Yann E. MORIN [Tue, 17 Nov 2020 20:51:22 +0000 (21:51 +0100)]
Merge branch 'master' into next
* master: (125 commits)
package/jpeg-turbo: security bump to version 2.0.5
package/modem-manager: bump to version 1.14.8
package/c-ares: security bump to version 1.17.0
docs/website: update for 2020.02.8
Update for 2020.02.8
docs/website: update for 2020.08.2
Update for 2020.08.2
package/qemu: fix build with 64 bits time_t
package/harfbuzz: fix build without threads
boot/uboot: fix custom repo error message
package/numactl: needs -fPIC
package/dovecot-pigeonhole: fix build with per-package directories
package/libpam-tacplus: remove duplicate LIBPAM_TACPLUS_AUTORECONF
package/openntpd: needs host-bison
package/xorriso: fix host option
DEVELOPERS: drop Trent Piepho
package/postgresql: security bump to version 12.5
package/redis: security bump to version 6.0.9
Revert "package/linux-backports: bump version to 5.8"
package/linux-backports: bump version to 5.8
...
There should no longer be any need for the ac_cv_prog_XSLTPROC_CHECK
hack, this release already removes xsltproc from being a build
dependency when building from dist tarballs.
Fabrice Fontaine [Tue, 17 Nov 2020 07:10:54 +0000 (08:10 +0100)]
package/c-ares: security bump to version 1.17.0
- avoid read-heap-buffer-overflow in ares_parse_soa_reply found during
fuzzing
- Avoid theoretical buffer overflow in RC4 loop comparison
- Empty hquery->name could lead to invalid memory access
- ares_parse_{a,aaaa}_reply() could return a larger *naddrttls than was
passed in
Garret Kelly [Sun, 15 Nov 2020 04:40:43 +0000 (23:40 -0500)]
boot/uboot: fix custom repo error message
When using a custom git or mercurial repository for u-boot the error message
indicating a version had not been provided incorrectly stated that the URL was
missing. Update the error message to indicate that it's the version that's
missing.
Fabrice Fontaine [Sat, 14 Nov 2020 22:11:24 +0000 (23:11 +0100)]
package/numactl: needs -fPIC
This will avoid the following build failure with qemu 5.0.0 and above:
/srv/storage/autobuild/run/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/8.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: /srv/storage/autobuild/run/instance-2/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/lib/../lib64/libnuma.a(libnuma.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a PIE object; recompile with -fPIC
The commit [1] added a second LIBPAM_TACPLUS_AUTORECONF
because we are now patching configure.ac.
But LIBPAM_TACPLUS_AUTORECONF was already used because the
package is fetched from github.
Fabrice Fontaine [Sat, 14 Nov 2020 14:48:47 +0000 (15:48 +0100)]
package/redis: security bump to version 6.0.9
This release fixes a potential heap overflow when using a heap allocator
other than jemalloc or glibc's malloc. See:
https://github.com/redis/redis/pull/7963
Julien Olivain [Fri, 13 Nov 2020 13:09:41 +0000 (14:09 +0100)]
package/linux-backports: bump version to 5.8
Attempting to compile this package with a newer Kernel version (e.g. v5.4)
fails with the message:
Generating local configuration database from kernel ...Kernel version parse failed!
Upgrading the package to 5.8 fixes this issue. Anyway, v4.4 is now
rather old and defeats the very purpose of having newer drivers in older
kernels.
Since backports tag v4.14-rc4-1, the requirement on minimal kernel
version changed from 3.0 to 3.10. See commit [1]. The minimal kernel
version check is changed accordingly.
License files are also updated: the linux backports package copies the
license files from the kernel version used for its generation. v5.8 is
now "GPL-2.0 WITH Linux-syscall-note". However, there is no such SPDX
identifier (contrary to what is said in the COPYING file), so we keep it
as GPL-2.0 (which also keeps it aligned to what we have in linux.mk).
Thomas Petazzoni [Sat, 14 Nov 2020 10:48:07 +0000 (11:48 +0100)]
toolchain/toolchain-external/toolchain-external-arm-arm: add dependency on NEON
While testing Buildroot on a Cortex-A5 that doesn't provide NEON, we
found out that a system generated with the ARM toolchain from Arm
didn't boot. It turns out that this ARM toolchain is built with:
So, it uses NEON as its FPU, which means it can only work on CPU cores
that have NEON support. This commit adds the appropriate dependency to
the toolchain-external-arm-arm package, and adjusts the Config.in help
text accordingly.
While at it, it also drops the part of the Config.in help text that
says the code is tuned for Cortex-A9, as it is not the case: it was
the case for the Linaro toolchain (built with --with-tune=cortex-a9),
but not for the ARM toolchain, for which no specific --with-tune is
passed.
Julien Olivain [Fri, 13 Nov 2020 13:09:40 +0000 (14:09 +0100)]
package/linux-backports: fix kernel version check
The commit 05fea6e4a60a38a797d9bacbf318a2cd7dbd435f "infra/pkg-kconfig:
do not rely on package's .config as a timestamp" broke the kernel
version check of this linux-backports package (it was no longer
executed). Since linux-4.19, the kernel's build system internally
touches its .config file, so it can no longer be used as a stamp file.
The stamp file defined in the KCONFIG_STAMP_DOTCONFIG variable of the
pkg-kconfig infra needs to be used instead.
Baruch Siach [Thu, 12 Nov 2020 18:34:45 +0000 (20:34 +0200)]
package/luajit: drop static build handling
Static build of luajit is disabled since commit b2e8f28efac
("package/luajit: disable for static build"). Remove the related
BUILDMODE handling as well.
Fabrice Fontaine [Fri, 13 Nov 2020 06:35:35 +0000 (07:35 +0100)]
package/quota: bump to version 4.06
- Drop patch (already in version) and so autoreconf
- Update hash of COPYING (mailing address updated:
https://sourceforge.net/p/linuxquota/code/ci/b6bb53e1124e6b813fe4de5682b9d9a9f8a1fba8)
- Update indentation in hash file (two spaces)
Fabrice Fontaine [Thu, 12 Nov 2020 20:22:02 +0000 (21:22 +0100)]
package/suricata: link with libatomic if needed
Fix build of suricata 6.0.0 with mips32r6
app-layer-ftp.o: In function `FTPCheckMemcap':
app-layer-ftp.c:(.text+0x284): undefined reference to `__atomic_load_8'
app-layer-ftp.c:(.text+0x2d8): undefined reference to `__atomic_fetch_add_8'
Peter Korsgaard [Fri, 13 Nov 2020 10:31:11 +0000 (11:31 +0100)]
package/go: security bump to 1.15.5
Fixes the following security issues:
- math/big: panic during recursive division of very large numbers
A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted
large inputs. For the panic to happen, the divisor or modulo argument
must be larger than 3168 bits (on 32-bit architectures) or 6336 bits (on
64-bit architectures). Multiple math/big.Rat methods are similarly affected.
crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify may
panic when provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams with
unusually large field sizes (several times larger than the largest
supported curve, P-521) are in use. Using crypto/x509.Verify on a crafted
X.509 certificate chain can lead to a panic, even if the certificates
don’t chain to a trusted root. The chain can be delivered via a
crypto/tls connection to a client, or to a server that accepts and
verifies client certificates. net/http clients can be made to crash by an
HTTPS server, while net/http servers that accept client certificates will
recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed
host key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.
Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting
this. Thanks to Rémy Oudompheng and Robert Griesemer for their help
developing and validating the fix.
This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.
- cmd/go: arbitrary code execution at build time through cgo
The go command may execute arbitrary code at build time when cgo is in
use. This may occur when running go get on a malicious package, or any
other command that builds untrusted code.
This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.
Thanks to Imre Rad and to Chris Brown and Tempus Ex respectively for
reporting these issues.
These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.
Romain Naour [Sun, 31 May 2020 14:34:52 +0000 (16:34 +0200)]
configs/rock64_defconfig: remove defconfig
The rock64 defconfig has been broken [1][2] for a while due to an
incompatibility between the uboot-2017.09-rockchip-ayufan fork and pylibfdt.
Even with the latest uboot-2017.09-rockchip-ayufan fork version [3],
it doesn't build.
The original submitter tried the uboot upstream rock64-rk3328_defconfig
but the board doesn't boot [4].
In order to not release 2020.05 with a broken defconfig, let's remove
it. It can be re-added later once the uboot issue has been resolved.
Romain Naour [Wed, 11 Nov 2020 23:34:28 +0000 (00:34 +0100)]
package/python3: uClibc-ng doesn't set errno when encryption method is not available
Since commit [1] in cpython, an exception is raised when an encryption method
is not available. This exception is handled only if errno is set to EINVAL by
crypt(), but uClibc-ng doesn't set errno in crypt() [2].
Peter Seiderer [Tue, 10 Nov 2020 22:16:29 +0000 (23:16 +0100)]
package/wpewebkit: fix compile without video support
Fixes:
- https://bugs.busybox.net/show_bug.cgi?id=13306
.../wpewebkit-2.30.2/Source/WebKit/WebProcess/InjectedBundle/InjectedBundle.cpp:242:30: error: ‘class WebCore::Settings’ has no member named ‘setGenericCueAPIEnabled’; did you mean ‘setBeaconAPIEnabled’?
page->settings().setGenericCueAPIEnabled(enabled);
^~~~~~~~~~~~~~~~~~~~~~~
setBeaconAPIEnabled
Julien Olivain [Thu, 12 Nov 2020 12:01:54 +0000 (13:01 +0100)]
package/linux-backports: use flex and bison to generate kconfig parser
The upstream backports package does not define the LEX/YACC Makefile
variables, contrary to the Kernel which defines those in [1]. The
default "lex" and "yacc" are then used. On some systems, "yacc" is
Berkeley Yacc. The Kconfig parser files use non-POSIX Bison
constructs.
Attempting to generate the parser with byacc fails with error:
yacc: e - line 97 of "zconf.y", syntax error
%destructor {
^
This patch defines the LEX and YACC Makefile variables to use flex and
bison, to fix this issue. The host-bison and host-flex dependencies are
added only if the host does not have them, following the same logic as
the Kernel.
Pick the below patch from upstream, in order to fix
'settimeofday: Invalid argument' introduced by using glibc v2.31+.
(busybox hasn't tagged a new version since).
See https://bugs.busybox.net/show_bug.cgi?id=12756 for more info.
Peter Korsgaard [Thu, 12 Nov 2020 12:44:08 +0000 (13:44 +0100)]
package/asterisk: security bump to version 16.14.1
Fixes the following security issues:
- AST-2020-001: Remote crash in res_pjsip_session
Upon receiving a new SIP Invite, Asterisk did not return the created
dialog locked or referenced.
- AST-2020-002: Outbound INVITE loop on challenge with different nonce
If Asterisk is challenged on an outbound INVITE and the nonce is changed
in each response, Asterisk will continually send INVITEs in a loop. This
causes Asterisk to consume more and more memory since the transaction will
never terminate (even if the call is hung up), ultimately leading to a
restart or shutdown of Asterisk. Outbound authentication must be
configured on the endpoint for this to occur.
For details, see the announcement:
https://www.asterisk.org/asterisk-news/asterisk-13-37-1-16-14-1-17-8-1-18-0-1-and-16-8-cert5-now-available-security/
Stefan Agner [Thu, 12 Nov 2020 20:21:34 +0000 (21:21 +0100)]
package/apparmor: fix permission bits for apparmor.service
Avoid setting executable bits for apparmor.service. This gets rid of a
corresponding warning during installation:
Configuration file ../target/usr/lib/systemd/system/apparmor.service
is marked executable. Please remove executable permission bits.
Proceeding anyway.
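The warning quoted above comes from systemd noticing execute bits on a unit file. As an added example (not Buildroot's apparmor package code), the following Python script walks a target tree, reports unit files that carry any execute bit, and clears those bits; the directory layout and file modes it builds in a temporary directory are constructed for the demonstration:

```python
"""Added example: find systemd unit files installed with execute bits and
clear them. Not part of Buildroot; the target tree is constructed."""
import os
import shutil
import stat
import tempfile

# Unit file suffixes checked; assumption: these are the types of interest.
UNIT_SUFFIXES = (".service", ".socket", ".timer", ".target", ".mount", ".path")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def find_executable_units(root):
    """Return regular unit files under root whose mode has any execute bit set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(UNIT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & EXEC_BITS:
                hits.append(path)
    return sorted(hits)


def strip_execute_bits(paths):
    """Clear the execute bits (0755 becomes 0644); return the new modes."""
    result = {}
    for path in paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        new_mode = mode & ~EXEC_BITS
        os.chmod(path, new_mode)
        result[path] = new_mode
    return result


def demo():
    """Constructed target tree: one unit wrongly installed 0755, one correct 0644.
    Returns (offending files relative to root, fixed mode, files still offending)."""
    root = tempfile.mkdtemp()
    try:
        unitdir = os.path.join(root, "usr", "lib", "systemd", "system")
        os.makedirs(unitdir)
        bad = os.path.join(unitdir, "apparmor.service")
        good = os.path.join(unitdir, "other.service")
        for path, mode in ((bad, 0o755), (good, 0o644)):
            with open(path, "w") as f:
                f.write("[Unit]\nDescription=constructed example\n")
            os.chmod(path, mode)
        found = find_executable_units(root)
        fixed = strip_execute_bits(found)
        return ([os.path.relpath(p, root) for p in found],
                fixed.get(bad),
                find_executable_units(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run it against a real staging tree by calling find_executable_units("output/target") instead of demo(); the same check run before image assembly catches any package that installs a unit with $(INSTALL) -m 0755.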
Peter Korsgaard [Thu, 12 Nov 2020 09:21:45 +0000 (10:21 +0100)]
package/tmux: add upstream security fix for CVE-2020-27347
Fixes CVE-2020-27347: The function input_csi_dispatch_sgr_colon() in file
input.c contained a stack-based buffer-overflow that can be exploited by
terminal output.
For details, see:
https://www.openwall.com/lists/oss-security/2020/11/05/3
Julien Olivain [Wed, 11 Nov 2020 15:46:37 +0000 (16:46 +0100)]
package/linux-firmware: Add new option for Qualcomm/Atheros 10k (QCA9377)
Initial Atheros ath10k QCA9377 support was introduced in Kernel v4.4
[1]. More recently, in v5.7 [2], the SDIO support was also added. This
patch adds a new option to install firmware files for this device.
Now that pkg-stats is not just a maintainer-oriented tool, but a tool
generally useful to users, introduce a make target to run
pkg-stats. Of course, it is run with the newly introduced -c option,
which produces a pkg-stats output for just the selection of packages
of the currently defined configuration.
Now that pkg-stats is able to generate its output based on the list of
packages enabled in the current configuration, cve-checker doesn't
serve any purpose.
support/scripts/pkg-stats: support generating stats based on configured packages
pkg-stats was initially a Buildroot maintenance oriented tool: it was
designed to examine all Buildroot packages and provide
statistics/details about them.
However, it turns out that a number of details provided by pkg-stats,
especially CVEs, are relevant also for Buildroot users, who would like
to check regularly if their specific Buildroot configuration is
affected by CVEs or not, and possibly check if all packages have
license information, license files, etc.
The cve-checker script was recently introduced to provide an output
relatively similar to pkg-stats, but focused on CVEs only.
But in fact, its main difference is on the set of packages that we
consider: pkg-stats considers all packages, while cve-checker uses
"make show-info" to only consider packages enabled in the current
configuration.
So, this commit introduces a -c option to pkg-stats, to tell pkg-stats
to generate its output based on the list of configured packages. -c is
mutually exclusive with the -p option (explicit list of packages) and
-n option (a number of packages, picked randomly).
support/scripts/pkg-stats: allow to run script outside of the top-level directory
Currently, pkg-stats expects being executed from Buildroot's top-level
source directory. As we are going to extend pkg-stats to cover only
the packages available in the current configuration, it makes sense to
be able to run it from the output directory, which can be anywhere
compared to Buildroot's top-level directory.
This commit adjusts pkg-stats to this, by inferring all Buildroot
paths based on the location of the pkg-stats script itself.
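The two pkg-stats commits above describe option handling (-c mutually exclusive with -p and -n) and deriving Buildroot paths from the script's own location. The following is an added example of both, written here for illustration and not taken from Buildroot's support/scripts/pkg-stats; it assumes the script lives in <topdir>/support/scripts/ and uses constructed package lists in place of "make show-info" output:

```python
"""Added example (not Buildroot's pkg-stats): mutually exclusive -c/-p/-n
options and top-level directory inference from the script location."""
import argparse
import os
import random


def infer_topdir(script_path):
    """Assumption: script_path is <topdir>/support/scripts/<script>, so the
    top-level directory is two levels above the script's directory."""
    return os.path.abspath(os.path.join(os.path.dirname(script_path), "..", ".."))


def build_parser():
    parser = argparse.ArgumentParser(description="pkg-stats-like option handling")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-c", dest="configured", action="store_true",
                       help="only consider packages enabled in the current configuration")
    group.add_argument("-p", dest="packages",
                       help="comma-separated explicit list of packages")
    group.add_argument("-n", dest="npackages", type=int,
                       help="number of packages picked at random")
    return parser


def parse_args(argv, script_path=__file__):
    args = build_parser().parse_args(argv)
    args.topdir = infer_topdir(script_path)
    return args


def options_conflict(argv):
    """True when argv combines options the parser treats as mutually exclusive
    (argparse reports the conflict and exits with status 2)."""
    try:
        build_parser().parse_args(argv)
    except SystemExit:
        return True
    return False


def select_packages(args, all_packages, configured_packages, rng=None):
    """Return the package subset the options ask for.
    all_packages: every package known to the tree (constructed here);
    configured_packages: what 'make show-info' would list for the current config."""
    if args.configured:
        return sorted(set(all_packages) & set(configured_packages))
    if args.packages:
        wanted = args.packages.split(",")
        missing = sorted(set(wanted) - set(all_packages))
        if missing:
            raise ValueError("unknown packages: %s" % ", ".join(missing))
        return wanted
    if args.npackages is not None:
        rng = rng or random.Random(0)
        return rng.sample(sorted(all_packages), min(args.npackages, len(all_packages)))
    return sorted(all_packages)


if __name__ == "__main__":
    # Constructed sample data standing in for the package tree and show-info output.
    known = ["busybox", "openssl", "zlib"]
    enabled = ["zlib", "busybox"]
    opts = parse_args(["-c"])
    print(opts.topdir, select_packages(opts, known, enabled))
```

With -c the selection is the intersection of the tree's packages and the configured ones, which is what makes a CVE report for "my configuration only" possible; running with no option keeps the maintainer-oriented behaviour of reporting everything.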
Romain Naour [Sun, 8 Nov 2020 17:51:05 +0000 (18:51 +0100)]
package/mesa3d: Add xcb-fixes to loader when using x11 and dri3
"loader_dr3_helper.c uses xcb_xfixes_create_region() that requires dep_xcb_xfixes to link.
This is dependent on with_platform_x11 and with_dri3.
But the source meson file does not set this up dependent on with_dri3."
i686-buildroot-linux-gnu/bin/ld: src/loader/libloader_dri3_helper.a(loader_dri3_helper.c.o): in function `loader_dri3_swap_buffers_msc':
loader_dri3_helper.c:(.text.loader_dri3_swap_buffers_msc+0x33e): undefined reference to `xcb_xfixes_create_region'
Romain Naour [Sun, 8 Nov 2020 20:53:44 +0000 (21:53 +0100)]
support/testing/tests/init/test_systemd: update to BR2_PACKAGE_SYSTEMD_JOURNAL_REMOTE
The commit [1] moved systemd-journal-gatewayd into systemd-journal-remote
option. Update to BR2_PACKAGE_SYSTEMD_JOURNAL_REMOTE in the testsuite
when BR2_PACKAGE_SYSTEMD_JOURNAL_GATEWAY is used.
Fabrice Fontaine [Tue, 10 Nov 2020 17:41:14 +0000 (18:41 +0100)]
package/guile: disable jit for host and target gcc < 5
jit also raises build failures with host gcc 4.9.2 and x86_64, so disable
it if host gcc < 5, and update the workaround added by commit d8dad069c861468b17397f01875b95e7375891d7 to apply it for all
architectures and not only ARM.
Fabrice Fontaine [Tue, 10 Nov 2020 20:17:07 +0000 (21:17 +0100)]
package/bitcoin: set BITCOIN_GENBUILD_NO_GIT
Set BITCOIN_GENBUILD_NO_GIT to not include (Buildroot) git version info in
build, which is available since version 0.15.0 and
https://github.com/bitcoin/bitcoin/commit/e98e3dde6a976a2c8f266ee963d6931fd4b37262
- systemd support/USE_SYSTEMD option was added since 2.30.0,
so add an optional dependency
Fixes:
-- Could NOT find Systemd (missing: Systemd_LIBRARY Systemd_INCLUDE_DIR)
CMake Error at Source/cmake/OptionsGTK.cmake:425 (message):
libsystemd is needed for USE_SYSTEMD
Romain Naour [Sun, 8 Nov 2020 15:27:36 +0000 (16:27 +0100)]
configs/qemu_arm_vexpress_defconfig: increase SD card image size to 64MiB
Since Qemu 5.1, this defconfig doesn't boot due to the too small SD card image size (60MB).
qemu-system-arm: sd_init failed: Invalid SD card size: 60 MiB
SD card size has to be a power of 2, e.g. 64 MiB.
You can resize disk images with 'qemu-img resize <imagefile> <new-size>'
(note that this will lose data if you make the image smaller than it currently is).
qemu-system-arm: sd_init failed
From [1]:
"While the possibility to use small SD card images has been seen as
a feature, it became a bug with CVE-2020-13253, where the guest is
able to do OOB read/write accesses past the image size end."
The qemu_arm_vexpress_tz_defconfig doesn't trigger such an issue since
it doesn't use the same filesystem support (i.e. it doesn't use
-drive file=output/images/rootfs.ext2,if=sd,format=raw).
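QEMU's rejection of the 60 MiB image rests on the power-of-two check quoted above. As an added example (not QEMU's or Buildroot's code), the following Python helper reproduces that check, computes the smallest power-of-two size an image must be padded to, and grows a constructed sparse 60 MiB file the way 'qemu-img resize' would, never shrinking it. The defconfig change itself (BR2_TARGET_ROOTFS_EXT2_SIZE) is not part of this example:

```python
"""Added example: power-of-two SD card image size check and padding.
Not QEMU or Buildroot code; the 60 MiB image is constructed."""
import os
import tempfile

MIB = 1024 * 1024


def is_power_of_two(n):
    """QEMU >= 5.1 only accepts SD card images whose size is a power of two."""
    return n > 0 and (n & (n - 1)) == 0


def sd_card_padded_size(size):
    """Smallest power-of-two size that is >= size (60 MiB -> 64 MiB)."""
    if is_power_of_two(size):
        return size
    return 1 << size.bit_length()


def pad_sd_image(path):
    """Grow the image file at path to the next power of two and return the
    new size. Only ever extends (with zeros), so filesystem data is kept."""
    size = os.path.getsize(path)
    new_size = sd_card_padded_size(size)
    if new_size != size:
        with open(path, "r+b") as f:
            f.truncate(new_size)
    return new_size


def demo():
    """Constructed 60 MiB sparse image standing in for output/images/rootfs.ext2.
    Returns (size before, size after padding)."""
    with tempfile.NamedTemporaryFile(suffix=".ext2", delete=False) as f:
        f.truncate(60 * MIB)
        path = f.name
    try:
        before = os.path.getsize(path)
        after = pad_sd_image(path)
        return before, after
    finally:
        os.unlink(path)


if __name__ == "__main__":
    before, after = demo()
    print("%d MiB -> %d MiB" % (before // MIB, after // MIB))
```

Keeping the image at a power of two is the safe side of CVE-2020-13253: an undersized image is exactly the configuration the guest could abuse, so a post-build check that every image passed with if=sd satisfies is_power_of_two is cheap insurance.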
Romain Naour [Sun, 8 Nov 2020 15:27:35 +0000 (16:27 +0100)]
Revert "configs/qemu_arm_versatile_defconfig: increase SD card image size to 64MiB"
qemu_arm_versatile doesn't use the SD card interface but SCSI, so there is no
need to increase the image size.
The change was for qemu_arm_vexpress_defconfig instead (notice the
name of the defconfig used in gitlab).
Bumping the package requires two fixes:
* pillow looks for header files in paths returned by pkg-config.
On buildroot, pkg-config returns nothing if PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
is disabled.
* png is the default pillow image format and png format is working only
if python zlib module is available.
Build of xen tools fails if slirp is built before xen because xen is not
compatible with spice slirp which does not provide libslirp.h:
/home/buildroot/autobuild/instance-2/output-1/build/xen-4.13.0/tools/qemu-xen/net/slirp.c:40:10: fatal error: libslirp.h: No such file or directory
#include <libslirp.h>
^~~~~~~~~~~~
Indeed, xen prefers a system-provided slirp over its internal one.
So add slirp as a mandatory dependency (now that we switched to the up
to date https://gitlab.freedesktop.org/slirp/libslirp).
This build failure has been raised since, at least, version 4.13.0.
- Use an up to date fork (spice slirp is archived and has not been
updated since 2012)
- Add COPYRIGHT as the license file
- BSD-4-Clause has been replaced by BSD-3-Clause since
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3bac39137a652b24b89d5b9e2a39600619fbe1d3
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f9f6e69c4e1d9a43af30bfe791b31789ffa04954
- Add hash file
- Switch to meson-package
- Fix multiple security vulnerabilities: CVE-2014-3640, CVE-2017-11434,
CVE-2019-6778, CVE-2019-9824, CVE-2019-14378 and CVE-2020-10756
Peter Korsgaard [Tue, 10 Nov 2020 08:50:14 +0000 (09:50 +0100)]
package/gstreamer1/gst1-plugins-bad: explicitly enable _GNU_SOURCE for festival/glibc 2.18
festival fails to build with glibc 2.18 due to fopen and the h_addr field in
struct hostent:
../gst/festival/gstfestival.c: In function 'gst_festival_chain':
../gst/festival/gstfestival.c:273:3: warning: implicit declaration of function 'fdopen' [-Wimplicit-function-declaration]
fd = fdopen (f, "wb");
^
../gst/festival/gstfestival.c:273:6: warning: assignment makes pointer from integer without a cast [enabled by default]
fd = fdopen (f, "wb");
^
../gst/festival/gstfestival.c: In function 'festival_socket_open':
../gst/festival/gstfestival.c:367:45: error: 'struct hostent' has no member named 'h_addr'
memmove (&serv_addr.sin_addr, serverhost->h_addr, serverhost->h_length);
^
Both of which are hidden behind _GNU_SOURCE in glibc 2.18, so enable that to
fix this build issue.
Peter Korsgaard [Tue, 10 Nov 2020 08:46:00 +0000 (09:46 +0100)]
package/gstreamer1/gst1-plugins-bad: explicitly enable C99 for dvbsubenc/gcc 4.8
dvbsubenc fails to build with gcc 4.8 due to restrict keyword and for
loop declarations:
../gst/dvbsubenc/libimagequant/blur.c:10:46: error: expected ';', ',' or ')' before 'src'
transposing_1d_blur (unsigned char *restrict src, unsigned char *restrict dst,
^
../gst/dvbsubenc/libimagequant/blur.c: In function 'liq_min3':
../gst/dvbsubenc/libimagequant/blur.c:101:5: error: 'for' loop initial declarations are only allowed in C99 mode
for (unsigned int i = 0; i < width - 1; i++) {
^
../gst/dvbsubenc/libimagequant/blur.c:101:5: note: use option -std=c99 or -std=gnu99 to compile your code