git.libre-soc.org Git - buildroot.git/log

package/at-spi2-core: fix build with meson 0.50.0

Add upstream patch [1] to fix build with meson 0.50.0 (as suggested
by Thomas Petazzoni ).

Fixes [2]:

atspi/meson.build:60:0: ERROR: Subdir keyword must not be an absolute path.

[1] https://github.com/GNOME/at-spi2-core/commit/44a812ea51223d82f21a098a2d45fcc5c329ce7a.patch
[1] http://autobuild.buildroot.net/results/83250522c79b5749fc8236ba2b0e873a12747413

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

boot/riscv-pk: deprecate riscv-pk and BBL

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

configs/qemu_riscv*_virt: use OpenSBI by default

Use OpenSBI by default instead of riscv-pk (BBL).

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

boot/opensbi: new package

OpenSBI is a much improved alternative to BBL (riscv-pk). Add OpenSBI
support to buildroot.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
[Thomas:
- disable target installation, as we install nothing
- enable staging installation
- enable images installation only when needed
- improve the comment about the staging installation]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

board/qemu/riscv32-virt: simplify the linux config

Reduce the config fragment to the bare minimum to enable 32-bit
support. This means we are as close as possible to the arch
defconfig.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

board/qemu/riscv32-virt: convert Linux defconfig into a fragment

Convert the config to the arch defconfig plus a fragment. When this
fragment is applied we will generate the same config as we previously
did.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/liburcu: bump version to 0.10.2

This includes a fix that might delay application startup
considerably (11486a15008b9).

Adapted the patch to point to the correct file.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/uftp: fix compilation with openssl

Build fails with -lssl but succeeds with -lcrypto, also thats how it is
linked by default in 'makefile'.

Fixes:

http://autobuild.buildroot.net/results/01a455ddcbc16cd2111352d22bf6603842df4ab2

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/fetchmail: fix shared build

Update second patch to fix shared build

Fixes:
- http://autobuild.buildroot.org/results/c27b9c82e68ade29b45dc84ecce5fe6653fbb7da

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/paho-mqtt-cpp: new package

Signed-off-by: Refik Tuzakli <refik.tuzakli@savronik.com.tr>
[Thomas:
- add missing dependency on BR2_TOOLCHAIN_HAS_GCC_BUG_64735 and
   corresponding Config.in comment
- add missing dependency on BR2_INSTALL_LIBSTDCPP and update
   Config.in comment
- add comment to explain why -DTHREADS_PTHREAD_ARG=OFF is passed in
   CONF_OPTS]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/{openjdk,openjdk-bin}: bump version to 12+33

Because one package relies on the other, bump both at the same time.

Other changes:
- Drop --with-cpu-port=aarch64 option as it is no longer a valid option.
(See https://openjdk.java.net/jeps/340)
- Add xlib_libXrandr as a dependency.

Tested with:
./support/testing/run-tests -s -o ./output/ -d dl tests.package.test_openjdk.TestOpenJdk

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/graph-depends: use the new make-based dependency tree

Now that we can get the whole dependency tree from make, use it to
speed up things considerably.

So far, we had three functions to get the dependencies information:
get_depends(), get_rdepends(), and, somehow unrelated, get_version().

Because of the way %-show-{,r}depends works, getting the dependency tree
was expensive, the three functions all took a set of packages for which
to get the dependencies, in an attempt to limit the time it took to get
that tree, but we still had to call these functions iteratively, until
they returned no new dependency. This was pretty costly.

Now, getting the tree is much, much less costly, and we can get the
whole tree as cheaply as we previously got only the first-level
dependencies.

Furthermore, we can now also get the version information at the same
time, and that also brings in whether the package is virtual or not,
target or host.

So, we drop all three helper functions, and replace them with a single
one that returns all that information in one go: full dependency trees
(direct and reverse), per-package type, and per-package version.

Note: since commit 2d29fd96a (pkg-virtual: remove VERSION/SOURCE),
virtual packages are no longer reported as having a 'virtual' version,
so have since been displayed as regular packages in the graphs. Although
noone complained, this patch incidentally restores the initial
behaviour, and virtual packages are now correctly displayed as such
again.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/graph-depends: don't eliminate mandatory deps for reverse graphs

We we simplify the dependency graph, we try to remove so-called
mandatory dependencies from each package, and for each mandatory that
was thus removed, reattach it to the root-package of the graph.

This was made so that mandatory dependencies (which are dependencies of
all packages, or at least of a lot of packages) do not clutter the
dependency graph, but that they are still shown in the graph, as
dependencies of the root package.

However, these mandatory dependencies are only _direct_ dependencies.
As such, it does not make sense to reattach a mandatory dependency when
doing a reverse graph. Worse, it can actually be incorrect.

For example, 'skeleton' is a mandatory dependency, and as such is
removed from all packages. But when doing a reverse graph, skeleton is
now in the dependency chain of, e.g. skeleton-init-none; it should then
not be removed.

In short: the notion of mandatory dependencies does not make sense in
the case of a reverse graph.

Consequently, skip over the mandatory dependency removal when doing a
reverse graph.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/pkg-generic: mark some rule PHONY

The %-graph-rdepends should be marked PHONY, as the %-graph-depends is.

The %-show-dependency-tree should also be a PHONY rule, because it does
not actually create a file. Furthermore, to avoid the "Nothing to be
done for .." message, give that rule an actual recipe that just does
nothing.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/odhcp6c: add optional libubox dependency

libubox dependency has been added in
https://github.com/openwrt/odhcp6c/commit/33a2ba1c14eb5447326945c120e0b64a587ed151

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/odhcp6c: bump to version d2e247d8d87ecf8c60fcf0acdad05667bd379521

- Remove patch (already in version)
- Add hash for license file

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/busybox: version bump to 1.30.1

Update from version 1.29.3 to 1.30.1. The new version
includes the removed patches.

Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/ffmpeg: bump to version 4.1.2

FFserver is not supported anymore
Remove patch 0001: fixed upstream in cae6f806a6367c7760ab6ed059d343d4a8eebd56
Remove patch 0002 to 0004: accepted upstream

Signed-off-by: Louis-Paul Cordier <lpdev@cordier.org>
[Bernd: bump to 4.1.2]
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Revert "gst1-libav: switch to unbundled"

This reverts commit 5dcb8aa0ba46e16b929c7c7fc9cea2d6c26201f4.

This patch re-enables the usage of bundled ffmpeg code because
gst1-libav 1.14.x is blocking the bump to ffmpeg 4.x.

A fix to build the bundled ffmpeg code on arm/aarch64 was added.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/fetchmail: use pkg-config to find openssl

openssl can have multiples dependencies such as libatomic on sparcv8
32 bits so drop first patch and add a new patch to use pkg-config

Fixes:
- http://autobuild.buildroot.org/results/58e5aa7c6ba8fe7474071d7a3cba6ed3a1b4cff4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libgpiod: bump version to v1.3

This is a new minor release. Changes are summarized in NEWS.

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/owfs: add optional libftdi dependency

ftdi support has been added in version 3.1p2 and
https://github.com/owfs/owfs/commit/2982df8ca648bd9cec4d820151046b044ef504e0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libftdi1: fix libftdi1-config

Add libftdi1-config to LIBFTDI1_CONFIG_SCRIPTS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/owfs: drop unneeded first patch

Patch is not needed since version 3.1p2 and
https://github.com/owfs/owfs/commit/2982df8ca648bd9cec4d820151046b044ef504e0
because localtime_r is now correctly checked

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/openjdk: restrict to support architectures

This list is taken from make/autoconf/platform.m4 and fixes
http://autobuild.buildroot.net/results/df7/df7f393ec62f0e38034837ffa591ac5af424c373
http://autobuild.buildroot.net/results/c57/c5782d6b52516d07469adf6600d4fc69c4016157
http://autobuild.buildroot.net/results/f36/f36b96c91604dda021ee05dd0a79c4f7e89e5a5b

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[Thomas:
- rename option to BR2_PACKAGE_OPENJDK_ARCH_SUPPORTS
- actually use it in the Config.in comments]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/gerbera: fix static build with ffmpeg

Fixes:
- http://autobuild.buildroot.org/results/2b99fabd798db84a0fce26ad696c58e54c6ff626
- http://autobuild.buildroot.org/results/95e410e5ab34c6d4626a58f97c0d2d5e6829a300

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xutil_makedepend: bump version to 1.0.6

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_xtrans: bump version to 1.4.0

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_libxkbfile: bump version to 1.1.0

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_libXxf86dga: bump version to 1.1.5

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_libXvMC: bump version to 1.0.11

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_libXrandr: bump version to 1.5.2

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_libXmu: bump version to 1.1.3

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_libXft: bump version to 2.3.3

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_libXext: bump version to 1.3.4

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xdriver_xf86-video-ati: bump version to 19.0.1

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xdriver_xf86-video-amdgpu: bump version to 19.0.1

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xapp_x11perf: bump version to 1.6.1

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

putty: security bump to version 0.71

CVE-2019-9894: A remotely triggerable memory overwrite in RSA key
exchange can occur before host key verification.

CVE-2019-9895: A remotely triggerable buffer overflow exists in any kind
of server-to-client forwarding.

CVE-2019-9897: Multiple denial-of-service attacks that can be triggered
by writing to the terminal.

CVE-2019-9898: Potential recycling of random numbers used in
cryptography.

Disable static build for now. When building statically configure defines
NO_GSSAPI. Build with NO_GSSAPI is currently broken. The issue has been
reported upstream.

Cc: Alexander Dahl <post@lespocky.de>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libcpprestsdk: add optional brotli dependency

Official brotli support has been added in version 2.10.8 and
https://github.com/Microsoft/cpprestsdk/commit/f3824aa8d01705656e7ee4c0c49ae6980c868b20

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/intel-gmmlib: needs dynamic library

Fixes:
- http://autobuild.buildroot.org/results/0121befb9b4ba6cffc47ce7f861ed81077fc900f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/dropbear: add upstream patch fixing TTY mode reset regression

2019.77 added a regression related to resetting TTY mode on exit. Add an
upstream patch to fix it.

For more details, see the mailing list:
https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2019q1/002157.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/moarvm: bump to version 2019.03

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/radvd: bump to version 2.18

Add hash for license file

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/dropbear: bump version to 2019.77

Drop patches as they are now upstream.  Add a hash for the license file.

Verified that runtime test still works:

./support/testing/run-tests -o tests.package.test_dropbear
20:42:44 TestDropbear                             Starting
20:42:45 TestDropbear                             Building
20:44:18 TestDropbear                             Building done
20:44:24 TestDropbear                             Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 100.727s

OK

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xlib_libXdmcp: security bump version to 1.1.3

Fixes CVE-2017-2625:
https://lists.x.org/archives/xorg-announce/2019-March/002974.html

Added all hashes provided by upstream and license hash.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/asterisk: security bump to version 16.2.1

Fixes the following security issue:

AST-2019-001: Remote crash vulnerability with SDP protocol violation
When Asterisk makes an outgoing call, a very specific SDP protocol violation
by the remote party can cause Asterisk to crash (CVE-2019-7251)

https://downloads.asterisk.org/pub/security/AST-2019-001.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

configs/freescale_imx8mqevk: bump packages to imx_4.14.78_1.0.0_ga

Bump kernel, U-Boot and ATF packages to the NXP imx_4.14.78_1.0.0_ga
release.

Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/supertux: fix build on powerpc64le

Fixes:
- http://autobuild.buildroot.org/results/c484079b2736eb3c21adff257f3e3ab1acc67f9a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/keepalived: fix build with kernel < 4.1

Fixes:
- http://autobuild.buildroot.org/results/a33433abeb122cfb15f7f21ab777e84040bdcb8b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

lvm2: Update to 2.02.183

In particular update to solve an issue where LVM would fail to
initialise LVM devices when asynchronous IO was not available and it
would fail to fall back to synchronous IO. [0][1]

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1650652
[1] https://github.com/open-power/petitboot/issues/60

Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/eigen: bump to 3.3.7

Bumped the version of eigen to 3.3.7, which fixes issues when compiling with GCC7 (notably int-in-bool-context errors, fixed in 3.3.5), in addition to various other issues noted in the eigen change logs: http://eigen.tuxfamily.org/index.php?title=ChangeLog
Legal hashes are unchanged in 3.3.7

Signed-off-by: Reed Nightingale <reed.nightingale@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/qt5base: fix xkbcommon option

- Qt 5.6: according to configure --help the command line option to
  enable x11 xkbcommon support is '-system-xkbcommon-x11'

- Qt 5.12: according to configure --help the command line option to
  enable xkbcommon support is '-xkbcommon'

Fixes [1]:

  ERROR: Invalid value given for boolean command line option 'xkbcommon'.

[1] http://autobuild.buildroot.net/results/87076d03bb92a9940447ca80fc1f202e35ef39da

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libopenssl: bump to version 1.1.1b

Drop patches 4..6 as they are now upstream.

Update the hash of the license file as the copyright dates changed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libseccomp: security bump to version 2.4.0

>From the advisory:

Jann Horn  identified a problem in current versions of
libseccomp where the library did not correctly generate 64-bit syscall
argument comparisons using the arithmetic operators (LT, GT, LE, GE).
Jann has done a search using codesearch.debian.net and it would appear
that only systemd and Tor are using libseccomp in such a way as to
trigger the bad code.  In the case of systemd this appears to affect
the socket address family and scheduling class filters.  In the case
of Tor it appears that the bad filters could impact the memory
addresses passed to mprotect(2).

The libseccomp v2.4.0 release fixes this problem, and should be a
direct drop-in replacement for previous v2.x releases.

https://www.openwall.com/lists/oss-security/2019/03/15/1

v2.4.0 adds a new scmp_api_level utility, so update 0001-remove-static.patch
to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

gummiboot: Add to DEVELOPERS file

Signed-off-by: Esben Haabendal <esben@haabendal.dk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libssh2: security bump to latest git

Bump the version to latest git to fix the following security issues:

CVE-2019-3855
Possible integer overflow in transport read allows out-of-bounds write
URL: https://www.libssh2.org/CVE-2019-3855.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch

CVE-2019-3856
Possible integer overflow in keyboard interactive handling allows
out-of-bounds write
URL: https://www.libssh2.org/CVE-2019-3856.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch

CVE-2019-3857
Possible integer overflow leading to zero-byte allocation and out-of-bounds
write
URL: https://www.libssh2.org/CVE-2019-3857.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch

CVE-2019-3858
Possible zero-byte allocation leading to an out-of-bounds read
URL: https://www.libssh2.org/CVE-2019-3858.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3858.patch

CVE-2019-3859
Out-of-bounds reads with specially crafted payloads due to unchecked use of
`_libssh2_packet_require` and `_libssh2_packet_requirev`
URL: https://www.libssh2.org/CVE-2019-3859.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3859.patch

CVE-2019-3860
Out-of-bounds reads with specially crafted SFTP packets
URL: https://www.libssh2.org/CVE-2019-3860.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3860.patch

CVE-2019-3861
Out-of-bounds reads with specially crafted SSH packets
URL: https://www.libssh2.org/CVE-2019-3861.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3861.patch

CVE-2019-3862
Out-of-bounds memory comparison
URL: https://www.libssh2.org/CVE-2019-3862.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3862.patch

CVE-2019-3863
Integer overflow in user authenicate keyboard interactive allows
out-of-bounds writes
URL: https://www.libssh2.org/CVE-2019-3863.html
Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.txt

Drop 0003-openssl-fix-dereferencing-ambiguity-potentially-caus.patch as that
is now upstream.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/libfuse: Install udev rules and set permissions

This fixes some omissions from the installation.

Install the udev rules.

Tell buildroot about the fuse device.

Apply setuid permissions on the fusermount tool.

Signed-off-by: Norbert Lange <norbert.lange@andritz.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

Revert "package/meson: bump version to 0.50.0"

This reverts commit 114e9dcd28e1001b74689215ec669b8940dc3ea9.
Indeed, there is major issue with this version because c_std is not
passed anymore when cross-compiling:
https://github.com/mesonbuild/meson/issues/5097

As a result, some meson packages (at least systemd, libmpdclient,
glib-networking) fail to build

Fixes:
- http://autobuild.buildroot.org/results/9eae2181fb3fcfe12481e5496b7d87c0dcd109eb
- http://autobuild.buildroot.org/results/e828c7925d9247e14d8a8694febfee8ce6c86e81
- http://autobuild.buildroot.org/results/031aee7cf12ad882727eb2da5e953fd8813b52e2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

system/skeleton: remove password expiration from shadow

The fields in /etc/shadow were set as follows:

root::10933:0:99999:7:::

This sets the date of last password change to Jan 1, 2000, the minimum
password age to 0 days, the maximum password age to near-infinity, and a
warning period of 7 days. In practice, this means the password never
expires. So all of this is quite useless.

On the other hand, mkusers creates lines without all of these options.
It just sets ::::: which disables password expiration completely.

To make things consistent, do the same for the skeleton entries.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/optee-test: fix dependency in TAs build

Fix TA build command to build TA libraries before TAs.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

boot/arm-trusted-firmware: support debug mode

When the trusted firmware is built with debug support (DEBUG defined),
the generated images are located in a different path compared to a
build without debug support. The non debug images are located in
generated directory build/<platform>/release/ while the debug images
are located in generated directory build/<platform>/debug/.

This change introduces the boolean option
BR2_TARGET_ARM_TRUSTED_FIRMWARE_DEBUG to define whether the release or
debug configuration is used to build trusted firmware.

Note that enabling trusted firmware debug support using
BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="... DEBUG=1 ..."
would not work since Buildroot will try to copy the generated files
from the wrong path.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

boot/arm-trusted-firmware: add support for using OP-TEE as BL32

This change allows one to build trusted firmware (TF-A) with OP-TEE as
BL32 secure payload.

When BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_DEFAULT is enabled TF-A
builds a BL32 stage according the TF-A configuration directive. If
these specify no BL32 stage then TF-A will build without BL32
support. This is the default configuration and reflects TF-A legacy
integration in BR.

When BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE is enabled TF-A builds
with support for the OP-TEE OS as BL32.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
[Thomas: rename config options, simplify option prompts, and rework
option description.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

boot/arm-trusted-firmware: support 32bit Arm targets

This change allows one to build the TF-A (Trusted Firmware A) for
32bit architectures Armv7 and Armv8 platforms. TF-A supports these
configuration since release v1.5.

Change dependency on BR2_aarch64 into a dependency on either
BR2_ARM_CPU_ARMV8A/BR2_ARM_CPU_ARMV7A to better define
the target architectures supported by the package.

Set package configuration directive ARM_ARCH_MAJOR according to
BR2_ARM_CPU_ARMV8A/BR2_ARM_CPU_ARMV7A. Set package configuration
directive ARCH based on BR2_aarch64/BR2_arm.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

gummiboot: fix compatibility with newer glibc versions

Signed-off-by: Esben Haabendal <esben@haabendal.dk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

gummiboot: upgrade to last commit before being removed

This upgrades to version 48 plus the last commits done after that.
Note, that after that, gummiboot is officially dead, so there will
be no more upstream commits after this.

For various reasons, there are still users of gummiboot, so let's base our
work on the latest gummiboot "version".

Signed-off-by: Esben Haabendal <esben@haabendal.dk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

gummiboot: use new official upstream git repository

Signed-off-by: Esben Haabendal <esben@haabendal.dk>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/jq: security bump to version 1.6

- Fix CVE-2015-8863 and CVE-2016-4074:
https://github.com/stedolan/jq/issues/1406
- Add hash for license file
- Disable oniguruma (enabled by default)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libuv: bump to version 1.27.0

Signed-off-by: Asaf Kahlon <asafka7@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/uftp: openssl is optional, not mandatory

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/uftp: fix openssl static linking

Fixes:
- http://autobuild.buildroot.org/results/051cfd993b65830c34e675d797e241c272b6f35a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/mariadb: security bump to version 10.3.13

Release notes:
https://mariadb.com/kb/en/library/mariadb-10313-release-notes/

Changelog:
https://mariadb.com/kb/en/mariadb-10313-changelog/

Fixes the following security vulnerabilities:

CVE-2019-2510 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: InnoDB). Supported versions that are affected are 5.7.24 and
prior and 8.0.13 and prior. Easily exploitable vulnerability allows high
privileged attacker with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can result in
unauthorized ability to cause a hang or frequently repeatable crash
(complete DOS) of MySQL Server.

CVE-2019-2537 - Vulnerability in the MySQL Server component of Oracle MySQL
(subcomponent: Server: DDL). Supported versions that are affected are 5.6.42
and prior, 5.7.24 and prior and 8.0.13 and prior. Easily exploitable
vulnerability allows high privileged attacker with network access via
multiple protocols to compromise MySQL Server. Successful attacks of this
vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of MySQL Server.

Note that the hash for README.md changed due to Travis CI and Appveyor CI
updates.

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/gesftpserver: bump version to latest stable

By default, gesftpserver wants to treat al warnings as errors, but there
is an actual warning in the release, so we quiesce that by not treating
warnings as errors.

We also backport a patch from upstream, to fix the ordering of some
fields when sending file attributes.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libpcap: fix bluez5_utils-headers dependency

Commit c46afc37dc877f1e94ffde0d77585290711b27ec changed bluez5-utils
dependency by bluez5_utils-headers without replacing the test on
BR2_PACKAGE_BLUEZ5_UTILS by BR2_PACKAGE_BLUEZ5_UTILS_HEADERS

Fix this mistake and also add a select on
BR2_PACKAGE_BLUEZ5_UTILS_HEADERS if BR2_PACKAGE_BLUEZ5_UTILS is set
so the user does not have to do it

Fixes:
- http://autobuild.buildroot.org/results/c6828df1f3782564451ddd4187ff026679bf37d8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/angularjs: fix license file hash

The update of angularjs to 1.7.8 in commit
00dcde3eb12d194d31356fd6e54c0328acd371a1 broke legal-info for this
package, because the hash of the license file changed.

In fact, we are using angular.js as the license file and obviously it
is likely to change between each release. The new angular.js still
specifies a MIT license, so we can update the license file hash.

Fixes:

http://autobuild.buildroot.net/results/0b8ad8d8384d605c2230e862548ccaba1f06d9b0/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libglib2: add optional dependency in libselinux

If libselinux is selected, explicitly set --enable-selinux in the
configure options and build the library first.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

linux: allow BR2_LINUX_KERNEL_IMAGE on RISC-V

We will need to build Image files for OpenSBI so allow that now.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/uftp: needs MMU, threads and wchar

Fixes:
- http://autobuild.buildroot.org/results/47dd067dfdcaae99d50216f59ea6af115d8f1e1e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/qt5: bump latest version to 5.12.2

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/angularjs: bump version to 1.7.8

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/meson: bump version to 0.50.0

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/keepalived: drop autoreconf

Commit 78d4ddbf3b416885d2e99b32363b174755f9bb30 removed all patches so
autoreconf is not needed anymore

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

configs/qemu_riscv64_virt: re-order options

Fix the config layout, no functional change.

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

configs/qemu_riscv32_virt: upgrade to 4.20 kernel

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/glibc: update glibc version for RISC-V 32-bit

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/gst1-plugins-bad: add webrtc option

- remove old webrtc Config.in.legacy entry introduced by [1] (misnamed
webrtc option was introduced with 2017.02, renamed to webrtcdsp for
2017.08 and although backported to 2017.02.4)

[1] https://git.buildroot.net/buildroot/commit/?id=4c06d2490a07f0b88f42c56c7409899fd2f5608a

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Revert "package/binutils: install libiberty for host build"

This reverts commit 7ec7ba54055919d89afc93606794d161505fa2d8, as it
causes build failures of host-gdb:

/usr/bin/ld: /home/buildroot/autobuild/instance-0/output/host/lib/libiberty.a(cplus-dem.o): relocation R_X86_64_PC32 against symbol `_sch_istable' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value

Indeed, the host-gdb build picks up the libiberty installed in
$(HOST_DIR) instead of using its own internal version. This needs to
be addressed before we can make host-binutils install libiberty in
$(HOST_DIR).

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Revert "package/prelink-cross: new package"

This reverts commit 0bb0f2ba849dac9208d3a5a4107b8edd5ee46a1e, because
using "host-binutils" is not correct as it should only be used with
internal toolchains, and not external toolchains.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/kf5-modemmanager-qt: link with libatomic when needed

On some architectures, atomic binutils are provided by the libatomic
library from gcc. Linking with libatomic is therefore necessary,
otherwise the build fails with:

sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line

This is often for example the case on sparcv8 32 bit.

Fixes:
- http://autobuild.buildroot.org/results/b941a3deaa57cac79f1686d47ca6ababf2f0d5e4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/qpdf: bump to version 8.4.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/python-pylibftdi: bump to version 0.17.0

Add hash for license file

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Revert "package/python-ipython: bump to version 7.3.0"

This reverts commit bc516052593947a067c98956931df9df31ee3195.
which adds a dependency on python3 as well as adddtional python runtime
modules. So revert this patch to polish a better bump.

Fixes:
- http://autobuild.buildroot.org/results/7d765d2b15bfe72b05de62e86a01d57f1696c837
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/binutils: upstream fixes for 2.31.1

Combining musl and binutils 2.31.1 will produce static applications
that crash immediately. This commit picks up 3 upstream commits to
remedy this.

See https://sourceware.org/bugzilla/show_bug.cgi?id=23428

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/nodejs: link with libatomic when needed

Fixes:
- http://autobuild.buildroot.net/results/804951467d3f5b212bd33b95dc8fe9c6f5f63838

Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/nodejs: correct license file hash

The LICENSE file in nodejs 10.15.3 updated to include additional
3rd party licenses.

Fixes:
- http://autobuild.buildroot.net/results/4bf66b9f05e9d04171156e44c7dd87619e429747
- http://autobuild.buildroot.net/results/a65776ba1045f12263a686933eb6a4b5d6ff7333
- http://autobuild.buildroot.net/results/aab619106a7d763f45e95a7ae3d85816fb4a6512
- http://autobuild.buildroot.net/results/bb6cb93f323be22e4c0efc05011042526c01f62c

Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/python-aiorwlock: bump to version 0.6.0

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/python-aiojobs: drop aiohttp dependency

aiohttp isn't a required dependency for aiojobs

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libpcap: fix bluez circular dependency

The optional bluez_utils dependency of libpcap creates a circular
dependency:

$ make dbus-show-recursive-depends

Recursion detected for : systemd
which is a dependency of: dbus
which is a dependency of: bluez_utils
which is a dependency of: libpcap
which is a dependency of: iptables
which is a dependency of: systemd
make: *** [package/dbus/dbus.mk:121: dbus-show-recursive-depends] Error 1

Drop support for bluez_utils. For bluez5_utils, which also depends on
dbus, we only need the headers in the bluez5_utils-headers package. Use
that to break the circular dependency.

Fixes:
http://autobuild.buildroot.net/results/9c3/9c3ee798fa6bb501a20a7892c0b085d2b279b664/

Suggested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/zlog: bump to version ccf8c36e918d6f3c7e6fe9e36eedf8583014c5c9

- Remove patches (already in version)
- Add hash for license file

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/grpc: update to 1.18.0

Bump version. Freshen a patch that had a conflict.

Remove duplicate env setting.

Add comment about the hack being used to get gRPC to use the buildroot
c-ares library. Otherwise it looks like the cmake env settings are out
of date vs what the gRPC build documentation says to use.

Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>