- Drop second patch (already in version)
- Fix CVE-2021-43400: An issue was discovered in gatt-database.c in BlueZ
5.61. A use-after-free can occur when a client disconnects during D-Bus
processing of a WriteValue call.
http://www.bluez.org/release-of-bluez-5-62
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e48b159dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
pause() is defined in glibc since the very early times; it appears in
upstream commit 28f540f45bba (initial import) in 1995 [0].
Bluez has been defining a function named pause() for ages too, since
comit caab74c97542 (media: Implement new callbacks for pass-through
operations) in 2013 [1]
With the recent bump to glibc 2.34.xxx, the build now fails because the
two pause() clash:
profiles/audio/media.c:1284:13: error: conflicting types for 'pause'
1284 | static bool pause(void *user_data)
| ^~~~~
In file included from /tmp/instance-0/output-1/per-package/bluez5_utils/host/s390x-buildroot-linux-gnu/sysroot/usr/include/bits/sigstksz.h:24,
from /tmp/instance-0/output-1/per-package/bluez5_utils/host/s390x-buildroot-linux-gnu/sysroot/usr/include/signal.h:328,
from /tmp/instance-0/output-1/per-package/bluez5_utils/host/bin/../s390x-buildroot-linux-gnu/sysroot/usr/include/glib-2.0/glib/gbacktrace.h:36,
from /tmp/instance-0/output-1/per-package/bluez5_utils/host/bin/../s390x-buildroot-linux-gnu/sysroot/usr/include/glib-2.0/glib.h:34,
from profiles/audio/media.c:21:
/tmp/instance-0/output-1/per-package/bluez5_utils/host/s390x-buildroot-linux-gnu/sysroot/usr/include/unistd.h:489:12: note: previous declaration of 'pause' was here
489 | extern int pause (void);
| ^~~~~
The culprit is indeed glibc 2.34, as can be seen in this result matrix:
\ bluez5_utils
glibc \ 5.60 | 5.61
-------\-------+--------
2.33 | OK | OK
-------+-------+--------
2.34 | KO | KO
Even though we first bumped to glibc 2.34, then to blues5_utils 5.61,
we did not notice build issues with bluez5_utils 5.60 because the two
bumps were too close to each other for the failure to trigger in the
autobuilders.
The underlying reason that pause() is now causing issues with glibc 2.34
is not obvious: glibc is a big beast, and finding such issues is not
easy. However, we can see that the pause() provided by NPTL has been
dropped in favour of the generic one, so maybe this is causing symbol
visibility or weakness to change or something...
We fix that by renaming the local pause() in bluez5_utils with a
namespace-prefix, like some other functions there already have.
Fixes:
- http://autobuild.buildroot.org/results/c4f/c4fbface34be8815838fd7201621d7a8fddd32c5/
- http://autobuild.buildroot.org/results/62b/62b88740f19fbe4a1ad7959dc141d539eb88c1f8/
[0] https://sourceware.org/git/?p=glibc.git;a=commit;h=28f540f45bbacd939bfd07f213bcad2bf730b1bf
[1] caab74c975
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: extend commit log with the glibc culprit]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit a02927b94a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We define _DEFAULT_SOURCE in mkpasswd.c to suppress a compiler warning.
In file included from /usr/include/x86_64-linux-gnu/bits/libc-header-start.h:33,
from /usr/include/stdio.h:27,
from [...]/buildroot/output/arm64/build/host-mkpasswd/mkpasswd.c:24:
/usr/include/features.h:187:3:
187 | # warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"
| ^~~~~~~
As per GLIBC 2.20 release notes[1]:
The _BSD_SOURCE and _SVID_SOURCE feature test macros are no longer
supported; they now act the same as _DEFAULT_SOURCE (but generate a
warning). Except for cases where _BSD_SOURCE enabled BSD interfaces
that conflicted with POSIX (support for which was removed in 2.19),
the interfaces those macros enabled remain available when compiling
with _GNU_SOURCE defined, with _DEFAULT_SOURCE defined, or without
any feature test macros defined.
[1] https://lwn.net/Articles/611162/
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 9616ade222)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream maintainer, now also maintainer in Buildroot.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit afdd3b2afc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
cpe:2.3🅰️kernel:util-linux is a valid CPE identifier for this package:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Akernel%3Autil-linux
Inherit the values from util-linux; they really are, and have to be,
the same.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr: inherit values from util-linux]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit bfe518b068)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 0cfa165948 (package/pkg-utils.mk: introduce "name" field in
show-info output) did what it said, but did so in the generic show-info
part, thus it was also added to filesystems (rootfs), the other kind of
entity that show-info reports on.
Only packages have a "name"; filesystems do not. Instead, they already
have an 'image_name'.
Move the 'name' field to the package-related part of show-info.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 471ecea5ee)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The unmatched escaped single-quote lies in the middle of a few
function calls, so they too must be fake-closed to properly fix
colour highlighting in some editors.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit cba51c7f5a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some packages install nothing in target nor staging, but install images
(like the kernel vmlinux, or a bootloader boot blob...)
If we want to appropriately account for the files installed by each
package, we also need to take images/ into account.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Herve Codina <herve.codina@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 5d00fecb7d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When calling 'printvars', the 'suitable-host-package' macro is printed
(a macro is just a variable like the others, after all, just with some
parameters). Because it is printed as a variable, it is missing its
parameters, but it still tries to evaluate the $(shell) construct.
This causes spurious warning:
make[1]: support/dependencies/check-host-.sh: Command not found
Only try and call the script if there is actually a tool to check for.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 77304e5143)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When calling 'printvars' on a just-configured tree, the output contains
many spurious warnings about pkg-config being not found:
make[1]: [...]/host/bin/pkg-config: Command not found
This is partly because a few packages call pkg-config at the time the
Makefile is parsed (really, right when make evaluates the recipe before
executing it).
It is customary, instead, to defer the call to pkg-config to the actual
shell running the recipe's commands, like all our other packages do.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 22fb4c469b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, the build_dir field is reported relative to $(BASE_DIR), to
avoid leaking local paths.
However, BASE_DIR is not a directory that is very convenient: for
in-tree builds, it is $(CONFIG_DIR)/output/, while for out-of-tree
builds, it is $(CONFIG_DIR). This difference is purely an idiosyncracy
of how out-of-tree builds have been implemented in Buildroot, and is
not under the control of the user.
What the user is in control of, however, is where the .config file is
located. This, really, is the directory we should base relative paths
on.
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 76c4df324d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-4020: janus-gateway is vulnerable to Improper
Neutralization of Input During Web Page Generation ('Cross-site
Scripting')
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 99d2826e03)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As already done for libglib2 in commit
b094f88a4d, fix girdir to avoid the
following build failure with gst1-plugins-base and introspection:
/home/giuliobenetti/autobuild/run/instance-3/output-1/host/riscv32-buildroot-linux-gnu/sysroot/usr/bin/g-ir-compiler gst-libs/gst/tag/GstTag-1.0.gir --output gst-libs/gst/tag/GstTag-1.0.typelib --includedir=/usr/share/gir-1.0
Could not find GIR file 'Gst-1.0.gir'; check XDG_DATA_DIRS or use --includedir
Fixes:
- http://autobuild.buildroot.org/results/d1e2bdde97777ff61c185d375ba412a93e7ca467
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ff420a3195)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2021-30535: Double free in ICU in Google Chrome prior to
91.0.4472.77 allowed a remote attacker to potentially exploit heap
corruption via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2021-30535
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f4483f1aab)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
5.14.x is EOL, so no more updates for that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 64cb922db7)
[Peter: drop 5.15.x bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issue:
- CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
DER-encoded signatures
For more details, see the advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop third patch as it is not needed when using compile_et from heimdal
instead of compile_et from e2fprogs as spotted by upstream in:
https://bugzilla.samba.org/show_bug.cgi?id=13856#c20
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5847208213)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
compile_et is not installed anymore by heimdal since version 7.0.1 and
e40ef47b57
So remove the broken symlink and install it manually as it is needed for
samba4 because compile_et provided by e2fsprogs raises a build failure
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 30107f026e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Don't install compile_et as it raises the following build failure with
samba4 since, at least, bump to version 4.14.7 in commit
630e85f8f5:
source4/heimdal/lib/asn1/asn1_err.c:47:23: error: 'link' redeclared as different kind of symbol
47 | static struct et_list link = { 0, 0 };
| ^~~~
In file included from /home/giuliobenetti/autobuild/run/instance-1/output-1/host/s390x-buildroot-linux-gnu/sysroot/usr/include/bits/sigstksz.h:24,
from /home/giuliobenetti/autobuild/run/instance-1/output-1/host/s390x-buildroot-linux-gnu/sysroot/usr/include/signal.h:328,
from /home/giuliobenetti/autobuild/run/instance-1/output-1/host/s390x-buildroot-linux-gnu/sysroot/usr/include/sys/param.h:28,
from ../../lib/replace/../replace/replace.h:659,
from ../../source4/heimdal_build/config.h:10,
from source4/heimdal/lib/asn1/asn1_err.c:1:
/home/giuliobenetti/autobuild/run/instance-1/output-1/host/s390x-buildroot-linux-gnu/sysroot/usr/include/unistd.h:819:12: note: previous declaration of 'link' was here
819 | extern int link (const char *__from, const char *__to)
| ^~~~
Fixes:
- http://autobuild.buildroot.org/results/d6de6ed59c553f6f413d280f3c65184945bb3850
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dd89074e83)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following build failure raised since bump to version 3.4.10 in
commit 0ce776942d:
/usr/bin/ld: cannot find /usr/lib64/libatomic.so.1.0.0
collect2: error: ld returned 1 exit status
make[3]: *** [run/lemon] Error 1
Fixes:
- http://autobuild.buildroot.org/results/02ea7d76a683b039fb37e005578644108bd1e3b7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 76e66240da)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes build on an ARM64 host (and I assume also
other non-x86).
Signed-off-by: Urja Rannikko <urjaman@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e938419bd9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update fourth patch to add girdir in gio-2.0.pc. This will fix the
following build failure with libnice raised since commit
aade2fd293:
/home/giuliobenetti/autobuild/run/instance-3/output-1/host/riscv32-buildroot-linux-gnu/sysroot/usr/bin/g-ir-compiler nice/Nice-0.1.gir --output nice/Nice-0.1.typelib --includedir=/usr/share/gir-1.0
Could not find GIR file 'GObject-2.0.gir'; check XDG_DATA_DIRS or use --includedir
Fixes:
- http://autobuild.buildroot.org/results/3088ef32b03e0bb984291b1227b187f1ff816eb7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2c916b400b)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-3973: vim is vulnerable to Heap-based Buffer Overflow
- Fix CVE-2021-3974: vim is vulnerable to Use After Free
- Fix CVE-2021-3968: vim is vulnerable to Heap-based Buffer Overflow
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5377ff1933)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
