Commit message | Author | Age | Files | Lines
* linux: bump default to version 4.15.15 | Fabio Estevam | 2018-04-06 | 1 | -1/+1
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 03cdfea134bb74e32795b3cbc9689e70a78d61a8)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* utils/genrandconfig: use --no-check-certificate in wget by default | Thomas Petazzoni | 2018-04-06 | 1 | -0/+3
  A number of autobuilder failures are due to the fact that autobuilder instances use old distributions, with old SSL certificates, and therefore wget aborts with an error "The certificate of `xyz.org' is not trusted.".

  In order to avoid such failures that are not very interesting in the context of the autobuilders, we pass --no-check-certificate to wget. The integrity of the downloaded files is anyway verified by the hashes, and this is only meant to be used in the context of testing/CI, not in production.

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit 0866a280e40a7a2c7d7d50cc7e87c3f4652aff0a)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* nodejs: security bump to version 8.11.1 | Peter Korsgaard | 2018-04-06 | 2 | -3/+6
  Fixes the following security issues:

  - Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value of localhost or localhost6.

  - Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.

  - Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.

  While we are at it, also add a hash for the license file.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 7f02604553bc3c8449d6a112818f038e99abbdaf)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* support/check-uniq-files: support weird locales and filenames | Yann E. MORIN | 2018-04-06 | 1 | -6/+13
  Currently, when a filename contains characters not representable in the user's locale, we fail hard, especially when the host python is python3.

  This is because python2 and python3 handle encoding/decoding strings differently, with python3 presumably doing the right thing, but it breaks on some systems, while python2 presumably does the wrong thing, but it works everywhere. (Just joking, obviously...) Part of the issue being that the csv reader in python2 is broken with UTF8.

  We fix the issue by ditching the csv reader, and simply read the file in binary mode, manually partitioning the lines on the first comma. Then, we use the binary-encoded (really, un-encoded) package names and filenames as values and keys, respectively.

  Finally, for each filename or package we need to print, we try to decode them with the defaults for the user settings, but catch any decoding exception and fall back to dumping the raw, binary values. Which codec is used by default differs between Python versions, but in all cases something sane is printed at least.

  Thanks a lot to Arnout for the live help doing this patch. :-)

  Reported-by: Jaap Crezee <jaap@jcz.nl>
  Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Cc: Arnout Vandecappelle <arnout@mind.be>
  Cc: Jaap Crezee <jaap@jcz.nl>
  [Arnout: commit log improvement]
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  (cherry picked from commit 5563a1c6a48716debe2983869ddb757318094dce)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/openocd: fix fallout after no-C++ fixups | Yann E. MORIN | 2018-04-06 | 1 | -1/+6
  Commit 4cd1ab158 (core: alternate solution to disable C++) made use of a non-existent 'no' binary when C++ is not available in the toolchain.

  However, some packages, like jimtcl as bundled in openocd, really want to find the binary that $CXX contains.

  Revert openocd to use 'false' instead of 'no'.

  Fixes: http://autobuild.buildroot.org/results/cbd/cbd5ab97fb0659968ff628461130627cf1745955/

  Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Cc: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 5966e2dc54dfb19c5fde3a09d72f3abc6125c202)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/jimtcl: fix fallout after no-C++ fixups | Yann E. MORIN | 2018-04-06 | 1 | -1/+5
  Commit 4cd1ab158 (core: alternate solution to disable C++) made use of a non-existent 'no' binary when C++ is not available in the toolchain.

  However, some packages, like jimtcl, really want to find the binary that $CXX contains.

  Revert jimtcl to use 'false' instead of 'no'.

  Fixes: http://autobuild.buildroot.org/results/54f/54f3df03551fbdf293d33dc1e3f08005faa15321/

  Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Cc: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 9feb6d982d7a5e3b61cc19ad9733dd3e737bf6a0)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* support/config-fragments/autobuild: fix SSP in br-nios2-glibc | Thomas Petazzoni | 2018-04-06 | 1 | -0/+1
  Commit c8680956819fae8776d7bd6d1f0e67a7b6436672 ("toolchain: fix detection of SSP support") fixed the SSP check so that it does the correct thing for nios2 toolchains. While this commit fixed the description of the Sourcery NIOSII toolchain, it didn't fix the description for the autobuilders of the br-nios2-glibc toolchain, causing some build failures.

  This commit adjusts br-nios2-glibc.config to indicate that the toolchain doesn't have SSP support.

  Fixes: http://autobuild.buildroot.net/results/6c44e328b7bffd8474d29d5bdf1ea109ec15f4ad/

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 0e4de0f2db5f7a252d4b8a4cac752fac9ca2deb3)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* zstd: fix legal info | Rahul Bedarkar | 2018-04-06 | 1 | -1/+1
  zstd is dual licensed under BSD-3-Clause or GPL-2.0 as per README.md and source files license header.

  Cc: Andrey Smirnov <andrew.smirnov@gmail.com>
  Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 9b2f6548f8d2cad52fd3a5f81febf4818ee66304)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* opus-tools: update license | Rahul Bedarkar | 2018-04-06 | 1 | -1/+1
  As per COPYING file, opusinfo is licensed under GPL version 2.

  Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* core: alternate solution to disable C++ | Yann E. MORIN | 2018-04-06 | 1 | -1/+9
  Some packages that use libtool really need some love to be able to disable C++ support.

  This is because libtool will want to call AC_PROG_CXXCPP as soon as CXX is set non-empty to something different from 'no'. Then, AC_PROG_CXXCPP will want a C++ preprocessor that works on valid input *and* fail on invalid input.

  So, providing 'false' as the C++ compiler will then require that we do have a working C++ preprocessor. Which is totally counter-productive since we do not have a C++ compiler to start with...

  bd39d11d2e (core/infra: fix build on toolchain without C++) was a previous attempt at fixing this, by using the host's C++ preprocessor. However, that is very incorrect (that's my code, I can say so!) because the set of defines will most probably be different for the host and the target, thus causing all sorts of trouble. For example, on ARM we'd have to include different headers for soft-float vs hard-float, which is decided based on a macro, which is not defined for x86, and thus may redirect to the wrong (and missing) header.

  Instead, we notice that libtool uses the magic value 'no' to decide that a C++ compiler is not available, in which case it skips the call to AC_PROG_CXXCPP.

  Given that 'no' is not provided by any package in Debian and derivatives, as well as in Fedora, we can assume that no system will have an executable called 'no'. Hence, we use that as a magic value to disable C++ detection altogether.

  Fixes: #10846 (again)

  Reported-by: Damien Riegel <damien.riegel@savoirfairelinux.com>
  Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Cc: Damien Riegel <damien.riegel@savoirfairelinux.com>
  Cc: Peter Seiderer <ps.report@gmx.net>
  Cc: Vivien Didelot <vivien.didelot@savoirfairelinux.com>
  Cc: Peter Korsgaard <peter@korsgaard.com>
  Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Tested-by: Peter Seiderer <ps.report@gmx.net>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 4cd1ab15886a408b897104709ff87f15cc88ba16)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libopenssl: security bump to version 1.0.2o | Peter Korsgaard | 2018-04-06 | 2 | -4/+4
  Fixes the following security issues:

  Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)

  Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe.

  Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)

  Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected.

  rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

  This issue has been reported in a previous OpenSSL security advisory and a fix was provided for OpenSSL 1.0.2. Due to the low severity no fix was released at that time for OpenSSL 1.1.0. The fix is now available in OpenSSL 1.1.0h.

  There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.

  This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).

  For more details, see https://www.openssl.org/news/secadv/20180327.txt

  The copyright year changed in LICENSE, so adjust the hash to match.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 6938c219d80e2267f8e25f3fc37f955ab723cc55)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* sngrep: fix libgcrypt handling | Peter Korsgaard | 2018-04-06 | 1 | -1/+2
  Fixes: http://autobuild.buildroot.net/results/f1c6494133806b9fc26ae3ce9e9c6a22fa2eda6f/

  Commit 6205b75873c (sngrep: gnutls support also needs libgcrypt) ensured that --with-gnutls is only used when both gnutls and libgcrypt are enabled, but it didn't ensure libgcrypt gets built before sngrep or told the configure script where to find libgcrypt-config, breaking the build.

  Fix both issues.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit ae7d59eaae1c55d707b2a70437a84c280f598572)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/php: security bump to version 7.2.4 | Bernd Kuhls | 2018-04-06 | 4 | -57/+2
  Fixes https://bugs.php.net/bug.php?id=75605, no CVE-ID yet.

  Removed patch 0008, applied upstream. Re-numbered patch 0009.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 19e983a9540aa948d64423e63167aba2aff9fe41)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{1, 4, 9, 14, 15}.x series | Fabio Estevam | 2018-04-06 | 1 | -5/+5
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 9ef8f6b061b552012b767b83c7b21e5e3fb9fff7)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux: bump default to version 4.15.14 | Fabio Estevam | 2018-04-06 | 1 | -1/+1
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 02c40b31813e07d4e48c7a9c7dbce259d2c95a58)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* xerces: add upstream security fix | Baruch Siach | 2018-04-06 | 1 | -0/+22
  CVE-2017-12627: dereference of a NULL pointer while processing the path to the DTD.

  xerces 3.2.1 includes this patch. But this version also added AC_RUN_IFELSE to its configure script, making cross compilation harder. Switching to cmake is also problematic since the minimum required cmake version is 3.2.0. The host dependencies check currently allows minimum cmake version 3.1.

  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 142c8cc8d525f687ce199cc0163d48892e8a81f7)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* Config.in: Document BR2_CCACHE_DIR override | Trent Piepho | 2018-04-06 | 1 | -0/+3
  This variable, like BR2_DL_DIR, is designed to be overridable from the environment. Unlike BR2_DL_DIR, it is not documented as such in the Config.in help text. Do so now.

  Signed-off-by: Trent Piepho <tpiepho@impinj.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit ad980ccc3639baa2e517c4d36e836b71ab9f5b8f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/systemd: add upstream build fix | Stefan Becker | 2018-04-06 | 1 | -0/+75
  Fixes: http://autobuild.buildroot.org/results/4c439ee000354f90b4e59ee4006530f77263db47/

  Signed-off-by: Stefan Becker <chemobejk@gmail.com>
  Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit ef3304dabc1aef5c1035359211b1c3ca5d07eb3b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* systemd: do not use host system-uid/gid ranges | Anssi Hannula | 2018-04-06 | 1 | -0/+2
  systemd meson.build uses values from host /etc/login.defs if system-uid-max and system-gid-max build options are not explicitly specified.

  Avoid that by setting system-uid-max and system-gid-max to 999 which is the systemd default if SYSTEM_UID_MAX and SYSTEM_GID_MAX are not set in /etc/login.defs.

  Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
  Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 183d2097ffef5d8d7e1ac07d3b613ecacdd8c876)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* busybox: disable PAM in the config if linux-pam is not selected | Arnout Vandecappelle (Essensium/Mind) | 2018-04-06 | 1 | -0/+4
  Currently there is only logic to enable PAM when linux-pam is selected. However, busybox will fail to build with PAM enabled if the linux-pam package has not been built before. So we should forcibly disable PAM in busybox in that case.

  Normally this is not an issue since our default busybox config doesn't have PAM enabled. However, if you enable linux-pam, then save the busybox config to a custom configuration file, then disable linux-pam again, and then do a "make clean; make", the build will fail.

  A more practical situation where this can occur is when the same custom busybox config is used in a Buildroot config with and without linux-pam.

  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  Reviewed-by: Matt Weber <matthew.weber@rockwellcollins.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 0876b023663377bc3a24c80399f447c1f2afe0c1)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libfcgi: Use SPDX license identifier | Alexander Dahl | 2018-04-06 | 1 | -1/+1
  The fcgi license is covered by SPDX, the identifier however is not obvious. For details, see https://spdx.org/licenses/OML.html

  [Peter: add spdx.org link]
  Signed-off-by: Alexander Dahl <post@lespocky.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit b13d9ab380704ba4faf1e0295885797cb3341336)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* toolchain: fix detection of SSP support | Carlos Santos | 2018-04-06 | 2 | -2/+1
  GCC issues a warning message if -fstack-protector is passed but SSP is not available, so in order to force the compilation to fail we must also pass -Werror.

  All external toolchains were verified. The only one whose configuration incorrectly selected BR2_TOOLCHAIN_HAS_SSP was CodeSourcery NIOSII.

  Fixes:
    http://autobuild.buildroot.net/results/ce8fe8ac9cf0db01ae15d476ea714ff176965cfb
    http://autobuild.buildroot.net/results/09ce8f05e28c0219f499ce55130e896cae0c8b45

  Signed-off-by: Carlos Santos <casantos@datacom.ind.br>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit c8680956819fae8776d7bd6d1f0e67a7b6436672)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* sam-ba: fix sam-ba symbolic link | Joshua Henderson | 2018-04-06 | 1 | -1/+7
  Following the removal of $(HOST_DIR)/usr, the symbolic link from $(HOST_DIR)/bin/sam-ba/ to $(HOST_DIR)/opt/sam-ba/sam-ba was broken, so we fix this.

  In addition, sam-ba being prebuilt, it comes in two separate binaries, one for x86 and the other for x86_64, so we take this into account as well.

  Signed-off-by: Joshua Henderson <joshua.henderson@microchip.com>
  [Thomas:
   - add spaces around = signs
   - rework commit log.]
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit b3b5608b47525799b0601d45939d3bae545fd124)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/libss7: propagate dependency from dahdi-tools | Yann E. MORIN | 2018-04-06 | 1 | -0/+1
  Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 76e6837cd670449740f21015a406d722e089a084)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* eudev: prevent udev init script nonexistent directory error | Joshua Henderson | 2018-04-06 | 1 | -1/+1
  The following error occurs in the udev init script because the kernel config may optionally not include uevent_helper.

    /etc/init.d/S10udev: line 47: can't create /proc/sys/kernel/hotplug: nonexistent directory

  Work around this by not trying to access the destination if it's not available.

  Signed-off-by: Joshua Henderson <joshua.henderson@microchip.com>
  Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit cbe725d755006e41a71180b5786fa9f52104f518)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9, 14, 15}.x series | Fabio Estevam | 2018-04-06 | 1 | -4/+4
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit d9534c816383ac45e75ae042b7c668406d9e8b1f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux: bump default to version 4.15.13 | Fabio Estevam | 2018-04-06 | 1 | -1/+1
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 988e4c827c0f3d33a018c7309e675b139980a4e5)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* qemu: add libssh2 optional dependency | Baruch Siach | 2018-04-06 | 1 | -0/+7
  Make sure that qemu uses libssh2 when libssh2 is enabled, for build consistency.

  Cc: Francois Perrad <francois.perrad@gadz.org>
  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Reviewed-by: Romain Naour <romain.naour@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit d769377a41e172e1963351c168c97a1212561133)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libssh2: fix pkg-config info for mbedtls backend | Baruch Siach | 2018-04-06 | 1 | -0/+31
  The libssh2.pc file did not contain the needed info for static link with libssh2. Add a patch fixing that.

  Fixes (qemu): http://autobuild.buildroot.net/results/634/6346b25be2844f9ef722e52040ac1b43d9c38899/

  Cc: Matt Weber <matthew.weber@rockwellcollins.com>
  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit ebbf8746243ee4fa6b51a5a6afa8b14459b4178f)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* qemu: fix build with glibc 2.27 | Baruch Siach | 2018-04-06 | 1 | -0/+58
  glibc version 2.27 added a wrapper for the memfd_create system call. The wrapper prototype collides with a static declaration of memfd_create. Add upstream patch to correctly detect the glibc provided memfd_create definition.

  Fixes:
    http://autobuild.buildroot.net/results/b82/b825c0cd397424b1fc7fa87c580e1757dc25c588/
    http://autobuild.buildroot.net/results/9aa/9aa3853d23c0dc72bf3632b4d66ae39f597f5250/
    http://autobuild.buildroot.net/results/b13/b13039ba602b9d500b939d259816a39ba24e1ba2/

  Cc: Francois Perrad <francois.perrad@gadz.org>
  Signed-off-by: Baruch Siach <baruch@tkos.co.il>
  Reviewed-by: Romain Naour <romain.naour@gmail.com>
  Tested-by: Romain Naour <romain.naour@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 1d10e9dc8c96f37cf79e54bc250df88559789c63)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* configs/imxsabre: Fix U-Boot parallel build issue | Fabio Estevam | 2018-04-06 | 1 | -0/+55
  Sometimes imximage throws the following error:

    MKIMAGE u-boot-dtb.imx
    Error: No BOOT_FROM tag in board/freescale/mx6sxsabresd/imximage.cfg.cfgtmp
    arch/arm/imx-common/Makefile:91: recipe for target 'u-boot-dtb.imx' failed

  Later on, when running mkimage for the u-boot.imx it will succeed in finding the IVT offset.

  Looks like some race condition happening during parallel build when processing mkimage for u-boot-dtb.imx and u-boot.imx.

  A proper fix still needs to be implemented, but as a workaround let's remove the error when the IVT offset is not found.

  It is useful to have such message, especially during bring-up phase, but the build error that it causes is severe, so better avoid the build error for now.

  The error checking can be re-implemented later when we have a proper fix.

  This workaround has already been applied in mainline U-Boot: http://git.denx.de/?p=u-boot.git;a=commit;h=b5b0e4e351e20a606de22db6a56ad6bc1e2aa8fd

  Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/59015347

  Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  (cherry picked from commit 0c4bccf9e882ffead426051cfe76764dd2ecaf83)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/apache: security bump to version 2.4.33 | Bernd Kuhls | 2018-04-06 | 2 | -3/+4
  Changelog: http://www.apache.org/dist/httpd/CHANGES_2.4.33

  Fixes CVE-2017-15710, CVE-2018-1283, CVE-2018-1303, CVE-2018-1301, CVE-2017-15715, CVE-2018-1312, CVE-2018-1302.

  Added license hash.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 65193bf3c93ec6922979907ce87fc82a73b25268)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/imagemagick: security bump version to 7.0.7-27 | Bernd Kuhls | 2018-04-06 | 2 | -2/+3
  Fixes CVE-2018-6405 (upstream Github PR 964) and many others: http://www.imagemagick.org/script/changelog.php

  Added license hash.

  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 31086ea1de511b57e8377d9fa6b0fe7350b1e753)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4, 9}.x series | Fabio Estevam | 2018-04-06 | 1 | -2/+2
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 21070fb9aec363aa435dc48145eff3aad55032cb)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 3.2.x and 4.{14, 15}.x series | Bernd Kuhls | 2018-04-06 | 1 | -3/+3
  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit b83a4d3d69d5daa871812bd4c4803acef789e318)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux: bump default to version 4.15.12 | Bernd Kuhls | 2018-04-06 | 1 | -1/+1
  Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit c2fe7b6bc88e89ae26d8ec37a5d190c9359de54b)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* powerpc-utils: Update URL to new upstream | Joel Stanley | 2018-04-06 | 1 | -1/+1
  powerpc-utils changed upstream git repositories again.

  Signed-off-by: Joel Stanley <joel@jms.id.au>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 1b383e4bf4151b9232b2e66f0d6ae822546576a5)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* tremor: security bump to fix CVE-2018-5146 | Peter Korsgaard | 2018-04-06 | 2 | -3/+6
  Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition.

  Upstream has migrated from subversion to git, so change to git and bump the version to include the fix for CVE-2018-5146.

  While we're at it, also add a hash file.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 80266c95052024381898cada4c51d44207fddd80)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* docs/manual: pass PARALLEL_JOBS to NINJA_OPTS | Jörg Krause | 2018-04-06 | 1 | -1/+1
  Ninja understands the `-j` option which defines how many jobs are run in parallel.

  Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
  Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit f7479b538a3e1548172ba256001ebd96f1e7076c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 3.2.x and 4.{1, 14, 15}.x series | Fabio Estevam | 2018-04-06 | 1 | -4/+4
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit cd0fd093523b558cdcf282c1d1497bc2a494f4e0)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux: bump default to version 4.15.11 | Fabio Estevam | 2018-04-06 | 1 | -1/+1
  Signed-off-by: Fabio Estevam <festevam@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit ce2875e1cfc7898aaf71cd9f49828fbf8c5134a1)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{4,9}.x series | Peter Korsgaard | 2018-04-06 | 1 | -2/+2
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 50cd46b39f4af495a4c9d15f0e5d3df272e33c7c)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* irssi: security bump to version 1.0.7 | Peter Korsgaard | 2018-04-06 | 2 | -2/+2
  Fixes the following security issues:

  Use after free when server is disconnected during netsplits. Incomplete fix of CVE-2017-7191. Found by Joseph Bisch. (CWE-416, CWE-825) - CVE-2018-7054 [2] was assigned to this issue.

  Use after free when SASL messages are received in unexpected order. Found by Joseph Bisch. (CWE-416, CWE-691) - CVE-2018-7053 [3] was assigned to this issue.

  Null pointer dereference when an “empty” nick has been observed by Irssi. Found by Joseph Bisch. (CWE-476, CWE-475) - CVE-2018-7050 [4] was assigned to this issue.

  When the number of windows exceeds the available space, Irssi would crash due to Null pointer dereference. Found by Joseph Bisch. (CWE-690) - CVE-2018-7052 [5] was assigned to this issue.

  Certain nick names could result in out of bounds access when printing theme strings. Found by Oss-Fuzz. (CWE-126) - CVE-2018-7051 [6] was assigned to this issue.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 181ef8a1d01ddfa2be0b59ea85eb8902b0ce12c0)
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* core/instrumentation: shave minutes off the build time (Author: Yann E. MORIN; Age: 2018-04-06; Files: 1; Lines: -37/+10)

As part of the build, we run some instrumentation hooks to gather statistics about the usage of the target/, staging/ and host/ directories, so that we can generate reports for the user, that show:
- for each file, what package installed it,
- for each package, the size that it installed.

In so doing, we run a double md5 pass on all files of the affected directories (before/after installation). These passes were mostly invisible when we were only scanning target/, but have greatly increased in time now that we also scan staging/ and host/ (but only in the corresponding _CMDS, of course).

This md5 was mostly aimed at catching packages that would "cheat" with mtime/atime/ctime somehow. They can't really cheat on md5, though [0].

Timings however speak for themselves, with this defconfig (slightly biggish-but-still-manageable build) [1].

    host/       20965 files   1.2GiB
    staging/     4715 files   333MiB
    target/      1801 files   44MiB

    All instrumentation steps, using md5:    19min 27s
    All instrumentation steps, using mtime:  14min 45s
    No instrumentation step at all:          14min 31s

So, using mtime is an almost-5min improvement, i.e. about 25% faster, while removing all instrumentation steps does not gain that much more...

So, we switch to using mtime, because in the end that's still good-enough for our use-case: generating some graphs. It is not mission-critical, and if a graph is slightly off, that's not a biggy. It can anyway be attributed to a broken package's buildsystem, which should get fixed.

However, we lose the ability to track directories. Non-empty directories can be tracked back by a bit of scripting, but empty directories are simply not caught.

If we were to also look for directories using mtime, we would catch parents of installed files:
- /foo/bar/ exists
- a package installs /foo/bar/buz
- mtime of /foo/bar/ is changed to account for the new file in it.

So we do not track directories at all, and we lose empty directories. The existing tracking was mostly happenstance, with the original submission and comments not really accounting for a real use-case.

Now, we also change the way we handle symlinks. Previously, we would hash the file pointed to by the symlink. Now, we only look at the mtime of the symlink itself, which still detects modifications.

Eventually, this also means that we now no longer need to establish a list before the install step; we can now simply run after the install step, finding any files newer than the build stamp.

[0] Yeah, md5 is very weak, but we're not guarding against malicious attacks, just about careless modifications.

[1] defconfig used for tests:
    BR2_arm=y
    BR2_cortex_a7=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_INIT_SYSTEMD=y
    BR2_PACKAGE_MESA3D=y
    BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_ETNAVIV=y
    BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
    BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_VC4=y
    BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_VIRGL=y
    BR2_PACKAGE_MESA3D_DRI_DRIVER_SWRAST=y
    BR2_PACKAGE_MESA3D_OSMESA=y
    BR2_PACKAGE_MESA3D_OPENGL_ES=y
    BR2_PACKAGE_SYSTEMD_JOURNAL_GATEWAY=y
    BR2_PACKAGE_SYSTEMD_BACKLIGHT=y
    BR2_PACKAGE_SYSTEMD_BINFMT=y
    BR2_PACKAGE_SYSTEMD_COREDUMP=y
    BR2_PACKAGE_SYSTEMD_FIRSTBOOT=y
    BR2_PACKAGE_SYSTEMD_HIBERNATE=y
    BR2_PACKAGE_SYSTEMD_IMPORTD=y
    BR2_PACKAGE_SYSTEMD_LOCALED=y
    BR2_PACKAGE_SYSTEMD_LOGIND=y
    BR2_PACKAGE_SYSTEMD_MACHINED=y
    BR2_PACKAGE_SYSTEMD_POLKIT=y
    BR2_PACKAGE_SYSTEMD_QUOTACHECK=y
    BR2_PACKAGE_SYSTEMD_RANDOMSEED=y
    BR2_PACKAGE_SYSTEMD_RFKILL=y
    BR2_PACKAGE_SYSTEMD_SMACK_SUPPORT=y
    BR2_PACKAGE_SYSTEMD_SYSUSERS=y
    BR2_PACKAGE_SYSTEMD_VCONSOLE=y

[Peter: tweak commit message, use find -type l]
Reported-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Trent Piepho <tpiepho@impinj.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7fb6e782542fc440c2da226ec4525236d0508b77)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libvorbis: security bump to version 1.3.6 (Author: Peter Korsgaard; Age: 2018-04-06; Files: 4; Lines: -94/+4)

Fixes CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.

Drop 0001-CVE-2017-14633-Don-t-allow-for-more-than-256-channel.patch and 0002-CVE-2017-14632-vorbis_analysis_header_out-Don-t-clea.patch as they are now upstream, and add a hash for the license file while we're at it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit eca03d677448000f9c5387e8359c116508e03f79)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* package/enlightenment: fix meson warning (Author: Romain Naour; Age: 2018-04-06; Files: 1; Lines: -4/+3)

--disable-rpath was added by m4/lib-link.m4 with autotools based buildsystem. Now we use meson, we don't have such option anymore.

The autotools eet-eet and eldbus_codegen options are named respectively eet and eldbus-codegen with meson.

Fixes:
WARNING: Unknown command line options: "eet-eet, eldbus_codegen, rpath"

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b582d137a121a456635d29735a27a0144a18b75e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux-headers: bump 4.{14, 15}.x series (Author: Fabio Estevam; Age: 2018-04-06; Files: 1; Lines: -2/+2)

Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 81c28e83ce2364512ef8741dc3a8dd39fe0f3fa9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* linux: bump default to version 4.15.10 (Author: Fabio Estevam; Age: 2018-04-06; Files: 1; Lines: -1/+1)

Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2f55ca3a952c33267b6b13340b30da0ae4555eaa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* intel-microcode: bump to version 20180312 (Author: Peter Korsgaard; Age: 2018-04-06; Files: 2; Lines: -3/+3)

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b67b65b3bab01f8dc3b06a3af69bdc8537b55ed8)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
* libcurl: security bump to version 7.59.0 (Author: Baruch Siach; Age: 2018-04-06; Files: 2; Lines: -3/+3)

CVE-2018-1000120: curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of the URL contains a "%00" sequence.

https://curl.haxx.se/docs/adv_2018-9cd6.html

CVE-2018-1000121: curl might dereference a near-NULL address when getting an LDAP URL.

https://curl.haxx.se/docs/adv_2018-97a2.html

CVE-2018-1000122: When asked to transfer an RTSP URL, curl could calculate a wrong data length to copy from the read buffer.

https://curl.haxx.se/docs/adv_2018-b047.html

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bf3476e5b1527ac91c0a12949be7da5253ea66c1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>