- May 29, 2020
-
-
Fabrice Fontaine authored
- Switch site to an active fork - Send patch upstream - Update indentation in hash file (two spaces) - Fix the following CVEs: - CVE-2018-14054: A double free exists in the MP4StringProperty class in mp4property.cpp in MP4v2 2.0.0. A dangling pointer is freed again in the destructor once an exception is triggered. Fixed by https://github.com/TechSmith/mp4v2/commit/f09cceeee5bd7f783fd31f10e8b3c440ccf4c743 - CVE-2018-14325: In MP4v2 2.0.0, there is an integer underflow (with resultant memory corruption) when parsing MP4Atom in mp4atom.cpp. Fixed by https://github.com/TechSmith/mp4v2/commit/e475013c6ef78093055a02b0d035eda0f9f01451 - CVE-2018-14326: In MP4v2 2.0.0, there is an integer overflow (with resultant memory corruption) when resizing MP4Array for the ftyp atom in mp4array.h. Fixed by https://github.com/TechSmith/mp4v2/commit/70d823ccd8e2d7d0ed9e62fb7e8983d21e6acbeb - CVE-2018-14379: MP4Atom::factory in mp4atom.cpp in MP4v2 2.0.0 incorrectly uses the MP4ItemAtom data type in a certain case where MP4DataAtom is required, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted MP4 file, because access to the data structure has different expectations about layout as a result of this type confusion. Fixed by https://github.com/TechSmith/mp4v2/commit/73f38b4296aeb38617fa3923018bb78671c3b833 - CVE-2018-14403: MP4NameFirstMatches in mp4util.cpp in MP4v2 2.0.0 mishandles substrings of atom names, leading to use of an inappropriate data type for associated atoms. The resulting type confusion can cause out-of-bounds memory access. Fixed by https://github.com/TechSmith/mp4v2/commit/51cb6b36f6c8edf9f195d5858eac9ba18b334a16 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Fix the following CVEs: - CVE-2019-17533: Mat_VarReadNextInfo4 in mat4.c in MATIO 1.5.17 omits a certain '\0' character, leading to a heap-based buffer over-read in strdup_vprintf when uninitialized memory is accessed. - CVE-2019-20017: A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 in mat5.c in matio 1.5.17. - CVE-2019-20018: A stack-based buffer over-read was discovered in ReadNextCell in mat5.c in matio 1.5.17. - CVE-2019-20020: A stack-based buffer over-read was discovered in ReadNextStructField in mat5.c in matio 1.5.17. - CVE-2019-20052: A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 because SafeMulDims does not consider the rank==0 case. Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- May 28, 2020
-
-
Thomas Petazzoni authored
This commit backports an upstream patch made for gnupg2 into gnupg, in order to fix build failures with gcc 10 due to the use of -fno-common. Due to the code differences between upstream gnupg2 and the old gnupg 1.x, the backport is in fact more a rewrite than an actual backport. Fixes: http://autobuild.buildroot.net/results/496a18833505dc589f7ae58f2c7e5fe80fe9af79/ Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Romain Naour authored
Installing qt5declarative examples on fast/fast/multicore machines sometimes fails with a variation of the following error messages: - Cannot touch [...]/chapter5-listproperties/app.qml: No such file or directory - Error copying [...]/chapter2-methods/app.qml: Destination file exists Fix it by using OTHER_FILES instead of a separate qml files install target to fix the race between install_target, install_qml and install_sources. Fixes: - https://gitlab.com/buildroot.org/buildroot/-/jobs/565470221 Signed-off-by:
Romain Naour <romain.naour@gmail.com> [Reworked patch and commit log] Signed-off-by:
Peter Seiderer <ps.report@gmx.net> Reviewed-by:
Romain Naour <romain.naour@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
- May 27, 2020
-
-
Heiko Thiery authored
Added upstream patch for fixing build failure when using GCC10 as a host compiler (-fno-common is now default). Fixes: http://autobuild.buildroot.net/results/47f/47fcf9bceba029accdcf159236addea3cb03f12f/ Cc: Romain Naour <romain.naour@gmail.com> Signed-off-by:
Heiko Thiery <heiko.thiery@gmail.com> Reviewed-by:
Romain Naour <romain.naour@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Heiko Thiery authored
Added upstream patch for fixing build failure when using GCC10 as a host compiler (-fno-common is now default). Cc: Romain Naour <romain.naour@gmail.com> Signed-off-by:
Heiko Thiery <heiko.thiery@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Yegor Yefremov authored
In version 5.6 a minor change was made to this file, stating that "[a]ll contributions to the Linux Kernel are subject to this COPYING file", and hence the hash changed. We can update the hash, because the licensing information is only accounted for the "latest" version, so the hash change will not impact older kernel versions as the user would have to switch to a non-latest kernel. Signed-off-by:
Yegor Yefremov <yegorslists@googlemail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
- May 26, 2020
-
-
Fabrice Fontaine authored
This patch was wrongly removed when bumping the version to 1.4.0 in commit 6976f312 Fixes: - http://autobuild.buildroot.org/results/7a53a59dd08c043f371bea967c3b450a7bddcde8 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Fabio Estevam authored
The default image size is 32MiB, which is quite low by today's standards. Besides, the AArch64 kernels are relatively big, which leaves not much room, if at all, for users to experiment on the default image. Increase the vfat size to a more reasonable 64MiB. Note that users who derive an in-tree defconfig for their own case will always hit any arbitrary size we put here, so they will anyway have to also derive this template for their own use-cases. Signed-off-by:
Fabio Estevam <festevam@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Romain Naour authored
As reported by Nicolas Carrier on the Buildroot mailing list [1], there is a new build issue while building a program which interacts with the u-boot environment. This program uses the headers of the ubootenv library provided by uboot-tools. This is an upstream change from uboot [2] adding "#include <env.h>" to fw_env.h. Adding env.h requires a board configuration to build. But only fw_env.h header is installed in the staging directory by uboot-tools package, but since it now includes env.h the build is broken because env.h is missing from the staging directory. It seems an upstream bug since env_set() is not used in fw_env tool. Nicolas removed env.h from fw_env tool and fixed its build issue. This problem is present since uboot v2019.10, so the uboot version present in Buildroot 2020.02 is affected. It's probably not a problem for upstream uboot but it's a problem for uboot-tools package that builds uboot tools without a board configuration for the target. [1] http://lists.busybox.net/pipermail/buildroot/2020-April/280307.html [2] https://gitlab.denx.de/u-boot/u-boot/-/commit/9fb625ce05539fe6876a59ce1dcadb76b33c6f6e Reported-by:
Nicolas Carrier <nicolas.carrier@orolia.com> Signed-off-by:
Romain Naour <romain.naour@gmail.com> [yann.morin.1998@free.fr: add URL to upstream commit] Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Heiko Thiery authored
Added upstream patch for fixing build failure when using GCC10 as a host compiler (-fno-common is now default). Fixes: http://autobuild.buildroot.net/results/c4b/c4bba80e9fc476247c7ba28850831c6a8edd559f/build-end.log Cc: Romain Naour <romain.naour@gmail.com> Signed-off-by:
Heiko Thiery <heiko.thiery@gmail.com> Reviewed-by:
Romain Naour <romain.naour@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Thomas Petazzoni authored
Pull a patch pending in an upstream pull request to fix the detection of the snappy library when we are in static linking configurations. Fixes: https://bugs.busybox.net/show_bug.cgi?id=12671 Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Thomas Petazzoni authored
snappy is not a mandatory dependency to build leveldb. Back when it was introduced in Buildroot, as of version 1.18, the build logic already made snappy an optional dependency. Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
James Hilliard authored
Libdrm freedreno depends on BR2_arm || BR2_aarch64 || BR2_aarch64_be as such we need to propagate those dependencies to mesa's gallium freedreno driver. Signed-off-by:
James Hilliard <james.hilliard1@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
James Hilliard authored
According to https://prosody.im/doc/depends#bitop the correct bitop package to use with prosody for Lua 5.1 is: https://luarocks.org/modules/siffiejoe/bit32 As such replace BR2_PACKAGE_LUABITOP with BR2_PACKAGE_LUA_BIT32 Signed-off-by:
James Hilliard <james.hilliard1@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Thomas Petazzoni authored
So far in 2020, Logilin and Tap2Open made some financial donations to the Buildroot Association, so let's thank them on our sponsors page. Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Fabrice Fontaine authored
Hash was not updated by commit 18079e20 Fixes: - http://autobuild.buildroot.org/results/0f7179ed4706f05551af330d7f12b3efaeffd278 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- May 25, 2020
-
-
Heiko Thiery authored
With commit 89f5e989 support for reproducible archives was added. Thus archives generated from svn no longer need to be added to BR_NO_CHECK_HASH_FOR. Cc: Yann E. MORIN <yann.morin.1998@free.fr> Signed-off-by:
Heiko Thiery <heiko.thiery@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Fabrice Fontaine authored
This bump contains only one commit that fixes a build failure with asm: https://github.com/ckolivas/lrzip/commit/844b8c057c8c7372ca41ad2efdbf849f45c24506 Fixes: - http://autobuild.buildroot.org/results/800d8a97966ef75dbf20e85ec8a02766ba02cc76 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Romain Naour authored
We have a qemu fork for csky cpus [1] but since qemu version bump to 4.2.0 [2] and libssh2/libssh change the csky build is broken. The csky fork is based on Qemu 3.0.0 but unlike autotools packages any unknown option is handled as error. Since we don't want to support all options from previous qemu release and the github repository has been removed [3] and the only remaining archive is located on http://sources.buildroot.net, remove the qemu csky fork as suggested by [4]. [1] https://git.buildroot.net/buildroot/commit/?id=f816e5b276f1ef15840bec6667f1e8219717ab7d [2] https://git.buildroot.net/buildroot/commit/?id=0ea17054ce7dfc54efca5634133cef786445e7b1 [3] https://github.com/c-sky/qemu [4] http://lists.busybox.net/pipermail/buildroot/2020-May/281885.html Signed-off-by:
Romain Naour <romain.naour@gmail.com> Cc: Guo Ren <ren_guo@c-sky.com> Cc: Peter Korsgaard <peter@korsgaard.com> [Peter: move patches out of 4.2.0 subdir] Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
The author has completely ripped off the git tree, so the sources are no longer available, with that message: "Please look for alternatives for wiringPi" And indeed there is a better alternative, using the kernel GPIO subsystem and drivers. Note that squeezelite loses that functionality now, but upstream squeezelite has done changes to do without wiringpi (hint for an upgrade?). Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr> Cc: Peter Seiderer <ps.report@gmx.net> Cc: Hiroshi Kawashima <kei-k@ca2.so-net.ne.jp> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
The original git server on git.xiph.org died, and the Xiph project has now moved on to host their repositories on gitlab.com instead. Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
The git repositories are not served on the kernel.org CDN: fatal: repository 'https://cdn.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git/ ' not found Switch to explicitly use the git.kernel.org server. Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr> Cc: Matt Weber <matthew.weber@rockwellcollins.com> Cc: Cyril Bur <cyrilbur@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Bernd Kuhls authored
Removed patch included in upstream release, reformatted hashes. Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Fix CVE-2020-13164: In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and 2.6.0 to 2.6.16, the NFS dissector could crash. This was addressed in epan/dissectors/packet-nfs.c by preventing excessive recursion, such as for a cycle in the directory graph on a filesystem. Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
Fixes: - http://autobuild.buildroot.org/results/6dc82572ae1369aa5c9954b6e61777766c5aa3b4 Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Joachim Nilsson authored
Describe release engineering and development phases of the project. Signed-off-by:
Joachim Nilsson <troglobit@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Yann E. MORIN authored
During the migration from alioth to gitlab, the git repository for ltrace was not migrated. There is a repository on gitlab.com, owned by the debian maintainer, but that repository does not contain the sha1 we know of: https://gitlab.com/cespedes/ltrace s.b.o. is the only known location so far to host the archive, so switch to it. Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com> Cc: Peter Korsgaard <peter@korsgaard.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Fixes the following security issues: - (9.11.18) DNS rebinding protection was ineffective when BIND 9 is configured as a forwarding DNS server. Found and responsibly reported by Tobias Klein. [GL #1574] - (9.11.19) To prevent exhaustion of server resources by a maliciously configured domain, the number of recursive queries that can be triggered by a request before aborting recursion has been further limited. Root and top-level domain servers are no longer exempt from the max-recursion-queries limit. Fetches for missing name server address records are limited to 4 for any domain. This issue was disclosed in CVE-2020-8616. [GL #1388] - (9.11.19) Replaying a TSIG BADTIME response as a request could trigger an assertion failure. This was disclosed in CVE-2020-8617. [GL #1703] Also update the COPYRIGHT hash for a change of copyright year and adjust the spacing for the new agreements. Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- May 22, 2020
-
-
Jérémy Rosen authored
When selecting "console" for the automatic getty, the buildroot logic would collide with systemd's internal console detection logic, resulting in two getty being started on the console. This commit fixes that by doing nothing when "console" is selected and letting systemd-getty-generator deal with starting the proper getty. Note that if something other than the console is selected * Things will work properly, even if the selected terminal is also the console * A getty will still be started on the console. This is what systemd has been doing on buildroot since the beginning. It could be disabled but I left it for backward compatibility. Fixes: #12361 Signed-off-by:
Jérémy Rosen <jeremy.rosen@smile.fr> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Fabrice Fontaine authored
- Fix CVE-2020-10957: In Dovecot before 2.3.10.1, unauthenticated sending of malformed parameters to a NOOP command causes a NULL Pointer Dereference and crash in submission-login, submission, or lmtp. - Fix CVE-2020-10958: In Dovecot before 2.3.10.1, a crafted SMTP/LMTP message triggers an unauthenticated use-after-free bug in submission-login, submission, or lmtp, and can lead to a crash under circumstances involving many newlines after a command. - Fix CVE-2020-10967: In Dovecot before 2.3.10.1, remote unauthenticated attackers can crash the lmtp or submission process by sending mail with an empty localpart. - Drop first patch (already in version) and so autoreconf - Update indentation in hash file (two spaces) Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
First patch is not needed since version 2.3.0 and https://github.com/dovecot/core/commit/08259c1f206026ca9b9f4b4e97603943c6093def Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Stefan Ott authored
Fixes the following security vulnerabilities: CVE-2020-12662: Unbound can be tricked into amplifying an incoming query into a large number of queries directed to a target. CVE-2020-12663: Malformed answers from upstream name servers can be used to make Unbound unresponsive. Signed-off-by:
Stefan Ott <stefan@ott.net> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Peter Korsgaard authored
Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Fabrice Fontaine authored
From ChangeLog: - CVE: GHSL-2020-100 OOB Read in ntlm_read_ChallengeMessage - CVE: GHSL-2020-101 OOB Read in security_fips_decrypt due to uninitialized value - CVE: GHSL-2020-102 OOB Write in crypto_rsa_common - Enforce synchronous legacy RDP encryption count (#6156) - Fixed some leaks and crashes missed in 2.1.0 - Removed dynamic channel listener limits - Lots of resource cleanup fixes (clang sanitizers) https://github.com/FreeRDP/FreeRDP/blob/2.1.1/ChangeLog Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
- May 21, 2020
-
-
Fabrice Fontaine authored
Commit 7ef76ed3 forgot to remove python-pycrypto entry from DEVELOPERS Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Yann E. MORIN <yann.morin.1998@free.fr>
-
Fabrice Fontaine authored
Fixes: - http://autobuild.buildroot.org/results/874433d8cb30d21332f23024081a8b6d7b3254ae Signed-off-by:
Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Heiko Thiery authored
Added upstream patch for fixing build failure when using GCC10 as a host compiler (-fno-common is now default). Fixes: http://autobuild.buildroot.net/results/aca662d9fd7052f3b361b731cd266edb3b6c41b0 http://autobuild.buildroot.net/results/6546b284cf306a2fde3c69d67daf9aacffa9e143 http://autobuild.buildroot.net/results/db20bb3c11a1a9558a5d8021015c6915f99097c8 Cc: Romain Naour <romain.naour@gmail.com> Signed-off-by:
Heiko Thiery <heiko.thiery@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-
Romain Naour authored
This package doesn't work with Python 3.8 since the code contains time.clock() that was deprecated in Python 3.3 and removed in Python 3.8. Instead of applying non upstream patches from Fedora [1], python-pycrypto was replaced by python-pycryptodomex for crda and optee-os package. Now we can remove safely this package. [1] http://lists.busybox.net/pipermail/buildroot/2020-April/280683.html Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/498144209 Signed-off-by:
Romain Naour <romain.naour@gmail.com> Cc: James Hilliard <james.hilliard1@gmail.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
-