buildroot.git
5 years agopackage/openjdk-bin: fix install
Fabrice Fontaine [Sun, 8 Mar 2020 17:37:37 +0000 (18:37 +0100)]
package/openjdk-bin: fix install

Create $(HOST_DIR)/bin and $(HOST_DIR)/lib otherwise build can fail on:

cp -dpfr /home/buildroot/autobuild/instance-2/output-1/build/host-openjdk-bin-13.0.2_8/bin/* /home/buildroot/autobuild/instance-2/output-1/per-package/host-openjdk-bin/host/bin/
cp: target '/home/buildroot/autobuild/instance-2/output-1/per-package/host-openjdk-bin/host/bin/' is not a directory
package/pkg-generic.mk:276: recipe for target '/home/buildroot/autobuild/instance-2/output-1/build/host-openjdk-bin-13.0.2_8/.stamp_host_installed' failed
make: *** [/home/buildroot/autobuild/instance-2/output-1/build/host-openjdk-bin-13.0.2_8/.stamp_host_installed] Error 1

Fixes:
 - http://autobuild.buildroot.org/results/28bcec0d28003c2784b6cd27039099c65bac3b96

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/qt5base: fix double-conversion compile for nios2
Peter Seiderer [Sun, 8 Mar 2020 17:18:04 +0000 (18:18 +0100)]
package/qt5base: fix double-conversion compile for nios2

Add double-conversion upstream patch to enable compile for nios2.

Fixes:

  http://autobuild.buildroot.net/results/19881951a328ff4df82b5753a23219eb634e86df

  ../3rdparty/double-conversion/include/double-conversion/utils.h:114:2: error: #error Target architecture was not detected as supported by Double-Conversion.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/php: fix build without zlib
Fabrice Fontaine [Sun, 8 Mar 2020 17:05:56 +0000 (18:05 +0100)]
package/php: fix build without zlib

Build will fail if zlib is not found and mysqlnd compression support
is not disabled since version 7.4.1 and
https://github.com/php/php-src/commit/ee4295b4ce421003c2e1d2af98066826deb23319

Fixes:
 - http://autobuild.buildroot.org/results/9496d81437dba55d22a03762dcfe60d632115ab5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/binutils: fix assertion failure in xtensa ld
Max Filippov [Fri, 6 Mar 2020 03:58:03 +0000 (19:58 -0800)]
package/binutils: fix assertion failure in xtensa ld

xtensa ld fails with the following message

  ld: BFD (GNU Binutils) 2.31.1 internal error, aborting at
  elf32-xtensa.c:3283 in elf_xtensa_finish_dynamic_sections

during domoticz package build. It happens because of mismatch between
the size allocated for dynamic relocations in the executable image and
the number of PLT relocations actually written to the image. The
mismatch is caused by the fact that undefined weak symbol is treated as
dynamic (and thus needing PLT relocation), but xtensa linker not
expecting that.

Fixes: http://autobuild.buildroot.net/results/7885705f1b1c0f31cf21b464150f5509929c1906/
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Backported from: e15a8da9c71336b06cb5f2706c3f6b7e6ddd95a3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/pppd: Add upstream security fix for CVE-2020-8597
Chris Packham [Fri, 6 Mar 2020 01:04:28 +0000 (14:04 +1300)]
package/pppd: Add upstream security fix for CVE-2020-8597

Apply patch from upstream and set PPPD_INGORE_CVES appropriately.

Signed-off-by: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/libnss: fix PowerPC build failure
Giulio Benetti [Thu, 27 Feb 2020 11:02:40 +0000 (12:02 +0100)]
package/libnss: fix PowerPC build failure

NSS assumes <sys/auvx.h> is always present but that's not true, so add a
patch to check if it exists or not.

Fixes:

  http://autobuild.buildroot.net/results/425ba828d30c2bd55ce9f4f00e67bc10d9de2867/

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/ser2net: S50ser2net: alsoc heck for new config file format
James Hilliard [Fri, 6 Mar 2020 23:25:01 +0000 (16:25 -0700)]
package/ser2net: S50ser2net: alsoc heck for new config file format

When running ser2net it looks for config files in the legacy conf
format and the new yaml format so we need to allow either in the
sysv init script.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agoCHANGES: update with recent changes
Peter Korsgaard [Sun, 8 Mar 2020 13:57:27 +0000 (14:57 +0100)]
CHANGES: update with recent changes

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/proftpd: add mod_cap option
Fabrice Fontaine [Sat, 7 Mar 2020 23:27:35 +0000 (00:27 +0100)]
package/proftpd: add mod_cap option

Add an option to enable or disable mod_cap and select libcap accordingly
instead of using bundled libcap which raise a build failure with headers
< 4.3 due to PR_CAP_AMBIENT and will be removed in version 1.3.7:
https://github.com/proftpd/proftpd/commit/8c845703fcf2c7978614784126bd074ffc4477f9

Fixes:
 - http://autobuild.buildroot.org/results/4d680d8204bdf1f3deec2c3eeb9a2d9e6eabe4d5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/spidermonkey: do not build the JavaScript shell, by default
Carlos Santos [Sun, 8 Mar 2020 03:21:28 +0000 (00:21 -0300)]
package/spidermonkey: do not build the JavaScript shell, by default

Add a configuration to enable the JavaScript shell (default off). So
far only libmozjs is required (by polkit) and the shell takes around
24MiB.

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/libvncserver: fix jpeg build without png or zlib
Fabrice Fontaine [Sun, 8 Mar 2020 10:02:14 +0000 (11:02 +0100)]
package/libvncserver: fix jpeg build without png or zlib

Fixes:
 - http://autobuild.buildroot.org/results/bcc701055dd5876005fa6f78f38500399394cd75

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/cups: store web-interface files under /usr/share/cups/doc-root
Alexey Lukyanchuk [Wed, 4 Mar 2020 07:21:02 +0000 (10:21 +0300)]
package/cups: store web-interface files under /usr/share/cups/doc-root

The web-interface files (~1.8MB) are by default installed under
/usr/share/doc/cups, which is unfortunate as Buildroot removes usr/share/doc
in target-finalize, breaking the webui.

As a fix, store the web-interface files under /usr/share/cups/doc-root,
similar to how it is done in Debian.

Signed-off-by: Alexey Lukyanchuk <skif@skif-web.ru>
[Peter: use --with-docdir, update description]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/bash: fix uclibc build without wchar
Fabrice Fontaine [Sun, 23 Feb 2020 11:54:42 +0000 (12:54 +0100)]
package/bash: fix uclibc build without wchar

Fixes:
 - http://autobuild.buildroot.org/results/298fb9c785e137bff432dd304eb56986e54ce3ed

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/piglit: fix GL tests
Fabrice Fontaine [Sat, 7 Mar 2020 19:06:29 +0000 (20:06 +0100)]
package/piglit: fix GL tests

Fixes:
 - http://autobuild.buildroot.org/results/3355e4dc02b07ccfd9fe9b5cafb70c01fc88c158

Add an upstream patch to ensure tests needing GLESv3 are only built when
that is available.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/libdrm: tests/amdgpu needs atomic_ops
Peter Seiderer [Sat, 7 Mar 2020 11:36:04 +0000 (12:36 +0100)]
package/libdrm: tests/amdgpu needs atomic_ops

Add patch to fix tests/amdpu dependency on atomic_ops.

Fixes:

  http://autobuild.buildroot.net/results/e29dae423f3f80d2c34dde9a125bd216a75ad1c0

  FAILED: tests/amdgpu/amdgpu_test
  .../host/bin/sparc-linux-gcc  -o tests/amdgpu/amdgpu_test 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/amdgpu_test.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/basic_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/bo_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/cs_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/vce_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/uvd_enc_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/vcn_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/deadlock_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/vm_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/ras_tests.c.o' 'tests/amdgpu/b9f2b1d@@amdgpu_test@exe/syncobj_tests.c.o' -Wl,--as-needed -Wl,--no-undefined -Wl,-O1 -Wl,--start-group libdrm.so.2.4.0 amdgpu/libdrm_amdgpu.so.1.0.0 .../host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libcunit.so -Wl,--end-group -pthread '-Wl,-rpath,$ORIGIN/../..:$ORIGIN/../../amdgpu' -Wl,-rpath-link,.../build/libdrm-2.4.100/build/ -Wl,-rpath-link,.../build/li
 bdrm-2.4.100/build/amdgpu
  .../host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/8.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: tests/amdgpu/b9f2b1d@@amdgpu_test@exe/bo_tests.c.o: undefined reference to symbol 'AO_fetch_compare_and_swap_emulation'
  .../host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/8.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: .../host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libatomic_ops.so.1: error adding symbols: DSO missing from command line

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/swupdate: do not store local build details in swupdate config file
Thomas Petazzoni [Fri, 6 Mar 2020 10:38:39 +0000 (11:38 +0100)]
package/swupdate: do not store local build details in swupdate config file

The SWUPDATE_SET_BUILD_OPTIONS macro sets a number of swupdate
configuration options with local build details, especially the
cross-compiler path and sysroot path.

This means that if one stores an swupdate defconfig file as part of
Buildroot, generated with "make swupdate-update-defconfig", it will
contain things like:

CONFIG_CROSS_COMPILE="/home/thomas/projets/buildroot/output/host/bin/arm-linux-"
CONFIG_SYSROOT="/home/thomas/projets/buildroot/output/host/arm-buildroot-linux-uclibcgnueabi/sysroot"

which obviously are not good, as they are specific to where the build
was done.

So instead this commit:

 - Uses the CROSS_COMPILE environment variable to pass the
   cross-compiler path.

 - Drops entirely the use of CONFIG_SYSROOT, since all it does is pass
   a --sysroot option to the compiler, which is not needed in the
   context of Buildroot.

 - Pass EXTRA_CFLAGS/EXTRA_LDFLAGS also through the environment.

Thanks to that the swupdate defconfig file no longer contains any
local build details, and can be re-used by different users of a given
Buildroot configuration.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/gst1-validate: disable introspection
Peter Seiderer [Sat, 7 Mar 2020 09:54:48 +0000 (10:54 +0100)]
package/gst1-validate: disable introspection

- disable introspection unconditionally (as already done for all
  other original gstreamer1 packages)
- use '=' instead of '+=' for the first usage of GST1_VALIDATE_CONF_OPTS

Fixes:

  http://autobuild.buildroot.net/results/e6e43fb85c71af9bb599ea8bbe2e805b392cf1ad

    GEN      GstValidate-1.0.gir
  Couldn't find include 'GstPbutils-1.0.gir' (search path: '['/nvmedata/autobuild/instance-6/output-1/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/bin/../share/gir-1.0', '/usr/share/gir-1.0', '/usr/share/gir-1.0', '/usr/share/gir-1.0', '/usr/share/gir-1.0', '/usr/share/gir-1.0', '/nvmedata/autobuild/instance-6/output-1/host/share', 'gir-1.0', '/nvmedata/autobuild/instance-6/output-1/host/share/gir-1.0', '/usr/share/gir-1.0']')
  make[5]: *** [Makefile:1612: GstValidate-1.0.gir] Error 1

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/libinput: bump version to 1.15.3
Peter Seiderer [Fri, 6 Mar 2020 20:08:47 +0000 (21:08 +0100)]
package/libinput: bump version to 1.15.3

For details see [1].

[1] https://lists.freedesktop.org/archives/wayland-devel/2020-March/041288.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/thrift: disable qt4
Fabrice Fontaine [Sat, 7 Mar 2020 09:22:30 +0000 (10:22 +0100)]
package/thrift: disable qt4

host-thrift can fail if a broken Qt4 is found on host:

CMake Error in lib/cpp/CMakeLists.txt:
  Imported target "Qt4::QtCore" includes non-existent path

    "/nvmedata/autobuild/instance-4/output-1/host/usr/mkspecs/default"

  in its INTERFACE_INCLUDE_DIRECTORIES.  Possible reasons include:

  * The path was deleted, renamed, or moved to another location.

  * An install or uninstall procedure did not complete successfully.

  * The installation package was faulty and references files it does not
  provide.

Fixes:
 - http://autobuild.buildroot.org/results/57cad5313896c868e99b0b9534678f1c83a386f2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/ruby: fix build on mips
Fabrice Fontaine [Fri, 28 Feb 2020 08:44:35 +0000 (09:44 +0100)]
package/ruby: fix build on mips

Fixes:
 - http://autobuild.buildroot.org/results/d0ab5334f195a400a6d6dd6c49e3c1a2001b2b70

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/guile: fix build without makeinfo
Fabrice Fontaine [Sat, 7 Mar 2020 10:00:07 +0000 (11:00 +0100)]
package/guile: fix build without makeinfo

Fixes:
 - http://autobuild.buildroot.org/results/9605aac6f760bfff190d0ab95fa50f65486ffe90

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/erlang-p1-acme: needs C++
Fabrice Fontaine [Sat, 7 Mar 2020 16:46:19 +0000 (17:46 +0100)]
package/erlang-p1-acme: needs C++

Fixes:
 - http://autobuild.buildroot.org/results/79310855f9a2abe569365ffd27e776f1a56dba2e

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/bcm2835: bump version to 1.62
Peter Seiderer [Mon, 2 Mar 2020 10:40:47 +0000 (11:40 +0100)]
package/bcm2835: bump version to 1.62

Changelog (since 1.60):
  - 1.61 2020-01-11 Fixed errors in the documentation for bcm2835_spi_write.
    Fixes issue seen on Raspberry Pi 4 boards where 64-bit off_t is used by
    default via -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64. The offset was
    being incorrectly converted, this way is clearer and fixes the problem.
    Contributed by Jonathan Perkin.
  - 1.62 2020-01-12 Fixed a problem that could cause compile failures with
    size_t and off_t

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/gstreamer1/gstreamer1: update tools comment
Peter Seiderer [Tue, 3 Mar 2020 16:58:48 +0000 (17:58 +0100)]
package/gstreamer1/gstreamer1: update tools comment

The tools option installs more than gst-launch and gst-inspect, so
simplify its prompt to just "install tools", and update the Config.in
help text. While at it, we list them alphabetically.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/libevdev: add host-python dependency
Peter Seiderer [Mon, 2 Mar 2020 15:09:05 +0000 (16:09 +0100)]
package/libevdev: add host-python dependency

Fixes:

  checking for a Python interpreter with version >= 2.6... none
  configure: error: no suitable Python interpreter found

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/mesa3d: fix nouveau std::isinf related compile failure
Peter Seiderer [Wed, 4 Mar 2020 11:00:50 +0000 (12:00 +0100)]
package/mesa3d: fix nouveau std::isinf related compile failure

Activate already existing mesa3d solution for the isinf compile
failure for uclibc based toolchains instead of using a custom
workaround.

- remove 0005-src-gallium-drivers-nouveau-codegen-nv50_ir_ra.cpp-p.patch
- add 0004-c99_math-import-isinf-for-uclibc-based-toolchains.patch

Fixes:
  http://autobuild.buildroot.net/results/cbefc5d4a4fefb674e596400fa1d2698cd89c5b3/
  http://autobuild.buildroot.net/results/dc974da012f53fa4ed3be616f937b0afae423d66/

  ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp: In member function 'bool nv50_ir::GCRA::simplify()':
  ../src/gallium/drivers/nouveau/codegen/nv50_ir_ra.cpp:1348:19: error: expected unqualified-id before '(' token
            if (std::isinf(bestScore)) {
                     ^

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/nodejs: bump version to v12.16.1
Adam Duskett [Tue, 3 Mar 2020 19:11:33 +0000 (11:11 -0800)]
package/nodejs: bump version to v12.16.1

Fixes a number of regressions introduced in v12.16.0:
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.16.1

Tested on Debian 9 and Ubuntu 18.04

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/libsndfile: fix CVE-2019-3832
Fabrice Fontaine [Wed, 4 Mar 2020 22:21:03 +0000 (23:21 +0100)]
package/libsndfile: fix CVE-2019-3832

It was discovered the fix for CVE-2018-19758 (libsndfile) was not
complete and still allows a read beyond the limits of a buffer in
wav_write_header() function in wav.c. A local attacker may use this flaw
to make the application crash.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/libsndfile: fix CVE-2018-19758
Fabrice Fontaine [Wed, 4 Mar 2020 22:21:02 +0000 (23:21 +0100)]
package/libsndfile: fix CVE-2018-19758

There is a heap-based buffer over-read at wav.c in wav_write_header in
libsndfile 1.0.28 that will cause a denial of service.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agoMakefile: work around a bug in newly released make 4.3
Yann E. MORIN [Wed, 4 Mar 2020 13:40:37 +0000 (14:40 +0100)]
Makefile: work around a bug in newly released make 4.3

Several users of rolling-release distributions have been reporting on
IRC that Buildroot is broken now that they have switched to the newly
released make 4.3.

It turns out that the constructs we use to generated and include the
internal br2-external related fragments is no longer working with
make-4.3.

Indeed, an upstream bug report [0] seems to imply that it so far was
working by chance. There has been no further feedback, whether this is
really considered a fix for a previous ill-defined behaviour, or an
actual regression...

In the meantime, we add a workaround, suggested in that same bug report,
that fixes the issue for make 4.3, and that should not break on older
make versions either (verified on all relevant versions: from 3.81,
3.82, 4.0, 4.1, and 4.2).

[0] https://savannah.gnu.org/bugs/?57676

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Mircea Gliga <mgliga@bitdefender.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/jhead: security bump to version 3.04
Fabrice Fontaine [Wed, 4 Mar 2020 21:45:32 +0000 (22:45 +0100)]
package/jhead: security bump to version 3.04

- Fix CVE-2019-1010301: jhead 3.03 is affected by: Buffer Overflow. The
  impact is: Denial of service. The component is: gpsinfo.c Line 151
  ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG
  file.
- Fix CVE-2019-1010302: jhead 3.03 is affected by: Incorrect Access
  Control. The impact is: Denial of service. The component is: iptc.c
  Line 122 show_IPTC(). The attack vector is: the victim must open a
  specially crafted JPEG file.
- Fix CVE-2019-19035: jhead 3.03 is affected by: heap-based buffer
  over-read. The impact is: Denial of service. The component is:
  ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is:
  Open a specially crafted JPEG file.
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/python-django: security bump to version 3.0.4
Peter Korsgaard [Wed, 4 Mar 2020 19:54:52 +0000 (20:54 +0100)]
package/python-django: security bump to version 3.0.4

Fixes the following security vulnerabilities:

- CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS
  functions and aggregates on Oracle.
  GIS functions and aggregates on Oracle were subject to SQL injection,
  using a suitably crafted tolerance.

For more details, see the advisory:
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/mesa3d: fix linux/kcmp.h related compile failure
Peter Seiderer [Mon, 2 Mar 2020 11:08:26 +0000 (12:08 +0100)]
package/mesa3d: fix linux/kcmp.h related compile failure

Add upstream patch [1].

Fixes:

  http://autobuild.buildroot.net/results/df5bcb8e4f6e98c4de347abbbe91e10a98047422

  ../src/util/os_file.c:37:24: fatal error: linux/kcmp.h: No such file or directory

[1] https://cgit.freedesktop.org/mesa/mesa/commit/?id=f7bfb10c69dfe48a91e35523cb5ee641bdbf6988

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Reviewed-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agoutils/genrandconfig: drop outdated python-nfc check
Peter Korsgaard [Tue, 3 Mar 2020 22:59:20 +0000 (23:59 +0100)]
utils/genrandconfig: drop outdated python-nfc check

Commit 9ea528f84ba (package/python-nfc: bump to version 0.13.5) changed the
python-nfc package to download from github, so the package no longer needs
bzr on the host.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/fbgrab: bump version to 1.3.1 and update projct URL
Peter Seiderer [Wed, 4 Mar 2020 10:31:41 +0000 (11:31 +0100)]
package/fbgrab: bump version to 1.3.1 and update projct URL

- bump version to 1.3.1
  Changelog:
  * Incorrect alpha value when converting 32-bit framebuffers.
  * Documentation for github instead of own homepage.

- update project URL

Fixes bug 12606 ([1]).

[1] https://bugs.busybox.net/show_bug.cgi?id=12606

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Timo Ketola <timo.ketola@exertus.fi>
Acked-by: Timo Ketola <timo.ketola@exertus.fi>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/gst1-plugins-base: fix static linking
Peter Seiderer [Tue, 3 Mar 2020 16:30:45 +0000 (17:30 +0100)]
package/gst1-plugins-base: fix static linking

Add patch to fix static linking of tools.

Fixes:

  http://autobuild.buildroot.net/results/b33019b3c9ad856aced34215c69bb292b536e25e

  .../bin/ld: .../usr/lib/libgstreamer-1.0.a(gstplugin.c.o): in function `gst_plugin_register_func':
  gstplugin.c:(.text+0x3bc): undefined reference to `g_module_make_resident'
  .../bin/ld: .../usr/lib/libgstreamer-1.0.a(gstplugin.c.o): in function `_priv_gst_plugin_load_file_for_registry':
  gstplugin.c:(.text+0x1228): undefined reference to `g_module_supported'
  .../bin/ld: gstplugin.c:(.text+0x126c): undefined reference to `g_module_open'
  .../bin/ld: gstplugin.c:(.text+0x1368): undefined reference to `g_module_symbol'
  .../bin/ld: gstplugin.c:(.text+0x1494): undefined reference to `g_module_supported'
  .../bin/ld: gstplugin.c:(.text+0x17f4): undefined reference to `g_module_close'
  .../bin/ld: gstplugin.c:(.text+0x1a2c): undefined reference to `g_module_error'

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agoConfig.in: drop BR2_NEEDS_HOST_{JAVAC,JAR}
Peter Korsgaard [Tue, 3 Mar 2020 22:55:48 +0000 (23:55 +0100)]
Config.in: drop BR2_NEEDS_HOST_{JAVAC,JAR}

With classpath removed, no packages select these symbols any more - So drop
them and their corresponding logic in dependencies.sh / genrandconfig.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/classpath: drop package
James Hilliard [Mon, 2 Mar 2020 10:01:46 +0000 (03:01 -0700)]
package/classpath: drop package

This package has been abandoned by upstream since 2016 and has not
had a release since 2012. In addition the GNU Compiler for Java
that classpath was written to be used with has been removed as of
GCC 7.

It is no longer feasible to support classpath as it requires a java
compiler capable of producing java 1.5 compatible bytecode which is
not possible on hosts with a recent java compiler.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/jamvm: drop package
James Hilliard [Tue, 3 Mar 2020 22:12:58 +0000 (15:12 -0700)]
package/jamvm: drop package

JamVM has not had a release since 2014 and is unmaintained.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/zziplib: fix CVE-2018-17828
Fabrice Fontaine [Tue, 3 Mar 2020 20:16:22 +0000 (21:16 +0100)]
package/zziplib: fix CVE-2018-17828

Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to
overwrite arbitrary files via a .. (dot dot) in a zip file, because of
the function unzzip_cat in the bins/unzzipcat-mem.c file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/zziplib: fix CVE-2018-16548
Fabrice Fontaine [Tue, 3 Mar 2020 20:16:21 +0000 (21:16 +0100)]
package/zziplib: fix CVE-2018-16548

An issue was discovered in ZZIPlib through 0.13.69. There is a memory
leak triggered in the function __zzip_parse_root_directory in zip.c,
which will lead to a denial of service attack.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/patch: annotate CVE-2019-13638
Fabrice Fontaine [Tue, 3 Mar 2020 19:47:03 +0000 (20:47 +0100)]
package/patch: annotate CVE-2019-13638

GNU patch through 2.7.6 is vulnerable to OS shell command injection that
can be exploited by opening a crafted patch file that contains an ed
style diff payload with shell metacharacters. The ed editor does not
need to be present on the vulnerable system. This is different from
CVE-2018-1000156.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/patch: fix CVE-2019-13636
Fabrice Fontaine [Tue, 3 Mar 2020 19:47:02 +0000 (20:47 +0100)]
package/patch: fix CVE-2019-13636

In GNU patch through 2.7.6, the following of symlinks is mishandled in
certain cases other than input files. This affects inp.c and util.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/patch: fix CVE-2018-20969
Fabrice Fontaine [Tue, 3 Mar 2020 19:47:01 +0000 (20:47 +0100)]
package/patch: fix CVE-2018-20969

do_ed_script in pch.c in GNU patch through 2.7.6 does not block strings
beginning with a ! character. NOTE: this is the same commit as for
CVE-2019-13638, but the ! syntax is specific to ed, and is unrelated to
a shell metacharacter.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/patch: annotate CVE-2018-1000156
Fabrice Fontaine [Tue, 3 Mar 2020 19:47:00 +0000 (20:47 +0100)]
package/patch: annotate CVE-2018-1000156

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/patch: annote CVE-2018-6951
Fabrice Fontaine [Tue, 3 Mar 2020 19:46:59 +0000 (20:46 +0100)]
package/patch: annote CVE-2018-6951

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agoMakefile: remove bogus comment
Thomas Petazzoni [Tue, 3 Mar 2020 21:09:47 +0000 (22:09 +0100)]
Makefile: remove bogus comment

The comment "Check files that are touched by more than one package"
was previously located right before the calls to the check-uniq-files
script. However, this script and the logic calling it have been
removed in commit 2496189a4207173e4cd5bbab90256f911175ee57 ("core:
drop check-uniq-files"), so the comment no longer makes any sense:
let's drop it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/libvncserver: fix CVE-2019-15681
Fabrice Fontaine [Tue, 3 Mar 2020 19:02:32 +0000 (20:02 +0100)]
package/libvncserver: fix CVE-2019-15681

LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a
memory leak (CWE-655) in VNC server code, which allow an attacker to
read stack memory and can be abused for information disclosure. Combined
with another vulnerability, it can be used to leak stack memory and
bypass ASLR. This attack appear to be exploitable via network
connectivity. These vulnerabilities have been fixed in commit
d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agopackage/libvncserver: fix CVE-2018-20750
Fabrice Fontaine [Tue, 3 Mar 2020 19:02:31 +0000 (20:02 +0100)]
package/libvncserver: fix CVE-2018-20750

LibVNC through 0.9.12 contains a heap out-of-bounds write vulnerability
in libvncserver/rfbserver.c. The fix for CVE-2018-15127 was incomplete.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
5 years agoRevert "package/linux-firmware: add missing symlinks"
Yann E. MORIN [Tue, 3 Mar 2020 15:35:50 +0000 (16:35 +0100)]
Revert "package/linux-firmware: add missing symlinks"

This reverts commit 23d12793d54480617f4dd104bc70c53e80582fdb, which was
intended for the next branch, not master.

Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Antoine Tenart <antoine.tenart@bootlin.com>
Cc: Baruch Siach <baruch@tkos.co.il>
5 years agoUpdate for 2020.02-rc3
Peter Korsgaard [Mon, 2 Mar 2020 23:01:39 +0000 (00:01 +0100)]
Update for 2020.02-rc3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/rocksdb: fix C++ tests
Fabrice Fontaine [Mon, 24 Feb 2020 10:54:57 +0000 (11:54 +0100)]
package/rocksdb: fix C++ tests

This will fix a build failure on xtensa and nios2 that missed
-faligned-new

Fixes:
 - http://autobuild.buildroot.org/results/58bf25a16984c4d5f3ce0e26a56712410b67c53a
 - http://autobuild.buildroot.org/results/718fee3d20ef00ffa5c3e617a036cf2b82c97411

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/libvncserver: fix pkg-config file
Fabrice Fontaine [Fri, 28 Feb 2020 12:17:17 +0000 (13:17 +0100)]
package/libvncserver: fix pkg-config file

This will fix a build failure with vlc and without zlib

Fixes:
 - http://autobuild.buildroot.org/results/7d5f5980f1ba248a1d95b380d422eaeeaca265f8

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agosupport/scripts/pkg-stats: clear multiprocessing pools after use
Titouan Christophe [Sun, 1 Mar 2020 21:25:28 +0000 (22:25 +0100)]
support/scripts/pkg-stats: clear multiprocessing pools after use

During the CVE checking phase, we can still see a huge amount of
Python processes (actually 128) running on the host, even though
the CVE step is entirely ran in the main thread.

These are actually the worker processes spawned to check for the
packages URL statuses and the latest versions from release-monitoring.
This is because of an issue in Python's multiprocessing implementation:
https://bugs.python.org/issue34172

The problem was already there before the CVE matching step was
introduced, but because pkg-stat was terminating right after the
release-monitoring step, it went unnoticed.

Also, do not hold a reference to the multiprocessing pool from
the Package class, as this is not needed.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agosupport/scripts/pkg-stats: decode subprocess output for python3
Titouan Christophe [Sun, 1 Mar 2020 21:18:48 +0000 (22:18 +0100)]
support/scripts/pkg-stats: decode subprocess output for python3

In Python 3, the functions from the subprocess module return bytes
(and no longer strings as in Python 2), which must be decoded for
further text operations.

Now, pkg-stats can be run in Python 3.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/taglib: fix CVE-2018-11439
Fabrice Fontaine [Sun, 1 Mar 2020 20:37:59 +0000 (21:37 +0100)]
package/taglib: fix CVE-2018-11439

The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLib
1.11.1 allows remote attackers to cause information disclosure
(heap-based buffer over-read) via a crafted audio file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/taglib: fix CVE-2017-12678
Fabrice Fontaine [Sun, 1 Mar 2020 20:37:58 +0000 (21:37 +0100)]
package/taglib: fix CVE-2017-12678

In TagLib 1.11.1, the rebuildAggregateFrames function in
id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted audio file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/python-multidict: bump to version 4.7.5
James Hilliard [Mon, 2 Mar 2020 09:43:33 +0000 (02:43 -0700)]
package/python-multidict: bump to version 4.7.5

Bugfix release, fixing a number of issues. From the CHANGES file:

- Fixed creating and updating of MultiDict from a sequence of pairs and
  keyword arguments.  Previously passing a list argument modified it
  inplace, and other sequences caused an error.
  https://github.com/aio-libs/multidict/issues/457

- Fixed comparing with mapping: an exception raised in the __len__ method caused raising a SyntaxError.
  https://github.com/aio-libs/multidict/issues/459

- Fixed comparing with mapping: all exceptions raised in the __getitem__
  method were silenced.
  https://github.com/aio-libs/multidict/issues/460>

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agolinux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series
Peter Korsgaard [Mon, 2 Mar 2020 21:49:20 +0000 (22:49 +0100)]
linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/qt5tools: hide qdoc with llvm dependencies
Yann E. MORIN [Fri, 28 Feb 2020 14:00:54 +0000 (15:00 +0100)]
package/qt5tools: hide qdoc with llvm dependencies

Building qdoc requires a llvm and clang for the host.

However, there is a limitation in the llvm and clang packages in
Buildroot, which makes it impossible to have a host variant without
a target variant.

So, propagate the dependencies of the target llvm and clang, to ensure
we can only have a host-llvm and -clang packages that are correctly
built.

Note that we do propagate all of the dependencies (instead of just the
architecture part), to be consistent.

Reported-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Seiderer <ps.report@gmx.net>
Cc: Julien Corjon <corjon.j@ecagroup.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/elf2flt: remove backported patch
Romain Naour [Thu, 27 Feb 2020 22:19:22 +0000 (23:19 +0100)]
package/elf2flt: remove backported patch

The patch added by [1] to fix a segfault with elf2flt when binutils
2.33.1 is used on ARM, introduce a regression with previous binutils
version on m68k and ARM.

Theses issues has been reported upstream [2] [3] but there is no
definitive solution.

The binutils 2.33.1 has been disabled for configurations using
BR2_BINFMT_FLAT by the previous commit, so we can safely remove
the patch.

Fixes:
[acpica-20191018]
http://autobuild.buildroot.net/results/81ee33eb606062a62765d95b66a26f130d280c53
[augeas-1.12.0]
http://autobuild.buildroot.net/results/4e1f7f335d2c853e2a5e6ad96c14157ba8f003c7
[cairo-1.16.0]
http://autobuild.buildroot.net/results/976d99bc9b052f8d9429e666ac7fff7768ffff6b
[fontconfig-2.13.1]
http://autobuild.buildroot.net/results/4a5a8cb6411d709acb7ea8c83b3c8e45fdc0a10b
[gptfdisk-1.0.4]
http://autobuild.buildroot.net/results/6db5f9d8663730a54b04c1e624438095598b2573
[libopenssl-1.1.1d]
http://autobuild.buildroot.net/results/acf87e81130e85e7fb05edf5f6dedf095f16e226
[mimic-1.1.0]
http://autobuild.buildroot.net/results/61f53630ed85ee0d0d6dbf71012db77f4d7986ad
Maybe more...

[1] 2b064f86b6a0fd683f307b51f12d9d919fcaa386
[2] https://github.com/uclinux-dev/elf2flt/pull/16
[3] https://github.com/uclinux-dev/elf2flt/issues/12

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/binutils: disable binutils >= 2.33.1 for configurations using BR2_BINFMT_FLAT
Romain Naour [Thu, 27 Feb 2020 22:19:21 +0000 (23:19 +0100)]
package/binutils: disable binutils >= 2.33.1 for configurations using BR2_BINFMT_FLAT

The patch added by [1] to fix a segfault with elf2flt when binutils
2.33.1 is used on ARM, introduce a regression with previous binutils
version on m68k and ARM.

Theses issues has been reported upstreme [2] [3].

For now, disable binutils >= 2.33.1 for configurations using
BR2_BINFMT_FLAT.

[1] 2b064f86b6a0fd683f307b51f12d9d919fcaa386
[2] https://github.com/uclinux-dev/elf2flt/pull/16
[3] https://github.com/uclinux-dev/elf2flt/issues/12

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/python-setuptools-scm-git-archive: depends on python-setuptools-scm
Yegor Yefremov [Wed, 5 Feb 2020 10:13:36 +0000 (11:13 +0100)]
package/python-setuptools-scm-git-archive: depends on python-setuptools-scm

python-setuptools-scm-git-archive requires python-setuptools-scm package so
add it to its dependencies.

Fixes:
http://autobuild.buildroot.net/results/b356c948cf2b22534ca333cfe34dee31371c0007

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/lxc: cgroups: initialize cpuset properly
Romain Naour [Sun, 1 Mar 2020 21:06:09 +0000 (22:06 +0100)]
package/lxc: cgroups: initialize cpuset properly

The tests.package.test_lxc.TestLxc failure on gitlab
is similar to the issue reported by [1] and fixed by [2].

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255988

[1] https://github.com/NixOS/nixpkgs/issues/75467#issuecomment-569386159
[2] https://github.com/lxc/lxc/pull/3109

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Jérôme Pouiller <jezz@sysmic.org>
Cc: Patrick Havelange <patrick.havelange@essensium.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/mosquitto: bump to v1.6.9
Titouan Christophe [Mon, 2 Mar 2020 10:15:59 +0000 (11:15 +0100)]
package/mosquitto: bump to v1.6.9

mosquitto 1.6.9 is a bugfix release, see the announcement:
https://mosquitto.org/blog/2020/02/version-1-6-9-released/

Also update the indentation of the hash file to 2 spaces,
and add URL of the GPG signature in hash file comment.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/wireshark: security bump to v3.2.2
Titouan Christophe [Mon, 2 Mar 2020 10:34:17 +0000 (11:34 +0100)]
package/wireshark: security bump to v3.2.2

This fixes the following CVEs:
 - CVE-2020-9428:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the EAP dissector could crash. This was addressed in
   epan/dissectors/packet-eap.c by using more careful sscanf parsing.

 - CVE-2020-9429:
   In Wireshark 3.2.0 to 3.2.1, the WireGuard dissector could crash.
   This was addressed in epan/dissectors/packet-wireguard.c by
   handling the situation where a certain data structure intentionally
   has a NULL value.

 - CVE-2020-9430:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the WiMax DLMAP dissector could crash.
   This was addressed in plugins/epan/wimax/msg_dlmap.c by validating
   a length field.

 - CVE-2020-9431:
   In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
   the LTE RRC dissector could leak memory. This was addressed in
   epan/dissectors/packet-lte-rrc.c by adjusting certain append operations.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/systemd: also fix rpath for machine-id-setup
Yann E. MORIN [Sun, 1 Mar 2020 07:21:52 +0000 (08:21 +0100)]
package/systemd: also fix rpath for machine-id-setup

Fixes: #12576
Reported-by: Melanie <melanie@trash-mail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/systemd: also fix rpath for nspawn
Yann E. MORIN [Sat, 29 Feb 2020 14:43:16 +0000 (15:43 +0100)]
package/systemd: also fix rpath for nspawn

Fixes:
    http://autobuild.buildroot.org/results/e03ae6a3209eea00459b94cee9c10fd4f2184fec/

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <aduskett@gmail.com>
Cc: Jérémy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/libvorbis: annote CVE-2018-10393
Fabrice Fontaine [Sun, 1 Mar 2020 18:02:26 +0000 (19:02 +0100)]
package/libvorbis: annote CVE-2018-10393

bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a
stack-based buffer over-read.

Same patch as for CVE-2017-14160

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - update 0001-*.patch to also reference CVE-2018-10393
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/libvorbis: fix CVE-2018-10392
Fabrice Fontaine [Sun, 1 Mar 2020 18:02:25 +0000 (19:02 +0100)]
package/libvorbis: fix CVE-2018-10392

mapping0_forward in mapping0.c in Xiph.Org libvorbis 1.3.6 does not
validate the number of channels, which allows remote attackers to cause
a denial of service (heap-based buffer overflow or over-read) or
possibly have unspecified other impact via a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/blktrace: fix CVE-2018-10689
Fabrice Fontaine [Sun, 1 Mar 2020 17:45:29 +0000 (18:45 +0100)]
package/blktrace: fix CVE-2018-10689

blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and
Android, has a buffer overflow in the dev_map_read function in
btt/devmap.c because the device and devno arrays are too small, as
demonstrated by an invalid free when using the btt program with a
crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agosupport/testing: test_systemd.py: add linux fragment to enable CONFIG_BINFMT_MISC
Romain Naour [Sun, 1 Mar 2020 16:26:47 +0000 (17:26 +0100)]
support/testing: test_systemd.py: add linux fragment to enable CONFIG_BINFMT_MISC

While investigating [1] one units failed due to missing kernel option
CONFIG_BINFMT_MISC needed by "proc-sys-fs-binfmt_misc.mount" service.

It's because the kernel support autofs4 but not MISC binaries.

Since the systemd test infra use the default defconfig (vexpress),
we need to provide a linux fragment to enable CONFIG_BINFMT_MISC.

[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr:
  - move the kernel config with the others in conf/
]
Tested-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/systemd: random-seed: add missing header for GRND_NONBLOCK
Romain Naour [Sun, 1 Mar 2020 16:26:46 +0000 (17:26 +0100)]
package/systemd: random-seed: add missing header for GRND_NONBLOCK

GRND_NONBLOCK has been introduced with the 3.17 kernel version [1]
while adding getrandom(2) system call.

The header missing_random.h is needed for random-seed.c when building
with old toolchain, such Sourcery CodeBench ARM 2014.05 (kernel headers
3.13).

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c6e9d6f38894798696f23c8084ca7edbf16ee895

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/pure-ftpd: fix CVE-2020-9365
Fabrice Fontaine [Sat, 29 Feb 2020 20:34:16 +0000 (21:34 +0100)]
package/pure-ftpd: fix CVE-2020-9365

An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) read
has been detected in the pure_strcmp function in utils.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/pure-ftpd: fix CVE-2019-20176
Fabrice Fontaine [Sat, 29 Feb 2020 20:34:15 +0000 (21:34 +0100)]
package/pure-ftpd: fix CVE-2019-20176

In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
listdir function in ls.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/openjpeg: fix CVE-2020-8112
Fabrice Fontaine [Sat, 29 Feb 2020 20:24:42 +0000 (21:24 +0100)]
package/openjpeg: fix CVE-2020-8112

opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through
2020-01-28 has a heap-based buffer overflow in the qmfbid==1 case, a
different issue than CVE-2020-6851.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/openjpeg: fix CVE-2020-6851
Fabrice Fontaine [Sat, 29 Feb 2020 20:24:41 +0000 (21:24 +0100)]
package/openjpeg: fix CVE-2020-6851

OpenJPEG through 2.3.1 has a heap-based buffer overflow in
opj_t1_clbl_decode_processor in openjp2/t1.c because of lack of
opj_j2k_update_image_dimensions validation.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/openjpeg: fix CVE-2019-12973
Fabrice Fontaine [Sat, 29 Feb 2020 20:24:40 +0000 (21:24 +0100)]
package/openjpeg: fix CVE-2019-12973

In OpenJPEG 2.3.1, there is excessive iteration in the
opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could
leverage this vulnerability to cause a denial of service via a crafted
bmp file. This issue is similar to CVE-2018-6616.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/emlog: annotate CVE-2019-16868 and CVE-2019-17073
Fabrice Fontaine [Sat, 29 Feb 2020 20:45:48 +0000 (21:45 +0100)]
package/emlog: annotate CVE-2019-16868 and CVE-2019-17073

CVE-2019-16868 and CVE-2019-17073 are misclassified (by our CVE tracker)
as affecting emlog, while in fact it affects http://www.emlog.net.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/linux-firmware: add missing symlinks
James Hilliard [Thu, 27 Feb 2020 15:43:54 +0000 (08:43 -0700)]
package/linux-firmware: add missing symlinks

As of upstream commit 9cfefbd7fbdaa5ae769e3061c463f8345d146fb7
we must manually create symlinks as they are no longer present
in the archive but created at installation.

Fixes:
    http://autobuild.buildroot.net/results/46fdacbe4064d72aaafa9f52741121d8e4fe64ab/

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/shellinabox: fix CVE-2018-16789
Fabrice Fontaine [Sat, 29 Feb 2020 22:55:11 +0000 (23:55 +0100)]
package/shellinabox: fix CVE-2018-16789

libhttp/url.c in shellinabox through 2.20 has an implementation flaw in
the HTTP request parsing logic. By sending a crafted multipart/form-data
HTTP request, an attacker could exploit this to force shellinaboxd into
an infinite loop, exhausting available CPU resources and taking the
service down.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/suricata: fix CVE-2019-18792
Fabrice Fontaine [Sat, 29 Feb 2020 22:46:43 +0000 (23:46 +0100)]
package/suricata: fix CVE-2019-18792

An issue was discovered in Suricata 5.0.0. It is possible to
bypass/evade any tcp based signature by overlapping a TCP segment with a
fake FIN packet. The fake FIN packet is injected just before the PUSH
ACK packet we want to bypass. The PUSH ACK packet (containing the data)
will be ignored by Suricata because it overlaps the FIN packet (the
sequence and ack number are identical in the two packets). The client
will ignore the fake FIN packet because the ACK flag is not set. Both
linux and windows clients are ignoring the injected packet.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/libcgroup: fix CVE-2018-14348
Fabrice Fontaine [Sat, 29 Feb 2020 22:30:18 +0000 (23:30 +0100)]
package/libcgroup: fix CVE-2018-14348

libcgroup up to and including 0.41 creates /var/log/cgred with mode 0666
regardless of the configured umask, leading to disclosure of information

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agoconfigs:nitrogen{6sx, 6x, 7, 8m}: fix typo in kernel headers version
Romain Naour [Sat, 29 Feb 2020 22:45:46 +0000 (23:45 +0100)]
configs:nitrogen{6sx, 6x, 7, 8m}: fix typo in kernel headers version

A typo has been introduced during the last version bump [1].

[1] 00252b101a86ef136fc4afc045ba16324cbccb3b

Fixes:
[nitrogen6sx]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255632
[nitrogen6x]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255635
[nitrogen7]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255638
[nitrogen6m8]
https://gitlab.com/buildroot.org/buildroot/-/jobs/454255640

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Gary Bisson <bisson.gary@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/exiv2: annotate CVE-2019-13504
Fabrice Fontaine [Sat, 29 Feb 2020 21:32:02 +0000 (22:32 +0100)]
package/exiv2: annotate CVE-2019-13504

CVE-2019-13504 is misclassified (by our CVE tracker) as affecting
version 0.27.2, while in fact both commits that fixed this issue are
already in this version: bd0afe039043 and 54f0bebca032.

(From: https://security-tracker.debian.org/tracker/CVE-2019-13504)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/exiv2: fix CVE-2019-20421
Fabrice Fontaine [Sat, 29 Feb 2020 21:32:04 +0000 (22:32 +0100)]
package/exiv2: fix CVE-2019-20421

In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input
file can result in an infinite loop and hang, with high CPU consumption.
Remote attackers could leverage this vulnerability to cause a denial of
service via a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/cairo: fix CVE-2018-19876
Fabrice Fontaine [Sat, 29 Feb 2020 20:00:16 +0000 (21:00 +0100)]
package/cairo: fix CVE-2018-19876

Add an upstream patch to fix CVE-2018-19876: cairo 1.16.0, in
cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a
free function incompatible with WebKit's fastMalloc, leading to an
application crash with a "free(): invalid pointer" error.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/rdesktop: add xlib_libXrandr optional dependency
Fabrice Fontaine [Sat, 29 Feb 2020 19:35:01 +0000 (20:35 +0100)]
package/rdesktop: add xlib_libXrandr optional dependency

xlib_libXrandr is an optional dependency since version 1.7.0 and
https://github.com/rdesktop/rdesktop/commit/6ee9faeffcd9dd2e4c262d732e15a3a02278578d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/exiv2: fix CVE-2019-17402
Fabrice Fontaine [Sat, 29 Feb 2020 21:32:03 +0000 (22:32 +0100)]
package/exiv2: fix CVE-2019-17402

Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in
types.cpp when called from Exiv2::Internal::CiffDirectory::readDirectory
in crwimage_int.cpp, because there is no validation of the relationship
of the total size to the offset and size.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/rdesktop: security bump to version 1.8.6
Fabrice Fontaine [Sat, 29 Feb 2020 18:10:08 +0000 (19:10 +0100)]
package/rdesktop: security bump to version 1.8.6

- Fix CVE-2019-15682: RDesktop version 1.8.4 contains multiple
  out-of-bound access read vulnerabilities in its code, which results in
  a denial of service (DoS) condition. This attack appear to be
  exploitable via network connectivity. These issues have been fixed in
  version 1.8.5
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/openrc: remove keymaps units if kbd package is not selected
Carlos Santos [Sat, 29 Feb 2020 18:26:21 +0000 (15:26 -0300)]
package/openrc: remove keymaps units if kbd package is not selected

keymaps and save-keymaps require kbd_mode and dumpkeys, respectively, so
remove them if the kbd package is not selected (e.g. devices with serial
console, only).

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Tested-by: Adam Duskett <aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - expand to three commands to match the existing hook
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/qpdf: fix comment
Fabrice Fontaine [Sat, 29 Feb 2020 19:07:01 +0000 (20:07 +0100)]
package/qpdf: fix comment

Commit 3f9bcc01b3ef94c8f138b6dccc861d9e222de5ef forgot to update comment

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/qpdf: needs wchar
Fabrice Fontaine [Sat, 29 Feb 2020 13:01:30 +0000 (14:01 +0100)]
package/qpdf: needs wchar

Upstream was not too keen [0] on applying fixes for toolchains without
wchar, so just require that.

The sole user selecting qpdf already depends on wchar, so update the
comment accordingly.

[0] https://github.com/qpdf/qpdf/pull/405#issuecomment-592971907

Fixes:
 - http://autobuild.buildroot.org/results/99c82d4775ed44bd04d0a48188ff590dcba73d69

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: drop the patch, add the dependency]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/openrc: fix post-install-target addition
Carlos Santos [Sat, 29 Feb 2020 18:18:07 +0000 (15:18 -0300)]
package/openrc: fix post-install-target addition

OPENRC_POST_TARGET_INSTALL_HOOKS -> OPENRC_POST_INSTALL_TARGET_HOOKS

Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/boost: annotate _IGNORE_CVES for CVE-2009-3654
Fabrice Fontaine [Sat, 29 Feb 2020 09:46:09 +0000 (10:46 +0100)]
package/boost: annotate _IGNORE_CVES for CVE-2009-3654

This CVE does not affect the boost package, but is misclassified by our
CVS tracker. As per the advisory:

    Unspecified vulnerability in Boost before 6.x-1.03, a module for
    Drupal, allows remote attackers to create new webroot directories
    via unknown attack vectors.

Ignore the CVS, and expand a comment to explain it.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: expand the comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
5 years agopackage/libgdiplus: backport of fix for GifQuantizeBuffer
Heiko Thiery [Fri, 28 Feb 2020 09:19:43 +0000 (10:19 +0100)]
package/libgdiplus: backport of fix for GifQuantizeBuffer

In newer version of giflib the GifQuantizeBuffer code was removed.

libgdiplus included the needed function by their own:
(https://github.com/mono/libgdiplus/pull/575).

This patch will become obsolete once libgdiplus is bumped to version 6.x.

Fixes:
http://autobuild.buildroot.net/results/46c5cf068cf9ea50e53491870d9dbf3f134c8c22

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/openrc: needs kmod
Yann E. MORIN [Fri, 28 Feb 2020 20:25:52 +0000 (21:25 +0100)]
package/openrc: needs kmod

openrc provides scripts that have been written for the big-gun kmod, and
so use options unknown to the busybox' provided applets:

  - Busybox modprobe does not have a "--first-time" option,
  - the "--verbose" option is just "-v",
  - the "--use-blacklist" option is just "-b". Also blacklist support is
    not selected in our default busybox configuration.

One of two options, is to "fix" or "adapt" openrc's scripts to busybox,
which means for the openrc package to go peek into files from the
busybox package, which is not nice, and can't work because that is not
available by the time we scan our Makefiles.

The other option, which this patch implements, is to just add a
dependency onto kmod and its tools.

Reported-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/pkg-generic.mk: in image install, print message before pre-hooks
Thomas Petazzoni [Fri, 28 Feb 2020 15:04:20 +0000 (16:04 +0100)]
package/pkg-generic.mk: in image install, print message before pre-hooks

In all steps, we print the message indicating the start of the step
using the MESSAGE macro before running pre-hooks. Except in the image
installation step, where the message is printed after the pre-hooks.

Let's fix this inconsistency.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/exim: fix systemd service binary path
Pascal de Bruijn [Fri, 28 Feb 2020 08:25:39 +0000 (09:25 +0100)]
package/exim: fix systemd service binary path

modern versions of exim are installed into sbin not bin

Signed-off-by: Pascal de Bruijn <p.debruijn@unilogic.nl>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5 years agopackage/libarchive: security bump to version 3.4.2
Fabrice Fontaine [Fri, 28 Feb 2020 22:12:34 +0000 (23:12 +0100)]
package/libarchive: security bump to version 3.4.2

- Fix CVE-2020-9308: archive_read_support_format_rar5.c in libarchive
  before 3.4.2 attempts to unpack a RAR5 file with an invalid or
  corrupted header (such as a header size of zero), leading to a SIGSEGV
  or possibly unspecified other impact.
- use --with-nettle to enable nettle support, see
  https://github.com/libarchive/libarchive/commit/f96a71144b7725ca4a94d84bd27d7dca8c2f58d2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - drop new optional dependency to mbedtsl, forced off for now
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>