authorGravatar Thomas Petazzoni <thomas.petazzoni@bootlin.com>2019-02-13 22:47:01 +0100
committerGravatar Thomas Petazzoni <thomas.petazzoni@bootlin.com>2019-02-13 22:47:01 +0100
commitc79fd35241d3accf614bb791439db04e101db3ce (patch)
tree62464daf53f728bddc3a55585ceadfdf292f0c67
parent6ff3da375bf951ed458b502058cb8beb5b9b994e (diff)
parent23a288533340c9dd6d5b337ec9c27e96decaf252 (diff)
downloadbuildroot-c79fd35241d3accf614bb791439db04e101db3ce.tar.gz
buildroot-c79fd35241d3accf614bb791439db04e101db3ce.tar.bz2
Merge tag '2019.02-rc1' into next
Release 2019.02-rc1
-rw-r--r--CHANGES150
-rw-r--r--Config.in.legacy6
-rw-r--r--DEVELOPERS1
-rw-r--r--Makefile4
-rwxr-xr-xboard/pc/post-build.sh2
-rw-r--r--board/qemu/arm-versatile/patches/linux/versatile-nommu.patch73
-rw-r--r--board/qemu/xtensa-lx60/linux-nommu.config1
-rw-r--r--configs/qemu_aarch64_virt_defconfig6
-rw-r--r--configs/qemu_arm_versatile_defconfig6
-rw-r--r--configs/qemu_arm_versatile_nommu_defconfig6
-rw-r--r--configs/qemu_arm_vexpress_defconfig6
-rw-r--r--configs/qemu_m68k_mcf5208_defconfig6
-rw-r--r--configs/qemu_m68k_q800_defconfig6
-rw-r--r--configs/qemu_microblazebe_mmu_defconfig6
-rw-r--r--configs/qemu_microblazeel_mmu_defconfig6
-rw-r--r--configs/qemu_mips32r2_malta_defconfig6
-rw-r--r--configs/qemu_mips32r2el_malta_defconfig6
-rw-r--r--configs/qemu_mips32r6_malta_defconfig6
-rw-r--r--configs/qemu_mips32r6el_malta_defconfig6
-rw-r--r--configs/qemu_mips64_malta_defconfig6
-rw-r--r--configs/qemu_mips64el_malta_defconfig6
-rw-r--r--configs/qemu_mips64r6_malta_defconfig6
-rw-r--r--configs/qemu_mips64r6el_malta_defconfig6
-rw-r--r--configs/qemu_nios2_10m50_defconfig6
-rw-r--r--configs/qemu_or1k_defconfig6
-rw-r--r--configs/qemu_ppc64_e5500_defconfig4
-rw-r--r--configs/qemu_ppc64_pseries_defconfig6
-rw-r--r--configs/qemu_ppc64le_pseries_defconfig6
-rw-r--r--configs/qemu_ppc_g3beige_defconfig6
-rw-r--r--configs/qemu_ppc_mpc8544ds_defconfig6
-rw-r--r--configs/qemu_ppc_virtex_ml507_defconfig6
-rw-r--r--configs/qemu_sh4_r2d_defconfig6
-rw-r--r--configs/qemu_sh4eb_r2d_defconfig6
-rw-r--r--configs/qemu_sparc64_sun4u_defconfig6
-rw-r--r--configs/qemu_sparc_ss10_defconfig6
-rw-r--r--configs/qemu_x86_64_defconfig6
-rw-r--r--configs/qemu_x86_defconfig6
-rw-r--r--configs/qemu_xtensa_lx60_defconfig6
-rw-r--r--configs/qemu_xtensa_lx60_nommu_defconfig6
-rw-r--r--docs/website/download.html22
-rw-r--r--docs/website/news.html23
-rw-r--r--package/Config.in1
-rw-r--r--package/brcm-patchram-plus/0001-src-main.c-fix-build-on-SPARC.patch64
-rw-r--r--package/brcm-patchram-plus/brcm-patchram-plus.hash4
-rw-r--r--package/brcm-patchram-plus/brcm-patchram-plus.mk4
-rw-r--r--package/docker-cli/docker-cli.hash2
-rw-r--r--package/docker-cli/docker-cli.mk2
-rw-r--r--package/docker-containerd/Config.in5
-rw-r--r--package/docker-containerd/docker-containerd.hash2
-rw-r--r--package/docker-containerd/docker-containerd.mk2
-rw-r--r--package/docker-engine/0001-Fix-faulty-runc-version-commit-scrape.patch45
-rw-r--r--package/docker-engine/Config.in5
-rw-r--r--package/docker-engine/docker-engine.hash2
-rw-r--r--package/docker-engine/docker-engine.mk2
-rw-r--r--package/ghostscript/0002-Sanitize-op-stack-for-error-conditions.patch176
-rw-r--r--package/ghostscript/0003-Any-transient-procedures-that-call-.force-operators.patch441
-rw-r--r--package/ghostscript/0004-Bug700317-Fix-logic-for-an-older-change.patch31
-rw-r--r--package/ghostscript/0005-Harden-some-uses-of-.force-operators.patch135
-rw-r--r--package/ghostscript/0006-Undefine-a-bunch-of-gs_fonts.ps-specific-procs.patch587
-rw-r--r--package/ghostscript/0007-Remove-.forcedef-and-harden-.force-ops-more.patch345
-rw-r--r--package/googlefontdirectory/googlefontdirectory.mk9
-rw-r--r--package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch51
-rw-r--r--package/jpeg-turbo/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch39
-rw-r--r--package/libarchive/0005-iso9660-Fail-when-expected-Rockridge-extensions-is-m.patch62
-rw-r--r--package/libarchive/0006-7zip-fix-crash-when-parsing-certain-archives.patch62
-rw-r--r--package/libupnp18/0001-configure.ac-fix-build-with-openssl.patch51
-rw-r--r--package/libupnp18/libupnp18.mk3
-rw-r--r--package/libva-utils/0002-Fix-build-failure-when-x11-support-is-disabled.patch33
-rw-r--r--package/libva-utils/libva-utils.mk1
-rw-r--r--package/libyaml/libyaml.mk1
-rw-r--r--package/mongodb/0001-ssl_manager.cpp-fix-build-with-gcc-7-and-fpermissive.patch55
-rw-r--r--package/mongodb/Config.in40
-rw-r--r--package/mongodb/mongodb.hash4
-rw-r--r--package/mongodb/mongodb.mk92
-rw-r--r--package/openssh/0002-upstream-Sanitize-scp-filenames-via-snmprintf.-To-do.patch275
-rw-r--r--package/openssh/0003-upstream-check-in-scp-client-that-filenames-sent-dur.patch186
-rw-r--r--package/opentracing-cpp/Config.in6
-rw-r--r--package/python-pyyaml/python-pyyaml.mk2
-rw-r--r--package/python-typing/python-typing.mk1
-rw-r--r--package/runc/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch338
-rw-r--r--package/runc/Config.in5
-rw-r--r--package/sg3_utils/0002-src-Makefile.am-add-missing-RT_LIB-for-sg_turs.patch29
-rw-r--r--package/sg3_utils/sg3_utils.mk2
-rw-r--r--package/sqlcipher/0001-Support-OpenSSL-1.1.0-and-prior.patch97
-rw-r--r--package/sqlcipher/0002-Guard-OpenSSL-init-and-cleanup-routines-on-versions-.patch42
-rw-r--r--package/sqlcipher/0003-correct-compliation-under-openssl-1.1.x.patch48
-rw-r--r--package/sqlcipher/Config.in1
-rw-r--r--package/systemd/systemd.mk16
-rw-r--r--support/testing/tests/package/test_docker_compose.py13
-rwxr-xr-xutils/scanpypi18
90 files changed, 3672 insertions, 237 deletions
diff --git a/CHANGES b/CHANGES
index 188b88dfd8..215f8e323d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,153 @@
+2019.02-rc1, released February 13th, 2019
+
+ Fixes all over the tree and new features.
+
+
+ Dependencies:
+
+ Require Python >= 2.7 as it is needed for E.G. building
+ libglib2.
+
+ Ensure GNU gzip is used for reproducible tarballs (instead of
+ pigz)
+
+
+ Infrastucture:
+
+ Ensure the PLATFORM and OS environment variables are not set,
+ as they cause build issues for some packages.
+
+ The package list infrastructure now correctly handles packages
+ installing files with old mtime.
+
+ Add a config option to force all optional host utilities to be
+ built, even if suitable versions are available on the build
+ machine.
+
+ graph-build-time: Also show time spent downloading
+
+ Download: fixes for SSH/SCP support
+
+ Ensure user provided permissions override permissions from
+ packages.
+
+ SDK: Fix handling of relative symlinks (targets starting with
+ '.' or '..')
+
+ BR2_SYSTEM_DEFAULT_PATH setting to customize the default path
+ for processes.
+
+ The custom skeleton logic will now populate the needed /bin,
+ /lib, /sbin directories/symlinks if not present. Merged /usr
+ can now be used with a custom skeleton.
+
+ Rootfs overlays can now override symbolic links from
+ packages. This was disabled to ensure the correct symbolic
+ links are present when merged /usr is used. Instead validate
+ that the rootfs overlays do not include invalid /bin, /sbin
+ and /lib entries.
+
+ The waf infrastructure now support the <pkg>_SUBDIR variable,
+ similar to the other package types.
+
+ cmake: Also set CMAKE_SYSTEM_VERSION in toolchainfile.cmake
+
+ Various improvements to the meson infrastructure.
+
+ Luarocks: A Buildroot addon has been added to automate
+ creating a Buildroot package from luarocks, similar to
+ scancpan and scanpypi.
+
+ scanpypi: protect against zip-slip vulnerability in zip/tar
+ handling
+
+ check-package: fix Python 3 support
+
+ get-developers: Fix behaviour when called from elsewhere than
+ the toplevel directory.
+
+ pkg-stats: Show latest upstream version of each package, based
+ on data from release-monitoring.org
+
+ kconfig: Fix for make linux-menuconfig / uboot-menuconfig from
+ a clean tree when ccache is enabled.
+
+ Default to sha256 password encoding, drop md5 support.
+
+
+ Architecture:
+
+ Support for RISC-V 32bit architecture, ARM A55, 75 and Saphira
+ variants, MIPS support for mips32r3, mips64r3 and Marvell
+ Octeon II/III variants.
+
+
+ Toolchain:
+
+ ARC toolchain 2018.09, ARM 8.2-2018.11, Codescape IMG/MTI MIPS
+ 2018.09-02, MUSL 1.1.21, GCC 6.5.0 / 7.4.0, GDB 8.2.1
+
+
+ Packages:
+
+ openssl: Bump to 1.1.1x series, bringing TLSv1.3 support and
+ long term support.
+
+ fftw: Split into fftw-{single,double,long-double,quad}
+ packages for the different data precision options.
+
+ libcurl: Now has explicit TLS backend selection options.
+
+ linux: Support building device tree blobs with the -@ option
+ for device tree overlays.
+
+ weston: The weston-imx i.MX variant is now used when
+ imx-gpu-viv is enabled
+
+ pkgconf: Update to 1.5.3, which brings support for
+ --define-prefix (used by GStreamer)
+
+ Add host-python3-setuptools package to handle host python
+ packages needing python3 with setuptools support.
+
+
+ New defconfigs: Aarch64 EFI, Orangepi one plus, Orangepi lite
+ 2, QEMU RISC-V 32bit virt, Rock64
+
+
+ New packages: brcm-patchram-plus, clinfo, cunit, docker-cli,
+ erlang-p1-eimp, exempi, fail2ban, fftw-double,
+ fftw-double-long, fftw-quad, fftw-single, gerbera, grpc,
+ gst1-shark, intel-gmmlib, iwd, kf5-kcoreaddons, libeastl,
+ libpackagekite, libtorrent-rasterbar, lua-std-debug,
+ lua-std-normalize, mini-snmpd, netsurf, pamtester, pcm-tools,
+ python-aiodns, python-aiohttp, python-aiohttp-jinja2,
+ python-aiohttp-remotes, python-aiohttp-security,
+ python-aiohttp-session, python-aiohttpd-sse, python-aiojobs,
+ python-cchardet, python-pycares, python-sentry-sdk,
+ python-wtforms, python3-setuptools, rcw, rtc-tools, shim,
+ utp_com, vmtouch, websocketpp
+
+ Removed packages: fftw, lua 5.2.x, luacrypto, perl-time-hires,
+ python-pyqt, qt, qtuio, tn5250
+
+ Issues resolved (http://bugs.uclibc.org):
+
+ #10851: Patch to handle numpad Enter key properly
+ #11066: x11r7 X11 S40xorg leads to a black screen on QEMU x86..
+ #11126: Bash Shell Programming using Buildroot
+ #11426: pps-tools bash dependency
+ #11476: stdio2.h error invalid use of __builtin_va_arg_pack
+ #11536: dt-utils building fails with glibc 2.28
+ #11546: open-vm-tools with glibc 2.28
+ #11566: Fix init script
+ #11576: Unable to start apache with event MPM on raspberry pi 3
+ #11591: [pkgconf 1.5.3] xserver OpenGL support is missing
+ #11606: libjpeg has no Config.in
+ #11616: 2018.02.09 fails to build libzlib with full RELRO..
+ #11656: Custom device tree and u-boot boot.scr not integrated..
+ #11666: Touchscreen with (Py)Qt5 should use tslib instead of evdev
+
2018.11.2, Released January 30th, 2019
Important / security related fixes.
diff --git a/Config.in.legacy b/Config.in.legacy
index 80bab04448..25b48fba82 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -207,12 +207,6 @@ config BR2_PACKAGE_GNURADIO_QTGUI
help
The gr-qtgui option was removed.
-config BR2_PACKAGE_MONGODB
- bool "mongodb package removed"
- select BR2_LEGACY
- help
- The mongodb package was removed.
-
config BR2_PACKAGE_LUACRYPTO
bool "luacrypto package removed"
select BR2_LEGACY
diff --git a/DEVELOPERS b/DEVELOPERS
index 45b59de276..1aee2cfcc2 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -797,6 +797,7 @@ F: package/libxslt/
F: package/mbedtls/
F: package/minissdpd/
F: package/minizip/
+F: package/mongodb/
F: package/motion/
F: package/mutt/
F: package/ncmpc/
diff --git a/Makefile b/Makefile
index 0d2659c46e..f736ecfb3e 100644
--- a/Makefile
+++ b/Makefile
@@ -92,9 +92,9 @@ all:
.PHONY: all
# Set and export the version string
-export BR2_VERSION := 2019.02-git
+export BR2_VERSION := 2019.02-rc1
# Actual time the release is cut (for reproducible builds)
-BR2_VERSION_EPOCH = 1543701000
+BR2_VERSION_EPOCH = 1550044800
# Save running make version since it's clobbered by the make package
RUNNING_MAKE_VERSION := $(MAKE_VERSION)
diff --git a/board/pc/post-build.sh b/board/pc/post-build.sh
index 346f29ab6a..b245cc00c6 100755
--- a/board/pc/post-build.sh
+++ b/board/pc/post-build.sh
@@ -7,4 +7,4 @@ BOARD_DIR=$(dirname "$0")
cp -f "$BOARD_DIR/grub-bios.cfg" "$TARGET_DIR/boot/grub/grub.cfg"
# Copy grub 1st stage to binaries, required for genimage
-cp -f "$HOST_DIR/lib/grub/i387-pc/boot.img" "$BINARIES_DIR"
+cp -f "$HOST_DIR/lib/grub/i386-pc/boot.img" "$BINARIES_DIR"
diff --git a/board/qemu/arm-versatile/patches/linux/versatile-nommu.patch b/board/qemu/arm-versatile/patches/linux/versatile-nommu.patch
index 883bd0de6e..a2c0962f85 100644
--- a/board/qemu/arm-versatile/patches/linux/versatile-nommu.patch
+++ b/board/qemu/arm-versatile/patches/linux/versatile-nommu.patch
@@ -1,10 +1,30 @@
+From 4ac4324dcdaf237aa34545b3795acb2e5c42d10e Mon Sep 17 00:00:00 2001
+From: Waldemar Brodkorb <wbx@openadk.org>
+Date: Fri, 1 Feb 2019 11:36:20 +0100
+Subject: [PATCH] arm-versatile-nommu: Linux patch
+
+Originally made by Waldemar Brodkorb <wbx@openadk.org> from LKML.
+
Signed-Off-by: Waldemar Brodkorb <wbx@openadk.org>
-From LKML.
+[Gerome: reformated as a Git patch]
+Signed-off-by: Gerome Burlats <gerome.burlats@smile.fr>
+[Romain: fix Waldemar's authorship in Git patch]
+Signed-off-by: Romain Naour <romain.naour@smile.fr>
+---
+ arch/arm/Kconfig | 11 +++++++++++
+ arch/arm/Kconfig.debug | 3 ++-
+ arch/arm/include/asm/mach/map.h | 1 +
+ arch/arm/mach-versatile/Kconfig | 5 +++--
+ arch/arm/mach-versatile/Makefile.boot | 3 +++
+ arch/arm/mach-versatile/versatile_dt.c | 4 ++++
+ 6 files changed, 24 insertions(+), 3 deletions(-)
+ create mode 100644 arch/arm/mach-versatile/Makefile.boot
-diff -Nur linux-4.15.13.orig/arch/arm/Kconfig linux-4.15.13/arch/arm/Kconfig
---- linux-4.15.13.orig/arch/arm/Kconfig 2018-03-24 11:02:53.000000000 +0100
-+++ linux-4.15.13/arch/arm/Kconfig 2018-04-01 03:47:33.415078244 +0100
-@@ -355,6 +355,17 @@
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index e8cd55a5b04c..fc2dbff70394 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -353,6 +353,17 @@ config ARM_SINGLE_ARMV7M
select SPARSE_IRQ
select USE_OF
@@ -22,10 +42,11 @@ diff -Nur linux-4.15.13.orig/arch/arm/Kconfig linux-4.15.13/arch/arm/Kconfig
config ARCH_EBSA110
bool "EBSA-110"
select ARCH_USES_GETTIMEOFFSET
-diff -Nur linux-4.15.13.orig/arch/arm/Kconfig.debug linux-4.15.13/arch/arm/Kconfig.debug
---- linux-4.15.13.orig/arch/arm/Kconfig.debug 2018-03-24 11:02:53.000000000 +0100
-+++ linux-4.15.13/arch/arm/Kconfig.debug 2018-04-01 03:47:33.416078232 +0100
-@@ -1795,7 +1795,8 @@
+diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
+index f6fcb8a79889..92fc637d3db8 100644
+--- a/arch/arm/Kconfig.debug
++++ b/arch/arm/Kconfig.debug
+@@ -1843,7 +1843,8 @@ config DEBUG_UNCOMPRESS
config UNCOMPRESS_INCLUDE
string
default "debug/uncompress.h" if ARCH_MULTIPLATFORM || ARCH_MSM || \
@@ -35,10 +56,11 @@ diff -Nur linux-4.15.13.orig/arch/arm/Kconfig.debug linux-4.15.13/arch/arm/Kconf
default "mach/uncompress.h"
config EARLY_PRINTK
-diff -Nur linux-4.15.13.orig/arch/arm/include/asm/mach/map.h linux-4.15.13/arch/arm/include/asm/mach/map.h
---- linux-4.15.13.orig/arch/arm/include/asm/mach/map.h 2018-03-24 11:02:53.000000000 +0100
-+++ linux-4.15.13/arch/arm/include/asm/mach/map.h 2018-04-01 03:47:17.587276119 +0100
-@@ -62,6 +62,7 @@
+diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h
+index 9b7c328fb207..b1fe9c8b5c3e 100644
+--- a/arch/arm/include/asm/mach/map.h
++++ b/arch/arm/include/asm/mach/map.h
+@@ -62,6 +62,7 @@ extern int ioremap_page(unsigned long virt, unsigned long phys,
#else
#define iotable_init(map,num) do { } while (0)
#define vm_reserve_area_early(a,s,c) do { } while (0)
@@ -46,9 +68,10 @@ diff -Nur linux-4.15.13.orig/arch/arm/include/asm/mach/map.h linux-4.15.13/arch/
#endif
#endif
-diff -Nur linux-4.15.13.orig/arch/arm/mach-versatile/Kconfig linux-4.15.13/arch/arm/mach-versatile/Kconfig
---- linux-4.15.13.orig/arch/arm/mach-versatile/Kconfig 2018-03-24 11:02:53.000000000 +0100
-+++ linux-4.15.13/arch/arm/mach-versatile/Kconfig 2018-04-01 03:47:33.417078219 +0100
+diff --git a/arch/arm/mach-versatile/Kconfig b/arch/arm/mach-versatile/Kconfig
+index f5c275434d6c..06ad999d5978 100644
+--- a/arch/arm/mach-versatile/Kconfig
++++ b/arch/arm/mach-versatile/Kconfig
@@ -1,7 +1,8 @@
# SPDX-License-Identifier: GPL-2.0
config ARCH_VERSATILE
@@ -60,16 +83,19 @@ diff -Nur linux-4.15.13.orig/arch/arm/mach-versatile/Kconfig linux-4.15.13/arch/
select ARM_AMBA
select ARM_TIMER_SP804
select ARM_VIC
-diff -Nur linux-4.15.13.orig/arch/arm/mach-versatile/Makefile.boot linux-4.15.13/arch/arm/mach-versatile/Makefile.boot
---- linux-4.15.13.orig/arch/arm/mach-versatile/Makefile.boot 1970-01-01 01:00:00.000000000 +0100
-+++ linux-4.15.13/arch/arm/mach-versatile/Makefile.boot 2018-04-01 03:47:25.644175394 +0100
+diff --git a/arch/arm/mach-versatile/Makefile.boot b/arch/arm/mach-versatile/Makefile.boot
+new file mode 100644
+index 000000000000..eacfc3f5c33e
+--- /dev/null
++++ b/arch/arm/mach-versatile/Makefile.boot
@@ -0,0 +1,3 @@
+# Empty file waiting for deletion once Makefile.boot isn't needed any more.
+# Patch waits for application at
+# http://www.arm.linux.org.uk/developer/patches/viewpatch.php?id=7889/1 .
-diff -Nur linux-4.15.13.orig/arch/arm/mach-versatile/versatile_dt.c linux-4.15.13/arch/arm/mach-versatile/versatile_dt.c
---- linux-4.15.13.orig/arch/arm/mach-versatile/versatile_dt.c 2018-03-24 11:02:53.000000000 +0100
-+++ linux-4.15.13/arch/arm/mach-versatile/versatile_dt.c 2018-04-01 03:47:10.913359555 +0100
+diff --git a/arch/arm/mach-versatile/versatile_dt.c b/arch/arm/mach-versatile/versatile_dt.c
+index 3c8d39c12909..8cfa05a37295 100644
+--- a/arch/arm/mach-versatile/versatile_dt.c
++++ b/arch/arm/mach-versatile/versatile_dt.c
@@ -37,7 +37,11 @@
#include <asm/mach/map.h>
@@ -82,3 +108,6 @@ diff -Nur linux-4.15.13.orig/arch/arm/mach-versatile/versatile_dt.c linux-4.15.1
#define __io_address(n) ((void __iomem __force *)IO_ADDRESS(n))
/*
+--
+2.14.5
+
diff --git a/board/qemu/xtensa-lx60/linux-nommu.config b/board/qemu/xtensa-lx60/linux-nommu.config
index 10f7ee125c..8077645eec 100644
--- a/board/qemu/xtensa-lx60/linux-nommu.config
+++ b/board/qemu/xtensa-lx60/linux-nommu.config
@@ -6,6 +6,7 @@ CONFIG_XTENSA_VARIANT_CUSTOM_NAME="dc233c"
# CONFIG_XTENSA_VARIANT_MMU is not set
CONFIG_XTENSA_UNALIGNED_USER=y
CONFIG_PREEMPT=y
+CONFIG_MEMMAP_CACHEATTR=0x2cccccc7
CONFIG_KERNEL_LOAD_ADDRESS=0x00003000
# CONFIG_PCI is not set
CONFIG_XTENSA_PLATFORM_XTFPGA=y
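Review bot: The added `CONFIG_MEMMAP_CACHEATTR=0x2cccccc7` is an opaque magic value with nothing nearby saying what it encodes or why the kernel default does not work for this board. The hunk gives no rationale, and this merge page does not show the message of the commit that introduced it. The symbol presumably sets the per-region cache attributes used on noMMU xtensa, so a one-line comment above it such as `# noMMU cache attributes per memory region, needed for <reason>; see MEMMAP_CACHEATTR in arch/xtensa/Kconfig` would let whoever does the next kernel bump check whether the value still applies.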
diff --git a/configs/qemu_aarch64_virt_defconfig b/configs/qemu_aarch64_virt_defconfig
index a7b097ef40..638e18beb7 100644
--- a/configs/qemu_aarch64_virt_defconfig
+++ b/configs/qemu_aarch64_virt_defconfig
@@ -11,13 +11,13 @@ BR2_TARGET_ROOTFS_EXT2=y
BR2_TARGET_ROOTFS_EXT2_4=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
diff --git a/configs/qemu_arm_versatile_defconfig b/configs/qemu_arm_versatile_defconfig
index 348b91bc96..ce7cb5efe4 100644
--- a/configs/qemu_arm_versatile_defconfig
+++ b/configs/qemu_arm_versatile_defconfig
@@ -10,13 +10,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/arm-versatile/linux.config"
BR2_LINUX_KERNEL_DTS_SUPPORT=y
diff --git a/configs/qemu_arm_versatile_nommu_defconfig b/configs/qemu_arm_versatile_nommu_defconfig
index 910c382439..81fb5b6ca4 100644
--- a/configs/qemu_arm_versatile_nommu_defconfig
+++ b/configs/qemu_arm_versatile_nommu_defconfig
@@ -21,13 +21,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/arm-versatile/linux-nommu.config"
BR2_LINUX_KERNEL_DTS_SUPPORT=y
diff --git a/configs/qemu_arm_vexpress_defconfig b/configs/qemu_arm_vexpress_defconfig
index 34a50aa8d5..66f198ac5d 100644
--- a/configs/qemu_arm_vexpress_defconfig
+++ b/configs/qemu_arm_vexpress_defconfig
@@ -13,13 +13,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
BR2_LINUX_KERNEL_DTS_SUPPORT=y
BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca9"
diff --git a/configs/qemu_m68k_mcf5208_defconfig b/configs/qemu_m68k_mcf5208_defconfig
index 8f8d0a048a..44fd918ec0 100644
--- a/configs/qemu_m68k_mcf5208_defconfig
+++ b/configs/qemu_m68k_mcf5208_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_INITRAMFS=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/m68k-mcf5208/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_m68k_q800_defconfig b/configs/qemu_m68k_q800_defconfig
index d9238b650f..0dd90a97b3 100644
--- a/configs/qemu_m68k_q800_defconfig
+++ b/configs/qemu_m68k_q800_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/m68k-q800/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_microblazebe_mmu_defconfig b/configs/qemu_microblazebe_mmu_defconfig
index 3055a0f8cd..95fdfeda6c 100644
--- a/configs/qemu_microblazebe_mmu_defconfig
+++ b/configs/qemu_microblazebe_mmu_defconfig
@@ -10,13 +10,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttyUL0"
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/microblazebe-mmu/linux.config"
BR2_LINUX_KERNEL_LINUX_BIN=y
diff --git a/configs/qemu_microblazeel_mmu_defconfig b/configs/qemu_microblazeel_mmu_defconfig
index 073a7173fa..7400dafa5f 100644
--- a/configs/qemu_microblazeel_mmu_defconfig
+++ b/configs/qemu_microblazeel_mmu_defconfig
@@ -10,13 +10,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttyUL0"
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/microblazeel-mmu/linux.config"
BR2_LINUX_KERNEL_LINUX_BIN=y
diff --git a/configs/qemu_mips32r2_malta_defconfig b/configs/qemu_mips32r2_malta_defconfig
index d07bc11003..0ee7a58888 100644
--- a/configs/qemu_mips32r2_malta_defconfig
+++ b/configs/qemu_mips32r2_malta_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/mips32r2-malta/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_mips32r2el_malta_defconfig b/configs/qemu_mips32r2el_malta_defconfig
index 55e68b1fdc..075088df82 100644
--- a/configs/qemu_mips32r2el_malta_defconfig
+++ b/configs/qemu_mips32r2el_malta_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/mips32r2el-malta/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_mips32r6_malta_defconfig b/configs/qemu_mips32r6_malta_defconfig
index 5802393368..b0bf94ce7b 100644
--- a/configs/qemu_mips32r6_malta_defconfig
+++ b/configs/qemu_mips32r6_malta_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/mips32r6-malta/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_mips32r6el_malta_defconfig b/configs/qemu_mips32r6el_malta_defconfig
index 93e2a86509..077d836da3 100644
--- a/configs/qemu_mips32r6el_malta_defconfig
+++ b/configs/qemu_mips32r6el_malta_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/mips32r6el-malta/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_mips64_malta_defconfig b/configs/qemu_mips64_malta_defconfig
index 99b457a9f8..12502eac6a 100644
--- a/configs/qemu_mips64_malta_defconfig
+++ b/configs/qemu_mips64_malta_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/mips64-malta/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_mips64el_malta_defconfig b/configs/qemu_mips64el_malta_defconfig
index f2dacbd760..5ddb759bbe 100644
--- a/configs/qemu_mips64el_malta_defconfig
+++ b/configs/qemu_mips64el_malta_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/mips64el-malta/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_mips64r6_malta_defconfig b/configs/qemu_mips64r6_malta_defconfig
index d291213db7..bfa32f657e 100644
--- a/configs/qemu_mips64r6_malta_defconfig
+++ b/configs/qemu_mips64r6_malta_defconfig
@@ -10,13 +10,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/mips64r6-malta/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_mips64r6el_malta_defconfig b/configs/qemu_mips64r6el_malta_defconfig
index 4740bdee28..2fd855d79b 100644
--- a/configs/qemu_mips64r6el_malta_defconfig
+++ b/configs/qemu_mips64r6el_malta_defconfig
@@ -10,13 +10,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/mips64r6el-malta/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_nios2_10m50_defconfig b/configs/qemu_nios2_10m50_defconfig
index cff219257a..d7e7c335a3 100644
--- a/configs/qemu_nios2_10m50_defconfig
+++ b/configs/qemu_nios2_10m50_defconfig
@@ -1,10 +1,10 @@
BR2_nios2=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_DEFCONFIG="10m50"
BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/nios2-10m50/linux.fragment"
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
diff --git a/configs/qemu_or1k_defconfig b/configs/qemu_or1k_defconfig
index 636a0d25b1..3fc53f4186 100644
--- a/configs/qemu_or1k_defconfig
+++ b/configs/qemu_or1k_defconfig
@@ -5,12 +5,12 @@ BR2_or1k=y
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4,16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4,19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/or1k/linux.config"
diff --git a/configs/qemu_ppc64_e5500_defconfig b/configs/qemu_ppc64_e5500_defconfig
index 7a325a5070..59b8636918 100644
--- a/configs/qemu_ppc64_e5500_defconfig
+++ b/configs/qemu_ppc64_e5500_defconfig
@@ -6,12 +6,12 @@ BR2_powerpc_e5500=y
BR2_TARGET_GENERIC_GETTY_PORT="ttyS0"
# Linux headers same as the kernel
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_DEFCONFIG="corenet64_smp"
BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/ppc64-e5500/linux.fragment"
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
diff --git a/configs/qemu_ppc64_pseries_defconfig b/configs/qemu_ppc64_pseries_defconfig
index d2d69f1c3c..5f55b246f7 100644
--- a/configs/qemu_ppc64_pseries_defconfig
+++ b/configs/qemu_ppc64_pseries_defconfig
@@ -10,12 +10,12 @@ BR2_TARGET_GENERIC_GETTY_PORT="hvc0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_DEFCONFIG="pseries"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_ppc64le_pseries_defconfig b/configs/qemu_ppc64le_pseries_defconfig
index 9a85f76dd9..8356e4e250 100644
--- a/configs/qemu_ppc64le_pseries_defconfig
+++ b/configs/qemu_ppc64le_pseries_defconfig
@@ -10,12 +10,12 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_DEFCONFIG="pseries_le"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_ppc_g3beige_defconfig b/configs/qemu_ppc_g3beige_defconfig
index 451a9b52d8..4b2f3ed2fe 100644
--- a/configs/qemu_ppc_g3beige_defconfig
+++ b/configs/qemu_ppc_g3beige_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/ppc-g3beige/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_ppc_mpc8544ds_defconfig b/configs/qemu_ppc_mpc8544ds_defconfig
index 38e41a7fa2..d6ebef7561 100644
--- a/configs/qemu_ppc_mpc8544ds_defconfig
+++ b/configs/qemu_ppc_mpc8544ds_defconfig
@@ -9,13 +9,13 @@ BR2_SYSTEM_DHCP="eth0"
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/ppc-mpc8544ds/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_ppc_virtex_ml507_defconfig b/configs/qemu_ppc_virtex_ml507_defconfig
index 6824afca3c..c71465dd56 100644
--- a/configs/qemu_ppc_virtex_ml507_defconfig
+++ b/configs/qemu_ppc_virtex_ml507_defconfig
@@ -6,8 +6,8 @@ BR2_powerpc_440=y
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Use soft float
BR2_SOFT_FLOAT=y
@@ -15,7 +15,7 @@ BR2_SOFT_FLOAT=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/ppc-virtex-ml507/linux.config"
BR2_LINUX_KERNEL_VMLINUX=y
diff --git a/configs/qemu_sh4_r2d_defconfig b/configs/qemu_sh4_r2d_defconfig
index ec4a91c999..e194d7ecf2 100644
--- a/configs/qemu_sh4_r2d_defconfig
+++ b/configs/qemu_sh4_r2d_defconfig
@@ -11,13 +11,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttySC1"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Linux kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/sh4-r2d/linux.config"
BR2_LINUX_KERNEL_ZIMAGE=y
diff --git a/configs/qemu_sh4eb_r2d_defconfig b/configs/qemu_sh4eb_r2d_defconfig
index e7dbd46a2b..f1aad8b64f 100644
--- a/configs/qemu_sh4eb_r2d_defconfig
+++ b/configs/qemu_sh4eb_r2d_defconfig
@@ -10,13 +10,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttySC1"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Linux kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/sh4eb-r2d/linux.config"
BR2_LINUX_KERNEL_ZIMAGE=y
diff --git a/configs/qemu_sparc64_sun4u_defconfig b/configs/qemu_sparc64_sun4u_defconfig
index baa8dbfb59..f4da2bc08d 100644
--- a/configs/qemu_sparc64_sun4u_defconfig
+++ b/configs/qemu_sparc64_sun4u_defconfig
@@ -9,12 +9,12 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Linux kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/sparc64-sun4u/linux.config"
diff --git a/configs/qemu_sparc_ss10_defconfig b/configs/qemu_sparc_ss10_defconfig
index 9943781a5b..e027b73ebf 100644
--- a/configs/qemu_sparc_ss10_defconfig
+++ b/configs/qemu_sparc_ss10_defconfig
@@ -9,12 +9,12 @@ BR2_SYSTEM_DHCP="eth0"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Linux kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/sparc-ss10/linux.config"
diff --git a/configs/qemu_x86_64_defconfig b/configs/qemu_x86_64_defconfig
index 12b30bf764..afa2396931 100644
--- a/configs/qemu_x86_64_defconfig
+++ b/configs/qemu_x86_64_defconfig
@@ -9,12 +9,12 @@ BR2_TARGET_GENERIC_GETTY_PORT="tty1"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86_64/linux.config"
diff --git a/configs/qemu_x86_defconfig b/configs/qemu_x86_defconfig
index 985ff32b44..3441ad5cb1 100644
--- a/configs/qemu_x86_defconfig
+++ b/configs/qemu_x86_defconfig
@@ -10,12 +10,12 @@ BR2_TARGET_GENERIC_GETTY_PORT="tty1"
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux.config"
diff --git a/configs/qemu_xtensa_lx60_defconfig b/configs/qemu_xtensa_lx60_defconfig
index a735c991c7..6bf48a2ada 100644
--- a/configs/qemu_xtensa_lx60_defconfig
+++ b/configs/qemu_xtensa_lx60_defconfig
@@ -11,13 +11,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttyS0"
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/xtensa-lx60/linux.config"
BR2_LINUX_KERNEL_IMAGE_TARGET_CUSTOM=y
diff --git a/configs/qemu_xtensa_lx60_nommu_defconfig b/configs/qemu_xtensa_lx60_nommu_defconfig
index f4d6837bc1..5ff9646270 100644
--- a/configs/qemu_xtensa_lx60_nommu_defconfig
+++ b/configs/qemu_xtensa_lx60_nommu_defconfig
@@ -15,13 +15,13 @@ BR2_TARGET_GENERIC_GETTY_PORT="ttyS0"
# BR2_TARGET_ROOTFS_TAR is not set
BR2_TARGET_ROOTFS_INITRAMFS=y
-# Linux headers same as kernel, a 4.16 series
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_16=y
+# Linux headers same as kernel, a 4.19 series
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_19=y
# Kernel
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.16.7"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.19.16"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/xtensa-lx60/linux-nommu.config"
BR2_LINUX_KERNEL_IMAGE_TARGET_CUSTOM=y
diff --git a/docs/website/download.html b/docs/website/download.html
index e089ad57e6..52c8b1d565 100644
--- a/docs/website/download.html
+++ b/docs/website/download.html
@@ -75,38 +75,38 @@
<p><a href="/downloads/buildroot-2018.11.2.tar.bz2.sign">PGP signature</a></p>
</div>
</div>
-<!--
- <h3 style="text-align: center;">Latest release candidate: <b>2018.11-rc3</b></h3>
+
+ <h3 style="text-align: center;">Latest release candidate: <b>2019.02-rc1</b></h3>
<div class="row mt centered">
<div class="col-sm-6">
<div class="flip-container center-block" ontouchstart="this.classList.toggle('hover');">
<div class="flipper">
<div class="front">
- <a href="/downloads/buildroot-2018.11-rc3.tar.gz"><img src="images/zip.png" width="180" alt=""></a>
+ <a href="/downloads/buildroot-2019.02-rc1.tar.gz"><img src="images/zip.png" width="180" alt=""></a>
</div>
<div class="back">
- <a href="/downloads/buildroot-2018.11-rc3.tar.gz"><img src="images/zip.png" width="180" alt=""></a>
+ <a href="/downloads/buildroot-2019.02-rc1.tar.gz"><img src="images/zip.png" width="180" alt=""></a>
</div>
</div>
</div>
- <h3><a href="/downloads/buildroot-2018.11-rc3.tar.gz">buildroot-2018.11-rc3.tar.gz</a></h3>
- <p><a href="/downloads/buildroot-2018.11-rc3.tar.gz.sign">PGP signature</a></p>
+ <h3><a href="/downloads/buildroot-2019.02-rc1.tar.gz">buildroot-2019.02-rc1.tar.gz</a></h3>
+ <p><a href="/downloads/buildroot-2019.02-rc1.tar.gz.sign">PGP signature</a></p>
</div>
<div class="col-sm-6">
<div class="flip-container center-block" ontouchstart="this.classList.toggle('hover');">
<div class="flipper">
<div class="front">
- <a href="/downloads/buildroot-2018.11-rc3.tar.bz2"><img src="images/package.png" width="180" alt=""></a>
+ <a href="/downloads/buildroot-2019.02-rc1.tar.bz2"><img src="images/package.png" width="180" alt=""></a>
</div>
<div class="back">
- <a href="/downloads/buildroot-2018.11-rc3.tar.bz2"><img src="images/package.png" width="180" alt=""></a>
+ <a href="/downloads/buildroot-2019.02-rc1.tar.bz2"><img src="images/package.png" width="180" alt=""></a>
</div>
</div>
</div>
- <h3><a href="/downloads/buildroot-2018.11-rc3.tar.bz2">buildroot-2018.11-rc3.tar.bz2</a></h3>
- <p><a href="/downloads/buildroot-2018.11-rc3.tar.bz2.sign">PGP signature</a></p>
+ <h3><a href="/downloads/buildroot-2019.02-rc1.tar.bz2">buildroot-2019.02-rc1.tar.bz2</a></h3>
+ <p><a href="/downloads/buildroot-2019.02-rc1.tar.bz2.sign">PGP signature</a></p>
</div>
</div>
@@ -114,7 +114,7 @@
<a href="/downloads/">http://buildroot.net/downloads/</a>.
</div>
</div>
--->
+
<div class="panel panel-primary">
<div class="panel-heading">Source code</div>
<div class="panel-body">
diff --git a/docs/website/news.html b/docs/website/news.html
index 6f7ebad5d7..d72c6b7fcf 100644
--- a/docs/website/news.html
+++ b/docs/website/news.html
@@ -9,6 +9,29 @@
<h2>News</h2>
<ul class="timeline">
+ <li class="timeline-inverted">
+ <div class="timeline-badge"><i class="glyphicon glyphicon-thumbs-up"></i></div>
+ <div class="timeline-panel">
+ <div class="timeline-heading">
+ <h4 class="timeline-title">2019.02-rc1 released</h4>
+ <p><small class="text-muted"><i class="glyphicon glyphicon-time"></i>13 February 2019</small></p>
+ </div>
+ <div class="timeline-body">
+ <p>We have a new release candidate! Lots of changes all over the
+ tree, see the
+ <a href="http://git.buildroot.net/buildroot/plain/CHANGES?id=2019.02-rc1">CHANGES</a>
+ file for details.
+ </p>
+
+ <p>Head to the <a href="/downloads/">downloads page</a> to pick up the
+ <a href="/downloads/buildroot-2019.02-rc1.tar.bz2">2019.02-rc1
+ release candidate</a>, and report any problems found to the
+ <a href="support.html">mailing list</a> or
+ <a href="https://bugs.buildroot.org">bug tracker</a>.</p>
+ </div>
+ </div>
+ </li>
+
<li>
<div class="timeline-badge"><i class="glyphicon glyphicon-thumbs-up"></i></div>
<div class="timeline-panel">
diff --git a/package/Config.in b/package/Config.in
index 1b5d5c9d7f..3f968498f4 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1215,6 +1215,7 @@ menu "Database"
source "package/leveldb/Config.in"
source "package/libgit2/Config.in"
source "package/libpqxx/Config.in"
+ source "package/mongodb/Config.in"
source "package/mysql/Config.in"
source "package/postgresql/Config.in"
source "package/redis/Config.in"
diff --git a/package/brcm-patchram-plus/0001-src-main.c-fix-build-on-SPARC.patch b/package/brcm-patchram-plus/0001-src-main.c-fix-build-on-SPARC.patch
deleted file mode 100644
index 5567284cdf..0000000000
--- a/package/brcm-patchram-plus/0001-src-main.c-fix-build-on-SPARC.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 8ff9d421372a7cb780fbafd8b1d556ee549bf109 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Fri, 8 Feb 2019 23:21:04 +0100
-Subject: [PATCH] src/main.c: fix build on SPARC
-
-On SPARC, the definitions of B2500000, B3000000, B3500000 and B4000000
-are not necessarily available, so use those values only if defined in
-the kernel headers.
-
-It fixes SPARC build failures such as:
-main.c:382:13: error: 'B2500000' undeclared here (not in a function)
- { 2500000, B2500000 },
- ^~~~~~~~
-main.c:383:13: error: 'B3000000' undeclared here (not in a function)
- { 3000000, B3000000 },
- ^~~~~~~~
-main.c:385:13: error: 'B3500000' undeclared here (not in a function)
- { 3500000, B3500000 },
- ^~~~~~~~
-main.c:386:13: error: 'B4000000' undeclared here (not in a function)
- { 4000000, B4000000 }
-
-Fixes:
- - http://autobuild.buildroot.org/results/f7012c08c935c3a6ccae50b84170190af5cd5cba
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: https://github.com/AsteroidOS/brcm-patchram-plus/pull/1]
----
- src/main.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/src/main.c b/src/main.c
-index 040cfe1..17c5191 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -378,12 +378,20 @@ tBaudRates baud_rates[] = {
- { 1000000, B1000000 },
- { 1152000, B1152000 },
- { 1500000, B1500000 },
-- { 2000000, B2000000 },
-- { 2500000, B2500000 },
-- { 3000000, B3000000 },
-+ { 2000000, B2000000 }
-+#ifdef B2500000
-+ ,{ 2500000, B2500000 }
-+#endif
-+#ifdef B3000000
-+ ,{ 3000000, B3000000 }
-+#endif
- #ifndef __CYGWIN__
-- { 3500000, B3500000 },
-- { 4000000, B4000000 }
-+#ifdef B3500000
-+ ,{ 3500000, B3500000 }
-+#endif
-+#ifdef B4000000
-+ ,{ 4000000, B4000000 }
-+#endif
- #endif
- };
-
---
-2.14.1
-
diff --git a/package/brcm-patchram-plus/brcm-patchram-plus.hash b/package/brcm-patchram-plus/brcm-patchram-plus.hash
index fb7a91f114..f6910e714b 100644
--- a/package/brcm-patchram-plus/brcm-patchram-plus.hash
+++ b/package/brcm-patchram-plus/brcm-patchram-plus.hash
@@ -1,3 +1,3 @@
# locally computed
-sha256 7d63f3a0c79cb5d187a0f2647734601f9c97d4eb8e545ce9ace7653c1f3f9a58 brcm-patchram-plus-94fb127e614b19a9a95561b8c1a0716e2e1e6293.tar.gz
-sha256 3bbeac0dc9f456695e692687c9d90a3c4ffc0253b0476d487d8cede207a8dc5b src/main.c
+sha256 febad69fbc9185b4c6a31188cf381fd280b88d93cb7f5a40dfdbab9c599c29a7 brcm-patchram-plus-95b7b6916d661a4da3f9c0adf52d5e1f4f8ab042.tar.gz
+sha256 26324f5c563b7e338c2876c8abe90c3681c1e9a6163fc59b494c94ad6493eda4 COPYING
diff --git a/package/brcm-patchram-plus/brcm-patchram-plus.mk b/package/brcm-patchram-plus/brcm-patchram-plus.mk
index 511ec991bc..329571d9a9 100644
--- a/package/brcm-patchram-plus/brcm-patchram-plus.mk
+++ b/package/brcm-patchram-plus/brcm-patchram-plus.mk
@@ -4,10 +4,10 @@
#
################################################################################
-BRCM_PATCHRAM_PLUS_VERSION = 94fb127e614b19a9a95561b8c1a0716e2e1e6293
+BRCM_PATCHRAM_PLUS_VERSION = 95b7b6916d661a4da3f9c0adf52d5e1f4f8ab042
BRCM_PATCHRAM_PLUS_SITE = $(call github,AsteroidOS,brcm-patchram-plus,$(BRCM_PATCHRAM_PLUS_VERSION))
BRCM_PATCHRAM_PLUS_LICENSE = Apache-2.0
-BRCM_PATCHRAM_PLUS_LICENSE_FILES = src/main.c
+BRCM_PATCHRAM_PLUS_LICENSE_FILES = COPYING
BRCM_PATCHRAM_PLUS_AUTORECONF = YES
$(eval $(autotools-package))
diff --git a/package/docker-cli/docker-cli.hash b/package/docker-cli/docker-cli.hash
index 03322a4f6d..9782f34baa 100644
--- a/package/docker-cli/docker-cli.hash
+++ b/package/docker-cli/docker-cli.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 3e578406dead2fc72c4b52f77db39dc779fa8b460352116c06f1ae29219bd8c2 docker-cli-v18.09.0.tar.gz
+sha256 29f3a435bfcd52dbe26f6315ee92bffc0220a537608935a2c3870f6b729fc16e docker-cli-v18.09.2.tar.gz
sha256 2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0 LICENSE
diff --git a/package/docker-cli/docker-cli.mk b/package/docker-cli/docker-cli.mk
index c73caa2652..c3dd536937 100644
--- a/package/docker-cli/docker-cli.mk
+++ b/package/docker-cli/docker-cli.mk
@@ -4,7 +4,7 @@
#
################################################################################
-DOCKER_CLI_VERSION = v18.09.0
+DOCKER_CLI_VERSION = v18.09.2
DOCKER_CLI_SITE = $(call github,docker,cli,$(DOCKER_CLI_VERSION))
DOCKER_CLI_WORKSPACE = gopath
diff --git a/package/docker-containerd/Config.in b/package/docker-containerd/Config.in
index 851345f73e..bdb5dd7b80 100644
--- a/package/docker-containerd/Config.in
+++ b/package/docker-containerd/Config.in
@@ -3,6 +3,7 @@ config BR2_PACKAGE_DOCKER_CONTAINERD
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
depends on BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_PACKAGE_TOOLCHAIN_USES_UCLIBC # runc
depends on BR2_USE_MMU # util-linux
select BR2_PACKAGE_RUNC # runtime dependency
select BR2_PACKAGE_UTIL_LINUX # runtime dependency
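Review bot: The added line `depends on !BR2_PACKAGE_TOOLCHAIN_USES_UCLIBC # runc` uses a different symbol name from the rest of this commit. The comment block in the second hunk of this file and package/docker-engine/Config.in both test `BR2_TOOLCHAIN_USES_UCLIBC`. No definition of the `BR2_PACKAGE_`-prefixed name is visible here; if none exists, Kconfig treats it as unset and the negated dependency is always satisfied. docker-containerd would then stay selectable on uClibc toolchains even though the comment says it needs glibc or musl. The line should read `depends on !BR2_TOOLCHAIN_USES_UCLIBC # runc`.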
@@ -27,8 +28,8 @@ config BR2_PACKAGE_DOCKER_CONTAINERD_DRIVER_BTRFS
endif
-comment "docker-containerd needs a toolchain w/ threads"
+comment "docker-containerd needs a glibc or musl toolchain w/ threads"
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
depends on BR2_USE_MMU
- depends on !BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC
diff --git a/package/docker-containerd/docker-containerd.hash b/package/docker-containerd/docker-containerd.hash
index 52bf8e03d2..cae88f40e2 100644
--- a/package/docker-containerd/docker-containerd.hash
+++ b/package/docker-containerd/docker-containerd.hash
@@ -1,3 +1,3 @@
# Computed locally
-sha256 a2780aca4d72bb8aced14ca9de99bdc9a90bdaacb06c5ddd8378a66443c1d70f docker-containerd-v1.2.1.tar.gz
+sha256 ff4c2ad680c9e2484e335868a54b0c1ea49d9165dd5b38b64ef7d9dacf2b96b4 docker-containerd-v1.2.3.tar.gz
sha256 4bbe3b885e8cd1907ab4cf9a41e862e74e24b5422297a4f2fe524e6a30ada2b4 LICENSE
diff --git a/package/docker-containerd/docker-containerd.mk b/package/docker-containerd/docker-containerd.mk
index 12f2324a8c..9088c17660 100644
--- a/package/docker-containerd/docker-containerd.mk
+++ b/package/docker-containerd/docker-containerd.mk
@@ -4,7 +4,7 @@
#
################################################################################
-DOCKER_CONTAINERD_VERSION = v1.2.1
+DOCKER_CONTAINERD_VERSION = v1.2.3
DOCKER_CONTAINERD_SITE = $(call github,containerd,containerd,$(DOCKER_CONTAINERD_VERSION))
DOCKER_CONTAINERD_LICENSE = Apache-2.0
DOCKER_CONTAINERD_LICENSE_FILES = LICENSE
diff --git a/package/docker-engine/0001-Fix-faulty-runc-version-commit-scrape.patch b/package/docker-engine/0001-Fix-faulty-runc-version-commit-scrape.patch
new file mode 100644
index 0000000000..dc47a8f9ef
--- /dev/null
+++ b/package/docker-engine/0001-Fix-faulty-runc-version-commit-scrape.patch
@@ -0,0 +1,45 @@
+From 324e7be4b252c13002bca6a9d82e7b2e43664634 Mon Sep 17 00:00:00 2001
+From: Christian Stewart <christian@paral.in>
+Date: Mon, 26 Nov 2018 22:59:32 -0800
+Subject: [PATCH] Fix faulty runc version commit scrape
+
+This commit replaces faulty logic to determine the runc version commit hash.
+
+The original logic takes the second line of the output of "runc --version" and
+does not work if there are a different number of lines printed from the command
+than expected. The buildroot version of runc outputs two lines instead of the
+expected three, causing the error:
+
+unknown output format: runc version commit: ...
+
+This patch replaces this logic with a simple scan of the "runc --version"
+output, searching for the "runc version commit" prefixed line.
+
+Signed-off-by: Christian Stewart <christian@paral.in>
+---
+ daemon/info_unix.go | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/daemon/info_unix.go b/daemon/info_unix.go
+index 60b2f99870..688a510796 100644
+--- a/daemon/info_unix.go
++++ b/daemon/info_unix.go
+@@ -32,10 +32,11 @@ func (daemon *Daemon) fillPlatformInfo(v *types.Info, sysInfo *sysinfo.SysInfo)
+ defaultRuntimeBinary := daemon.configStore.GetRuntime(v.DefaultRuntime).Path
+ if rv, err := exec.Command(defaultRuntimeBinary, "--version").Output(); err == nil {
+ parts := strings.Split(strings.TrimSpace(string(rv)), "\n")
+- if len(parts) == 3 {
+- parts = strings.Split(parts[1], ": ")
+- if len(parts) == 2 {
+- v.RuncCommit.ID = strings.TrimSpace(parts[1])
++ for _, pt := range parts {
++ ptKv := strings.Split(pt, ":")
++ if strings.HasSuffix(strings.TrimSpace(ptKv[0]), "commit") {
++ v.RuncCommit.ID = strings.TrimSpace(ptKv[1])
++ break
+ }
+ }
+
+--
+2.18.1
+
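Review bot: In the loop added to fillPlatformInfo, `ptKv[1]` is read without checking that the split produced a second element. A `--version` line that ends in "commit" but contains no colon would therefore panic the daemon with an index-out-of-range, whereas the removed code guarded the access with `len(parts) == 2`. The text comes from whichever binary is configured as the default runtime, so the parser should tolerate malformed output: `ptKv := strings.SplitN(pt, ":", 2)` followed by `if len(ptKv) == 2 && strings.HasSuffix(strings.TrimSpace(ptKv[0]), "commit") {`. SplitN also keeps a value that itself contains a colon intact. The body of fillPlatformInfo continues outside the hunk.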
diff --git a/package/docker-engine/Config.in b/package/docker-engine/Config.in
index 2a0c130fce..3c97310484 100644
--- a/package/docker-engine/Config.in
+++ b/package/docker-engine/Config.in
@@ -3,6 +3,7 @@ config BR2_PACKAGE_DOCKER_ENGINE
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
depends on BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_TOOLCHAIN_USES_UCLIBC # docker-containerd -> runc
depends on BR2_USE_MMU # docker-containerd
select BR2_PACKAGE_DOCKER_CONTAINERD # runtime dependency
select BR2_PACKAGE_DOCKER_PROXY # runtime dependency
@@ -49,8 +50,8 @@ config BR2_PACKAGE_DOCKER_ENGINE_DRIVER_VFS
endif
-comment "docker-engine needs a toolchain w/ threads"
+comment "docker-engine needs a glibc or musl toolchain w/ threads"
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
- depends on !BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC
depends on BR2_USE_MMU
diff --git a/package/docker-engine/docker-engine.hash b/package/docker-engine/docker-engine.hash
index 1e3939f240..fe7b0d3b94 100644
--- a/package/docker-engine/docker-engine.hash
+++ b/package/docker-engine/docker-engine.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 b5278b3f2b460ea61f47833abd2a844f348b4518e73f309294ad178c205a48e1 docker-engine-v18.09.0.tar.gz
+sha256 4babbcbc3e1d7750c61a1e5bee29bd206256948961feaac5b44cabb0c70a50a6 docker-engine-v18.09.2.tar.gz
sha256 2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0 LICENSE
diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
index aae44ab6df..e2f59666df 100644
--- a/package/docker-engine/docker-engine.mk
+++ b/package/docker-engine/docker-engine.mk
@@ -4,7 +4,7 @@
#
################################################################################
-DOCKER_ENGINE_VERSION = v18.09.0
+DOCKER_ENGINE_VERSION = v18.09.2
DOCKER_ENGINE_SITE = $(call github,docker,engine,$(DOCKER_ENGINE_VERSION))
DOCKER_ENGINE_LICENSE = Apache-2.0
diff --git a/package/ghostscript/0002-Sanitize-op-stack-for-error-conditions.patch b/package/ghostscript/0002-Sanitize-op-stack-for-error-conditions.patch
new file mode 100644
index 0000000000..7909cfec70
--- /dev/null
+++ b/package/ghostscript/0002-Sanitize-op-stack-for-error-conditions.patch
@@ -0,0 +1,176 @@
+From a1de1e6ab51ab37a17975aad1193f2523e7e7e84 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 5 Dec 2018 12:22:13 +0000
+Subject: [PATCH] Sanitize op stack for error conditions
+
+We save the stacks to an array and store the array for the error handler to
+access.
+
+For SAFER, we traverse the array, and deep copy any op arrays (procedures). As
+we make these copies, we check for operators that do *not* exist in systemdict,
+when we find one, we replace the operator with a name object (of the form
+"/--opname--").
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 13b0a36f818
+
+ psi/int.mak | 3 +-
+ psi/interp.c | 8 ++++++
+ psi/istack.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ psi/istack.h | 3 ++
+ 4 files changed, 91 insertions(+), 1 deletion(-)
+
+diff --git a/psi/int.mak b/psi/int.mak
+index 6ab5bf0069dd..6b349cb042dd 100644
+--- a/psi/int.mak
++++ b/psi/int.mak
+@@ -204,7 +204,8 @@ $(PSOBJ)iparam.$(OBJ) : $(PSSRC)iparam.c $(GH)\
+ $(PSOBJ)istack.$(OBJ) : $(PSSRC)istack.c $(GH) $(memory__h)\
+ $(ierrors_h) $(gsstruct_h) $(gsutil_h)\
+ $(ialloc_h) $(istack_h) $(istkparm_h) $(istruct_h) $(iutil_h) $(ivmspace_h)\
+- $(store_h) $(INT_MAK) $(MAKEDIRS)
++ $(store_h) $(icstate_h) $(iname_h) $(dstack_h) $(idict_h) \
++ $(INT_MAK) $(MAKEDIRS)
+ $(PSCC) $(PSO_)istack.$(OBJ) $(C_) $(PSSRC)istack.c
+
+ $(PSOBJ)iutil.$(OBJ) : $(PSSRC)iutil.c $(GH) $(math__h) $(memory__h) $(string__h)\
+diff --git a/psi/interp.c b/psi/interp.c
+index 6dc0ddae1b3c..aa5779c51420 100644
+--- a/psi/interp.c
++++ b/psi/interp.c
+@@ -761,6 +761,7 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
+ uint size = ref_stack_count(pstack) - skip;
+ uint save_space = ialloc_space(idmemory);
+ int code, i;
++ ref *safety, *safe;
+
+ if (size > 65535)
+ size = 65535;
+@@ -778,6 +779,13 @@ copy_stack(i_ctx_t *i_ctx_p, const ref_stack_t * pstack, int skip, ref * arr)
+ make_null(&arr->value.refs[i]);
+ }
+ }
++ if (pstack == &o_stack && dict_find_string(systemdict, "SAFETY", &safety) > 0 &&
++ dict_find_string(safety, "safe", &safe) > 0 && r_has_type(safe, t_boolean) &&
++ safe->value.boolval == true) {
++ code = ref_stack_array_sanitize(i_ctx_p, arr, arr);
++ if (code < 0)
++ return code;
++ }
+ ialloc_set_space(idmemory, save_space);
+ return code;
+ }
+diff --git a/psi/istack.c b/psi/istack.c
+index 8fe151fa5628..f1a3e511534d 100644
+--- a/psi/istack.c
++++ b/psi/istack.c
+@@ -27,6 +27,10 @@
+ #include "iutil.h"
+ #include "ivmspace.h" /* for local/global test */
+ #include "store.h"
++#include "icstate.h"
++#include "iname.h"
++#include "dstack.h"
++#include "idict.h"
+
+ /* Forward references */
+ static void init_block(ref_stack_t *pstack, const ref *pblock_array,
+@@ -294,6 +298,80 @@ ref_stack_store_check(const ref_stack_t *pstack, ref *parray, uint count,
+ return 0;
+ }
+
++int
++ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr)
++{
++ int i, code;
++ ref obj, arr2;
++ ref *pobj2;
++ gs_memory_t *mem = (gs_memory_t *)idmemory->current;
++
++ if (!r_is_array(sarr) || !r_has_type(darr, t_array))
++ return_error(gs_error_typecheck);
++
++ for (i = 0; i < r_size(sarr); i++) {
++ code = array_get(mem, sarr, i, &obj);
++ if (code < 0)
++ make_null(&obj);
++ switch(r_type(&obj)) {
++ case t_operator:
++ {
++ int index = op_index(&obj);
++
++ if (index > 0 && index < op_def_count) {
++ const byte *data = (const byte *)(op_index_def(index)->oname + 1);
++ if (dict_find_string(systemdict, (const char *)data, &pobj2) <= 0) {
++ byte *s = gs_alloc_bytes(mem, strlen((char *)data) + 5, "ref_stack_array_sanitize");
++ if (s) {
++ s[0] = '\0';
++ strcpy((char *)s, "--");
++ strcpy((char *)s + 2, (char *)data);
++ strcpy((char *)s + strlen((char *)data) + 2, "--");
++ }
++ else {
++ s = (byte *)data;
++ }
++ code = name_ref(imemory, s, strlen((char *)s), &obj, 1);
++ if (code < 0) make_null(&obj);
++ if (s != data)
++ gs_free_object(mem, s, "ref_stack_array_sanitize");
++ }
++ }
++ else {
++ make_null(&obj);
++ }
++ ref_assign(darr->value.refs + i, &obj);
++ break;
++ }
++ case t_array:
++ case t_shortarray:
++ case t_mixedarray:
++ {
++ int attrs = r_type_attrs(&obj) & (a_write | a_read | a_execute | a_executable);
++ /* We only want to copy executable arrays */
++ if (attrs & (a_execute | a_executable)) {
++ code = ialloc_ref_array(&arr2, attrs, r_size(&obj), "ref_stack_array_sanitize");
++ if (code < 0) {
++ make_null(&arr2);
++ }
++ else {
++ code = ref_stack_array_sanitize(i_ctx_p, &obj, &arr2);
++ }
++ ref_assign(darr->value.refs + i, &arr2);
++ }
++ else {
++ ref_assign(darr->value.refs + i, &obj);
++ }
++ break;
++ }
++ default:
++ ref_assign(darr->value.refs + i, &obj);
++ }
++ }
++ return 0;
++}
++
++
+ /*
+ * Store the top 'count' elements of a stack, starting 'skip' elements below
+ * the top, into an array, with or without store/undo checking. age=-1 for
+diff --git a/psi/istack.h b/psi/istack.h
+index 051dcbe216cf..54be405adfb3 100644
+--- a/psi/istack.h
++++ b/psi/istack.h
+@@ -129,6 +129,9 @@ int ref_stack_store(const ref_stack_t *pstack, ref *parray, uint count,
+ uint skip, int age, bool check,
+ gs_dual_memory_t *idmem, client_name_t cname);
+
++int
++ref_stack_array_sanitize(i_ctx_t *i_ctx_p, ref *sarr, ref *darr);
++
+ /*
+ * Pop the top N elements off a stack.
+ * The number must not exceed the number of elements in use.
+--
+2.20.1
+
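Review bot: In the copy_stack hunk of psi/interp.c, the added `if (code < 0) return code;` exits before `ialloc_set_space(idmemory, save_space)` runs, so a failing sanitize pass would return without restoring the allocator space (the matching switch is presumably in the part of copy_stack outside the hunk). Dropping the early return and letting control fall through to the existing `ialloc_set_space(...)` and `return code;` keeps the restore on every path. In ref_stack_array_sanitize the result of the recursive call is assigned to `code` but never checked, and the function returns 0 after the initial type check regardless. A short comment stating that per-element failures are deliberately mapped to null objects would make that intent clear. Since this file is a backport of upstream commit 13b0a36f818, any change is best proposed upstream rather than carried locally.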
diff --git a/package/ghostscript/0003-Any-transient-procedures-that-call-.force-operators.patch b/package/ghostscript/0003-Any-transient-procedures-that-call-.force-operators.patch
new file mode 100644
index 0000000000..f4c1db11f0
--- /dev/null
+++ b/package/ghostscript/0003-Any-transient-procedures-that-call-.force-operators.patch
@@ -0,0 +1,441 @@
+From f0397dbfbe5eea325613ff375b30eb0db5551ffe Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Thu, 13 Dec 2018 15:28:34 +0000
+Subject: [PATCH] Any transient procedures that call .force* operators
+
+(i.e. for conditionals or loops) make them executeonly.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 2db98f9c661
+
+ Resource/Init/gs_diskn.ps | 2 +-
+ Resource/Init/gs_dps1.ps | 4 ++--
+ Resource/Init/gs_fntem.ps | 4 ++--
+ Resource/Init/gs_fonts.ps | 12 ++++++------
+ Resource/Init/gs_init.ps | 4 ++--
+ Resource/Init/gs_lev2.ps | 11 ++++++-----
+ Resource/Init/gs_pdfwr.ps | 2 +-
+ Resource/Init/gs_res.ps | 4 ++--
+ Resource/Init/gs_setpd.ps | 2 +-
+ Resource/Init/pdf_base.ps | 13 ++++++++-----
+ Resource/Init/pdf_draw.ps | 16 +++++++++-------
+ Resource/Init/pdf_font.ps | 6 +++---
+ Resource/Init/pdf_main.ps | 4 ++--
+ Resource/Init/pdf_ops.ps | 7 ++++---
+ 14 files changed, 49 insertions(+), 42 deletions(-)
+
+diff --git a/Resource/Init/gs_diskn.ps b/Resource/Init/gs_diskn.ps
+index fd694bc44b5a..8bf20542040d 100644
+--- a/Resource/Init/gs_diskn.ps
++++ b/Resource/Init/gs_diskn.ps
+@@ -51,7 +51,7 @@ systemdict begin
+ mark 5 1 roll ] mark exch { { } forall } forall ]
+ //systemdict /.searchabledevs 2 index .forceput
+ exch .setglobal
+- }
++ } executeonly
+ if
+ } .bind executeonly odef % must be bound and hidden for .forceput
+
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index ec5db61b9f03..4fae2839940c 100644
+--- a/Resource/Init/gs_dps1.ps
++++ b/Resource/Init/gs_dps1.ps
+@@ -78,7 +78,7 @@ level2dict begin
+ .currentglobal
+ { % Current mode is global; delete from local directory too.
+ //systemdict /LocalFontDirectory .knownget
+- { 1 index .forceundef } % LocalFontDirectory is readonly
++ { 1 index .forceundef } executeonly % LocalFontDirectory is readonly
+ if
+ }
+ { % Current mode is local; if there was a shadowed global
+@@ -126,7 +126,7 @@ level2dict begin
+ }
+ ifelse
+ } forall
+- pop counttomark 2 idiv { .forceundef } repeat pop % readonly
++ pop counttomark 2 idiv { .forceundef } executeonly repeat pop % readonly
+ }
+ if
+ //SharedFontDirectory exch .forcecopynew pop
+diff --git a/Resource/Init/gs_fntem.ps b/Resource/Init/gs_fntem.ps
+index c1f7651f18cc..6eb672a6840e 100644
+--- a/Resource/Init/gs_fntem.ps
++++ b/Resource/Init/gs_fntem.ps
+@@ -401,12 +401,12 @@ currentdict end def
+ .forceput % FontInfo can be read-only.
+ pop % bool <font>
+ exit
+- } if
++ } executeonly if
+ dup /FontInfo get % bool <font> <FI>
+ /GlyphNames2Unicode /Unicode /Decoding findresource
+ .forceput % FontInfo can be read-only.
+ exit
+- } loop
++ } executeonly loop
+ exch setglobal
+ } .bind executeonly odef % must be bound and hidden for .forceput
+
+diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
+index 803faca4918d..290da0cd6819 100644
+--- a/Resource/Init/gs_fonts.ps
++++ b/Resource/Init/gs_fonts.ps
+@@ -374,7 +374,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ /.setnativefontmapbuilt { % set whether we've been run
+ dup type /booleantype eq {
+ systemdict exch /.nativefontmapbuilt exch .forceput
+- }
++ } executeonly
+ {pop}
+ ifelse
+ } .bind executeonly odef
+@@ -1007,11 +1007,11 @@ $error /SubstituteFont { } put
+ { 2 index gcheck currentglobal
+ 2 copy eq {
+ pop pop .forceput
+- } {
++ } executeonly {
+ 5 1 roll setglobal
+ dup length string copy
+ .forceput setglobal
+- } ifelse
++ } executeonly ifelse
+ } .bind executeonly odef % must be bound and hidden for .forceput
+
+ % Attempt to load a font from a file.
+@@ -1084,7 +1084,7 @@ $error /SubstituteFont { } put
+ .FontDirectory 3 index .forceundef % readonly
+ 1 index (r) file .loadfont .FontDirectory exch
+ /.setglobal .systemvar exec
+- }
++ } executeonly
+ { .loadfont .FontDirectory
+ }
+ ifelse
+@@ -1105,7 +1105,7 @@ $error /SubstituteFont { } put
+ dup 3 index .fontknownget
+ { dup /PathLoad 4 index .putgstringcopy
+ 4 1 roll pop pop pop //true exit
+- } if
++ } executeonly if
+
+ % Maybe the file had a different FontName.
+ % See if we can get a FontName from the file, and if so,
+@@ -1134,7 +1134,7 @@ $error /SubstituteFont { } put
+ ifelse % Stack: origfontname fontdict
+ exch pop //true exit
+ % Stack: fontdict
+- }
++ } executeonly
+ if pop % Stack: origfontname fontdirectory path
+ }
+ if pop pop % Stack: origfontname
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index d733124b96d1..56c0bd268b53 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2357,7 +2357,7 @@ SAFER { .setsafeglobal } if
+ % Update the copy of the user parameters.
+ mark .currentuserparams counttomark 2 idiv {
+ userparams 3 1 roll .forceput % userparams is read-only
+- } repeat pop
++ } executeonly repeat pop
+ % Turn on idiom recognition, if available.
+ currentuserparams /IdiomRecognition known {
+ /IdiomRecognition //true .definepsuserparam
+@@ -2376,7 +2376,7 @@ SAFER { .setsafeglobal } if
+ % Remove real system params from pssystemparams.
+ mark .currentsystemparams counttomark 2 idiv {
+ pop pssystemparams exch .forceundef
+- } repeat pop
++ } executeonly repeat pop
+ } if
+
+ % Set up AlignToPixels :
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 44fe61956659..0f0d57331c23 100644
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -154,7 +154,8 @@ end
+ % protect top level of parameters that we copied
+ dup type dup /arraytype eq exch /stringtype eq or { readonly } if
+ /userparams .systemvar 3 1 roll .forceput % userparams is read-only
+- } {
++ } executeonly
++ {
+ pop pop
+ } ifelse
+ } forall
+@@ -224,7 +225,7 @@ end
+ % protect top level parameters that we copied
+ dup type dup /arraytype eq exch /stringtype eq or { readonly } if
+ //pssystemparams 3 1 roll .forceput % pssystemparams is read-only
+- }
++ } executeonly
+ { pop pop
+ }
+ ifelse
+@@ -934,7 +935,7 @@ mark
+ dup /PaintProc get
+ 1 index /Implementation known not {
+ 1 index dup /Implementation //null .forceput readonly pop
+- } if
++ } executeonly if
+ exec
+ }.bind odef
+
+@@ -958,7 +959,7 @@ mark
+ dup /PaintProc get
+ 1 index /Implementation known not {
+ 1 index dup /Implementation //null .forceput readonly pop
+- } if
++ } executeonly if
+ /UNROLLFORMS where {/UNROLLFORMS get}{false}ifelse not
+ %% [CTM] <<Form>> PaintProc .beginform -
+ {
+@@ -1005,7 +1006,7 @@ mark
+ %% Form dictioanry using the /Implementation key).
+ 1 dict dup /FormID 4 -1 roll put
+ 1 index exch /Implementation exch .forceput readonly pop
+- }
++ } executeonly
+ ifelse
+ }
+ {
+diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps
+index 58e75d3a4831..b425103d1cf3 100644
+--- a/Resource/Init/gs_pdfwr.ps
++++ b/Resource/Init/gs_pdfwr.ps
+@@ -650,7 +650,7 @@ currentdict /.pdfmarkparams .undef
+ } ifelse
+ } bind .makeoperator .forceput
+ systemdict /.pdf_hooked_DSC_Creator //true .forceput
+- } if
++ } executeonly if
+ pop
+ } if
+ } {
+diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
+index 8eb8bb0e5829..d9b34599e7c2 100644
+--- a/Resource/Init/gs_res.ps
++++ b/Resource/Init/gs_res.ps
+@@ -152,7 +152,7 @@ setglobal
+ % use .forceput / .forcedef later to replace the dummy,
+ % empty .Instances dictionary with the real one later.
+ readonly
+- } {
++ }{
+ /defineresource cvx /typecheck signaloperror
+ } ifelse
+ } bind executeonly odef
+@@ -424,7 +424,7 @@ status {
+ % As noted above, Category dictionaries are read-only,
+ % so we have to use .forcedef here.
+ /.Instances 1 index .forcedef % Category dict is read-only
+- } if
++ } executeonly if
+ }
+ { .LocalInstances dup //.emptydict eq
+ { pop 3 dict localinstancedict Category 2 index put
+diff --git a/Resource/Init/gs_setpd.ps b/Resource/Init/gs_setpd.ps
+index e22597ebb5f3..7875d1f2f131 100644
+--- a/Resource/Init/gs_setpd.ps
++++ b/Resource/Init/gs_setpd.ps
+@@ -634,7 +634,7 @@ NOMEDIAATTRS {
+ SETPDDEBUG { (Rolling back.) = pstack flush } if
+ 3 index 2 index 3 -1 roll .forceput
+ 4 index 1 index .knownget
+- { 4 index 3 1 roll .forceput }
++ { 4 index 3 1 roll .forceput } executeonly
+ { 3 index exch .undef }
+ ifelse
+ } bind executeonly odef
+diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps
+index b45e9803165e..73127296c221 100644
+--- a/Resource/Init/pdf_base.ps
++++ b/Resource/Init/pdf_base.ps
+@@ -130,26 +130,29 @@ currentdict /num-chars-dict .undef
+
+ /.pdfexectoken { % <count> <opdict> <exectoken> .pdfexectoken ?
+ PDFDEBUG {
+- pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } if
++ pdfdict /PDFSTEPcount known not { pdfdict /PDFSTEPcount 1 .forceput } executeonly if
+ PDFSTEP {
+ pdfdict /PDFtokencount 2 copy .knownget { 1 add } { 1 } ifelse .forceput
+ PDFSTEPcount 1 gt {
+ pdfdict /PDFSTEPcount PDFSTEPcount 1 sub .forceput
+- } {
++ } executeonly
++ {
+ dup ==only
+ ( step # ) print PDFtokencount =only
+ ( ? ) print flush 1 //false .outputpage
+ (%stdin) (r) file 255 string readline {
+ token {
+ exch pop pdfdict /PDFSTEPcount 3 -1 roll .forceput
+- } {
++ } executeonly
++ {
+ pdfdict /PDFSTEPcount 1 .forceput
+- } ifelse % token
++ } executeonly ifelse % token
+ } {
+ pop /PDFSTEP //false def % EOF on stdin
+ } ifelse % readline
+ } ifelse % PDFSTEPcount > 1
+- } {
++ } executeonly
++ {
+ dup ==only () = flush
+ } ifelse % PDFSTEP
+ } if % PDFDEBUG
+diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
+index 6b0ba93e1e73..40c6ac80acce 100644
+--- a/Resource/Init/pdf_draw.ps
++++ b/Resource/Init/pdf_draw.ps
+@@ -1118,14 +1118,14 @@ currentdict end readonly def
+ pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+- } ifelse
++ } executeonly ifelse
+ }
+ {
+ currentglobal pdfdict gcheck .setglobal
+ pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+- } ifelse
++ } executeonly ifelse
+ end
+ } ifelse
+ } loop
+@@ -1141,14 +1141,14 @@ currentdict end readonly def
+ pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+- } ifelse
++ } executeonly ifelse
+ }
+ {
+ currentglobal pdfdict gcheck .setglobal
+ pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+- } ifelse
++ } executeonly ifelse
+ } if
+ pop
+
+@@ -2350,9 +2350,10 @@ currentdict /last-ditch-bpc-csp undef
+ /IncrementAppearanceNumber {
+ pdfdict /AppearanceNumber .knownget {
+ 1 add pdfdict /AppearanceNumber 3 -1 roll .forceput
+- }{
++ } executeonly
++ {
+ pdfdict /AppearanceNumber 0 .forceput
+- } ifelse
++ } executeonly ifelse
+ }bind executeonly odef
+
+ /MakeAppearanceName {
+@@ -2510,7 +2511,8 @@ currentdict /last-ditch-bpc-csp undef
+ %% want to preserve it.
+ pdfdict /.PreservePDFForm false .forceput
+ /q cvx /execform cvx 5 -2 roll
+- }{
++ } executeonly
++ {
+ /q cvx /PDFexecform cvx 5 -2 roll
+ } ifelse
+
+diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps
+index bea9ea95ad1d..4cd62b9d9bb4 100644
+--- a/Resource/Init/pdf_font.ps
++++ b/Resource/Init/pdf_font.ps
+@@ -714,7 +714,7 @@ currentdict end readonly def
+ pop pop pop
+ currentdict /.stackdepth .forceundef
+ currentdict /.dstackdepth .forceundef
+- }
++ } executeonly
+ {pop pop pop}
+ ifelse
+
+@@ -1232,7 +1232,7 @@ currentdict /eexec_pdf_param_dict .undef
+ (\n **** Warning: Type 3 glyph has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n)
+ pdfformatwarning
+ pdfdict /.Qqwarning_issued //true .forceput
+- } if
++ } executeonly if
+ Q
+ } repeat
+ Q
+@@ -2016,7 +2016,7 @@ currentdict /CMap_read_dict undef
+ /CIDFallBack /CIDFont findresource
+ } if
+ exit
+- } if
++ } executeonly if
+ } if
+ } if
+
+diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
+index 00da47a48711..37e69b39ac98 100644
+--- a/Resource/Init/pdf_main.ps
++++ b/Resource/Init/pdf_main.ps
+@@ -2701,14 +2701,14 @@ currentdict /PDF2PS_matrix_key undef
+ pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+- } ifelse
++ } executeonly ifelse
+ }
+ {
+ currentglobal pdfdict gcheck .setglobal
+ pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+- } ifelse
++ } executeonly ifelse
+ } if
+ } if
+ pop
+diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps
+index 8672d617f363..aa0964139a56 100644
+--- a/Resource/Init/pdf_ops.ps
++++ b/Resource/Init/pdf_ops.ps
+@@ -184,14 +184,14 @@ currentdict /gput_always_allow .undef
+ pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+- } ifelse
++ } executeonly ifelse
+ }
+ {
+ currentglobal pdfdict gcheck .setglobal
+ pdfdict /.Qqwarning_issued //true .forceput
+ .setglobal
+ pdfformaterror
+- } ifelse
++ } executeonly ifelse
+ } if
+ } bind executeonly odef
+
+@@ -439,7 +439,8 @@ currentdict /gput_always_allow .undef
+ dup type /booleantype eq {
+ .currentSMask type /dicttype eq {
+ .currentSMask /Processed 2 index .forceput
+- } {
++ } executeonly
++ {
+ .setSMask
+ }ifelse
+ }{
+--
+2.20.1
+
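Review bot: In the first gs_lev2.ps hunk that touches `/Implementation //null .forceput`, the inner procedure gains `executeonly`, but the enclosing definition still closes with `}.bind odef`. The gs_diskn.ps, gs_fntem.ps and gs_fonts.ps definitions in the same patch close with `.bind executeonly odef % must be bound and hidden for .forceput`. If that operator is meant to be hidden the same way, its closing line would read `}.bind executeonly odef`; its opening is outside the quoted context, so this needs checking against the full file. The gs_res.ps hunk at `readonly` / `}{` changes only whitespace and adds no `executeonly`, which deserves a line in the patch description so it is not mistaken for a missed spot.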
diff --git a/package/ghostscript/0004-Bug700317-Fix-logic-for-an-older-change.patch b/package/ghostscript/0004-Bug700317-Fix-logic-for-an-older-change.patch
new file mode 100644
index 0000000000..65ebd44df2
--- /dev/null
+++ b/package/ghostscript/0004-Bug700317-Fix-logic-for-an-older-change.patch
@@ -0,0 +1,31 @@
+From af9a9dceb7be7df743d55c4d078a1ae846b6f556 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Sat, 15 Dec 2018 09:08:32 +0000
+Subject: [PATCH] Bug700317: Fix logic for an older change
+
+Unlike almost every other function in gs, dict_find_string() returns 1 on
+success 0 or <0 on failure. The logic for this case was wrong.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 99f13091a3
+
+ psi/interp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/interp.c b/psi/interp.c
+index aa5779c51420..f6c45bbe24dc 100644
+--- a/psi/interp.c
++++ b/psi/interp.c
+@@ -703,7 +703,7 @@ again:
+ * i.e. it's an internal operator we have hidden
+ */
+ code = dict_find_string(systemdict, (const char *)bufptr, &tobj);
+- if (code < 0) {
++ if (code <= 0) {
+ buf[0] = buf[1] = buf[rlen + 2] = buf[rlen + 3] = '-';
+ rlen += 4;
+ bufptr = buf;
+--
+2.20.1
+
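Review bot: The corrected test `if (code <= 0)` relies on a return convention that differs from the rest of the interpreter, and nothing at the call site in psi/interp.c records it. A one-line comment above the test, `/* dict_find_string() returns 1 when found, 0 or <0 when not */`, would keep a later cleanup from turning the check back into `code < 0`. The enclosing function and the declaration of `buf` are outside the hunk, so whether `rlen + 4` always fits in `buf` cannot be confirmed from here and is worth checking when the patch is refreshed.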
diff --git a/package/ghostscript/0005-Harden-some-uses-of-.force-operators.patch b/package/ghostscript/0005-Harden-some-uses-of-.force-operators.patch
new file mode 100644
index 0000000000..f5a70ac467
--- /dev/null
+++ b/package/ghostscript/0005-Harden-some-uses-of-.force-operators.patch
@@ -0,0 +1,135 @@
+From b197ea0e528c20b7ee67785c50b4e06e0aa990f8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 18 Dec 2018 10:42:10 +0000
+Subject: [PATCH] Harden some uses of .force* operators
+
+by adding a few immediate evalutions
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 59d8f4deef90
+
+ Resource/Init/gs_dps1.ps | 4 ++--
+ Resource/Init/gs_fonts.ps | 20 ++++++++++----------
+ Resource/Init/gs_init.ps | 6 +++---
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index 4fae2839940c..b75ea14e77a3 100644
+--- a/Resource/Init/gs_dps1.ps
++++ b/Resource/Init/gs_dps1.ps
+@@ -74,7 +74,7 @@ level2dict begin
+ } odef
+ % undefinefont has to take local/global VM into account.
+ /undefinefont % <fontname> undefinefont -
+- { .FontDirectory 1 .argindex .forceundef % FontDirectory is readonly
++ { //.FontDirectory 1 .argindex .forceundef % FontDirectory is readonly
+ .currentglobal
+ { % Current mode is global; delete from local directory too.
+ //systemdict /LocalFontDirectory .knownget
+@@ -85,7 +85,7 @@ level2dict begin
+ % definition, copy it into the local directory.
+ //systemdict /SharedFontDirectory .knownget
+ { 1 index .knownget
+- { .FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
++ { //.FontDirectory 2 index 3 -1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse } % readonly
+ if
+ }
+ if
+diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
+index 290da0cd6819..c13a2fcc2d43 100644
+--- a/Resource/Init/gs_fonts.ps
++++ b/Resource/Init/gs_fonts.ps
+@@ -516,7 +516,7 @@ buildfontdict 3 /.buildfont3 cvx put
+ if
+ }
+ if
+- dup .FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
++ dup //.FontDirectory 4 -2 roll { .growput } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
+ % If the font originated as a resource, register it.
+ currentfile .currentresourcefile eq { dup .registerfont } if
+ readonly
+@@ -943,7 +943,7 @@ $error /SubstituteFont { } put
+ % Try to find a font using only the present contents of Fontmap.
+ /.tryfindfont { % <fontname> .tryfindfont <font> true
+ % <fontname> .tryfindfont false
+- .FontDirectory 1 index .fontknownget
++ //.FontDirectory 1 index .fontknownget
+ { % Already loaded
+ exch pop //true
+ }
+@@ -975,7 +975,7 @@ $error /SubstituteFont { } put
+ { % Font with a procedural definition
+ exec % The procedure will load the font.
+ % Check to make sure this really happened.
+- .FontDirectory 1 index .knownget
++ //.FontDirectory 1 index .knownget
+ { exch pop //true exit }
+ if
+ }
+@@ -1081,11 +1081,11 @@ $error /SubstituteFont { } put
+ % because it's different depending on language level.
+ .currentglobal exch /.setglobal .systemvar exec
+ % Remove the fake definition, if any.
+- .FontDirectory 3 index .forceundef % readonly
+- 1 index (r) file .loadfont .FontDirectory exch
++ //.FontDirectory 3 index .forceundef % readonly
++ 1 index (r) file .loadfont //.FontDirectory exch
+ /.setglobal .systemvar exec
+ } executeonly
+- { .loadfont .FontDirectory
++ { .loadfont //.FontDirectory
+ }
+ ifelse
+ % Stack: fontname fontfilename fontdirectory
+@@ -1119,8 +1119,8 @@ $error /SubstituteFont { } put
+ % Stack: origfontname fontdirectory filefontname fontdict
+ 3 -1 roll pop
+ % Stack: origfontname filefontname fontdict
+- dup /FontName get dup FontDirectory exch .forceundef
+- GlobalFontDirectory exch .forceundef
++ dup /FontName get dup //.FontDirectory exch .forceundef
++ /GlobalFontDirectory .systemvar exch .forceundef
+ dup length dict .copydict dup 3 index /FontName exch put
+ 2 index exch definefont
+ exch
+@@ -1176,10 +1176,10 @@ currentdict /.putgstringcopy .undef
+ {
+ {
+ pop dup type /stringtype eq { cvn } if
+- .FontDirectory 1 index known not {
++ //.FontDirectory 1 index known not {
+ 2 dict dup /FontName 3 index put
+ dup /FontType 1 put
+- .FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
++ //.FontDirectory 3 1 roll { put } systemdict /superexec known {//superexec}{1183615869 internaldict /superexec get exec} ifelse % readonly
+ } {
+ pop
+ } ifelse
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index 56c0bd268b53..d9a0829f7f97 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -1168,8 +1168,8 @@ errordict /unknownerror .undef
+ }ifelse
+ }forall
+ noaccess pop
+- systemdict /.setsafeerrors .forceundef
+- systemdict /.SAFERERRORLIST .forceundef
++ //systemdict /.setsafeerrors .forceundef
++ //systemdict /.SAFERERRORLIST .forceundef
+ } bind executeonly odef
+
+ SAFERERRORS {.setsafererrors} if
+@@ -2114,7 +2114,7 @@ currentdict /tempfilepaths undef
+
+ /.locksafe {
+ .locksafe_userparams
+- systemdict /getenv {pop //false} .forceput
++ //systemdict /getenv {pop //false} .forceput
+ % setpagedevice has the side effect of clearing the page, but
+ % we will just document that. Using setpagedevice keeps the device
+ % properties and pagedevice .LockSafetyParams in agreement even
+--
+2.20.1
+
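Review bot: Several lines this patch touches still resolve `systemdict` by name at run time in the `systemdict /superexec known {//superexec}{...} ifelse` test: the `{ put }` line of undefinefont in gs_dps1.ps, and the `.growput` and `{ put }` lines in gs_fonts.ps. The same patch switches `systemdict /.setsafeerrors .forceundef` and the `.locksafe` line to `//systemdict`. For consistency the test could start `//systemdict /superexec known`, leaving the rest of the line as it is. Separately, the gs_fonts.ps line `dup /FontName get dup //.FontDirectory exch .forceundef` replaces `FontDirectory` with `.FontDirectory`, and the next line replaces `GlobalFontDirectory` with `/GlobalFontDirectory .systemvar`; that is more than adding immediate evaluation and deserves a sentence in the description. The enclosing procedures start and end outside the quoted context.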
diff --git a/package/ghostscript/0006-Undefine-a-bunch-of-gs_fonts.ps-specific-procs.patch b/package/ghostscript/0006-Undefine-a-bunch-of-gs_fonts.ps-specific-procs.patch
new file mode 100644
index 0000000000..4bbdef9dd1
--- /dev/null
+++ b/package/ghostscript/0006-Undefine-a-bunch-of-gs_fonts.ps-specific-procs.patch
@@ -0,0 +1,587 @@
+From 5628be1c41d23298aa5fce2f6dd48e2eb81f4be1 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 9 Jan 2019 14:24:07 +0000
+Subject: [PATCH] Undefine a bunch of gs_fonts.ps specific procs
+
+Also reorder and add some immediate evaluation, so it still works with the
+undefining.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 2768d1a6dddb
+
+ Resource/Init/gs_dps1.ps | 3 +-
+ Resource/Init/gs_fonts.ps | 275 +++++++++++++++++++++-----------------
+ Resource/Init/gs_res.ps | 6 +-
+ 3 files changed, 156 insertions(+), 128 deletions(-)
+
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index b75ea14e77a3..8700c8cb304b 100644
+--- a/Resource/Init/gs_dps1.ps
++++ b/Resource/Init/gs_dps1.ps
+@@ -67,7 +67,8 @@ level2dict begin
+
+ /selectfont % <fontname> <size> selectfont -
+ {
+- { 1 .argindex findfont
++ {
++ 1 .argindex findfont
+ 1 index dup type /arraytype eq { makefont } { scalefont } ifelse
+ setfont pop pop
+ } stopped { /selectfont .systemvar $error /errorname get signalerror } if
+diff --git a/Resource/Init/gs_fonts.ps b/Resource/Init/gs_fonts.ps
+index c13a2fcc2d43..056223544340 100644
+--- a/Resource/Init/gs_fonts.ps
++++ b/Resource/Init/gs_fonts.ps
+@@ -100,7 +100,7 @@ userdict /.nativeFontmap .FontDirectory maxlength dict put
+ { 2 index token not
+ { (Fontmap entry for ) print 1 index =only
+ ( ends prematurely! Giving up.) = flush
+- {.loadFontmap} 0 get 1 .quit
++ {//.loadFontmap exec} 0 get 1 .quit
+ } if
+ dup /; eq { pop 3 index 3 1 roll .growput exit } if
+ pop
+@@ -202,6 +202,14 @@ NOFONTPATH { /FONTPATH () def } if
+ { pop }
+ { /FONTPATH (GS_FONTPATH) getenv not { () } if def }
+ ifelse
++
++% The following are dummy definitions that, if we have a FONTPATH, will
++% be replaced in the following section.
++% They are here so immediately evaulation will work, and allow them to
++% undefined at the bottom of the file.
++/.scanfontbegin{} bind def
++/.scanfontdir {} bind def
++
+ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ /FONTPATH [ FONTPATH .pathlist ] def
+
+@@ -242,12 +250,12 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ /.scanfontbegin
+ { % Construct the table of all file names already in Fontmap.
+ currentglobal //true setglobal
+- .scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength
++ //.scanfontdict dup maxlength Fontmap length 2 add .max .setmaxlength
+ Fontmap
+ { exch pop
+ { dup type /stringtype eq
+- { .splitfilename pop .fonttempstring copy .lowerstring cvn
+- .scanfontdict exch //true put
++ { //.splitfilename exec pop //.fonttempstring copy //.lowerstring exec cvn
++ //.scanfontdict exch //true put
+ }
+ { pop
+ }
+@@ -280,9 +288,9 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ /txt //true
+ .dicttomark def
+ /.scan1fontstring 8192 string def
+-% %%BeginFont: is not per Adobe documentation, but a few fonts have it.
++% BeginFont: is not per Adobe documentation, but a few fonts have it.
+ /.scanfontheaders [(%!PS-Adobe*) (%!FontType*) (%%BeginFont:*)] def
+-0 .scanfontheaders { length .max } forall 6 add % extra for PFB header
++0 //.scanfontheaders { length .max } forall 6 add % extra for PFB header
+ /.scan1fontfirst exch string def
+ /.scanfontdir % <dirname> .scanfontdir -
+ { currentglobal exch //true setglobal
+@@ -291,10 +299,10 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ 0 0 0 4 -1 roll % found scanned files
+ { % stack: <fontcount> <scancount> <filecount> <filename>
+ exch 1 add exch % increment filecount
+- dup .splitfilename .fonttempstring copy .lowerstring
++ dup //.splitfilename exec //.fonttempstring copy //.lowerstring exec
+ % stack: <fontcount> <scancount> <filecount+1> <filename>
+ % <BASE> <ext>
+- .scanfontskip exch known exch .scanfontdict exch known or
++ //.scanfontskip exch known exch //.scanfontdict exch known or
+ { pop
+ % stack: <fontcount> <scancount> <filecount+1>
+ }
+@@ -309,7 +317,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ % On some platforms, the file operator will open directories,
+ % but an error will occur if we try to read from one.
+ % Handle this possibility here.
+- dup .scan1fontfirst { readstring } .internalstopped
++ dup //.scan1fontfirst { readstring } .internalstopped
+ { pop pop () }
+ { pop }
+ ifelse
+@@ -322,7 +330,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ { dup length 6 sub 6 exch getinterval }
+ if
+ % Check for font file headers.
+- //false .scanfontheaders
++ //false //.scanfontheaders
+ { 2 index exch .stringmatch or
+ }
+ forall exch pop
+@@ -335,7 +343,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ { exch copystring exch
+ DEBUG { ( ) print dup =only flush } if
+ 1 index .definenativefontmap
+- .splitfilename pop //true .scanfontdict 3 1 roll .growput
++ //.splitfilename exec pop //true //.scanfontdict 3 1 roll .growput
+ % Increment fontcount.
+ 3 -1 roll 1 add 3 1 roll
+ }
+@@ -352,7 +360,7 @@ FONTPATH length 0 eq { (%END FONTPATH) .skipeof } if
+ }
+ ifelse
+ }
+- .scan1fontstring filenameforall
++ //.scan1fontstring filenameforall
+ QUIET
+ { pop pop pop }
+ { ( ) print =only ( files, ) print =only ( scanned, ) print
+@@ -422,7 +430,6 @@ systemdict /NONATIVEFONTMAP known .setnativefontmapbuilt
+ //true .setnativefontmapbuilt
+ } ifelse
+ } bind def
+-currentdict /.setnativefontmapbuilt .forceundef
+
+ % Create the dictionary that registers the .buildfont procedure
+ % (called by definefont) for each FontType.
+@@ -526,7 +533,8 @@ buildfontdict 3 /.buildfont3 cvx put
+ % We use this only for explicitly aliased fonts, not substituted fonts:
+ % we think this matches the observed behavior of Adobe interpreters.
+ /.aliasfont % <name> <font> .aliasfont <newFont>
+- { .currentglobal 3 1 roll dup .gcheck .setglobal
++ {
++ currentglobal 3 1 roll dup gcheck setglobal
+ % <bool> <name> <font>
+ dup length 2 add dict % <bool> <name> <font> <dict>
+ dup 3 -1 roll % <bool> <name> <dict> <dict> <font>
+@@ -541,7 +549,7 @@ buildfontdict 3 /.buildfont3 cvx put
+ % whose FontName is a local non-string, if someone passed a
+ % garbage value to findfont. In this case, just don't
+ % call definefont at all.
+- 2 index dup type /stringtype eq exch .gcheck or 1 index .gcheck not or
++ 2 index dup type /stringtype eq exch gcheck or 1 index gcheck not or
+ { pop % <bool> <name> <dict>
+ 1 index dup type /stringtype eq { cvn } if
+ % <bool> <name> <dict> <name1>
+@@ -566,10 +574,11 @@ buildfontdict 3 /.buildfont3 cvx put
+ % Don't bind in definefont, since Level 2 redefines it.
+ /definefont .systemvar exec
+ }
+- { /findfont cvx {.completefont} .errorexec pop exch pop
++ {
++ /findfont cvx {.completefont} //.errorexec exec pop exch pop
+ }
+ ifelse
+- exch .setglobal
++ exch setglobal
+ } odef % so findfont will bind it
+
+ % Define .loadfontfile for loading a font. If we recognize Type 1 and/or
+@@ -669,10 +678,19 @@ buildfontdict 3 /.buildfont3 cvx put
+ [(Cn) 4] [(Cond) 4] [(Narrow) 4] [(Pkg) 4] [(Compr) 4]
+ [(Serif) 8] [(Sans) -8]
+ ] readonly def
++
++/.fontnamestring { % <fontname> .fontnamestring <string|name>
++ dup type dup /nametype eq {
++ pop .namestring
++ } {
++ /stringtype ne { pop () } if
++ } ifelse
++} bind def
++
+ /.fontnameproperties { % <int> <string|name> .fontnameproperties
+ % <int'>
+- .fontnamestring
+- .substituteproperties {
++ //.fontnamestring exec
++ //.substituteproperties {
+ 2 copy 0 get search {
+ pop pop pop dup length 1 sub 1 exch getinterval 3 -1 roll exch {
+ dup 0 ge { or } { neg not and } ifelse
+@@ -710,13 +728,7 @@ buildfontdict 3 /.buildfont3 cvx put
+ % <other> .nametostring <other>
+ dup type /nametype eq { .namestring } if
+ } bind def
+-/.fontnamestring { % <fontname> .fontnamestring <string|name>
+- dup type dup /nametype eq {
+- pop .namestring
+- } {
+- /stringtype ne { pop () } if
+- } ifelse
+-} bind def
++
+ /.substitutefontname { % <fontname> <properties> .substitutefontname
+ % <altname|null>
+ % Look for properties and/or a face name in the font name.
+@@ -724,7 +736,7 @@ buildfontdict 3 /.buildfont3 cvx put
+ % base font; otherwise, use the default font.
+ % Note that the "substituted" font name may be the same as
+ % the requested one; the caller must check this.
+- exch .fontnamestring {
++ exch //.fontnamestring exec {
+ defaultfontname /Helvetica-Oblique /Helvetica-Bold /Helvetica-BoldOblique
+ /Helvetica-Narrow /Helvetica-Narrow-Oblique
+ /Helvetica-Narrow-Bold /Helvetica-Narrow-BoldOblique
+@@ -734,12 +746,12 @@ buildfontdict 3 /.buildfont3 cvx put
+ } 3 1 roll
+ % Stack: facelist properties fontname
+ % Look for a face name.
+- .substitutefaces {
++ //.substitutefaces {
+ 2 copy 0 get search {
+ pop pop pop
+ % Stack: facelist properties fontname [(pattern) family properties]
+ dup 2 get 4 -1 roll or 3 1 roll
+- 1 get .substitutefamilies exch get
++ 1 get //.substitutefamilies exch get
+ 4 -1 roll pop 3 1 roll
+ } {
+ pop pop
+@@ -748,7 +760,7 @@ buildfontdict 3 /.buildfont3 cvx put
+ 1 index length mod get exec
+ } bind def
+ /.substitutefont { % <fontname> .substitutefont <altname>
+- dup 0 exch .fontnameproperties .substitutefontname
++ dup 0 exch //.fontnameproperties exec .substitutefontname
+ % Only accept fonts known in the Fontmap.
+ Fontmap 1 index known not
+ {
+@@ -814,7 +826,7 @@ FAKEFONTS not { (%END FAKEFONTS) .skipeof } if
+ counttomark 1 sub { .aliasfont } repeat end
+ % <fontname> mark <font>
+ exch pop exch pop
+-} odef
++} bind odef
+ /findfont {
+ .findfont
+ } bind def
+@@ -860,7 +872,7 @@ FAKEFONTS not { (%END FAKEFONTS) .skipeof } if
+ } {
+ dup .substitutefont
+ 2 copy eq { pop defaultfontname } if
+- .checkalias
++ //.checkalias exec
+ QUIET not {
+ SHORTERRORS {
+ (%%[) print 1 index =only
+@@ -886,8 +898,8 @@ $error /SubstituteFont { } put
+ //null 0 1 FONTPATH length 1 sub {
+ FONTPATH 1 index get //null ne { exch pop exit } if pop
+ } for dup //null ne {
+- dup 0 eq { .scanfontbegin } if
+- FONTPATH 1 index get .scanfontdir
++ dup 0 eq { //.scanfontbegin exec} if
++ FONTPATH 1 index get //.scanfontdir exec
+ FONTPATH exch //null put //true
+ } {
+ pop //false
+@@ -897,11 +909,10 @@ $error /SubstituteFont { } put
+ % scanning of FONTPATH.
+ /.dofindfont { % mark <fontname> .dofindfont % mark <alias> ... <font>
+ .tryfindfont not {
+-
+ % We didn't find the font. If we haven't scanned
+ % all the directories in FONTPATH, scan the next one
+ % now and look for the font again.
+- .scannextfontdir {
++ //.scannextfontdir exec {
+ % Start over with an empty alias list.
+ counttomark 1 sub { pop } repeat % mark <fontname>
+ .dofindfont
+@@ -927,6 +938,7 @@ $error /SubstituteFont { } put
+ } if
+ % Substitute for the font. Don't alias.
+ % Same stack as at the beginning of .dofindfont.
++
+ $error /SubstituteFont get exec
+ %
+ % igorm: I guess the surrounding code assumes that .stdsubstfont
+@@ -935,72 +947,11 @@ $error /SubstituteFont { } put
+ % used in .dofindfont and through .stdsubstfont
+ % just to represent a simple iteration,
+ % which accumulates the aliases after the mark.
+- .stdsubstfont
++ //.stdsubstfont exec
+ } ifelse
+ } ifelse
+ } if
+ } bind def
+-% Try to find a font using only the present contents of Fontmap.
+-/.tryfindfont { % <fontname> .tryfindfont <font> true
+- % <fontname> .tryfindfont false
+- //.FontDirectory 1 index .fontknownget
+- { % Already loaded
+- exch pop //true
+- }
+- {
+- dup Fontmap exch .knownget
+- { //true //true }
+- { % Unknown font name. Look for a file with the
+- % same name as the requested font.
+- dup .tryloadfont
+- { exch pop //true //false }
+- {
+- % if we can't load by name check the native font map
+- dup .nativeFontmap exch .knownget
+- { //true //true }
+- { //false //false } ifelse
+- } ifelse
+- } ifelse
+-
+- { % Try each element of the Fontmap in turn.
+- pop
+- //false exch % (in case we exhaust the list)
+- % Stack: fontname false fontmaplist
+- { exch pop
+- dup type /nametype eq
+- { % Font alias
+- .checkalias .tryfindfont exit
+- }
+- { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and
+- { % Font with a procedural definition
+- exec % The procedure will load the font.
+- % Check to make sure this really happened.
+- //.FontDirectory 1 index .knownget
+- { exch pop //true exit }
+- if
+- }
+- { % Font file name
+- //true .loadfontloop { //true exit } if
+- }
+- ifelse
+- }
+- ifelse //false
+- }
+- forall
+- % Stack: font true -or- fontname false
+- { //true
+- }
+- { % None of the Fontmap entries worked.
+- % Try loading a file with the same name
+- % as the requested font.
+- .tryloadfont
+- }
+- ifelse
+- }
+- if
+- }
+- ifelse
+- } bind def
+
+ % any user of .putgstringcopy must use bind and executeonly
+ /.putgstringcopy % <dict> <name> <string> .putgstringcopy -
+@@ -1014,25 +965,6 @@ $error /SubstituteFont { } put
+ } executeonly ifelse
+ } .bind executeonly odef % must be bound and hidden for .forceput
+
+-% Attempt to load a font from a file.
+-/.tryloadfont { % <fontname> .tryloadfont <font> true
+- % <fontname> .tryloadfont false
+- dup .nametostring
+- % Hack: check for the presence of the resource machinery.
+- /.genericrfn where {
+- pop
+- pop dup .fonttempstring /FontResourceDir getsystemparam .genericrfn
+- {//false .loadfontloop} .internalstopped {//false} if {
+- //true
+- } {
+- dup .nametostring
+- {//true .loadfontloop} .internalstopped {//false} if
+- } ifelse
+- } {
+- {//true .loadfontloop} .internalstopped {//false} if
+- } ifelse
+-} bind def
+-
+ /.loadfontloop { % <fontname> <filename> <libflag> .loadfontloop
+ % <font> true
+ % -or-
+@@ -1102,7 +1034,7 @@ $error /SubstituteFont { } put
+ } if
+
+ % Check to make sure the font was actually loaded.
+- dup 3 index .fontknownget
++ dup 3 index //.fontknownget exec
+ { dup /PathLoad 4 index .putgstringcopy
+ 4 1 roll pop pop pop //true exit
+ } executeonly if
+@@ -1113,7 +1045,7 @@ $error /SubstituteFont { } put
+ exch dup % Stack: origfontname fontdirectory path path
+ (r) file .findfontname
+ { % Stack: origfontname fontdirectory path filefontname
+- 2 index 1 index .fontknownget
++ 2 index 1 index //.fontknownget exec
+ { % Yes. Stack: origfontname fontdirectory path filefontname fontdict
+ dup 4 -1 roll /PathLoad exch .putgstringcopy
+ % Stack: origfontname fontdirectory filefontname fontdict
+@@ -1136,7 +1068,7 @@ $error /SubstituteFont { } put
+ % Stack: fontdict
+ } executeonly
+ if pop % Stack: origfontname fontdirectory path
+- }
++ } executeonly
+ if pop pop % Stack: origfontname
+
+ % The font definitely did not load correctly.
+@@ -1150,7 +1082,87 @@ $error /SubstituteFont { } put
+
+ } bind executeonly odef % must be bound and hidden for .putgstringcopy
+
+-currentdict /.putgstringcopy .undef
++% Attempt to load a font from a file.
++/.tryloadfont { % <fontname> .tryloadfont <font> true
++ % <fontname> .tryloadfont false
++ dup //.nametostring exec
++ % Hack: check for the presence of the resource machinery.
++ /.genericrfn where {
++ pop
++ pop dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn
++ {//false .loadfontloop} .internalstopped {//false} if {
++ //true
++ } {
++ dup //.nametostring exec
++ {//true .loadfontloop} .internalstopped {//false} if
++ } ifelse
++ } {
++ {//true .loadfontloop} .internalstopped {//false} if
++ } ifelse
++} bind def
++
++% Try to find a font using only the present contents of Fontmap.
++/.tryfindfont { % <fontname> .tryfindfont <font> true
++ % <fontname> .tryfindfont false
++ //.FontDirectory 1 index //.fontknownget exec
++ { % Already loaded
++ exch pop //true
++ }
++ {
++ dup Fontmap exch .knownget
++ { //true //true }
++ { % Unknown font name. Look for a file with the
++ % same name as the requested font.
++ dup //.tryloadfont exec
++ { exch pop //true //false }
++ {
++ % if we can't load by name check the native font map
++ dup .nativeFontmap exch .knownget
++ { //true //true }
++ { //false //false } ifelse
++ } ifelse
++ } ifelse
++
++ { % Try each element of the Fontmap in turn.
++ pop
++ //false exch % (in case we exhaust the list)
++ % Stack: fontname false fontmaplist
++ { exch pop
++ dup type /nametype eq
++ { % Font alias
++ //.checkalias exec
++ .tryfindfont exit
++ }
++ { dup dup type dup /arraytype eq exch /packedarraytype eq or exch xcheck and
++ { % Font with a procedural definition
++ exec % The procedure will load the font.
++ % Check to make sure this really happened.
++ //.FontDirectory 1 index .knownget
++ { exch pop //true exit }
++ if
++ }
++ { % Font file name
++ //true .loadfontloop { //true exit } if
++ }
++ ifelse
++ }
++ ifelse //false
++ }
++ forall
++ % Stack: font true -or- fontname false
++ { //true
++ }
++ { % None of the Fontmap entries worked.
++ % Try loading a file with the same name
++ % as the requested font.
++ //.tryloadfont exec
++ }
++ ifelse
++ }
++ if
++ }
++ ifelse
++ } bind def
+
+ % Define a procedure to load all known fonts.
+ % This isn't likely to be very useful.
+@@ -1192,9 +1204,9 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
+ /.loadinitialfonts
+ { NOFONTMAP not
+ { /FONTMAP where
+- { pop [ FONTMAP .pathlist ]
++ { pop [ FONTMAP //.pathlist exec]
+ { dup VMDEBUG findlibfile
+- { exch pop .loadFontmap }
++ { exch pop //.loadFontmap exec }
+ { /undefinedfilename signalerror }
+ ifelse
+ }
+@@ -1208,7 +1220,7 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
+ pop pop
+ defaultfontmap_content { .definefontmap } forall
+ } {
+- .loadFontmap
++ //.loadFontmap exec
+ } ifelse
+ } {
+ pop pop
+@@ -1272,3 +1284,18 @@ FAKEFONTS { exch } if pop def % don't bind, .current/setglobal get redefined
+ { .makemodifiedfont
+ dup /FontName get exch definefont pop
+ } bind def
++
++% Undef these, not needed outside this file
++[
++ % /.fonttempstring /.scannextfontdir - are also used in gs_res.ps, so are undefined there
++ % /.fontnameproperties - is used in pdf_font.ps
++ % /.scanfontheaders - used in gs_cff.ps, gs_ttf.ps
++ /.loadfontloop /.tryloadfont /.findfont /.pathlist /.loadFontmap /.lowerstring
++ /.splitfilename /.scanfontdict /.scanfontbegin
++ /.scanfontskip /.scan1fontstring
++ /.scan1fontfirst /.scanfontdir
++ /.setnativefontmapbuilt /.aliasfont
++ /.setloadingfont /.substitutefaces /.substituteproperties /.substitutefamilies
++ /.nametostring /.fontnamestring /.checkalias /.fontknownget /.stdsubstfont
++ /.putgstringcopy
++] {systemdict exch .forceundef} forall
+diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
+index d9b34599e7c2..fd7eaf953ae9 100644
+--- a/Resource/Init/gs_res.ps
++++ b/Resource/Init/gs_res.ps
+@@ -961,7 +961,7 @@ userdict /.localcsdefaults //false put
+ dup type /nametype eq { .namestring } if
+ dup type /stringtype ne { //false exit } if
+ % Check the resource directory.
+- dup .fonttempstring /FontResourceDir getsystemparam .genericrfn
++ dup //.fonttempstring /FontResourceDir getsystemparam .genericrfn
+ status {
+ pop pop pop pop //true exit
+ } if
+@@ -969,7 +969,7 @@ userdict /.localcsdefaults //false put
+ % as the font.
+ findlibfile { closefile //true exit } if
+ % Scan a FONTPATH directory and try again.
+- .scannextfontdir not { //false exit } if
++ //.scannextfontdir exec not { //false exit } if
+ } loop
+ } bind def
+
+@@ -1008,7 +1008,7 @@ currentdict /.fontstatusaux .undef
+ } ifelse
+ } bind executeonly
+ /ResourceForAll {
+- { .scannextfontdir not { exit } if } loop
++ { //.scannextfontdir exec not { exit } if } loop
+ /Generic /Category findresource /ResourceForAll get exec
+ } bind executeonly
+ /.ResourceFileStatus {
+--
+2.20.1
+
diff --git a/package/ghostscript/0007-Remove-.forcedef-and-harden-.force-ops-more.patch b/package/ghostscript/0007-Remove-.forcedef-and-harden-.force-ops-more.patch
new file mode 100644
index 0000000000..8c21c34ede
--- /dev/null
+++ b/package/ghostscript/0007-Remove-.forcedef-and-harden-.force-ops-more.patch
@@ -0,0 +1,345 @@
+From ba2336b3b1ca5cfe1e67dbe37a084c9644a65ac7 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Fri, 11 Jan 2019 13:36:36 +0000
+Subject: [PATCH] Remove .forcedef, and harden .force* ops more
+
+Remove .forcedef and replace all uses with a direct call to .forceput instead.
+
+Ensure every procedure (named and trasient) that calls .forceput is
+executeonly.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 49c8092da88e
+
+ Resource/Init/gs_dps1.ps | 15 +++++++-----
+ Resource/Init/gs_init.ps | 28 ++++++++-------------
+ Resource/Init/gs_lev2.ps | 51 +++++++++++++++++++--------------------
+ Resource/Init/gs_ll3.ps | 5 ++--
+ Resource/Init/gs_res.ps | 29 +++++++++++-----------
+ Resource/Init/gs_statd.ps | 4 +--
+ 6 files changed, 63 insertions(+), 69 deletions(-)
+
+diff --git a/Resource/Init/gs_dps1.ps b/Resource/Init/gs_dps1.ps
+index 8700c8cb304b..3d2cf7a1ad01 100644
+--- a/Resource/Init/gs_dps1.ps
++++ b/Resource/Init/gs_dps1.ps
+@@ -33,14 +33,17 @@ systemdict begin
+
+ /SharedFontDirectory .FontDirectory .gcheck
+ { .currentglobal //false .setglobal
++ currentdict
+ /LocalFontDirectory .FontDirectory dup maxlength dict copy
+- .forcedef % LocalFontDirectory is local, systemdict is global
++ .forceput % LocalFontDirectory is local, systemdict is global
+ .setglobal .FontDirectory
+- }
+- { /LocalFontDirectory .FontDirectory
+- .forcedef % LocalFontDirectory is local, systemdict is global
++ } executeonly
++ {
++ currentdict
++ /LocalFontDirectory .FontDirectory
++ .forceput % LocalFontDirectory is local, systemdict is global
+ 50 dict
+- }
++ }executeonly
+ ifelse def
+
+ end % systemdict
+@@ -55,7 +58,7 @@ level2dict begin
+ { //SharedFontDirectory }
+ { /LocalFontDirectory .systemvar } % can't embed ref to local VM
+ ifelse .forceput pop % LocalFontDirectory is local, systemdict is global
+- } .bind odef
++ } .bind executeonly odef
+ % Don't just copy (load) the definition of .setglobal:
+ % it gets redefined for LL3.
+ /setshared { /.setglobal .systemvar exec } odef
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index d9a0829f7f97..45bebf479bae 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -54,7 +54,7 @@ systemdict exch
+ dup /userdict
+ currentdict dup 200 .setmaxlength % userdict
+ .forceput % userdict is local, systemdict is global
+- }
++ } executeonly
+ if begin
+
+ % Define dummy local/global operators if needed.
+@@ -299,13 +299,6 @@ QUIET not { printgreeting flush } if
+ 1 index exch .makeoperator def
+ } .bind def
+
+-% Define a special version of def for storing local objects into global
+-% dictionaries. Like .forceput, this exists only during initialization.
+-/.forcedef { % <key> <value> .forcedef -
+- 1 .argindex pop % check # of args
+- currentdict 3 1 roll .forceput
+-} .bind odef
+-
+ % Define procedures for accessing variables in systemdict and userdict
+ % regardless of the contents of the dictionary stack.
+ /.systemvar { % <name> .systemvar <value>
+@@ -347,7 +340,7 @@ DELAYBIND
+ }
+ ifelse
+ } .bind def
+-} if
++} executeonly if
+
+ %**************** BACKWARD COMPATIBILITY ****************
+ /hwsizedict mark /HWSize //null .dicttomark readonly def
+@@ -655,7 +648,7 @@ currentdict /.typenames .undef
+ /ifelse .systemvar
+ ] cvx executeonly
+ exch .setglobal
+-} odef
++} executeonly odef
+ systemdict /internaldict dup .makeinternaldict .makeoperator
+ .forceput % proc is local, systemdict is global
+
+@@ -1093,7 +1086,7 @@ def
+
+ % Define $error. This must be in local VM.
+ .currentglobal //false .setglobal
+-/$error 40 dict .forcedef % $error is local, systemdict is global
++currentdict /$error 40 dict .forceput % $error is local, systemdict is global
+ % newerror, errorname, command, errorinfo,
+ % ostack, estack, dstack, recordstacks,
+ % binary, globalmode,
+@@ -1112,8 +1105,8 @@ end
+ % Define errordict similarly. It has one entry per error name,
+ % plus handleerror. However, some astonishingly badly written PostScript
+ % files require it to have at least one empty slot.
+-/errordict ErrorNames length 3 add dict
+-.forcedef % errordict is local, systemdict is global
++currentdict /errordict ErrorNames length 3 add dict
++.forceput % errordict is local, systemdict is global
+ .setglobal % back to global VM
+ % gserrordict contains all the default error handling methods, but unlike
+ % errordict it is noaccess after creation (also it is in global VM).
+@@ -1273,8 +1266,9 @@ end
+ (END PROCS) VMDEBUG
+
+ % Define the font directory.
++currentdict
+ /FontDirectory //false .setglobal 100 dict //true .setglobal
+-.forcedef % FontDirectory is local, systemdict is global
++.forceput % FontDirectory is local, systemdict is global
+
+ % Define the encoding dictionary.
+ /EncodingDirectory 16 dict def % enough for Level 2 + PDF standard encodings
+@@ -2333,7 +2327,6 @@ SAFER { .setsafeglobal } if
+ //systemdict /UndefinePostScriptOperators get exec
+ //systemdict /UndefinePDFOperators get exec
+ //systemdict /.forcecopynew .forceundef % remove temptation
+- //systemdict /.forcedef .forceundef % ditto
+ //systemdict /.forceput .forceundef % ditto
+ //systemdict /.undef .forceundef % ditto
+ //systemdict /.forceundef .forceundef % ditto
+@@ -2368,9 +2361,9 @@ SAFER { .setsafeglobal } if
+ % (and, if implemented, context switching).
+ .currentglobal //false .setglobal
+ mark userparams { } forall .dicttomark readonly
+- /userparams exch .forcedef % systemdict is read-only
++ currentdict exch /userparams exch .forceput % systemdict is read-only
+ .setglobal
+-} if
++} executeonly if
+ /.currentsystemparams where {
+ pop
+ % Remove real system params from pssystemparams.
+@@ -2458,7 +2451,6 @@ end
+ DELAYBIND not {
+ systemdict /.bindnow .undef % We only need this for DELAYBIND
+ systemdict /.forcecopynew .undef % remove temptation
+- systemdict /.forcedef .undef % ditto
+ systemdict /.forceput .undef % ditto
+ systemdict /.forceundef .undef % ditto
+ } if
+diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps
+index 0f0d57331c23..9c0c3a6fc485 100644
+--- a/Resource/Init/gs_lev2.ps
++++ b/Resource/Init/gs_lev2.ps
+@@ -304,31 +304,30 @@ end
+ psuserparams exch /.checkFilePermitparams load put
+ .setglobal
+
+-pssystemparams begin
+- /CurDisplayList 0 .forcedef
+- /CurFormCache 0 .forcedef
+- /CurInputDevice () .forcedef
+- /CurOutlineCache 0 .forcedef
+- /CurOutputDevice () .forcedef
+- /CurPatternCache 0 .forcedef
+- /CurUPathCache 0 .forcedef
+- /CurScreenStorage 0 .forcedef
+- /CurSourceList 0 .forcedef
+- /DoPrintErrors //false .forcedef
+- /JobTimeout 0 .forcedef
+- /LicenseID (LN-001) .forcedef % bogus
+- /MaxDisplayList 140000 .forcedef
+- /MaxFormCache 100000 .forcedef
+- /MaxImageBuffer 524288 .forcedef
+- /MaxOutlineCache 65000 .forcedef
+- /MaxPatternCache 100000 .forcedef
+- /MaxUPathCache 300000 .forcedef
+- /MaxScreenStorage 84000 .forcedef
+- /MaxSourceList 25000 .forcedef
+- /PrinterName product .forcedef
+- /RamSize 4194304 .forcedef
+- /WaitTimeout 40 .forcedef
+-end
++pssystemparams
++dup /CurDisplayList 0 .forceput
++dup /CurFormCache 0 .forceput
++dup /CurInputDevice () .forceput
++dup /CurOutlineCache 0 .forceput
++dup /CurOutputDevice () .forceput
++dup /CurPatternCache 0 .forceput
++dup /CurUPathCache 0 .forceput
++dup /CurScreenStorage 0 .forceput
++dup /CurSourceList 0 .forceput
++dup /DoPrintErrors //false .forceput
++dup /JobTimeout 0 .forceput
++dup /LicenseID (LN-001) .forceput % bogus
++dup /MaxDisplayList 140000 .forceput
++dup /MaxFormCache 100000 .forceput
++dup /MaxImageBuffer 524288 .forceput
++dup /MaxOutlineCache 65000 .forceput
++dup /MaxPatternCache 100000 .forceput
++dup /MaxUPathCache 300000 .forceput
++dup /MaxScreenStorage 84000 .forceput
++dup /MaxSourceList 25000 .forceput
++dup /PrinterName product .forceput
++dup /RamSize 4194304 .forceput
++ /WaitTimeout 40 .forceput
+
+ % Define the procedures for handling comment scanning. The names
+ % %ProcessComment and %ProcessDSCComment are known to the interpreter.
+@@ -710,7 +709,7 @@ pop % currentsystemparams
+ /statusdict currentdict def
+
+ currentdict end
+-/statusdict exch .forcedef % statusdict is local, systemdict is global
++currentdict exch /statusdict exch .forceput % statusdict is local, systemdict is global
+
+ % The following compatibility operators are in systemdict. They are
+ % defined here, rather than in gs_init.ps, because they require the
+diff --git a/Resource/Init/gs_ll3.ps b/Resource/Init/gs_ll3.ps
+index c86721f39fc0..881af44e9fd2 100644
+--- a/Resource/Init/gs_ll3.ps
++++ b/Resource/Init/gs_ll3.ps
+@@ -521,9 +521,8 @@ end
+ % Define additional user and system parameters.
+ /HalftoneMode 0 .definepsuserparam
+ /MaxSuperScreen 1016 .definepsuserparam
+-pssystemparams begin % read-only, so use .forcedef
+- /MaxDisplayAndSourceList 160000 .forcedef
+-end
++% read-only, so use .forceput
++pssystemparams /MaxDisplayAndSourceList 160000 .forceput
+
+ % Define the IdiomSet resource category.
+ { /IdiomSet } {
+diff --git a/Resource/Init/gs_res.ps b/Resource/Init/gs_res.ps
+index fd7eaf953ae9..0b4e0514b2a1 100644
+--- a/Resource/Init/gs_res.ps
++++ b/Resource/Init/gs_res.ps
+@@ -41,10 +41,10 @@ level2dict begin
+ % However, Ed Taft of Adobe says their interpreters don't implement this
+ % either, so we aren't going to worry about it for a while.
+
+-currentglobal //false setglobal systemdict begin
+- /localinstancedict 5 dict
+- .forcedef % localinstancedict is local, systemdict is global
+-end //true setglobal
++currentglobal //false setglobal
++ systemdict /localinstancedict 5 dict
++ .forceput % localinstancedict is local, systemdict is global
++//true setglobal
+ /.emptydict 0 dict readonly def
+ setglobal
+
+@@ -149,7 +149,7 @@ setglobal
+ dup [ exch 0 -1 ] exch
+ .Instances 4 2 roll put
+ % Make the Category dictionary read-only. We will have to
+- % use .forceput / .forcedef later to replace the dummy,
++ % use .forceput / .forceput later to replace the dummy,
+ % empty .Instances dictionary with the real one later.
+ readonly
+ }{
+@@ -304,7 +304,8 @@ systemdict begin
+ dup () ne {
+ .file_name_directory_separator concatstrings
+ } if
+- 2 index exch //false .file_name_combine not {
++ 2 index exch //false
++ .file_name_combine not {
+ (Error: .default_resource_dir returned ) print exch print ( that can't combine with ) print =
+ /.default_resource_dir cvx /configurationerror signalerror
+ } if
+@@ -317,14 +318,14 @@ currentdict /pssystemparams known not {
+ pssystemparams begin
+ .default_resource_dir
+ /FontResourceDir (Font) .resource_dir_name
+- readonly .forcedef % pssys'params is r-o
++ readonly currentdict 3 1 roll .forceput % pssys'params is r-o
+ /GenericResourceDir () .resource_dir_name
+- readonly .forcedef % pssys'params is r-o
++ readonly currentdict 3 1 roll .forceput % pssys'params is r-o
+ pop % .default_resource_dir
+ /GenericResourcePathSep
+- .file_name_separator readonly .forcedef % pssys'params is r-o
+- (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forcedef % pssys'params is r-o
+- (%diskGenericResourceDir) cvn (/Resource/) readonly .forcedef % pssys'params is r-o
++ .file_name_separator readonly currentdict 3 1 roll .forceput % pssys'params is r-o
++ currentdict (%diskFontResourceDir) cvn (/Resource/Font/) readonly .forceput % pssys'params is r-o
++ currentdict (%diskGenericResourceDir) cvn (/Resource/) readonly .forceput % pssys'params is r-o
+ end
+ end
+
+@@ -422,8 +423,8 @@ status {
+ .Instances dup //.emptydict eq {
+ pop 3 dict
+ % As noted above, Category dictionaries are read-only,
+- % so we have to use .forcedef here.
+- /.Instances 1 index .forcedef % Category dict is read-only
++ % so we have to use .forceput here.
++ currentdict /.Instances 2 index .forceput % Category dict is read-only
+ } executeonly if
+ }
+ { .LocalInstances dup //.emptydict eq
+@@ -441,7 +442,7 @@ status {
+ { /defineresource cvx /typecheck signaloperror
+ }
+ ifelse
+-} .bind executeonly .makeoperator % executeonly to prevent access to .forcedef
++} .bind executeonly .makeoperator % executeonly to prevent access to .forceput
+ /UndefineResource
+ { { dup 2 index .knownget
+ { dup 1 get 1 ge
+diff --git a/Resource/Init/gs_statd.ps b/Resource/Init/gs_statd.ps
+index 20d4c96c4f8f..b6a76590dd09 100644
+--- a/Resource/Init/gs_statd.ps
++++ b/Resource/Init/gs_statd.ps
+@@ -21,10 +21,10 @@ systemdict begin
+ % We make statusdict a little larger for Level 2 stuff.
+ % Note that it must be allocated in local VM.
+ .currentglobal //false .setglobal
+- /statusdict 91 dict .forcedef % statusdict is local, sys'dict global
++ currentdict /statusdict 91 dict .forceput % statusdict is local, sys'dict global
+ % To support the Level 2 job control features,
+ % serverdict must also be in local VM.
+- /serverdict 10 dict .forcedef % serverdict is local, sys'dict global
++ currentdict /serverdict 10 dict .forceput % serverdict is local, sys'dict global
+ .setglobal
+ end
+
+--
+2.20.1
+
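Review bot: The mechanical `.forcedef` to `.forceput` substitution left a comment in the gs_res.ps section of this patch that now reads `% use .forceput / .forceput later to replace the dummy,`, which no longer names two operators. It should be reduced to `% use .forceput later to replace the dummy,` so the note on read-only Category dictionaries stays accurate. In the gs_dps1.ps section the second branch closes with `}executeonly` while every other site in the patch writes `} executeonly`; the token still scans, but the spacing should match. The hardening rests on each procedure that contains `.forceput` being marked executeonly by hand, so the affected comments are worth keeping precise for later audits.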
diff --git a/package/googlefontdirectory/googlefontdirectory.mk b/package/googlefontdirectory/googlefontdirectory.mk
index cf918ac4ae..8773390f0c 100644
--- a/package/googlefontdirectory/googlefontdirectory.mk
+++ b/package/googlefontdirectory/googlefontdirectory.mk
@@ -11,22 +11,21 @@ GOOGLEFONTDIRECTORY_FONTS = \
$(call qstrip,$(BR2_PACKAGE_GOOGLEFONTDIRECTORY_FONTS))
ifneq ($(filter apache/%,$(GOOGLEFONTDIRECTORY_FONTS)),)
-GOOGLEFONTDIRECTORY_LICENSE += Apache-2.0
+GOOGLEFONTDIRECTORY_ALL_LICENSES += Apache-2.0
GOOGLEFONTDIRECTORY_LICENSE_FILES += $(addsuffix /LICENSE.txt,$(filter apache/%,$(GOOGLEFONTDIRECTORY_FONTS)))
endif
ifneq ($(filter ofl/%,$(GOOGLEFONTDIRECTORY_FONTS)),)
-GOOGLEFONTDIRECTORY_LICENSE += OFL-1.1
+GOOGLEFONTDIRECTORY_ALL_LICENSES += OFL-1.1
GOOGLEFONTDIRECTORY_LICENSE_FILES += $(addsuffix /OFL.txt,$(filter ofl/%,$(GOOGLEFONTDIRECTORY_FONTS)))
endif
ifneq ($(filter ufl/%,$(GOOGLEFONTDIRECTORY_FONTS)),)
-GOOGLEFONTDIRECTORY_LICENSE += UFL-1.1
+GOOGLEFONTDIRECTORY_ALL_LICENSES += UFL-1.1
GOOGLEFONTDIRECTORY_LICENSE_FILES += $(addsuffix /LICENCE.txt,$(filter ufl/%,$(GOOGLEFONTDIRECTORY_FONTS)))
endif
-# check-package OverriddenVariable
-GOOGLEFONTDIRECTORY_LICENSE := $(subst $(space),$(comma)$(space),$(GOOGLEFONTDIRECTORY_LICENSE))
+GOOGLEFONTDIRECTORY_LICENSE = $(subst $(space),$(comma)$(space),$(GOOGLEFONTDIRECTORY_ALL_LICENSES))
define GOOGLEFONTDIRECTORY_INSTALL_TARGET_CMDS
$(foreach d,$(GOOGLEFONTDIRECTORY_FONTS), \
diff --git a/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch b/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch
new file mode 100644
index 0000000000..a10fcf62af
--- /dev/null
+++ b/package/jpeg-turbo/0001-tjLoadImage-Fix-int-overflow-segfault-w-big-BMP.patch
@@ -0,0 +1,51 @@
+From 3d9c64e9f8aa1ee954d1d0bb3390fc894bb84da3 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 1 Jan 2019 18:57:36 -0600
+Subject: [PATCH] tjLoadImage(): Fix int overflow/segfault w/big BMP
+
+Fixes #304
+
+[baruch: drop the ChangeLog.md hunk]
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 3d9c64e9f8aa
+
+ ChangeLog.md | 4 ++++
+ turbojpeg.c | 9 ++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/turbojpeg.c b/turbojpeg.c
+index 90a9ce6a0be8..3f7cd640677f 100644
+--- a/turbojpeg.c
++++ b/turbojpeg.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C)2009-2018 D. R. Commander. All Rights Reserved.
++ * Copyright (C)2009-2019 D. R. Commander. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+@@ -1960,7 +1960,8 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+ int align, int *height, int *pixelFormat,
+ int flags)
+ {
+- int retval = 0, tempc, pitch;
++ int retval = 0, tempc;
++ size_t pitch;
+ tjhandle handle = NULL;
+ tjinstance *this;
+ j_compress_ptr cinfo = NULL;
+@@ -2013,7 +2014,9 @@ DLLEXPORT unsigned char *tjLoadImage(const char *filename, int *width,
+ *pixelFormat = cs2pf[cinfo->in_color_space];
+
+ pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);
+- if ((dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
++ if ((unsigned long long)pitch * (unsigned long long)(*height) >
++ (unsigned long long)((size_t)-1) ||
++ (dstBuf = (unsigned char *)malloc(pitch * (*height))) == NULL)
+ _throwg("tjLoadImage(): Memory allocation failure");
+
+ if (setjmp(this->jerr.setjmp_buffer)) {
+--
+2.20.1
+
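Review bot: The row size on the unchanged line `pitch = PAD((*width) * tjPixelSize[*pixelFormat], align);` is still multiplied in `int` before it is stored in the new `size_t pitch`, so the added `unsigned long long` comparison guards only the `pitch * height` product and not the width multiplication that feeds it. If nothing earlier in tjLoadImage() bounds `*width` (not visible in this hunk), that product could wrap and the later check would then see a small, wrong pitch. Widening before the multiplication, for example `pitch = PAD((size_t)(*width) * tjPixelSize[*pixelFormat], align);`, would cover that case where `size_t` is wider than `int`. The function body starts and ends outside the hunk.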
diff --git a/package/jpeg-turbo/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch b/package/jpeg-turbo/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch
new file mode 100644
index 0000000000..3e4e5bd082
--- /dev/null
+++ b/package/jpeg-turbo/0002-wrbmp.c-Don-t-allow-quantization-w-non-RGB-CS.patch
@@ -0,0 +1,39 @@
+From f8cca819a4fb42aafa5f70df43c45e8c416d716f Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 1 Jan 2019 20:32:40 -0600
+Subject: [PATCH] wrbmp.c: Don't allow quantization w/ non-RGB CS
+
+If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will
+set cinfo->output_components to 1, and if cinfo->out_color_space is not
+RGB (or extended RGB), hilarity will ensue.
+
+Fixes #305
+
+[baruch: drop the ChangeLog.md hunk]
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit f8cca819a4
+
+ ChangeLog.md | 4 ++++
+ wrbmp.c | 5 +++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/wrbmp.c b/wrbmp.c
+index 4bf81426b0ef..239f64eb3c3f 100644
+--- a/wrbmp.c
++++ b/wrbmp.c
+@@ -502,8 +502,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
+ dest->pub.put_pixel_rows = put_gray_rows;
+ else
+ dest->pub.put_pixel_rows = put_pixel_rows;
+- } else if (cinfo->out_color_space == JCS_RGB565 ||
+- cinfo->out_color_space == JCS_CMYK) {
++ } else if (!cinfo->quantize_colors &&
++ (cinfo->out_color_space == JCS_RGB565 ||
++ cinfo->out_color_space == JCS_CMYK)) {
+ dest->pub.put_pixel_rows = put_pixel_rows;
+ } else {
+ ERREXIT(cinfo, JERR_BMP_COLORSPACE);
+--
+2.20.1
+
diff --git a/package/libarchive/0005-iso9660-Fail-when-expected-Rockridge-extensions-is-m.patch b/package/libarchive/0005-iso9660-Fail-when-expected-Rockridge-extensions-is-m.patch
new file mode 100644
index 0000000000..bd36ce4b53
--- /dev/null
+++ b/package/libarchive/0005-iso9660-Fail-when-expected-Rockridge-extensions-is-m.patch
@@ -0,0 +1,62 @@
+From 8312eaa576014cd9b965012af51bc1f967b12423 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Jan 2019 17:10:49 +1100
+Subject: [PATCH] iso9660: Fail when expected Rockridge extensions is missing
+
+A corrupted or malicious ISO9660 image can cause read_CE() to loop
+forever.
+
+read_CE() calls parse_rockridge(), expecting a Rockridge extension
+to be read. However, parse_rockridge() is structured as a while
+loop starting with a sanity check, and if the sanity check fails
+before the loop has run, the function returns ARCHIVE_OK without
+advancing the position in the file. This causes read_CE() to retry
+indefinitely.
+
+Make parse_rockridge() return ARCHIVE_WARN if it didn't read an
+extension. As someone with no real knowledge of the format, this
+seems more apt than ARCHIVE_FATAL, but both the call-sites escalate
+it to a fatal error immediately anyway.
+
+Found with a combination of AFL, afl-rb (FairFuzz) and qsym.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 8312eaa57601
+
+ libarchive/archive_read_support_format_iso9660.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_iso9660.c b/libarchive/archive_read_support_format_iso9660.c
+index 28acfefbba8a..bad8f1dfef3a 100644
+--- a/libarchive/archive_read_support_format_iso9660.c
++++ b/libarchive/archive_read_support_format_iso9660.c
+@@ -2102,6 +2102,7 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
+ const unsigned char *p, const unsigned char *end)
+ {
+ struct iso9660 *iso9660;
++ int entry_seen = 0;
+
+ iso9660 = (struct iso9660 *)(a->format->data);
+
+@@ -2257,8 +2258,16 @@ parse_rockridge(struct archive_read *a, struct file_info *file,
+ }
+
+ p += p[2];
++ entry_seen = 1;
++ }
++
++ if (entry_seen)
++ return (ARCHIVE_OK);
++ else {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Tried to parse Rockridge extensions, but none found");
++ return (ARCHIVE_WARN);
+ }
+- return (ARCHIVE_OK);
+ }
+
+ static int
+--
+2.20.1
+
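Review bot: The new `entry_seen` return path in parse_rockridge() carries no comment saying why an empty parse is reported as an error, and that reason is only in the commit message. A short comment above `if (entry_seen)` would keep it with the code, for example `/* Nothing was consumed: report it so read_CE() cannot retry the same offset forever. */`. The flag is set only at the bottom of the loop body, after `p += p[2];`, and the rest of the loop is outside the hunk. It would be worth confirming that no path through the body skips that assignment after consuming an entry.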
diff --git a/package/libarchive/0006-7zip-fix-crash-when-parsing-certain-archives.patch b/package/libarchive/0006-7zip-fix-crash-when-parsing-certain-archives.patch
new file mode 100644
index 0000000000..bad33d9526
--- /dev/null
+++ b/package/libarchive/0006-7zip-fix-crash-when-parsing-certain-archives.patch
@@ -0,0 +1,62 @@
+From 65a23f5dbee4497064e9bb467f81138a62b0dae1 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 1 Jan 2019 16:01:40 +1100
+Subject: [PATCH] 7zip: fix crash when parsing certain archives
+
+Fuzzing with CRCs disabled revealed that a call to get_uncompressed_data()
+would sometimes fail to return at least 'minimum' bytes. This can cause
+the crc32() invocation in header_bytes to read off into invalid memory.
+
+A specially crafted archive can use this to cause a crash.
+
+An ASAN trace is below, but ASAN is not required - an uninstrumented
+binary will also crash.
+
+==7719==ERROR: AddressSanitizer: SEGV on unknown address 0x631000040000 (pc 0x7fbdb3b3ec1d bp 0x7ffe77a51310 sp 0x7ffe77a51150 T0)
+==7719==The signal is caused by a READ memory access.
+ #0 0x7fbdb3b3ec1c in crc32_z (/lib/x86_64-linux-gnu/libz.so.1+0x2c1c)
+ #1 0x84f5eb in header_bytes (/tmp/libarchive/bsdtar+0x84f5eb)
+ #2 0x856156 in read_Header (/tmp/libarchive/bsdtar+0x856156)
+ #3 0x84e134 in slurp_central_directory (/tmp/libarchive/bsdtar+0x84e134)
+ #4 0x849690 in archive_read_format_7zip_read_header (/tmp/libarchive/bsdtar+0x849690)
+ #5 0x5713b7 in _archive_read_next_header2 (/tmp/libarchive/bsdtar+0x5713b7)
+ #6 0x570e63 in _archive_read_next_header (/tmp/libarchive/bsdtar+0x570e63)
+ #7 0x6f08bd in archive_read_next_header (/tmp/libarchive/bsdtar+0x6f08bd)
+ #8 0x52373f in read_archive (/tmp/libarchive/bsdtar+0x52373f)
+ #9 0x5257be in tar_mode_x (/tmp/libarchive/bsdtar+0x5257be)
+ #10 0x51daeb in main (/tmp/libarchive/bsdtar+0x51daeb)
+ #11 0x7fbdb27cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
+ #12 0x41dd09 in _start (/tmp/libarchive/bsdtar+0x41dd09)
+
+This was primarly done with afl and FairFuzz. Some early corpus entries
+may have been generated by qsym.
+
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: commit 65a23f5dbee
+
+ libarchive/archive_read_support_format_7zip.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_7zip.c b/libarchive/archive_read_support_format_7zip.c
+index bccbf896603b..b6d1505d372e 100644
+--- a/libarchive/archive_read_support_format_7zip.c
++++ b/libarchive/archive_read_support_format_7zip.c
+@@ -2964,13 +2964,7 @@ get_uncompressed_data(struct archive_read *a, const void **buff, size_t size,
+ if (zip->codec == _7Z_COPY && zip->codec2 == (unsigned long)-1) {
+ /* Copy mode. */
+
+- /*
+- * Note: '1' here is a performance optimization.
+- * Recall that the decompression layer returns a count of
+- * available bytes; asking for more than that forces the
+- * decompressor to combine reads by copying data.
+- */
+- *buff = __archive_read_ahead(a, 1, &bytes_avail);
++ *buff = __archive_read_ahead(a, minimum, &bytes_avail);
+ if (bytes_avail <= 0) {
+ archive_set_error(&a->archive,
+ ARCHIVE_ERRNO_FILE_FORMAT,
+--
+2.20.1
+
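Review bot: The check after the changed call still tests only `bytes_avail <= 0`, so the copy-mode path relies on `__archive_read_ahead()` never reporting a positive count smaller than `minimum`. As far as I know, that helper returns NULL when it cannot supply the requested minimum and may still report the bytes it has. That would leave `*buff` NULL with a positive `bytes_avail`, and it should be confirmed against archive_read.c. Testing the pointer as well, `if (*buff == NULL || bytes_avail <= 0) {`, would make this branch fail closed on a truncated archive. The rest of get_uncompressed_data() is outside the hunk.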
diff --git a/package/libupnp18/0001-configure.ac-fix-build-with-openssl.patch b/package/libupnp18/0001-configure.ac-fix-build-with-openssl.patch
new file mode 100644
index 0000000000..6a09821dae
--- /dev/null
+++ b/package/libupnp18/0001-configure.ac-fix-build-with-openssl.patch
@@ -0,0 +1,51 @@
+From c70d326f3ae88aa2dca903fb17a1f18d3b45a2ca Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Fri, 8 Feb 2019 16:45:32 +0100
+Subject: [PATCH] configure.ac: fix build with openssl
+
+- Add a call to PKG_CHECK_MODULES to get openssl libraries and its
+ dependencies if openssl support is enabled
+- Add OPENSSL_LIBS to libupnp.pc.in so that applications linking with
+ pupnp (such as mpd) will be able to retrieve openssl libraries
+
+Fixes:
+ - http://autobuild.buildroot.org/results/a4148e516070b79816769f3443fc24d6d8192073
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status: https://github.com/mrjimenez/pupnp/pull/105]
+---
+ configure.ac | 5 +++++
+ libupnp.pc.in | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 670d363..190b30c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -722,6 +722,11 @@ AC_COMPILE_IFELSE(
+ AC_MSG_ERROR([pthread_rwlock_t not available])])])
+ echo "-------------------------------------------------------------------------------"
+
++if test "x$enable_open_ssl" = xyes ; then
++ PKG_CHECK_MODULES(OPENSSL, libssl,
++ [LIBS="$LIBS $OPENSSL_LIBS" CFLAGS="$CFLAGS $OPENSSL_CFLAGS"],
++ [AC_MSG_ERROR([openssl not found])])
++fi
+
+ AC_CONFIG_FILES([
+ Makefile
+diff --git a/libupnp.pc.in b/libupnp.pc.in
+index bd2d7b3..54cba90 100644
+--- a/libupnp.pc.in
++++ b/libupnp.pc.in
+@@ -6,6 +6,6 @@ includedir=@includedir@
+ Name: libupnp
+ Description: Linux SDK for UPnP Devices
+ Version: @VERSION@
+-Libs: @PTHREAD_CFLAGS@ @PTHREAD_LIBS@ -L${libdir} -lupnp -lixml
++Libs: @PTHREAD_CFLAGS@ @PTHREAD_LIBS@ -L${libdir} -lupnp -lixml @OPENSSL_LIBS@
+ Cflags: @PTHREAD_CFLAGS@ -I${includedir}/upnp
+
+--
+2.14.1
+
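Review bot: In the libupnp.pc.in hunk, `@OPENSSL_LIBS@` is appended to the public `Libs:` line, so every consumer links OpenSSL directly, including shared builds where libupnp already carries that dependency. The failure being fixed looks like a static-link problem, so the private field fits better: leave `Libs:` as it was and add `Libs.private: @OPENSSL_LIBS@`, which pkg-config emits only with `--static`. The new configure.ac check also asks for `libssl` alone, whereas the Buildroot workaround removed from libupnp18.mk queried `libssl libcrypto`; it is worth confirming that no libcrypto symbols are used directly.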
diff --git a/package/libupnp18/libupnp18.mk b/package/libupnp18/libupnp18.mk
index 13536b8f7a..5154be5316 100644
--- a/package/libupnp18/libupnp18.mk
+++ b/package/libupnp18/libupnp18.mk
@@ -11,11 +11,12 @@ LIBUPNP18_CONF_ENV = ac_cv_lib_compat_ftime=no
LIBUPNP18_INSTALL_STAGING = YES
LIBUPNP18_LICENSE = BSD-3-Clause
LIBUPNP18_LICENSE_FILES = COPYING
+# We're patching configure.ac
+LIBUPNP18_AUTORECONF = YES
ifeq ($(BR2_PACKAGE_OPENSSL),y)
LIBUPNP18_CONF_OPTS += --enable-open-ssl
LIBUPNP18_DEPENDENCIES += host-pkgconf openssl
-LIBUPNP18_CONF_ENV += LIBS="`$(PKG_CONFIG_HOST_BINARY) --libs libssl libcrypto`"
else
LIBUPNP18_CONF_OPTS += --disable-open-ssl
endif
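Review bot: `host-pkgconf` is still added to `LIBUPNP18_DEPENDENCIES` only inside the `BR2_PACKAGE_OPENSSL` branch, but with `LIBUPNP18_AUTORECONF = YES` and the new `PKG_CHECK_MODULES` call in configure.ac, regenerating configure needs pkg.m4 in every configuration. Without it the macro is likely left unexpanded inside the `if ... fi` block, and the generated configure may then fail to parse even when OpenSSL is disabled. Add `LIBUPNP18_DEPENDENCIES += host-pkgconf` above the `ifeq` and keep only `LIBUPNP18_DEPENDENCIES += openssl` inside it.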
diff --git a/package/libva-utils/0002-Fix-build-failure-when-x11-support-is-disabled.patch b/package/libva-utils/0002-Fix-build-failure-when-x11-support-is-disabled.patch
new file mode 100644
index 0000000000..b14b662abf
--- /dev/null
+++ b/package/libva-utils/0002-Fix-build-failure-when-x11-support-is-disabled.patch
@@ -0,0 +1,33 @@
+From ad66d3c202eb72ac5808f13a0489ac836dc55aac Mon Sep 17 00:00:00 2001
+From: Bernd Kuhls <bernd.kuhls@t-online.de>
+Date: Mon, 11 Feb 2019 20:31:42 +0100
+Subject: [PATCH] Fix build failure when x11 support is disabled
+
+Patch suggested on upstream bug tracker:
+https://github.com/intel/libva-utils/issues/150#issuecomment-462059528
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ Makefile.am | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index d28175a..12da79e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -24,10 +24,10 @@ ACLOCAL_AMFLAGS = -I m4 ${ACLOCAL_FLAGS}
+
+ AUTOMAKE_OPTIONS = foreign
+
+-SUBDIRS = common decode encode vainfo videoprocess vendor/intel vendor/intel/sfcsample
++SUBDIRS = common decode encode vainfo videoprocess vendor/intel
+
+ if USE_X11
+-SUBDIRS += putsurface
++SUBDIRS += putsurface vendor/intel/sfcsample
+ else
+ if USE_WAYLAND
+ SUBDIRS += putsurface
+--
+2.20.1
+
diff --git a/package/libva-utils/libva-utils.mk b/package/libva-utils/libva-utils.mk
index fab3894b18..be857bb4f1 100644
--- a/package/libva-utils/libva-utils.mk
+++ b/package/libva-utils/libva-utils.mk
@@ -10,6 +10,7 @@ LIBVA_UTILS_SITE = https://github.com/intel/libva-utils/releases/download/$(LIBV
LIBVA_UTILS_LICENSE = MIT
LIBVA_UTILS_LICENSE_FILES = COPYING
# 0001-check-ssp.patch
+# 0002-Fix-build-failure-when-x11-support-is-disabled.patch
LIBVA_UTILS_AUTORECONF = YES
LIBVA_UTILS_DEPENDENCIES = host-pkgconf libva
diff --git a/package/libyaml/libyaml.mk b/package/libyaml/libyaml.mk
index 26e318736c..dc7368a168 100644
--- a/package/libyaml/libyaml.mk
+++ b/package/libyaml/libyaml.mk
@@ -12,3 +12,4 @@ LIBYAML_LICENSE = MIT
LIBYAML_LICENSE_FILES = LICENSE
$(eval $(autotools-package))
+$(eval $(host-autotools-package))
diff --git a/package/mongodb/0001-ssl_manager.cpp-fix-build-with-gcc-7-and-fpermissive.patch b/package/mongodb/0001-ssl_manager.cpp-fix-build-with-gcc-7-and-fpermissive.patch
new file mode 100644
index 0000000000..b4b1746682
--- /dev/null
+++ b/package/mongodb/0001-ssl_manager.cpp-fix-build-with-gcc-7-and-fpermissive.patch
@@ -0,0 +1,55 @@
+From 362be06fc16a5ad0f9e9aa90cc763c5242e8e35c Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Sat, 9 Feb 2019 12:41:45 +0100
+Subject: [PATCH] ssl_manager.cpp: fix build with gcc 7 and -fpermissive
+
+Change prototype of DERToken::parse function from
+parse(ConstDataRange cdr, size_t* outLength);
+to parse(ConstDataRange cdr, uint64_t* outLength);
+
+Otherwise, we got the following error:
+
+src/mongo/util/net/ssl_manager.cpp: In static member function 'static mongo::StatusWith<mongo::{anonymous}::DERToken> mongo::{anonymous}::DERToken::parse(mongo::ConstDataRange, size_t*)':
+src/mongo/util/net/ssl_manager.cpp:575:79: error: invalid conversion from 'size_t* {aka unsigned int*}' to 'long unsigned int*' [-fpermissive]
+ if (mongoUnsignedAddOverflow64(tagAndLengthByteCount, derLength, outLength) ||
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status: https://github.com/mongodb/mongo/pull/1296]
+---
+ src/mongo/util/net/ssl_manager.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
+index b93ebe84a4..3511eb5d99 100644
+--- a/src/mongo/util/net/ssl_manager.cpp
++++ b/src/mongo/util/net/ssl_manager.cpp
+@@ -782,7 +782,7 @@ public:
+ *
+ * Returns a DERToken which consists of the (tag, length, value) tuple.
+ */
+- static StatusWith<DERToken> parse(ConstDataRange cdr, size_t* outLength);
++ static StatusWith<DERToken> parse(ConstDataRange cdr, uint64_t* outLength);
+
+ private:
+ DERType _type{DERType::EndOfContent};
+@@ -799,7 +799,7 @@ struct DataType::Handler<DERToken> {
+ size_t length,
+ size_t* advanced,
+ std::ptrdiff_t debug_offset) {
+- size_t outLength;
++ uint64_t outLength;
+
+ auto swPair = DERToken::parse(ConstDataRange(ptr, length), &outLength);
+
+@@ -844,7 +844,7 @@ StatusWith<std::string> readDERString(ConstDataRangeCursor& cdc) {
+ }
+
+
+-StatusWith<DERToken> DERToken::parse(ConstDataRange cdr, size_t* outLength) {
++StatusWith<DERToken> DERToken::parse(ConstDataRange cdr, uint64_t* outLength) {
+ const size_t kTagLength = 1;
+ const size_t kTagLengthAndInitialLengthByteLength = kTagLength + 1;
+
+--
+2.14.1
+
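Review bot: In the `DataType::Handler<DERToken>` hunk, `outLength` becomes `uint64_t` while the `advanced` out-parameter it presumably feeds stays `size_t*`, so on the 32-bit targets this patch is written for the value is narrowed somewhere outside the hunk. This parser handles DER data taken from certificates, so the narrowing should be explicit and happen only after the value has been checked against the `length` argument. If `parse` does not already guarantee that, reject `outLength > length` first and then assign with `*advanced = static_cast<size_t>(outLength);`. The bodies of `load` and `DERToken::parse` continue outside the hunks, so this needs confirming against the full file.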
diff --git a/package/mongodb/Config.in b/package/mongodb/Config.in
new file mode 100644
index 0000000000..969b8e062f
--- /dev/null
+++ b/package/mongodb/Config.in
@@ -0,0 +1,40 @@
+# from https://docs.mongodb.com/manual/installation/#supported-platforms
+config BR2_PACKAGE_MONGODB_ARCH_SUPPORTS
+ bool
+ # ARM needs LDREX/STREX, so ARMv6+
+ default y if BR2_arm && !BR2_ARM_CPU_ARMV4 && !BR2_ARM_CPU_ARMV5
+ default y if BR2_aarch64 || BR2_powerpc64 || BR2_x86_64
+
+config BR2_PACKAGE_MONGODB
+ bool "mongodb"
+ depends on BR2_PACKAGE_MONGODB_ARCH_SUPPORTS
+ depends on BR2_TOOLCHAIN_USES_GLIBC # needs glibc malloc_usable_size
+ depends on BR2_USE_WCHAR
+ depends on BR2_TOOLCHAIN_HAS_THREADS
+ depends on BR2_INSTALL_LIBSTDCPP
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_6
+ select BR2_PACKAGE_BOOST
+ select BR2_PACKAGE_BOOST_FILESYSTEM
+ select BR2_PACKAGE_BOOST_IOSTREAMS
+ select BR2_PACKAGE_BOOST_PROGRAM_OPTIONS
+ select BR2_PACKAGE_BOOST_SYSTEM
+ select BR2_PACKAGE_PCRE
+ select BR2_PACKAGE_SNAPPY
+ select BR2_PACKAGE_SQLITE
+ select BR2_PACKAGE_YAML_CPP
+ select BR2_PACKAGE_ZLIB
+ help
+ MongoDB is a cross-platform document-oriented database
+ (NoSQL).
+
+ It uses JSON-like documents with dynamic schemas (BSON),
+ making the integration of data in certain types of
+ applications easier and faster.
+
+ https://www.mongodb.org/
+
+comment "mongodb needs a glibc toolchain w/ wchar, threads, C++, gcc >= 6"
+ depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
+ !BR2_INSTALL_LIBSTDCPP || !BR2_TOOLCHAIN_USES_GLIBC || \
+ !BR2_TOOLCHAIN_GCC_AT_LEAST_6
+ depends on BR2_PACKAGE_MONGODB_ARCH_SUPPORTS
diff --git a/package/mongodb/mongodb.hash b/package/mongodb/mongodb.hash
new file mode 100644
index 0000000000..916323d7c1
--- /dev/null
+++ b/package/mongodb/mongodb.hash
@@ -0,0 +1,4 @@
+# Locally computed:
+sha256 5db85f06b2a0b2ae393339a4aed1366928aaef2b46c7c32826fa87c3217dc6f7 mongodb-r4.0.6.tar.gz
+sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 APACHE-2.0.txt
+sha256 09d99ca61eb07873d5334077acba22c33e7f7d0a9fa08c92734e0ac8430d6e27 LICENSE-Community.txt
diff --git a/package/mongodb/mongodb.mk b/package/mongodb/mongodb.mk
new file mode 100644
index 0000000000..e420ecb41d
--- /dev/null
+++ b/package/mongodb/mongodb.mk
@@ -0,0 +1,92 @@
+################################################################################
+#
+# mongodb
+#
+################################################################################
+
+MONGODB_VERSION_BASE = 4.0.6
+MONGODB_VERSION = r$(MONGODB_VERSION_BASE)
+MONGODB_SITE = $(call github,mongodb,mongo,$(MONGODB_VERSION))
+
+MONGODB_LICENSE = Apache-2.0 (drivers), SSPL (database)
+MONGODB_LICENSE_FILES = APACHE-2.0.txt LICENSE-Community.txt
+
+MONGODB_DEPENDENCIES = \
+ boost \
+ host-python-cheetah \
+ host-python-pyyaml \
+ host-python-typing \
+ host-scons \
+ pcre \
+ snappy \
+ sqlite \
+ yaml-cpp \
+ zlib
+
+MONGODB_SCONS_TARGETS = mongod mongos
+
+MONGODB_SCONS_ENV = CC="$(TARGET_CC)" CXX="$(TARGET_CXX)" \
+ -j"$(PARALLEL_JOBS)"
+
+MONGODB_SCONS_OPTS = \
+ --disable-warnings-as-errors \
+ --use-system-boost \
+ --use-system-pcre \
+ --use-system-snappy \
+ --use-system-sqlite \
+ --use-system-yaml \
+ --use-system-zlib
+
+# need to pass mongo version when not building from git repo
+MONGODB_SCONS_OPTS += MONGO_VERSION=$(MONGODB_VERSION_BASE)-
+
+# WiredTiger database storage engine only supported on 64 bits
+ifeq ($(BR2_ARCH_IS_64),y)
+MONGODB_SCONS_OPTS += --wiredtiger=on
+else
+MONGODB_SCONS_OPTS += --wiredtiger=off
+endif
+
+# JavaScript scripting engine and tcmalloc supported only on
+# x86/x86-64 systems. Mongo target is a shell interface that
+# depends on the javascript engine, so it will also only be
+# built on x86/x86-64 systems.
+ifeq ($(BR2_i386)$(BR2_x86_64),y)
+MONGODB_SCONS_OPTS += --js-engine=mozjs --allocator=tcmalloc
+MONGODB_SCONS_TARGETS += mongo
+else
+MONGODB_SCONS_OPTS += --js-engine=none --allocator=system
+endif
+
+ifeq ($(BR2_PACKAGE_LIBCURL),y)
+MONGODB_DEPENDENCIES += libcurl
+MONGODB_SCONS_OPTS += --enable-free-mon=on
+else
+MONGODB_SCONS_OPTS += --enable-free-mon=off
+endif
+
+ifeq ($(BR2_PACKAGE_OPENSSL),y)
+MONGODB_DEPENDENCIES += openssl
+MONGODB_SCONS_OPTS += \
+ --ssl \
+ --ssl-provider=openssl
+endif
+
+define MONGODB_BUILD_CMDS
+ (cd $(@D); \
+ $(SCONS) \
+ $(MONGODB_SCONS_ENV) \
+ $(MONGODB_SCONS_OPTS) \
+ $(MONGODB_SCONS_TARGETS))
+endef
+
+define MONGODB_INSTALL_TARGET_CMDS
+ (cd $(@D); \
+ $(SCONS) \
+ $(MONGODB_SCONS_ENV) \
+ $(MONGODB_SCONS_OPTS) \
+ --prefix=$(TARGET_DIR)/usr \
+ install)
+endef
+
+$(eval $(generic-package))
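Review bot: The OpenSSL block is the only feature conditional in this file without an `else` branch or a comment, so with `BR2_PACKAGE_OPENSSL` unset `mongod` and `mongos` are built without `--ssl` and nothing in the package says so. For a network database that is worth stating next to the block, for example `# Without openssl, mongod/mongos are built without TLS support`, so that a plaintext-only build is a visible choice rather than a side effect. As a smaller style point, `-j"$(PARALLEL_JOBS)"` is a command-line option but sits in `MONGODB_SCONS_ENV`; it reads more naturally in `MONGODB_SCONS_OPTS`.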
diff --git a/package/openssh/0002-upstream-Sanitize-scp-filenames-via-snmprintf.-To-do.patch b/package/openssh/0002-upstream-Sanitize-scp-filenames-via-snmprintf.-To-do.patch
new file mode 100644
index 0000000000..e5d137ef11
--- /dev/null
+++ b/package/openssh/0002-upstream-Sanitize-scp-filenames-via-snmprintf.-To-do.patch
@@ -0,0 +1,275 @@
+From 5979bdfeca813dd7e997a1edb0f928d77ce70304 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Wed, 23 Jan 2019 08:01:46 +0000
+Subject: [PATCH] upstream: Sanitize scp filenames via snmprintf. To do this we
+ move
+
+the progressmeter formatting outside of signal handler context and have the
+atomicio callback called for EINTR too. bz#2434 with contributions from djm
+and jjelen at redhat.com, ok djm@
+
+OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status (openssh-portable): backported from commit 8976f1c4b27
+---
+ atomicio.c | 20 ++++++++++++++-----
+ progressmeter.c | 53 ++++++++++++++++++++++---------------------------
+ progressmeter.h | 3 ++-
+ scp.c | 1 +
+ sftp-client.c | 16 ++++++++-------
+ 5 files changed, 51 insertions(+), 42 deletions(-)
+
+diff --git a/atomicio.c b/atomicio.c
+index f854a06f5f50..d91bd7621c12 100644
+--- a/atomicio.c
++++ b/atomicio.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
++/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2006 Damien Miller. All rights reserved.
+ * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
+@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
+ res = (f) (fd, s + pos, n - pos);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READ_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
+ res = (f) (fd, iov, iovcnt);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READV_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+diff --git a/progressmeter.c b/progressmeter.c
+index fe9bf52e4c90..add462dde500 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2003 Nils Nordman. All rights reserved.
+ *
+@@ -31,6 +31,7 @@
+
+ #include <errno.h>
+ #include <signal.h>
++#include <stdarg.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <time.h>
+@@ -39,6 +40,7 @@
+ #include "progressmeter.h"
+ #include "atomicio.h"
+ #include "misc.h"
++#include "utf8.h"
+
+ #define DEFAULT_WINSIZE 80
+ #define MAX_WINSIZE 512
+@@ -61,7 +63,7 @@ static void setscreensize(void);
+ void refresh_progress_meter(void);
+
+ /* signal handler for updating the progress meter */
+-static void update_progress_meter(int);
++static void sig_alarm(int);
+
+ static double start; /* start progress */
+ static double last_update; /* last progress update */
+@@ -74,6 +76,7 @@ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ static int win_size; /* terminal window size */
+ static volatile sig_atomic_t win_resized; /* for window resizing */
++static volatile sig_atomic_t alarm_fired;
+
+ /* units for format_size */
+ static const char unit[] = " KMGT";
+@@ -126,9 +129,17 @@ refresh_progress_meter(void)
+ off_t bytes_left;
+ int cur_speed;
+ int hours, minutes, seconds;
+- int i, len;
+ int file_len;
+
++ if ((!alarm_fired && !win_resized) || !can_output())
++ return;
++ alarm_fired = 0;
++
++ if (win_resized) {
++ setscreensize();
++ win_resized = 0;
++ }
++
+ transferred = *counter - (cur_pos ? cur_pos : start_pos);
+ cur_pos = *counter;
+ now = monotime_double();
+@@ -158,16 +169,11 @@ refresh_progress_meter(void)
+
+ /* filename */
+ buf[0] = '\0';
+- file_len = win_size - 35;
++ file_len = win_size - 36;
+ if (file_len > 0) {
+- len = snprintf(buf, file_len + 1, "\r%s", file);
+- if (len < 0)
+- len = 0;
+- if (len >= file_len + 1)
+- len = file_len;
+- for (i = len; i < file_len; i++)
+- buf[i] = ' ';
+- buf[file_len] = '\0';
++ buf[0] = '\r';
++ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
++ file_len * -1, file);
+ }
+
+ /* percent of transfer done */
+@@ -228,22 +234,11 @@ refresh_progress_meter(void)
+
+ /*ARGSUSED*/
+ static void
+-update_progress_meter(int ignore)
++sig_alarm(int ignore)
+ {
+- int save_errno;
+-
+- save_errno = errno;
+-
+- if (win_resized) {
+- setscreensize();
+- win_resized = 0;
+- }
+- if (can_output())
+- refresh_progress_meter();
+-
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
++ alarm_fired = 1;
+ alarm(UPDATE_INTERVAL);
+- errno = save_errno;
+ }
+
+ void
+@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ bytes_per_second = 0;
+
+ setscreensize();
+- if (can_output())
+- refresh_progress_meter();
++ refresh_progress_meter();
+
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
+ signal(SIGWINCH, sig_winch);
+ alarm(UPDATE_INTERVAL);
+ }
+@@ -286,6 +280,7 @@ stop_progress_meter(void)
+ static void
+ sig_winch(int sig)
+ {
++ signal(SIGWINCH, sig_winch);
+ win_resized = 1;
+ }
+
+diff --git a/progressmeter.h b/progressmeter.h
+index bf179dca6518..8f6678060195 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2002 Nils Nordman. All rights reserved.
+ *
+@@ -24,4 +24,5 @@
+ */
+
+ void start_progress_meter(const char *, off_t, off_t *);
++void refresh_progress_meter(void);
+ void stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 4f3fdcd3db89..4a342a63873c 100644
+--- a/scp.c
++++ b/scp.c
+@@ -585,6 +585,7 @@ scpio(void *_cnt, size_t s)
+ off_t *cnt = (off_t *)_cnt;
+
+ *cnt += s;
++ refresh_progress_meter();
+ if (limit_kbps > 0)
+ bandwidth_limit(&bwlimit, s);
+ return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index 4986d6d8d291..2bc698f868bc 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+
+- bandwidth_limit(bwlimit, amount);
++ refresh_progress_meter();
++ if (bwlimit != NULL)
++ bandwidth_limit(bwlimit, amount);
+ return 0;
+ }
+
+@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
+ iov[1].iov_base = (u_char *)sshbuf_ptr(m);
+ iov[1].iov_len = sshbuf_len(m);
+
+- if (atomiciov6(writev, conn->fd_out, iov, 2,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
++ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
+ sshbuf_len(m) + sizeof(mlen))
+ fatal("Couldn't send packet: %s", strerror(errno));
+
+@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+
+ if ((r = sshbuf_reserve(m, 4, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, 4,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
++ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
+ if (errno == EPIPE || errno == ECONNRESET)
+ fatal("Connection closed");
+ else
+@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+
+ if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, msg_len,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
++ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
+ != msg_len) {
+ if (errno == EPIPE)
+ fatal("Connection closed");
+--
+2.20.1
+
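Review bot: In progressmeter.c, `refresh_progress_meter()` now returns early unless `alarm_fired` or `win_resized` is set, but `start_progress_meter()` still calls it for the initial draw without setting either flag, so that call does nothing and the meter first appears after the first SIGALRM. Short transfers may therefore show no progress line at all. Setting `alarm_fired = 1;` just before `refresh_progress_meter();` in `start_progress_meter()` restores the initial draw; the final update in `stop_progress_meter()` is outside the hunk and may need the same treatment. Separately, the "Upstream status" line here cites commit 8976f1c4b27 and patch 0003 cites 8976f1c4b2 for a different change, so one of the two references is probably wrong and should be corrected to keep these backports traceable.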
diff --git a/package/openssh/0003-upstream-check-in-scp-client-that-filenames-sent-dur.patch b/package/openssh/0003-upstream-check-in-scp-client-that-filenames-sent-dur.patch
new file mode 100644
index 0000000000..98ce5cd876
--- /dev/null
+++ b/package/openssh/0003-upstream-check-in-scp-client-that-filenames-sent-dur.patch
@@ -0,0 +1,186 @@
+From f853123eda6b279a87be48e18bbea8dec82a94f2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 26 Jan 2019 22:41:28 +0000
+Subject: [PATCH] upstream: check in scp client that filenames sent during
+
+remote->local directory copies satisfy the wildcard specified by the user.
+
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+
+For this reason, this also adds a new -T flag to disable the check.
+
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+
+OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status (openssh-portable): backported from commit 8976f1c4b2
+---
+ scp.1 | 12 +++++++++++-
+ scp.c | 37 +++++++++++++++++++++++++++++--------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/scp.1 b/scp.1
+index 0e5cc1b2d675..397e7709195a 100644
+--- a/scp.1
++++ b/scp.1
+@@ -18,7 +18,7 @@
+ .Nd secure copy (remote file copy program)
+ .Sh SYNOPSIS
+ .Nm scp
+-.Op Fl 346BCpqrv
++.Op Fl 346BCpqrTv
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+@@ -208,6 +208,16 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
++.It Fl T
++Disable strict filename checking.
++By default when copying files from a remote host to a local directory
++.Nm
++checks that the received filenames match those requested on the command-line
++to prevent the remote end from sending unexpected or unwanted files.
++Because of differences in how various operating systems and shells interpret
++filename wildcards, these checks may cause wanted files to be rejected.
++This option disables these checks at the expense of fully trusting that
++the server will not send unexpected filenames.
+ .It Fl v
+ Verbose mode.
+ Causes
+diff --git a/scp.c b/scp.c
+index 4a342a63873c..7b0a08efb274 100644
+--- a/scp.c
++++ b/scp.c
+@@ -94,6 +94,7 @@
+ #include <dirent.h>
+ #include <errno.h>
+ #include <fcntl.h>
++#include <fnmatch.h>
+ #include <limits.h>
+ #include <locale.h>
+ #include <pwd.h>
+@@ -375,14 +376,14 @@ void verifydir(char *);
+ struct passwd *pwd;
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+
+ #define CMDNEEDS 64
+ char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
+
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
++void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(int, char *[]);
+@@ -421,8 +422,9 @@ main(int argc, char **argv)
+ addargs(&args, "-oRemoteCommand=none");
+ addargs(&args, "-oRequestTTY=no");
+
+- fflag = tflag = 0;
+- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
++ fflag = Tflag = tflag = 0;
++ while ((ch = getopt(argc, argv,
++ "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) {
+ switch (ch) {
+ /* User-visible flags. */
+ case '1':
+@@ -501,9 +503,13 @@ main(int argc, char **argv)
+ setmode(0, O_BINARY);
+ #endif
+ break;
++ case 'T':
++ Tflag = 1;
++ break;
+ default:
+ usage();
+ }
++ }
+ argc -= optind;
+ argv += optind;
+
+@@ -534,7 +540,7 @@ main(int argc, char **argv)
+ }
+ if (tflag) {
+ /* Receive data. */
+- sink(argc, argv);
++ sink(argc, argv, NULL);
+ exit(errs != 0);
+ }
+ if (argc < 2)
+@@ -792,7 +798,7 @@ tolocal(int argc, char **argv)
+ continue;
+ }
+ free(bp);
+- sink(1, argv + argc - 1);
++ sink(1, argv + argc - 1, src);
+ (void) close(remin);
+ remin = remout = -1;
+ }
+@@ -968,7 +974,7 @@ rsource(char *name, struct stat *statp)
+ (sizeof(type) != 4 && sizeof(type) != 8))
+
+ void
+-sink(int argc, char **argv)
++sink(int argc, char **argv, const char *src)
+ {
+ static BUF buffer;
+ struct stat stb;
+@@ -984,6 +990,7 @@ sink(int argc, char **argv)
+ unsigned long long ull;
+ int setimes, targisdir, wrerrno = 0;
+ char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
++ char *src_copy = NULL, *restrict_pattern = NULL;
+ struct timeval tv[2];
+
+ #define atime tv[0]
+@@ -1008,6 +1015,17 @@ sink(int argc, char **argv)
+ (void) atomicio(vwrite, remout, "", 1);
+ if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+ targisdir = 1;
++ if (src != NULL && !iamrecursive && !Tflag) {
++ /*
++ * Prepare to try to restrict incoming filenames to match
++ * the requested destination file glob.
++ */
++ if ((src_copy = strdup(src)) == NULL)
++ fatal("strdup failed");
++ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
++ *restrict_pattern++ = '\0';
++ }
++ }
+ for (first = 1;; first = 0) {
+ cp = buf;
+ if (atomicio(read, remin, cp, 1) != 1)
+@@ -1112,6 +1130,9 @@ sink(int argc, char **argv)
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
++ if (restrict_pattern != NULL &&
++ fnmatch(restrict_pattern, cp, 0) != 0)
++ SCREWUP("filename does not match request");
+ if (targisdir) {
+ static char *namebuf;
+ static size_t cursize;
+@@ -1149,7 +1170,7 @@ sink(int argc, char **argv)
+ goto bad;
+ }
+ vect[0] = xstrdup(np);
+- sink(1, vect);
++ sink(1, vect, src);
+ if (setimes) {
+ setimes = 0;
+ if (utimes(vect[0], tv) < 0)
+--
+2.20.1
+
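Review bot: In the `sink()` hunk, `restrict_pattern` is set only when `src` contains a `/`. Assuming `src` is the remote path handed over by `tolocal()`, a request such as `host:*.txt` makes `strrchr(src_copy, '/')` return NULL, the pattern stays NULL, and the later `fnmatch()` check is skipped, so the server's filenames are not validated at all in that case. Falling back to the whole string closes the gap: `if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) *restrict_pattern++ = '\0'; else restrict_pattern = src_copy;`. The check is also skipped when `iamrecursive` is set, which deserves a sentence in the new `-T` paragraph of scp.1. `sink()` continues outside the hunk, so whether `src_copy` is freed cannot be seen here.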
diff --git a/package/opentracing-cpp/Config.in b/package/opentracing-cpp/Config.in
index ebcce35aa8..ff3067b7d1 100644
--- a/package/opentracing-cpp/Config.in
+++ b/package/opentracing-cpp/Config.in
@@ -2,6 +2,7 @@ config BR2_PACKAGE_OPENTRACING_CPP
bool "opentracing-cpp"
depends on BR2_INSTALL_LIBSTDCPP
depends on BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_STATIC_LIBS
depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 # C++11
depends on !BR2_TOOLCHAIN_HAS_GCC_BUG_64735 # exception_ptr
help
@@ -9,8 +10,9 @@ config BR2_PACKAGE_OPENTRACING_CPP
http://opentracing.io
-comment "opentracing-cpp needs a toolchain w/ C++, threads, gcc >= 4.8"
- depends on !BR2_INSTALL_LIBSTDCPP || !BR2_TOOLCHAIN_HAS_THREADS || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_8
+comment "opentracing-cpp needs a toolchain w/ C++, threads, dynamic library, gcc >= 4.8"
+ depends on !BR2_INSTALL_LIBSTDCPP || !BR2_TOOLCHAIN_HAS_THREADS \
+ || BR2_STATIC_LIBS || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_8
comment "opentracing-cpp needs exception_ptr"
depends on BR2_TOOLCHAIN_HAS_GCC_BUG_64735
diff --git a/package/python-pyyaml/python-pyyaml.mk b/package/python-pyyaml/python-pyyaml.mk
index 95f0f0bb9e..b73b4356a0 100644
--- a/package/python-pyyaml/python-pyyaml.mk
+++ b/package/python-pyyaml/python-pyyaml.mk
@@ -11,5 +11,7 @@ PYTHON_PYYAML_SETUP_TYPE = distutils
PYTHON_PYYAML_LICENSE = MIT
PYTHON_PYYAML_LICENSE_FILES = LICENSE
PYTHON_PYYAML_DEPENDENCIES = libyaml
+HOST_PYTHON_PYYAML_DEPENDENCIES = host-libyaml
$(eval $(python-package))
+$(eval $(host-python-package))
diff --git a/package/python-typing/python-typing.mk b/package/python-typing/python-typing.mk
index acb5316129..663227dfc9 100644
--- a/package/python-typing/python-typing.mk
+++ b/package/python-typing/python-typing.mk
@@ -12,3 +12,4 @@ PYTHON_TYPING_LICENSE = Python-2.0, others
PYTHON_TYPING_LICENSE_FILES = LICENSE
$(eval $(python-package))
+$(eval $(host-python-package))
diff --git a/package/runc/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch b/package/runc/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch
new file mode 100644
index 0000000000..a0bc7ba300
--- /dev/null
+++ b/package/runc/0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch
@@ -0,0 +1,338 @@
+From 0a8e4117e7f715d5fbeef398405813ce8e88558b Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Wed, 9 Jan 2019 13:40:01 +1100
+Subject: [PATCH] nsenter: clone /proc/self/exe to avoid exposing host binary
+ to container
+
+There are quite a few circumstances where /proc/self/exe pointing to a
+pretty important container binary is a _bad_ thing, so to avoid this we
+have to make a copy (preferably doing self-clean-up and not being
+writeable).
+
+We require memfd_create(2) -- though there is an O_TMPFILE fallback --
+but we can always extend this to use a scratch MNT_DETACH overlayfs or
+tmpfs. The main downside to this approach is no page-cache sharing for
+the runc binary (which overlayfs would give us) but this is far less
+complicated.
+
+This is only done during nsenter so that it happens transparently to the
+Go code, and any libcontainer users benefit from it. This also makes
+ExtraFiles and --preserve-fds handling trivial (because we don't need to
+worry about it).
+
+Fixes: CVE-2019-5736
+Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ libcontainer/nsenter/cloned_binary.c | 268 +++++++++++++++++++++++++++++++++++
+ libcontainer/nsenter/nsexec.c | 11 ++
+ 2 files changed, 279 insertions(+)
+ create mode 100644 libcontainer/nsenter/cloned_binary.c
+
+diff --git a/libcontainer/nsenter/cloned_binary.c b/libcontainer/nsenter/cloned_binary.c
+new file mode 100644
+index 00000000..c8a42c23
+--- /dev/null
++++ b/libcontainer/nsenter/cloned_binary.c
+@@ -0,0 +1,268 @@
++/*
++ * Copyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>
++ * Copyright (C) 2019 SUSE LLC
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++#define _GNU_SOURCE
++#include <unistd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <stdbool.h>
++#include <string.h>
++#include <limits.h>
++#include <fcntl.h>
++#include <errno.h>
++
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/vfs.h>
++#include <sys/mman.h>
++#include <sys/sendfile.h>
++#include <sys/syscall.h>
++
++/* Use our own wrapper for memfd_create. */
++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
++# define SYS_memfd_create __NR_memfd_create
++#endif
++#ifdef SYS_memfd_create
++# define HAVE_MEMFD_CREATE
++/* memfd_create(2) flags -- copied from <linux/memfd.h>. */
++# ifndef MFD_CLOEXEC
++# define MFD_CLOEXEC 0x0001U
++# define MFD_ALLOW_SEALING 0x0002U
++# endif
++int memfd_create(const char *name, unsigned int flags)
++{
++ return syscall(SYS_memfd_create, name, flags);
++}
++#endif
++
++/* This comes directly from <linux/fcntl.h>. */
++#ifndef F_LINUX_SPECIFIC_BASE
++# define F_LINUX_SPECIFIC_BASE 1024
++#endif
++#ifndef F_ADD_SEALS
++# define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
++# define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
++#endif
++#ifndef F_SEAL_SEAL
++# define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
++# define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
++# define F_SEAL_GROW 0x0004 /* prevent file from growing */
++# define F_SEAL_WRITE 0x0008 /* prevent writes */
++#endif
++
++#define RUNC_SENDFILE_MAX 0x7FFFF000 /* sendfile(2) is limited to 2GB. */
++#ifdef HAVE_MEMFD_CREATE
++# define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
++# define RUNC_MEMFD_SEALS \
++ (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
++#endif
++
++static void *must_realloc(void *ptr, size_t size)
++{
++ void *old = ptr;
++ do {
++ ptr = realloc(old, size);
++ } while(!ptr);
++ return ptr;
++}
++
++/*
++ * Verify whether we are currently in a self-cloned program (namely, is
++ * /proc/self/exe a memfd). F_GET_SEALS will only succeed for memfds (or rather
++ * for shmem files), and we want to be sure it's actually sealed.
++ */
++static int is_self_cloned(void)
++{
++ int fd, ret, is_cloned = 0;
++
++ fd = open("/proc/self/exe", O_RDONLY|O_CLOEXEC);
++ if (fd < 0)
++ return -ENOTRECOVERABLE;
++
++#ifdef HAVE_MEMFD_CREATE
++ ret = fcntl(fd, F_GET_SEALS);
++ is_cloned = (ret == RUNC_MEMFD_SEALS);
++#else
++ struct stat statbuf = {0};
++ ret = fstat(fd, &statbuf);
++ if (ret >= 0)
++ is_cloned = (statbuf.st_nlink == 0);
++#endif
++ close(fd);
++ return is_cloned;
++}
++
++/*
++ * Basic wrapper around mmap(2) that gives you the file length so you can
++ * safely treat it as an ordinary buffer. Only gives you read access.
++ */
++static char *read_file(char *path, size_t *length)
++{
++ int fd;
++ char buf[4096], *copy = NULL;
++
++ if (!length)
++ return NULL;
++
++ fd = open(path, O_RDONLY | O_CLOEXEC);
++ if (fd < 0)
++ return NULL;
++
++ *length = 0;
++ for (;;) {
++ int n;
++
++ n = read(fd, buf, sizeof(buf));
++ if (n < 0)
++ goto error;
++ if (!n)
++ break;
++
++ copy = must_realloc(copy, (*length + n) * sizeof(*copy));
++ memcpy(copy + *length, buf, n);
++ *length += n;
++ }
++ close(fd);
++ return copy;
++
++error:
++ close(fd);
++ free(copy);
++ return NULL;
++}
++
++/*
++ * A poor-man's version of "xargs -0". Basically parses a given block of
++ * NUL-delimited data, within the given length and adds a pointer to each entry
++ * to the array of pointers.
++ */
++static int parse_xargs(char *data, int data_length, char ***output)
++{
++ int num = 0;
++ char *cur = data;
++
++ if (!data || *output != NULL)
++ return -1;
++
++ while (cur < data + data_length) {
++ num++;
++ *output = must_realloc(*output, (num + 1) * sizeof(**output));
++ (*output)[num - 1] = cur;
++ cur += strlen(cur) + 1;
++ }
++ (*output)[num] = NULL;
++ return num;
++}
++
++/*
++ * "Parse" out argv and envp from /proc/self/cmdline and /proc/self/environ.
++ * This is necessary because we are running in a context where we don't have a
++ * main() that we can just get the arguments from.
++ */
++static int fetchve(char ***argv, char ***envp)
++{
++ char *cmdline = NULL, *environ = NULL;
++ size_t cmdline_size, environ_size;
++
++ cmdline = read_file("/proc/self/cmdline", &cmdline_size);
++ if (!cmdline)
++ goto error;
++ environ = read_file("/proc/self/environ", &environ_size);
++ if (!environ)
++ goto error;
++
++ if (parse_xargs(cmdline, cmdline_size, argv) <= 0)
++ goto error;
++ if (parse_xargs(environ, environ_size, envp) <= 0)
++ goto error;
++
++ return 0;
++
++error:
++ free(environ);
++ free(cmdline);
++ return -EINVAL;
++}
++
++static int clone_binary(void)
++{
++ int binfd, memfd;
++ ssize_t sent = 0;
++
++#ifdef HAVE_MEMFD_CREATE
++ memfd = memfd_create(RUNC_MEMFD_COMMENT, MFD_CLOEXEC | MFD_ALLOW_SEALING);
++#else
++ memfd = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0711);
++#endif
++ if (memfd < 0)
++ return -ENOTRECOVERABLE;
++
++ binfd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
++ if (binfd < 0)
++ goto error;
++
++ sent = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
++ close(binfd);
++ if (sent < 0)
++ goto error;
++
++#ifdef HAVE_MEMFD_CREATE
++ int err = fcntl(memfd, F_ADD_SEALS, RUNC_MEMFD_SEALS);
++ if (err < 0)
++ goto error;
++#else
++ /* Need to re-open "memfd" as read-only to avoid execve(2) giving -EXTBUSY. */
++ int newfd;
++ char *fdpath = NULL;
++
++ if (asprintf(&fdpath, "/proc/self/fd/%d", memfd) < 0)
++ goto error;
++ newfd = open(fdpath, O_RDONLY | O_CLOEXEC);
++ free(fdpath);
++ if (newfd < 0)
++ goto error;
++
++ close(memfd);
++ memfd = newfd;
++#endif
++ return memfd;
++
++error:
++ close(memfd);
++ return -EIO;
++}
++
++int ensure_cloned_binary(void)
++{
++ int execfd;
++ char **argv = NULL, **envp = NULL;
++
++ /* Check that we're not self-cloned, and if we are then bail. */
++ int cloned = is_self_cloned();
++ if (cloned > 0 || cloned == -ENOTRECOVERABLE)
++ return cloned;
++
++ if (fetchve(&argv, &envp) < 0)
++ return -EINVAL;
++
++ execfd = clone_binary();
++ if (execfd < 0)
++ return -EIO;
++
++ fexecve(execfd, argv, envp);
++ return -ENOEXEC;
++}
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index 28269dfc..7750af35 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -534,6 +534,9 @@ void join_namespaces(char *nslist)
+ free(namespaces);
+ }
+
++/* Defined in cloned_binary.c. */
++extern int ensure_cloned_binary(void);
++
+ void nsexec(void)
+ {
+ int pipenum;
+@@ -549,6 +552,14 @@ void nsexec(void)
+ if (pipenum == -1)
+ return;
+
++ /*
++ * We need to re-exec if we are not in a cloned binary. This is necessary
++ * to ensure that containers won't be able to access the host binary
++ * through /proc/self/exe. See CVE-2019-5736.
++ */
++ if (ensure_cloned_binary() < 0)
++ bail("could not ensure we are a cloned binary");
++
+ /* Parse all of the netlink configuration. */
+ nl_parse(pipenum, &config);
+
+--
+2.11.0
+
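Review bot: In `clone_binary()` the copy of `/proc/self/exe` is a single `sendfile()` call whose result is only tested with `sent < 0`, so a short transfer would go unnoticed. sendfile(2) may write fewer bytes than requested, in which case a truncated image is sealed and later passed to `fexecve()`. Since this copy is the whole point of the CVE-2019-5736 mitigation, it should loop until the size reported by `fstat()` on `binfd` has been transferred and treat a zero or negative return as an error. The function is entirely inside this hunk; a sketch of the copy step follows.

```c
	/* … unchanged: memfd creation and open of /proc/self/exe into binfd … */

	/* sendfile(2) may return short; copy until the whole binary is in memfd. */
	struct stat statbuf = {0};
	if (fstat(binfd, &statbuf) < 0) {
		close(binfd);
		goto error;
	}
	while (sent < statbuf.st_size) {
		ssize_t n = sendfile(memfd, binfd, NULL, RUNC_SENDFILE_MAX);
		if (n <= 0) {
			close(binfd);
			goto error;
		}
		sent += n;
	}
	close(binfd);

	/* … unchanged: F_ADD_SEALS / read-only re-open … */
```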
diff --git a/package/runc/Config.in b/package/runc/Config.in
index fd5dee7c5b..47c850ef30 100644
--- a/package/runc/Config.in
+++ b/package/runc/Config.in
@@ -3,13 +3,14 @@ config BR2_PACKAGE_RUNC
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
depends on BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_TOOLCHAIN_USES_UCLIBC # no fexecve
help
runC is a CLI tool for spawning and running containers
according to the OCP specification.
https://github.com/opencontainers/runc
-comment "runc needs a toolchain w/ threads"
+comment "runc needs a glibc or musl toolchain toolchain w/ threads"
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS && \
BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS
- depends on !BR2_TOOLCHAIN_HAS_THREADS
+ depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAN_USES_UCLIBC
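Review bot: The new `depends on` line of the comment spells the symbol `BR2_TOOLCHAN_USES_UCLIBC` (missing "I"). That symbol is undefined and evaluates to false, so the hint is never shown to users whose uClibc toolchain is what hides runc. It should read `depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_TOOLCHAIN_USES_UCLIBC`. The comment string also repeats a word and would read better as `comment "runc needs a glibc or musl toolchain w/ threads"`.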
diff --git a/package/sg3_utils/0002-src-Makefile.am-add-missing-RT_LIB-for-sg_turs.patch b/package/sg3_utils/0002-src-Makefile.am-add-missing-RT_LIB-for-sg_turs.patch
new file mode 100644
index 0000000000..34a4e114ec
--- /dev/null
+++ b/package/sg3_utils/0002-src-Makefile.am-add-missing-RT_LIB-for-sg_turs.patch
@@ -0,0 +1,29 @@
+From 68b0591cf37760e09e358533bbcecf36eddfceed Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Sun, 10 Feb 2019 14:46:41 +0100
+Subject: [PATCH] src/Makefile.am: add missing @RT_LIB@ for sg_turs
+
+The sg_turs program uses clock_gettime(), so it should link against
+librt, as provided by @RT_LIB@.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 881cf29..0eba680 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -170,7 +170,7 @@ sg_test_rwbuf_LDADD = ../lib/libsgutils2.la
+
+ sg_timestamp_LDADD = ../lib/libsgutils2.la
+
+-sg_turs_LDADD = ../lib/libsgutils2.la
++sg_turs_LDADD = ../lib/libsgutils2.la @RT_LIB@
+
+ sg_unmap_LDADD = ../lib/libsgutils2.la
+
+--
+2.20.1
+
diff --git a/package/sg3_utils/sg3_utils.mk b/package/sg3_utils/sg3_utils.mk
index b3a79d68ee..79521fd06e 100644
--- a/package/sg3_utils/sg3_utils.mk
+++ b/package/sg3_utils/sg3_utils.mk
@@ -14,7 +14,7 @@ SG3_UTILS_LICENSE := $(SG3_UTILS_LICENSE), GPL-2.0+ (programs), BSD-3-Clause (pr
endif
SG3_UTILS_LICENSE_FILES = COPYING BSD_LICENSE
-# Patching configure.ac
+# Patching configure.ac/Makefile.am
SG3_UTILS_AUTORECONF = YES
# install the libsgutils2 library
diff --git a/package/sqlcipher/0001-Support-OpenSSL-1.1.0-and-prior.patch b/package/sqlcipher/0001-Support-OpenSSL-1.1.0-and-prior.patch
new file mode 100644
index 0000000000..4fa3e3c768
--- /dev/null
+++ b/package/sqlcipher/0001-Support-OpenSSL-1.1.0-and-prior.patch
@@ -0,0 +1,97 @@
+From 43f71fa7b4c6a20f4078b9098369abb8d38a5617 Mon Sep 17 00:00:00 2001
+From: Nick Parker <nparker@zetetic.net>
+Date: Fri, 9 Dec 2016 11:47:39 -0600
+Subject: [PATCH] Support OpenSSL 1.1.0 and prior
+
+(cherry picked from commit 939c83a007e4724436c3955ae2afd8b11b92d867)
+Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
+---
+ src/crypto_openssl.c | 53 +++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 38 insertions(+), 15 deletions(-)
+
+diff --git a/src/crypto_openssl.c b/src/crypto_openssl.c
+index 150ab92..6822325 100644
+--- a/src/crypto_openssl.c
++++ b/src/crypto_openssl.c
+@@ -47,6 +47,29 @@ static unsigned int openssl_external_init = 0;
+ static unsigned int openssl_init_count = 0;
+ static sqlite3_mutex* openssl_rand_mutex = NULL;
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++static HMAC_CTX *HMAC_CTX_new(void)
++{
++ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
++ if (ctx != NULL) {
++ HMAC_CTX_init(ctx);
++ }
++ return ctx;
++}
++
++// Per 1.1.0 (https://wiki.openssl.org/index.php/1.1_API_Changes)
++// HMAC_CTX_free should call HMAC_CTX_cleanup, then EVP_MD_CTX_Cleanup.
++// HMAC_CTX_cleanup internally calls EVP_MD_CTX_cleanup so these
++// calls are not needed.
++static void HMAC_CTX_free(HMAC_CTX *ctx)
++{
++ if (ctx != NULL) {
++ HMAC_CTX_cleanup(ctx);
++ OPENSSL_free(ctx);
++ }
++}
++#endif
++
+ static int sqlcipher_openssl_add_random(void *ctx, void *buffer, int length) {
+ #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
+ sqlite3_mutex_enter(openssl_rand_mutex);
+@@ -143,14 +166,14 @@ static int sqlcipher_openssl_random (void *ctx, void *buffer, int length) {
+ }
+
+ static int sqlcipher_openssl_hmac(void *ctx, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out) {
+- HMAC_CTX hctx;
+ unsigned int outlen;
+- HMAC_CTX_init(&hctx);
+- HMAC_Init_ex(&hctx, hmac_key, key_sz, EVP_sha1(), NULL);
+- HMAC_Update(&hctx, in, in_sz);
+- HMAC_Update(&hctx, in2, in2_sz);
+- HMAC_Final(&hctx, out, &outlen);
+- HMAC_CTX_cleanup(&hctx);
++ HMAC_CTX* hctx = HMAC_CTX_new();
++ if(hctx == NULL) return SQLITE_ERROR;
++ HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha1(), NULL);
++ HMAC_Update(hctx, in, in_sz);
++ HMAC_Update(hctx, in2, in2_sz);
++ HMAC_Final(hctx, out, &outlen);
++ HMAC_CTX_free(hctx);
+ return SQLITE_OK;
+ }
+
+@@ -160,18 +183,18 @@ static int sqlcipher_openssl_kdf(void *ctx, const unsigned char *pass, int pass_
+ }
+
+ static int sqlcipher_openssl_cipher(void *ctx, int mode, unsigned char *key, int key_sz, unsigned char *iv, unsigned char *in, int in_sz, unsigned char *out) {
+- EVP_CIPHER_CTX ectx;
+ int tmp_csz, csz;
+-
+- EVP_CipherInit(&ectx, ((openssl_ctx *)ctx)->evp_cipher, NULL, NULL, mode);
+- EVP_CIPHER_CTX_set_padding(&ectx, 0); // no padding
+- EVP_CipherInit(&ectx, NULL, key, iv, mode);
+- EVP_CipherUpdate(&ectx, out, &tmp_csz, in, in_sz);
++ EVP_CIPHER_CTX* ectx = EVP_CIPHER_CTX_new();
++ if(ectx == NULL) return SQLITE_ERROR;
++ EVP_CipherInit_ex(ectx, ((openssl_ctx *)ctx)->evp_cipher, NULL, NULL, NULL, mode);
++ EVP_CIPHER_CTX_set_padding(ectx, 0); // no padding
++ EVP_CipherInit_ex(ectx, NULL, NULL, key, iv, mode);
++ EVP_CipherUpdate(ectx, out, &tmp_csz, in, in_sz);
+ csz = tmp_csz;
+ out += tmp_csz;
+- EVP_CipherFinal(&ectx, out, &tmp_csz);
++ EVP_CipherFinal_ex(ectx, out, &tmp_csz);
+ csz += tmp_csz;
+- EVP_CIPHER_CTX_cleanup(&ectx);
++ EVP_CIPHER_CTX_free(ectx);
+ assert(in_sz == csz);
+ return SQLITE_OK;
+ }
+--
+1.9.1
+
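Review bot: The rewritten bodies of `sqlcipher_openssl_hmac()` and `sqlcipher_openssl_cipher()` check only the context allocation and still ignore the return values of the `HMAC_*` and `EVP_Cipher*` calls. A failing init, update or final step therefore returns `SQLITE_OK` with `out` partially or never written, which for an encryption layer means garbage or stale buffer contents are treated as valid output. Now that the context is heap-allocated, each step can be guarded in the form `if(!EVP_CipherUpdate(ectx, out, &tmp_csz, in, in_sz)) { EVP_CIPHER_CTX_free(ectx); return SQLITE_ERROR; }`, and likewise with `HMAC_CTX_free(hctx)` in the HMAC path. The closing `assert(in_sz == csz)` is compiled out under `NDEBUG`, so it does not replace these checks.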
diff --git a/package/sqlcipher/0002-Guard-OpenSSL-init-and-cleanup-routines-on-versions-.patch b/package/sqlcipher/0002-Guard-OpenSSL-init-and-cleanup-routines-on-versions-.patch
new file mode 100644
index 0000000000..1585b8d450
--- /dev/null
+++ b/package/sqlcipher/0002-Guard-OpenSSL-init-and-cleanup-routines-on-versions-.patch
@@ -0,0 +1,42 @@
+From 6b4dbecbcfe35d36fea264c04c41b338852d4e88 Mon Sep 17 00:00:00 2001
+From: Nick Parker <nparker@zetetic.net>
+Date: Wed, 1 Mar 2017 15:35:43 -0600
+Subject: [PATCH] Guard OpenSSL init and cleanup routines on versions less
+ than 1.1.0
+
+(cherry picked from commit 1c495b933cee3381f1ea6a70edcbcda1754d7409)
+Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
+
+Conflicts:
+ src/crypto_openssl.c
+---
+ src/crypto_openssl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/crypto_openssl.c b/src/crypto_openssl.c
+index 6822325..09bc2a2 100644
+--- a/src/crypto_openssl.c
++++ b/src/crypto_openssl.c
+@@ -102,7 +102,9 @@ static int sqlcipher_openssl_activate(void *ctx) {
+
+ if(openssl_init_count == 0 && openssl_external_init == 0) {
+ /* if the library was not externally initialized, then should be now */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ OpenSSL_add_all_algorithms();
++#endif
+ }
+
+ #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
+@@ -131,7 +133,9 @@ static int sqlcipher_openssl_deactivate(void *ctx) {
+ Note: this code will only be reached if OpensSSL_add_all_algorithms()
+ is called by SQLCipher internally. This should prevent SQLCipher from
+ "cleaning up" openssl when it was initialized externally by the program */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ EVP_cleanup();
++#endif
+ }
+ #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
+ sqlite3_mutex_free(openssl_rand_mutex);
+--
+1.9.1
+
diff --git a/package/sqlcipher/0003-correct-compliation-under-openssl-1.1.x.patch b/package/sqlcipher/0003-correct-compliation-under-openssl-1.1.x.patch
new file mode 100644
index 0000000000..b15fabcbec
--- /dev/null
+++ b/package/sqlcipher/0003-correct-compliation-under-openssl-1.1.x.patch
@@ -0,0 +1,48 @@
+From 3da532754fb2bb7d379d4386a8c3339742edfb0b Mon Sep 17 00:00:00 2001
+From: Stephen Lombardo <sjlombardo@zetetic.net>
+Date: Wed, 10 Oct 2018 15:55:49 -0400
+Subject: [PATCH] correct compliation under openssl 1.1.x
+
+(cherry picked from commit 57ea35296ce7f2c1c93ce79194eea19a008b69ae)
+Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
+
+Conflicts:
+ src/crypto_openssl.c
+---
+ src/crypto_openssl.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/crypto_openssl.c b/src/crypto_openssl.c
+index 09bc2a2..57a1104 100644
+--- a/src/crypto_openssl.c
++++ b/src/crypto_openssl.c
+@@ -47,7 +47,7 @@ static unsigned int openssl_external_init = 0;
+ static unsigned int openssl_init_count = 0;
+ static sqlite3_mutex* openssl_rand_mutex = NULL;
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
+ static HMAC_CTX *HMAC_CTX_new(void)
+ {
+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+@@ -102,7 +102,7 @@ static int sqlcipher_openssl_activate(void *ctx) {
+
+ if(openssl_init_count == 0 && openssl_external_init == 0) {
+ /* if the library was not externally initialized, then should be now */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
+ OpenSSL_add_all_algorithms();
+ #endif
+ }
+@@ -133,7 +133,7 @@ static int sqlcipher_openssl_deactivate(void *ctx) {
+ Note: this code will only be reached if OpensSSL_add_all_algorithms()
+ is called by SQLCipher internally. This should prevent SQLCipher from
+ "cleaning up" openssl when it was initialized externally by the program */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
+ EVP_cleanup();
+ #endif
+ }
+--
+1.9.1
+
diff --git a/package/sqlcipher/Config.in b/package/sqlcipher/Config.in
index 332754b15a..b26bc7709f 100644
--- a/package/sqlcipher/Config.in
+++ b/package/sqlcipher/Config.in
@@ -3,6 +3,7 @@ config BR2_PACKAGE_SQLCIPHER
depends on !BR2_PACKAGE_SQLITE
depends on BR2_TOOLCHAIN_HAS_THREADS
select BR2_PACKAGE_OPENSSL
+ select BR2_PACKAGE_OPENSSL_FORCE_LIBOPENSSL
help
SQLCipher is an SQLite extension that provides 256 bits AES
encryption of database files. Note that it is a fork of
diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index f9df66b039..7a46a50ed3 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -10,6 +10,7 @@ SYSTEMD_LICENSE = LGPL-2.1+, GPL-2.0+ (udev), Public Domain (few source files, s
SYSTEMD_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1 README
SYSTEMD_INSTALL_STAGING = YES
SYSTEMD_DEPENDENCIES = \
+ $(if $(BR2_PACKAGE_BASH_COMPLETION),bash-completion) \
host-gperf \
host-intltool \
kmod \
@@ -23,7 +24,6 @@ SYSTEMD_CONF_OPTS += \
-Dblkid=true \
-Dman=false \
-Dima=false \
- -Dlibcryptsetup=false \
-Defi=false \
-Dgnu-efi=false \
-Dldconfig=false \
@@ -57,6 +57,13 @@ else
SYSTEMD_CONF_OPTS += -Daudit=false
endif
+ifeq ($(BR2_PACKAGE_CRYPTSETUP),y)
+SYSTEMD_DEPENDENCIES += cryptsetup
+SYSTEMD_CONF_OPTS += -Dlibcryptsetup=true
+else
+SYSTEMD_CONF_OPTS += -Dlibcryptsetup=false
+endif
+
ifeq ($(BR2_PACKAGE_ELFUTILS),y)
SYSTEMD_DEPENDENCIES += elfutils
SYSTEMD_CONF_OPTS += -Delfutils=true
@@ -117,6 +124,13 @@ else
SYSTEMD_CONF_OPTS += -Dpam=false
endif
+ifeq ($(BR2_PACKAGE_VALGRIND),y)
+SYSTEMD_DEPENDENCIES += valgrind
+SYSTEMD_CONF_OPTS += -Dvalgrind=true
+else
+SYSTEMD_CONF_OPTS += -Dvalgrind=false
+endif
+
ifeq ($(BR2_PACKAGE_XZ),y)
SYSTEMD_DEPENDENCIES += xz
SYSTEMD_CONF_OPTS += -Dxz=true
diff --git a/support/testing/tests/package/test_docker_compose.py b/support/testing/tests/package/test_docker_compose.py
index 8bf3ae00b5..de53a3da14 100644
--- a/support/testing/tests/package/test_docker_compose.py
+++ b/support/testing/tests/package/test_docker_compose.py
@@ -4,19 +4,12 @@ import infra.basetest
class TestDockerCompose(infra.basetest.BRTest):
- config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
+ config = \
"""
BR2_x86_64=y
BR2_x86_core2=y
- BR2_TOOLCHAIN_EXTERNAL=y
- BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
- BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
- BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-x86-64-core2-full-2018.05.tar.bz2"
- BR2_TOOLCHAIN_EXTERNAL_GCC_6=y
- BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_16=y
- BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
- # BR2_TOOLCHAIN_EXTERNAL_HAS_THREADS_DEBUG is not set
- BR2_TOOLCHAIN_EXTERNAL_CXX=y
+ BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
+ BR2_KERNEL_HEADERS_4_19=y
BR2_SYSTEM_DHCP="eth0"
BR2_ROOTFS_POST_BUILD_SCRIPT="{}"
BR2_ROOTFS_POST_SCRIPT_ARGS="{}"
diff --git a/utils/scanpypi b/utils/scanpypi
index a75d696222..bdce6924b6 100755
--- a/utils/scanpypi
+++ b/utils/scanpypi
@@ -225,6 +225,22 @@ class BuildrootPackage():
self.filename = self.used_url['filename']
self.url = self.used_url['url']
+ def check_archive(self, members):
+ """
+ Check archive content before extracting
+
+ Keyword arguments:
+ members -- list of archive members
+ """
+ # Protect against https://github.com/snyk/zip-slip-vulnerability
+ # Older python versions do not validate that the extracted files are
+ # inside the target directory. Detect and error out on evil paths
+ evil = [e for e in members if os.path.relpath(e).startswith(('/', '..'))]
+ if evil:
+ print('ERROR: Refusing to extract {} with suspicious members {}'.format(
+ self.filename, evil))
+ sys.exit(1)
+
def extract_package(self, tmp_path):
"""
Extract the package contents into a directrory
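Review bot: `check_archive()` normalises each member with `os.path.relpath(e)`, which is relative to the current working directory rather than to the directory passed to `extractall()`. The result therefore depends on where scanpypi is run: with a working directory of `/`, an absolute member name comes back without a leading `/` or `..` and passes the filter. Resolving against the real target is more robust, for example by passing `tmp_pkg` in and testing `os.path.realpath(os.path.join(dest, e)).startswith(os.path.realpath(dest) + os.sep)`. For the tar call in the third hunk, `getnames()` covers member names only, so a symlink or hardlink member whose `linkname` points outside the tree is not examined. Iterating `getmembers()` and rejecting `issym()`/`islnk()` entries that resolve outside `dest` would close that gap, and a docstring line stating that the method exits the process on failure would help callers.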
@@ -249,6 +265,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg)
+ self.check_archive(as_zipfile.namelist())
as_zipfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".zip")[0]
else:
@@ -264,6 +281,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg)
+ self.check_archive(as_tarfile.getnames())
as_tarfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".tar")[0]