buildroot.git
4 years ago package/intel-mediasdk: disable samples and tutorials
Fabrice Fontaine [Mon, 22 Feb 2021 17:00:48 +0000 (18:00 +0100)]
package/intel-mediasdk: disable samples and tutorials

Disable samples and tutorials which are enabled by default and fail to
build with gcc 10 without upstream commit:
https://github.com/Intel-Media-SDK/MediaSDK/commit/c7d40371eb0c2042261fe1f91a364f69a1457235

Fixes:
 - http://autobuild.buildroot.org/results/9ee28e5dc0b2ba854766d9bc82b95c28be2722d3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/nodejs: security bump to version v12.21.0
Peter Korsgaard [Thu, 25 Feb 2021 10:26:33 +0000 (11:26 +0100)]
package/nodejs: security bump to version v12.21.0

Fixes the following security issues:

CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion

Affected Node.js versions are vulnerable to denial of service attacks when
too many connection attempts with an 'unknownProtocol' are established.
This leads to a leak of file descriptors.  If a file descriptor limit is
configured on the system, then the server is unable to accept new
connections and the process is also prevented from opening, e.g., a file.
If no file descriptor limit is configured, then this leads to excessive
memory usage and causes the system to run out of memory.

CVE-2021-22884: DNS rebinding in --inspect

Affected Node.js versions are vulnerable to denial of service attacks when
the whitelist includes “localhost6”.  When “localhost6” is not present in
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
over network.  If the attacker controls the victim's DNS server or can spoof
its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain.  As long as the attacker uses the “localhost6” domain,
they can still apply the attack described in CVE-2018-7160.

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/ply: build needs flex and bison
Andreas Klinger [Tue, 23 Feb 2021 18:04:37 +0000 (19:04 +0100)]
package/ply: build needs flex and bison

Building needs flex and bison installed on the host system.

Fixes:
http://autobuild.buildroot.net/results/7cfe75725f4746367f2870ee9545f31ba56f6ec1

Signed-off-by: Andreas Klinger <ak@it-klinger.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/screen: add SCREEN_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 21 Feb 2021 18:21:39 +0000 (19:21 +0100)]
package/screen: add SCREEN_CPE_ID_VENDOR

cpe:2.3:a:gnu:screen is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Ascreen

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/xterm: add XTERM_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 21 Feb 2021 18:11:31 +0000 (19:11 +0100)]
package/xterm: add XTERM_CPE_ID_VENDOR

cpe:2.3:a:invisible-island:xterm is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ainvisible-island%3Axterm

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/python3: security bump to version 3.9.2
Peter Korsgaard [Tue, 23 Feb 2021 13:50:31 +0000 (14:50 +0100)]
package/python3: security bump to version 3.9.2

Fixes the following security issue:

- CVE-2021-23336: urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a
  query args separator
  https://bugs.python.org/issue42967

And fixes a number of issues. For details, see the changelog:
https://docs.python.org/release/3.9.2/whatsnew/changelog.html

Drop the now upstreamed security patch and update the license hash for a
change of copyright year:

-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago support/download: drop sub-second precision in tarball creation
Vincent Fazio [Fri, 19 Feb 2021 21:21:54 +0000 (15:21 -0600)]
support/download: drop sub-second precision in tarball creation

Some download backends, like svn, will provide timestamps with a
sub-second precision, e.g.

    $ svn info --show-item last-changed-date [...]
    2021-02-19T20:22:34.889717Z

However, the PAX headers do not accept sub-second precision, leading to
failure to download from subversion:

    tar: Time stamp is out of allowed range
    tar: Exiting with failure status due to previous errors
    make[1]: *** [package/pkg-generic.mk:148: [...]/build/subversion-1886712/.stamp_downloaded] Error 1

Fix that by massaging the timestamp to drop the sub-second part. We
do that in the generic helper, rather than the svn backend, so that
all callers to the generic helper benefit from this, as this is more
an internal detail of the tarball limitations than of the backends
themselves.

Reported-by: Roosen Henri <Henri.Roosen@ginzinger.com>
Signed-off-by: Vincent Fazio <vfazio@xes-inc.com>
[yann.morin.1998@free.fr:
  - add Henri as reporter
  - move it out of the svn backend, and to the generic helper
  - reword the commit log accordingly
  - use an explicit time format rather than -Iseconds
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/bind: security bump to version 9.11.28
Peter Korsgaard [Thu, 18 Feb 2021 08:22:26 +0000 (09:22 +0100)]
package/bind: security bump to version 9.11.28

Fixes the following security issue:

- CVE-2020-8625: When tkey-gssapi-keytab or tkey-gssapi-credential was
  configured, a specially crafted GSS-TSIG query could cause a buffer
  overflow in the ISC implementation of SPNEGO (a protocol enabling
  negotiation of the security mechanism to use for GSSAPI authentication).
  This flaw could be exploited to crash named.  Theoretically, it also
  enabled remote code execution, but achieving the latter is very difficult
  in real-world conditions.

For details, see the advisory:
https://kb.isc.org/docs/cve-2020-8625

In addition, 9.11.26-27 fixed a number of issues, see the release notes for
details:
https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html

Drop now upstreamed patches, update the GPG key for the 2021-2022 variant
and update the COPYRIGHT hash for a change of year:

-Copyright (C) 1996-2020  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2021  Internet Systems Consortium, Inc. ("ISC")

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/fakeroot: fix glibc detection on patch for new wrappers
Ryan Barnett [Sun, 21 Feb 2021 22:38:27 +0000 (16:38 -0600)]
package/fakeroot: fix glibc detection on patch for new wrappers

Commit f45925a951318e9e53bead80b363e004301adc6f added the patch:

0003-libfakeroot.c-add-wrappers-for-new-glibc-2.33-symbol.patch

which allowed fakeroot to be compiled with GLIBC 2.33 or above.
However, this introduced a bug for building with a non-GLIBC based
toolchain as a GLIBC macro - __GLIBC_PREREQ - is used on the same line
as the detection of GLIBC.

Fix this by backporting the fix to this incorrect macro from upstream
commit:

https://salsa.debian.org/clint/fakeroot/-/commit/8090dffdad8fda86dccd47ce7a7db8840bdf7d7b

CC: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/unbound: bump to version 1.13.1
Stefan Ott [Sun, 21 Feb 2021 00:47:50 +0000 (01:47 +0100)]
package/unbound: bump to version 1.13.1

This release contains a number of bug fixes. There is added support
for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID
option (RFC 5001). Unbound control has added commands to enable and
disable rpz processing. Reply callbacks have a start time passed to
them that can be used to calculate time, these are callbacks for
response processing. With the option serve-original-ttl the TTL served
in responses is the original, not counted down, value, for when in
front of authority service.

https://github.com/NLnetLabs/unbound/releases/tag/release-1.13.1

Signed-off-by: Stefan Ott <stefan@ott.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/irqbalance: fix irqbalance/irqbalance-ui socket communication
Peter Seiderer [Sat, 20 Feb 2021 23:12:24 +0000 (00:12 +0100)]
package/irqbalance: fix irqbalance/irqbalance-ui socket communication

Add patch to fix irqbalance/irqbalance-ui socket communication by
fixing uint64_t printf format usage.

Fixes:

  $ irqbalance-ui
  Invalid data sent.  Unexpected token: (null)TYPE

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
  - do an actual backport as upstream applied the patch
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/open62541: fix library version definition
Scott Fan [Sat, 20 Feb 2021 16:27:14 +0000 (00:27 +0800)]
package/open62541: fix library version definition

Manually specified version must start with letter 'v',
otherwise, the generated version macro will be zero
in the <build_dir>/src_generated/open62541/config.h file:
  #define UA_OPEN62541_VER_MAJOR 0
  #define UA_OPEN62541_VER_MINOR 0
  #define UA_OPEN62541_VER_PATCH 0

Reference from the following link:
https://open62541.org/doc/current/building.html

Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago support/scripts/boot-qemu-image.py: properly catch timeout
Romain Naour [Sat, 20 Feb 2021 16:56:04 +0000 (17:56 +0100)]
support/scripts/boot-qemu-image.py: properly catch timeout

As reported on IRC by sephthir, the gitlab test of the defconfig
qemu_sparc_ss10_defconfig doesn't error out while the system
is not working properly.

This is because we explicitly wait for the timeout as an expected
condition, but do not check for it. Indeed, pexpect.expect() returns
the index of the matching condition in the list of expected conditions,
but we just ignore the return code, so we are not able to differentiate
between a successful login (or prompt) from a timeout.

By default, pexpect.expect() raises the pexpect.TIMEOUT exception on a
timeout, and we are already prepared to catch and handle that exception.
But because pexpect.TIMEOUT is passed as an expected condition, the
exception is not raised.

Remove pexpect.TIMEOUT from the list of expected conditions, so that the
exception is properly raised again, and so that we can catch it.

The qemu_sparc_ss10_defconfig is already fixed by
4d16e6f5324f0285f51bfbb5a3503584f3b3ad12.

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/irqbalance: fix sysv startup script (add mkdir /run/irqbalance)
Peter Seiderer [Sat, 20 Feb 2021 16:33:48 +0000 (17:33 +0100)]
package/irqbalance: fix sysv startup script (add mkdir /run/irqbalance)

- add mkdir -p /run/irqbalance to sysv startup script needed to
  create socket /run/irqbalance/irqbalance<pid>.sock

Fixes:

  - Bug 13541 [1]

  daemon.warn /usr/sbin/irqbalance: Daemon couldn't be bound to the file-based socket.

[1] https://bugs.busybox.net/show_bug.cgi?id=13541

Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: only create in start case]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/irqbalance: fix systemd startup script (add RuntimeDirectory)
Peter Seiderer [Sat, 20 Feb 2021 16:33:49 +0000 (17:33 +0100)]
package/irqbalance: fix systemd startup script (add RuntimeDirectory)

- add RuntimeDirectory=irqbalance to create /run/irqbalance needed to
  create socket /run/irqbalance/irqbalance<pid>.sock

Fixes:

  - Bug 13541 [1]

  /usr/sbin/irqbalance[158]: Daemon couldn't be bound to the file-based socket.

[1] https://bugs.busybox.net/show_bug.cgi?id=13541

Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago DEVELOPERS: remove Scott Fan
Scott Fan [Sat, 20 Feb 2021 16:43:31 +0000 (00:43 +0800)]
DEVELOPERS: remove Scott Fan

Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago utils/scanpypi: use python3 explicitly
Thomas Petazzoni [Tue, 16 Feb 2021 21:45:12 +0000 (22:45 +0100)]
utils/scanpypi: use python3 explicitly

scanpypi is python3 compatible. In addition, it executes the setup.py
of Python modules to extract the relevant information. Since these are
more and more commonly using python3 constructs, using "python" to run
scanpypi causes problems on systems that have python2 installed as
python, when trying to parse setup.py scripts with python3 constructs.

Fixes part of #13516.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/taglib: drop config options to enable MP4/ASF support
Jörg Krause [Wed, 17 Feb 2021 07:44:02 +0000 (08:44 +0100)]
package/taglib: drop config options to enable MP4/ASF support

Both options were removed in git commit dd846904cbc1ef3ee628d77f0c9df88ef8967816
back in year 2011.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
[yann.morin.1998@free.fr: drop the legacy handling]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/rust: disable ninja
Romain Naour [Wed, 17 Feb 2021 23:24:11 +0000 (00:24 +0100)]
package/rust: disable ninja

Ninja has recently been enabled as the default build system to build
llvm fork for rust compiler [1]. But we can still use Make if
"ninja = false" is provided in config.toml.

Ninja support can be enabled by a following patch.

[1] https://github.com/rust-lang/rust/commit/30b7dac745b1555cd96f41977f7d24435cbe7fa2

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1019386205

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/cegui: use plain assignment for first _CONF_OPTS
Bartosz Bilas [Thu, 18 Feb 2021 17:59:05 +0000 (18:59 +0100)]
package/cegui: use plain assignment for first _CONF_OPTS

Commit 689b9c1a7cf5 (package/cegui: disable xerces support) added
an unconditional assignment to _CONF_OPTS before all the conditional
ones, but used the append-assignment instead of the traditional plain
assignment.

Fix that by removing the append-assignment.

Use that opportunity to also move the first item of this multi-line
assignment, to its own line.

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr:
  - reference the exact commit that introduced the issue
  - also move the first item to its own line
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/python-django: security bump to version 3.0.13
Peter Korsgaard [Fri, 19 Feb 2021 09:59:41 +0000 (10:59 +0100)]
package/python-django: security bump to version 3.0.13

Fixes the following security issue:

- CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

  Django contains a copy of urllib.parse.parse_qsl() which was added to
  backport some security fixes.  A further security fix has been issued
  recently such that parse_qsl() no longer allows using ; as a query
  parameter separator by default.  Django now includes this fix.  See
  bpo-42967 for further details.

For more details, see the advisory:
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
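
Added example, not part of this commit log or of Python's or Django's code: the separator change behind CVE-2021-23336 (the python3 and python-django bumps above), shown as a log check that flags query strings which a `;`-splitting parser and an `&`-only parser read differently. All function names and the request lines are constructed for illustration; it needs a Python whose parse_qsl() accepts the `separator` argument.

```python
from urllib.parse import parse_qsl

# Constructed access-log request lines (sample data, not from any real system).
SAMPLE_REQUESTS = [
    "GET /search?q=shoes&page=2 HTTP/1.1",
    "GET /search?q=a%3Bb&page=2 HTTP/1.1",
    "GET /item?id=1&note=x;id=2 HTTP/1.1",
    "GET /health HTTP/1.1",
]


def parse_fixed(query):
    """Behaviour after the fix: only '&' separates parameters."""
    return parse_qsl(query, keep_blank_values=True, separator="&")


def parse_legacy(query):
    """Model of the pre-fix behaviour: '&' and ';' both separate parameters.

    The old code split the raw string before percent-decoding, so an encoded
    '%3B' was never a separator; replacing only the literal ';' keeps that.
    """
    return parse_qsl(query.replace(";", "&"), keep_blank_values=True, separator="&")


def _group(pairs):
    """Collect (name, value) pairs into {name: [values, ...]}."""
    grouped = {}
    for name, value in pairs:
        grouped.setdefault(name, []).append(value)
    return grouped


def disagreement(query):
    """Names of parameters whose values differ between the two parsers."""
    fixed, legacy = _group(parse_fixed(query)), _group(parse_legacy(query))
    return sorted(n for n in fixed.keys() | legacy.keys() if fixed.get(n) != legacy.get(n))


def flag_requests(lines):
    """Return (line_number, path, names) for requests two components could read differently."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 2 or "?" not in parts[1]:
            continue  # malformed line or no query string
        path, _, query = parts[1].partition("?")
        names = disagreement(query)
        if names:
            flagged.append((number, path, names))
    return flagged


if __name__ == "__main__":
    for number, path, names in flag_requests(SAMPLE_REQUESTS):
        print(f"line {number}: {path} parses differently for {', '.join(names)}")
```

A flagged line is one where a cache and the application behind it could disagree about the request's parameters if only one of them has the fix.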
4 years ago package/botan: fix build with -latomic
Fabrice Fontaine [Fri, 19 Feb 2021 19:38:24 +0000 (20:38 +0100)]
package/botan: fix build with -latomic

Static build with toolchains needing -latomic (e.g. sparc) is broken
since version 2.17.0 and
https://github.com/randombit/botan/commit/88af81b88976d9a1293280f68df597220ab42767

Fixes:
 - http://autobuild.buildroot.org/results/5c03ee53a34a3cdb409cffcda76e5cc2c723778b

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/libselinux: fix build with musl 1.2.2
Fabrice Fontaine [Fri, 19 Feb 2021 19:30:30 +0000 (20:30 +0100)]
package/libselinux: fix build with musl 1.2.2

Fixes:
 - http://autobuild.buildroot.org/results/34b010e76d65cf1d79ef53207cbc00a86674e17a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago package/libusb: apply upstream patch to fix descriptor parsing
John Keeping [Fri, 19 Feb 2021 12:18:27 +0000 (12:18 +0000)]
package/libusb: apply upstream patch to fix descriptor parsing

v1.0.24 of libusb has a bug in the Linux backend where it fails to
enumerate any device with more than one configuration.  Backport the
upstream patch which fixes this as otherwise libusb based applications
are unable to communicate with any devices advertising more than one
configuration.

Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years ago docs/website: update for 2020.02.11
Peter Korsgaard [Wed, 17 Feb 2021 20:04:31 +0000 (21:04 +0100)]
docs/website: update for 2020.02.11

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago Update for 2020.02.11
Peter Korsgaard [Wed, 17 Feb 2021 19:36:28 +0000 (20:36 +0100)]
Update for 2020.02.11

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 08e03785d3812c085c438a6040ccedc3e9f5809d)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago docs/website: update for 2020.11.3
Peter Korsgaard [Wed, 17 Feb 2021 18:44:35 +0000 (19:44 +0100)]
docs/website: update for 2020.11.3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago Update for 2020.11.3
Peter Korsgaard [Wed, 17 Feb 2021 18:24:35 +0000 (19:24 +0100)]
Update for 2020.11.3

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 610e67b1fc4ac44e0c4a7ba437c917ad6d63f481)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago Update for 2021.02-rc2
Peter Korsgaard [Wed, 17 Feb 2021 16:50:16 +0000 (17:50 +0100)]
Update for 2021.02-rc2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/perl-extutils-pkgconfig: set PATH to BR_PATH
Fabrice Fontaine [Wed, 17 Feb 2021 06:49:49 +0000 (07:49 +0100)]
package/perl-extutils-pkgconfig: set PATH to BR_PATH

Set PATH to BR_PATH to allow perl-extutils-pkgconfig to find pkg-config
binary

Fixes:
 - http://autobuild.buildroot.org/results/d87787fbf2a8cb9bbaa3b59d1e8004ad1459536a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/libopenssl: security bump to version 1.1.1j
Peter Korsgaard [Tue, 16 Feb 2021 19:31:34 +0000 (20:31 +0100)]
package/libopenssl: security bump to version 1.1.1j

Fixes the following security issues:

- CVE-2021-23841: Null pointer deref in X509_issuer_and_serial_hash()

  The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate.  However it fails to correctly
  handle any errors that may occur while parsing the issuer field (which
  might occur if the issuer field is maliciously constructed).  This may
  subsequently result in a NULL pointer deref and a crash leading to a
  potential denial of service attack.

  The function X509_issuer_and_serial_hash() is never directly called by
  OpenSSL itself so applications are only vulnerable if they use this
  function directly and they use it on certificates that may have been
  obtained from untrusted sources.

- CVE-2021-23839: Incorrect SSLv2 rollback protection

  OpenSSL 1.0.2 supports SSLv2.  If a client attempts to negotiate SSLv2
  with a server that is configured to support both SSLv2 and more recent SSL
  and TLS versions then a check is made for a version rollback attack when
  unpadding an RSA signature.  Clients that support SSL or TLS versions
  greater than SSLv2 are supposed to use a special form of padding.  A
  server that supports greater than SSLv2 is supposed to reject connection
  attempts from a client where this special form of padding is present,
  because this indicates that a version rollback has occurred (i.e.  both
  client and server support greater than SSLv2, and yet this is the version
  that is being requested).

  The implementation of this padding check inverted the logic so that the
  connection attempt is accepted if the padding is present, and rejected if
  it is absent.  This means that such a server will accept a connection if
  a version rollback attack has occurred.  Further the server will
  erroneously reject a connection if a normal SSLv2 connection attempt is
  made.

  OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable
  to this issue.  The underlying error is in the implementation of the
  RSA_padding_check_SSLv23() function.  This also affects the
  RSA_SSLV23_PADDING padding mode used by various other functions.  Although
  1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still
  exists, as does the RSA_SSLV23_PADDING padding mode.  Applications that
  directly call that function or use that padding mode will encounter this
  issue.  However since there is no support for the SSLv2 protocol in 1.1.1
  this is considered a bug and not a security issue in that version.

- CVE-2021-23840: Integer overflow in CipherUpdate

  Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may
  overflow the output length argument in some cases where the input length
  is close to the maximum permissible length for an integer on the platform.
  In such cases the return value from the function call will be 1
  (indicating success), but the output length value will be negative.  This
  could cause applications to behave incorrectly or crash.

For more details, see the advisory:
https://www.openssl.org/news/secadv/20210216.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago support/scripts/pkg-stats: add ignored_cves to json output
Heiko Thiery [Thu, 11 Feb 2021 09:29:10 +0000 (10:29 +0100)]
support/scripts/pkg-stats: add ignored_cves to json output

Add the list of <pkg>_IGNORE_CVES to the json output to show that we have a
known cause (available patch or the CVE is not valid for our package
configuration) that an affected CVE is not reported.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years ago package/openblas: fix detection of gfortran compiler
Thomas De Schampheleire [Fri, 12 Feb 2021 09:15:10 +0000 (10:15 +0100)]
package/openblas: fix detection of gfortran compiler

The compiler detection since openblas 0.3.8 added support for gcc 10, but
this broke detection of compilers created with crosstool-ng, or other
toolchains that have a package version containing a version like x.y.z where
at least one of x, y or z have more than one digit, for example
"Crosstool-NG 1.24.0".

See the reported issue for more details [1].

Backport the upstream patch that fixes it.

[1] https://github.com/xianyi/OpenBLAS/issues/3099

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years ago package/openblas: allow disabling multithreading
Thomas De Schampheleire [Fri, 12 Feb 2021 09:15:09 +0000 (10:15 +0100)]
package/openblas: allow disabling multithreading

Buildroot would automatically enable multithreading in OpenBLAS if the
architecture supports it. However, one may want to avoid OpenBLAS creating
threads itself and configure single-threaded operation. To accommodate this
use case, add a config option for multithreading.

When multithreading is disabled but OpenBLAS functions are called in the
same application by multiple threads, then locking is mandatory. The
USE_LOCKING flag was added in version 0.3.7 with following release note:

    a new option USE_LOCKING was added to ensure thread safety when OpenBLAS
    itself is built without multithreading but will be called from multiple
    threads.

However, if one knows that OpenBLAS will only be called from single-threaded
applications, then passing USE_LOCKING is not necessary, so make it a config
option too.

When multithreading is enabled, locking is implicitly enabled inside
openblas, so only provide the locking option when multithreading is
disabled.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years ago package/flashrom: fix build on riscv
Fabrice Fontaine [Sun, 7 Feb 2021 19:57:33 +0000 (20:57 +0100)]
package/flashrom: fix build on riscv

Retrieve an upstream patch to fix build with riscv as it fails to
retrieve architecture due to "Use sigaction with SA_RESTART instead"
being caught before riscv:

exec: export LC_ALL=C ; { /home/fabrice/buildroot/output/host/bin/riscv32-linux-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -E archtest.c 2>/dev/null | grep -v ^# | grep ' | cut -f 2 -d' ; }
Use sigaction with SA_RESTART instead
riscv

Fixes:
 - http://autobuild.buildroot.org/results/61ac6c9bfcd3bd9306aa49faf47b9f16e5abe846

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
4 years ago package/gdk-pixbuf: fix static build
Fabrice Fontaine [Sun, 7 Feb 2021 17:56:12 +0000 (18:56 +0100)]
package/gdk-pixbuf: fix static build

Fix static build failure which is raised since the switch to
meson-package in commit a7b51ed3013c919b293deb95299e33363fb9df70

Fixes:
 - http://autobuild.buildroot.org/results/6cd54c497f5d19342ec94ece713547b887e4c02d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: add link to upstream MR]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
4 years ago package/wpewebkit: bump version to 2.30.5
Peter Korsgaard [Tue, 16 Feb 2021 19:16:50 +0000 (20:16 +0100)]
package/wpewebkit: bump version to 2.30.5

Bugfix release, fixing a number of issues:

- Fix RunLoop objects leaked in worker threads.
- Fix JavaScriptCore AArch64 LLInt build with JIT disabled.
- Use Internet Explorer quirk for Google Docs.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/webkitgtk: security bump to version 2.30.5
Peter Korsgaard [Tue, 16 Feb 2021 19:16:49 +0000 (20:16 +0100)]
package/webkitgtk: security bump to version 2.30.5

Fixes the following security issue:

- CVE-2020-13558: Processing maliciously crafted web content may lead to
  arbitrary code execution.  Description: A use after free issue in the
  AudioSourceProviderGStreamer class was addressed with improved memory
  management

For more details, see the advisory:
https://webkitgtk.org/security/WSA-2021-0001.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/perl-gd: provide gd options
Fabrice Fontaine [Fri, 12 Feb 2021 06:39:44 +0000 (07:39 +0100)]
package/perl-gd: provide gd options

Now that gdlib-config is gone, provide the GD options otherwise perl-gd
will assume that everything is available:

$features = 'GD_GIF GD_GIFANIM GD_OPENPOLYGON GD_ZLIB GD_PNG GD_FREETYPE GD_FONTCONFIG GD_JPEG GD_XPM GD_TIFF GD_WEBP';

Also, while at it, also make some of the dependencies as optional as
suggested by François Perrad

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Francois Perrad <francois.perrad@gadz.org> (with
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
4 years ago package/perl-gd: needs perl-extutils-pkgconfig
Fabrice Fontaine [Fri, 12 Feb 2021 06:39:43 +0000 (07:39 +0100)]
package/perl-gd: needs perl-extutils-pkgconfig

Commit 3a291be2e89bc64388c10dae50233c751a86733d forgot to add
perl-extutils-pkgconfig dependency

Fixes:
 - http://autobuild.buildroot.org/results/e590f1990180eae21512b23b884755e105a4c588

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
4 years ago package/perl-extutils-pkgconfig: new package
Fabrice Fontaine [Fri, 12 Feb 2021 06:39:42 +0000 (07:39 +0100)]
package/perl-extutils-pkgconfig: new package

host-perl-extutils-pkgconfig is needed by perl-gd to find gd in version
2.3.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Francois Perrad <francois.perrad@gadz.org>
[Arnout:
 - remove Config.in - it's host-only
 - add DEVELOPERS entry
 - use HOST_PERL_EXTUTILS_PKGCONFIG_DEPENDENCIES]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
4 years ago package/tzdate: use classic 'fat' format for uClibc/glibc compatibility
Peter Korsgaard [Mon, 15 Feb 2021 18:57:09 +0000 (19:57 +0100)]
package/tzdate: use classic 'fat' format for uClibc/glibc compatibility

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1019385940

FAIL: test_run (tests.core.test_timezone.TestGlibcNonDefaultLimitedTimezone)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builds/buildroot.org/buildroot/support/testing/tests/core/test_timezone.py", line 66, in test_run
    self.assertEqual(tz[0].strip(), "EST")
AssertionError: '' != 'EST'

Commit 7868289fd5348 (package/zic: bump version to 2020f) bumped the zic
version to 2020f, which changed the default output format from the classic
"fat" format to the new "slim" format:

https://github.com/eggert/tz/commit/6ba6f2117b95eab345a7ed9159cef939e30c4cd3

The slim format is unfortunately not supported by glibc < 2.28 or uClibc, so
explicitly request the classic "fat" format.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
4 years ago package/uboot-tools: depend on u-boot when selected
Thomas De Schampheleire [Tue, 16 Feb 2021 14:20:07 +0000 (15:20 +0100)]
package/uboot-tools: depend on u-boot when selected

Currently, the envimage creation logic only depends on u-boot when the
user does not specify a custom envimage source via
BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE. This assumes that the
user-provided envimage source is not coming from the u-boot source
tree.

But especially given the fact that the envimage creation logic used to
be part of the u-boot package, this is a realistic scenario: users may
have provided a value of BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE
based on $(UBOOT_DIR), e.g.:

    $(UBOOT_DIR)/board/foo-vendor/bar-board/env.txt

Therefore, always add the u-boot dependency if u-boot is selected, for
either case of custom or default envimage source.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Thomas: re-organize code a bit.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years ago support/scripts/cpedb.py: remove import pickle
Arnout Vandecappelle (Essensium/Mind) [Tue, 16 Feb 2021 20:12:33 +0000 (21:12 +0100)]
support/scripts/cpedb.py: remove import pickle

pickle is no longer used since 09a71e6a75636

Fixes:
support/scripts/cpedb.py:7:1: F401 'pickle' imported but unused

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
4 years agopackage/gstreamer1/gst1-python: needs gst1-plugins-base
Fabrice Fontaine [Sun, 10 Jan 2021 19:06:16 +0000 (20:06 +0100)]
package/gstreamer1/gst1-python: needs gst1-plugins-base

gst1-plugins-base is a mandatory dependency since at least version
1.9.90 and
https://github.com/GStreamer/gst-python/commit/16f971226df1980b58ebde330123debaaf3b53d0

Fixes:
 - http://autobuild.buildroot.org/results/48b22c66c3a610d70931b9adfd6e5082bb3ff3d1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/lcms2: disable tiff
Fabrice Fontaine [Mon, 15 Feb 2021 17:28:48 +0000 (18:28 +0100)]
package/lcms2: disable tiff

tiff is only used by tificc sample and upstream rejected the patch to
fix the static build failure because "adding pkg-config dependency for a
sample is an overkill": https://github.com/mm2/Little-CMS/pull/244

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoRevert "package/lcms2: fix static building with tiff"
Fabrice Fontaine [Mon, 15 Feb 2021 17:28:47 +0000 (18:28 +0100)]
Revert "package/lcms2: fix static building with tiff"

This reverts commit 7e4f054d2347708c9e22fe84c1d5f374d5b343cd.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/collectd: add 'synproxy' option
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:32 +0000 (14:54 +0100)]
package/collectd: add 'synproxy' option

The synproxy plugin exists since 5.8.0 and is enabled by default in
collectd.

Add an option in Buildroot, disabled by default.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/collectd: add 'logparser' option
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:31 +0000 (14:54 +0100)]
package/collectd: add 'logparser' option

The logparser plugin is new since 5.11.0 and enabled by default in
collectd.

Add an option in Buildroot, disabled by default.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/collectd: add 'mdevents' option
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:30 +0000 (14:54 +0100)]
package/collectd: add 'mdevents' option

The mdevents plugin is new since 5.12.0 and enabled by default in
collectd.

Add an option in Buildroot, disabled by default.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/collectd: add 'infiniband' option
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:28 +0000 (14:54 +0100)]
package/collectd: add 'infiniband' option

The infiniband plugin is new since 5.12.0 and enabled by default in
collectd.

Add an option in Buildroot, disabled by default.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/orc: fix powerpc build with headers < 4.11
Fabrice Fontaine [Mon, 15 Feb 2021 19:27:56 +0000 (20:27 +0100)]
package/orc: fix powerpc build with headers < 4.11

Autobuilder failures are raised with bootlin toolchains but it affects
orc since version 0.4.30

Fixes:
 - http://autobuild.buildroot.org/results/0821e96cba3e455edd47b87485501d892fc7ac6a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/ebtables: install symlink to ebtables-legacy
Thomas De Schampheleire [Tue, 16 Feb 2021 11:58:01 +0000 (12:58 +0100)]
package/ebtables: install symlink to ebtables-legacy

Since the upgrade of ebtables from 2.0.10-4 to 2.0.11, there no longer is an
'ebtables' binary. It has been renamed to 'ebtables-legacy' and moved from
'/sbin' to '/usr/sbin'. This change is part of the upstream change to
integrate the functionality of ebtables (and arptables) in the iptables
package, using the nf_tables kernel backend [1].

Unfortunately, the renaming (and move) of the original 'ebtables' binary
breaks existing scripts that are calling 'ebtables' or '/sbin/ebtables'.
Therefore, add a symlink from the original path to 'ebtables-legacy'.

However, do not provide this symlink if BR2_PACKAGE_IPTABLES_NFTABLES is
enabled. In this case, the iptables package will build the new equivalent
of ebtables -- a symlink to ebtables-legacy would cause conflicts.

[1] https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/tcpdump: remove duplicated binary
Thomas De Schampheleire [Tue, 16 Feb 2021 12:50:30 +0000 (13:50 +0100)]
package/tcpdump: remove duplicated binary

Since tcpdump 4.99.0, the 'tcpdump' binary is no longer installed in
/usr/sbin but in /usr/bin. This change invalidates the Buildroot hook
'TCPDUMP_REMOVE_DUPLICATED_BINARY', causing a fairly large rootfs size
increase as a result.

Update the path inside this hook.

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/mongoose: add MONGOOSE_CPE_ID_VENDOR
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:56 +0000 (09:07 +0100)]
package/mongoose: add MONGOOSE_CPE_ID_VENDOR

cpe:2.3:a:cesanta:mongoose is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acesanta%3Amongoose

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/mongoose: security bump to version 7.1
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:55 +0000 (09:07 +0100)]
package/mongoose: security bump to version 7.1

- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
  Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
  connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
  to remote OOB write attack via connection request after exhausting
  memory pool.
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
  server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
  write attack via connection request after exhausting memory pool.

https://github.com/cesanta/mongoose/releases/tag/7.1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/mongoose: fix activation of openssl/mbedtls
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:54 +0000 (09:07 +0100)]
package/mongoose: fix activation of openssl/mbedtls

MG_ENABLE_SSL and MG_SSL_IF have been dropped since version 7.0 and
https://github.com/cesanta/mongoose/commit/f2fba1d2004c5ddf2fc0a7ca8dc75b5f78feed85

So use the new MG_ENABLE_OPENSSL and MG_ENABLE_MBEDTLS variables

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoDEVELOPERS: drop Rahul Jain, user no longer exists
Thomas Petazzoni [Tue, 16 Feb 2021 08:44:16 +0000 (09:44 +0100)]
DEVELOPERS: drop Rahul Jain, user no longer exists

<rahul.jain@imgtec.com>: host mxa-00376f01.gslb.pphosted.com[185.132.180.163]
    said: 550 5.1.1 User Unknown (in reply to RCPT TO command)

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agoDEVELOPERS: drop Guillaume Gardet, domain no longer exists
Thomas Petazzoni [Tue, 16 Feb 2021 08:30:21 +0000 (09:30 +0100)]
DEVELOPERS: drop Guillaume Gardet, domain no longer exists

The oliseo.fr domain no longer responds to SMTP requests:

smtplib.SMTPRecipientsRefused: {'Guillaume Gardet <guillaume.gardet@oliseo.fr>': (550, b'5.1.2 <guillaume.gardet@oliseo.fr>: Recipient address rejected: Domain not found')}

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/fakeroot: add upstream patches to fix glibc 2.33 compatibility
Jörg Krause [Mon, 15 Feb 2021 13:47:31 +0000 (14:47 +0100)]
package/fakeroot: add upstream patches to fix glibc 2.33 compatibility

Glibc 2.33 removed `_STAT_VER`. On host machines, which updated to glibc
2.33, building host-fakeroot breaks:

```
In file included from communicate.h:20,
                 from libfakeroot.c:60:
libfakeroot.c: In function ‘chown’:
libfakeroot.c:99:40: error: ‘_STAT_VER’ undeclared (first use in this function)
   99 | #define INT_NEXT_STAT(a,b) NEXT_STAT64(_STAT_VER,a,b)
```

The issue has been discussed on some package maintainer threads, e.g.:
https://bugs.archlinux.org/task/69572
https://bugzilla.redhat.com/show_bug.cgi?id=1889862#c13

A patch series was prepared by Ilya Lipnitskiy which included two other
patches not related to the glibc 2.33 compatibility issue and submitted as
merge request for upstream:
https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg57280.html

Upstream accepted the merge request:
https://salsa.debian.org/clint/fakeroot/-/merge_requests/10

Note that this patch series only contains the necessary patches for glibc
2.33 compatibility.

Tested on my Arch Linux machine, building a UBIFS/OverlayFS-based root
filesystem for an i.MX6ULL target board.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Tested-by: Bartosz Bilas <b.bilas@grinn-global.com>
[Peter: drop patch numbering (PATCH x/y) as pointed out by check-package]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/libgpg-error: fix build without threads
Fabrice Fontaine [Mon, 15 Feb 2021 17:26:36 +0000 (18:26 +0100)]
package/libgpg-error: fix build without threads

Fix build without threads of libgpg-error in version >= 1.40

Fixes:
 - http://autobuild.buildroot.org/results/3344c96e5627a9327b0eabe0b27f34490bbabc0d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/ne10: disable unit tests and examples
Fabrice Fontaine [Mon, 15 Feb 2021 17:45:43 +0000 (18:45 +0100)]
package/ne10: disable unit tests and examples

Unit tests fail to build with gcc 10 on:

[100%] Linking C executable NE10_dsp_unit_test_smoke
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-none-linux-gnu/10.2.1/../../../../aarch64-none-linux-gnu/bin/ld: CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_suite_fft_float32.c.o:(.bss+0x0): multiple definition of `seatest_simple_test_result'; CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_main.c.o:(.bss+0x0): first defined here

So just disable them and, while at it, also disable examples which are
also enabled by default

Fixes:
 - http://autobuild.buildroot.org/results/c658d52668825c26a15d6ac3ca538472cad5cd78

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/jasper: security bump version to 2.0.25
Michael Vetter [Mon, 15 Feb 2021 10:45:28 +0000 (11:45 +0100)]
package/jasper: security bump version to 2.0.25

Changes:

* Fix memory-related bugs in the JPEG-2000 codec resulting from
  attempting to decode invalid code streams. (#264, #265)
  This fix is associated with CVE-2021-26926 and CVE-2021-26927.
* Fix wrong return value under some compilers (#260)
* Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agosupport/scripts/cpedb.py: drop CPE XML database caching
Thomas Petazzoni [Sat, 13 Feb 2021 22:19:48 +0000 (23:19 +0100)]
support/scripts/cpedb.py: drop CPE XML database caching

Currently, the CPE XML database is parsed into a Python dict, which is
then pickled into a local file, to speed up the processing of further
invocations.

However, it turns out that since the initial implementation, we have
switched the XML parsing from the out of tree xmltodict module to the
standard ElementTree one, which has made the parsing much faster. The
pickle caching only saves 6 seconds, on something that takes more than
13 minutes total.

In addition, this pickle caching consumes a significant amount of RAM,
causing the Python process to be OOM-killed on a server with 4 GB of
RAM.

So let's just drop this caching entirely.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/ply: fix dependencies of comment for dependencies
Yann E. MORIN [Sun, 14 Feb 2021 08:22:16 +0000 (09:22 +0100)]
package/ply: fix dependencies of comment for dependencies

Commits ca1afcb2171f (package/ply: needs headers >= 4.14) and
debe9eb13ebd (package/ply: needs dynamic library) added restrictions
on the availability of ply. The first forgot to add a comment, and
the second mis-handled the dependency on the headers version.

Indeed, we want the comment to show the requirement on the headers
version (since that is not a hardware dependency).

Fix this comment to include the headers version, and fix the condition
accordingly.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Andreas Klinger <ak@it-klinger.de>
4 years agopackage/dnsmasq: bump version to 2.84
Peter Seiderer [Wed, 10 Feb 2021 23:16:40 +0000 (00:16 +0100)]
package/dnsmasq: bump version to 2.84

Bugfix release, fixing a regression introduced in 2.83.  For more details,
see the announcement:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014640.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8fcdd2023ee6bc2efd96a3b43fec103f2afa0e2f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/mpd: fix build of GenParseName
Fabrice Fontaine [Mon, 1 Feb 2021 07:41:01 +0000 (08:41 +0100)]
package/mpd: fix build of GenParseName

Fix build of GenParseName which has been added in version 0.22:
https://github.com/MusicPlayerDaemon/MPD/commit/fa45a8adfa44f6bc815ae7428770112c15c76d73

Fixes:
 - http://autobuild.buildroot.org/results/871e1362c44e5b68a149e6a5dd3caf99ea0d904a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/libgeos: fix build failure due to Gcc Bug 68485
Giulio Benetti [Fri, 12 Feb 2021 22:42:38 +0000 (23:42 +0100)]
package/libgeos: fix build failure due to Gcc Bug 68485

Package libgeos manifests Microblaze Gcc Bug 68485 resulting in a build
failure due to an Internal Compiler Error.

As done for other packages in Buildroot work around this Gcc Bug by
setting optimization to -O0 if BR2_TOOLCHAIN_HAS_GCC_BUG_68485=y.

Fixes:
http://autobuild.buildroot.net/results/0da/0daa6b259aea5381fad86d01e6dd026b1c8ad073/

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/wireshark: security bump to version 3.4.3
Fabrice Fontaine [Fri, 12 Feb 2021 21:57:24 +0000 (22:57 +0100)]
package/wireshark: security bump to version 3.4.3

The following vulnerabilities have been fixed:
 - wnpa-sec-2021-01 USB HID dissector memory leak. Bug 17124.
   CVE-2021-22173.
 - wnpa-sec-2021-02 USB HID dissector crash. Bug 17165. CVE-2021-22174.

https://www.wireshark.org/docs/relnotes/wireshark-3.4.3.html

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agosupport/testing: TestATFAllwinner needs python3 for u-boot
Sergey Matyukevich [Sat, 13 Feb 2021 18:22:30 +0000 (21:22 +0300)]
support/testing: TestATFAllwinner needs python3 for u-boot

New U-Boot version needs Python 3.x for pylibfdt.

Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/1019385909

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/lcms2: fix static building with tiff
Fabrice Fontaine [Fri, 12 Feb 2021 20:00:06 +0000 (21:00 +0100)]
package/lcms2: fix static building with tiff

Strangely enough, we have only one build failure on the autobuilder even
if lcms2 never used pkg-config to retrieve static dependencies of tiff
(which also depends on xz since 2016)

Fixes:
 - http://autobuild.buildroot.org/results/07c5ca780bcdbfcd7cad6502345f1553ce17bdc3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/ply: needs dynamic library
Andreas Klinger [Sat, 13 Feb 2021 19:05:23 +0000 (20:05 +0100)]
package/ply: needs dynamic library

ply builds and installs a library. Some objects that go in that library
are tagged with a 'section' attribute (excerpt):

    __attribute__((section("providers")))

Later on, it references the bounds of that section, with the canonical
__start and __stop markers, which will eventually be created by the
linker:

    extern struct provider __start_providers;
    extern struct provider __stop_providers;

Sections only exist in an ELF file, and a static library is not an ELF.
So, when creating a static library, the markers are not created. Thus,
when linking the final executable, the link fails because of missing
symbols:

    .../powerpc-buildroot-linux-uclibc/bin/ld: ../libply/.libs/libply.a(libply_la-provider.o): in function `provider_get':
    provider.c:(.text+0xe): undefined reference to `__start_providers'
    .../powerpc-buildroot-linux-uclibc/bin/ld: provider.c:(.text+0x12): undefined reference to `__stop_providers'
    .../powerpc-buildroot-linux-uclibc/bin/ld: provider.c:(.text+0x2a): undefined reference to `__start_providers'
    .../powerpc-buildroot-linux-uclibc/bin/ld: provider.c:(.text+0x32): undefined reference to `__stop_providers'

So, conceptually, ply can not build in static-only.

Fixes:
 - http://autobuild.buildroot.net/results/3a586241d37614b644ff6c4674ae28df2b22fdf8

Signed-off-by: Andreas Klinger <ak@it-klinger.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
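
The section-bounds mechanism described in the package/ply commit above, as an added C example (not ply's source; the provider names, probe functions and the REGISTER_PROVIDER macro are constructed for illustration). It declares the markers as arrays rather than the single objects quoted in the message, and assumes an ELF target linked with GNU ld or a compatible linker.

```c
/* Added illustration, not ply's code: objects tagged with a 'section'
 * attribute are collected by the linker, which synthesizes
 * __start_<name> and __stop_<name> for any section whose name is a
 * valid C identifier. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size and alignment are both 16 bytes, so entries sit back to back in
 * the section; padding between entries would break the pointer walk. */
struct provider {
    const char *name;
    int (*probe)(const char *spec);   /* 1 if this provider handles spec */
} __attribute__((aligned(16)));

/* Hypothetical registration macro: places one provider in "providers".
 * 'used' stops the compiler from dropping the otherwise unreferenced object. */
#define REGISTER_PROVIDER(ident, probe_fn)                       \
    static struct provider provider_##ident                      \
        __attribute__((section("providers"), used)) =            \
        { #ident, probe_fn }

/* Bounds of the section, created by the linker at final link time.
 * Declared as arrays so that walking past the first entry is well formed. */
extern struct provider __start_providers[];
extern struct provider __stop_providers[];

/* Constructed sample providers. */
static int kprobe_probe(const char *spec)
{
    return strncmp(spec, "kprobe:", 7) == 0;
}

static int tracepoint_probe(const char *spec)
{
    return strncmp(spec, "tracepoint:", 11) == 0;
}

REGISTER_PROVIDER(kprobe, kprobe_probe);
REGISTER_PROVIDER(tracepoint, tracepoint_probe);

/* Number of providers the linker gathered into the section. */
size_t provider_count(void)
{
    size_t n = 0;
    const struct provider *p;

    for (p = __start_providers; p < __stop_providers; p++)
        n++;
    return n;
}

/* First provider whose probe accepts spec, or NULL if none does. */
const struct provider *provider_get(const char *spec)
{
    const struct provider *p;

    for (p = __start_providers; p < __stop_providers; p++)
        if (p->probe(spec))
            return p;
    return NULL;
}

int main(void)
{
    const char *specs[] = { "kprobe:do_sys_open", "uprobe:main" };
    size_t i;

    printf("%zu providers registered\n", provider_count());
    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        const struct provider *p = provider_get(specs[i]);
        printf("%s -> %s\n", specs[i], p ? p->name : "(none)");
    }
    return 0;
}
```

If the final link does not provide the two markers, it fails with the same `undefined reference to '__start_providers'` errors quoted in the commit message.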
4 years agopackage/fetchmail: set FETCHMAIL_CPE_ID_VENDOR
Fabrice Fontaine [Fri, 12 Feb 2021 21:45:24 +0000 (22:45 +0100)]
package/fetchmail: set FETCHMAIL_CPE_ID_VENDOR

cpe:2.3:a:fetchmail:fetchmail is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afetchmail%3Afetchmail

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/fail2ban: add FAIL2BAN_CPE_ID_VENDOR
Fabrice Fontaine [Fri, 12 Feb 2021 21:39:02 +0000 (22:39 +0100)]
package/fail2ban: add FAIL2BAN_CPE_ID_VENDOR

cpe:2.3:a:fail2ban:fail2ban is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afail2ban%3Afail2ban

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
4 years agopackage/file: set FILE_CPE_ID_VALID
Fabrice Fontaine [Fri, 12 Feb 2021 21:52:35 +0000 (22:52 +0100)]
package/file: set FILE_CPE_ID_VALID

cpe:2.3:a:file_project:file is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afile_project%3Afile

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/x11vnc: set X11VNC_CPE_ID_VALID
Fabrice Fontaine [Fri, 12 Feb 2021 20:28:36 +0000 (21:28 +0100)]
package/x11vnc: set X11VNC_CPE_ID_VALID

cpe:2.3:a:x11vnc_project:x11vnc is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ax11vnc_project%3Ax11vnc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/axel: set AXEL_CPE_ID_VALID
Fabrice Fontaine [Fri, 12 Feb 2021 20:06:59 +0000 (21:06 +0100)]
package/axel: set AXEL_CPE_ID_VALID

cpe:2.3:a:axel_project:axel is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaxel_project%3Aaxel

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/postgresql: security bump version to 13.2
Bernd Kuhls [Fri, 12 Feb 2021 17:34:16 +0000 (18:34 +0100)]
package/postgresql: security bump version to 13.2

Release notes:
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/

Fixes CVE-2021-3393 & CVE-2021-20229.

Updated license hash due to copyright year bump:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c09f6882d6f78bde26fcc1e1a3da11c274de596a

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agodocs/website: mention Bootlin Buildroot training courses
Thomas Petazzoni [Thu, 11 Feb 2021 15:05:01 +0000 (16:05 +0100)]
docs/website: mention Bootlin Buildroot training courses

Our documentation page already mentions the open-source and freely
available training materials from Bootlin on Buildroot.

It turns out that we now have online training courses accessible to
public registration, which makes them accessible to a wider
audience. It probably makes sense to mention them alongside the
training materials.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agouboot: fix binman with a new dependency
Francois Perrad [Fri, 15 Jan 2021 17:01:56 +0000 (18:01 +0100)]
uboot: fix binman with a new dependency

since 2021.01, tools/binman is broken.
tools/binman/control.py imports pkg_resources
the module pkg_resources is supplied by setuptools,
so this new dependency is required.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/xterm: security bump to version 366
Peter Korsgaard [Thu, 11 Feb 2021 18:09:43 +0000 (19:09 +0100)]
package/xterm: security bump to version 366

Fixes the following security issue:

CVE-2021-27135: xterm through Patch #365 allows remote attackers to cause a
denial of service (segmentation fault) or possibly have unspecified other
impact via a crafted UTF-8 character sequence.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/subversion: security bump to version 1.14.1
Peter Korsgaard [Thu, 11 Feb 2021 14:18:37 +0000 (15:18 +0100)]
package/subversion: security bump to version 1.14.1

Fixes the following security issue:

CVE-2020-17525: Remote unauthenticated denial-of-service in Subversion
mod_authz_svn

Subversion's mod_authz_svn module will crash if the server is using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile option
and a client sends a request for a non-existing repository URL.

For more details, see the advisory:
https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/can-utils: enable build using musl libc
Diego Hurtado de Mendoza [Wed, 10 Feb 2021 09:13:19 +0000 (10:13 +0100)]
package/can-utils: enable build using musl libc

From commit 20fb6d3288f3c9aac7975e505d9a25f21f64bdf9 this package was
disabled for musl because can-utils used the error() glibc extension
at that time.

Since then, can-utils fixed compilation on musl by replacing these
error() calls with err().
https://github.com/linux-can/can-utils/pull/163/commits/791b6de78673f005e9748983231f7260f6b69e99

This commit disables the musl check.

Signed-off-by: Diego Hurtado de Mendoza <diego.hdmp@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/guile: link with libatomic if needed
Fabrice Fontaine [Mon, 8 Feb 2021 06:46:26 +0000 (07:46 +0100)]
package/guile: link with libatomic if needed

Fix build of guile 3.0.4 with Bootlin SPARC uclibc toolchain added with
commit 1348c569d0cb7f67eca30f170b782aa8b51cc259

Fixes:
 - http://autobuild.buildroot.org/results/a72d8e14854f9c6c9632e856019a3eb8ec4818b6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/kodi: remove dependency to libsamplerate
Bernd Kuhls [Wed, 10 Feb 2021 17:40:23 +0000 (18:40 +0100)]
package/kodi: remove dependency to libsamplerate

This package is not needed anymore since 2014:
https://github.com/xbmc/xbmc/commit/e36e4f0e2a46764d0c4341a5caf50cae6f772504

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/protobuf: remove target version of 'protoc'
Thomas De Schampheleire [Thu, 11 Feb 2021 10:40:01 +0000 (11:40 +0100)]
package/protobuf: remove target version of 'protoc'

The tool 'protoc' and its associated library libprotoc.so are only
needed during development, to convert a protocol buffer definition in the
associated code for a specific code language.

Buildroot does not officially support creating a development environment on
target, so remove these files to reduce disk usage by more than 1.5 MB
(stripped, uncompressed).

Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoconfigs/avenger96_defconfig: linux build needs host-openssl
Peter Korsgaard [Thu, 11 Feb 2021 13:23:11 +0000 (14:23 +0100)]
configs/avenger96_defconfig: linux build needs host-openssl

Fixes the gitlab build:
https://gitlab.com/buildroot.org/buildroot/-/jobs/1019385566/

  HOSTCC  scripts/extract-cert
scripts/extract-cert.c:21:25: fatal error: openssl/bio.h: No such file or directory

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/kodi-inputstream-adaptive: update project URL
Bernd Kuhls [Thu, 11 Feb 2021 19:43:56 +0000 (20:43 +0100)]
package/kodi-inputstream-adaptive: update project URL

Reference: https://github.com/xbmc/repo-binary-addons/pull/143

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/netopeer2: cleanup shm files after installation
Heiko Thiery [Sat, 6 Feb 2021 10:57:35 +0000 (11:57 +0100)]
package/netopeer2: cleanup shm files after installation

On install step the host tool sysrepoctl is used to install some YANG
modules. Unfortunately sysrepoctl creates some files in /dev/shm folder and
does not cleanup afterwards. These files can be incompatible depending on
the used sysrepo version. This causes autobuilder failures when updating
the package [1].

To make sure we can remove these leftovers of sysrepoctl we specify a
build specific SYSREPO_SHM_PREFIX. With this the files can be deleted safely
after installation is completed. This also ensures that concurrent
parallel builds will not be affected mutually.

The prefix must be unique between concurrent builds, so we use the build
directory ($(CONFIG_DIR)) to discriminate builds. It must also be unique
between top-level parallel package builds, so we also use the name of
the current package to discriminate.

Fixes:
 [1] http://autobuild.buildroot.net/results/6e559c4f98b7ed93d7b5af638264e907492a6532/

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Co-Developed-by: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr:
  - also use the package name as discriminant
  - expand commit log accordingly
  - rename the variable to start with the package name
  - explain why we clean up before as well
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/netopeer2: add dependency to host-sysrepo
Heiko Thiery [Sat, 6 Feb 2021 10:57:37 +0000 (11:57 +0100)]
package/netopeer2: add dependency to host-sysrepo

The sysrepoctl executable from the host-sysrepo package is used to
install YANG modules during installation. So add the dependency here.
Also make sure we use this executable by setting the make environment
variable SYSREPOCTL_EXECUTABLE. Otherwise a system-wide installed
sysrepoctl would be used, which is not what we want.

Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/docker-cli: bump to version 20.10.3
Christian Stewart [Wed, 10 Feb 2021 23:52:03 +0000 (15:52 -0800)]
package/docker-cli: bump to version 20.10.3

Client fixes:

 - Check contexts before importing them to reduce risk of extracted files escaping context store

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/docker-engine: security bump to version 20.10.3
Christian Stewart [Wed, 10 Feb 2021 23:52:02 +0000 (15:52 -0800)]
package/docker-engine: security bump to version 20.10.3

Security fixes:

 - CVE-2021-21285 Prevent an invalid image from crashing docker daemon
 - CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state
 - Ensure AppArmor and SELinux profiles are applied when building with BuildKit

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agopackage/go: bump to version 1.15.8
Christian Stewart [Wed, 10 Feb 2021 23:25:46 +0000 (15:25 -0800)]
package/go: bump to version 1.15.8

go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package.

https://golang.org/doc/go1.15

Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years agoutils/getdeveloperlib.py: reduce Cc: list based on package infras
Thomas Petazzoni [Wed, 10 Feb 2021 08:01:35 +0000 (09:01 +0100)]
utils/getdeveloperlib.py: reduce Cc: list based on package infras

When a developer has package/pkg-<infra>.mk assigned to him/her in the
DEVELOPERS file, this has 3 implications:

 (1) Patches adding new packages using this infrastructure are Cc'ed
     to this developer. This is done by the analyze_patch() function,
     which matches the regexp r"^\+\$\(eval
     \$\((host-)?([^-]*)-package\)\)$" in the patch, i.e where an
     added line contains a reference to the infra maintained by the
     developer.

 (2) Patches touching the package/pkg-<infra>.mk file itself are Cc'ed
     to this developer.

 (3) Any patch touching a package using this infra is also Cc'ed to
     this developer.

Point (3) causes a significant amount of patches to be sent to
developers who have package/pkg-generic.mk and
package/pkg-autotools.mk assigned to them in the DEVELOPERS
file. Basically, all patches touching generic or autotools packages
get CC'ed to such developers, which causes a massive amount of patches
to be received.

So this patch adjusts the getdeveloperlib.py to drop point (3), but
preserves point (1) and (2). Indeed, it makes sense to be Cc'ed on new
package additions (to make a review that they use the package
infrastructure correctly), and it makes sense to be Cc'ed on patches
that touch the infrastructure code itself.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
4 years agopackage/ngircd: add NGIRCD_CPE_ID_VENDOR
Fabrice Fontaine [Tue, 9 Feb 2021 20:39:12 +0000 (21:39 +0100)]
package/ngircd: add NGIRCD_CPE_ID_VENDOR

cpe:2.3:a:barton:ngircd is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Abarton%3Angircd

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/shadowsocks-libev: add SHADOWSOCKS_LIBEV_CPE_ID_VENDOR
Fabrice Fontaine [Sun, 7 Feb 2021 13:58:21 +0000 (14:58 +0100)]
package/shadowsocks-libev: add SHADOWSOCKS_LIBEV_CPE_ID_VENDOR

cpe:2.3:a:shadowsocks:shadowsocks-libev is a valid CPE identifier for
this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ashadowsocks%3Ashadowsocks-libev

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/tinydtls: add TINYDTLS_CPE_ID_VENDOR
Fabrice Fontaine [Tue, 9 Feb 2021 20:42:36 +0000 (21:42 +0100)]
package/tinydtls: add TINYDTLS_CPE_ID_VENDOR

cpe:2.3:a:eclipse:tinydtls is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aeclipse%3Atinydtls

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/upx: set UPX_CPE_ID_VALID
Fabrice Fontaine [Tue, 9 Feb 2021 20:45:53 +0000 (21:45 +0100)]
package/upx: set UPX_CPE_ID_VALID

cpe:2.3:a:upx_project:upx is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aupx_project%3Aupx

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/matio: set MATIO_CPE_ID_VALID
Fabrice Fontaine [Tue, 9 Feb 2021 20:58:45 +0000 (21:58 +0100)]
package/matio: set MATIO_CPE_ID_VALID

cpe:2.3:a:matio_project:matio is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Amatio_project%3Amatio

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
4 years ago package/libvncserver: set LIBVNCSERVER_CPE_ID_VALID
Fabrice Fontaine [Tue, 9 Feb 2021 20:28:45 +0000 (21:28 +0100)]
package/libvncserver: set LIBVNCSERVER_CPE_ID_VALID

cpe:2.3:a:libvncserver_project:libvncserver is a valid CPE identifier
for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alibvncserver_project%3Alibvncserver

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>