This is initially used by the setools package to do offline
policy analysis using host tools.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3ec98f0564dfa68d55b52b2815f8017455993ea9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The enum34 dependency is required for python2.7 for both the host and
target builds. This patch adds the host dependency to match what is
already in place for the target.
The host build is used by the setools package seinfo tool offline for
host based policy analysis. The analysis is easiest performed offline
as the policy is checked for path/reachability, which is something
that occurs by taking the policy file and using debug libraries to
perform test cases.
Fixes the following runtime error:
$ ./output/host/bin/sesearch
Traceback (most recent call last):
[...]
File "/home/test/buildroot/output/host/lib/python2.7/site-packages/setools-4.1.1-py2.7-linux-x86_64.egg/setools/policyrep/util.py", line 21, in <module>
from enum import Enum
ImportError: No module named enum
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a5e4eddb84d11ad0e4ee5c7d5298f6267e0e7f87)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
CVE-2018-16758: Michael Yonli discovered that tinc 1.0.34 and earlier allow
a man-in-the-middle attack that, even if the MITM cannot decrypt the traffic
sent between the two endpoints, when the MITM can correctly predict when an
ephemeral key exchange message is sent in a TCP connection between two
nodes, allows the MITM to force one node to send UDP packets in plaintext.
The tinc 1.1pre versions are not affected by this.
CVE-2018-16738: Michael Yonli discovered that tinc versions 1.0.30 to 1.0.34
allow an oracle attack, similar to CVE-2018-16737, but due to the
mitigations put in place for the Sweet32 attack in tinc 1.0.30, it now
requires a timing attack that has only a limited time to complete. Tinc
1.1pre16 and earlier are also affected if there are nodes on the same VPN
that still use the legacy protocol from tinc version 1.0.x.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d0758184c03f6bb7928cb957faa649be68a145c5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The current URL no longer exists, as detected by the new pkg-stats.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 05200ad01434ce297a166c6e1bebc8196c18f7dc)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
binutils 2.27 support was removed in commit
453d29f1f45736d0156071930a09015def68994a.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9861d487e1c6965d15d8ffcdcad2c30af84ef0e3)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This test case uses a too old U-Boot version, which is affected by the
infamous libfdt header conflict issue. We update U-Boot and ATF to
what is used in the current version of
solidrun_macchiatobin_mainline_defconfig, for which the problem no
longer exists.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/107860312
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 22c2b27249107930ddedb3ed14c575e2ae8254e6)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This test case uses a too old U-Boot version, which is affected by the
infamous libfdt header conflict issue. Let's update to U-Boot 2017.11,
which is used by our current bananapi_m64_defconfig that was the
inspiration for this test case.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/107860310
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2a63cea587f66d328ad2528423f8b12f1005dd13)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
nmap is licensed under GPL-2.0 but with additional restrictions (see
COPYING, especially the "IMPORTANT NMAP LICENSE TERMS" part).
So, following the advice of Yann and Arnout (see
https://patchwork.ozlabs.org/patch/979081), set license to nmap license
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f6199d3654d0a78d8ac5557679086e8618132854)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Build of leveldb sometimes fails on:
Fatal error: can't create out-shared/db/db_bench.o: No such file or directory
Patch is not upstreamable as upstream switched to cmake
Fixes:
- http://autobuild.buildroot.net/results/945bb8096c1f98f307161a6def5a9f7f25b2454a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit abba4e701246f69bc22ca9045e9932abfe9228e9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
http://autobuild.buildroot.net/results/8a2/8a2ea2e4426416447705492237f526fc84b595d7/
http://autobuild.buildroot.net/results/a1f/a1f2369d31c2387efdec908877e0bcaa728b5aeb/
file-5.33 added optional seccomp support, but the filters did not cover all
needed syscalls, leading to errors when the freshly built host-file is
executed as part of the build on distributions with seccomp support (E.G.
Arch Linux):
checking for seccomp_init in -lseccomp... yes
..
../src/file -C -m magic
make[3]: *** [Makefile:764: magic.mgc] Bad system call
This has been fixed in file-5.34, but it anyway makes sense to explicitly
disable libseccomp support for consistency as we do not need it for the host
build.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a609f83296a27f7677ba53ba40d60c9da21237a9)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
get-developers tries to open DEVELOPERS in the current directory, so it
breaks when calling it from elsewhere than the toplevel Buildroot directory.
Traceback (most recent call last):
File "../utils/get-developers", line 107, in <module>
__main__()
File "../utils/get-developers", line 26, in __main__
devs = getdeveloperlib.parse_developers(os.path.dirname()
File "/home/peko/source/buildroot/utils/getdeveloperlib.py", line 161, in parse_developers
with open(os.path.join(basepath, "DEVELOPERS"), "r") as f:
IOError: [Errno 2] No such file or directory: '/home/peko/source/buildroot/output-foo/DEVELOPERS'
Fix it by instead figuring out where the DEVELOPERS file is relative to the
location of get-developers (E.G. one level up).
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Arnout:
- add realpath to support a symlinked get-developers script;
- pass devs_dir argument to check_developers() to support -c in subdir;
- convert basepath to absolute path to support -f option.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 62d5558f76a790d1c1b3a1834f1736dc86b6e34f)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes a syntax error introduced in bcf2ed5cc3.
Output before the patch:
$ ./utils/get-developers outgoing/*
File "./utils/get-developers", line 97
print dev
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean
print(dev)?
Output after the patch:
$ ./utils/get-developers outgoing/*
git send-email --to buildroot@buildroot.org
Signed-off-by: Grégoire Delattre <gregoire.delattre@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8320ad3341b9242eaf82df7a4d4c1a367991ec3d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When called with a list of patches, get-developers prints the entire git
send-email invocation line:
./utils/get-developers 0001-git-security-bump-to-version-2.16.5.patch
git send-email --to buildroot@buildroot.org --cc "Matt Weber <matthew.weber@rockwellcollins.com>"
This may be handy when creating an entire patch series and editing a cover
letter, but it does mean that this has to be explicitly executed and
get-developers cannot be used directly by the --cc-cmd option of git
send-email to automatically CC affected developers.
So add an -e flag to only let get-developers print the email addresses of
the affected developers in the one-email-per-line format expected by git
send-email, similar to how get_maintainer.pl works in the Linux kernel.
With this and a suitable git configuration:
git config sendemail.to buildroot@buildroot.org
git config sendemail.ccCmd "$(pwd)/utils/get-developers -e"
You can simply do:
git send-email master
To automatically mail the buildroot list and CC affected developers on
patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bcf2ed5cc3e6cba61aedb9eeb34f39d96d612867)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes:
This update contains new mitigation functionality for CVE-2018-3639
(Speculative Store Bypass) in x86. There are also bug fixes for
migration, Intel IOMMU emulation, block layer/image handling, ARM
emulation, and various other areas.
https://www.mail-archive.com/qemu-devel@nongnu.org/msg553574.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b400c2ae0b06e0be99925a56f1166bed37ff3986)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In addition:
- Update 0001-user-exec-fix-usage-of-mcontext-structure-on-ARM-uCl.patch
with new line numbers and file location.
- Remove upstream 0002-memfd-fix-configure-test.patch
- Add new options found in 2.12.0 in qemu.mk as disabled.
- Remove --with-system-pixman as it's no longer optional.
Tested with test-pkg:
./utils/test-pkg -p qemu -c configs/qemu_min_defconfig
br-arm-full [1/6]: OK
br-arm-cortex-a9-glibc [2/6]: OK
br-arm-cortex-m4-full [3/6]: SKIPPED
br-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
armv5-ctng-linux-gnueabi [6/6]: OK
6 builds, 1 skipped, 0 build failed, 0 legal-info failed
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 06e3957c16ae58745a29c56436c537170e246ea2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Our package infrastructure uses inheritance of a number of values from
the target package to the host package, which assumes the target
package is defined before the host package. In addition, future
changes are going to make this requirement even more important.
Therefore, let's fix the qemu package so that it declares its target
variant before its host variant, like all other packages in
Buildroot. We handle qemu separately from other packages, because
unlike other packages, it didn't have the "eval" for the host and
target packages at the end of the file, but rather all variables
related to the host variant first, then the call to the package
infrastructure for the host variant, then the variables related to the
target variant, and finally the call to the package infrastructure for
the target variant. We are inverting the order of those two big parts
in this commit.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2ae7b21e0b4d49575dace799424f1dda5f5d2465)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
According to target/mips/TODO in the Qemu sources:
MIPS64
------
- Userland emulation (both n32 and n64) not functional.
And indeed, trying to run a mips64n32 binary under qemu user emulation
results in:
Invalid ELF image for this architecture
So we move the BR2_mips64(el) dependency from
BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS to
BR2_PACKAGE_HOST_QEMU_SYSTEM_ARCH_SUPPORTS, so that only the system
emulation is available on mips64, and not the user-mode emulation.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 17024f5900b9803fc34388c39915f70ce51fb037)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Not all architectures are supported by both the system emulation and
user-mode emulation in Qemu, so a single
BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS doesn't work very well.
Therefore, this commit introduces the
BR2_PACKAGE_HOST_QEMU_{SYSTEM,USER}_ARCH_SUPPORTS hidden options. We
keep the BR2_PACKAGE_HOST_QEMU_ARCH_SUPPORTS option for the (numerous)
architectures supported by both system emulation and user-mode
emulation.
The 'select' logic to make sure that at least either system emulation
or user-mode emulation is selected is reworked, and done carefully to
avoid recursive Kconfig dependencies.
For now BR2_PACKAGE_HOST_QEMU_SYSTEM_ARCH_SUPPORTS and
BR2_PACKAGE_HOST_QEMU_USER_ARCH_SUPPORTS are the same, but they will
become different in a follow-up commit.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d7f74dced987a81ebd98de8dd2f70f5effda7463)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 65e05cd914c895461a65ebdf901f991585529005)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Do the same as used in all other Config.in files and use only one tab.
Signed-off-by: Ricardo Martincoski <ricardo.martincoski@gmail.com>
Cc: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9b9ad206a3d3afaae90cf5dab9f909432645aff)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The 620, 630, and 970 are not supported at this time by qemu.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit efc67deef38c9c69279c35b8e2665d81e8344e96)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Match the style used with other packages such as valgrind.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 62099784d40333079a811503bc4f5cd138d9f6ed)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit:
https://git.buildroot.net/buildroot/commit/?id=13722d58f77d0e9fea9eefc50bf083d19f835433
Patch "0003-configure-Invert-AC_CHECK_LIB-EVP_md5-.-without-lz-w.patch"
was intended to fix AC_CHECK_FUNCS() failure on openssl functions. This
was due to missing -lz during static linking.
But the patch is wrong and results in explicitly linking against -lz in
both shared and static build.
This makes no sense, since shared linking has transitive dependency so
it doesn't need to list -lz after -lssl, -lssl is enough.
Differently static linking needs -lz to be listed after -lssl.
So the real cause of previous build failure:
http://autobuild.buildroot.net/results/881/881139fb049738b16609d39ad5a49bd77ff6b4aa/
is that when AC_CHECK_FUNCS(), $LIBS variable is overwritten with
$LIBCRYPTO without taking into account previous $LIBS content (i.e. where
-lz is present). This results in AC_CHECK_FUNCS() to fail while trying to
statically link without listing -lz.
Then:
- Remove current "0003-configure-Invert-AC_CHECK_LIB-EVP_md5-.-without-lz-w.patch"
- Add patch "0003-configure-fix-AC_CHECK_FUNCS-EVP_sha224-EVP_sha384-..patch"
where add $LIBS content to tail of new $LIBS variable like this:
LIBS="$LIBCRYPTO $LIBS"
NOTE: $LIBS is at the end to ensure static linking to work correctly.
- Add patch 0004-configure-fix-AC_CHECK_FUNCS-TLS_method-TLSv1_method.patch
where add $LIBS content to tail of new $LIBS variable like this:
LIBS="-lssl $LIBCRYPTO $LIBS"
NOTE: $LIBS is at the end to ensure static linking to work correctly.
This way AC_CHECK_FUNCS(), when static linking, try to link with -lz too
appending it at the end of linking library list.
And after every AC_CHECK_FUNCS(), previously saved $LIBS variable gets
back to its original value(i.e. containing -lz if present) resulting in
having or not -lz appended to library list according to static or
shared build.
Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c5a7c287de4a3108d8aaf965731ef7978a903875)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-18065: _set_key in agent/helpers/table_container.c in
Net-SNMP before 5.8 has a NULL Pointer Exception bug that can be used by an
authenticated attacker to remotely cause the instance to crash via a crafted
UDP packet, resulting in Denial of Service.
For more details, see description and PoC:
https://dumpco.re/blog/net-snmp-5.7.3-remote-dos
Removed patch, applied upstream, autoreconf is not needed anymore.
Added sha256 hashes for tarball and license file.
Switched _SITE to https.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1fe32e837597ac23bcc52f121257d1de126fb5c2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2018-17456: RCE issue in handling of git submodules
For more details, see the announcement:
https://marc.info/?l=git&m=153875888916397&w=2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 063eff9bc622b223530e7a2a83a45f7adb5c7d6d)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>