git.libre-soc.org Git - buildroot.git/log

package/trace-cmd: bump to version 2.9.5

Update to version 2.9.5 and remove local patches that have been upstreamed.

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/trace-cmd: fix build for Sparc64

Trace-cmd needs -fPIC for Sparc64 platform otherwise it fails on linking,
so add -fPIC to CFLAGS when building for such platform.

Fixes;
http://autobuild.buildroot.net/results/c59/c596f6308b7f4d44d9ba009ed0c395396fc72f47/

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libxkbcommon: change homepage/download url to https

- change homepage url to https (and remove trailing slash)
- change download url to https

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/grpc: bump version to 1.40

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/minicom: drop autoreconf

autoreconf (and so AM_ICONV) is not needed since commit
2df32e0d4437b422175089edf1917219656fccef

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/dovecot: drop host-gettext

AM_ICONV is not needed since drop of autoreconf in commit
03fbb81b8bab7bad135b59267533be7688babe39

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/fio: bump to version 3.28

This will fix the following build failure with kernel >= 5.14 thanks to
https://github.com/axboe/fio/commit/382975557e632efb506836bc1709789e615c9094:

In file included from crc/../os/os.h:39,
                 from crc/crc32c-arm64.c:2:
crc/../os/os-linux.h:17:10: fatal error: linux/raw.h: No such file or directory
   17 | #include <linux/raw.h>
      |          ^~~~~~~~~~~~~

Fixes:
- http://autobuild.buildroot.org/results/d85c044263c76ff7ef0fe47921d893a472954da9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libyang: security bump to version 1.0.240

Fixes the following security issues:

- CVE-2021-28902: In function read_yin_container() in libyang <= v1.0.225,
  it doesn't check whether the value of retval->ext[r] is NULL.  In some
  cases, it can be NULL, which leads to the operation of
  retval->ext[r]->flags that results in a crash.

- CVE-2021-28903: A stack overflow in libyang <= v1.0.225 can cause a denial
  of service through function lyxml_parse_mem().  lyxml_parse_elem()
  function will be called recursively, which will consume stack space and
  lead to crash.

- CVE-2021-28904: In function ext_get_plugin() in libyang <= v1.0.225, it
  doesn't check whether the value of revision is NULL.  If revision is NULL,
  the operation of strcmp(revision, ext_plugins[u].revision) will lead to a
  crash.

- CVE-2021-28905: In function lys_node_free() in libyang <= v1.0.225, it
  asserts that the value of node->module can't be NULL.  But in some cases,
  node->module can be null, which triggers a reachable assertion (CWE-617).

- CVE-2021-28906: In function read_yin_leaf() in libyang <= v1.0.225, it
  doesn't check whether the value of retval->ext[r] is NULL.  In some cases,
  it can be NULL, which leads to the operation of retval->ext[r]->flags that
  results in a crash.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/fetchmail: security bump to version 6.4.22

Fixes the following security issues:

- CVE-2021-39272: Fetchmail before 6.4.22 fails to enforce STARTTLS session
  encryption in some circumstances, such as a certain situation with IMAP
  and PREAUTH.
  https://www.fetchmail.info/fetchmail-SA-2021-02.txt

Update COPYING hash for a clarification of the license situation with
openssl 3.x (which is Apache 2.0 licensed):

https://gitlab.com/fetchmail/fetchmail/-/commit/8eed56c21ca5bbdf3c00aaf74d807bcad8713ba9

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libinput: bump version to 1.19.0

- add new optional wayland, wayland-protocoll and libx11 dependencies
in case the debug gui is enabled (libgtk3 available)

For details see [1], [2].

[1] https://lists.freedesktop.org/archives/wayland-devel/2021-September/041971.html
[2] https://lists.freedesktop.org/archives/wayland-devel/2021-September/041977.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libxkbcommon: bump version to 1.3.1

For details (since 1.1.0) see [1]

[1] https://lists.freedesktop.org/archives/wayland-devel/2021-April/041762.html
[2] https://lists.freedesktop.org/archives/wayland-devel/2021-May/041816.html
[3] https://lists.freedesktop.org/archives/wayland-devel/2021-September/041976.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/iwd: bump version to 1.17

- Changelog (since 1.14, from [1]):

  ver 1.17:
    Fix issue with sending additional and vendor IEs.
    Fix issue with IE ordering for 802.11-2020 support.
    Fix issue with frequency update on channel switch events.
    Fix issue with drivers and handling of IF_OPER_UP setting.

  ver 1.16:
    Fix issue with writing provisioning files with a passphrase.
    Add support for Authenticator & Supplicant RSN Extension elements.
    Add support for handling Transition Disable info.
    Add support for SAE Hash-to-Element feature.

  ver 1.15:
    Add support for FT-over-DS procedure with multiple BSS.
    Add support for estimation of VHT RX data rate.
    Add support for exporting Daemon information.

[1] https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/ChangeLog

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/openresolv: bump version to 3.12.0

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/ell: bump version to 0.43

- Changelog (since 0.41, from [1]):

  ver 0.43:
    Add support for DHCP Rapid Commit feature.
    Add support for DHCP authoritative mode feature.

  ver 0.42:
    Add support for constant time security functions.
    Add support for manipulating DHCP leases.

[1] https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ChangeLog

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/feh: bump version to 3.7.1

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/botan: fix boost dependency

only build --with-boost when both required modules (filesystem and system) are
also selected.

Fixes:
http://autobuild.buildroot.net/results/4fbf2a63f9ddfbc540ce7dabd10964b311477c06

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/apitrace: fix build with glibc >= 2.34

Fix the following build failure with glibc >= 2.34:

/tmp/instance-0/output-1/host/lib/gcc/s390x-buildroot-linux-gnu/10.3.0/../../../../s390x-buildroot-linux-gnu/bin/ld: CMakeFiles/egltrace.dir/dlsym.cpp.o: in function `dlsym':
dlsym.cpp:(.text+0x34): undefined reference to `__libc_dlopen_mode'
/tmp/instance-0/output-1/host/lib/gcc/s390x-buildroot-linux-gnu/10.3.0/../../../../s390x-buildroot-linux-gnu/bin/ld: dlsym.cpp:(.text+0x46): undefined reference to `__libc_dlsym'

Fixes:
- http://autobuild.buildroot.org/results/ac5e5b1e30249ae0fb8b9179338b47c60c026bcc

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/pv: bump to version 1.6.20

- Drop patch (already in version)
- Update indentation in hash file (two spaces)

https://github.com/a-j-wood/pv/releases/tag/v1.6.19
https://github.com/a-j-wood/pv/releases/tag/v1.6.20

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/erlang: ignore Windows specific CVE-2021-29221

CVE-2021-29221 is a Windows specific issue:

A local privilege escalation vulnerability was discovered in Erlang/OTP
prior to version 23.2.3. By adding files to an existing installation's
directory, a local attacker could hijack accounts of other users running
Erlang programs or possibly coerce a service running with "erlsrv.exe" to
execute arbitrary code as Local System. This can occur only under specific
conditions on Windows with unsafe filesystem permissions.

So ignore it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/botan: add upstream security fix for CVE-2021-40529

Fixes the following security issue:

- CVE-2021-40529: The ElGamal implementation in Botan through 2.18.1, as
  used in Thunderbird and other products, allows plaintext recovery because,
  during interaction between two cryptographic libraries, a certain
  dangerous combination of the prime defined by the receiver's public key,
  the generator defined by the receiver's public key, and the sender's
  ephemeral exponents can lead to a cross-configuration attack against
  OpenPGP

For more details, see the upstream bug and issue writeup:
- https://github.com/randombit/botan/pull/2790
- https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/nodejs: security bump to version 12.22.6

Fixes the following security issues:

- CVE-2021-37701: Arbitrary File Creation/Overwrite via insufficient symlink
  protection due to directory cache poisoning using symbolic links

- CVE-2021-37712: Arbitrary File Creation/Overwrite via insufficient symlink
  protection due to directory cache poisoning using symbolic links

- CVE-2021-37713: Arbitrary File Creation/Overwrite on Windows via
  insufficient relative path sanitization

- CVE-2021-39134: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist

- CVE-2021-39135: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-interpipe: bump version to 1.1.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-python: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst-omx: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gstreamer1-editing-services: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-rtsp-server: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-vaapi: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-libav: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-devtools: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-plugins-ugly: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-plugins-bad: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-plugins-good: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gst1-plugins-base: bump version to 1.18.5

- delete 0002-gstgl-Fix-build-when-Meson-0.58.0rc1.patch
(from upstream [1])

[1] https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/commit/90903917a8185e0f9add7af8153ae2fc9875fdcb

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gstreamer1: bump version to 1.18.5

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/glmark2: bumped to latest version

Fixes a segfault happening on Raspberry Pi4 on the fourth test

Signed-off-by: David Corbeil <david.corbeil@dynonavionics.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/imlib2: bump version to 1.7.3

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/links: bump version to 2.24

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libqmi: bump version to 1.30.2

Drop patch from this release.

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/bind: bump version to 9.11.35

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/wayland-protocols: bump version to 1.23

- convert to meson (as no configure script is provided, alternative
would be to enable autoreconf)
- disable tests

For details (since 1.21) see [1], [2].

[1] https://lists.freedesktop.org/archives/wayland-devel/2021-September/041972.html
[2] https://lists.freedesktop.org/archives/wayland-devel/2021-September/041979.html

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/lxc: bump to version 4.0.10

https://discuss.linuxcontainers.org/t/lxc-4-0-10-has-been-released/11618
https://discuss.linuxcontainers.org/t/lxc-4-0-9-lts-has-been-released/10999

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/gerbera: bump to version 1.9.1

https://github.com/gerbera/gerbera/blob/v1.9.1/ChangeLog.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/runc: bump to version 1.0.2

https://github.com/opencontainers/runc/releases/tag/v1.0.2
https://github.com/opencontainers/runc/releases/tag/v1.0.1
https://github.com/opencontainers/runc/releases/tag/v1.0.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/bison: bump version to 3.8.1

For details see [1] and [2].

[1] https://lists.gnu.org/archive/html/info-gnu/2021-09/msg00006.html
[2] https://fossies.org/linux/bison/ChangeLog

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libxcrypt: bump to version 4.4.26

This bump contains a single change to fix the following build failure
with Microblaze raised since bump to version 4.4.25 in commit
a071bec0a0cd928443223132d47564c90bc64713:

lib/crypt-gensalt-static.c:33:1: error: symver is only supported on ELF platforms
33 | SYMVER_crypt_gensalt;
| ^~~~~~~~~~~~~~~~~~~~

Update hash of LICENSING due to new file being added with
https://github.com/besser82/libxcrypt/commit/4ab5f672eb6fb43c9bd83060ef48f90decd4989c

https://github.com/besser82/libxcrypt/blob/v4.4.26/NEWS

Fixes:
- http://autobuild.buildroot.org/results/4766bfce9813b7f321369ec45298d16cd6dc251a

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/seatd: bump to version 0.6.2

Update seatd to version 0.6.2, which makes the patches unnecessary (they
have all been integrated in 0.6.0) and fixes a number of bugs. Some
Meson build options have been renamed, so the build recipe is updated
accordingly, too.

Release notes:

  https://git.sr.ht/~kennylevinsen/seatd/refs/0.6.0
  https://git.sr.ht/~kennylevinsen/seatd/refs/0.6.1
  https://git.sr.ht/~kennylevinsen/seatd/refs/0.6.2

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/containerd: security bump to version 1.4.9

- Fix CVE-2021-32760:
https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w
- Update indentation in hash file (two spaces)

https://github.com/containerd/containerd/releases/tag/v1.4.9
https://github.com/containerd/containerd/releases/tag/v1.4.8
https://github.com/containerd/containerd/releases/tag/v1.4.7
https://github.com/containerd/containerd/releases/tag/v1.4.6
https://github.com/containerd/containerd/releases/tag/v1.4.5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libiio: fix compile without thread support

- fix compile without thread support (add configure option
  '-DNO_THREADS=ON' as requested)

Fixes:

  - http://autobuild.buildroot.net/results/2cca5952e7d677cd0d5fa97aa1a7bf3e722df3a2

  CMake Error at CMakeLists.txt:409 (message):
    Unable to find pthread dependency.

    If you want to disable multi-threading support, set NO_THREADS=ON.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libvirt: security bump to version 7.7.0

- storage: Unlock pool objects on ACL check failures in
  storagePoolLookupByTargetPath (CVE-2021-3667)

  A logic bug in storagePoolLookupByTargetPath where the storage pool
  object was left locked after a failure of the ACL check could
  potentially deprive legitimate users access to a storage pool object
  by users who don't have access.

- svirt: fix MCS label generation (CVE-2021-3631)

  A flaw in the way MCS labels were generated could result in a VM's
  resource not being fully protected from access by another VM were
  it to be compromised. https://gitlab.com/libvirt/libvirt/-/issues/153

- Disable Cloud-Hypervisor driver added by
  https://gitlab.com/libvirt/libvirt/-/commit/56fbabf1a1e272c6cc50adcb603996cf8e94ad08

- Update indentation in hash file (two spaces)

https://gitlab.com/libvirt/libvirt/-/blob/v7.7.0/NEWS.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libvirt: add libnl optional dependency

libnl is an optional dependency (which is enabled by default) since the
addition of the package in commit
ccfc90e1010e42e6529afae3a5ea8bf7226dabc1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libvirt: disable docs and tests

Disable docs and tests which are enabled since the addition of the
package in commit ccfc90e1010e42e6529afae3a5ea8bf7226dabc1

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/openjdk{-bin}: bump versions to 11.0.12+7 and 16.0.2+7

As the github repository has changed from github.com/AdoptOpenJDK/ to
github.com/adoptium, both versions are updated in the same patch.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/qt5location: fix musl compile (pthread_getname_np)

- pthread_getname_np not available with musl libc, add patch to disable
  usage for musl (patch inspired/ported from [1])

Fixes:

  - http://autobuild.buildroot.net/results/ed372a4a8e50d9e20be589eeda40c92888d709bc

  platform/default/thread.cpp: In function ‘std::string mbgl::platform::getCurrentThreadName()’:
  platform/default/thread.cpp:14:5: error: ‘pthread_getname_np’ was not declared in this scope; did you mean ‘pthread_setname_np’?
     14 |     pthread_getname_np(pthread_self(), name, sizeof(name));
        |     ^~~~~~~~~~~~~~~~~~
        |     pthread_setname_np

    [1] https://github.com/void-linux/void-packages/blob/e64dd67f43c409d2b2db08214084e842d92ad620/srcpkgs/qt5/patches/0014-musl-set_thread_name_np.patch

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: add uClibc]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

board/freescale: add support for Image.gz to post-image

For the i.MX8 often an Image.gz is built. With these changes, if
BR2_LINUX_KERNEL_IMAGEGZ=y, the correct Image.gz file is now put into
the generated image instead of falling back to the non-existent zImage.

Signed-off-by: Hanspeter Portner <dev@open-music-kontrollers.ch>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libkrb5: fix CVE-2021-37750

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before
1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in
kdc/do_tgs_req.c via a FAST inner body that lacks a server field.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/apache: security bump to version 2.4.49

Fix CVE-2021-33193: A crafted method sent through HTTP/2 will bypass
validation and be forwarded by mod_proxy, which can lead to request
splitting or cache poisoning. This issue affects Apache HTTP Server
2.4.17 to 2.4.48.

https://github.com/apache/httpd/blob/2.4.49/CHANGES

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

boot/barebox: bump version to 2021.08.0

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/kodi: fix selection of dependencies

Commit 148e695e3756 (package/kodi: bump version to 19.0-Matrix) extended
the set of required libraries for various "platform" backends, by
selecting those libraries from the blind options. For example, we have:

    config BR2_PACKAGE_KODI_PLATFORM_SUPPORTS_GBM
        bool
        default y
        depends on [...]
        select BR2_PACKAGE_LIBINPUT
        [...]

However, that option is true as soon as the requirements are met (the
depends on), even when Kodi itself is not enabled.

This means that extra libraries are pulled in to the build, even when
not required.

We fix that by moving the actual selects to the main symbol, along with
the proper conditions. This means that we have two lines that select
libxbcommon, under two different conditions; we could make that a single
select, but the codition would need to be on two lines anyway, so meh...

This is not an ideal solution, because it is a bit ugly, but:
1) adding three new blind options just for the select is kinda extreme
    and superfluous;
2) our Kodi packaging is already a bit ugly anyway.

Fixes: #14206
Reported-by: Thomas Ruschival <t.ruschival@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>

fs/iso9660: switch from cdrkit to xorriso to build ISO9660 images

In order to add support for EFI-compatible ISO9660 images in future
patches, this commit switch the ISO9660 logic to use xorriso instead of
cdrkit. Indeed the genimageiso tool from cdrkit doesn't have the
--efi-boot option needed to generate an image compatible with EFI BIOS.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[yann.morin.1998@free.fr: drop superfluous tool name from variable]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/xorriso: build host variant with zlib support

We will soon use xorriso in the ISO9660 image generation support, and
this requires having zlib support in host-xorriso.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

docs/website: update for 2021.02.5

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Update for 2021.02.5

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 767a2da72fc1690fde33b665851f20492ba5cd75)
[Peter: drop Makefile change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

docs/website: update for 2021.05.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Update for 2021.05.2

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3466797cedb15097924bf207774d11a79d03a9ac)
[Peter: drop Makefile change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/m4: bump to version 1.4.19

Remove upstream patches.

COPYING hash changed because the URLs were converted to https.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/libressl: bump to version 3.3.4

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/perl-type-tiny: bump to version 1.012004

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/perl-libwww-perl: bump to version 6.56

License hash changed due to removal of EOL whitespace and spelling
fixes.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/perl-io-socket-ssl: bump to version 2.072

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/polkit: drop dbus build dependency

Drop dbus build dependency to avoid the following build failure since
commit 1db13226394ff7e6f5e7ca643e275f35d6c633bb if systemd-polkit is
enabled:

package/dbus/dbus.mk:124: *** Recursive variable 'DBUS_FINAL_RECURSIVE_DEPENDENCIES' references itself (eventually). Stop.

Fixes:
- http://autobuild.buildroot.org/results/0e038fae0f5fc2db3e85be05db4612e4f2395e35

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libexif: fix build with gcc 4.8

Fix the following build failure with gcc 4.8 raised since bump to
version 0.6.23 in commit e2f805097611b4828d2cba6168472aac6dedeafe:

exif-gps-ifd.c: In function 'exif_get_gps_tag_info':
exif-gps-ifd.c:62:3: error: 'for' loop initial declarations are only allowed in C99 mode
for (int i = 0; i < sizeof(exif_gps_ifd_tags) / sizeof(ExifGPSIfdTagInfo); ++i) {
^
exif-gps-ifd.c:62:3: note: use option -std=c99 or -std=gnu99 to compile your code

Fixes:
- http://autobuild.buildroot.org/results/7dd222e06d1e6611449fb8fe7516817c9ad43d65

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/x11r7/xapp_xeyes: add xlib_libXi mandatory dependency

Build fails since commit c47ebe7aeb70015614ff1d477dc1a71e8c161425
because xlib_libXi is a mandatory dependency since version 1.2.0 and
https://gitlab.freedesktop.org/xorg/app/xeyes/-/commit/420c2d8517246c9e422739cadb7acb29e35a3bed:

configure: error: Package requirements (xi >= 1.7 x11 xt xext xmu xproto >= 7.0.17) were not met:

Package 'xi', required by 'virtual:world', not found

Fixes:
- http://autobuild.buildroot.org/results/896f45fb9eadcd235aeab096db479ee0aa5d0860

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: split multi-line dependency]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/x11r7/xapp_xeyes: xrender is optional, not mandatory

xrender is optional, not mandatory since its addition in version 1.0.99:
https://gitlab.freedesktop.org/xorg/app/xeyes/-/commit/5e825a140f4022b88dd7a1a20a9a01b653f1a95c

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

boot/uboot: fix hook to copy imx firmware files

Simplification has broken it. Fix it again.

Fixes: af99e7a5f3863049 ("boot/uboot: copy IMX firmware files to uboot package dir")
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/libmaxminddb: bump to version 1.6.0

https://github.com/maxmind/libmaxminddb/releases/tag/1.6.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/pcre: fix license hash

Commit 0e5a901d3141a3d7e477f0fb79e8f6a748f06449 forgot to update license
hash (updates in year and email)

Fixes:
- http://autobuild.buildroot.org/results/045cd98a4067f1314deb66f52240d2db2000ec4d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/fdk-aac: bump to version 2.0.2

Update indentation in hash file (two spaces)

https://github.com/mstorsjo/fdk-aac/releases/tag/v2.0.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/python-pillow: security bump to version 8.3.2

- Fix CVE-2021-23437 Raise ValueError if color specifier is too long
- Fix 6-byte OOB read in FliDecode
- Update indentation in hash file (two spaces)

https://github.com/python-pillow/Pillow/releases/tag/8.3.2

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/gd: security bump to version 2.3.3

- Fix CVE-2021-40145: ** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD
  Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE:
  the vendor's position is "The GD2 image format is a proprietary image
  format of libgd. It has to be regarded as being obsolete, and should
  only be used for development and testing purposes."
- Drop patch (already in version)
- Update hash of COPYING (duplicate merged and title added with
  https://github.com/libgd/libgd/commit/82d260950589563a1af9c56f4ce5fde843a695ae
  https://github.com/libgd/libgd/commit/6013c7bcf6eb795dba584f92d3824ebd3ae60202)

https://github.com/libgd/libgd/releases/tag/gd-2.3.3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/pcre: bump to version 8.45

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/luaposix: bump to version 35.1

diff LICENSE:
-Copyright (C) 2006-2020 luaposix authors
+Copyright (C) 2006-2021 luaposix authors

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/{mesa3d, mesa3d-headers}: bump version to 21.1.8

Release notes:
https://lists.freedesktop.org/archives/mesa-announce/2021-September/000644.html

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/fluidsynth: bump to version 2.2.3

For change log since v2.2.2, see:
- https://github.com/FluidSynth/fluidsynth/releases/tag/v2.2.3

./utils/test-pkg --package fluidsynth
6 builds, 2 skipped, 0 build failed, 0 legal-info failed

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libxcrypt: security bump to version 4.4.25

- Fix several issues found by Covscan in the testsuite. These include:
  - CWE-170: String not null terminated (STRING_NULL)
  - CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST)
  - CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
  - CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH)
  - CWE-573: Missing varargs init or cleanup (VARARGS)
  - CWE-687: Argument cannot be negative (NEGATIVE_RETURNS)
- Update hash of LICENSING due to files being updated with:
  https://github.com/besser82/libxcrypt/commit/44e9eb57b462cfbaeb085cea0e308511565f4a12
  https://github.com/besser82/libxcrypt/commit/578271c3776a442fa55ac5f5ea83c7dc83ede979

https://github.com/besser82/libxcrypt/blob/v4.4.25/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/stress-ng: bump to version 0.13.1

This will fix the following build failure with glibc >= 2.34 thanks to
https://github.com/ColinIanKing/stress-ng/commit/7c4f74761089177127c2cfe6685b7886aa231885

core-helper.c: In function 'stress_sighandler':
core-helper.c:1340:31: error: storage size of 'stack' isn't constant
1340 | static uint8_t MLOCKED_DATA stack[SIGSTKSZ + STACK_ALIGNMENT];
| ^~~~~

https://github.com/ColinIanKing/stress-ng/blob/V0.13.01/debian/changelog

Fixes:
- http://autobuild.buildroot.org/results/3c2d624d1af776162978a6a72343bc04448d2885

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/botan: bump to version 2.18.1

Drop patches (already in version)

https://github.com/randombit/botan/blob/2.18.1/news.rst

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libssh2: bump to version 1.10.0

- Drop patches (already in version) and so autoreconf
- Update hash of COPYING due to updates in year and authors with
  https://github.com/libssh2/libssh2/commit/53ff2e6da450ac1801704b35b3360c9488161342
  https://github.com/libssh2/libssh2/commit/c998f79384116e9f6633cb69c2731c60d3a442bb
  https://github.com/libssh2/libssh2/commit/635caa90787220ac3773c1d5ba11f1236c22eae8
- Update indentation in hash file (two spaces)

https://www.libssh2.org/changes.html#1.10.0

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/vim: security bump to version 8.2.3432

- Fix CVE-2021-3770: vim is vulnerable to Heap-based Buffer Overflow
- Update hash of README.txt due to changes not related to license:
https://github.com/vim/vim/commit/f2a44e5c48b029666ded556e2ab052dfc1266d62
https://github.com/vim/vim/commit/89a9c159f23fb7b3e24e6d09068adfc24a73afcb

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libssh: security bump to version 0.9.6

Fix CVE-2021-3634: A flaw has been found in libssh in versions prior to
0.9.6. The SSH protocol keeps track of two shared secrets during the
lifetime of the session. One of them is called secret_hash and the other
session_id. Initially, both of them are the same, but after key
re-exchange, previous session_id is kept and used as an input to new
secret_hash. Historically, both of these buffers had shared length
variable, which worked as long as these buffers were same. But the key
re-exchange operation can also change the key exchange method, which can
be based on hash of different size, eventually creating "secret_hash" of
different size than the session_id has. This becomes an issue when the
session_id memory is zeroed or when it is used again during second key
re-exchange.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/libexif: security bump to version 0.6.23

- Drop patches (already in version)
- Fix some more denial of service (compute time or stack exhaustion)
counter-measures added that avoid minutes of decoding time with
malformed files found by OSS-Fuzz

https://github.com/libexif/libexif/releases/tag/v0.6.23

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

package/protobuf: update github url

protobuf moved from the google org to protocolbuffers in 2018.
There is a redirect but we should use the official url.

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/bluez5_utils: fix build

pause() is defined in glibc since the very early times; it appears in
upstream commit 28f540f45bba (initial import) in 1995 [0].

Bluez has been defining a function named pause() for ages too, since
comit caab74c97542 (media: Implement new callbacks for pass-through
operations) in 2013 [1]

With the recent bump to glibc 2.34.xxx, the build now fails because the
two pause() clash:

    profiles/audio/media.c:1284:13: error: conflicting types for 'pause'
     1284 | static bool pause(void *user_data)
          |             ^~~~~
    In file included from /tmp/instance-0/output-1/per-package/bluez5_utils/host/s390x-buildroot-linux-gnu/sysroot/usr/include/bits/sigstksz.h:24,
                     from /tmp/instance-0/output-1/per-package/bluez5_utils/host/s390x-buildroot-linux-gnu/sysroot/usr/include/signal.h:328,
                     from /tmp/instance-0/output-1/per-package/bluez5_utils/host/bin/../s390x-buildroot-linux-gnu/sysroot/usr/include/glib-2.0/glib/gbacktrace.h:36,
                     from /tmp/instance-0/output-1/per-package/bluez5_utils/host/bin/../s390x-buildroot-linux-gnu/sysroot/usr/include/glib-2.0/glib.h:34,
                     from profiles/audio/media.c:21:
    /tmp/instance-0/output-1/per-package/bluez5_utils/host/s390x-buildroot-linux-gnu/sysroot/usr/include/unistd.h:489:12: note: previous declaration of 'pause' was here
      489 | extern int pause (void);
          |            ^~~~~

The culprit is indeed glibc 2.34, as can be seen in this result matrix:

         \   bluez5_utils
    glibc \  5.60  |  5.61
    -------\-------+--------
    2.33   |  OK   |   OK
    -------+-------+--------
    2.34   |  KO   |   KO

Even though we first bumped to glibc 2.34, then to blues5_utils 5.61,
we did not notice build issues with bluez5_utils 5.60 because the two
bumps were too close to each other for the failure to trigger in the
autobuilders.

The underlying reason that pause() is now causing issues with glibc 2.34
is not obvious: glibc is a big beast, and finding such issues is not
easy. However, we can see that the pause() provided by NPTL has been
dropped in favour of the generic one, so maybe this is causing symbol
visibility or weakness to change or something...

We fix that by renaming the local pause() in bluez5_utils with a
namespace-prefix, like some other functions there already have.

Fixes:
  - http://autobuild.buildroot.org/results/c4f/c4fbface34be8815838fd7201621d7a8fddd32c5/
  - http://autobuild.buildroot.org/results/62b/62b88740f19fbe4a1ad7959dc141d539eb88c1f8/

[0] https://sourceware.org/git/?p=glibc.git;a=commit;h=28f540f45bbacd939bfd07f213bcad2bf730b1bf
[1] https://github.com/bluez/bluez/commit/caab74c97542a56b591f0b16b44ab6ba4b40f0f5

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: extend commit log with the glibc culprit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/boost: anotate patches

* add changelog and Signed-off-by to patches
* use correct name for patch 0002

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/bluez-tools: bump to version f65321736475429316f07ee94ec0deac8e46ec4a

Minor fixes:
- build with gcc 10 (drop patch)
- correct the signal handler registration bt-agent

Other changes:
- remove incorrectly handled error argument from device_* calls
- add UUID for SIMAccess

Signed-off-by: Jan Havran <havran.jan@email.cz>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/uhd: needs boost math

Lots of uhd components (e.g. examples, USRP1, USRP2) needs boost math
(i.e. https://github.com/EttusResearch/uhd/search?q=boost%3A%3Amath)
resulting in build failures since commit
c577eac16eaae515973faf3013da197516bfd391

Fixes:
- http://autobuild.buildroot.org/results/70f6db101c9d35cdd88da602a863ddf35706fd7d
- http://autobuild.buildroot.org/results/5b28591b4c4a7ae4cc6d428c42d96db138ef3ee7

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/pulseaudio: needs xdg SELinux module

xdg is needed (and can't be make optional as it is unconditionally used
in pulseaudio.fc) to fix the following build failure raised since commit
bf44a11cf67fde4ba96928a2a4196103b7ec4ef3:

Compiling targeted policy.33
env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
policy/modules/apps/pulseaudio.te:44:ERROR 'attribute xdg_config_type is not declared' at token ';' on line 317285:
#line 44
typeattribute pulseaudio_xdg_config_t xdg_config_type;
checkpolicy: error(s) encountered while parsing configuration
make[1]: *** [Rules.monolithic:79: policy.33] Error 1

Fixes:
- http://autobuild.buildroot.org/results/818219c0f722080d9f6ef778fdc50e34dd4187ab

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

package/rwmem: needs wchar

rwmmem needs wchar because of fmt dependency since its addition in
commit 51a282bcb8dfc26d3a27723383c5a1767653a19d

Fixes:
- http://autobuild.buildroot.org/results/1c06c27d70aae8bdb39ae43fbe74896e536293c6

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

boot/uboot: fix check-package

Fix check-package issues introduced with commit af99e7a5f386
(boot/uboot: copy IMX firmware files to uboot package dir).

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/pipewire: add option to build examples

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>

package/pipewire: bump to version 0.3.35

Update download to use official gitlab source url.

Drop patches that are now upstream.

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>