buildroot.git
3 years agopackage/i2c-tools: add I2C_TOOLS_CPE_ID_VENDOR
Heiko Thiery [Tue, 1 Jun 2021 11:15:52 +0000 (13:15 +0200)]
package/i2c-tools: add I2C_TOOLS_CPE_ID_VENDOR

cpe:2.3:a:i2c-tools_project:i2c-tools is a valid CPE identifier for this
package:

https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ai2c-tools_project%3Ai2c-tools

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agouclibc: powerpc: fix PIE/PIC builds with secureplt enabled by default
Romain Naour [Tue, 1 Jun 2021 19:16:16 +0000 (21:16 +0200)]
uclibc: powerpc: fix PIE/PIC builds with secureplt enabled by default

Apply the fix provided by Yann Sionneau when secureplt is enabled
by default by gcc compiler along with PIE/PIC options.

"For the secure PLT to work in PIC, the r30 register needs to point to the GOT"

Fixes:
[qemu_ppc_e500mc_defconfig] https://gitlab.com/buildroot.org/buildroot/-/jobs/1255661606
[qemu_ppc_g3beige_defconfig] https://gitlab.com/buildroot.org/buildroot/-/jobs/1255661607
[qemu_ppc_mac99_defconfig] https://gitlab.com/buildroot.org/buildroot/-/jobs/1255661609

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Yann Sionneau <yann@sionneau.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agoConfig.in: disable PIC/PIE for Nios2
Romain Naour [Tue, 1 Jun 2021 19:00:21 +0000 (21:00 +0200)]
Config.in: disable PIC/PIE for Nios2

Recently in Buildroot the option BR2_PIC_PIE has been enabled by default along
with other hardening features [1]. Since then the nios2 defconfig
qemu_nios2_10m50_defconfig is failing to boot due to a segfault in init program:

Run /init as init process
  with arguments:
    /init
  with environment:
    HOME=/
    TERM=linux
Failed to execute /init (error -12)

See Buildroot build log and Qemu runtime test log in build artifacts [2].

Analyzing one of the binary with strace show that the problem occur
very early when starting the new process:

 # strace ./busybox
 execve("./busybox", ["./busybox"], 0x7f91ce90 /* 10 vars */) = -1 ENOMEM
(Cannot allocate memory)
 +++ killed by SIGSEGV +++

Several binutils/glibc/gcc version has been tested without any success.

The issue has been reported to the glibc mailing list but it can be a linker
or kernel bug [3].

For the Buildroot 2021.05 release, disable BR2_PIC_PIE until the problem is
found and fixed.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1285145889

[1] https://git.buildroot.net/buildroot/commit/?id=810ba387bec3c5b6904e8893fb4cb6f9d3717466
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/1285145889
[3] https://sourceware.org/pipermail/libc-alpha/2021-May/126912.html

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/hostapd: add upstream patch to fix CVE-2021-27803
Sam Voss [Tue, 1 Jun 2021 18:09:14 +0000 (13:09 -0500)]
package/hostapd: add upstream patch to fix CVE-2021-27803

Fixes the following:

- CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in
wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
discovery requests. It could result in denial of service or other impact
(potentially execution of arbitrary code), for an attacker within radio
range.

Signed-off-by: Sam Voss <sam.voss@collins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agoUpdate for 2021.05-rc3
Peter Korsgaard [Mon, 31 May 2021 21:29:41 +0000 (23:29 +0200)]
Update for 2021.05-rc3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/dhcp: security bump to version 4.4.2-P1
Peter Korsgaard [Sun, 30 May 2021 08:44:57 +0000 (10:44 +0200)]
package/dhcp: security bump to version 4.4.2-P1

Fixes the following security issue:

- CVE-2021-25217: A buffer overrun in lease file parsing code can be used to
  exploit a common vulnerability shared by dhcpd and dhclient

For details, see the advisory:
https://kb.isc.org/docs/cve-2021-25217

Update the LICENSE hash for a change of copyright years.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agodocs: move the IRC channel away from Freenode
Yann E. MORIN [Sat, 22 May 2021 19:40:56 +0000 (21:40 +0200)]
docs: move the IRC channel away from Freenode

Due to the recent events at Frenode [0], the channel has become a bit
unreliable (much spammed), and users have started to move away already,
as quite a few other projects have moved their IRC presence away from
Freenode.

There are a few alternatives. The first to spring to mind, is the new
Libera.Chat network [1], managed by the previous Freenode staff, so we
could expect quite a good experience there. However, it is a very young
network. The second well known alternative is the long-established OFTC,
which has been very reliable in its 20 years of existence.

So, let's move to OFTC, just because it has a track-record of robustness
(which Libera.Chat still has to build, for being young).

Note: there are a lot of other IRC networks, some very good too, but we
probably would be much off-topic on most of them.

[0] https://lwn.net/Articles/856543/
[1] https://libera.chat/
[2] https://www.oftc.net/

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Matthew Weber <matthew.weber@collins.com>
Acked-by: Heiko Thiery <heiko.thiery@gmail.com>
Acked-By: Vincent Fazio <vfazio@xes-inc.com>
Acked-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/strace: xtensa needs headers >= 5.0
Fabrice Fontaine [Sat, 29 May 2021 17:48:46 +0000 (19:48 +0200)]
package/strace: xtensa needs headers >= 5.0

xtensa support needs user_pt_regs since version 5.6 and
https://github.com/strace/strace/commit/2429c69961e2598902bded9c02dd601b362b66b4

However user_pt_regs is only available since kernel 5.0 and
https://github.com/torvalds/linux/commit/06fbac8e8971f2fa526e189304dd95ee62f39dbe

Fixes:
 - http://autobuild.buildroot.org/results/c6c4fb3b9098c5fc5dbe4415e2a9757fc775b746

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pkg-meson: always set b_pie to false
Fabrice Fontaine [Sat, 29 May 2021 08:48:36 +0000 (10:48 +0200)]
package/pkg-meson: always set b_pie to false

pipewire unconditionally enables b_pie since version 0.3.20 and
https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/abe73c9146cd223b40b22581b1fd58bc044c671e
which will raise the following build failure on m68k since commit
a6d88d3ba5e30e11f4d726f341bc56c1be7c71c9:

/srv/storage/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/m68k-buildroot-linux-uclibc/9.3.0/../../../../m68k-buildroot-linux-uclibc/bin/ld: /srv/storage/autobuild/run/instance-1/output-1/host/m68k-buildroot-linux-uclibc/sysroot/usr/lib/Scrt1.o: in function `lib_main':
(.text+0x4): undefined reference to `__shared_flat_add_library'

To fix this build failure, always set b_pie to false as PIE will be
enabled by toolchain/toolchain-wrapper.mk if needed

Fixes:
 - http://autobuild.buildroot.org/results/c258a2736661af8ea73abeda2503d8682e65f1e2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agoRevert "package/pkg-meson: handle b_pie"
Yann E. MORIN [Sat, 29 May 2021 09:16:35 +0000 (11:16 +0200)]
Revert "package/pkg-meson: handle b_pie"

This reverts commit a8a147f6046f9d11d4685ddfa5c2a6a01f4d7219.

That commit incorrectly made use of BR2_TOOLCHAIN_SUPPORTS_PIE, when it
should have been using BR2_PIC_PIE.

Besides, another attempt is pending, that unconditionally disables it as
it will be set by the toolchain wrapper already.

For both reasons, revert rather than switch over to BR2_PIC_PIE.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pkg-meson: handle b_pie
Fabrice Fontaine [Fri, 28 May 2021 19:17:48 +0000 (21:17 +0200)]
package/pkg-meson: handle b_pie

pipewire unconditionally enables b_pie since version 0.3.20 and
https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/abe73c9146cd223b40b22581b1fd58bc044c671e
which will raise the following build failure on m68k since commit
a6d88d3ba5e30e11f4d726f341bc56c1be7c71c9:

/srv/storage/autobuild/run/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/m68k-buildroot-linux-uclibc/9.3.0/../../../../m68k-buildroot-linux-uclibc/bin/ld: /srv/storage/autobuild/run/instance-1/output-1/host/m68k-buildroot-linux-uclibc/sysroot/usr/lib/Scrt1.o: in function `lib_main':
(.text+0x4): undefined reference to `__shared_flat_add_library'

Fixes:
 - http://autobuild.buildroot.org/results/c258a2736661af8ea73abeda2503d8682e65f1e2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pipewire: alsa needs ucm
Fabrice Fontaine [Fri, 28 May 2021 20:15:28 +0000 (22:15 +0200)]
package/pipewire: alsa needs ucm

alsa unconditionally uses ucm since version 0.3.7 and
https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/1612f5e4d215bd5edf7d649d220b53ff1ed7c098
which will result in the following build failure since commit
a6d88d3ba5e30e11f4d726f341bc56c1be7c71c9:

../spa/plugins/alsa/acp/alsa-ucm.h:26:10: fatal error: alsa/use-case.h: No such file or directory
   26 | #include <alsa/use-case.h>
      |          ^~~~~~~~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/ef53534daf84397b4e22392f2a6be2c335819ab5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/nginx: add upstream CVE-2021-23017 security fix
Peter Korsgaard [Fri, 28 May 2021 09:23:13 +0000 (11:23 +0200)]
package/nginx: add upstream CVE-2021-23017 security fix

Fixes the following vulnerability:

- CVE-2021-23017: 1-byte memory overwrite in resolver

For more details, see the advisories:
https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
https://www.openwall.com/lists/oss-security/2021/05/25/5

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: annotate the patch, that it is a backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libcurl: security bump to version 7.77.0
Peter Korsgaard [Thu, 27 May 2021 21:35:31 +0000 (23:35 +0200)]
package/libcurl: security bump to version 7.77.0

Fixes the following security issues:

- CVE-2021-22897: schannel cipher selection surprise
  https://curl.se/docs/CVE-2021-22897.html

- CVE-2021-22898: TELNET stack contents disclosure
  https://curl.se/docs/CVE-2021-22898.html

- CVE-2021-22901: TLS session caching disaster
  https://curl.se/docs/CVE-2021-22901.html

Unconditionally disable the ldap(s) options.  These require external
libraries, but the options were ignored if the needed libraries weren't
available. This is now changed to be a fatal error since

https://github.com/curl/curl/commit/dae382a1a1481a94b708c82d5aa9fa7253084160

Additionally, add a post-7.77.0 upstream patch to fix compilation with
bearssl.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[yann.morin.1998@free.fr: annotate the patch, that it is a backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agodocs/website: update for 2021.05-rc2
Peter Korsgaard [Thu, 27 May 2021 21:41:23 +0000 (23:41 +0200)]
docs/website: update for 2021.05-rc2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/gdb: fix gdbserver build with m68k and uclibc
Fabrice Fontaine [Thu, 27 May 2021 05:57:29 +0000 (07:57 +0200)]
package/gdb: fix gdbserver build with m68k and uclibc

Allow to build gdbserver with m68k and uclibc. This patch is not needed
for version above 9.2 because build_gdbserver as been
moved to its own file since
https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=919adfe8409211c726c1d05b47ca59890ee648f1

This new file (gdbserver/configure.srv) does not seem to be affected by
this issue

Fixes:
 - http://autobuild.buildroot.org/results/f4d6d9d8418c0da48a3db4ad5a82e19bd16eae34

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/mpv: security bump to version 0.33.1
Fabrice Fontaine [Thu, 27 May 2021 07:04:23 +0000 (09:04 +0200)]
package/mpv: security bump to version 0.33.1

Fix CVE-2021-30145: A format string vulnerability in mpv through 0.33.0
allows user-assisted remote attackers to achieve code execution via a
crafted m3u playlist file.

https://github.com/mpv-player/mpv/releases/tag/v0.33.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/paho-mqtt-c: security bump to version 1.3.9
Fabrice Fontaine [Thu, 27 May 2021 06:05:13 +0000 (08:05 +0200)]
package/paho-mqtt-c: security bump to version 1.3.9

Old security issue not fixed:
https://github.com/eclipse/paho.mqtt.c/issues/1084

https://github.com/eclipse/paho.mqtt.c/milestone/16?closed=1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/boost: disable logs with riscv32
Fabrice Fontaine [Fri, 21 May 2021 20:03:23 +0000 (22:03 +0200)]
package/boost: disable logs with riscv32

boost logs can't be built with riscv32 because it unconditionally uses
__NR_futex:

libs/log/src/event.cpp: In member function 'void boost::log::v2_mt_posix::aux::futex_based_event::wait()':
libs/log/src/event.cpp:38:29: error: '__NR_futex' was not declared in this scope
   38 | #define BOOST_LOG_SYS_FUTEX __NR_futex
      |                             ^~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/8c8135fd7c0517c66c9b3975c494da6d7934cc1b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/webkitgtk: disable gamepad support
Adrian Perez de Castro [Tue, 25 May 2021 12:44:41 +0000 (15:44 +0300)]
package/webkitgtk: disable gamepad support

Pass -DENABLE_GAMEPAD=OFF to CMake in order to disable support for the
gamepad API, which requires libmanette, a library that is not yet
available in Buildroot.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/pifmrds: always link with -lm
Fabrice Fontaine [Tue, 25 May 2021 05:44:27 +0000 (07:44 +0200)]
package/pifmrds: always link with -lm

Commit 888546e5273d77d49bec564a515e85d7acee6bdd wrongly removed linking
with -lm resulting in the following build failure:

/home/buildroot/autobuild/run/instance-3/output-1/host/bin/arm-linux-gnueabihf-gcc  -o pi_fm_rds rds.o waveforms.o pi_fm_rds.o fm_mpx.o control_pipe.o -L/home/buildroot/autobuild/run/instance-3/output-1/host/bin/../arm-buildroot-linux-gnueabihf/sysroot/usr/lib -lsndfile
/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arm-linux-gnueabihf/7.3.1/../../../../arm-linux-gnueabihf/bin/ld: fm_mpx.o: undefined reference to symbol 'cos@@GLIBC_2.4'
/home/buildroot/autobuild/run/instance-3/output-1/host/arm-buildroot-linux-gnueabihf/sysroot/lib/libm.so.6: error adding symbols: DSO missing from command line

Fixes:
 - http://autobuild.buildroot.org/results/b2a6e6fd77bf9071ce9f75fed1811be9ffe5366d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/libopenh264: fix mips32 build
Fabrice Fontaine [Mon, 24 May 2021 21:05:29 +0000 (23:05 +0200)]
package/libopenh264: fix mips32 build

Fix build failure with mips32 which is raised since the addition of
bootlin toolchains

Fixes:
 - http://autobuild.buildroot.org/results/cba3e9d0fd061cc3a92cb732bcdc2c7b66dbf6cb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/python-bluezero: select dbus
Fabrice Fontaine [Mon, 24 May 2021 18:56:17 +0000 (20:56 +0200)]
package/python-bluezero: select dbus

Build is broken since commit
8bdc5e7c4d975193b1e18999ed840507cea63bd6 because BR2_PACKAGE_DBUS_PYTHON
is selected without selecting BR2_PACKAGE_DBUS

Fixes:
 - http://autobuild.buildroot.org/results/378dd714940440b8f9db763479ae929e90e33b80

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agoRevert "package/{protobuf, python-protobuf}: bump to version 3.17"
Yann E. MORIN [Mon, 24 May 2021 13:59:48 +0000 (15:59 +0200)]
Revert "package/{protobuf, python-protobuf}: bump to version 3.17"

This reverts commit 92332d31d590f731a55926166dd2da8181c8fcaf, which was
incorrectly applied to master instead of next.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/{protobuf, python-protobuf}: bump to version 3.17
Michael Nosthoff [Thu, 20 May 2021 13:28:40 +0000 (15:28 +0200)]
package/{protobuf, python-protobuf}: bump to version 3.17

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agoutils/genrandconfig: drop hardening Config enables
Matthew Weber [Fri, 21 May 2021 13:17:52 +0000 (08:17 -0500)]
utils/genrandconfig: drop hardening Config enables

Since 810ba387bec3c5b, some form of these options are enable
by default. Specifically:

- Kept FORTIFY level 2 option as the default is now level 1.
- Removed all SSP options as the default now uses the best
  option based on toolchain support.
- Similar to SSP, for RELRO, the default now uses the best
  option based on toolchain support.
- Completely drop PIC PIE as it defaults =y

Signed-off-by: Matthew Weber <matthew.weber@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libffi: drop superfluous CPE_ID_VERSION
Yann E. MORIN [Mon, 24 May 2021 12:53:27 +0000 (14:53 +0200)]
package/libffi: drop superfluous CPE_ID_VERSION

The default for FOO_CPE_ID_VERSION is to default to FOO_VERSION, so drop
this superfluous definition.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: "Weber, Matthew L Collins" <Matthew.Weber@collins.com>
Reviewed-by: Matthew Weber <Matthew.Weber@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pifmrds: use pkg-config
Fabrice Fontaine [Sun, 23 May 2021 10:11:21 +0000 (12:11 +0200)]
package/pifmrds: use pkg-config

Use pkg-config to retrieve libsndfile dependencies

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/php-imagick: add CPE variables
Fabrice Fontaine [Sun, 23 May 2021 21:13:48 +0000 (23:13 +0200)]
package/php-imagick: add CPE variables

cpe:2.3:a:php:imagick is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aphp%3Aimagick

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libmspack: add CPE variables
Fabrice Fontaine [Sun, 23 May 2021 21:03:02 +0000 (23:03 +0200)]
package/libmspack: add CPE variables

cpe:2.3:a:kyzer:libmspack is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3:a:kyzer:libmspack

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/perl: add PERL_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 20:59:34 +0000 (22:59 +0200)]
package/perl: add PERL_CPE_ID_VENDOR

cpe:2.3:a:perl:perl is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aperl%3Aperl

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/findutils: add FINDUTILS_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 20:57:38 +0000 (22:57 +0200)]
package/findutils: add FINDUTILS_CPE_ID_VENDOR

cpe:2.3:a:gnu:findutils is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Afindutils

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/python-pillow: security bump to version 8.2.0
Fabrice Fontaine [Sat, 22 May 2021 17:41:59 +0000 (19:41 +0200)]
package/python-pillow: security bump to version 8.2.0

- Fix numerous CVEs:
  https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#security
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html#security
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html#security
  https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
- Update license to HPND:
  https://github.com/python-pillow/Pillow/commit/81078e8a0d26c9094446a64aadfa8047b8af3484

https://pillow.readthedocs.io/en/stable/releasenotes/index.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/python-pillow: add webpmux support
Fabrice Fontaine [Sat, 22 May 2021 17:41:58 +0000 (19:41 +0200)]
package/python-pillow: add webpmux support

webpmux is an optional dependency since version 2.2.0 and
https://github.com/python-pillow/Pillow/commit/b4735f7829bb88c99071cd91b208aa6ffd2cba24

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: move into existing webp conditional block]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/python-pillow: add xcb support
Fabrice Fontaine [Sat, 22 May 2021 17:41:57 +0000 (19:41 +0200)]
package/python-pillow: add xcb support

libxcb is an optional dependency since version 7.1.0 and
https://github.com/python-pillow/Pillow/commit/3c39e6fcf6a11b18eec0d1c66710bcd35033d069

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/python-pillow: add lcms2 support
Fabrice Fontaine [Sat, 22 May 2021 17:41:56 +0000 (19:41 +0200)]
package/python-pillow: add lcms2 support

lcms2 is an optional dependency since version 2.3.0 and
https://github.com/python-pillow/Pillow/commit/6d9f34914021951bba42ffe5b6cd80147e7f538f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/expat: security bump to version 2.4.1
Fabrice Fontaine [Mon, 24 May 2021 07:34:30 +0000 (09:34 +0200)]
package/expat: security bump to version 2.4.1

Fix CVE-2013-0340 "Billion Laughs":
https://blog.hartwork.org/posts/cve-2013-0340-billion-laughs-fixed-in-expat-2-4-0/

https://github.com/libexpat/libexpat/blob/R_2_4_1/expat/Changes

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/qemu: fix build with latest binutils
Fabrice Fontaine [Sat, 22 May 2021 16:53:50 +0000 (18:53 +0200)]
package/qemu: fix build with latest binutils

Fixes:
 - http://autobuild.buildroot.org/results/c0881df995093036eb7579d870efcae3feb323aa

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libnids: drop LIBNIDS_IGNORE_CVES
Fabrice Fontaine [Sun, 23 May 2021 13:29:38 +0000 (15:29 +0200)]
package/libnids: drop LIBNIDS_IGNORE_CVES

NVD database has been updated:
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&seach_type=all&query=cpe:2.3:a:libnids_project:libnids:1.24:*:*:*:*:*:*:*

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/mini-snmpd: add CPE variables
Fabrice Fontaine [Sun, 23 May 2021 14:30:58 +0000 (16:30 +0200)]
package/mini-snmpd: add CPE variables

cpe:2.3:a:minisnmpd_project:minisnmpd is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aminisnmpd_project%3Aminisnmpd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/minissdpd: add MINISSDPD_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 14:27:17 +0000 (16:27 +0200)]
package/minissdpd: add MINISSDPD_CPE_ID_VENDOR

cpe:2.3:a:miniupnp_project:minissdpd is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aminiupnp_project%3Aminissdpd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/minidlna: add CPE variables
Fabrice Fontaine [Sun, 23 May 2021 14:24:11 +0000 (16:24 +0200)]
package/minidlna: add CPE variables

cpe:2.3:a:readymedia_project:readymedia is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Areadymedia_project%3Areadymedia

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/minizip: add MINIZIP_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 14:19:25 +0000 (16:19 +0200)]
package/minizip: add MINIZIP_CPE_ID_VENDOR

cpe:2.3:a:minizip_project:minizip is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aminizip_project%3Aminizip

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: fix typo MINZIP -> MINIZIP]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/netsurf: add NETSURF_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 14:11:35 +0000 (16:11 +0200)]
package/netsurf: add NETSURF_CPE_ID_VENDOR

cpe:2.3:a:netsurf-browser:netsurf is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Anetsurf-browser%3Anetsurf

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/opencv3: add CPE variables
Fabrice Fontaine [Sun, 23 May 2021 13:57:23 +0000 (15:57 +0200)]
package/opencv3: add CPE variables

cpe:2.3:a:opencv:opencv is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aopencv%3Aopencv

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/oprofile: add OPROFILE_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 13:52:14 +0000 (15:52 +0200)]
package/oprofile: add OPROFILE_CPE_ID_VENDOR

cpe:2.3:a:maynard_johnson:oprofile is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Amaynard_johnson%3Aoprofile

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libnids: add LIBNIDS_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 13:29:37 +0000 (15:29 +0200)]
package/libnids: add LIBNIDS_CPE_ID_VENDOR

cpe:2.3:a:libnids_project:libnids is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibnids_project%3Alibnids

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pipewire: needs dynamic library
Fabrice Fontaine [Sun, 23 May 2021 09:29:20 +0000 (11:29 +0200)]
package/pipewire: needs dynamic library

Since bump to version 0.3.26 in commit
a6d88d3ba5e30e11f4d726f341bc56c1be7c71c9, pipewire needs dynamic library
support for at least spa plugins (which can be disabled) and spa tools
(which can't be disabled)

Fixes:
 - http://autobuild.buildroot.org/results/ea05fa6ca39b1ac55e301e5c11d3a62080d36e9e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/hwloc: add optional dependencies to udev, libxml2, ncurses & numactl
Bernd Kuhls [Sun, 23 May 2021 09:43:46 +0000 (11:43 +0200)]
package/hwloc: add optional dependencies to udev, libxml2, ncurses & numactl

udev:
https://github.com/open-mpi/hwloc/blob/master/config/hwloc.m4#L626

libxml2:
https://github.com/open-mpi/hwloc/blob/master/config/hwloc.m4#L1273

ncurses:
https://github.com/open-mpi/hwloc/blob/master/config/hwloc_internal.m4#L340

numactl:
https://github.com/open-mpi/hwloc/blob/master/config/hwloc_internal.m4#L419

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[yann.morin.1998@free.fr: drop unconditional --disable-libxml2]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/p7zip: add P7ZIP_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 10:43:35 +0000 (12:43 +0200)]
package/p7zip: add P7ZIP_CPE_ID_VENDOR

cpe:2.3:a:7-zip:p7zip is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3A7-zip%3Ap7zip

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libical: add LIBICAL_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 10:39:48 +0000 (12:39 +0200)]
package/libical: add LIBICAL_CPE_ID_VENDOR

cpe:2.3:a:libical_project:libical is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibical_project%3Alibical

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/shellinabox: add SHELLINABOX_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 10:35:36 +0000 (12:35 +0200)]
package/shellinabox: add SHELLINABOX_CPE_ID_VENDOR

cpe:2.3:a:shellinabox_project:shellinabox is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ashellinabox_project%3Ashellinabox

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/blktrace: add BLKTRACE_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 23 May 2021 10:27:57 +0000 (12:27 +0200)]
package/blktrace: add BLKTRACE_CPE_ID_VENDOR

cpe:2.3:a:blktrace_project:blktrace is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ablktrace_project%3Ablktrace

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/lz4: add upstream security fix for CVE-2021-3520
Peter Korsgaard [Sun, 23 May 2021 09:52:39 +0000 (11:52 +0200)]
package/lz4: add upstream security fix for CVE-2021-3520

Fixes a potential memory corruption with negative memmove() size.  For
details, see (NVD not yet updated):

https://security-tracker.debian.org/tracker/CVE-2021-3520

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/imagemagick: security bump to version 7.0.11-13
Fabrice Fontaine [Sat, 22 May 2021 21:59:17 +0000 (23:59 +0200)]
package/imagemagick: security bump to version 7.0.11-13

Fix CVE-2021-20309 to CVE-2021-20313

https://github.com/ImageMagick/ImageMagick/blob/7.0.11-13/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/vlc: fix build with latest live555
Fabrice Fontaine [Sat, 22 May 2021 21:41:39 +0000 (23:41 +0200)]
package/vlc: fix build with latest live555

Fix build failure with live555 raised since commit
6ad1c7f12e57ab7c6f022470e0aacec442d14267

Fixes:
 - http://autobuild.buildroot.org/results/83170984f96238756c45bf1f4e542363afafd45f

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/msmtp: add MSMTP_CPE_ID_VENDOR
Fabrice Fontaine [Sat, 22 May 2021 20:42:09 +0000 (22:42 +0200)]
package/msmtp: add MSMTP_CPE_ID_VENDOR

cpe:2.3:a:marlam:msmtp is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Amarlam%3Amsmtp

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/mpv: add MPV_CPE_ID_VENDOR
Fabrice Fontaine [Sat, 22 May 2021 20:28:54 +0000 (22:28 +0200)]
package/mpv: add MPV_CPE_ID_VENDOR

cpe:2.3:a:mpv:mpv is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ampv%3Ampv

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pwgen: add PWGEN_CPE_ID_VENDOR
Fabrice Fontaine [Sat, 22 May 2021 20:25:22 +0000 (22:25 +0200)]
package/pwgen: add PWGEN_CPE_ID_VENDOR

cpe:2.3:a:pwgen_project:pwgen is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apwgen_project%3Apwgen

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pulseaudio: add PULSEAUDIO_CPE_ID_VENDOR
Fabrice Fontaine [Sat, 22 May 2021 20:21:56 +0000 (22:21 +0200)]
package/pulseaudio: add PULSEAUDIO_CPE_ID_VENDOR

cpe:2.3:a:pulseaudio:pulseaudio is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apulseaudio%3Apulseaudio

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/proxychains-ng: add PROXYCHAINS_NG_CPE_ID_VENDOR
Fabrice Fontaine [Sat, 22 May 2021 20:11:36 +0000 (22:11 +0200)]
package/proxychains-ng: add PROXYCHAINS_NG_CPE_ID_VENDOR

cpe:2.3:a:proxychains-ng_project:proxychains-ng is a valid CPE
identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aproxychains-ng_project%3Aproxychains-ng

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pigz: add PIGZ_CPE_ID_VENDOR
Fabrice Fontaine [Sat, 22 May 2021 17:58:03 +0000 (19:58 +0200)]
package/pigz: add PIGZ_CPE_ID_VENDOR

cpe:2.3:a:zlib:pigz is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Azlib%3Apigz

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/picocom: add PICOCOM_CPE_ID_VENDOR
Fabrice Fontaine [Sat, 22 May 2021 17:53:51 +0000 (19:53 +0200)]
package/picocom: add PICOCOM_CPE_ID_VENDOR

cpe:2.3:a:picocom_project:picocom is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apicocom_project%3Apicocom

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pngquant: add PNGQUANT_CPE_ID_VENDOR
Fabrice Fontaine [Sat, 22 May 2021 17:47:17 +0000 (19:47 +0200)]
package/pngquant: add PNGQUANT_CPE_ID_VENDOR

cpe:2.3:a:pngquant:pngquant is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apngquant%3Apngquant

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/pipewire: link with -latomic
Fabrice Fontaine [Sat, 22 May 2021 16:31:35 +0000 (18:31 +0200)]
package/pipewire: link with -latomic

Fix build failure which is raised since bump to version 0.3.26 in commit
a6d88d3ba5e30e11f4d726f341bc56c1be7c71c9

Fixes:
 - http://autobuild.buildroot.org/results/b5305e8e7dd1a5e8bfaba72b06251056ba7d1af1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/uhd: USRP1 needs gcc >= 4.9
Fabrice Fontaine [Sat, 22 May 2021 16:29:24 +0000 (18:29 +0200)]
package/uhd: USRP1 needs gcc >= 4.9

Commit c577eac16eaae515973faf3013da197516bfd391 forgot to add
dependencies of BR2_PACKAGE_UHD_USB to BR2_PACKAGE_UHD_USRP1

Fixes:
 - http://autobuild.buildroot.org/results/eaae6548fb536e2b0ea539c236cd7579e63fa21e

Note: threads dependency is already guaranteed as uhd itself depends on
NPTL already.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/llvm: include limits
Fabrice Fontaine [Sat, 22 May 2021 15:10:37 +0000 (17:10 +0200)]
package/llvm: include limits

Fix the following build failure:

In file included from /data/buildroot-autobuilder/instance-0/output-1/build/host-llvm-9.0.1/utils/benchmark/src/benchmark_register.cc:15:
/data/buildroot-autobuilder/instance-0/output-1/build/host-llvm-9.0.1/utils/benchmark/src/benchmark_register.h: In function 'void AddRange(std::vector<T>*, T, T, int)':
/data/buildroot-autobuilder/instance-0/output-1/build/host-llvm-9.0.1/utils/benchmark/src/benchmark_register.h:17:30: error: 'numeric_limits' is not a member of 'std'
   17 |   static const T kmax = std::numeric_limits<T>::max();
      |                              ^~~~~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/68581aad7c622a1fc74bb5556799e3c681425b2a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agoUpdate for 2021.05-rc2
Peter Korsgaard [Sat, 22 May 2021 13:42:38 +0000 (15:42 +0200)]
Update for 2021.05-rc2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
3 years agopackage/runc: security bump to version 1.0.0-rc95
Christian Stewart [Fri, 21 May 2021 20:15:17 +0000 (13:15 -0700)]
package/runc: security bump to version 1.0.0-rc95

Fixes CVE-2021-30465: runc 1.0.0-rc94 and earlier are vulnerable to a symlink
exchange attack whereby an attacker can request a seemingly-innocuous container
configuration that actually results in the host filesystem being bind-mounted
into the container, allowing for a container escape.

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/mutt: security bump to version 2.0.7
Fabrice Fontaine [Fri, 21 May 2021 18:57:29 +0000 (20:57 +0200)]
package/mutt: security bump to version 2.0.7

Fix CVE-2021-32055: Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt
2019-10-25 through 2021-05-04) has a $imap_qresync issue in which
imap/util.c has an out-of-bounds read in situations where an IMAP
sequence set ends with a comma. NOTE: the $imap_qresync setting for
QRESYNC is not enabled by default.

https://gitlab.com/muttmua/mutt/-/blob/mutt-2-0-7-rel/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/wireshark: security bump to version 3.4.5
Fabrice Fontaine [Fri, 21 May 2021 18:55:44 +0000 (20:55 +0200)]
package/wireshark: security bump to version 3.4.5

Fixes: CVE-2021-22207 Excessive memory consumption in MS-WSP dissector
in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service
via packet injection or crafted capture file

See also: https://www.wireshark.org/security/wnpa-sec-2021-04.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: add CVE reference]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/webkitgtk: select missing multimedia deps
Adrian Perez de Castro [Wed, 19 May 2021 21:38:27 +0000 (00:38 +0300)]
package/webkitgtk: select missing multimedia deps

Select a few missing multimedia related dependencies:

- BR2_PACKAGE_GST1_PLUGINS_GOOD_PLUGIN_AUTODETECT is needed for
  "autoaudiosink"; not having this element can cause a crash as
  it is used unconditionally.
- BR2_PACKAGE_GST1_PLUGINS_GOOD_PLUGIN_MATROSKA and
  BR2_PACKAGE_GST1_PLUGINS_GOOD_PLUGIN_VPX are needed for
  WebM video playback.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/wpewebkit: select gstreamer autoaudiosink
Adrian Perez de Castro [Wed, 19 May 2021 21:32:37 +0000 (00:32 +0300)]
package/wpewebkit: select gstreamer autoaudiosink

Select BR2_PACKAGE_GST1_PLUGINS_GOOD_PLUGIN_AUTODETECT when multimedia
support is enabled. This is needed at runtime to automatically select
a suitable audio output element, otherwise WebKit will crash at an
assertion due to the missing "autoaudiosink" element. More here:

  https://wpewebkit.org/about/faq.html#why-does-the-browser%2Flauncher-(e.g.-cog)-crash-when-trying-to-play-audio%3F

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/lvm2: drop legacy default
Yann E. MORIN [Fri, 21 May 2021 14:00:08 +0000 (16:00 +0200)]
package/lvm2: drop legacy default

Commit f289b1b36f5c (legacy: drop options removed more than 5 years ago
now) forgot to remove a legacy default.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/waylandpp: add dependency to BR2_INSTALL_LIBSTDCPP
Heiko Thiery [Fri, 21 May 2021 09:14:04 +0000 (11:14 +0200)]
package/waylandpp: add dependency to BR2_INSTALL_LIBSTDCPP

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
[yann.morin.1998@free.fr: propagate the dependency to kodi]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/python-bluezero: add recursive dependencies
Arnout Vandecappelle (Essensium/Mind) [Fri, 21 May 2021 09:12:30 +0000 (11:12 +0200)]
package/python-bluezero: add recursive dependencies

python-bluezero selects python-gobject but fails to include its arch and
toolchain dependencies. Add them now, as well as the corresponding
comment.

dbus-python also has some dependencies, but all of them are covered by
the python3 dependency, so don't bother with those.

Fixes: 8bdc5e7c4d975193b1e18999ed840507cea63bd6
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/python-bluezero: depends on dbus-python and python-gobject
Grzegorz Blach [Mon, 8 Feb 2021 00:55:42 +0000 (01:55 +0100)]
package/python-bluezero: depends on dbus-python and python-gobject

As of version 0.4.0 observer.py uses dbus-python (to comunicate with BlueZ)
instead of python-aioblescan. Thus, all modules now depend on dbus-python.

Signed-off-by: Grzegorz Blach <grzegorz@blach.pl>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/ebtables: fix runtime in case of BR2_KERNEL_64_USERLAND_32
Thomas De Schampheleire [Tue, 18 May 2021 07:46:27 +0000 (09:46 +0200)]
package/ebtables: fix runtime in case of BR2_KERNEL_64_USERLAND_32

ebtables 2.0.11 no longer works correctly when userland is 32-bit and the
kernel is 64-bit. This used to work correctly in version 2.0.10-4.

Problem is twofold:
- ebtables itself was broken and needs to be patched
- buildroot needs to pass the correct flag again to indicate when we are in
  this situation

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/mender: the dbus plugin requires libglib2
Adam Duskett [Thu, 20 May 2021 20:34:36 +0000 (13:34 -0700)]
package/mender: the dbus plugin requires libglib2

If libglib2 is not build before building the dbus plugin, mender fails to
compile with the following error:
Package 'gio-2.0', required by 'virtual:world', not found

 - Add a check for libglib2 in addition to dbus when enabling the dbus plugin.
 - Depend on libglib2 if both packages are selected.

Fixes:
http://autobuild.buildroot.org/results/1bc5893b88db08612059ad899c2bc3b2abb291fb

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/gcc: add upstream patches that introduce -mcmodel=large option for or1k
Giulio Benetti [Mon, 3 May 2021 11:13:44 +0000 (13:13 +0200)]
package/gcc: add upstream patches that introduce -mcmodel=large option for or1k

Let's add upstream patches introducing -mcmodel=large or1k gcc option that
works in conjunction with previous binutils patch. That option fix binutils
bug 21464[1] allowing to build libgeos with no problem. This way we can
consider buildroot toolchain binutils bug 21464 free.

[1]: https://sourceware.org/bugzilla/show_bug.cgi?id=21464

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: remove the PATCH M/N parts - cfr. check-package]

3 years agopackage/binutils: add upstream backported patches to support -mcmodel=large gcc option
Giulio Benetti [Mon, 3 May 2021 11:13:43 +0000 (13:13 +0200)]
package/binutils: add upstream backported patches to support -mcmodel=large gcc option

Add upstream backported patches that allows using -mcmodel=large gcc option
that in order allows fixing build failure due to binutils bug 21464:
https://sourceware.org/bugzilla/show_bug.cgi?id=21464

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: remove the PATCH M/N parts - cfr. check-package]

3 years agopackage/binutils: update or1k patches for plt link version with upstream
Giulio Benetti [Mon, 3 May 2021 11:13:42 +0000 (13:13 +0200)]
package/binutils: update or1k patches for plt link version with upstream

Actual patches are stubs suggested but now they are available as upstream.
So let's substitute them since they make part of a or1k patchset and next
patch will add the others.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[Arnout: remove the PATCH M/N parts - cfr. check-package]

3 years agopackage/dhcp: add host-gawk to global dependencies and build environment
Sergey Matyukevich [Thu, 20 May 2021 21:52:24 +0000 (00:52 +0300)]
package/dhcp: add host-gawk to global dependencies and build environment

DHCP package may silently fail to install binaries to the target image.
The problem occurs when buildroot output/host and build server provide
different flavors of awk. For instance, mawk on build server and gawk
in buildroot output/host. In this case isc-dhcp configure script detects
gawk in output/host and generates Makefiles specifying gawk without
absolute path. During Buildroot installation phase, those Makefiles
are used to install dhcp binaries. They attempt to use gawk without
absolute path. However build host does not have gawk.

To resolve the issue add host-gawk to dependencies and specify absolute
path to host-gawk in dhcp configure script using DHCP_CONF_ENV.

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/imx-gpu-viv: fix Config.in indentation
Arnout Vandecappelle (Essensium/Mind) [Fri, 21 May 2021 06:55:50 +0000 (08:55 +0200)]
package/imx-gpu-viv: fix Config.in indentation

As reported by check-package.

Fixes: 3d78dbace207b6b93416b27abcb85dbccde97a6b
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/wpa_supplicant: fix build with CVE-2021-30004 changes
Sergey Matyukevich [Thu, 20 May 2021 19:04:56 +0000 (22:04 +0300)]
package/wpa_supplicant: fix build with CVE-2021-30004 changes

Commit a8fbe67b9b16 ("package/wpa_supplicant: add upstream patch to fix
CVE-2021-30004") added security patch from hostapd upstream without
required ASN.1 helpers. Backport and adapt two commits from the
hostapd upstream to add missing headers and helpers.

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/assimp: depends on libzlib
Fabrice Fontaine [Thu, 28 Jan 2021 20:04:36 +0000 (21:04 +0100)]
package/assimp: depends on libzlib

assimp doesn't build with zlib-ng because Z_EXPORT and z_crc_t are used
by the bundled unzip source code

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/assimp: fix build on musl
Fabrice Fontaine [Thu, 28 Jan 2021 20:04:35 +0000 (21:04 +0100)]
package/assimp: fix build on musl

Fixes:
 - http://autobuild.buildroot.net/results/7c2db184ee200d1719308f38f42382bb39d8d5c6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agoRevert "package/assimp: fix static only build"
Fabrice Fontaine [Thu, 28 Jan 2021 20:04:34 +0000 (21:04 +0100)]
Revert "package/assimp: fix static only build"

This reverts commit b44b5cb265e3764169aa4856f40e8e2db55cba22.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agoRevert "package/assimp: fix musl zlib/zip related compile failure"
Fabrice Fontaine [Thu, 28 Jan 2021 20:04:33 +0000 (21:04 +0100)]
Revert "package/assimp: fix musl zlib/zip related compile failure"

This reverts commit b529a582ba4d7671597e95d7ab54ee652cbbc261 as it
raises a build failure with hiawatha because assimp installs its own
zlib library in staging directory.

Fixes:
 - http://autobuild.buildroot.org/results/9cac31962d48245a5579da692dbc9488292a397e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/libfuse3: add CPE variables
Fabrice Fontaine [Thu, 20 May 2021 19:31:54 +0000 (21:31 +0200)]
package/libfuse3: add CPE variables

cpe:2.3:a:libfuse_project:libfuse is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibfuse_project%3Alibfuse

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libfuse: add LIBFUSE_CPE_ID_VENDOR
Fabrice Fontaine [Thu, 20 May 2021 19:31:24 +0000 (21:31 +0200)]
package/libfuse: add LIBFUSE_CPE_ID_VENDOR

cpe:2.3:a:libfuse_project:libfuse is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibfuse_project%3Alibfuse

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: fix URL]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libeXosip2: add CPE variables
Fabrice Fontaine [Thu, 20 May 2021 19:15:34 +0000 (21:15 +0200)]
package/libeXosip2: add CPE variables

cpe:2.3:a:gnu:exosip is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Aexosip

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/less: add LESS_CPE_ID_VENDOR
Fabrice Fontaine [Thu, 20 May 2021 19:06:08 +0000 (21:06 +0200)]
package/less: add LESS_CPE_ID_VENDOR

cpe:2.3:a:gnu:less is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Aless

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/poco: add POCO_CPE_ID_VENDOR
Fabrice Fontaine [Thu, 20 May 2021 18:48:08 +0000 (20:48 +0200)]
package/poco: add POCO_CPE_ID_VENDOR

cpe:2.3:a:pocoproject:poco is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apocoproject%3Apoco

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/gd: fix addition of -liconv in gdlib.pc.in
Fabrice Fontaine [Tue, 27 Apr 2021 18:53:47 +0000 (20:53 +0200)]
package/gd: fix addition of -liconv in gdlib.pc.in

Static build of gnuplot with gd and libiconv is broken since bump to
version 2.3.1 in commit 970b2ca3cc3f927f679c871eeadb22ec110b0ed5:

/home/giuliobenetti/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/powerpc-buildroot-linux-uclibc/9.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld: /home/giuliobenetti/autobuild/run/instance-3/output-1/host/bin/../powerpc-buildroot-linux-uclibc/sysroot/usr/lib/libgd.a(gdkanji.o): in function `do_convert':
gdkanji.c:(.text+0x148): undefined reference to `libiconv_open'
/home/giuliobenetti/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/powerpc-buildroot-linux-uclibc/9.3.0/../../../../powerpc-buildroot-linux-uclibc/bin/ld: gdkanji.c:(.text+0x1d0): undefined reference to `libiconv'

This build failure is raised because LIBS has been replaced by
LIBS_PRIVATES in gdlib.pc.in since
https://github.com/libgd/libgd/commit/28ecfe77c817aff8ce56422d3e4e8533a281bc76

Fixes:
 - http://autobuild.buildroot.org/results/5ab5f4744adfd8d8be483204a9c7f59e34ce26c6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/dhcp: add host-gawk optional dependency
Heiko Thiery [Fri, 7 May 2021 09:43:05 +0000 (11:43 +0200)]
package/dhcp: add host-gawk optional dependency

On hosts where gawk is not available, it is not possible to build the
package with server option (BR2_PACKAGE_DHCP_SERVER).
The build goes through without errors but the binaries are not created
and installed. The reason is that autotools cannot find gawk.

Fixes: Bug 13781
Reported-by: Kay Jeschonneck <kay.jeschonneck@airbus.com>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
3 years agopackage/hostapd: fix build with CVE-2021-30004 changes
Sergey Matyukevich [Thu, 20 May 2021 05:48:53 +0000 (08:48 +0300)]
package/hostapd: fix build with CVE-2021-30004 changes

Commit d65586f45a22 ("package/hostapd: add upstream patch to fix
CVE-2021-30004") added security patch from hostapd upstream without
required ASN.1 helpers. Backport and adapt two commits from the
hostapd upstream to add missing headers and helpers.

Fixes:
http://autobuild.buildroot.net/results/8f56cf556efbf447633ce873a21635f5adbc3cd2/

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
[yann.morin.1998@free.fr: slightly reformat the patches]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/libraw: depends on BR2_TOOLCHAIN_HAS_SYNC_4
Fabrice Fontaine [Thu, 20 May 2021 06:47:29 +0000 (08:47 +0200)]
package/libraw: depends on BR2_TOOLCHAIN_HAS_SYNC_4

libraw needs __sync_fetch_and_add since version 0.20.0 and
https://github.com/LibRaw/LibRaw/commit/d1975cb0e055d2bfe58c9d845c9a3e57c346a2f9

This will fix the following build failure with imagemagick which is
raised since commit 2f47cfade4b298350d056f6d9a7525b837e2ba23:

/home/buildroot/autobuild/run/instance-0/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/9.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/run/instance-0/output-1/host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libraw_r.so: undefined reference to `__sync_fetch_and_add_4'

Fixes:
 - http://autobuild.buildroot.org/results/900df43bd418d2da0c3ec875db1c5564dd857e94

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/imx-gpu-viv: add dependency to BR2_INSTALL_LIBSTDCPP to examples
Heiko Thiery [Thu, 20 May 2021 06:54:29 +0000 (08:54 +0200)]
package/imx-gpu-viv: add dependency to BR2_INSTALL_LIBSTDCPP to examples

The examples require libstdc++.so.6 so add the required dependency to
the Config.in.

  ./tiger: error while loading shared libraries: libstdc++.so.6: cannot open shared object file: No such file or directory

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
3 years agopackage/bullet: needs threads
Fabrice Fontaine [Thu, 20 May 2021 06:58:26 +0000 (08:58 +0200)]
package/bullet: needs threads

Build without threads fails because demo apps are not disabled since
commit 5f154799b6ed772a0c028072996e110fac131508

Fixes:
 - http://autobuild.buildroot.org/results/9db945ce0709f4116d2c1c7544322144b6e473bb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>