- Feb 17, 2021
- Peter Korsgaard authored
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Peter Korsgaard authored
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 08e03785d3812c085c438a6040ccedc3e9f5809d)
  [Peter: drop Makefile changes]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Peter Korsgaard authored
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Peter Korsgaard authored
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  (cherry picked from commit 610e67b1fc4ac44e0c4a7ba437c917ad6d63f481)
  [Peter: drop Makefile changes]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Peter Korsgaard authored
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  Set PATH to BR_PATH to allow perl-extutils-pkgconfig to find pkg-config binary

  Fixes:
  - http://autobuild.buildroot.org/results/d87787fbf2a8cb9bbaa3b59d1e8004ad1459536a

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Peter Korsgaard authored
  Fixes the following security issues:

  - CVE-2021-23841: Null pointer deref in X509_issuer_and_serial_hash()

    The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack.

    The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources.

  - CVE-2021-23839: Incorrect SSLv2 rollback protection

    OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are supposed to use a special form of padding. A server that supports greater than SSLv2 is supposed to reject connection attempts from a client where this special form of padding is present, because this indicates that a version rollback has occurred (i.e. both client and server support greater than SSLv2, and yet this is the version that is being requested). The implementation of this padding check inverted the logic so that the connection attempt is accepted if the padding is present, and rejected if it is absent. This means that such a server will accept a connection if a version rollback attack has occurred. Further the server will erroneously reject a connection if a normal SSLv2 connection attempt is made. OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to this issue.

    The underlying error is in the implementation of the RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING padding mode used by various other functions. Although 1.1.1 does not support SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the RSA_SSLV23_PADDING padding mode. Applications that directly call that function or use that padding mode will encounter this issue. However since there is no support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a security issue in that version.

  - CVE-2021-23840: Integer overflow in CipherUpdate

    Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

  For more details, see the advisory: https://www.openssl.org/news/secadv/20210216.txt

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Feb 16, 2021
- Heiko Thiery authored
  Add the list of <pkg>_IGNORE_CVES to the json output to show that we have a known cause (available patch or the CVE is not valid for our package configuration) that an affected CVE is not reported.

  Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Thomas De Schampheleire authored
  The compiler detection since openblas 0.3.8 added support for gcc 10, but this broke detection of compilers created with crosstool-ng, or other toolchains that have a package version containing a version like x.y.z where at least one of x, y or z have more than one digit, for example "Crosstool-NG 1.24.0". See the reported issue for more details [1].

  Backport the upstream patch that fixes it.

  [1] https://github.com/xianyi/OpenBLAS/issues/3099

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Thomas De Schampheleire authored
  Buildroot would automatically enable multithreading in OpenBLAS if the architecture supports it. However, one may want to avoid OpenBLAS creating threads itself and configure single-threaded operation. To accommodate this use case, add a config option for multithreading.

  When multithreading is disabled but OpenBLAS functions are called in the same application by multiple threads, then locking is mandatory. The USE_LOCKING flag was added in version 0.3.7 with the following release note: a new option USE_LOCKING was added to ensure thread safety when OpenBLAS itself is built without multithreading but will be called from multiple threads. However, if one knows that OpenBLAS will only be called from single-threaded applications, then passing USE_LOCKING is not necessary, so make it a config option too.

  When multithreading is enabled, locking is implicitly enabled inside openblas, so only provide the locking option when multithreading is disabled.

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Fabrice Fontaine authored
  Retrieve an upstream patch to fix build with riscv as it fails to retrieve architecture due to "Use sigaction with SA_RESTART instead" being caught before riscv:

  ```
  exec: export LC_ALL=C ; { /home/fabrice/buildroot/output/host/bin/riscv32-linux-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -E archtest.c 2>/dev/null | grep -v ^# | grep ' | cut -f 2 -d' ; }
  Use sigaction with SA_RESTART instead
  riscv
  ```

  Fixes:
  - http://autobuild.buildroot.org/results/61ac6c9bfcd3bd9306aa49faf47b9f16e5abe846

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Fabrice Fontaine authored
  Fix static build failure which is raised since the switch to meson-package in commit a7b51ed3

  Fixes:
  - http://autobuild.buildroot.org/results/6cd54c497f5d19342ec94ece713547b887e4c02d

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  [Arnout: add link to upstream MR]
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Peter Korsgaard authored
  Bugfix release, fixing a number of issues:

  - Fix RunLoop objects leaked in worker threads.
  - Fix JavaScriptCore AArch64 LLInt build with JIT disabled.
  - Use Internet Explorer quirk for Google Docs.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Acked-by: Adrian Perez de Castro <aperez@igalia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Peter Korsgaard authored
  Fixes the following security issue:

  - CVE-2020-13558: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: A use after free issue in the AudioSourceProviderGStreamer class was addressed with improved memory management.

  For more details, see the advisory: https://webkitgtk.org/security/WSA-2021-0001.html

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Acked-by: Adrian Perez de Castro <aperez@igalia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  Now that gdlib-config is gone, provide the GD options otherwise perl-gd will assume that everything is available:

  ```
  $features = 'GD_GIF GD_GIFANIM GD_OPENPOLYGON GD_ZLIB GD_PNG GD_FREETYPE GD_FONTCONFIG GD_JPEG GD_XPM GD_TIFF GD_WEBP';
  ```

  Also, while at it, make some of the dependencies optional as suggested by François Perrad

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Tested-by: Francois Perrad <francois.perrad@gadz.org> (with
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Fabrice Fontaine authored
  Commit 3a291be2 forgot to add perl-extutils-pkgconfig dependency

  Fixes:
  - http://autobuild.buildroot.org/results/e590f1990180eae21512b23b884755e105a4c588

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Acked-by: Francois Perrad <francois.perrad@gadz.org>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Fabrice Fontaine authored
  host-perl-extutils-pkgconfig is needed by perl-gd to find gd in version 2.3.0

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Acked-by: Francois Perrad <francois.perrad@gadz.org>
  [Arnout:
   - remove Config.in - it's host-only
   - add DEVELOPERS entry
   - use HOST_PERL_EXTUTILS_PKGCONFIG_DEPENDENCIES]
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Peter Korsgaard authored
  Fixes:

  https://gitlab.com/buildroot.org/buildroot/-/jobs/1019385940

  ```
  FAIL: test_run (tests.core.test_timezone.TestGlibcNonDefaultLimitedTimezone)
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "/builds/buildroot.org/buildroot/support/testing/tests/core/test_timezone.py", line 66, in test_run
      self.assertEqual(tz[0].strip(), "EST")
  AssertionError: '' != 'EST'
  ```

  Commit 7868289f (package/zic: bump version to 2020f) bumped the zic version to 2020f, which changed the default output format from the classic "fat" format to the new "slim" format:

  https://github.com/eggert/tz/commit/6ba6f2117b95eab345a7ed9159cef939e30c4cd3

  The slim format is unfortunately not supported by glibc < 2.28 or uClibc, so explicitly request the classic "fat" format.

  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Thomas De Schampheleire authored
  Currently, the envimage creation logic only depends on u-boot when the user does not specify a custom envimage source via BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE. This assumes that the user-provided envimage source is not coming from the u-boot source tree.

  But especially given the fact that the envimage creation logic used to be part of the u-boot package, this is a realistic scenario: users may have provided a value of BR2_PACKAGE_HOST_UBOOT_TOOLS_ENVIMAGE_SOURCE based on $(UBOOT_DIR), e.g.:

  $(UBOOT_DIR)/board/foo-vendor/bar-board/env.txt

  Therefore, always add the u-boot dependency if u-boot is selected, for either case of custom or default envimage source.

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  [Thomas: re-organize code a bit.]
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- pickle is no longer used since 09a71e6a

  Fixes:
  support/scripts/cpedb.py:7:1: F401 'pickle' imported but unused

  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
- Fabrice Fontaine authored
  gst1-plugins-base is a mandatory dependency since at least version 1.9.90 and https://github.com/GStreamer/gst-python/commit/16f971226df1980b58ebde330123debaaf3b53d0

  Fixes:
  - http://autobuild.buildroot.org/results/48b22c66c3a610d70931b9adfd6e5082bb3ff3d1

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  tiff is only used by tificc sample and upstream rejected the patch to fix the static build failure because "adding pkg-config dependency for a sample is an overkill": https://github.com/mm2/Little-CMS/pull/244

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Fabrice Fontaine authored
  This reverts commit 7e4f054d.

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Thomas De Schampheleire authored
  The synproxy plugin exists since 5.8.0 and is enabled by default in collectd. Add an option in Buildroot, disabled by default.

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Thomas De Schampheleire authored
  The logparser plugin is new since 5.11.0 and enabled by default in collectd. Add an option in Buildroot, disabled by default.

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Thomas De Schampheleire authored
  The mdevents plugin is new since 5.12.0 and enabled by default in collectd. Add an option in Buildroot, disabled by default.

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Thomas De Schampheleire authored
  The infiniband plugin is new since 5.12.0 and enabled by default in collectd. Add an option in Buildroot, disabled by default.

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  Autobuilder failures are raised with bootlin toolchains but it affects orc since version 0.4.30

  Fixes:
  - http://autobuild.buildroot.org/results/0821e96cba3e455edd47b87485501d892fc7ac6a

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Thomas De Schampheleire authored
  Since the upgrade of ebtables from 2.0.10-4 to 2.0.11, there no longer is an 'ebtables' binary. It has been renamed to 'ebtables-legacy' and moved from '/sbin' to '/usr/sbin'. This change is part of the upstream change to integrate the functionality of ebtables (and arptables) in the iptables package, using the nf_tables kernel backend [1].

  Unfortunately, the renaming (and move) of the original 'ebtables' binary breaks existing scripts that are calling 'ebtables' or '/sbin/ebtables'. Therefore, add a symlink from the original path to 'ebtables-legacy'.

  However, do not provide this symlink if BR2_PACKAGE_IPTABLES_NFTABLES is enabled. In this case, the iptables package will build the new equivalent of ebtables -- a symlink to ebtables-legacy would cause conflicts.

  [1] https://wiki.nftables.org/wiki-nftables/index.php/Legacy_xtables_tools

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Acked-by: Baruch Siach <baruch@tkos.co.il>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Thomas De Schampheleire authored
  Since tcpdump 4.99.0, the 'tcpdump' binary is no longer installed in /usr/sbin but in /usr/bin. This change invalidates the Buildroot hook 'TCPDUMP_REMOVE_DUPLICATED_BINARY', causing a fairly large rootfs size increase as a result. Update the path inside this hook.

  Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  cpe:2.3:a:cesanta:mongoose is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Acesanta%3Amongoose

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  - Fix CVE-2021-26528: The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connection request after exhausting memory pool.
  - Fix CVE-2021-26529: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.
  - Fix CVE-2021-26530: The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.

  https://github.com/cesanta/mongoose/releases/tag/7.1

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  MG_ENABLE_SSL and MG_SSL_IF have been dropped since version 7.0 and https://github.com/cesanta/mongoose/commit/f2fba1d2004c5ddf2fc0a7ca8dc75b5f78feed85

  So use the new MG_ENABLE_OPENSSL and MG_ENABLE_MBEDTLS variables

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Thomas Petazzoni authored
  <rahul.jain@imgtec.com>: host mxa-00376f01.gslb.pphosted.com[185.132.180.163] said: 550 5.1.1 User Unknown (in reply to RCPT TO command)

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Thomas Petazzoni authored
  The oliseo.fr domain no longer responds to SMTP requests:

  smtplib.SMTPRecipientsRefused: {'Guillaume Gardet <guillaume.gardet@oliseo.fr>': (550, b'5.1.2 <guillaume.gardet@oliseo.fr>: Recipient address rejected: Domain not found')}

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- Feb 15, 2021
- Jörg Krause authored
  Glibc 2.33 removed `_STAT_VER`. On host machines, which updated to glibc 2.33, building host-fakeroot breaks:

  ```
  In file included from communicate.h:20,
                   from libfakeroot.c:60:
  libfakeroot.c: In function ‘chown’:
  libfakeroot.c:99:40: error: ‘_STAT_VER’ undeclared (first use in this function)
     99 | #define INT_NEXT_STAT(a,b) NEXT_STAT64(_STAT_VER,a,b)
  ```

  The issue has been discussed on some package maintainer threads, e.g.:

  https://bugs.archlinux.org/task/69572
  https://bugzilla.redhat.com/show_bug.cgi?id=1889862#c13

  A patch series was prepared by Ilya Lipnitskiy which included two other patches not related to the glibc 2.33 compatibility issue and submitted as merge request for upstream:

  https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg57280.html

  Upstream accepted the merge request:

  https://salsa.debian.org/clint/fakeroot/-/merge_requests/10

  Note that this patch series only contains the necessary patches for glibc 2.33 compatibility.

  Tested on my Arch Linux machine, building a UBIFS/OverlayFS-based root filesystem for an i.MX6ULL target board.

  Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
  Tested-by: Bartosz Bilas <b.bilas@grinn-global.com>
  [Peter: drop patch numbering (PATCH x/y) as pointed out by check-package]
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  Fix build without threads of libgpg-error in version >= 1.40

  Fixes:
  - http://autobuild.buildroot.org/results/3344c96e5627a9327b0eabe0b27f34490bbabc0d

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fabrice Fontaine authored
  Unit tests fail to build with gcc 10 on:

  ```
  [100%] Linking C executable NE10_dsp_unit_test_smoke
  /home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/aarch64-none-linux-gnu/10.2.1/../../../../aarch64-none-linux-gnu/bin/ld: CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_suite_fft_float32.c.o:(.bss+0x0): multiple definition of `seatest_simple_test_result'; CMakeFiles/NE10_dsp_unit_test_static.dir/__/modules/dsp/test/test_main.c.o:(.bss+0x0): first defined here
  ```

  So just disable them and, while at it, also disable examples which are also enabled by default

  Fixes:
  - http://autobuild.buildroot.org/results/c658d52668825c26a15d6ac3ca538472cad5cd78

  Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Michael Vetter authored
  Changes:
  * Fix memory-related bugs in the JPEG-2000 codec resulting from attempting to decode invalid code streams. (#264, #265) This fix is associated with CVE-2021-26926 and CVE-2021-26927.
  * Fix wrong return value under some compilers (#260)
  * Fix CVE-2021-3272 heap buffer overflow in jp2_decode (#259)

  Signed-off-by: Michael Vetter <jubalh@iodoru.org>
  Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Feb 14, 2021
- Thomas Petazzoni authored
  Currently, the CPE XML database is parsed into a Python dict, which is then pickled into a local file, to speed up the processing of further invocations.

  However, it turns out that since the initial implementation, we have switched the XML parsing from the out of tree xmltodict module to the standard ElementTree one, which has made the parsing much faster. The pickle caching only saves 6 seconds, on something that takes more than 13 minutes total.

  In addition, this pickle caching consumes a significant amount of RAM, causing the Python process to be OOM-killed on a server with 4 GB of RAM.

  So let's just drop this caching entirely.

  Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
  Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>