Commit message | Author | Age | Files | Lines
* Update for 2020.02.3 [2020.02.3] | Peter Korsgaard | 2020-06-03 | 2 | -2/+30
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/perl: fix README hash | Fabrice Fontaine | 2020-06-02 | 1 | -7/+7
    Commit d5c7c9dabb94d64855b8c0383e77d01b890f85c3 forgot to update README
    hash (year, github issue tracker):
    https://github.com/Perl/perl5/commit/9802995490251df92faf7a0dd5c7114ad8146bd3
    https://github.com/Perl/perl5/commit/b9e2183386fadc0979b46e024365ceab56a369aa

    Also update indentation (two spaces)

    Fixes:
     - http://autobuild.buildroot.org/results/3b124aca123207460a9d025f5afd23f5f67fbf18

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit bf9a5cd2af304aa2cdfdd163dddba649a34344bd)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/perl: bump to version 5.30.2 | Francois Perrad | 2020-06-02 | 2 | -8/+8
    Fixes the build issue with gcc-10:
    http://autobuild.buildroot.net/results/412/4128b1add1edd8fdf6e8f29e659873de26eaead1/

    As mentioned in the changelog:
    - Configuration and Compilation
      GCC 10 is now supported by Configure.

    https://perldoc.pl/perl5302delta

    Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit d5c7c9dabb94d64855b8c0383e77d01b890f85c3)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 6}.x series | Peter Korsgaard | 2020-06-02 | 3 | -11/+11
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit e0f5cc8f66c44088cc858ab97e460e7f4d06faf3)
    [Peter: drop 5.5.x / 5.6.x bump]
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: cleanup rockwellcollins.com maintainers | Matt Weber | 2020-06-02 | 1 | -12/+1
    Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 9740b9bcdd9167195498393098e89915ee564691)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/glib-networking: security bump to version 2.62.4 | Fabrice Fontaine | 2020-06-02 | 2 | -5/+5
    - Fix CVE-2020-13645: In GNOME glib-networking through 2.64.2, the
      implementation of GTlsClientConnection skips hostname verification of
      the server's TLS certificate if the application fails to specify the
      expected server identity. This is in contrast to its intended
      documented behavior, to fail the certificate verification.
      Applications that fail to provide the server identity, including Balsa
      before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the
      certificate is valid for any host.
    - Update indentation in hash file (two spaces)

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    [Peter: bump to 2.62.4 rather than 2.64.3]
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 8f3d361f5ccbb43270f9e69bf6ac472698d3722e)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libusb-compat: set LIBUSB_1_0_SONAME | Fabrice Fontaine | 2020-06-02 | 1 | -0/+6
    LIBUSB_1_0_SONAME is detected since version 0.1.6 and
    https://github.com/libusb/libusb-compat-0.1/commit/b6f5a2fe12ca19d658d7180e106254b31cf1f8f5

    The detection mechanism is based on sed, here are the more relevant
    parts:

    shrext_regexp=`echo "$shrext_cmds" | sed 's/\./\\\\./'`
    [...]
    [AS_VAR_SET([ac_Lib_SONAME], [`ldd conftest$ac_exeext | grep 'lib[$2]'$shrext_regexp | sed 's/^@<:@ \t@:>@*lib[$2]'$shrext_regexp'/lib[$2]'$shrext_regexp'/;s/@<:@ \t@:>@.*$//'`])])

    However, this mechanism is broken with sed 4.7 and will return the
    following 'silent' error:

    checking for SONAME of libusb-1.0... sed: -e expression #1, char 40: Invalid back reference unknown

    Moreover, it also raises the following build failure on one of the
    autobuilder because an empty line is added to LIBUSB_1_0_SONAME:

    checking for SONAME of libusb-1.0... checking libusb-1.0.so.0
    checking for GNU extensions of errno.h... no
    configure: WARNING: cache variable au_cv_lib_soname_LIBUSB_1_0 contains a newline
    checking that generated files are newer than configure... done
    configure: creating ./config.status
    config.status: creating libusb.pc
    config.status: creating libusb-config
    config.status: creating Makefile
    config.status: creating libusb/Makefile
    config.status: creating examples/Makefile
    config.status: creating config.h
    config.status: executing depfiles commands
    config.status: executing libtool commands
    config.status: executing default commands
    configure: WARNING: unrecognized options: --disable-gtk-doc, --disable-gtk-doc-html, --disable-doc, --disable-docs, --disable-documentation, --with-xmlto, --with-fop, --enable-ipv6, --disable-nls
    configure: WARNING: cache variable au_cv_lib_soname_LIBUSB_1_0 contains a newline
    >>> libusb-compat 0.1.7 Building
    PATH="/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/host/bin:/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/host/sbin:/accts/mlweber1/bin:/accts/mlweber1/libexec/git-core:/accts/mlweber1/usr/bin:/accts/mlweber1/usr/local/bin:/accts/mlweber1/bin:/accts/mlweber1/libexec/git-core:/accts/mlweber1/usr/bin:/accts/mlweber1/usr/local/bin:/accts/mlweber1/bin:/accts/mlweber1/libexec/git-core:/accts/mlweber1/usr/bin:/accts/mlweber1/usr/local/bin:/accts/mlweber1/bin:/accts/mlweber1/libexec/git-core:/accts/mlweber1/usr/bin:/accts/mlweber1/usr/local/bin:/accts/mlweber1/bin:/accts/mlweber1/libexec/git-core:/accts/mlweber1/usr/bin:/accts/mlweber1/usr/local/bin:/accts/mlweber1/bin:/accts/mlweber1/libexec/git-core:/accts/mlweber1/usr/bin:/accts/mlweber1/usr/local/bin:/accts/mlweber1/bin:/accts/mlweber1/libexec/git-core:/accts/mlweber1/usr/bin:/accts/mlweber1/usr/local/bin:/accts/mlweber1/bin:/accts/mlweber1/libexec/git-core:/accts/mlweber1/usr/bin:/accts/mlweber1 /usr/local/bin:/usr/lib64/qt-3.3/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin" /usr/bin/make -j8 -C /usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/build/libusb-compat-0.1.7/
    make[1]: Entering directory `/usr/lfs/hdd_v1/rc-buildroot-test/scripts/instance-0/output-1/build/libusb-compat-0.1.7'
    Makefile:284: *** missing separator. Stop.

    We could patch m4/au_check_lib_soname.m4 to fix the mechanism however
    this is difficult without reproducing the autobuilder failure and
    upstream seems dead so just set LIBUSB_1_0_SONAME

    Fixes:
     - http://autobuild.buildroot.org/results/12d771d85d30594929cfe3e1c783fc70857e7f5f

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    [yann.morin.1998@free.fr: extract the actual SONAME from the library]
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 3a9261ddd917007e19b56b4bfe48ccc0861dd716)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/linux-headers: add support for CIP kernel versions with same-as-kernel | Yann E. MORIN | 2020-06-02 | 1 | -0/+5
    When the linux-headers are configured to use the same source as the
    kernel (BR2_KERNEL_HEADERS_AS_KERNEL), and the kernel is configured to
    be one of the two CIP versions (BR2_LINUX_KERNEL_LATEST_CIP_VERSION or
    BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION), the build fails if the kernel
    sources are not already downloaded:

    $ cat defconfig
    BR2_LINUX_KERNEL=y
    BR2_LINUX_KERNEL_LATEST_CIP_VERSION=y

    $ make defconfig BR2_DEFCONFIG=$(pwd)/defconfig
    $ make linux-headers-source
    >>> linux-headers 4.19.118-cip25 Downloading
    --2020-05-13 19:28:44-- https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.19.118-cip25.tar.xz
    Resolving cdn.kernel.org (cdn.kernel.org)... 2a04:4e42:1d::432, 151.101.121.176
    Connecting to cdn.kernel.org (cdn.kernel.org)|2a04:4e42:1d::432|:443... connected.
    HTTP request sent, awaiting response... 404 Not Found
    2020-05-13 19:28:45 ERROR 404: Not Found.

    make[1]: *** [package/pkg-generic.mk:171: /home/ymorin/dev/buildroot/O/build/linux-headers-4.19.118-cip25/.stamp_downloaded] Error 1
    make: *** [Makefile:23: _all] Error 2

    We fix that by adding yet another duplication of information out of the
    linux.mk, to use the CIP-specific git tree where to get the archives as
    snapshots.

    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit d25a5724c02a79049b9cf17a24c5f5c0ff010b2a)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dtc: bump version to 1.6.0 | Julien Olivain | 2020-06-02 | 2 | -5/+5
    When host compiler is gcc 10 (for example on Fedora 32), dtc 1.5.1
    fails to build with the error:

    /usr/bin/ld: dtc-parser.tab.o:(.bss+0x20): multiple definition of `yylloc'; dtc-lexer.lex.o:(.bss+0x0): first defined here
    collect2: error: ld returned 1 exit status

    dtc 1.6.0 fixes this issue in the commit:
    https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/?id=0e9225eb0dfec51def612b928d2f1836b092bc7e

    Also adopt new spacing convention in .hash files (two spaces).

    Signed-off-by: Julien Olivain <juju@cotds.org>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 198db470a73c14191915f8374362bc2a8b08c2bf)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gcc/9.3.0: fix host-gcc-final when ccache is used | Romain Naour | 2020-06-02 | 1 | -0/+81
    As reported by several Buildroot users [1][2][3], the gcc build may
    fail while running selftests makefile target.

    The problem only occurs when ccache is used with gcc 9 and 10,
    probably due to a race condition.

    While debugging with "make -p" we can notice that s-selftest-c target
    contains only "cc1" as dependency instead of cc1 and SELFTEST_DEPS [4].

    s-selftest-c: cc1

    While the build is failing, the s-selftest-c dependencies recipe is
    still running and reported as a bug by make.

    "Dependencies recipe running (THIS IS A BUG)."

    A change [5] in gcc 9 seems to introduce the problem since we can't
    reproduce this problem with gcc 8.

    As suggested by Yann E. MORIN [6], move SELFTEST_DEPS before
    including language makefile fragments.

    With the fix applied, the s-selftest-c dependency contains
    SELFTEST_DEPS value.

    s-selftest-c: cc1 xgcc specs stmp-int-hdrs ../../gcc/testsuite/selftests

    [1] http://lists.busybox.net/pipermail/buildroot/2020-May/282171.html
    [2] http://lists.busybox.net/pipermail/buildroot/2020-May/282766.html
    [3] https://github.com/cirosantilli/linux-kernel-module-cheat/issues/108
    [4] https://gcc.gnu.org/git/?p=gcc.git;a=blob;f=gcc/c/Make-lang.in;h=bfae6fd2549c4f728816cd355fa9739dcc08fcde;hb=033eb5671769a4c681a44aad08a454e667e08502#l120
    [5] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=033eb5671769a4c681a44aad08a454e667e08502
    [6] http://lists.busybox.net/pipermail/buildroot/2020-May/283213.html

    Signed-off-by: Romain Naour <romain.naour@gmail.com>
    Cc: Ben Dakin-Norris <ben.dakin-norris@navtechradar.com>
    Cc: Maxim Kochetkov <fido_max@inbox.ru>
    Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    Cc: Yann E. MORIN <yann.morin.1998@free.fr>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 58ecbbc3ef18c43ae1c02a5c4bf30aa7ef2d8092)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/sysrepo: fix SysV init script | Heiko Thiery | 2020-06-02 | 1 | -3/+3
    The current script (S51sysrepo-plugind) is not able to stop the daemon.

    Possible options to fix the problem:

    A) By adding the "-m -p $PIDFILE" option to start, the pid file will be
       created but it will not contain the correct PID used by the daemon.
       This is obviously because the daemon forks.

    B) By not starting the daemon in background (sysrepo-plugind -d) and
       letting start-stop-daemon do it with the "-b" option. But then the
       log messages of the daemon will no longer end up in the syslog but
       go to stderr.

    C) Start the daemon without a pidfile and stop the daemon with the "-x"
       option.

    The only valid option is C to fix that.

    Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
    [yann.morin.1998@free.fr: introduce EXECUTABLE]
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 1a14a838eaa88ae683bf8c0cb0ae6cc7e1d10d49)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: remove Carlos Santos | Carlos Santos | 2020-06-02 | 1 | -21/+0
    Goodbye!

    Signed-off-by: Carlos Santos <unixmania@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit ae417368f52518735dfce6c83d8e064298e6d0dd)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/xen: security bump to version 4.13.1 | Fabrice Fontaine | 2020-06-02 | 2 | -2/+2
    - Fix CVE-2020-11739: An issue was discovered in Xen through 4.13.x,
      allowing guest OS users to cause a denial of service or possibly gain
      privileges because of missing memory barriers in read-write unlock
      paths. The read-write unlock paths don't contain a memory barrier. On
      Arm, this means a processor is allowed to re-order the memory access
      with the preceding ones. In other words, the unlock may be seen by
      another processor before all the memory accesses within the
      "critical" section. As a consequence, it may be possible to have a
      writer executing a critical section at the same time as readers or
      another writer. In other words, many of the assumptions (e.g., a
      variable cannot be modified after a check) in the critical sections
      are not safe anymore. The read-write locks are used in hypercalls
      (such as grant-table ones), so a malicious guest could exploit the
      race. For instance, there is a small window where Xen can leak memory
      if XENMAPSPACE_grant_table is used concurrently. A malicious guest may
      be able to leak memory, or cause a hypervisor crash resulting in a
      Denial of Service (DoS). Information leak and privilege escalation
      cannot be excluded.

    - Fix CVE-2020-11740: An issue was discovered in xenoprof in Xen through
      4.13.x, allowing guest OS users (without active profiling) to obtain
      sensitive information about other guests. Unprivileged guests can
      request to map xenoprof buffers, even if profiling has not been
      enabled for those guests. These buffers were not scrubbed.

    - Fix CVE-2020-11741: An issue was discovered in xenoprof in Xen through
      4.13.x, allowing guest OS users (with active profiling) to obtain
      sensitive information about other guests, cause a denial of service,
      or possibly gain privileges. For guests for which "active" profiling
      was enabled by the administrator, the xenoprof code uses the standard
      Xen shared ring structure. Unfortunately, this code did not treat the
      guest as a potential adversary: it trusts the guest not to modify
      buffer size information or modify head / tail pointers in unexpected
      ways. This can crash the host (DoS). Privilege escalation cannot be
      ruled out.

    - Fix CVE-2020-11742: An issue was discovered in Xen through 4.13.x,
      allowing guest OS users to cause a denial of service because of bad
      continuation handling in GNTTABOP_copy. Grant table operations are
      expected to return 0 for success, and a negative number for errors.
      The fix for CVE-2017-12135 introduced a path through grant copy
      handling where success may be returned to the caller without any
      action taken. In particular, the status fields of individual
      operations are left uninitialised, and may result in errant behaviour
      in the caller of GNTTABOP_copy. A buggy or malicious guest can
      construct its grant table in such a way that, when a backend domain
      tries to copy a grant, it hits the incorrect exit path. This returns
      success to the caller without doing anything, which may cause crashes
      or other incorrect behaviour.

    - Fix CVE-2020-11743: An issue was discovered in Xen through 4.13.x,
      allowing guest OS users to cause a denial of service because of a bad
      error path in GNTTABOP_map_grant. Grant table operations are expected
      to return 0 for success, and a negative number for errors. Some
      misplaced brackets cause one error path to return 1 instead of a
      negative value. The grant table code in Linux treats this condition as
      success, and proceeds with incorrectly initialised state. A buggy or
      malicious guest can construct its grant table in such a way that, when
      a backend domain tries to map a grant, it hits the incorrect error
      path. This will crash a Linux based dom0 or backend domain.

    https://xenproject.org/downloads/xen-project-archives/xen-project-4-13-series/xen-project-4-13-1

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 0caabc8cda933b32660867b270151451f77b6e14)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* boot/arm-trusted-firmware: ignore licencing check for user defined official version | Romain Naour | 2020-06-02 | 1 | -0/+2
    The commit [1] "licensing info is only valid for v1.4" fixed the
    legal-info issues when a custom ATF tarball or a version from git is
    used. But we need to ignore licencing for a user defined official ATF
    version.

    Although the ATF versions are licensed under BSD-3-Clause, the license
    file can be updated between versions (for example between v1.4 and
    v2.0).

    Ignore the licencing check if the user provides a custom official
    version.

    [1] d1a61703f728340ec894c367398d2a3a394a3360

    Signed-off-by: Romain Naour <romain.naour@gmail.com>
    Cc: Yann E. MORIN <yann.morin.1998@free.fr>
    [yann.morin.1998@free.fr: use positive logic with the _LATEST option]
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 36c0a0c65647bebe1050a2f9a7005fb44c24cf56)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mp4v2: fix build with gcc <= 5 | Fabrice Fontaine | 2020-06-02 | 1 | -0/+50
    Fixes:
     - http://autobuild.buildroot.org/results/14937c96a82fb3d10e5d83bd7b2905b846fb09f9

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    [yann.morin.1998@free.fr: expand the patch' commit log]
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 9b91147545ab24c7fd23f9b052d95f0813f22d1c)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/{fmc,fmlib}: change repository location | Yann E. MORIN | 2020-06-02 | 2 | -2/+4
    Now that Freescale has been wholly swallowed into NXP, the public-facing
    git repositories that were hosting those two packages are no longer
    available.

    Fortunately, they had been mirrored on Code Aurora forge (a Linux
    Foundation project, so relatively stable and trustworthy), which has the
    tags we need, and that generates the exact same archives.

    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    Cc: Matthew Weber <matthew.weber@rockwellcollins.com>
    Reviewed-by: Matthew Weber <matthew.weber@rockwellcollins.com>
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 3bfe849189881d4872b5949739f91b1ed01b6622)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mp4v2: security bump to version 4.1.3 | Fabrice Fontaine | 2020-06-01 | 4 | -6/+6
    - Switch site to an active fork
    - Send patch upstream
    - Update indentation in hash file (two spaces)
    - Fix the following CVEs:
      - CVE-2018-14054: A double free exists in the MP4StringProperty class
        in mp4property.cpp in MP4v2 2.0.0. A dangling pointer is freed again
        in the destructor once an exception is triggered.
        Fixed by
        https://github.com/TechSmith/mp4v2/commit/f09cceeee5bd7f783fd31f10e8b3c440ccf4c743
      - CVE-2018-14325: In MP4v2 2.0.0, there is an integer underflow (with
        resultant memory corruption) when parsing MP4Atom in mp4atom.cpp.
        Fixed by
        https://github.com/TechSmith/mp4v2/commit/e475013c6ef78093055a02b0d035eda0f9f01451
      - CVE-2018-14326: In MP4v2 2.0.0, there is an integer overflow (with
        resultant memory corruption) when resizing MP4Array for the ftyp
        atom in mp4array.h.
        Fixed by
        https://github.com/TechSmith/mp4v2/commit/70d823ccd8e2d7d0ed9e62fb7e8983d21e6acbeb
      - CVE-2018-14379: MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0
        incorrectly uses the MP4ItemAtom data type in a certain case where
        MP4DataAtom is required, which allows remote attackers to cause a
        denial of service (memory corruption) or possibly have unspecified
        other impact via a crafted MP4 file, because access to the data
        structure has different expectations about layout as a result of
        this type confusion.
        Fixed by
        https://github.com/TechSmith/mp4v2/commit/73f38b4296aeb38617fa3923018bb78671c3b833
      - CVE-2018-14403: MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0
        mishandles substrings of atom names, leading to use of an
        inappropriate data type for associated atoms. The resulting type
        confusion can cause out-of-bounds memory access.
        Fixed by
        https://github.com/TechSmith/mp4v2/commit/51cb6b36f6c8edf9f195d5858eac9ba18b334a16

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 0a860f21e1b8004ee937c20d54d29a5e66f96651)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/gnupg: fix build with gcc 10 | Thomas Petazzoni | 2020-06-01 | 1 | -0/+156
    This commit backports an upstream patch made for gnupg2 into gnupg, in
    order to fix build failures with gcc 10 due to the use of -fno-common.

    Due to the code differences between upstream gnupg2 and the old gnupg
    1.x, the backport is in fact more a rewrite than an actual backport.

    Fixes:

      http://autobuild.buildroot.net/results/496a18833505dc589f7ae58f2c7e5fe80fe9af79/

    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    (cherry picked from commit 75e82c42c6a4612c7385a32dcb82ca9cb5d866bd)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/efl: fix -fno-common build failure | Heiko Thiery | 2020-06-01 | 1 | -0/+222
    Added upstream patch for fixing build failure when using GCC10 as a host
    compiler (-fno-common is now default).

    Fixes:
    http://autobuild.buildroot.net/results/47f/47fcf9bceba029accdcf159236addea3cb03f12f/

    Cc: Romain Naour <romain.naour@gmail.com>
    Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
    Reviewed-by: Romain Naour <romain.naour@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit fa96dfa6288652fedf650b1f6e39b4b1de0ef51b)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/erlang: fix -fno-common build failure | Heiko Thiery | 2020-06-01 | 1 | -0/+54
    Added upstream patch for fixing build failure when using GCC10 as a host
    compiler (-fno-common is now default).

    Cc: Romain Naour <romain.naour@gmail.com>
    Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 73f4ad304f8a654dd3359e73f33ed463389218fa)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* board/freescale: increase the vfat size | Fabio Estevam | 2020-06-01 | 1 | -1/+1
    The default image size is 32MiB, which is quite low by today's
    standards. Besides, the AArch64 kernels are relatively big, which
    leaves not much room, if at all, for users to experiment on the
    default image.

    Increase the vfat size to a more reasonable 64MiB.

    Note that users who derive an in-tree defconfig for their own case will
    always hit any arbitrary size we put here, so they will anyway have to
    also derive this template for their own use-cases.

    Signed-off-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 7d804aba66fbed7df6cf0caa845b6c52f7ff1f7e)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/audit: fix -fno-common build failure | Heiko Thiery | 2020-06-01 | 1 | -0/+28
    Added upstream patch for fixing build failure when using GCC10 as a host
    compiler (-fno-common is now default).

    Fixes:
    http://autobuild.buildroot.net/results/c4b/c4bba80e9fc476247c7ba28850831c6a8edd559f/build-end.log

    Cc: Romain Naour <romain.naour@gmail.com>
    Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
    Reviewed-by: Romain Naour <romain.naour@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit e7323e9d54ee9fc8a0c4af5f4198ac6024cc6b53)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/leveldb: fix detection of the snappy library | Thomas Petazzoni | 2020-06-01 | 1 | -0/+98
    Pull a patch pending in an upstream pull request to fix the detection
    of the snappy library when we are in static linking configurations.

    Fixes:

      https://bugs.busybox.net/show_bug.cgi?id=12671

    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit a26d6338fb47765de6e20fdead044ed6e69cc7ae)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/leveldb: turn snappy into an optional dependency | Thomas Petazzoni | 2020-06-01 | 2 | -2/+4
    snappy is not a mandatory dependency to build leveldb. Back when it
    was introduced in Buildroot, as of version 1.18, the build logic
    already made snappy an optional dependency.

    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 39ef24f8bbe44d7850179f10fe0ab7e08e06059d)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mesa3d: propagate missing libdrm-freedreno deps | James Hilliard | 2020-06-01 | 1 | -0/+6
    Libdrm freedreno depends on BR2_arm || BR2_aarch64 || BR2_aarch64_be
    as such we need to propagate those dependencies to mesa's gallium
    freedreno driver.

    Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit 00c1a8c34f7340c2db6eee82cd8d3f5e6ea62577)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/prosody: use correct bit32 package | James Hilliard | 2020-06-01 | 1 | -1/+1
    According to https://prosody.im/doc/depends#bitop the correct bitop
    package to use with prosody for Lua 5.1 is:
    https://luarocks.org/modules/siffiejoe/bit32

    As such replace BR2_PACKAGE_LUABITOP with BR2_PACKAGE_LUA_BIT32

    Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    (cherry picked from commit fa84c176c2148a60103e850204180f86aa5baa73)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* {linux, linux-headers}: bump 4.{4, 9, 14, 19}.x / 5.{4, 6}.x series | Peter Korsgaard | 2020-06-01 | 3 | -11/+11
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 8a12ddaa295ee4919bf294900b96362ee8cb4f78)
    [Peter: drop 5.5.x / 5.6.x bump]
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/lrzip: fix hash | Fabrice Fontaine | 2020-05-31 | 1 | -1/+1
    Hash was not updated by commit 18079e20a712c4a7d539ead52b0a0c725ec7f7e2

    Fixes:
     - http://autobuild.buildroot.org/results/0f7179ed4706f05551af330d7f12b3efaeffd278

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit b6aaed0cee95e61fc7714215199b6e344ba8c409)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/lrzip: bump to 7f3bf46203bf45ea115d8bd9f310ea219be88af4 | Fabrice Fontaine | 2020-05-31 | 2 | -2/+2
    This bump contains only one commit that fixes a build failure with asm:
    https://github.com/ckolivas/lrzip/commit/844b8c057c8c7372ca41ad2efdbf849f45c24506

    Fixes:
     - http://autobuild.buildroot.org/results/800d8a97966ef75dbf20e85ec8a02766ba02cc76

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 18079e20a712c4a7d539ead52b0a0c725ec7f7e2)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/qemu: remove csky fork | Romain Naour | 2020-05-31 | 6 | -16/+0
    We have a qemu fork for csky cpus [1] but since qemu version bump to
    4.2.0 [2] and libssh2/libssh change the csky build is broken.

    The csky fork is based on Qemu 3.0.0 but unlike autotools packages
    any unknown option is handled as error.

    Since we don't want to support all options from previous qemu release
    and the github repository has been removed [3] and the only remaining
    archive is located on http://sources.buildroot.net, remove the qemu
    csky fork as suggested by [4].

    [1] https://git.buildroot.net/buildroot/commit/?id=f816e5b276f1ef15840bec6667f1e8219717ab7d
    [2] https://git.buildroot.net/buildroot/commit/?id=0ea17054ce7dfc54efca5634133cef786445e7b1
    [3] https://github.com/c-sky/qemu
    [4] http://lists.busybox.net/pipermail/buildroot/2020-May/281885.html

    Signed-off-by: Romain Naour <romain.naour@gmail.com>
    Cc: Guo Ren <ren_guo@c-sky.com>
    Cc: Peter Korsgaard <peter@korsgaard.com>
    [Peter: move patches out of 4.2.0 subdir]
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 58af9a70cc0f195116dedb3fd0e2ca5b4fec9e70)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/speexdsp+tremor: switch to new git repository | Yann E. MORIN | 2020-05-31 | 2 | -2/+2
    The original git server on git.xiph.org died, and the Xiph project has
    now moved on to host their repositories on gitlab.com instead.

    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 97551eb176cd75419e3520ea94f184e3220980cd)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package: don't use BR2_KERNEL_MIRROR for git downloads | Yann E. MORIN | 2020-05-31 | 2 | -2/+2
    The git repositories are not served on the kernel.org CDN:

    fatal: repository 'https://cdn.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git/' not found

    Switch to explicitly use the git.kernel.org server.

    Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
    Cc: Matt Weber <matthew.weber@rockwellcollins.com>
    Cc: Cyril Bur <cyrilbur@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit fb57a54cf8d56fb9a32a3d632346c58eb58177b4)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/ffmpeg: bump version to 4.2.3 | Bernd Kuhls | 2020-05-31 | 3 | -41/+5
    Removed patch included in upstream release, reformatted hashes.

    Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit c5e932613eaed02d983af1889d2280f493b1a20e)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/wireshark: security bump to version 3.2.4 | Fabrice Fontaine | 2020-05-31 | 2 | -4/+4
    Fix CVE-2020-13164: In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and
    2.6.0 to 2.6.16, the NFS dissector could crash. This was addressed in
    epan/dissectors/packet-nfs.c by preventing excessive recursion, such as
    for a cycle in the directory graph on a filesystem.

    Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit 39bfd504102dce2166e9d9e1377744debde64b38)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* docs/manual: new chapter on release engineering | Joachim Nilsson | 2020-05-31 | 2 | -0/+36
    Describe release engineering and development phases of the project.

    Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
    (cherry picked from commit de2b78143c4316c6a6a07d44d74298d307609dd2)
    Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/ltrace: directly use s.b.o to fetch the archive | Yann E. MORIN | 2020-05-31 | 1 | -1/+8

  During the migration from alioth to gitlab, the git repository for ltrace was not migrated.

  There is a repository on gitlab.com, owned by the debian maintainer, but that repository does not contain the sha1 we know of:
  https://gitlab.com/cespedes/ltrace

  s.b.o. is the only known location so far to host the archive, so switch to it.

  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Cc: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 982728364141c4369003b1dbdc24e51428be6b39)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bind: security bump to version 9.11.19 | Peter Korsgaard | 2020-05-31 | 2 | -4/+4

  Fixes the following security issues:

  - (9.11.18) DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574]

  - (9.11.19) To prevent exhaustion of server resources by a maliciously configured domain, the number of recursive queries that can be triggered by a request before aborting recursion has been further limited. Root and top-level domain servers are no longer exempt from the max-recursion-queries limit. Fetches for missing name server address records are limited to 4 for any domain. This issue was disclosed in CVE-2020-8616. [GL #1388]

  - (9.11.19) Replaying a TSIG BADTIME response as a request could trigger an assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]

  Also update the COPYRIGHT hash for a change of copyright year and adjust the spacing for the new agreements.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 89a5d2162762490727c515692baa1257ba73179e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* packages/systemd: fix double getty on console | Jérémy Rosen | 2020-05-31 | 1 | -19/+27

  When selecting "console" for the automatic getty, the buildroot logic would collide with systemd's internal console detection logic, resulting in two getty being started on the console.

  This commit fixes that by doing nothing when "console" is selected and letting systemd-getty-generator deal with starting the proper getty.

  Note that if something other than the console is selected
    * Things will work properly, even if the selected terminal is also the console
    * A getty will still be started on the console. This is what systemd has been doing on buildroot since the beginning. It could be disabled but I left it for backward compatibility

  Fixes: #12361

  Signed-off-by: Jérémy Rosen <jeremy.rosen@smile.fr>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 26c32d933eb4d841b7fbe9c1e0b61cef89665b15)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot: security bump to version 2.3.10.1 | Fabrice Fontaine | 2020-05-31 | 3 | -37/+5

  - Fix CVE-2020-10957: In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp.
  - Fix CVE-2020-10958: In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command.
  - Fix CVE-2020-10967: In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart.
  - Drop first patch (already in version) and so autoreconf
  - Update indentation in hash file (two spaces)

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 03fbb81b8bab7bad135b59267533be7688babe39)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/dovecot: drop first patch | Fabrice Fontaine | 2020-05-31 | 3 | -33/+1

  First patch is not needed since version 2.3.0 and
  https://github.com/dovecot/core/commit/08259c1f206026ca9b9f4b4e97603943c6093def

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 6d7df70016d51c4813c77095705cf8a0e3e1c09e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/freerdp: security bump to version 2.1.1 | Fabrice Fontaine | 2020-05-31 | 2 | -3/+3

  From ChangeLog:

  - CVE: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage
  - CVE: GHSL-2020-101 OOB Read in security_fips_decrypt due to uninitialized value
  - CVE: GHSL-2020-102 OOB Write in crypto_rsa_common
  - Enforce synchronous legacy RDP encryption count (#6156)
  - Fixed some leaks and crashes missed in 2.1.0
  - Removed dynamic channel listener limits
  - Lots of resource cleanup fixes (clang sanitizers)

  https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit cb6eb5db792016751ab01b5dda04536ec65169c3)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: remove python-pycrypto | Fabrice Fontaine | 2020-05-31 | 1 | -1/+0

  Commit 7ef76ed32fcd447391e26d33a555ff5dab6dc48e forgot to remove python-pycrypto entry from DEVELOPERS

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit a00db9f80819982348e64834f76048c2c8381f40)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/vboot-utils: fix -fno-common build failure | Heiko Thiery | 2020-05-31 | 1 | -0/+50

  Added upstream patch for fixing build failure when using GCC10 as a host compiler (-fno-common is now default).

  Fixes:
  http://autobuild.buildroot.net/results/aca662d9fd7052f3b361b731cd266edb3b6c41b0
  http://autobuild.buildroot.net/results/6546b284cf306a2fde3c69d67daf9aacffa9e143
  http://autobuild.buildroot.net/results/db20bb3c11a1a9558a5d8021015c6915f99097c8

  Cc: Romain Naour <romain.naour@gmail.com>
  Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 19f726b9888f1bc4bb6284f2bcc417f5598c7723)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-pycrypto: remove package | Romain Naour | 2020-05-31 | 6 | -86/+7

  This package doesn't work with Python 3.8 since the code contains time.clock() that was deprecated in Python 3.3 and removed in Python 3.8.

  Instead of applying non-upstream patches from Fedora [1], python-pycrypto was replaced by python-pycryptodomex for crda and optee-os package.

  Now we can safely remove this package.

  [1] http://lists.busybox.net/pipermail/buildroot/2020-April/280683.html

  Fixes:
  https://gitlab.com/buildroot.org/buildroot/-/jobs/498144209

  Signed-off-by: Romain Naour <romain.naour@gmail.com>
  Cc: James Hilliard <james.hilliard1@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 7ef76ed32fcd447391e26d33a555ff5dab6dc48e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/crda: replace pycrypto by pycryptodomex | Romain Naour | 2020-05-31 | 2 | -12/+22

  From [1]:

  "PyCryptodome is a fork of PyCrypto, which is not maintained any more (the last release dates back to 2013 [2]). It exposes almost the same API, but there are a few incompatibilities [3]."

  [1] https://github.com/OP-TEE/optee_os/commit/90ad2450436fdd9fc0d28a3f92f3fbcfd89a38f0
  [2] https://pypi.org/project/pycrypto/#history
  [3] https://pycryptodome.readthedocs.io/en/latest/src/vs_pycrypto.html

  Update the patch 0001-crda-support-python-3-in-utils-key2pub.py.patch since it adds pycrypto.

  From [4]

  "CRDA is no longer needed as of kernel v4.15 since commit 007f6c5e6eb45 ("cfg80211: support loading regulatory database as firmware file") added support to use the kernel's firmware request API which looks for the firmware on /lib/firmware. Because of this CRDA is legacy software for older kernels. It will continue to be maintained."

  [4] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/crda.git/tree/README?id=9856751feaf7b102547cea678a5da6c94252d83d#n8

  Signed-off-by: Romain Naour <romain.naour@gmail.com>
  Cc: James Hilliard <james.hilliard1@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 8d05237b6018d5389e4381b38d874f447137f987)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/python-pycryptodomex: add host variant | Romain Naour | 2020-05-31 | 1 | -0/+1

  Adding a host variant will allow to replace host-python-pycrypto by host-python-pycryptodomex for the crda and optee-os packages.

  From [1]:

  "PyCryptodome is a fork of PyCrypto, which is not maintained any more (the last release dates back to 2013 [2]). It exposes almost the same API, but there are a few incompatibilities [3]."

  [1] https://github.com/OP-TEE/optee_os/commit/90ad2450436fdd9fc0d28a3f92f3fbcfd89a38f0
  [2] https://pypi.org/project/pycrypto/#history
  [3] https://pycryptodome.readthedocs.io/en/latest/src/vs_pycrypto.html

  Signed-off-by: Romain Naour <romain.naour@gmail.com>
  Cc: James Hilliard <james.hilliard1@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 3db1e5fbcbde9f78f9cac99614fefc243545094e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* DEVELOPERS: add Stephan Hoffmann for libhttpserver | Stephan Hoffmann | 2020-05-29 | 1 | -0/+1

  I added this package while working for Grandcentrix but am willing to maintain it further.

  Signed-off-by: Stephan Hoffmann <sho@relinux.de>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 6cff75415781deda1414fe22827400a7c334de6c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/mariadb: security bump to 10.3.23 | Ryan Coe | 2020-05-29 | 3 | -37/+8

  Add two spaces in hash file.

  Remove patch 0002 as it has been applied upstream.

  Release notes: https://mariadb.com/kb/en/library/mariadb-10323-release-notes/
  Changelog: https://mariadb.com/kb/en/library/mariadb-10323-changelog/

  Fixes the following security vulnerabilities:

  CVE-2020-2752 - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client.

  CVE-2020-2812 - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

  CVE-2020-2814 - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.6.47 and prior, 5.7.28 and prior and 8.0.18 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.

  CVE-2020-2760 - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.

  Signed-off-by: Ryan Coe <bluemrp9@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 285986ae5970d13090a27aba6b88743efd696158)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libexif: security bump to version 0.6.22 | Fabrice Fontaine | 2020-05-29 | 8 | -360/+6

  - Switch site to github
  - Drop patches (already in version)
  - Fix the following CVEs:
    - CVE-2020-13114: Time consumption DoS when parsing canon array markers
    - CVE-2020-13113: Potential use of uninitialized memory
    - CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
    - CVE-2020-0093: read overflow
    - CVE-2020-12767: fixed division by zero

  https://github.com/libexif/libexif/releases/tag/libexif-0_6_22-release

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit ca0547ffeaea77b1b59ddcf77a2f3713167f8a7e)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/bison: make installation relocatable | Thomas Petazzoni | 2020-05-29 | 2 | -0/+71

  Our current host-bison installation is not relocatable, so if you generate the SDK, and install it in a different location, bison will no longer work with failures such as:

      bison: /home/user/buildroot/output/host/share/bison/m4sugar/m4sugar.m4: cannot open: No such file or directory

  This particular issue is already resolved upstream by the addition of "relocatable" support, which we enable using --enable-relocatable.

  Once this issue is fixed, a second one pops up: the path to the m4 program itself is also hardcoded. So we add a patch to fix that as well. The patch has been submitted upstream, which has requested further refinements not applicable to the Buildroot context; in the meantime, we carry that patch.

  Fixes: https://bugs.busybox.net/show_bug.cgi?id=12656

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  [yann.morin.1998@free.fr: add reference to the upstream submission]
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
  (cherry picked from commit 78e78071128ccf2dba8cf76b00b1beb0c5f3e538)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>