Titouan Christophe [Tue, 2 Mar 2021 08:12:41 +0000 (09:12 +0100)]
package/redis: security bump to v6.0.12
From the release notes:
(https://github.com/redis/redis/blob/6.0.12/00-RELEASENOTES)
================================================================================
Redis 6.0.11 Released Mon Feb 22 16:13:23 IST 2021
================================================================================
Upgrade urgency: SECURITY if you use 32bit build of redis (see bellow), LOW
otherwise.
Integer overflow on 32-bit systems (CVE-2021-21309):
Redis 4.0 or newer uses a configurable limit for the maximum supported bulk
input size. By default, it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a large request from a client
may trigger several integer overflow scenarios, which would result with buffer
overflow and heap corruption.
================================================================================
Redis 6.0.12 Released Mon Mar 1 17:29:52 IST 2021
================================================================================
Upgrade urgency: LOW, fixes a compilation issue.
Bug fixes:
* Fix compilation error on non-glibc systems if jemalloc is not used (#8533)
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 1 Mar 2021 19:32:16 +0000 (20:32 +0100)]
{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 10}.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 27 Feb 2021 08:25:22 +0000 (09:25 +0100)]
package/gstreamer1/gst1-plugins-bad: add sctp option
sctp unconditionnally uses __sync_*_4 intrinsics in
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/blob/master/ext/sctp/usrsctp/usrsctplib/user_atomic.h
As a result, this will raise the following build failure with bootlin
sparc toolchain:
/srv/storage/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/9.3.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: ext/sctp/usrsctp/libusrsctp-static.a(usrsctplib_user_socket.c.o): in function `usrsctp_conninput':
user_socket.c:(.text+0x3004): undefined reference to `__sync_fetch_and_add_4'
sctp uses an internal version of usrsctp (which is not available in
buildroot) and is available since version 1.15.1:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/
e2f06326eac7c3c7fa9c0d5baf4bf9673fc93376
Fixes:
- http://autobuild.buildroot.org/results/
981b11ae9746d1eef40c1797398c4f6c16f005bd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Francois Perrad [Mon, 1 Mar 2021 12:24:35 +0000 (13:24 +0100)]
package/prosody: security bump to 0.11.8
From the release notes:
https://blog.prosody.im/prosody-0.11.8-released/
This release also fixes a security issue, where channel binding, which
connects the authentication layer (i.e. SASL) with the security layer (i.e.
TLS) to detect man-in-the-middle attacks, could be used on connections
encrypted with TLS 1.3, despite the holy texts declaring this undefined.
https://issues.prosody.im/1542
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Peter: mark as security bump, expand commit text]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Sun, 28 Feb 2021 21:49:39 +0000 (22:49 +0100)]
configs: rename a bunch of friendlyarm boards
We have defconfigs for quite a few friendlyarm boards, but the
naming for the defconfigs for those boards is inconsistent: some
start with 'friendlyarm_' while others don't.
Although the number of boards starting with 'friendlyarm_' is
less than those which do not, we still choose to rename the
boards so all have the 'friendlyarm_' prefix.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chakra Divi <chakra@openedev.com>
Cc: Davide Viti <zinosat@gmail.com>
Cc: Marek Belisko <marek.belisko@open-nandra.com>
Cc: Suniel Mahesh <sunil@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Sat, 27 Feb 2021 15:54:13 +0000 (16:54 +0100)]
package/util-linux: disable runuser for the host build
runuser allows running commands as another user, but needs to run as
root to be able to setuid(). But Buildroot does not require running as
root, and so runuser can't be used.
Incientally, that fixes host build in case unsuitable libs are found on
the system:
http://lists.busybox.net/pipermail/buildroot/2021-February/304261.html
Reported-by: GA K <guyarkam@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- expand the commit log with a more fundamental explanation that
runuser can't be used anyway
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 27 Feb 2021 19:26:39 +0000 (20:26 +0100)]
package/tpm2-pkcs11: needs threads
tpm2-pkcs11 fails to build without threads since its addition with
commit
42db2c7236c2249ec02608ed714fa6f95e36161b
Fixes:
- http://autobuild.buildroot.org/results/
8218776da34cc4a20663ae6737ad7727b12d8cd2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Mon, 1 Mar 2021 16:49:10 +0000 (17:49 +0100)]
package/privoxy: security bump to version 3.0.32
Privoxy 3.0.32 fixes a number of security issues:
- Security/Reliability:
- ssplit(): Remove an assertion that could be triggered with a
crafted CGI request.
Commit
2256d7b4d67. OVE-
20210203-0001.
Reported by: Joshua Rogers (Opera)
- cgi_send_banner(): Overrule invalid image types. Prevents a
crash with a crafted CGI request if Privoxy is toggled off.
Commit
e711c505c48. OVE-
20210206-0001.
Reported by: Joshua Rogers (Opera)
- socks5_connect(): Don't try to send credentials when none are
configured. Fixes a crash due to a NULL-pointer dereference
when the socks server misbehaves.
Commit
85817cc55b9. OVE-
20210207-0001.
Reported by: Joshua Rogers (Opera)
- chunked_body_is_complete(): Prevent an invalid read of size two.
Commit
a912ba7bc9c. OVE-
20210205-0001.
Reported by: Joshua Rogers (Opera)
- Obsolete pcre: Prevent invalid memory accesses with an invalid
pattern passed to pcre_compile(). Note that the obsolete pcre code
is scheduled to be removed before the 3.0.33 release. There has been
a warning since 2008 already.
Commit
28512e5b624. OVE-
20210222-0001.
Reported by: Joshua Rogers (Opera)
for more details, see the announcement:
https://www.openwall.com/lists/oss-security/2021/02/28/1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Mon, 22 Feb 2021 07:13:01 +0000 (08:13 +0100)]
package/ushare: bump to version 2.1
Fix SOAP action responses which are broken since the switch to latest
version of libupnp (1.14.x) in version 2.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 1 Mar 2021 17:48:40 +0000 (18:48 +0100)]
package/jbig2dec: add JBIG2DEC_CPE_ID_VENDOR
cpe:2.3:a:artifex:jbig2dec is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aartifex%3Ajbig2dec
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 1 Mar 2021 17:42:39 +0000 (18:42 +0100)]
package/putty: add PUTTY_CPE_ID_VENDOR
cpe:2.3:a:putty:putty is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aputty%3Aputty
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 1 Mar 2021 17:37:01 +0000 (18:37 +0100)]
package/python-urllib3: add CPE variables
cpe:2.3:a:python:urllib3 is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Aurllib3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 1 Mar 2021 17:27:27 +0000 (18:27 +0100)]
package/python3: add CPE variables
cpe:2.3:a:python:python is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Apython%3Apython
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 1 Mar 2021 17:22:03 +0000 (18:22 +0100)]
package/python-aiohttp-session: add CPE variables
cpe:2.3:a:aiohttp-session_project:aiohttp-session is a valid CPE
identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aaiohttp-session_project%3Aaiohttp-session
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 1 Mar 2021 16:48:18 +0000 (17:48 +0100)]
package/libbsd: add LIBBSD_CPE_ID_VENDOR
cpe:2.3:a:freedesktop:libbsd is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Afreedesktop%3Alibbsd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Titouan Christophe [Mon, 1 Mar 2021 15:19:07 +0000 (16:19 +0100)]
package/mosquitto: bump to v2.0.8
Mosquitto 2.0.8 is bugfix release. See the announcement:
https://mosquitto.org/blog/2021/02/version-2-0-8-released/
Signed-off-by: Titouan Christophe <titouanchristophe@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Christian Stewart [Mon, 1 Mar 2021 11:59:03 +0000 (03:59 -0800)]
package/openssh: security bump to version 8.4p1
Fixes CVE-2020-15778: scp in OpenSSH through 8.3p1 allows command injection in
the scp.c toremote function, as demonstrated by backtick characters in the
destination argument. NOTE: the vendor reportedly has stated that they
intentionally omit validation of "anomalous argument transfers" because that
could "stand a great chance of breaking existing workflows."
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 27 Feb 2021 19:44:42 +0000 (20:44 +0100)]
package/haproxy: bump to version 2.2.9
https://www.mail-archive.com/haproxy@formilux.org/msg39744.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 27 Feb 2021 17:34:56 +0000 (18:34 +0100)]
Update for 2021.02-rc3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 27 Feb 2021 12:38:44 +0000 (13:38 +0100)]
package/python-aiohttp: security bump to version 3.7.4
Fixes the following security issue:
CVE-2021-21330: Open redirect vulnerability in aiohttp
(normalize_path_middleware middleware)
Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async
HTTP client/server framework, is prone to an open redirect vulnerability. A
maliciously crafted link to an aiohttp-based web-server could redirect the
browser to a different website.
For more details, see the advisory:
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-v6wp-4m6f-gcjg
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 27 Feb 2021 09:04:24 +0000 (10:04 +0100)]
package/libglib2: security bump to version 2.66.7
- Fix CVE-2021-27218: An issue was discovered in GNOME GLib before
2.66.7 and 2.67.x before 2.67.4. If g_byte_array_new_take() was called
with a buffer of 4GB or more on a 64-bit platform, the length would be
truncated modulo 2**32, causing unintended length truncation.
- Fix CVE-2021-27219: An issue was discovered in GNOME GLib before
2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an
integer overflow on 64-bit platforms due to an implicit cast from 64
bits to 32 bits. The overflow could potentially lead to memory
corruption.
https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.7/NEWS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 27 Feb 2021 09:32:41 +0000 (10:32 +0100)]
package/openntpd: add OPENNTPD_CPE_ID_VENDOR
cpe:2.3:a:openntpd:openntpd is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aopenntpd%3Aopenntpd
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Fri, 26 Feb 2021 23:13:17 +0000 (00:13 +0100)]
package/openldap: add upstream security fix for CVE-2021-27212
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion
failure in slapd can occur in the issuerAndThisUpdateCheck function via a
crafted packet, resulting in a denial of service (daemon exit) via a short
timestamp. This is related to schema_init.c and checkTime.
For more details, see the bugtracker:
https://bugs.openldap.org/show_bug.cgi?id=9454
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Fri, 26 Feb 2021 23:22:55 +0000 (00:22 +0100)]
package/screen: add security fix for CVE-2021-26937
encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a
denial of service (invalid write access and application crash) or possibly
have unspecified other impact via a crafted UTF-8 character sequence.
For more details, see the oss-security discussion:
https://www.openwall.com/lists/oss-security/2021/02/09/3
So far no fix has been added to upstream git, and a number of early proposed
fixes caused regressions, so pull the security fix from the screen 4.8.0-5
Debian package.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Seiderer [Fri, 19 Feb 2021 23:02:56 +0000 (00:02 +0100)]
package/imagemagick: disable remaining config options (heic, jxl, openjp2)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Fri, 19 Feb 2021 23:02:55 +0000 (00:02 +0100)]
package/imagemagick: add optional libraw support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Fri, 19 Feb 2021 23:02:54 +0000 (00:02 +0100)]
package/imagemagick: add optional zstd support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Fri, 19 Feb 2021 23:02:53 +0000 (00:02 +0100)]
package/imagemagick: add optional libzip support
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Seiderer [Fri, 19 Feb 2021 23:02:52 +0000 (00:02 +0100)]
package/imagemagick: security bump to version 7.0.10-62
Fixes the following security issue:
CVE-2021-20176: A divide-by-zero flaw was found in ImageMagick 6.9.11-57 and
7.0.10-57 in gem.c. This flaw allows an attacker who submits a crafted file
that is processed by ImageMagick to trigger undefined behavior through a
division by zero. The highest threat from this vulnerability is to system
availability.
For more details, see the bugtracker:
https://github.com/ImageMagick/ImageMagick/issues/3077
- bump version to 7.0.10-62
- update license file hash (copyright year update)
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: mention security fix]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Markus Mayer [Fri, 26 Feb 2021 20:08:21 +0000 (12:08 -0800)]
package/readline: disable bracketed paste by default
As of readline 8.1, "bracketed paste" is enabled by default. However,
the feature causes control characters to appear in captured (telnet)
session output. This can throw off pattern matching if the output is to
be processed by scripts.
Let's keep the previous default of leaving this feature disabled and
provide a configuration option for users to enable it.
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
[yann.morin.1998@free.fr:
- explicit enable/disable
- no indentation in conditional block
- rewrap help text
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Sat, 20 Feb 2021 17:21:02 +0000 (18:21 +0100)]
package/qemu: disable tests
tests/fp/fp-bench.c use fenv.h that is not always provided
by the libc (uClibc).
To workaround this issue, add an new meson option to
disable tests while building Qemu.
Fixes:
http://autobuild.buildroot.net/results/
53f5d8baa994d599b9da013ee643b82353366ec3/build-end.log
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 21 Feb 2021 17:59:02 +0000 (18:59 +0100)]
package/botan: avoid empty -l
Add upstream patch to fix upstream commit
af63fe89228172e5a395f7e6491fae3bfa9da4b1 which was added to buildroot in
commit
d71de4143d7a8554929f2a1e9731f83a4cf85fd3
Fixes:
- http://autobuild.buildroot.org/results/
801007860b7787b28b2b2e3611b59350034a3694
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sun, 21 Feb 2021 18:58:12 +0000 (19:58 +0100)]
package/libuwsc: disable example
BUILD_EXAMPLE=OFF is already passed by cmake-package
Fixes:
- http://autobuild.buildroot.org/results/
f5256d5a3a86112f008506f1910d0600c491a2a0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sun, 21 Feb 2021 19:59:01 +0000 (20:59 +0100)]
package/brltty: fix build with gcc < 5
Fix build of brltty in version 6.2 with gcc < 5
Fixes:
- http://autobuild.buildroot.org/results/
b758c6ffc7a14b24d5482e65ba6f90bc046ebd01
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: do an actual backport]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sun, 21 Feb 2021 20:14:52 +0000 (21:14 +0100)]
package/babeltrace2: link with libatomic if needed
Fix build of babeltrace2 in version 2.0.3 with Bootlin SPARC uclibc
toolchain added with commit
1348c569d0cb7f67eca30f170b782aa8b51cc259
Fixes:
- http://autobuild.buildroot.org/results/
31770bf70f9ce4e3be8fb310d084b214820c6829
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sun, 21 Feb 2021 20:29:44 +0000 (21:29 +0100)]
package/elfutils: link with libatomic if needed
Fix build of elfutils 0.181 with Bootlin SPARC uclibc toolchain added
with commit
1348c569d0cb7f67eca30f170b782aa8b51cc259
Fixes:
- http://autobuild.buildroot.org/results/
31ce9e3861c6229a7869a15d322f5d2f5bfc6165
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Mon, 22 Feb 2021 17:00:48 +0000 (18:00 +0100)]
package/intel-mediasdk: disable samples and tutorials
Disable samples and tutorials which are enabled by default and fail to
build with gcc 10 without upstream commit:
https://github.com/Intel-Media-SDK/MediaSDK/commit/
c7d40371eb0c2042261fe1f91a364f69a1457235
Fixes:
- http://autobuild.buildroot.org/results/
9ee28e5dc0b2ba854766d9bc82b95c28be2722d3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Thu, 25 Feb 2021 10:26:33 +0000 (11:26 +0100)]
package/nodejs: security bump to version v12.21.0
Fixes the following security issues:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when
too many connection attempts with an 'unknownProtocol' are established.
This leads to a leak of file descriptors. If a file descriptor limit is
configured on the system, then the server is unable to accept new
connections and prevent the process also from opening, e.g. a file. If no
file descriptor limit is configured, then this lead to an excessive memory
usage and cause the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when
the whitelist includes “localhost6”. When “localhost6” is not present in
/etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e.,
over network. If the attacker controls the victim's DNS server or can spoof
its responses, the DNS rebinding protection can be bypassed by using the
“localhost6” domain. As long as the attacker uses the “localhost6” domain,
they can still apply the attack described in CVE-2018-7160.
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Andreas Klinger [Tue, 23 Feb 2021 18:04:37 +0000 (19:04 +0100)]
package/ply: build needs flex and bison
Building needs flex and bison installed on the host system.
Fixes:
http://autobuild.buildroot.net/results/
7cfe75725f4746367f2870ee9545f31ba56f6ec1
Signed-off-by: Andreas Klinger <ak@it-klinger.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 21 Feb 2021 18:21:39 +0000 (19:21 +0100)]
package/screen: add SCREEN_CPE_ID_VENDOR
cpe:2.3:a:gnu:screen is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Agnu%3Ascreen
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 21 Feb 2021 18:11:31 +0000 (19:11 +0100)]
package/xterm: add XTERM_CPE_ID_VENDOR
cpe:2.3:a:invisible-island:xterm is a valid CPE identifier for this
package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Ainvisible-island%3Axterm
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 23 Feb 2021 13:50:31 +0000 (14:50 +0100)]
package/python3: security bump to version 3.9.2
Fixes the following security issue:
- CVE-2021-23336: urllib.parse.parse_qsl(): Web cache poisoning - `; ` as a
query args separator
https://bugs.python.org/issue42967
And fixes a number of issues. For details, see the changelog:
https://docs.python.org/release/3.9.2/whatsnew/changelog.html
Drop the now upstreamed security patch and update the license hash for a
change of copyright year:
-2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Python Software Foundation;
+2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Python Software Foundation;
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Vincent Fazio [Fri, 19 Feb 2021 21:21:54 +0000 (15:21 -0600)]
support/download: drop sub-second precision in tarball creation
Some download backends, like svn, will provide timestamps with a
sub-second precision, e.g.
$ svn info --show-item last-changed-date [...]
2021-02-19T20:22:34.889717Z
However, the PAX headers do not accept sub-second precision, leading to
failure to download from subversion:
tar: Time stamp is out of allowed range
tar: Exiting with failure status due to previous errors
make[1]: *** [package/pkg-generic.mk:148: [...]/build/subversion-
1886712/.stamp_downloaded] Error 1
Fix that by massaging the timestamp to drop the sub-second part. We
do that in the generic helper, rather than the svn backend, so that
all callers to the generic helper benefit from this, as this is more
an internal details of the tarball limitations, than of the backends
themselves.
Reported-by: Roosen Henri <Henri.Roosen@ginzinger.com>
Signed-off-by: Vincent Fazio <vfazio@xes-inc.com>
[yann.morin.1998@free.fr:
- add Henri as reporter
- move it out of the svn backend, and to the generic helper
- reword the commit log accordingly
- use an explicit time format rather than -Iseconds
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Thu, 18 Feb 2021 08:22:26 +0000 (09:22 +0100)]
package/bind: security bump to version 9.11.28
Fixes the following security issue:
- CVE-2020-8625: When tkey-gssapi-keytab or tkey-gssapi-credential was
configured, a specially crafted GSS-TSIG query could cause a buffer
overflow in the ISC implementation of SPNEGO (a protocol enabling
negotiation of the security mechanism to use for GSSAPI authentication).
This flaw could be exploited to crash named. Theoretically, it also
enabled remote code execution, but achieving the latter is very difficult
in real-world conditions
For details, see the advisory:
https://kb.isc.org/docs/cve-2020-8625
In addition, 9.11.26-27 fixed a number of issues, see the release notes for
details:
https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html
Drop now upstreamed patches, update the GPG key for the 2021-2022 variant
and update the COPYRIGHT hash for a change of year:
-Copyright (C) 1996-2020 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2021 Internet Systems Consortium, Inc. ("ISC")
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Ryan Barnett [Sun, 21 Feb 2021 22:38:27 +0000 (16:38 -0600)]
package/fakeroot: fix glibc detection on patch for new wrappers
Commit
f45925a951318e9e53bead80b363e004301adc6f add the patch:
0003-libfakeroot.c-add-wrappers-for-new-glibc-2.33-symbol.patch
which allowed fakeroot to be compiled with GLIBC 2.33 or above.
However, this introduce a bug for building with a non-GLIBC based
toolchain as a GLIBC macro - __GLIBC_PREREQ - is used on the same line
as the detection of GLIBC.
Fix this by backporting the fix to this incorrect macro from upstream
commit:
https://salsa.debian.org/clint/fakeroot/-/commit/
8090dffdad8fda86dccd47ce7a7db8840bdf7d7b
CC: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Stefan Ott [Sun, 21 Feb 2021 00:47:50 +0000 (01:47 +0100)]
package/unbound: bump to version 1.13.1
This release contains a number of bug fixes. There is added support
for the EDNS Padding option (RFC7830 and RFC8467), and the EDNS NSID
option (RFC 5001). Unbound control has added commands to enable and
disable rpz processing. Reply callbacks have a start time passed to
them that can be used to calculate time, these are callbacks for
response processing. With the option serve-original-ttl the TTL served
in responses is the original, not counted down, value, for when in
front of authority service.
https://github.com/NLnetLabs/unbound/releases/tag/release-1.13.1
Signed-off-by: Stefan Ott <stefan@ott.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Seiderer [Sat, 20 Feb 2021 23:12:24 +0000 (00:12 +0100)]
package/irqbalance: fix irqbalance/irqbalance-ui socket communication
Add patch to fix irqbalance/irqbalance-ui socket communication by
fixing uint64_t printf format usage.
Fixes:
$ irqbalance-ui
Invalid data sent. Unexpected token: (null)TYPE
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
- do an actual backport as upstream applied the patch
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Scott Fan [Sat, 20 Feb 2021 16:27:14 +0000 (00:27 +0800)]
package/open62541: fix library version definition
Manually specified version must start with letter 'v',
otherwise, the generated version macro will be zero
in the <build_dir>/src_generated/open62541/config.h file:
#define UA_OPEN62541_VER_MAJOR 0
#define UA_OPEN62541_VER_MINOR 0
#define UA_OPEN62541_VER_PATCH 0
Reference from the following link:
https://open62541.org/doc/current/building.html
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Sat, 20 Feb 2021 16:56:04 +0000 (17:56 +0100)]
support/scripts/boot-qemu-image.py: properly catch timeout
As reported on IRC by sephthir, the gitlab test of the defconfig
qemu_sparc_ss10_defconfig doesn't error out while the system
is not working properly.
This is because we explicitly wait for the timeout as an expected
condition, but do not check for it. Indeed, pexpect.expect() returns
the index of the matching condition in the list of expected conditions,
but we just ignore the return code, so we are not able to differentiate
between a successful login (or prompt) from a timeout.
By default, pexepect.expect() raises the pexpect.TIMEOUT exception on a
timeout, and we are already prepared to catch and handle that exception.
But because pexpect.TIMEOUT is passed as an expected condition, the
exception is not raised.
Remove pexpect.TIMEOUT from the list of expected conditions, so that the
exception is properly raised again, and so that we can catch it.
The qemu_sparc_ss10_defconfig is already fixed by
4d16e6f5324f0285f51bfbb5a3503584f3b3ad12.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Jugurtha BELKALEM <jugurtha.belkalem@smile.fr>
[yann.morin.1998@free.fr: reword commit log]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Seiderer [Sat, 20 Feb 2021 16:33:48 +0000 (17:33 +0100)]
package/irqbalance: fix sysv startup script (add mkdir /run/irqbalance)
- add mkdir -p /run/irqbalance to sysv startup script needed to
create socket /run/irqbalance/irqbalance<pid>.sock
Fixes:
- Bug 13541 [1]
daemon.warn /usr/sbin/irqbalance: Daemon couldn't be bound to the file-based socket.
[1] https://bugs.busybox.net/show_bug.cgi?id=13541
Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr: only create in start case]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Seiderer [Sat, 20 Feb 2021 16:33:49 +0000 (17:33 +0100)]
package/irqbalance: fix systemd startup script (add RuntimeDirectory)
- add RuntimeDirectory=irqbalance to create /run/irqbalanace needed to
create socket /run/irqbalance/irqbalance<pid>.sock
Fixes:
- Bug 13541 [1]
/usr/sbin/irqbalance[158]: Daemon couldn't be bound to the file-based socket.
[1] https://bugs.busybox.net/show_bug.cgi?id=13541
Reported-by: Alfredo Pons Menargues <alfredo.pons@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Scott Fan [Sat, 20 Feb 2021 16:43:31 +0000 (00:43 +0800)]
DEVELOPERS: remove Scott Fan
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni [Tue, 16 Feb 2021 21:45:12 +0000 (22:45 +0100)]
utils/scanpypi: use python3 explicitly
scanpypi is python3 compatible. In addition, it executes the setup.py
of Python modules to extract the relevant information. Since these are
more and more commonly using python3 constructs, using "python" to run
scanpypi causes problems on systems that have python2 installed as
python, when trying to parse setup.py scripts with python3 constructs.
Fixes part of #13516.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Jörg Krause [Wed, 17 Feb 2021 07:44:02 +0000 (08:44 +0100)]
package/taglib: drop config options to enable MP4/ASF support
Both options where removed in git commit
dd846904cbc1ef3ee628d77f0c9df88ef8967816
back in year 2011.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
[yann.morin.1998@free.fr: drop the legacy handling]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Wed, 17 Feb 2021 23:24:11 +0000 (00:24 +0100)]
package/rust: disable ninja
Ninja has recently be enabled as the default build system to build
llvm fork for rust compiler [1]. But we can still use Make if
"ninja = false" is provided in config.toml.
Ninja support can be enabled by a following patch.
[1] https://github.com/rust-lang/rust/commit/
30b7dac745b1555cd96f41977f7d24435cbe7fa2
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
1019386205
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Eric Le Bihan <eric.le.bihan.dev@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bartosz Bilas [Thu, 18 Feb 2021 17:59:05 +0000 (18:59 +0100)]
package/cegui: use plain assignemnt for first _CONF_OPTS
Commit
689b9c1a7cf5 (package/cegui: disable xerces support) added
an unconditional assignment to _CONF_OPTS before all the conditional
ones, but used the append-assignment instead of the traditional plain
assignment.
Fix that by removing the append-assignment.
Use that opportunity to also move the first item of this multi-line
assignment, to its own line.
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
[yann.morin.1998@free.fr:
- reference the exact commit that introduce the issue
- also move the first item to its own line
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Fri, 19 Feb 2021 09:59:41 +0000 (10:59 +0100)]
package/python-django: security bump to version 3.0.13
Fixes the following security issue:
- CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()
Django contains a copy of urllib.parse.parse_qsl() which was added to
backport some security fixes. A further security fix has been issued
recently such that parse_qsl() no longer allows using ; as a query
parameter separator by default. Django now includes this fix. See
bpo-42967 for further details.
For more details, see the advisory:
https://www.djangoproject.com/weblog/2021/feb/19/security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 19 Feb 2021 19:38:24 +0000 (20:38 +0100)]
package/botan: fix build with -latomic
Static build with toolchains needing -latomic (e.g sparc) is broken
since version 2.17.0 and
https://github.com/randombit/botan/commit/
88af81b88976d9a1293280f68df597220ab42767
Fixes:
- http://autobuild.buildroot.org/results/
5c03ee53a34a3cdb409cffcda76e5cc2c723778b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 19 Feb 2021 19:30:30 +0000 (20:30 +0100)]
package/libselinux: fix build with musl 1.2.2
Fixes:
- http://autobuild.buildroot.org/results/
34b010e76d65cf1d79ef53207cbc00a86674e17a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
John Keeping [Fri, 19 Feb 2021 12:18:27 +0000 (12:18 +0000)]
package/libusb: apply upstream patch to fix descriptor parsing
v1.0.24 of libusb has a bug in the Linux backend where it fails to
enumerate any device with more than one configuration. Backport the
upstream patch which fixes this as otherwise libusb based applications
are unable to communicate with any devices advertising more than one
configuration.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Wed, 17 Feb 2021 20:04:31 +0000 (21:04 +0100)]
docs/website: update for 2020.02.11
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 17 Feb 2021 19:36:28 +0000 (20:36 +0100)]
Update for 2020.02.11
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit
08e03785d3812c085c438a6040ccedc3e9f5809d)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 17 Feb 2021 18:44:35 +0000 (19:44 +0100)]
docs/website: update for 2020.11.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 17 Feb 2021 18:24:35 +0000 (19:24 +0100)]
Update for 2020.11.3
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit
610e67b1fc4ac44e0c4a7ba437c917ad6d63f481)
[Peter: drop Makefile changes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 17 Feb 2021 16:50:16 +0000 (17:50 +0100)]
Update for 2021.02-rc2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Wed, 17 Feb 2021 06:49:49 +0000 (07:49 +0100)]
package/perl-extutils-pkgconfig: set PATH to BR_PATH
Set PATH to BR_PATH to allow perl-extutils-pkgconfig to find pkg-config
binary
Fixes:
- http://autobuild.buildroot.org/results/
d87787fbf2a8cb9bbaa3b59d1e8004ad1459536a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 16 Feb 2021 19:31:34 +0000 (20:31 +0100)]
package/libopenssl: security bump to version 1.1.1j
Fixes the following security issues:
- CVE-2021-23841: Null pointer deref in X509_issuer_and_serial_hash()
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.
- CVE-2021-23839: Incorrect SSLv2 rollback protection
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2
with a server that is configured to support both SSLv2 and more recent SSL
and TLS versions then a check is made for a version rollback attack when
unpadding an RSA signature. Clients that support SSL or TLS versions
greater than SSLv2 are supposed to use a special form of padding. A
server that supports greater than SSLv2 is supposed to reject connection
attempts from a client where this special form of padding is present,
because this indicates that a version rollback has occurred (i.e. both
client and server support greater than SSLv2, and yet this is the version
that is being requested).
The implementation of this padding check inverted the logic so that the
connection attempt is accepted if the padding is present, and rejected if
it is absent. This means that such as server will accept a connection if
a version rollback attack has occurred. Further the server will
erroneously reject a connection if a normal SSLv2 connection attempt is
made.
OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable
to this issue. The underlying error is in the implementation of the
RSA_padding_check_SSLv23() function. This also affects the
RSA_SSLV23_PADDING padding mode used by various other functions. Although
1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still
exists, as does the RSA_SSLV23_PADDING padding mode. Applications that
directly call that function or use that padding mode will encounter this
issue. However since there is no support for the SSLv2 protocol in 1.1.1
this is considered a bug and not a security issue in that version.
- CVE-2021-23840: Integer overflow in CipherUpdate
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may
overflow the output length argument in some cases where the input length
is close to the maximum permissable length for an integer on the platform.
In such cases the return value from the function call will be 1
(indicating success), but the output length value will be negative. This
could cause applications to behave incorrectly or crash.
For more details, see the advisory:
https://www.openssl.org/news/secadv/
20210216.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Heiko Thiery [Thu, 11 Feb 2021 09:29:10 +0000 (10:29 +0100)]
support/scripts/pkg-stats: add ignored_cves to json output
Add the list of <pkg>_IGNORE_CVES to the json output to show that we have a
known cause (available patch or the CVE is not valid for our package
configuration) that a affected CVE is not reported.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Fri, 12 Feb 2021 09:15:10 +0000 (10:15 +0100)]
package/openblas: fix detection of gfortran compiler
The compiler detection since openblas 0.3.8 added support for gcc 10, but
this broke detection of compilers created with crosstool-ng, or other
toolchains that have a package version containing a version like x.y.z where
at least one of x, y or z have more than one digit, for example
"Crosstool-NG 1.24.0".
See the reported issue for more details [1].
Backport the upstream patch that fixes it.
[1] https://github.com/xianyi/OpenBLAS/issues/3099
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Fri, 12 Feb 2021 09:15:09 +0000 (10:15 +0100)]
package/openblas: allow disabling multithreading
Buildroot would automatically enable multithreading in OpenBLAS if the
architecture supports it. However, one may want to avoid OpenBLAS creating
threads itself and configure single-threaded operation. To accommodate this
use case, add a config option for multithreading.
When multithreading is disabled but OpenBLAS functions are called in the
same application by multiple threads, then locking is mandatory. The
USE_LOCKING flag was added in version 0.3.7 with following release note:
a new option USE_LOCKING was added to ensure thread safety when OpenBLAS
itself is built without multithreading but will be called from multiple
threads.
However, if one knows that OpenBLAS will only be called from single-threaded
applications, then passing USE_LOCKING is not necessary, so make it a config
option too.
When multithreading is enabled, locking is implicitly enabled inside
openblas, so only provide the locking option when multithreading is
disabled.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sun, 7 Feb 2021 19:57:33 +0000 (20:57 +0100)]
package/flashrom: fix build on riscv
Retrieve an upstream patch to fix build with riscv as it fails to
retrieve architecture due to "Use sigaction with SA_RESTART instead"
being caught before riscv:
exec: export LC_ALL=C ; { /home/fabrice/buildroot/output/host/bin/riscv32-linux-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -E archtest.c 2>/dev/null | grep -v ^# | grep ' | cut -f 2 -d' ; }
Use sigaction with SA_RESTART instead
riscv
Fixes:
- http://autobuild.buildroot.org/results/
61ac6c9bfcd3bd9306aa49faf47b9f16e5abe846
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine [Sun, 7 Feb 2021 17:56:12 +0000 (18:56 +0100)]
package/gdk-pixbuf: fix static build
Fix static build failure which is raised since the switch to
meson-package in commit
a7b51ed3013c919b293deb95299e33363fb9df70
Fixes:
- http://autobuild.buildroot.org/results/
6cd54c497f5d19342ec94ece713547b887e4c02d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: add link to upstream MR]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Peter Korsgaard [Tue, 16 Feb 2021 19:16:50 +0000 (20:16 +0100)]
package/wpewebkit: bump version to 2.30.5
Bugfix release, fixing a number of issues:
- Fix RunLoop objects leaked in worker threads.
- Fix JavaScriptCore AArch64 LLInt build with JIT disabled.
- Use Internet Explorer quirk for Google Docs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 16 Feb 2021 19:16:49 +0000 (20:16 +0100)]
package/webkitgtk: security bump to version 2.30.5
Fixes the following security issue:
- CVE-2020-13558: Processing maliciously crafted web content may lead to
arbitrary code execution. Description: A use after free issue in the
AudioSourceProviderGStreamer class was addressed with improved memory
management
For more details, see the advisory:
https://webkitgtk.org/security/WSA-2021-0001.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 12 Feb 2021 06:39:44 +0000 (07:39 +0100)]
package/perl-gd: provide gd options
Now that gdlib-config is gone, provide the GD options otherwise perl-gd
will assume that everything is available:
$features = 'GD_GIF GD_GIFANIM GD_OPENPOLYGON GD_ZLIB GD_PNG GD_FREETYPE GD_FONTCONFIG GD_JPEG GD_XPM GD_TIFF GD_WEBP';
Also, while at it, also make some of the dependencies as optional as
suggested by François Perrad
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Tested-by: Francois Perrad <francois.perrad@gadz.org> (with
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine [Fri, 12 Feb 2021 06:39:43 +0000 (07:39 +0100)]
package/perl-gd: needs perl-extutils-pkgconfig
Commit
3a291be2e89bc64388c10dae50233c751a86733d forgot to add
perl-extutils-pkgconfig dependency
Fixes:
- http://autobuild.buildroot.org/results/
e590f1990180eae21512b23b884755e105a4c588
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine [Fri, 12 Feb 2021 06:39:42 +0000 (07:39 +0100)]
package/perl-extutils-pkgconfig: new package
host-perl-extutils-pkgconfig is needed by perl-gd to find gd in version
2.3.0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: Francois Perrad <francois.perrad@gadz.org>
[Arnout:
- remove Config.in - it's host-only
- add DEVELOPERS entry
- use HOST_PERL_EXTUTILS_PKGCONFIG_DEPENDENCIES]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Peter Korsgaard [Mon, 15 Feb 2021 18:57:09 +0000 (19:57 +0100)]
package/tzdate: use classic 'fat' format for uClibc/glibc compatibility
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
1019385940
FAIL: test_run (tests.core.test_timezone.TestGlibcNonDefaultLimitedTimezone)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/builds/buildroot.org/buildroot/support/testing/tests/core/test_timezone.py", line 66, in test_run
self.assertEqual(tz[0].strip(), "EST")
AssertionError: '' != 'EST'
Commit
7868289fd5348 (package/zic: bump version to 2020f) bumped the zic
version to 2020f, which changed the default output format from the classic
"fat" format to the new "slim" format:
https://github.com/eggert/tz/commit/
6ba6f2117b95eab345a7ed9159cef939e30c4cd3
The slim format is unfortunately not supported by glibc < 2.28 or uClibc, so
explicitly request the classic "fat" format.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Thomas De Schampheleire [Tue, 16 Feb 2021 14:20:07 +0000 (15:20 +0100)]
package/uboot-tools: depend on u-boot when selected
Currently, the envimage creation logic only depends on u-boot when the
user does not specify a custom envimage source via
BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE. This assumes that the
user-provided envimage source is not coming from the u-boot source
tree.
But especially given the fact that the envimage creation logic used to
be part of the u-boot package, this is a realistic scenario: users may
have provided a value of BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE
based on $(UBOOT_DIR), e.g.:
$(UBOOT_DIR)/board/foo-vendor/bar-board/env.txt
Therefore, always add the u-boot dependency if u-boot is selected, for
either case of custom or default envimage source.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[Thomas: re-organize code a bit.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Arnout Vandecappelle (Essensium/Mind) [Tue, 16 Feb 2021 20:12:33 +0000 (21:12 +0100)]
support/scripts/cpedb.py: remove import pickle
pickle is no longer used since
09a71e6a75636
Fixes:
support/scripts/cpedb.py:7:1: F401 'pickle' imported but unused
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fabrice Fontaine [Sun, 10 Jan 2021 19:06:16 +0000 (20:06 +0100)]
package/gstreamer1/gst1-python: needs gst1-plugins-base
gst1-plugins-base is a mandatory dependency since at least version
1.9.90 and
https://github.com/GStreamer/gst-python/commit/
16f971226df1980b58ebde330123debaaf3b53d0
Fixes:
- http://autobuild.buildroot.org/results/
48b22c66c3a610d70931b9adfd6e5082bb3ff3d1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 15 Feb 2021 17:28:48 +0000 (18:28 +0100)]
package/lcms2: disable tiff
tiff is only used by tificc sample and upstream rejected the patch to
fix the static build failure because "adding pkg-config dependency for a
sample is an overkill": https://github.com/mm2/Little-CMS/pull/244
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Mon, 15 Feb 2021 17:28:47 +0000 (18:28 +0100)]
Revert "package/lcms2: fix static building with tiff"
This reverts commit
7e4f054d2347708c9e22fe84c1d5f374d5b343cd.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:32 +0000 (14:54 +0100)]
package/collectd: add 'synproxy' option
The synproxy plugin exists since 5.8.0 and is enabled by default in
collectd.
Add an option in Buildroot, disabled by default.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:31 +0000 (14:54 +0100)]
package/collectd: add 'logparser' option
The logparser plugin is new since 5.11.0 and enabled by default in
collectd.
Add an option in Buildroot, disabled by default.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:30 +0000 (14:54 +0100)]
package/collectd: add 'mdevents' option
The mdevents plugin is new since 5.12.0 and enabled by default in
collectd.
Add an option in Buildroot, disabled by default.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 13:54:28 +0000 (14:54 +0100)]
package/collectd: add 'infiniband' option
The infiniband plugin is new since 5.12.0 and enabled by default in
collectd.
Add an option in Buildroot, disabled by default.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 15 Feb 2021 19:27:56 +0000 (20:27 +0100)]
package/orc: fix powerpc build with headers < 4.11
Autobuilder failures are raised with bootlin toolchains but it affects
orc since version 0.4.30
Fixes:
- http://autobuild.buildroot.org/results/
0821e96cba3e455edd47b87485501d892fc7ac6a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 11:58:01 +0000 (12:58 +0100)]
package/ebtables: install symlink to ebtables-legacy
Since the upgrade of ebtables from 2.0.10-4 to 2.0.11, there no longer is an
'ebtables' binary. It has been renamed to 'ebtables-legacy' and moved from
'/sbin' to '/usr/sbin'. This change is part of the upstream change to
integrate the functionality of ebtables (and arptables) in the iptables
package, using the nf_tables kernel backend [1].
Unfortunately, the renaming (and move) of the original 'ebtables' binary
breaks existing scripts that are calling 'ebtables' or '/sbin/ebtables'.
Therefore, add a symlink from the original path to 'ebtables-legacy'.
However, do not provide this symlink if BR2_PACKAGE_IPTABLES_NFTABLES is
enabled. In this case, the iptables package will build the new equivalent
of ebtables -- a symlink to ebtables-legacy would cause conflicts.
[1] https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Acked-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas De Schampheleire [Tue, 16 Feb 2021 12:50:30 +0000 (13:50 +0100)]
package/tcpdump: remove duplicated binary
Since tcpdump 4.99.0, the 'tcpdump' binary is no longer installed in
/usr/sbin but in /usr/bin. This change invalidates the Buildroot hook
'TCPDUMP_REMOVE_DUPLICATED_BINARY', causing a fairly large rootfs size
increase as a result.
Update the path inside this hook.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:56 +0000 (09:07 +0100)]
package/mongoose: add MONGOOSE_CPE_ID_VENDOR
cpe:2.3:a:cesanta:mongoose is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acesanta%3Amongoose
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:55 +0000 (09:07 +0100)]
package/mongoose: security bump to version 7.1
- Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta
Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via
connection request after exhausting memory pool.
- Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS
server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable
to remote OOB write attack via connection request after exhausting
memory pool.
- Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS
server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB
write attack via connection request after exhausting memory pool.
https://github.com/cesanta/mongoose/releases/tag/7.1
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 16 Feb 2021 08:07:54 +0000 (09:07 +0100)]
package/mongoose: fix activation of openssl/mbedtls
MG_ENABLE_SSL and MG_SSL_IF have been dropped since version 7.0 and
https://github.com/cesanta/mongoose/commit/
f2fba1d2004c5ddf2fc0a7ca8dc75b5f78feed85
So use the new MG_ENABLE_OPENSSL and MG_ENABLE_MBEDTLS variables
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Tue, 16 Feb 2021 08:44:16 +0000 (09:44 +0100)]
DEVELOPERS: drop Rahul Jain, user no longer exists
<rahul.jain@imgtec.com>: host mxa-
00376f01.gslb.pphosted.com[185.132.180.163]
said: 550 5.1.1 User Unknown (in reply to RCPT TO command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Tue, 16 Feb 2021 08:30:21 +0000 (09:30 +0100)]
DEVELOPERS: drop Guillaume Gardet, domain no longer exists
The oliseo.fr domain no longer responds to SMTP requests:
smtplib.SMTPRecipientsRefused: {'Guillaume Gardet <guillaume.gardet@oliseo.fr>': (550, b'5.1.2 <guillaume.gardet@oliseo.fr>: Recipient address rejected: Domain not found')}
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Jörg Krause [Mon, 15 Feb 2021 13:47:31 +0000 (14:47 +0100)]
package/fakeroot: add upstream patches to fix glibc 2.33 compatibility
Glibc 2.33 removed `_STAT_VER`. On host machines, which updated to glibc
2.33, building host-fakeroot breaks:
```
In file included from communicate.h:20,
from libfakeroot.c:60:
libfakeroot.c: In function ‘chown’:
libfakeroot.c:99:40: error: ‘_STAT_VER’ undeclared (first use in this function)
99 | #define INT_NEXT_STAT(a,b) NEXT_STAT64(_STAT_VER,a,b)
```
The issue has been discussed on some package maintainer threads, e.g.:
https://bugs.archlinux.org/task/69572
https://bugzilla.redhat.com/show_bug.cgi?id=
1889862#c13
A patch series was prepared by Ilya Lipnitskiy which included two other
patches not related to the glibc 2.33 compatibility issue and submitted as
merge request for upstream:
https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg57280.html
Upstream accepted the merge request:
https://salsa.debian.org/clint/fakeroot/-/merge_requests/10
Note, that this patch series only contains the necessay patches for glibc
2.33 compatibility.
Tested on my Arch Linux machine, building a UBIFS/OverlayFS-based root
filesystem for an i.MX6ULL target board.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Tested-by: Bartosz Bilas <b.bilas@grinn-global.com>
[Peter: drop patch numbering (PATCH x/y) as pointed out by check-package]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 15 Feb 2021 17:26:36 +0000 (18:26 +0100)]
package/libgpg-error: fix build without threads
Fix build without threads of libgpg-error in version >= 1.40
Fixes:
- http://autobuild.buildroot.org/results/
3344c96e5627a9327b0eabe0b27f34490bbabc0d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Mon, 15 Feb 2021 17:45:43 +0000 (18:45 +0100)]
package/ne10: disable unit tests and examples
Unit tests fail to build with gcc 10 on:
[100%] Linking C executable NE10_dsp_unit_test_smoke
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-none-linux-gnu/10.2.1/../../../../aarch64-none-linux-gnu/bin/ld: CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_suite_fft_float32.c.o:(.bss+0x0): multiple definition of `seatest_simple_test_result'; CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_main.c.o:(.bss+0x0): first defined here
So just disable them and, while at it, also disable examples which are
also enabled by default
Fixes:
- http://autobuild.buildroot.org/results/
c658d52668825c26a15d6ac3ca538472cad5cd78
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Michael Vetter [Mon, 15 Feb 2021 10:45:28 +0000 (11:45 +0100)]
package/jasper: security bump version to 2.0.25
Changes:
* Fix memory-related bugs in the JPEG-2000 codec resulting from
attempting to decode invalid code streams. (#264, #265)
This fix is associated with CVE-2021-26926 and CVE-2021-26927.
* Fix wrong return value under some compilers (#260)
* Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)
Signed-off-by: Michael Vetter <jubalh@iodoru.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Sat, 13 Feb 2021 22:19:48 +0000 (23:19 +0100)]
support/scripts/cpedb.py: drop CPE XML database caching
Currently, the CPE XML database is parsed into a Python dict, which is
then pickled into a local file, to speed up the processing of further
invocations.
However, it turns out that since the initial implementation, we have
switched the XML parsing from the out of tree xmltodict module to the
standard ElementTree one, which has made the parsing much faster. The
pickle caching only saves 6 seconds, on something that takes more than
13 minutes total.
In addition, this pickle caching consumes a significant amount of RAM,
causing the Python process to be OOM-killed on a server with 4 GB of
RAM.
So let's just drop this caching entirely.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>