package/mediastreamer: bump to version 4.3.1

- Drop first patch (already in version)
- Update second patch
- License is GPL-3.0+ since version 4.3.0 and
  https://gitlab.linphone.org/BC/public/mediastreamer2/commit/85094197cfaaaa8768a86562a0bce9d3d738d2da
- Switch to cmake-package and so drop third patch as autotools is not
  updated anymore (and fails to build due to missing po/Makefile.in.in)
- Add a mandatory dependency to mbedtls (to enable crypto support in
  bctoolbox)
- Add bcg729, jpegturbo, libgsm, libpcap, libsrtp and zxing-cpp optional
  dependencies
- Add a dependency on dynamic library as no pkg-config calls are done in
  cmake (static build with ffmepg and opus will fail for example)
- Drop libupnp optional dependency (not available anymore)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Merge branch 'next'

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Kickoff 2020.05 cycle

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

docs/website/news.html: add 2020.02 announcement link

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/bearssl: fix BR2_SHARED_STATIC_LIBS case

Reported-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Update for 2020.02

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/ser2net: fix gensio detection with openssl enabled and static

Add openssl linker flags via LIBS to fix configure gensio
library detection.

Fixes:

  http://autobuild.buildroot.net/results/66e0d3e0a2a8dc5a62c267d16a53216f0f2ce8dd

  checking gensio/gensio.h usability... yes
  checking gensio/gensio.h presence... yes
  checking for gensio/gensio.h... yes
  checking for str_to_gensio in -lgensio... no
  configure: error: libgensio won't link, please install gensio dev package

The build/ser2net-4.1.1/config.log files states:

  .../arm-buildroot-linux-uclibcgnueabi/bin/ld: .../host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libgensio.a(gensio_filter_ssl.o): in function `gensio_do_ssl_init':
  gensio_filter_ssl.c:(.text+0x34): undefined reference to `OPENSSL_init_ssl'

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/gr-osmosdr: disable documentation

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/qemu: Fix a regression in semihosting

The Buildroot's gitlab testing infra reported a build issue
with the qemu_arm_vexpress_tz_defconfig due to host-python3
modules issues [1]. Thoses issues has been fixed by the
previous patch.

But the defconfig doesn't boot with the current master
(2020.02-rc3).

It turn out that is an Qemu 4.2.0 regression that was
fixed upstream by [2]. This issue was found by using
git bisect old/new.

Fixes:
$ ../host/bin/qemu-system-arm -machine virt -machine secure=on -cpu cortex-a15 -smp 1 -s -m 1024 -d unimp -serial stdio -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic -semihosting-config enable,target=native -bios bl1.bin
NOTICE:  Booting Trusted Firmware
NOTICE:  BL1: v2.0(release):2020.02-rc3-43-g9abf171ea6
NOTICE:  BL1: Built : 12:44:52, Mar  8 2020
ERROR:   Failed to load BL2 firmware.

After fixing host-python3 issue from [1]

[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/456818689
[2] https://github.com/qemu/qemu/commit/21bf9b06cb6d07c6cc437dfd47b47b28c2bb79db

Signed-off-by: Adrien Grassein <adrien.grassein@smile.fr>
[Romain:
  - improve commit log
  - add upstream link
]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Cc: Gerome Burlats <gerome.burlats@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/optee-test: add upstream patch to work with python 3.x

Fixes:
TypeError: cannot use a str to initialize an array with typecode 'B'
  File "../../scripts/file_to_c.py", line 32, in main
    for x in array.array("B", inf.read()):
    for x in array.array("B", inf.read()):
TypeError: cannot use a str to initialize an array with typecode 'B'
TypeError: cannot use a str to initialize an array with typecode 'B'

Signed-off-by: Romain Naour <romain.naour@smile.fr>
[Peter: reword commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

configs/qemu_arm_vexpress_tz_defconfig: optee needs host-python3 w/ modules

optee-os needs host-python-pycrypto build for python3. The only way we can
force building host-python modules for python3 is to select python3 package
for the target.

Since we want to avoid adding more host-python3-<modules>
(host-python-pycrypto host-python-pyelftools), select python3 package
even if it's not used.

This problem will be fixed as soon as python2 is removed.

Fixes:
File "scripts/pem_to_pub_c.py", line 24, in main
from Crypto.PublicKey import RSA
ImportError: No module named 'Crypto'

https://gitlab.com/buildroot.org/buildroot/-/jobs/456818689

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/openvmtools: fix musl build with libfuse

Fixes:
 - http://autobuild.buildroot.org/results/4eba7c4585d318efdb9b965d58d879426588aa14

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/openjdk-bin: fix install

Create $(HOST_DIR)/bin and $(HOST_DIR)/lib otherwise build can fail on:

cp -dpfr /home/buildroot/autobuild/instance-2/output-1/build/host-openjdk-bin-13.0.2_8/bin/* /home/buildroot/autobuild/instance-2/output-1/per-package/host-openjdk-bin/host/bin/
cp: target '/home/buildroot/autobuild/instance-2/output-1/per-package/host-openjdk-bin/host/bin/' is not a directory
package/pkg-generic.mk:276: recipe for target '/home/buildroot/autobuild/instance-2/output-1/build/host-openjdk-bin-13.0.2_8/.stamp_host_installed' failed
make: *** [/home/buildroot/autobuild/instance-2/output-1/build/host-openjdk-bin-13.0.2_8/.stamp_host_installed] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/28bcec0d28003c2784b6cd27039099c65bac3b96

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/qt5base: fix double-conversion compile for nios2

Add double-conversion upstream patch to enable compile for nios2.

Fixes:

  http://autobuild.buildroot.net/results/19881951a328ff4df82b5753a23219eb634e86df

  ../3rdparty/double-conversion/include/double-conversion/utils.h:114:2: error: #error Target architecture was not detected as supported by Double-Conversion.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/php: fix build without zlib

Build will fail if zlib is not found and mysqlnd compression support
is not disabled since version 7.4.1 and
https://github.com/php/php-src/commit/ee4295b4ce421003c2e1d2af98066826deb23319

Fixes:
 - http://autobuild.buildroot.org/results/9496d81437dba55d22a03762dcfe60d632115ab5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/binutils: fix assertion failure in xtensa ld

xtensa ld fails with the following message

  ld: BFD (GNU Binutils) 2.31.1 internal error, aborting at
  elf32-xtensa.c:3283 in elf_xtensa_finish_dynamic_sections

during domoticz package build. It happens because of mismatch between
the size allocated for dynamic relocations in the executable image and
the number of PLT relocations actually written to the image. The
mismatch is caused by the fact that undefined weak symbol is treated as
dynamic (and thus needing PLT relocation), but xtensa linker not
expecting that.

Fixes: http://autobuild.buildroot.net/results/7885705f1b1c0f31cf21b464150f5509929c1906/
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Backported from: e15a8da9c71336b06cb5f2706c3f6b7e6ddd95a3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/pppd: Add upstream security fix for CVE-2020-8597

Apply patch from upstream and set PPPD_INGORE_CVES appropriately.

Signed-off-by: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/ortp: bump to version 4.3.1

- License is GPL-3.0+ since version 4.3.0 and
  https://gitlab.linphone.org/BC/public/ortp/commit/6b925368588ce0fc64a9762dbe86041151e8450a
- Switch to cmake-package

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/bctoolbox: bump to version 4.3.1

- Refresh patch
- libiconv is needed without locale since version 4.3.0 and
  https://github.com/BelledonneCommunications/bctoolbox/commit/d5713996c2ae100594ebf319c54d95297b02a2e1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/bearssl: new package

BearSSL is an implementation of the SSL/TLS protocol (RFC 5246) written
in C

https://bearssl.org

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libnss: fix PowerPC build failure

NSS assumes <sys/auvx.h> is always present but that's not true, so add a
patch to check if it exists or not.

Fixes:

  http://autobuild.buildroot.net/results/425ba828d30c2bd55ce9f4f00e67bc10d9de2867/

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/python-httplib2: bump to version 0.17.0

PKG-INFO hash change is due to version bump.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/opencv3: bump to version 4.2.0

We need to set -DPROTOBUF_UPDATE_FILES=ON otherwise our protobuf
headers will be incompatible.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/systemd: add userdb support

systemd-userdbd is a system service that multiplexes user/group lookups
to all local services that provide JSON user/group record definitions
to the system. In addition it synthesizes JSON user/group records from
classic UNIX/glibc NSS user/group records in order to provide full
backwards compatibility.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/systemd: add repart support

systemd-repart grows and adds partitions to a partition table, based on
the configuration files described in repart.d.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/systemd: add dns-over-tls support

Set default-dns-over-tls to opportunistic when dns-over-tls is enabled
as it should be fully backwards compatible. The DNSOverTLS config in
resolved.conf can be used to override default-dns-over-tls.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/ser2net: S50ser2net: alsoc heck for new config file format

When running ser2net it looks for config files in the legacy conf
format and the new yaml format so we need to allow either in the
sysv init script.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

CHANGES: update with recent changes

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/proftpd: add mod_cap option

Add an option to enable or disable mod_cap and select libcap accordingly
instead of using bundled libcap which raise a build failure with headers
< 4.3 due to PR_CAP_AMBIENT and will be removed in version 1.3.7:
https://github.com/proftpd/proftpd/commit/8c845703fcf2c7978614784126bd074ffc4477f9

Fixes:
 - http://autobuild.buildroot.org/results/4d680d8204bdf1f3deec2c3eeb9a2d9e6eabe4d5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/spidermonkey: do not build the JavaScript shell, by default

Add a configuration to enable the JavaScript shell (default off). So
far only libmozjs is required (by polkit) and the shell takes around
24MiB.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libvncserver: fix jpeg build without png or zlib

Fixes:
 - http://autobuild.buildroot.org/results/bcc701055dd5876005fa6f78f38500399394cd75

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/cups: store web-interface files under /usr/share/cups/doc-root

The web-interface files (~1.8MB) are by default installed under
/usr/share/doc/cups, which is unfortunate as Buildroot removes usr/share/doc
in target-finalize, breaking the webui.

As a fix, store the web-interface files under /usr/share/cups/doc-root,
similar to how it is done in Debian.

Signed-off-by: Alexey Lukyanchuk <skif@skif-web.ru>
[Peter: use --with-docdir, update description]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/bash: fix uclibc build without wchar

Fixes:
 - http://autobuild.buildroot.org/results/298fb9c785e137bff432dd304eb56986e54ce3ed

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/piglit: fix GL tests

Fixes:
 - http://autobuild.buildroot.org/results/3355e4dc02b07ccfd9fe9b5cafb70c01fc88c158

Add an upstream patch to ensure tests needing GLESv3 are only built when
that is available.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libdrm: tests/amdgpu needs atomic_ops

Add patch to fix tests/amdpu dependency on atomic_ops.

Fixes:

  http://autobuild.buildroot.net/results/e29dae423f3f80d2c34dde9a125bd216a75ad1c0

  FAILED: tests/amdgpu/amdgpu_test
  .../host/bin/sparc-linux-gcc  -o tests/amdgpu/amdgpu_test 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/amdgpu_test.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/basic_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/bo_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/cs_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/vce_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/uvd_enc_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/vcn_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/deadlock_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/vm_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/ras_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/syncobj_tests.c.o' -Wl,--as-needed -Wl,--no-undefined -Wl,-O1 -Wl,--start-group libdrm.so.2.4.0 amdgpu/libdrm_amdgpu.so.1.0.0 .../host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libcunit.so -Wl,--end-group -pthread '-Wl,-rpath,$ORIGIN/../..:$ORIGIN/../../amdgpu' -Wl,-rpath-link,.../build/libdrm-2.4.100/build/ -Wl,-rpath-link,.../build/li
 bdrm-2.4.100/build/amdgpu
  .../host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/8.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: tests/amdgpu/b9f2b1d@@amdgpu_test@exe/bo_tests.c.o: undefined reference to symbol 'AO_fetch_compare_and_swap_emulation'
  .../host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/8.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: .../host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libatomic_ops.so.1: error adding symbols: DSO missing from command line

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/swupdate: do not store local build details in swupdate config file

The SWUPDATE_SET_BUILD_OPTIONS macro sets a number of swupdate
configuration options with local build details, especially the
cross-compiler path and sysroot path.

This means that if one stores an swupdate defconfig file as part of
Buildroot, generated with "make swupdate-update-defconfig", it will
contain things like:

CONFIG_CROSS_COMPILE="/home/thomas/projets/buildroot/output/host/bin/arm-linux-"
CONFIG_SYSROOT="/home/thomas/projets/buildroot/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot"

which obviously are not good, as they are specific to where the build
was done.

So instead this commit:

 - Uses the CROSS_COMPILE environment variable to pass the
   cross-compiler path.

 - Drops entirely the use of CONFIG_SYSROOT, since all it does is pass
   a --sysroot option to the compiler, which is not needed in the
   context of Buildroot.

 - Pass EXTRA_CFLAGS/EXTRA_LDFLAGS also through the environment.

Thanks to that the swupdate defconfig file no longer contains any
local build details, and can be re-used by different users of a given
Buildroot configuration.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/gst1-validate: disable introspection

- disable introspection unconditionally (as already done for all
  other original gstreamer1 packages)
- use '=' instead of '+=' for the first usage of GST1_VALIDATE_CONF_OPTS

Fixes:

  http://autobuild.buildroot.net/results/e6e43fb85c71af9bb599ea8bbe2e805b392cf1ad

    GEN      GstValidate-1.0.gir
  Couldn't find include 'GstPbutils-1.0.gir' (search path: '['/nvmedata/autobuild/instance-6/output-1/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/bin/../share/gir-1.0', '/usr/share/gir-1.0', '/usr/share/gir-1.0', '/usr/share/gir-1.0', '/usr/share/gir-1.0', '/usr/share/gir-1.0', '/nvmedata/autobuild/instance-6/output-1/host/share', 'gir-1.0', '/nvmedata/autobuild/instance-6/output-1/host/share/gir-1.0', '/usr/share/gir-1.0']')
  make[5]: *** [Makefile:1612: GstValidate-1.0.gir] Error 1

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libinput: bump version to 1.15.3

For details see [1].

[1] https://lists.freedesktop.org/archives/wayland-devel/2020-March/041288.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/thrift: disable qt4

host-thrift can fail if a broken Qt4 is found on host:

CMake Error in lib/cpp/CMakeLists.txt:
  Imported target "Qt4::QtCore" includes non-existent path

    "/nvmedata/autobuild/instance-4/output-1/host/usr/mkspecs/default"

  in its INTERFACE_INCLUDE_DIRECTORIES.  Possible reasons include:

  * The path was deleted, renamed, or moved to another location.

  * An install or uninstall procedure did not complete successfully.

  * The installation package was faulty and references files it does not
  provide.

Fixes:
 - http://autobuild.buildroot.org/results/57cad5313896c868e99b0b9534678f1c83a386f2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/connman: remove _GNU_SOURCE patch

Not needed any more.

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/connman: add iptables/nftables selection

This allows to use nftables instead of the default iptables.

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/connman: bump to 1.38

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/connman: re-organize configure options and dependencies

Use style typical for Buildroot.

Suggested-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/ruby: fix build on mips

Fixes:
 - http://autobuild.buildroot.org/results/d0ab5334f195a400a6d6dd6c49e3c1a2001b2b70

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/guile: fix build without makeinfo

Fixes:
 - http://autobuild.buildroot.org/results/9605aac6f760bfff190d0ab95fa50f65486ffe90

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/systemd: bump to version 245

Disabled new modules for now.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/erlang-p1-acme: needs C++

Fixes:
 - http://autobuild.buildroot.org/results/79310855f9a2abe569365ffd27e776f1a56dba2e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: add list of status checks to the json output

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: set status to 'na' for virtual packages

If there is no infra set or infra is virtual the status is set to 'na'.

This is done for the follwing checks:
 - license
 - license-files
 - hash
 - hash-license
 - patches
 - version

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: add defconfig support

Scan configs directory and create Defconfig objects.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: store pkg dir path

This value can be used for later processing.

In the buildroot-stats application this is used to create links pointing
to the git repo of buildroot.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: add package count to stats

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: add package status

Unify the status check information. The status is stored in a tuple. The
first entry is the status that can be 'ok', 'warning' or 'error'. The
second entry is a verbose message.

The following checks are performed:
- url: status of the URL check
- license: status of the license presence check
- license-files: status of the license file check
- hash: status of the hash file presence check
- patches: status of the patches count check
- pkg-check: status of the check-package script result
- developers: status if a package has developers in the DEVELOPERS file
- version: status of the version check

With that status information the following variables are replaced:
has_license, has_license_files, has_hash, url_status

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: store licences of package

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: set developers info

Use the function 'parse_developers' function from getdeveloperlib that
collect the information about the developers and the files they
maintain. Then set the maintainer(s) to each package.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: store patch files for the package

Remove the patch_count attribute and use a class property instead.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: store latest version in a dict

This patch changes the type of the latest_version variable to a dict.
This is for better readability/usability of the data. With this the json
output is more descriptive in later processing of the json output.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

support/scripts/pkg-stats: clear multiprocessing pools after use

During the CVE checking phase, we can still see a huge amount of
Python processes (actually 128) running on the host, even though
the CVE step is entirely ran in the main thread.

These are actually the worker processes spawned to check for the
packages URL statuses and the latest versions from release-monitoring.
This is because of an issue in Python's multiprocessing implementation:
https://bugs.python.org/issue34172

The problem was already there before the CVE matching step was
introduced, but because pkg-stat was terminating right after the
release-monitoring step, it went unnoticed.

Also, do not hold a reference to the multiprocessing pool from
the Package class, as this is not needed.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

support/scripts/pkg-stats: decode subprocess output for python3

In Python 3, the functions from the subprocess module return bytes
(and no longer strings as in Python 2), which must be decoded for
further text operations.

Now, pkg-stats can be run in Python 3.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

support/scripts/pkg-stats: properly ignore CVEs in <pkg>_IGNORE_CVES

It seems like throughout the series that the CVE pkg-stats support
went through, the support for ignoring CVEs in the per-package
<pkg>_IGNORE_CVES variable was forgotten.

Let's re-introduce this, which is now very simple thanks to the CVE
class, its .identifier() propertly and the .is_cve_ignored() method of
the Package class

Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/bcm2835: bump version to 1.62

Changelog (since 1.60):
  - 1.61 2020-01-11 Fixed errors in the documentation for bcm2835_spi_write.
    Fixes issue seen on Raspberry Pi 4 boards where 64-bit off_t is used by
    default via -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64. The offset was
    being incorrectly converted, this way is clearer and fixes the problem.
    Contributed by Jonathan Perkin.
  - 1.62 2020-01-12 Fixed a problem that could cause compile failures with
    size_t and off_t

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

boot/opensbi: bump to version 0.6

Tested with qemu_riscv32_virt_defconfig and
qemu_riscv64_virt_defconfig using Buildroot host-qemu 4.2.0.

Signed-off-by: Mark Corbin <mark@dibsco.co.uk>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/gstreamer1/gstreamer1: update tools comment

The tools option installs more than gst-launch and gst-inspect, so
simplify its prompt to just "install tools", and update the Config.in
help text. While at it, we list them alphabetically.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/gstreamer1/gst1-plugins-base: add tools option

Add tools option to disable building/installing of gst-discoverer,
gst-device-monitor and gst-play command line tools (similar to
BR2_PACKAGE_GSTREAMER1_INSTALL_TOOLS).

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/fswebcam: bump to latest version

Bump to latest git version.

Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

configs/freescale_imx8qmmek: new defconfig

This patch documents the Buildroot support for the NXP i.MX8QM MEK board.

You will find a reference to the board on nxp.com:
https://www.nxp.com/design/development-boards/i.mx-evaluation-and-development-boards/i.mx-8quadmax-multisensory-enablement-kit-mek:MCIMX8QM-CPU

You can also find the get started guide here:
https://www.nxp.com/document/guide/get-started-with-the-i.mx-8quadmax-mek:GS-iMX-8QM-MEK

Signed-off-by: Maeva Manuel <maeva.manuel@oss.nxp.com>
Tested-by: Julien Olivain <julien.olivain@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/freescale-imx/firmware-imx: add support for i.MX8QM

Signed-off-by: Maeva Manuel <maeva.manuel@oss.nxp.com>
Tested-by: Julien Olivain <julien.olivain@oss.nxp.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libevdev: convert to meson

- drop legacy patch 0001-configure-add-disable-runtime-tests-option.patch
  and use -Dtests=disabled instead

- drop host-pkgconf dependency as pkgconf is only used in case tests
  are enabled to find the check package (checked via meson output -
  no 'Found pkg-config' - and via strace)

- update host-python dependency to host-python3 as the script
  libevdev/make-event-names.py which is used to generate the
  header file event-names.h is updated to python3:
  '#!/usr/bin/env python3'
  This made no difference with autotools build as the script
  was called with '$(PYTHON) libevdev/make-event-names.py'.

  We use BR2_PYTHON3_HOST_DEPENDENCY instead of depending on
  host-python3, to use any available Python 3.x interpreter on the
  build machine instead of building our own, if possible.

- add patch to fix tools compile with older toolchains adding
  the local include path (only the meson build is affected)

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libevdev: bump version to 1.9.0

And update hash file formatting (2 spaces).

For details see [1] and [2].

[1] https://lists.freedesktop.org/archives/input-tools/2020-February/001529.html
[2] https://lists.freedesktop.org/archives/input-tools/2020-March/001530.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libevdev: add host-python dependency

Fixes:

  checking for a Python interpreter with version >= 2.6... none
  configure: error: no suitable Python interpreter found

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libevdev: add host-python dependency

Fixes:

  checking for a Python interpreter with version >= 2.6... none
  configure: error: no suitable Python interpreter found

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/libite: bump version to 2.1.2

The hash for LICENSE has changed due to the copyright being updated and
the note about licensing types has been moved to the bottom.

The hash for chomp.c has been changed due to the copyright being updated and
code changes in that file.

Changelog:
https://github.com/troglobit/libite/releases/tag/v2.1.2

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/inadyn: bump version to 2.6

Changelog:
https://github.com/troglobit/inadyn/releases/tag/v2.6

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/inadyn: remove dependency on libite

The dependency for libite was removed in upstream commit e27bfbf
dating back a couple of years.

Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/ipset: bump to version 7.6

See full changelog http://ipset.netfilter.org/changelog.html

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/wayland-protocols: bump to version 1.20

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/linux-firmware: add option for Microchip VSC85xx networking PHYs

This patch adds an option to support installing firmware files for the
Microchip/Microsemi VSC85xx networking PHY family.

There is a mismatch between Linux and Linux-firmware on the name of the
PHY (Microchip vs Microsemi), due to the acquisition of Microsemi by
Microchip. We chose here the name in Linux-firmware, but mentioned the
other one in the Kconfig help of the option.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/linux-firmware: fix special cases of symlinks

Some symlinks were not created correctly when installing the
Linux-firmware package. This patch fixes the support for all symlinks of
the form:

  a/foo -> bar
  a/foo -> b/bar
  a/foo -> ../b/bar

With this patch all forms of symlinks described in the WHENCE file
should be supported, whether they are in nested directories, or in
non-existing ones.

As some symlinks could be in directories that do not exist, we must
maje sure to canonicalize the path before testing the linked-to file.

We compared the symlinks installed pre-20200122 to what we have now, and
it seems we're handling all of them with this patch.

Fixes: 55df4059d24b ("package/linux-firmware: fix symlink support")
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
[yann.morin.1998@free.fr:
  - use readlink in canonicalize-missing mode, to avoid
    creating-then-removing directories
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Antoine Tenart <antoine.tenart@bootlin.com>
Reviewed-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/mesa3d: fix nouveau std::isinf related compile failure

Activate already existing mesa3d solution for the isinf compile
failure for uclibc based toolchains instead of using a custom
workaround.

- remove 0005-src-gallium-drivers-nouveau-codegen-nv50_ir_ra.cpp-p.patch
- add 0004-c99_math-import-isinf-for-uclibc-based-toolchains.patch

Fixes:
  http://autobuild.buildroot.net/results/cbefc5d4a4fefb674e596400fa1d2698cd89c5b3/
  http://autobuild.buildroot.net/results/dc974da012f53fa4ed3be616f937b0afae423d66/

  ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp: In member function 'bool nv50_ir::GCRA::simplify()':
  ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1348:19: error: expected unqualified-id before '(' token
            if (std::isinf(bestScore)) {
                     ^

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/nodejs: bump version to v12.16.1

Fixes a number of regressions introduced in v12.16.0:
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.16.1

Tested on Debian 9 and Ubuntu 18.04

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libsndfile: fix CVE-2019-3832

It was discovered the fix for CVE-2018-19758 (libsndfile) was not
complete and still allows a read beyond the limits of a buffer in
wav_write_header() function in wav.c. A local attacker may use this flaw
to make the application crash.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libsndfile: fix CVE-2018-19758

There is a heap-based buffer over-read at wav.c in wav_write_header in
libsndfile 1.0.28 that will cause a denial of service.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Makefile: work around a bug in newly released make 4.3

Several users of rolling-release distributions have been reporting on
IRC that Buildroot is broken now that they have switched to the newly
released make 4.3.

It turns out that the constructs we use to generated and include the
internal br2-external related fragments is no longer working with
make-4.3.

Indeed, an upstream bug report [0] seems to imply that it so far was
working by chance. There has been no further feedback, whether this is
really considered a fix for a previous ill-defined behaviour, or an
actual regression...

In the meantime, we add a workaround, suggested in that same bug report,
that fixes the issue for make 4.3, and that should not break on older
make versions either (verified on all relevant versions: from 3.81,
3.82, 4.0, 4.1, and 4.2).

[0] https://savannah.gnu.org/bugs/?57676

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Mircea Gliga <mgliga@bitdefender.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/jhead: security bump to version 3.04

- Fix CVE-2019-1010301: jhead 3.03 is affected by: Buffer Overflow. The
  impact is: Denial of service. The component is: gpsinfo.c Line 151
  ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG
  file.
- Fix CVE-2019-1010302: jhead 3.03 is affected by: Incorrect Access
  Control. The impact is: Denial of service. The component is: iptc.c
  Line 122 show_IPTC(). The attack vector is: the victim must open a
  specially crafted JPEG file.
- Fix CVE-2019-19035: jhead 3.03 is affected by: heap-based buffer
  over-read. The impact is: Denial of service. The component is:
  ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is:
  Open a specially crafted JPEG file.
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/python-django: security bump to version 3.0.4

Fixes the following security vulnerabilities:

- CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS
  functions and aggregates on Oracle.
  GIS functions and aggregates on Oracle were subject to SQL injection,
  using a suitably crafted tolerance.

For more details, see the advisory:
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/mesa3d: fix linux/kcmp.h related compile failure

Add upstream patch [1].

Fixes:

  http://autobuild.buildroot.net/results/df5bcb8e4f6e98c4de347abbbe91e10a98047422

  ../src/util/os_file.c:37:24: fatal error: linux/kcmp.h: No such file or directory

[1] https://cgit.freedesktop.org/mesa/mesa/commit/?id=f7bfb10c69dfe48a91e35523cb5ee641bdbf6988

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

utils/genrandconfig: drop outdated python-nfc check

Commit 9ea528f84ba (package/python-nfc: bump to version 0.13.5) changed the
python-nfc package to download from github, so the package no longer needs
bzr on the host.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/fbgrab: bump version to 1.3.1 and update projct URL

- bump version to 1.3.1
  Changelog:
  * Incorrect alpha value when converting 32-bit framebuffers.
  * Documentation for github instead of own homepage.

- update project URL

Fixes bug 12606 ([1]).

[1] https://bugs.busybox.net/show_bug.cgi?id=12606

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Timo Ketola <timo.ketola@exertus.fi>
Acked-by: Timo Ketola <timo.ketola@exertus.fi>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-plugins-base: fix static linking

Add patch to fix static linking of tools.

Fixes:

  http://autobuild.buildroot.net/results/b33019b3c9ad856aced34215c69bb292b536e25e

  .../bin/ld: .../usr/lib/libgstreamer-1.0.a(gstplugin.c.o): in function `gst_plugin_register_func':
  gstplugin.c:(.text+0x3bc): undefined reference to `g_module_make_resident'
  .../bin/ld: .../usr/lib/libgstreamer-1.0.a(gstplugin.c.o): in function `_priv_gst_plugin_load_file_for_registry':
  gstplugin.c:(.text+0x1228): undefined reference to `g_module_supported'
  .../bin/ld: gstplugin.c:(.text+0x126c): undefined reference to `g_module_open'
  .../bin/ld: gstplugin.c:(.text+0x1368): undefined reference to `g_module_symbol'
  .../bin/ld: gstplugin.c:(.text+0x1494): undefined reference to `g_module_supported'
  .../bin/ld: gstplugin.c:(.text+0x17f4): undefined reference to `g_module_close'
  .../bin/ld: gstplugin.c:(.text+0x1a2c): undefined reference to `g_module_error'

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Config.in: drop BR2_NEEDS_HOST_{JAVAC,JAR}

With classpath removed, no packages select these symbols any more - So drop
them and their corresponding logic in dependencies.sh / genrandconfig.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/classpath: drop package

This package has been abandoned by upstream since 2016 and has not
had a release since 2012. In addition the GNU Compiler for Java
that classpath was written to be used with has been removed as of
GCC 7.

It is no longer feasible to support classpath as it requires a java
compiler capable of producing java 1.5 compatible bytecode which is
not possible on hosts with a recent java compiler.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/jamvm: drop package

JamVM has not had a release since 2014 and is unmaintained.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/mini-snmpd: bump to version 1.6

Drop both patches:

 - 0001-Prepend-zero-byte-before-unsigned-integers.patch is upstream
   as of 949ae648bf7c654b8fae607a0988bfa672607156

 - 0002-mib.c-allow-unsigned-integers-to-have-an-extra-byte.patch is
   upstream as of

Use the systemd unit file provided by the upstream project instead of
our own, just add an /etc/default/ file to add the -a option to
preserve the same behavior.

This new version now needs pkg-config.

v1.6 changelog:

Bug fix release.

- Fix #16: regression in ifTable for point-to-point interfaces
- Fix #17: major memory leak in Linux backend
- Fix #18: consistent timeout handling in .conf file and command line

v1.5 changelog:

Major feature release.  Support for TCP-MIB, UDP-MIB, IP-MIB,
ifXTable with 64-bit counters.

- Majority of new features from [NDM Systems][]
- CVE fixes from [Cisco Talos Intelligence Group][talos]

- Add support for ifXTable (64-bit counters), from NDM Systems
- Add support for TCP-MIB, from NDM Systems
- Add support for UDP-MIB, from NDM Systems
- Add support for IP-MIB, from NDM Systems
- Add support for ifType
- Add support for ifMtu
- Binary and man page renamed: `mini_snmpd` --> `mini-snmpd`
- New command line option `-l LEVEL` replaces `--verbose`
- New command line option `-v` to show program version
- Create PID file when daemon is ready to receive signals
- Add support for systemd unit file on Linux
- Add support for /etc/mini-snmpd.conf, disabled by default

- CVE-2020-6060: Fix stack overflow in client connection handler
- CVE-2020-6059: Fix out-of-bounds read in parsing of SNMP packet
- CVE-2020-6058: Fix out-of-bounds read in parsing of SNMP packet
- Let `-s` flag control use of syslog, when running in foreground
- Removed all (known) GNU:isms; i.e., `__progname` and `%m`

Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/python-jinja2: fix async removal paths

Fixes:
http://autobuild.buildroot.net/results/dd5/dd5f151b2c9872476ab63c529468d0b37a0374f5/

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/zziplib: fix CVE-2018-17828

Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to
overwrite arbitrary files via a .. (dot dot) in a zip file, because of
the function unzzip_cat in the bins/unzzipcat-mem.c file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/zziplib: fix CVE-2018-16548

An issue was discovered in ZZIPlib through 0.13.69. There is a memory
leak triggered in the function __zzip_parse_root_directory in zip.c,
which will lead to a denial of service attack.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/patch: annotate CVE-2019-13638

GNU patch through 2.7.6 is vulnerable to OS shell command injection that
can be exploited by opening a crafted patch file that contains an ed
style diff payload with shell metacharacters. The ed editor does not
need to be present on the vulnerable system. This is different from
CVE-2018-1000156.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/patch: fix CVE-2019-13636

In GNU patch through 2.7.6, the following of symlinks is mishandled in
certain cases other than input files. This affects inp.c and util.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/patch: fix CVE-2018-20969

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings
beginning with a ! character. NOTE: this is the same commit as for
CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to
a shell metacharacter.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

package/patch: annotate CVE-2018-1000156

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>