Carlos Santos [Sat, 29 Feb 2020 18:18:07 +0000 (15:18 -0300)]
 
package/openrc: fix post-install-target addition
OPENRC_POST_TARGET_INSTALL_HOOKS -> OPENRC_POST_INSTALL_TARGET_HOOKS
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 29 Feb 2020 09:46:09 +0000 (10:46 +0100)]
 
package/boost: annotate _IGNORE_CVES for CVE-2009-3654
This CVE does not affect the boost package, but is misclassified by our
CVS tracker. As per the advisory:
    Unspecified vulnerability in Boost before 6.x-1.03, a module for
    Drupal, allows remote attackers to create new webroot directories
    via unknown attack vectors.
Ignore the CVS, and expand a comment to explain it.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: expand the comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Heiko Thiery [Fri, 28 Feb 2020 09:19:43 +0000 (10:19 +0100)]
 
package/libgdiplus: backport of fix for GifQuantizeBuffer
In newer version of giflib the GifQuantizeBuffer code was removed.
libgdiplus included the needed function by their own:
(https://github.com/mono/libgdiplus/pull/575).
This patch will become obsolete once libgdiplus is bumped to version 6.x.
Fixes:
http://autobuild.buildroot.net/results/
46c5cf068cf9ea50e53491870d9dbf3f134c8c22
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Fri, 28 Feb 2020 20:25:52 +0000 (21:25 +0100)]
 
package/openrc: needs kmod
openrc provides scripts that have been written for the big-gun kmod, and
so use options unknown to the busybox' provided applets:
  - Busybox modprobe does not have a "--first-time" option,
  - the "--verbose" option is just "-v",
  - the "--use-blacklist" option is just "-b". Also blacklist support is
    not selected in our default busybox configuration.
One of two options, is to "fix" or "adapt" openrc's scripts to busybox,
which means for the openrc package to go peek into files from the
busybox package, which is not nice, and can't work because that is not
available by the time we scan our Makefiles.
The other option, which this patch implements, is to just add a
dependency onto kmod and its tools.
Reported-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Fri, 28 Feb 2020 15:04:20 +0000 (16:04 +0100)]
 
package/pkg-generic.mk: in image install, print message before pre-hooks
In all steps, we print the message indicating the start of the step
using the MESSAGE macro before running pre-hooks. Except in the image
installation step, where the message is printed after the pre-hooks.
Let's fix this inconsistency.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pascal de Bruijn [Fri, 28 Feb 2020 08:25:39 +0000 (09:25 +0100)]
 
package/exim: fix systemd service binary path
modern versions of exim are installed into sbin not bin
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 28 Feb 2020 22:12:34 +0000 (23:12 +0100)]
 
package/libarchive: security bump to version 3.4.2
- Fix CVE-2020-9308: archive_read_support_format_rar5.c in libarchive
  before 3.4.2 attempts to unpack a RAR5 file with an invalid or
  corrupted header (such as a header size of zero), leading to a SIGSEGV
  or possibly unspecified other impact.
- use --with-nettle to enable nettle support, see
  https://github.com/libarchive/libarchive/commit/
f96a71144b7725ca4a94d84bd27d7dca8c2f58d2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - drop new optional dependency to mbedtsl, forced off for now
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 29 Feb 2020 09:18:51 +0000 (10:18 +0100)]
 
package/lxc: fix build with ultrasparc
Fixes:
 - http://autobuild.buildroot.org/results/
17c2319850f02f24da6fbef9656c07f86fdc5a3a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 29 Feb 2020 11:31:32 +0000 (12:31 +0100)]
 
package/libssh2: fix CVE-2019-17498
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in
packet.c has an integer overflow in a bounds check, enabling an attacker
to specify an arbitrary (out-of-bounds) offset for a subsequent memory
read. A crafted SSH server may be able to disclose sensitive information
or cause a denial of service condition on the client system when a user
connects to the server.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 29 Feb 2020 10:17:43 +0000 (11:17 +0100)]
 
package/poco: PDF needs XML, JSON and Util
PDF needs XML, JSON and Util since version 1.9.0 and
https://github.com/pocoproject/poco/commit/
c5acb2ac27a81a429e146780769f965e8284cadc
Fixes:
 - http://autobuild.buildroot.org/results/
294b604a0e37aafbe085f0e6f0d1a83ab110c3a4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 29 Feb 2020 13:34:37 +0000 (14:34 +0100)]
 
package/dnsmasq: fix CVE-2019-14834
A vulnerability was found in dnsmasq before version 2.81, where the
memory leak allows remote attackers to cause a denial of service
(memory consumption) via vectors involving DHCP response creation.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 28 Feb 2020 23:26:26 +0000 (00:26 +0100)]
 
package/lz4: security bump to version 1.9.2
- Fix CVE-2019-17543: LZ4 before 1.9.2 has a heap-based buffer overflow
  in LZ4_write32 (related to LZ4_compress_destSize), affecting
  applications that call LZ4_compress_fast with a large input. (This
  issue can also lead to data corruption.) NOTE: the vendor states "only
  a few specific / uncommon usages of the API are at risk."
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 28 Feb 2020 23:18:00 +0000 (00:18 +0100)]
 
package/squid: security bump to version 4.10
Drop patch (already in version)
Update indentation of hash file (two spaces)
Fix the following issues:
 - CVE-2020-8517: Buffer Overflow issue in ext_lm_group_acl helper.
 - CVE-2019-12528: Information Disclosure issue in FTP Gateway.
 - CVE-2020-8449, CVE-2020-8450: Improper Input Validation issues in
   HTTP Request processing.
 - CVE-2019-18679: Information Disclosure issue in HTTP Digest
   Authentication.
 - CVE-2019-18678: HTTP Request Splitting issue in HTTP message
   processing.
 - CVE-2019-18677: Cross-Site Request Forgery issue in HTTP Request
   processing.
 - CVE-2019-12523, CVE-2019-18676: Multiple issues in URI processing.
 - CVE-2019-12526: Heap Overflow issue in URN processing.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 28 Feb 2020 22:45:08 +0000 (23:45 +0100)]
 
package/zsh: security bump to version 5.8
- Fix CVE-2019-20044: In Zsh before 5.8, attackers able to execute
  commands can regain privileges dropped by the --no-PRIVILEGED option.
  Zsh fails to overwrite the saved uid, so the original privileges can
  be restored by executing MODULE_PATH=/dir/with/module zmodload with a
  module that calls setuid().
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 28 Feb 2020 22:29:27 +0000 (23:29 +0100)]
 
package/ntfs-3g: annotate _IGNORE_CVES for the included security patch
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Thu, 27 Feb 2020 23:15:27 +0000 (00:15 +0100)]
 
package/linknx: host-pkgconf is mandatory
host-pkgconf is a mandatory dependency, this will fix per-package build
Fixes:
 - http://autobuild.buildroot.org/results/
cfda0ce53165bb22b691b5b6510f0ab096a41e17
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Michael Fischer [Thu, 27 Feb 2020 10:30:55 +0000 (11:30 +0100)]
 
DEVELOPERS: add Michael Fischer for gnuplot and sdl2
Signed-off-by: Michael Fischer <mf@go-sys.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Wed, 26 Feb 2020 19:43:44 +0000 (20:43 +0100)]
 
package/pkg-generic: make file list logic parallel build compatible
The current solution used to collect the list of files installed by
packages does not work for top-level parallel build. Indeed, we rely
on a file created after the installation of the previous package to
build the list of files installed by the current package.
This works well when packages are built sequentially, but badly fails
when using top-level parallel build.
More specifically, top-level parallel build can fail with:
comm: /home/thomas/buildroot/output/build/.files-list-host.new: No such file or directory
Because that file has been removed concurrently by the build process
of another package.
This commit reworks the logic in a very straight-forward way. Before
the installation of each package, we store the list of files that are
already installed and store it in the package build directory. After
the installation of each package, we store again that list of files,
calculate the difference with the before file, and store that as the
list of files installed by that package, still in the package build
directory.
At the end of the build, in target-finalize we collect all the
collected information into the global package file lists, that
continue to be installed in the same location as before, with the same
name.
There are however some differences:
 (1) The files are no longer ordered in build order, but by alphabetic
     ordering of packages. Indeed, "build order" no longer makes any
     sense in the context of top-level parallel build.
 (2) Some files which were incorrectly tracked are no longer
     tracked. For example, the toolchain package is a target package,
     but it installs files in $(HOST_DIR). In the previous logic, the
     files installed by the toolchain package in $(HOST_DIR) were
     incorrectly affected to the next host package that was installed
     after the toolchain package. With our new logic, those files are
     no longer tracked at all. To fix this, we would have to change
     the logic to scan HOST_DIR/TARGET_DIR/STAGING_DIR for all
     installation steps, not just for the install-host, install-target
     and install-staging steps respecitively. But the result was
     already incorrect anyway, and therefore this should be fixed
     separately.
Note that the check_bin_arch hook needs to be adjusted: it was using
the global package-file-list.txt file, but this file is now created
only at the very end of the build. So instead, we use the current
package .file-list.txt file to know which packages have been installed
by the current package in $(TARGET_DIR).
Fixes:
  http://autobuild.buildroot.net/results/
4e60fa31b1cd08bc7fdf9c5dd3a3f4941e029ba3/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Wed, 26 Feb 2020 19:43:43 +0000 (20:43 +0100)]
 
package/pkg-generic.mk: simplify step_pkg_size
Use the same trick in step_pkg_size as the one used in check_bin_arch:
factorize the two $(filter ...) calls into one, checking in one step
the step and whether it's the beginning or end of the step.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 27 Feb 2020 08:22:13 +0000 (09:22 +0100)]
 
package/python3: bump to version 3.8.2
Bugfix release, fixing a number of issues.  For details, see the
announcement:
https://docs.python.org/release/3.8.2/whatsnew/changelog.html#python-3-8-2-final
Adjust the spacing in the hash file and update the hash of the license file
for a change in copyright years:
-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Giulio Benetti [Thu, 27 Feb 2020 11:18:54 +0000 (12:18 +0100)]
 
package/git: make _BUG_ condition more clear
As pointed by Peter combined condition of the 2 gcc bugs is potentially
wrong, but as Thomas pointed in this case it's not harmful. Let's fix it
anyway since it's basically wrong even it doesn't cause harm.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yegor Yefremov [Mon, 24 Feb 2020 10:12:52 +0000 (11:12 +0100)]
 
package/swig: create a legacy symlink for swig3.0
The host-swig package installs the swig binary as 'swig' and adds a
swig<major> symlink (E.G.  swig4.0).  This causes issues for older software
which may not know about the 4.0 version of swig, E.G.  CMake 3.10.x
contains the following swig detection logic:
find_program(SWIG_EXECUTABLE NAMES swig3.0 swig2.0 swig)
If the host has a 3.x or 2.x variant of swig installed, then that will be
used instead of our host-swig.
As a workaround, also add a swig3.0 symlink so our host-swig will be used.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Peter: reworded]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 27 Feb 2020 13:54:56 +0000 (14:54 +0100)]
 
package/proftpd: security bump to version 1.3.6c
Fixes the following security issues:
- CVE-2020-9273: In ProFTPD 1.3.7, it is possible to corrupt the memory pool
  by interrupting the data transfer channel.  This triggers a use-after-free
  in alloc_pool in pool.c, and possible remote code execution.
And additionally, fixes a number of other issues.  For details, see the
release notes:
https://github.com/proftpd/proftpd/blob/1.3.6/RELEASE_NOTES
This also bumps the bundled libcap, so
0001-fix-kernel-header-capability-version.patch can be dropped.
While we are at it, adjust the white space in the .hash function to match
the new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Thu, 27 Feb 2020 07:11:49 +0000 (08:11 +0100)]
 
configs/beaglebone_qt5_defconfig: kernel builds needs host-openssl
Similar to the fix for the base beaglebone defconfig in commit 
38912a61be
(configs/beaglebone: kernel builds needs host-openssl), the qt5 variant uses
the same kernel, so also needs host-openssl.
Fixes:
914 scripts/extract-cert.c:21:25: fatal error: openssl/bio.h: No such file or directory
915  #include <openssl/bio.h>
https://gitlab.com/buildroot.org/buildroot/-/jobs/
451176891
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Thu, 27 Feb 2020 07:07:22 +0000 (08:07 +0100)]
 
configs/{at91, atmel}*_defconfig: move to bluez5_utils
Commit 
61a813339af43 (package/bluez_utils: drop package) removed
bluez-utils, but forgot to update the defconfigs.  Fix them by changing to
bluez5-utils instead.
Fixes https://gitlab.com/buildroot.org/buildroot/-/jobs/
451176867 and many
others.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Wed, 26 Feb 2020 22:19:11 +0000 (23:19 +0100)]
 
package/docker-compose: update patch to allow all pyyaml 5.x versions
The recent bump of python-pyyaml to version 5.3 causes a runtime
failure in docker-compose:
pkg_resources.ContextualVersionConflict: (PyYAML 5.3 (/usr/lib/python3.8/site-packages), Requirement.parse('PyYAML<5.2,>=3.10'), {'docker-compose'})
https://gitlab.com/buildroot.org/buildroot/-/jobs/
442151461
Fix it by adjusting 0003-support-PyYAML-up-to-5.1-version.patch to
allow all pyyaml 5.x versions, similar to what upstream has done
post-1.24.1:
https://github.com/docker/compose/commit/
c818bfc62c0574009175d832c1a8a2857bf1b1bf
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
John Keeping [Wed, 19 Feb 2020 11:25:59 +0000 (11:25 +0000)]
 
package/util-linux: disable systemd for host build
When building host-util-linux, the systemdsystemunitdir is set to the
real host directory, so the install step fails with:
/usr/bin/install: cannot remove '/usr/lib/systemd/system/fstrim.service': Permission denied
/usr/bin/install: cannot remove '/usr/lib/systemd/system/fstrim.timer': Permission denied
Since we don't need systemd support in host-util-linux, unconditionally
disable it for the host build.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Thu, 20 Feb 2020 02:18:56 +0000 (03:18 +0100)]
 
board/freescale: use correct ahab-container.img file name
Commit 
3f8ace002831a01ed6aec59b704bd92c8a3b957f
("board/freescale/common/imx: add support for i.MX8") had its
conflicts incorrectly tweaked when applied to Buildroot. The
ahab-container.img is installed with this name (ahab-container.img) by
the imx-firmware package, and not mx8qm-ahab-container.img or
mx8qx-ahab-container.img.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Julien Olivain <juju@cotds.org>
Tested-by: Julien Olivain <juju@cotds.org>
Reported-by: Fabio Estevam <festevam@gmail.com>
Tested-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Wed, 19 Feb 2020 23:37:47 +0000 (00:37 +0100)]
 
package/brltty: use host pkg-config when building host tools
brltty builds host tools which rely on the expat library, and
pkg-config is used to detect the expat library.
Since commit 
cd16e18584066d2817d3acb3822e173f9f23455e ("pkgconf:
always keep system libs"), the wrapper script added
--keep-system-libs, which adds a -L$(STAGING_DIR)/usr/lib to the
pkg-config results instead of just -lexpat. So, previously, by chance,
the pkg-config result for the target expat was "good enough" for the
host expat as well. But now that -L$(STAGING_DIR)/usr/lib is added, it
breaks the build in all sort of ways as obviously building host
binaries with the library search path pointing to $(STAGING_DIR) is
not a good idea.
To fix that, this commit adjusts the brltty build system so that the
PKG_CONFIG_FOR_BUILD variable is used when using pkg-config to build
host binaries.
Fixes:
  http://autobuild.buildroot.net/results/
5a64dfb845389882c366b6c91aaf5868c090a802/
Many thanks to the initial work from Fabrice Fontaine at
http://patchwork.ozlabs.org/patch/
1238163/ which provided an initial
starting point for this investigation.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Giulio Benetti [Thu, 20 Feb 2020 15:40:04 +0000 (16:40 +0100)]
 
package/git: fix build failure due to gcc bug 93847
The git package exhibits gcc bug 93847 when built for the Nios2
architecture with optimization enabled, which causes a build failure.
As done for other packages in Buildroot work around this gcc bug by
setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_93847=y.
Fixes:
http://autobuild.buildroot.net/results/
e225e62ea2d48660df4110790664f0c3306c1ea9/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Giulio Benetti [Thu, 20 Feb 2020 15:40:03 +0000 (16:40 +0100)]
 
toolchain: introduce BR2_TOOLCHAIN_HAS_GCC_BUG_93847
git package fails to build for the Nios2 architecture with optimization
enabled with gcc < 9.x:
http://autobuild.buildroot.net/results/924/
92484c49b655e4aa78ca52f124c6d8f605b9d06b/
It's been reported upstream:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93847
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bernd Kuhls [Mon, 24 Feb 2020 17:44:17 +0000 (18:44 +0100)]
 
package/kodi-inputstream-adaptive: update LICENSE_FILES
Use LICENSE.GPL instead of src/main.cpp.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Alexey Lukyanchuk [Tue, 25 Feb 2020 12:29:13 +0000 (15:29 +0300)]
 
package/aufs: add support for linux 5.x
Signed-off-by: Alexey Lukyanchuk <skif@skif-web.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Wed, 26 Feb 2020 16:18:34 +0000 (17:18 +0100)]
 
Update for 2020.02-rc2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pascal de Bruijn [Wed, 26 Feb 2020 08:28:18 +0000 (09:28 +0100)]
 
package/fail2ban: The (host-python3) 2to3 utility needs to be present
During _POST_PATCH_HOOKS _DEPENDANCIES aren't guaranteed to be built,
however during _PRE_CONFIGURE_HOOKS they should be built.
Should fix:
http://autobuild.buildroot.net/results/
dd8e225e2a49cfa6735bed11459007003a37c137/
http://autobuild.buildroot.net/results/
e688c3652bd474ac682984e2e5947701942f0f57/
Cc: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Tue, 25 Feb 2020 22:56:51 +0000 (14:56 -0800)]
 
package/systemd: bump version to 244.3
For additional post-244 fixes.
Update the hash of the README after commit 
faba5b2b (Revert "Drop dbus
activation stub service") changed a comment about dbus:
-       dbus >= 1.11.0 (strictly speaking optional, but recommended)
+       dbus >= 1.4.0 (strictly speaking optional, but recommended)
+               NOTE: If using dbus < 1.9.18, you should override the default
+               policy directory (--with-dbuspolicydir=/etc/dbus-1/system.d).
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 26 Feb 2020 14:45:32 +0000 (15:45 +0100)]
 
package/qt5: drop 5.6 support
As discussed during the FOSDEM2019 develop days, Qt 5.6 is very old (5.6.3
was released in September 2017, and 5.6.x became EOL in March 2019), so drop
it before the new Buildroot LTS release:
https://elinux.org/Buildroot:DeveloperDaysFOSDEM2019#Qt5_versions_to_support:_keep_5.6_or_a_newer_LTS.3F
And add legacy handling for it.
There are a number of places where code checks for
BR2_PACKAGE_QT5_VERSION_LATEST, so leave that as a blind option for now to
not break the build.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pascal de Bruijn [Wed, 26 Feb 2020 08:53:32 +0000 (09:53 +0100)]
 
package/linux-tools: filter debugging symbols for hyperv
Workaround for:
ld: hv_vss_daemon.o: unable to initialize decompress status for section .debug_info
ld: hv_vss_daemon.o: unable to initialize decompress status for section .debug_info
hv_vss_daemon.o: file not recognized: File format not recognized
Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Wed, 26 Feb 2020 12:49:19 +0000 (13:49 +0100)]
 
package/minicom: fix static linking with ncurses
Fixes:
 - http://autobuild.buildroot.org/results/
d3edbab1f2cd0f7b790e2559dc8d489497ae02f3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 25 Feb 2020 16:22:28 +0000 (17:22 +0100)]
 
{linux, linux-headers}: bump 4.19.x / 5.4.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Tue, 25 Feb 2020 22:13:56 +0000 (23:13 +0100)]
 
package/armadillo: fix license
License is Apache-2.0 since version 7.800:
http://arma.sourceforge.net/license.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Romain Naour [Tue, 25 Feb 2020 21:22:13 +0000 (22:22 +0100)]
 
Config.in: add BR2_HOST_GCC_AT_LEAST_9
Fedora 30 switched to GCC 9.x. [1]
[1] https://fedoraproject.org/wiki/Changes/GCC9
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sun, 23 Feb 2020 23:20:05 +0000 (00:20 +0100)]
 
package/kvm-unit-tests: fix build with SSP
Add a patch to correct a typo in the Makefile, so -fno-stack-protector /
-fno-stack-protector-all are really used.  With this applied, kvm-unit-tests
will always be built without SSP as intented by upstream.  This will fix the
build on ppc64 with SSP that started to fail for an unknown reason since
November 27th.
Moreover, the Arch Linux workaround could also be removed in a follow-up
patch.
Fixes:
 - http://autobuild.buildroot.org/results/
ad689b08173548af21dd1fb0e827fd561de6dfef
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 24 Feb 2020 20:58:50 +0000 (21:58 +0100)]
 
package/fluidsynth: bump to version 2.1.1
- This will fix a static build failure with readline thanks to
  https://github.com/FluidSynth/fluidsynth/commit/
c538c9fa7e392ce16c3354696e7dc7781a78a300
- Update indentation of hash file (two spaces)
Fixes:
 - http://autobuild.buildroot.org/results/
88609eefe55af2ca50d43e17d3424b923528b07a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Carlos Santos [Mon, 24 Feb 2020 11:41:34 +0000 (08:41 -0300)]
 
package/skeleton-init-openrc: fix root filesystem ro/rw remount
The regular expressions used in the sed commands assumes that there is a
space after '/dev/root' but the skeleton file contains a tab. Use a more
flexible '[[:blank:]]', instead.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Francois Gervais [Fri, 21 Feb 2020 14:40:23 +0000 (09:40 -0500)]
 
package/rcw: allow not having custom rcwi files
A project could quite possibly have a custom rcw file
that does not rely on any custom rcw include files (rcwi).
Allow the build to succeed if this is the case.
Signed-off-by: Francois Gervais <fgervais@distech-controls.com>
[yann.morin.1998@free.fr: install includes in a separate hook]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Seiderer [Fri, 21 Feb 2020 07:33:31 +0000 (08:33 +0100)]
 
package/qt5/qt5webengine: fix translations target install path
Through the evolution of the qt5webengine package patch ([1], [2])
until the initial commit ([3]) the translations target install
path got mangled resulting in a double trailing qtwebengine_locales
path:
  /usr/translations/qtwebengine_locales/qtwebengine_locales
Instead of:
  /usr/translations/qtwebengine_locales
Fixes the translations runtime access failure resulting in the
following warning:
  WARNING:resource_bundle_qt.cpp(116): locale_file_path.empty() for locale
[1] http://lists.busybox.net/pipermail/buildroot/2015-July/132010.html
[2] https://patchwork.ozlabs.org/patch/640633
[3] https://git.buildroot.net/buildroot/commit/?id=
89080bac9bc47946a09c1e74f2f872363bf6785b
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Seiderer [Fri, 21 Feb 2020 08:08:55 +0000 (09:08 +0100)]
 
package/libinput: bump version to 1.15.2
For details see [1].
[1] https://lists.freedesktop.org/archives/wayland-devel/2020-February/041227.html
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sun, 23 Feb 2020 17:29:02 +0000 (18:29 +0100)]
 
package/openvmtools: fix build with NLS
Fixes:
 - http://autobuild.buildroot.org/results/
e0e7ed448df8bdd6cb13a0989d7a6c7dbaa5bc4e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Yann E. MORIN [Sun, 23 Feb 2020 18:21:39 +0000 (19:21 +0100)]
 
Revert "package/smartmontools: fix build without stack-protector"
This reverts commit 
dc171f123c6b320c4930ba00debeb34fede82d99, which was
aimed at the next branch, not master.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sun, 23 Feb 2020 15:36:38 +0000 (16:36 +0100)]
 
package/smartmontools: fix build without stack-protector
Fixes:
 - http://autobuild.buildroot.org/results/
0de9f2a69fa2a39164211299f8a429d2fec6935a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Carlos Santos [Sun, 23 Feb 2020 10:59:12 +0000 (07:59 -0300)]
 
package/busybox: fix individual binaries installation
Call BUSYBOX_INSTALL_INDIVIDUAL_BINARIES in BUSYBOX_INSTALL_TARGET_CMDS,
not in BUSYBOX_INSTALL_INIT_SYSV. This should have been done in commit
b1e07d6d796e67a980d4a05d04c64f00162245ff but was somehow lost during the
review/aply process.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yegor Yefremov [Mon, 10 Feb 2020 09:11:49 +0000 (10:11 +0100)]
 
support/testing: add libftdi1 test case
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yegor Yefremov [Mon, 10 Feb 2020 09:11:48 +0000 (10:11 +0100)]
 
package/libftdi1: fix unresolved symbol issue
GCC later than 5.x produce _fdti1.so file with an undefined
symbol str2charp_size due to C99 inline semantics change. So
remove this keyword.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[yann.morin.1998@free.fr: add upstream status]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Giulio Benetti [Thu, 20 Feb 2020 21:18:55 +0000 (22:18 +0100)]
 
package/at: fix parallel build failure
Add a patch to finally fix parallel build failure. Patch is pending
upstream:
https://salsa.debian.org/debian/at/merge_requests/14
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Thu, 20 Feb 2020 21:45:30 +0000 (22:45 +0100)]
 
package/tpm2-tss: bump to version 2.3.3
Bugfix release, fixing a number of issues:
- Fixed mixing salted and unsalted sessions in the same ESAPI context
- Removed use of VLAs from TPML marshal code
- Added check for object node before calling compute_session_value function
- Fixed auth calculation in Esys_StartAuthSession called with optional parameters
- Fixed compute_encrypted_salt error handling in Esys_StartAuthSession
- Fixed exported symbols map for libtss2-mu
The 2.3.3 tarball accidently contains a Makefile-fuzz-generated.am with
content from a fuzz testing run (rather than an empty file as in earlier
releases), confusing autoreconf together with our
0001-configure-Only-use-CXX-when-fuzzing.patch.
Work around that by adding a post-patch hook to truncate the file.  The
issue has been reported upstream and the release logic has been changed to
ensure this does not happen again for future releases:
https://github.com/tstruk/tpm2-tss/commit/
d163041e3bafa23c0be89c82a99b8501634ebdb4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Baruch Siach [Fri, 21 Feb 2020 05:34:42 +0000 (07:34 +0200)]
 
docs/manual: clarify the <PKG>_PATCH_DEPENDENCIES guarantee
Unlike <PKG>_DEPENDENCIES, <PKG>_PATCH_DEPENDENCIES only guarantees
extract and patch of listed dependencies, not build. Make this subtlety
more explicit in the documentation.
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
[yann.morin.1998@free.fr: slight fix]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 21 Feb 2020 21:56:46 +0000 (22:56 +0100)]
 
package/mbedtls: security bump to version 2.16.5
- Fix potential memory overread when performing an ECDSA signature
   operation. The overread only happens with cryptographically low
   probability (of the order of 2^-n where n is the bitsize of the
   curve) unless the RNG is broken, and could result in information
   disclosure or denial of service (application crash or extra resource
   consumption).
 - To avoid a side channel vulnerability when parsing an RSA private
   key, read all the CRT parameters from the DER structure rather than
   reconstructing them.
 - Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 22 Feb 2020 21:33:28 +0000 (22:33 +0100)]
 
package/luv: fix build with gcc 4.8
Fixes:
 - http://autobuild.buildroot.org/results/
83b34e606b128546da8a70836d039090e334a1ec
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: mark patch accepted upstream]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Giulio Benetti [Sat, 22 Feb 2020 21:44:39 +0000 (22:44 +0100)]
 
package/libsvgtiny: fix parallel build
Fix previous commit[1] which purpose was to fix parallel build. It
didn't work since it assigned $(MAKE1) to LIBSVGTINY_MAKE, but this is a
generic-package and building is done using $(MAKE), then LIBSVGTINY_MAKE
was ignored. Let's substitute instead $(MAKE) with $(MAKE1) in
LIBSVGTINY_BUILD_CMDS.
[1]:
https://git.buildroot.net/buildroot/commit/?id=
26d67a2599d6c88facd5178de853fa355244e7c2
Fixes:
http://autobuild.buildroot.net/results/67d/
67d341c0cc272323d6e231a20796a6848c21d760/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
  - use $(MAKE1) in all three step
  - move comment out of the define
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yann E. MORIN [Sat, 22 Feb 2020 10:38:47 +0000 (11:38 +0100)]
 
infra: don't be verbose when calling the instrumentation steps
Commit 
509db3b88a added calls to (parts of) the instrumentation steps.
However, those calls are echoed, unlike the other places where we call
them (in the package infra).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Acked-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Romain Naour [Wed, 19 Feb 2020 19:10:13 +0000 (20:10 +0100)]
 
package/mesa3d: gbm needs a DRI driver or a Gallium driver w/ EGL
src/gbm/
cd6bfad@@gbm at sha/main_backend.c.o: In function `_gbm_create_device':
backend.c:(.text+0x38): undefined reference to `gbm_dri_backend'
backend.c:(.text+0x40): undefined reference to `gbm_dri_backend'
backend.c:(.text+0x74): undefined reference to `gbm_dri_backend'
backend.c:(.text+0x78): undefined reference to `gbm_dri_backend'
collect2: error: ld returned 1 exit status
This issue has been trigged since [1]:
"package/mesa3d: add option to configure gbm support"
Before the patch, the gbm support was autodetected by meson and enabled
only when at least one dri driver was enabled [2].
On the Buildroot side, the gbm support was explicitely enabled only when
BR2_PACKAGE_MESA3D_OPENGL_EGL was set.
We have two cases:
- At least one DRI driver.
- No DRI driver but one Gallium w/ EGL enable (EGL selected or not by the
  Gallium driver). In this case the meson build system set with_dri to true
  (even if no DRI driver is enabled) to use the builtin:egl_dri2 [3].
The gbm's meson build system seems to handle the case where no dri driver is
enabled [4] but it still use main/backend.c source file [6] that use
gbm_dri_backend [7]. So with_dri2 must always be set.
Probably a missing check in meson.build:
 if with_gbm and not with_dri
   error('GBM backend needs a dri driver or a gallium driver w/ EGL support.')
 endif
Add a dependency on GBM option:
 depends on BR2_PACKAGE_MESA3D_DRI_DRIVER \
         || (BR2_PACKAGE_MESA3D_GALLIUM_DRIVER && BR2_PACKAGE_MESA3D_OPENGL_EGL)
Fixes:
http://autobuild.buildroot.net/results/
b9b6281983388dc22d929887d653da3db60f1f2c
[1] 
b6c051acf787c804e732bc58ba8d7e440701a168
[2] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/meson.build#L348
[3] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/meson.build#L212
[4] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/src/gbm/meson.build#L37
[5] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/src/gbm/meson.build#L24
[6] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/src/gbm/main/backend.c#L38
[7] http://lists.busybox.net/pipermail/buildroot/2020-February/274425.html
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[yann.morin.1998@free.fr: fix dependency of comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 22 Feb 2020 09:50:35 +0000 (10:50 +0100)]
 
package/bash: fix build on uclibc
Fixes:
 - http://autobuild.buildroot.org/results/
2ae2eca969e6d1febcacb8b0423ced3aad7505a2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 22 Feb 2020 09:50:34 +0000 (10:50 +0100)]
 
package/bash: add upstream patches
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Sat, 22 Feb 2020 16:01:01 +0000 (17:01 +0100)]
 
package/mesa3d: select gbm if no glx, no egl and no osmesa-classic
This issue has been trigged since [1]:
"package/mesa3d: add option to configure gbm support"
Before the patch, the gbm support was autodetected by meson and enabled
only when at least one dri driver was enabled [2].
On the Buildroot side, the gbm support was explicitely enabled only when
BR2_PACKAGE_MESA3D_OPENGL_EGL was set.
Now, the gbm support is explicitely disabled but the meson build system
check if at least one option OpenGL GLX or OpenGL EGL or GBM or
OSMesa (classic) library is enabled [3].
The previous behavious was to enable GBM when GLX, EGL and OSMesa are
disabled. So select GBM symbol for this case.
Fixes:
http://autobuild.buildroot.net/results/
a14f329560f8022f7ba8ec43ad8eed84e005d226
[1] 
b6c051acf787c804e732bc58ba8d7e440701a168
[2] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/meson.build#L348
[3] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/meson.build#L449
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Sat, 22 Feb 2020 18:10:40 +0000 (19:10 +0100)]
 
package/jpeg-turbo: force fPIC for shared libraries
When BR2_SSP_ALL is set, there is a link issue due to missing -fPIC in CFLAGS.
Set CMAKE_POSITION_INDEPENDENT_CODE=ON to add it.
This is a similar fix as for gtest package [1]
[1] https://git.buildroot.net/buildroot/commit/?id=
2026621f3c60167aa8ba48e658be1b214d1347d7
Fixes:
http://autobuild.buildroot.net/results/e1f/
e1f164cee16b037c0232fdda40fc16caf8f0c0af
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Murat Demirten <mdemirten@yh.com.tr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Gilles Talis [Sat, 22 Feb 2020 16:35:30 +0000 (17:35 +0100)]
 
DEVELOPERS: add Gilles Talis for libosip2 and libeXosip2
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Carlos Santos [Sat, 22 Feb 2020 14:47:06 +0000 (11:47 -0300)]
 
package/radvd: disable by default in systemd preset-all
We don't provide a configuration file, so disable radvd by default.
Update the help message with instructions on how to enable radvd at
build time with systemd.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bernd Kuhls [Thu, 20 Feb 2020 22:33:39 +0000 (23:33 +0100)]
 
package/php: security bump version to 7.4.3
Changelog: https://www.php.net/ChangeLog-7.php#7.4.3
Fixes CVE-2020-7061, CVE-2020-7062 & CVE-2020-7063.
Removed patch applied upstream:
https://github.com/php/php-src/commit/
f0f5c415a6e0abc40514f97113deb52a343174ee
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Thu, 20 Feb 2020 22:10:26 +0000 (23:10 +0100)]
 
toolchain/external: fix SSP help texts for custom toolchains
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni [Thu, 20 Feb 2020 02:01:16 +0000 (03:01 +0100)]
 
Config.in: ensure BR2_SSP_STRONG can only be selected if supported
This commit ensures that BR2_SSP_STRONG cannot be chosen if the
toolchain doesn't support strong SSP.
Fixes:
  http://autobuild.buildroot.net/results/
cba93a681d10692c4e4c5584e4c962bd18a608d4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni [Thu, 20 Feb 2020 02:01:15 +0000 (03:01 +0100)]
 
toolchain/toolchain-external/toolchain-external-custom: add option to indicate SSP_STRONG support
This commit adds a user-visible option
BR2_TOOLCHAIN_EXTERNAL_HAS_SSP_STRONG, which will allow the user to
indicate if the custom external toolchain does or does not have
SSP_STRONG support. Depending on this, the user will be able to use
(or not) the BR2_SSP_STRONG option.
Checking if what the user said is true or not about this is already
done in toolchain/toolchain-external/pkg-toolchain-external.mk:
        $$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC),$(BR2_SSP_OPTION))
If the user selects BR2_SSP_STRONG, this will check if
-fstack-protector-strong is really supported.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni [Thu, 20 Feb 2020 02:01:14 +0000 (03:01 +0100)]
 
toolchain: add hidden BR2_TOOLCHAIN_HAS_SSP_STRONG boolean
This will allow toolchain to indicate if they support
-fstack-protector-strong or not.
Whenever the gcc version is >= 4.9, we always have SSP_STRONG support
if we have SSP support. However, some toolchains older than gcc 4.9
might have backported SSP_STRONG support, which is why we cannot rely
just on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9.
Having this "default" value allows to avoid adding a "select
BR2_TOOLCHAIN_HAS_SSP_STRONG" in the internal toolchain logic plus in
almost external toolchains. But it allows custom external toolchains
that are pre-4.9 to potentially declare that they support strong SSP.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yann E. MORIN [Thu, 20 Feb 2020 21:54:53 +0000 (22:54 +0100)]
 
package/sdbusplus: fix indentation
Fix a check-package error introduce by 
6bf74ce3db (package/sdbusplus:
create m4 directory before autoreconf):
    package/sdbusplus/sdbusplus.mk:29: expected indent with tabs
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: John Faith <jfaith@impinj.com>
Cc: Michael Walle <michael@walle.cc>
Arnout Vandecappelle (Essensium/Mind) [Wed, 5 Feb 2020 15:08:42 +0000 (16:08 +0100)]
 
docs/website: add commercial support section
Add a section to the support page for commercial support.
Add Mind, Bootlin and Smile in that section.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Titouan Christophe [Thu, 20 Feb 2020 18:27:23 +0000 (19:27 +0100)]
 
support/scripts/pkg-stats: iterate over CVEs in streaming
The NVD files that are used to build the list of CVEs affecting
Buildroot packages are quite large (a few hundreds MB of json),
and cause the pkg-stats scripts to have a huge memory footprint
(a few GB with Python 2.7).
However, because we only need to iterate on CVE items one by one,
we can process them in streaming (ie decoding one CVE at a time
from the JSON representation). Because the json module from the
python standard library does not support such a mode of operation,
we switch to the third-party package ijson, which is compatible
with both Python 2 and Python3.
To run the script with these modifications, one should install
the ijson python package. This can be done with pip:
`pip install ijson`. On Debian based distributions, this can
also be done with the apt package manager:
`apt install python-ijson`.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Tested-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:02:02 +0000 (17:02 +0100)]
 
package/ipsec-tools: annotate _IGNORE_CVES for the included security patches
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:02:01 +0000 (17:02 +0100)]
 
package/vorbis-tools: annotate _IGNORE_CVES for the included security patches
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:02:00 +0000 (17:02 +0100)]
 
package/libtomcrypt: annotate _IGNORE_CVES for the included security patches
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:01:59 +0000 (17:01 +0100)]
 
package/libsndfile: annotate _IGNORE_CVES for the included security patches
Also mark CVE-2018-13419 as disputed.
[Peter: add dispute link as suggested by Thomas]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:01:58 +0000 (17:01 +0100)]
 
package/audiofile: annotate _IGNORE_CVES for the included security patches
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Michael Walle [Mon, 10 Feb 2020 19:11:30 +0000 (20:11 +0100)]
 
package/sdbusplus: create m4 directory before autoreconf
Commit 
d255b67972b4b7f27572581fe0c8c8aa03d850c8 fixed the handling of
the a package local m4/ directory which might be missing. But this
only works if it is the very first argument. But for this package this
is not possible because we already occupy this with the extra include
directory for autoconf-archive. Bring back the hook to create the m4/
directory to fix this.
Fixes:
  http://autobuild.buildroot.net/results/
dc907421a343b8523b14fc9a846e0caf7abe630c/
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Mon, 10 Feb 2020 16:58:24 +0000 (17:58 +0100)]
 
package/erlang: patch the tarball
Remove the lib/ssl/src/deps directory before configuring the package.
Otherwise, during the compilation of the ssl app, it may fails by
looking for logger.hrl in the wrong location (bootstrap/lib/kernel
instead of lib/kernel).
Fixes:
  http://autobuild.buildroot.net/results/
97606fcd11eaf0822b58a9532c5325601d43eaac/
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Tested-by: Frank Vanbever <frank.vanbever@essensium.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Andreas Naumann [Mon, 17 Feb 2020 21:23:28 +0000 (22:23 +0100)]
 
package/qwt: add missing qt5svg dependency
Signed-off-by: Andreas Naumann <anaumann@ultratronik.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Tue, 18 Feb 2020 15:01:00 +0000 (16:01 +0100)]
 
Makefile: don't recreate staging symlink if it exists
Create the staging symlink the same way as the host symlink. This means
using a make dependency rather than recreating it every time.
In coreutils versions below 8.27, re-creation of symbolic links was not
atomic. This means that there is a period in time where the existing link is
removed, before the new one is created. In coreutils 8.27 this was fixed,
see [1]. Note that CentOS 7 ships with coreutils 8.22.
In the following scenario, this is a problem:
- an application is compiled using the sysroot prepared by Buildroot and
  links against Xenomai userspace libraries, but its build process is steered
  from outside of Buildroot
- to know the correct flags, the application makefile uses the 'xeno-config'
  file to request them, and passes DESTDIR=/buildroot/output/staging
- the xeno-config responds with flags based on the path
  '/buildroot/output/staging/...'
- while the application build is ongoing, a 'make' happens in Buildroot,
  causing the 'staging' symlink to be recreated (even though it already
  existed)
- when exactly at this time, the application calls the compiler with -I
  flags pointing to output/staging, the build fails with:
  -I/buildroot/output/staging/usr/include/xenomai/mercury: Error:  ^ is not a directory
  -I/buildroot/output/staging/usr/include/xenomai: Error:  ^ is not a directory
  -I/buildroot/output/staging/usr/include/xenomai/xenomai: Error:  ^ is not a directory
  -I/buildroot/output/staging/usr/include/xenomai/psos: Error:  ^ is not a directory
  Failed: ** ^ *
Work around this problem by only creating the staging symlink once, similar
to how the host symlink (if any) is created.
See also commit 
d0f4f95e390bcb1c953efa125f5277a8a235396e which changed the
way these symlinks are made. The reasoning in this commit is to move away
from the 'dirs' target.
[1] https://github.com/coreutils/coreutils/commit/
376967889ed7ed561e46ff6d88a66779db62737a
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Tue, 18 Feb 2020 15:00:59 +0000 (16:00 +0100)]
 
Makefile: use HOST_DIR_SYMLINK instead of hardcoding
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Tue, 18 Feb 2020 23:36:46 +0000 (00:36 +0100)]
 
package/libxml2: properly set LIBXML2_IGNORE_CVES
The libxml2 package has two patches that fix the two CVEs affecting
libxml2 in version 2.9.10, so let's use LIBXML2_IGNORE_CVES to ensure
these CVEs are no longer reported by pkg-stats.
Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Tue, 18 Feb 2020 23:35:26 +0000 (00:35 +0100)]
 
support/scripts/pkg-stats: properly ignore CVEs in <pkg>_IGNORE_CVES
It seems like throughout the series that the CVE pkg-stats support
went through, the support for ignoring CVEs in the per-package
<pkg>_IGNORE_CVES variable was forgotten.
Let's re-introduce this, which is now very simple thanks to the CVE
class, its .identifier() propertly and the .is_cve_ignored() method of
the Package class
Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 16 Feb 2020 14:52:04 +0000 (15:52 +0100)]
 
package/libupnpp: remove unneeded static workaround
libupnpp uses pkg-config since version 0.15.1 and
https://opensourceprojects.eu/p/libupnpp/code/ci/
3dc44417e868b9b4417cbc15f8173e0a2e142b17
so remove unneeded static workaround
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Tue, 18 Feb 2020 22:31:02 +0000 (23:31 +0100)]
 
Update for 2020.02-rc1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 18 Feb 2020 22:04:09 +0000 (23:04 +0100)]
 
CHANGES: update with recent changes
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 18 Feb 2020 19:06:03 +0000 (20:06 +0100)]
 
package/libsigrok: explain why host-doxygen is needed
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 17 Feb 2020 23:55:22 +0000 (00:55 +0100)]
 
package/owfs: fixup Python sysconfigdata for per-package directories
This is needed so that building the owfs Python module uses the gcc
from owfs per-package directory, and not the one from the python
per-package directory.
Fixes:
  http://autobuild.buildroot.net/results/
0d582dda367507991a4c38141db36b0fa8e47e67/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 17 Feb 2020 23:50:47 +0000 (00:50 +0100)]
 
package/pkg-python: fix for per-package directories
With per-package directory support, Python external modules are
causing a problem: the _sysconfigdata.py module installed by the
Python interpreter contains a number of paths that are relative to the
current package per-package directory, i.e python or python3. For
example:
'BLDSHARED': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-gcc -shared',
'CC': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-gcc',
'CXX': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-g++',
etc.
These paths are problematic, because it means that the wrong compiler
gets used when building external Python modules: instead of using the
compiler from the external Python module per-package host directory,
it uses the one from the 'python' or 'python3' per-package host
directory. Due to this, any native dependency needed by the external
Python module is not found, even though it is properly present in the
current package per-package directory.
Of course, the problem occurs with both target Python modules and host
Python modules.
To fix this, we simply rewrite those paths in _sysconfigdata.py before
building a Python package.
Interestingly, until now, the _sysconfidata.py that was used during
the build was the one from $(TARGET_DIR), which is a bit unusual: it
is more common to use files from $(STAGING_DIR) during the build
process. So this commit changes the PYTHON_PATH and PYTHON3_PATH
variables so that they point to $(STAGING_DIR), which makes the
_sysconfigdata.py fixup in $(STAGING_DIR) effective.
Fixes:
  http://autobuild.buildroot.net/results/
a24b0555fd4261b50dc3986635c30717d9cbe764/ (python-psycopg2)
  http://autobuild.buildroot.net/results/
080fa893e1b0e7a8c8a31ac1c98eb8871b97264d/ (python-alsaaudio)
  http://autobuild.buildroot.net/results/
79bc070f98d6d9d8ef78df12b248cdc7d0e405c3/ (python-lxml)
  and many more Python packages that use native code with a native library
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 17 Feb 2020 23:46:39 +0000 (00:46 +0100)]
 
package/apache: fix build with per-package directory support
When APR_INCLUDEDIR and APU_INCLUDEDIR point to the same directory,
Apache builds properly. However, with per-package directory support,
they point to different directories, and APU_INCLUDEDIR contains both
the APR headers and the APU headers.
Due to this, the Apache Makefile logic to generate its exports.c file
leads to duplicate definitions, because the APR headers are considered
twice: once from APR_INCLUDEDIR, once from APU_INCLUDEDIR.
We fix this by introducing a patch to the Apache build system.
In addition, apr provides a special libtool script that gets used by
apr-util and apache. apr-util already had a fixup for this, but apache
did not, which was causing the gcc from apr-util per-package
directories be used during the apache build, causing build failures.
To fix this, we adjust this libtool script to point to the correct
tools in apache's per-package directories.
There are no autobuilder failures for this, because Apache needs
apr-util, and apr-util currently fails to build when
BR2_PER_PACKAGE_DIRECTORIES=y.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 17 Feb 2020 23:46:38 +0000 (00:46 +0100)]
 
package/apr-util: fix build with per-package directories
With per-package directories support enabled, the build of apr-util
fails, for two reasons:
 - The rules.mk file is generated by the 'apr' package, and then
   copied into the 'apr-util' source directory. This is done by the
   'apr-util' build process. Unfortunately, this rules.mk file has a
   number of hardcoded paths: to the compiler and to the libtool
   script.
   Due to this, the compiler from the 'apr' per-package directory gets
   used. But this compiler uses the 'apr' package sysroot, which does
   not have all the dependencies of the 'apr-util' package, causing
   the build to fail because <expat.h> is not found.
 - Similarly, the libtool script itself has some hardcoded paths,
   which make it use the compiler/linker from the 'apr' per-package
   directory, so it does not find the expat library.
We fix both issues by doing the necessary replacement in both rules.mk
and libtool.
Fixes:
  http://autobuild.buildroot.net/results/
2a67b5d58f79348e20a972125e4797eff5585716/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
James Hilliard [Tue, 18 Feb 2020 08:43:39 +0000 (01:43 -0700)]
 
package/cog: add patch fixing cog segfault
Fixes:
Thread 1 "cog" received signal SIGSEGV, Segmentation fault.
xkb_state_update_mask (state=0x0, base_mods=0, latched_mods=0, locked_mods=0, base_group=base_group@entry=0, latched_group=latched_group@entry=0, locked_group=0) at ../src/state.c:814
814	    prev_components = state->components;
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Tue, 18 Feb 2020 09:31:34 +0000 (10:31 +0100)]
 
package/libxml2: add upstream security fix for CVE-2019-20388
Fixes CVE-2019-20388: xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10
allows an xmlSchemaValidateStream memory leak.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sun, 16 Feb 2020 18:06:13 +0000 (19:06 +0100)]
 
package/pulseview: depends on host gcc >= 4.9
Commit 
88bb278d5ac790bee0c3a438464da82ee7625cff forgot to propagate the
new host gcc >= 4.9 dependency from BR2_PACKAGE_LIBSIGROKCXX
Fixes:
 - http://autobuild.buildroot.org/results/
5dc9dc95d0534b35e2443c120162b5176edafe0b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Mon, 17 Feb 2020 22:38:49 +0000 (23:38 +0100)]
 
package/nodejs: security bump to version 12.16.0
Fixes the following security issues (12.15.0):
- CVE-2019-15606: HTTP header values do not have trailing OWS trimmed
- CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding
  header
- CVE-2019-15604: Remotely trigger an assertion on a TLS server with a
  malformed certificate string
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
On top of this, 12.16.0 brings a number of changes and bugfixes.
Update the license hash for an addition of the (MIT) licensing terms for the
uvwsai module:
+
+- uvwasi, located at deps/uvwasi, is licensed as follows:
+  """
+    MIT License
+
+    Copyright (c) 2019 Colin Ihrig and Contributors
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE.
+  """
While we are at it, adjust the white space in the .hash function to match
the new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>