The proftpd configure script doesn't use pkg-config to detect openssl
libraries. Instead, it just adds -lcrypto. Since openssl may be linked
with pthread, it tries to detect that by calling 'openssl version -f',
which gives the arguments with which openssl was compiled.
Since the openssl executable used is either host-openssl or the system
installed openssl, the output of 'openssl version -f' is useless in
Buildroot context. If the target toolchain doesn't have threads support,
it will wrongly pick up -pthread from host-openssl.
Fortunately there is a simple workaround: --without-openssl-cmdline says
that there is no openssl executable and skips the test, so -pthread is
not added. It turns out -pthread is never needed, even in static linking
cases, because openssl/libressl puts the thread support in a separate
object file that only gets linked in if the program actually uses
threads (which proftpd doesn't).
Fixes:
http://autobuild.buildroot.net/results/9c25c3cb3cf93b76c0538c5376a803641bf6575b
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
[Rewrite commit log, after additional analysis and testing]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
With recent dtc but old u-boot, compilation issues occur related to libfdt.
These problems really are u-boot issue since it does not properly set
include paths so that its own headers are included. Nevertheless, since the
u-boot version is typically decided by users and stuck at some version
provided by a SoC or board vendor, it is not feasible to fix those old
versions.
Instead, already several fixes were made in the past, in Buildroot.
See commits:
c7ffd8a75d5 "package/dtc: fix include guards for older kernel/u-boot"
f437bf547ca "uboot: fix build for older uboot source trees"
bf733342324 "uboot: fix build when libfdt-devel is installed system-wide"
0bf80e4bcd5 "uboot: ensure host includes are searched before system default
includes"
b15a7a62d3f "uboot: revert "uboot: use local libfdt.h""
baae5156ce3 "uboot: use local fdt headers"
3a6573ccee2 "uboot: use local libfdt.h"
Commit c7ffd8a75d55e24d793106eabbb80964ab91081f fixes the problem caused by
dtc having changed their include guards from _FOO_H to FOO_H (leading
underscore removed). Old u-boot would still use _FOO_H, which (combined with
host-dtc headers that use FOO_H) would cause the inclusion of two different
copies of the same nominal include file, e.g. libfdt.h or libfdt_env.h,
causing 'error: redefinition of xxx' compilation issues.
The fix sets the 'new' include guard when the 'old' one is detected,
preventing a second inclusion of the same nominal file.
For some u-boot versions, however, this change not only needs to be made in
libfdt.h and libfdt_env.h, but also in 'fdt.h'.
Update the dtc patch to do just that.
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Add a patch to use pkg-config to find id3tag dependency (-lz)
Fixes:
- http://autobuild.buildroot.org/results/5e4882ddacf205a92a3ff1e79649cf16e4b6c0ae
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[Arnout: add comment to AUTORECONF to refer to the patch]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Add -lz to id3tag.pc, this fix is needed to be able to use pkg-config in
madplay to find id3tag dependencies
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
COPYING contains only the license for GPL-2.0 so use the new license
files that have been added in the Licenses directory since version
2018.03 and
32c1f98eac
Also update GPL-2.0+ to "GPL-2.0+ with OpenSSL exception" and add
Exceptions file, see:
66d0dbe80f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
syslog-ng expects that rabbitmq-c is built with openssl support however
currently we're disabling openssl on rabbitmq-c in static build.
To fix this issue, add a dependency on dynamic library on rabbitmq-c and
its reverse dependencies (only BR2_PACKAGE_JANUS_GATEWAY_RABBITMQ as
php-amqp already depends on dynamic library)
Fixes:
- http://autobuild.buildroot.org/results/fce91b98fb199a26ad5f5f726c9bdec4f9d64486
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
rabbitmq-c is not an embedded submodule since version 3.16.1 and
c0559593c3
So enable/disable amqp depending on rabbitmq-c availability and remove
uneeded -lrt from LIBS
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Fabrice Fontaine <<a href="mailto:fontaine.fabrice@gmail.com" target="_blank" rel="noreferrer">fontaine.fabrice@gmail.com</a>><br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Looks good to me</div><div dir="auto"><br></div><div dir="auto">Reviewed-by: Chris Packham <<a href="mailto:judge.packham@gmail.com">judge.packham@gmail.com</a>><br><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
console-getty.service is not a template unit file (it doesn't have the
@ specifier), so %I doesn't get properly expanded in it. Thus, getty
startup will fail due to invalid options and no getty prompt is launched
on the console.
Fixes:
No getty prompt on boot
Signed-off-by: Francois Gervais <fgervais@distech-controls.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
When not using OpenSSL, the correct option to configure is --without-ssl
with two dashes.
Fixes: b8b78e7e6a ("libcurl: Allow selection of TLS package libcurl will use")
Signed-off-by: Trent Piepho <tpiepho@impinj.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes:
- http://autobuild.buildroot.org/results/1d868798c5b80d7b41123f988449ef548dd95490
This works for libressl as well, because libressl does provide
EVP_CIPHER_CTX_new() which is what gets enabled by -DSSL11
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes a long standing fsync issue and a number of other bugs:
https://www.postgresql.org/docs/11/release-11-2.htmlhttps://wiki.postgresql.org/wiki/Fsync_Errors
The hash of the license file is only changed due to a year update:
-Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
+Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Peter Seiderer <ps.report@gmx.net>
[Thomas: update commit log to explain why the license file hash has
changed, as repoted by Peter Seiderer]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For details see https://bugs.archlinux.org/task/61623
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
OPENSSL_SMALL_FOOTPRINT mode selects alternate paths in the sha512 and
blake2 algorithms which resolves a assembler issue like the following.
/tmp/ccfnLhKQ.s: Assembler messages:
/tmp/ccfnLhKQ.s:11167: Error: value -32790 out of range
make[2]: *** [crypto/blake2/blake2b.o] Error 1
This issue was found after the OpenSSL1.1.x bump.
Fixes
http://autobuild.buildroot.net/results/533e817695cde321b725145112cfd83c092d9d75
Upstream ticket
https://github.com/openssl/openssl/issues/8190
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- use BR2_TOOLCHAIN_HAS_UCONTEXT
This is used to set -DOPENSSL_NO_ASYNC if needed.
- apply the CFLAGS correctly when compiling with -Os (bugfix).
- use -latomic when needed
This fixes the build for br-sparc-uclibc-2018.05
- don't use madvise() if no MMU
Trying to do so results in undefined reference to madvise() as
it is not available on uclibc without MMU.
The original openssl code checks if a macro used in the madvise call
is defined. The problem comes from the fact that the code in
crypto/mem_sec.c also includes a kernel header defining the same macro
unconditionally. Thus the check is always true in that case.
Upstream: https://github.com/openssl/openssl/pull/8089
- don't compile test/fuzzers
These binaries introduced with 1.1.x sometimes do not compile.
This is the case with the br-arm-cortex-m4-full toolchain
- don't build ocsp daemon if no MMU.
Patch from Richard Levitte.
- correctly enable cryptodev engine
Thanks to Arnout Vandecappelle for spotting this.
- remove all parallel build patches (openssl build-system changed)
- rebased 0001-Dont-waste-time-building-manpages-if-we-re-not-going.patch
to apply to Configurations/unix-Makefile.tmpl (Makefile template)
- removed 0002-cryptodev-Fix-issue-with-signature-generation.patch
(upstream applied)
- rebased 0003-Reproducible-build-do-not-leak-compiler-path.patch to
apply to crypto/build.info (Makefile template)
- fix musl/uclibc build failure, use '-DOPENSSL_NO_ASYNC'
- remove legacy enable-tlsext configure option
- remove target/host libdir configure options, fixes openssl.pc installation
path, fixes wget compile
- change legacy INSTALL_PREFIX to DESTDIR
- remove 'libraries gets installed read only, so strip fails'
workaround (not needed anymore)
- change engine directory from /usr/lib/engines to
/usr/lib/engines-1.1
- change license file hash, no license change, only the following
hint was removed:
Actually both licenses are BSD-style Open Source licenses.
In case of any license issues related to OpenSSL please
contact openssl-core@openssl.org.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Ryan Coe <bluemrp9@gmail.com>
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
Signed-off-by: Patrick Havelange <patrick.havelange@essensium.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The host forces HTTPS regardless. This can be seen in the build logs:
>>> host-libopenssl 1.0.2q Downloading
URL transformed to HTTPS due to an HSTS policy
--2018-12-10 09:53:27-- https://www.openssl.org/source/openssl-1.0.2q.tar.gz
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security vulnerabilities:
*) Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
shown to be vulnerable to a microarchitecture timing side channel attack.
An attacker with sufficient access to mount local timing attacks during
ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
(CVE-2018-5407)
[Billy Brumley]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
For more information, see the changelog:
https://www.openssl.org/news/cl102.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
CVE-2019-6109: Due to missing character encoding in the progress
display, a malicious server (or Man-in-The-Middle attacker) can employ
crafted object names to manipulate the client output, e.g., by using
ANSI control codes to hide additional files being transferred. This
affects refresh_progress_meter() in progressmeter.c.
CVE-2019-6111: Due to the scp implementation being derived from 1983
rcp, the server chooses which files/directories are sent to the client.
However, the scp client only performs cursory validation of the object
name returned (only directory traversal attacks are prevented). A
malicious scp server (or Man-in-The-Middle attacker) can overwrite
arbitrary files in the scp client target directory. If recursive
operation (-r) is performed, the server can manipulate subdirectories as
well (for example, to overwrite the .ssh/authorized_keys file).
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Whether using the new sysusers.d snippet, or adding an entry to
/etc/password, set the service's home directory to /var/empty.
See README.privsep included as part of the openssh distribution.
Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The openssh privilege separation feature, enabled by default,
requires that the path /var/empty exists and has certain permissions
(not writable by the sshd user). Note that nothing ever gets writting
in this directory, so it works fine on a readonly rootfs.
See README.privsep included as part of the openssh distribution.
Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fixes CVE-2018-20685: The scp client allows server to modify permissions
of the target directory by using empty ("D0777 0 \n") or dot ("D0777 0
.\n") directory name.
The bug reporter lists a number of related vulnerabilities that are not
fixed yet:
https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We use the configuration option $(BR2_SYSTEM_DEFAULT_PATH) to set the
default PATH in OpenSSH sessions.
$(BR2_SYSTEM_DEFAULT_PATH) is a Kconfig string. So it is already
quoted, which is exactly what we want.
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop patch #1. uClibc no longer includes pthreads.h indirectly.
Drop patch #2. The sys/param.h header is included indirectly through the
local includes.h header since version 6.8p1.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On some architectures, atomic binutils are provided by the libatomic
library from gcc. Linking with libatomic is therefore necessary,
otherwise the build fails with:
sparc-buildroot-linux-uclibc/sysroot/lib/libatomic.so.1: error adding symbols: DSO missing from command line
This is often for example the case on sparcv8 32 bit.
Fixes:
- http://autobuild.buildroot.org/results/16e360cb91afff7655f459a3d1fb906ca48f8464
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Mender is a service explicitly written for systemd and so it doesn't
fork on background, doesn't redirect outputs and doesn't create a pid
file by itself.
To make the service running correctly is therefore necessary to use the
-m switch of start-stop-daemon to create the pid file and -b option to
send the process to background.
Logging is preserved because the service will log anyway on syslog.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Mender needs /var/lib directory to be available: on some configurations
/var/lib is not available and thus the mender package installation fails.
This patch does a mkdir to ensure the /var/lib directory is always
available.
Fixes:
http://autobuild.buildroot.net/results/d2237083a13ab7688dd2b6dc8dbcd4226ed5651a/
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Qt configure auto detection (and announced runtime detection
feature) failes (see e.g. [1]), so override the configuration
with the buildroot determined settings.
[1] http://lists.busybox.net/pipermail/buildroot/2019-January/241862.html
Reported-by: David Picard <dplamp@gmx.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- fix the following start warnings:
W: [pulseaudio] main.c: Running in system mode, but --disallow-exit not set.
W: [pulseaudio] main.c: Running in system mode, but --disallow-module-loading not set.
N: [pulseaudio] main.c: Running in system mode, forcibly disabling SHM mode.
N: [pulseaudio] main.c: Running in system mode, forcibly disabling exit idle time.
- fix the following stop error:
E: [pulseaudio] main.c: Failed to kill daemon: No such process
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In commit 3e99c8418af904b14b01455d68c84d7b5afd261f ("package/qwt:
remove qt4 support"), the following line was incorrectly dropped:
select BR2_PACKAGE_QT5BASE_GUI if BR2_PACKAGE_QT5
Due to this, qt5base can now be configured with widgets enabled but
gui disabled, causing the following build issue:
ERROR: Feature 'widgets' was enabled, but the pre-condition 'features.gui' failed.
Re-introduce the proper select, but slightly simplified since only Qt5
is supported now.
Fixes:
http://autobuild.buildroot.net/results/c771c2d5aac3e21f908e5a118f3755dbc9301a47
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Thomas: rework commit log]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Changes since 1.16.2:
- Makefile.am: don't use relative paths for include
- keytable: do not install bpf protocols decoders with execute permission
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
madplay uses a very old configure script.
When the toolchain lacks C++ and the build machine lacks /lib/cpp, this
old configure script fails because it can't find a C++ preprocessor that
is valid:
checking for arm-buildroot-linux-uclibcgnueabi-g++... no
checking whether we are using the GNU C++ compiler... no
checking whether no accepts -g... no
checking dependency style of no... none
checking how to run the C++ preprocessor... /lib/cpp
configure: error: C++ preprocessor "/lib/cpp" fails sanity check
See `config.log' for more details.
This is yet another case that was tentatively fixed by bd39d11d2e
(core/infra: fix build on toolchain without C++), further amended by
4cd1ab15886 (core: alternate solution to disable C++).
However, this only works on libtool scripts that are recent enough, and
thus we need to autoreconf to get it.
We also need to patch configure.ac so that it does not fail on the
missing, GNU-specific files: NEWS, AUTHORS, and Changelog.
Finally, remove also patch on ltmain.sh and MADPLAY_LIBTOOL_PATCH=NO as
autoreconf will create an up to date ltmain.sh
Fixes:
- http://autobuild.buildroot.org/results/fc927de0e9a42095789fb0a631d5facf14076f6e
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() – used by contrib.admin as well as the
the floatformat, filesizeformat, and intcomma templates filters – received a
Decimal with a large number of digits or a large exponent, it could lead to
significant memory usage due to a call to '{:f}'.format().
To avoid this, decimals with more than 200 digits are now formatted using
scientific notation.
https://docs.djangoproject.com/en/2.1/releases/2.1.6/
2.1.6 contained a packaging error, fixed by 2.1.7:
https://docs.djangoproject.com/en/2.1/releases/2.1.7/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is a bugfix release fixing two problems with C++ bindings.
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bugfix release, fixing a number of issues discovered post-1.5.6.
Drop patches as they are now included upstream.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Qemu assumes that when <linux/usbdevice_fs.h> is available, it can
build its USBFS code. However, some systems have
<linux/usbdevice_fs.h>, but it doesn't provide all the definitions
that Qemu needs, causing a build failure.
In order to fix this, we introduce a Qemu patch that improves the
check that determines whether USBFS support should be enabled or not.
Fixes:
http://autobuild.buildroot.net/results/c4af5505f80e1e6185df70d191e85d9393df5795/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Relase archive is distributed with depencies, this prevents the go
build system to download them.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 6e3f7fbc072c88ab344f2ffa39e402464b566f19 ("package/runc: add
upstream security fix for CVE-2019-5736") added a dependency of
docker-containerd to uclibc (inherited from runc), but the depends on
has a typo that makes it ineffective. Due to this, docker-containerd
can still be selected in uClibc configurations, causing runc to be
build, and failing to build due fexecve() being missing in uClibc.
Fixes:
http://autobuild.buildroot.net/results/64ecdb1e007106fdb05979b10b42b90591255504/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the startup warning from Docker:
failed to retrieve runc version: unknown output format: runc version commit ...
Introduces a patch to replace the faulty version detection logic in the Docker
engine.
Signed-off-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
