buildroot.git
4 years agopackage/pcre: bump to version 8.44
Fabrice Fontaine [Tue, 25 Feb 2020 21:28:39 +0000 (22:28 +0100)]
package/pcre: bump to version 8.44

- Update first patch
- Update hash of license file (update in year)
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/sed: bump to version 4.8
Fabrice Fontaine [Mon, 24 Feb 2020 21:24:40 +0000 (22:24 +0100)]
package/sed: bump to version 4.8

Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/upmpdcli: bump to version 1.4.6
Fabrice Fontaine [Mon, 24 Feb 2020 21:17:39 +0000 (22:17 +0100)]
package/upmpdcli: bump to version 1.4.6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agosupport/scripts/pkg-stats: iterate over CVEs in streaming
Titouan Christophe [Thu, 20 Feb 2020 18:27:23 +0000 (19:27 +0100)]
support/scripts/pkg-stats: iterate over CVEs in streaming

The NVD files that are used to build the list of CVEs affecting
Buildroot packages are quite large (a few hundreds MB of json),
and cause the pkg-stats scripts to have a huge memory footprint
(a few GB with Python 2.7).

However, because we only need to iterate on CVE items one by one,
we can process them in streaming (ie decoding one CVE at a time
from the JSON representation). Because the json module from the
python standard library does not support such a mode of operation,
we switch to the third-party package ijson, which is compatible
with both Python 2 and Python3.

To run the script with these modifications, one should install
the ijson python package. This can be done with pip:
`pip install ijson`. On Debian based distributions, this can
also be done with the apt package manager:
`apt install python-ijson`.

Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Tested-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/kmod: bump to version 27
Fabrice Fontaine [Sun, 23 Feb 2020 17:01:06 +0000 (18:01 +0100)]
package/kmod: bump to version 27

- Drop second and third patches (already in version)
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/avahi: bump to version 0.8
Jörg Krause [Thu, 20 Feb 2020 09:15:26 +0000 (10:15 +0100)]
package/avahi: bump to version 0.8

This bump also includes:
 * Drop upstream security patch which is included in the new version
 * Unconditionally disable support for Qt5 [1] (same as Qt3 and Qt4)
 * Drop dependency on host-inttool, as avahi switched to host-gettext [2]
 * Conditionally enable support for libevent [3]

[1] https://github.com/lathiat/avahi/commit/5dbb32767ae3f5a371cfbd04b4e3a9a634b8efc4
[2] https://github.com/lathiat/avahi/commit/3d5a0c68057e2ed76187a0bb565baaa10d566003
[3] https://github.com/lathiat/avahi/commit/998e20cd76927ce978fb5676820a38308e21f45d

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/kodi-visualisation-fishbmc: remove opengl dependency
Bernd Kuhls [Sun, 23 Feb 2020 17:36:46 +0000 (18:36 +0100)]
package/kodi-visualisation-fishbmc: remove opengl dependency

The addon can also be used with OpenGLES:
https://github.com/xbmc/visualization.fishbmc/blob/Leia/CMakeLists.txt

Updated project URL forgotten in
https://git.buildroot.net/buildroot/commit/?id=4726e93c63d51fe287c62628a9c71c04517d727c

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/sispmctl: bump to version 4.2
Fabrice Fontaine [Sun, 23 Feb 2020 18:32:17 +0000 (19:32 +0100)]
package/sispmctl: bump to version 4.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/gobject-introspection: add missing newline at end of wrappers
Yann E. MORIN [Sun, 23 Feb 2020 20:22:52 +0000 (21:22 +0100)]
package/gobject-introspection: add missing newline at end of wrappers

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/smartmontools: fix build without stack-protector
Fabrice Fontaine [Sun, 23 Feb 2020 15:36:38 +0000 (16:36 +0100)]
package/smartmontools: fix build without stack-protector

Fixes:
 - http://autobuild.buildroot.org/results/0de9f2a69fa2a39164211299f8a429d2fec6935a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/{mesa3d, mesa3d-headers}: bump version to 20.0.0
Bernd Kuhls [Sun, 23 Feb 2020 10:32:57 +0000 (11:32 +0100)]
package/{mesa3d, mesa3d-headers}: bump version to 20.0.0

Added optional dependency to zstd present due to upstream commit:
https://cgit.freedesktop.org/mesa/mesa/commit/?id=a8d941091f72923561a6c58b46ccb264b6a0e205

Replaced MESA_EGL_NO_X11_HEADERS define with EGL_NO_X11 due to upstream
commit:
https://cgit.freedesktop.org/mesa/mesa/commit/?id=6202a13b71e18dc31ba7e2f4ea915b67eacc1ddb

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/smartmontools: bump to version 7.1
Fabrice Fontaine [Sat, 22 Feb 2020 22:08:55 +0000 (23:08 +0100)]
package/smartmontools: bump to version 7.1

- systemd optional dependency has been added in version 7.0
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/gobject-introspection: depend on python3
Adam Duskett [Sat, 22 Feb 2020 21:31:42 +0000 (13:31 -0800)]
package/gobject-introspection: depend on python3

Currently, the Config.in file has the line:
select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON

This line is incorrect as gobject-introspection does not support python2.
Instead, remove the select line and make python3 a dependency with a new
message that explains that gobject-introspection requires python3.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - move the explanations from the commit log to the code
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libeXosip2: bump to version 5.1.1
Gilles Talis [Sat, 22 Feb 2020 16:35:29 +0000 (17:35 +0100)]
package/libeXosip2: bump to version 5.1.1

- Removed patch that was applied upstream
- Removed AUTORECONF request that came with patch
- Updated library's download name

Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libosip2: bump to version 5.1.1
Gilles Talis [Sat, 22 Feb 2020 16:35:28 +0000 (17:35 +0100)]
package/libosip2: bump to version 5.1.1

Removed patch that was applied upstream

Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/gobject-introspection: new package
Adam Duskett [Tue, 11 Feb 2020 16:34:04 +0000 (08:34 -0800)]
package/gobject-introspection: new package

GObject introspection is a middleware layer between C
libraries (using GObject) and language bindings. The C library
can be scanned at compile time and generate a metadata file,
in addition to the actual native C library. Then at runtime,
language bindings can read this metadata and automatically
provide bindings to call into the C library.

There's an XML format called GIR used by GObject-Introspection.
The purpose of it is to provide a standard structure to access the complete
available API that a library or other unit of code exports. It's
language-agnostic using namespaces to separate core, language, or
library-specific functionality.

Cross-compiling gobject-introspection is not an easy task. The main issue is
that in the process of creating the XML files, gobject-introspection must first
run and scan the binary, which, if the binary is cross-compiled, would not
typically be possible from the host system.

Because of this limitation, we use several wrappers to call instead first out
qemu, which runs the native scanner to create the binaries.

There are seven total patches and four different wrapper files needed to
successfully cross-compile and run this package, many of them are from
open-embedded, but one of them is of my own doing.

1) Revert a previous, incomplete attempt at adding cross-compiling support.

2) Add support for cross-compiling with meson.

3) Disable tests.

4) Add an option to use a binary wrapper; this patch will force giscanner to
   use a wrapper executable to run binaries it's producing, instead of
   attempting to run them from the host.

5) Add an option to use an LDD wrapper, again, useful for cross-compiled
   environments.

6) Add a --lib-dirs-envar option to pass to giscanner. (See patch for details.)

7) Add rpath-links to ccompiler: when passing the PACKAGE_GIR_EXTRA_LIBS_PATH
   to the ccompiler.py script, ccompiler.py needs to add -Wl,-rpath-link to the
   environment for the package to correctly link against the passed on paths.

8) Ignore error return codes from ldd-wrapper because prelink-rtld returns 127
   when it can't find a library, which breaks subprocess.check_output().

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Tested-by: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
  - host-prelink-cross has no Kconfig entry
  - reorder dependencies for arch deps first
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/pkgconf: prepend sysroot paths to common gobject-introspection utils
Adam Duskett [Tue, 11 Feb 2020 16:34:03 +0000 (08:34 -0800)]
package/pkgconf: prepend sysroot paths to common gobject-introspection utils

Many autotools packages call pkg-conf to inquire as to where the following
utilities are:

g_ir_scanner
g_ir_compiler
g_ir_generate

Because gobject uses wrappers to call qemu, prepending the sysroot to the paths
of these compilers is necessary.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/prelink-cross: new package
Adam Duskett [Tue, 11 Feb 2020 16:34:02 +0000 (08:34 -0800)]
package/prelink-cross: new package

Prelink-cross emulates a runtime linker for a given sysroot. This is
necessary to allow gobject-introspection to build its typelib files
during cross-compiling.

We're using a sha1 on the cross_prelink branch, as we need the
RTLD-enabled variant of prelink-cross.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - drop HOST_ prefix for inherited variables
  - fix licensing info to "or-later"
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/gdb: depend on libiberty
Adam Duskett [Tue, 11 Feb 2020 16:34:01 +0000 (08:34 -0800)]
package/gdb: depend on libiberty

If present, GDB may use a system installed libiberty. As such, we must ensure
that host-libiberty is installed first.

Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/libiberty: new package
Adam Duskett [Tue, 11 Feb 2020 16:34:00 +0000 (08:34 -0800)]
package/libiberty: new package

Some packages, like prelink-cross, want to use libiberty but do not bundle
their own instance (which is good!).

However, libiberty is made for being bundled in packages: all GNU
packages that use libiberty (gcc, Binutils, gdb, et al...) all have their own
bundled variant. This common practice means that there is no official upstream
for libiberty, the closest being as part of the combined Binutils-gdb tree.

So we introduce a new host-only package, that installs just libiberty from a
Binutils released tarball.

Again, as packages usually bundle libiberty, it usually only installs a static
version. Furthermore, it does not obey the usual --enable-shared and
--disable-static flags; it only ever builds a static version.

Furthermore, -fPIC is not used with this library, but some packages may pick it
to build shared objects. This behavior is the case for host-gdb, for example,
which accidentally picks that library instead of its internal one.

So, rather than fix the various gdb versions and variants we can use, we ensure
that the libiberty we install is usable in shared objects, and we always build
before host-gdb.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
[yann.morin.1998@free.fr:
  - fix DL_SUBDIR for a host-only package
  - add licensing info
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/gensio: bump to version 1.5.2
James Hilliard [Mon, 17 Feb 2020 07:33:59 +0000 (00:33 -0700)]
package/gensio: bump to version 1.5.2

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/mpd: bump version to 0.21.20
Jörg Krause [Mon, 17 Feb 2020 07:56:19 +0000 (08:56 +0100)]
package/mpd: bump version to 0.21.20

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/openfpgaloader: new package
Jean Burgat [Tue, 18 Feb 2020 08:32:47 +0000 (09:32 +0100)]
package/openfpgaloader: new package

openFPGALoader is a tool for programming FPGA.

Signed-off-by: Jean Burgat <jeanburgat33@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/avahi: drop most of the AVAHI_CONF_ENV vars
Jörg Krause [Tue, 18 Feb 2020 09:46:00 +0000 (10:46 +0100)]
package/avahi: drop most of the AVAHI_CONF_ENV vars

Most are legacy from when the package was added and not really necessary.

This commit is based on dropping the CONF_ENV vars in libgtk2 [1].

[1] https://git.buildroot.net/buildroot/commit/package/libgtk2/libgtk2.mk?id=4d80cbdf6c2c186da26f36575d6635604f00d29a

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/libubootenv: bump to version ba952d0
Pierre-Jean Texier [Tue, 18 Feb 2020 20:47:19 +0000 (21:47 +0100)]
package/libubootenv: bump to version ba952d0

This includes the following changes:

ba952d0 BUG: variable lists not released in close()
690f868 Variables are not removed when loading from file
9e3586a Make sure there's no file descriptor leakage in case of error
03647c4 Check config file defines a non-zero Sector size
3b2d4f1 Check environment size from fw_env.config

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/uacme: bump version to 1.0.22
Nicola Di Lieto [Tue, 18 Feb 2020 20:12:17 +0000 (21:12 +0100)]
package/uacme: bump version to 1.0.22

Signed-off-by: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/libiio: bump to version 0.19
Pierre-Jean Texier [Tue, 18 Feb 2020 20:52:08 +0000 (21:52 +0100)]
package/libiio: bump to version 0.19

See full changelog https://github.com/analogdevicesinc/libiio/releases/tag/v0.19

Also remove patch applied upstream

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoUpdate for 2020.02-rc1
Peter Korsgaard [Tue, 18 Feb 2020 22:31:02 +0000 (23:31 +0100)]
Update for 2020.02-rc1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoCHANGES: update with recent changes
Peter Korsgaard [Tue, 18 Feb 2020 22:04:09 +0000 (23:04 +0100)]
CHANGES: update with recent changes

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libsigrok: explain why host-doxygen is needed
Fabrice Fontaine [Tue, 18 Feb 2020 19:06:03 +0000 (20:06 +0100)]
package/libsigrok: explain why host-doxygen is needed

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/owfs: fixup Python sysconfigdata for per-package directories
Thomas Petazzoni [Mon, 17 Feb 2020 23:55:22 +0000 (00:55 +0100)]
package/owfs: fixup Python sysconfigdata for per-package directories

This is needed so that building the owfs Python module uses the gcc
from owfs per-package directory, and not the one from the python
per-package directory.

Fixes:

  http://autobuild.buildroot.net/results/0d582dda367507991a4c38141db36b0fa8e47e67/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/pkg-python: fix for per-package directories
Thomas Petazzoni [Mon, 17 Feb 2020 23:50:47 +0000 (00:50 +0100)]
package/pkg-python: fix for per-package directories

With per-package directory support, Python external modules are
causing a problem: the _sysconfigdata.py module installed by the
Python interpreter contains a number of paths that are relative to the
current package per-package directory, i.e python or python3. For
example:

'BLDSHARED': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-gcc -shared',
'CC': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-gcc',
'CXX': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-g++',
etc.

These paths are problematic, because it means that the wrong compiler
gets used when building external Python modules: instead of using the
compiler from the external Python module per-package host directory,
it uses the one from the 'python' or 'python3' per-package host
directory. Due to this, any native dependency needed by the external
Python module is not found, even though it is properly present in the
current package per-package directory.

Of course, the problem occurs with both target Python modules and host
Python modules.

To fix this, we simply rewrite those paths in _sysconfigdata.py before
building a Python package.

Interestingly, until now, the _sysconfidata.py that was used during
the build was the one from $(TARGET_DIR), which is a bit unusual: it
is more common to use files from $(STAGING_DIR) during the build
process. So this commit changes the PYTHON_PATH and PYTHON3_PATH
variables so that they point to $(STAGING_DIR), which makes the
_sysconfigdata.py fixup in $(STAGING_DIR) effective.

Fixes:

  http://autobuild.buildroot.net/results/a24b0555fd4261b50dc3986635c30717d9cbe764/ (python-psycopg2)
  http://autobuild.buildroot.net/results/080fa893e1b0e7a8c8a31ac1c98eb8871b97264d/ (python-alsaaudio)
  http://autobuild.buildroot.net/results/79bc070f98d6d9d8ef78df12b248cdc7d0e405c3/ (python-lxml)
  and many more Python packages that use native code with a native library

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/apache: fix build with per-package directory support
Thomas Petazzoni [Mon, 17 Feb 2020 23:46:39 +0000 (00:46 +0100)]
package/apache: fix build with per-package directory support

When APR_INCLUDEDIR and APU_INCLUDEDIR point to the same directory,
Apache builds properly. However, with per-package directory support,
they point to different directories, and APU_INCLUDEDIR contains both
the APR headers and the APU headers.

Due to this, the Apache Makefile logic to generate its exports.c file
leads to duplicate definitions, because the APR headers are considered
twice: once from APR_INCLUDEDIR, once from APU_INCLUDEDIR.

We fix this by introducing a patch to the Apache build system.

In addition, apr provides a special libtool script that gets used by
apr-util and apache. apr-util already had a fixup for this, but apache
did not, which was causing the gcc from apr-util per-package
directories be used during the apache build, causing build failures.

To fix this, we adjust this libtool script to point to the correct
tools in apache's per-package directories.

There are no autobuilder failures for this, because Apache needs
apr-util, and apr-util currently fails to build when
BR2_PER_PACKAGE_DIRECTORIES=y.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/apr-util: fix build with per-package directories
Thomas Petazzoni [Mon, 17 Feb 2020 23:46:38 +0000 (00:46 +0100)]
package/apr-util: fix build with per-package directories

With per-package directories support enabled, the build of apr-util
fails, for two reasons:

 - The rules.mk file is generated by the 'apr' package, and then
   copied into the 'apr-util' source directory. This is done by the
   'apr-util' build process. Unfortunately, this rules.mk file has a
   number of hardcoded paths: to the compiler and to the libtool
   script.

   Due to this, the compiler from the 'apr' per-package directory gets
   used. But this compiler uses the 'apr' package sysroot, which does
   not have all the dependencies of the 'apr-util' package, causing
   the build to fail because <expat.h> is not found.

 - Similarly, the libtool script itself has some hardcoded paths,
   which make it use the compiler/linker from the 'apr' per-package
   directory, so it does not find the expat library.

We fix both issues by doing the necessary replacement in both rules.mk
and libtool.

Fixes:

  http://autobuild.buildroot.net/results/2a67b5d58f79348e20a972125e4797eff5585716/

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/cog: add patch fixing cog segfault
James Hilliard [Tue, 18 Feb 2020 08:43:39 +0000 (01:43 -0700)]
package/cog: add patch fixing cog segfault

Fixes:
Thread 1 "cog" received signal SIGSEGV, Segmentation fault.
xkb_state_update_mask (state=0x0, base_mods=0, latched_mods=0, locked_mods=0, base_group=base_group@entry=0, latched_group=latched_group@entry=0, locked_group=0) at ../src/state.c:814
814     prev_components = state->components;

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/libxml2: add upstream security fix for CVE-2019-20388
Thomas De Schampheleire [Tue, 18 Feb 2020 09:31:34 +0000 (10:31 +0100)]
package/libxml2: add upstream security fix for CVE-2019-20388

Fixes CVE-2019-20388: xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10
allows an xmlSchemaValidateStream memory leak.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/pulseview: depends on host gcc >= 4.9
Fabrice Fontaine [Sun, 16 Feb 2020 18:06:13 +0000 (19:06 +0100)]
package/pulseview: depends on host gcc >= 4.9

Commit 88bb278d5ac790bee0c3a438464da82ee7625cff forgot to propagate the
new host gcc >= 4.9 dependency from BR2_PACKAGE_LIBSIGROKCXX

Fixes:
 - http://autobuild.buildroot.org/results/5dc9dc95d0534b35e2443c120162b5176edafe0b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/nodejs: security bump to version 12.16.0
Peter Korsgaard [Mon, 17 Feb 2020 22:38:49 +0000 (23:38 +0100)]
package/nodejs: security bump to version 12.16.0

Fixes the following security issues (12.15.0):

- CVE-2019-15606: HTTP header values do not have trailing OWS trimmed

- CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding
  header

- CVE-2019-15604: Remotely trigger an assertion on a TLS server with a
  malformed certificate string

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

On top of this, 12.16.0 brings a number of changes and bugfixes.

Update the license hash for an addition of the (MIT) licensing terms for the
uvwsai module:

+
+- uvwasi, located at deps/uvwasi, is licensed as follows:
+  """
+    MIT License
+
+    Copyright (c) 2019 Colin Ihrig and Contributors
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE.
+  """

While we are at it, adjust the white space in the .hash function to match
the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/qpdf: fix build with gcc 4.8
Fabrice Fontaine [Mon, 17 Feb 2020 21:46:01 +0000 (22:46 +0100)]
package/qpdf: fix build with gcc 4.8

Fixes:
 - http://autobuild.buildroot.org/results/ad7fb68ae87850a85509eed80fd0cae8721b10c5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/gutenprint: add back the hook for creating the m4local directory
Fabrice Fontaine [Mon, 17 Feb 2020 22:52:02 +0000 (23:52 +0100)]
package/gutenprint: add back the hook for creating the m4local directory

Commit 64c42c5e2c26261e26c3548c86b02f55d12f341b removed the hook for
creating the m4local directory with the assumption that it would be
created because the first include is treated in a special way if it
doesn't exists

However, this assumption was wrong as m4local is the second include, the
first one is m4 (which already exists in the archive). So put back the
hook. The other solutions would be to patch:
 - Makefile.{am,in} to remove m4local
 - configure.ac and Makefile.{am,in} to add m4local before m4
However, both solutions don't seem to be upstreamable

Fixes:
 - http://autobuild.buildroot.org/results/e40313c6ec193d6156e26eff62303545fba09413

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agocore: fix packages-file-list.txt after an incremental build
Thomas De Schampheleire [Fri, 14 Feb 2020 19:57:33 +0000 (20:57 +0100)]
core: fix packages-file-list.txt after an incremental build

The package instrumentation step 'step_pkg_size' is populating the files:
    output/build/packages-file-list.txt
    output/build/packages-file-list-staging.txt
    output/build/packages-file-list-host.txt
by comparing the list of files before and after installation of a package,
with some clever tricks to detect changes to existing files etc.

As an optimization, instead of gathering this list before and after each
package, where the 'after-state' of one package is the same as the
'before-state' of the next package, only the 'after-state' is used and
is shared between packages.

This works fine, except at the end of the build, as explained next.

In the target-finalize step, many files will be touched. For example, files
like /etc/hosts, /etc/os-release, but also all object files that are
stripped, and all files touched by post-build scripts or created by rootfs
overlays. This means that the 'after-state' of the last package does not
reflect the actual situation after target-finalize is run.

For a single complete build this poses no problem. But, if one incrementally
rebuilds a package after the initial build, e.g. with 'make foo-rebuild',
then all changes that happened in target-finalize at the end of the initial
build (the 'after-state' of the last package built) will be detected as
changes caused by the rebuild of package foo. As a result, all these files
will incorrectly be treated as 'owned' by package foo.

Correct this situation by capturing a new state at the end of
target-finalize, so that the 'before-state' of an incremental build will be
correct.

Note: the reasoning above talks about packages-file-list.txt and
target-finalize, but also applies to
packages-file-list-staging.txt/staging-finalize and
packages-file-list-host.txt/host-finalize.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agosupport/run-tests: reorder imports
Yegor Yefremov [Thu, 13 Feb 2020 10:09:05 +0000 (11:09 +0100)]
support/run-tests: reorder imports

Reorder imports using the isort utility to fix a warning from pylint3:

wrong-import-order: standard import "import multiprocessing" should be
placed before "import nose2"

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage.nfs-utils: drop extra empty line
Yann E. MORIN [Mon, 17 Feb 2020 08:37:59 +0000 (09:37 +0100)]
package.nfs-utils: drop extra empty line

Commit 12c0f68caf (package/nfs-utils: bump version to 2.4.3) added an
extra empty line, causing check-package to whine:

    package/nfs-utils/nfs-utils.mk:27: consecutive empty lines

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agoconfigs/qemu{x86, x86_64}: add a serial console
Romain Naour [Sun, 9 Feb 2020 18:03:22 +0000 (19:03 +0100)]
configs/qemu{x86, x86_64}: add a serial console

The current Buildroot defconfigs for qemu_x86 and qemu_x86_64
instantiate a console on tty1, which appears on QEMU's
graphical window. Add a console on the serial port (ttyS0) to
be used later for gitlab testing.

This change is need since the script used for gitlab testing
needs to use a serial output with pexpect.

This change is similar to the one made for raspberrypi [1] to
handle HDMI and serial console:

This requires three changes:
 1. have two 'console=' entries in the kernel command line: tty1,
    then ttyS0;
 2. change BR2_TARGET_GENERIC_GETTY_PORT to "console", so it starts
    a getty on the last console= passed to the kernel, ttyS0;
 3. add a new getty on tty1 to the generated inittab.

Step 2 is actually obtained by removing BR2_TARGET_GENERIC_GETTY_PORT
entirely from the defconfigs, since "console" is the default value.

Step 3 requires a post-build script since the Buildroot makefiles can
configure only one console.

Note: instead of simply adding a new getty on ttyS0 (which would
work) this patch actually changes BR2_TARGET_GENERIC_GETTY_PORT to
instantiate a console on UART, then adds back tty1 via
post-build.sh. This is done only to avoid the "GENERIC_SERIAL" comment
where we instantiate a console on QEMU graphical window, then
instantiate a really-serial console on another line.

The result is these two inittab lines:

  console::respawn:/sbin/getty -L  console 0 vt100 # GENERIC_SERIAL
  tty1::respawn:/sbin/getty -L  tty1 0 vt100 # QEMU graphical window

[1] 20878a1017e2bf7eb8c5f870dc6d2641493cb0f9

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoconfigs/qemu_pcc_mac99: build host-qemu for runtime testing
Romain Naour [Sun, 9 Feb 2020 18:03:20 +0000 (19:03 +0100)]
configs/qemu_pcc_mac99: build host-qemu for runtime testing

The commit [1] added host-qemu package for each qemu defconfig
for gitlab runtime testing.

[1] 29e1cb88844614c40846540e22cf83aa9e52674f

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Joel Stanley <joel@jms.id.au>
Acked-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoconfigs/qemu_ppc_mac99_defconfig: add usual comments for Kconfig symbols
Romain Naour [Sun, 9 Feb 2020 18:03:19 +0000 (19:03 +0100)]
configs/qemu_ppc_mac99_defconfig: add usual comments for Kconfig symbols

This defconfig was generated by savedefconfig but we usually
use a manually modified defconfig to add some comments for
Kconfig symbols.

No content change intended.

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Joel Stanley <joel@jms.id.au>
Acked-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/janus-gateway: bump version to 0.8.1
Adam Duskett [Mon, 3 Feb 2020 10:29:27 +0000 (02:29 -0800)]
package/janus-gateway: bump version to 0.8.1

Other changes:
  - Update License hash which properly adds the OpenSSL exception.

Tested with Debian 8:

br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]:   OK
 br-arm-cortex-m4-full [3/6]:   SKIPPED
        br-x86-64-musl [4/6]:   OK
    br-arm-full-static [5/6]:   SKIPPED
          sourcery-arm [6/6]:   OK

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/qemu: Bump to version 4.2.0
Adam Duskett [Sat, 8 Feb 2020 21:15:10 +0000 (13:15 -0800)]
package/qemu: Bump to version 4.2.0

Other changes:
  - Remove upstream patches
  - Update COPYING.LIB hash as upstream updated the file to match the new LGPL
    2.1 license from upstream. See:
    https://github.com/qemu/qemu/commit/f0d44cc4462f112bce5ec556e87eff4eec682e39

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Tested-by: Romain Naour <romain.naour@gmail.com>
[Peter: change libssh2 to libssh as pointed out by Vincent Fazio]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/nfs-utils: bump version to 2.4.3
Giulio Benetti [Mon, 10 Feb 2020 12:03:53 +0000 (13:03 +0100)]
package/nfs-utils: bump version to 2.4.3

Bump to version 2.4.3 of nfs-utils.  All patches have been upstreamed, so
drop them all.  It now needs rpcgen built by host-nfs-utils, to do this
let's pass its path to --with-rpcgen= instead of 'internal'.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
[Peter: drop AUTORECONF, explicitly depend on host-nfs-utils]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/minicom: bump version
Giulio Benetti [Sun, 9 Feb 2020 20:44:56 +0000 (21:44 +0100)]
package/minicom: bump version

For a minor fix.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/glslsandbox-player: remove 'v' prefix
Fabrice Fontaine [Sun, 9 Feb 2020 21:28:25 +0000 (22:28 +0100)]
package/glslsandbox-player: remove 'v' prefix

Fixes version parsing for release-monitoring.org support

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agosupport/run-tests: check for empty sequences in a pythonic way
Yegor Yefremov [Thu, 13 Feb 2020 10:09:06 +0000 (11:09 +0100)]
support/run-tests: check for empty sequences in a pythonic way

According to PEP8 empty sequences should be checked as booleans.

Fixes the following PEP8 warning:
Do not use `len(SEQUENCE)` to determine if a sequence is empty

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series
Peter Korsgaard [Sat, 15 Feb 2020 18:37:13 +0000 (19:37 +0100)]
{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agolinux: use correct conditional for wireguard kernel config fixup
Peter Korsgaard [Sat, 15 Feb 2020 18:20:20 +0000 (19:20 +0100)]
linux: use correct conditional for wireguard kernel config fixup

Commit de591c5c3a93 (package/wireguard-linux-compat: new package) split up
the wireguard package in wireguard-tools and wireguard-linux-compat, but
forgot to update the conditional in linux.mk, so the kernel config fixups
needed for wireguard are no longer applied.

Update the conditional to use the BR2_PACKAGE_WIREGUARD_LINUX_COMPAT symbol
instead.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/wireguard-linux-compat: bump version to 0.0.20200215
Peter Korsgaard [Sat, 15 Feb 2020 18:20:19 +0000 (19:20 +0100)]
package/wireguard-linux-compat: bump version to 0.0.20200215

Fixes a regression introduced in 0.0.20200214.  For details, see the
announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-February/005014.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libgpg-error: bump to version 1.37
Fabrice Fontaine [Sat, 15 Feb 2020 11:27:34 +0000 (12:27 +0100)]
package/libgpg-error: bump to version 1.37

- Remove patch (already in version)
- Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-cython: bump to version 0.29.15
James Hilliard [Thu, 13 Feb 2020 06:12:35 +0000 (23:12 -0700)]
package/python-cython: bump to version 0.29.15

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-simplejson: bump to version 3.17.0
James Hilliard [Thu, 13 Feb 2020 05:56:08 +0000 (22:56 -0700)]
package/python-simplejson: bump to version 3.17.0

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-pyyaml: bump to version 5.3
James Hilliard [Thu, 13 Feb 2020 05:51:31 +0000 (22:51 -0700)]
package/python-pyyaml: bump to version 5.3

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-pyopenssl: bump to version 19.1.0
James Hilliard [Thu, 13 Feb 2020 05:46:12 +0000 (22:46 -0700)]
package/python-pyopenssl: bump to version 19.1.0

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/gensio: bump to version 1.5.1
Fabrice Fontaine [Wed, 12 Feb 2020 18:06:53 +0000 (19:06 +0100)]
package/gensio: bump to version 1.5.1

- Update indentation of hash file (2 spaces)
- This will fix a build failure without threads thanks to
  https://github.com/cminyard/gensio/commit/8918de5b30f90b826c48064e9ee92304b63ffe85
  and associated upstream patch

Fixes:
 - http://autobuild.buildroot.org/results/e94d0e0b46afc1223a74bcc471909f4adef0d6f3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libtorrent-rasterbar: bump to version 1.2.4
Fabrice Fontaine [Wed, 12 Feb 2020 19:49:16 +0000 (20:49 +0100)]
package/libtorrent-rasterbar: bump to version 1.2.4

Update indentation of hash file (two spaces)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-six: bump to version 1.14.0
James Hilliard [Thu, 13 Feb 2020 03:16:18 +0000 (20:16 -0700)]
package/python-six: bump to version 1.14.0

License hash change is due to date update.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-cryptography: bump to version 2.8
James Hilliard [Thu, 13 Feb 2020 03:04:52 +0000 (20:04 -0700)]
package/python-cryptography: bump to version 2.8

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/wpewebkit: security bump to version 2.26.4
Peter Korsgaard [Sat, 15 Feb 2020 15:09:28 +0000 (16:09 +0100)]
package/wpewebkit: security bump to version 2.26.4

Fixes the following security issues:

- CVE-2020-3862: Impact: A malicious website may be able to cause a denial
  of service.  Description: A denial of service issue was addressed with
  improved memory handling.

- CVE-2020-3864: Impact: A DOM object context may not have had a unique
  security origin.  Description: A logic issue was addressed with improved
  validation.

- CVE-2020-3865: Impact: A top-level DOM object context may have incorrectly
  been considered secure.  Description: A logic issue was addressed with
  improved validation.

- CVE-2020-3867: Impact: Processing maliciously crafted web content may lead
  to universal cross site scripting.  Description: A logic issue was
  addressed with improved state management.

- CVE-2020-3868: Impact: Processing maliciously crafted web content may lead
  to arbitrary code execution.  Description: Multiple memory corruption
  issues were addressed with improved memory handling.

For more details, see the advisory:
https://wpewebkit.org/security/WSA-2020-0002.html

While we are at it, adjust the white space in the .hash function to match
the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/wpewebkit: needs >= GCC 7
Peter Korsgaard [Sat, 15 Feb 2020 15:09:27 +0000 (16:09 +0100)]
package/wpewebkit: needs >= GCC 7

CMakeLists.txt contains a toolchain check:

if (${CMAKE_CXX_COMPILER_ID} STREQUAL "GNU")
    if (${CMAKE_CXX_COMPILER_VERSION} VERSION_LESS "7.3.0")
        message(FATAL_ERROR "GCC 7.3 or newer is required to build WebKit. Use a newer GCC version or Clang.")
    endif ()
endif ()

So bump the toolchain dependency to >= GCC 7.  The check is really about >=
7.3.0, but we do not have such detailed version checks.  Given that GCC
7.3.0 was released in January 2018 (and 7.1.0 in May 2017), most external
GCC 7.x toolchains probably use >= 7.3.0.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/webkitgtk: security bump to version 2.26.4
Peter Korsgaard [Sat, 15 Feb 2020 15:09:26 +0000 (16:09 +0100)]
package/webkitgtk: security bump to version 2.26.4

Fixes the following security issues:

- CVE-2020-3862: Impact: A malicious website may be able to cause a denial
  of service.  Description: A denial of service issue was addressed with
  improved memory handling.

- CVE-2020-3864: Impact: A DOM object context may not have had a unique
  security origin.  Description: A logic issue was addressed with improved
  validation.

- CVE-2020-3865: Impact: A top-level DOM object context may have incorrectly
  been considered secure.  Description: A logic issue was addressed with
  improved validation.

- CVE-2020-3867: Impact: Processing maliciously crafted web content may lead
  to universal cross site scripting.  Description: A logic issue was
  addressed with improved state management.

- CVE-2020-3868: Impact: Processing maliciously crafted web content may lead
  to arbitrary code execution.  Description: Multiple memory corruption
  issues were addressed with improved memory handling.

For more details, see the advisory:
https://webkitgtk.org/security/WSA-2020-0002.html

While we are at it, adjust the white space in the .hash function to match
the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/webkitgtk: needs >= GCC 7
Peter Korsgaard [Sat, 15 Feb 2020 15:09:25 +0000 (16:09 +0100)]
package/webkitgtk: needs >= GCC 7

CMakeLists.txt contains a toolchain check:

if (${CMAKE_CXX_COMPILER_ID} STREQUAL "GNU")
    if (${CMAKE_CXX_COMPILER_VERSION} VERSION_LESS "7.3.0")
        message(FATAL_ERROR "GCC 7.3 or newer is required to build WebKit. Use a newer GCC version or Clang.")
    endif ()
endif ()

So bump the toolchain dependency to >= GCC 7.  The check is really about >=
7.3.0, but we do not have such detailed version checks.  Given that GCC
7.3.0 was released in January 2018 (and 7.1.0 in May 2017), most external
GCC 7.x toolchains probably use >= 7.3.0.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libcurl: rename curl binary config symbol
Baruch Siach [Mon, 10 Feb 2020 12:06:59 +0000 (14:06 +0200)]
package/libcurl: rename curl binary config symbol

Package optional or choice config symbols are usually prefixed with the
package config symbol name. Rename BR2_PACKAGE_CURL to
BR2_PACKAGE_LIBCURL_CURL to conform.

Update references to the old name.

Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/mfgtools: fix build issue related to __time64_t
Gary Bisson [Tue, 11 Feb 2020 15:04:45 +0000 (16:04 +0100)]
package/mfgtools: fix build issue related to __time64_t

The tool fails to build on recent distros due to conflicting declaration
of __time64_t. Adding a check around the declaration to avoid
redefinition.

Patch not submitted upstream as the tool is not supported by NXP
anymore[1].

Fixes:
http://autobuild.buildroot.net/results/ca4498ad21a96ba2a38ca2467dadffdbb516355b/

[1] https://github.com/NXPmicro/mfgtools/pull/104

Signed-off-by: Gary Bisson <bisson.gary@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agodocs/manual: describe the new <pkg>_IGNORE_CVES variable
Thomas Petazzoni [Sat, 15 Feb 2020 12:44:17 +0000 (13:44 +0100)]
docs/manual: describe the new <pkg>_IGNORE_CVES variable

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agosupport/scripts/pkg-stats: add support for CVE reporting
Thomas Petazzoni [Sat, 15 Feb 2020 12:44:16 +0000 (13:44 +0100)]
support/scripts/pkg-stats: add support for CVE reporting

This commit extends the pkg-stats script to grab information about the
CVEs affecting the Buildroot packages.

To do so, it downloads the NVD database from
https://nvd.nist.gov/vuln/data-feeds in JSON format, and processes the
JSON file to determine which of our packages is affected by which
CVE. The information is then displayed in both the HTML output and the
JSON output of pkg-stats.

To use this feature, you have to pass the new --nvd-path option,
pointing to a writable directory where pkg-stats will store the NVD
database. If the local database is less than 24 hours old, it will not
re-download it. If it is more than 24 hours old, it will re-download
only the files that have really been updated by upstream NVD.

Packages can use the newly introduced <pkg>_IGNORE_CVES variable to
tell pkg-stats that some CVEs should be ignored: it can be because a
patch we have is fixing the CVE, or because the CVE doesn't apply in
our case.

>From an implementation point of view:

 - A new class CVE implement most of the required functionalities:
   - Downloading the yearly NVD files
   - Reading and extracting relevant data from these files
   - Matching Packages against a CVE

 - The statistics are extended with the total number of CVEs, and the
   total number of packages that have at least one CVE pending.

 - The HTML output is extended with these new details. There are no
   changes to the code generating the JSON output because the existing
   code is smart enough to automatically expose the new information.

This development is a collective effort with Titouan Christophe
<titouan.christophe@railnova.eu> and Thomas De Schampheleire
<thomas.de_schampheleire@nokia.com>.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/{mesa3d, mesa3d-headers}: bump version to 19.3.4
Bernd Kuhls [Fri, 14 Feb 2020 17:21:16 +0000 (18:21 +0100)]
package/{mesa3d, mesa3d-headers}: bump version to 19.3.4

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/rocksdb: add gflags optional dependency
Fabrice Fontaine [Fri, 14 Feb 2020 16:44:10 +0000 (17:44 +0100)]
package/rocksdb: add gflags optional dependency

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/mono: fix build with powerpc
Fabrice Fontaine [Fri, 14 Feb 2020 16:38:51 +0000 (17:38 +0100)]
package/mono: fix build with powerpc

Fixes:
 - http://autobuild.buildroot.org/results/fff0dd08f71facbe367d982d19158ee084ae8047

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/wireguard-linux-compat: bump version to 0.0.20200214
Peter Korsgaard [Fri, 14 Feb 2020 16:16:21 +0000 (17:16 +0100)]
package/wireguard-linux-compat: bump version to 0.0.20200214

Includes misc fixes. For details, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-February/005013.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/postgresql: security bump to version 12.2
Peter Korsgaard [Fri, 14 Feb 2020 08:39:10 +0000 (09:39 +0100)]
package/postgresql: security bump to version 12.2

Fixes the following security issues:

- CVE-2020-1720: ALTER ... DEPENDS ON EXTENSION is missing authorization checks
  https://www.postgresql.org/about/news/2011/

Update the license hash for a change in copyright years:
-Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
+Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/screen: bump version to 4.8.0
Peter Korsgaard [Fri, 14 Feb 2020 07:27:01 +0000 (08:27 +0100)]
package/screen: bump version to 4.8.0

Fixes a memory corruption issue in OSC 49 handling.  Notice that this is
only enabled if screen is built with --enable-rxvt_osc, which isn't the case
in Buildroot. From the release notes:

As last fix, fixes potential memory overwrite of quite big size (~768
bytes), and even though I'm not sure about potential exploitability of
that issue, I highly recommend everyone to upgrade as soon as possible.
This issue is present at least since v.4.2.0 (haven't checked earlier).

https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html

Upstream changed the gnu.org URLs to use HTTPS, so adjust
0005-rename-sched_h.patch to match.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoDEVELOPERS: add Romain Naour for toolchain topic
Romain Naour [Thu, 13 Feb 2020 22:29:13 +0000 (23:29 +0100)]
DEVELOPERS: add Romain Naour for toolchain topic

The first time I worked on the Buildroot's toolchain infra
was to add support for the Sourcery Codebench Standard
(licenced) edition toolchain (from Mentor Graphics) for
x86 target [1]. The series was rejected though.

But the knowledge gained from this work served to refactor
the toolchain-external infra in Buildroot [2].

Nowadays, I'm using toolchains-builder project to do
some toolchain build testing to keep GNU tools up to date
in Buildroot.

[1] http://lists.busybox.net/pipermail/buildroot/2014-November/112036.html
[2] http://lists.busybox.net/pipermail/buildroot/2016-October/175433.html
[3] https://gitlab.com/kubu93/toolchains-builder/

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoDEVELOPERS: add Romain Naour for Qemu defconfigs
Romain Naour [Thu, 13 Feb 2020 21:54:54 +0000 (22:54 +0100)]
DEVELOPERS: add Romain Naour for Qemu defconfigs

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoDEVELOPERS: add Romain Naour for test_glxinfo test
Romain Naour [Thu, 13 Feb 2020 21:47:38 +0000 (22:47 +0100)]
DEVELOPERS: add Romain Naour for test_glxinfo test

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agosupport/testing/glxinfo: explicitely enable GLX
Romain Naour [Thu, 13 Feb 2020 21:40:45 +0000 (22:40 +0100)]
support/testing/glxinfo: explicitely enable GLX

Since [1], the GLX support is enabled by BR2_PACKAGE_MESA3D_OPENGL_GLX
symbol.

Since [2], only one swrast provider can be built.
Keep BR2_PACKAGE_MESA3D_DRI_DRIVER_SWRAST.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/400391349

[1] 5cb821d5635626b7327d5d704555c412e5ed5a1f
[2] 09a0a285076f544de335efc74c8904e464576575

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/ncdu: bump to version 1.14.2
Gilles Talis [Thu, 13 Feb 2020 20:52:58 +0000 (21:52 +0100)]
package/ncdu: bump to version 1.14.2

Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libmicrohttpd: bump to version 0.9.70
Gilles Talis [Thu, 13 Feb 2020 20:52:57 +0000 (21:52 +0100)]
package/libmicrohttpd: bump to version 0.9.70

Bugfix release. For details, see the release notes:
https://lists.gnu.org/archive/html/libmicrohttpd/2020-02/msg00006.html

Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libhttpparser: bump to version 2.9.3
Gilles Talis [Thu, 13 Feb 2020 20:52:56 +0000 (21:52 +0100)]
package/libhttpparser: bump to version 2.9.3

Also dropped patch that was pushed upstream

Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/go: bump version to 1.13.8
Peter Korsgaard [Thu, 13 Feb 2020 20:35:27 +0000 (21:35 +0100)]
package/go: bump version to 1.13.8

Includes fixes to the runtime, the crypto/x509, and net/http
packages.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/dovecot: security bump to version 2.3.9.3
Peter Korsgaard [Thu, 13 Feb 2020 20:19:32 +0000 (21:19 +0100)]
package/dovecot: security bump to version 2.3.9.3

Fixes the following security issues:

- CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and
  lmtp processes
  lib-smtp doesn't handle truncated command parameters properly, resulting
  in infinite loop taking 100% CPU for the process.  This happens for LMTP
  (where it doesn't matter so much) and also for submission-login where
  unauthenticated users can trigger it.

- CVE-2020-7957: Specially crafted mail can crash snippet generation
  Snippet generation crashes if:
  - message is large enough that message-parser returns multiple body
    blocks
  - The first block(s) don't contain the full snippet (e.g.  full of
    whitespace)
  - input ends with '>'

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/parted: disable on uclibc
Fabrice Fontaine [Thu, 13 Feb 2020 22:36:44 +0000 (23:36 +0100)]
package/parted: disable on uclibc

Like postgreSQL (and imagemagick), parted does not build against uClibc
with locales enabled, due to an uClibc bug, see
http://lists.uclibc.org/pipermail/uclibc/2014-April/048326.html:

In file included from atari.c:42:
atari.c: In function 'atr_part_correct':
atari.c:221:9: error: dereferencing pointer to incomplete type 'struct __uclibc_locale_struct'
  return isalnum_l(part->id[0], atr_c_locale)
         ^~~~~~~~~

So disable parted on uclibc

Fixes:
 - http://autobuild.buildroot.org/results/992518d340a9f32a0721d6e66936850c4c3ef2e4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/udisks: add locale dependency
Fabrice Fontaine [Thu, 13 Feb 2020 22:36:43 +0000 (23:36 +0100)]
package/udisks: add locale dependency

Commit b5f0c6efb24826641719c493382211e5d768417b forgot to propagate new
locale dependency from parted to udisks

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/python-pyparted: add locale dependency
Fabrice Fontaine [Thu, 13 Feb 2020 22:36:42 +0000 (23:36 +0100)]
package/python-pyparted: add locale dependency

Commit b5f0c6efb24826641719c493382211e5d768417b forgot to propagate new
locale dependency from parted to python-pyparted

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libsigrok: drop remnants of autoreconf
Yann E. MORIN [Sun, 9 Feb 2020 15:12:40 +0000 (16:12 +0100)]
package/libsigrok: drop remnants of autoreconf

libsigrok has not needed autoreconf since b428801934 (package/libsigrok:
bump version to 0.4.0), 4 years ago now.

As such, we no longer need the autoreconf options, nor the dependency on
the autoconf archive.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bartosz Golaszewski <brgl@bgdev.pl>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Tested-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/sdl2: fix build without threads
Fabrice Fontaine [Tue, 11 Feb 2020 21:44:27 +0000 (22:44 +0100)]
package/sdl2: fix build without threads

- Drop first patch (not needed since bump to version 2.0.10 and
  https://github.com/spurious/SDL-mirror/commit/2601ef1f2d7f998c1d276d1b06cac4ed7feba2e1)
- Add a new patch to fix an outstanding build failure

Fixes:
 - http://autobuild.buildroot.org/results/7f7712c5bd47de4a3fcec1e0d0526fd5a3ecd532

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/eudev: Fix monitor starting for kernels w/o CONFIG_SHMEM
Joel Stanley [Mon, 10 Feb 2020 06:47:42 +0000 (17:17 +1030)]
package/eudev: Fix monitor starting for kernels w/o CONFIG_SHMEM

When the kernel has CONFIG_SHMEM disabled, /dev is a ramfs (instead of a
tmpfs) and the name_to_handle_at system call is not supported. This
causes eudev's monitor application to exit on startup.

Upstream eudev has added this fix which is not yet part of a release.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/kodi-screensaver-asteroids: bump version to 2.3.2
Bernd Kuhls [Thu, 6 Feb 2020 18:19:40 +0000 (19:19 +0100)]
package/kodi-screensaver-asteroids: bump version to 2.3.2

Switched _LICENSE_FILES to debian/copyright.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/kodi-peripheral-steamcontroller: bump version
Bernd Kuhls [Thu, 6 Feb 2020 18:19:39 +0000 (19:19 +0100)]
package/kodi-peripheral-steamcontroller: bump version

Switched _LICENSE_FILES to debian/copyright.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/kodi-peripheral-joystick: bump version to 1.4.9-Leia
Bernd Kuhls [Thu, 6 Feb 2020 18:19:38 +0000 (19:19 +0100)]
package/kodi-peripheral-joystick: bump version to 1.4.9-Leia

Switched _LICENSE_FILES to debian/copyright.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/kodi-inputstream-rtmp: bump version to 2.0.8-Leia
Bernd Kuhls [Thu, 6 Feb 2020 18:19:37 +0000 (19:19 +0100)]
package/kodi-inputstream-rtmp: bump version to 2.0.8-Leia

Switched _LICENSE_FILES to debian/copyright.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/rocksdb: switch to generic-package
Fabrice Fontaine [Tue, 4 Feb 2020 21:13:48 +0000 (22:13 +0100)]
package/rocksdb: switch to generic-package

Switch from cmake-package to generic-package to allow rocksdb to run the
./build_tools/build_detect_platform script and detect compiler options
such as C++17 support for -faligned-new

First patch needs to be updated and second patch can be dropped

Fixes:
 - http://autobuild.buildroot.org/results/22c9909c0d20e3871775f3874f7723910d7e5a41
 - http://autobuild.buildroot.org/results/ab7b2bc9e9653a7093d8b27d4445c28993572ca4

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/sqlcipher: enable back libressl
Fabrice Fontaine [Thu, 13 Feb 2020 20:09:15 +0000 (21:09 +0100)]
package/sqlcipher: enable back libressl

libressl support has been fixed since version 3.4.2 and
https://github.com/sqlcipher/sqlcipher/commit/ce489ebb4788207f27b1641f8d2bfe6b65462260

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/sqlcipher: security bump to version 4.3.0
Fabrice Fontaine [Thu, 13 Feb 2020 18:41:48 +0000 (19:41 +0100)]
package/sqlcipher: security bump to version 4.3.0

>From https://www.zetetic.net/blog/2019/08/14/defcon-sqlite-attacks:

"We strongly recommend that all applications upgrade to SQLCipher 4.2.0
to take advantage of the latest security updates, especially if an
application interacts with non-encrypted databases using SQLCipher."

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>