When two Buildroot builds run in parallel, and they both happen to call
npm at roughly the same time, the two npm instances may conflict when
accessing the npm cache, which is by default ~/.npm
Although npm is supposed to lock access to the cache, it seems it does
sometimes fail to do so properly, bailling out in error, when it would
never ever crash at all when not running in parallel. We suspect that
the sequence leading to such failures are something like:
npm-1 npm-2
lock(retry=few, sleep=short) .
does-stuff() .
. lock(retry=few, sleep=short)
. # can't lock local cache
. download-module()
. # can't download
. exit(1)
unlock()
As per the docs [0], few = 10, short = 10. So if the first npm (npm-1)
takes more than 100s (which can happen behind slow links and/or big
modules that contain native code that is compiled), then the second npm
(npm-2) will bail out (the download would fail if there is no network
access, for example, and only local modules are used).
Point npm to use a per-build cache directory, so they no longer compete
across builds.
That would still need some care when we do top-level parallel builds,
though.
Note also that the conflicts are not totally eliminated: two or more npm
instances may still compete for some other resource that has not yet
been identified.
But, at least, the conflict window has been drastically shortened now,
to the point where it now seldom occurs.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4a16182d5f9f78e7d817f68a6d28449ce9c32e59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When two Buildroot builds run in parallel, and they both happen to call
npm at roughly the same time, the two npm instances may conflict when
accessing the npm cache, which is by default ~/.npm
Although npm is supposed to lock access to the cache, it seems it does
sometimes fail to do so properly, bailling out in error, when it would
never ever crash at all when not running in parallel. We suspect that
the sequence leading to such failures are something like:
npm-1 npm-2
lock(retry=few, sleep=short) .
does-stuff() .
. lock(retry=few, sleep=short)
. # can't lock local cache
. download-module()
. # can't download
. exit(1)
unlock()
As per the docs [0], few = 10, short = 10. So if the first npm (npm-1)
takes more than 100s (which can happen behind slow links and/or big
modules that contain native code that is compiled), then the second npm
(npm-2) will bail out (the download would fail if there is no network
access, for example, and only local modules are used).
Point npm to use a per-build cache directory, so they no longer compete
across builds.
That would still need some care when we do top-level parallel builds,
though.
Note also that the conflicts are not totally eliminated: two or more npm
instances may still compete for some other resource that has not yet
been identified.
But, at least, the conflict window has been drastically shortened now,
to the point where it now seldom occurs.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4a16182d5f9f78e7d817f68a6d28449ce9c32e59)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While Erlang includes a version of zlib, it's intended for Windows and
there's an expectation that non-Windows platforms provide it. It's also
not as regularly updated as the one in Buildroot. This change makes
Erlang always use a Buildroot-provided zlib.
Fixes this compile error:
CC /home/buildroot/autobuild/run/instance-0/output/build/erlang-21.0/erts/emulator/zlib/obj/x86_64-buildroot-linux-musl/opt/adler32.o
In file included from zlib/adler32.c:11:0:
zlib/zutil.h:172:39: error: "_LFS64_LARGEFILE" is not defined [-Werror=undef]
(!defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0)
^~~~~~~~~~~~~~~~
See http://autobuild.buildroot.net/results/fc633f80c7c36a90e641487f5a888fbb767c2a54/.
Signed-off-by: Frank Hunleth <fhunleth@troodon-software.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ec5378038f80f444ce7f5106283c7cccb8faae16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
While Erlang includes a version of zlib, it's intended for Windows and
there's an expectation that non-Windows platforms provide it. It's also
not as regularly updated as the one in Buildroot. This change makes
Erlang always use a Buildroot-provided zlib.
Fixes this compile error:
CC /home/buildroot/autobuild/run/instance-0/output/build/erlang-21.0/erts/emulator/zlib/obj/x86_64-buildroot-linux-musl/opt/adler32.o
In file included from zlib/adler32.c:11:0:
zlib/zutil.h:172:39: error: "_LFS64_LARGEFILE" is not defined [-Werror=undef]
(!defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0)
^~~~~~~~~~~~~~~~
See http://autobuild.buildroot.net/results/fc633f80c7c36a90e641487f5a888fbb767c2a54/.
Signed-off-by: Frank Hunleth <fhunleth@troodon-software.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ec5378038f80f444ce7f5106283c7cccb8faae16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For some reason, ustr installs its own source code, which means we end
up with 448 KB of source code in /usr/share in the target filesystem:
$ tree output/target/usr/share/
output/target/usr/share/
└── ustr-1.0.4
├── malloc-check.h
├── ustr-b-code.h
├── ustr-b-dbg-code.c
├── ustr-b-opt-code.c
├── ustr-cmp-code.h
├── ustr-cmp-dbg-code.c
├── ustr-cmp-internal.h
├── ustr-cmp-opt-code.c
├── ustr-cntl-code.h
├── ustr-fmt-code.h
├── ustr-fmt-dbg-code.c
├── ustr-fmt-internal.h
[...]
$ du -sh output/target/usr/share/ustr-1.0.4/
448K output/target/usr/share/ustr-1.0.4/
So let's drop this source code in a post-install target hook.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c27484b2efe0b1df57549f48f39e4d08e26c8200)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For some reason, ustr installs its own source code, which means we end
up with 448 KB of source code in /usr/share in the target filesystem:
$ tree output/target/usr/share/
output/target/usr/share/
└── ustr-1.0.4
├── malloc-check.h
├── ustr-b-code.h
├── ustr-b-dbg-code.c
├── ustr-b-opt-code.c
├── ustr-cmp-code.h
├── ustr-cmp-dbg-code.c
├── ustr-cmp-internal.h
├── ustr-cmp-opt-code.c
├── ustr-cntl-code.h
├── ustr-fmt-code.h
├── ustr-fmt-dbg-code.c
├── ustr-fmt-internal.h
[...]
$ du -sh output/target/usr/share/ustr-1.0.4/
448K output/target/usr/share/ustr-1.0.4/
So let's drop this source code in a post-install target hook.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c27484b2efe0b1df57549f48f39e4d08e26c8200)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-10933: authentication bypass vulnerability in the server
code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in
place of the SSH2_MSG_USERAUTH_REQUEST message which the server would
expect to initiate authentication, the attacker could successfully
authenticate without any credentials.
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Drop an upstream patch.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de24e47d90f64f546978b6ec12f769dc4fd89587)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop GNU glob detection patch; issue fixed upstream.
Add upstream patch that completes the build fix when GNU glob is not
present.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 540e37bf7457fe41ffb6270ad23bea2fc8a706a4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-10933: authentication bypass vulnerability in the server
code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in
place of the SSH2_MSG_USERAUTH_REQUEST message which the server would
expect to initiate authentication, the attacker could successfully
authenticate without any credentials.
https://www.libssh.org/security/advisories/CVE-2018-10933.txt
Drop an upstream patch.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit de24e47d90f64f546978b6ec12f769dc4fd89587)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop GNU glob detection patch; issue fixed upstream.
Add upstream patch that completes the build fix when GNU glob is not
present.
Cc: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 540e37bf7457fe41ffb6270ad23bea2fc8a706a4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pass TARGET_LDFLAGS to EXTRA_LDFLAGS to fix following issue:
/home/buildroot/autobuild/run/instance-3/output/build/host-gcc-final-7.3.0/build/arm-buildroot-linux-musleabihf/libgcc/../../../libgcc/config/arm/lib1funcs.S:1545: undefined reference to `raise'
Also pass TARGET_CFLAGS to EXTRA_CFLAGS and TARGET_CXXFLAGS to
EXTRA_CXXFLAGS and move all these variables to
OPEN_PLC_UTILS_MAKE_OPTS for readability
Fixes:
- http://autobuild.buildroot.org/results/67bc5e7ac8ae1c49c035b022a394d2f746705cf2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d8738d3b97a1ec1b356143269b293d55c91de860)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Pass TARGET_LDFLAGS to EXTRA_LDFLAGS to fix following issue:
/home/buildroot/autobuild/run/instance-3/output/build/host-gcc-final-7.3.0/build/arm-buildroot-linux-musleabihf/libgcc/../../../libgcc/config/arm/lib1funcs.S:1545: undefined reference to `raise'
Also pass TARGET_CFLAGS to EXTRA_CFLAGS and TARGET_CXXFLAGS to
EXTRA_CXXFLAGS and move all these variables to
OPEN_PLC_UTILS_MAKE_OPTS for readability
Fixes:
- http://autobuild.buildroot.org/results/67bc5e7ac8ae1c49c035b022a394d2f746705cf2
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d8738d3b97a1ec1b356143269b293d55c91de860)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit a31a66802a7a1af76a629b0ba7120424ed547646 ("freetype:
security bump to version 2.5.3"), the freetype package was changed to
call ./autogen.sh to regenerate the autotools stuff, because the
ltmain.sh provided by upstream freetype was not compatible with
Buildroot libtool-patching logic.
Since then, freetype has been bumped several times, and the current
version packaged in Buildroot has an ltmain.sh that is compatible with
our libtool-patching logic.
Therefore, this commit drops the no longer needed autogen stuff.
This autogen stuff was badly breaking per-package host/target
directory, because the autogen happened at the post-patch hook step,
at which point the host-automake/host-autoconf/host-libtool
dependencies have not yet been copied into this package host
directory.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 88c6329521a634a6550f50900f4334b1d2e3473a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit a31a66802a7a1af76a629b0ba7120424ed547646 ("freetype:
security bump to version 2.5.3"), the freetype package was changed to
call ./autogen.sh to regenerate the autotools stuff, because the
ltmain.sh provided by upstream freetype was not compatible with
Buildroot libtool-patching logic.
Since then, freetype has been bumped several times, and the current
version packaged in Buildroot has an ltmain.sh that is compatible with
our libtool-patching logic.
Therefore, this commit drops the no longer needed autogen stuff.
This autogen stuff was badly breaking per-package host/target
directory, because the autogen happened at the post-patch hook step,
at which point the host-automake/host-autoconf/host-libtool
dependencies have not yet been copied into this package host
directory.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 88c6329521a634a6550f50900f4334b1d2e3473a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use system liblinear instead of using included liblinear.
liblinear in buildroot is at version 2.20 released on December 2017
whereas liblinear in nmap has not been updated since 7 years (except for
liblinear.vcxproj which has been updated 2 years ago)
Do not use --with-liblinear option as otherwise nmap will forget to add
-llinear to LIBS due to the following line in configure.ac:
if test $have_liblinear != yes; then
AC_CHECK_HEADERS([linear.h],
AC_CHECK_LIB(linear, predict, [have_liblinear=yes; LIBLINEAR_LIBS="-llinear"; break],, [-lm])
)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c0d9ba562c5522096d4ed70827c599c9a0e9aa7c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use system liblinear instead of using included liblinear.
liblinear in buildroot is at version 2.20 released on December 2017
whereas liblinear in nmap has not been updated since 7 years (except for
liblinear.vcxproj which has been updated 2 years ago)
Do not use --with-liblinear option as otherwise nmap will forget to add
-llinear to LIBS due to the following line in configure.ac:
if test $have_liblinear != yes; then
AC_CHECK_HEADERS([linear.h],
AC_CHECK_LIB(linear, predict, [have_liblinear=yes; LIBLINEAR_LIBS="-llinear"; break],, [-lm])
)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c0d9ba562c5522096d4ed70827c599c9a0e9aa7c)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When threads support is missing the ntp build system builds the
work_fork code. This code added call to set_user_group_ids() that is
under HAVE_DROPROOT, which is disabled when libcap is not built.
Add a patch fixing that.
Fixes:
http://autobuild.buildroot.net/results/ab9/ab9ceff1151b8b5e6b9fa77d39c0f9b0cac1a080/
Cc: Artyom Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 13dcc69a39da97f615627553e88113ba455875ea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 87d759ced5 (ntp: fix build for no-MMU) added a patch to make MMU
dependent code hidden behind HAVE_WORKING_FORK. It turns out that the
patch covers too much code. When libcap is enabled we pass
--enable-linuxcaps, which in turn enables HAVE_DROPROOT. This adds calls
to code that is covered by HAVE_WORKING_FORK.
Update the no-MMU fix so that HAVE_WORKING_FORK only covers the no-MMU
incompatible routine.
Fixes:
http://autobuild.buildroot.net/results/c5c/c5cf28bb969fec7c07864cdd094dedfa4d5439d2/
Cc: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7cf152852dd0b4bf30659e3e62d891171f1e4aa5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12
Fixed security issues:
CVE-2016-1549 / CVE-2018-7170: Sybil vulnerability: ephemeral association
attack
CVE-2018-12327: The openhost() function used during command-line hostname
processing by ntpq and ntpdc can write beyond its buffer limit
Signed-off-by: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf9344c45e85ed274cf783271344f4c03138971d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When threads support is missing the ntp build system builds the
work_fork code. This code added call to set_user_group_ids() that is
under HAVE_DROPROOT, which is disabled when libcap is not built.
Add a patch fixing that.
Fixes:
http://autobuild.buildroot.net/results/ab9/ab9ceff1151b8b5e6b9fa77d39c0f9b0cac1a080/
Cc: Artyom Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 13dcc69a39da97f615627553e88113ba455875ea)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 87d759ced5 (ntp: fix build for no-MMU) added a patch to make MMU
dependent code hidden behind HAVE_WORKING_FORK. It turns out that the
patch covers too much code. When libcap is enabled we pass
--enable-linuxcaps, which in turn enables HAVE_DROPROOT. This adds calls
to code that is covered by HAVE_WORKING_FORK.
Update the no-MMU fix so that HAVE_WORKING_FORK only covers the no-MMU
incompatible routine.
Fixes:
http://autobuild.buildroot.net/results/c5c/c5cf28bb969fec7c07864cdd094dedfa4d5439d2/
Cc: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7cf152852dd0b4bf30659e3e62d891171f1e4aa5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes:
https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12
Fixed security issues:
CVE-2016-1549 / CVE-2018-7170: Sybil vulnerability: ephemeral association
attack
CVE-2018-12327: The openhost() function used during command-line hostname
processing by ntpq and ntpdc can write beyond its buffer limit
Signed-off-by: Artem Panfilov <apanfilov@spectracom.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf9344c45e85ed274cf783271344f4c03138971d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hash for license file and use SPDX short term identifier
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab666003e276e2e0624c70a4c4105f668f20b330)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hash for license file and use SPDX short term identifier
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ab666003e276e2e0624c70a4c4105f668f20b330)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The patch
0002-ntp_isc_md5-rename-EVP_MD_CTX-into-PTPD_EVP_MD_CTX.patch added in
commit 5b7bc560a5859d4b9f0c2a14c10e83c18fbd6bca ("ptpd2: fix build
failures due to EVP_MD_CTX conflict and U64 missing") was broken and
did not apply correctly.
This commit fixes the patch so that it applies properly.
Fixes:
http://autobuild.buildroot.net/results/ffa28ee2cecc77d66d934fdb03e1f2014189e45b/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d60973af00c5ad7dc15049597cf03bd1ad538041)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The patch
0002-ntp_isc_md5-rename-EVP_MD_CTX-into-PTPD_EVP_MD_CTX.patch added in
commit 5b7bc560a5859d4b9f0c2a14c10e83c18fbd6bca ("ptpd2: fix build
failures due to EVP_MD_CTX conflict and U64 missing") was broken and
did not apply correctly.
This commit fixes the patch so that it applies properly.
Fixes:
http://autobuild.buildroot.net/results/ffa28ee2cecc77d66d934fdb03e1f2014189e45b/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d60973af00c5ad7dc15049597cf03bd1ad538041)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Many platforms don't provide all FPU features needed by Poco when
configured for soft floating point in their fenv.h header. So
disable fpenvironment for this configuration to avoid build breakage.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c735f39881cf49bc58ad1b8375fd630e8284ad21)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Many platforms don't provide all FPU features needed by Poco when
configured for soft floating point in their fenv.h header. So
disable fpenvironment for this configuration to avoid build breakage.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c735f39881cf49bc58ad1b8375fd630e8284ad21)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The enum34 dependency is required for python2.7 for both the host and
target builds. This patch adds the host dependency to match what is
already in place for the target.
The host build is used by the setools package seinfo tool offline for
host based policy analysis. The analysis is easiest performed offline
as the policy is checked for path/reachability, which is something
that occurs by taking the policy file and using debug libraries to
perform test cases.
Fixes the following runtime error:
$ ./output/host/bin/sesearch
Traceback (most recent call last):
[...]
File "/home/test/buildroot/output/host/lib/python2.7/site-packages/setools-4.1.1-py2.7-linux-x86_64.egg/setools/policyrep/util.py", line 21, in <module>
from enum import Enum
ImportError: No module named enum
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a5e4eddb84d11ad0e4ee5c7d5298f6267e0e7f87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is initially used by the setools package to do offline
policy analysis using host tools.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3ec98f0564dfa68d55b52b2815f8017455993ea9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The enum34 dependency is required for python2.7 for both the host and
target builds. This patch adds the host dependency to match what is
already in place for the target.
The host build is used by the setools package seinfo tool offline for
host based policy analysis. The analysis is easiest performed offline
as the policy is checked for path/reachability, which is something
that occurs by taking the policy file and using debug libraries to
perform test cases.
Fixes the following runtime error:
$ ./output/host/bin/sesearch
Traceback (most recent call last):
[...]
File "/home/test/buildroot/output/host/lib/python2.7/site-packages/setools-4.1.1-py2.7-linux-x86_64.egg/setools/policyrep/util.py", line 21, in <module>
from enum import Enum
ImportError: No module named enum
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a5e4eddb84d11ad0e4ee5c7d5298f6267e0e7f87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is initially used by the setools package to do offline
policy analysis using host tools.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3ec98f0564dfa68d55b52b2815f8017455993ea9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-16758: Michael Yonli discovered that tinc 1.0.34 and earlier allow
a man-in-the-middle attack that, even if the MITM cannot decrypt the traffic
sent between the two endpoints, when the MITM can correctly predict when an
ephemeral key exchange message is sent in a TCP connection between two
nodes, allows the MITM to force one node to send UDP packets in plaintext.
The tinc 1.1pre versions are not affected by this.
CVE-2018-16738: Michael Yonli discoverd that tinc versions 1.0.30 to 1.0.34
allow an oracle attack, similar to CVE-2018-16737, but due to the
mitigations put in place for the Sweet32 attack in tinc 1.0.30, it now
requires a timing attack that has only a limited time to complete. Tinc
1.1pre16 and earlier are also affected if there are nodes on the same VPN
that still use the legacy protocol from tinc version 1.0.x.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d0758184c03f6bb7928cb957faa649be68a145c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-16758: Michael Yonli discovered that tinc 1.0.34 and earlier allow
a man-in-the-middle attack that, even if the MITM cannot decrypt the traffic
sent between the two endpoints, when the MITM can correctly predict when an
ephemeral key exchange message is sent in a TCP connection between two
nodes, allows the MITM to force one node to send UDP packets in plaintext.
The tinc 1.1pre versions are not affected by this.
CVE-2018-16738: Michael Yonli discoverd that tinc versions 1.0.30 to 1.0.34
allow an oracle attack, similar to CVE-2018-16737, but due to the
mitigations put in place for the Sweet32 attack in tinc 1.0.30, it now
requires a timing attack that has only a limited time to complete. Tinc
1.1pre16 and earlier are also affected if there are nodes on the same VPN
that still use the legacy protocol from tinc version 1.0.x.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d0758184c03f6bb7928cb957faa649be68a145c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
