warning: implicit declaration of function ‘sigreturn’ [-Wimplicit-function-declaration]
sigreturn (sc);
^
But any program trying to link against libunwind-generic.so fail to build:
[...]usr/lib/libunwind-generic.so: undefined reference to `sigreturn'
collect2: error: ld returned 1 exit status
Disable libunwind for x86 target when uClibc-ng is used.
package/hiredis: fix install step for static build only
The previous patch [1] didn't take into acount the static build only
scenario. It tries to unconditionally install a shared library.
Handle the install step like for bzip2 package: install the shared
library only if BR2_SHARED_LIBS or BR2_SHARED_STATIC_LIBS is set and
install the static library only if BR2_STATIC_LIBS or
BR2_SHARED_STATIC_LIBS is set.
Matt Weber [Fri, 14 Apr 2017 03:20:47 +0000 (22:20 -0500)]
busybox: preserve ncurses progs/tools
The ncurses package installs a full version of clear and reset(tset)
tools. Preserve these by disabling the options in the busybox config
file. This removes the need for ncurses to depend on busybox for solely
ordering of target install.
This commit resolves the following python circular dependency with python.
busybox -> libselinux -> python3 -> ncurses -> busybox
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[Thomas: minor tweaks.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 33c72344a8686a136c1da6a056ed6c0945bbf8b7) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Security Fixes:
- rndc "" could trigger an assertion failure in named. This flaw is
disclosed in (CVE-2017-3138). [RT #44924]
- Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed in
CVE-2017-3137. [RT #44734]
- dns64 with break-dnssec yes; can result in an assertion failure. This
flaw is disclosed in CVE-2017-3136. [RT #44653]
- If a server is configured with a response policy zone (RPZ) that
rewrites an answer with local data, and is also configured for DNS64
address mapping, a NULL pointer can be read triggering a server
crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
- A coding error in the nxdomain-redirect feature could lead to an
assertion failure if the redirection namespace was served from a
local authoritative data source such as a local zone or a DLZ instead
of via recursive lookup. This flaw is disclosed in CVE-2016-9778.
[RT #43837]
- named could mishandle authority sections with missing RRSIGs,
triggering an assertion failure. This flaw is disclosed in
CVE-2016-9444. [RT #43632]
- named mishandled some responses where covering RRSIG records were
returned without the requested data, resulting in an assertion
failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
- named incorrectly tried to cache TKEY records which could trigger an
assertion failure when there was a class mismatch. This flaw is
disclosed in CVE-2016-9131. [RT #43522]
- It was possible to trigger assertions when processing responses
containing answers of type DNAME. This flaw is disclosed in
CVE-2016-8864. [RT #43465]
package/hiredis: fix installation logic of library
While testing minetest with libhiredis library, the game crached due to
missing libhiredis.so.0.13 library.
The hiredis.mk doesn't use "make install" because "make install" depends
on building both the shared and static libraries, which fails in
static-only scenarios.
However, the installation logic in hiredis.mk is bogus: it installs the
library as libhiredis.so, while its SONAME is libhiredis.so.0.13. We fix
this by using the same logic as the one done by the package "make
install" process: install the library as libhiredis.so.0.13, and create
libhiredis.so as a symbolic link to it.
While at it:
- Install the library 0755, this is more common.
- Do not create $(TARGET_DIR)/usr/lib, since $(INSTALL) -D will create
the necessary directories for the destination path.
Signed-off-by: Romain Naour <romain.naour@gmail.com> Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Thomas: rework to use the same installation logic as the one from
hiredis "make install".] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 96daacb720cffe1f83259462bef9d3da92925cd9) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In 2010 commit 32d319e6f "gst-plugins-base: ensure <stdint.h> is used"
introduced a typo (missing backslash) that made the code ineffective.
It can be confirmed by looking at the output of:
$ make printvars | grep '^GST_PLUGINS_BASE_CONF_ENV\|^FT2_CONFIG'
FT2_CONFIG=/bin/false ac_cv_header_stdint_t="stdint.h"
GST_PLUGINS_BASE_CONF_ENV=
Add the missing backslash to fix the code.
While at it, fix the indentation to use one tab instead of two.
The (end of the) diff of config.log confirms the code is still needed
when the host has freetype-config installed:
@@ -1674,10 +1674,8 @@
configure:21882: checking for emmintrin.h
configure:21882: result: no
configure:21894: checking for stdint types
-configure:21917: /tmp/gst/output/host/usr/bin/i686-pc-linux-gnu-gcc -std=gnu99 -c conftest.c >&5
-configure:21917: $? = 0
configure:21961: result: stdint.h (shortcircuit)
-configure:22348: result: make use of stdint.h in _stdint.h (assuming C99 compatible system)
+configure:22348: result: make use of stdint.h in _stdint.h
configure:22359: checking for localtime_r
configure:22359: /tmp/gst/output/host/usr/bin/i686-pc-linux-gnu-gcc -std=gnu99 -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c >&5
configure:22359: $? = 0
@@ -2468,8 +2466,7 @@
Package 'freetype2', required by 'world', not found
configure:31257: result: no
configure:31298: checking for freetype-config
-configure:31316: found /usr/bin/freetype-config
-configure:31329: result: /usr/bin/freetype-config
+configure:31329: result: /bin/false
configure:31339: checking for FreeType - version >= 2.0.9
configure:31427: result: yes
configure:32250: creating ./config.status
@@ -2789,7 +2786,7 @@
ac_cv_objext='o'
ac_cv_path_EGREP='/bin/grep -E'
ac_cv_path_FGREP='/bin/grep -F'
-ac_cv_path_FT2_CONFIG='/usr/bin/freetype-config'
+ac_cv_path_FT2_CONFIG='/bin/false'
ac_cv_path_GMSGFMT='/tmp/gst/output/host/usr/bin/msgfmt'
ac_cv_path_GREP='/bin/grep'
ac_cv_path_MSGFMT='/tmp/gst/output/host/usr/bin/msgfmt'
@@ -2818,7 +2815,6 @@
ac_cv_prog_cxx_g='yes'
ac_cv_prog_make_make_set='yes'
ac_cv_stdint_message='using gnu compiler i686-pc-linux-gnu-gcc (Sourcery CodeBench Lite 2012.09-62) 4.7.2'
-ac_cv_stdint_result='(assuming C99 compatible system)'
ac_cv_sys_file_offset_bits='no'
ac_cv_sys_largefile_CC='no'
ac_cv_sys_largefile_source='no'
@@ -2965,9 +2961,9 @@
EXEEXT=''
FFLAGS=' -Os '
FGREP='/bin/grep -F'
-FT2_CFLAGS='-I/usr/include/freetype2'
-FT2_CONFIG='/usr/bin/freetype-config'
-FT2_LIBS='-lfreetype'
+FT2_CFLAGS=''
+FT2_CONFIG='/bin/false'
+FT2_LIBS=''
GCOV=''
GCOV_CFLAGS=''
GCOV_LIBS=''
Detected by check-package.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com> Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit c07a46b0ceef9e909b5274f08d00064a5d3410a4) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
passdb/userdb dict: Don't double-expand %variables in keys. If dict
was used as the authentication passdb, using specially crafted
%variables in the username could be used to cause DoS (CVE-2017-2669)
Full ChangeLog 2.2.29 (including CVE fix):
https://www.dovecot.org/list/dovecot-news/2017-April/000341.html
Full ChangeLog 2.2.29.1 (some fixes forgotten in the 2.2.29 release):
Until now, the host toolchain was used to build syslinux, as it was
not possible to build a 32-bit syslinux with a x86-64 toolchain.
However, syslinux requires gnu-efi, and gnu-efi is built using the
target toolchain. Mixing different toolchains doesn't work well, so
this commit changes the syslinux package to use the target toolchain
for syslinux as well. This is made possible by patches
0003-Fix-ldlinux.elf-Not-enough-room-for-program-headers-.patch and
0004-memdisk-Force-ld-output-format-to-32-bits.patch.
Since syslinux also contains some utilities that have to run on the
host, those have to continue being built with the host toolchain,
which requires patch 0005-utils-Use-the-host-toolchain-to-build.patch.
Patch 0006-lzo-Use-the-host-toolchain-for-prepcore.patch is about
building prepcore, another utility with the host toolchain as it is
required at build-time.
This was tested using a Buildroot's built x86_64 toolchain, and
checked that the output binaries are 32-bits. It was tested as well if
they actually boot on hardware.
Signed-off-by: Benoît Allard <benoit.allard@greenbone.net> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6e432d5ecb46959f3c27dbbca48e41512bb40a70) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In preparation for the addition of more patches to the syslinux
package, reformat the two existing patches as proper Git formatted
patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 34da6a65adae8463149a28c560926f3349142c2a) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 7 Apr 2017 14:28:59 +0000 (16:28 +0200)]
icu: legal-info: refer to the real license file
License.html now just contains the string:
The ICU license is now in plain text format, see <a href="./LICENSE">LICENSE</a>.
Update links and software appropriately.
So refer directly to that file instead.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d2ea2479e5061c9d48b7ee544271828563e83da8) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 7 Apr 2017 14:28:58 +0000 (16:28 +0200)]
freetype: legal-info: include docs/LICENSE.TXT
LICENSE.TXT gives an overview and explains in detail that freetype is dual
licensed under the FTL and GPLv2+, so also include it in the license files.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 2843b970e749db28eb06d0c5968a60bc006c9747) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In 2010 commit 32d319e6f "gst-plugins-base: ensure <stdint.h> is used"
introduced a typo (missing backslash) that made the code ineffective.
In 2013 commit f8e7fdcd3 "gst1-plugins-base: add gstreamer1 base
plugins" copied the code.
It can be confirmed by looking at the output of:
$ make printvars | grep '^GST1_PLUGINS_BASE_CONF_ENV\|^FT2_CONFIG'
FT2_CONFIG=/bin/false ac_cv_header_stdint_t="stdint.h"
GST1_PLUGINS_BASE_CONF_ENV=
Direct use of freetype was dropped in version 1.7.2 by upstream [1], so
remove the code instead of fixing it.
Found using [2]:
check-package --include-only Indent $(find * -type f)
and manually removed.
Our patch adding nios2 support to libnspr uses the built-in compiler
define "nios2". However, this doesn't work with C++11, where only the
__nios2__ define is available. Since __nios2__ is always available,
use that instead:
Patch 0001-nios2.patch is therefore changed to use __nios2__ (the rest
of the change noise is due to using quilt to format the patch). Patch
0002-microblaze.patch is simply updated to apply correctly on top of
the modified 0001-nios2.patch.
This fixes the build of the poppler library on nios2. It is built with
-std=c++11, and includes nspr headers (through nss), causing a build
issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 9a521546ed553d2be23740bbf1a7aa05bce9eb09) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Due to a mistake, the Microblaze patch was adding another #elif
defined(nios2), which doesn't make any sense. This commit gets rid of
it.
The rest of the noise in the change is due to the use of quilt to
generate the patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 7039c4d456259ca2c2708be16ebea98a82adee3f) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Matt Weber [Tue, 4 Apr 2017 02:06:11 +0000 (21:06 -0500)]
libselinux: query for python site-packages dir directly
With the bump to version 2.6, the following commit needs
to be taken into consideration for overloading paths.
https://github.com/SELinuxProject/selinux/commit/8162f10e670da963eb65ccf1e7de69ea85aba30d
The PYLIBVER is no longer used and the PYTHONLIBDIR is
renamed to PYSITEDIR with slightly different pathing.
More details can be found in the issue ticket which was
marked as a non-issue after analysis that a Buildroot fix
was the resolution.
https://github.com/SELinuxProject/selinux/issues/51
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit 6a6ce10eba24d43412aada7df7de2ab78e8ffee2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 22 Mar 2017 23:04:56 +0000 (00:04 +0100)]
gst-ffmpeg: work-around bogus configure logic on SPARC
The libav version built into the gst-ffmpeg code produces a bogus
binary on SPARC, which causes the following error of the
check-bin-arch script:
ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstffmpeg.so is Sparc v8+, should be Sparc
ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstpostproc.so is Sparc v8+, should be Sparc
ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstffmpegscale.so is Sparc v8+, should be Sparc
The problem is the following bit of code in
gst-lib/ext/libav/configure:
elif enabled sparc; then
enabled vis && check_asm vis '"pdist %f0, %f0, %f0"' -mcpu=ultrasparc &&
add_cflags -mcpu=ultrasparc -mtune=ultrasparc
I.e, it checks if the architecture supports the pdist
instruction... but forces -mcpu to ultrasparc while doing so. So it's
like "let's see if this Ultrasparc instruction exists when I force the
compiler to think I'm using Ultrasparc", which is non-sensical. This
has been fixed later on in libav upstream:
However, this commit cannot be backported as-is since the shell
function check_inline_asm did not exist in the old libav version
bundled in gst-ffmpeg.
Therefore, we take the simpler route of disabling the VIS
optimizations on SPARCv8 and Leon3.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit d2b73875c3b8a6ec518c1424eaf92c1257fa40aa) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/tyrian: fixes compilation with static libs
Has been tested with: "./support/scripts/test-pkg -c tyrian.cfg -p opentyrian" Fixes: http://autobuild.buildroot.net/results/0e2345db82b33f591958fc0f72ad914adafe0522
and some similar previous build failure.
Thanks Thomas for the tip ;-).
Signed-off-by: Julien BOIBESSOT <julien.boibessot@armadeus.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit dd99f2cb7d10f20568cab22c498a9e1831b5a351) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 30 Mar 2017 21:03:35 +0000 (23:03 +0200)]
audiofile: add security patch for CVE-2017-6839
Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka
audiofile) 0.3.6 allows remote attackers to cause a denial of service
(crash) via a crafted file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 844a7c6281eb442881330a5d36d5a0719f2870bf) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 30 Mar 2017 21:03:34 +0000 (23:03 +0200)]
audiofile: add security patch for CVE-2017-6831
Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in
Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
denial of service (crash) via a crafted file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bd5f84d301c4e74ca200a9336eca88468ec0e1f3) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-6830: A heap-based buffer overflow in the alaw2linear_buf function
in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.
CVE-2017-6834: A heap-based buffer overflow in the ulaw2linear_buf function
in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.
CVE-2017-6836: A heap-based buffer overflow in the Expand3To4Module::run
function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka
audiofile) 0.3.6 allows remote attackers to cause a denial of service
(crash) via a crafted file.
CVE-2017-6838: Integer overflow in sfcommands/sfconvert.c in Audio File
Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
service (crash) via a crafted file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4a1a8277bba490d227f413e218138e39f1fe1203) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 30 Mar 2017 21:03:32 +0000 (23:03 +0200)]
audiofile: add security patch for CVE-2017-6829
The decodeSample function in IMA.cpp in Audio File Library (aka audiofile)
0.3.6 allows remote attackers to cause a denial of service (crash) via a
crafted file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 434890df2a7c131b40fec1c49e6239972ab299d2) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2017-6827: A heap-based buffer overflow in the
MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka
libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have
unspecified impact via a crafted audio file.
CVE-2017-6828: A Heap-based buffer overflow in the readValue function in
FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6
allows remote attackers to have unspecified impact via a crafted WAV file.
CVE-2017-6832: A Heap-based buffer overflow in the decodeBlock in
MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.
CVE-2017-6833: The runPull function in libaudiofile/modules/BlockCodec.cpp
in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause
a denial of service (divide-by-zero error and crash) via a crafted file.
CVE-2017-6835: The reset1 function in libaudiofile/modules/BlockCodec.cpp in
Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
denial of service (divide-by-zero error and crash) via a crafted file.
CVE-2017-6837: WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows
remote attackers to cause a denial of service (crash) via vectors related to
a large number of coefficients.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit cc00bde57fc20d11f8fa4e8ec5f193c091714c55) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>