ICU build scripting adds some host libraries to LD_LIBRARY_PATH by
using constructs of the following form:
    LD_LIBRARY_PATH="custom-path:${LD_LIBRARY_PATH}"
If the original LD_LIBRARY_PATH is empty, this causes the last search
directory to be an empty string, i.e. the working directory.
ICU build runs some basic host commands (e.g. "rm") in $(TARGET_DIR)/lib
under such an LD_LIBRARY_PATH, causing target libraries (e.g. libc) to
possibly get loaded instead of host system libraries if they are
compatible enough (e.g. arch matches).
Since the target libraries may not actually be ABI compatible with host
system binaries (e.g. target has an old libc), this can cause crashes
or other errors.
Observed errors include:
    (1) rm: libc.so.6: version `GLIBC_2.33' not found (required by rm)
    (2) sh: line 1: 1362670 Segmentation fault (core dumped) rm -f libicudata.so.65
Work around the issue by setting a dummy LD_LIBRARY_PATH when it would
otherwise be empty.
https://unicode-org.atlassian.net/browse/ICU-21417
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ac1c781149)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
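
The empty-entry behaviour described in the ICU commit above, as an added example (not part of the commit or of Buildroot's code). The directory names and the dummy value are constructed; `prepend_omit_separator` is an alternative to the commit's dummy-path workaround, shown for comparison.

```python
"""How a colon-separated library search path gains an implicit cwd entry."""


def prepend_naive(custom, current):
    # The construct quoted in the commit message:
    #   LD_LIBRARY_PATH="custom-path:${LD_LIBRARY_PATH}"
    return f"{custom}:{current}"


def prepend_with_dummy(custom, current, dummy="/nonexistent-dummy"):
    # The workaround the commit describes: never leave the tail empty.
    # The dummy directory name is hypothetical.
    return f"{custom}:{current or dummy}"


def prepend_omit_separator(custom, current):
    # Alternative (assumption, not the commit's fix); in shell this is
    #   LD_LIBRARY_PATH="custom-path${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
    return f"{custom}:{current}" if current else custom


def effective_dirs(value, cwd):
    """Directories the search path expands to; an empty entry means cwd."""
    if not value:
        return []  # an unset or empty variable adds no directories at all
    return [entry or cwd for entry in value.split(":")]


def resolves_to_cwd(value):
    """True if any entry is empty, i.e. the working directory is searched."""
    return bool(value) and "" in value.split(":")


if __name__ == "__main__":
    cwd = "/out/target/lib"  # constructed: where the build runs "rm"
    for build in (prepend_naive, prepend_with_dummy, prepend_omit_separator):
        for inherited in ("", "/opt/host/lib"):
            value = build("/out/host/lib", inherited)
            flag = "SEARCHES CWD" if resolves_to_cwd(value) else "ok"
            print(f"{build.__name__:24} inherited={inherited!r:16} "
                  f"-> {effective_dirs(value, cwd)} [{flag}]")
```
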
Fix the following build failure raised with help2man since bump to
version 1.30.0 in commit 50c5495f81:
FAILED: docs/man/qmicli.1
/usr/bin/help2man --output=docs/man/qmicli.1 '--name=Control QMI devices' '--help-option="--help-all"' /home/peko/autobuild/instance-1/output-1/build/libqmi-1.30.2/build/src/qmicli/qmicli
help2man: can't get `"--help-all"' info from /home/peko/autobuild/instance-1/output-1/build/libqmi-1.30.2/build/src/qmicli/qmicli
Try `--no-discard-stderr' if option outputs to stderr
Fixes:
- http://autobuild.buildroot.org/results/15818b6de7378cd75c59b1d6dc732ed9a20c092a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7f38ce2103)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:
* CVE-2021-4008/ZDI-CAN-14192 SProcRenderCompositeGlyphs out-of-bounds
  access
  The handler for the CompositeGlyphs request of the Render extension does
  not properly validate the request length leading to out of bounds memory
  write.
* CVE-2021-4009/ZDI-CAN 14950 SProcXFixesCreatePointerBarrier out-of-bounds
  access
  The handler for the CreatePointerBarrier request of the XFixes extension
  does not properly validate the request length leading to out of bounds
  memory write.
* CVE-2021-4010/ZDI-CAN-14951 SProcScreenSaverSuspend out-of-bounds access
  The handler for the Suspend request of the Screen Saver extension does not
  properly validate the request length leading to out of bounds memory
  write.
* CVE-2021-4011/ZDI-CAN-14952 SwapCreateRegister out-of-bounds access
  The handlers for the RecordCreateContext and RecordRegisterClients
  requests of the Record extension do not properly validate the request
  length leading to out of bounds memory write.
For details, see the advisory:
https://lists.x.org/archives/xorg-announce/2021-December/003122.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-4048: An out-of-bounds read flaw was found in the CLARRV,
DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0,
as also used in OpenBLAS before version 0.3.18. Specially crafted
inputs passed to these functions could cause an application using
lapack to crash or possibly disclose portions of its memory.
- Update license hash, year changed:
f67034373e
- Update indentation in hash file (two spaces)
http://netlib.org/lapack/lapack-3.10.0.html
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 59a1fcc696)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
/usr/bin/ld: scripts/dtc/dtc-parser.tab.o:(.bss+0x10): multiple definition...
scripts/dtc/dtc-lexer.lex.o:(.bss+0x0): first defined here
Tested on beaglebone black and beaglebone white (A6)
Signed-off-by: Lothar Felten <lothar.felten@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7b55cb018d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Minor bugfix release:
Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
*) Avoid loading of a dynamic engine twice.
[Bernd Edlinger]
*) Fixed building on Debian with kfreebsd kernels
[Mattias Ellert]
*) Prioritise DANE TLSA issuer certs over peer certs
[Viktor Dukhovni]
*) Fixed random API for MacOS prior to 10.12
These MacOS versions don't support the CommonCrypto APIs
[Lenny Primak]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 2b906b975a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- cgi_error_no_template(): Encode the template name to prevent
XSS (cross-site scripting) when Privoxy is configured to serve
the user-manual itself.
Commit 0e668e9409c. OVE-20211102-0001. CVE-2021-44543.
Reported by: Artem Ivanov
- get_url_spec_param(): Free memory of compiled pattern spec
before bailing.
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit 652b4b7cb0. OVE-20211201-0003. CVE-2021-44540.
- process_encrypted_request_headers(): Free header memory when
failing to get the request destination.
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit 0509c58045. OVE-20211201-0002. CVE-2021-44541.
- send_http_request(): Prevent memory leaks when handling errors
Reported by Joshua Rogers (Opera) who also provided the fix.
Commit c48d1d6d08. OVE-20211201-0001. CVE-2021-44542.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 44a97dcb93)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-44420: Potential bypass of an upstream access control based on
URL paths
HTTP requests for URLs with trailing newlines could bypass an upstream
access control based on URL paths.
This issue has low severity, according to the Django security policy.
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
In addition, 3.2.8 / 3.2.9 fixes a number of bugs.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 086d357dfb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop 0030-Fix-cross-compiling-the-uuid-module.patch as the patched code has
been reworked upstream and python3 is built with --disable-uuid:
91a51c5ffc
Rework 0033-configure.ac-fixup-CC-print-multiarch-output-for-mus.patch as
the MULTIARCH code is now conditional on !darwin:
9901d153c2
Refresh and renumber remaining patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ce81a6e6d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
connman might depend on iptables or nftables, and those dependencies
are already selected later in this file as required.
Config.in already only selects iptables if BR2_PACKAGE_CONNMAN_IPTABLES.
Signed-off-by: Nuno Goncalves <nunojpg@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit edc46a56f6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
TARGET_LDFLAGS is overridden since the addition of the package in commit
8d66bc940d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 6deb6bdc7c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This release fixes two bugs introduced in release 3.10.0 and fixes the
conversion of std::filesystem::path. All changes are backward-compatible.
https://github.com/nlohmann/json/releases/tag/v3.10.4
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 87577a92aa)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop spurious "depends on WCHAR" added with commit
ccfc90e101 and add missing wchar comment
While at it, drop BR2_USE_MMU from comment as it is already added by
BR2_PACKAGE_LIBVIRT_ARCH_SUPPORTS and fix indentation before
(BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_11 || !BR2_aarch64))
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 250e965803)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Replace libvirtd by driver_libvirtd to avoid the following build failure
raised since the addition of the package in commit
ccfc90e101:
../output-1/build/libvirt-7.7.0/meson.build:1:0: ERROR: Unknown options: "libvirtd"
Fixes:
- http://autobuild.buildroot.org/results/3a20db6cb39c0d91213adbe82934274659df43e7
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 86f91e14b5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Beaglebone Black Wireless needs a specific DT, which u-boot tries to
load based on the board name. Make sure we ship the DT so that we can
boot on that platform.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 1984222c84)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
to monitor issues and changes.
Signed-off-by: Andreas Ziegler <br015@umbiko.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit f9ae224604)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Mutt 2.1.4 was released on December 11, 2021. This is a bug-fix release,
fixing a performance issue when used with DavMail.
Mutt 2.1.3 was released on September 10, 2021. This is a bug-fix
release, fixing some of the fixes in the last release. IMAP and
QRESYNC users are advised to upgrade.
Mutt 2.1.2 was released on August 24, 2021. This is an important bug-fix
release, fixing a potential data-loss IMAP bug, a couple QRESYNC bugs,
and a few other issues. IMAP users are strongly advised to upgrade.
http://www.mutt.org
https://gitlab.com/muttmua/mutt/-/blob/mutt-2-1-4-rel/ChangeLog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7686a1382f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
<roman.gorbenkov@ens2m.org>: host mxd.relay.renater.fr[194.214.200.9] said: 550
5.5.0 Requested actions not taken as the mailbox is unavailable (in reply
to RCPT TO command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 656f4a3718)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
and the go/types, net/http, and time packages.
go1.17.5 (released 2021-12-09) includes security fixes to the syscall and
net/http packages:
- CVE-2021-44716
- CVE-2021-44717
https://go.dev/doc/devel/release#go1.17
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit eb92bb01b3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
First patch is not needed since bump to version 0.99.1 in commit
2c8e5dd69f and
6890053176
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 3d565a831d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The copy command for /usr/share/alsa is missing an asterisk, which causes it
to copy to /usr/share/alsa/alsa instead of /usr/share/alsa where it should be.
Signed-off-by: Khoa Hoang <admin@khoahoang.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 6c71b52235)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The eighth patch release for containerd 1.5 contains a mitigation for
CVE-2021-41190 as well as several fixes and updates.
https://github.com/containerd/containerd/releases/tag/v1.5.8
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Christian Stewart <christian@paral.in>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit fc24c5c30a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In Keepalived through 2.2.4, the D-Bus policy does not sufficiently
restrict the message destination, allowing any user to inspect and
manipulate any property. This leads to access-control bypass in some
situations in which an unrelated D-Bus system service has a settable
(writable) property.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit e4464fabb6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Some of the third party code is BSD-licensed. In addition, the roots.pem
certificate store is MPL-licensed.
This was probably already the case in earlier versions as well, but it
was only noticed while updating to 1.42.0 because the LICENSE file was
adapted for it.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 50c4fd9363)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It is possible that some users of buildroot have put it in a repository
and call into it from another Makefile such as:
    .DEFAULT:
            $(MAKE) O=$(abspath $(O)) -C buildroot $(@)
This technique works well except that Make tells us that it changes into
the buildroot directory:
    make[1]: Entering directory 'buildroot'
Because this line doesn't have an equals within it, python raises a
ValueError exception within pkg-stats.
This patch has python tell the invoked make not to print directories
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c988867fd2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, by following the instructions in the manual and querying for
developers for a patch that changes path
    package/foobar
the script reports both developers that have these entries in the
DEVELOPERS file:
    F: package/foo/
    F: package/foobar/
Starting from commit "afc112b0e4 utils/getdeveloperlib.py: fix issue
with hasfile()" get-developers script uses os.path.abspath() and
os.path.relpath().
The catch is that those functions return the absolute path and the
relative path without the trailing slash.
When the paths associated to a developer are then compared to the paths
a patch touches, using the string.startswith(), any substring returns
True, leading to developers for package/foo/ being wrongly reported
for package/foobar/ .
Fix this by re-adding the trailing slash after using relpath().
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Cc: James Knight <james.d.knight@live.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 29bb478a49)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
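
The prefix-match pitfall from the get-developers commit above, as an added example (not the code of utils/getdeveloperlib.py). The developer names, the `/br` checkout path and all function names are constructed; `is_within` goes beyond the commit and shows component-wise containment as a general alternative to string prefixes.

```python
"""Why startswith() on slash-stripped paths matches sibling directories."""
import posixpath

BASE = "/br"  # constructed checkout location

# Constructed DEVELOPERS data using the two entries from the commit message.
DEVELOPERS = {
    "Alice <alice@example.org>": ["package/foo/"],
    "Bob <bob@example.org>": ["package/foobar/", "utils/get-developers"],
}


def normalize_stripped(entry):
    # abspath() followed by relpath() drops the trailing slash of "package/foo/".
    return posixpath.relpath(posixpath.abspath(posixpath.join(BASE, entry)), BASE)


def normalize_keep_slash(entry):
    # The fix described in the commit: re-add the slash after relpath().
    # Detecting a directory by the entry's own trailing slash is an assumption
    # made here so the example needs no filesystem.
    rel = normalize_stripped(entry)
    return rel + "/" if entry.endswith("/") else rel


def developers_for(changed, normalize):
    """Developers whose entries are a string prefix of the changed path."""
    return sorted(
        name
        for name, entries in DEVELOPERS.items()
        if any(changed.startswith(normalize(e)) for e in entries)
    )


def is_within(changed, entry):
    """Component-wise containment: no dependence on trailing slashes."""
    root = posixpath.normpath(entry)
    return posixpath.commonpath([posixpath.normpath(changed), root]) == root


if __name__ == "__main__":
    changed = "package/foobar/foobar.mk"
    print("stripped  :", developers_for(changed, normalize_stripped))
    print("keep slash:", developers_for(changed, normalize_keep_slash))
    print("commonpath:", is_within(changed, "package/foo/"),
          is_within(changed, "package/foobar/"))
```
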
Fix CVE-2021-4069: vim is vulnerable to Use After Free
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 7600ca7960)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix CVE-2021-43784: runc is a CLI tool for spawning and running
containers on Linux according to the OCI specification. In runc, netlink
is used internally as a serialization system for specifying the relevant
container configuration to the `C` portion of the code (responsible for
the based namespace setup of containers). In all versions of runc prior
to 1.0.3, the encoder did not handle the possibility of an integer
overflow in the 16-bit length field for the byte array attribute type,
meaning that a large enough malicious byte array attribute could result
in the length overflowing and the attribute contents being parsed as
netlink messages for container configuration. This vulnerability
requires the attacker to have some control over the configuration of the
container and would allow the attacker to bypass the namespace
restrictions of the container by simply adding their own netlink payload
which disables all namespaces. The main users impacted are those who
allow untrusted images with untrusted configurations to run on their
machines (such as with shared cloud infrastructure). runc version 1.0.3
contains a fix for this bug. As a workaround, one may try disallowing
untrusted namespace paths from your container. It should be noted that
untrusted namespace paths would allow the attacker to disable namespace
protections entirely even in the absence of this bug.
https://github.com/opencontainers/runc/releases/tag/v1.0.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 0acaad1be2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
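
The 16-bit length overflow described in the runc commit above, reduced to a generic length/type/value encoder, as an added example (not runc's code and not its actual patch). The attribute type numbers, the little-endian layout and the function names are assumptions; rejecting oversized payloads in `encode_attr_checked` is one way to close the gap.

```python
"""A 16-bit length field that wraps makes one attribute parse as several."""
import struct

NLA_HDRLEN = 4                       # u16 length + u16 type
MAX_PAYLOAD = 0xFFFF - NLA_HDRLEN    # largest payload the length field can describe


def align4(n):
    return (n + 3) & ~3


def encode_attr_unchecked(attr_type, payload):
    # Behaviour the advisory describes: the length is truncated to 16 bits.
    length = (NLA_HDRLEN + len(payload)) & 0xFFFF
    pad = align4(len(payload)) - len(payload)
    return struct.pack("<HH", length, attr_type) + payload + b"\x00" * pad


def encode_attr_checked(attr_type, payload):
    # Refuse anything the 16-bit length field cannot represent.
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {MAX_PAYLOAD}")
    return encode_attr_unchecked(attr_type, payload)


def parse_attrs(buf):
    """Receiver side: walk the buffer trusting each attribute's length field."""
    attrs, off = [], 0
    while off + NLA_HDRLEN <= len(buf):
        length, attr_type = struct.unpack_from("<HH", buf, off)
        if length < NLA_HDRLEN or off + length > len(buf):
            raise ValueError(f"malformed attribute at offset {off}")
        attrs.append((attr_type, buf[off + NLA_HDRLEN:off + length]))
        off += align4(length)
    return attrs


def oversized_payload():
    # Constructed 65536-byte value that is itself laid out as two attributes.
    inner = encode_attr_checked(0x7001, b"A" * 65528)
    tail = encode_attr_checked(0x7002, b"")
    return inner + tail


if __name__ == "__main__":
    blob = oversized_payload()
    seen = parse_attrs(encode_attr_unchecked(0x0010, blob))
    print("unchecked encoder, receiver sees types:", [hex(t) for t, _ in seen])
    try:
        encode_attr_checked(0x0010, blob)
    except ValueError as exc:
        print("checked encoder:", exc)
```
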
Currently this .mk snippet results in unexpected behavior from
check-package:
|VAR_1 = VALUE1
|ifeq (condition)
|VAR_1 := $(VAR_1), VALUE2
|endif
Fix commit "163f160a8e utils/{check-package, checkpackagelib}:
consistently use raw strings for re.compile" that ended up doing this:
- CONCATENATING = re.compile("^([A-Z0-9_]+)\s*(\+|:|)=\s*\$\(\\1\)")
+ CONCATENATING = re.compile(r"^([A-Z0-9_]+)\s*(\+|:|)=\s*\$\(\\1\)")
But raw strings do not expect escaping when referencing \1 and the
pattern ends up searching for a raw '\\1' instead of an occurrence of
the first pattern inside parentheses.
|$ python3
|Python 3.8.10 (default, Sep 28 2021, 16:10:42)
|[GCC 9.3.0] on linux
|Type "help", "copyright", "credits" or "license" for more information.
|>>> import re
|>>> p1 = re.compile('(foo)bar\\1')
|>>> p2 = re.compile(r'(foo)bar\\1')
|>>> p3 = re.compile(r'(foo)bar\1')
|>>> s1 = 'foobarfoo'
|>>> s2 = 'foobar\\1'
|>>> print(p1.search(s1))
|<re.Match object; span=(0, 9), match='foobarfoo'>
|>>> print(p2.search(s1))
|None
|>>> print(p3.search(s1))
|<re.Match object; span=(0, 9), match='foobarfoo'>
|>>> print(p1.search(s2))
|None
|>>> print(p2.search(s2))
|<re.Match object; span=(0, 8), match='foobar\\1'>
|>>> print(p3.search(s2))
|None
|>>>
So use '\1' instead of '\\1' in the raw string.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 5bbedea9c2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As stated on www.pcre.org:
You can download the current release of the PCRE2 library from its
official home on GitHub
[...]
Note that the former ftp.pcre.org FTP site is no longer available.
Update _SITE URL to the official home on GitHub.
Signed-off-by: Dario Binacchi <dariobin@libero.it>
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
[yann.morin.1998@free.fr: use Github, not SourceForge]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit cc570eff96)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The following are runtime dependencies for host-python-requests:
host-python-certifi
host-python-charset-normalizer
host-python-idna
host-python-urllib3
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit b48d10f40a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A host variant of the python-urllib3 package will be needed for the
host-python-requests package.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit dccfefafd4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A host variant of the python-idna package will be needed for the
host-python-requests package.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7c4a52e087)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A host variant of the python-charset-normalizer package will be needed
for the host-python-requests package.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 07fc2fb1a5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The message attribute does not exist in python3, see PEP-0352:
https://www.python.org/dev/peps/pep-0352/
Fixes:
Traceback (most recent call last):
File "utils/scanpypi", line 743, in <module>
main()
File "utils/scanpypi", line 693, in main
if 'buildutils' in err.message:
AttributeError: 'ImportError' object has no attribute 'message'
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c3029878c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- Fix CVE-2021-4048: An out-of-bounds read flaw was found in the CLARRV,
DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0,
as also used in OpenBLAS before version 0.3.18. Specially crafted
inputs passed to these functions could cause an application using
lapack to crash or possibly disclose portions of its memory.
- Drop first and second patches (already in version)
https://github.com/xianyi/OpenBLAS/blob/v0.3.18/Changelog.txt
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>