- Sep 01, 2019
-
-
Thomas Petazzoni authored
This defconfig tries to build an ARM Trusted Firmware version that needs an ARM32 toolchain, which is not available as the platform is an ARM64 one. The correct solution for this is to have a package in Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in time for the 2019.08 release. In order to not release 2019.08 with a broken defconfig, let's remove it. It can be re-added later once the ARM32 bare-metal toolchain problem has been resolved. Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/278489410 Cc: Shyam Saini <shyam.saini@amarulasolutions.com> Signed-off-by:
Thomas Petazzoni <thomas.petazzoni@bootlin.com> Signed-off-by:
Peter Korsgaard <peter@korsgaard.com>
-
Thomas Petazzoni authored
This defconfig tries to build an ARM Trusted Firmware version that needs an ARM32 toolchain, which is not available as the platform is an ARM64 one. The correct solution for this is to have a package in Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in time for the 2019.08 release. In order to not release 2019.08 with a broken defconfig, let's remove it. It can be re-added later once the ARM32 bare-metal toolchain problem has been resolved. Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/278489367 Cc: Shyam Saini <shyam.saini@amarulasolutions.com> Signed-off-by:
-
Thomas Petazzoni authored
This defconfig tries to build an ARM Trusted Firmware version that needs an ARM32 toolchain, which is not available as the platform is an ARM64 one. The correct solution for this is to have a package in Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in time for the 2019.08 release. In order to not release 2019.08 with a broken defconfig, let's remove it. It can be re-added later once the ARM32 bare-metal toolchain problem has been resolved. Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/278489328 Cc: Shyam Saini <shyam.saini@amarulasolutions.com> Signed-off-by:
-
Thomas Petazzoni authored
This defconfig tries to build an ARM Trusted Firmware version that needs an ARM32 toolchain, which is not available as the platform is an ARM64 one. The correct solution for this is to have a package in Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in time for the 2019.08 release. In order to not release 2019.08 with a broken defconfig, let's remove it. It can be re-added later once the ARM32 bare-metal toolchain problem has been resolved. Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/278489329 Cc: Shyam Saini <shyam.saini@amarulasolutions.com> Signed-off-by:
-
Thomas Petazzoni authored
This defconfig tries to build an ARM Trusted Firmware version that needs an ARM32 toolchain, which is not available as the platform is an ARM64 one. The correct solution for this is to have a package in Buildroot for an ARM32 bare-metal toolchain, but this wasn't done in time for the 2019.08 release. In order to not release 2019.08 with a broken defconfig, let's remove it. It can be re-added later once the ARM32 bare-metal toolchain problem has been resolved. Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/278489325 Cc: Shyam Saini <shyam.saini@amarulasolutions.com> Signed-off-by:
-
Thomas Petazzoni authored
Since the ts4800_defconfig has been removed, the ts4800-mrboot package is no longer useful, therefore we drop it. Cc: Patrick Keroulas <patrick.keroulas@savoirfairelinux.com> Signed-off-by:
-
Thomas Petazzoni authored
This defconfig has been failing to build since we switched the default gcc version to gcc 8.x, as the Linux kernel version is too old and doesn't contain the necessary fixes to build with gcc >= 8.x. Despite several pings to the original submitter of the defconfig (which is not listed in MAINTAINERS), no fix has been sent, so it is time to drop this defconfig before the 2019.08 release. Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/278489442 Cc: Patrick Keroulas <patrick.keroulas@savoirfairelinux.com> Signed-off-by:
-
Alexandre PAYEN authored
Since commit 1aa59097[1] is merged, a new build failure occurs when selecting packages which needs python-numpy as dependency. This fix a build issue[2] by adding the correct reverse dependencies to the following packages : - gnuradio (for python support) - opencv3 (for python support) - piglit - python-matplotlib So : - adding to every listed packages `depends on !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)` and add a comment to explain what happend. [1] https://git.buildroot.net/buildroot/commit/?id=1aa59097e61d524bb55ab1fcd4fbe5098b3e0bed [2] http://autobuild.buildroot.org/results/b76/b76b6cf9602bcf5df69a7276762eab54cf74007b Signed-off-by:
Alexandre PAYEN <alexandre.payen@smile.fr> Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com> Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be> Cc: Damien DUVAL <damien.duval@smile.fr> Cc: Romain Naour <romain.naour@smile.fr> Reviewed-by:
Romain Naour <romain.naour@smile.fr> Signed-off-by:
-
- Aug 30, 2019
-
-
Bernd Kuhls authored
Release notes: https://www.php.net/archive/2019.php#2019-08-29-1 Changelog: https://www.php.net/ChangeLog-7.php#7.3.9 Fixes CVE-2019-13224 & CVE-2019-13225: https://bugs.mageia.org/show_bug.cgi?id=25380 Signed-off-by:
Bernd Kuhls <bernd.kuhls@t-online.de> Signed-off-by:
-
Bernd Kuhls authored
Signed-off-by:
-
Adrian Perez de Castro authored
This is a minor release which includes fixes for CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669, CVE-2019-8673, CVE-2019-8676, CVE-2019-8678, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, and CVE-2019-8690. This release also contains many build fixes, a few media playback improvements, and a Web compatibility fix. For a complete list, the full release notes are available at: https://wpewebkit.org/release/wpewebkit-2.24.3.html The detailed security advisory can be found at: https://wpewebkit.org/security/WSA-2019-0004.html Patch "0001-Build-failure-after-r243644-in-GTK-Li.patch" is now unneeded because it is one of the build fixes included in this release. Signed-off-by:
Adrian Perez de Castro <aperez@igalia.com> Signed-off-by:
-
Adrian Perez de Castro authored
This is a minor release which includes fixes for CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8676, CVE-2019-8678, CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and CVE-2019-8688. This release also contains many build fixes, a few media playback improvements, and a Web compatibility fix. For a complete list, the full release notes at: https://webkitgtk.org/2019/08/28/webkitgtk2.24.4-released.html The detailed security advisory can be found at: https://webkitgtk.org/security/WSA-2019-0004.html Signed-off-by:
-
- Aug 29, 2019
-
-
Peter Korsgaard authored
The old 3.10.x based vendor kernel does not build correctly with gcc 8.x. While there is basic s500 support in the mainline kernel, there is not yet a mmc driver so it isn't quite a replacement yet. Stick to the vender kernel for now and revert back to gcc 7.x, hopefully mainline support will be more complete once gcc 7.x gets dropped. Signed-off-by:
-
- Aug 28, 2019
-
-
Bernd Kuhls authored
Added all hashes provided by upstream and license hash. Signed-off-by:
-
Bernd Kuhls authored
Upstream does not provide a sha512 hash anymore. Signed-off-by:
-
Peter Korsgaard authored
Signed-off-by: -
Bernd Kuhls authored
Release notes: https://dovecot.org/pipermail/dovecot/2019-August/116876.html Fixes * CVE-2019-11500: ManageSieve protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Found by Nick Roessler and Rafi Rubin. Signed-off-by:
-
Bernd Kuhls authored
Release notes: https://dovecot.org/pipermail/dovecot/2019-August/116874.html Fixes * CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte when scanning data in quoted strings, leading to out of bounds heap memory writes. Found by Nick Roessler and Rafi Rubin. Signed-off-by:
-
Peter Korsgaard authored
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. Signed-off-by: -
Peter Korsgaard authored
Fixes the following security issues: CVE-2018-16872: A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS. Signed-off-by:
-
- Aug 27, 2019
-
-
Sørensen, Stefan authored
Security fixes: CVE-2019-13057: Fixed slapd to restrict rootDN proxyauthz to its own databases CVE-2019-13565: Fixed slapd to initialize SASL SSF per connection Full changelog: https://www.openldap.org/lists/openldap-announce/201907/msg00001.html Signed-off-by:
Stefan Sørensen <stefan.sorensen@spectralink.com> [Peter: fix sha256 hash line] Signed-off-by:
-
Bernd Kuhls authored
Release notes: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/master/releasenote Signed-off-by:
Carlos Santos <unixmania@gmail.com> Signed-off-by:
-
Peter Korsgaard authored
>From the release notes: - Fix an out-of-bounds read of maximal two bytes for truncated RVA2 frames (oss-fuzz-bug 15975). The earlier fix around the same location needed one thought more. Actually, another though was needed, oss-fuzz-bug 16009 documents the incomplete fix. - Fix an invalid write of one zero byte for empty ID3v2 frames that demand de-unsyncing (oss-fuzz-bug 16050). - Fix dynamic build with gcc -fsanitize=address (check for all dl functions before deciding that separate -ldl is not needed). Signed-off-by:
-
- Aug 25, 2019
-
-
Bernd Kuhls authored
Release notes: https://www.videolan.org/developers/vlc-branch/NEWS Fixes the following security bugs: * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970) * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962) * Fix a read buffer overflow in the FAAD decoder * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438) * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776) * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778) * Fix a use after free in the ASF demuxer (CVE-2019-14533) * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602) * Fix a null dereference in the dvdnav demuxer * Fix a null dereference in the ASF demuxer (CVE-2019-14534) * Fix a null dereference in the AVI demuxer * Fix a division by zero in the CAF demuxer (CVE-2019-14498) * Fix a division by zero in the ASF demuxer (CVE-2019-14535) Signed-off-by:
-
Bernd Kuhls authored
Needed for security bump of vlc to 3.0.8: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=48f014768dc22ecad23d0e9f53c38805a3aff832 Signed-off-by:
-
Baruch Siach authored
strace does not support riscv32 yet. https://lists.strace.io/pipermail/strace-devel/2019-August/009068.html Fixes: http://autobuild.buildroot.net/results/912776cc1da1719806058516a2cc2a47c8dbad9b/ Cc: Mark Corbin <mark.corbin@embecosm.com> Signed-off-by:
Baruch Siach <baruch@tkos.co.il> Signed-off-by:
-
Bernd Kuhls authored
Release notes of this bugfix release: https://www.samba.org/samba/history/samba-4.10.7.html Removed 0005-disable_gnutls_build_fix.patch, applied upstream: https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=8128ceceb8702e596183dd509dd6f952a2f4efc2 Renumbered remaining patches. Signed-off-by:
-
Bernd Kuhls authored
Fixes CVE-2019-12900 and adds an additional fix for CVE-2019-12625. Release notes: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html Signed-off-by:
-
Peter Korsgaard authored
Fixes the following security issues: Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). For details, see the advisory: https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html Signed-off-by:
-
- Aug 21, 2019
-
-
Romain Naour authored
uClibc doesn't build with the upstream binutils 2.32.x and gcc or1k port due to the following error: LD libuClibc-1.0.31.so /opt/openrisc--uclibc--bleeding-edge-1/lib/gcc/or1k-buildroot-linux-uclibc/9.2.0/../../../../or1k-buildroot-linux-uclibc/bin/ld: libc/libc_so.a(or1k_clone.os): pc-relative relocation against dynamic symbol __syscall_error See: https://gitlab.com/kubu93/toolchains-builder/-/jobs/270854456 This error message come from a new check in binutils 2.32.x: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=f2c1801f6255a3f9f483ae2f07c7d7da0ddae4af This issue has been reported on the uClibc-ng mailing list: https://mailman.uclibc-ng.org/pipermail/devel/2019-August/001885.html Since gcc 9.1 needs binutils 2.32.x or later to build successfully for or1k, there is no binutils version left that can build gcc 9.1 and uClibc. For now, disable uClibc if gcc 9.1 is used for or1k. Signed-off-by:
Romain Naour <romain.naour@gmail.com> Cc: Waldemar Brodkorb <mail@waldemar-brodkorb.de> [Arnout: invert the logic, like in the rest of the file] Signed-off-by:
Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
-
Romain Naour authored
With binutils 2.30.x or 2.31.x, the assembler doesn't support the code generated by gcc 9.1: Error: junk at end of line `l.movhi r17,gotoffha(.LC0)' gotoffha is supported by binutils since version 2.32 [1]. It was added by the ork1 gcc port merged into gcc 9.x [2]. So, for or1k we can select gcc 9.x only if binutils 2.32 (or later) is selected. Tested using qemu_or1k_defconfig and selecting musl libc, binutils 2.32 and gcc 9.1. [1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=1c4f3780f7d939402cfe555007ebff45c8e38951 [2] https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=d61fdfe71cfd42aa6454f2267a48c97820918fe3 Signed-off-by:
-
Pierre-Jean Texier authored
See https://lists.gnu.org/archive/html/libmicrohttpd/2019-08/msg00000.html Signed-off-by:
Pierre-Jean Texier <pjtexier@koncepto.io> Signed-off-by:
-
Commit 7792c4f1 introduced trailing whitespace. Remove it. Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/276636839 Signed-off-by:
-
Fabrice Fontaine authored
- Add a patch to fix cross-compilation - Fix the following CVEs: - SQUID-2019:6 (CVE-2019-13345), Jul 12, 2019 Fixed from 4.8 Multiple Cross-Site Scripting issues in cachemgr.cgi - SQUID-2019:5 (CVE-2019-12527), Jul 12, 2019 Fixed from 4.8 Heap Overflow issue in HTTP Basic Authentication processing - SQUID-2019:3 (CVE-2019-12525), Jul 12, 2019 Fixed from 4.8 Denial of Service in HTTP Digest Authentication processing - SQUID-2019:2 (CVE-2019-12529), Jul 12, 2019 Fixed from 4.8 Denial of Service in HTTP Basic Authentication processing - SQUID-2019:1 (CVE-2019-12824), Jul 12, 2019 Fixed from 4.8 Denial of Service issue in cachemgr.cgi Signed-off-by:Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by:
-
- Aug 20, 2019
-
-
Peter Korsgaard authored
Signed-off-by: -
Peter Korsgaard authored
For post-1.12.8 fixes. From the release notes: go1.12.9 (released 2019/08/15) includes fixes to the linker, and the os and math/big packages. Signed-off-by: -
Peter Korsgaard authored
Fixes CVE-2019-14697: musl libc 1.1.23 and earlier x87 float stack imbalance For more details, see the oss-security discussion: https://www.openwall.com/lists/oss-security/2019/08/05/6 Signed-off-by:
-
Thomas Petazzoni authored
There is a typo in the handling of the BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_DISPMANX option: we're adding dispmax to GST1_PLUGINS_BASE_WINSYS_LIST, which causes the following build failure: meson.build:1:0: ERROR: Options "dispmax" are not in allowed choices: "x11, wayland, win32, cocoa, dispmanx, viv-fb, gbm, auto" We fix this by using the proper option name, "dispmanx" instead of the slightly incorrect "dispmax". Signed-off-by:
-
Thomas Petazzoni authored
/etc/quagga is listed in QUAGGA_PERMISSIONS, but is only created when some of the quagga sub-options are enabled. When none of those sub-options are enabled, /etc/quagga is not created, causing a build failure when the filesystem images are created: makedevs: line 1: recursive failed for /home/thomas/projets/outputs/quagga-minimal/build/buildroot-fs/tar/target/etc/quagga: No such file or directory Since it is too cumbersome to maintain which sub-options exactly lead to /etc/quagga being created, simply create /etc/quagga unconditionally. It will simply be empty when the quagga package doesn't install anything in it. For the record, here is the list of files installed in /etc/quagga when all quagga sub-options are enabled: bgpd.conf.sample bgpd.conf.sample2 isisd.conf.sample ospf6d.conf.sample ospfd.conf.sample pimd.conf.sample ripd.conf.sample ripngd.conf.sample vtysh.conf.sample zebra.conf.sample Fixes: http://autobuild.buildroot.net/results/cdb66589909fd3996186f7db7d1f19a3b03d58a0/ Signed-off-by:
-
- Aug 19, 2019
-
-
Fabrice Fontaine authored
- Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p 0.49.4, has a heap-based buffer overflow because a certain "Private->RunningCode - 2" array index is not checked. This will lead to a denial of service or possibly unspecified other impact. - Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero. Signed-off-by:
-
