Peter Korsgaard [Mon, 5 Dec 2022 13:18:06 +0000 (14:18 +0100)]
package/sdl2_ttf: fix legal-info after bump to 2.20.1
Commit 93d8b71371962 (package/sdl2_ttf: bump version to 2.20.1) dropped the
hash for COPYING.txt and added a hash for LICENSE.txt but forgot to adjust
SDL2_TTF_LICENSE_FILES, breaking legal-info:
>>> sdl2_ttf 2.20.1 Collecting legal info
ERROR: No hash found for COPYING.txt
cp: cannot stat '/path/to/output/build/sdl2_ttf-2.20.1/COPYING.txt': No such file or directory
make[1]: *** [package/sdl2_ttf/sdl2_ttf.mk:38: sdl2_ttf-legal-info] Error 1
In file included from ../src/lxc/utils.h:23,
from ../src/lxc/cgroups/cgfsng.c:51:
../src/lxc/process_utils.h:140:17: error: expected identifier before numeric constant
140 | #define P_PIDFD 3
| ^
Add a custom case to make sure that a random configuration with an empty
board for mxs-bootlets doesn't fail. It reverts to
BR2_TARGET_MXS_BOOTLETS_STMP37xx in that case.
Patrick Gerber [Sun, 4 Dec 2022 14:06:42 +0000 (15:06 +0100)]
package/pkg-golang: use package go env for download step
Currently package specific go env is used only during package build step.
Go vendoring is done during the download step and it's sometimes required
to specify package specific go env also for this step.
For example, when importing custom go modules that are hosted on a private
host, it's required to set GOPRIVATE to avoid public sum checking.
Of all the environment variables driving the behaviour of the go command
[0], there is none that obviously has an impact on the behaviour of
go-mod, unless they are explicitly listed as such [1], so it seems
pretty safe to include the generic environment variables for the
download step.
Commit 235636409fdd (package/mender-artifact: do not download modules
during the build process) introduced the use of GOFLAGS="-mod=vendor",
on 2020-08-13, before we had the go download post-process...
... which was introduced with commit 24ac316ff58e (package/pkg-golang.mk:
implement Go vendoring support), on 2022-01-08, which added $(2)_DL_ENV
which contains $(HOST_GO_COMMON_ENV).
HOST_GO_COMMON_ENV, set in go/go.mk@23, already contains
GOFLAGS="-mod=vendor".
Vincent Stehlé [Thu, 1 Dec 2022 18:33:37 +0000 (19:33 +0100)]
boot/edk2: bump version to edk2-stable202208
The Marvell Armada Devicetree files have been moved out of edk2-platforms
by commit 4b53da6b12a8 ("Marvell/Armada7k8k: Remove device tree sources
from edk2-platforms") and they are now in edk2-non-osi.
Therefore update the MACCHIATObin recipe to depend on the new edk2-non-osi
package and rework a bit the packages path to support that.
Also, drop the backported patch as it is not necessary anymore.
Vincent Stehlé [Thu, 1 Dec 2022 18:33:36 +0000 (19:33 +0100)]
package/edk2-non-osi: new package
Add a package to install the additional edk2 platforms files, not
compatible with the normal licensing requirements and held in the
edk2-non-osi repository.
Only the Marvell Armada files are copied at this point, to support building
edk2 for the MACCHIATObin platform.
The referenced commit corresponds to version edk2-stable202208 of edk2,
based on the timestamps.
This package is heavily inspired from package/edk2-platforms.
zlib is a mandatory dependency of gdb and by default, gdb will use its
internal one. Moreover, --with-zlib has been replaced by
--with-system-zlib since version 7.10 and
https://github.com/bminor/binutils-gdb/commit/fa1f5da0b6ff3622f9bf60e348e149b76920abba
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an
integer overflow and resultant buffer overflow that allows attackers to
execute arbitrary code or eliminate expected cryptographic properties.
This occurs in the sponge function interface.
Python 3.11 and later switched to using tiny_sha3 in GH-32060, so they
should not be affected.
/usr/bin/install -m 0755 -D package/optee-client//S30optee /home/autobuild/autobuild/instance-0/output-1/target/etc/init.d/S30optee
/usr/bin/install: cannot stat 'package/optee-client//S30optee': No such file or directory
Max Filippov [Wed, 30 Nov 2022 02:18:21 +0000 (18:18 -0800)]
package/elf2flt: fix text relocations on xtensa
elf2flt 2021.08 has changed endianness swapping logic for relocated
entries in the text segment. This broke little-endian xtensa FLAT images
which now fail to start with the following message:
binfmt_flat: reloc outside program 0x24c80100 (0 - 0x6e430/0x56a20)
Fix it by restoring old endianness swapping logic for relocated entries
in the text segment when building for xtensa.
Etienne Carriere [Wed, 30 Nov 2022 07:54:52 +0000 (08:54 +0100)]
package: optee-client: fix indentation issues
Fix issues reported by utils/check-package:
package/optee-client/S30optee:40: should be indented with tabs (http://nightly.buildroot.org/#adding-packages-start-script)
package/optee-client/S30optee:46: should be indented with tabs (http://nightly.buildroot.org/#adding-packages-start-script)
package/optee-client/S30optee:47: should be indented with tabs (http://nightly.buildroot.org/#adding-packages-start-script)
package/optee-client/S30optee:48: should be indented with tabs (http://nightly.buildroot.org/#adding-packages-start-script)
package/optee-client/S30optee:0: filename should be S<number><number><daemon name> (http://nightly.buildroot.org/#adding-packages-start-script)
package/optee-client/S30tee-supplicant:0: run 'shellcheck' and fix the warnings
package/rtl8723bu: fix build failure due to missing Linux options
This driver requires:
CONFIG_NET
CONFIG_WIRELESS
CONFIG_CFG80211
CONFIG_USB_SUPPORT
CONFIG_USB
to build so let's add them to RTL8723BU_LINUX_CONFIG_FIXUPS.
When BR2_SHARED_STATIC_LIBS is enabled, both --enable-static and
--enable-shared are passed to configure. memcached configure.ac only
looks for --enable-static to make the build static. But when linking
against openssl pkg-config only returns dynamic linking dependencies,
resulting in the following build failure:
BR2_SHARED_STATIC_LIBS only makes sense for libraries, not executable
binaries. Pass --disable-static unless BR2_STATIC_LIBS is enabled for a
static-only build.
Vincent Stehlé [Thu, 1 Dec 2022 18:33:35 +0000 (19:33 +0100)]
package/edk2-platforms: bump in sync with edk2-stable202208
Bump the edk2-platforms commit to the one corresponding to version
edk2-stable202208 of edk2, based on the timestamps.
Note: the Marvell Armada Devicetree files have been moved out of
edk2-platforms by commit 4b53da6b12a8 ("Marvell/Armada7k8k: Remove device
tree sources from edk2-platforms") and they are now in edk2-non-osi.
Peter Korsgaard [Fri, 2 Dec 2022 19:15:19 +0000 (20:15 +0100)]
package/rabbitmq-server: drop package
The packaged version has a number of security issues, newer versions require
erlang 23+ and nobody has stepped up to maintain it since the issues were
reported:
Peter Korsgaard [Fri, 2 Dec 2022 18:36:31 +0000 (19:36 +0100)]
package/exim: mark CVE-2022-3620 as ignored
CVE-2022-3620: A vulnerability was found in Exim and classified as
problematic. This issue affects the function dmarc_dns_lookup of the file
dmarc.c of the component DMARC Handler. The manipulation leads to use after
free. The attack may be initiated remotely. The name of the patch is
12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a
patch to fix this issue. The associated identifier of this vulnerability is
VDB-211919.
This vulnerability is in the DMARC handling, which is only used if
libopendmarc is available AND SUPPORT_DMARC is set to yes, neither of which
is true for Buildroot, so ignore the CVE.
Peter Korsgaard [Fri, 2 Dec 2022 18:36:30 +0000 (19:36 +0100)]
package/exim: add upstream security fixes for CVE-2022-3559
Fixes CVE-2022-3559: A vulnerability was found in Exim and classified as
problematic. This issue affects some unknown processing of the component
Regex Handler. The manipulation leads to use after free. The name of the
patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to
apply a patch to fix this issue. The identifier VDB-211073 was assigned to
this vulnerability.
The upstream patch does not apply to 4.96, so use the backported patches
from Debian. Amazingly, the patch needs 3 additional patches to unbreak
builds without "WITH_CONTENT_SCAN" (default in Buildroot), so add those as
well.
In libarchive 3.6.1, the software does not check for an error after
calling calloc function that can return with a NULL pointer if the
function fails, which leads to a resultant NULL pointer dereference.
NOTE: the discoverer cites this CWE-476 remark but third parties dispute
the code-execution impact: "In rare circumstances, when NULL is
equivalent to the 0x0 memory address and privileged code can access it,
then writing or reading memory is possible, which may lead to code
execution."
Fabrice Fontaine [Sat, 26 Nov 2022 13:13:10 +0000 (14:13 +0100)]
package/git: security bump to version 2.31.5
Fixes:
* CVE-2022-39253:
When relying on the `--local` clone optimization, Git dereferences
symbolic links in the source repository before creating hardlinks
(or copies) of the dereferenced link in the destination repository.
This can lead to surprising behavior where arbitrary files are
present in a repository's `$GIT_DIR` when cloning from a malicious
repository.
Git will no longer dereference symbolic links via the `--local`
clone mechanism, and will instead refuse to clone repositories that
have symbolic links present in the `$GIT_DIR/objects` directory.
Additionally, the value of `protocol.file.allow` is changed to be
"user" by default.
* CVE-2022-39260:
An overly-long command string given to `git shell` can result in
overflow in `split_cmdline()`, leading to arbitrary heap writes and
remote code execution when `git shell` is exposed and the directory
`$HOME/git-shell-commands` exists.
`git shell` is taught to refuse interactive commands that are
longer than 4MiB in size. `split_cmdline()` is hardened to reject
inputs larger than 2GiB.
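The CVE-2022-39253 entry above describes Git refusing to clone, via `--local`, any repository with symbolic links under `$GIT_DIR/objects`. The following added example (not Git's or Buildroot's own code) performs that same audit on an untrusted repository before it is cloned, so the condition can be detected independently of which Git version a build host runs. The function names `find_symlinks_in_objects`, `is_safe_to_clone_locally` and `build_sample_repo` are this example's own, and the repository layout that `build_sample_repo` creates is constructed sample data, not a real repository.

```python
"""Pre-clone audit for symbolic links under a repository's objects directory.

Added example, not Git's or Buildroot's own code. It mirrors the hardening
described for CVE-2022-39253: a local clone must not encounter symlinks in
$GIT_DIR/objects, because older Git versions dereferenced them and copied
the target into the destination repository.
"""
import os
import tempfile


def find_symlinks_in_objects(repo_dir):
    """Return relative paths of every symlink beneath <repo_dir>/objects.

    Accepts either a bare repository (objects/ at the top level) or a
    working-tree checkout (objects/ under .git/). Paths are returned relative
    to the directory that contains objects/, sorted for stable output.
    """
    git_dir = repo_dir
    if not os.path.isdir(os.path.join(git_dir, "objects")):
        git_dir = os.path.join(repo_dir, ".git")
    objects_dir = os.path.join(git_dir, "objects")
    if not os.path.isdir(objects_dir):
        raise ValueError("no objects directory found under %s" % repo_dir)

    found = []
    # followlinks is left at its default (False): a symlinked directory is
    # listed in `dirs` but never descended into, so loops cannot occur and
    # the link itself is what gets reported.
    for root, dirs, files in os.walk(objects_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            # islink() also catches dangling links, which os.path.exists()
            # would miss.
            if os.path.islink(path):
                found.append(os.path.relpath(path, git_dir))
    return sorted(found)


def is_safe_to_clone_locally(repo_dir):
    """True only when the objects tree contains no symlinks at all."""
    return not find_symlinks_in_objects(repo_dir)


def build_sample_repo():
    """Create a throwaway bare-repository layout (constructed sample data,
    not a real repository): one regular loose object, one symlink pointing
    at a file outside the repository, and one symlinked directory."""
    base = tempfile.mkdtemp(prefix="objects-audit-")
    repo = os.path.join(base, "untrusted.git")
    os.makedirs(os.path.join(repo, "objects", "ab"))
    os.makedirs(os.path.join(repo, "objects", "pack"))
    with open(os.path.join(repo, "objects", "ab", "cdef0123"), "wb") as fh:
        fh.write(b"x\x01")  # placeholder bytes, not a valid zlib stream
    outside = os.path.join(base, "outside.txt")
    with open(outside, "w") as fh:
        fh.write("a file a pre-fix local clone would copy into $GIT_DIR\n")
    # Symlink to a regular file outside the repository.
    os.symlink(outside, os.path.join(repo, "objects", "pack", "escape.pack"))
    # Symlinked directory, which a copying clone would also dereference.
    os.symlink(base, os.path.join(repo, "objects", "info"))
    return repo


if __name__ == "__main__":
    sample = build_sample_repo()
    for rel in find_symlinks_in_objects(sample):
        print("symlink in objects tree:", rel)
    print("safe to clone with --local:", is_safe_to_clone_locally(sample))
```

The audit deliberately reports symlinked directories without following them: following would both miss the link itself and risk walking into an arbitrary part of the filesystem, which is exactly the behaviour the Git fix removes.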
Fabrice Fontaine [Sat, 26 Nov 2022 12:25:45 +0000 (13:25 +0100)]
package/vim: security bump to version 9.0.0951
Fix CVE-2022-3705: A vulnerability was found in vim and classified as
problematic. Affected by this issue is the function qf_update_buffer of
the file quickfix.c of the component autocmd Handler. The manipulation
leads to use after free. The attack may be launched remotely. Upgrading
to version 9.0.0805 is able to address this issue. The name of the patch
is d0fab10ed2a86698937e3c3fed2f10bd9bb5e731. It is recommended to
upgrade the affected component. The identifier of this vulnerability is
VDB-212324.
package/libmdbx: bump version to 0.11.13 "Swashplate"
This is a stable bugfix release of libmdbx, in Family Glory and
in memory of Boris Yuriev (the inventor of the helicopter and
swashplate in 1911) on his 133rd birthday.
It is reasonable to backport this patch to all applicable releases/branches of Buildroot.
Release notes for v0.11.13
--------------------------
Fixes:
- Fixed builds with older libc versions after using `fcntl64()` (backport).
- Fixed builds with older `stdatomic.h` versions,
where the `ATOMIC_*_LOCK_FREE` macros were mistakenly redefined using functions (backport).
- Added workaround for `mremap()` defect to avoid assertion failure (backport).
- Workaround for `encryptfs` bug(s) in the `copy_file_range` implementation (backport).
- Fixed unexpected `MDBX_BUSY` from `mdbx_env_set_option()`, `mdbx_env_set_syncbytes()`
and `mdbx_env_set_syncperiod()` (backport).
- CMake requirements lowered to version 3.0.2 (backport).
- Added admonition of insecure for RISC-V (backport).
Minors:
- Minor clarification output of `--help` for `mdbx_test` (backport).
- Added admonition of insecure for RISC-V (backport).
- Stochastic scripts and CMake files synchronized with the `devel` branch.
- Use `--dont-check-ram-size` for small-tests make-targets (backport).
The complete ChangeLog: https://gitflic.ru/project/erthink/libmdbx/blob?file=ChangeLog.md