Fabrice Fontaine [Sun, 23 Feb 2020 15:36:38 +0000 (16:36 +0100)]
package/smartmontools: fix build without stack-protector
Fixes:
- http://autobuild.buildroot.org/results/
0de9f2a69fa2a39164211299f8a429d2fec6935a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Carlos Santos [Sun, 23 Feb 2020 10:59:12 +0000 (07:59 -0300)]
package/busybox: fix individual binaries installation
Call BUSYBOX_INSTALL_INDIVIDUAL_BINARIES in BUSYBOX_INSTALL_TARGET_CMDS,
not in BUSYBOX_INSTALL_INIT_SYSV. This should have been done in commit
b1e07d6d796e67a980d4a05d04c64f00162245ff but was somehow lost during the
review/aply process.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yegor Yefremov [Mon, 10 Feb 2020 09:11:49 +0000 (10:11 +0100)]
support/testing: add libftdi1 test case
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yegor Yefremov [Mon, 10 Feb 2020 09:11:48 +0000 (10:11 +0100)]
package/libftdi1: fix unresolved symbol issue
GCC later than 5.x produce _fdti1.so file with an undefined
symbol str2charp_size due to C99 inline semantics change. So
remove this keyword.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[yann.morin.1998@free.fr: add upstream status]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Giulio Benetti [Thu, 20 Feb 2020 21:18:55 +0000 (22:18 +0100)]
package/at: fix parallel build failure
Add a patch to finally fix parallel build failure. Patch is pending
upstream:
https://salsa.debian.org/debian/at/merge_requests/14
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Peter Korsgaard [Thu, 20 Feb 2020 21:45:30 +0000 (22:45 +0100)]
package/tpm2-tss: bump to version 2.3.3
Bugfix release, fixing a number of issues:
- Fixed mixing salted and unsalted sessions in the same ESAPI context
- Removed use of VLAs from TPML marshal code
- Added check for object node before calling compute_session_value function
- Fixed auth calculation in Esys_StartAuthSession called with optional parameters
- Fixed compute_encrypted_salt error handling in Esys_StartAuthSession
- Fixed exported symbols map for libtss2-mu
The 2.3.3 tarball accidently contains a Makefile-fuzz-generated.am with
content from a fuzz testing run (rather than an empty file as in earlier
releases), confusing autoreconf together with our
0001-configure-Only-use-CXX-when-fuzzing.patch.
Work around that by adding a post-patch hook to truncate the file. The
issue has been reported upstream and the release logic has been changed to
ensure this does not happen again for future releases:
https://github.com/tstruk/tpm2-tss/commit/
d163041e3bafa23c0be89c82a99b8501634ebdb4
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Baruch Siach [Fri, 21 Feb 2020 05:34:42 +0000 (07:34 +0200)]
docs/manual: clarify the <PKG>_PATCH_DEPENDENCIES guarantee
Unlike <PKG>_DEPENDENCIES, <PKG>_PATCH_DEPENDENCIES only guarantees
extract and patch of listed dependencies, not build. Make this subtlety
more explicit in the documentation.
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
[yann.morin.1998@free.fr: slight fix]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Fri, 21 Feb 2020 21:56:46 +0000 (22:56 +0100)]
package/mbedtls: security bump to version 2.16.5
- Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the
curve) unless the RNG is broken, and could result in information
disclosure or denial of service (application crash or extra resource
consumption).
- To avoid a side channel vulnerability when parsing an RSA private
key, read all the CRT parameters from the DER structure rather than
reconstructing them.
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 22 Feb 2020 21:33:28 +0000 (22:33 +0100)]
package/luv: fix build with gcc 4.8
Fixes:
- http://autobuild.buildroot.org/results/
83b34e606b128546da8a70836d039090e334a1ec
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: mark patch accepted upstream]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Giulio Benetti [Sat, 22 Feb 2020 21:44:39 +0000 (22:44 +0100)]
package/libsvgtiny: fix parallel build
Fix previous commit[1] which purpose was to fix parallel build. It
didn't work since it assigned $(MAKE1) to LIBSVGTINY_MAKE, but this is a
generic-package and building is done using $(MAKE), then LIBSVGTINY_MAKE
was ignored. Let's substitute instead $(MAKE) with $(MAKE1) in
LIBSVGTINY_BUILD_CMDS.
[1]:
https://git.buildroot.net/buildroot/commit/?id=
26d67a2599d6c88facd5178de853fa355244e7c2
Fixes:
http://autobuild.buildroot.net/results/67d/
67d341c0cc272323d6e231a20796a6848c21d760/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[yann.morin.1998@free.fr:
- use $(MAKE1) in all three step
- move comment out of the define
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yann E. MORIN [Sat, 22 Feb 2020 10:38:47 +0000 (11:38 +0100)]
infra: don't be verbose when calling the instrumentation steps
Commit
509db3b88a added calls to (parts of) the instrumentation steps.
However, those calls are echoed, unlike the other places where we call
them (in the package infra).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Acked-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Romain Naour [Wed, 19 Feb 2020 19:10:13 +0000 (20:10 +0100)]
package/mesa3d: gbm needs a DRI driver or a Gallium driver w/ EGL
src/gbm/
cd6bfad@@gbm at sha/main_backend.c.o: In function `_gbm_create_device':
backend.c:(.text+0x38): undefined reference to `gbm_dri_backend'
backend.c:(.text+0x40): undefined reference to `gbm_dri_backend'
backend.c:(.text+0x74): undefined reference to `gbm_dri_backend'
backend.c:(.text+0x78): undefined reference to `gbm_dri_backend'
collect2: error: ld returned 1 exit status
This issue has been trigged since [1]:
"package/mesa3d: add option to configure gbm support"
Before the patch, the gbm support was autodetected by meson and enabled
only when at least one dri driver was enabled [2].
On the Buildroot side, the gbm support was explicitely enabled only when
BR2_PACKAGE_MESA3D_OPENGL_EGL was set.
We have two cases:
- At least one DRI driver.
- No DRI driver but one Gallium w/ EGL enable (EGL selected or not by the
Gallium driver). In this case the meson build system set with_dri to true
(even if no DRI driver is enabled) to use the builtin:egl_dri2 [3].
The gbm's meson build system seems to handle the case where no dri driver is
enabled [4] but it still use main/backend.c source file [6] that use
gbm_dri_backend [7]. So with_dri2 must always be set.
Probably a missing check in meson.build:
if with_gbm and not with_dri
error('GBM backend needs a dri driver or a gallium driver w/ EGL support.')
endif
Add a dependency on GBM option:
depends on BR2_PACKAGE_MESA3D_DRI_DRIVER \
|| (BR2_PACKAGE_MESA3D_GALLIUM_DRIVER && BR2_PACKAGE_MESA3D_OPENGL_EGL)
Fixes:
http://autobuild.buildroot.net/results/
b9b6281983388dc22d929887d653da3db60f1f2c
[1]
b6c051acf787c804e732bc58ba8d7e440701a168
[2] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/meson.build#L348
[3] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/meson.build#L212
[4] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/src/gbm/meson.build#L37
[5] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/src/gbm/meson.build#L24
[6] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/src/gbm/main/backend.c#L38
[7] http://lists.busybox.net/pipermail/buildroot/2020-February/274425.html
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[yann.morin.1998@free.fr: fix dependency of comment]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 22 Feb 2020 09:50:35 +0000 (10:50 +0100)]
package/bash: fix build on uclibc
Fixes:
- http://autobuild.buildroot.org/results/
2ae2eca969e6d1febcacb8b0423ced3aad7505a2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine [Sat, 22 Feb 2020 09:50:34 +0000 (10:50 +0100)]
package/bash: add upstream patches
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Sat, 22 Feb 2020 16:01:01 +0000 (17:01 +0100)]
package/mesa3d: select gbm if no glx, no egl and no osmesa-classic
This issue has been trigged since [1]:
"package/mesa3d: add option to configure gbm support"
Before the patch, the gbm support was autodetected by meson and enabled
only when at least one dri driver was enabled [2].
On the Buildroot side, the gbm support was explicitely enabled only when
BR2_PACKAGE_MESA3D_OPENGL_EGL was set.
Now, the gbm support is explicitely disabled but the meson build system
check if at least one option OpenGL GLX or OpenGL EGL or GBM or
OSMesa (classic) library is enabled [3].
The previous behavious was to enable GBM when GLX, EGL and OSMesa are
disabled. So select GBM symbol for this case.
Fixes:
http://autobuild.buildroot.net/results/
a14f329560f8022f7ba8ec43ad8eed84e005d226
[1]
b6c051acf787c804e732bc58ba8d7e440701a168
[2] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/meson.build#L348
[3] https://gitlab.freedesktop.org/mesa/mesa/blob/19.3/meson.build#L449
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Tested-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Sat, 22 Feb 2020 18:10:40 +0000 (19:10 +0100)]
package/jpeg-turbo: force fPIC for shared libraries
When BR2_SSP_ALL is set, there is a link issue due to missing -fPIC in CFLAGS.
Set CMAKE_POSITION_INDEPENDENT_CODE=ON to add it.
This is a similar fix as for gtest package [1]
[1] https://git.buildroot.net/buildroot/commit/?id=
2026621f3c60167aa8ba48e658be1b214d1347d7
Fixes:
http://autobuild.buildroot.net/results/e1f/
e1f164cee16b037c0232fdda40fc16caf8f0c0af
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Murat Demirten <mdemirten@yh.com.tr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Gilles Talis [Sat, 22 Feb 2020 16:35:30 +0000 (17:35 +0100)]
DEVELOPERS: add Gilles Talis for libosip2 and libeXosip2
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Carlos Santos [Sat, 22 Feb 2020 14:47:06 +0000 (11:47 -0300)]
package/radvd: disable by default in systemd preset-all
We don't provide a configuration file, so disable radvd by default.
Update the help message with instructions on how to enable radvd at
build time with systemd.
Signed-off-by: Carlos Santos <unixmania@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Bernd Kuhls [Thu, 20 Feb 2020 22:33:39 +0000 (23:33 +0100)]
package/php: security bump version to 7.4.3
Changelog: https://www.php.net/ChangeLog-7.php#7.4.3
Fixes CVE-2020-7061, CVE-2020-7062 & CVE-2020-7063.
Removed patch applied upstream:
https://github.com/php/php-src/commit/
f0f5c415a6e0abc40514f97113deb52a343174ee
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Thu, 20 Feb 2020 22:10:26 +0000 (23:10 +0100)]
toolchain/external: fix SSP help texts for custom toolchains
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni [Thu, 20 Feb 2020 02:01:16 +0000 (03:01 +0100)]
Config.in: ensure BR2_SSP_STRONG can only be selected if supported
This commit ensures that BR2_SSP_STRONG cannot be chosen if the
toolchain doesn't support strong SSP.
Fixes:
http://autobuild.buildroot.net/results/
cba93a681d10692c4e4c5584e4c962bd18a608d4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni [Thu, 20 Feb 2020 02:01:15 +0000 (03:01 +0100)]
toolchain/toolchain-external/toolchain-external-custom: add option to indicate SSP_STRONG support
This commit adds a user-visible option
BR2_TOOLCHAIN_EXTERNAL_HAS_SSP_STRONG, which will allow the user to
indicate if the custom external toolchain does or does not have
SSP_STRONG support. Depending on this, the user will be able to use
(or not) the BR2_SSP_STRONG option.
Checking if what the user said is true or not about this is already
done in toolchain/toolchain-external/pkg-toolchain-external.mk:
$$(Q)$$(call check_toolchain_ssp,$$(TOOLCHAIN_EXTERNAL_CC),$(BR2_SSP_OPTION))
If the user selects BR2_SSP_STRONG, this will check if
-fstack-protector-strong is really supported.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni [Thu, 20 Feb 2020 02:01:14 +0000 (03:01 +0100)]
toolchain: add hidden BR2_TOOLCHAIN_HAS_SSP_STRONG boolean
This will allow toolchain to indicate if they support
-fstack-protector-strong or not.
Whenever the gcc version is >= 4.9, we always have SSP_STRONG support
if we have SSP support. However, some toolchains older than gcc 4.9
might have backported SSP_STRONG support, which is why we cannot rely
just on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9.
Having this "default" value allows to avoid adding a "select
BR2_TOOLCHAIN_HAS_SSP_STRONG" in the internal toolchain logic plus in
almost external toolchains. But it allows custom external toolchains
that are pre-4.9 to potentially declare that they support strong SSP.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Yann E. MORIN [Thu, 20 Feb 2020 21:54:53 +0000 (22:54 +0100)]
package/sdbusplus: fix indentation
Fix a check-package error introduce by
6bf74ce3db (package/sdbusplus:
create m4 directory before autoreconf):
package/sdbusplus/sdbusplus.mk:29: expected indent with tabs
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: John Faith <jfaith@impinj.com>
Cc: Michael Walle <michael@walle.cc>
Arnout Vandecappelle (Essensium/Mind) [Wed, 5 Feb 2020 15:08:42 +0000 (16:08 +0100)]
docs/website: add commercial support section
Add a section to the support page for commercial support.
Add Mind, Bootlin and Smile in that section.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Acked-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Titouan Christophe [Thu, 20 Feb 2020 18:27:23 +0000 (19:27 +0100)]
support/scripts/pkg-stats: iterate over CVEs in streaming
The NVD files that are used to build the list of CVEs affecting
Buildroot packages are quite large (a few hundreds MB of json),
and cause the pkg-stats scripts to have a huge memory footprint
(a few GB with Python 2.7).
However, because we only need to iterate on CVE items one by one,
we can process them in streaming (ie decoding one CVE at a time
from the JSON representation). Because the json module from the
python standard library does not support such a mode of operation,
we switch to the third-party package ijson, which is compatible
with both Python 2 and Python3.
To run the script with these modifications, one should install
the ijson python package. This can be done with pip:
`pip install ijson`. On Debian based distributions, this can
also be done with the apt package manager:
`apt install python-ijson`.
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Reviewed-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Tested-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:02:02 +0000 (17:02 +0100)]
package/ipsec-tools: annotate _IGNORE_CVES for the included security patches
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:02:01 +0000 (17:02 +0100)]
package/vorbis-tools: annotate _IGNORE_CVES for the included security patches
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:02:00 +0000 (17:02 +0100)]
package/libtomcrypt: annotate _IGNORE_CVES for the included security patches
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:01:59 +0000 (17:01 +0100)]
package/libsndfile: annotate _IGNORE_CVES for the included security patches
Also mark CVE-2018-13419 as disputed.
[Peter: add dispute link as suggested by Thomas]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Wed, 19 Feb 2020 16:01:58 +0000 (17:01 +0100)]
package/audiofile: annotate _IGNORE_CVES for the included security patches
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Michael Walle [Mon, 10 Feb 2020 19:11:30 +0000 (20:11 +0100)]
package/sdbusplus: create m4 directory before autoreconf
Commit
d255b67972b4b7f27572581fe0c8c8aa03d850c8 fixed the handling of
the a package local m4/ directory which might be missing. But this
only works if it is the very first argument. But for this package this
is not possible because we already occupy this with the extra include
directory for autoconf-archive. Bring back the hook to create the m4/
directory to fix this.
Fixes:
http://autobuild.buildroot.net/results/
dc907421a343b8523b14fc9a846e0caf7abe630c/
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Johan Oudinet [Mon, 10 Feb 2020 16:58:24 +0000 (17:58 +0100)]
package/erlang: patch the tarball
Remove the lib/ssl/src/deps directory before configuring the package.
Otherwise, during the compilation of the ssl app, it may fails by
looking for logger.hrl in the wrong location (bootstrap/lib/kernel
instead of lib/kernel).
Fixes:
http://autobuild.buildroot.net/results/
97606fcd11eaf0822b58a9532c5325601d43eaac/
Signed-off-by: Johan Oudinet <johan.oudinet@gmail.com>
Tested-by: Frank Vanbever <frank.vanbever@essensium.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Andreas Naumann [Mon, 17 Feb 2020 21:23:28 +0000 (22:23 +0100)]
package/qwt: add missing qt5svg dependency
Signed-off-by: Andreas Naumann <anaumann@ultratronik.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Tue, 18 Feb 2020 15:01:00 +0000 (16:01 +0100)]
Makefile: don't recreate staging symlink if it exists
Create the staging symlink the same way as the host symlink. This means
using a make dependency rather than recreating it every time.
In coreutils versions below 8.27, re-creation of symbolic links was not
atomic. This means that there is a period in time where the existing link is
removed, before the new one is created. In coreutils 8.27 this was fixed,
see [1]. Note that CentOS 7 ships with coreutils 8.22.
In the following scenario, this is a problem:
- an application is compiled using the sysroot prepared by Buildroot and
links against Xenomai userspace libraries, but its build process is steered
from outside of Buildroot
- to know the correct flags, the application makefile uses the 'xeno-config'
file to request them, and passes DESTDIR=/buildroot/output/staging
- the xeno-config responds with flags based on the path
'/buildroot/output/staging/...'
- while the application build is ongoing, a 'make' happens in Buildroot,
causing the 'staging' symlink to be recreated (even though it already
existed)
- when exactly at this time, the application calls the compiler with -I
flags pointing to output/staging, the build fails with:
-I/buildroot/output/staging/usr/include/xenomai/mercury: Error: ^ is not a directory
-I/buildroot/output/staging/usr/include/xenomai: Error: ^ is not a directory
-I/buildroot/output/staging/usr/include/xenomai/xenomai: Error: ^ is not a directory
-I/buildroot/output/staging/usr/include/xenomai/psos: Error: ^ is not a directory
Failed: ** ^ *
Work around this problem by only creating the staging symlink once, similar
to how the host symlink (if any) is created.
See also commit
d0f4f95e390bcb1c953efa125f5277a8a235396e which changed the
way these symlinks are made. The reasoning in this commit is to move away
from the 'dirs' target.
[1] https://github.com/coreutils/coreutils/commit/
376967889ed7ed561e46ff6d88a66779db62737a
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Tue, 18 Feb 2020 15:00:59 +0000 (16:00 +0100)]
Makefile: use HOST_DIR_SYMLINK instead of hardcoding
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas Petazzoni [Tue, 18 Feb 2020 23:36:46 +0000 (00:36 +0100)]
package/libxml2: properly set LIBXML2_IGNORE_CVES
The libxml2 package has two patches that fix the two CVEs affecting
libxml2 in version 2.9.10, so let's use LIBXML2_IGNORE_CVES to ensure
these CVEs are no longer reported by pkg-stats.
Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Tue, 18 Feb 2020 23:35:26 +0000 (00:35 +0100)]
support/scripts/pkg-stats: properly ignore CVEs in <pkg>_IGNORE_CVES
It seems like throughout the series that the CVE pkg-stats support
went through, the support for ignoring CVEs in the per-package
<pkg>_IGNORE_CVES variable was forgotten.
Let's re-introduce this, which is now very simple thanks to the CVE
class, its .identifier() propertly and the .is_cve_ignored() method of
the Package class
Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 16 Feb 2020 14:52:04 +0000 (15:52 +0100)]
package/libupnpp: remove unneeded static workaround
libupnpp uses pkg-config since version 0.15.1 and
https://opensourceprojects.eu/p/libupnpp/code/ci/
3dc44417e868b9b4417cbc15f8173e0a2e142b17
so remove unneeded static workaround
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Tue, 18 Feb 2020 22:31:02 +0000 (23:31 +0100)]
Update for 2020.02-rc1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Tue, 18 Feb 2020 22:04:09 +0000 (23:04 +0100)]
CHANGES: update with recent changes
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Tue, 18 Feb 2020 19:06:03 +0000 (20:06 +0100)]
package/libsigrok: explain why host-doxygen is needed
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 17 Feb 2020 23:55:22 +0000 (00:55 +0100)]
package/owfs: fixup Python sysconfigdata for per-package directories
This is needed so that building the owfs Python module uses the gcc
from owfs per-package directory, and not the one from the python
per-package directory.
Fixes:
http://autobuild.buildroot.net/results/
0d582dda367507991a4c38141db36b0fa8e47e67/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 17 Feb 2020 23:50:47 +0000 (00:50 +0100)]
package/pkg-python: fix for per-package directories
With per-package directory support, Python external modules are
causing a problem: the _sysconfigdata.py module installed by the
Python interpreter contains a number of paths that are relative to the
current package per-package directory, i.e python or python3. For
example:
'BLDSHARED': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-gcc -shared',
'CC': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-gcc',
'CXX': '/home/thomas/projets/buildroot/output/per-package/python/host/bin/arm-linux-g++',
etc.
These paths are problematic, because it means that the wrong compiler
gets used when building external Python modules: instead of using the
compiler from the external Python module per-package host directory,
it uses the one from the 'python' or 'python3' per-package host
directory. Due to this, any native dependency needed by the external
Python module is not found, even though it is properly present in the
current package per-package directory.
Of course, the problem occurs with both target Python modules and host
Python modules.
To fix this, we simply rewrite those paths in _sysconfigdata.py before
building a Python package.
Interestingly, until now, the _sysconfidata.py that was used during
the build was the one from $(TARGET_DIR), which is a bit unusual: it
is more common to use files from $(STAGING_DIR) during the build
process. So this commit changes the PYTHON_PATH and PYTHON3_PATH
variables so that they point to $(STAGING_DIR), which makes the
_sysconfigdata.py fixup in $(STAGING_DIR) effective.
Fixes:
http://autobuild.buildroot.net/results/
a24b0555fd4261b50dc3986635c30717d9cbe764/ (python-psycopg2)
http://autobuild.buildroot.net/results/
080fa893e1b0e7a8c8a31ac1c98eb8871b97264d/ (python-alsaaudio)
http://autobuild.buildroot.net/results/
79bc070f98d6d9d8ef78df12b248cdc7d0e405c3/ (python-lxml)
and many more Python packages that use native code with a native library
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 17 Feb 2020 23:46:39 +0000 (00:46 +0100)]
package/apache: fix build with per-package directory support
When APR_INCLUDEDIR and APU_INCLUDEDIR point to the same directory,
Apache builds properly. However, with per-package directory support,
they point to different directories, and APU_INCLUDEDIR contains both
the APR headers and the APU headers.
Due to this, the Apache Makefile logic to generate its exports.c file
leads to duplicate definitions, because the APR headers are considered
twice: once from APR_INCLUDEDIR, once from APU_INCLUDEDIR.
We fix this by introducing a patch to the Apache build system.
In addition, apr provides a special libtool script that gets used by
apr-util and apache. apr-util already had a fixup for this, but apache
did not, which was causing the gcc from apr-util per-package
directories be used during the apache build, causing build failures.
To fix this, we adjust this libtool script to point to the correct
tools in apache's per-package directories.
There are no autobuilder failures for this, because Apache needs
apr-util, and apr-util currently fails to build when
BR2_PER_PACKAGE_DIRECTORIES=y.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Mon, 17 Feb 2020 23:46:38 +0000 (00:46 +0100)]
package/apr-util: fix build with per-package directories
With per-package directories support enabled, the build of apr-util
fails, for two reasons:
- The rules.mk file is generated by the 'apr' package, and then
copied into the 'apr-util' source directory. This is done by the
'apr-util' build process. Unfortunately, this rules.mk file has a
number of hardcoded paths: to the compiler and to the libtool
script.
Due to this, the compiler from the 'apr' per-package directory gets
used. But this compiler uses the 'apr' package sysroot, which does
not have all the dependencies of the 'apr-util' package, causing
the build to fail because <expat.h> is not found.
- Similarly, the libtool script itself has some hardcoded paths,
which make it use the compiler/linker from the 'apr' per-package
directory, so it does not find the expat library.
We fix both issues by doing the necessary replacement in both rules.mk
and libtool.
Fixes:
http://autobuild.buildroot.net/results/
2a67b5d58f79348e20a972125e4797eff5585716/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
James Hilliard [Tue, 18 Feb 2020 08:43:39 +0000 (01:43 -0700)]
package/cog: add patch fixing cog segfault
Fixes:
Thread 1 "cog" received signal SIGSEGV, Segmentation fault.
xkb_state_update_mask (state=0x0, base_mods=0, latched_mods=0, locked_mods=0, base_group=base_group@entry=0, latched_group=latched_group@entry=0, locked_group=0) at ../src/state.c:814
814 prev_components = state->components;
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Tue, 18 Feb 2020 09:31:34 +0000 (10:31 +0100)]
package/libxml2: add upstream security fix for CVE-2019-20388
Fixes CVE-2019-20388: xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10
allows an xmlSchemaValidateStream memory leak.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Sun, 16 Feb 2020 18:06:13 +0000 (19:06 +0100)]
package/pulseview: depends on host gcc >= 4.9
Commit
88bb278d5ac790bee0c3a438464da82ee7625cff forgot to propagate the
new host gcc >= 4.9 dependency from BR2_PACKAGE_LIBSIGROKCXX
Fixes:
- http://autobuild.buildroot.org/results/
5dc9dc95d0534b35e2443c120162b5176edafe0b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Korsgaard [Mon, 17 Feb 2020 22:38:49 +0000 (23:38 +0100)]
package/nodejs: security bump to version 12.16.0
Fixes the following security issues (12.15.0):
- CVE-2019-15606: HTTP header values do not have trailing OWS trimmed
- CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding
header
- CVE-2019-15604: Remotely trigger an assertion on a TLS server with a
malformed certificate string
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
On top of this, 12.16.0 brings a number of changes and bugfixes.
Update the license hash for an addition of the (MIT) licensing terms for the
uvwsai module:
+
+- uvwasi, located at deps/uvwasi, is licensed as follows:
+ """
+ MIT License
+
+ Copyright (c) 2019 Colin Ihrig and Contributors
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+ """
While we are at it, adjust the white space in the .hash function to match
the new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Mon, 17 Feb 2020 21:46:01 +0000 (22:46 +0100)]
package/qpdf: fix build with gcc 4.8
Fixes:
- http://autobuild.buildroot.org/results/
ad7fb68ae87850a85509eed80fd0cae8721b10c5
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fabrice Fontaine [Mon, 17 Feb 2020 22:52:02 +0000 (23:52 +0100)]
package/gutenprint: add back the hook for creating the m4local directory
Commit
64c42c5e2c26261e26c3548c86b02f55d12f341b removed the hook for
creating the m4local directory with the assumption that it would be
created because the first include is treated in a special way if it
doesn't exists
However, this assumption was wrong as m4local is the second include, the
first one is m4 (which already exists in the archive). So put back the
hook. The other solutions would be to patch:
- Makefile.{am,in} to remove m4local
- configure.ac and Makefile.{am,in} to add m4local before m4
However, both solutions don't seem to be upstreamable
Fixes:
- http://autobuild.buildroot.org/results/
e40313c6ec193d6156e26eff62303545fba09413
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Thomas De Schampheleire [Fri, 14 Feb 2020 19:57:33 +0000 (20:57 +0100)]
core: fix packages-file-list.txt after an incremental build
The package instrumentation step 'step_pkg_size' is populating the files:
output/build/packages-file-list.txt
output/build/packages-file-list-staging.txt
output/build/packages-file-list-host.txt
by comparing the list of files before and after installation of a package,
with some clever tricks to detect changes to existing files etc.
As an optimization, instead of gathering this list before and after each
package, where the 'after-state' of one package is the same as the
'before-state' of the next package, only the 'after-state' is used and
is shared between packages.
This works fine, except at the end of the build, as explained next.
In the target-finalize step, many files will be touched. For example, files
like /etc/hosts, /etc/os-release, but also all object files that are
stripped, and all files touched by post-build scripts or created by rootfs
overlays. This means that the 'after-state' of the last package does not
reflect the actual situation after target-finalize is run.
For a single complete build this poses no problem. But, if one incrementally
rebuilds a package after the initial build, e.g. with 'make foo-rebuild',
then all changes that happened in target-finalize at the end of the initial
build (the 'after-state' of the last package built) will be detected as
changes caused by the rebuild of package foo. As a result, all these files
will incorrectly be treated as 'owned' by package foo.
Correct this situation by capturing a new state at the end of
target-finalize, so that the 'before-state' of an incremental build will be
correct.
Note: the reasoning above talks about packages-file-list.txt and
target-finalize, but also applies to
packages-file-list-staging.txt/staging-finalize and
packages-file-list-host.txt/host-finalize.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yegor Yefremov [Thu, 13 Feb 2020 10:09:05 +0000 (11:09 +0100)]
support/run-tests: reorder imports
Reorder imports using the isort utility to fix a warning from pylint3:
wrong-import-order: standard import "import multiprocessing" should be
placed before "import nose2"
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yann E. MORIN [Mon, 17 Feb 2020 08:37:59 +0000 (09:37 +0100)]
package.nfs-utils: drop extra empty line
Commit
12c0f68caf (package/nfs-utils: bump version to 2.4.3) added an
extra empty line, causing check-package to whine:
package/nfs-utils/nfs-utils.mk:27: consecutive empty lines
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Romain Naour [Sun, 9 Feb 2020 18:03:22 +0000 (19:03 +0100)]
configs/qemu{x86, x86_64}: add a serial console
The current Buildroot defconfigs for qemu_x86 and qemu_x86_64
instantiate a console on tty1, which appears on QEMU's
graphical window. Add a console on the serial port (ttyS0) to
be used later for gitlab testing.
This change is need since the script used for gitlab testing
needs to use a serial output with pexpect.
This change is similar to the one made for raspberrypi [1] to
handle HDMI and serial console:
This requires three changes:
1. have two 'console=' entries in the kernel command line: tty1,
then ttyS0;
2. change BR2_TARGET_GENERIC_GETTY_PORT to "console", so it starts
a getty on the last console= passed to the kernel, ttyS0;
3. add a new getty on tty1 to the generated inittab.
Step 2 is actually obtained by removing BR2_TARGET_GENERIC_GETTY_PORT
entirely from the defconfigs, since "console" is the default value.
Step 3 requires a post-build script since the Buildroot makefiles can
configure only one console.
Note: instead of simply adding a new getty on ttyS0 (which would
work) this patch actually changes BR2_TARGET_GENERIC_GETTY_PORT to
instantiate a console on UART, then adds back tty1 via
post-build.sh. This is done only to avoid the "GENERIC_SERIAL" comment
where we instantiate a console on QEMU graphical window, then
instantiate a really-serial console on another line.
The result is these two inittab lines:
console::respawn:/sbin/getty -L console 0 vt100 # GENERIC_SERIAL
tty1::respawn:/sbin/getty -L tty1 0 vt100 # QEMU graphical window
[1]
20878a1017e2bf7eb8c5f870dc6d2641493cb0f9
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Sun, 9 Feb 2020 18:03:20 +0000 (19:03 +0100)]
configs/qemu_pcc_mac99: build host-qemu for runtime testing
The commit [1] added host-qemu package for each qemu defconfig
for gitlab runtime testing.
[1]
29e1cb88844614c40846540e22cf83aa9e52674f
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Joel Stanley <joel@jms.id.au>
Acked-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Sun, 9 Feb 2020 18:03:19 +0000 (19:03 +0100)]
configs/qemu_ppc_mac99_defconfig: add usual comments for Kconfig symbols
This defconfig was generated by savedefconfig but we usually
use a manually modified defconfig to add some comments for
Kconfig symbols.
No content change intended.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Joel Stanley <joel@jms.id.au>
Acked-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Mon, 3 Feb 2020 10:29:27 +0000 (02:29 -0800)]
package/janus-gateway: bump version to 0.8.1
Other changes:
- Update License hash which properly adds the OpenSSL exception.
Tested with Debian 8:
br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
br-arm-cortex-m4-full [3/6]: SKIPPED
br-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: SKIPPED
sourcery-arm [6/6]: OK
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Adam Duskett [Sat, 8 Feb 2020 21:15:10 +0000 (13:15 -0800)]
package/qemu: Bump to version 4.2.0
Other changes:
- Remove upstream patches
- Update COPYING.LIB hash as upstream updated the file to match the new LGPL
2.1 license from upstream. See:
https://github.com/qemu/qemu/commit/
f0d44cc4462f112bce5ec556e87eff4eec682e39
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Tested-by: Romain Naour <romain.naour@gmail.com>
[Peter: change libssh2 to libssh as pointed out by Vincent Fazio]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Giulio Benetti [Mon, 10 Feb 2020 12:03:53 +0000 (13:03 +0100)]
package/nfs-utils: bump version to 2.4.3
Bump to version 2.4.3 of nfs-utils. All patches have been upstreamed, so
drop them all. It now needs rpcgen built by host-nfs-utils, to do this
let's pass its path to --with-rpcgen= instead of 'internal'.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
Tested-by: Petr Vorel <petr.vorel@gmail.com>
[Peter: drop AUTORECONF, explicitly depend on host-nfs-utils]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Giulio Benetti [Sun, 9 Feb 2020 20:44:56 +0000 (21:44 +0100)]
package/minicom: bump version
For a minor fix.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sun, 9 Feb 2020 21:28:25 +0000 (22:28 +0100)]
package/glslsandbox-player: remove 'v' prefix
Fixes version parsing for release-monitoring.org support
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Yegor Yefremov [Thu, 13 Feb 2020 10:09:06 +0000 (11:09 +0100)]
support/run-tests: check for empty sequences in a pythonic way
According to PEP8 empty sequences should be checked as booleans.
Fixes the following PEP8 warning:
Do not use `len(SEQUENCE)` to determine if a sequence is empty
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 15 Feb 2020 18:37:13 +0000 (19:37 +0100)]
{linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.4.x series
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 15 Feb 2020 18:20:20 +0000 (19:20 +0100)]
linux: use correct conditional for wireguard kernel config fixup
Commit
de591c5c3a93 (package/wireguard-linux-compat: new package) split up
the wireguard package in wireguard-tools and wireguard-linux-compat, but
forgot to update the conditional in linux.mk, so the kernel config fixups
needed for wireguard are no longer applied.
Update the conditional to use the BR2_PACKAGE_WIREGUARD_LINUX_COMPAT symbol
instead.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 15 Feb 2020 18:20:19 +0000 (19:20 +0100)]
package/wireguard-linux-compat: bump version to 0.0.
20200215
Fixes a regression introduced in 0.0.
20200214. For details, see the
announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-February/005014.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Sat, 15 Feb 2020 11:27:34 +0000 (12:27 +0100)]
package/libgpg-error: bump to version 1.37
- Remove patch (already in version)
- Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
James Hilliard [Thu, 13 Feb 2020 06:12:35 +0000 (23:12 -0700)]
package/python-cython: bump to version 0.29.15
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
James Hilliard [Thu, 13 Feb 2020 05:56:08 +0000 (22:56 -0700)]
package/python-simplejson: bump to version 3.17.0
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
James Hilliard [Thu, 13 Feb 2020 05:51:31 +0000 (22:51 -0700)]
package/python-pyyaml: bump to version 5.3
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
James Hilliard [Thu, 13 Feb 2020 05:46:12 +0000 (22:46 -0700)]
package/python-pyopenssl: bump to version 19.1.0
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Wed, 12 Feb 2020 18:06:53 +0000 (19:06 +0100)]
package/gensio: bump to version 1.5.1
- Update indentation of hash file (2 spaces)
- This will fix a build failure without threads thanks to
https://github.com/cminyard/gensio/commit/
8918de5b30f90b826c48064e9ee92304b63ffe85
and associated upstream patch
Fixes:
- http://autobuild.buildroot.org/results/
e94d0e0b46afc1223a74bcc471909f4adef0d6f3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Wed, 12 Feb 2020 19:49:16 +0000 (20:49 +0100)]
package/libtorrent-rasterbar: bump to version 1.2.4
Update indentation of hash file (two spaces)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
James Hilliard [Thu, 13 Feb 2020 03:16:18 +0000 (20:16 -0700)]
package/python-six: bump to version 1.14.0
License hash change is due to date update.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
James Hilliard [Thu, 13 Feb 2020 03:04:52 +0000 (20:04 -0700)]
package/python-cryptography: bump to version 2.8
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 15 Feb 2020 15:09:28 +0000 (16:09 +0100)]
package/wpewebkit: security bump to version 2.26.4
Fixes the following security issues:
- CVE-2020-3862: Impact: A malicious website may be able to cause a denial
of service. Description: A denial of service issue was addressed with
improved memory handling.
- CVE-2020-3864: Impact: A DOM object context may not have had a unique
security origin. Description: A logic issue was addressed with improved
validation.
- CVE-2020-3865: Impact: A top-level DOM object context may have incorrectly
been considered secure. Description: A logic issue was addressed with
improved validation.
- CVE-2020-3867: Impact: Processing maliciously crafted web content may lead
to universal cross site scripting. Description: A logic issue was
addressed with improved state management.
- CVE-2020-3868: Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.
For more details, see the advisory:
https://wpewebkit.org/security/WSA-2020-0002.html
While we are at it, adjust the white space in the .hash function to match
the new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 15 Feb 2020 15:09:27 +0000 (16:09 +0100)]
package/wpewebkit: needs >= GCC 7
CMakeLists.txt contains a toolchain check:
if (${CMAKE_CXX_COMPILER_ID} STREQUAL "GNU")
if (${CMAKE_CXX_COMPILER_VERSION} VERSION_LESS "7.3.0")
message(FATAL_ERROR "GCC 7.3 or newer is required to build WebKit. Use a newer GCC version or Clang.")
endif ()
endif ()
So bump the toolchain dependency to >= GCC 7. The check is really about >=
7.3.0, but we do not have such detailed version checks. Given that GCC
7.3.0 was released in January 2018 (and 7.1.0 in May 2017), most external
GCC 7.x toolchains probably use >= 7.3.0.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 15 Feb 2020 15:09:26 +0000 (16:09 +0100)]
package/webkitgtk: security bump to version 2.26.4
Fixes the following security issues:
- CVE-2020-3862: Impact: A malicious website may be able to cause a denial
of service. Description: A denial of service issue was addressed with
improved memory handling.
- CVE-2020-3864: Impact: A DOM object context may not have had a unique
security origin. Description: A logic issue was addressed with improved
validation.
- CVE-2020-3865: Impact: A top-level DOM object context may have incorrectly
been considered secure. Description: A logic issue was addressed with
improved validation.
- CVE-2020-3867: Impact: Processing maliciously crafted web content may lead
to universal cross site scripting. Description: A logic issue was
addressed with improved state management.
- CVE-2020-3868: Impact: Processing maliciously crafted web content may lead
to arbitrary code execution. Description: Multiple memory corruption
issues were addressed with improved memory handling.
For more details, see the advisory:
https://webkitgtk.org/security/WSA-2020-0002.html
While we are at it, adjust the white space in the .hash function to match
the new agreements.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Sat, 15 Feb 2020 15:09:25 +0000 (16:09 +0100)]
package/webkitgtk: needs >= GCC 7
CMakeLists.txt contains a toolchain check:
if (${CMAKE_CXX_COMPILER_ID} STREQUAL "GNU")
if (${CMAKE_CXX_COMPILER_VERSION} VERSION_LESS "7.3.0")
message(FATAL_ERROR "GCC 7.3 or newer is required to build WebKit. Use a newer GCC version or Clang.")
endif ()
endif ()
So bump the toolchain dependency to >= GCC 7. The check is really about >=
7.3.0, but we do not have such detailed version checks. Given that GCC
7.3.0 was released in January 2018 (and 7.1.0 in May 2017), most external
GCC 7.x toolchains probably use >= 7.3.0.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Baruch Siach [Mon, 10 Feb 2020 12:06:59 +0000 (14:06 +0200)]
package/libcurl: rename curl binary config symbol
Package optional or choice config symbols are usually prefixed with the
package config symbol name. Rename BR2_PACKAGE_CURL to
BR2_PACKAGE_LIBCURL_CURL to conform.
Update references to the old name.
Cc: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gary Bisson [Tue, 11 Feb 2020 15:04:45 +0000 (16:04 +0100)]
package/mfgtools: fix build issue related to __time64_t
The tool fails to build on recent distros due to conflicting declaration
of __time64_t. Adding a check around the declaration to avoid
redefinition.
Patch not submitted upstream as the tool is not supported by NXP
anymore[1].
Fixes:
http://autobuild.buildroot.net/results/
ca4498ad21a96ba2a38ca2467dadffdbb516355b/
[1] https://github.com/NXPmicro/mfgtools/pull/104
Signed-off-by: Gary Bisson <bisson.gary@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Sat, 15 Feb 2020 12:44:17 +0000 (13:44 +0100)]
docs/manual: describe the new <pkg>_IGNORE_CVES variable
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni [Sat, 15 Feb 2020 12:44:16 +0000 (13:44 +0100)]
support/scripts/pkg-stats: add support for CVE reporting
This commit extends the pkg-stats script to grab information about the
CVEs affecting the Buildroot packages.
To do so, it downloads the NVD database from
https://nvd.nist.gov/vuln/data-feeds in JSON format, and processes the
JSON file to determine which of our packages is affected by which
CVE. The information is then displayed in both the HTML output and the
JSON output of pkg-stats.
To use this feature, you have to pass the new --nvd-path option,
pointing to a writable directory where pkg-stats will store the NVD
database. If the local database is less than 24 hours old, it will not
re-download it. If it is more than 24 hours old, it will re-download
only the files that have really been updated by upstream NVD.
Packages can use the newly introduced <pkg>_IGNORE_CVES variable to
tell pkg-stats that some CVEs should be ignored: it can be because a
patch we have is fixing the CVE, or because the CVE doesn't apply in
our case.
>From an implementation point of view:
- A new class CVE implement most of the required functionalities:
- Downloading the yearly NVD files
- Reading and extracting relevant data from these files
- Matching Packages against a CVE
- The statistics are extended with the total number of CVEs, and the
total number of packages that have at least one CVE pending.
- The HTML output is extended with these new details. There are no
changes to the code generating the JSON output because the existing
code is smart enough to automatically expose the new information.
This development is a collective effort with Titouan Christophe
<titouan.christophe@railnova.eu> and Thomas De Schampheleire
<thomas.de_schampheleire@nokia.com>.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bernd Kuhls [Fri, 14 Feb 2020 17:21:16 +0000 (18:21 +0100)]
package/{mesa3d, mesa3d-headers}: bump version to 19.3.4
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 14 Feb 2020 16:44:10 +0000 (17:44 +0100)]
package/rocksdb: add gflags optional dependency
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Fri, 14 Feb 2020 16:38:51 +0000 (17:38 +0100)]
package/mono: fix build with powerpc
Fixes:
- http://autobuild.buildroot.org/results/
fff0dd08f71facbe367d982d19158ee084ae8047
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 14 Feb 2020 16:16:21 +0000 (17:16 +0100)]
package/wireguard-linux-compat: bump version to 0.0.
20200214
Includes misc fixes. For details, see the announcement:
https://lists.zx2c4.com/pipermail/wireguard/2020-February/005013.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 14 Feb 2020 08:39:10 +0000 (09:39 +0100)]
package/postgresql: security bump to version 12.2
Fixes the following security issues:
- CVE-2020-1720: ALTER ... DEPENDS ON EXTENSION is missing authorization checks
https://www.postgresql.org/about/news/2011/
Update the license hash for a change in copyright years:
-Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
+Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Fri, 14 Feb 2020 07:27:01 +0000 (08:27 +0100)]
package/screen: bump version to 4.8.0
Fixes a memory corruption issue in OSC 49 handling. Notice that this is
only enabled if screen is built with --enable-rxvt_osc, which isn't the case
in Buildroot. From the release notes:
As last fix, fixes potential memory overwrite of quite big size (~768
bytes), and even though I'm not sure about potential exploitability of
that issue, I highly recommend everyone to upgrade as soon as possible.
This issue is present at least since v.4.2.0 (haven't checked earlier).
https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html
Upstream changed the gnu.org URLs to use HTTPS, so adjust
0005-rename-sched_h.patch to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Thu, 13 Feb 2020 22:29:13 +0000 (23:29 +0100)]
DEVELOPERS: add Romain Naour for toolchain topic
The first time I worked on the Buildroot's toolchain infra
was to add support for the Sourcery Codebench Standard
(licenced) edition toolchain (from Mentor Graphics) for
x86 target [1]. The series was rejected though.
But the knowledge gained from this work served to refactor
the toolchain-external infra in Buildroot [2].
Nowadays, I'm using toolchains-builder project to do
some toolchain build testing to keep GNU tools up to date
in Buildroot.
[1] http://lists.busybox.net/pipermail/buildroot/2014-November/112036.html
[2] http://lists.busybox.net/pipermail/buildroot/2016-October/175433.html
[3] https://gitlab.com/kubu93/toolchains-builder/
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Thu, 13 Feb 2020 21:54:54 +0000 (22:54 +0100)]
DEVELOPERS: add Romain Naour for Qemu defconfigs
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Thu, 13 Feb 2020 21:47:38 +0000 (22:47 +0100)]
DEVELOPERS: add Romain Naour for test_glxinfo test
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Romain Naour [Thu, 13 Feb 2020 21:40:45 +0000 (22:40 +0100)]
support/testing/glxinfo: explicitely enable GLX
Since [1], the GLX support is enabled by BR2_PACKAGE_MESA3D_OPENGL_GLX
symbol.
Since [2], only one swrast provider can be built.
Keep BR2_PACKAGE_MESA3D_DRI_DRIVER_SWRAST.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/
400391349
[1]
5cb821d5635626b7327d5d704555c412e5ed5a1f
[2]
09a0a285076f544de335efc74c8904e464576575
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gilles Talis [Thu, 13 Feb 2020 20:52:58 +0000 (21:52 +0100)]
package/ncdu: bump to version 1.14.2
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gilles Talis [Thu, 13 Feb 2020 20:52:57 +0000 (21:52 +0100)]
package/libmicrohttpd: bump to version 0.9.70
Bugfix release. For details, see the release notes:
https://lists.gnu.org/archive/html/libmicrohttpd/2020-02/msg00006.html
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Gilles Talis [Thu, 13 Feb 2020 20:52:56 +0000 (21:52 +0100)]
package/libhttpparser: bump to version 2.9.3
Also dropped patch that was pushed upstream
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 13 Feb 2020 20:35:27 +0000 (21:35 +0100)]
package/go: bump version to 1.13.8
Includes fixes to the runtime, the crypto/x509, and net/http
packages.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard [Thu, 13 Feb 2020 20:19:32 +0000 (21:19 +0100)]
package/dovecot: security bump to version 2.3.9.3
Fixes the following security issues:
- CVE-2020-7046: Truncated UTF-8 can be used to DoS submission-login and
lmtp processes
lib-smtp doesn't handle truncated command parameters properly, resulting
in infinite loop taking 100% CPU for the process. This happens for LMTP
(where it doesn't matter so much) and also for submission-login where
unauthenticated users can trigger it.
- CVE-2020-7957: Specially crafted mail can crash snippet generation
Snippet generation crashes if:
- message is large enough that message-parser returns multiple body
blocks
- The first block(s) don't contain the full snippet (e.g. full of
whitespace)
- input ends with '>'
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fabrice Fontaine [Thu, 13 Feb 2020 22:36:44 +0000 (23:36 +0100)]
package/parted: disable on uclibc
Like postgreSQL (and imagemagick), parted does not build against uClibc
with locales enabled, due to an uClibc bug, see
http://lists.uclibc.org/pipermail/uclibc/2014-April/048326.html:
In file included from atari.c:42:
atari.c: In function 'atr_part_correct':
atari.c:221:9: error: dereferencing pointer to incomplete type 'struct __uclibc_locale_struct'
return isalnum_l(part->id[0], atr_c_locale)
^~~~~~~~~
So disable parted on uclibc
Fixes:
- http://autobuild.buildroot.org/results/
992518d340a9f32a0721d6e66936850c4c3ef2e4
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>