buildroot.git
4 years agopackage/libvncserver: fix CVE-2019-15681
Fabrice Fontaine [Tue, 3 Mar 2020 19:02:32 +0000 (20:02 +0100)]
package/libvncserver: fix CVE-2019-15681

LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a
memory leak (CWE-655) in VNC server code, which allow an attacker to
read stack memory and can be abused for information disclosure. Combined
with another vulnerability, it can be used to leak stack memory and
bypass ASLR. This attack appear to be exploitable via network
connectivity. These vulnerabilities have been fixed in commit
d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/libvncserver: fix CVE-2018-20750
Fabrice Fontaine [Tue, 3 Mar 2020 19:02:31 +0000 (20:02 +0100)]
package/libvncserver: fix CVE-2018-20750

LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability
in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoRevert "package/linux-firmware: add missing symlinks"
Yann E. MORIN [Tue, 3 Mar 2020 15:35:50 +0000 (16:35 +0100)]
Revert "package/linux-firmware: add missing symlinks"

This reverts commit 23d12793d54480617f4dd104bc70c53e80582fdb, which was
intended for the next branch, not master.

Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Antoine Tenart <antoine.tenart@bootlin.com>
Cc: Baruch Siach <baruch@tkos.co.il>
4 years agoUpdate for 2020.02-rc3
Peter Korsgaard [Mon, 2 Mar 2020 23:01:39 +0000 (00:01 +0100)]
Update for 2020.02-rc3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/rocksdb: fix C++ tests
Fabrice Fontaine [Mon, 24 Feb 2020 10:54:57 +0000 (11:54 +0100)]
package/rocksdb: fix C++ tests

This will fix a build failure on xtensa and nios2 that missed
-faligned-new

Fixes:
 - http://autobuild.buildroot.org/results/58bf25a16984c4d5f3ce0e26a56712410b67c53a
 - http://autobuild.buildroot.org/results/718fee3d20ef00ffa5c3e617a036cf2b82c97411

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libvncserver: fix pkg-config file
Fabrice Fontaine [Fri, 28 Feb 2020 12:17:17 +0000 (13:17 +0100)]
package/libvncserver: fix pkg-config file

This will fix a build failure with vlc and without zlib

Fixes:
 - http://autobuild.buildroot.org/results/7d5f5980f1ba248a1d95b380d422eaeeaca265f8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agosupport/scripts/pkg-stats: clear multiprocessing pools after use
Titouan Christophe [Sun, 1 Mar 2020 21:25:28 +0000 (22:25 +0100)]
support/scripts/pkg-stats: clear multiprocessing pools after use

During the CVE checking phase, we can still see a huge amount of
Python processes (actually 128) running on the host, even though
the CVE step is entirely ran in the main thread.

These are actually the worker processes spawned to check for the
packages URL statuses and the latest versions from release-monitoring.
This is because of an issue in Python's multiprocessing implementation:
https://bugs.python.org/issue34172

The problem was already there before the CVE matching step was
introduced, but because pkg-stat was terminating right after the
release-monitoring step, it went unnoticed.

Also, do not hold a reference to the multiprocessing pool from
the Package class, as this is not needed.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agosupport/scripts/pkg-stats: decode subprocess output for python3
Titouan Christophe [Sun, 1 Mar 2020 21:18:48 +0000 (22:18 +0100)]
support/scripts/pkg-stats: decode subprocess output for python3

In Python 3, the functions from the subprocess module return bytes
(and no longer strings as in Python 2), which must be decoded for
further text operations.

Now, pkg-stats can be run in Python 3.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/taglib: fix CVE-2018-11439
Fabrice Fontaine [Sun, 1 Mar 2020 20:37:59 +0000 (21:37 +0100)]
package/taglib: fix CVE-2018-11439

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib
1.11.1 allows remote attackers to cause information disclosure
(heap-based buffer over-read) via a crafted audio file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/taglib: fix CVE-2017-12678
Fabrice Fontaine [Sun, 1 Mar 2020 20:37:58 +0000 (21:37 +0100)]
package/taglib: fix CVE-2017-12678

In TagLib 1.11.1, the rebuildAggregateFrames function in
id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted audio file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-multidict: bump to version 4.7.5
James Hilliard [Mon, 2 Mar 2020 09:43:33 +0000 (02:43 -0700)]
package/python-multidict: bump to version 4.7.5

Bugfix release, fixing a number of issues. From the CHANGES file:

- Fixed creating and updating of MultiDict from a sequence of pairs and
  keyword arguments.  Previously passing a list argument modified it
  inplace, and other sequences caused an error.
  https://github.com/aio-libs/multidict/issues/457

- Fixed comparing with mapping: an exception raised in the __len__ method caused raising a SyntaxError.
  https://github.com/aio-libs/multidict/issues/459

- Fixed comparing with mapping: all exceptions raised in the __getitem__
  method were silenced.
  https://github.com/aio-libs/multidict/issues/460>

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agolinux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series
Peter Korsgaard [Mon, 2 Mar 2020 21:49:20 +0000 (22:49 +0100)]
linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/qt5tools: hide qdoc with llvm dependencies
Yann E. MORIN [Fri, 28 Feb 2020 14:00:54 +0000 (15:00 +0100)]
package/qt5tools: hide qdoc with llvm dependencies

Building qdoc requires a llvm and clang for the host.

However, there is a limitation in the llvm and clang packages in
Buildroot, which makes it impossible to have a host variant without
a target variant.

So, propagate the dependencies of the target llvm and clang, to ensure
we can only have a host-llvm and -clang packages that are correctly
built.

Note that we do propagate all of the dependencies (instead of just the
architecture part), to be consistent.

Reported-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Seiderer <ps.report@gmx.net>
Cc: Julien Corjon <corjon.j@ecagroup.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/elf2flt: remove backported patch
Romain Naour [Thu, 27 Feb 2020 22:19:22 +0000 (23:19 +0100)]
package/elf2flt: remove backported patch

The patch added by [1] to fix a segfault with elf2flt when binutils
2.33.1 is used on ARM, introduce a regression with previous binutils
version on m68k and ARM.

Theses issues has been reported upstream [2] [3] but there is no
definitive solution.

The binutils 2.33.1 has been disabled for configurations using
BR2_BINFMT_FLAT by the previous commit, so we can safely remove
the patch.

Fixes:
[acpica-20191018]
http://autobuild.buildroot.net/results/81ee33eb606062a62765d95b66a26f130d280c53
[augeas-1.12.0]
http://autobuild.buildroot.net/results/4e1f7f335d2c853e2a5e6ad96c14157ba8f003c7
[cairo-1.16.0]
http://autobuild.buildroot.net/results/976d99bc9b052f8d9429e666ac7fff7768ffff6b
[fontconfig-2.13.1]
http://autobuild.buildroot.net/results/4a5a8cb6411d709acb7ea8c83b3c8e45fdc0a10b
[gptfdisk-1.0.4]
http://autobuild.buildroot.net/results/6db5f9d8663730a54b04c1e624438095598b2573
[libopenssl-1.1.1d]
http://autobuild.buildroot.net/results/acf87e81130e85e7fb05edf5f6dedf095f16e226
[mimic-1.1.0]
http://autobuild.buildroot.net/results/61f53630ed85ee0d0d6dbf71012db77f4d7986ad
Maybe more...

[1] 2b064f86b6a0fd683f307b51f12d9d919fcaa386
[2] https://github.com/uclinux-dev/elf2flt/pull/16
[3] https://github.com/uclinux-dev/elf2flt/issues/12

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/binutils: disable binutils >= 2.33.1 for configurations using BR2_BINFMT_FLAT
Romain Naour [Thu, 27 Feb 2020 22:19:21 +0000 (23:19 +0100)]
package/binutils: disable binutils >= 2.33.1 for configurations using BR2_BINFMT_FLAT

The patch added by [1] to fix a segfault with elf2flt when binutils
2.33.1 is used on ARM, introduce a regression with previous binutils
version on m68k and ARM.

Theses issues has been reported upstreme [2] [3].

For now, disable binutils >= 2.33.1 for configurations using
BR2_BINFMT_FLAT.

[1] 2b064f86b6a0fd683f307b51f12d9d919fcaa386
[2] https://github.com/uclinux-dev/elf2flt/pull/16
[3] https://github.com/uclinux-dev/elf2flt/issues/12

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-setuptools-scm-git-archive: depends on python-setuptools-scm
Yegor Yefremov [Wed, 5 Feb 2020 10:13:36 +0000 (11:13 +0100)]
package/python-setuptools-scm-git-archive: depends on python-setuptools-scm

python-setuptools-scm-git-archive requires python-setuptools-scm package so
add it to its dependencies.

Fixes:
http://autobuild.buildroot.net/results/b356c948cf2b22534ca333cfe34dee31371c0007

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/lxc: cgroups: initialize cpuset properly
Romain Naour [Sun, 1 Mar 2020 21:06:09 +0000 (22:06 +0100)]
package/lxc: cgroups: initialize cpuset properly

The tests.package.test_lxc.TestLxc failure on gitlab
is similar to the issue reported by [1] and fixed by [2].

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255988

[1] https://github.com/NixOS/nixpkgs/issues/75467#issuecomment-569386159
[2] https://github.com/lxc/lxc/pull/3109

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Jérôme Pouiller <jezz@sysmic.org>
Cc: Patrick Havelange <patrick.havelange@essensium.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/mosquitto: bump to v1.6.9
Titouan Christophe [Mon, 2 Mar 2020 10:15:59 +0000 (11:15 +0100)]
package/mosquitto: bump to v1.6.9

mosquitto 1.6.9 is a bugfix release, see the announcement:
https://mosquitto.org/blog/2020/02/version-1-6-9-released/

Also update the indentation of the hash file to 2 spaces,
and add URL of the GPG signature in hash file comment.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/wireshark: security bump to v3.2.2
Titouan Christophe [Mon, 2 Mar 2020 10:34:17 +0000 (11:34 +0100)]
package/wireshark: security bump to v3.2.2

This fixes the following CVEs:
 - CVE-2020-9428:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the EAP dissector could crash. This was addressed in
   epan/dissectors/packet-eap.c by using more careful sscanf parsing.

 - CVE-2020-9429:
   In Wireshark 3.2.0 to 3.2.1, the WireGuard dissector could crash.
   This was addressed in epan/dissectors/packet-wireguard.c by
   handling the situation where a certain data structure intentionally
   has a NULL value.

 - CVE-2020-9430:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the WiMax DLMAP dissector could crash.
   This was addressed in plugins/epan/wimax/msg_dlmap.c by validating
   a length field.

 - CVE-2020-9431:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the LTE RRC dissector could leak memory. This was addressed in
   epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/systemd: also fix rpath for machine-id-setup
Yann E. MORIN [Sun, 1 Mar 2020 07:21:52 +0000 (08:21 +0100)]
package/systemd: also fix rpath for machine-id-setup

Fixes: #12576
Reported-by: Melanie <melanie@trash-mail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/systemd: also fix rpath for nspawn
Yann E. MORIN [Sat, 29 Feb 2020 14:43:16 +0000 (15:43 +0100)]
package/systemd: also fix rpath for nspawn

Fixes:
    http://autobuild.buildroot.org/results/e03ae6a3209eea00459b94cee9c10fd4f2184fec/

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libvorbis: annote CVE-2018-10393
Fabrice Fontaine [Sun, 1 Mar 2020 18:02:26 +0000 (19:02 +0100)]
package/libvorbis: annote CVE-2018-10393

bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a
stack-based buffer over-read.

Same patch as for CVE-2017-14160

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - update 0001-*.patch to also reference CVE-2018-10393
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libvorbis: fix CVE-2018-10392
Fabrice Fontaine [Sun, 1 Mar 2020 18:02:25 +0000 (19:02 +0100)]
package/libvorbis: fix CVE-2018-10392

mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not
validate the number of channels, which allows remote attackers to cause
a denial of service (heap-based buffer overflow or over-read) or
possibly have unspecified other impact via a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/blktrace: fix CVE-2018-10689
Fabrice Fontaine [Sun, 1 Mar 2020 17:45:29 +0000 (18:45 +0100)]
package/blktrace: fix CVE-2018-10689

blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and
Android, has a buffer overflow in the dev_map_read function in
btt/devmap.c because the device and devno arrays are too small, as
demonstrated by an invalid free when using the btt program with a
crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agosupport/testing: test_systemd.py: add linux fragment to enable CONFIG_BINFMT_MISC
Romain Naour [Sun, 1 Mar 2020 16:26:47 +0000 (17:26 +0100)]
support/testing: test_systemd.py: add linux fragment to enable CONFIG_BINFMT_MISC

While investigating [1] one units failed due to missing kernel option
CONFIG_BINFMT_MISC needed by "proc-sys-fs-binfmt_misc.mount" service.

It's because the kernel support autofs4 but not MISC binaries.

Since the systemd test infra use the default defconfig (vexpress),
we need to provide a linux fragment to enable CONFIG_BINFMT_MISC.

[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr:
  - move the kernel config with the others in conf/
]
Tested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/systemd: random-seed: add missing header for GRND_NONBLOCK
Romain Naour [Sun, 1 Mar 2020 16:26:46 +0000 (17:26 +0100)]
package/systemd: random-seed: add missing header for GRND_NONBLOCK

GRND_NONBLOCK has been introduced with the 3.17 kernel version [1]
while adding getrandom(2) system call.

The header missing_random.h is needed for random-seed.c when building
with old toolchain, such Sourcery CodeBench ARM 2014.05 (kernel headers
3.13).

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c6e9d6f38894798696f23c8084ca7edbf16ee895

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/pure-ftpd: fix CVE-2020-9365
Fabrice Fontaine [Sat, 29 Feb 2020 20:34:16 +0000 (21:34 +0100)]
package/pure-ftpd: fix CVE-2020-9365

An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read
has been detected in the pure_strcmp function in utils.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/pure-ftpd: fix CVE-2019-20176
Fabrice Fontaine [Sat, 29 Feb 2020 20:34:15 +0000 (21:34 +0100)]
package/pure-ftpd: fix CVE-2019-20176

In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
listdir function in ls.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/openjpeg: fix CVE-2020-8112
Fabrice Fontaine [Sat, 29 Feb 2020 20:24:42 +0000 (21:24 +0100)]
package/openjpeg: fix CVE-2020-8112

opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
different issue than CVE-2020-6851.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/openjpeg: fix CVE-2020-6851
Fabrice Fontaine [Sat, 29 Feb 2020 20:24:41 +0000 (21:24 +0100)]
package/openjpeg: fix CVE-2020-6851

OpenJPEG through 2.3.1 has a heap-based buffer overflow in
opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
opj_j2k_update_image_dimensions validation.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/openjpeg: fix CVE-2019-12973
Fabrice Fontaine [Sat, 29 Feb 2020 20:24:40 +0000 (21:24 +0100)]
package/openjpeg: fix CVE-2019-12973

In OpenJPEG 2.3.1, there is excessive iteration in the
opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could
leverage this vulnerability to cause a denial of service via a crafted
bmp file. This issue is similar to CVE-2018-6616.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/emlog: annotate CVE-2019-16868 and CVE-2019-17073
Fabrice Fontaine [Sat, 29 Feb 2020 20:45:48 +0000 (21:45 +0100)]
package/emlog: annotate CVE-2019-16868 and CVE-2019-17073

CVE-2019-16868 and CVE-2019-17073 are misclassified (by our CVE tracker)
as affecting emlog, while in fact it affects http://www.emlog.net.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/linux-firmware: add missing symlinks
James Hilliard [Thu, 27 Feb 2020 15:43:54 +0000 (08:43 -0700)]
package/linux-firmware: add missing symlinks

As of upstream commit 9cfefbd7fbdaa5ae769e3061c463f8345d146fb7
we must manually create symlinks as they are no longer present
in the archive but created at installation.

Fixes:
    http://autobuild.buildroot.net/results/46fdacbe4064d72aaafa9f52741121d8e4fe64ab/

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/shellinabox: fix CVE-2018-16789
Fabrice Fontaine [Sat, 29 Feb 2020 22:55:11 +0000 (23:55 +0100)]
package/shellinabox: fix CVE-2018-16789

libhttp/url.c in shellinabox through 2.20 has an implementation flaw in
the HTTP request parsing logic. By sending a crafted multipart/form-data
HTTP request, an attacker could exploit this to force shellinaboxd into
an infinite loop, exhausting available CPU resources and taking the
service down.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/suricata: fix CVE-2019-18792
Fabrice Fontaine [Sat, 29 Feb 2020 22:46:43 +0000 (23:46 +0100)]
package/suricata: fix CVE-2019-18792

An issue was discovered in Suricata 5.0.0. It is possible to
bypass/evade any tcp based signature by overlapping a TCP segment with a
fake FIN packet. The fake FIN packet is injected just before the PUSH
ACK packet we want to bypass. The PUSH ACK packet (containing the data)
will be ignored by Suricata because it overlaps the FIN packet (the
sequence and ack number are identical in the two packets). The client
will ignore the fake FIN packet because the ACK flag is not set. Both
linux and windows clients are ignoring the injected packet.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libcgroup: fix CVE-2018-14348
Fabrice Fontaine [Sat, 29 Feb 2020 22:30:18 +0000 (23:30 +0100)]
package/libcgroup: fix CVE-2018-14348

libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666
regardless of the configured umask, leading to disclosure of information

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agoconfigs:nitrogen{6sx, 6x, 7, 8m}: fix typo in kernel headers version
Romain Naour [Sat, 29 Feb 2020 22:45:46 +0000 (23:45 +0100)]
configs:nitrogen{6sx, 6x, 7, 8m}: fix typo in kernel headers version

A typo has been introduced during the last version bump [1].

[1] 00252b101a86ef136fc4afc045ba16324cbccb3b

Fixes:
[nitrogen6sx]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255632
[nitrogen6x]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255635
[nitrogen7]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255638
[nitrogen6m8]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255640

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Gary Bisson <bisson.gary@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/exiv2: annotate CVE-2019-13504
Fabrice Fontaine [Sat, 29 Feb 2020 21:32:02 +0000 (22:32 +0100)]
package/exiv2: annotate CVE-2019-13504

CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
version 0.27.2, while in fact both commits that fixed this issue are
already in this version: bd0afe039043 and 54f0bebca032.

(From: https://security-tracker.debian.org/tracker/CVE-2019-13504)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/exiv2: fix CVE-2019-20421
Fabrice Fontaine [Sat, 29 Feb 2020 21:32:04 +0000 (22:32 +0100)]
package/exiv2: fix CVE-2019-20421

In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
file can result in an infinite loop and hang, with high CPU consumption.
Remote attackers could leverage this vulnerability to cause a denial of
service via a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/cairo: fix CVE-2018-19876
Fabrice Fontaine [Sat, 29 Feb 2020 20:00:16 +0000 (21:00 +0100)]
package/cairo: fix CVE-2018-19876

Add an upstream patch to fix CVE-2018-19876: cairo 1.16.0, in
cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a
free function incompatible with WebKit's fastMalloc, leading to an
application crash with a "free(): invalid pointer" error.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/rdesktop: add xlib_libXrandr optional dependency
Fabrice Fontaine [Sat, 29 Feb 2020 19:35:01 +0000 (20:35 +0100)]
package/rdesktop: add xlib_libXrandr optional dependency

xlib_libXrandr is an optional dependency since version 1.7.0 and
https://github.com/rdesktop/rdesktop/commit/6ee9faeffcd9dd2e4c262d732e15a3a02278578d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/exiv2: fix CVE-2019-17402
Fabrice Fontaine [Sat, 29 Feb 2020 21:32:03 +0000 (22:32 +0100)]
package/exiv2: fix CVE-2019-17402

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory
in crwimage_int.cpp, because there is no validation of the relationship
of the total size to the offset and size.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/rdesktop: security bump to version 1.8.6
Fabrice Fontaine [Sat, 29 Feb 2020 18:10:08 +0000 (19:10 +0100)]
package/rdesktop: security bump to version 1.8.6

- Fix CVE-2019-15682: RDesktop version 1.8.4 contains multiple
  out-of-bound access read vulnerabilities in its code, which results in
  a denial of service (DoS) condition. This attack appear to be
  exploitable via network connectivity. These issues have been fixed in
  version 1.8.5
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/openrc: remove keymaps units if kbd package is not selected
Carlos Santos [Sat, 29 Feb 2020 18:26:21 +0000 (15:26 -0300)]
package/openrc: remove keymaps units if kbd package is not selected

keymaps and save-keymaps require kbd_mode and dumpkeys, respectively, so
remove them if the kbd package is not selected (e.g. devices with serial
console, only).

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - expand to three commands to match the existing hook
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/qpdf: fix comment
Fabrice Fontaine [Sat, 29 Feb 2020 19:07:01 +0000 (20:07 +0100)]
package/qpdf: fix comment

Commit 3f9bcc01b3ef94c8f138b6dccc861d9e222de5ef forgot to update comment

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/qpdf: needs wchar
Fabrice Fontaine [Sat, 29 Feb 2020 13:01:30 +0000 (14:01 +0100)]
package/qpdf: needs wchar

Upstream was not too keen [0] on applying fixes for toolchains without
wchar, so just require that.

The sole user selecting qpdf already depends on wchar, so update the
comment accordingly.

[0] https://github.com/qpdf/qpdf/pull/405#issuecomment-592971907

Fixes:
 - http://autobuild.buildroot.org/results/99c82d4775ed44bd04d0a48188ff590dcba73d69

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: drop the patch, add the dependency]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/openrc: fix post-install-target addition
Carlos Santos [Sat, 29 Feb 2020 18:18:07 +0000 (15:18 -0300)]
package/openrc: fix post-install-target addition

OPENRC_POST_TARGET_INSTALL_HOOKS -> OPENRC_POST_INSTALL_TARGET_HOOKS

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/boost: annotate _IGNORE_CVES for CVE-2009-3654
Fabrice Fontaine [Sat, 29 Feb 2020 09:46:09 +0000 (10:46 +0100)]
package/boost: annotate _IGNORE_CVES for CVE-2009-3654

This CVE does not affect the boost package, but is misclassified by our
CVS tracker. As per the advisory:

    Unspecified vulnerability in Boost before 6.x-1.03, a module for
    Drupal, allows remote attackers to create new webroot directories
    via unknown attack vectors.

Ignore the CVS, and expand a comment to explain it.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: expand the comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libgdiplus: backport of fix for GifQuantizeBuffer
Heiko Thiery [Fri, 28 Feb 2020 09:19:43 +0000 (10:19 +0100)]
package/libgdiplus: backport of fix for GifQuantizeBuffer

In newer version of giflib the GifQuantizeBuffer code was removed.

libgdiplus included the needed function by their own:
(https://github.com/mono/libgdiplus/pull/575).

This patch will become obsolete once libgdiplus is bumped to version 6.x.

Fixes:
http://autobuild.buildroot.net/results/46c5cf068cf9ea50e53491870d9dbf3f134c8c22

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/openrc: needs kmod
Yann E. MORIN [Fri, 28 Feb 2020 20:25:52 +0000 (21:25 +0100)]
package/openrc: needs kmod

openrc provides scripts that have been written for the big-gun kmod, and
so use options unknown to the busybox' provided applets:

  - Busybox modprobe does not have a "--first-time" option,
  - the "--verbose" option is just "-v",
  - the "--use-blacklist" option is just "-b". Also blacklist support is
    not selected in our default busybox configuration.

One of two options, is to "fix" or "adapt" openrc's scripts to busybox,
which means for the openrc package to go peek into files from the
busybox package, which is not nice, and can't work because that is not
available by the time we scan our Makefiles.

The other option, which this patch implements, is to just add a
dependency onto kmod and its tools.

Reported-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/pkg-generic.mk: in image install, print message before pre-hooks
Thomas Petazzoni [Fri, 28 Feb 2020 15:04:20 +0000 (16:04 +0100)]
package/pkg-generic.mk: in image install, print message before pre-hooks

In all steps, we print the message indicating the start of the step
using the MESSAGE macro before running pre-hooks. Except in the image
installation step, where the message is printed after the pre-hooks.

Let's fix this inconsistency.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/exim: fix systemd service binary path
Pascal de Bruijn [Fri, 28 Feb 2020 08:25:39 +0000 (09:25 +0100)]
package/exim: fix systemd service binary path

modern versions of exim are installed into sbin not bin

Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libarchive: security bump to version 3.4.2
Fabrice Fontaine [Fri, 28 Feb 2020 22:12:34 +0000 (23:12 +0100)]
package/libarchive: security bump to version 3.4.2

- Fix CVE-2020-9308: archive_read_support_format_rar5.c in libarchive
  before 3.4.2 attempts to unpack a RAR5 file with an invalid or
  corrupted header (such as a header size of zero), leading to a SIGSEGV
  or possibly unspecified other impact.
- use --with-nettle to enable nettle support, see
  https://github.com/libarchive/libarchive/commit/f96a71144b7725ca4a94d84bd27d7dca8c2f58d2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - drop new optional dependency to mbedtsl, forced off for now
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/lxc: fix build with ultrasparc
Fabrice Fontaine [Sat, 29 Feb 2020 09:18:51 +0000 (10:18 +0100)]
package/lxc: fix build with ultrasparc

Fixes:
 - http://autobuild.buildroot.org/results/17c2319850f02f24da6fbef9656c07f86fdc5a3a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libssh2: fix CVE-2019-17498
Fabrice Fontaine [Sat, 29 Feb 2020 11:31:32 +0000 (12:31 +0100)]
package/libssh2: fix CVE-2019-17498

In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in
packet.c has an integer overflow in a bounds check, enabling an attacker
to specify an arbitrary (out-of-bounds) offset for a subsequent memory
read. A crafted SSH server may be able to disclose sensitive information
or cause a denial of service condition on the client system when a user
connects to the server.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/poco: PDF needs XML, JSON and Util
Fabrice Fontaine [Sat, 29 Feb 2020 10:17:43 +0000 (11:17 +0100)]
package/poco: PDF needs XML, JSON and Util

PDF needs XML, JSON and Util since version 1.9.0 and
https://github.com/pocoproject/poco/commit/c5acb2ac27a81a429e146780769f965e8284cadc

Fixes:
 - http://autobuild.buildroot.org/results/294b604a0e37aafbe085f0e6f0d1a83ab110c3a4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/dnsmasq: fix CVE-2019-14834
Fabrice Fontaine [Sat, 29 Feb 2020 13:34:37 +0000 (14:34 +0100)]
package/dnsmasq: fix CVE-2019-14834

A vulnerability was found in dnsmasq before version 2.81, where the
memory leak allows remote attackers to cause a denial of service
(memory consumption) via vectors involving DHCP response creation.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/lz4: security bump to version 1.9.2
Fabrice Fontaine [Fri, 28 Feb 2020 23:26:26 +0000 (00:26 +0100)]
package/lz4: security bump to version 1.9.2

- Fix CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow
  in LZ4_write32 (related to LZ4_compress_destSize), affecting
  applications that call LZ4_compress_fast with a large input. (This
  issue can also lead to data corruption.) NOTE: the vendor states "only
  a few specific / uncommon usages of the API are at risk."
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/squid: security bump to version 4.10
Fabrice Fontaine [Fri, 28 Feb 2020 23:18:00 +0000 (00:18 +0100)]
package/squid: security bump to version 4.10

Drop patch (already in version)
Update indentation of hash file (two spaces)

Fix the following issues:
 - CVE-2020-8517: Buffer Overflow issue in ext_lm_group_acl helper.
 - CVE-2019-12528: Information Disclosure issue in FTP Gateway.
 - CVE-2020-8449, CVE-2020-8450: Improper Input Validation issues in
   HTTP Request processing.
 - CVE-2019-18679: Information Disclosure issue in HTTP Digest
   Authentication.
 - CVE-2019-18678: HTTP Request Splitting issue in HTTP message
   processing.
 - CVE-2019-18677: Cross-Site Request Forgery issue in HTTP Request
   processing.
 - CVE-2019-12523, CVE-2019-18676: Multiple issues in URI processing.
 - CVE-2019-12526: Heap Overflow issue in URN processing.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/zsh: security bump to version 5.8
Fabrice Fontaine [Fri, 28 Feb 2020 22:45:08 +0000 (23:45 +0100)]
package/zsh: security bump to version 5.8

- Fix CVE-2019-20044: In Zsh before 5.8, attackers able to execute
  commands can regain privileges dropped by the --no-PRIVILEGED option.
  Zsh fails to overwrite the saved uid, so the original privileges can
  be restored by executing MODULE_PATH=/dir/with/module zmodload with a
  module that calls setuid().
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/ntfs-3g: annotate _IGNORE_CVES for the included security patch
Fabrice Fontaine [Fri, 28 Feb 2020 22:29:27 +0000 (23:29 +0100)]
package/ntfs-3g: annotate _IGNORE_CVES for the included security patch

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/linknx: host-pkgconf is mandatory
Fabrice Fontaine [Thu, 27 Feb 2020 23:15:27 +0000 (00:15 +0100)]
package/linknx: host-pkgconf is mandatory

host-pkgconf is a mandatory dependency, this will fix per-package build

Fixes:
 - http://autobuild.buildroot.org/results/cfda0ce53165bb22b691b5b6510f0ab096a41e17

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoDEVELOPERS: add Michael Fischer for gnuplot and sdl2
Michael Fischer [Thu, 27 Feb 2020 10:30:55 +0000 (11:30 +0100)]
DEVELOPERS: add Michael Fischer for gnuplot and sdl2

Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/pkg-generic: make file list logic parallel build compatible
Thomas Petazzoni [Wed, 26 Feb 2020 19:43:44 +0000 (20:43 +0100)]
package/pkg-generic: make file list logic parallel build compatible

The current solution used to collect the list of files installed by
packages does not work for top-level parallel build. Indeed, we rely
on a file created after the installation of the previous package to
build the list of files installed by the current package.

This works well when packages are built sequentially, but badly fails
when using top-level parallel build.

More specifically, top-level parallel build can fail with:

comm: /home/thomas/buildroot/output/build/.files-list-host.new: No such file or directory

Because that file has been removed concurrently by the build process
of another package.

This commit reworks the logic in a very straight-forward way. Before
the installation of each package, we store the list of files that are
already installed and store it in the package build directory. After
the installation of each package, we store again that list of files,
calculate the difference with the before file, and store that as the
list of files installed by that package, still in the package build
directory.

At the end of the build, in target-finalize we collect all the
collected information into the global package file lists, that
continue to be installed in the same location as before, with the same
name.

There are however some differences:

 (1) The files are no longer ordered in build order, but by alphabetic
     ordering of packages. Indeed, "build order" no longer makes any
     sense in the context of top-level parallel build.

 (2) Some files which were incorrectly tracked are no longer
     tracked. For example, the toolchain package is a target package,
     but it installs files in $(HOST_DIR). In the previous logic, the
     files installed by the toolchain package in $(HOST_DIR) were
     incorrectly affected to the next host package that was installed
     after the toolchain package. With our new logic, those files are
     no longer tracked at all. To fix this, we would have to change
     the logic to scan HOST_DIR/TARGET_DIR/STAGING_DIR for all
     installation steps, not just for the install-host, install-target
     and install-staging steps respecitively. But the result was
     already incorrect anyway, and therefore this should be fixed
     separately.

Note that the check_bin_arch hook needs to be adjusted: it was using
the global package-file-list.txt file, but this file is now created
only at the very end of the build. So instead, we use the current
package .file-list.txt file to know which packages have been installed
by the current package in $(TARGET_DIR).

Fixes:

  http://autobuild.buildroot.net/results/4e60fa31b1cd08bc7fdf9c5dd3a3f4941e029ba3/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/pkg-generic.mk: simplify step_pkg_size
Thomas Petazzoni [Wed, 26 Feb 2020 19:43:43 +0000 (20:43 +0100)]
package/pkg-generic.mk: simplify step_pkg_size

Use the same trick in step_pkg_size as the one used in check_bin_arch:
factorize the two $(filter ...) calls into one, checking in one step
the step and whether it's the beginning or end of the step.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python3: bump to version 3.8.2
Peter Korsgaard [Thu, 27 Feb 2020 08:22:13 +0000 (09:22 +0100)]
package/python3: bump to version 3.8.2

Bugfix release, fixing a number of issues.  For details, see the
announcement:

https://docs.python.org/release/3.8.2/whatsnew/changelog.html#python-3-8-2-final

Adjust the spacing in the hash file and update the hash of the license file
for a change in copyright years:

-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/git: make _BUG_ condition more clear
Giulio Benetti [Thu, 27 Feb 2020 11:18:54 +0000 (12:18 +0100)]
package/git: make _BUG_ condition more clear

As pointed by Peter combined condition of the 2 gcc bugs is potentially
wrong, but as Thomas pointed in this case it's not harmful. Let's fix it
anyway since it's basically wrong even it doesn't cause harm.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/swig: create a legacy symlink for swig3.0
Yegor Yefremov [Mon, 24 Feb 2020 10:12:52 +0000 (11:12 +0100)]
package/swig: create a legacy symlink for swig3.0

The host-swig package installs the swig binary as 'swig' and adds a
swig<major> symlink (E.G.  swig4.0).  This causes issues for older software
which may not know about the 4.0 version of swig, E.G.  CMake 3.10.x
contains the following swig detection logic:

find_program(SWIG_EXECUTABLE NAMES swig3.0 swig2.0 swig)

If the host has a 3.x or 2.x variant of swig installed, then that will be
used instead of our host-swig.

As a workaround, also add a swig3.0 symlink so our host-swig will be used.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Peter: reworded]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/proftpd: security bump to version 1.3.6c
Peter Korsgaard [Thu, 27 Feb 2020 13:54:56 +0000 (14:54 +0100)]
package/proftpd: security bump to version 1.3.6c

Fixes the following security issues:

- CVE-2020-9273: In ProFTPD 1.3.7, it is possible to corrupt the memory pool
  by interrupting the data transfer channel.  This triggers a use-after-free
  in alloc_pool in pool.c, and possible remote code execution.

And additionally, fixes a number of other issues.  For details, see the
release notes:

https://github.com/proftpd/proftpd/blob/1.3.6/RELEASE_NOTES

This also bumps the bundled libcap, so
0001-fix-kernel-header-capability-version.patch can be dropped.

While we are at it, adjust the white space in the .hash function to match
the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoconfigs/beaglebone_qt5_defconfig: kernel builds needs host-openssl
Peter Korsgaard [Thu, 27 Feb 2020 07:11:49 +0000 (08:11 +0100)]
configs/beaglebone_qt5_defconfig: kernel builds needs host-openssl

Similar to the fix for the base beaglebone defconfig in commit 38912a61be
(configs/beaglebone: kernel builds needs host-openssl), the qt5 variant uses
the same kernel, so also needs host-openssl.

Fixes:

914 scripts/extract-cert.c:21:25: fatal error: openssl/bio.h: No such file or directory
915  #include <openssl/bio.h>

https://gitlab.com/buildroot.org/buildroot/-/jobs/451176891

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoconfigs/{at91, atmel}*_defconfig: move to bluez5_utils
Peter Korsgaard [Thu, 27 Feb 2020 07:07:22 +0000 (08:07 +0100)]
configs/{at91, atmel}*_defconfig: move to bluez5_utils

Commit 61a813339af43 (package/bluez_utils: drop package) removed
bluez-utils, but forgot to update the defconfigs.  Fix them by changing to
bluez5-utils instead.

Fixes https://gitlab.com/buildroot.org/buildroot/-/jobs/451176867 and many
others.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/docker-compose: update patch to allow all pyyaml 5.x versions
Peter Korsgaard [Wed, 26 Feb 2020 22:19:11 +0000 (23:19 +0100)]
package/docker-compose: update patch to allow all pyyaml 5.x versions

The recent bump of python-pyyaml to version 5.3 causes a runtime
failure in docker-compose:

pkg_resources.ContextualVersionConflict: (PyYAML 5.3 (/usr/lib/python3.8/site-packages), Requirement.parse('PyYAML<5.2,>=3.10'), {'docker-compose'})

https://gitlab.com/buildroot.org/buildroot/-/jobs/442151461

Fix it by adjusting 0003-support-PyYAML-up-to-5.1-version.patch to
allow all pyyaml 5.x versions, similar to what upstream has done
post-1.24.1:

https://github.com/docker/compose/commit/c818bfc62c0574009175d832c1a8a2857bf1b1bf

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/util-linux: disable systemd for host build
John Keeping [Wed, 19 Feb 2020 11:25:59 +0000 (11:25 +0000)]
package/util-linux: disable systemd for host build

When building host-util-linux, the systemdsystemunitdir is set to the
real host directory, so the install step fails with:

/usr/bin/install: cannot remove '/usr/lib/systemd/system/fstrim.service': Permission denied
/usr/bin/install: cannot remove '/usr/lib/systemd/system/fstrim.timer': Permission denied

Since we don't need systemd support in host-util-linux, unconditionally
disable it for the host build.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoboard/freescale: use correct ahab-container.img file name
Thomas Petazzoni [Thu, 20 Feb 2020 02:18:56 +0000 (03:18 +0100)]
board/freescale: use correct ahab-container.img file name

Commit 3f8ace002831a01ed6aec59b704bd92c8a3b957f
("board/freescale/common/imx: add support for i.MX8") had its
conflicts incorrectly tweaked when applied to Buildroot. The
ahab-container.img is installed with this name (ahab-container.img) by
the imx-firmware package, and not mx8qm-ahab-container.img or
mx8qx-ahab-container.img.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Julien Olivain <juju@cotds.org>
Tested-by: Julien Olivain <juju@cotds.org>
Reported-by: Fabio Estevam <festevam@gmail.com>
Tested-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/brltty: use host pkg-config when building host tools
Thomas Petazzoni [Wed, 19 Feb 2020 23:37:47 +0000 (00:37 +0100)]
package/brltty: use host pkg-config when building host tools

brltty builds host tools which rely on the expat library, and
pkg-config is used to detect the expat library.

Since commit cd16e18584066d2817d3acb3822e173f9f23455e ("pkgconf:
always keep system libs"), the wrapper script added
--keep-system-libs, which adds a -L$(STAGING_DIR)/usr/lib to the
pkg-config results instead of just -lexpat. So, previously, by chance,
the pkg-config result for the target expat was "good enough" for the
host expat as well. But now that -L$(STAGING_DIR)/usr/lib is added, it
breaks the build in all sort of ways as obviously building host
binaries with the library search path pointing to $(STAGING_DIR) is
not a good idea.

To fix that, this commit adjusts the brltty build system so that the
PKG_CONFIG_FOR_BUILD variable is used when using pkg-config to build
host binaries.

Fixes:

  http://autobuild.buildroot.net/results/5a64dfb845389882c366b6c91aaf5868c090a802/

Many thanks to the initial work from Fabrice Fontaine at
http://patchwork.ozlabs.org/patch/1238163/ which provided an initial
starting point for this investigation.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/git: fix build failure due to gcc bug 93847
Giulio Benetti [Thu, 20 Feb 2020 15:40:04 +0000 (16:40 +0100)]
package/git: fix build failure due to gcc bug 93847

The git package exhibits gcc bug 93847 when built for the Nios2
architecture with optimization enabled, which causes a build failure.

As done for other packages in Buildroot work around this gcc bug by
setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_93847=y.

Fixes:
http://autobuild.buildroot.net/results/e225e62ea2d48660df4110790664f0c3306c1ea9/

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agotoolchain: introduce BR2_TOOLCHAIN_HAS_GCC_BUG_93847
Giulio Benetti [Thu, 20 Feb 2020 15:40:03 +0000 (16:40 +0100)]
toolchain: introduce BR2_TOOLCHAIN_HAS_GCC_BUG_93847

git package fails to build for the Nios2 architecture with optimization
enabled with gcc < 9.x:
http://autobuild.buildroot.net/results/924/92484c49b655e4aa78ca52f124c6d8f605b9d06b/

It's been reported upstream:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93847

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/kodi-inputstream-adaptive: update LICENSE_FILES
Bernd Kuhls [Mon, 24 Feb 2020 17:44:17 +0000 (18:44 +0100)]
package/kodi-inputstream-adaptive: update LICENSE_FILES

Use LICENSE.GPL instead of src/main.cpp.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/aufs: add support for linux 5.x
Alexey Lukyanchuk [Tue, 25 Feb 2020 12:29:13 +0000 (15:29 +0300)]
package/aufs: add support for linux 5.x

Signed-off-by: Alexey Lukyanchuk <skif@skif-web.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoUpdate for 2020.02-rc2
Peter Korsgaard [Wed, 26 Feb 2020 16:18:34 +0000 (17:18 +0100)]
Update for 2020.02-rc2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/fail2ban: The (host-python3) 2to3 utility needs to be present
Pascal de Bruijn [Wed, 26 Feb 2020 08:28:18 +0000 (09:28 +0100)]
package/fail2ban: The (host-python3) 2to3 utility needs to be present

During _POST_PATCH_HOOKS _DEPENDANCIES aren't guaranteed to be built,
however during _PRE_CONFIGURE_HOOKS they should be built.

Should fix:
http://autobuild.buildroot.net/results/dd8e225e2a49cfa6735bed11459007003a37c137/
http://autobuild.buildroot.net/results/e688c3652bd474ac682984e2e5947701942f0f57/

Cc: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/systemd: bump version to 244.3
Adam Duskett [Tue, 25 Feb 2020 22:56:51 +0000 (14:56 -0800)]
package/systemd: bump version to 244.3

For additional post-244 fixes.

Update the hash of the README after commit faba5b2b (Revert "Drop dbus
activation stub service") changed a comment about dbus:

-       dbus >= 1.11.0 (strictly speaking optional, but recommended)
+       dbus >= 1.4.0 (strictly speaking optional, but recommended)
+               NOTE: If using dbus < 1.9.18, you should override the default
+               policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/qt5: drop 5.6 support
Peter Korsgaard [Wed, 26 Feb 2020 14:45:32 +0000 (15:45 +0100)]
package/qt5: drop 5.6 support

As discussed during the FOSDEM2019 develop days, Qt 5.6 is very old (5.6.3
was released in September 2017, and 5.6.x became EOL in March 2019), so drop
it before the new Buildroot LTS release:

https://elinux.org/Buildroot:DeveloperDaysFOSDEM2019#Qt5_versions_to_support:_keep_5.6_or_a_newer_LTS.3F

And add legacy handling for it.

There are a number of places where code checks for
BR2_PACKAGE_QT5_VERSION_LATEST, so leave that as a blind option for now to
not break the build.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/linux-tools: filter debugging symbols for hyperv
Pascal de Bruijn [Wed, 26 Feb 2020 08:53:32 +0000 (09:53 +0100)]
package/linux-tools: filter debugging symbols for hyperv

Workaround for:

ld: hv_vss_daemon.o: unable to initialize decompress status for section .debug_info
ld: hv_vss_daemon.o: unable to initialize decompress status for section .debug_info
hv_vss_daemon.o: file not recognized: File format not recognized

Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/minicom: fix static linking with ncurses
Fabrice Fontaine [Wed, 26 Feb 2020 12:49:19 +0000 (13:49 +0100)]
package/minicom: fix static linking with ncurses

Fixes:
 - http://autobuild.buildroot.org/results/d3edbab1f2cd0f7b790e2559dc8d489497ae02f3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago{linux, linux-headers}: bump 4.19.x / 5.4.x series
Peter Korsgaard [Tue, 25 Feb 2020 16:22:28 +0000 (17:22 +0100)]
{linux, linux-headers}: bump 4.19.x / 5.4.x series

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/armadillo: fix license
Fabrice Fontaine [Tue, 25 Feb 2020 22:13:56 +0000 (23:13 +0100)]
package/armadillo: fix license

License is Apache-2.0 since version 7.800:
http://arma.sourceforge.net/license.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoConfig.in: add BR2_HOST_GCC_AT_LEAST_9
Romain Naour [Tue, 25 Feb 2020 21:22:13 +0000 (22:22 +0100)]
Config.in: add BR2_HOST_GCC_AT_LEAST_9

Fedora 30 switched to GCC 9.x. [1]

[1] https://fedoraproject.org/wiki/Changes/GCC9

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/kvm-unit-tests: fix build with SSP
Fabrice Fontaine [Sun, 23 Feb 2020 23:20:05 +0000 (00:20 +0100)]
package/kvm-unit-tests: fix build with SSP

Add a patch to correct a typo in the Makefile, so -fno-stack-protector /
-fno-stack-protector-all are really used.  With this applied, kvm-unit-tests
will always be built without SSP as intented by upstream.  This will fix the
build on ppc64 with SSP that started to fail for an unknown reason since
November 27th.

Moreover, the Arch Linux workaround could also be removed in a follow-up
patch.

Fixes:
 - http://autobuild.buildroot.org/results/ad689b08173548af21dd1fb0e827fd561de6dfef

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/fluidsynth: bump to version 2.1.1
Fabrice Fontaine [Mon, 24 Feb 2020 20:58:50 +0000 (21:58 +0100)]
package/fluidsynth: bump to version 2.1.1

- This will fix a static build failure with readline thanks to
  https://github.com/FluidSynth/fluidsynth/commit/c538c9fa7e392ce16c3354696e7dc7781a78a300
- Update indentation of hash file (two spaces)

Fixes:
 - http://autobuild.buildroot.org/results/88609eefe55af2ca50d43e17d3424b923528b07a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/skeleton-init-openrc: fix root filesystem ro/rw remount
Carlos Santos [Mon, 24 Feb 2020 11:41:34 +0000 (08:41 -0300)]
package/skeleton-init-openrc: fix root filesystem ro/rw remount

The regular expressions used in the sed commands assumes that there is a
space after '/dev/root' but the skeleton file contains a tab. Use a more
flexible '[[:blank:]]', instead.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/rcw: allow not having custom rcwi files
Francois Gervais [Fri, 21 Feb 2020 14:40:23 +0000 (09:40 -0500)]
package/rcw: allow not having custom rcwi files

A project could quite possibly have a custom rcw file
that does not rely on any custom rcw include files (rcwi).

Allow the build to succeed if this is the case.

Signed-off-by: Francois Gervais <fgervais@distech-controls.com>
[yann.morin.1998@free.fr: install includes in a separate hook]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/qt5/qt5webengine: fix translations target install path
Peter Seiderer [Fri, 21 Feb 2020 07:33:31 +0000 (08:33 +0100)]
package/qt5/qt5webengine: fix translations target install path

Through the evolution of the qt5webengine package patch ([1], [2])
until the initial commit ([3]) the translations target install
path got mangled resulting in a double trailing qtwebengine_locales
path:
  /usr/translations/qtwebengine_locales/qtwebengine_locales
Instead of:
  /usr/translations/qtwebengine_locales

Fixes the translations runtime access failure resulting in the
following warning:

  WARNING:resource_bundle_qt.cpp(116): locale_file_path.empty() for locale

[1] http://lists.busybox.net/pipermail/buildroot/2015-July/132010.html
[2] https://patchwork.ozlabs.org/patch/640633
[3] https://git.buildroot.net/buildroot/commit/?id=89080bac9bc47946a09c1e74f2f872363bf6785b

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/libinput: bump version to 1.15.2
Peter Seiderer [Fri, 21 Feb 2020 08:08:55 +0000 (09:08 +0100)]
package/libinput: bump version to 1.15.2

For details see [1].

[1] https://lists.freedesktop.org/archives/wayland-devel/2020-February/041227.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/openvmtools: fix build with NLS
Fabrice Fontaine [Sun, 23 Feb 2020 17:29:02 +0000 (18:29 +0100)]
package/openvmtools: fix build with NLS

Fixes:
 - http://autobuild.buildroot.org/results/e0e7ed448df8bdd6cb13a0989d7a6c7dbaa5bc4e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoRevert "package/smartmontools: fix build without stack-protector"
Yann E. MORIN [Sun, 23 Feb 2020 18:21:39 +0000 (19:21 +0100)]
Revert "package/smartmontools: fix build without stack-protector"

This reverts commit dc171f123c6b320c4930ba00debeb34fede82d99, which was
aimed at the next branch, not master.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/smartmontools: fix build without stack-protector
Fabrice Fontaine [Sun, 23 Feb 2020 15:36:38 +0000 (16:36 +0100)]
package/smartmontools: fix build without stack-protector

Fixes:
 - http://autobuild.buildroot.org/results/0de9f2a69fa2a39164211299f8a429d2fec6935a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/busybox: fix individual binaries installation
Carlos Santos [Sun, 23 Feb 2020 10:59:12 +0000 (07:59 -0300)]
package/busybox: fix individual binaries installation

Call BUSYBOX_INSTALL_INDIVIDUAL_BINARIES in BUSYBOX_INSTALL_TARGET_CMDS,
not in BUSYBOX_INSTALL_INIT_SYSV. This should have been done in commit
b1e07d6d796e67a980d4a05d04c64f00162245ff but was somehow lost during the
review/aply process.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agosupport/testing: add libftdi1 test case
Yegor Yefremov [Mon, 10 Feb 2020 09:11:49 +0000 (10:11 +0100)]
support/testing: add libftdi1 test case

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libftdi1: fix unresolved symbol issue
Yegor Yefremov [Mon, 10 Feb 2020 09:11:48 +0000 (10:11 +0100)]
package/libftdi1: fix unresolved symbol issue

GCC later than 5.x produce _fdti1.so file with an undefined
symbol str2charp_size due to C99 inline semantics change. So
remove this keyword.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[yann.morin.1998@free.fr: add upstream status]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>