diff --git a/buildroot/.gitlab-ci.yml b/buildroot/.gitlab-ci.yml index b4dad3173..c838ff3c2 100644 --- a/buildroot/.gitlab-ci.yml +++ b/buildroot/.gitlab-ci.yml @@ -4,12 +4,13 @@ # It needs to be regenerated every time a defconfig is added, using # "make .gitlab-ci.yml". -image: buildroot/base:20191027.2027 +image: buildroot/base:20200814.2228 .check_base: - except: - - /^.*-.*_defconfig$/ - - /^.*-tests\..*$/ + rules: + - if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/ || $CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/' + when: never + - when: always check-DEVELOPERS: extends: .check_base @@ -27,7 +28,7 @@ check-flake8: - find * -type f -print0 | xargs -0 file | grep 'Python script' | cut -d':' -f1 >> files.txt - sort -u files.txt | tee files.processed script: - - python -m flake8 --statistics --count --max-line-length=132 $(cat files.processed) + - python3 -m flake8 --statistics --count --max-line-length=132 $(cat files.processed) after_script: - wc -l files.processed @@ -69,17 +70,21 @@ check-package: extends: .defconfig_base # Running the defconfigs for every push is too much, so limit to # explicit triggers through the API. - only: - - triggers - - tags - - /-defconfigs$/ + rules: + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For pipeline created by using a trigger token. + - if: '$CI_PIPELINE_TRIGGERED' + # For the branch or tag name named *-defconfigs, create a pipeline. + - if: '$CI_COMMIT_REF_NAME =~ /^.*-defconfigs$/' before_script: - DEFCONFIG_NAME=${CI_JOB_NAME} one-defconfig: extends: .defconfig_base - only: - - /^.*-.*_defconfig$/ + rules: + # For the branch or tag name named *-*_defconfigs, create a pipeline. + - if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/' before_script: - DEFCONFIG_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g') @@ -103,17 +108,20 @@ one-defconfig: extends: .runtime_test_base # Running the runtime tests for every push is too much, so limit to # explicit triggers through the API. - only: - - triggers - - tags - - /-runtime-tests$/ + rules: + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For pipeline created by using a trigger token. + - if: '$CI_PIPELINE_TRIGGERED' + # For the branch or tag name named *-runtime-tests, create a pipeline. + - if: '$CI_COMMIT_REF_NAME =~ /^.*-runtime-tests$/' before_script: - TEST_CASE_NAME=${CI_JOB_NAME} one-runtime_test: extends: .runtime_test_base - only: - - /^.*-tests\..*$/ + rules: + - if: '$CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/' before_script: - TEST_CASE_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g') aarch64_efi_defconfig: { extends: .defconfig } diff --git a/buildroot/.gitlab-ci.yml.in b/buildroot/.gitlab-ci.yml.in index 7e6a7598a..08a714f32 100644 --- a/buildroot/.gitlab-ci.yml.in +++ b/buildroot/.gitlab-ci.yml.in @@ -4,12 +4,13 @@ # It needs to be regenerated every time a defconfig is added, using # "make .gitlab-ci.yml". -image: buildroot/base:20191027.2027 +image: buildroot/base:20200814.2228 .check_base: - except: - - /^.*-.*_defconfig$/ - - /^.*-tests\..*$/ + rules: + - if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/ || $CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/' + when: never + - when: always check-DEVELOPERS: extends: .check_base @@ -27,7 +28,7 @@ check-flake8: - find * -type f -print0 | xargs -0 file | grep 'Python script' | cut -d':' -f1 >> files.txt - sort -u files.txt | tee files.processed script: - - python -m flake8 --statistics --count --max-line-length=132 $(cat files.processed) + - python3 -m flake8 --statistics --count --max-line-length=132 $(cat files.processed) after_script: - wc -l files.processed @@ -69,17 +70,21 @@ check-package: extends: .defconfig_base # Running the defconfigs for every push is too much, so limit to # explicit triggers through the API. - only: - - triggers - - tags - - /-defconfigs$/ + rules: + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For pipeline created by using a trigger token. + - if: '$CI_PIPELINE_TRIGGERED' + # For the branch or tag name named *-defconfigs, create a pipeline. + - if: '$CI_COMMIT_REF_NAME =~ /^.*-defconfigs$/' before_script: - DEFCONFIG_NAME=${CI_JOB_NAME} one-defconfig: extends: .defconfig_base - only: - - /^.*-.*_defconfig$/ + rules: + # For the branch or tag name named *-*_defconfigs, create a pipeline. + - if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/' before_script: - DEFCONFIG_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g') @@ -103,16 +108,19 @@ one-defconfig: extends: .runtime_test_base # Running the runtime tests for every push is too much, so limit to # explicit triggers through the API. - only: - - triggers - - tags - - /-runtime-tests$/ + rules: + # For tags, create a pipeline. + - if: '$CI_COMMIT_TAG' + # For pipeline created by using a trigger token. + - if: '$CI_PIPELINE_TRIGGERED' + # For the branch or tag name named *-runtime-tests, create a pipeline. + - if: '$CI_COMMIT_REF_NAME =~ /^.*-runtime-tests$/' before_script: - TEST_CASE_NAME=${CI_JOB_NAME} one-runtime_test: extends: .runtime_test_base - only: - - /^.*-tests\..*$/ + rules: + - if: '$CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/' before_script: - TEST_CASE_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g') diff --git a/buildroot/CHANGES b/buildroot/CHANGES index 86ecec8f7..77e274f5c 100644 --- a/buildroot/CHANGES +++ b/buildroot/CHANGES @@ -1,3 +1,94 @@ +2020.02.7, released October 12th, 2020 + + Important / security related fixes. + + meson: Correct SDK cross-compilation.conf file when + per-package builds were used to build SDK. + + systemd: Use /run rather than /var/run for PID files in units. + + Toolchain: use Secure-PLT rather than BSS-PLT for PowerPC 32. + + support/script/pycompile: Rework logic to ensure .pyc files + contain absolute target paths, fixing code inspection at + runtime when executed with cwd != '/'. + + support/scripts/setlocalversion: Correct Mercurial output to + match behaviour with Git. + + support/scripts/apply-patches.sh: Use patch + --no-backup-if-mismatch, so we no longer blindly have to + remove *.orig files after patching, fixing issues with + packages containing such files. + + Updated/fixed packages: bandwidthd, barebox, bash, bison, + brotli, cifs-utils, cryptsetup, dhcpcd, dhcpdump, docker-cli, + docker-engine, ecryptfs-utils, efl, fail2ban, freetype, gcc, + gdb, ghostscript, gnutls, go, gst1-plugins-base, + gst1-plugins-ugly, ipmitool, libhtp, libraw, libssh, libxml2, + libxml-parser-perl, localedef, lua, memcached, mesa3d, meson, + minidlna, nginx, nodejs, nss-pam-ldapd, openvmtools, php, + postgresql, python, python-aenum, python-autobahn, + python-engineio, python-fire, python-pymodbus, python-scapy, + python-semver, python-sentry-sdk, python-socketio, + python-texttable, python-tinyrpc, python-txtorcon, python3, + qt5base, runc, samba4, strace, supertux, suricata, systemd, + vlc, wayland-protocols, wireguard-linux-compat, wireshark, + xserver_xorg-server, zeromq, zstd + + Issues resolved (http://bugs.uclibc.org): + + #12911: usb_modeswitch installation race condition + #13251: cryptsetup does not work on branch 2020.02 following.. + +2020.02.6, released September 5th, 2020 + + Important / security related fixes. + + Fix a 2020.02.5 build regression in busybox when systemd (and + not less) are enabled because of missing infrastructure. + + Updated/fixed packages: alsa-utils, avahi, busybox, cups, + docker-cli, graphite2, imagemagick, libeXosip2, mbedtls, + nvidia-driver, paho-mqtt-c, python-django, systemd, uclibc, + usb_modeswitch, wolfssl + + Issues resolved (http://bugs.uclibc.org): + + #12911: usb_modeswitch installation race condition + +2020.02.5, released August 29th, 2020 + + Important / security related fixes. + + Infrastructure: Ensure RPATH entries that may be needed for + dlopen() are not dropped by patchelf. + + BR_VERSION_FULL/setlocalversion (used by make print-version + and /etc/os-release): Properly handle local git tags + + Updated/fixed packages: apache, at91bootstrap3, bind, boost, + busybox, capnproto, chrony, collectd, cpio, cryptsetup, cups, + cvs, dbus, docker-engine, domoticz, dovecot, + dovecot-pigeonhole, dropbear, efl, elixir, f2fs-tools, ffmpeg, + gd, gdk-pixbuf, ghostscript, glibc, grub2, gst1-plugins-bad, + hostapd, iputils, jasper, json-c, libcurl, libwebsockets, + linux, live555, mesa3d, mosquitto, mpv, nodejs, opencv, + opencv3, openjpeg, patchelf, perl, php, postgresql, + python-django, python-gunicorn, python-matplotlib, ripgrep, + rtl8188eu, rtl8821au, ruby, shadowsocks-libev, squid, + tpm2-abrmd, tpm2-tools, trousers, uacme, webkitgtk, wireshark, + wolfssl, wpa_supplicant, wpewebkit, xen, xlib_libX11, + xserver_xorg-server + + Issues resolved (http://bugs.uclibc.org): + + #12876: nodejs fails to build when host-icu has been built before + #13111: python-gunicorn: missing dependency on python-setuptools + #13121: wpa_supplicant fails to build without libopenssl enabled + #13141: Target-finalize fail with "depmod: ERROR: Bad version passed" + #13156: package live555 new license + 2020.02.4, released July 26th, 2020 Important / security related fixes. diff --git a/buildroot/DEVELOPERS b/buildroot/DEVELOPERS index 66ef194dd..5abdb916a 100644 --- a/buildroot/DEVELOPERS +++ b/buildroot/DEVELOPERS @@ -186,18 +186,25 @@ F: package/rauc/ N: Angelo Compagnucci F: package/corkscrew/ +F: package/cups/ +F: package/cups-filters/ F: package/fail2ban/ +F: package/grep/ F: package/i2c-tools/ +F: package/jq/ +F: package/libb64/ F: package/mender/ F: package/mender-artifact/ F: package/mono/ F: package/mono-gtksharp3/ F: package/monolite/ +F: package/openjpeg/ F: package/python-can/ F: package/python-pillow/ F: package/python-pydal/ F: package/python-spidev/ F: package/python-web2py/ +F: package/sam-ba/ F: package/sshguard/ F: package/sunwait/ F: package/sysdig/ @@ -211,6 +218,8 @@ N: Anthony Viallard F: package/gnuplot/ N: Antoine Ténart +F: package/libselinux/ +F: package/refpolicy/ F: package/wf111/ N: Antony Pavlov @@ -1035,6 +1044,7 @@ N: Gwenhael Goavec-Merou F: package/gnuradio/ F: package/gqrx/ F: package/gr-osmosdr/ +F: package/librtlsdr/ F: package/libusbgx/ F: package/python-cheetah/ F: package/python-markdown/ @@ -1713,9 +1723,6 @@ F: package/systemd-bootchart/ F: package/tinyalsa/ F: package/tinyxml/ -N: Maxime Ripard -F: package/kmsxx/ - N: Michael Durrant F: board/arcturus/ F: configs/arcturus_ucp1020_defconfig @@ -1810,6 +1817,7 @@ F: package/tpm-tools/ F: package/trousers/ N: Norbert Lange +F: package/systemd/ F: package/tcf-agent/ N: Nylon Chen @@ -2135,6 +2143,7 @@ F: package/davfs2/ N: Ryan Barnett F: package/atftp/ +F: package/c-periphery/ F: package/miraclecast/ F: package/python-pyasn/ F: package/python-pysnmp/ diff --git a/buildroot/Makefile b/buildroot/Makefile index b2dfce197..bf17f52f8 100644 --- a/buildroot/Makefile +++ b/buildroot/Makefile @@ -92,9 +92,9 @@ all: .PHONY: all # Set and export the version string -export BR2_VERSION := 2020.02.4 +export BR2_VERSION := 2020.02.7 # Actual time the release is cut (for reproducible builds) -BR2_VERSION_EPOCH = 1595750000 +BR2_VERSION_EPOCH = 1602538000 # Save running make version since it's clobbered by the make package RUNNING_MAKE_VERSION := $(MAKE_VERSION) @@ -113,7 +113,13 @@ DATE := $(shell date +%Y%m%d) # Compute the full local version string so packages can use it as-is # Need to export it, so it can be got from environment in children (eg. mconf) -export BR2_VERSION_FULL := $(BR2_VERSION)$(shell $(TOPDIR)/support/scripts/setlocalversion) + +BR2_LOCALVERSION := $(shell $(TOPDIR)/support/scripts/setlocalversion) +ifeq ($(BR2_LOCALVERSION),) +export BR2_VERSION_FULL := $(BR2_VERSION) +else +export BR2_VERSION_FULL := $(BR2_LOCALVERSION) +endif # List of targets and target patterns for which .config doesn't need to be read in noconfig_targets := menuconfig nconfig gconfig xconfig config oldconfig randconfig \ @@ -793,9 +799,9 @@ endif # counterparts are appropriately setup as symlinks ones to the others. ifeq ($(BR2_ROOTFS_MERGED_USR),y) - @$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \ - $(call MESSAGE,"Sanity check in overlay $(d)"); \ - not_merged_dirs="$$(support/scripts/check-merged-usr.sh $(d))"; \ + $(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \ + @$(call MESSAGE,"Sanity check in overlay $(d)")$(sep) \ + $(Q)not_merged_dirs="$$(support/scripts/check-merged-usr.sh $(d))"; \ test -n "$$not_merged_dirs" && { \ echo "ERROR: The overlay in $(d) is not" \ "using a merged /usr for the following directories:" \ @@ -805,20 +811,20 @@ ifeq ($(BR2_ROOTFS_MERGED_USR),y) endif # merged /usr - @$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \ - $(call MESSAGE,"Copying overlay $(d)"); \ - $(call SYSTEM_RSYNC,$(d),$(TARGET_DIR))$(sep)) + $(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \ + @$(call MESSAGE,"Copying overlay $(d)")$(sep) \ + $(Q)$(call SYSTEM_RSYNC,$(d),$(TARGET_DIR))$(sep)) - $(if $(TARGET_DIR_FILES_LISTS), \ + $(Q)$(if $(TARGET_DIR_FILES_LISTS), \ cat $(TARGET_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list.txt - $(if $(HOST_DIR_FILES_LISTS), \ + $(Q)$(if $(HOST_DIR_FILES_LISTS), \ cat $(HOST_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list-host.txt - $(if $(STAGING_DIR_FILES_LISTS), \ + $(Q)$(if $(STAGING_DIR_FILES_LISTS), \ cat $(STAGING_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list-staging.txt - @$(foreach s, $(call qstrip,$(BR2_ROOTFS_POST_BUILD_SCRIPT)), \ - $(call MESSAGE,"Executing post-build script $(s)"); \ - $(EXTRA_ENV) $(s) $(TARGET_DIR) $(call qstrip,$(BR2_ROOTFS_POST_SCRIPT_ARGS))$(sep)) + $(foreach s, $(call qstrip,$(BR2_ROOTFS_POST_BUILD_SCRIPT)), \ + @$(call MESSAGE,"Executing post-build script $(s)")$(sep) \ + $(Q)$(EXTRA_ENV) $(s) $(TARGET_DIR) $(call qstrip,$(BR2_ROOTFS_POST_SCRIPT_ARGS))$(sep)) touch $(TARGET_DIR)/usr diff --git a/buildroot/boot/at91bootstrap3/Config.in b/buildroot/boot/at91bootstrap3/Config.in index faab7635d..bd3873860 100644 --- a/buildroot/boot/at91bootstrap3/Config.in +++ b/buildroot/boot/at91bootstrap3/Config.in @@ -1,6 +1,6 @@ config BR2_TARGET_AT91BOOTSTRAP3 bool "AT91 Bootstrap 3" - depends on BR2_arm926t || BR2_cortex_a5 + depends on BR2_arm926t || BR2_cortex_a5 || BR2_cortex_a7 help AT91Bootstrap is a first level bootloader for the Atmel AT91 devices. It integrates algorithms for: diff --git a/buildroot/boot/barebox/barebox.mk b/buildroot/boot/barebox/barebox.mk index 1efe5665d..9d62037e7 100644 --- a/buildroot/boot/barebox/barebox.mk +++ b/buildroot/boot/barebox/barebox.mk @@ -88,13 +88,6 @@ $(1)_KCONFIG_DEPENDENCIES = \ $(BR2_BISON_HOST_DEPENDENCY) \ $(BR2_FLEX_HOST_DEPENDENCY) -ifeq ($$(BR2_TARGET_$(1)_BAREBOXENV),y) -define $(1)_BUILD_BAREBOXENV_CMDS - $$(TARGET_CC) $$(TARGET_CFLAGS) $$(TARGET_LDFLAGS) -o $$(@D)/bareboxenv \ - $$(@D)/scripts/bareboxenv.c -endef -endif - ifeq ($$(BR2_TARGET_$(1)_CUSTOM_ENV),y) $(1)_ENV_NAME = $$(notdir $$(call qstrip,\ $$(BR2_TARGET_$(1)_CUSTOM_ENV_PATH))) @@ -109,12 +102,23 @@ endef endif ifneq ($$($(1)_CUSTOM_EMBEDDED_ENV_PATH),) -define $(1)_KCONFIG_FIXUP_CMDS - $$(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_ENVIRONMENT,$$(@D)/.config) - $$(call KCONFIG_SET_OPT,CONFIG_DEFAULT_ENVIRONMENT_PATH,"$$($(1)_CUSTOM_EMBEDDED_ENV_PATH)",$$(@D)/.config) +define $(1)_KCONFIG_FIXUP_CUSTOM_EMBEDDED_ENV_PATH + $$(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_ENVIRONMENT) + $$(call KCONFIG_SET_OPT,CONFIG_DEFAULT_ENVIRONMENT_PATH,"$$($(1)_CUSTOM_EMBEDDED_ENV_PATH)") endef endif +define $(1)_KCONFIG_FIXUP_BAREBOXENV + $$(if $$(BR2_TARGET_$(1)_BAREBOXENV),\ + $$(call KCONFIG_ENABLE_OPT,CONFIG_BAREBOXENV_TARGET),\ + $$(call KCONFIG_DISABLE_OPT,CONFIG_BAREBOXENV_TARGET)) +endef + +define $(1)_KCONFIG_FIXUP_CMDS + $$($(1)_KCONFIG_FIXUP_CUSTOM_EMBEDDED_ENV_PATH) + $$($(1)_KCONFIG_FIXUP_BAREBOXENV) +endef + define $(1)_BUILD_CMDS $$($(1)_BUILD_BAREBOXENV_CMDS) $$(TARGET_MAKE_ENV) $$(MAKE) $$($(1)_MAKE_FLAGS) -C $$(@D) @@ -136,7 +140,7 @@ endef ifeq ($$(BR2_TARGET_$(1)_BAREBOXENV),y) define $(1)_INSTALL_TARGET_CMDS - cp $$(@D)/bareboxenv $$(TARGET_DIR)/usr/bin + cp $$(@D)/scripts/bareboxenv-target $$(TARGET_DIR)/usr/bin/bareboxenv endef endif diff --git a/buildroot/boot/grub2/0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch b/buildroot/boot/grub2/0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch new file mode 100644 index 000000000..001dda820 --- /dev/null +++ b/buildroot/boot/grub2/0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch @@ -0,0 +1,73 @@ +From a7ab0cc98fa89a3d5098c29cbe44bcd24b0a6454 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 15 Apr 2020 15:45:02 -0400 +Subject: [PATCH] yylex: Make lexer fatal errors actually be fatal +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When presented with a command that can't be tokenized to anything +smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg), +expecting that will stop further processing, as such: + + #define YY_DO_BEFORE_ACTION \ + yyg->yytext_ptr = yy_bp; \ + yyleng = (int) (yy_cp - yy_bp); \ + yyg->yy_hold_char = *yy_cp; \ + *yy_cp = '\0'; \ + if ( yyleng >= YYLMAX ) \ + YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \ + yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \ + yyg->yy_c_buf_p = yy_cp; + +The code flex generates expects that YY_FATAL_ERROR() will either return +for it or do some form of longjmp(), or handle the error in some way at +least, and so the strncpy() call isn't in an "else" clause, and thus if +YY_FATAL_ERROR() is *not* actually fatal, it does the call with the +questionable limit, and predictable results ensue. + +Unfortunately, our implementation of YY_FATAL_ERROR() is: + + #define YY_FATAL_ERROR(msg) \ + do { \ + grub_printf (_("fatal error: %s\n"), _(msg)); \ + } while (0) + +The same pattern exists in yyless(), and similar problems exist in users +of YY_INPUT(), several places in the main parsing loop, +yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack, +yy_scan_buffer(), etc. + +All of these callers expect YY_FATAL_ERROR() to actually be fatal, and +the things they do if it returns after calling it are wildly unsafe. + +Fixes: CVE-2020-10713 + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/script/yylex.l | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l +index 7b44c37b7..b7203c823 100644 +--- a/grub-core/script/yylex.l ++++ b/grub-core/script/yylex.l +@@ -37,11 +37,11 @@ + + /* + * As we don't have access to yyscanner, we cannot do much except to +- * print the fatal error. ++ * print the fatal error and exit. + */ + #define YY_FATAL_ERROR(msg) \ + do { \ +- grub_printf (_("fatal error: %s\n"), _(msg)); \ ++ grub_fatal (_("fatal error: %s\n"), _(msg));\ + } while (0) + + #define COPY(str, hint) \ +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch b/buildroot/boot/grub2/0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch new file mode 100644 index 000000000..5c5211346 --- /dev/null +++ b/buildroot/boot/grub2/0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch @@ -0,0 +1,128 @@ +From 782a4580a5e347793443aa8e9152db1bf4a0fff8 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 15 Jun 2020 10:58:42 -0400 +Subject: [PATCH] safemath: Add some arithmetic primitives that check for + overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This adds a new header, include/grub/safemath.h, that includes easy to +use wrappers for __builtin_{add,sub,mul}_overflow() declared like: + + bool OP(a, b, res) + +where OP is grub_add, grub_sub or grub_mul. OP() returns true in the +case where the operation would overflow and res is not modified. +Otherwise, false is returned and the operation is executed. + +These arithmetic primitives require newer compiler versions. So, bump +these requirements in the INSTALL file too. + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + INSTALL | 22 ++-------------------- + include/grub/compiler.h | 8 ++++++++ + include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+), 20 deletions(-) + create mode 100644 include/grub/safemath.h + +diff --git a/INSTALL b/INSTALL +index 8acb40902..dcb9b7d7b 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -11,27 +11,9 @@ GRUB depends on some software packages installed into your system. If + you don't have any of them, please obtain and install them before + configuring the GRUB. + +-* GCC 4.1.3 or later +- Note: older versions may work but support is limited +- +- Experimental support for clang 3.3 or later (results in much bigger binaries) ++* GCC 5.1.0 or later ++ Experimental support for clang 3.8.0 or later (results in much bigger binaries) + for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64 +- Note: clang 3.2 or later works for i386 and x86_64 targets but results in +- much bigger binaries. +- earlier versions not tested +- Note: clang 3.2 or later works for arm +- earlier versions not tested +- Note: clang on arm64 is not supported due to +- https://llvm.org/bugs/show_bug.cgi?id=26030 +- Note: clang 3.3 or later works for mips(el) +- earlier versions fail to generate .reginfo and hence gprel relocations +- fail. +- Note: clang 3.2 or later works for powerpc +- earlier versions not tested +- Note: clang 3.5 or later works for sparc64 +- earlier versions return "error: unable to interface with target machine" +- Note: clang has no support for ia64 and hence you can't compile GRUB +- for ia64 with clang + * GNU Make + * GNU Bison 2.3 or later + * GNU gettext 0.17 or later +diff --git a/include/grub/compiler.h b/include/grub/compiler.h +index c9e1d7a73..8f3be3ae7 100644 +--- a/include/grub/compiler.h ++++ b/include/grub/compiler.h +@@ -48,4 +48,12 @@ + # define WARN_UNUSED_RESULT + #endif + ++#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__) ++# define CLANG_PREREQ(maj,min) \ ++ ((__clang_major__ > (maj)) || \ ++ (__clang_major__ == (maj) && __clang_minor__ >= (min))) ++#else ++# define CLANG_PREREQ(maj,min) 0 ++#endif ++ + #endif /* ! GRUB_COMPILER_HEADER */ +diff --git a/include/grub/safemath.h b/include/grub/safemath.h +new file mode 100644 +index 000000000..c17b89bba +--- /dev/null ++++ b/include/grub/safemath.h +@@ -0,0 +1,37 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2020 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see . ++ * ++ * Arithmetic operations that protect against overflow. ++ */ ++ ++#ifndef GRUB_SAFEMATH_H ++#define GRUB_SAFEMATH_H 1 ++ ++#include ++ ++/* These appear in gcc 5.1 and clang 3.8. */ ++#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8) ++ ++#define grub_add(a, b, res) __builtin_add_overflow(a, b, res) ++#define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) ++#define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) ++ ++#else ++#error gcc 5.1 or newer or clang 3.8 or newer is required ++#endif ++ ++#endif /* GRUB_SAFEMATH_H */ +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch b/buildroot/boot/grub2/0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch new file mode 100644 index 000000000..a2e19f0ea --- /dev/null +++ b/buildroot/boot/grub2/0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch @@ -0,0 +1,246 @@ +From 5775eb40862b67468ced816e6d7560dbe22a3670 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 15 Jun 2020 12:15:29 -0400 +Subject: [PATCH] calloc: Make sure we always have an overflow-checking + calloc() available +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This tries to make sure that everywhere in this source tree, we always have +an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.) +available, and that they all safely check for overflow and return NULL when +it would occur. + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/kern/emu/misc.c | 12 +++++++++ + grub-core/kern/emu/mm.c | 10 ++++++++ + grub-core/kern/mm.c | 40 ++++++++++++++++++++++++++++++ + grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++-- + grub-core/lib/posix_wrap/stdlib.h | 8 +++++- + include/grub/emu/misc.h | 1 + + include/grub/mm.h | 6 +++++ + 7 files changed, 85 insertions(+), 3 deletions(-) + +diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c +index 65db79baa..dfd8a8ec4 100644 +--- a/grub-core/kern/emu/misc.c ++++ b/grub-core/kern/emu/misc.c +@@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...) + exit (1); + } + ++void * ++xcalloc (grub_size_t nmemb, grub_size_t size) ++{ ++ void *p; ++ ++ p = calloc (nmemb, size); ++ if (!p) ++ grub_util_error ("%s", _("out of memory")); ++ ++ return p; ++} ++ + void * + xmalloc (grub_size_t size) + { +diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c +index f262e95e3..145b01d37 100644 +--- a/grub-core/kern/emu/mm.c ++++ b/grub-core/kern/emu/mm.c +@@ -25,6 +25,16 @@ + #include + #include + ++void * ++grub_calloc (grub_size_t nmemb, grub_size_t size) ++{ ++ void *ret; ++ ret = calloc (nmemb, size); ++ if (!ret) ++ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory")); ++ return ret; ++} ++ + void * + grub_malloc (grub_size_t size) + { +diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c +index ee88ff611..f2822a836 100644 +--- a/grub-core/kern/mm.c ++++ b/grub-core/kern/mm.c +@@ -67,8 +67,10 @@ + #include + #include + #include ++#include + + #ifdef MM_DEBUG ++# undef grub_calloc + # undef grub_malloc + # undef grub_zalloc + # undef grub_realloc +@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size) + return 0; + } + ++/* ++ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on ++ * integer overflow. ++ */ ++void * ++grub_calloc (grub_size_t nmemb, grub_size_t size) ++{ ++ void *ret; ++ grub_size_t sz = 0; ++ ++ if (grub_mul (nmemb, size, &sz)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ ++ ret = grub_memalign (0, sz); ++ if (!ret) ++ return NULL; ++ ++ grub_memset (ret, 0, sz); ++ return ret; ++} ++ + /* Allocate SIZE bytes and return the pointer. */ + void * + grub_malloc (grub_size_t size) +@@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno) + grub_printf ("\n"); + } + ++void * ++grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size) ++{ ++ void *ptr; ++ ++ if (grub_mm_debug) ++ grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ", ++ file, line, size); ++ ptr = grub_calloc (nmemb, size); ++ if (grub_mm_debug) ++ grub_printf ("%p\n", ptr); ++ return ptr; ++} ++ + void * + grub_debug_malloc (const char *file, int line, grub_size_t size) + { +diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c +index beeb661a3..74c6eafe5 100644 +--- a/grub-core/lib/libgcrypt_wrap/mem.c ++++ b/grub-core/lib/libgcrypt_wrap/mem.c +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -36,7 +37,10 @@ void * + gcry_xcalloc (size_t n, size_t m) + { + void *ret; +- ret = grub_zalloc (n * m); ++ size_t sz; ++ if (grub_mul (n, m, &sz)) ++ grub_fatal ("gcry_xcalloc would overflow"); ++ ret = grub_zalloc (sz); + if (!ret) + grub_fatal ("gcry_xcalloc failed"); + return ret; +@@ -56,7 +60,10 @@ void * + gcry_xcalloc_secure (size_t n, size_t m) + { + void *ret; +- ret = grub_zalloc (n * m); ++ size_t sz; ++ if (grub_mul (n, m, &sz)) ++ grub_fatal ("gcry_xcalloc would overflow"); ++ ret = grub_zalloc (sz); + if (!ret) + grub_fatal ("gcry_xcalloc failed"); + return ret; +diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h +index 3b46f47ff..7a8d385e9 100644 +--- a/grub-core/lib/posix_wrap/stdlib.h ++++ b/grub-core/lib/posix_wrap/stdlib.h +@@ -21,6 +21,7 @@ + + #include + #include ++#include + + static inline void + free (void *ptr) +@@ -37,7 +38,12 @@ malloc (grub_size_t size) + static inline void * + calloc (grub_size_t size, grub_size_t nelem) + { +- return grub_zalloc (size * nelem); ++ grub_size_t sz; ++ ++ if (grub_mul (size, nelem, &sz)) ++ return NULL; ++ ++ return grub_zalloc (sz); + } + + static inline void * +diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h +index ce464cfd0..ff9c48a64 100644 +--- a/include/grub/emu/misc.h ++++ b/include/grub/emu/misc.h +@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev); + #define GRUB_HOST_PRIuLONG_LONG "llu" + #define GRUB_HOST_PRIxLONG_LONG "llx" + ++void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT; + void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT; + void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT; + char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT; +diff --git a/include/grub/mm.h b/include/grub/mm.h +index 28e2e53eb..9c38dd3ca 100644 +--- a/include/grub/mm.h ++++ b/include/grub/mm.h +@@ -29,6 +29,7 @@ + #endif + + void grub_mm_init_region (void *addr, grub_size_t size); ++void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size); + void *EXPORT_FUNC(grub_malloc) (grub_size_t size); + void *EXPORT_FUNC(grub_zalloc) (grub_size_t size); + void EXPORT_FUNC(grub_free) (void *ptr); +@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug); + void grub_mm_dump_free (void); + void grub_mm_dump (unsigned lineno); + ++#define grub_calloc(nmemb, size) \ ++ grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size) ++ + #define grub_malloc(size) \ + grub_debug_malloc (GRUB_FILE, __LINE__, size) + +@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno); + #define grub_free(ptr) \ + grub_debug_free (GRUB_FILE, __LINE__, ptr) + ++void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line, ++ grub_size_t nmemb, grub_size_t size); + void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line, + grub_size_t size); + void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line, +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0005-calloc-Use-calloc-at-most-places.patch b/buildroot/boot/grub2/0005-calloc-Use-calloc-at-most-places.patch new file mode 100644 index 000000000..096c2dfc4 --- /dev/null +++ b/buildroot/boot/grub2/0005-calloc-Use-calloc-at-most-places.patch @@ -0,0 +1,1840 @@ +From 8185711241d73931269f402bb6799f7e2c58f04b Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 15 Jun 2020 12:26:01 -0400 +Subject: [PATCH] calloc: Use calloc() at most places +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This modifies most of the places we do some form of: + + X = malloc(Y * Z); + +to use calloc(Y, Z) instead. + +Among other issues, this fixes: + - allocation of integer overflow in grub_png_decode_image_header() + reported by Chris Coulson, + - allocation of integer overflow in luks_recover_key() + reported by Chris Coulson, + - allocation of integer overflow in grub_lvm_detect() + reported by Chris Coulson. + +Fixes: CVE-2020-14308 + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/bus/usb/usbhub.c | 8 ++++---- + grub-core/commands/efi/lsefisystab.c | 3 ++- + grub-core/commands/legacycfg.c | 6 +++--- + grub-core/commands/menuentry.c | 2 +- + grub-core/commands/nativedisk.c | 2 +- + grub-core/commands/parttool.c | 12 +++++++++--- + grub-core/commands/regexp.c | 2 +- + grub-core/commands/search_wrap.c | 2 +- + grub-core/disk/diskfilter.c | 4 ++-- + grub-core/disk/ieee1275/ofdisk.c | 2 +- + grub-core/disk/ldm.c | 14 +++++++------- + grub-core/disk/luks.c | 2 +- + grub-core/disk/lvm.c | 8 ++++---- + grub-core/disk/xen/xendisk.c | 2 +- + grub-core/efiemu/loadcore.c | 2 +- + grub-core/efiemu/mm.c | 6 +++--- + grub-core/font/font.c | 3 +-- + grub-core/fs/affs.c | 6 +++--- + grub-core/fs/btrfs.c | 6 +++--- + grub-core/fs/hfs.c | 2 +- + grub-core/fs/hfsplus.c | 6 +++--- + grub-core/fs/iso9660.c | 2 +- + grub-core/fs/ntfs.c | 4 ++-- + grub-core/fs/sfs.c | 2 +- + grub-core/fs/tar.c | 2 +- + grub-core/fs/udf.c | 4 ++-- + grub-core/fs/zfs/zfs.c | 4 ++-- + grub-core/gfxmenu/gui_string_util.c | 2 +- + grub-core/gfxmenu/widget-box.c | 4 ++-- + grub-core/io/gzio.c | 2 +- + grub-core/kern/efi/efi.c | 6 +++--- + grub-core/kern/emu/hostdisk.c | 2 +- + grub-core/kern/fs.c | 2 +- + grub-core/kern/misc.c | 2 +- + grub-core/kern/parser.c | 2 +- + grub-core/kern/uboot/uboot.c | 2 +- + grub-core/lib/libgcrypt/cipher/ac.c | 8 ++++---- + grub-core/lib/libgcrypt/cipher/primegen.c | 4 ++-- + grub-core/lib/libgcrypt/cipher/pubkey.c | 4 ++-- + grub-core/lib/priority_queue.c | 2 +- + grub-core/lib/reed_solomon.c | 7 +++---- + grub-core/lib/relocator.c | 10 +++++----- + grub-core/lib/zstd/fse_decompress.c | 2 +- + grub-core/loader/arm/linux.c | 2 +- + grub-core/loader/efi/chainloader.c | 2 +- + grub-core/loader/i386/bsdXX.c | 2 +- + grub-core/loader/i386/xnu.c | 4 ++-- + grub-core/loader/macho.c | 2 +- + grub-core/loader/multiboot_elfxx.c | 2 +- + grub-core/loader/xnu.c | 2 +- + grub-core/mmap/mmap.c | 4 ++-- + grub-core/net/bootp.c | 2 +- + grub-core/net/dns.c | 10 +++++----- + grub-core/net/net.c | 4 ++-- + grub-core/normal/charset.c | 10 +++++----- + grub-core/normal/cmdline.c | 14 +++++++------- + grub-core/normal/menu_entry.c | 14 +++++++------- + grub-core/normal/menu_text.c | 4 ++-- + grub-core/normal/term.c | 4 ++-- + grub-core/osdep/linux/getroot.c | 6 +++--- + grub-core/osdep/unix/config.c | 2 +- + grub-core/osdep/windows/getroot.c | 2 +- + grub-core/osdep/windows/hostdisk.c | 4 ++-- + grub-core/osdep/windows/init.c | 2 +- + grub-core/osdep/windows/platform.c | 4 ++-- + grub-core/osdep/windows/relpath.c | 2 +- + grub-core/partmap/gpt.c | 2 +- + grub-core/partmap/msdos.c | 2 +- + grub-core/script/execute.c | 2 +- + grub-core/tests/fake_input.c | 2 +- + grub-core/tests/video_checksum.c | 6 +++--- + grub-core/video/capture.c | 2 +- + grub-core/video/emu/sdl.c | 2 +- + grub-core/video/i386/pc/vga.c | 2 +- + grub-core/video/readers/png.c | 2 +- + include/grub/unicode.h | 4 ++-- + util/getroot.c | 2 +- + util/grub-file.c | 2 +- + util/grub-fstest.c | 4 ++-- + util/grub-install-common.c | 2 +- + util/grub-install.c | 4 ++-- + util/grub-mkimagexx.c | 6 ++---- + util/grub-mkrescue.c | 4 ++-- + util/grub-mkstandalone.c | 2 +- + util/grub-pe2elf.c | 12 +++++------- + util/grub-probe.c | 4 ++-- + 86 files changed, 176 insertions(+), 175 deletions(-) + +diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c +index 34a7ff1b5..a06cce302 100644 +--- a/grub-core/bus/usb/usbhub.c ++++ b/grub-core/bus/usb/usbhub.c +@@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev) + grub_usb_set_configuration (dev, 1); + + dev->nports = hubdesc.portcnt; +- dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0])); +- dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0])); ++ dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0])); ++ dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0])); + if (!dev->children || !dev->ports) + { + grub_free (dev->children); +@@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d + + /* Query the number of ports the root Hub has. */ + hub->nports = controller->dev->hubports (controller); +- hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports); +- hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports); ++ hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0])); ++ hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0])); + if (!hub->devices || !hub->ports) + { + grub_free (hub->devices); +diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c +index df1030221..cd81507f5 100644 +--- a/grub-core/commands/efi/lsefisystab.c ++++ b/grub-core/commands/efi/lsefisystab.c +@@ -71,7 +71,8 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)), + grub_printf ("Vendor: "); + + for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++); +- vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1); ++ /* Allocate extra 3 bytes to simplify math. */ ++ vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1); + if (!vendor) + return grub_errno; + *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor, +diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c +index db7a8f002..5e3ec0d5e 100644 +--- a/grub-core/commands/legacycfg.c ++++ b/grub-core/commands/legacycfg.c +@@ -314,7 +314,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)), + if (argc < 2) + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); + +- cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1)); ++ cutargs = grub_calloc (argc - 1, sizeof (cutargs[0])); + if (!cutargs) + return grub_errno; + cutargc = argc - 1; +@@ -436,7 +436,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)), + { + char rbuf[3] = "-r"; + bsdargc = cutargc + 2; +- bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc); ++ bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0])); + if (!bsdargs) + { + err = grub_errno; +@@ -559,7 +559,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"), + "module"); + +- newargs = grub_malloc ((argc + 1) * sizeof (newargs[0])); ++ newargs = grub_calloc (argc + 1, sizeof (newargs[0])); + if (!newargs) + return grub_errno; + grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0])); +diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c +index 2c5363da7..9164df744 100644 +--- a/grub-core/commands/menuentry.c ++++ b/grub-core/commands/menuentry.c +@@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args, + goto fail; + + /* Save argc, args to pass as parameters to block arg later. */ +- menu_args = grub_malloc (sizeof (char*) * (argc + 1)); ++ menu_args = grub_calloc (argc + 1, sizeof (char *)); + if (! menu_args) + goto fail; + +diff --git a/grub-core/commands/nativedisk.c b/grub-core/commands/nativedisk.c +index 699447d11..7c8f97f6a 100644 +--- a/grub-core/commands/nativedisk.c ++++ b/grub-core/commands/nativedisk.c +@@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)), + else + path_prefix = prefix; + +- mods = grub_malloc (argc * sizeof (mods[0])); ++ mods = grub_calloc (argc, sizeof (mods[0])); + if (!mods) + return grub_errno; + +diff --git a/grub-core/commands/parttool.c b/grub-core/commands/parttool.c +index 22b46b187..051e31320 100644 +--- a/grub-core/commands/parttool.c ++++ b/grub-core/commands/parttool.c +@@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name, + for (nargs = 0; args[nargs].name != 0; nargs++); + cur->nargs = nargs; + cur->args = (struct grub_parttool_argdesc *) +- grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc)); ++ grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc)); ++ if (!cur->args) ++ { ++ grub_free (cur); ++ curhandle--; ++ return -1; ++ } + grub_memcpy (cur->args, args, + (nargs + 1) * sizeof (struct grub_parttool_argdesc)); + +@@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)), + return err; + } + +- parsed = (int *) grub_zalloc (argc * sizeof (int)); ++ parsed = (int *) grub_calloc (argc, sizeof (int)); + + for (i = 1; i < argc; i++) + if (! parsed[i]) +@@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)), + } + ptool = cur; + pargs = (struct grub_parttool_args *) +- grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args)); ++ grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args)); + for (j = i; j < argc; j++) + if (! parsed[j]) + { +diff --git a/grub-core/commands/regexp.c b/grub-core/commands/regexp.c +index f00b184c8..4019164f3 100644 +--- a/grub-core/commands/regexp.c ++++ b/grub-core/commands/regexp.c +@@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args) + if (ret) + goto fail; + +- matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1)); ++ matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches)); + if (! matches) + goto fail; + +diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c +index d7fd26b94..47fc8eb99 100644 +--- a/grub-core/commands/search_wrap.c ++++ b/grub-core/commands/search_wrap.c +@@ -122,7 +122,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args) + for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++) + nhints++; + +- hints = grub_malloc (sizeof (hints[0]) * nhints); ++ hints = grub_calloc (nhints, sizeof (hints[0])); + if (!hints) + return grub_errno; + j = 0; +diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c +index c3b578acf..68ca9e0be 100644 +--- a/grub-core/disk/diskfilter.c ++++ b/grub-core/disk/diskfilter.c +@@ -1134,7 +1134,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb, + array->lvs->segments->node_count = nmemb; + array->lvs->segments->raid_member_size = disk_size; + array->lvs->segments->nodes +- = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0])); ++ = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0])); + array->lvs->segments->stripe_size = stripe_size; + for (i = 0; i < nmemb; i++) + { +@@ -1226,7 +1226,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id, + grub_partition_t p; + for (p = disk->partition; p; p = p->parent) + s++; +- pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0])); ++ pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0])); + s = 0; + for (p = disk->partition; p; p = p->parent) + pv->partmaps[s++] = xstrdup (p->partmap->name); +diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c +index f73257e66..03674cb47 100644 +--- a/grub-core/disk/ieee1275/ofdisk.c ++++ b/grub-core/disk/ieee1275/ofdisk.c +@@ -297,7 +297,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias) + /* Power machines documentation specify 672 as maximum SAS disks in + one system. Using a slightly larger value to be safe. */ + table_size = 768; +- table = grub_malloc (table_size * sizeof (grub_uint64_t)); ++ table = grub_calloc (table_size, sizeof (grub_uint64_t)); + + if (!table) + { +diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c +index 2a22d2d6c..e6323701a 100644 +--- a/grub-core/disk/ldm.c ++++ b/grub-core/disk/ldm.c +@@ -323,8 +323,8 @@ make_vg (grub_disk_t disk, + lv->segments->type = GRUB_DISKFILTER_MIRROR; + lv->segments->node_count = 0; + lv->segments->node_alloc = 8; +- lv->segments->nodes = grub_zalloc (sizeof (*lv->segments->nodes) +- * lv->segments->node_alloc); ++ lv->segments->nodes = grub_calloc (lv->segments->node_alloc, ++ sizeof (*lv->segments->nodes)); + if (!lv->segments->nodes) + goto fail2; + ptr = vblk[i].dynamic; +@@ -543,8 +543,8 @@ make_vg (grub_disk_t disk, + { + comp->segment_alloc = 8; + comp->segment_count = 0; +- comp->segments = grub_malloc (sizeof (*comp->segments) +- * comp->segment_alloc); ++ comp->segments = grub_calloc (comp->segment_alloc, ++ sizeof (*comp->segments)); + if (!comp->segments) + goto fail2; + } +@@ -590,8 +590,8 @@ make_vg (grub_disk_t disk, + } + comp->segments->node_count = read_int (ptr + 1, *ptr); + comp->segments->node_alloc = comp->segments->node_count; +- comp->segments->nodes = grub_zalloc (sizeof (*comp->segments->nodes) +- * comp->segments->node_alloc); ++ comp->segments->nodes = grub_calloc (comp->segments->node_alloc, ++ sizeof (*comp->segments->nodes)); + if (!lv->segments->nodes) + goto fail2; + } +@@ -1017,7 +1017,7 @@ grub_util_ldm_embed (struct grub_disk *disk, unsigned int *nsectors, + *nsectors = lv->size; + if (*nsectors > max_nsectors) + *nsectors = max_nsectors; +- *sectors = grub_malloc (*nsectors * sizeof (**sectors)); ++ *sectors = grub_calloc (*nsectors, sizeof (**sectors)); + if (!*sectors) + return grub_errno; + for (i = 0; i < *nsectors; i++) +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 86c50c612..18b3a8bb1 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -336,7 +336,7 @@ luks_recover_key (grub_disk_t source, + && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes) + max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes); + +- split_key = grub_malloc (keysize * max_stripes); ++ split_key = grub_calloc (keysize, max_stripes); + if (!split_key) + return grub_errno; + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index 7b265c780..d1df640b3 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -173,7 +173,7 @@ grub_lvm_detect (grub_disk_t disk, + first one. */ + + /* Allocate buffer space for the circular worst-case scenario. */ +- metadatabuf = grub_malloc (2 * mda_size); ++ metadatabuf = grub_calloc (2, mda_size); + if (! metadatabuf) + goto fail; + +@@ -426,7 +426,7 @@ grub_lvm_detect (grub_disk_t disk, + #endif + goto lvs_fail; + } +- lv->segments = grub_zalloc (sizeof (*seg) * lv->segment_count); ++ lv->segments = grub_calloc (lv->segment_count, sizeof (*seg)); + seg = lv->segments; + + for (i = 0; i < lv->segment_count; i++) +@@ -483,8 +483,8 @@ grub_lvm_detect (grub_disk_t disk, + if (seg->node_count != 1) + seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = "); + +- seg->nodes = grub_zalloc (sizeof (*stripe) +- * seg->node_count); ++ seg->nodes = grub_calloc (seg->node_count, ++ sizeof (*stripe)); + stripe = seg->nodes; + + p = grub_strstr (p, "stripes = ["); +diff --git a/grub-core/disk/xen/xendisk.c b/grub-core/disk/xen/xendisk.c +index 48476cbbf..d6612eebd 100644 +--- a/grub-core/disk/xen/xendisk.c ++++ b/grub-core/disk/xen/xendisk.c +@@ -426,7 +426,7 @@ grub_xendisk_init (void) + if (!ctr) + return; + +- virtdisks = grub_malloc (ctr * sizeof (virtdisks[0])); ++ virtdisks = grub_calloc (ctr, sizeof (virtdisks[0])); + if (!virtdisks) + return; + if (grub_xenstore_dir ("device/vbd", fill, &ctr)) +diff --git a/grub-core/efiemu/loadcore.c b/grub-core/efiemu/loadcore.c +index 44085ef81..2b924623f 100644 +--- a/grub-core/efiemu/loadcore.c ++++ b/grub-core/efiemu/loadcore.c +@@ -201,7 +201,7 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e) + + grub_efiemu_nelfsyms = (unsigned) s->sh_size / (unsigned) s->sh_entsize; + grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *) +- grub_malloc (sizeof (struct grub_efiemu_elf_sym) * grub_efiemu_nelfsyms); ++ grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym)); + + /* Relocators */ + for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff); +diff --git a/grub-core/efiemu/mm.c b/grub-core/efiemu/mm.c +index 52a032f7b..9b8e0d0ad 100644 +--- a/grub-core/efiemu/mm.c ++++ b/grub-core/efiemu/mm.c +@@ -554,11 +554,11 @@ grub_efiemu_mmap_sort_and_uniq (void) + /* Initialize variables*/ + grub_memset (present, 0, sizeof (int) * GRUB_EFI_MAX_MEMORY_TYPE); + scanline_events = (struct grub_efiemu_mmap_scan *) +- grub_malloc (sizeof (struct grub_efiemu_mmap_scan) * 2 * mmap_num); ++ grub_calloc (mmap_num, sizeof (struct grub_efiemu_mmap_scan) * 2); + + /* Number of chunks can't increase more than by factor of 2 */ + result = (grub_efi_memory_descriptor_t *) +- grub_malloc (sizeof (grub_efi_memory_descriptor_t) * 2 * mmap_num); ++ grub_calloc (mmap_num, sizeof (grub_efi_memory_descriptor_t) * 2); + if (!result || !scanline_events) + { + grub_free (result); +@@ -660,7 +660,7 @@ grub_efiemu_mm_do_alloc (void) + + /* Preallocate mmap */ + efiemu_mmap = (grub_efi_memory_descriptor_t *) +- grub_malloc (mmap_reserved_size * sizeof (grub_efi_memory_descriptor_t)); ++ grub_calloc (mmap_reserved_size, sizeof (grub_efi_memory_descriptor_t)); + if (!efiemu_mmap) + { + grub_efiemu_unload (); +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 85a292557..8e118b315 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -293,8 +293,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct + font->num_chars = sect_length / FONT_CHAR_INDEX_ENTRY_SIZE; + + /* Allocate the character index array. */ +- font->char_index = grub_malloc (font->num_chars +- * sizeof (struct char_index_entry)); ++ font->char_index = grub_calloc (font->num_chars, sizeof (struct char_index_entry)); + if (!font->char_index) + return 1; + font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t)); +diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c +index 6b6a2bc91..220b3712f 100644 +--- a/grub-core/fs/affs.c ++++ b/grub-core/fs/affs.c +@@ -301,7 +301,7 @@ grub_affs_read_symlink (grub_fshelp_node_t node) + return 0; + } + latin1[symlink_size] = 0; +- utf8 = grub_malloc (symlink_size * GRUB_MAX_UTF8_PER_LATIN1 + 1); ++ utf8 = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, symlink_size); + if (!utf8) + { + grub_free (latin1); +@@ -422,7 +422,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir, + return 1; + } + +- hashtable = grub_zalloc (data->htsize * sizeof (*hashtable)); ++ hashtable = grub_calloc (data->htsize, sizeof (*hashtable)); + if (!hashtable) + return 1; + +@@ -628,7 +628,7 @@ grub_affs_label (grub_device_t device, char **label) + len = file.namelen; + if (len > sizeof (file.name)) + len = sizeof (file.name); +- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); ++ *label = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, len); + if (*label) + *grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0'; + } +diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c +index 48bd3d04a..11272efc1 100644 +--- a/grub-core/fs/btrfs.c ++++ b/grub-core/fs/btrfs.c +@@ -413,7 +413,7 @@ lower_bound (struct grub_btrfs_data *data, + { + desc->allocated = 16; + desc->depth = 0; +- desc->data = grub_malloc (sizeof (desc->data[0]) * desc->allocated); ++ desc->data = grub_calloc (desc->allocated, sizeof (desc->data[0])); + if (!desc->data) + return grub_errno; + } +@@ -752,7 +752,7 @@ raid56_read_retry (struct grub_btrfs_data *data, + grub_err_t ret = GRUB_ERR_OUT_OF_MEMORY; + grub_uint64_t i, failed_devices; + +- buffers = grub_zalloc (sizeof(*buffers) * nstripes); ++ buffers = grub_calloc (nstripes, sizeof (*buffers)); + if (!buffers) + goto cleanup; + +@@ -2160,7 +2160,7 @@ grub_btrfs_embed (grub_device_t device __attribute__ ((unused)), + *nsectors = 64 * 2 - 1; + if (*nsectors > max_nsectors) + *nsectors = max_nsectors; +- *sectors = grub_malloc (*nsectors * sizeof (**sectors)); ++ *sectors = grub_calloc (*nsectors, sizeof (**sectors)); + if (!*sectors) + return grub_errno; + for (i = 0; i < *nsectors; i++) +diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c +index ac0a40990..3fe842b4d 100644 +--- a/grub-core/fs/hfs.c ++++ b/grub-core/fs/hfs.c +@@ -1360,7 +1360,7 @@ grub_hfs_label (grub_device_t device, char **label) + grub_size_t len = data->sblock.volname[0]; + if (len > sizeof (data->sblock.volname) - 1) + len = sizeof (data->sblock.volname) - 1; +- *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1); ++ *label = grub_calloc (MAX_UTF8_PER_MAC_ROMAN + 1, len); + if (*label) + macroman_to_utf8 (*label, data->sblock.volname + 1, + len + 1, 0); +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index 54786bb1c..dae43becc 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -720,7 +720,7 @@ list_nodes (void *record, void *hook_arg) + if (! filename) + return 0; + +- keyname = grub_malloc (grub_be_to_cpu16 (catkey->namelen) * sizeof (*keyname)); ++ keyname = grub_calloc (grub_be_to_cpu16 (catkey->namelen), sizeof (*keyname)); + if (!keyname) + { + grub_free (filename); +@@ -1007,7 +1007,7 @@ grub_hfsplus_label (grub_device_t device, char **label) + grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr); + + label_len = grub_be_to_cpu16 (catkey->namelen); +- label_name = grub_malloc (label_len * sizeof (*label_name)); ++ label_name = grub_calloc (label_len, sizeof (*label_name)); + if (!label_name) + { + grub_free (node); +@@ -1029,7 +1029,7 @@ grub_hfsplus_label (grub_device_t device, char **label) + } + } + +- *label = grub_malloc (label_len * GRUB_MAX_UTF8_PER_UTF16 + 1); ++ *label = grub_calloc (label_len, GRUB_MAX_UTF8_PER_UTF16 + 1); + if (! *label) + { + grub_free (label_name); +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index 49c0c632b..4f1b52a55 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -331,7 +331,7 @@ grub_iso9660_convert_string (grub_uint8_t *us, int len) + int i; + grub_uint16_t t[MAX_NAMELEN / 2 + 1]; + +- p = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1); ++ p = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1); + if (! p) + return NULL; + +diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c +index fc4e1f678..2f34f76da 100644 +--- a/grub-core/fs/ntfs.c ++++ b/grub-core/fs/ntfs.c +@@ -556,8 +556,8 @@ get_utf8 (grub_uint8_t *in, grub_size_t len) + grub_uint16_t *tmp; + grub_size_t i; + +- buf = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1); +- tmp = grub_malloc (len * sizeof (tmp[0])); ++ buf = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1); ++ tmp = grub_calloc (len, sizeof (tmp[0])); + if (!buf || !tmp) + { + grub_free (buf); +diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c +index 50c1fe72f..90f7fb379 100644 +--- a/grub-core/fs/sfs.c ++++ b/grub-core/fs/sfs.c +@@ -266,7 +266,7 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) + node->next_extent = node->block; + node->cache_size = 0; + +- node->cache = grub_malloc (sizeof (node->cache[0]) * cache_size); ++ node->cache = grub_calloc (cache_size, sizeof (node->cache[0])); + if (!node->cache) + { + grub_errno = 0; +diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c +index 7d63e0c99..c551ed6b5 100644 +--- a/grub-core/fs/tar.c ++++ b/grub-core/fs/tar.c +@@ -120,7 +120,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name, + if (data->linkname_alloc < linksize + 1) + { + char *n; +- n = grub_malloc (2 * (linksize + 1)); ++ n = grub_calloc (2, linksize + 1); + if (!n) + return grub_errno; + grub_free (data->linkname); +diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c +index dc8b6e2d1..a83761674 100644 +--- a/grub-core/fs/udf.c ++++ b/grub-core/fs/udf.c +@@ -873,7 +873,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf) + { + unsigned i; + utf16len = sz - 1; +- utf16 = grub_malloc (utf16len * sizeof (utf16[0])); ++ utf16 = grub_calloc (utf16len, sizeof (utf16[0])); + if (!utf16) + return NULL; + for (i = 0; i < utf16len; i++) +@@ -883,7 +883,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf) + { + unsigned i; + utf16len = (sz - 1) / 2; +- utf16 = grub_malloc (utf16len * sizeof (utf16[0])); ++ utf16 = grub_calloc (utf16len, sizeof (utf16[0])); + if (!utf16) + return NULL; + for (i = 0; i < utf16len; i++) +diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c +index 2f72e42bf..381dde556 100644 +--- a/grub-core/fs/zfs/zfs.c ++++ b/grub-core/fs/zfs/zfs.c +@@ -3325,7 +3325,7 @@ dnode_get_fullpath (const char *fullpath, struct subvolume *subvol, + } + subvol->nkeys = 0; + zap_iterate (&keychain_dn, 8, count_zap_keys, &ctx, data); +- subvol->keyring = grub_zalloc (subvol->nkeys * sizeof (subvol->keyring[0])); ++ subvol->keyring = grub_calloc (subvol->nkeys, sizeof (subvol->keyring[0])); + if (!subvol->keyring) + { + grub_free (fsname); +@@ -4336,7 +4336,7 @@ grub_zfs_embed (grub_device_t device __attribute__ ((unused)), + *nsectors = (VDEV_BOOT_SIZE >> GRUB_DISK_SECTOR_BITS); + if (*nsectors > max_nsectors) + *nsectors = max_nsectors; +- *sectors = grub_malloc (*nsectors * sizeof (**sectors)); ++ *sectors = grub_calloc (*nsectors, sizeof (**sectors)); + if (!*sectors) + return grub_errno; + for (i = 0; i < *nsectors; i++) +diff --git a/grub-core/gfxmenu/gui_string_util.c b/grub-core/gfxmenu/gui_string_util.c +index a9a415e31..ba1e1eab3 100644 +--- a/grub-core/gfxmenu/gui_string_util.c ++++ b/grub-core/gfxmenu/gui_string_util.c +@@ -55,7 +55,7 @@ canonicalize_path (const char *path) + if (*p == '/') + components++; + +- char **path_array = grub_malloc (components * sizeof (*path_array)); ++ char **path_array = grub_calloc (components, sizeof (*path_array)); + if (! path_array) + return 0; + +diff --git a/grub-core/gfxmenu/widget-box.c b/grub-core/gfxmenu/widget-box.c +index b60602889..470597ded 100644 +--- a/grub-core/gfxmenu/widget-box.c ++++ b/grub-core/gfxmenu/widget-box.c +@@ -303,10 +303,10 @@ grub_gfxmenu_create_box (const char *pixmaps_prefix, + box->content_height = 0; + box->raw_pixmaps = + (struct grub_video_bitmap **) +- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *)); ++ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *)); + box->scaled_pixmaps = + (struct grub_video_bitmap **) +- grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *)); ++ grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *)); + + /* Initialize all pixmap pointers to NULL so that proper destruction can + be performed if an error is encountered partway through construction. */ +diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c +index 6208a9763..43d98a7bd 100644 +--- a/grub-core/io/gzio.c ++++ b/grub-core/io/gzio.c +@@ -554,7 +554,7 @@ huft_build (unsigned *b, /* code lengths in bits (all assumed <= BMAX) */ + z = 1 << j; /* table entries for j-bit table */ + + /* allocate and link in new table */ +- q = (struct huft *) grub_zalloc ((z + 1) * sizeof (struct huft)); ++ q = (struct huft *) grub_calloc (z + 1, sizeof (struct huft)); + if (! q) + { + if (h) +diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c +index 6e1ceb905..dc31caa21 100644 +--- a/grub-core/kern/efi/efi.c ++++ b/grub-core/kern/efi/efi.c +@@ -202,7 +202,7 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid, + + len = grub_strlen (var); + len16 = len * GRUB_MAX_UTF16_PER_UTF8; +- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0])); ++ var16 = grub_calloc (len16 + 1, sizeof (var16[0])); + if (!var16) + return grub_errno; + len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL); +@@ -237,7 +237,7 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid, + + len = grub_strlen (var); + len16 = len * GRUB_MAX_UTF16_PER_UTF8; +- var16 = grub_malloc ((len16 + 1) * sizeof (var16[0])); ++ var16 = grub_calloc (len16 + 1, sizeof (var16[0])); + if (!var16) + return NULL; + len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL); +@@ -383,7 +383,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0) + while (len > 0 && fp->path_name[len - 1] == 0) + len--; + +- dup_name = grub_malloc (len * sizeof (*dup_name)); ++ dup_name = grub_calloc (len, sizeof (*dup_name)); + if (!dup_name) + { + grub_free (name); +diff --git a/grub-core/kern/emu/hostdisk.c b/grub-core/kern/emu/hostdisk.c +index e9ec680cd..d975265b2 100644 +--- a/grub-core/kern/emu/hostdisk.c ++++ b/grub-core/kern/emu/hostdisk.c +@@ -615,7 +615,7 @@ static char * + grub_util_path_concat_real (size_t n, int ext, va_list ap) + { + size_t totlen = 0; +- char **l = xmalloc ((n + ext) * sizeof (l[0])); ++ char **l = xcalloc (n + ext, sizeof (l[0])); + char *r, *p, *pi; + size_t i; + int first = 1; +diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c +index 2b85f4950..f90be6566 100644 +--- a/grub-core/kern/fs.c ++++ b/grub-core/kern/fs.c +@@ -151,7 +151,7 @@ grub_fs_blocklist_open (grub_file_t file, const char *name) + while (p); + + /* Allocate a block list. */ +- blocks = grub_zalloc (sizeof (struct grub_fs_block) * (num + 1)); ++ blocks = grub_calloc (num + 1, sizeof (struct grub_fs_block)); + if (! blocks) + return 0; + +diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c +index 3b633d51f..a7abd367a 100644 +--- a/grub-core/kern/misc.c ++++ b/grub-core/kern/misc.c +@@ -690,7 +690,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args, + args->ptr = args->prealloc; + else + { +- args->ptr = grub_malloc (args->count * sizeof (args->ptr[0])); ++ args->ptr = grub_calloc (args->count, sizeof (args->ptr[0])); + if (!args->ptr) + { + grub_errno = GRUB_ERR_NONE; +diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c +index 78175aac2..619db3122 100644 +--- a/grub-core/kern/parser.c ++++ b/grub-core/kern/parser.c +@@ -213,7 +213,7 @@ grub_parser_split_cmdline (const char *cmdline, + return grub_errno; + grub_memcpy (args, buffer, bp - buffer); + +- *argv = grub_malloc (sizeof (char *) * (*argc + 1)); ++ *argv = grub_calloc (*argc + 1, sizeof (char *)); + if (!*argv) + { + grub_free (args); +diff --git a/grub-core/kern/uboot/uboot.c b/grub-core/kern/uboot/uboot.c +index be4816fe6..aac8f9ae1 100644 +--- a/grub-core/kern/uboot/uboot.c ++++ b/grub-core/kern/uboot/uboot.c +@@ -133,7 +133,7 @@ grub_uboot_dev_enum (void) + return num_devices; + + max_devices = 2; +- enum_devices = grub_malloc (sizeof(struct device_info) * max_devices); ++ enum_devices = grub_calloc (max_devices, sizeof(struct device_info)); + if (!enum_devices) + return 0; + +diff --git a/grub-core/lib/libgcrypt/cipher/ac.c b/grub-core/lib/libgcrypt/cipher/ac.c +index f5e946a2d..63f6fcd11 100644 +--- a/grub-core/lib/libgcrypt/cipher/ac.c ++++ b/grub-core/lib/libgcrypt/cipher/ac.c +@@ -185,7 +185,7 @@ ac_data_mpi_copy (gcry_ac_mpi_t *data_mpis, unsigned int data_mpis_n, + gcry_mpi_t mpi; + char *label; + +- data_mpis_new = gcry_malloc (sizeof (*data_mpis_new) * data_mpis_n); ++ data_mpis_new = gcry_calloc (data_mpis_n, sizeof (*data_mpis_new)); + if (! data_mpis_new) + { + err = gcry_error_from_errno (errno); +@@ -572,7 +572,7 @@ _gcry_ac_data_to_sexp (gcry_ac_data_t data, gcry_sexp_t *sexp, + } + + /* Add MPI list. */ +- arg_list = gcry_malloc (sizeof (*arg_list) * (data_n + 1)); ++ arg_list = gcry_calloc (data_n + 1, sizeof (*arg_list)); + if (! arg_list) + { + err = gcry_error_from_errno (errno); +@@ -1283,7 +1283,7 @@ ac_data_construct (const char *identifier, int include_flags, + /* We build a list of arguments to pass to + gcry_sexp_build_array(). */ + data_length = _gcry_ac_data_length (data); +- arg_list = gcry_malloc (sizeof (*arg_list) * (data_length * 2)); ++ arg_list = gcry_calloc (data_length, sizeof (*arg_list) * 2); + if (! arg_list) + { + err = gcry_error_from_errno (errno); +@@ -1593,7 +1593,7 @@ _gcry_ac_key_pair_generate (gcry_ac_handle_t handle, unsigned int nbits, + arg_list_n += 2; + + /* Allocate list. */ +- arg_list = gcry_malloc (sizeof (*arg_list) * arg_list_n); ++ arg_list = gcry_calloc (arg_list_n, sizeof (*arg_list)); + if (! arg_list) + { + err = gcry_error_from_errno (errno); +diff --git a/grub-core/lib/libgcrypt/cipher/primegen.c b/grub-core/lib/libgcrypt/cipher/primegen.c +index 2788e349f..b12e79b19 100644 +--- a/grub-core/lib/libgcrypt/cipher/primegen.c ++++ b/grub-core/lib/libgcrypt/cipher/primegen.c +@@ -383,7 +383,7 @@ prime_generate_internal (int need_q_factor, + } + + /* Allocate an array to track pool usage. */ +- pool_in_use = gcry_malloc (n * sizeof *pool_in_use); ++ pool_in_use = gcry_calloc (n, sizeof *pool_in_use); + if (!pool_in_use) + { + err = gpg_err_code_from_errno (errno); +@@ -765,7 +765,7 @@ gen_prime (unsigned int nbits, int secret, int randomlevel, + if (nbits < 16) + log_fatal ("can't generate a prime with less than %d bits\n", 16); + +- mods = gcry_xmalloc( no_of_small_prime_numbers * sizeof *mods ); ++ mods = gcry_xcalloc( no_of_small_prime_numbers, sizeof *mods); + /* Make nbits fit into gcry_mpi_t implementation. */ + val_2 = mpi_alloc_set_ui( 2 ); + val_3 = mpi_alloc_set_ui( 3); +diff --git a/grub-core/lib/libgcrypt/cipher/pubkey.c b/grub-core/lib/libgcrypt/cipher/pubkey.c +index 910982141..ca087ad75 100644 +--- a/grub-core/lib/libgcrypt/cipher/pubkey.c ++++ b/grub-core/lib/libgcrypt/cipher/pubkey.c +@@ -2941,7 +2941,7 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t s_pkey) + * array to a format string, so we have to do it this way :-(. */ + /* FIXME: There is now such a format specifier, so we can + change the code to be more clear. */ +- arg_list = malloc (nelem * sizeof *arg_list); ++ arg_list = calloc (nelem, sizeof *arg_list); + if (!arg_list) + { + rc = gpg_err_code_from_syserror (); +@@ -3233,7 +3233,7 @@ gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey) + } + strcpy (p, "))"); + +- arg_list = malloc (nelem * sizeof *arg_list); ++ arg_list = calloc (nelem, sizeof *arg_list); + if (!arg_list) + { + rc = gpg_err_code_from_syserror (); +diff --git a/grub-core/lib/priority_queue.c b/grub-core/lib/priority_queue.c +index 659be0b7f..7d5e7c05a 100644 +--- a/grub-core/lib/priority_queue.c ++++ b/grub-core/lib/priority_queue.c +@@ -92,7 +92,7 @@ grub_priority_queue_new (grub_size_t elsize, + { + struct grub_priority_queue *ret; + void *els; +- els = grub_malloc (elsize * 8); ++ els = grub_calloc (8, elsize); + if (!els) + return 0; + ret = (struct grub_priority_queue *) grub_malloc (sizeof (*ret)); +diff --git a/grub-core/lib/reed_solomon.c b/grub-core/lib/reed_solomon.c +index ee9fa7b4f..467305b46 100644 +--- a/grub-core/lib/reed_solomon.c ++++ b/grub-core/lib/reed_solomon.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#define xcalloc calloc + #define xmalloc malloc + #define grub_memset memset + #define grub_memcpy memcpy +@@ -158,11 +159,9 @@ rs_encode (gf_single_t *data, grub_size_t s, grub_size_t rs) + gf_single_t *rs_polynomial; + int i, j; + gf_single_t *m; +- m = xmalloc ((s + rs) * sizeof (gf_single_t)); ++ m = xcalloc (s + rs, sizeof (gf_single_t)); + grub_memcpy (m, data, s * sizeof (gf_single_t)); +- grub_memset (m + s, 0, rs * sizeof (gf_single_t)); +- rs_polynomial = xmalloc ((rs + 1) * sizeof (gf_single_t)); +- grub_memset (rs_polynomial, 0, (rs + 1) * sizeof (gf_single_t)); ++ rs_polynomial = xcalloc (rs + 1, sizeof (gf_single_t)); + rs_polynomial[rs] = 1; + /* Multiply with X - a^r */ + for (j = 0; j < rs; j++) +diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c +index ea3ebc719..5847aac36 100644 +--- a/grub-core/lib/relocator.c ++++ b/grub-core/lib/relocator.c +@@ -495,9 +495,9 @@ malloc_in_range (struct grub_relocator *rel, + } + #endif + +- eventt = grub_malloc (maxevents * sizeof (events[0])); ++ eventt = grub_calloc (maxevents, sizeof (events[0])); + counter = grub_malloc ((DIGITSORT_MASK + 2) * sizeof (counter[0])); +- events = grub_malloc (maxevents * sizeof (events[0])); ++ events = grub_calloc (maxevents, sizeof (events[0])); + if (!events || !eventt || !counter) + { + grub_dprintf ("relocator", "events or counter allocation failed %d\n", +@@ -963,7 +963,7 @@ malloc_in_range (struct grub_relocator *rel, + #endif + unsigned cural = 0; + int oom = 0; +- res->subchunks = grub_malloc (sizeof (res->subchunks[0]) * nallocs); ++ res->subchunks = grub_calloc (nallocs, sizeof (res->subchunks[0])); + if (!res->subchunks) + oom = 1; + res->nsubchunks = nallocs; +@@ -1562,8 +1562,8 @@ grub_relocator_prepare_relocs (struct grub_relocator *rel, grub_addr_t addr, + count[(chunk->src & 0xff) + 1]++; + } + } +- from = grub_malloc (nchunks * sizeof (sorted[0])); +- to = grub_malloc (nchunks * sizeof (sorted[0])); ++ from = grub_calloc (nchunks, sizeof (sorted[0])); ++ to = grub_calloc (nchunks, sizeof (sorted[0])); + if (!from || !to) + { + grub_free (from); +diff --git a/grub-core/lib/zstd/fse_decompress.c b/grub-core/lib/zstd/fse_decompress.c +index 72bbead5b..2227b84bc 100644 +--- a/grub-core/lib/zstd/fse_decompress.c ++++ b/grub-core/lib/zstd/fse_decompress.c +@@ -82,7 +82,7 @@ + FSE_DTable* FSE_createDTable (unsigned tableLog) + { + if (tableLog > FSE_TABLELOG_ABSOLUTE_MAX) tableLog = FSE_TABLELOG_ABSOLUTE_MAX; +- return (FSE_DTable*)malloc( FSE_DTABLE_SIZE_U32(tableLog) * sizeof (U32) ); ++ return (FSE_DTable*)calloc( FSE_DTABLE_SIZE_U32(tableLog), sizeof (U32) ); + } + + void FSE_freeDTable (FSE_DTable* dt) +diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c +index 51684914c..d70c17486 100644 +--- a/grub-core/loader/arm/linux.c ++++ b/grub-core/loader/arm/linux.c +@@ -78,7 +78,7 @@ linux_prepare_atag (void *target_atag) + + /* some place for cmdline, initrd and terminator. */ + tmp_size = get_atag_size (atag_orig) + 20 + (arg_size) / 4; +- tmp_atag = grub_malloc (tmp_size * sizeof (grub_uint32_t)); ++ tmp_atag = grub_calloc (tmp_size, sizeof (grub_uint32_t)); + if (!tmp_atag) + return grub_errno; + +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index cd92ea3f2..daf8c6b54 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -116,7 +116,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp, + fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE; + fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE; + +- path_name = grub_malloc (len * GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name)); ++ path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name)); + if (!path_name) + return; + +diff --git a/grub-core/loader/i386/bsdXX.c b/grub-core/loader/i386/bsdXX.c +index af6741d15..a8d8bf7da 100644 +--- a/grub-core/loader/i386/bsdXX.c ++++ b/grub-core/loader/i386/bsdXX.c +@@ -48,7 +48,7 @@ read_headers (grub_file_t file, const char *filename, Elf_Ehdr *e, char **shdr) + if (e->e_ident[EI_CLASS] != SUFFIX (ELFCLASS)) + return grub_error (GRUB_ERR_BAD_OS, N_("invalid arch-dependent ELF magic")); + +- *shdr = grub_malloc ((grub_uint32_t) e->e_shnum * e->e_shentsize); ++ *shdr = grub_calloc (e->e_shnum, e->e_shentsize); + if (! *shdr) + return grub_errno; + +diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c +index e64ed08f5..b7d176b5d 100644 +--- a/grub-core/loader/i386/xnu.c ++++ b/grub-core/loader/i386/xnu.c +@@ -295,7 +295,7 @@ grub_xnu_devprop_add_property_utf8 (struct grub_xnu_devprop_device_descriptor *d + return grub_errno; + + len = grub_strlen (name); +- utf16 = grub_malloc (sizeof (grub_uint16_t) * len); ++ utf16 = grub_calloc (len, sizeof (grub_uint16_t)); + if (!utf16) + { + grub_free (utf8); +@@ -331,7 +331,7 @@ grub_xnu_devprop_add_property_utf16 (struct grub_xnu_devprop_device_descriptor * + grub_uint16_t *utf16; + grub_err_t err; + +- utf16 = grub_malloc (sizeof (grub_uint16_t) * namelen); ++ utf16 = grub_calloc (namelen, sizeof (grub_uint16_t)); + if (!utf16) + return grub_errno; + grub_memcpy (utf16, name, sizeof (grub_uint16_t) * namelen); +diff --git a/grub-core/loader/macho.c b/grub-core/loader/macho.c +index 085f9c689..05710c48e 100644 +--- a/grub-core/loader/macho.c ++++ b/grub-core/loader/macho.c +@@ -97,7 +97,7 @@ grub_macho_file (grub_file_t file, const char *filename, int is_64bit) + if (grub_file_seek (macho->file, sizeof (struct grub_macho_fat_header)) + == (grub_off_t) -1) + goto fail; +- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs); ++ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch)); + if (!archs) + goto fail; + if (grub_file_read (macho->file, archs, +diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c +index 70cd1db51..cc6853692 100644 +--- a/grub-core/loader/multiboot_elfxx.c ++++ b/grub-core/loader/multiboot_elfxx.c +@@ -217,7 +217,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld) + { + grub_uint8_t *shdr, *shdrptr; + +- shdr = grub_malloc ((grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize); ++ shdr = grub_calloc (ehdr->e_shnum, ehdr->e_shentsize); + if (!shdr) + return grub_errno; + +diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c +index 7f74d1d6f..77d7060e1 100644 +--- a/grub-core/loader/xnu.c ++++ b/grub-core/loader/xnu.c +@@ -800,7 +800,7 @@ grub_cmd_xnu_mkext (grub_command_t cmd __attribute__ ((unused)), + if (grub_be_to_cpu32 (head.magic) == GRUB_MACHO_FAT_MAGIC) + { + narchs = grub_be_to_cpu32 (head.nfat_arch); +- archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs); ++ archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch)); + if (! archs) + { + grub_file_close (file); +diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c +index 6a31cbae3..57b4e9a72 100644 +--- a/grub-core/mmap/mmap.c ++++ b/grub-core/mmap/mmap.c +@@ -143,9 +143,9 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data) + + /* Initialize variables. */ + ctx.scanline_events = (struct grub_mmap_scan *) +- grub_malloc (sizeof (struct grub_mmap_scan) * 2 * mmap_num); ++ grub_calloc (mmap_num, sizeof (struct grub_mmap_scan) * 2); + +- present = grub_zalloc (sizeof (present[0]) * current_priority); ++ present = grub_calloc (current_priority, sizeof (present[0])); + + if (! ctx.scanline_events || !present) + { +diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c +index 04cfbb045..653957200 100644 +--- a/grub-core/net/bootp.c ++++ b/grub-core/net/bootp.c +@@ -766,7 +766,7 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)), + if (ncards == 0) + return grub_error (GRUB_ERR_NET_NO_CARD, N_("no network card found")); + +- ifaces = grub_zalloc (ncards * sizeof (ifaces[0])); ++ ifaces = grub_calloc (ncards, sizeof (ifaces[0])); + if (!ifaces) + return grub_errno; + +diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c +index 5d9afe093..e332d5eb4 100644 +--- a/grub-core/net/dns.c ++++ b/grub-core/net/dns.c +@@ -285,8 +285,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + ptr++; + ptr += 4; + } +- *data->addresses = grub_malloc (sizeof ((*data->addresses)[0]) +- * grub_be_to_cpu16 (head->ancount)); ++ *data->addresses = grub_calloc (grub_be_to_cpu16 (head->ancount), ++ sizeof ((*data->addresses)[0])); + if (!*data->addresses) + { + grub_errno = GRUB_ERR_NONE; +@@ -406,8 +406,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)), + dns_cache[h].addresses = 0; + dns_cache[h].name = grub_strdup (data->oname); + dns_cache[h].naddresses = *data->naddresses; +- dns_cache[h].addresses = grub_malloc (*data->naddresses +- * sizeof (dns_cache[h].addresses[0])); ++ dns_cache[h].addresses = grub_calloc (*data->naddresses, ++ sizeof (dns_cache[h].addresses[0])); + dns_cache[h].limit_time = grub_get_time_ms () + 1000 * ttl_all; + if (!dns_cache[h].addresses || !dns_cache[h].name) + { +@@ -479,7 +479,7 @@ grub_net_dns_lookup (const char *name, + } + } + +- sockets = grub_malloc (sizeof (sockets[0]) * n_servers); ++ sockets = grub_calloc (n_servers, sizeof (sockets[0])); + if (!sockets) + return grub_errno; + +diff --git a/grub-core/net/net.c b/grub-core/net/net.c +index d5d726a31..38f19dfc9 100644 +--- a/grub-core/net/net.c ++++ b/grub-core/net/net.c +@@ -333,8 +333,8 @@ grub_cmd_ipv6_autoconf (struct grub_command *cmd __attribute__ ((unused)), + ncards++; + } + +- ifaces = grub_zalloc (ncards * sizeof (ifaces[0])); +- slaacs = grub_zalloc (ncards * sizeof (slaacs[0])); ++ ifaces = grub_calloc (ncards, sizeof (ifaces[0])); ++ slaacs = grub_calloc (ncards, sizeof (slaacs[0])); + if (!ifaces || !slaacs) + { + grub_free (ifaces); +diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c +index b0ab47d73..d57fb72fa 100644 +--- a/grub-core/normal/charset.c ++++ b/grub-core/normal/charset.c +@@ -203,7 +203,7 @@ grub_utf8_to_ucs4_alloc (const char *msg, grub_uint32_t **unicode_msg, + { + grub_size_t msg_len = grub_strlen (msg); + +- *unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t)); ++ *unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t)); + + if (!*unicode_msg) + return -1; +@@ -488,7 +488,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, + } + else + { +- n = grub_malloc (sizeof (n[0]) * (out->ncomb + 1)); ++ n = grub_calloc (out->ncomb + 1, sizeof (n[0])); + if (!n) + { + grub_errno = GRUB_ERR_NONE; +@@ -842,7 +842,7 @@ grub_bidi_line_logical_to_visual (const grub_uint32_t *logical, + } \ + } + +- visual = grub_malloc (sizeof (visual[0]) * logical_len); ++ visual = grub_calloc (logical_len, sizeof (visual[0])); + if (!visual) + return -1; + +@@ -1165,8 +1165,8 @@ grub_bidi_logical_to_visual (const grub_uint32_t *logical, + { + const grub_uint32_t *line_start = logical, *ptr; + struct grub_unicode_glyph *visual_ptr; +- *visual_out = visual_ptr = grub_malloc (3 * sizeof (visual_ptr[0]) +- * (logical_len + 2)); ++ *visual_out = visual_ptr = grub_calloc (logical_len + 2, ++ 3 * sizeof (visual_ptr[0])); + if (!visual_ptr) + return -1; + for (ptr = logical; ptr <= logical + logical_len; ptr++) +diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c +index c037d5050..c57242e2e 100644 +--- a/grub-core/normal/cmdline.c ++++ b/grub-core/normal/cmdline.c +@@ -41,7 +41,7 @@ grub_err_t + grub_set_history (int newsize) + { + grub_uint32_t **old_hist_lines = hist_lines; +- hist_lines = grub_malloc (sizeof (grub_uint32_t *) * newsize); ++ hist_lines = grub_calloc (newsize, sizeof (grub_uint32_t *)); + + /* Copy the old lines into the new buffer. */ + if (old_hist_lines) +@@ -114,7 +114,7 @@ static void + grub_history_set (int pos, grub_uint32_t *s, grub_size_t len) + { + grub_free (hist_lines[pos]); +- hist_lines[pos] = grub_malloc ((len + 1) * sizeof (grub_uint32_t)); ++ hist_lines[pos] = grub_calloc (len + 1, sizeof (grub_uint32_t)); + if (!hist_lines[pos]) + { + grub_print_error (); +@@ -349,7 +349,7 @@ grub_cmdline_get (const char *prompt_translated) + char *ret; + unsigned nterms; + +- buf = grub_malloc (max_len * sizeof (grub_uint32_t)); ++ buf = grub_calloc (max_len, sizeof (grub_uint32_t)); + if (!buf) + return 0; + +@@ -377,7 +377,7 @@ grub_cmdline_get (const char *prompt_translated) + FOR_ACTIVE_TERM_OUTPUTS(cur) + nterms++; + +- cl_terms = grub_malloc (sizeof (cl_terms[0]) * nterms); ++ cl_terms = grub_calloc (nterms, sizeof (cl_terms[0])); + if (!cl_terms) + { + grub_free (buf); +@@ -385,7 +385,7 @@ grub_cmdline_get (const char *prompt_translated) + } + cl_term_cur = cl_terms; + +- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t)); ++ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t)); + if (!unicode_msg) + { + grub_free (buf); +@@ -495,7 +495,7 @@ grub_cmdline_get (const char *prompt_translated) + grub_uint32_t *insert; + + insertlen = grub_strlen (insertu8); +- insert = grub_malloc ((insertlen + 1) * sizeof (grub_uint32_t)); ++ insert = grub_calloc (insertlen + 1, sizeof (grub_uint32_t)); + if (!insert) + { + grub_free (insertu8); +@@ -602,7 +602,7 @@ grub_cmdline_get (const char *prompt_translated) + + grub_free (kill_buf); + +- kill_buf = grub_malloc ((n + 1) * sizeof(grub_uint32_t)); ++ kill_buf = grub_calloc (n + 1, sizeof (grub_uint32_t)); + if (grub_errno) + { + grub_print_error (); +diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c +index cdf3590a3..1993995be 100644 +--- a/grub-core/normal/menu_entry.c ++++ b/grub-core/normal/menu_entry.c +@@ -95,8 +95,8 @@ init_line (struct screen *screen, struct line *linep) + { + linep->len = 0; + linep->max_len = 80; +- linep->buf = grub_malloc ((linep->max_len + 1) * sizeof (linep->buf[0])); +- linep->pos = grub_zalloc (screen->nterms * sizeof (linep->pos[0])); ++ linep->buf = grub_calloc (linep->max_len + 1, sizeof (linep->buf[0])); ++ linep->pos = grub_calloc (screen->nterms, sizeof (linep->pos[0])); + if (! linep->buf || !linep->pos) + { + grub_free (linep->buf); +@@ -287,7 +287,7 @@ update_screen (struct screen *screen, struct per_term_screen *term_screen, + pos = linep->pos + (term_screen - screen->terms); + + if (!*pos) +- *pos = grub_zalloc ((linep->len + 1) * sizeof (**pos)); ++ *pos = grub_calloc (linep->len + 1, sizeof (**pos)); + + if (i == region_start || linep == screen->lines + screen->line + || (i > region_start && mode == ALL_LINES)) +@@ -471,7 +471,7 @@ insert_string (struct screen *screen, const char *s, int update) + + /* Insert the string. */ + current_linep = screen->lines + screen->line; +- unicode_msg = grub_malloc ((p - s) * sizeof (grub_uint32_t)); ++ unicode_msg = grub_calloc (p - s, sizeof (grub_uint32_t)); + + if (!unicode_msg) + return 0; +@@ -1023,7 +1023,7 @@ complete (struct screen *screen, int continuous, int update) + if (completion_buffer.buf) + { + buflen = grub_strlen (completion_buffer.buf); +- ucs4 = grub_malloc (sizeof (grub_uint32_t) * (buflen + 1)); ++ ucs4 = grub_calloc (buflen + 1, sizeof (grub_uint32_t)); + + if (!ucs4) + { +@@ -1268,7 +1268,7 @@ grub_menu_entry_run (grub_menu_entry_t entry) + for (i = 0; i < (unsigned) screen->num_lines; i++) + { + grub_free (screen->lines[i].pos); +- screen->lines[i].pos = grub_zalloc (screen->nterms * sizeof (screen->lines[i].pos[0])); ++ screen->lines[i].pos = grub_calloc (screen->nterms, sizeof (screen->lines[i].pos[0])); + if (! screen->lines[i].pos) + { + grub_print_error (); +@@ -1278,7 +1278,7 @@ grub_menu_entry_run (grub_menu_entry_t entry) + } + } + +- screen->terms = grub_zalloc (screen->nterms * sizeof (screen->terms[0])); ++ screen->terms = grub_calloc (screen->nterms, sizeof (screen->terms[0])); + if (!screen->terms) + { + grub_print_error (); +diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c +index e22bb91f6..18240e76c 100644 +--- a/grub-core/normal/menu_text.c ++++ b/grub-core/normal/menu_text.c +@@ -78,7 +78,7 @@ grub_print_message_indented_real (const char *msg, int margin_left, + grub_size_t msg_len = grub_strlen (msg) + 2; + int ret = 0; + +- unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t)); ++ unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t)); + + if (!unicode_msg) + return 0; +@@ -211,7 +211,7 @@ print_entry (int y, int highlight, grub_menu_entry_t entry, + + title = entry ? entry->title : ""; + title_len = grub_strlen (title); +- unicode_title = grub_malloc (title_len * sizeof (*unicode_title)); ++ unicode_title = grub_calloc (title_len, sizeof (*unicode_title)); + if (! unicode_title) + /* XXX How to show this error? */ + return; +diff --git a/grub-core/normal/term.c b/grub-core/normal/term.c +index a1e5c5a0d..cc8c173b6 100644 +--- a/grub-core/normal/term.c ++++ b/grub-core/normal/term.c +@@ -264,7 +264,7 @@ grub_term_save_pos (void) + FOR_ACTIVE_TERM_OUTPUTS(cur) + cnt++; + +- ret = grub_malloc (cnt * sizeof (ret[0])); ++ ret = grub_calloc (cnt, sizeof (ret[0])); + if (!ret) + return NULL; + +@@ -1013,7 +1013,7 @@ grub_xnputs (const char *str, grub_size_t msg_len) + + grub_error_push (); + +- unicode_str = grub_malloc (msg_len * sizeof (grub_uint32_t)); ++ unicode_str = grub_calloc (msg_len, sizeof (grub_uint32_t)); + + grub_error_pop (); + +diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c +index 90d92d3ad..5b41ad022 100644 +--- a/grub-core/osdep/linux/getroot.c ++++ b/grub-core/osdep/linux/getroot.c +@@ -168,7 +168,7 @@ grub_util_raid_getmembers (const char *name, int bootable) + if (ret != 0) + grub_util_error (_("ioctl GET_ARRAY_INFO error: %s"), strerror (errno)); + +- devicelist = xmalloc ((info.nr_disks + 1) * sizeof (char *)); ++ devicelist = xcalloc (info.nr_disks + 1, sizeof (char *)); + + for (i = 0, j = 0; j < info.nr_disks; i++) + { +@@ -241,7 +241,7 @@ grub_find_root_devices_from_btrfs (const char *dir) + return NULL; + } + +- ret = xmalloc ((fsi.num_devices + 1) * sizeof (ret[0])); ++ ret = xcalloc (fsi.num_devices + 1, sizeof (ret[0])); + + for (i = 1; i <= fsi.max_id && j < fsi.num_devices; i++) + { +@@ -396,7 +396,7 @@ grub_find_root_devices_from_mountinfo (const char *dir, char **relroot) + if (relroot) + *relroot = NULL; + +- entries = xmalloc (entry_max * sizeof (*entries)); ++ entries = xcalloc (entry_max, sizeof (*entries)); + + again: + fp = grub_util_fopen ("/proc/self/mountinfo", "r"); +diff --git a/grub-core/osdep/unix/config.c b/grub-core/osdep/unix/config.c +index 65effa9f3..7d6325138 100644 +--- a/grub-core/osdep/unix/config.c ++++ b/grub-core/osdep/unix/config.c +@@ -89,7 +89,7 @@ grub_util_load_config (struct grub_util_config *cfg) + argv[0] = "sh"; + argv[1] = "-c"; + +- script = xmalloc (4 * strlen (cfgfile) + 300); ++ script = xcalloc (4, strlen (cfgfile) + 300); + + ptr = script; + memcpy (ptr, ". '", 3); +diff --git a/grub-core/osdep/windows/getroot.c b/grub-core/osdep/windows/getroot.c +index 661d95461..eada663b2 100644 +--- a/grub-core/osdep/windows/getroot.c ++++ b/grub-core/osdep/windows/getroot.c +@@ -59,7 +59,7 @@ grub_get_mount_point (const TCHAR *path) + + for (ptr = path; *ptr; ptr++); + allocsize = (ptr - path + 10) * 2; +- out = xmalloc (allocsize * sizeof (out[0])); ++ out = xcalloc (allocsize, sizeof (out[0])); + + /* When pointing to EFI system partition GetVolumePathName fails + for ESP root and returns abberant information for everything +diff --git a/grub-core/osdep/windows/hostdisk.c b/grub-core/osdep/windows/hostdisk.c +index 355100789..0be327394 100644 +--- a/grub-core/osdep/windows/hostdisk.c ++++ b/grub-core/osdep/windows/hostdisk.c +@@ -111,7 +111,7 @@ grub_util_get_windows_path_real (const char *path) + + while (1) + { +- fpa = xmalloc (alloc * sizeof (fpa[0])); ++ fpa = xcalloc (alloc, sizeof (fpa[0])); + + len = GetFullPathName (tpath, alloc, fpa, NULL); + if (len >= alloc) +@@ -399,7 +399,7 @@ grub_util_fd_opendir (const char *name) + for (l = 0; name_windows[l]; l++); + for (l--; l >= 0 && (name_windows[l] == '\\' || name_windows[l] == '/'); l--); + l++; +- pattern = xmalloc ((l + 3) * sizeof (pattern[0])); ++ pattern = xcalloc (l + 3, sizeof (pattern[0])); + memcpy (pattern, name_windows, l * sizeof (pattern[0])); + pattern[l] = '\\'; + pattern[l + 1] = '*'; +diff --git a/grub-core/osdep/windows/init.c b/grub-core/osdep/windows/init.c +index e8ffd62c6..6297de632 100644 +--- a/grub-core/osdep/windows/init.c ++++ b/grub-core/osdep/windows/init.c +@@ -161,7 +161,7 @@ grub_util_host_init (int *argc __attribute__ ((unused)), + LPWSTR *targv; + + targv = CommandLineToArgvW (tcmdline, argc); +- *argv = xmalloc ((*argc + 1) * sizeof (argv[0])); ++ *argv = xcalloc (*argc + 1, sizeof (argv[0])); + + for (i = 0; i < *argc; i++) + (*argv)[i] = grub_util_tchar_to_utf8 (targv[i]); +diff --git a/grub-core/osdep/windows/platform.c b/grub-core/osdep/windows/platform.c +index 7eb53fe01..1ef86bf58 100644 +--- a/grub-core/osdep/windows/platform.c ++++ b/grub-core/osdep/windows/platform.c +@@ -225,8 +225,8 @@ grub_install_register_efi (grub_device_t efidir_grub_dev, + grub_util_error ("%s", _("no EFI routines are available when running in BIOS mode")); + + distrib8_len = grub_strlen (efi_distributor); +- distributor16 = xmalloc ((distrib8_len + 1) * GRUB_MAX_UTF16_PER_UTF8 +- * sizeof (grub_uint16_t)); ++ distributor16 = xcalloc (distrib8_len + 1, ++ GRUB_MAX_UTF16_PER_UTF8 * sizeof (grub_uint16_t)); + distrib16_len = grub_utf8_to_utf16 (distributor16, distrib8_len * GRUB_MAX_UTF16_PER_UTF8, + (const grub_uint8_t *) efi_distributor, + distrib8_len, 0); +diff --git a/grub-core/osdep/windows/relpath.c b/grub-core/osdep/windows/relpath.c +index cb0861744..478e8ef14 100644 +--- a/grub-core/osdep/windows/relpath.c ++++ b/grub-core/osdep/windows/relpath.c +@@ -72,7 +72,7 @@ grub_make_system_path_relative_to_its_root (const char *path) + if (dirwindows[0] && dirwindows[1] == ':') + offset = 2; + } +- ret = xmalloc (sizeof (ret[0]) * (flen - offset + 2)); ++ ret = xcalloc (flen - offset + 2, sizeof (ret[0])); + if (dirwindows[offset] != '\\' + && dirwindows[offset] != '/' + && dirwindows[offset]) +diff --git a/grub-core/partmap/gpt.c b/grub-core/partmap/gpt.c +index 103f6796f..72a2e37cd 100644 +--- a/grub-core/partmap/gpt.c ++++ b/grub-core/partmap/gpt.c +@@ -199,7 +199,7 @@ gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors, + *nsectors = ctx.len; + if (*nsectors > max_nsectors) + *nsectors = max_nsectors; +- *sectors = grub_malloc (*nsectors * sizeof (**sectors)); ++ *sectors = grub_calloc (*nsectors, sizeof (**sectors)); + if (!*sectors) + return grub_errno; + for (i = 0; i < *nsectors; i++) +diff --git a/grub-core/partmap/msdos.c b/grub-core/partmap/msdos.c +index 7b8e45076..ee3f24982 100644 +--- a/grub-core/partmap/msdos.c ++++ b/grub-core/partmap/msdos.c +@@ -337,7 +337,7 @@ pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors, + avail_nsectors = *nsectors; + if (*nsectors > max_nsectors) + *nsectors = max_nsectors; +- *sectors = grub_malloc (*nsectors * sizeof (**sectors)); ++ *sectors = grub_calloc (*nsectors, sizeof (**sectors)); + if (!*sectors) + return grub_errno; + for (i = 0; i < *nsectors; i++) +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index ee299fd0e..c8d6806fe 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -553,7 +553,7 @@ gettext_append (struct grub_script_argv *result, const char *orig_str) + for (iptr = orig_str; *iptr; iptr++) + if (*iptr == '$') + dollar_cnt++; +- ctx.allowed_strings = grub_malloc (sizeof (ctx.allowed_strings[0]) * dollar_cnt); ++ ctx.allowed_strings = grub_calloc (dollar_cnt, sizeof (ctx.allowed_strings[0])); + + if (parse_string (orig_str, gettext_save_allow, &ctx, 0)) + goto fail; +diff --git a/grub-core/tests/fake_input.c b/grub-core/tests/fake_input.c +index 2d6085298..b5eb516be 100644 +--- a/grub-core/tests/fake_input.c ++++ b/grub-core/tests/fake_input.c +@@ -49,7 +49,7 @@ grub_terminal_input_fake_sequence (int *seq_in, int nseq_in) + saved = grub_term_inputs; + if (seq) + grub_free (seq); +- seq = grub_malloc (nseq_in * sizeof (seq[0])); ++ seq = grub_calloc (nseq_in, sizeof (seq[0])); + if (!seq) + return; + +diff --git a/grub-core/tests/video_checksum.c b/grub-core/tests/video_checksum.c +index 74d5b65e5..44d081069 100644 +--- a/grub-core/tests/video_checksum.c ++++ b/grub-core/tests/video_checksum.c +@@ -336,7 +336,7 @@ grub_video_capture_write_bmp (const char *fname, + { + case 4: + { +- grub_uint8_t *buffer = xmalloc (mode_info->width * 3); ++ grub_uint8_t *buffer = xcalloc (3, mode_info->width); + grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1); + grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1); + grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1); +@@ -367,7 +367,7 @@ grub_video_capture_write_bmp (const char *fname, + } + case 3: + { +- grub_uint8_t *buffer = xmalloc (mode_info->width * 3); ++ grub_uint8_t *buffer = xcalloc (3, mode_info->width); + grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1); + grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1); + grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1); +@@ -407,7 +407,7 @@ grub_video_capture_write_bmp (const char *fname, + } + case 2: + { +- grub_uint8_t *buffer = xmalloc (mode_info->width * 3); ++ grub_uint8_t *buffer = xcalloc (3, mode_info->width); + grub_uint16_t rmask = ((1 << mode_info->red_mask_size) - 1); + grub_uint16_t gmask = ((1 << mode_info->green_mask_size) - 1); + grub_uint16_t bmask = ((1 << mode_info->blue_mask_size) - 1); +diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c +index 4f83c7441..4d3195e01 100644 +--- a/grub-core/video/capture.c ++++ b/grub-core/video/capture.c +@@ -89,7 +89,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info, + framebuffer.mode_info = *mode_info; + framebuffer.mode_info.blit_format = grub_video_get_blit_format (&framebuffer.mode_info); + +- framebuffer.ptr = grub_malloc (framebuffer.mode_info.height * framebuffer.mode_info.pitch); ++ framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch); + if (!framebuffer.ptr) + return grub_errno; + +diff --git a/grub-core/video/emu/sdl.c b/grub-core/video/emu/sdl.c +index a2f639f66..0ebab6f57 100644 +--- a/grub-core/video/emu/sdl.c ++++ b/grub-core/video/emu/sdl.c +@@ -172,7 +172,7 @@ grub_video_sdl_set_palette (unsigned int start, unsigned int count, + if (start + count > mode_info.number_of_colors) + count = mode_info.number_of_colors - start; + +- tmp = grub_malloc (count * sizeof (tmp[0])); ++ tmp = grub_calloc (count, sizeof (tmp[0])); + for (i = 0; i < count; i++) + { + tmp[i].r = palette_data[i].r; +diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c +index 01f47112d..b2f776c99 100644 +--- a/grub-core/video/i386/pc/vga.c ++++ b/grub-core/video/i386/pc/vga.c +@@ -127,7 +127,7 @@ grub_video_vga_setup (unsigned int width, unsigned int height, + + vga_height = height ? : 480; + +- framebuffer.temporary_buffer = grub_malloc (vga_height * VGA_WIDTH); ++ framebuffer.temporary_buffer = grub_calloc (vga_height, VGA_WIDTH); + framebuffer.front_page = 0; + framebuffer.back_page = 0; + if (!framebuffer.temporary_buffer) +diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c +index 777e71334..61bd64537 100644 +--- a/grub-core/video/readers/png.c ++++ b/grub-core/video/readers/png.c +@@ -309,7 +309,7 @@ grub_png_decode_image_header (struct grub_png_data *data) + if (data->is_16bit || data->is_gray || data->is_palette) + #endif + { +- data->image_data = grub_malloc (data->image_height * data->row_bytes); ++ data->image_data = grub_calloc (data->image_height, data->row_bytes); + if (grub_errno) + return grub_errno; + +diff --git a/include/grub/unicode.h b/include/grub/unicode.h +index a0403e91f..4de986a85 100644 +--- a/include/grub/unicode.h ++++ b/include/grub/unicode.h +@@ -293,7 +293,7 @@ grub_unicode_glyph_dup (const struct grub_unicode_glyph *in) + grub_memcpy (out, in, sizeof (*in)); + if (in->ncomb > ARRAY_SIZE (out->combining_inline)) + { +- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0])); ++ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0])); + if (!out->combining_ptr) + { + grub_free (out); +@@ -315,7 +315,7 @@ grub_unicode_set_glyph (struct grub_unicode_glyph *out, + grub_memcpy (out, in, sizeof (*in)); + if (in->ncomb > ARRAY_SIZE (out->combining_inline)) + { +- out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0])); ++ out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0])); + if (!out->combining_ptr) + return; + grub_memcpy (out->combining_ptr, in->combining_ptr, +diff --git a/util/getroot.c b/util/getroot.c +index 847406fba..a5eaa64fd 100644 +--- a/util/getroot.c ++++ b/util/getroot.c +@@ -200,7 +200,7 @@ make_device_name (const char *drive) + char *ret, *ptr; + const char *iptr; + +- ret = xmalloc (strlen (drive) * 2); ++ ret = xcalloc (2, strlen (drive)); + ptr = ret; + for (iptr = drive; *iptr; iptr++) + { +diff --git a/util/grub-file.c b/util/grub-file.c +index 50c18b683..b2e7dd69f 100644 +--- a/util/grub-file.c ++++ b/util/grub-file.c +@@ -54,7 +54,7 @@ main (int argc, char *argv[]) + + grub_util_host_init (&argc, &argv); + +- argv2 = xmalloc (argc * sizeof (argv2[0])); ++ argv2 = xcalloc (argc, sizeof (argv2[0])); + + if (argc == 2 && strcmp (argv[1], "--version") == 0) + { +diff --git a/util/grub-fstest.c b/util/grub-fstest.c +index f14e02d97..57246af7c 100644 +--- a/util/grub-fstest.c ++++ b/util/grub-fstest.c +@@ -650,7 +650,7 @@ argp_parser (int key, char *arg, struct argp_state *state) + if (args_count < num_disks) + { + if (args_count == 0) +- images = xmalloc (num_disks * sizeof (images[0])); ++ images = xcalloc (num_disks, sizeof (images[0])); + images[args_count] = grub_canonicalize_file_name (arg); + args_count++; + return 0; +@@ -734,7 +734,7 @@ main (int argc, char *argv[]) + + grub_util_host_init (&argc, &argv); + +- args = xmalloc (argc * sizeof (args[0])); ++ args = xcalloc (argc, sizeof (args[0])); + + argp_parse (&argp, argc, argv, 0, 0, 0); + +diff --git a/util/grub-install-common.c b/util/grub-install-common.c +index ca0ac612a..0295d40f5 100644 +--- a/util/grub-install-common.c ++++ b/util/grub-install-common.c +@@ -286,7 +286,7 @@ handle_install_list (struct install_list *il, const char *val, + il->n_entries++; + } + il->n_alloc = il->n_entries + 1; +- il->entries = xmalloc (il->n_alloc * sizeof (il->entries[0])); ++ il->entries = xcalloc (il->n_alloc, sizeof (il->entries[0])); + ptr = val; + for (ce = il->entries; ; ce++) + { +diff --git a/util/grub-install.c b/util/grub-install.c +index 8a55ad4b8..a82725f29 100644 +--- a/util/grub-install.c ++++ b/util/grub-install.c +@@ -626,7 +626,7 @@ device_map_check_duplicates (const char *dev_map) + if (! fp) + return; + +- d = xmalloc (alloced * sizeof (d[0])); ++ d = xcalloc (alloced, sizeof (d[0])); + + while (fgets (buf, sizeof (buf), fp)) + { +@@ -1260,7 +1260,7 @@ main (int argc, char *argv[]) + ndev++; + } + +- grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1)); ++ grub_drives = xcalloc (ndev + 1, sizeof (grub_drives[0])); + + for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++, + curdrive++) +diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c +index bc087c2b5..d97d0e7be 100644 +--- a/util/grub-mkimagexx.c ++++ b/util/grub-mkimagexx.c +@@ -2294,10 +2294,8 @@ SUFFIX (grub_mkimage_load_image) (const char *kernel_path, + + grub_host_to_target16 (e->e_shstrndx) * smd.section_entsize); + smd.strtab = (char *) e + grub_host_to_target_addr (s->sh_offset); + +- smd.addrs = xmalloc (sizeof (*smd.addrs) * smd.num_sections); +- memset (smd.addrs, 0, sizeof (*smd.addrs) * smd.num_sections); +- smd.vaddrs = xmalloc (sizeof (*smd.vaddrs) * smd.num_sections); +- memset (smd.vaddrs, 0, sizeof (*smd.vaddrs) * smd.num_sections); ++ smd.addrs = xcalloc (smd.num_sections, sizeof (*smd.addrs)); ++ smd.vaddrs = xcalloc (smd.num_sections, sizeof (*smd.vaddrs)); + + SUFFIX (locate_sections) (e, kernel_path, &smd, layout, image_target); + +diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c +index ce2cbc4f1..51831027f 100644 +--- a/util/grub-mkrescue.c ++++ b/util/grub-mkrescue.c +@@ -441,8 +441,8 @@ main (int argc, char *argv[]) + xorriso = xstrdup ("xorriso"); + label_font = grub_util_path_concat (2, pkgdatadir, "unicode.pf2"); + +- argp_argv = xmalloc (sizeof (argp_argv[0]) * argc); +- xorriso_tail_argv = xmalloc (sizeof (argp_argv[0]) * argc); ++ argp_argv = xcalloc (argc, sizeof (argp_argv[0])); ++ xorriso_tail_argv = xcalloc (argc, sizeof (argp_argv[0])); + + xorriso_tail_argc = 0; + /* Program name */ +diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c +index 4907d44c0..edf309717 100644 +--- a/util/grub-mkstandalone.c ++++ b/util/grub-mkstandalone.c +@@ -296,7 +296,7 @@ main (int argc, char *argv[]) + grub_util_host_init (&argc, &argv); + grub_util_disable_fd_syncs (); + +- files = xmalloc ((argc + 1) * sizeof (files[0])); ++ files = xcalloc (argc + 1, sizeof (files[0])); + + argp_parse (&argp, argc, argv, 0, 0, 0); + +diff --git a/util/grub-pe2elf.c b/util/grub-pe2elf.c +index 0d4084a10..11331294f 100644 +--- a/util/grub-pe2elf.c ++++ b/util/grub-pe2elf.c +@@ -100,9 +100,9 @@ write_section_data (FILE* fp, const char *name, char *image, + char *pe_strtab = (image + pe_chdr->symtab_offset + + pe_chdr->num_symbols * sizeof (struct grub_pe32_symbol)); + +- section_map = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (int)); ++ section_map = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (int)); + section_map[0] = 0; +- shdr = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (shdr[0])); ++ shdr = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (shdr[0])); + idx = 1; + idx_reloc = pe_chdr->num_sections + 1; + +@@ -233,7 +233,7 @@ write_reloc_section (FILE* fp, const char *name, char *image, + + pe_sec = pe_shdr + shdr[i].sh_link; + pe_rel = (struct grub_pe32_reloc *) (image + pe_sec->relocations_offset); +- rel = (elf_reloc_t *) xmalloc (pe_sec->num_relocations * sizeof (elf_reloc_t)); ++ rel = (elf_reloc_t *) xcalloc (pe_sec->num_relocations, sizeof (elf_reloc_t)); + num_rels = 0; + modified = 0; + +@@ -365,12 +365,10 @@ write_symbol_table (FILE* fp, const char *name, char *image, + pe_symtab = (struct grub_pe32_symbol *) (image + pe_chdr->symtab_offset); + pe_strtab = (char *) (pe_symtab + pe_chdr->num_symbols); + +- symtab = (Elf_Sym *) xmalloc ((pe_chdr->num_symbols + 1) * +- sizeof (Elf_Sym)); +- memset (symtab, 0, (pe_chdr->num_symbols + 1) * sizeof (Elf_Sym)); ++ symtab = (Elf_Sym *) xcalloc (pe_chdr->num_symbols + 1, sizeof (Elf_Sym)); + num_syms = 1; + +- symtab_map = (int *) xmalloc (pe_chdr->num_symbols * sizeof (int)); ++ symtab_map = (int *) xcalloc (pe_chdr->num_symbols, sizeof (int)); + + for (i = 0; i < (int) pe_chdr->num_symbols; + i += pe_symtab->num_aux + 1, pe_symtab += pe_symtab->num_aux + 1) +diff --git a/util/grub-probe.c b/util/grub-probe.c +index 81d27eead..cbe6ed94c 100644 +--- a/util/grub-probe.c ++++ b/util/grub-probe.c +@@ -361,8 +361,8 @@ probe (const char *path, char **device_names, char delim) + grub_util_pull_device (*curdev); + ndev++; + } +- +- drives_names = xmalloc (sizeof (drives_names[0]) * (ndev + 1)); ++ ++ drives_names = xcalloc (ndev + 1, sizeof (drives_names[0])); + + for (curdev = device_names, curdrive = drives_names; *curdev; curdev++, + curdrive++) +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/buildroot/boot/grub2/0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch new file mode 100644 index 000000000..aaad72563 --- /dev/null +++ b/buildroot/boot/grub2/0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch @@ -0,0 +1,1326 @@ +From 4ad7e85adc3803788d65707a9db11fd681aebe4a Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 15 Jun 2020 12:28:27 -0400 +Subject: [PATCH] malloc: Use overflow checking primitives where we do + complex allocations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This attempts to fix the places where we do the following where +arithmetic_expr may include unvalidated data: + + X = grub_malloc(arithmetic_expr); + +It accomplishes this by doing the arithmetic ahead of time using grub_add(), +grub_sub(), grub_mul() and testing for overflow before proceeding. + +Among other issues, this fixes: + - allocation of integer overflow in grub_video_bitmap_create() + reported by Chris Coulson, + - allocation of integer overflow in grub_png_decode_image_header() + reported by Chris Coulson, + - allocation of integer overflow in grub_squash_read_symlink() + reported by Chris Coulson, + - allocation of integer overflow in grub_ext2_read_symlink() + reported by Chris Coulson, + - allocation of integer overflow in read_section_as_string() + reported by Chris Coulson. + +Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/commands/legacycfg.c | 29 +++++++++++++++---- + grub-core/commands/wildcard.c | 36 ++++++++++++++++++++---- + grub-core/disk/ldm.c | 32 +++++++++++++++------ + grub-core/font/font.c | 7 ++++- + grub-core/fs/btrfs.c | 28 +++++++++++++------ + grub-core/fs/ext2.c | 10 ++++++- + grub-core/fs/iso9660.c | 51 ++++++++++++++++++++++++---------- + grub-core/fs/sfs.c | 27 ++++++++++++++---- + grub-core/fs/squash4.c | 45 ++++++++++++++++++++++-------- + grub-core/fs/udf.c | 41 +++++++++++++++++---------- + grub-core/fs/xfs.c | 11 +++++--- + grub-core/fs/zfs/zfs.c | 22 ++++++++++----- + grub-core/fs/zfs/zfscrypt.c | 7 ++++- + grub-core/lib/arg.c | 20 +++++++++++-- + grub-core/loader/i386/bsd.c | 8 +++++- + grub-core/net/dns.c | 9 +++++- + grub-core/normal/charset.c | 10 +++++-- + grub-core/normal/cmdline.c | 14 ++++++++-- + grub-core/normal/menu_entry.c | 13 +++++++-- + grub-core/script/argv.c | 16 +++++++++-- + grub-core/script/lexer.c | 21 ++++++++++++-- + grub-core/video/bitmap.c | 25 +++++++++++------ + grub-core/video/readers/png.c | 13 +++++++-- + 23 files changed, 382 insertions(+), 113 deletions(-) + +diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c +index 5e3ec0d5e..cc5971f4d 100644 +--- a/grub-core/commands/legacycfg.c ++++ b/grub-core/commands/legacycfg.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -104,13 +105,22 @@ legacy_file (const char *filename) + if (newsuffix) + { + char *t; +- ++ grub_size_t sz; ++ ++ if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) || ++ grub_add (sz, 1, &sz)) ++ { ++ grub_errno = GRUB_ERR_OUT_OF_RANGE; ++ goto fail_0; ++ } ++ + t = suffix; +- suffix = grub_realloc (suffix, grub_strlen (suffix) +- + grub_strlen (newsuffix) + 1); ++ suffix = grub_realloc (suffix, sz); + if (!suffix) + { + grub_free (t); ++ ++ fail_0: + grub_free (entrysrc); + grub_free (parsed); + grub_free (newsuffix); +@@ -154,13 +164,22 @@ legacy_file (const char *filename) + else + { + char *t; ++ grub_size_t sz; ++ ++ if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) || ++ grub_add (sz, 1, &sz)) ++ { ++ grub_errno = GRUB_ERR_OUT_OF_RANGE; ++ goto fail_1; ++ } + + t = entrysrc; +- entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc) +- + grub_strlen (parsed) + 1); ++ entrysrc = grub_realloc (entrysrc, sz); + if (!entrysrc) + { + grub_free (t); ++ ++ fail_1: + grub_free (parsed); + grub_free (suffix); + return grub_errno; +diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c +index 4a106ca04..cc3290311 100644 +--- a/grub-core/commands/wildcard.c ++++ b/grub-core/commands/wildcard.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include + +@@ -48,6 +49,7 @@ merge (char **dest, char **ps) + int i; + int j; + char **p; ++ grub_size_t sz; + + if (! dest) + return ps; +@@ -60,7 +62,12 @@ merge (char **dest, char **ps) + for (j = 0; ps[j]; j++) + ; + +- p = grub_realloc (dest, sizeof (char*) * (i + j + 1)); ++ if (grub_add (i, j, &sz) || ++ grub_add (sz, 1, &sz) || ++ grub_mul (sz, sizeof (char *), &sz)) ++ return dest; ++ ++ p = grub_realloc (dest, sz); + if (! p) + { + grub_free (dest); +@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp) + char ch; + int i = 0; + unsigned len = end - start; +- char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */ ++ char *buffer; ++ grub_size_t sz; + ++ /* Worst case size is (len * 2 + 2 + 1). */ ++ if (grub_mul (len, 2, &sz) || ++ grub_add (sz, 3, &sz)) ++ return 1; ++ ++ buffer = grub_malloc (sz); + if (! buffer) + return 1; + +@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data) + struct match_devices_ctx *ctx = data; + char **t; + char *buffer; ++ grub_size_t sz; + + /* skip partitions if asked to. */ + if (ctx->noparts && grub_strchr (name, ',')) +@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data) + if (regexec (ctx->regexp, buffer, 0, 0, 0)) + { + grub_dprintf ("expand", "not matched\n"); ++ fail: + grub_free (buffer); + return 0; + } + +- t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2)); ++ if (grub_add (ctx->ndev, 2, &sz) || ++ grub_mul (sz, sizeof (char *), &sz)) ++ goto fail; ++ ++ t = grub_realloc (ctx->devs, sz); + if (! t) + { + grub_free (buffer); +@@ -300,6 +320,7 @@ match_files_iter (const char *name, + struct match_files_ctx *ctx = data; + char **t; + char *buffer; ++ grub_size_t sz; + + /* skip . and .. names */ + if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0) +@@ -315,9 +336,14 @@ match_files_iter (const char *name, + if (! buffer) + return 1; + +- t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2)); +- if (! t) ++ if (grub_add (ctx->nfile, 2, &sz) || ++ grub_mul (sz, sizeof (char *), &sz)) ++ goto fail; ++ ++ t = grub_realloc (ctx->files, sz); ++ if (!t) + { ++ fail: + grub_free (buffer); + return 1; + } +diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c +index e6323701a..58f8a53e1 100644 +--- a/grub-core/disk/ldm.c ++++ b/grub-core/disk/ldm.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #ifdef GRUB_UTIL + #include +@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk, + struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE + / sizeof (struct grub_ldm_vblk)]; + unsigned i; ++ grub_size_t sz; + err = grub_disk_read (disk, cursec, 0, + sizeof(vblk), &vblk); + if (err) +@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk, + grub_free (lv); + goto fail2; + } +- lv->name = grub_malloc (*ptr + 1); ++ if (grub_add (*ptr, 1, &sz)) ++ { ++ grub_free (lv->internal_id); ++ grub_free (lv); ++ goto fail2; ++ } ++ lv->name = grub_malloc (sz); + if (!lv->name) + { + grub_free (lv->internal_id); +@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk, + if (lv->segments->node_alloc == lv->segments->node_count) + { + void *t; +- lv->segments->node_alloc *= 2; +- t = grub_realloc (lv->segments->nodes, +- sizeof (*lv->segments->nodes) +- * lv->segments->node_alloc); ++ grub_size_t sz; ++ ++ if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) || ++ grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz)) ++ goto fail2; ++ ++ t = grub_realloc (lv->segments->nodes, sz); + if (!t) + goto fail2; + lv->segments->nodes = t; +@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk, + if (comp->segment_alloc == comp->segment_count) + { + void *t; +- comp->segment_alloc *= 2; +- t = grub_realloc (comp->segments, +- comp->segment_alloc +- * sizeof (*comp->segments)); ++ grub_size_t sz; ++ ++ if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) || ++ grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz)) ++ goto fail2; ++ ++ t = grub_realloc (comp->segments, sz); + if (!t) + goto fail2; + comp->segments = t; +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 8e118b315..5edb477ac 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -360,9 +361,13 @@ static char * + read_section_as_string (struct font_file_section *section) + { + char *str; ++ grub_size_t sz; + grub_ssize_t ret; + +- str = grub_malloc (section->length + 1); ++ if (grub_add (section->length, 1, &sz)) ++ return NULL; ++ ++ str = grub_malloc (sz); + if (!str) + return 0; + +diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c +index 11272efc1..2b65bd56a 100644 +--- a/grub-core/fs/btrfs.c ++++ b/grub-core/fs/btrfs.c +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc, + if (desc->allocated < desc->depth) + { + void *newdata; +- desc->allocated *= 2; +- newdata = grub_realloc (desc->data, sizeof (desc->data[0]) +- * desc->allocated); ++ grub_size_t sz; ++ ++ if (grub_mul (desc->allocated, 2, &desc->allocated) || ++ grub_mul (desc->allocated, sizeof (desc->data[0]), &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ++ newdata = grub_realloc (desc->data, sz); + if (!newdata) + return grub_errno; + desc->data = newdata; +@@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id) + if (data->n_devices_attached > data->n_devices_allocated) + { + void *tmp; +- data->n_devices_allocated = 2 * data->n_devices_attached + 1; +- data->devices_attached +- = grub_realloc (tmp = data->devices_attached, +- data->n_devices_allocated +- * sizeof (data->devices_attached[0])); ++ grub_size_t sz; ++ ++ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) || ++ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) || ++ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz)) ++ goto fail; ++ ++ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz); + if (!data->devices_attached) + { ++ data->devices_attached = tmp; ++ ++ fail: + if (ctx.dev_found) + grub_device_close (ctx.dev_found); +- data->devices_attached = tmp; + return NULL; + } + } +diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c +index 9b389802a..ac33bcd68 100644 +--- a/grub-core/fs/ext2.c ++++ b/grub-core/fs/ext2.c +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node) + { + char *symlink; + struct grub_fshelp_node *diro = node; ++ grub_size_t sz; + + if (! diro->inode_read) + { +@@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node) + } + } + +- symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1); ++ if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ ++ symlink = grub_malloc (sz); + if (! symlink) + return 0; + +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index 4f1b52a55..7ba5b300b 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx, + int len2) + { + int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0; ++ grub_size_t sz; + +- ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1); ++ if (grub_add (size, len2, &sz) || ++ grub_add (sz, 1, &sz)) ++ return; ++ ++ ctx->symlink = grub_realloc (ctx->symlink, sz); + if (! ctx->symlink) + return; + +@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, + { + grub_size_t off = 0, csize = 1; + char *old; ++ grub_size_t sz; ++ + csize = entry->len - 5; + old = ctx->filename; + if (ctx->filename_alloc) + { + off = grub_strlen (ctx->filename); +- ctx->filename = grub_realloc (ctx->filename, csize + off + 1); ++ if (grub_add (csize, off, &sz) || ++ grub_add (sz, 1, &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ctx->filename = grub_realloc (ctx->filename, sz); + } + else + { + off = 0; +- ctx->filename = grub_zalloc (csize + 1); ++ if (grub_add (csize, 1, &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ctx->filename = grub_zalloc (sz); + } + if (!ctx->filename) + { +@@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, + if (node->have_dirents >= node->alloc_dirents) + { + struct grub_fshelp_node *new_node; +- node->alloc_dirents *= 2; +- new_node = grub_realloc (node, +- sizeof (struct grub_fshelp_node) +- + ((node->alloc_dirents +- - ARRAY_SIZE (node->dirents)) +- * sizeof (node->dirents[0]))); ++ grub_size_t sz; ++ ++ if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) || ++ grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) || ++ grub_mul (sz, sizeof (node->dirents[0]), &sz) || ++ grub_add (sz, sizeof (struct grub_fshelp_node), &sz)) ++ goto fail_0; ++ ++ new_node = grub_realloc (node, sz); + if (!new_node) + { ++ fail_0: + if (ctx.filename_alloc) + grub_free (ctx.filename); + grub_free (node); +@@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir, + * sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1) + { + struct grub_fshelp_node *new_node; +- new_node = grub_realloc (node, +- sizeof (struct grub_fshelp_node) +- + ((node->alloc_dirents +- - ARRAY_SIZE (node->dirents)) +- * sizeof (node->dirents[0])) +- + grub_strlen (ctx.symlink) + 1); ++ grub_size_t sz; ++ ++ if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) || ++ grub_mul (sz, sizeof (node->dirents[0]), &sz) || ++ grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) || ++ grub_add (sz, grub_strlen (ctx.symlink), &sz)) ++ goto fail_1; ++ ++ new_node = grub_realloc (node, sz); + if (!new_node) + { ++ fail_1: + if (ctx.filename_alloc) + grub_free (ctx.filename); + grub_free (node); +diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c +index 90f7fb379..de2b107a4 100644 +--- a/grub-core/fs/sfs.c ++++ b/grub-core/fs/sfs.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock) + if (node->cache && node->cache_size >= node->cache_allocated) + { + struct cache_entry *e = node->cache; +- e = grub_realloc (node->cache,node->cache_allocated * 2 +- * sizeof (e[0])); ++ grub_size_t sz; ++ ++ if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz)) ++ goto fail; ++ ++ e = grub_realloc (node->cache, sz); + if (!e) + { ++ fail: + grub_errno = 0; + grub_free (node->cache); + node->cache = 0; +@@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node, + grub_size_t len = grub_strlen (name); + grub_uint8_t *name_u8; + int ret; ++ grub_size_t sz; ++ ++ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) || ++ grub_add (sz, 1, &sz)) ++ return 1; ++ + *node = grub_malloc (sizeof (**node)); + if (!*node) + return 1; +- name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); ++ name_u8 = grub_malloc (sz); + if (!name_u8) + { + grub_free (*node); +@@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label) + data = grub_sfs_mount (disk); + if (data) + { +- grub_size_t len = grub_strlen (data->label); +- *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1); ++ grub_size_t sz, len = grub_strlen (data->label); ++ ++ if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) || ++ grub_add (sz, 1, &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ++ *label = grub_malloc (sz); + if (*label) + *grub_latin1_to_utf8 ((grub_uint8_t *) *label, + (const grub_uint8_t *) data->label, +diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c +index 95d5c1e1f..785123894 100644 +--- a/grub-core/fs/squash4.c ++++ b/grub-core/fs/squash4.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + #include "xz.h" +@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node) + { + char *ret; + grub_err_t err; +- ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1); ++ grub_size_t sz; ++ ++ if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return NULL; ++ } ++ ++ ret = grub_malloc (sz); ++ if (!ret) ++ return NULL; + + err = read_chunk (node->data, ret, + grub_le_to_cpu32 (node->ino.symlink.namelen), +@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, + + { + grub_fshelp_node_t node; +- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); ++ grub_size_t sz; ++ ++ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) || ++ grub_add (sz, sizeof (*node), &sz)) ++ return 0; ++ ++ node = grub_malloc (sz); + if (!node) + return 0; +- grub_memcpy (node, dir, +- sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); ++ grub_memcpy (node, dir, sz); + if (hook (".", GRUB_FSHELP_DIR, node, hook_data)) + return 1; + +@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, + { + grub_err_t err; + +- node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); ++ if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) || ++ grub_add (sz, sizeof (*node), &sz)) ++ return 0; ++ ++ node = grub_malloc (sz); + if (!node) + return 0; + +- grub_memcpy (node, dir, +- sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); ++ grub_memcpy (node, dir, sz); + + node->stsize--; + err = read_chunk (dir->data, &node->ino, sizeof (node->ino), +@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, + enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG; + struct grub_squash_dirent di; + struct grub_squash_inode ino; ++ grub_size_t sz; + + err = read_chunk (dir->data, &di, sizeof (di), + grub_le_to_cpu64 (dir->data->sb.diroffset) +@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir, + if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK) + filetype = GRUB_FSHELP_SYMLINK; + +- node = grub_malloc (sizeof (*node) +- + (dir->stsize + 1) * sizeof (dir->stack[0])); ++ if (grub_add (dir->stsize, 1, &sz) || ++ grub_mul (sz, sizeof (dir->stack[0]), &sz) || ++ grub_add (sz, sizeof (*node), &sz)) ++ return 0; ++ ++ node = grub_malloc (sz); + if (! node) + return 0; + +- grub_memcpy (node, dir, +- sizeof (*node) + dir->stsize * sizeof (dir->stack[0])); ++ grub_memcpy (node, dir, sz - sizeof(dir->stack[0])); + + node->ino = ino; + node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk); +diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c +index a83761674..21ac7f446 100644 +--- a/grub-core/fs/udf.c ++++ b/grub-core/fs/udf.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf) + utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2]; + } + if (!outbuf) +- outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1); ++ { ++ grub_size_t size; ++ ++ if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) || ++ grub_add (size, 1, &size)) ++ goto fail; ++ ++ outbuf = grub_malloc (size); ++ } + if (outbuf) + *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0'; ++ ++ fail: + grub_free (utf16); + return outbuf; + } +@@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node) + grub_size_t sz = U64 (node->block.fe.file_size); + grub_uint8_t *raw; + const grub_uint8_t *ptr; +- char *out, *optr; ++ char *out = NULL, *optr; + + if (sz < 4) + return NULL; +@@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node) + if (!raw) + return NULL; + if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0) +- { +- grub_free (raw); +- return NULL; +- } ++ goto fail_1; + +- out = grub_malloc (sz * 2 + 1); ++ if (grub_mul (sz, 2, &sz) || ++ grub_add (sz, 1, &sz)) ++ goto fail_0; ++ ++ out = grub_malloc (sz); + if (!out) + { ++ fail_0: + grub_free (raw); + return NULL; + } +@@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node) + { + grub_size_t s; + if ((grub_size_t) (ptr - raw + 4) > sz) +- goto fail; ++ goto fail_1; + if (!(ptr[2] == 0 && ptr[3] == 0)) +- goto fail; ++ goto fail_1; + s = 4 + ptr[1]; + if ((grub_size_t) (ptr - raw + s) > sz) +- goto fail; ++ goto fail_1; + switch (*ptr) + { + case 1: + if (ptr[1]) +- goto fail; ++ goto fail_1; + /* Fallthrough. */ + case 2: + /* in 4 bytes. out: 1 byte. */ +@@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node) + if (optr != out) + *optr++ = '/'; + if (!read_string (ptr + 4, s - 4, optr)) +- goto fail; ++ goto fail_1; + optr += grub_strlen (optr); + break; + default: +- goto fail; ++ goto fail_1; + } + ptr += s; + } +@@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node) + grub_free (raw); + return out; + +- fail: ++ fail_1: + grub_free (raw); + grub_free (out); + grub_error (GRUB_ERR_BAD_FS, "invalid symlink"); +diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c +index 96ffecbfc..ea6590290 100644 +--- a/grub-core/fs/xfs.c ++++ b/grub-core/fs/xfs.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -899,6 +900,7 @@ static struct grub_xfs_data * + grub_xfs_mount (grub_disk_t disk) + { + struct grub_xfs_data *data = 0; ++ grub_size_t sz; + + data = grub_zalloc (sizeof (struct grub_xfs_data)); + if (!data) +@@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk) + if (!grub_xfs_sb_valid(data)) + goto fail; + +- data = grub_realloc (data, +- sizeof (struct grub_xfs_data) +- - sizeof (struct grub_xfs_inode) +- + grub_xfs_inode_size(data) + 1); ++ if (grub_add (grub_xfs_inode_size (data), ++ sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz)) ++ goto fail; ++ ++ data = grub_realloc (data, sz); + + if (! data) + goto fail; +diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c +index 381dde556..36d0373a6 100644 +--- a/grub-core/fs/zfs/zfs.c ++++ b/grub-core/fs/zfs/zfs.c +@@ -55,6 +55,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data, + if (data->n_devices_attached > data->n_devices_allocated) + { + void *tmp; +- data->n_devices_allocated = 2 * data->n_devices_attached + 1; +- data->devices_attached +- = grub_realloc (tmp = data->devices_attached, +- data->n_devices_allocated +- * sizeof (data->devices_attached[0])); ++ grub_size_t sz; ++ ++ if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) || ++ grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) || ++ grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ++ data->devices_attached = grub_realloc (tmp = data->devices_attached, sz); + if (!data->devices_attached) + { + data->devices_attached = tmp; +@@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name) + { + char *nvpair; + char *ret; +- grub_size_t size; ++ grub_size_t size, sz; + int found; + + found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair, + &size, 0); + if (!found) + return 0; +- ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t)); ++ ++ if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz)) ++ return 0; ++ ++ ret = grub_zalloc (sz); + if (!ret) + return 0; + grub_memcpy (ret, nvlist, sizeof (grub_uint32_t)); +diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c +index 1402e0bc2..de3b015f5 100644 +--- a/grub-core/fs/zfs/zfscrypt.c ++++ b/grub-core/fs/zfs/zfscrypt.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in, + int passphrase) + { + struct grub_zfs_wrap_key *key; ++ grub_size_t sz; ++ + if (!passphrase && keylen > 32) + keylen = 32; +- key = grub_malloc (sizeof (*key) + keylen); ++ if (grub_add (sizeof (*key), keylen, &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ key = grub_malloc (sz); + if (!key) + return grub_errno; + key->is_passphrase = passphrase; +diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c +index fd7744a6f..3288609a5 100644 +--- a/grub-core/lib/arg.c ++++ b/grub-core/lib/arg.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + /* Built-in parser for default options. */ + static const struct grub_arg_option help_options[] = +@@ -216,7 +217,13 @@ static inline grub_err_t + add_arg (char ***argl, int *num, char *s) + { + char **p = *argl; +- *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *)); ++ grub_size_t sz; ++ ++ if (grub_add (++(*num), 1, &sz) || ++ grub_mul (sz, sizeof (char *), &sz)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ ++ *argl = grub_realloc (*argl, sz); + if (! *argl) + { + grub_free (p); +@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc, + grub_size_t argcnt; + struct grub_arg_list *list; + const struct grub_arg_option *options; ++ grub_size_t sz0, sz1; + + options = extcmd->options; + if (! options) +@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc, + argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */ + } + +- list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt); ++ if (grub_mul (sizeof (*list), i, &sz0) || ++ grub_mul (sizeof (char *), argcnt, &sz1) || ++ grub_add (sz0, sz1, &sz0)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ return 0; ++ } ++ ++ list = grub_zalloc (sz0); + if (! list) + return 0; + +diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c +index 3730ed382..b92cbe98d 100644 +--- a/grub-core/loader/i386/bsd.c ++++ b/grub-core/loader/i386/bsd.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #ifdef GRUB_MACHINE_PCBIOS + #include +@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void) + struct grub_netbsd_btinfo_modules *mods; + unsigned i; + grub_err_t err; ++ grub_size_t sz; + + for (mod = netbsd_mods; mod; mod = mod->next) + modcnt++; + +- mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt); ++ if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) || ++ grub_add (sz, sizeof (*mods), &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ++ mods = grub_malloc (sz); + if (!mods) + return grub_errno; + +diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c +index e332d5eb4..906ec7d67 100644 +--- a/grub-core/net/dns.c ++++ b/grub-core/net/dns.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + struct dns_cache_element + { +@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s) + { + int na = dns_servers_alloc * 2; + struct grub_net_network_level_address *ns; ++ grub_size_t sz; ++ + if (na < 8) + na = 8; +- ns = grub_realloc (dns_servers, na * sizeof (ns[0])); ++ ++ if (grub_mul (na, sizeof (ns[0]), &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ++ ns = grub_realloc (dns_servers, sz); + if (!ns) + return grub_errno; + dns_servers_alloc = na; +diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c +index d57fb72fa..4dfcc3107 100644 +--- a/grub-core/normal/charset.c ++++ b/grub-core/normal/charset.c +@@ -48,6 +48,7 @@ + #include + #include + #include ++#include + + #if HAVE_FONT_SOURCE + #include "widthspec.h" +@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, + { + struct grub_unicode_combining *n; + unsigned j; ++ grub_size_t sz; + + if (!haveout) + continue; +@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, + n = out->combining_inline; + else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline)) + { +- n = grub_realloc (out->combining_ptr, +- sizeof (n[0]) * (out->ncomb + 1)); ++ if (grub_add (out->ncomb, 1, &sz) || ++ grub_mul (sz, sizeof (n[0]), &sz)) ++ goto fail; ++ ++ n = grub_realloc (out->combining_ptr, sz); + if (!n) + { ++ fail: + grub_errno = GRUB_ERR_NONE; + continue; + } +diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c +index c57242e2e..de03fe63b 100644 +--- a/grub-core/normal/cmdline.c ++++ b/grub-core/normal/cmdline.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + static grub_uint32_t *kill_buf; + +@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms, + if (len + (*llen) >= (*max_len)) + { + grub_uint32_t *nbuf; +- (*max_len) *= 2; +- nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len)); ++ grub_size_t sz; ++ ++ if (grub_mul (*max_len, 2, max_len) || ++ grub_mul (*max_len, sizeof (grub_uint32_t), &sz)) ++ { ++ grub_errno = GRUB_ERR_OUT_OF_RANGE; ++ goto fail; ++ } ++ ++ nbuf = grub_realloc ((*buf), sz); + if (nbuf) + (*buf) = nbuf; + else + { ++ fail: + grub_print_error (); + grub_errno = GRUB_ERR_NONE; + (*max_len) /= 2; +diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c +index 1993995be..50eef918c 100644 +--- a/grub-core/normal/menu_entry.c ++++ b/grub-core/normal/menu_entry.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + + enum update_mode + { +@@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra) + { + if (linep->max_len < linep->len + extra) + { +- linep->max_len = 2 * (linep->len + extra); +- linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0])); ++ grub_size_t sz0, sz1; ++ ++ if (grub_add (linep->len, extra, &sz0) || ++ grub_mul (sz0, 2, &sz0) || ++ grub_add (sz0, 1, &sz1) || ++ grub_mul (sz1, sizeof (linep->buf[0]), &sz1)) ++ return 0; ++ ++ linep->buf = grub_realloc (linep->buf, sz1); + if (! linep->buf) + return 0; ++ linep->max_len = sz0; + } + + return 1; +diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c +index 217ec5d1e..5751fdd57 100644 +--- a/grub-core/script/argv.c ++++ b/grub-core/script/argv.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + /* Return nearest power of two that is >= v. */ + static unsigned +@@ -81,11 +82,16 @@ int + grub_script_argv_next (struct grub_script_argv *argv) + { + char **p = argv->args; ++ grub_size_t sz; + + if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0) + return 0; + +- p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *))); ++ if (grub_add (argv->argc, 2, &sz) || ++ grub_mul (sz, sizeof (char *), &sz)) ++ return 1; ++ ++ p = grub_realloc (p, round_up_exp (sz)); + if (! p) + return 1; + +@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s, + { + grub_size_t a; + char *p = argv->args[argv->argc - 1]; ++ grub_size_t sz; + + if (! s) + return 0; + + a = p ? grub_strlen (p) : 0; + +- p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char))); ++ if (grub_add (a, slen, &sz) || ++ grub_add (sz, 1, &sz) || ++ grub_mul (sz, sizeof (char), &sz)) ++ return 1; ++ ++ p = grub_realloc (p, round_up_exp (sz)); + if (! p) + return 1; + +diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c +index c6bd3172f..5fb0cbd0b 100644 +--- a/grub-core/script/lexer.c ++++ b/grub-core/script/lexer.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #define yytext_ptr char * + #include "grub_script.tab.h" +@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str) + old = lexer->recording; + if (lexer->recordlen < len) + lexer->recordlen = len; +- lexer->recordlen *= 2; ++ ++ if (grub_mul (lexer->recordlen, 2, &lexer->recordlen)) ++ goto fail; ++ + lexer->recording = grub_realloc (lexer->recording, lexer->recordlen); + if (!lexer->recording) + { ++ fail: + grub_free (old); + lexer->recordpos = 0; + lexer->recordlen = 0; +@@ -130,7 +135,7 @@ int + grub_script_lexer_yywrap (struct grub_parser_param *parserstate, + const char *input) + { +- grub_size_t len = 0; ++ grub_size_t len = 0, sz; + char *p = 0; + char *line = 0; + YY_BUFFER_STATE buffer; +@@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate, + } + else if (len && line[len - 1] != '\n') + { +- p = grub_realloc (line, len + 2); ++ if (grub_add (len, 2, &sz)) ++ { ++ grub_free (line); ++ grub_script_yyerror (parserstate, N_("overflow is detected")); ++ return 1; ++ } ++ ++ p = grub_realloc (line, sz); + if (p) + { + p[len++] = '\n'; + p[len] = '\0'; + } ++ else ++ grub_free (line); ++ + line = p; + } + +diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c +index b2e031566..6256e209a 100644 +--- a/grub-core/video/bitmap.c ++++ b/grub-core/video/bitmap.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap, + enum grub_video_blit_format blit_format) + { + struct grub_video_mode_info *mode_info; +- unsigned int size; ++ grub_size_t size; + + if (!bitmap) + return grub_error (GRUB_ERR_BUG, "invalid argument"); +@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap, + + mode_info->pitch = width * mode_info->bytes_per_pixel; + +- /* Calculate size needed for the data. */ +- size = (width * mode_info->bytes_per_pixel) * height; ++ /* Calculate size needed for the data. */ ++ if (grub_mul (width, mode_info->bytes_per_pixel, &size) || ++ grub_mul (size, height, &size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ goto fail; ++ } + + (*bitmap)->data = grub_zalloc (size); + if (! (*bitmap)->data) +- { +- grub_free (*bitmap); +- *bitmap = 0; +- +- return grub_errno; +- } ++ goto fail; + + return GRUB_ERR_NONE; ++ ++ fail: ++ grub_free (*bitmap); ++ *bitmap = NULL; ++ ++ return grub_errno; + } + + /* Frees all resources allocated by bitmap. */ +diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c +index 61bd64537..0157ff742 100644 +--- a/grub-core/video/readers/png.c ++++ b/grub-core/video/readers/png.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data) + data->bpp <<= 1; + + data->color_bits = color_bits; +- data->row_bytes = data->image_width * data->bpp; ++ ++ if (grub_mul (data->image_width, data->bpp, &data->row_bytes)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ + if (data->color_bits <= 4) +- data->row_bytes = (data->image_width * data->color_bits + 7) / 8; ++ { ++ if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes)) ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ ++ data->row_bytes >>= 3; ++ } + + #ifndef GRUB_CPU_WORDS_BIGENDIAN + if (data->is_16bit || data->is_gray || data->is_palette) +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch b/buildroot/boot/grub2/0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch new file mode 100644 index 000000000..6b0aee080 --- /dev/null +++ b/buildroot/boot/grub2/0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch @@ -0,0 +1,72 @@ +From e0dd17a3ce79c6622dc78c96e1f2ef1b20e2bf7b Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Sat, 4 Jul 2020 12:25:09 -0400 +Subject: [PATCH] iso9660: Don't leak memory on realloc() failures +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/fs/iso9660.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c +index 7ba5b300b..5ec4433b8 100644 +--- a/grub-core/fs/iso9660.c ++++ b/grub-core/fs/iso9660.c +@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx, + { + int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0; + grub_size_t sz; ++ char *new; + + if (grub_add (size, len2, &sz) || + grub_add (sz, 1, &sz)) + return; + +- ctx->symlink = grub_realloc (ctx->symlink, sz); +- if (! ctx->symlink) +- return; ++ new = grub_realloc (ctx->symlink, sz); ++ if (!new) ++ { ++ grub_free (ctx->symlink); ++ ctx->symlink = NULL; ++ return; ++ } ++ ctx->symlink = new; + + grub_memcpy (ctx->symlink + size, part, len2); + ctx->symlink[size + len2] = 0; +@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, + is the length. Both are part of the `Component + Record'. */ + if (ctx->symlink && !ctx->was_continue) +- add_part (ctx, "/", 1); ++ { ++ add_part (ctx, "/", 1); ++ if (grub_errno) ++ return grub_errno; ++ } ++ + add_part (ctx, (char *) &entry->data[pos + 2], + entry->data[pos + 1]); + ctx->was_continue = (entry->data[pos] & 1); +@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry, + add_part (ctx, "/", 1); + break; + } ++ ++ /* Check if grub_realloc() failed in add_part(). */ ++ if (grub_errno) ++ return grub_errno; ++ + /* In pos + 1 the length of the `Component Record' is + stored. */ + pos += entry->data[pos + 1] + 2; +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0008-font-Do-not-load-more-than-one-NAME-section.patch b/buildroot/boot/grub2/0008-font-Do-not-load-more-than-one-NAME-section.patch new file mode 100644 index 000000000..f4616292f --- /dev/null +++ b/buildroot/boot/grub2/0008-font-Do-not-load-more-than-one-NAME-section.patch @@ -0,0 +1,41 @@ +From 73bc7a964c9496d5b0f00dbd69959dacf5adcebe Mon Sep 17 00:00:00 2001 +From: Daniel Kiper +Date: Tue, 7 Jul 2020 15:36:26 +0200 +Subject: [PATCH] font: Do not load more than one NAME section +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The GRUB font file can have one NAME section only. Though if somebody +crafts a broken font file with many NAME sections and loads it then the +GRUB leaks memory. So, prevent against that by loading first NAME +section and failing in controlled way on following one. + +Reported-by: Chris Coulson +Signed-off-by: Daniel Kiper +Reviewed-by: Jan Setje-Eilers +Signed-off-by: Stefan Sørensen +--- + grub-core/font/font.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 5edb477ac..d09bb38d8 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -532,6 +532,12 @@ grub_font_load (const char *filename) + if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME, + sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0) + { ++ if (font->name != NULL) ++ { ++ grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections"); ++ goto fail; ++ } ++ + font->name = read_section_as_string (§ion); + if (!font->name) + goto fail; +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0009-gfxmenu-Fix-double-free-in-load_image.patch b/buildroot/boot/grub2/0009-gfxmenu-Fix-double-free-in-load_image.patch new file mode 100644 index 000000000..732d16664 --- /dev/null +++ b/buildroot/boot/grub2/0009-gfxmenu-Fix-double-free-in-load_image.patch @@ -0,0 +1,39 @@ +From 9ff609f0e7798bc5fb04f791131c98e7693bdd9b Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Wed, 8 Jul 2020 20:41:56 +0000 +Subject: [PATCH] gfxmenu: Fix double free in load_image() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +self->bitmap should be zeroed after free. Otherwise, there is a chance +to double free (USE_AFTER_FREE) it later in rescale_image(). + +Fixes: CID 292472 + +Signed-off-by: Alexey Makhalov +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/gfxmenu/gui_image.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/grub-core/gfxmenu/gui_image.c b/grub-core/gfxmenu/gui_image.c +index 29784ed2d..6b2e976f1 100644 +--- a/grub-core/gfxmenu/gui_image.c ++++ b/grub-core/gfxmenu/gui_image.c +@@ -195,7 +195,10 @@ load_image (grub_gui_image_t self, const char *path) + return grub_errno; + + if (self->bitmap && (self->bitmap != self->raw_bitmap)) +- grub_video_bitmap_destroy (self->bitmap); ++ { ++ grub_video_bitmap_destroy (self->bitmap); ++ self->bitmap = 0; ++ } + if (self->raw_bitmap) + grub_video_bitmap_destroy (self->raw_bitmap); + +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch b/buildroot/boot/grub2/0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch new file mode 100644 index 000000000..72cf58d44 --- /dev/null +++ b/buildroot/boot/grub2/0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch @@ -0,0 +1,58 @@ +From dc9777dc17697b196c415c53187a55861d41fd2a Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Wed, 8 Jul 2020 21:30:43 +0000 +Subject: [PATCH] xnu: Fix double free in grub_xnu_devprop_add_property() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get +allocated and freed in the caller. + +Minor improvement: do prop fields initialization after memory allocations. + +Fixes: CID 292442, CID 292457, CID 292460, CID 292466 + +Signed-off-by: Alexey Makhalov +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/loader/i386/xnu.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c +index b7d176b5d..e9e119259 100644 +--- a/grub-core/loader/i386/xnu.c ++++ b/grub-core/loader/i386/xnu.c +@@ -262,20 +262,19 @@ grub_xnu_devprop_add_property (struct grub_xnu_devprop_device_descriptor *dev, + if (!prop) + return grub_errno; + +- prop->name = utf8; +- prop->name16 = utf16; +- prop->name16len = utf16len; +- +- prop->length = datalen; +- prop->data = grub_malloc (prop->length); ++ prop->data = grub_malloc (datalen); + if (!prop->data) + { +- grub_free (prop->name); +- grub_free (prop->name16); + grub_free (prop); + return grub_errno; + } +- grub_memcpy (prop->data, data, prop->length); ++ grub_memcpy (prop->data, data, datalen); ++ ++ prop->name = utf8; ++ prop->name16 = utf16; ++ prop->name16len = utf16len; ++ prop->length = datalen; ++ + grub_list_push (GRUB_AS_LIST_P (&dev->properties), + GRUB_AS_LIST (prop)); + return GRUB_ERR_NONE; +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0011-lzma-Make-sure-we-don-t-dereference-past-array.patch b/buildroot/boot/grub2/0011-lzma-Make-sure-we-don-t-dereference-past-array.patch new file mode 100644 index 000000000..a7d5a48e5 --- /dev/null +++ b/buildroot/boot/grub2/0011-lzma-Make-sure-we-don-t-dereference-past-array.patch @@ -0,0 +1,55 @@ +From 78829f0c230680e386fff9f420bb1631bc20f761 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Thu, 9 Jul 2020 03:05:23 +0000 +Subject: [PATCH] lzma: Make sure we don't dereference past array +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The two dimensional array p->posSlotEncoder[4][64] is being dereferenced +using the GetLenToPosState() macro which checks if len is less than 5, +and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294. +Obviously we don't want to dereference that far out so we check if the +position found is greater or equal kNumLenToPosStates (4) and bail out. + +N.B.: Upstream LZMA 18.05 and later has this function completely rewritten +without any history. + +Fixes: CID 51526 + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/lib/LzmaEnc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c +index f2ec04a8c..753e56a95 100644 +--- a/grub-core/lib/LzmaEnc.c ++++ b/grub-core/lib/LzmaEnc.c +@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize + } + else + { +- UInt32 posSlot; ++ UInt32 posSlot, lenToPosState; + RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0); + p->state = kMatchNextStates[p->state]; + LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices); + pos -= LZMA_NUM_REPS; + GetPosSlot(pos, posSlot); +- RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot); ++ lenToPosState = GetLenToPosState(len); ++ if (lenToPosState >= kNumLenToPosStates) ++ { ++ p->result = SZ_ERROR_DATA; ++ return CheckErrors(p); ++ } ++ RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot); + + if (posSlot >= kStartPosModelIndex) + { +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0012-term-Fix-overflow-on-user-inputs.patch b/buildroot/boot/grub2/0012-term-Fix-overflow-on-user-inputs.patch new file mode 100644 index 000000000..77b01a481 --- /dev/null +++ b/buildroot/boot/grub2/0012-term-Fix-overflow-on-user-inputs.patch @@ -0,0 +1,69 @@ +From 8d3b6f9da468f666e3a7976657f2ab5c52762a21 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Tue, 7 Jul 2020 15:12:25 -0400 +Subject: [PATCH] term: Fix overflow on user inputs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This requires a very weird input from the serial interface but can cause +an overflow in input_buf (keys) overwriting the next variable (npending) +with the user choice: + +(pahole output) + +struct grub_terminfo_input_state { + int input_buf[6]; /* 0 24 */ + int npending; /* 24 4 */ <- CORRUPT + ...snip... + +The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow +npending with "q" (aka increase npending to 161). The simplest fix is to +just to disallow overwrites input_buf, which exactly what this patch does. + +Fixes: CID 292449 + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/term/terminfo.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/grub-core/term/terminfo.c b/grub-core/term/terminfo.c +index d317efa36..5fa94c0c3 100644 +--- a/grub-core/term/terminfo.c ++++ b/grub-core/term/terminfo.c +@@ -398,7 +398,7 @@ grub_terminfo_getwh (struct grub_term_output *term) + } + + static void +-grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, ++grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, int max_len, + int (*readkey) (struct grub_term_input *term)) + { + int c; +@@ -414,6 +414,9 @@ grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, + if (c == -1) \ + return; \ + \ ++ if (*len >= max_len) \ ++ return; \ ++ \ + keys[*len] = c; \ + (*len)++; \ + } +@@ -602,8 +605,8 @@ grub_terminfo_getkey (struct grub_term_input *termi) + return ret; + } + +- grub_terminfo_readkey (termi, data->input_buf, +- &data->npending, data->readkey); ++ grub_terminfo_readkey (termi, data->input_buf, &data->npending, ++ GRUB_TERMINFO_READKEY_MAX_LEN, data->readkey); + + #if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275) + if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0013-udf-Fix-memory-leak.patch b/buildroot/boot/grub2/0013-udf-Fix-memory-leak.patch new file mode 100644 index 000000000..d79de9059 --- /dev/null +++ b/buildroot/boot/grub2/0013-udf-Fix-memory-leak.patch @@ -0,0 +1,59 @@ +From 748b691761d31bfff7e9d0d210caa606294c2b52 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Tue, 7 Jul 2020 22:02:31 -0400 +Subject: [PATCH] udf: Fix memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CID 73796 + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel Kiper +Reviewed-by: Jan Setje-Eilers +Signed-off-by: Stefan Sørensen +--- + grub-core/fs/udf.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c +index 21ac7f446..2ac5c1d00 100644 +--- a/grub-core/fs/udf.c ++++ b/grub-core/fs/udf.c +@@ -965,8 +965,10 @@ grub_udf_iterate_dir (grub_fshelp_node_t dir, + return 0; + + if (grub_udf_read_icb (dir->data, &dirent.icb, child)) +- return 0; +- ++ { ++ grub_free (child); ++ return 0; ++ } + if (dirent.characteristics & GRUB_UDF_FID_CHAR_PARENT) + { + /* This is the parent directory. */ +@@ -988,11 +990,18 @@ grub_udf_iterate_dir (grub_fshelp_node_t dir, + dirent.file_ident_length, + (char *) raw)) + != dirent.file_ident_length) +- return 0; ++ { ++ grub_free (child); ++ return 0; ++ } + + filename = read_string (raw, dirent.file_ident_length, 0); + if (!filename) +- grub_print_error (); ++ { ++ /* As the hook won't get called. */ ++ grub_free (child); ++ grub_print_error (); ++ } + + if (filename && hook (filename, type, child, hook_data)) + { +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch b/buildroot/boot/grub2/0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch new file mode 100644 index 000000000..f3e2a0414 --- /dev/null +++ b/buildroot/boot/grub2/0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch @@ -0,0 +1,38 @@ +From 49bf3faa106498e151306fc780c63194a14751e3 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Fri, 26 Jun 2020 10:51:43 -0400 +Subject: [PATCH] multiboot2: Fix memory leak if + grub_create_loader_cmdline() fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: CID 292468 + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/loader/multiboot_mbi2.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c +index 53da78615..0efc66062 100644 +--- a/grub-core/loader/multiboot_mbi2.c ++++ b/grub-core/loader/multiboot_mbi2.c +@@ -1070,7 +1070,11 @@ grub_multiboot2_add_module (grub_addr_t start, grub_size_t size, + err = grub_create_loader_cmdline (argc, argv, newmod->cmdline, + newmod->cmdline_size, GRUB_VERIFY_MODULE_CMDLINE); + if (err) +- return err; ++ { ++ grub_free (newmod->cmdline); ++ grub_free (newmod); ++ return err; ++ } + + if (modules_last) + modules_last->next = newmod; +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0015-tftp-Do-not-use-priority-queue.patch b/buildroot/boot/grub2/0015-tftp-Do-not-use-priority-queue.patch new file mode 100644 index 000000000..833606bef --- /dev/null +++ b/buildroot/boot/grub2/0015-tftp-Do-not-use-priority-queue.patch @@ -0,0 +1,283 @@ +From b6c4a1b204740fe52b32e7f530831a59f4038e20 Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Thu, 9 Jul 2020 08:10:40 +0000 +Subject: [PATCH] tftp: Do not use priority queue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There is not need to reassemble the order of blocks. Per RFC 1350, +server must wait for the ACK, before sending next block. Data packets +can be served immediately without putting them to priority queue. + +Logic to handle incoming packet is this: + - if packet block id equal to expected block id, then + process the packet, + - if packet block id is less than expected - this is retransmit + of old packet, then ACK it and drop the packet, + - if packet block id is more than expected - that shouldn't + happen, just drop the packet. + +It makes the tftp receive path code simpler, smaller and faster. +As a benefit, this change fixes CID# 73624 and CID# 96690, caused +by following while loop: + + while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0) + +where tftph pointer is not moving from one iteration to another, causing +to serve same packet again. Luckily, double serving didn't happen due to +data->block++ during the first iteration. + +Fixes: CID 73624, CID 96690 + +Signed-off-by: Alexey Makhalov +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/net/tftp.c | 168 ++++++++++++++----------------------------- + 1 file changed, 53 insertions(+), 115 deletions(-) + +diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c +index 7d90bf66e..b4297bc8d 100644 +--- a/grub-core/net/tftp.c ++++ b/grub-core/net/tftp.c +@@ -25,7 +25,6 @@ + #include + #include + #include +-#include + #include + + GRUB_MOD_LICENSE ("GPLv3+"); +@@ -106,31 +105,8 @@ typedef struct tftp_data + int have_oack; + struct grub_error_saved save_err; + grub_net_udp_socket_t sock; +- grub_priority_queue_t pq; + } *tftp_data_t; + +-static int +-cmp_block (grub_uint16_t a, grub_uint16_t b) +-{ +- grub_int16_t i = (grub_int16_t) (a - b); +- if (i > 0) +- return +1; +- if (i < 0) +- return -1; +- return 0; +-} +- +-static int +-cmp (const void *a__, const void *b__) +-{ +- struct grub_net_buff *a_ = *(struct grub_net_buff **) a__; +- struct grub_net_buff *b_ = *(struct grub_net_buff **) b__; +- struct tftphdr *a = (struct tftphdr *) a_->data; +- struct tftphdr *b = (struct tftphdr *) b_->data; +- /* We want the first elements to be on top. */ +- return -cmp_block (grub_be_to_cpu16 (a->u.data.block), grub_be_to_cpu16 (b->u.data.block)); +-} +- + static grub_err_t + ack (tftp_data_t data, grub_uint64_t block) + { +@@ -207,73 +183,60 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)), + return GRUB_ERR_NONE; + } + +- err = grub_priority_queue_push (data->pq, &nb); +- if (err) +- return err; +- +- { +- struct grub_net_buff **nb_top_p, *nb_top; +- while (1) +- { +- nb_top_p = grub_priority_queue_top (data->pq); +- if (!nb_top_p) +- return GRUB_ERR_NONE; +- nb_top = *nb_top_p; +- tftph = (struct tftphdr *) nb_top->data; +- if (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) >= 0) +- break; +- ack (data, grub_be_to_cpu16 (tftph->u.data.block)); +- grub_netbuff_free (nb_top); +- grub_priority_queue_pop (data->pq); +- } +- while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0) +- { +- unsigned size; +- +- grub_priority_queue_pop (data->pq); +- +- if (file->device->net->packs.count < 50) ++ /* Ack old/retransmitted block. */ ++ if (grub_be_to_cpu16 (tftph->u.data.block) < data->block + 1) ++ ack (data, grub_be_to_cpu16 (tftph->u.data.block)); ++ /* Ignore unexpected block. */ ++ else if (grub_be_to_cpu16 (tftph->u.data.block) > data->block + 1) ++ grub_dprintf ("tftp", "TFTP unexpected block # %d\n", tftph->u.data.block); ++ else ++ { ++ unsigned size; ++ ++ if (file->device->net->packs.count < 50) ++ { + err = ack (data, data->block + 1); +- else +- { +- file->device->net->stall = 1; +- err = 0; +- } +- if (err) +- return err; +- +- err = grub_netbuff_pull (nb_top, sizeof (tftph->opcode) + +- sizeof (tftph->u.data.block)); +- if (err) +- return err; +- size = nb_top->tail - nb_top->data; +- +- data->block++; +- if (size < data->block_size) +- { +- if (data->ack_sent < data->block) +- ack (data, data->block); +- file->device->net->eof = 1; +- file->device->net->stall = 1; +- grub_net_udp_close (data->sock); +- data->sock = NULL; +- } +- /* Prevent garbage in broken cards. Is it still necessary +- given that IP implementation has been fixed? +- */ +- if (size > data->block_size) +- { +- err = grub_netbuff_unput (nb_top, size - data->block_size); +- if (err) +- return err; +- } +- /* If there is data, puts packet in socket list. */ +- if ((nb_top->tail - nb_top->data) > 0) +- grub_net_put_packet (&file->device->net->packs, nb_top); +- else +- grub_netbuff_free (nb_top); +- } +- } ++ if (err) ++ return err; ++ } ++ else ++ file->device->net->stall = 1; ++ ++ err = grub_netbuff_pull (nb, sizeof (tftph->opcode) + ++ sizeof (tftph->u.data.block)); ++ if (err) ++ return err; ++ size = nb->tail - nb->data; ++ ++ data->block++; ++ if (size < data->block_size) ++ { ++ if (data->ack_sent < data->block) ++ ack (data, data->block); ++ file->device->net->eof = 1; ++ file->device->net->stall = 1; ++ grub_net_udp_close (data->sock); ++ data->sock = NULL; ++ } ++ /* ++ * Prevent garbage in broken cards. Is it still necessary ++ * given that IP implementation has been fixed? ++ */ ++ if (size > data->block_size) ++ { ++ err = grub_netbuff_unput (nb, size - data->block_size); ++ if (err) ++ return err; ++ } ++ /* If there is data, puts packet in socket list. */ ++ if ((nb->tail - nb->data) > 0) ++ { ++ grub_net_put_packet (&file->device->net->packs, nb); ++ /* Do not free nb. */ ++ return GRUB_ERR_NONE; ++ } ++ } ++ grub_netbuff_free (nb); + return GRUB_ERR_NONE; + case TFTP_ERROR: + data->have_oack = 1; +@@ -287,19 +250,6 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)), + } + } + +-static void +-destroy_pq (tftp_data_t data) +-{ +- struct grub_net_buff **nb_p; +- while ((nb_p = grub_priority_queue_top (data->pq))) +- { +- grub_netbuff_free (*nb_p); +- grub_priority_queue_pop (data->pq); +- } +- +- grub_priority_queue_destroy (data->pq); +-} +- + static grub_err_t + tftp_open (struct grub_file *file, const char *filename) + { +@@ -372,17 +322,9 @@ tftp_open (struct grub_file *file, const char *filename) + file->not_easily_seekable = 1; + file->data = data; + +- data->pq = grub_priority_queue_new (sizeof (struct grub_net_buff *), cmp); +- if (!data->pq) +- { +- grub_free (data); +- return grub_errno; +- } +- + err = grub_net_resolve_address (file->device->net->server, &addr); + if (err) + { +- destroy_pq (data); + grub_free (data); + return err; + } +@@ -392,7 +334,6 @@ tftp_open (struct grub_file *file, const char *filename) + file); + if (!data->sock) + { +- destroy_pq (data); + grub_free (data); + return grub_errno; + } +@@ -406,7 +347,6 @@ tftp_open (struct grub_file *file, const char *filename) + if (err) + { + grub_net_udp_close (data->sock); +- destroy_pq (data); + grub_free (data); + return err; + } +@@ -423,7 +363,6 @@ tftp_open (struct grub_file *file, const char *filename) + if (grub_errno) + { + grub_net_udp_close (data->sock); +- destroy_pq (data); + grub_free (data); + return grub_errno; + } +@@ -466,7 +405,6 @@ tftp_close (struct grub_file *file) + grub_print_error (); + grub_net_udp_close (data->sock); + } +- destroy_pq (data); + grub_free (data); + return GRUB_ERR_NONE; + } +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch b/buildroot/boot/grub2/0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch new file mode 100644 index 000000000..293b9f89b --- /dev/null +++ b/buildroot/boot/grub2/0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch @@ -0,0 +1,153 @@ +From 1c7b619c84f229c1602c1958bcd054b6d9937562 Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Wed, 15 Jul 2020 06:42:37 +0000 +Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr() + input args against integer underflow/overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use arithmetic macros from safemath.h to accomplish it. In this commit, +I didn't want to be too paranoid to check every possible math equation +for overflow/underflow. Only obvious places (with non zero chance of +overflow/underflow) were refactored. + +Signed-off-by: Alexey Makhalov +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/loader/i386/linux.c | 9 +++++++-- + grub-core/loader/i386/pc/linux.c | 9 +++++++-- + grub-core/loader/i386/xen.c | 12 ++++++++++-- + grub-core/loader/xnu.c | 11 +++++++---- + 4 files changed, 31 insertions(+), 10 deletions(-) + +diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c +index d0501e229..02a73463a 100644 +--- a/grub-core/loader/i386/linux.c ++++ b/grub-core/loader/i386/linux.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -547,9 +548,13 @@ grub_linux_boot (void) + + { + grub_relocator_chunk_t ch; ++ grub_size_t sz; ++ ++ if (grub_add (ctx.real_size, efi_mmap_size, &sz)) ++ return GRUB_ERR_OUT_OF_RANGE; ++ + err = grub_relocator_alloc_chunk_addr (relocator, &ch, +- ctx.real_mode_target, +- (ctx.real_size + efi_mmap_size)); ++ ctx.real_mode_target, sz); + if (err) + return err; + real_mode_mem = get_virtual_current_address (ch); +diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c +index 47ea2945e..31f09922b 100644 +--- a/grub-core/loader/i386/pc/linux.c ++++ b/grub-core/loader/i386/pc/linux.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -218,8 +219,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + setup_sects = GRUB_LINUX_DEFAULT_SETUP_SECTS; + + real_size = setup_sects << GRUB_DISK_SECTOR_BITS; +- grub_linux16_prot_size = grub_file_size (file) +- - real_size - GRUB_DISK_SECTOR_SIZE; ++ if (grub_sub (grub_file_size (file), real_size, &grub_linux16_prot_size) || ++ grub_sub (grub_linux16_prot_size, GRUB_DISK_SECTOR_SIZE, &grub_linux16_prot_size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ goto fail; ++ } + + if (! grub_linux_is_bzimage + && GRUB_LINUX_ZIMAGE_ADDR + grub_linux16_prot_size +diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c +index 8f662c8ac..cd24874ca 100644 +--- a/grub-core/loader/i386/xen.c ++++ b/grub-core/loader/i386/xen.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -636,6 +637,7 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)), + grub_relocator_chunk_t ch; + grub_addr_t kern_start; + grub_addr_t kern_end; ++ grub_size_t sz; + + if (argc == 0) + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected")); +@@ -703,8 +705,14 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)), + + xen_state.max_addr = ALIGN_UP (kern_end, PAGE_SIZE); + +- err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, +- kern_end - kern_start); ++ ++ if (grub_sub (kern_end, kern_start, &sz)) ++ { ++ err = GRUB_ERR_OUT_OF_RANGE; ++ goto fail; ++ } ++ ++ err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, sz); + if (err) + goto fail; + kern_chunk_src = get_virtual_current_address (ch); +diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c +index 77d7060e1..9ae4ceb35 100644 +--- a/grub-core/loader/xnu.c ++++ b/grub-core/loader/xnu.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -59,15 +60,17 @@ grub_xnu_heap_malloc (int size, void **src, grub_addr_t *target) + { + grub_err_t err; + grub_relocator_chunk_t ch; ++ grub_addr_t tgt; ++ ++ if (grub_add (grub_xnu_heap_target_start, grub_xnu_heap_size, &tgt)) ++ return GRUB_ERR_OUT_OF_RANGE; + +- err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, +- grub_xnu_heap_target_start +- + grub_xnu_heap_size, size); ++ err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, tgt, size); + if (err) + return err; + + *src = get_virtual_current_address (ch); +- *target = grub_xnu_heap_target_start + grub_xnu_heap_size; ++ *target = tgt; + grub_xnu_heap_size += size; + grub_dprintf ("xnu", "val=%p\n", *src); + return GRUB_ERR_NONE; +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch b/buildroot/boot/grub2/0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch new file mode 100644 index 000000000..e04e72aba --- /dev/null +++ b/buildroot/boot/grub2/0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch @@ -0,0 +1,341 @@ +From 0cfbbca3ccd84d36ffb1bcd6644ada7c73b19fc0 Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Wed, 8 Jul 2020 01:44:38 +0000 +Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_align() + max_addr against integer underflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This commit introduces integer underflow mitigation in max_addr calculation +in grub_relocator_alloc_chunk_align() invocation. + +It consists of 2 fixes: + 1. Introduced grub_relocator_alloc_chunk_align_safe() wrapper function to perform + sanity check for min/max and size values, and to make safe invocation of + grub_relocator_alloc_chunk_align() with validated max_addr value. Replace all + invocations such as grub_relocator_alloc_chunk_align(..., min_addr, max_addr - size, size, ...) + by grub_relocator_alloc_chunk_align_safe(..., min_addr, max_addr, size, ...). + 2. Introduced UP_TO_TOP32(s) macro for the cases where max_addr is 32-bit top + address (0xffffffff - size + 1) or similar. + +Signed-off-by: Alexey Makhalov +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/lib/i386/relocator.c | 28 ++++++++++---------------- + grub-core/lib/mips/relocator.c | 6 ++---- + grub-core/lib/powerpc/relocator.c | 6 ++---- + grub-core/lib/x86_64/efi/relocator.c | 7 +++---- + grub-core/loader/i386/linux.c | 5 ++--- + grub-core/loader/i386/multiboot_mbi.c | 7 +++---- + grub-core/loader/i386/pc/linux.c | 6 ++---- + grub-core/loader/mips/linux.c | 9 +++------ + grub-core/loader/multiboot.c | 2 +- + grub-core/loader/multiboot_elfxx.c | 10 ++++----- + grub-core/loader/multiboot_mbi2.c | 10 ++++----- + grub-core/loader/xnu_resume.c | 2 +- + include/grub/relocator.h | 29 +++++++++++++++++++++++++++ + 13 files changed, 69 insertions(+), 58 deletions(-) + +diff --git a/grub-core/lib/i386/relocator.c b/grub-core/lib/i386/relocator.c +index 71dd4f0ab..34cbe834f 100644 +--- a/grub-core/lib/i386/relocator.c ++++ b/grub-core/lib/i386/relocator.c +@@ -83,11 +83,10 @@ grub_relocator32_boot (struct grub_relocator *rel, + /* Specific memory range due to Global Descriptor Table for use by payload + that we will store in returned chunk. The address range and preference + are based on "THE LINUX/x86 BOOT PROTOCOL" specification. */ +- err = grub_relocator_alloc_chunk_align (rel, &ch, 0x1000, +- 0x9a000 - RELOCATOR_SIZEOF (32), +- RELOCATOR_SIZEOF (32), 16, +- GRUB_RELOCATOR_PREFERENCE_LOW, +- avoid_efi_bootservices); ++ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0x1000, 0x9a000, ++ RELOCATOR_SIZEOF (32), 16, ++ GRUB_RELOCATOR_PREFERENCE_LOW, ++ avoid_efi_bootservices); + if (err) + return err; + +@@ -125,13 +124,10 @@ grub_relocator16_boot (struct grub_relocator *rel, + grub_relocator_chunk_t ch; + + /* Put it higher than the byte it checks for A20 check. */ +- err = grub_relocator_alloc_chunk_align (rel, &ch, 0x8010, +- 0xa0000 - RELOCATOR_SIZEOF (16) +- - GRUB_RELOCATOR16_STACK_SIZE, +- RELOCATOR_SIZEOF (16) +- + GRUB_RELOCATOR16_STACK_SIZE, 16, +- GRUB_RELOCATOR_PREFERENCE_NONE, +- 0); ++ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0x8010, 0xa0000, ++ RELOCATOR_SIZEOF (16) + ++ GRUB_RELOCATOR16_STACK_SIZE, 16, ++ GRUB_RELOCATOR_PREFERENCE_NONE, 0); + if (err) + return err; + +@@ -183,11 +179,9 @@ grub_relocator64_boot (struct grub_relocator *rel, + void *relst; + grub_relocator_chunk_t ch; + +- err = grub_relocator_alloc_chunk_align (rel, &ch, min_addr, +- max_addr - RELOCATOR_SIZEOF (64), +- RELOCATOR_SIZEOF (64), 16, +- GRUB_RELOCATOR_PREFERENCE_NONE, +- 0); ++ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, min_addr, max_addr, ++ RELOCATOR_SIZEOF (64), 16, ++ GRUB_RELOCATOR_PREFERENCE_NONE, 0); + if (err) + return err; + +diff --git a/grub-core/lib/mips/relocator.c b/grub-core/lib/mips/relocator.c +index 9d5f49cb9..743b213e6 100644 +--- a/grub-core/lib/mips/relocator.c ++++ b/grub-core/lib/mips/relocator.c +@@ -120,10 +120,8 @@ grub_relocator32_boot (struct grub_relocator *rel, + unsigned i; + grub_addr_t vtarget; + +- err = grub_relocator_alloc_chunk_align (rel, &ch, 0, +- (0xffffffff - stateset_size) +- + 1, stateset_size, +- sizeof (grub_uint32_t), ++ err = grub_relocator_alloc_chunk_align (rel, &ch, 0, UP_TO_TOP32 (stateset_size), ++ stateset_size, sizeof (grub_uint32_t), + GRUB_RELOCATOR_PREFERENCE_NONE, 0); + if (err) + return err; +diff --git a/grub-core/lib/powerpc/relocator.c b/grub-core/lib/powerpc/relocator.c +index bdf2b111b..8ffb8b686 100644 +--- a/grub-core/lib/powerpc/relocator.c ++++ b/grub-core/lib/powerpc/relocator.c +@@ -115,10 +115,8 @@ grub_relocator32_boot (struct grub_relocator *rel, + unsigned i; + grub_relocator_chunk_t ch; + +- err = grub_relocator_alloc_chunk_align (rel, &ch, 0, +- (0xffffffff - stateset_size) +- + 1, stateset_size, +- sizeof (grub_uint32_t), ++ err = grub_relocator_alloc_chunk_align (rel, &ch, 0, UP_TO_TOP32 (stateset_size), ++ stateset_size, sizeof (grub_uint32_t), + GRUB_RELOCATOR_PREFERENCE_NONE, 0); + if (err) + return err; +diff --git a/grub-core/lib/x86_64/efi/relocator.c b/grub-core/lib/x86_64/efi/relocator.c +index 3caef7a40..7d200a125 100644 +--- a/grub-core/lib/x86_64/efi/relocator.c ++++ b/grub-core/lib/x86_64/efi/relocator.c +@@ -50,10 +50,9 @@ grub_relocator64_efi_boot (struct grub_relocator *rel, + * 64-bit relocator code may live above 4 GiB quite well. + * However, I do not want ask for problems. Just in case. + */ +- err = grub_relocator_alloc_chunk_align (rel, &ch, 0, +- 0x100000000 - RELOCATOR_SIZEOF (64_efi), +- RELOCATOR_SIZEOF (64_efi), 16, +- GRUB_RELOCATOR_PREFERENCE_NONE, 1); ++ err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0, 0x100000000, ++ RELOCATOR_SIZEOF (64_efi), 16, ++ GRUB_RELOCATOR_PREFERENCE_NONE, 1); + if (err) + return err; + +diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c +index 02a73463a..efbb99307 100644 +--- a/grub-core/loader/i386/linux.c ++++ b/grub-core/loader/i386/linux.c +@@ -181,9 +181,8 @@ allocate_pages (grub_size_t prot_size, grub_size_t *align, + for (; err && *align + 1 > min_align; (*align)--) + { + grub_errno = GRUB_ERR_NONE; +- err = grub_relocator_alloc_chunk_align (relocator, &ch, +- 0x1000000, +- 0xffffffff & ~prot_size, ++ err = grub_relocator_alloc_chunk_align (relocator, &ch, 0x1000000, ++ UP_TO_TOP32 (prot_size), + prot_size, 1 << *align, + GRUB_RELOCATOR_PREFERENCE_LOW, + 1); +diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c +index ad3cc292f..a67d9d0a8 100644 +--- a/grub-core/loader/i386/multiboot_mbi.c ++++ b/grub-core/loader/i386/multiboot_mbi.c +@@ -466,10 +466,9 @@ grub_multiboot_make_mbi (grub_uint32_t *target) + + bufsize = grub_multiboot_get_mbi_size (); + +- err = grub_relocator_alloc_chunk_align (grub_multiboot_relocator, &ch, +- 0x10000, 0xa0000 - bufsize, +- bufsize, 4, +- GRUB_RELOCATOR_PREFERENCE_NONE, 0); ++ err = grub_relocator_alloc_chunk_align_safe (grub_multiboot_relocator, &ch, ++ 0x10000, 0xa0000, bufsize, 4, ++ GRUB_RELOCATOR_PREFERENCE_NONE, 0); + if (err) + return err; + ptrorig = get_virtual_current_address (ch); +diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c +index 31f09922b..5fed5ffdf 100644 +--- a/grub-core/loader/i386/pc/linux.c ++++ b/grub-core/loader/i386/pc/linux.c +@@ -453,10 +453,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), + + { + grub_relocator_chunk_t ch; +- err = grub_relocator_alloc_chunk_align (relocator, &ch, +- addr_min, addr_max - size, +- size, 0x1000, +- GRUB_RELOCATOR_PREFERENCE_HIGH, 0); ++ err = grub_relocator_alloc_chunk_align_safe (relocator, &ch, addr_min, addr_max, size, ++ 0x1000, GRUB_RELOCATOR_PREFERENCE_HIGH, 0); + if (err) + return err; + initrd_chunk = get_virtual_current_address (ch); +diff --git a/grub-core/loader/mips/linux.c b/grub-core/loader/mips/linux.c +index 7b723bf18..e4ed95921 100644 +--- a/grub-core/loader/mips/linux.c ++++ b/grub-core/loader/mips/linux.c +@@ -442,12 +442,9 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), + { + grub_relocator_chunk_t ch; + +- err = grub_relocator_alloc_chunk_align (relocator, &ch, +- (target_addr & 0x1fffffff) +- + linux_size + 0x10000, +- (0x10000000 - size), +- size, 0x10000, +- GRUB_RELOCATOR_PREFERENCE_NONE, 0); ++ err = grub_relocator_alloc_chunk_align_safe (relocator, &ch, (target_addr & 0x1fffffff) + ++ linux_size + 0x10000, 0x10000000, size, ++ 0x10000, GRUB_RELOCATOR_PREFERENCE_NONE, 0); + + if (err) + goto fail; +diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c +index 4a98d7082..facb13f3d 100644 +--- a/grub-core/loader/multiboot.c ++++ b/grub-core/loader/multiboot.c +@@ -403,7 +403,7 @@ grub_cmd_module (grub_command_t cmd __attribute__ ((unused)), + { + grub_relocator_chunk_t ch; + err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch, +- lowest_addr, (0xffffffff - size) + 1, ++ lowest_addr, UP_TO_TOP32 (size), + size, MULTIBOOT_MOD_ALIGN, + GRUB_RELOCATOR_PREFERENCE_NONE, 1); + if (err) +diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c +index cc6853692..f2318e0d1 100644 +--- a/grub-core/loader/multiboot_elfxx.c ++++ b/grub-core/loader/multiboot_elfxx.c +@@ -109,10 +109,10 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld) + if (load_size > mld->max_addr || mld->min_addr > mld->max_addr - load_size) + return grub_error (GRUB_ERR_BAD_OS, "invalid min/max address and/or load size"); + +- err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch, +- mld->min_addr, mld->max_addr - load_size, +- load_size, mld->align ? mld->align : 1, +- mld->preference, mld->avoid_efi_boot_services); ++ err = grub_relocator_alloc_chunk_align_safe (GRUB_MULTIBOOT (relocator), &ch, ++ mld->min_addr, mld->max_addr, ++ load_size, mld->align ? mld->align : 1, ++ mld->preference, mld->avoid_efi_boot_services); + + if (err) + { +@@ -256,7 +256,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld) + continue; + + err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch, 0, +- (0xffffffff - sh->sh_size) + 1, ++ UP_TO_TOP32 (sh->sh_size), + sh->sh_size, sh->sh_addralign, + GRUB_RELOCATOR_PREFERENCE_NONE, + mld->avoid_efi_boot_services); +diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c +index 0efc66062..03967839c 100644 +--- a/grub-core/loader/multiboot_mbi2.c ++++ b/grub-core/loader/multiboot_mbi2.c +@@ -295,10 +295,10 @@ grub_multiboot2_load (grub_file_t file, const char *filename) + return grub_error (GRUB_ERR_BAD_OS, "invalid min/max address and/or load size"); + } + +- err = grub_relocator_alloc_chunk_align (grub_multiboot2_relocator, &ch, +- mld.min_addr, mld.max_addr - code_size, +- code_size, mld.align ? mld.align : 1, +- mld.preference, keep_bs); ++ err = grub_relocator_alloc_chunk_align_safe (grub_multiboot2_relocator, &ch, ++ mld.min_addr, mld.max_addr, ++ code_size, mld.align ? mld.align : 1, ++ mld.preference, keep_bs); + } + else + err = grub_relocator_alloc_chunk_addr (grub_multiboot2_relocator, +@@ -708,7 +708,7 @@ grub_multiboot2_make_mbi (grub_uint32_t *target) + COMPILE_TIME_ASSERT (MULTIBOOT_TAG_ALIGN % sizeof (grub_properly_aligned_t) == 0); + + err = grub_relocator_alloc_chunk_align (grub_multiboot2_relocator, &ch, +- 0, 0xffffffff - bufsize, ++ 0, UP_TO_TOP32 (bufsize), + bufsize, MULTIBOOT_TAG_ALIGN, + GRUB_RELOCATOR_PREFERENCE_NONE, 1); + if (err) +diff --git a/grub-core/loader/xnu_resume.c b/grub-core/loader/xnu_resume.c +index 8089804d4..d648ef0cd 100644 +--- a/grub-core/loader/xnu_resume.c ++++ b/grub-core/loader/xnu_resume.c +@@ -129,7 +129,7 @@ grub_xnu_resume (char *imagename) + { + grub_relocator_chunk_t ch; + err = grub_relocator_alloc_chunk_align (grub_xnu_relocator, &ch, 0, +- (0xffffffff - hibhead.image_size) + 1, ++ UP_TO_TOP32 (hibhead.image_size), + hibhead.image_size, + GRUB_XNU_PAGESIZE, + GRUB_RELOCATOR_PREFERENCE_NONE, 0); +diff --git a/include/grub/relocator.h b/include/grub/relocator.h +index 24d8672d2..1b3bdd92a 100644 +--- a/include/grub/relocator.h ++++ b/include/grub/relocator.h +@@ -49,6 +49,35 @@ grub_relocator_alloc_chunk_align (struct grub_relocator *rel, + int preference, + int avoid_efi_boot_services); + ++/* ++ * Wrapper for grub_relocator_alloc_chunk_align() with purpose of ++ * protecting against integer underflow. ++ * ++ * Compare to its callee, max_addr has different meaning here. ++ * It covers entire chunk and not just start address of the chunk. ++ */ ++static inline grub_err_t ++grub_relocator_alloc_chunk_align_safe (struct grub_relocator *rel, ++ grub_relocator_chunk_t *out, ++ grub_phys_addr_t min_addr, ++ grub_phys_addr_t max_addr, ++ grub_size_t size, grub_size_t align, ++ int preference, ++ int avoid_efi_boot_services) ++{ ++ /* Sanity check and ensure following equation (max_addr - size) is safe. */ ++ if (max_addr < size || (max_addr - size) < min_addr) ++ return GRUB_ERR_OUT_OF_RANGE; ++ ++ return grub_relocator_alloc_chunk_align (rel, out, min_addr, ++ max_addr - size, ++ size, align, preference, ++ avoid_efi_boot_services); ++} ++ ++/* Top 32-bit address minus s bytes and plus 1 byte. */ ++#define UP_TO_TOP32(s) ((~(s) & 0xffffffff) + 1) ++ + #define GRUB_RELOCATOR_PREFERENCE_NONE 0 + #define GRUB_RELOCATOR_PREFERENCE_LOW 1 + #define GRUB_RELOCATOR_PREFERENCE_HIGH 2 +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0018-script-Remove-unused-fields-from-grub_script_functio.patch b/buildroot/boot/grub2/0018-script-Remove-unused-fields-from-grub_script_functio.patch new file mode 100644 index 000000000..7b0a5e514 --- /dev/null +++ b/buildroot/boot/grub2/0018-script-Remove-unused-fields-from-grub_script_functio.patch @@ -0,0 +1,37 @@ +From 73aa0776457066ee6ebc93486c3cf0e6b755d1b8 Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Fri, 10 Jul 2020 11:21:14 +0100 +Subject: [PATCH] script: Remove unused fields from grub_script_function + struct +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + include/grub/script_sh.h | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h +index 360c2be1f..b382bcf09 100644 +--- a/include/grub/script_sh.h ++++ b/include/grub/script_sh.h +@@ -359,13 +359,8 @@ struct grub_script_function + /* The script function. */ + struct grub_script *func; + +- /* The flags. */ +- unsigned flags; +- + /* The next element. */ + struct grub_script_function *next; +- +- int references; + }; + typedef struct grub_script_function *grub_script_function_t; + +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/buildroot/boot/grub2/0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch new file mode 100644 index 000000000..0fd60357d --- /dev/null +++ b/buildroot/boot/grub2/0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch @@ -0,0 +1,113 @@ +From 26349fcf80982b4d0120b73b2836e88bcf16853c Mon Sep 17 00:00:00 2001 +From: Chris Coulson +Date: Fri, 10 Jul 2020 14:41:45 +0100 +Subject: [PATCH] script: Avoid a use-after-free when redefining a + function during execution +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Defining a new function with the same name as a previously defined +function causes the grub_script and associated resources for the +previous function to be freed. If the previous function is currently +executing when a function with the same name is defined, this results +in use-after-frees when processing subsequent commands in the original +function. + +Instead, reject a new function definition if it has the same name as +a previously defined function, and that function is currently being +executed. Although a behavioural change, this should be backwards +compatible with existing configurations because they can't be +dependent on the current behaviour without being broken. + +Fixes: CVE-2020-15706 + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/script/execute.c | 2 ++ + grub-core/script/function.c | 16 +++++++++++++--- + grub-core/script/parser.y | 3 ++- + include/grub/script_sh.h | 2 ++ + 4 files changed, 19 insertions(+), 4 deletions(-) + +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index c8d6806fe..7e028e135 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args) + old_scope = scope; + scope = &new_scope; + ++ func->executing++; + ret = grub_script_execute (func->func); ++ func->executing--; + + function_return = 0; + active_loops = loops; +diff --git a/grub-core/script/function.c b/grub-core/script/function.c +index d36655e51..3aad04bf9 100644 +--- a/grub-core/script/function.c ++++ b/grub-core/script/function.c +@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, + func = (grub_script_function_t) grub_malloc (sizeof (*func)); + if (! func) + return 0; ++ func->executing = 0; + + func->name = grub_strdup (functionname_arg->str); + if (! func->name) +@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg, + grub_script_function_t q; + + q = *p; +- grub_script_free (q->func); +- q->func = cmd; + grub_free (func); +- func = q; ++ if (q->executing > 0) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, ++ N_("attempt to redefine a function being executed")); ++ func = NULL; ++ } ++ else ++ { ++ grub_script_free (q->func); ++ q->func = cmd; ++ func = q; ++ } + } + else + { +diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y +index 4f0ab8319..f80b86b6f 100644 +--- a/grub-core/script/parser.y ++++ b/grub-core/script/parser.y +@@ -289,7 +289,8 @@ function: "function" "name" + grub_script_mem_free (state->func_mem); + else { + script->children = state->scripts; +- grub_script_function_create ($2, script); ++ if (!grub_script_function_create ($2, script)) ++ grub_script_free (script); + } + + state->scripts = $3; +diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h +index b382bcf09..6c48e0751 100644 +--- a/include/grub/script_sh.h ++++ b/include/grub/script_sh.h +@@ -361,6 +361,8 @@ struct grub_script_function + + /* The next element. */ + struct grub_script_function *next; ++ ++ unsigned executing; + }; + typedef struct grub_script_function *grub_script_function_t; + +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch b/buildroot/boot/grub2/0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch new file mode 100644 index 000000000..fc518c5f3 --- /dev/null +++ b/buildroot/boot/grub2/0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch @@ -0,0 +1,49 @@ +From 06aa91f79f902752cb7e5d22ac0ea8e13bffd056 Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Fri, 17 Jul 2020 05:17:26 +0000 +Subject: [PATCH] relocator: Fix grub_relocator_alloc_chunk_align() top + memory allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Current implementation of grub_relocator_alloc_chunk_align() +does not allow allocation of the top byte. + +Assuming input args are: + max_addr = 0xfffff000; + size = 0x1000; + +And this is valid. But following overflow protection will +unnecessarily move max_addr one byte down (to 0xffffefff): + if (max_addr > ~size) + max_addr = ~size; + +~size + 1 will fix the situation. In addition, check size +for non zero to do not zero max_addr. + +Signed-off-by: Alexey Makhalov +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/lib/relocator.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c +index 5847aac36..f2c1944c2 100644 +--- a/grub-core/lib/relocator.c ++++ b/grub-core/lib/relocator.c +@@ -1386,8 +1386,8 @@ grub_relocator_alloc_chunk_align (struct grub_relocator *rel, + }; + grub_addr_t min_addr2 = 0, max_addr2; + +- if (max_addr > ~size) +- max_addr = ~size; ++ if (size && (max_addr > ~size)) ++ max_addr = ~size + 1; + + #ifdef GRUB_MACHINE_PCBIOS + if (min_addr < 0x1000) +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0021-hfsplus-Fix-two-more-overflows.patch b/buildroot/boot/grub2/0021-hfsplus-Fix-two-more-overflows.patch new file mode 100644 index 000000000..9ea678021 --- /dev/null +++ b/buildroot/boot/grub2/0021-hfsplus-Fix-two-more-overflows.patch @@ -0,0 +1,61 @@ +From feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Sun, 19 Jul 2020 14:43:31 -0400 +Subject: [PATCH] hfsplus: Fix two more overflows +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Both node->size and node->namelen come from the supplied filesystem, +which may be user-supplied. We can't trust them for the math unless we +know they don't overflow. Making sure they go through grub_add() or +grub_calloc() first will give us that. + +Signed-off-by: Peter Jones +Reviewed-by: Darren Kenny +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/fs/hfsplus.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c +index dae43becc..9c4e4c88c 100644 +--- a/grub-core/fs/hfsplus.c ++++ b/grub-core/fs/hfsplus.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node) + { + char *symlink; + grub_ssize_t numread; ++ grub_size_t sz = node->size; + +- symlink = grub_malloc (node->size + 1); ++ if (grub_add (sz, 1, &sz)) ++ return NULL; ++ ++ symlink = grub_malloc (sz); + if (!symlink) + return 0; + +@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg) + if (type == GRUB_FSHELP_UNKNOWN) + return 0; + +- filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen) +- * GRUB_MAX_UTF8_PER_UTF16 + 1); ++ filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen), ++ GRUB_MAX_UTF8_PER_UTF16 + 1); + if (! filename) + return 0; + +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch b/buildroot/boot/grub2/0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch new file mode 100644 index 000000000..ad97ad0b1 --- /dev/null +++ b/buildroot/boot/grub2/0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch @@ -0,0 +1,116 @@ +From a1845e90fc19fb5e904091bad8a378f458798e4a Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Sun, 19 Jul 2020 15:48:20 -0400 +Subject: [PATCH] lvm: Fix two more potential data-dependent alloc + overflows +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It appears to be possible to make a (possibly invalid) lvm PV with +a metadata size field that overflows our type when adding it to the +address we've allocated. Even if it doesn't, it may be possible to do so +with the math using the outcome of that as an operand. Check them both. + +Signed-off-by: Peter Jones +Signed-off-by: Darren Kenny +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 8 deletions(-) + +diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c +index d1df640b3..139fafd47 100644 +--- a/grub-core/disk/lvm.c ++++ b/grub-core/disk/lvm.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #ifdef GRUB_UTIL + #include +@@ -102,10 +103,11 @@ grub_lvm_detect (grub_disk_t disk, + { + grub_err_t err; + grub_uint64_t mda_offset, mda_size; ++ grub_size_t ptr; + char buf[GRUB_LVM_LABEL_SIZE]; + char vg_id[GRUB_LVM_ID_STRLEN+1]; + char pv_id[GRUB_LVM_ID_STRLEN+1]; +- char *metadatabuf, *p, *q, *vgname; ++ char *metadatabuf, *p, *q, *mda_end, *vgname; + struct grub_lvm_label_header *lh = (struct grub_lvm_label_header *) buf; + struct grub_lvm_pv_header *pvh; + struct grub_lvm_disk_locn *dlocn; +@@ -205,19 +207,31 @@ grub_lvm_detect (grub_disk_t disk, + grub_le_to_cpu64 (rlocn->size) - + grub_le_to_cpu64 (mdah->size)); + } +- p = q = metadatabuf + grub_le_to_cpu64 (rlocn->offset); + +- while (*q != ' ' && q < metadatabuf + mda_size) +- q++; +- +- if (q == metadatabuf + mda_size) ++ if (grub_add ((grub_size_t)metadatabuf, ++ (grub_size_t)grub_le_to_cpu64 (rlocn->offset), ++ &ptr)) + { ++ error_parsing_metadata: + #ifdef GRUB_UTIL + grub_util_info ("error parsing metadata"); + #endif + goto fail2; + } + ++ p = q = (char *)ptr; ++ ++ if (grub_add ((grub_size_t)metadatabuf, (grub_size_t)mda_size, &ptr)) ++ goto error_parsing_metadata; ++ ++ mda_end = (char *)ptr; ++ ++ while (*q != ' ' && q < mda_end) ++ q++; ++ ++ if (q == mda_end) ++ goto error_parsing_metadata; ++ + vgname_len = q - p; + vgname = grub_malloc (vgname_len + 1); + if (!vgname) +@@ -367,8 +381,26 @@ grub_lvm_detect (grub_disk_t disk, + { + const char *iptr; + char *optr; +- lv->fullname = grub_malloc (sizeof ("lvm/") - 1 + 2 * vgname_len +- + 1 + 2 * s + 1); ++ ++ /* ++ * This is kind of hard to read with our safe (but rather ++ * baroque) math primatives, but it boils down to: ++ * ++ * sz0 = vgname_len * 2 + 1 + ++ * s * 2 + 1 + ++ * sizeof ("lvm/") - 1; ++ */ ++ grub_size_t sz0 = vgname_len, sz1 = s; ++ ++ if (grub_mul (sz0, 2, &sz0) || ++ grub_add (sz0, 1, &sz0) || ++ grub_mul (sz1, 2, &sz1) || ++ grub_add (sz1, 1, &sz1) || ++ grub_add (sz0, sz1, &sz0) || ++ grub_add (sz0, sizeof ("lvm/") - 1, &sz0)) ++ goto lvs_fail; ++ ++ lv->fullname = grub_malloc (sz0); + if (!lv->fullname) + goto lvs_fail; + +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0023-emu-Make-grub_free-NULL-safe.patch b/buildroot/boot/grub2/0023-emu-Make-grub_free-NULL-safe.patch new file mode 100644 index 000000000..f30e56a8b --- /dev/null +++ b/buildroot/boot/grub2/0023-emu-Make-grub_free-NULL-safe.patch @@ -0,0 +1,38 @@ +From 320e86747a32e4d46d24ee4b64493741c161da50 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Sun, 19 Jul 2020 16:08:08 -0400 +Subject: [PATCH] emu: Make grub_free(NULL) safe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The grub_free() implementation in grub-core/kern/mm.c safely handles +NULL pointers, and code at many places depends on this. We don't know +that the same is true on all host OSes, so we need to handle the same +behavior in grub-emu's implementation. + +Signed-off-by: Peter Jones +Reviewed-by: Darren Kenny +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/kern/emu/mm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c +index 145b01d37..4d1046a21 100644 +--- a/grub-core/kern/emu/mm.c ++++ b/grub-core/kern/emu/mm.c +@@ -60,7 +60,8 @@ grub_zalloc (grub_size_t size) + void + grub_free (void *ptr) + { +- free (ptr); ++ if (ptr) ++ free (ptr); + } + + void * +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch b/buildroot/boot/grub2/0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch new file mode 100644 index 000000000..48b5b8912 --- /dev/null +++ b/buildroot/boot/grub2/0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch @@ -0,0 +1,239 @@ +From c330aa099a38bc5c4d3066954fe35767cc06adb1 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Sun, 19 Jul 2020 16:53:27 -0400 +Subject: [PATCH] efi: Fix some malformed device path arithmetic errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Several places we take the length of a device path and subtract 4 from +it, without ever checking that it's >= 4. There are also cases where +this kind of malformation will result in unpredictable iteration, +including treating the length from one dp node as the type in the next +node. These are all errors, no matter where the data comes from. + +This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which +can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH() +return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when +the length is too small. Additionally, it makes several places in the +code check for and return errors in these cases. + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/kern/efi/efi.c | 64 +++++++++++++++++++++++++----- + grub-core/loader/efi/chainloader.c | 13 +++++- + grub-core/loader/i386/xnu.c | 9 +++-- + include/grub/efi/api.h | 14 ++++--- + 4 files changed, 79 insertions(+), 21 deletions(-) + +diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c +index dc31caa21..c97969a65 100644 +--- a/grub-core/kern/efi/efi.c ++++ b/grub-core/kern/efi/efi.c +@@ -332,7 +332,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0) + + dp = dp0; + +- while (1) ++ while (dp) + { + grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp); + grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp); +@@ -342,9 +342,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0) + if (type == GRUB_EFI_MEDIA_DEVICE_PATH_TYPE + && subtype == GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE) + { +- grub_efi_uint16_t len; +- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4) +- / sizeof (grub_efi_char16_t)); ++ grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp); ++ ++ if (len < 4) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, ++ "malformed EFI Device Path node has length=%d", len); ++ return NULL; ++ } ++ len = (len - 4) / sizeof (grub_efi_char16_t); + filesize += GRUB_MAX_UTF8_PER_UTF16 * len + 2; + } + +@@ -360,7 +366,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0) + if (!name) + return NULL; + +- while (1) ++ while (dp) + { + grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp); + grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp); +@@ -376,8 +382,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0) + + *p++ = '/'; + +- len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4) +- / sizeof (grub_efi_char16_t)); ++ len = GRUB_EFI_DEVICE_PATH_LENGTH (dp); ++ if (len < 4) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, ++ "malformed EFI Device Path node has length=%d", len); ++ return NULL; ++ } ++ ++ len = (len - 4) / sizeof (grub_efi_char16_t); + fp = (grub_efi_file_path_device_path_t *) dp; + /* According to EFI spec Path Name is NULL terminated */ + while (len > 0 && fp->path_name[len - 1] == 0) +@@ -452,7 +465,26 @@ grub_efi_duplicate_device_path (const grub_efi_device_path_t *dp) + ; + p = GRUB_EFI_NEXT_DEVICE_PATH (p)) + { +- total_size += GRUB_EFI_DEVICE_PATH_LENGTH (p); ++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (p); ++ ++ /* ++ * In the event that we find a node that's completely garbage, for ++ * example if we get to 0x7f 0x01 0x02 0x00 ... (EndInstance with a size ++ * of 2), GRUB_EFI_END_ENTIRE_DEVICE_PATH() will be true and ++ * GRUB_EFI_NEXT_DEVICE_PATH() will return NULL, so we won't continue, ++ * and neither should our consumers, but there won't be any error raised ++ * even though the device path is junk. ++ * ++ * This keeps us from passing junk down back to our caller. ++ */ ++ if (len < 4) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, ++ "malformed EFI Device Path node has length=%d", len); ++ return NULL; ++ } ++ ++ total_size += len; + if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (p)) + break; + } +@@ -497,7 +529,7 @@ dump_vendor_path (const char *type, grub_efi_vendor_device_path_t *vendor) + void + grub_efi_print_device_path (grub_efi_device_path_t *dp) + { +- while (1) ++ while (GRUB_EFI_DEVICE_PATH_VALID (dp)) + { + grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp); + grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp); +@@ -909,7 +941,10 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1, + /* Return non-zero. */ + return 1; + +- while (1) ++ if (dp1 == dp2) ++ return 0; ++ ++ while (GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2)) + { + grub_efi_uint8_t type1, type2; + grub_efi_uint8_t subtype1, subtype2; +@@ -945,5 +980,14 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1, + dp2 = (grub_efi_device_path_t *) ((char *) dp2 + len2); + } + ++ /* ++ * There's no "right" answer here, but we probably don't want to call a valid ++ * dp and an invalid dp equal, so pick one way or the other. ++ */ ++ if (GRUB_EFI_DEVICE_PATH_VALID (dp1) && !GRUB_EFI_DEVICE_PATH_VALID (dp2)) ++ return 1; ++ else if (!GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2)) ++ return -1; ++ + return 0; + } +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index daf8c6b54..a8d7b9155 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -156,9 +156,18 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename) + + size = 0; + d = dp; +- while (1) ++ while (d) + { +- size += GRUB_EFI_DEVICE_PATH_LENGTH (d); ++ grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (d); ++ ++ if (len < 4) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, ++ "malformed EFI Device Path node has length=%d", len); ++ return NULL; ++ } ++ ++ size += len; + if ((GRUB_EFI_END_ENTIRE_DEVICE_PATH (d))) + break; + d = GRUB_EFI_NEXT_DEVICE_PATH (d); +diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c +index e9e119259..a70093607 100644 +--- a/grub-core/loader/i386/xnu.c ++++ b/grub-core/loader/i386/xnu.c +@@ -515,14 +515,15 @@ grub_cmd_devprop_load (grub_command_t cmd __attribute__ ((unused)), + + devhead = buf; + buf = devhead + 1; +- dpstart = buf; ++ dp = dpstart = buf; + +- do ++ while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend) + { +- dp = buf; + buf = (char *) buf + GRUB_EFI_DEVICE_PATH_LENGTH (dp); ++ if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp)) ++ break; ++ dp = buf; + } +- while (!GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp) && buf < bufend); + + dev = grub_xnu_devprop_add_device (dpstart, (char *) buf + - (char *) dpstart); +diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h +index addcbfa8f..cf1355a8c 100644 +--- a/include/grub/efi/api.h ++++ b/include/grub/efi/api.h +@@ -625,6 +625,7 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t; + #define GRUB_EFI_DEVICE_PATH_TYPE(dp) ((dp)->type & 0x7f) + #define GRUB_EFI_DEVICE_PATH_SUBTYPE(dp) ((dp)->subtype) + #define GRUB_EFI_DEVICE_PATH_LENGTH(dp) ((dp)->length) ++#define GRUB_EFI_DEVICE_PATH_VALID(dp) ((dp) != NULL && GRUB_EFI_DEVICE_PATH_LENGTH (dp) >= 4) + + /* The End of Device Path nodes. */ + #define GRUB_EFI_END_DEVICE_PATH_TYPE (0xff & 0x7f) +@@ -633,13 +634,16 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t; + #define GRUB_EFI_END_THIS_DEVICE_PATH_SUBTYPE 0x01 + + #define GRUB_EFI_END_ENTIRE_DEVICE_PATH(dp) \ +- (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \ +- && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \ +- == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE)) ++ (!GRUB_EFI_DEVICE_PATH_VALID (dp) || \ ++ (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \ ++ && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \ ++ == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE))) + + #define GRUB_EFI_NEXT_DEVICE_PATH(dp) \ +- ((grub_efi_device_path_t *) ((char *) (dp) \ +- + GRUB_EFI_DEVICE_PATH_LENGTH (dp))) ++ (GRUB_EFI_DEVICE_PATH_VALID (dp) \ ++ ? ((grub_efi_device_path_t *) \ ++ ((char *) (dp) + GRUB_EFI_DEVICE_PATH_LENGTH (dp))) \ ++ : NULL) + + /* Hardware Device Path. */ + #define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE 1 +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch b/buildroot/boot/grub2/0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch new file mode 100644 index 000000000..eb3e0f0e2 --- /dev/null +++ b/buildroot/boot/grub2/0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch @@ -0,0 +1,78 @@ +From fb55bc37dd510911df4eaf649da939f5fafdc7ce Mon Sep 17 00:00:00 2001 +From: Daniel Kiper +Date: Wed, 29 Jul 2020 13:38:31 +0200 +Subject: [PATCH] efi/chainloader: Propagate errors from copy_file_path() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Without any error propagated to the caller, make_file_path() +would then try to advance the invalid device path node with +GRUB_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL +pointer that would subsequently be dereferenced. Hence, propagate +errors from copy_file_path(). + +Signed-off-by: Chris Coulson +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/loader/efi/chainloader.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index a8d7b9155..7b31c3fb9 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -106,7 +106,7 @@ grub_chainloader_boot (void) + return grub_errno; + } + +-static void ++static grub_err_t + copy_file_path (grub_efi_file_path_device_path_t *fp, + const char *str, grub_efi_uint16_t len) + { +@@ -118,7 +118,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp, + + path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name)); + if (!path_name) +- return; ++ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "failed to allocate path buffer"); + + size = grub_utf8_to_utf16 (path_name, len * GRUB_MAX_UTF16_PER_UTF8, + (const grub_uint8_t *) str, len, 0); +@@ -131,6 +131,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp, + fp->path_name[size++] = '\0'; + fp->header.length = size * sizeof (grub_efi_char16_t) + sizeof (*fp); + grub_free (path_name); ++ return GRUB_ERR_NONE; + } + + static grub_efi_device_path_t * +@@ -189,13 +190,19 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename) + d = (grub_efi_device_path_t *) ((char *) file_path + + ((char *) d - (char *) dp)); + grub_efi_print_device_path (d); +- copy_file_path ((grub_efi_file_path_device_path_t *) d, +- dir_start, dir_end - dir_start); ++ if (copy_file_path ((grub_efi_file_path_device_path_t *) d, ++ dir_start, dir_end - dir_start) != GRUB_ERR_NONE) ++ { ++ fail: ++ grub_free (file_path); ++ return 0; ++ } + + /* Fill the file path for the file. */ + d = GRUB_EFI_NEXT_DEVICE_PATH (d); +- copy_file_path ((grub_efi_file_path_device_path_t *) d, +- dir_end + 1, grub_strlen (dir_end + 1)); ++ if (copy_file_path ((grub_efi_file_path_device_path_t *) d, ++ dir_end + 1, grub_strlen (dir_end + 1)) != GRUB_ERR_NONE) ++ goto fail; + + /* Fill the end of device path nodes. */ + d = GRUB_EFI_NEXT_DEVICE_PATH (d); +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0026-efi-Fix-use-after-free-in-halt-reboot-path.patch b/buildroot/boot/grub2/0026-efi-Fix-use-after-free-in-halt-reboot-path.patch new file mode 100644 index 000000000..75dd05d48 --- /dev/null +++ b/buildroot/boot/grub2/0026-efi-Fix-use-after-free-in-halt-reboot-path.patch @@ -0,0 +1,183 @@ +From 8a6d6299efcffd14c1130942195e6c0d9b50cacd Mon Sep 17 00:00:00 2001 +From: Alexey Makhalov +Date: Mon, 20 Jul 2020 23:03:05 +0000 +Subject: [PATCH] efi: Fix use-after-free in halt/reboot path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 92bfc33db984 ("efi: Free malloc regions on exit") +introduced memory freeing in grub_efi_fini(), which is +used not only by exit path but by halt/reboot one as well. +As result of memory freeing, code and data regions used by +modules, such as halt, reboot, acpi (used by halt) also got +freed. After return to module code, CPU executes, filled +by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as +a code. Which leads to #UD exception later. + +grub> halt +!!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!! +RIP - 0000000003F4EC28, CS - 0000000000000038, RFLAGS - 0000000000200246 +RAX - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41 +RBX - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000 +RSI - 00000000064DB768, RDI - 000000000832C5C3 +R8 - 0000000000000002, R9 - 0000000000000000, R10 - 00000000061E2E52 +R11 - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4 +R14 - 0000000003E10D80, R15 - 00000000061E2F60 +DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030 +GS - 0000000000000030, SS - 0000000000000030 +CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000 +CR4 - 0000000000000668, CR8 - 0000000000000000 +DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000 +DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400 +GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000 +IDTR - 0000000007598018 0000000000000FFF, TR - 0000000000000000 +FXSAVE_STATE - 0000000007F0F4C0 + +Proposal here is to continue to free allocated memory for +exit boot services path but keep it for halt/reboot path +as it won't be much security concern here. +Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY +loader flag to be used by efi halt/reboot path. + +Signed-off-by: Alexey Makhalov +Reviewed-by: Darren Kenny +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/kern/arm/efi/init.c | 3 +++ + grub-core/kern/arm64/efi/init.c | 3 +++ + grub-core/kern/efi/efi.c | 3 ++- + grub-core/kern/efi/init.c | 1 - + grub-core/kern/i386/efi/init.c | 9 +++++++-- + grub-core/kern/ia64/efi/init.c | 9 +++++++-- + grub-core/kern/riscv/efi/init.c | 3 +++ + grub-core/lib/efi/halt.c | 3 ++- + include/grub/loader.h | 1 + + 9 files changed, 28 insertions(+), 7 deletions(-) + +diff --git a/grub-core/kern/arm/efi/init.c b/grub-core/kern/arm/efi/init.c +index 06df60e2f..40c3b467f 100644 +--- a/grub-core/kern/arm/efi/init.c ++++ b/grub-core/kern/arm/efi/init.c +@@ -71,4 +71,7 @@ grub_machine_fini (int flags) + efi_call_1 (b->close_event, tmr_evt); + + grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/arm64/efi/init.c b/grub-core/kern/arm64/efi/init.c +index 6224999ec..5010caefd 100644 +--- a/grub-core/kern/arm64/efi/init.c ++++ b/grub-core/kern/arm64/efi/init.c +@@ -57,4 +57,7 @@ grub_machine_fini (int flags) + return; + + grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c +index c97969a65..9cfd88d77 100644 +--- a/grub-core/kern/efi/efi.c ++++ b/grub-core/kern/efi/efi.c +@@ -157,7 +157,8 @@ grub_efi_get_loaded_image (grub_efi_handle_t image_handle) + void + grub_reboot (void) + { +- grub_machine_fini (GRUB_LOADER_FLAG_NORETURN); ++ grub_machine_fini (GRUB_LOADER_FLAG_NORETURN | ++ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY); + efi_call_4 (grub_efi_system_table->runtime_services->reset_system, + GRUB_EFI_RESET_COLD, GRUB_EFI_SUCCESS, 0, NULL); + for (;;) ; +diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c +index 3dfdf2d22..2c31847bf 100644 +--- a/grub-core/kern/efi/init.c ++++ b/grub-core/kern/efi/init.c +@@ -80,5 +80,4 @@ grub_efi_fini (void) + { + grub_efidisk_fini (); + grub_console_fini (); +- grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/i386/efi/init.c b/grub-core/kern/i386/efi/init.c +index da499aba0..deb2eacd8 100644 +--- a/grub-core/kern/i386/efi/init.c ++++ b/grub-core/kern/i386/efi/init.c +@@ -39,6 +39,11 @@ grub_machine_init (void) + void + grub_machine_fini (int flags) + { +- if (flags & GRUB_LOADER_FLAG_NORETURN) +- grub_efi_fini (); ++ if (!(flags & GRUB_LOADER_FLAG_NORETURN)) ++ return; ++ ++ grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/ia64/efi/init.c b/grub-core/kern/ia64/efi/init.c +index b5ecbd091..f1965571b 100644 +--- a/grub-core/kern/ia64/efi/init.c ++++ b/grub-core/kern/ia64/efi/init.c +@@ -70,6 +70,11 @@ grub_machine_init (void) + void + grub_machine_fini (int flags) + { +- if (flags & GRUB_LOADER_FLAG_NORETURN) +- grub_efi_fini (); ++ if (!(flags & GRUB_LOADER_FLAG_NORETURN)) ++ return; ++ ++ grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/kern/riscv/efi/init.c b/grub-core/kern/riscv/efi/init.c +index 7eb1969d0..38795fe67 100644 +--- a/grub-core/kern/riscv/efi/init.c ++++ b/grub-core/kern/riscv/efi/init.c +@@ -73,4 +73,7 @@ grub_machine_fini (int flags) + return; + + grub_efi_fini (); ++ ++ if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY)) ++ grub_efi_memory_fini (); + } +diff --git a/grub-core/lib/efi/halt.c b/grub-core/lib/efi/halt.c +index 5859f0498..29d413641 100644 +--- a/grub-core/lib/efi/halt.c ++++ b/grub-core/lib/efi/halt.c +@@ -28,7 +28,8 @@ + void + grub_halt (void) + { +- grub_machine_fini (GRUB_LOADER_FLAG_NORETURN); ++ grub_machine_fini (GRUB_LOADER_FLAG_NORETURN | ++ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY); + #if !defined(__ia64__) && !defined(__arm__) && !defined(__aarch64__) && \ + !defined(__riscv) + grub_acpi_halt (); +diff --git a/include/grub/loader.h b/include/grub/loader.h +index 7f82a499f..b20864282 100644 +--- a/include/grub/loader.h ++++ b/include/grub/loader.h +@@ -33,6 +33,7 @@ enum + { + GRUB_LOADER_FLAG_NORETURN = 1, + GRUB_LOADER_FLAG_PXE_NOT_UNLOAD = 2, ++ GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY = 4, + }; + + void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void), +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch b/buildroot/boot/grub2/0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch new file mode 100644 index 000000000..823f20556 --- /dev/null +++ b/buildroot/boot/grub2/0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch @@ -0,0 +1,32 @@ +From a2a7464e9f10a677d6f91e1c4fa527d084c22e7c Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 24 Jul 2020 13:57:27 -0400 +Subject: [PATCH] loader/linux: Avoid overflow on initrd size calculation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Peter Jones +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/loader/linux.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c +index 471b214d6..4cd8c20c7 100644 +--- a/grub-core/loader/linux.c ++++ b/grub-core/loader/linux.c +@@ -151,8 +151,7 @@ grub_initrd_init (int argc, char *argv[], + initrd_ctx->nfiles = 0; + initrd_ctx->components = 0; + +- initrd_ctx->components = grub_zalloc (argc +- * sizeof (initrd_ctx->components[0])); ++ initrd_ctx->components = grub_calloc (argc, sizeof (initrd_ctx->components[0])); + if (!initrd_ctx->components) + return grub_errno; + +-- +2.26.2 + diff --git a/buildroot/boot/grub2/0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch b/buildroot/boot/grub2/0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch new file mode 100644 index 000000000..bf6590d8e --- /dev/null +++ b/buildroot/boot/grub2/0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch @@ -0,0 +1,173 @@ +From 0367e7d1b9bac3a78608a672bf6e4ace6a28b964 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sat, 25 Jul 2020 12:15:37 +0100 +Subject: [PATCH] linux: Fix integer overflows in initrd size handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +These could be triggered by a crafted filesystem with very large files. + +Fixes: CVE-2020-15707 + +Signed-off-by: Colin Watson +Reviewed-by: Jan Setje-Eilers +Reviewed-by: Daniel Kiper +Signed-off-by: Stefan Sørensen +--- + grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++----------- + 1 file changed, 54 insertions(+), 20 deletions(-) + +diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c +index 4cd8c20c7..3fe390f17 100644 +--- a/grub-core/loader/linux.c ++++ b/grub-core/loader/linux.c +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + + struct newc_head + { +@@ -98,13 +99,13 @@ free_dir (struct dir *root) + grub_free (root); + } + +-static grub_size_t ++static grub_err_t + insert_dir (const char *name, struct dir **root, +- grub_uint8_t *ptr) ++ grub_uint8_t *ptr, grub_size_t *size) + { + struct dir *cur, **head = root; + const char *cb, *ce = name; +- grub_size_t size = 0; ++ *size = 0; + while (1) + { + for (cb = ce; *cb == '/'; cb++); +@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root, + ptr = make_header (ptr, name, ce - name, + 040777, 0); + } +- size += ALIGN_UP ((ce - (char *) name) +- + sizeof (struct newc_head), 4); ++ if (grub_add (*size, ++ ALIGN_UP ((ce - (char *) name) ++ + sizeof (struct newc_head), 4), ++ size)) ++ { ++ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); ++ grub_free (n->name); ++ grub_free (n); ++ return grub_errno; ++ } + *head = n; + cur = n; + } + root = &cur->next; + } +- return size; ++ return GRUB_ERR_NONE; + } + + grub_err_t +@@ -172,26 +181,33 @@ grub_initrd_init (int argc, char *argv[], + eptr = grub_strchr (ptr, ':'); + if (eptr) + { ++ grub_size_t dir_size, name_len; ++ + initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr); +- if (!initrd_ctx->components[i].newc_name) ++ if (!initrd_ctx->components[i].newc_name || ++ insert_dir (initrd_ctx->components[i].newc_name, &root, 0, ++ &dir_size)) + { + grub_initrd_close (initrd_ctx); + return grub_errno; + } +- initrd_ctx->size +- += ALIGN_UP (sizeof (struct newc_head) +- + grub_strlen (initrd_ctx->components[i].newc_name), +- 4); +- initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name, +- &root, 0); ++ name_len = grub_strlen (initrd_ctx->components[i].newc_name); ++ if (grub_add (initrd_ctx->size, ++ ALIGN_UP (sizeof (struct newc_head) + name_len, 4), ++ &initrd_ctx->size) || ++ grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size)) ++ goto overflow; + newc = 1; + fname = eptr + 1; + } + } + else if (newc) + { +- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head) +- + sizeof ("TRAILER!!!") - 1, 4); ++ if (grub_add (initrd_ctx->size, ++ ALIGN_UP (sizeof (struct newc_head) ++ + sizeof ("TRAILER!!!") - 1, 4), ++ &initrd_ctx->size)) ++ goto overflow; + free_dir (root); + root = 0; + newc = 0; +@@ -207,19 +223,29 @@ grub_initrd_init (int argc, char *argv[], + initrd_ctx->nfiles++; + initrd_ctx->components[i].size + = grub_file_size (initrd_ctx->components[i].file); +- initrd_ctx->size += initrd_ctx->components[i].size; ++ if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size, ++ &initrd_ctx->size)) ++ goto overflow; + } + + if (newc) + { + initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4); +- initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head) +- + sizeof ("TRAILER!!!") - 1, 4); ++ if (grub_add (initrd_ctx->size, ++ ALIGN_UP (sizeof (struct newc_head) ++ + sizeof ("TRAILER!!!") - 1, 4), ++ &initrd_ctx->size)) ++ goto overflow; + free_dir (root); + root = 0; + } + + return GRUB_ERR_NONE; ++ ++ overflow: ++ free_dir (root); ++ grub_initrd_close (initrd_ctx); ++ return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected")); + } + + grub_size_t +@@ -260,8 +286,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, + + if (initrd_ctx->components[i].newc_name) + { +- ptr += insert_dir (initrd_ctx->components[i].newc_name, +- &root, ptr); ++ grub_size_t dir_size; ++ ++ if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr, ++ &dir_size)) ++ { ++ free_dir (root); ++ grub_initrd_close (initrd_ctx); ++ return grub_errno; ++ } ++ ptr += dir_size; + ptr = make_header (ptr, initrd_ctx->components[i].newc_name, + grub_strlen (initrd_ctx->components[i].newc_name), + 0100777, +-- +2.26.2 + diff --git a/buildroot/boot/grub2/grub2.mk b/buildroot/boot/grub2/grub2.mk index f77dc0f9d..5fca2315e 100644 --- a/buildroot/boot/grub2/grub2.mk +++ b/buildroot/boot/grub2/grub2.mk @@ -21,6 +21,17 @@ endef GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF HOST_GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF +# 0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch +GRUB2_IGNORE_CVES += CVE-2020-10713 +# 0005-calloc-Use-calloc-at-most-places.patch +GRUB2_IGNORE_CVES += CVE-2020-14308 +# 0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch +GRUB2_IGNORE_CVES += CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 +# 0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch +GRUB2_IGNORE_CVES += CVE-2020-15706 +# 0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch +GRUB2_IGNORE_CVES += CVE-2020-15707 + ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y) GRUB2_INSTALL_TARGET = YES else diff --git a/buildroot/boot/uboot/uboot.mk b/buildroot/boot/uboot/uboot.mk index 2bfa50779..9cbd81b05 100644 --- a/buildroot/boot/uboot/uboot.mk +++ b/buildroot/boot/uboot/uboot.mk @@ -16,6 +16,7 @@ UBOOT_INSTALL_IMAGES = YES # u-boot 2020.01+ needs make 4.0+ UBOOT_DEPENDENCIES = $(BR2_MAKE_HOST_DEPENDENCY) +UBOOT_MAKE = $(BR2_MAKE) ifeq ($(UBOOT_VERSION),custom) # Handle custom U-Boot tarballs as specified by the configuration @@ -247,7 +248,7 @@ UBOOT_POST_PATCH_HOOKS += UBOOT_FIXUP_LIBFDT_INCLUDE ifeq ($(BR2_TARGET_UBOOT_BUILD_SYSTEM_LEGACY),y) define UBOOT_CONFIGURE_CMDS $(TARGET_CONFIGURE_OPTS) \ - $(BR2_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \ + $(UBOOT_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \ $(UBOOT_BOARD_NAME)_config endef else ifeq ($(BR2_TARGET_UBOOT_BUILD_SYSTEM_KCONFIG),y) @@ -284,7 +285,7 @@ define UBOOT_BUILD_CMDS cp -f $(UBOOT_CUSTOM_DTS_PATH) $(@D)/arch/$(UBOOT_ARCH)/dts/ ) $(TARGET_CONFIGURE_OPTS) \ - $(BR2_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \ + $(UBOOT_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \ $(UBOOT_MAKE_TARGET) $(if $(BR2_TARGET_UBOOT_FORMAT_SD), $(@D)/tools/mxsboot sd $(@D)/u-boot.sb $(@D)/u-boot.sd) diff --git a/buildroot/docs/manual/adding-board-support.txt b/buildroot/docs/manual/adding-board-support.txt index f6d74ae1f..33ed70953 100644 --- a/buildroot/docs/manual/adding-board-support.txt +++ b/buildroot/docs/manual/adding-board-support.txt @@ -10,9 +10,9 @@ that is known to work. You are welcome to add support for other boards to Buildroot too. To do so, you need to create a normal Buildroot configuration that -builds a basic system for the hardware: toolchain, kernel, bootloader, -filesystem and a simple BusyBox-only userspace. No specific package -should be selected: the configuration should be as minimal as +builds a basic system for the hardware: (internal) toolchain, kernel, +bootloader, filesystem and a simple BusyBox-only userspace. No specific +package should be selected: the configuration should be as minimal as possible, and should only build a working basic BusyBox system for the target platform. You can of course use more complicated configurations for your internal projects, but the Buildroot project will only @@ -22,7 +22,17 @@ selections are highly application-specific. Once you have a known working configuration, run +make savedefconfig+. This will generate a minimal +defconfig+ file at the root of the Buildroot source tree. Move this file into the +configs/+ -directory, and rename it +_defconfig+. +directory, and rename it +_defconfig+. If the configuration +is a bit more complicated, it is nice to manually reformat it and +separate it into sections, with a comment before each section. Typical +sections are _Architecture_, _Toolchain options_ (typically just linux +headers version), _Firmware_, _Bootloader_, _Kernel_, and _Filesystem_. + +Always use fixed versions or commit hashes for the different +components, not the "latest" version. For example, set ++BR2_LINUX_KERNEL_CUSTOM_VERSION=y+ and ++BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE+ to the kernel version you tested +with. It is recommended to use as much as possible upstream versions of the Linux kernel and bootloaders, and to use as much as possible default diff --git a/buildroot/docs/manual/adding-packages-cargo.txt b/buildroot/docs/manual/adding-packages-cargo.txt index b6029e1ee..edf698e70 100644 --- a/buildroot/docs/manual/adding-packages-cargo.txt +++ b/buildroot/docs/manual/adding-packages-cargo.txt @@ -47,32 +47,31 @@ package. Let's start with an example: 13: FOO_DEPENDENCIES = host-cargo 14: 15: FOO_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo -16: FOO_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release) -17: -18: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE) -19: -20: FOO_CARGO_OPTS = \ -21: --$(FOO_CARGO_MODE) \ -22: --target=$(RUSTC_TARGET_NAME) \ -23: --manifest-path=$(@D)/Cargo.toml -24: -25: define FOO_BUILD_CMDS -26: $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \ -27: cargo build $(FOO_CARGO_OPTS) -28: endef -29: -30: define FOO_INSTALL_TARGET_CMDS -31: $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \ -32: $(TARGET_DIR)/usr/bin/foo -33: endef -34: -35: $(eval $(generic-package)) +16: +17: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE) +18: +19: FOO_CARGO_OPTS = \ +20: $(if $(BR2_ENABLE_DEBUG),,--release) \ +21: --target=$(RUSTC_TARGET_NAME) \ +22: --manifest-path=$(@D)/Cargo.toml +23: +24: define FOO_BUILD_CMDS +25: $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \ +26: cargo build $(FOO_CARGO_OPTS) +27: endef +28: +29: define FOO_INSTALL_TARGET_CMDS +30: $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \ +31: $(TARGET_DIR)/usr/bin/foo +32: endef +33: +34: $(eval $(generic-package)) -------------------------------- The Makefile starts with the definition of the standard variables for package declaration (lines 7 to 11). -As seen in line 35, it is based on the +As seen in line 34, it is based on the xref:generic-package-tutorial[+generic-package+ infrastructure]. So, it defines the variables required by this particular infrastructure, where Cargo is invoked: diff --git a/buildroot/docs/manual/adding-packages-waf.txt b/buildroot/docs/manual/adding-packages-waf.txt index ffc004c29..101cddf1f 100644 --- a/buildroot/docs/manual/adding-packages-waf.txt +++ b/buildroot/docs/manual/adding-packages-waf.txt @@ -34,7 +34,7 @@ will automatically download the tarball from this location. On line 10, we tell Buildroot what options to enable for libfoo. -On line 11, we tell Buildroot the depednencies of libfoo. +On line 11, we tell Buildroot the dependencies of libfoo. Finally, on line line 13, we invoke the +waf-package+ macro that generates all the Makefile rules that actually allows the diff --git a/buildroot/docs/manual/contribute.txt b/buildroot/docs/manual/contribute.txt index bde7543c2..70d178d00 100644 --- a/buildroot/docs/manual/contribute.txt +++ b/buildroot/docs/manual/contribute.txt @@ -371,6 +371,37 @@ in the following cases: * whenever you feel it will help presenting your work, your choices, the review process, etc. +==== Patches for maintenance branches + +When fixing bugs on a maintenance branch, bugs should be fixed on the +master branch first. The commit log for such a patch may then contain a +post-commit note specifying what branches are affected: + +---- +package/foo: fix stuff + +Signed-off-by: Your Real Name +--- +Backport to: 2020.02.x, 2020.05.x +(2020.08.x not affected as the version was bumped) +---- + +Those changes will then be backported by a maintainer to the affected +branches. + +However, some bugs may apply only to a specific release, for example +because it is using an older version of a package. In that case, patches +should be based off the maintenance branch, and the patch subject prefix +must include the maintenance branch name (for example "[PATCH 2020.02.x]"). +This can be done with the +git format-patch+ flag +--subject-prefix+: + +--------------------- +$ git format-patch --subject-prefix "PATCH 2020.02.x" \ + -M -s -o outgoing origin/2020.02.x +--------------------- + +Then send the patches with +git send-email+, as described above. + ==== Patch revision changelog When improvements are requested, the new revision of each commit diff --git a/buildroot/docs/manual/manual.html b/buildroot/docs/manual/manual.html index aca28363f..87aaa4f27 100644 --- a/buildroot/docs/manual/manual.html +++ b/buildroot/docs/manual/manual.html @@ -1,8 +1,8 @@ -The Buildroot user manual

The Buildroot user manual

Table of Contents

I. Getting started
1. About Buildroot
2. System requirements
2.1. Mandatory packages
2.2. Optional packages
3. Getting Buildroot
4. Buildroot quick start
5. Community resources
II. User guide
6. Buildroot configuration
6.1. Cross-compilation toolchain
6.2. /dev management
6.3. init system
7. Configuration of other components
8. General Buildroot usage
8.1. make tips
8.2. Understanding when a full rebuild is necessary
8.3. Understanding how to rebuild packages
8.4. Offline builds
8.5. Building out-of-tree
8.6. Environment variables
8.7. Dealing efficiently with filesystem images
8.8. Graphing the dependencies between packages
8.9. Graphing the build duration
8.10. Graphing the filesystem size contribution of packages
8.11. Top-level parallel build
8.12. Integration with Eclipse
8.13. Advanced usage
9. Project-specific customization
9.1. Recommended directory structure
9.2. Keeping customizations outside of Buildroot
9.3. Storing the Buildroot configuration
9.4. Storing the configuration of other components
9.5. Customizing the generated target filesystem
9.6. Adding custom user accounts
9.7. Customization after the images have been created
9.8. Adding project-specific patches
9.9. Adding project-specific packages
9.10. Quick guide to storing your project-specific customizations
10. Frequently Asked Questions & Troubleshooting
10.1. The boot hangs after Starting network…
10.2. Why is there no compiler on the target?
10.3. Why are there no development files on the target?
10.4. Why is there no documentation on the target?
10.5. Why are some packages not visible in the Buildroot config menu?
10.6. Why not use the target directory as a chroot directory?
10.7. Why doesn’t Buildroot generate binary packages (.deb, .ipkg…)?
10.8. How to speed-up the build process?
11. Known issues
12. Legal notice and licensing
12.1. Complying with open source licenses
12.2. Complying with the Buildroot license
13. Beyond Buildroot
13.1. Boot the generated images
13.2. Chroot
III. Developer guide
14. How Buildroot works
15. Coding style
15.1. Config.in file
15.2. The .mk file
15.3. The documentation
15.4. Support scripts
16. Adding support for a particular board
17. Adding new packages to Buildroot
17.1. Package directory
17.2. Config files
17.3. The .mk file
17.4. The .hash file
17.5. Infrastructure for packages with specific build systems
17.6. Infrastructure for autotools-based packages
17.7. Infrastructure for CMake-based packages
17.8. Infrastructure for Python packages
17.9. Infrastructure for LuaRocks-based packages
17.10. Infrastructure for Perl/CPAN packages
17.11. Infrastructure for virtual packages
17.12. Infrastructure for packages using kconfig for configuration files
17.13. Infrastructure for rebar-based packages
17.14. Infrastructure for Waf-based packages
17.15. Infrastructure for Meson-based packages
17.16. Integration of Cargo-based packages
17.17. Infrastructure for Go packages
17.18. Infrastructure for packages building kernel modules
17.19. Infrastructure for asciidoc documents
17.20. Infrastructure specific to the Linux kernel package
17.21. Hooks available in the various build steps
17.22. Gettext integration and interaction with packages
17.23. Tips and tricks
17.24. Conclusion
18. Patching a package
18.1. Providing patches
18.2. How patches are applied
18.3. Format and licensing of the package patches
18.4. Integrating patches found on the Web
19. Download infrastructure
20. Debugging Buildroot
21. Contributing to Buildroot
21.1. Reproducing, analyzing and fixing bugs
21.2. Analyzing and fixing autobuild failures
21.3. Reviewing and testing patches
21.4. Work on items from the TODO list
21.5. Submitting patches
21.6. Reporting issues/bugs or getting help
21.7. Using the run-tests framework
22. DEVELOPERS file and get-developers
23. Release Engineering
23.1. Releases
23.2. Development
IV. Appendix
24. Makedev syntax documentation
25. Makeusers syntax documentation
26. Migrating from older Buildroot versions
26.1. Migrating to 2016.11
26.2. Migrating to 2017.08

List of Examples

17.1. Config script: divine package
17.2. Config script: imagemagick package:

Buildroot 2020.02.4 manual generated on 2020-07-26 -08:11:28 UTC from git revision dee53013da

The Buildroot manual is written by the Buildroot developers. +The Buildroot user manual

The Buildroot user manual

Table of Contents

I. Getting started
1. About Buildroot
2. System requirements
2.1. Mandatory packages
2.2. Optional packages
3. Getting Buildroot
4. Buildroot quick start
5. Community resources
II. User guide
6. Buildroot configuration
6.1. Cross-compilation toolchain
6.2. /dev management
6.3. init system
7. Configuration of other components
8. General Buildroot usage
8.1. make tips
8.2. Understanding when a full rebuild is necessary
8.3. Understanding how to rebuild packages
8.4. Offline builds
8.5. Building out-of-tree
8.6. Environment variables
8.7. Dealing efficiently with filesystem images
8.8. Graphing the dependencies between packages
8.9. Graphing the build duration
8.10. Graphing the filesystem size contribution of packages
8.11. Top-level parallel build
8.12. Integration with Eclipse
8.13. Advanced usage
9. Project-specific customization
9.1. Recommended directory structure
9.2. Keeping customizations outside of Buildroot
9.3. Storing the Buildroot configuration
9.4. Storing the configuration of other components
9.5. Customizing the generated target filesystem
9.6. Adding custom user accounts
9.7. Customization after the images have been created
9.8. Adding project-specific patches
9.9. Adding project-specific packages
9.10. Quick guide to storing your project-specific customizations
10. Frequently Asked Questions & Troubleshooting
10.1. The boot hangs after Starting network…
10.2. Why is there no compiler on the target?
10.3. Why are there no development files on the target?
10.4. Why is there no documentation on the target?
10.5. Why are some packages not visible in the Buildroot config menu?
10.6. Why not use the target directory as a chroot directory?
10.7. Why doesn’t Buildroot generate binary packages (.deb, .ipkg…)?
10.8. How to speed-up the build process?
11. Known issues
12. Legal notice and licensing
12.1. Complying with open source licenses
12.2. Complying with the Buildroot license
13. Beyond Buildroot
13.1. Boot the generated images
13.2. Chroot
III. Developer guide
14. How Buildroot works
15. Coding style
15.1. Config.in file
15.2. The .mk file
15.3. The documentation
15.4. Support scripts
16. Adding support for a particular board
17. Adding new packages to Buildroot
17.1. Package directory
17.2. Config files
17.3. The .mk file
17.4. The .hash file
17.5. Infrastructure for packages with specific build systems
17.6. Infrastructure for autotools-based packages
17.7. Infrastructure for CMake-based packages
17.8. Infrastructure for Python packages
17.9. Infrastructure for LuaRocks-based packages
17.10. Infrastructure for Perl/CPAN packages
17.11. Infrastructure for virtual packages
17.12. Infrastructure for packages using kconfig for configuration files
17.13. Infrastructure for rebar-based packages
17.14. Infrastructure for Waf-based packages
17.15. Infrastructure for Meson-based packages
17.16. Integration of Cargo-based packages
17.17. Infrastructure for Go packages
17.18. Infrastructure for packages building kernel modules
17.19. Infrastructure for asciidoc documents
17.20. Infrastructure specific to the Linux kernel package
17.21. Hooks available in the various build steps
17.22. Gettext integration and interaction with packages
17.23. Tips and tricks
17.24. Conclusion
18. Patching a package
18.1. Providing patches
18.2. How patches are applied
18.3. Format and licensing of the package patches
18.4. Integrating patches found on the Web
19. Download infrastructure
20. Debugging Buildroot
21. Contributing to Buildroot
21.1. Reproducing, analyzing and fixing bugs
21.2. Analyzing and fixing autobuild failures
21.3. Reviewing and testing patches
21.4. Work on items from the TODO list
21.5. Submitting patches
21.6. Reporting issues/bugs or getting help
21.7. Using the run-tests framework
22. DEVELOPERS file and get-developers
23. Release Engineering
23.1. Releases
23.2. Development
IV. Appendix
24. Makedev syntax documentation
25. Makeusers syntax documentation
26. Migrating from older Buildroot versions
26.1. Migrating to 2016.11
26.2. Migrating to 2017.08

List of Examples

17.1. Config script: divine package
17.2. Config script: imagemagick package:

Buildroot 2020.02.7 manual generated on 2020-10-12 +21:37:29 UTC from git revision d8082db677

The Buildroot manual is written by the Buildroot developers. It is licensed under the GNU General Public License, version 2. Refer to the -COPYING +COPYING file in the Buildroot sources for the full text of this license.

Copyright © 2004-2020 The Buildroot developers

logo.png

Part I. Getting started

Chapter 1. About Buildroot

Buildroot is a tool that simplifies and automates the process of building a complete Linux system for an embedded system, using cross-compilation.

In order to achieve this, Buildroot is able to generate a @@ -2346,9 +2346,9 @@ Python and should follow the hardware boards, so that users of such a board can easily build a system that is known to work. You are welcome to add support for other boards to Buildroot too.

To do so, you need to create a normal Buildroot configuration that -builds a basic system for the hardware: toolchain, kernel, bootloader, -filesystem and a simple BusyBox-only userspace. No specific package -should be selected: the configuration should be as minimal as +builds a basic system for the hardware: (internal) toolchain, kernel, +bootloader, filesystem and a simple BusyBox-only userspace. No specific +package should be selected: the configuration should be as minimal as possible, and should only build a working basic BusyBox system for the target platform. You can of course use more complicated configurations for your internal projects, but the Buildroot project will only @@ -2356,7 +2356,15 @@ integrate basic board configurations. This is because package selections are highly application-specific.

Once you have a known working configuration, run make savedefconfig. This will generate a minimal defconfig file at the root of the Buildroot source tree. Move this file into the configs/ -directory, and rename it <boardname>_defconfig.

It is recommended to use as much as possible upstream versions of the +directory, and rename it <boardname>_defconfig. If the configuration +is a bit more complicated, it is nice to manually reformat it and +separate it into sections, with a comment before each section. Typical +sections are Architecture, Toolchain options (typically just linux +headers version), Firmware, Bootloader, Kernel, and Filesystem.

Always use fixed versions or commit hashes for the different +components, not the "latest" version. For example, set +BR2_LINUX_KERNEL_CUSTOM_VERSION=y and +BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE to the kernel version you tested +with.

It is recommended to use as much as possible upstream versions of the Linux kernel and bootloaders, and to use as much as possible default kernel and bootloader configurations. If they are incorrect for your board, or no default exists, we encourage you to send fixes to the @@ -2849,7 +2857,7 @@ flags. The argument to be given to LIBFOO_CONFIG_SCRIPTS is the file name(s) of the shell script(s) needing fixing. All these names are relative to $(STAGING_DIR)/usr/bin and if needed multiple names can be given.

In addition, the scripts listed in LIBFOO_CONFIG_SCRIPTS are removed -from $(TARGET_DIR)/usr/bin, since they are not needed on the target.

Example 17.1. Config script: divine package

Package divine installs shell script $(STAGING_DIR)/usr/bin/divine-config.

So its fixup would be:

DIVINE_CONFIG_SCRIPTS = divine-config

Example 17.2. Config script: imagemagick package:

Package imagemagick installs the following scripts: +from $(TARGET_DIR)/usr/bin, since they are not needed on the target.

Example 17.1. Config script: divine package

Package divine installs shell script $(STAGING_DIR)/usr/bin/divine-config.

So its fixup would be:

DIVINE_CONFIG_SCRIPTS = divine-config

Example 17.2. Config script: imagemagick package:

Package imagemagick installs the following scripts: $(STAGING_DIR)/usr/bin/{Magick,Magick++,MagickCore,MagickWand,Wand}-config

So it’s fixup would be:

IMAGEMAGICK_CONFIG_SCRIPTS = \
    Magick-config Magick++-config \
    MagickCore-config MagickWand-config Wand-config

On line 14, we specify the list of dependencies this package relies @@ -4073,7 +4081,7 @@ an example :

01: ########################################
 12:
 13: $(eval $(waf-package))

On line 7, we declare the version of the package.

On line 8 and 9, we declare the name of the tarball (xz-ed tarball recommended) and the location of the tarball on the Web. Buildroot -will automatically download the tarball from this location.

On line 10, we tell Buildroot what options to enable for libfoo.

On line 11, we tell Buildroot the depednencies of libfoo.

Finally, on line line 13, we invoke the waf-package +will automatically download the tarball from this location.

On line 10, we tell Buildroot what options to enable for libfoo.

On line 11, we tell Buildroot the dependencies of libfoo.

Finally, on line line 13, we invoke the waf-package macro that generates all the Makefile rules that actually allows the package to be built.

17.14.2. waf-package reference

The main macro of the Waf package infrastructure is waf-package. It is similar to the generic-package macro.

Just like the generic infrastructure, the Waf infrastructure works @@ -4224,27 +4232,26 @@ package. Let’s start with an example:

01: #############
 13: FOO_DEPENDENCIES = host-cargo
 14:
 15: FOO_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo
-16: FOO_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release)
-17:
-18: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
-19:
-20: FOO_CARGO_OPTS = \
-21:   --$(FOO_CARGO_MODE) \
-22:     --target=$(RUSTC_TARGET_NAME) \
-23:     --manifest-path=$(@D)/Cargo.toml
-24:
-25: define FOO_BUILD_CMDS
-26:     $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
-27:             cargo build $(FOO_CARGO_OPTS)
-28: endef
-29:
-30: define FOO_INSTALL_TARGET_CMDS
-31:     $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
-32:             $(TARGET_DIR)/usr/bin/foo
-33: endef
-34:
-35: $(eval $(generic-package))

The Makefile starts with the definition of the standard variables for package -declaration (lines 7 to 11).

As seen in line 35, it is based on the +16: +17: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE) +18: +19: FOO_CARGO_OPTS = \ +20: $(if $(BR2_ENABLE_DEBUG),,--release) \ +21: --target=$(RUSTC_TARGET_NAME) \ +22: --manifest-path=$(@D)/Cargo.toml +23: +24: define FOO_BUILD_CMDS +25: $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \ +26: cargo build $(FOO_CARGO_OPTS) +27: endef +28: +29: define FOO_INSTALL_TARGET_CMDS +30: $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \ +31: $(TARGET_DIR)/usr/bin/foo +32: endef +33: +34: $(eval $(generic-package))

The Makefile starts with the definition of the standard variables for package +declaration (lines 7 to 11).

As seen in line 34, it is based on the generic-package infrastructure. So, it defines the variables required by this particular infrastructure, where Cargo is invoked:

  • @@ -5212,11 +5219,24 @@ large number of commits in the series;
  • deep impact of the changes in the rest of the project;
  • -RFC [4]; +RFC [4];
  • whenever you feel it will help presenting your work, your choices, the review process, etc. -

21.5.4. Patch revision changelog

When improvements are requested, the new revision of each commit +

21.5.4. Patches for maintenance branches

When fixing bugs on a maintenance branch, bugs should be fixed on the +master branch first. The commit log for such a patch may then contain a +post-commit note specifying what branches are affected:

package/foo: fix stuff
+
+Signed-off-by: Your Real Name <your@email.address>
+---
+Backport to: 2020.02.x, 2020.05.x
+(2020.08.x not affected as the version was bumped)

Those changes will then be backported by a maintainer to the affected +branches.

However, some bugs may apply only to a specific release, for example +because it is using an older version of a package. In that case, patches +should be based off the maintenance branch, and the patch subject prefix +must include the maintenance branch name (for example "[PATCH 2020.02.x]"). +This can be done with the git format-patch flag --subject-prefix:

$ git format-patch --subject-prefix "PATCH 2020.02.x" \
+    -M -s -o outgoing origin/2020.02.x

Then send the patches with git send-email, as described above.

21.5.5. Patch revision changelog

When improvements are requested, the new revision of each commit should include a changelog of the modifications between each submission. Note that when your patch series is introduced by a cover letter, an overall changelog may be added to the cover letter in @@ -5416,7 +5436,7 @@ to trigger all run-test test case jobs: 

 $ git push gitlab HEAD:<name>-runtime-tests
  • to trigger one test case job, a specific branch naming string is used that includes the full test case name. -
 $ git push gitlab HEAD:<name>-<test case name>

[4] RFC: (Request for comments) change proposal

Chapter 22. DEVELOPERS file and get-developers

The main Buildroot directory contains a file named DEVELOPERS that +

 $ git push gitlab HEAD:<name>-<test case name>

[4] RFC: (Request for comments) change proposal

Chapter 22. DEVELOPERS file and get-developers

The main Buildroot directory contains a file named DEVELOPERS that lists the developers involved with various areas of Buildroot. Thanks to this file, the get-developers tool allows to:

  • Calculate the list of developers to whom patches should be sent, by diff --git a/buildroot/docs/manual/manual.pdf b/buildroot/docs/manual/manual.pdf index d37de3d27..a085d4b98 100644 Binary files a/buildroot/docs/manual/manual.pdf and b/buildroot/docs/manual/manual.pdf differ diff --git a/buildroot/docs/manual/manual.text b/buildroot/docs/manual/manual.text index eb20b407c..1f0e94811 100644 --- a/buildroot/docs/manual/manual.text +++ b/buildroot/docs/manual/manual.text @@ -167,13 +167,13 @@ List of Examples --------------------------------------------------------------------- -Buildroot 2020.02.4 manual generated on 2020-07-26 08:11:34 UTC from -git revision dee53013da +Buildroot 2020.02.7 manual generated on 2020-10-12 21:37:33 UTC from +git revision d8082db677 The Buildroot manual is written by the Buildroot developers. It is licensed under the GNU General Public License, version 2. Refer to the COPYING [http://git.buildroot.org/buildroot/tree/COPYING?id= -dee53013da87dfa4bcb3433bdef79ec43b5a5c24] file in the Buildroot +d8082db677046e004a6537828b3e4f4b9a818a4f] file in the Buildroot sources for the full text of this license. Copyright © 2004-2020 The Buildroot developers @@ -3670,7 +3670,7 @@ build a system that is known to work. You are welcome to add support for other boards to Buildroot too. To do so, you need to create a normal Buildroot configuration that -builds a basic system for the hardware: toolchain, kernel, +builds a basic system for the hardware: (internal) toolchain, kernel, bootloader, filesystem and a simple BusyBox-only userspace. No specific package should be selected: the configuration should be as minimal as possible, and should only build a working basic BusyBox @@ -3682,7 +3682,17 @@ This is because package selections are highly application-specific. Once you have a known working configuration, run make savedefconfig. This will generate a minimal defconfig file at the root of the Buildroot source tree. Move this file into the configs/ directory, -and rename it _defconfig. +and rename it _defconfig. If the configuration is a bit +more complicated, it is nice to manually reformat it and separate it +into sections, with a comment before each section. Typical sections +are Architecture, Toolchain options (typically just linux headers +version), Firmware, Bootloader, Kernel, and Filesystem. + +Always use fixed versions or commit hashes for the different +components, not the "latest" version. For example, set +BR2_LINUX_KERNEL_CUSTOM_VERSION=y and +BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE to the kernel version you +tested with. It is recommended to use as much as possible upstream versions of the Linux kernel and bootloaders, and to use as much as possible default @@ -5877,7 +5887,7 @@ will automatically download the tarball from this location. On line 10, we tell Buildroot what options to enable for libfoo. -On line 11, we tell Buildroot the depednencies of libfoo. +On line 11, we tell Buildroot the dependencies of libfoo. Finally, on line line 13, we invoke the waf-package macro that generates all the Makefile rules that actually allows the package to @@ -6080,31 +6090,30 @@ for such a package. Let’s start with an example: 13: FOO_DEPENDENCIES = host-cargo 14: 15: FOO_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo -16: FOO_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release) -17: -18: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE) -19: -20: FOO_CARGO_OPTS = \ -21: --$(FOO_CARGO_MODE) \ -22: --target=$(RUSTC_TARGET_NAME) \ -23: --manifest-path=$(@D)/Cargo.toml -24: -25: define FOO_BUILD_CMDS -26: $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \ -27: cargo build $(FOO_CARGO_OPTS) -28: endef -29: -30: define FOO_INSTALL_TARGET_CMDS -31: $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \ -32: $(TARGET_DIR)/usr/bin/foo -33: endef -34: -35: $(eval $(generic-package)) +16: +17: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE) +18: +19: FOO_CARGO_OPTS = \ +20: $(if $(BR2_ENABLE_DEBUG),,--release) \ +21: --target=$(RUSTC_TARGET_NAME) \ +22: --manifest-path=$(@D)/Cargo.toml +23: +24: define FOO_BUILD_CMDS +25: $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \ +26: cargo build $(FOO_CARGO_OPTS) +27: endef +28: +29: define FOO_INSTALL_TARGET_CMDS +30: $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \ +31: $(TARGET_DIR)/usr/bin/foo +32: endef +33: +34: $(eval $(generic-package)) The Makefile starts with the definition of the standard variables for package declaration (lines 7 to 11). -As seen in line 35, it is based on the generic-package infrastructure +As seen in line 34, it is based on the generic-package infrastructure . So, it defines the variables required by this particular infrastructure, where Cargo is invoked: @@ -7499,7 +7508,35 @@ the following cases: * whenever you feel it will help presenting your work, your choices, the review process, etc. -21.5.4. Patch revision changelog +21.5.4. Patches for maintenance branches + +When fixing bugs on a maintenance branch, bugs should be fixed on the +master branch first. The commit log for such a patch may then contain +a post-commit note specifying what branches are affected: + +package/foo: fix stuff + +Signed-off-by: Your Real Name +--- +Backport to: 2020.02.x, 2020.05.x +(2020.08.x not affected as the version was bumped) + +Those changes will then be backported by a maintainer to the affected +branches. + +However, some bugs may apply only to a specific release, for example +because it is using an older version of a package. In that case, +patches should be based off the maintenance branch, and the patch +subject prefix must include the maintenance branch name (for example +"[PATCH 2020.02.x]"). This can be done with the git format-patch flag +--subject-prefix: + +$ git format-patch --subject-prefix "PATCH 2020.02.x" \ + -M -s -o outgoing origin/2020.02.x + +Then send the patches with git send-email, as described above. + +21.5.5. Patch revision changelog When improvements are requested, the new revision of each commit should include a changelog of the modifications between each diff --git a/buildroot/fs/cpio/init b/buildroot/fs/cpio/init index b0af18b67..f74ef7e15 100755 --- a/buildroot/fs/cpio/init +++ b/buildroot/fs/cpio/init @@ -1,4 +1,15 @@ #!/bin/sh # devtmpfs does not get automounted for initramfs /bin/mount -t devtmpfs devtmpfs /dev + +# use the /dev/console device node from devtmpfs if possible to not +# confuse glibc's ttyname_r(). +# This may fail (E.G. booted with console=), and errors from exec will +# terminate the shell, so use a subshell for the test +if (exec 0/dev/null; then + exec 0/dev/console + exec 2>/dev/console +fi + exec /sbin/init "$@" diff --git a/buildroot/linux/Config.in b/buildroot/linux/Config.in index c19ccb70a..f83474e1e 100644 --- a/buildroot/linux/Config.in +++ b/buildroot/linux/Config.in @@ -30,7 +30,7 @@ config BR2_LINUX_KERNEL_LATEST_VERSION bool "Latest version (5.4)" config BR2_LINUX_KERNEL_LATEST_CIP_VERSION - bool "Latest CIP SLTS version (4.19.118-cip25)" + bool "Latest CIP SLTS version (4.19.132-cip30)" help CIP launched in the spring of 2016 to address the needs of organizations in industries such as power generation and @@ -49,7 +49,7 @@ config BR2_LINUX_KERNEL_LATEST_CIP_VERSION https://www.cip-project.org config BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION - bool "Latest CIP RT SLTS version (4.19.115-cip24-rt9)" + bool "Latest CIP RT SLTS version (4.19.132-cip30-rt12)" help Same as the CIP version, but this is the PREEMPT_RT realtime variant. @@ -128,9 +128,9 @@ endif config BR2_LINUX_KERNEL_VERSION string - default "5.4.45" if BR2_LINUX_KERNEL_LATEST_VERSION - default "4.19.118-cip25" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION - default "4.19.115-cip24-rt9" if BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION + default "5.4.70" if BR2_LINUX_KERNEL_LATEST_VERSION + default "4.19.132-cip30" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION + default "4.19.132-cip30-rt12" if BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION default BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE \ if BR2_LINUX_KERNEL_CUSTOM_VERSION default "custom" if BR2_LINUX_KERNEL_CUSTOM_TARBALL diff --git a/buildroot/linux/linux.hash b/buildroot/linux/linux.hash index 39a75711d..b2eccb38e 100644 --- a/buildroot/linux/linux.hash +++ b/buildroot/linux/linux.hash @@ -1,13 +1,13 @@ # From https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc -sha256 103f039f34a9009c42ea643b4f473bda6bb9607d5ad7f63b56b3e2351615fe2e linux-5.4.45.tar.xz +sha256 c0b3d8085c5ba235df38b00b740e053659709e8a5ca21957a239f6bc22c45007 linux-5.4.70.tar.xz # From https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc -sha256 418299385195f09b27e371a35f305f3aff148e7557a341b53460091303aa9bb7 linux-4.4.226.tar.xz -sha256 460a8c168fe5c60ce5b30015a4e4bf348d93a89f8b949de1f90779567ef345ca linux-4.9.226.tar.xz -sha256 4265afef56819b04656107a5abecde205c5bc5fb04b2e81447955e7e45db8085 linux-4.14.183.tar.xz -sha256 82af886bc588b5c8d7474beb2bac13810ee3ed07da356a2553c81ae8e52e586f linux-4.19.127.tar.xz +sha256 067814035c17e77dee84076dcc06a95eb675344cd926b7b79a16b80fee593364 linux-4.4.238.tar.xz +sha256 b1eaf60b771ec4df0546d2b7539e164355008ea2f680a0642ae430e9cb134a3f linux-4.9.238.tar.xz +sha256 5d404a0224a34b5379f1871cc46825487d557c2660459d2b5c3cd4871d699a38 linux-4.14.200.tar.xz +sha256 f2f709ef086a4d8cb3c15a857daa44dfecf1b88d7d7c53c980fb180f6dccbace linux-4.19.150.tar.xz # Locally computed -sha256 ea53913813cb5a9069608532b327de7a7ed0fdc8fed8c6f10cd55d1ac6a58ffb linux-cip-4.19.118-cip25.tar.gz -sha256 7f0a0db0e1cfb14053523f4432f1ad1468b5bd42305b44905c4b103466c8d655 linux-cip-4.19.115-cip24-rt9.tar.gz +sha256 c20f9014b89ea3e27f55f1d407aa5a4724ed38ac520c197291e9d644f164c43a linux-cip-4.19.132-cip30.tar.gz +sha256 81dd791d9ad6c3fddaeaffc6d7d8df0e13831283a5fe494c437ac7820d79ca39 linux-cip-4.19.132-cip30-rt12.tar.gz # Licenses hashes sha256 ee5808b032a67f587d3541099d46de34f5bec8cd5976114ba07f1299ee6001ff COPYING diff --git a/buildroot/linux/linux.mk b/buildroot/linux/linux.mk index 5a1cb42eb..fd44f0f0e 100644 --- a/buildroot/linux/linux.mk +++ b/buildroot/linux/linux.mk @@ -160,7 +160,8 @@ endif # Get the real Linux version, which tells us where kernel modules are # going to be installed in the target filesystem. -LINUX_VERSION_PROBED = `$(MAKE) $(LINUX_MAKE_FLAGS) -C $(LINUX_DIR) --no-print-directory -s kernelrelease 2>/dev/null` +# Filter out 'w' from MAKEFLAGS, to workaround a bug in make 4.1 (#13141) +LINUX_VERSION_PROBED = `MAKEFLAGS='$(filter-out w,$(MAKEFLAGS))' $(MAKE) $(LINUX_MAKE_FLAGS) -C $(LINUX_DIR) --no-print-directory -s kernelrelease 2>/dev/null` LINUX_DTS_NAME += $(call qstrip,$(BR2_LINUX_KERNEL_INTREE_DTS_NAME)) @@ -535,7 +536,8 @@ endef # Run depmod in a target-finalize hook, to encompass modules installed by # packages. define LINUX_RUN_DEPMOD - if grep -q "CONFIG_MODULES=y" $(LINUX_DIR)/.config; then \ + if test -d $(TARGET_DIR)/lib/modules/$(LINUX_VERSION_PROBED) \ + && grep -q "CONFIG_MODULES=y" $(LINUX_DIR)/.config; then \ $(HOST_DIR)/sbin/depmod -a -b $(TARGET_DIR) $(LINUX_VERSION_PROBED); \ fi endef diff --git a/buildroot/package/alsa-utils/alsa-utils.mk b/buildroot/package/alsa-utils/alsa-utils.mk index 2cd3c4a33..7af46e239 100644 --- a/buildroot/package/alsa-utils/alsa-utils.mk +++ b/buildroot/package/alsa-utils/alsa-utils.mk @@ -90,10 +90,10 @@ define ALSA_UTILS_INSTALL_INIT_SYSTEMD $(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service $(INSTALL) -D -m 0644 $(@D)/alsactl/alsa-state.service \ $(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service - mkdir $(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d + $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d printf '[Install]\nWantedBy=multi-user.target\n' \ >$(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d/buildroot-enable.conf - mkdir $(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d + $(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d printf '[Install]\nWantedBy=multi-user.target\n' \ >$(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d/buildroot-enable.conf; endef diff --git a/buildroot/package/apache/apache.hash b/buildroot/package/apache/apache.hash index 7b0e4ad8e..bd3f6ac7b 100644 --- a/buildroot/package/apache/apache.hash +++ b/buildroot/package/apache/apache.hash @@ -1,4 +1,5 @@ -# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256 -sha256 a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43 httpd-2.4.43.tar.bz2 +# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.{sha256,sha512} +sha256 740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea httpd-2.4.46.tar.bz2 +sha512 5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13 httpd-2.4.46.tar.bz2 # Locally computed sha256 47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43 LICENSE diff --git a/buildroot/package/apache/apache.mk b/buildroot/package/apache/apache.mk index 068f36e32..203d637fb 100644 --- a/buildroot/package/apache/apache.mk +++ b/buildroot/package/apache/apache.mk @@ -4,7 +4,7 @@ # ################################################################################ -APACHE_VERSION = 2.4.43 +APACHE_VERSION = 2.4.46 APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2 APACHE_SITE = http://archive.apache.org/dist/httpd APACHE_LICENSE = Apache-2.0 diff --git a/buildroot/package/avahi/avahi.mk b/buildroot/package/avahi/avahi.mk index 53021f6b6..8d451c179 100644 --- a/buildroot/package/avahi/avahi.mk +++ b/buildroot/package/avahi/avahi.mk @@ -81,6 +81,7 @@ AVAHI_CONF_OPTS = \ --disable-mono \ --disable-monodoc \ --disable-stack-protector \ + --disable-introspection \ --with-distro=none \ --disable-manpages \ $(if $(BR2_PACKAGE_AVAHI_AUTOIPD),--enable,--disable)-autoipd \ diff --git a/buildroot/package/bandwidthd/bandwidthd.service b/buildroot/package/bandwidthd/bandwidthd.service index 9c03d4294..ab7f05a2e 100644 --- a/buildroot/package/bandwidthd/bandwidthd.service +++ b/buildroot/package/bandwidthd/bandwidthd.service @@ -5,7 +5,7 @@ After=network.target [Service] Type=forking ExecStart=/usr/bin/bandwidthd -PIDFile=/var/run/bandwidthd.pid +PIDFile=/run/bandwidthd.pid [Install] WantedBy=multi-user.target diff --git a/buildroot/package/bash/0017-bash50-017.patch b/buildroot/package/bash/0017-bash50-017.patch new file mode 100644 index 000000000..6758b203f --- /dev/null +++ b/buildroot/package/bash/0017-bash50-017.patch @@ -0,0 +1,293 @@ +From https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash55-017 + +Signed-off-by: Peter Korsgaard + + BASH PATCH REPORT + ================= + +Bash-Release: 5.0 +Patch-ID: bash50-017 + +Bug-Reported-by: Valentin Lab +Bug-Reference-ID: +Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2020-03/msg00062.html + +Bug-Description: + +There were cases where patch 16 reaped process substitution file descriptors +(or FIFOs) and processes to early. This is a better fix for the problem that +bash50-016 attempted to solve. + +Patch (apply with `patch -p0'): + +*** bash-5.0-patched/subst.c 2019-08-29 11:16:49.000000000 -0400 +--- b/subst.c 2020-04-02 16:24:19.000000000 -0400 +*************** +*** 5337,5341 **** + } + +! char * + copy_fifo_list (sizep) + int *sizep; +--- b/5337,5341 ---- + } + +! void * + copy_fifo_list (sizep) + int *sizep; +*************** +*** 5343,5347 **** + if (sizep) + *sizep = 0; +! return (char *)NULL; + } + +--- b/5343,5347 ---- + if (sizep) + *sizep = 0; +! return (void *)NULL; + } + +*************** +*** 5409,5414 **** + if (fifo_list[i].file) + { +! fifo_list[j].file = fifo_list[i].file; +! fifo_list[j].proc = fifo_list[i].proc; + j++; + } +--- b/5409,5419 ---- + if (fifo_list[i].file) + { +! if (i != j) +! { +! fifo_list[j].file = fifo_list[i].file; +! fifo_list[j].proc = fifo_list[i].proc; +! fifo_list[i].file = (char *)NULL; +! fifo_list[i].proc = 0; +! } + j++; + } +*************** +*** 5426,5433 **** + void + close_new_fifos (list, lsize) +! char *list; + int lsize; + { + int i; + + if (list == 0) +--- b/5431,5439 ---- + void + close_new_fifos (list, lsize) +! void *list; + int lsize; + { + int i; ++ char *plist; + + if (list == 0) +*************** +*** 5437,5442 **** + } + +! for (i = 0; i < lsize; i++) +! if (list[i] == 0 && i < fifo_list_size && fifo_list[i].proc != -1) + unlink_fifo (i); + +--- b/5443,5448 ---- + } + +! for (plist = (char *)list, i = 0; i < lsize; i++) +! if (plist[i] == 0 && i < fifo_list_size && fifo_list[i].proc != -1) + unlink_fifo (i); + +*************** +*** 5560,5568 **** + } + +! char * + copy_fifo_list (sizep) + int *sizep; + { +! char *ret; + + if (nfds == 0 || totfds == 0) +--- b/5566,5574 ---- + } + +! void * + copy_fifo_list (sizep) + int *sizep; + { +! void *ret; + + if (nfds == 0 || totfds == 0) +*************** +*** 5570,5579 **** + if (sizep) + *sizep = 0; +! return (char *)NULL; + } + + if (sizep) + *sizep = totfds; +! ret = (char *)xmalloc (totfds * sizeof (pid_t)); + return (memcpy (ret, dev_fd_list, totfds * sizeof (pid_t))); + } +--- b/5576,5585 ---- + if (sizep) + *sizep = 0; +! return (void *)NULL; + } + + if (sizep) + *sizep = totfds; +! ret = xmalloc (totfds * sizeof (pid_t)); + return (memcpy (ret, dev_fd_list, totfds * sizeof (pid_t))); + } +*************** +*** 5648,5655 **** + void + close_new_fifos (list, lsize) +! char *list; + int lsize; + { + int i; + + if (list == 0) +--- b/5654,5662 ---- + void + close_new_fifos (list, lsize) +! void *list; + int lsize; + { + int i; ++ pid_t *plist; + + if (list == 0) +*************** +*** 5659,5664 **** + } + +! for (i = 0; i < lsize; i++) +! if (list[i] == 0 && i < totfds && dev_fd_list[i]) + unlink_fifo (i); + +--- b/5666,5671 ---- + } + +! for (plist = (pid_t *)list, i = 0; i < lsize; i++) +! if (plist[i] == 0 && i < totfds && dev_fd_list[i]) + unlink_fifo (i); + +*** bash-5.0-patched/subst.h 2018-10-21 18:46:09.000000000 -0400 +--- b/subst.h 2020-04-02 16:29:28.000000000 -0400 +*************** +*** 274,280 **** + extern void unlink_fifo __P((int)); + +! extern char *copy_fifo_list __P((int *)); +! extern void unlink_new_fifos __P((char *, int)); +! extern void close_new_fifos __P((char *, int)); + + extern void clear_fifo_list __P((void)); +--- b/274,279 ---- + extern void unlink_fifo __P((int)); + +! extern void *copy_fifo_list __P((int *)); +! extern void close_new_fifos __P((void *, int)); + + extern void clear_fifo_list __P((void)); +*** bash-5.0-patched/execute_cmd.c 2020-02-06 20:16:48.000000000 -0500 +--- b/execute_cmd.c 2020-04-02 17:00:10.000000000 -0400 +*************** +*** 565,569 **** + #if defined (PROCESS_SUBSTITUTION) + volatile int ofifo, nfifo, osize, saved_fifo; +! volatile char *ofifo_list; + #endif + +--- b/565,569 ---- + #if defined (PROCESS_SUBSTITUTION) + volatile int ofifo, nfifo, osize, saved_fifo; +! volatile void *ofifo_list; + #endif + +*************** +*** 751,760 **** + # endif + +! if (variable_context != 0) /* XXX - also if sourcelevel != 0? */ + { + ofifo = num_fifos (); + ofifo_list = copy_fifo_list ((int *)&osize); + begin_unwind_frame ("internal_fifos"); +! add_unwind_protect (xfree, ofifo_list); + saved_fifo = 1; + } +--- b/751,762 ---- + # endif + +! /* XXX - also if sourcelevel != 0? */ +! if (variable_context != 0) + { + ofifo = num_fifos (); + ofifo_list = copy_fifo_list ((int *)&osize); + begin_unwind_frame ("internal_fifos"); +! if (ofifo_list) +! add_unwind_protect (xfree, ofifo_list); + saved_fifo = 1; + } +*************** +*** 1100,1123 **** + nfifo = num_fifos (); + if (nfifo > ofifo) +! close_new_fifos ((char *)ofifo_list, osize); + free ((void *)ofifo_list); + discard_unwind_frame ("internal_fifos"); + } +- # if defined (HAVE_DEV_FD) +- /* Reap process substitutions at the end of loops */ +- switch (command->type) +- { +- case cm_while: +- case cm_until: +- case cm_for: +- case cm_group: +- # if defined (ARITH_FOR_COMMAND) +- case cm_arith_for: +- # endif +- reap_procsubs (); +- default: +- break; +- } +- # endif /* HAVE_DEV_FD */ + #endif + +--- b/1102,1109 ---- + nfifo = num_fifos (); + if (nfifo > ofifo) +! close_new_fifos ((void *)ofifo_list, osize); + free ((void *)ofifo_list); + discard_unwind_frame ("internal_fifos"); + } + #endif + + +*** bash-5.0/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 +--- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 16 + + #endif /* _PATCHLEVEL_H_ */ +--- b/26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 17 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/buildroot/package/bash/0018-bash50-018.patch b/buildroot/package/bash/0018-bash50-018.patch new file mode 100644 index 000000000..efecb1897 --- /dev/null +++ b/buildroot/package/bash/0018-bash50-018.patch @@ -0,0 +1,49 @@ +From https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash55-018 + +Signed-off-by: Peter Korsgaard + + BASH PATCH REPORT + ================= + +Bash-Release: 5.0 +Patch-ID: bash50-018 + +Bug-Reported-by: oguzismailuysal@gmail.com +Bug-Reference-ID: +Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2019-10/msg00098.html + +Bug-Description: + +In certain cases, bash does not perform quoted null removal on patterns +that are used as part of word expansions such as ${parameter##pattern}, so +empty patterns are treated as non-empty. + +Patch (apply with `patch -p0'): + +*** bash-5.0.17/subst.c 2020-04-02 17:14:58.000000000 -0400 +--- b/subst.c 2020-07-09 15:28:19.000000000 -0400 +*************** +*** 5113,5116 **** +--- b/5113,5118 ---- + (int *)NULL, (int *)NULL) + : (WORD_LIST *)0; ++ if (l) ++ word_list_remove_quoted_nulls (l); + pat = string_list (l); + dispose_words (l); + +*** bash-5.0/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 +--- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 17 + + #endif /* _PATCHLEVEL_H_ */ +--- b/26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 18 + + #endif /* _PATCHLEVEL_H_ */ diff --git a/buildroot/package/bash/0017-input.h-add-missing-include-on-stdio.h.patch b/buildroot/package/bash/0019-input.h-add-missing-include-on-stdio.h.patch similarity index 100% rename from buildroot/package/bash/0017-input.h-add-missing-include-on-stdio.h.patch rename to buildroot/package/bash/0019-input.h-add-missing-include-on-stdio.h.patch diff --git a/buildroot/package/bash/0018-locale.c-fix-build-without-wchar.patch b/buildroot/package/bash/0020-locale.c-fix-build-without-wchar.patch similarity index 100% rename from buildroot/package/bash/0018-locale.c-fix-build-without-wchar.patch rename to buildroot/package/bash/0020-locale.c-fix-build-without-wchar.patch diff --git a/buildroot/package/bind/bind.hash b/buildroot/package/bind/bind.hash index 282b2aeba..4ba0182b1 100644 --- a/buildroot/package/bind/bind.hash +++ b/buildroot/package/bind/bind.hash @@ -1,4 +1,4 @@ -# Verified from https://ftp.isc.org/isc/bind9/9.11.20/bind-9.11.20.tar.gz.asc +# Verified from https://ftp.isc.org/isc/bind9/9.11.22/bind-9.11.22.tar.gz.asc # with key AE3FAC796711EC59FC007AA474BB6B9A4CBB3D38 -sha256 306831a738a275693bbe1d6839a09b34a2c8b5c26f8a42ea57ef000a6a99c2b6 bind-9.11.20.tar.gz +sha256 afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9 bind-9.11.22.tar.gz sha256 da2aec2b7f6f0feb16bcb080e2c587375fd3195145f047e4d92d112f5b9db501 COPYRIGHT diff --git a/buildroot/package/bind/bind.mk b/buildroot/package/bind/bind.mk index 80f8defca..18fc4845f 100644 --- a/buildroot/package/bind/bind.mk +++ b/buildroot/package/bind/bind.mk @@ -4,7 +4,7 @@ # ################################################################################ -BIND_VERSION = 9.11.20 +BIND_VERSION = 9.11.22 BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION) # bind does not support parallel builds. BIND_MAKE = $(MAKE1) diff --git a/buildroot/package/bison/bison.mk b/buildroot/package/bison/bison.mk index 4cc635c44..738052096 100644 --- a/buildroot/package/bison/bison.mk +++ b/buildroot/package/bison/bison.mk @@ -13,5 +13,6 @@ BISON_LICENSE_FILES = COPYING BISON_MAKE = $(MAKE1) HOST_BISON_DEPENDENCIES = host-m4 HOST_BISON_CONF_OPTS = --enable-relocatable +HOST_BISON_CONF_ENV = ac_cv_libtextstyle=no $(eval $(host-autotools-package)) diff --git a/buildroot/package/boost/boost.mk b/buildroot/package/boost/boost.mk index 2daf7f5a9..8e47a90c3 100644 --- a/buildroot/package/boost/boost.mk +++ b/buildroot/package/boost/boost.mk @@ -134,6 +134,7 @@ define BOOST_CONFIGURE_CMDS (cd $(@D) && ./bootstrap.sh $(BOOST_FLAGS)) echo "using gcc : `$(TARGET_CC) -dumpversion` : $(TARGET_CXX) : \"$(BOOST_TARGET_CXXFLAGS)\" \"$(TARGET_LDFLAGS)\" ;" > $(@D)/user-config.jam echo "" >> $(@D)/user-config.jam + sed -i "s/: -O.* ;/: $(TARGET_OPTIMIZATION) ;/" $(@D)/tools/build/src/tools/gcc.jam endef define BOOST_BUILD_CMDS diff --git a/buildroot/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch b/buildroot/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch index ae5386b1c..2a3204fc3 100644 --- a/buildroot/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch +++ b/buildroot/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch @@ -1,6 +1,6 @@ -From 7289e5a378ba13801996a84d89d8fe95c3fc4c11 Mon Sep 17 00:00:00 2001 +From 6cb16322decd643fed9de332d9cda77f7738b7af Mon Sep 17 00:00:00 2001 From: Adrian Perez de Castro -Date: Mon, 26 Mar 2018 19:08:31 +0100 +Date: Mon, 7 Sep 2020 12:14:22 +0300 Subject: [PATCH] CMake: Allow using BUILD_SHARED_LIBS to choose static/shared libs @@ -18,16 +18,16 @@ This way, the following will both work as expected: This is helpful for distributions which need (or want) to build only static libraries. ---- - CMakeLists.txt | 42 ++++++++++++++---------------------------- - c/fuzz/test_fuzzer.sh | 6 +++--- - 2 files changed, 17 insertions(+), 31 deletions(-) Signed-off-by: Adrian Perez de Castro -Upstream-Status: Submitted [https://github.com/google/brotli/pull/655] +[Upstream status: https://github.com/google/brotli/pull/655] +--- + CMakeLists.txt | 46 ++++++++++++++----------------------------- + c/fuzz/test_fuzzer.sh | 6 +++--- + 2 files changed, 18 insertions(+), 34 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt -index fc45f80..3f87f13 100644 +index 4ff3401..f889311 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -6,6 +6,8 @@ cmake_minimum_required(VERSION 2.8.6) @@ -36,10 +36,10 @@ index fc45f80..3f87f13 100644 +option(BUILD_SHARED_LIBS "Build shared libraries" ON) + - # If Brotli is being bundled in another project, we don't want to - # install anything. However, we want to let people override this, so - # we'll use the BROTLI_BUNDLED_MODE variable to let them do that; just -@@ -114,10 +116,6 @@ set(BROTLI_LIBRARIES_CORE brotlienc brotlidec brotlicommon) + if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES) + message(STATUS "Setting build type to Release as none was specified.") + set(CMAKE_BUILD_TYPE "Release" CACHE STRING "Choose the type of build." FORCE) +@@ -137,10 +139,6 @@ set(BROTLI_LIBRARIES_CORE brotlienc brotlidec brotlicommon) set(BROTLI_LIBRARIES ${BROTLI_LIBRARIES_CORE} ${LIBM_LIBRARY}) mark_as_advanced(BROTLI_LIBRARIES) @@ -50,14 +50,20 @@ index fc45f80..3f87f13 100644 if(${CMAKE_SYSTEM_NAME} MATCHES "Linux") add_definitions(-DOS_LINUX) elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD") -@@ -137,24 +135,22 @@ endfunction() - transform_sources_list("scripts/sources.lst" "${CMAKE_CURRENT_BINARY_DIR}/sources.lst.cmake") +@@ -161,29 +159,25 @@ transform_sources_list("scripts/sources.lst" "${CMAKE_CURRENT_BINARY_DIR}/source include("${CMAKE_CURRENT_BINARY_DIR}/sources.lst.cmake") --add_library(brotlicommon SHARED ${BROTLI_COMMON_C}) --add_library(brotlidec SHARED ${BROTLI_DEC_C}) --add_library(brotlienc SHARED ${BROTLI_ENC_C}) -- + if(BROTLI_EMSCRIPTEN) +- set(BROTLI_SHARED_LIBS "") +-else() +- set(BROTLI_SHARED_LIBS brotlicommon brotlidec brotlienc) +- add_library(brotlicommon SHARED ${BROTLI_COMMON_C}) +- add_library(brotlidec SHARED ${BROTLI_DEC_C}) +- add_library(brotlienc SHARED ${BROTLI_ENC_C}) ++ set(BUILD_SHARED_LIBS OFF) + endif() + +-set(BROTLI_STATIC_LIBS brotlicommon-static brotlidec-static brotlienc-static) -add_library(brotlicommon-static STATIC ${BROTLI_COMMON_C}) -add_library(brotlidec-static STATIC ${BROTLI_DEC_C}) -add_library(brotlienc-static STATIC ${BROTLI_ENC_C}) @@ -68,27 +74,27 @@ index fc45f80..3f87f13 100644 # Older CMake versions does not understand INCLUDE_DIRECTORIES property. include_directories(${BROTLI_INCLUDE_DIRS}) +-foreach(lib IN LISTS BROTLI_SHARED_LIBS) +- target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" ) +- string(TOUPPER "${lib}" LIB) +- set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION") +-endforeach() +if(BUILD_SHARED_LIBS) + foreach(lib brotlicommon brotlidec brotlienc) + target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" ) + string(TOUPPER "${lib}" LIB) -+ set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION" ) ++ set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION") + endforeach() +endif() -+ - foreach(lib brotlicommon brotlidec brotlienc) -- target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" ) -- string(TOUPPER "${lib}" LIB) -- set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION" ) --endforeach() -- --foreach(lib brotlicommon brotlidec brotlienc brotlicommon-static brotlidec-static brotlienc-static) + +-foreach(lib IN LISTS BROTLI_SHARED_LIBS BROTLI_STATIC_LIBS) ++foreach(lib brotlicommon brotlidec brotlienc) target_link_libraries(${lib} ${LIBM_LIBRARY}) set_property(TARGET ${lib} APPEND PROPERTY INCLUDE_DIRECTORIES ${BROTLI_INCLUDE_DIRS}) set_target_properties(${lib} PROPERTIES -@@ -167,9 +163,6 @@ endforeach() - target_link_libraries(brotlidec brotlicommon) +@@ -200,9 +194,6 @@ target_link_libraries(brotlidec brotlicommon) target_link_libraries(brotlienc brotlicommon) + endif() -target_link_libraries(brotlidec-static brotlicommon-static) -target_link_libraries(brotlienc-static brotlicommon-static) @@ -96,7 +102,7 @@ index fc45f80..3f87f13 100644 # For projects stuck on older versions of CMake, this will set the # BROTLI_INCLUDE_DIRS and BROTLI_LIBRARIES variables so they still # have a relatively easy way to use Brotli: -@@ -183,7 +176,7 @@ endif() +@@ -216,7 +207,7 @@ endif() # Build the brotli executable add_executable(brotli ${BROTLI_CLI_C}) @@ -104,8 +110,8 @@ index fc45f80..3f87f13 100644 +target_link_libraries(brotli ${BROTLI_LIBRARIES}) # Installation - if(NOT BROTLI_BUNDLED_MODE) -@@ -199,13 +192,6 @@ if(NOT BROTLI_BUNDLED_MODE) + if(NOT BROTLI_EMSCRIPTEN) +@@ -233,13 +224,6 @@ if(NOT BROTLI_BUNDLED_MODE) RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" ) @@ -119,26 +125,6 @@ index fc45f80..3f87f13 100644 install( DIRECTORY ${BROTLI_INCLUDE_DIRS}/brotli DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" -diff --git a/c/fuzz/test_fuzzer.sh b/c/fuzz/test_fuzzer.sh -index 9985194..4b99947 100755 ---- a/c/fuzz/test_fuzzer.sh -+++ b/c/fuzz/test_fuzzer.sh -@@ -13,12 +13,12 @@ mkdir bin - cd bin - - cmake $BROTLI -DCMAKE_C_COMPILER="$CC" \ -- -DBUILD_TESTING=OFF -DENABLE_SANITIZER=address --make -j$(nproc) brotlidec-static -+ -DBUILD_TESTING=OFF -DBUILD_SHARED_LIBS=OFF -DENABLE_SANITIZER=address -+make -j$(nproc) brotlidec - - ${CC} -o run_decode_fuzzer -std=c99 -fsanitize=address -I$SRC/include \ - $SRC/fuzz/decode_fuzzer.c $SRC/fuzz/run_decode_fuzzer.c \ -- ./libbrotlidec-static.a ./libbrotlicommon-static.a -+ ./libbrotlidec.a ./libbrotlicommon.a - - mkdir decode_corpora - unzip $BROTLI/java/org/brotli/integration/fuzz_data.zip -d decode_corpora -- -2.19.1 +2.28.0 diff --git a/buildroot/package/brotli/0002-Revert-Add-runtime-linker-path-to-pkg-config-files.patch b/buildroot/package/brotli/0002-Revert-Add-runtime-linker-path-to-pkg-config-files.patch new file mode 100644 index 000000000..892aa1da1 --- /dev/null +++ b/buildroot/package/brotli/0002-Revert-Add-runtime-linker-path-to-pkg-config-files.patch @@ -0,0 +1,51 @@ +From 09b0992b6acb7faa6fd3b23f9bc036ea117230fc Mon Sep 17 00:00:00 2001 +From: Eugene Kliuchnikov +Date: Wed, 2 Sep 2020 11:38:26 +0200 +Subject: [PATCH] Revert "Add runtime linker path to pkg-config files (#740)" + (#838) + +This reverts commit 31754d4ffce14153b5c2addf7a11019ec23f51c1. +[Retrieved from: +https://github.com/google/brotli/commit/09b0992b6acb7faa6fd3b23f9bc036ea117230fc] +Signed-off-by: Fabrice Fontaine +--- + scripts/libbrotlicommon.pc.in | 2 +- + scripts/libbrotlidec.pc.in | 2 +- + scripts/libbrotlienc.pc.in | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/scripts/libbrotlicommon.pc.in b/scripts/libbrotlicommon.pc.in +index 10ca969e..2a8cf7a3 100644 +--- a/scripts/libbrotlicommon.pc.in ++++ b/scripts/libbrotlicommon.pc.in +@@ -7,5 +7,5 @@ Name: libbrotlicommon + URL: https://github.com/google/brotli + Description: Brotli common dictionary library + Version: @PACKAGE_VERSION@ +-Libs: -L${libdir} -R${libdir} -lbrotlicommon ++Libs: -L${libdir} -lbrotlicommon + Cflags: -I${includedir} +diff --git a/scripts/libbrotlidec.pc.in b/scripts/libbrotlidec.pc.in +index e7c3124f..6f8ef2e4 100644 +--- a/scripts/libbrotlidec.pc.in ++++ b/scripts/libbrotlidec.pc.in +@@ -7,6 +7,6 @@ Name: libbrotlidec + URL: https://github.com/google/brotli + Description: Brotli decoder library + Version: @PACKAGE_VERSION@ +-Libs: -L${libdir} -R${libdir} -lbrotlidec ++Libs: -L${libdir} -lbrotlidec + Requires.private: libbrotlicommon >= 1.0.2 + Cflags: -I${includedir} +diff --git a/scripts/libbrotlienc.pc.in b/scripts/libbrotlienc.pc.in +index 4dd0811b..2098afe2 100644 +--- a/scripts/libbrotlienc.pc.in ++++ b/scripts/libbrotlienc.pc.in +@@ -7,6 +7,6 @@ Name: libbrotlienc + URL: https://github.com/google/brotli + Description: Brotli encoder library + Version: @PACKAGE_VERSION@ +-Libs: -L${libdir} -R${libdir} -lbrotlienc ++Libs: -L${libdir} -lbrotlienc + Requires.private: libbrotlicommon >= 1.0.2 + Cflags: -I${includedir} diff --git a/buildroot/package/brotli/brotli.hash b/buildroot/package/brotli/brotli.hash index 82163040d..22f894c40 100644 --- a/buildroot/package/brotli/brotli.hash +++ b/buildroot/package/brotli/brotli.hash @@ -1,5 +1,5 @@ # Locally generated: -sha512 a82362aa36d2f2094bca0b2808d9de0d57291fb3a4c29d7c0ca0a37e73087ec5ac4df299c8c363e61106fccf2fe7f58b5cf76eb97729e2696058ef43b1d3930a v1.0.7.tar.gz +sha512 b8e2df955e8796ac1f022eb4ebad29532cb7e3aa6a4b6aee91dbd2c7d637eee84d9a144d3e878895bb5e62800875c2c01c8f737a1261020c54feacf9f676b5f5 v1.0.9.tar.gz # Hash for license files: sha512 bae78184c2f50f86d8c727826d3982c469454c42b9af81f4ef007e39036434fa894cf5be3bf5fc65b7de2301f0a72d067a8186e303327db8a96bd14867e0a3a8 LICENSE diff --git a/buildroot/package/brotli/brotli.mk b/buildroot/package/brotli/brotli.mk index 134f48089..5209d3186 100644 --- a/buildroot/package/brotli/brotli.mk +++ b/buildroot/package/brotli/brotli.mk @@ -4,7 +4,7 @@ # ################################################################################ -BROTLI_VERSION = 1.0.7 +BROTLI_VERSION = 1.0.9 BROTLI_SOURCE = v$(BROTLI_VERSION).tar.gz BROTLI_SITE = https://github.com/google/brotli/archive BROTLI_LICENSE = MIT diff --git a/buildroot/package/busybox/busybox.mk b/buildroot/package/busybox/busybox.mk index b9d82ed71..55aa9b0bb 100644 --- a/buildroot/package/busybox/busybox.mk +++ b/buildroot/package/busybox/busybox.mk @@ -237,6 +237,18 @@ define BUSYBOX_SET_SELINUX endef endif +# enable relevant options to allow the Busybox less applet to be used +# as a systemd pager +ifeq ($(BR2_PACKAGE_SYSTEMD):$(BR2_PACKAGE_LESS),y:) +define BUSYBOX_SET_LESS_FLAGS + $(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_DASHCMD) + $(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_RAW) + $(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_TRUNCATE) + $(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_FLAGS) + $(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_ENV) +endef +endif + ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y) define BUSYBOX_SET_INDIVIDUAL_BINARIES $(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG)) @@ -338,6 +350,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS $(BUSYBOX_SET_INIT) $(BUSYBOX_SET_WATCHDOG) $(BUSYBOX_SET_SELINUX) + $(BUSYBOX_SET_LESS_FLAGS) $(BUSYBOX_SET_INDIVIDUAL_BINARIES) endef diff --git a/buildroot/package/busybox/udhcpc.script b/buildroot/package/busybox/udhcpc.script index 711963f97..0196351cd 100755 --- a/buildroot/package/busybox/udhcpc.script +++ b/buildroot/package/busybox/udhcpc.script @@ -42,19 +42,19 @@ case "$1" in rm -f $TMPFILE if [ -x /usr/sbin/avahi-autoipd ]; then - /usr/sbin/avahi-autoipd -k $interface + /usr/sbin/avahi-autoipd -c $interface && /usr/sbin/avahi-autoipd -k $interface fi ;; leasefail|nak) if [ -x /usr/sbin/avahi-autoipd ]; then - /usr/sbin/avahi-autoipd -wD $interface --no-chroot + /usr/sbin/avahi-autoipd -c $interface || /usr/sbin/avahi-autoipd -wD $interface --no-chroot fi ;; renew|bound) if [ -x /usr/sbin/avahi-autoipd ]; then - /usr/sbin/avahi-autoipd -k $interface + /usr/sbin/avahi-autoipd -c $interface && /usr/sbin/avahi-autoipd -k $interface fi /sbin/ifconfig $interface $ip $BROADCAST $NETMASK if [ -n "$ipv6" ] ; then diff --git a/buildroot/package/capnproto/capnproto.mk b/buildroot/package/capnproto/capnproto.mk index 34fb88591..2afeb8ffa 100644 --- a/buildroot/package/capnproto/capnproto.mk +++ b/buildroot/package/capnproto/capnproto.mk @@ -21,5 +21,12 @@ endif # The actual source to be compiled is within a 'c++' subdirectory CAPNPROTO_SUBDIR = c++ +ifeq ($(BR2_PACKAGE_OPENSSL),y) +CAPNPROTO_CONF_OPTS += --with-openssl +CAPNPROTO_DEPENDENCIES += openssl +else +CAPNPROTO_CONF_OPTS += --without-openssl +endif + $(eval $(autotools-package)) $(eval $(host-autotools-package)) diff --git a/buildroot/package/chrony/chrony.hash b/buildroot/package/chrony/chrony.hash index c31c6893a..57ce91ac8 100644 --- a/buildroot/package/chrony/chrony.hash +++ b/buildroot/package/chrony/chrony.hash @@ -1,5 +1,4 @@ -# From https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2019/05/msg00001.html -md5 5f66338bc940a9b51eede8f391e7bed3 chrony-3.5.tar.gz -sha1 79e9aeace143550300387a99f17bff04b45673f7 chrony-3.5.tar.gz +# From https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html +sha256 1ba82f70db85d414cd7420c39858e3ceca4b9eb8b028cbe869512c3a14a2dca7 chrony-3.5.1.tar.gz # Locally calculated -sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING +sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 COPYING diff --git a/buildroot/package/chrony/chrony.mk b/buildroot/package/chrony/chrony.mk index d7f5c0518..f8938a80f 100644 --- a/buildroot/package/chrony/chrony.mk +++ b/buildroot/package/chrony/chrony.mk @@ -4,7 +4,7 @@ # ################################################################################ -CHRONY_VERSION = 3.5 +CHRONY_VERSION = 3.5.1 CHRONY_SITE = http://download.tuxfamily.org/chrony CHRONY_LICENSE = GPL-2.0 CHRONY_LICENSE_FILES = COPYING diff --git a/buildroot/package/cifs-utils/0001-Use-DESTDIR-when-installing-mount.smb3-and-optionall.patch b/buildroot/package/cifs-utils/0001-Use-DESTDIR-when-installing-mount.smb3-and-optionall.patch new file mode 100644 index 000000000..e36ec5b5d --- /dev/null +++ b/buildroot/package/cifs-utils/0001-Use-DESTDIR-when-installing-mount.smb3-and-optionall.patch @@ -0,0 +1,41 @@ +From dbb4452787cb966cc74b2015689961875fd5d668 Mon Sep 17 00:00:00 2001 +From: Ryan Barnett +Date: Mon, 27 Apr 2020 22:03:25 -0500 +Subject: [PATCH] Use DESTDIR when installing mount.smb3 and optionally install + man page + +Properly create mount.smb3 symlink by using DESTDIR. Also use +CONFIG_MAN to optionally install manpage for mount.smb3. + +Signed-off-by: Ryan Barnett +--- +Upstream: https://marc.info/?l=linux-cifs&m=158804444725745&w=2 +--- + Makefile.am | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index fe9cd34..e0587f1 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -119,11 +119,13 @@ endif + SUBDIRS = contrib + + install-exec-hook: +- (cd $(ROOTSBINDIR) && ln -sf mount.cifs mount.smb3) ++ (cd $(DESTDIR)$(ROOTSBINDIR) && ln -sf mount.cifs mount.smb3) + ++if CONFIG_MAN + install-data-hook: +- (cd $(man8dir) && ln -sf mount.cifs.8 mount.smb3.8) ++ (cd $(DESTDIR)$(man8dir) && ln -sf mount.cifs.8 mount.smb3.8) ++endif + + uninstall-hook: +- (cd $(ROOTSBINDIR) && rm -f $(ROOTSBINDIR)/mount.smb3) +- (cd $(man8dir) && rm -f $(man8dir)/mount.smb3.8) ++ rm -f $(DESTDIR)$(ROOTSBINDIR)/mount.smb3 ++ rm -f $(DESTDIR)$(man8dir)/mount.smb3.8 +-- +2.17.1 + diff --git a/buildroot/package/cifs-utils/cifs-utils.hash b/buildroot/package/cifs-utils/cifs-utils.hash index bbfbc1d8f..ca97eb8e5 100644 --- a/buildroot/package/cifs-utils/cifs-utils.hash +++ b/buildroot/package/cifs-utils/cifs-utils.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -sha256 18d8f1bf92c13c4d611502dbd6759e3a766ddc8467ec8a2eda3f589e40b9ac9c cifs-utils-6.9.tar.bz2 +sha256 b859239a3f204f8220d3e54ed43bf8109e1ef202042dd87ba87492f8878728d9 cifs-utils-6.11.tar.bz2 # Hash for license file: -sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING +sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING diff --git a/buildroot/package/cifs-utils/cifs-utils.mk b/buildroot/package/cifs-utils/cifs-utils.mk index 511e9ccc0..b06ce7ddd 100644 --- a/buildroot/package/cifs-utils/cifs-utils.mk +++ b/buildroot/package/cifs-utils/cifs-utils.mk @@ -4,12 +4,12 @@ # ################################################################################ -CIFS_UTILS_VERSION = 6.9 +CIFS_UTILS_VERSION = 6.11 CIFS_UTILS_SOURCE = cifs-utils-$(CIFS_UTILS_VERSION).tar.bz2 CIFS_UTILS_SITE = http://ftp.samba.org/pub/linux-cifs/cifs-utils CIFS_UTILS_LICENSE = GPL-3.0+ CIFS_UTILS_LICENSE_FILES = COPYING -# Missing install-sh in release tarball +# Missing install-sh in release tarball and patching Makefile.am CIFS_UTILS_AUTORECONF = YES CIFS_UTILS_DEPENDENCIES = host-pkgconf @@ -17,6 +17,9 @@ CIFS_UTILS_DEPENDENCIES = host-pkgconf # the global BR2_RELRO_FULL option. CIFS_UTILS_CONF_OPTS = --disable-pie --disable-man +# uses C11 code in smbinfo.c and mtab.c +CIFS_UTILS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=gnu11" + ifeq ($(BR2_PACKAGE_KEYUTILS),y) CIFS_UTILS_DEPENDENCIES += keyutils endif diff --git a/buildroot/package/collectd/Config.in b/buildroot/package/collectd/Config.in index 303b5dc01..5b194e943 100644 --- a/buildroot/package/collectd/Config.in +++ b/buildroot/package/collectd/Config.in @@ -593,7 +593,6 @@ comment "grpc needs a toolchain w/ C++, gcc >= 4.8" config BR2_PACKAGE_COLLECTD_MQTT bool "mqtt" - depends on BR2_TOOLCHAIN_HAS_SYNC_4 # mosquitto select BR2_PACKAGE_MOSQUITTO help Sends metrics to and/or receives metrics from an MQTT broker. diff --git a/buildroot/package/cpio/0001-Minor-fix.patch b/buildroot/package/cpio/0001-Minor-fix.patch new file mode 100644 index 000000000..429df7d5f --- /dev/null +++ b/buildroot/package/cpio/0001-Minor-fix.patch @@ -0,0 +1,30 @@ +From 641d3f489cf6238bb916368d4ba0d9325a235afb Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff +Date: Mon, 20 Jan 2020 07:45:39 +0200 +Subject: Minor fix * src/global.c: Remove superfluous declaration of + program_name + +[Retrieved from: +https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=641d3f489cf6238bb916368d4ba0d9325a235afb] +Signed-off-by: Fabrice Fontaine +--- + src/global.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/src/global.c b/src/global.c +index fb3abe9..acf92bc 100644 +--- a/src/global.c ++++ b/src/global.c +@@ -184,9 +184,6 @@ unsigned int warn_option = 0; + /* Extract to standard output? */ + bool to_stdout_option = false; + +-/* The name this program was run with. */ +-char *program_name; +- + /* A pointer to either lstat or stat, depending on whether + dereferencing of symlinks is done for input files. */ + int (*xstat) (); +-- +cgit v1.2.1 + diff --git a/buildroot/package/cryptsetup/0002-Add-support-for-upcoming-json-c-0.14.0.patch b/buildroot/package/cryptsetup/0002-Add-support-for-upcoming-json-c-0.14.0.patch new file mode 100644 index 000000000..6a7313903 --- /dev/null +++ b/buildroot/package/cryptsetup/0002-Add-support-for-upcoming-json-c-0.14.0.patch @@ -0,0 +1,179 @@ +From 604abec333a0efb44fd8bc610aa0b1151dd0f612 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= +Date: Mon, 13 Apr 2020 11:48:17 +0200 +Subject: [PATCH] Add support for upcoming json-c 0.14.0. + + * TRUE/FALSE are not defined anymore. 1 and 0 are used instead. + * json_object_get_uint64() and json_object_new_uint64() are part + of the upstream API now. + +Signed-off-by: Peter Korsgaard +--- + lib/luks2/luks2_internal.h | 4 +++- + lib/luks2/luks2_json_metadata.c | 38 +++++++++++++++++---------------- + 2 files changed, 23 insertions(+), 19 deletions(-) + +diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h +index b9fec6b5..939101d6 100644 +--- a/lib/luks2/luks2_internal.h ++++ b/lib/luks2/luks2_internal.h +@@ -58,9 +58,11 @@ json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr); + void hexprint_base64(struct crypt_device *cd, json_object *jobj, + const char *sep, const char *line_sep); + ++#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99)) + uint64_t json_object_get_uint64(json_object *jobj); +-uint32_t json_object_get_uint32(json_object *jobj); + json_object *json_object_new_uint64(uint64_t value); ++#endif ++uint32_t json_object_get_uint32(json_object *jobj); + + int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val); + void json_object_object_del_by_uint(json_object *jobj, unsigned key); +diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c +index 781280c2..712c2bbd 100644 +--- a/lib/luks2/luks2_json_metadata.c ++++ b/lib/luks2/luks2_json_metadata.c +@@ -234,13 +234,14 @@ static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value) + tmp = strtoull(json_object_get_string(jobj), &endptr, 10); + if (*endptr || errno) { + *value = 0; +- return FALSE; ++ return 0; + } + + *value = tmp; +- return TRUE; ++ return 1; + } + ++#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99)) + uint64_t json_object_get_uint64(json_object *jobj) + { + uint64_t r; +@@ -262,6 +263,7 @@ json_object *json_object_new_uint64(uint64_t value) + jobj = json_object_new_string(num); + return jobj; + } ++#endif + + /* + * Validate helpers +@@ -273,9 +275,9 @@ static json_bool numbered(struct crypt_device *cd, const char *name, const char + for (i = 0; key[i]; i++) + if (!isdigit(key[i])) { + log_dbg(cd, "%s \"%s\" is not in numbered form.", name, key); +- return FALSE; ++ return 0; + } +- return TRUE; ++ return 1; + } + + json_object *json_contains(struct crypt_device *cd, json_object *jobj, const char *name, +@@ -300,7 +302,7 @@ json_bool validate_json_uint32(json_object *jobj) + errno = 0; + tmp = json_object_get_int64(jobj); + +- return (errno || tmp < 0 || tmp > UINT32_MAX) ? FALSE : TRUE; ++ return (errno || tmp < 0 || tmp > UINT32_MAX) ? 0 : 1; + } + + static json_bool validate_keyslots_array(struct crypt_device *cd, +@@ -313,17 +315,17 @@ static json_bool validate_keyslots_array(struct crypt_device *cd, + jobj = json_object_array_get_idx(jarr, i); + if (!json_object_is_type(jobj, json_type_string)) { + log_dbg(cd, "Illegal value type in keyslots array at index %d.", i); +- return FALSE; ++ return 0; + } + + if (!json_contains(cd, jobj_keys, "", "Keyslots section", + json_object_get_string(jobj), json_type_object)) +- return FALSE; ++ return 0; + + i++; + } + +- return TRUE; ++ return 1; + } + + static json_bool validate_segments_array(struct crypt_device *cd, +@@ -336,17 +338,17 @@ static json_bool validate_segments_array(struct crypt_device *cd, + jobj = json_object_array_get_idx(jarr, i); + if (!json_object_is_type(jobj, json_type_string)) { + log_dbg(cd, "Illegal value type in segments array at index %d.", i); +- return FALSE; ++ return 0; + } + + if (!json_contains(cd, jobj_segments, "", "Segments section", + json_object_get_string(jobj), json_type_object)) +- return FALSE; ++ return 0; + + i++; + } + +- return TRUE; ++ return 1; + } + + static json_bool segment_has_digest(const char *segment_name, json_object *jobj_digests) +@@ -357,10 +359,10 @@ static json_bool segment_has_digest(const char *segment_name, json_object *jobj_ + UNUSED(key); + json_object_object_get_ex(val, "segments", &jobj_segments); + if (LUKS2_array_jobj(jobj_segments, segment_name)) +- return TRUE; ++ return 1; + } + +- return FALSE; ++ return 0; + } + + static json_bool validate_intervals(struct crypt_device *cd, +@@ -372,18 +374,18 @@ static json_bool validate_intervals(struct crypt_device *cd, + while (i < length) { + if (ix[i].offset < 2 * metadata_size) { + log_dbg(cd, "Illegal area offset: %" PRIu64 ".", ix[i].offset); +- return FALSE; ++ return 0; + } + + if (!ix[i].length) { + log_dbg(cd, "Area length must be greater than zero."); +- return FALSE; ++ return 0; + } + + if ((ix[i].offset + ix[i].length) > keyslots_area_end) { + log_dbg(cd, "Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").", + ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end); +- return FALSE; ++ return 0; + } + + for (j = 0; j < length; j++) { +@@ -393,14 +395,14 @@ static json_bool validate_intervals(struct crypt_device *cd, + log_dbg(cd, "Overlapping areas [%" PRIu64 ",%" PRIu64 "] and [%" PRIu64 ",%" PRIu64 "].", + ix[i].offset, ix[i].offset + ix[i].length, + ix[j].offset, ix[j].offset + ix[j].length); +- return FALSE; ++ return 0; + } + } + + i++; + } + +- return TRUE; ++ return 1; + } + + static int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj, json_object *hdr_keyslot, const char *key) +-- +2.20.1 + diff --git a/buildroot/package/cryptsetup/0003-Avoid-name-clash-with-newer-json-c-library.patch b/buildroot/package/cryptsetup/0003-Avoid-name-clash-with-newer-json-c-library.patch new file mode 100644 index 000000000..83ce71c6f --- /dev/null +++ b/buildroot/package/cryptsetup/0003-Avoid-name-clash-with-newer-json-c-library.patch @@ -0,0 +1,512 @@ +From 55cf272d275c561459f2c9c3dc943ef7a69c9d4c Mon Sep 17 00:00:00 2001 +From: Ondrej Kozina +Date: Tue, 14 Apr 2020 17:24:54 +0200 +Subject: [PATCH] Avoid name clash with newer json-c library. + +This is partial revert of previous commit and also +fixes wrong decision to name our internal helpers with +json_object prefix. + +(cherry picked from commit e6a356974330e3ae21579a5737976e9a2aad1b51) +Signed-off-by: Peter Korsgaard +--- + lib/luks2/luks2_internal.h | 8 +++----- + lib/luks2/luks2_json_format.c | 6 +++--- + lib/luks2/luks2_json_metadata.c | 18 ++++++++---------- + lib/luks2/luks2_keyslot.c | 8 ++++---- + lib/luks2/luks2_keyslot_luks2.c | 16 ++++++++-------- + lib/luks2/luks2_keyslot_reenc.c | 20 ++++++++++---------- + lib/luks2/luks2_luks1_convert.c | 22 +++++++++++----------- + lib/luks2/luks2_reencrypt.c | 16 ++++++++-------- + lib/luks2/luks2_segment.c | 12 ++++++------ + 9 files changed, 61 insertions(+), 65 deletions(-) + +diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h +index 6a8b8f2a..d2222e84 100644 +--- a/lib/luks2/luks2_internal.h ++++ b/lib/luks2/luks2_internal.h +@@ -59,11 +59,9 @@ json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr); + void hexprint_base64(struct crypt_device *cd, json_object *jobj, + const char *sep, const char *line_sep); + +-#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99)) +-uint64_t json_object_get_uint64(json_object *jobj); +-json_object *json_object_new_uint64(uint64_t value); +-#endif +-uint32_t json_object_get_uint32(json_object *jobj); ++uint64_t crypt_jobj_get_uint64(json_object *jobj); ++uint32_t crypt_jobj_get_uint32(json_object *jobj); ++json_object *crypt_jobj_new_uint64(uint64_t value); + + int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val); + void json_object_object_del_by_uint(json_object *jobj, unsigned key); +diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c +index d4f36247..32ea0ea4 100644 +--- a/lib/luks2/luks2_json_format.c ++++ b/lib/luks2/luks2_json_format.c +@@ -325,8 +325,8 @@ int LUKS2_generate_hdr( + + json_object_object_add_by_uint(jobj_segments, 0, jobj_segment); + +- json_object_object_add(jobj_config, "json_size", json_object_new_uint64(metadata_size - LUKS2_HDR_BIN_LEN)); +- json_object_object_add(jobj_config, "keyslots_size", json_object_new_uint64(keyslots_size)); ++ json_object_object_add(jobj_config, "json_size", crypt_jobj_new_uint64(metadata_size - LUKS2_HDR_BIN_LEN)); ++ json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size)); + + JSON_DBG(cd, hdr->jobj, "Header JSON:"); + return 0; +@@ -400,6 +400,6 @@ int LUKS2_set_keyslots_size(struct crypt_device *cd, + if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config)) + return 1; + +- json_object_object_add(jobj_config, "keyslots_size", json_object_new_uint64(keyslots_size)); ++ json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size)); + return 0; + } +diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c +index 52421fac..19fb9588 100644 +--- a/lib/luks2/luks2_json_metadata.c ++++ b/lib/luks2/luks2_json_metadata.c +@@ -219,7 +219,7 @@ int LUKS2_get_default_segment(struct luks2_hdr *hdr) + * json_type_int needs to be validated first. + * See validate_json_uint32() + */ +-uint32_t json_object_get_uint32(json_object *jobj) ++uint32_t crypt_jobj_get_uint32(json_object *jobj) + { + return json_object_get_int64(jobj); + } +@@ -241,15 +241,14 @@ static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value) + return 1; + } + +-#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99)) +-uint64_t json_object_get_uint64(json_object *jobj) ++uint64_t crypt_jobj_get_uint64(json_object *jobj) + { + uint64_t r; + json_str_to_uint64(jobj, &r); + return r; + } + +-json_object *json_object_new_uint64(uint64_t value) ++json_object *crypt_jobj_new_uint64(uint64_t value) + { + /* 18446744073709551615 */ + char num[21]; +@@ -263,7 +262,6 @@ json_object *json_object_new_uint64(uint64_t value) + jobj = json_object_new_string(num); + return jobj; + } +-#endif + + /* + * Validate helpers +@@ -457,7 +455,7 @@ static int hdr_validate_json_size(struct crypt_device *cd, json_object *hdr_jobj + + json = json_object_to_json_string_ext(hdr_jobj, + JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE); +- json_area_size = json_object_get_uint64(jobj1); ++ json_area_size = crypt_jobj_get_uint64(jobj1); + json_size = (uint64_t)strlen(json); + + if (hdr_json_size != json_area_size) { +@@ -545,7 +543,7 @@ static int hdr_validate_crypt_segment(struct crypt_device *cd, + return 1; + } + +- sector_size = json_object_get_uint32(jobj_sector_size); ++ sector_size = crypt_jobj_get_uint32(jobj_sector_size); + if (!sector_size || MISALIGNED_512(sector_size)) { + log_dbg(cd, "Illegal sector size: %" PRIu32, sector_size); + return 1; +@@ -1569,7 +1567,7 @@ static void hdr_dump_keyslots(struct crypt_device *cd, json_object *hdr_jobj) + log_std(cd, " %s: %s%s\n", slot, tmps, r == -ENOENT ? " (unbound)" : ""); + + if (json_object_object_get_ex(val, "key_size", &jobj2)) +- log_std(cd, "\tKey: %u bits\n", json_object_get_uint32(jobj2) * 8); ++ log_std(cd, "\tKey: %u bits\n", crypt_jobj_get_uint32(jobj2) * 8); + + log_std(cd, "\tPriority: %s\n", get_priority_desc(val)); + +@@ -1652,7 +1650,7 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj) + log_std(cd, "\tcipher: %s\n", json_object_get_string(jobj1)); + + if (json_object_object_get_ex(jobj_segment, "sector_size", &jobj1)) +- log_std(cd, "\tsector: %" PRIu32 " [bytes]\n", json_object_get_uint32(jobj1)); ++ log_std(cd, "\tsector: %" PRIu32 " [bytes]\n", crypt_jobj_get_uint32(jobj1)); + + if (json_object_object_get_ex(jobj_segment, "integrity", &jobj1) && + json_object_object_get_ex(jobj1, "type", &jobj2)) +@@ -1749,7 +1747,7 @@ int LUKS2_get_data_size(struct luks2_hdr *hdr, uint64_t *size, bool *dynamic) + return 0; + } + +- tmp += json_object_get_uint64(jobj_size); ++ tmp += crypt_jobj_get_uint64(jobj_size); + } + + /* impossible, real device size must not be zero */ +diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c +index 7d06df80..d853fc8e 100644 +--- a/lib/luks2/luks2_keyslot.c ++++ b/lib/luks2/luks2_keyslot.c +@@ -301,11 +301,11 @@ int LUKS2_keyslot_area(struct luks2_hdr *hdr, + + if (!json_object_object_get_ex(jobj_area, "offset", &jobj)) + return -EINVAL; +- *offset = json_object_get_uint64(jobj); ++ *offset = crypt_jobj_get_uint64(jobj); + + if (!json_object_object_get_ex(jobj_area, "size", &jobj)) + return -EINVAL; +- *length = json_object_get_uint64(jobj); ++ *length = crypt_jobj_get_uint64(jobj); + + return 0; + } +@@ -840,8 +840,8 @@ int placeholder_keyslot_alloc(struct crypt_device *cd, + + /* Area object */ + jobj_area = json_object_new_object(); +- json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset)); +- json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length)); ++ json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset)); ++ json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length)); + json_object_object_add(jobj_keyslot, "area", jobj_area); + + json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot); +diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c +index 7b438a8b..953ba168 100644 +--- a/lib/luks2/luks2_keyslot_luks2.c ++++ b/lib/luks2/luks2_keyslot_luks2.c +@@ -220,7 +220,7 @@ static int luks2_keyslot_set_key(struct crypt_device *cd, + + if (!json_object_object_get_ex(jobj_area, "offset", &jobj2)) + return -EINVAL; +- area_offset = json_object_get_uint64(jobj2); ++ area_offset = crypt_jobj_get_uint64(jobj2); + + if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2)) + return -EINVAL; +@@ -313,7 +313,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd, + + if (!json_object_object_get_ex(jobj_area, "offset", &jobj2)) + return -EINVAL; +- area_offset = json_object_get_uint64(jobj2); ++ area_offset = crypt_jobj_get_uint64(jobj2); + + if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2)) + return -EINVAL; +@@ -494,8 +494,8 @@ static int luks2_keyslot_alloc(struct crypt_device *cd, + /* Area object */ + jobj_area = json_object_new_object(); + json_object_object_add(jobj_area, "type", json_object_new_string("raw")); +- json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset)); +- json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length)); ++ json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset)); ++ json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length)); + json_object_object_add(jobj_keyslot, "area", jobj_area); + + json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot); +@@ -607,7 +607,7 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot) + log_std(cd, "\tCipher: %s\n", json_object_get_string(jobj1)); + + json_object_object_get_ex(jobj_area, "key_size", &jobj1); +- log_std(cd, "\tCipher key: %u bits\n", json_object_get_uint32(jobj1) * 8); ++ log_std(cd, "\tCipher key: %u bits\n", crypt_jobj_get_uint32(jobj1) * 8); + + json_object_object_get_ex(jobj_kdf, "type", &jobj1); + log_std(cd, "\tPBKDF: %s\n", json_object_get_string(jobj1)); +@@ -617,7 +617,7 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot) + log_std(cd, "\tHash: %s\n", json_object_get_string(jobj1)); + + json_object_object_get_ex(jobj_kdf, "iterations", &jobj1); +- log_std(cd, "\tIterations: %" PRIu64 "\n", json_object_get_uint64(jobj1)); ++ log_std(cd, "\tIterations: %" PRIu64 "\n", crypt_jobj_get_uint64(jobj1)); + } else { + json_object_object_get_ex(jobj_kdf, "time", &jobj1); + log_std(cd, "\tTime cost: %" PRIu64 "\n", json_object_get_int64(jobj1)); +@@ -640,10 +640,10 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot) + log_std(cd, "\tAF hash: %s\n", json_object_get_string(jobj1)); + + json_object_object_get_ex(jobj_area, "offset", &jobj1); +- log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1)); ++ log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1)); + + json_object_object_get_ex(jobj_area, "size", &jobj1); +- log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1)); ++ log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1)); + + return 0; + } +diff --git a/lib/luks2/luks2_keyslot_reenc.c b/lib/luks2/luks2_keyslot_reenc.c +index 64b8d274..c6b92db3 100644 +--- a/lib/luks2/luks2_keyslot_reenc.c ++++ b/lib/luks2/luks2_keyslot_reenc.c +@@ -67,13 +67,13 @@ int reenc_keyslot_alloc(struct crypt_device *cd, + + if (params->data_shift) { + json_object_object_add(jobj_area, "type", json_object_new_string("datashift")); +- json_object_object_add(jobj_area, "shift_size", json_object_new_uint64(params->data_shift << SECTOR_SHIFT)); ++ json_object_object_add(jobj_area, "shift_size", crypt_jobj_new_uint64(params->data_shift << SECTOR_SHIFT)); + } else + /* except data shift protection, initial setting is irrelevant. Type can be changed during reencryption */ + json_object_object_add(jobj_area, "type", json_object_new_string("none")); + +- json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset)); +- json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length)); ++ json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset)); ++ json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length)); + + json_object_object_add(jobj_keyslot, "type", json_object_new_string("reencrypt")); + json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(1)); /* useless but mandatory */ +@@ -113,8 +113,8 @@ static int reenc_keyslot_store_data(struct crypt_device *cd, + !json_object_object_get_ex(jobj_area, "size", &jobj_length)) + return -EINVAL; + +- area_offset = json_object_get_uint64(jobj_offset); +- area_length = json_object_get_uint64(jobj_length); ++ area_offset = crypt_jobj_get_uint64(jobj_offset); ++ area_length = crypt_jobj_get_uint64(jobj_length); + + if (!area_offset || !area_length || ((uint64_t)buffer_len > area_length)) + return -EINVAL; +@@ -242,14 +242,14 @@ static int reenc_keyslot_dump(struct crypt_device *cd, int keyslot) + log_std(cd, "\t%-12s%d [bytes]\n", "Hash data:", json_object_get_int(jobj1)); + } else if (!strcmp(json_object_get_string(jobj_resilience), "datashift")) { + json_object_object_get_ex(jobj_area, "shift_size", &jobj1); +- log_std(cd, "\t%-12s%" PRIu64 "[bytes]\n", "Shift size:", json_object_get_uint64(jobj1)); ++ log_std(cd, "\t%-12s%" PRIu64 "[bytes]\n", "Shift size:", crypt_jobj_get_uint64(jobj1)); + } + + json_object_object_get_ex(jobj_area, "offset", &jobj1); +- log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1)); ++ log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1)); + + json_object_object_get_ex(jobj_area, "size", &jobj1); +- log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1)); ++ log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1)); + + return 0; + } +@@ -304,7 +304,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key + return -EINVAL; + if (!validate_json_uint32(jobj_sector_size)) + return -EINVAL; +- sector_size = json_object_get_uint32(jobj_sector_size); ++ sector_size = crypt_jobj_get_uint32(jobj_sector_size); + if (sector_size < SECTOR_SIZE || NOTPOW2(sector_size)) { + log_dbg(cd, "Invalid sector_size (%" PRIu32 ") for checksum resilience mode.", sector_size); + return -EINVAL; +@@ -313,7 +313,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key + if (!(jobj_shift_size = json_contains(cd, jobj_area, "type:datashift", "Keyslot area", "shift_size", json_type_string))) + return -EINVAL; + +- shift_size = json_object_get_uint64(jobj_shift_size); ++ shift_size = crypt_jobj_get_uint64(jobj_shift_size); + if (!shift_size) + return -EINVAL; + +diff --git a/lib/luks2/luks2_luks1_convert.c b/lib/luks2/luks2_luks1_convert.c +index 7f5f26b7..cbaa8603 100644 +--- a/lib/luks2/luks2_luks1_convert.c ++++ b/lib/luks2/luks2_luks1_convert.c +@@ -91,8 +91,8 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc + } + area_size = offs_b - offs_a; + json_object_object_add(jobj_area, "key_size", json_object_new_int(hdr_v1->keyBytes)); +- json_object_object_add(jobj_area, "offset", json_object_new_uint64(offset)); +- json_object_object_add(jobj_area, "size", json_object_new_uint64(area_size)); ++ json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(offset)); ++ json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_size)); + json_object_object_add(keyslot_obj, "area", jobj_area); + + *keyslot_object = keyslot_obj; +@@ -145,7 +145,7 @@ static int json_luks1_segment(const struct luks_phdr *hdr_v1, struct json_object + /* offset field */ + number = (uint64_t)hdr_v1->payloadOffset * SECTOR_SIZE; + +- field = json_object_new_uint64(number); ++ field = crypt_jobj_new_uint64(number); + if (!field) { + json_object_put(segment_obj); + return -ENOMEM; +@@ -401,8 +401,8 @@ static int json_luks1_object(struct luks_phdr *hdr_v1, struct json_object **luks + json_object_object_add(luks1_obj, "config", field); + + json_size = LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN; +- json_object_object_add(field, "json_size", json_object_new_uint64(json_size)); +- json_object_object_add(field, "keyslots_size", json_object_new_uint64(keyslots_size)); ++ json_object_object_add(field, "json_size", crypt_jobj_new_uint64(json_size)); ++ json_object_object_add(field, "keyslots_size", crypt_jobj_new_uint64(keyslots_size)); + + *luks1_object = luks1_obj; + return 0; +@@ -418,8 +418,8 @@ static void move_keyslot_offset(json_object *jobj, int offset_add) + UNUSED(key); + json_object_object_get_ex(val, "area", &jobj_area); + json_object_object_get_ex(jobj_area, "offset", &jobj2); +- offset = json_object_get_uint64(jobj2) + offset_add; +- json_object_object_add(jobj_area, "offset", json_object_new_uint64(offset)); ++ offset = crypt_jobj_get_uint64(jobj2) + offset_add; ++ json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(offset)); + } + } + +@@ -749,7 +749,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct + return -EINVAL; + if (!json_object_object_get_ex(jobj_area, "offset", &jobj1)) + return -EINVAL; +- offset = json_object_get_uint64(jobj1); ++ offset = crypt_jobj_get_uint64(jobj1); + } else { + if (LUKS2_find_area_gap(cd, hdr2, key_size, &offset, &area_length)) + return -EINVAL; +@@ -781,7 +781,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct + + if (!json_object_object_get_ex(jobj_kdf, "iterations", &jobj1)) + continue; +- hdr1->keyblock[i].passwordIterations = json_object_get_uint32(jobj1); ++ hdr1->keyblock[i].passwordIterations = crypt_jobj_get_uint32(jobj1); + + if (!json_object_object_get_ex(jobj_kdf, "salt", &jobj1)) + continue; +@@ -822,7 +822,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct + + if (!json_object_object_get_ex(jobj_digest, "iterations", &jobj1)) + return -EINVAL; +- hdr1->mkDigestIterations = json_object_get_uint32(jobj1); ++ hdr1->mkDigestIterations = crypt_jobj_get_uint32(jobj1); + + if (!json_object_object_get_ex(jobj_digest, "digest", &jobj1)) + return -EINVAL; +@@ -847,7 +847,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct + + if (!json_object_object_get_ex(jobj_segment, "offset", &jobj1)) + return -EINVAL; +- offset = json_object_get_uint64(jobj1) / SECTOR_SIZE; ++ offset = crypt_jobj_get_uint64(jobj1) / SECTOR_SIZE; + if (offset > UINT32_MAX) + return -EINVAL; + /* FIXME: LUKS1 requires offset == 0 || offset >= luks1_hdr_size */ +diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c +index 6bac4420..c99577cc 100644 +--- a/lib/luks2/luks2_reencrypt.c ++++ b/lib/luks2/luks2_reencrypt.c +@@ -165,7 +165,7 @@ static uint32_t reencrypt_alignment(struct luks2_hdr *hdr) + if (!json_object_object_get_ex(jobj_area, "sector_size", &jobj_sector_size)) + return 0; + +- return json_object_get_uint32(jobj_sector_size); ++ return crypt_jobj_get_uint32(jobj_sector_size); + } + + static json_object *_enc_create_segments_shift_after(struct crypt_device *cd, +@@ -200,13 +200,13 @@ static json_object *_enc_create_segments_shift_after(struct crypt_device *cd, + json_segment_remove_flag(jobj_seg_new, "in-reencryption"); + tmp = rh->length; + } else { +- json_object_object_add(jobj_seg_new, "offset", json_object_new_uint64(rh->offset + data_offset)); +- json_object_object_add(jobj_seg_new, "iv_tweak", json_object_new_uint64(rh->offset >> SECTOR_SHIFT)); ++ json_object_object_add(jobj_seg_new, "offset", crypt_jobj_new_uint64(rh->offset + data_offset)); ++ json_object_object_add(jobj_seg_new, "iv_tweak", crypt_jobj_new_uint64(rh->offset >> SECTOR_SHIFT)); + tmp = json_segment_get_size(jobj_seg_new, 0) + rh->length; + } + + /* alter size of new segment, reenc_seg == 0 we're finished */ +- json_object_object_add(jobj_seg_new, "size", reenc_seg > 0 ? json_object_new_uint64(tmp) : json_object_new_string("dynamic")); ++ json_object_object_add(jobj_seg_new, "size", reenc_seg > 0 ? crypt_jobj_new_uint64(tmp) : json_object_new_string("dynamic")); + json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_seg_new); + + return jobj_segs_post; +@@ -256,7 +256,7 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct crypt_devic + jobj_seg_shrunk = NULL; + if (json_object_copy(LUKS2_get_segment_jobj(hdr, sg), &jobj_seg_shrunk)) + goto err; +- json_object_object_add(jobj_seg_shrunk, "size", json_object_new_uint64(segment_size - rh->length)); ++ json_object_object_add(jobj_seg_shrunk, "size", crypt_jobj_new_uint64(segment_size - rh->length)); + json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_seg_shrunk); + } + +@@ -336,7 +336,7 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd + goto err; + jobj_old_seg = jobj_old_seg_copy; + fixed_length = rh->device_size - fixed_length; +- json_object_object_add(jobj_old_seg, "size", json_object_new_uint64(fixed_length)); ++ json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(fixed_length)); + } else + json_object_get(jobj_old_seg); + json_object_object_add_by_uint(jobj_segs_post, 1, jobj_old_seg); +@@ -491,7 +491,7 @@ static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd + if (rh->offset) { + if (json_object_copy(LUKS2_get_segment_jobj(hdr, 0), &jobj_old_seg)) + goto err; +- json_object_object_add(jobj_old_seg, "size", json_object_new_uint64(rh->offset)); ++ json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(rh->offset)); + + json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_old_seg); + } +@@ -575,7 +575,7 @@ static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr) + if (!json_object_object_get_ex(jobj_area, "shift_size", &jobj_data_shift)) + return 0; + +- return json_object_get_uint64(jobj_data_shift); ++ return crypt_jobj_get_uint64(jobj_data_shift); + } + + static crypt_reencrypt_mode_info reencrypt_mode(struct luks2_hdr *hdr) +diff --git a/lib/luks2/luks2_segment.c b/lib/luks2/luks2_segment.c +index 6ece2fdd..cd5108e8 100644 +--- a/lib/luks2/luks2_segment.c ++++ b/lib/luks2/luks2_segment.c +@@ -55,7 +55,7 @@ uint64_t json_segment_get_offset(json_object *jobj_segment, unsigned blockwise) + !json_object_object_get_ex(jobj_segment, "offset", &jobj)) + return 0; + +- return blockwise ? json_object_get_uint64(jobj) >> SECTOR_SHIFT : json_object_get_uint64(jobj); ++ return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj); + } + + const char *json_segment_type(json_object *jobj_segment) +@@ -77,7 +77,7 @@ uint64_t json_segment_get_iv_offset(json_object *jobj_segment) + !json_object_object_get_ex(jobj_segment, "iv_tweak", &jobj)) + return 0; + +- return json_object_get_uint64(jobj); ++ return crypt_jobj_get_uint64(jobj); + } + + uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise) +@@ -88,7 +88,7 @@ uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise) + !json_object_object_get_ex(jobj_segment, "size", &jobj)) + return 0; + +- return blockwise ? json_object_get_uint64(jobj) >> SECTOR_SHIFT : json_object_get_uint64(jobj); ++ return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj); + } + + const char *json_segment_get_cipher(json_object *jobj_segment) +@@ -229,8 +229,8 @@ static json_object *_segment_create_generic(const char *type, uint64_t offset, c + return NULL; + + json_object_object_add(jobj, "type", json_object_new_string(type)); +- json_object_object_add(jobj, "offset", json_object_new_uint64(offset)); +- json_object_object_add(jobj, "size", length ? json_object_new_uint64(*length) : json_object_new_string("dynamic")); ++ json_object_object_add(jobj, "offset", crypt_jobj_new_uint64(offset)); ++ json_object_object_add(jobj, "size", length ? crypt_jobj_new_uint64(*length) : json_object_new_string("dynamic")); + + return jobj; + } +@@ -252,7 +252,7 @@ json_object *json_segment_create_crypt(uint64_t offset, + if (!jobj) + return NULL; + +- json_object_object_add(jobj, "iv_tweak", json_object_new_uint64(iv_offset)); ++ json_object_object_add(jobj, "iv_tweak", crypt_jobj_new_uint64(iv_offset)); + json_object_object_add(jobj, "encryption", json_object_new_string(cipher)); + json_object_object_add(jobj, "sector_size", json_object_new_int(sector_size)); + if (reencryption) +-- +2.20.1 + diff --git a/buildroot/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch b/buildroot/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch index b1ab7cbac..7fcf7133c 100644 --- a/buildroot/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch +++ b/buildroot/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch @@ -6,15 +6,17 @@ Subject: [PATCH] Remove man from BUILDDIRS in configure Signed-off-by: Bernd Kuhls [Fabrice: updated for 2.3.0] Signed-off-by: Fabrice Fontaine +[Michael: updated for 2.3.3] +Signed-off-by: Michael Trimarchi --- config-scripts/cups-common.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config-scripts/cups-common.m4 b/config-scripts/cups-common.m4 -index fbba715..77d0f5c 100644 +index a460a73..d427acb 100644 --- a/config-scripts/cups-common.m4 +++ b/config-scripts/cups-common.m4 -@@ -446,7 +446,7 @@ AC_ARG_WITH(components, [ --with-components set components to build: +@@ -434,7 +434,7 @@ LIBHEADERSPRIV="\$(COREHEADERSPRIV) \$(DRIVERHEADERSPRIV)" case "$COMPONENTS" in all) @@ -24,5 +26,5 @@ index fbba715..77d0f5c 100644 core) -- -2.8.1 +2.17.1 diff --git a/buildroot/package/cups/0002-Do-not-use-genstrings.patch b/buildroot/package/cups/0002-Do-not-use-genstrings.patch index b3566b8b1..c7d6735b5 100644 --- a/buildroot/package/cups/0002-Do-not-use-genstrings.patch +++ b/buildroot/package/cups/0002-Do-not-use-genstrings.patch @@ -16,23 +16,25 @@ genstrings call.] Signed-off-by: Thomas Petazzoni [Fabrice: updated for 2.3.0] Signed-off-by: Fabrice Fontaine +[Michael: updated for 2.3.3] +Signed-off-by: Michael Trimarchi --- ppdc/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/ppdc/Makefile b/ppdc/Makefile -index 68bf6b2..d57a0c9 100644 +index 32e2e0b..7b18879 100644 --- a/ppdc/Makefile +++ b/ppdc/Makefile -@@ -242,8 +242,6 @@ genstrings: genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \ - $(LD_CXX) $(ARCHFLAGS) $(ALL_LDFLAGS) -o genstrings genstrings.o \ - libcupsppdc.a $(LINKCUPSSTATIC) - $(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@ +@@ -186,8 +186,6 @@ genstrings: genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \ + $(LD_CXX) $(ARCHFLAGS) $(ALL_LDFLAGS) -o genstrings genstrings.o \ + libcupsppdc.a $(LINKCUPSSTATIC) + $(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@ - echo Generating localization strings... - ./genstrings >sample.c # -- -2.6.4 +2.17.1 diff --git a/buildroot/package/cups/0004-Remove-PIE-flags-from-the-build.patch b/buildroot/package/cups/0004-Remove-PIE-flags-from-the-build.patch index 8401e133e..c2765dff0 100644 --- a/buildroot/package/cups/0004-Remove-PIE-flags-from-the-build.patch +++ b/buildroot/package/cups/0004-Remove-PIE-flags-from-the-build.patch @@ -13,15 +13,17 @@ Signed-off-by: Thomas Petazzoni Signed-off-by: Olivier Schonken [Fabrice: updated for 2.3.0] Signed-off-by: Fabrice Fontaine +[Michael: updated for 2.3.3] +Signed-off-by: Michael Trimarchi --- Makedefs.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makedefs.in b/Makedefs.in -index 3afef0a..299b297 100644 +index 5f1d32f..d669ea8 100644 --- a/Makedefs.in +++ b/Makedefs.in -@@ -148,7 +148,7 @@ IPPFIND_BIN = @IPPFIND_BIN@ +@@ -155,7 +155,7 @@ ALL_CXXFLAGS = -I.. -D_CUPS_SOURCE $(CXXFLAGS) \ $(ONDEMANDFLAGS) $(OPTIONS) ALL_DSOFLAGS = -L../cups @ARCHFLAGS@ @RELROFLAGS@ $(DSOFLAGS) $(OPTIM) ALL_LDFLAGS = -L../cups @LDARCHFLAGS@ @RELROFLAGS@ $(LDFLAGS) \ @@ -31,5 +33,5 @@ index 3afef0a..299b297 100644 ARFLAGS = @ARFLAGS@ BACKLIBS = @BACKLIBS@ -- -2.7.4 +2.17.1 diff --git a/buildroot/package/cups/70-usb-printers.rules b/buildroot/package/cups/70-usb-printers.rules new file mode 100644 index 000000000..67e7f5e93 --- /dev/null +++ b/buildroot/package/cups/70-usb-printers.rules @@ -0,0 +1,3 @@ +# Allow USB printers in the lp group +# Match rules converted from usblp.c driver's usblp_ids +ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="07", ATTR{bInterfaceSubClass}=="01", GROUP="lp" diff --git a/buildroot/package/cups/S81cupsd b/buildroot/package/cups/S81cupsd new file mode 100644 index 000000000..45d0cbcc2 --- /dev/null +++ b/buildroot/package/cups/S81cupsd @@ -0,0 +1,48 @@ +#!/bin/sh + +DAEMON="cupsd" +PIDFILE="/var/run/$DAEMON.pid" + +start() { + printf 'Starting %s: ' "$DAEMON" + # shellcheck disable=SC2086 # we need the word splitting + start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \ + -- -C /etc/cups/cupsd.conf -s /etc/cups/cups-files + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +stop() { + printf 'Stopping %s: ' "$DAEMON" + start-stop-daemon -K -q -p "$PIDFILE" + status=$? + if [ "$status" -eq 0 ]; then + rm -f "$PIDFILE" + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +restart() { + stop + sleep 1 + start +} + +case "$1" in + start|stop|restart) + "$1";; + reload) + # Restart, since there is no true "reload" feature. + restart;; + *) + echo "Usage: $0 {start|stop|restart|reload}" + exit 1 +esac diff --git a/buildroot/package/cups/cups.hash b/buildroot/package/cups/cups.hash index 8f037c642..2eb289e20 100644 --- a/buildroot/package/cups/cups.hash +++ b/buildroot/package/cups/cups.hash @@ -1,4 +1,4 @@ # Locally calculated: -sha256 1bca9d89507e3f68cbc84482fe46ae8d5333af5bc2b9061347b2007182ac77ce cups-2.3.1-source.tar.gz +sha256 261fd948bce8647b6d5cb2a1784f0c24cc52b5c4e827b71d726020bcc502f3ee cups-2.3.3-source.tar.gz sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 LICENSE sha256 a5d616e6322a9cb1a971e18765025edfca4f3cd9c0eafc32d6d2eb4b8c8787b5 NOTICE diff --git a/buildroot/package/cups/cups.mk b/buildroot/package/cups/cups.mk index 18f01d848..2f4385671 100644 --- a/buildroot/package/cups/cups.mk +++ b/buildroot/package/cups/cups.mk @@ -4,7 +4,7 @@ # ################################################################################ -CUPS_VERSION = 2.3.1 +CUPS_VERSION = 2.3.3 CUPS_SOURCE = cups-$(CUPS_VERSION)-source.tar.gz CUPS_SITE = https://github.com/apple/cups/releases/download/v$(CUPS_VERSION) CUPS_LICENSE = Apache-2.0 with GPL-2.0/LGPL-2.0 exception @@ -21,7 +21,11 @@ CUPS_CONF_OPTS = \ --with-docdir=/usr/share/cups/doc-root \ --disable-gssapi \ --disable-pam \ - --libdir=/usr/lib + --libdir=/usr/lib \ + --with-cups-user=lp \ + --with-cups-group=lp \ + --with-system-groups="lpadmin sys root" \ + --without-rcdir CUPS_CONFIG_SCRIPTS = cups-config CUPS_DEPENDENCIES = \ host-autoconf \ @@ -71,4 +75,25 @@ else CUPS_CONF_OPTS += --disable-avahi endif +ifeq ($(BR2_PACKAGE_HAS_UDEV),y) +define CUPS_INSTALL_UDEV_RULES + $(INSTALL) -D -m 0644 package/cups/70-usb-printers.rules \ + $(TARGET_DIR)/lib/udev/rules.d/70-usb-printers.rules +endef + +CUPS_POST_INSTALL_TARGET_HOOKS += CUPS_INSTALL_UDEV_RULES +endif + +define CUPS_INSTALL_INIT_SYSV + $(INSTALL) -D -m 0755 package/cups/S81cupsd \ + $(TARGET_DIR)/etc/init.d/S81cupsd +endef + +# lp user is needed to run cups spooler +# lpadmin group membership grants administrative privileges +define CUPS_USERS + lp -1 lp -1 * /var/spool/lpd /bin/false - lp + - - lpadmin -1 * - - - Printers admin group. +endef + $(eval $(autotools-package)) diff --git a/buildroot/package/cvs/cvs.mk b/buildroot/package/cvs/cvs.mk index 563802cc9..6f83ca640 100644 --- a/buildroot/package/cvs/cvs.mk +++ b/buildroot/package/cvs/cvs.mk @@ -12,7 +12,9 @@ CVS_LICENSE = GPL-1.0+, LGPL-2.0+, LGPL-2.1+ (glob) CVS_LICENSE_FILES = COPYING COPYING.LIB lib/glob-libc.h CVS_DEPENDENCIES = ncurses -CVS_CONF_ENV = cvs_cv_func_printf_ptr=yes +CVS_CONF_ENV = \ + ac_cv_func_working_mktime=yes \ + cvs_cv_func_printf_ptr=yes CVS_CONFIGURE_ARGS = --disable-old-info-format-support ifeq ($(BR2_PACKAGE_CVS_SERVER),y) diff --git a/buildroot/package/dbus/dbus.mk b/buildroot/package/dbus/dbus.mk index 5c2a5fb2c..952eff1fc 100644 --- a/buildroot/package/dbus/dbus.mk +++ b/buildroot/package/dbus/dbus.mk @@ -107,6 +107,7 @@ HOST_DBUS_CONF_OPTS = \ --disable-selinux \ --disable-xml-docs \ --disable-doxygen-docs \ + --disable-systemd \ --without-x \ --with-xml=expat diff --git a/buildroot/package/dhcpcd/dhcpcd.service b/buildroot/package/dhcpcd/dhcpcd.service index 0552b5c73..e648092c9 100644 --- a/buildroot/package/dhcpcd/dhcpcd.service +++ b/buildroot/package/dhcpcd/dhcpcd.service @@ -5,7 +5,7 @@ After=network.target [Service] Type=forking EnvironmentFile=-/etc/default/dhcpcd -PIDFile=/var/run/dhcpcd.pid +PIDFile=/run/dhcpcd.pid ExecStart=/sbin/dhcpcd $DAEMON_ARGS Restart=always diff --git a/buildroot/package/dhcpdump/dhcpdump.mk b/buildroot/package/dhcpdump/dhcpdump.mk index 241381288..ec9571c0a 100644 --- a/buildroot/package/dhcpdump/dhcpdump.mk +++ b/buildroot/package/dhcpdump/dhcpdump.mk @@ -20,7 +20,7 @@ DHCPDUMP_CFLAGS = $(TARGET_CFLAGS) -DHAVE_STRSEP define DHCPDUMP_BUILD_CMDS $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) CC="$(TARGET_CC) $(DHCPDUMP_CFLAGS) \ - -D_GNU_SOURCE" LIBS="$(DHCPDUMP_LIBS)" + -D_GNU_SOURCE" LIBS="$(DHCPDUMP_LIBS)" dhcpdump endef define DHCPDUMP_INSTALL_TARGET_CMDS diff --git a/buildroot/package/docker-cli/docker-cli.hash b/buildroot/package/docker-cli/docker-cli.hash index 8868a60e3..8f9e69e59 100644 --- a/buildroot/package/docker-cli/docker-cli.hash +++ b/buildroot/package/docker-cli/docker-cli.hash @@ -1,3 +1,3 @@ # Locally calculated -sha256 a5b1d6c5766f77896273e864a448a7f0ea4055bb52f50f884f14ad6ef0d5fdb4 docker-cli-19.03.11.tar.gz +sha256 00801d6b7e9777cf2cf54255ca5afb7b58b3d35c14bb0f60bb9f07d031883223 docker-cli-19.03.12.tar.gz sha256 2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0 LICENSE diff --git a/buildroot/package/docker-cli/docker-cli.mk b/buildroot/package/docker-cli/docker-cli.mk index 1466b0afb..49abefcaf 100644 --- a/buildroot/package/docker-cli/docker-cli.mk +++ b/buildroot/package/docker-cli/docker-cli.mk @@ -4,7 +4,7 @@ # ################################################################################ -DOCKER_CLI_VERSION = 19.03.11 +DOCKER_CLI_VERSION = 19.03.12 DOCKER_CLI_SITE = $(call github,docker,cli,v$(DOCKER_CLI_VERSION)) DOCKER_CLI_WORKSPACE = gopath @@ -17,8 +17,8 @@ DOCKER_CLI_TAGS = autogen DOCKER_CLI_BUILD_TARGETS = cmd/docker DOCKER_CLI_LDFLAGS = \ - -X github.com/docker/cli/cli.GitCommit=$(DOCKER_CLI_VERSION) \ - -X github.com/docker/cli/cli.Version=$(DOCKER_CLI_VERSION) + -X github.com/docker/cli/cli/version.GitCommit=$(DOCKER_CLI_VERSION) \ + -X github.com/docker/cli/cli/version.Version=$(DOCKER_CLI_VERSION) ifeq ($(BR2_PACKAGE_DOCKER_CLI_STATIC),y) DOCKER_CLI_LDFLAGS += -extldflags '-static' diff --git a/buildroot/package/docker-engine/Config.in b/buildroot/package/docker-engine/Config.in index 1fd229fcb..4fe6956ab 100644 --- a/buildroot/package/docker-engine/Config.in +++ b/buildroot/package/docker-engine/Config.in @@ -5,6 +5,7 @@ config BR2_PACKAGE_DOCKER_ENGINE depends on BR2_TOOLCHAIN_HAS_THREADS depends on !BR2_TOOLCHAIN_USES_UCLIBC # docker-containerd -> runc depends on BR2_USE_MMU # docker-containerd + select BR2_PACKAGE_CGROUPFS_MOUNT if !BR2_PACKAGE_SYSTEMD # runtime dependency select BR2_PACKAGE_DOCKER_CONTAINERD # runtime dependency select BR2_PACKAGE_DOCKER_PROXY # runtime dependency select BR2_PACKAGE_IPTABLES # runtime dependency diff --git a/buildroot/package/docker-engine/docker-engine.hash b/buildroot/package/docker-engine/docker-engine.hash index 99159f937..3283e4eb4 100644 --- a/buildroot/package/docker-engine/docker-engine.hash +++ b/buildroot/package/docker-engine/docker-engine.hash @@ -1,3 +1,3 @@ # Locally calculated -sha256 5ff62d7b3638a275b2c459e53a4d1a7a8fb03dde8305defcd55e05e059e5618d docker-engine-19.03.11.tar.gz +sha256 858e4e74ee0097bcbdb71d737e268dfcfd1970efa4a1600354253b02fd403e39 docker-engine-19.03.12.tar.gz sha256 7c87873291f289713ac5df48b1f2010eb6963752bbd6b530416ab99fc37914a8 LICENSE diff --git a/buildroot/package/docker-engine/docker-engine.mk b/buildroot/package/docker-engine/docker-engine.mk index fa30d9a22..c12013221 100644 --- a/buildroot/package/docker-engine/docker-engine.mk +++ b/buildroot/package/docker-engine/docker-engine.mk @@ -4,7 +4,7 @@ # ################################################################################ -DOCKER_ENGINE_VERSION = 19.03.11 +DOCKER_ENGINE_VERSION = 19.03.12 DOCKER_ENGINE_SITE = $(call github,docker,engine,v$(DOCKER_ENGINE_VERSION)) DOCKER_ENGINE_LICENSE = Apache-2.0 diff --git a/buildroot/package/domoticz/Config.in b/buildroot/package/domoticz/Config.in index b99e54801..0639718c2 100644 --- a/buildroot/package/domoticz/Config.in +++ b/buildroot/package/domoticz/Config.in @@ -1,11 +1,10 @@ config BR2_PACKAGE_DOMOTICZ bool "domoticz" - depends on BR2_USE_MMU # mosquitto - depends on BR2_TOOLCHAIN_HAS_SYNC_4 # mosquitto - depends on !BR2_STATIC_LIBS # mosquitto + depends on BR2_USE_MMU # fork() + depends on !BR2_STATIC_LIBS depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 # sleep_for # pthread_condattr_setclock - depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL + depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL # mosquitto depends on BR2_INSTALL_LIBSTDCPP depends on BR2_USE_WCHAR depends on BR2_PACKAGE_LUA_5_3 @@ -30,7 +29,6 @@ config BR2_PACKAGE_DOMOTICZ comment "domoticz needs lua 5.3 and a toolchain w/ C++, gcc >= 4.8, NPTL, wchar, dynamic library" depends on BR2_USE_MMU - depends on BR2_TOOLCHAIN_HAS_SYNC_4 depends on !BR2_INSTALL_LIBSTDCPP || \ !BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 || \ !BR2_TOOLCHAIN_HAS_THREADS_NPTL || \ diff --git a/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.hash b/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.hash index 28a49b13d..7f4b8579c 100644 --- a/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.hash +++ b/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.hash @@ -1,3 +1,3 @@ # Locally computed after checking signature -sha256 36da68aae5157b83e21383f711b8977e5b6f5477f369f71e7e22e76a738bbd05 dovecot-2.3-pigeonhole-0.5.9.tar.gz -sha256 fc9e9522216f2a9a28b31300e3c73c1df56acc27dfae951bf516e7995366b51a COPYING +sha256 0b972a441f680545ddfacd2f41fb2a705fb03249d46ed5ce7e01fe68b6cfb5f0 dovecot-2.3-pigeonhole-0.5.11.tar.gz +sha256 fc9e9522216f2a9a28b31300e3c73c1df56acc27dfae951bf516e7995366b51a COPYING diff --git a/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.mk b/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.mk index 95bfa6fc4..d7068cd87 100644 --- a/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.mk +++ b/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.mk @@ -4,7 +4,7 @@ # ################################################################################ -DOVECOT_PIGEONHOLE_VERSION = 0.5.9 +DOVECOT_PIGEONHOLE_VERSION = 0.5.11 DOVECOT_PIGEONHOLE_SOURCE = dovecot-2.3-pigeonhole-$(DOVECOT_PIGEONHOLE_VERSION).tar.gz DOVECOT_PIGEONHOLE_SITE = https://pigeonhole.dovecot.org/releases/2.3 DOVECOT_PIGEONHOLE_LICENSE = LGPL-2.1 diff --git a/buildroot/package/dovecot/dovecot.hash b/buildroot/package/dovecot/dovecot.hash index 09295816d..e5c2ab6f4 100644 --- a/buildroot/package/dovecot/dovecot.hash +++ b/buildroot/package/dovecot/dovecot.hash @@ -1,5 +1,5 @@ # Locally computed after checking signature -sha256 6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c dovecot-2.3.10.1.tar.gz +sha256 d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc dovecot-2.3.11.3.tar.gz sha256 a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8 COPYING sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPL sha256 52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97 COPYING.MIT diff --git a/buildroot/package/dovecot/dovecot.mk b/buildroot/package/dovecot/dovecot.mk index 59b52a3f8..f0508753a 100644 --- a/buildroot/package/dovecot/dovecot.mk +++ b/buildroot/package/dovecot/dovecot.mk @@ -5,7 +5,7 @@ ################################################################################ DOVECOT_VERSION_MAJOR = 2.3 -DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).10.1 +DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).11.3 DOVECOT_SITE = https://dovecot.org/releases/$(DOVECOT_VERSION_MAJOR) DOVECOT_INSTALL_STAGING = YES DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015 diff --git a/buildroot/package/dropbear/0001-scp-Port-OpenSSH-CVE-2018-20685-fix.patch b/buildroot/package/dropbear/0001-scp-Port-OpenSSH-CVE-2018-20685-fix.patch new file mode 100644 index 000000000..4372d615d --- /dev/null +++ b/buildroot/package/dropbear/0001-scp-Port-OpenSSH-CVE-2018-20685-fix.patch @@ -0,0 +1,24 @@ +# HG changeset patch +# User Haelwenn Monnier +# Date 1590411269 -7200 +# Mon May 25 14:54:29 2020 +0200 +# Node ID 087c2804147074c95b6a3f35137b4f4b726b1452 +# Parent 009d52ae26d35f3381c801e02318fa9be34be93c +scp.c: Port OpenSSH CVE-2018-20685 fix (#80) + +[backport from 2020.79 to 2019.78 for Buildroot 2020.02.x] +Signed-off-by: Thomas De Schampheleire + +diff --git a/scp.c b/scp.c +--- a/scp.c ++++ b/scp.c +@@ -935,7 +935,8 @@ sink(int argc, char **argv) + size = size * 10 + (*cp++ - '0'); + if (*cp++ != ' ') + SCREWUP("size not delimited"); +- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { ++ if (*cp == '\0' || strchr(cp, '/') != NULL || ++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { + run_err("error: unexpected filename: %s", cp); + exit(1); + } diff --git a/buildroot/package/ecryptfs-utils/ecryptfs-utils.mk b/buildroot/package/ecryptfs-utils/ecryptfs-utils.mk index 326ff4f2d..3a3253a36 100644 --- a/buildroot/package/ecryptfs-utils/ecryptfs-utils.mk +++ b/buildroot/package/ecryptfs-utils/ecryptfs-utils.mk @@ -15,6 +15,7 @@ ECRYPTFS_UTILS_CONF_OPTS = --disable-pywrap #Needed for build system to find pk11func.h and libnss3.so ECRYPTFS_UTILS_CONF_ENV = \ + ac_cv_path_POD2MAN=true \ NSS_CFLAGS="-I$(STAGING_DIR)/usr/include/nss -I$(STAGING_DIR)/usr/include/nspr" \ NSS_LIBS="-lnss3" diff --git a/buildroot/package/efl/Config.in b/buildroot/package/efl/Config.in index ff4916116..ce1e51e2f 100644 --- a/buildroot/package/efl/Config.in +++ b/buildroot/package/efl/Config.in @@ -1,19 +1,18 @@ config BR2_PACKAGE_EFL bool "efl" - # g++ issue with 4.4.5, tested with g++ 4.7.2 - depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # C++11 + depends on BR2_HOST_GCC_AT_LEAST_4_9 # host-efl depends on BR2_INSTALL_LIBSTDCPP - depends on BR2_PACKAGE_LUAJIT_ARCH_SUPPORTS # luajit depends on BR2_TOOLCHAIN_HAS_THREADS # untested without threads depends on BR2_USE_MMU depends on BR2_USE_WCHAR # use wchar_t depends on !BR2_STATIC_LIBS # dlfcn.h + # https://phab.enlightenment.org/T2728 + depends on BR2_PACKAGE_LUAJIT select BR2_PACKAGE_DBUS select BR2_PACKAGE_FREETYPE select BR2_PACKAGE_JPEG # Emile needs libjpeg select BR2_PACKAGE_LIBCURL # Ecore_con_url, runtime dependency - # https://phab.enlightenment.org/T2728 - select BR2_PACKAGE_LUAJIT # Lua support broken select BR2_PACKAGE_LZ4 select BR2_PACKAGE_ZLIB help @@ -302,9 +301,9 @@ comment "SVG loader needs a toolchain w/ gcc >= 4.8" endif # BR2_PACKAGE_EFL -comment "efl needs a toolchain w/ C++, dynamic library, gcc >= 4.7, threads, wchar" +comment "efl needs a toolchain w/ C++, dynamic library, gcc >= 4.9, host gcc >= 4.9, threads, wchar" depends on !BR2_INSTALL_LIBSTDCPP \ - || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 \ - || BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS || !BR2_USE_WCHAR - depends on BR2_PACKAGE_LUAJIT_ARCH_SUPPORTS + || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 \ + || !BR2_HOST_GCC_AT_LEAST_4_9 || BR2_STATIC_LIBS \ + || !BR2_TOOLCHAIN_HAS_THREADS || !BR2_USE_WCHAR depends on BR2_USE_MMU diff --git a/buildroot/package/elixir/elixir.mk b/buildroot/package/elixir/elixir.mk index 7a545d43b..6d935516f 100644 --- a/buildroot/package/elixir/elixir.mk +++ b/buildroot/package/elixir/elixir.mk @@ -8,7 +8,7 @@ ELIXIR_VERSION = 1.9.4 ELIXIR_SITE = $(call github,elixir-lang,elixir,v$(ELIXIR_VERSION)) ELIXIR_LICENSE = Apache-2.0 ELIXIR_LICENSE_FILES = LICENSE -ELIXIR_DEPENDENCIES = host-erlang +HOST_ELIXIR_DEPENDENCIES = host-erlang define HOST_ELIXIR_BUILD_CMDS $(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) -C $(@D) compile diff --git a/buildroot/package/f2fs-tools/0002-fsck.f2fs-correct-return-value.patch b/buildroot/package/f2fs-tools/0002-fsck.f2fs-correct-return-value.patch new file mode 100644 index 000000000..b420e27a0 --- /dev/null +++ b/buildroot/package/f2fs-tools/0002-fsck.f2fs-correct-return-value.patch @@ -0,0 +1,195 @@ +From eee12fe5e2e6c5f71bc7cbe25a608b730fd5362e Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Fri, 7 Aug 2020 10:02:31 +0800 +Subject: [PATCH] fsck.f2fs: correct return value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As Norbert Lange reported: + +" +$ fsck.f2fs -a /dev/mmcblk0p5; echo $? +Info: Fix the reported corruption. +Info: Mounted device! +Info: Check FS only on RO mounted device +Error: Failed to open the device! +255 +" + +Michael Laß reminds: + +" +I think the return value is exactly the problem here. See fsck(8) ( +https://linux.die.net/man/8/fsck) which specifies the return values. +Systemd looks at these and decides how to proceed: + +https://github.com/systemd/systemd/blob/a859abf062cef1511e4879c4ee39c6036ebeaec8/src/fsck/fsck.c#L407 + +That means, if fsck.f2fs returns 255, then +the FSCK_SYSTEM_SHOULD_REBOOT bit is set and systemd will reboot. +" + +So the problem here is fsck.f2fs didn't return correct value to userspace +apps, result in later unexpected behavior of rebooting, let's fix this. + +Reported-by: Norbert Lange +Reported-by: Michael Laß +Signed-off-by: Chao Yu +Signed-off-by: Norbert Lange +--- + fsck/fsck.h | 11 +++++++++++ + fsck/main.c | 45 +++++++++++++++++++++++++++++++-------------- + 2 files changed, 42 insertions(+), 14 deletions(-) + +diff --git a/fsck/fsck.h b/fsck/fsck.h +index ccf4a39..c8aeb06 100644 +--- a/fsck/fsck.h ++++ b/fsck/fsck.h +@@ -13,6 +13,17 @@ + + #include "f2fs.h" + ++enum { ++ FSCK_SUCCESS = 0, ++ FSCK_ERROR_CORRECTED = 1 << 0, ++ FSCK_SYSTEM_SHOULD_REBOOT = 1 << 1, ++ FSCK_ERRORS_LEFT_UNCORRECTED = 1 << 2, ++ FSCK_OPERATIONAL_ERROR = 1 << 3, ++ FSCK_USAGE_OR_SYNTAX_ERROR = 1 << 4, ++ FSCK_USER_CANCELLED = 1 << 5, ++ FSCK_SHARED_LIB_ERROR = 1 << 7, ++}; ++ + struct quota_ctx; + + #define FSCK_UNMATCHED_EXTENT 0x00000001 +diff --git a/fsck/main.c b/fsck/main.c +index 8c62a14..b0f2ec3 100644 +--- a/fsck/main.c ++++ b/fsck/main.c +@@ -591,7 +591,7 @@ void f2fs_parse_options(int argc, char *argv[]) + error_out(prog); + } + +-static void do_fsck(struct f2fs_sb_info *sbi) ++static int do_fsck(struct f2fs_sb_info *sbi) + { + struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); + u32 flag = le32_to_cpu(ckpt->ckpt_flags); +@@ -614,7 +614,7 @@ static void do_fsck(struct f2fs_sb_info *sbi) + } else { + MSG(0, "[FSCK] F2FS metadata [Ok..]"); + fsck_free(sbi); +- return; ++ return FSCK_SUCCESS; + } + + if (!c.ro) +@@ -646,7 +646,7 @@ static void do_fsck(struct f2fs_sb_info *sbi) + ret = quota_init_context(sbi); + if (ret) { + ASSERT_MSG("quota_init_context failure: %d", ret); +- return; ++ return FSCK_OPERATIONAL_ERROR; + } + } + fsck_chk_orphan_node(sbi); +@@ -654,8 +654,14 @@ static void do_fsck(struct f2fs_sb_info *sbi) + F2FS_FT_DIR, TYPE_INODE, &blk_cnt, NULL); + fsck_chk_quota_files(sbi); + +- fsck_verify(sbi); ++ ret = fsck_verify(sbi); + fsck_free(sbi); ++ ++ if (!c.bug_on) ++ return FSCK_SUCCESS; ++ if (!ret) ++ return FSCK_ERROR_CORRECTED; ++ return FSCK_ERRORS_LEFT_UNCORRECTED; + } + + static void do_dump(struct f2fs_sb_info *sbi) +@@ -763,7 +769,7 @@ static int do_sload(struct f2fs_sb_info *sbi) + int main(int argc, char **argv) + { + struct f2fs_sb_info *sbi; +- int ret = 0; ++ int ret = 0, ret2; + clock_t start = clock(); + + f2fs_init_configuration(); +@@ -771,10 +777,15 @@ int main(int argc, char **argv) + f2fs_parse_options(argc, argv); + + if (c.func != DUMP && f2fs_devs_are_umounted() < 0) { +- if (errno == EBUSY) ++ if (errno == EBUSY) { ++ if (c.func == FSCK) ++ return FSCK_OPERATIONAL_ERROR; + return -1; ++ } + if (!c.ro || c.func == DEFRAG) { + MSG(0, "\tError: Not available on mounted device!\n"); ++ if (c.func == FSCK) ++ return FSCK_OPERATIONAL_ERROR; + return -1; + } + +@@ -789,8 +800,11 @@ int main(int argc, char **argv) + } + + /* Get device */ +- if (f2fs_get_device_info() < 0) ++ if (f2fs_get_device_info() < 0) { ++ if (c.func == FSCK) ++ return FSCK_OPERATIONAL_ERROR; + return -1; ++ } + + fsck_again: + memset(&gfsck, 0, sizeof(gfsck)); +@@ -808,7 +822,7 @@ fsck_again: + + switch (c.func) { + case FSCK: +- do_fsck(sbi); ++ ret = do_fsck(sbi); + break; + #ifdef WITH_DUMP + case DUMP: +@@ -856,8 +870,8 @@ fsck_again: + char ans[255] = {0}; + retry: + printf("Do you want to fix this partition? [Y/N] "); +- ret = scanf("%s", ans); +- ASSERT(ret >= 0); ++ ret2 = scanf("%s", ans); ++ ASSERT(ret2 >= 0); + if (!strcasecmp(ans, "y")) + c.fix_on = 1; + else if (!strcasecmp(ans, "n")) +@@ -869,12 +883,15 @@ retry: + goto fsck_again; + } + } +- ret = f2fs_finalize_device(); +- if (ret < 0) +- return ret; ++ ret2 = f2fs_finalize_device(); ++ if (ret2) { ++ if (c.func == FSCK) ++ return FSCK_OPERATIONAL_ERROR; ++ return ret2; ++ } + + printf("\nDone: %lf secs\n", (clock() - start) / (double)CLOCKS_PER_SEC); +- return 0; ++ return ret; + + out_err: + if (sbi->ckpt) +-- +2.27.0 + diff --git a/buildroot/package/fail2ban/fail2ban.mk b/buildroot/package/fail2ban/fail2ban.mk index a0a2dc704..a4ee0852c 100644 --- a/buildroot/package/fail2ban/fail2ban.mk +++ b/buildroot/package/fail2ban/fail2ban.mk @@ -27,6 +27,13 @@ define FAIL2BAN_FIX_DEFAULT_CONFIG endef FAIL2BAN_POST_INSTALL_TARGET_HOOKS += FAIL2BAN_FIX_DEFAULT_CONFIG +# fail2ban-python points to host python +define FAIL2BAN_FIX_FAIL2BAN_PYTHON_SYMLINK + ln -snf $(if $(BR2_PACKAGE_PYTHON),python,python3) \ + $(TARGET_DIR)/usr/bin/fail2ban-python +endef +FAIL2BAN_POST_INSTALL_TARGET_HOOKS += FAIL2BAN_FIX_FAIL2BAN_PYTHON_SYMLINK + define FAIL2BAN_INSTALL_INIT_SYSV $(INSTALL) -D -m 755 package/fail2ban/S60fail2ban \ $(TARGET_DIR)/etc/init.d/S60fail2ban diff --git a/buildroot/package/ffmpeg/ffmpeg.hash b/buildroot/package/ffmpeg/ffmpeg.hash index 35bd68132..752372619 100644 --- a/buildroot/package/ffmpeg/ffmpeg.hash +++ b/buildroot/package/ffmpeg/ffmpeg.hash @@ -1,5 +1,5 @@ # Locally calculated -sha256 9df6c90aed1337634c1fb026fb01c154c29c82a64ea71291ff2da9aacb9aad31 ffmpeg-4.2.3.tar.xz +sha256 0d5da81feba073ee78e0f18e0966bcaf91464ae75e18e9a0135186249e3d2a0b ffmpeg-4.2.4.tar.xz sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING.GPLv2 sha256 b634ab5640e258563c536e658cad87080553df6f34f62269a21d554844e58bfe COPYING.LGPLv2.1 sha256 cad1218c22121b169fb1380178ab7a0b33cb38a3ff6d3915b8533d1d954f3ce7 LICENSE.md diff --git a/buildroot/package/ffmpeg/ffmpeg.mk b/buildroot/package/ffmpeg/ffmpeg.mk index 736aa5b4b..ca90242f9 100644 --- a/buildroot/package/ffmpeg/ffmpeg.mk +++ b/buildroot/package/ffmpeg/ffmpeg.mk @@ -4,7 +4,7 @@ # ################################################################################ -FFMPEG_VERSION = 4.2.3 +FFMPEG_VERSION = 4.2.4 FFMPEG_SOURCE = ffmpeg-$(FFMPEG_VERSION).tar.xz FFMPEG_SITE = http://ffmpeg.org/releases FFMPEG_INSTALL_STAGING = YES diff --git a/buildroot/package/freetype/freetype.mk b/buildroot/package/freetype/freetype.mk index 8b3a4ca09..9cf75d162 100644 --- a/buildroot/package/freetype/freetype.mk +++ b/buildroot/package/freetype/freetype.mk @@ -14,8 +14,16 @@ FREETYPE_LICENSE_FILES = docs/LICENSE.TXT docs/FTL.TXT docs/GPLv2.TXT FREETYPE_DEPENDENCIES = host-pkgconf FREETYPE_CONFIG_SCRIPTS = freetype-config +# harfbuzz already depends on freetype so disable harfbuzz in freetype to avoid +# a circular dependency +FREETYPE_CONF_OPTS = --without-harfbuzz + HOST_FREETYPE_DEPENDENCIES = host-pkgconf -HOST_FREETYPE_CONF_OPTS = --without-zlib --without-bzip2 --without-png +HOST_FREETYPE_CONF_OPTS = \ + --without-bzip2 \ + --without-harfbuzz \ + --without-png \ + --without-zlib # since 2.9.1 needed for freetype-config install FREETYPE_CONF_OPTS += --enable-freetype-config @@ -37,9 +45,7 @@ endif ifeq ($(BR2_PACKAGE_LIBPNG),y) FREETYPE_DEPENDENCIES += libpng -FREETYPE_CONF_OPTS += LIBPNG_CFLAGS="`$(STAGING_DIR)/usr/bin/libpng-config --cflags`" \ - LIBPNG_LDFLAGS="`$(STAGING_DIR)/usr/bin/libpng-config --ldflags`" -FREETYPE_LIBPNG_LIBS = "`$(STAGING_DIR)/usr/bin/libpng-config --libs`" +FREETYPE_CONF_OPTS += --with-png else FREETYPE_CONF_OPTS += --without-png endif @@ -52,14 +58,5 @@ define FREETYPE_FIX_CONFIG_FILE endef FREETYPE_POST_INSTALL_STAGING_HOOKS += FREETYPE_FIX_CONFIG_FILE -# libpng isn't included in freetype-config & freetype2.pc :-/ -define FREETYPE_FIX_CONFIG_FILE_LIBS - $(SED) "s,^Libs.private:,& $(FREETYPE_LIBPNG_LIBS)," \ - $(STAGING_DIR)/usr/lib/pkgconfig/freetype2.pc - $(SED) "s,-lfreetype,& $(FREETYPE_LIBPNG_LIBS)," \ - $(STAGING_DIR)/usr/bin/freetype-config -endef -FREETYPE_POST_INSTALL_STAGING_HOOKS += FREETYPE_FIX_CONFIG_FILE_LIBS - $(eval $(autotools-package)) $(eval $(host-autotools-package)) diff --git a/buildroot/package/gcc/gcc.mk b/buildroot/package/gcc/gcc.mk index 50f2a3fcb..b58f17575 100644 --- a/buildroot/package/gcc/gcc.mk +++ b/buildroot/package/gcc/gcc.mk @@ -138,6 +138,14 @@ ifeq ($(BR2_sparc)$(BR2_sparc64),y) HOST_GCC_COMMON_CONF_OPTS += --disable-libsanitizer endif +# The logic in libbacktrace/configure.ac to detect if __sync builtins +# are available assumes they are as soon as target_subdir is not +# empty, i.e when cross-compiling. However, some platforms do not have +# __sync builtins, so help the configure script a bit. +ifeq ($(BR2_TOOLCHAIN_HAS_SYNC_4),) +HOST_GCC_COMMON_CONF_ENV += target_configargs="libbacktrace_cv_sys_sync=no" +endif + # TLS support is not needed on uClibc/no-thread and # uClibc/linux-threads, otherwise, for all other situations (glibc, # musl and uClibc/NPTL), we need it. @@ -220,6 +228,13 @@ HOST_GCC_COMMON_CONF_OPTS += \ --with-long-double-128 endif +# Set default to Secure-PLT to prevent run-time +# generation of PLT stubs (supports RELRO and +# SELinux non-exemem capabilities) +ifeq ($(BR2_powerpc),y) +HOST_GCC_COMMON_CONF_OPTS += --enable-secureplt +endif + # PowerPC64 big endian by default uses the elfv1 ABI, and PowerPC 64 # little endian by default uses the elfv2 ABI. However, musl has # decided to use the elfv2 ABI for both, so we force the elfv2 ABI for diff --git a/buildroot/package/gd/0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch b/buildroot/package/gd/0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch new file mode 100644 index 000000000..8234de45a --- /dev/null +++ b/buildroot/package/gd/0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch @@ -0,0 +1,44 @@ +From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= +Date: Fri, 20 Dec 2019 12:03:33 -0300 +Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone() + +[Retrieved (and updated to remove .gitignore and tests) from: +https://github.com/libgd/libgd/commit/a93eac0e843148dc2d631c3ba80af17e9c8c860f] +Signed-off-by: Fabrice Fontaine +--- + src/gd.c | 9 +-------- + tests/gdimageclone/.gitignore | 1 + + tests/gdimageclone/CMakeLists.txt | 1 + + tests/gdimageclone/Makemodule.am | 3 ++- + tests/gdimageclone/style.c | 30 ++++++++++++++++++++++++++++++ + 5 files changed, 35 insertions(+), 9 deletions(-) + create mode 100644 tests/gdimageclone/style.c + +diff --git a/src/gd.c b/src/gd.c +index 592a0286..d564d1f9 100644 +--- a/src/gd.c ++++ b/src/gd.c +@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { + } + } + +- if (src->styleLength > 0) { +- dst->styleLength = src->styleLength; +- dst->stylePos = src->stylePos; +- for (i = 0; i < src->styleLength; i++) { +- dst->style[i] = src->style[i]; +- } +- } +- + dst->interlace = src->interlace; + + dst->alphaBlendingFlag = src->alphaBlendingFlag; +@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) { + + if (src->style) { + gdImageSetStyle(dst, src->style, src->styleLength); ++ dst->stylePos = src->stylePos; + } + + for (i = 0; i < gdMaxColors; i++) { diff --git a/buildroot/package/gd/0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch b/buildroot/package/gd/0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch new file mode 100644 index 000000000..11c7575dd --- /dev/null +++ b/buildroot/package/gd/0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch @@ -0,0 +1,39 @@ +From 2e886046f86d0d6bfc14aab94a881259a081e3f4 Mon Sep 17 00:00:00 2001 +From: wilson chen +Date: Fri, 20 Dec 2019 10:12:04 +0800 +Subject: [PATCH] Fix #497: gdImageColorMatch Out Of Bounds Write on Heap + (CVE-2019-6977) + +Fixed CVE-2019-6977 and add corresponding testcase. + +Original patch by Christoph M. Bechker +https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced + +[Retrieved (and updated to remove .gitignore and tests) from: +https://github.com/libgd/libgd/commit/2e886046f86d0d6bfc14aab94a881259a081e3f4] +Signed-off-by: Fabrice Fontaine +--- + src/gd_color_match.c | 5 ++--- + tests/gdimagecolormatch/.gitignore | 1 + + tests/gdimagecolormatch/CMakeLists.txt | 1 + + tests/gdimagecolormatch/Makemodule.am | 1 + + tests/gdimagecolormatch/cve_2019_6977.c | 25 +++++++++++++++++++++++++ + 5 files changed, 30 insertions(+), 3 deletions(-) + create mode 100644 tests/gdimagecolormatch/cve_2019_6977.c + +diff --git a/src/gd_color_match.c b/src/gd_color_match.c +index f0842b69..f0194302 100644 +--- a/src/gd_color_match.c ++++ b/src/gd_color_match.c +@@ -31,9 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2) + return -4; /* At least 1 color must be allocated */ + } + +- buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal); +- memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); +- ++ buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors); ++ memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); + for (x=0; x < im1->sx; x++) { + for( y=0; ysy; y++ ) { + color = im2->pixels[y][x]; diff --git a/buildroot/package/gd/gd.mk b/buildroot/package/gd/gd.mk index e2a46dca3..419d9a638 100644 --- a/buildroot/package/gd/gd.mk +++ b/buildroot/package/gd/gd.mk @@ -14,6 +14,19 @@ GD_CONFIG_SCRIPTS = gdlib-config GD_CONF_OPTS = --without-x --disable-rpath --disable-werror GD_DEPENDENCIES = host-pkgconf +# 0001-bmp-check-return-value-in-gdImageBmpPtr.patch +GD_IGNORE_CVES += CVE-2018-1000222 +# 0002-Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch +GD_IGNORE_CVES += CVE-2018-5711 +# 0003-Fix-501-Uninitialized-read-in-gdImageCreateFromXbm-C.patch +GD_IGNORE_CVES += CVE-2019-11038 +# 0004-Fix-492-Potential-double-free-in-gdImage-Ptr.patch +GD_IGNORE_CVES += CVE-2019-6978 +# 0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch +GD_IGNORE_CVES += CVE-2018-14553 +# 0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch +GD_IGNORE_CVES += CVE-2019-6977 + # gd forgets to link utilities with -pthread even though it uses # pthreads, causing linking errors with static linking ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y) diff --git a/buildroot/package/gdb/gdb.mk b/buildroot/package/gdb/gdb.mk index 46d745a89..469f25ff9 100644 --- a/buildroot/package/gdb/gdb.mk +++ b/buildroot/package/gdb/gdb.mk @@ -67,7 +67,8 @@ GDB_DISABLE_BINUTILS_CONF_OPTS = \ --disable-binutils \ --disable-install-libbfd \ --disable-ld \ - --disable-gas + --disable-gas \ + --disable-gprof GDB_CONF_ENV = \ ac_cv_type_uintptr_t=yes \ diff --git a/buildroot/package/gdk-pixbuf/gdk-pixbuf.hash b/buildroot/package/gdk-pixbuf/gdk-pixbuf.hash index 9cb947f19..8fa178b55 100644 --- a/buildroot/package/gdk-pixbuf/gdk-pixbuf.hash +++ b/buildroot/package/gdk-pixbuf/gdk-pixbuf.hash @@ -1,4 +1,4 @@ -# From http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.10.sha256sum -sha256 f8f6fa896b89475c73b6e9e8d2a2b062fc359c4b4ccb8e96470d6ab5da949ace gdk-pixbuf-2.36.10.tar.xz +# From http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.12.sha256sum +sha256 fff85cf48223ab60e3c3c8318e2087131b590fd6f1737e42cb3759a3b427a334 gdk-pixbuf-2.36.12.tar.xz # Locally calculated -sha256 d245807f90032872d1438d741ed21e2490e1175dc8aa3afa5ddb6c8e529b58e5 COPYING +sha256 d245807f90032872d1438d741ed21e2490e1175dc8aa3afa5ddb6c8e529b58e5 COPYING diff --git a/buildroot/package/gdk-pixbuf/gdk-pixbuf.mk b/buildroot/package/gdk-pixbuf/gdk-pixbuf.mk index 33de2e3d3..3320827d0 100644 --- a/buildroot/package/gdk-pixbuf/gdk-pixbuf.mk +++ b/buildroot/package/gdk-pixbuf/gdk-pixbuf.mk @@ -5,7 +5,7 @@ ################################################################################ GDK_PIXBUF_VERSION_MAJOR = 2.36 -GDK_PIXBUF_VERSION = $(GDK_PIXBUF_VERSION_MAJOR).10 +GDK_PIXBUF_VERSION = $(GDK_PIXBUF_VERSION_MAJOR).12 GDK_PIXBUF_SOURCE = gdk-pixbuf-$(GDK_PIXBUF_VERSION).tar.xz GDK_PIXBUF_SITE = http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/$(GDK_PIXBUF_VERSION_MAJOR) GDK_PIXBUF_LICENSE = LGPL-2.0+ diff --git a/buildroot/package/ghostscript/0001-Fix-cross-compilation-issue.patch b/buildroot/package/ghostscript/0001-Fix-cross-compilation-issue.patch deleted file mode 100644 index a13c7f838..000000000 --- a/buildroot/package/ghostscript/0001-Fix-cross-compilation-issue.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 5fed765abb8ff07c381cc3ebb9367e9560f7a658 Mon Sep 17 00:00:00 2001 -From: Bernd Kuhls -Date: Mon, 20 Mar 2017 23:43:03 +0100 -Subject: [PATCH] Fix cross compilation issue - -Without this patch unsafe paths are used: -x86_64-linux-gcc: ERROR: unsafe header/library path used in cross-compilation: '/libtiff' - -Downloaded from -http://bugs.ghostscript.com/show_bug.cgi?id=696508#c3 - -Slightly updated to work with 9.23 - -Signed-off-by: Bernd Kuhls -Signed-off-by: Fabrice Fontaine ---- - configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index d0f62d7..0d49344 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1173,7 +1173,7 @@ XPSWRITEDEVICE='' - - - LIBTIFFDIR='src' --LIBTIFFCONFDIR='' -+LIBTIFFCONFDIR='src' - TIFFCFLAGS='' - - TIFFDEVS_ALL='tiffs tiff12nc tiff24nc tiff48nc tiff32nc tiff64nc tiffcrle tifflzw tiffpack tiffgray tiffsep tiffsep1 tiffscaled tiffscaled4 tiffscaled8 tiffscaled24 tiffscaled32' - FAX_DEVS_ALL='cfax dfaxlow dfaxhigh fax faxg3 faxg32d faxg4 tiffg3 tiffg32d tiffg4 tfax' --- -2.7.4 - diff --git a/buildroot/package/ghostscript/ghostscript.hash b/buildroot/package/ghostscript/ghostscript.hash index 51b3a2a09..143b28014 100644 --- a/buildroot/package/ghostscript/ghostscript.hash +++ b/buildroot/package/ghostscript/ghostscript.hash @@ -1,5 +1,5 @@ -# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs950/SHA512SUMS -sha512 3c1e5db519a427f4b6bfb8d93f3c3dfb67d5ec9ccd19c7afa7670deb768515f3fc617c5588e54934bbfbedfdf8609ce2ffa36dd7da3cb618937fe034f64f43ee ghostscript-9.50.tar.xz +# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9532/SHA512SUMS +sha512 73aa6013aeecbd1345317a40349089a2f19a2205fc11b8ca0b619df1e91f2ca8b03efc09be9e079cb5ab8e1b838aa2236349cd1c177217c14308242f99138ae4 ghostscript-9.53.2.tar.gz # Hash for license file: -sha256 6f852249f975287b3efd43a5883875e47fa9f3125e2f1b18b5c09517ac30ecf2 LICENSE +sha256 6f852249f975287b3efd43a5883875e47fa9f3125e2f1b18b5c09517ac30ecf2 LICENSE diff --git a/buildroot/package/ghostscript/ghostscript.mk b/buildroot/package/ghostscript/ghostscript.mk index a6e85d989..31d23fd20 100644 --- a/buildroot/package/ghostscript/ghostscript.mk +++ b/buildroot/package/ghostscript/ghostscript.mk @@ -4,13 +4,10 @@ # ################################################################################ -GHOSTSCRIPT_VERSION = 9.50 +GHOSTSCRIPT_VERSION = 9.53.2 GHOSTSCRIPT_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$(subst .,,$(GHOSTSCRIPT_VERSION)) -GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz GHOSTSCRIPT_LICENSE = AGPL-3.0 GHOSTSCRIPT_LICENSE_FILES = LICENSE -# 0001-Fix-cross-compilation-issue.patch -GHOSTSCRIPT_AUTORECONF = YES GHOSTSCRIPT_DEPENDENCIES = \ host-lcms2 \ host-libjpeg \ @@ -34,7 +31,8 @@ GHOSTSCRIPT_POST_PATCH_HOOKS += GHOSTSCRIPT_REMOVE_LIBS GHOSTSCRIPT_CONF_ENV = \ CCAUX="$(HOSTCC)" \ - CFLAGSAUX="$(HOST_CFLAGS) $(HOST_LDFLAGS)" + CFLAGSAUX="$(HOST_CFLAGS) $(HOST_LDFLAGS)" \ + PKGCONFIG="$(PKG_CONFIG_HOST_BINARY)" GHOSTSCRIPT_CONF_OPTS = \ --disable-compile-inits \ diff --git a/buildroot/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash b/buildroot/package/glibc/2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d/glibc.hash similarity index 70% rename from buildroot/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash rename to buildroot/package/glibc/2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d/glibc.hash index 6677d32db..21ee1faea 100644 --- a/buildroot/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash +++ b/buildroot/package/glibc/2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d/glibc.hash @@ -1,5 +1,5 @@ # Locally calculated (fetched from Github) -sha256 4462f56696332efbc5b0c2f86d7aa75a2a02c3d44bc4345fa42b5bab1225de5c glibc-2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427.tar.gz +sha256 ce788d30851a215d58ff94c972d9cff5956725cc5ee906298711ddc63078c315 glibc-2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d.tar.gz # Hashes for license files sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/buildroot/package/glibc/glibc.mk b/buildroot/package/glibc/glibc.mk index 4621c9c2f..08170fbbc 100644 --- a/buildroot/package/glibc/glibc.mk +++ b/buildroot/package/glibc/glibc.mk @@ -17,7 +17,7 @@ else # Generate version string using: # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2- # When updating the version, please also update localedef -GLIBC_VERSION = 2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427 +GLIBC_VERSION = 2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d # Upstream doesn't officially provide an https download link. # There is one (https://sourceware.org/git/glibc.git) but it's not reliable, # sometimes the connection times out. So use an unofficial github mirror. diff --git a/buildroot/package/gnutls/gnutls.hash b/buildroot/package/gnutls/gnutls.hash index 6a4203f3a..c360a56f9 100644 --- a/buildroot/package/gnutls/gnutls.hash +++ b/buildroot/package/gnutls/gnutls.hash @@ -1,6 +1,6 @@ # Locally calculated after checking pgp signature -# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.14.tar.xz.sig -sha256 5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63 gnutls-3.6.14.tar.xz +# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.15.tar.xz.sig +sha256 0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558 gnutls-3.6.15.tar.xz # Locally calculated sha256 e79e9c8a0c85d735ff98185918ec94ed7d175efc377012787aebcf3b80f0d90b doc/COPYING sha256 6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3 doc/COPYING.LESSER diff --git a/buildroot/package/gnutls/gnutls.mk b/buildroot/package/gnutls/gnutls.mk index 34878e97b..9f5315000 100644 --- a/buildroot/package/gnutls/gnutls.mk +++ b/buildroot/package/gnutls/gnutls.mk @@ -5,7 +5,7 @@ ################################################################################ GNUTLS_VERSION_MAJOR = 3.6 -GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).14 +GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).15 GNUTLS_SOURCE = gnutls-$(GNUTLS_VERSION).tar.xz GNUTLS_SITE = https://www.gnupg.org/ftp/gcrypt/gnutls/v$(GNUTLS_VERSION_MAJOR) GNUTLS_LICENSE = LGPL-2.1+ (core library) diff --git a/buildroot/package/go/go.hash b/buildroot/package/go/go.hash index f58449d07..ce8e27c97 100644 --- a/buildroot/package/go/go.hash +++ b/buildroot/package/go/go.hash @@ -1,3 +1,3 @@ # From https://golang.org/dl/ -sha256 197333e97290e9ea8796f738d61019dcba1c377c2f3961fd6a114918ecc7ab06 go1.13.14.src.tar.gz +sha256 5fb43171046cf8784325e67913d55f88a683435071eef8e9da1aa8a1588fcf5d go1.13.15.src.tar.gz sha256 2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067 LICENSE diff --git a/buildroot/package/go/go.mk b/buildroot/package/go/go.mk index 72604a250..1f95bec82 100644 --- a/buildroot/package/go/go.mk +++ b/buildroot/package/go/go.mk @@ -4,7 +4,7 @@ # ################################################################################ -GO_VERSION = 1.13.14 +GO_VERSION = 1.13.15 GO_SITE = https://storage.googleapis.com/golang GO_SOURCE = go$(GO_VERSION).src.tar.gz diff --git a/buildroot/package/graphite2/0001-don-t-install-a-libtool-file-with-static-library.patch b/buildroot/package/graphite2/0001-don-t-install-a-libtool-file-with-static-library.patch new file mode 100644 index 000000000..ac150622d --- /dev/null +++ b/buildroot/package/graphite2/0001-don-t-install-a-libtool-file-with-static-library.patch @@ -0,0 +1,67 @@ +From 3edb88b55c0870989778c670d555aa159a2c3abc Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine +Date: Mon, 31 Aug 2020 20:56:43 +0200 +Subject: [PATCH] don't install a libtool file with static library + +Static library is supported since version 1.3.11 and +https://github.com/silnrsi/graphite/commit/2f143c04da5caa43ddf4dba437b2f2bc26bf4238 + +However, graphite2 is still installing libgraphite2.la which contains +incorrect information (i.e. dlname set to libgraphite2.so and +old_library set to ''): + +dlname='libgraphite2.so' + +library_names='libgraphite2.so.3.2.1 libgraphite2.so.3 libgraphite2.so' + +old_library='' + +dependency_libs='' + +This will result in the following build failure with any applications +using this file such as harfbuzz: + +arm-linux-g++.br_real: error: /home/buildroot/autobuild/run/instance-3/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libgraphite2.so: No such file or directory +make[5]: *** [main] Error 1 + +Instead of trying to fix this libtool file, just disable it when +building a static library as it is not needed + +Fixes: + - http://autobuild.buildroot.org/results/9ebe1d11e80755d59190ef2aae82bbba5cc45e44 + +Signed-off-by: Fabrice Fontaine +[Upstream status: https://github.com/silnrsi/graphite/pull/65] +--- + src/CMakeLists.txt | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt +index b6ac26bf..a7ace040 100644 +--- a/src/CMakeLists.txt ++++ b/src/CMakeLists.txt +@@ -131,7 +131,9 @@ if (${CMAKE_SYSTEM_NAME} STREQUAL "Linux") + nolib_test(stdc++ $) + endif () + set(CMAKE_CXX_IMPLICIT_LINK_LIBRARIES "") +- CREATE_LIBTOOL_FILE(graphite2 "/lib${LIB_SUFFIX}") ++ if (BUILD_SHARED_LIBS) ++ CREATE_LIBTOOL_FILE(graphite2 "/lib${LIB_SUFFIX}") ++ endif() + endif() + + if (${CMAKE_SYSTEM_NAME} STREQUAL "Darwin") +@@ -146,7 +148,9 @@ if (${CMAKE_SYSTEM_NAME} STREQUAL "Darwin") + include(Graphite) + nolib_test(stdc++ $) + set(CMAKE_CXX_IMPLICIT_LINK_LIBRARIES "") +- CREATE_LIBTOOL_FILE(graphite2 "/lib${LIB_SUFFIX}") ++ if (BUILD_SHARED_LIBS) ++ CREATE_LIBTOOL_FILE(graphite2 "/lib${LIB_SUFFIX}") ++ endif() + endif() + + if (${CMAKE_SYSTEM_NAME} STREQUAL "Windows") +-- +2.28.0 + diff --git a/buildroot/package/graphite2/Config.in b/buildroot/package/graphite2/Config.in index 5499e17e2..ec92ff7be 100644 --- a/buildroot/package/graphite2/Config.in +++ b/buildroot/package/graphite2/Config.in @@ -1,13 +1,12 @@ config BR2_PACKAGE_GRAPHITE2 bool "graphite2" depends on BR2_INSTALL_LIBSTDCPP - depends on !BR2_STATIC_LIBS help Graphite is a project within SIL's scripts and software dev groups to provide cross-platform rendering for complex writing systems. - http://graphite.sil.org/ + https://github.com/silnrsi/graphite -comment "graphite2 needs a toolchain w/ C++, dynamic library" - depends on !BR2_INSTALL_LIBSTDCPP || BR2_STATIC_LIBS +comment "graphite2 needs a toolchain w/ C++" + depends on !BR2_INSTALL_LIBSTDCPP diff --git a/buildroot/package/graphite2/graphite2.hash b/buildroot/package/graphite2/graphite2.hash index e0c1aae67..e005375f8 100644 --- a/buildroot/package/graphite2/graphite2.hash +++ b/buildroot/package/graphite2/graphite2.hash @@ -1,6 +1,4 @@ -# From http://sourceforge.net/projects/silgraphite/files/graphite2 -md5 b39d5ed21195f8b709bcee548c87e2b5 graphite2-1.3.10.tgz -sha1 668f3bce96fc02d90ea875b401ed36b2e8957d2f graphite2-1.3.10.tgz +# From https://github.com/silnrsi/graphite/releases/download/1.3.14/graphite2-1.3.14.sha256sum +sha256 f99d1c13aa5fa296898a181dff9b82fb25f6cc0933dbaa7a475d8109bd54209d graphite2-1.3.14.tgz # Locally computed -sha256 90fde3b2f9ea95d68ffb19278d07d9b8a7efa5ba0e413bebcea802ce05cda1ae graphite2-1.3.10.tgz sha256 a9bdde5616ecdd1e980b44f360600ee8783b1f99b8cc83a2beb163a0a390e861 LICENSE diff --git a/buildroot/package/graphite2/graphite2.mk b/buildroot/package/graphite2/graphite2.mk index 2bb4f463b..40206bf0f 100644 --- a/buildroot/package/graphite2/graphite2.mk +++ b/buildroot/package/graphite2/graphite2.mk @@ -4,9 +4,10 @@ # ################################################################################ -GRAPHITE2_VERSION = 1.3.10 +GRAPHITE2_VERSION = 1.3.14 GRAPHITE2_SOURCE = graphite2-$(GRAPHITE2_VERSION).tgz -GRAPHITE2_SITE = http://downloads.sourceforge.net/project/silgraphite/graphite2 +GRAPHITE2_SITE = \ + https://github.com/silnrsi/graphite/releases/download/$(GRAPHITE2_VERSION) GRAPHITE2_INSTALL_STAGING = YES GRAPHITE2_LICENSE = LGPL-2.1+ GRAPHITE2_LICENSE_FILES = LICENSE diff --git a/buildroot/package/gstreamer1/gst1-plugins-bad/0002-meson-allow-the-user-to-disable-opencv.patch b/buildroot/package/gstreamer1/gst1-plugins-bad/0002-meson-allow-the-user-to-disable-opencv.patch new file mode 100644 index 000000000..02e91e33e --- /dev/null +++ b/buildroot/package/gstreamer1/gst1-plugins-bad/0002-meson-allow-the-user-to-disable-opencv.patch @@ -0,0 +1,31 @@ +From 1bc387f8feaab9020be72e88cf26ccc1a67a6a10 Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine +Date: Sat, 22 Aug 2020 23:33:48 +0200 +Subject: [PATCH] meson: allow the user to disable opencv + +Allow the user to really disable opencv through meson (i.e. +-Dopencv=disabled). + +Signed-off-by: Fabrice Fontaine +[Upstream status: +https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1533] +--- + gst-libs/gst/opencv/meson.build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gst-libs/gst/opencv/meson.build b/gst-libs/gst/opencv/meson.build +index 6cc4602f3..fb6c46e40 100644 +--- a/gst-libs/gst/opencv/meson.build ++++ b/gst-libs/gst/opencv/meson.build +@@ -13,7 +13,7 @@ opencv_dep = dependency('opencv', version : '>= 3.0.0', required : false) + if not opencv_dep.found() + opencv_dep = dependency('opencv4', version : '>= 4.0.0', required : false) + endif +-if opencv_dep.found() ++if not get_option('opencv').disabled() and opencv_dep.found() + gstopencv = library('gstopencv-' + api_version, + opencv_sources, + c_args : gst_plugins_bad_args + ['-DBUILDING_GST_OPENCV'], +-- +2.28.0 + diff --git a/buildroot/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk b/buildroot/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk index 1781a5d46..42fe09bf5 100644 --- a/buildroot/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk +++ b/buildroot/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk @@ -38,19 +38,22 @@ else GST1_PLUGINS_BASE_CONF_OPTS += -Dorc=disabled endif -ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_HAS_API),y) +ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_HAS_API)$(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_HAS_PLATFORM)$(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_HAS_WINDOW),yyy) GST1_PLUGINS_BASE_CONF_OPTS += -Dgl=enabled +else +GST1_PLUGINS_BASE_CONF_OPTS += -Dgl=disabled +endif + ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_OPENGL),y) GST1_PLUGINS_BASE_GL_API_LIST = opengl GST1_PLUGINS_BASE_DEPENDENCIES += libgl libglu endif + ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_GLES2),y) GST1_PLUGINS_BASE_GL_API_LIST += gles2 GST1_PLUGINS_BASE_DEPENDENCIES += libgles endif -else -GST1_PLUGINS_BASE_CONF_OPTS += -Dgl=disabled -endif + GST1_PLUGINS_BASE_CONF_OPTS += -Dgl_api='$(subst $(space),$(comma),$(GST1_PLUGINS_BASE_GL_API_LIST))' ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_GLX),y) diff --git a/buildroot/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk b/buildroot/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk index 9f8b1d335..0261dc323 100644 --- a/buildroot/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk +++ b/buildroot/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk @@ -89,7 +89,7 @@ endif # Add GPL license if GPL plugins enabled. ifeq ($(GST1_PLUGINS_UGLY_HAS_GPL_LICENSE),y) -GST1_PLUGINS_UGLY_LICENSE += GPL-2.0 +GST1_PLUGINS_UGLY_LICENSE += , GPL-2.0 endif # Use the following command to extract license info for plugins. diff --git a/buildroot/package/hostapd/hostapd.hash b/buildroot/package/hostapd/hostapd.hash index bf5016acc..e2f76c12d 100644 --- a/buildroot/package/hostapd/hostapd.hash +++ b/buildroot/package/hostapd/hostapd.hash @@ -1,3 +1,6 @@ # Locally calculated sha256 881d7d6a90b2428479288d64233151448f8990ab4958e0ecaca7eeb3c9db2bd7 hostapd-2.9.tar.gz +sha256 2d9a5b9d616f1b4aa4a22b967cee866e2f69b798b0b46803a7928c8559842bd7 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch +sha256 49feb35a5276279b465f6836d6fa2c6b34d94dc979e8b840d1918865c04260de 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch +sha256 a8212a2d89a5bab2824d22b6047e7740553df163114fcec94832bfa9c5c5d78a 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch sha256 9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761 README diff --git a/buildroot/package/hostapd/hostapd.mk b/buildroot/package/hostapd/hostapd.mk index b94a0e457..676e36d8b 100644 --- a/buildroot/package/hostapd/hostapd.mk +++ b/buildroot/package/hostapd/hostapd.mk @@ -8,6 +8,10 @@ HOSTAPD_VERSION = 2.9 HOSTAPD_SITE = http://w1.fi/releases HOSTAPD_SUBDIR = hostapd HOSTAPD_CONFIG = $(HOSTAPD_DIR)/$(HOSTAPD_SUBDIR)/.config +HOSTAPD_PATCH = \ + https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \ + https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ + https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch HOSTAPD_DEPENDENCIES = host-pkgconf HOSTAPD_CFLAGS = $(TARGET_CFLAGS) HOSTAPD_LICENSE = BSD-3-Clause @@ -16,6 +20,9 @@ HOSTAPD_LICENSE_FILES = README # 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch HOSTAPD_IGNORE_CVES += CVE-2019-16275 +# 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch +HOSTAPD_IGNORE_CVES += CVE-2020-12695 + HOSTAPD_CONFIG_SET = HOSTAPD_CONFIG_ENABLE = \ diff --git a/buildroot/package/imagemagick/imagemagick.hash b/buildroot/package/imagemagick/imagemagick.hash index f95fa275d..3380378fd 100644 --- a/buildroot/package/imagemagick/imagemagick.hash +++ b/buildroot/package/imagemagick/imagemagick.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 238ee17196fcb80bb58485910aaefc12d48f99e4043c2a28f06ff9588161c4e3 7.0.8-59.tar.gz -sha256 5b47db932754743460eba7a226aea85b63e3408d3c7affb4d0117f70c9594ded LICENSE +sha256 9f2b8b131222354b196c640fca4e53eb0bbf62246621b9d467f223366272d7a7 imagemagick-7.0.10-28.tar.gz +sha256 e2d364de83dd9e7c866bd99ee7dac2fe92071fb70e9b187293353fb285cf09ac LICENSE diff --git a/buildroot/package/imagemagick/imagemagick.mk b/buildroot/package/imagemagick/imagemagick.mk index 5ef04973a..d44b7d1d1 100644 --- a/buildroot/package/imagemagick/imagemagick.mk +++ b/buildroot/package/imagemagick/imagemagick.mk @@ -4,9 +4,8 @@ # ################################################################################ -IMAGEMAGICK_VERSION = 7.0.8-59 -IMAGEMAGICK_SOURCE = $(IMAGEMAGICK_VERSION).tar.gz -IMAGEMAGICK_SITE = https://github.com/ImageMagick/ImageMagick/archive +IMAGEMAGICK_VERSION = 7.0.10-28 +IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION)) IMAGEMAGICK_LICENSE = Apache-2.0 IMAGEMAGICK_LICENSE_FILES = LICENSE diff --git a/buildroot/package/ipmitool/0008-fru-Fix-buffer-overflow-vulnerabilities.patch b/buildroot/package/ipmitool/0008-fru-Fix-buffer-overflow-vulnerabilities.patch new file mode 100644 index 000000000..a39713fdb --- /dev/null +++ b/buildroot/package/ipmitool/0008-fru-Fix-buffer-overflow-vulnerabilities.patch @@ -0,0 +1,132 @@ +From d615cb6c39d401a569941be2a615176191afa7ac Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:33:59 +0000 +Subject: [PATCH] fru: Fix buffer overflow vulnerabilities + +Partial fix for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +The `read_fru_area_section` function only performs size validation of +requested read size, and falsely assumes that the IPMI message will not +respond with more than the requested amount of data; it uses the +unvalidated response size to copy into `frubuf`. If the response is +larger than the request, this can result in overflowing the buffer. + +The same issue affects the `read_fru_area` function. + +[Retrieve from +https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2] +Signed-off-by: Heiko Thiery +--- + lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c +index cf00eff..af99aa9 100644 +--- a/lib/ipmi_fru.c ++++ b/lib/ipmi_fru.c +@@ -615,7 +615,10 @@ int + read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp; ++ uint32_t finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + } + ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } ++ + memcpy(frubuf, rsp->data + 1, tmp); + off += tmp; + frubuf += tmp; ++ size_left_in_buffer -= tmp; + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function + * still attempts to parse what was returned */ +@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { + static uint32_t fru_data_rqst_size = 20; +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp, finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + if (fru->access && fru_data_rqst_size > 16) + #endif + fru_data_rqst_size = 16; ++ ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy((frubuf + off)-offset, rsp->data + 1, tmp); + off += tmp; ++ size_left_in_buffer -= tmp; + + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function +-- +2.20.1 + diff --git a/buildroot/package/ipmitool/0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/buildroot/package/ipmitool/0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch new file mode 100644 index 000000000..213a2ad7b --- /dev/null +++ b/buildroot/package/ipmitool/0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch @@ -0,0 +1,52 @@ +From 879f57c3b1ff17b1ca0dbdc8aac9c7a814e876fc Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:44:18 +0000 +Subject: [PATCH] fru: Fix buffer overflow in ipmi_spd_print_fru + +Partial fix for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +The `ipmi_spd_print_fru` function has a similar issue as the one fixed +by the previous commit in `read_fru_area_section`. An initial request is +made to get the `fru.size`, which is used as the size for the allocation +of `spd_data`. Inside a loop, further requests are performed to get the +copy sizes which are not checked before being used as the size for a +copy into the buffer. + +[Retrieve from: +https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10] +Signed-off-by: Heiko Thiery +--- + lib/dimm_spd.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c +index 41e30db..68f3b4f 100644 +--- a/lib/dimm_spd.c ++++ b/lib/dimm_spd.c +@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + struct ipmi_rq req; + struct fru_info fru; + uint8_t *spd_data, msg_data[4]; +- int len, offset; ++ uint32_t len, offset; + + msg_data[0] = id; + +@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + } + + len = rsp->data[0]; ++ if(rsp->data_len < 1 ++ || len > rsp->data_len - 1 ++ || len > fru.size - offset) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy(&spd_data[offset], rsp->data + 1, len); + offset += len; + } while (offset < fru.size); +-- +2.20.1 + diff --git a/buildroot/package/ipmitool/0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/buildroot/package/ipmitool/0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch new file mode 100644 index 000000000..94a5ce650 --- /dev/null +++ b/buildroot/package/ipmitool/0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch @@ -0,0 +1,52 @@ +From cd785a7fe4f42ab59bcefcf01b9175f039af29b5 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:51:49 +0000 +Subject: [PATCH] session: Fix buffer overflow in ipmi_get_session_info + +Partial fix for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +The `ipmi_get_session_info` function does not properly check the +response `data_len`, which is used as a copy size, allowing stack buffer +overflow. + +[Retrieve from: +https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22] +Signed-off-by: Heiko Thiery +--- + lib/ipmi_session.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c +index 141f0f4..b9af1fd 100644 +--- a/lib/ipmi_session.c ++++ b/lib/ipmi_session.c +@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, + } + else + { +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + } + break; + +@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, + break; + } + +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + + } while (i <= session_info.session_slot_count); + break; +-- +2.20.1 + diff --git a/buildroot/package/ipmitool/0011-channel-Fix-buffer-overflow.patch b/buildroot/package/ipmitool/0011-channel-Fix-buffer-overflow.patch new file mode 100644 index 000000000..62e04c3e2 --- /dev/null +++ b/buildroot/package/ipmitool/0011-channel-Fix-buffer-overflow.patch @@ -0,0 +1,46 @@ +From 1d479fc61feacc64adea64da9601f3dfcf6f74b3 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:56:38 +0000 +Subject: [PATCH] channel: Fix buffer overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Partial fix for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +The `ipmi_get_channel_cipher_suites` function does not properly check +the final response’s `data_len`, which can lead to stack buffer overflow +on the final copy. + +[Retrieve from: +https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 + +The patch is slightly modified manually. The define +(MAX_CIPHER_SUITE_DATA_LEN) was introduced upstream in another patch. +Replace the define by the value 0x10.] + +Signed-off-by: Heiko Thiery +--- + lib/ipmi_channel.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c +index fab2e54..59ac227 100644 +--- a/lib/ipmi_channel.c ++++ b/lib/ipmi_channel.c +@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode > 0) { ++ if (rsp->ccode ++ || rsp->data_len < 1 ++ || rsp->data_len > sizeof(uint8_t) + 0x10) ++ { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; +-- +2.20.1 + diff --git a/buildroot/package/ipmitool/0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/buildroot/package/ipmitool/0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch new file mode 100644 index 000000000..aba9ad2c7 --- /dev/null +++ b/buildroot/package/ipmitool/0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch @@ -0,0 +1,92 @@ +From ceebf5998b71e11c81133680560b498977d3d3cd Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 17:06:39 +0000 +Subject: [PATCH] lanp: Fix buffer overflows in get_lan_param_select +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Partial fix for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +The `get_lan_param_select` function is missing a validation check on the +response’s `data_len`, which it then returns to caller functions, where +stack buffer overflow can occur. + +[Retrieve from: +https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10] +Signed-off-by: Heiko Thiery +--- + lib/ipmi_lanp.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c +index 65d881b..022c7f1 100644 +--- a/lib/ipmi_lanp.c ++++ b/lib/ipmi_lanp.c +@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + /* set new ipaddr */ + memcpy(data+3, temp, 4); + printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, +@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + /* set new macaddr */ + memcpy(data+7, temp, 6); + printf("Setting LAN Alert %d MAC Address to " +@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "def", 3) == 0 || + strncasecmp(argv[1], "default", 7) == 0) { +@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "on", 2) == 0 || + strncasecmp(argv[1], "yes", 3) == 0) { +@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "pet", 3) == 0) { + printf("Setting LAN Alert %d destination to PET Trap\n", alert); +@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (str2uchar(argv[1], &data[2]) != 0) { + lprintf(LOG_ERR, "Invalid time: %s", argv[1]); +@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (str2uchar(argv[1], &data[3]) != 0) { + lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); +-- +2.20.1 + diff --git a/buildroot/package/ipmitool/0013-fru-sdr-Fix-id_string-buffer-overflows.patch b/buildroot/package/ipmitool/0013-fru-sdr-Fix-id_string-buffer-overflows.patch new file mode 100644 index 000000000..2a519f3c7 --- /dev/null +++ b/buildroot/package/ipmitool/0013-fru-sdr-Fix-id_string-buffer-overflows.patch @@ -0,0 +1,141 @@ +From bf3ded3a474d85da99eb717acdcd8ff4f89f9879 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 17:13:45 +0000 +Subject: [PATCH] fru, sdr: Fix id_string buffer overflows + +Final part of the fixes for CVE-2020-5208, see +https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +9 variants of stack buffer overflow when parsing `id_string` field of +SDR records returned from `CMD_GET_SDR` command. + +SDR record structs have an `id_code` field, and an `id_string` `char` +array. + +The length of `id_string` is calculated as `(id_code & 0x1f) + 1`, +which can be larger than expected 16 characters (if `id_code = 0xff`, +then length will be `(0xff & 0x1f) + 1 = 32`). + +In numerous places, this can cause stack buffer overflow when copying +into fixed buffer of size `17` bytes from this calculated length. + +[Retrieve from: +https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637] +Signed-off-by: Heiko Thiery +--- + lib/ipmi_fru.c | 2 +- + lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++---------------- + 2 files changed, 25 insertions(+), 17 deletions(-) + +diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c +index af99aa9..98bc984 100644 +--- a/lib/ipmi_fru.c ++++ b/lib/ipmi_fru.c +@@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru) + return 0; + + memset(desc, 0, sizeof(desc)); +- memcpy(desc, fru->id_string, fru->id_code & 0x01f); ++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); + desc[fru->id_code & 0x01f] = 0; + printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); + +diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c +index 2a9cbe3..62aac08 100644 +--- a/lib/ipmi_sdr.c ++++ b/lib/ipmi_sdr.c +@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf, + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); + + if (verbose) { + printf("Sensor ID : %s (0x%x)\n", +@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf, + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); + + if (verbose == 0) { + if (csv_output) +@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf, + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); + + if (!verbose) { + if (csv_output) +@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf, + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); + + if (!verbose) { + if (csv_output) +@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf, uint16_t id, + + int rc =0; + char desc[17]; ++ const char *id_string; ++ uint8_t id_code; + memset(desc, ' ', sizeof (desc)); + + switch ( type) { + case SDR_RECORD_TYPE_FULL_SENSOR: + record.full = (struct sdr_record_full_sensor *) raw; +- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", +- (const char *)record.full->id_string); ++ id_code = record.full->id_code; ++ id_string = record.full->id_string; + break; ++ + case SDR_RECORD_TYPE_COMPACT_SENSOR: + record.compact = (struct sdr_record_compact_sensor *) raw ; +- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", +- (const char *)record.compact->id_string); ++ id_code = record.compact->id_code; ++ id_string = record.compact->id_string; + break; ++ + case SDR_RECORD_TYPE_EVENTONLY_SENSOR: + record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; +- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", +- (const char *)record.eventonly->id_string); +- break; ++ id_code = record.eventonly->id_code; ++ id_string = record.eventonly->id_string; ++ break; ++ + case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: + record.mcloc = (struct sdr_record_mc_locator *) raw ; +- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", +- (const char *)record.mcloc->id_string); ++ id_code = record.mcloc->id_code; ++ id_string = record.mcloc->id_string; + break; ++ + default: + rc = -1; +- break; +- } ++ } ++ if (!rc) { ++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); ++ } + +- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); ++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); + return rc; + } + +-- +2.20.1 + diff --git a/buildroot/package/ipmitool/ipmitool.mk b/buildroot/package/ipmitool/ipmitool.mk index 525466887..123dd274f 100644 --- a/buildroot/package/ipmitool/ipmitool.mk +++ b/buildroot/package/ipmitool/ipmitool.mk @@ -10,6 +10,14 @@ IPMITOOL_SITE = http://downloads.sourceforge.net/project/ipmitool/ipmitool/$(IPM IPMITOOL_LICENSE = BSD-3-Clause IPMITOOL_LICENSE_FILES = COPYING +# 0008-fru-Fix-buffer-overflow-vulnerabilities.patch +# 0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch +# 0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch +# 0011-channel-Fix-buffer-overflow.patch +# 0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch +# 0013-fru-sdr-Fix-id_string-buffer-overflows.patch +IPMITOOL_IGNORE_CVES += CVE-2020-5208 + ifeq ($(BR2_PACKAGE_IPMITOOL_LANPLUS),y) IPMITOOL_DEPENDENCIES += openssl IPMITOOL_CONF_OPTS += --enable-intf-lanplus diff --git a/buildroot/package/iputils/iputils.mk b/buildroot/package/iputils/iputils.mk index 0d260891e..d09bc58b3 100644 --- a/buildroot/package/iputils/iputils.mk +++ b/buildroot/package/iputils/iputils.mk @@ -40,13 +40,8 @@ IPUTILS_DEPENDENCIES += libgcrypt else ifeq ($(BR2_PACKAGE_OPENSSL),y) IPUTILS_CONF_OPTS += -DUSE_CRYPTO=openssl IPUTILS_DEPENDENCIES += openssl -else ifeq ($(BR2_PACKAGE_LINUX_HEADERS),y) -IPUTILS_CONF_OPTS += -DUSE_CRYPTO=kernel -IPUTILS_DEPENDENCIES += linux-headers else -IPUTILS_CONF_OPTS += -DUSE_CRYPTO=none -# BUILD_NINFOD=true and USE_CRYPTO=none cannot be combined -IPUTILS_NINFOD = n +IPUTILS_CONF_OPTS += -DUSE_CRYPTO=kernel endif ifeq ($(BR2_PACKAGE_SYSTEMD),y) diff --git a/buildroot/package/janus-gateway/Config.in b/buildroot/package/janus-gateway/Config.in index 9b70fa0ca..45990b633 100644 --- a/buildroot/package/janus-gateway/Config.in +++ b/buildroot/package/janus-gateway/Config.in @@ -59,12 +59,11 @@ comment "transports" config BR2_PACKAGE_JANUS_GATEWAY_MQTT bool "MQTT" - depends on !BR2_STATIC_LIBS depends on BR2_TOOLCHAIN_HAS_THREADS select BR2_PACKAGE_PAHO_MQTT_C -comment "MQTT transport needs a toolchain w/ threads and dynamic library support" - depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS +comment "MQTT transport needs a toolchain w/ threads" + depends on !BR2_TOOLCHAIN_HAS_THREADS config BR2_PACKAGE_JANUS_GATEWAY_RABBITMQ bool "RabbitMQ" @@ -89,7 +88,6 @@ config BR2_PACKAGE_JANUS_GATEWAY_UNIX_SOCKETS config BR2_PACKAGE_JANUS_GATEWAY_WEBSOCKETS bool "WebSockets" - depends on BR2_USE_MMU select BR2_PACKAGE_LIBWEBSOCKETS endif diff --git a/buildroot/package/jasper/0001-verify-data-range-CVE-2018-19541.patch b/buildroot/package/jasper/0001-verify-data-range-CVE-2018-19541.patch deleted file mode 100644 index 35b4299dc..000000000 --- a/buildroot/package/jasper/0001-verify-data-range-CVE-2018-19541.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 24fc4d6f01d2d4c8297d1bebec02360f796e01c2 Mon Sep 17 00:00:00 2001 -From: Michael Vetter -Date: Mon, 4 Nov 2019 18:17:44 +0100 -Subject: [PATCH] Verify range data in jp2_pclr_getdata - -This fixes CVE-2018-19541. -We need to verify the data is in the expected range. Otherwise we get -problems later. - -This is a better fix for https://github.com/mdadams/jasper/pull/199 -which caused segfaults under certain circumstances. - -Patch by Adam Majer -Signed-off-by: Michael Vetter ---- - src/libjasper/jp2/jp2_cod.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c -index 890e6ad..0f8d804 100644 ---- a/src/libjasper/jp2/jp2_cod.c -+++ b/src/libjasper/jp2/jp2_cod.c -@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in) - jp2_getuint8(in, &pclr->numchans)) { - return -1; - } -+ -+ // verify in range data as per I.5.3.4 - Palette box -+ if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) { -+ return -1; -+ } -+ - lutsize = pclr->numlutents * pclr->numchans; - if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) { - return -1; diff --git a/buildroot/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch b/buildroot/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch deleted file mode 100644 index 515a6162c..000000000 --- a/buildroot/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch +++ /dev/null @@ -1,24 +0,0 @@ -From fc62d1b7164ded2405fd6a0604548b34a5a77462 Mon Sep 17 00:00:00 2001 -From: Timothy Lyanguzov -Date: Mon, 18 Mar 2019 16:46:24 +1300 -Subject: [PATCH] Fix CVE-2018-19542: Check for NULL pointer in jp2_decode - -Signed-off-by: Michael Vetter ---- - src/libjasper/jp2/jp2_dec.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c -index 03b0eaf..a535c19 100644 ---- a/src/libjasper/jp2/jp2_dec.c -+++ b/src/libjasper/jp2/jp2_dec.c -@@ -388,6 +388,9 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr) - jas_image_setcmpttype(dec->image, newcmptno, jp2_getct(jas_image_clrspc(dec->image), 0, channo + 1)); - } - #endif -+ } else { -+ jas_eprintf("error: invalid MTYP in CMAP box\n"); -+ goto error; - } - } - } diff --git a/buildroot/package/jasper/0003-test-asclen-CVE-2018-19540.patch b/buildroot/package/jasper/0003-test-asclen-CVE-2018-19540.patch deleted file mode 100644 index 9401da511..000000000 --- a/buildroot/package/jasper/0003-test-asclen-CVE-2018-19540.patch +++ /dev/null @@ -1,29 +0,0 @@ -From e38454aa1a15b78c028a778fc8bfba3587e25c25 Mon Sep 17 00:00:00 2001 -From: Michael Vetter -Date: Fri, 15 Mar 2019 11:01:02 +0100 -Subject: [PATCH] Make sure asclen is at least 1 - -If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow. - -Regards CVE-2018-19540. -Regards https://github.com/mdadams/jasper/issues/182 bug#3 -Fix by Markus Koschany . -From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823 -Signed-off-by: Michael Vetter ---- - src/libjasper/base/jas_icc.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c -index 4607930..762c0e8 100644 ---- a/src/libjasper/base/jas_icc.c -+++ b/src/libjasper/base/jas_icc.c -@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in, - if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) != - JAS_CAST(int, txtdesc->asclen)) - goto error; -+ if (txtdesc->asclen < 1) -+ goto error; - txtdesc->ascdata[txtdesc->asclen - 1] = '\0'; - if (jas_iccgetuint32(in, &txtdesc->uclangcode) || - jas_iccgetuint32(in, &txtdesc->uclen)) diff --git a/buildroot/package/jasper/jasper.hash b/buildroot/package/jasper/jasper.hash index 7e9ce0ea9..67ad90d73 100644 --- a/buildroot/package/jasper/jasper.hash +++ b/buildroot/package/jasper/jasper.hash @@ -1,3 +1,3 @@ # Locally calculated -sha256 f1d8b90f231184d99968f361884e2054a1714fdbbd9944ba1ae4ebdcc9bbfdb1 jasper-2.0.16.tar.gz +sha256 b9d16162a088617ada36450f2374d72165377cb64b33ed197c200bcfb73ec76c jasper-2.0.19.tar.gz sha256 4ad1bb42aff888c4403d792e6e2c5f1716d6c279fea70b296333c9d577d30b81 LICENSE diff --git a/buildroot/package/jasper/jasper.mk b/buildroot/package/jasper/jasper.mk index 287c35888..f6ae2ead7 100644 --- a/buildroot/package/jasper/jasper.mk +++ b/buildroot/package/jasper/jasper.mk @@ -4,8 +4,8 @@ # ################################################################################ -JASPER_VERSION = 2.0.16 -JASPER_SITE = $(call github,mdadams,jasper,version-$(JASPER_VERSION)) +JASPER_VERSION = 2.0.19 +JASPER_SITE = $(call github,jasper-software,jasper,version-$(JASPER_VERSION)) JASPER_INSTALL_STAGING = YES JASPER_LICENSE = JasPer-2.0 JASPER_LICENSE_FILES = LICENSE diff --git a/buildroot/package/json-c/json-c.hash b/buildroot/package/json-c/json-c.hash index 0e0300747..a20d370eb 100644 --- a/buildroot/package/json-c/json-c.hash +++ b/buildroot/package/json-c/json-c.hash @@ -1,4 +1,4 @@ # From https://github.com/json-c/json-c/wiki -sha256 b87e608d4d3f7bfdd36ef78d56d53c74e66ab278d318b71e6002a369d36f4873 json-c-0.13.1.tar.gz +sha256 b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6 json-c-0.15.tar.gz # Locally calculated -sha256 74c1e6ca5eba76b54d0ad00d4815c8315c1b3bc45ff99de61d103dc92486284c COPYING +sha256 74c1e6ca5eba76b54d0ad00d4815c8315c1b3bc45ff99de61d103dc92486284c COPYING diff --git a/buildroot/package/json-c/json-c.mk b/buildroot/package/json-c/json-c.mk index 2788fe563..5e27c9b23 100644 --- a/buildroot/package/json-c/json-c.mk +++ b/buildroot/package/json-c/json-c.mk @@ -4,19 +4,11 @@ # ################################################################################ -JSON_C_VERSION = 0.13.1 +JSON_C_VERSION = 0.15 JSON_C_SITE = https://s3.amazonaws.com/json-c_releases/releases JSON_C_INSTALL_STAGING = YES JSON_C_LICENSE = MIT JSON_C_LICENSE_FILES = COPYING -# update config.h.in timestamp to avoid autoheader run -define JSON_C_UPDATE_CONFIG_TIMESTAMP - touch $(@D)/config.h.in -endef - -JSON_C_POST_EXTRACT_HOOKS += JSON_C_UPDATE_CONFIG_TIMESTAMP -HOST_JSON_C_POST_EXTRACT_HOOKS += JSON_C_UPDATE_CONFIG_TIMESTAMP - -$(eval $(autotools-package)) -$(eval $(host-autotools-package)) +$(eval $(cmake-package)) +$(eval $(host-cmake-package)) diff --git a/buildroot/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch b/buildroot/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch deleted file mode 100644 index b6d89859b..000000000 --- a/buildroot/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 3a46be47cad5a3498b5f6d6007b7d1fe5b8dff78 Mon Sep 17 00:00:00 2001 -Message-Id: <3a46be47cad5a3498b5f6d6007b7d1fe5b8dff78.1594274321.git.baruch@tkos.co.il> -From: Baruch Siach -Date: Thu, 9 Jul 2020 08:14:49 +0300 -Subject: [PATCH] bearssl: fix build with disabled proxy support - -Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is -defined. - -Signed-off-by: Baruch Siach ---- -Upstream status: https://github.com/curl/curl/pull/5666 - - lib/vtls/bearssl.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c -index 628e16a124a9..44e7406e8e39 100644 ---- a/lib/vtls/bearssl.c -+++ b/lib/vtls/bearssl.c -@@ -300,8 +300,12 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct ssl_backend_data *backend = connssl->backend; - const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); -+#ifndef CURL_DISABLE_PROXY - const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : - conn->host.name; -+#else -+ const char *hostname = conn->host.name; -+#endif - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const bool verifyhost = SSL_CONN_CONFIG(verifyhost); - CURLcode ret; -@@ -386,8 +390,11 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) - */ - - #ifdef USE_NGHTTP2 -- if(data->set.httpversion >= CURL_HTTP_VERSION_2 && -- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) { -+ if(data->set.httpversion >= CURL_HTTP_VERSION_2 -+#ifndef CURL_DISABLE_PROXY -+ && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) -+#endif -+ ) { - backend->protocols[cur++] = NGHTTP2_PROTO_VERSION_ID; - infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); - } --- -2.27.0 - diff --git a/buildroot/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch b/buildroot/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch deleted file mode 100644 index 0d1286338..000000000 --- a/buildroot/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch +++ /dev/null @@ -1,159 +0,0 @@ -From d040da28f57d0b3fcd6f63809a8c85a600f87a62 Mon Sep 17 00:00:00 2001 -Message-Id: -From: Baruch Siach -Date: Thu, 9 Jul 2020 08:14:49 +0300 -Subject: [PATCH] nss: fix build with disabled proxy support - -Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is -defined. - -Signed-off-by: Baruch Siach ---- -Upstream status: https://github.com/curl/curl/pull/5667 - - lib/vtls/nss.c | 44 +++++++++++++++++++++++++++++++++++--------- - 1 file changed, 35 insertions(+), 9 deletions(-) - -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index fca292613815..0f0d1ee6c80f 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -1027,9 +1027,11 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) - CERTCertificate *cert; - - /* remember the cert verification result */ -+#ifndef CURL_DISABLE_PROXY - if(SSL_IS_PROXY()) - data->set.proxy_ssl.certverifyresult = err; - else -+#endif - data->set.ssl.certverifyresult = err; - - if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost)) -@@ -1553,24 +1555,32 @@ static void nss_close(struct ssl_connect_data *connssl) - static void Curl_nss_close(struct connectdata *conn, int sockindex) - { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; -+#ifndef CURL_DISABLE_PROXY - struct ssl_connect_data *connssl_proxy = &conn->proxy_ssl[sockindex]; -+#endif - struct ssl_backend_data *backend = connssl->backend; - -- if(backend->handle || connssl_proxy->backend->handle) { -+ if(backend->handle -+#ifndef CURL_DISABLE_PROXY -+ || connssl_proxy->backend->handle -+#endif -+ ) { - /* NSS closes the socket we previously handed to it, so we must mark it - as closed to avoid double close */ - fake_sclose(conn->sock[sockindex]); - conn->sock[sockindex] = CURL_SOCKET_BAD; - } - -+#ifndef CURL_DISABLE_PROXY - if(backend->handle) - /* nss_close(connssl) will transitively close also - connssl_proxy->backend->handle if both are used. Clear it to avoid - a double close leading to crash. */ - connssl_proxy->backend->handle = NULL; - -- nss_close(connssl); - nss_close(connssl_proxy); -+#endif -+ nss_close(connssl); - } - - /* return true if NSS can provide error code (and possibly msg) for the -@@ -1828,6 +1838,12 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) - CURLcode result; - bool second_layer = FALSE; - SSLVersionRange sslver_supported; -+#ifndef CURL_DISABLE_PROXY -+ const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : -+ conn->host.name; -+#else -+ const char *hostname = conn->host.name; -+#endif - - SSLVersionRange sslver = { - SSL_LIBRARY_VERSION_TLS_1_0, /* min */ -@@ -1932,9 +1948,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) - goto error; - - /* not checked yet */ -+#ifndef CURL_DISABLE_PROXY - if(SSL_IS_PROXY()) - data->set.proxy_ssl.certverifyresult = 0; - else -+#endif - data->set.ssl.certverifyresult = 0; - - if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess) -@@ -1991,12 +2009,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) - goto error; - } - -+#ifndef CURL_DISABLE_PROXY - if(conn->proxy_ssl[sockindex].use) { - DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state); - DEBUGASSERT(conn->proxy_ssl[sockindex].backend->handle != NULL); - nspr_io = conn->proxy_ssl[sockindex].backend->handle; - second_layer = TRUE; - } -+#endif - else { - /* wrap OS file descriptor by NSPR's file descriptor abstraction */ - nspr_io = PR_ImportTCPSocket(sockfd); -@@ -2077,8 +2097,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) - unsigned char protocols[128]; - - #ifdef USE_NGHTTP2 -- if(data->set.httpversion >= CURL_HTTP_VERSION_2 && -- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) { -+ if(data->set.httpversion >= CURL_HTTP_VERSION_2 -+#ifndef CURL_DISABLE_PROXY -+ && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) -+#endif -+ ) { - protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN; - memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID, - NGHTTP2_PROTO_VERSION_ID_LEN); -@@ -2101,14 +2124,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) - goto error; - - /* propagate hostname to the TLS layer */ -- if(SSL_SetURL(backend->handle, SSL_IS_PROXY() ? conn->http_proxy.host.name : -- conn->host.name) != SECSuccess) -+ if(SSL_SetURL(backend->handle, hostname) != SECSuccess) - goto error; - - /* prevent NSS from re-using the session for a different hostname */ -- if(SSL_SetSockPeerID(backend->handle, SSL_IS_PROXY() ? -- conn->http_proxy.host.name : conn->host.name) -- != SECSuccess) -+ if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess) - goto error; - - return CURLE_OK; -@@ -2127,11 +2147,17 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) - struct Curl_easy *data = conn->data; - CURLcode result = CURLE_SSL_CONNECT_ERROR; - PRUint32 timeout; -+#ifndef CURL_DISABLE_PROXY - long * const certverifyresult = SSL_IS_PROXY() ? - &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; - const char * const pinnedpubkey = SSL_IS_PROXY() ? - data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : - data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; -+#else -+ long * const certverifyresult = &data->set.ssl.certverifyresult; -+ const char * const pinnedpubkey = -+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; -+#endif - - - /* check timeout situation */ --- -2.27.0 - diff --git a/buildroot/package/libcurl/libcurl.hash b/buildroot/package/libcurl/libcurl.hash index 46f72c1ea..2bd1890ca 100644 --- a/buildroot/package/libcurl/libcurl.hash +++ b/buildroot/package/libcurl/libcurl.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -# https://curl.haxx.se/download/curl-7.71.1.tar.xz.asc +# https://curl.haxx.se/download/curl-7.72.0.tar.xz.asc # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 -sha256 40f83eda27cdbeb25cd4da48cefb639af1b9395d6026d2da1825bf059239658c curl-7.71.1.tar.xz +sha256 0ded0808c4d85f2ee0db86980ae610cc9d165e9ca9da466196cc73c346513713 curl-7.72.0.tar.xz sha256 db3c4a3b3695a0f317a0c5176acd2f656d18abc45b3ee78e50935a78eb1e132e COPYING diff --git a/buildroot/package/libcurl/libcurl.mk b/buildroot/package/libcurl/libcurl.mk index 2581207b0..e233926cb 100644 --- a/buildroot/package/libcurl/libcurl.mk +++ b/buildroot/package/libcurl/libcurl.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBCURL_VERSION = 7.71.1 +LIBCURL_VERSION = 7.72.0 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz LIBCURL_SITE = https://curl.haxx.se/download LIBCURL_DEPENDENCIES = host-pkgconf \ diff --git a/buildroot/package/libeXosip2/Config.in b/buildroot/package/libeXosip2/Config.in index 4cb8218f2..9fbe9789f 100644 --- a/buildroot/package/libeXosip2/Config.in +++ b/buildroot/package/libeXosip2/Config.in @@ -4,10 +4,10 @@ config BR2_PACKAGE_LIBEXOSIP2 select BR2_PACKAGE_LIBOSIP2 help eXosip is a library that hides the complexity of using the - SIP protocol for mutlimedia session establishement. + SIP protocol for multimedia session establishment. This protocol is mainly to be used by VoIP telephony applications (endpoints or conference server) but might be - also usefull for any application that wish to establish + also useful for any application that wish to establish sessions like multiplayer games. eXosip is based in libosip. diff --git a/buildroot/package/libhtp/0001-htp.pc.in-add-lz-to-Libs.private.patch b/buildroot/package/libhtp/0001-htp.pc.in-add-lz-to-Libs.private.patch deleted file mode 100644 index b21ea6053..000000000 --- a/buildroot/package/libhtp/0001-htp.pc.in-add-lz-to-Libs.private.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 39e534ab696157b244ec226d649c789dcf423e42 Mon Sep 17 00:00:00 2001 -From: Fabrice Fontaine -Date: Wed, 24 Apr 2019 20:48:57 +0200 -Subject: [PATCH] htp.pc.in: add -lz to Libs.private - -zlib is a mandatory dependency so add it to Libs.private otherwise -static linking of packages linking with htp (e.g. suricata) will fail. - -Signed-off-by: Fabrice Fontaine -[Upstream status: https://github.com/OISF/libhtp/pull/294] ---- - htp.pc.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/htp.pc.in b/htp.pc.in -index 2fec995..9b1a6cc 100644 ---- a/htp.pc.in -+++ b/htp.pc.in -@@ -7,6 +7,6 @@ Name: @PACKAGE_NAME@ - Description: A security-aware HTTP parser, designed for use in IDS/IPS and WAF products. - Version: @PACKAGE_VERSION@ - Libs: -L${libdir} -lhtp --Libs.private: @LIBICONV@ -+Libs.private: -lz @LIBICONV@ - Cflags: -I${includedir} -I${libdir}/htp/include - --- -2.20.1 - diff --git a/buildroot/package/libhtp/libhtp.hash b/buildroot/package/libhtp/libhtp.hash index 765acd5bf..df75336df 100644 --- a/buildroot/package/libhtp/libhtp.hash +++ b/buildroot/package/libhtp/libhtp.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 953651fdfe828805bb82dc1aa8b56187b0e2f80781727343e68ccf8afd6a9122 libhtp-0.5.33.tar.gz +sha256 4c3ac4c6027710455ffe725f24ac6a83b2c13fe0afc83b74df2cca78ba46976a libhtp-0.5.35.tar.gz sha256 87c93904e5434c81622ea690c2b90097b9f162aaa92a96542649a157dbf98d15 LICENSE diff --git a/buildroot/package/libhtp/libhtp.mk b/buildroot/package/libhtp/libhtp.mk index b77d8715f..c402cf750 100644 --- a/buildroot/package/libhtp/libhtp.mk +++ b/buildroot/package/libhtp/libhtp.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBHTP_VERSION = 0.5.33 +LIBHTP_VERSION = 0.5.35 LIBHTP_SITE = $(call github,OISF,libhtp,$(LIBHTP_VERSION)) LIBHTP_LICENSE = BSD-3-Clause LIBHTP_LICENSE_FILES = LICENSE diff --git a/buildroot/package/libraw/libraw.hash b/buildroot/package/libraw/libraw.hash index 3337396f5..e8117cd1f 100644 --- a/buildroot/package/libraw/libraw.hash +++ b/buildroot/package/libraw/libraw.hash @@ -1,5 +1,5 @@ # Locally calculated -sha256 40a262d7cc71702711a0faec106118ee004f86c86cc228281d12d16da03e02f5 LibRaw-0.19.5.tar.gz -sha256 eea173a556abac0370461e57e12aab266894ea6be3874c2be05fd87871f75449 LICENSE.LGPL -sha256 0e3098d2d54a12434715f6679ea408d57da5e8d613c385c58ecc6fe5d30cc81f LICENSE.CDDL -sha256 ed971b7f1f57fd8e7d28419ff7749cfe0f296e701687756e798a69555fd76646 README.md +sha256 1f0a383da2ce9f409087facd28261decbf6be72cc90c78cd003b0766e4d694a3 LibRaw-0.20.0.tar.gz +sha256 eea173a556abac0370461e57e12aab266894ea6be3874c2be05fd87871f75449 LICENSE.LGPL +sha256 0e3098d2d54a12434715f6679ea408d57da5e8d613c385c58ecc6fe5d30cc81f LICENSE.CDDL +sha256 313415f7f48f6cd3cc78856626aab4bbe97dbb1e9a11db9c25396ca8d0e76cd9 README.md diff --git a/buildroot/package/libraw/libraw.mk b/buildroot/package/libraw/libraw.mk index 9a647f8d5..e33674e6f 100644 --- a/buildroot/package/libraw/libraw.mk +++ b/buildroot/package/libraw/libraw.mk @@ -4,15 +4,13 @@ # ################################################################################ -LIBRAW_VERSION = 0.19.5 +LIBRAW_VERSION = 0.20.0 LIBRAW_SOURCE = LibRaw-$(LIBRAW_VERSION).tar.gz LIBRAW_SITE = http://www.libraw.org/data LIBRAW_INSTALL_STAGING = YES LIBRAW_CONF_OPTS += \ --disable-examples \ - --disable-openmp \ - --disable-demosaic-pack-gpl2 \ - --disable-demosaic-pack-gpl3 + --disable-openmp LIBRAW_LICENSE = LGPL-2.1 or CDDL-1.0 LIBRAW_LICENSE_FILES = LICENSE.LGPL LICENSE.CDDL README.md LIBRAW_DEPENDENCIES = host-pkgconf @@ -43,4 +41,11 @@ else LIBRAW_CONF_OPTS += --disable-lcms endif +ifeq ($(BR2_PACKAGE_ZLIB),y) +LIBRAW_CONF_OPTS += --enable-zlib +LIBRAW_DEPENDENCIES += zlib +else +LIBRAW_CONF_OPTS += --disable-zlib +endif + $(eval $(autotools-package)) diff --git a/buildroot/package/libssh/0001-libssh.h-bump-to-version-0.9.4.patch b/buildroot/package/libssh/0001-libssh.h-bump-to-version-0.9.4.patch deleted file mode 100644 index d6ec50509..000000000 --- a/buildroot/package/libssh/0001-libssh.h-bump-to-version-0.9.4.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 8d8428cbbc2c00d078cfbc967e4e6fee7ff7bf0b Mon Sep 17 00:00:00 2001 -From: Heiko Thiery -Date: Wed, 15 Apr 2020 11:57:29 +0200 -Subject: [PATCH] libssh.h: bump to version 0.9.4 - -In the released version of libssh the version bump was not done -properly. Therefore the current release 0.9.4 reports 0.9.3. - -Signed-off-by: Heiko Thiery ---- - include/libssh/libssh.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h -index 79030131..e2a8d991 100644 ---- a/include/libssh/libssh.h -+++ b/include/libssh/libssh.h -@@ -79,7 +79,7 @@ - /* libssh version */ - #define LIBSSH_VERSION_MAJOR 0 - #define LIBSSH_VERSION_MINOR 9 --#define LIBSSH_VERSION_MICRO 3 -+#define LIBSSH_VERSION_MICRO 4 - - #define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \ - LIBSSH_VERSION_MINOR, \ --- -2.20.1 - diff --git a/buildroot/package/libssh/0002-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch b/buildroot/package/libssh/0002-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch deleted file mode 100644 index 9cc938947..000000000 --- a/buildroot/package/libssh/0002-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 6417f5a3cac8537ac6f6ff7fc1642dfaa0917fb4 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Thu, 16 Apr 2020 11:13:34 +0200 -Subject: [PATCH] channels: Avoid returning SSH_AGAIN from - ssh_channel_poll_timeout() - -This addresses a regression introduced in 3bad0607, partially fixed in 022409e9, -but the function was still able to return SSH_AGAIN, which was not expected by -callers. - -Based on discussion in [1] and [2] - -[1] https://gitlab.com/libssh/libssh-mirror/-/merge_requests/101 -[2] https://www.libssh.org/archive/libssh/2020-03/0000029.html - -Signed-off-by: Jakub Jelen -Reviewed-by: Anderson Toshiyuki Sasaki - -[Backport from upstream commit: -6417f5a3cac8537ac6f6ff7fc1642dfaa0917fb4] -Signed-off-by: Heiko Thiery ---- - src/channels.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/src/channels.c b/src/channels.c -index bcc1c207..9fe309d0 100644 ---- a/src/channels.c -+++ b/src/channels.c -@@ -3116,6 +3116,12 @@ int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr) - session->session_state == SSH_SESSION_STATE_ERROR) { - rc = SSH_ERROR; - goto out; -+ } else if (rc == SSH_AGAIN) { -+ /* If the above timeout expired, it is ok and we do not need to -+ * attempt to check the read buffer. The calling functions do not -+ * expect us to return SSH_AGAIN either here. */ -+ rc = SSH_OK; -+ goto out; - } - len = ssh_buffer_get_len(stdbuf); - if (len > 0) { --- -2.20.1 - diff --git a/buildroot/package/libssh/libssh.hash b/buildroot/package/libssh/libssh.hash index 62b860300..bc6fa3f1f 100644 --- a/buildroot/package/libssh/libssh.hash +++ b/buildroot/package/libssh/libssh.hash @@ -1,5 +1,5 @@ # Locally calculated after checking pgp signature -# https://www.libssh.org/files/0.9/libssh-0.9.3.tar.xz.asc +# https://www.libssh.org/files/0.9/libssh-0.9.5.tar.xz.asc # with key 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D -sha256 150897a569852ac05aac831dc417a7ba8e610c86ca2e0154a99c6ade2486226b libssh-0.9.4.tar.xz +sha256 acffef2da98e761fc1fd9c4fddde0f3af60ab44c4f5af05cd1b2d60a3fa08718 libssh-0.9.5.tar.xz sha256 1656186e951db1c010a8485481fa94587f7e53a26d24976bef97945ad0c4df5a COPYING diff --git a/buildroot/package/libssh/libssh.mk b/buildroot/package/libssh/libssh.mk index abc9aec9a..67e3ad9f9 100644 --- a/buildroot/package/libssh/libssh.mk +++ b/buildroot/package/libssh/libssh.mk @@ -5,7 +5,7 @@ ################################################################################ LIBSSH_VERSION_MAJOR = 0.9 -LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).4 +LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).5 LIBSSH_SOURCE = libssh-$(LIBSSH_VERSION).tar.xz LIBSSH_SITE = https://www.libssh.org/files/$(LIBSSH_VERSION_MAJOR) LIBSSH_LICENSE = LGPL-2.1 diff --git a/buildroot/package/libwebsockets/Config.in b/buildroot/package/libwebsockets/Config.in index 2b350bf38..1d927bb4e 100644 --- a/buildroot/package/libwebsockets/Config.in +++ b/buildroot/package/libwebsockets/Config.in @@ -1,6 +1,5 @@ config BR2_PACKAGE_LIBWEBSOCKETS bool "libwebsockets" - depends on BR2_USE_MMU # fork() select BR2_PACKAGE_ZLIB help Libwebsockets is a lightweight pure C library built to use diff --git a/buildroot/package/libxml-parser-perl/libxml-parser-perl.mk b/buildroot/package/libxml-parser-perl/libxml-parser-perl.mk index fcde5fc93..37cef2e41 100644 --- a/buildroot/package/libxml-parser-perl/libxml-parser-perl.mk +++ b/buildroot/package/libxml-parser-perl/libxml-parser-perl.mk @@ -12,9 +12,14 @@ LIBXML_PARSER_PERL_LICENSE = Artistic or GPL-1.0+ LIBXML_PARSER_PERL_LICENSE_FILES = README LIBXML_PARSER_PERL_RUN_PERL = `which perl` +HOST_LIBXML_PARSER_PERL_CONFIGURE_OPTS = \ + $(HOST_CONFIGURE_OPTS) \ + LD="$(HOSTCC)" + define HOST_LIBXML_PARSER_PERL_CONFIGURE_CMDS (cd $(@D) ; \ - $(HOST_CONFIGURE_OPTS) $(LIBXML_PARSER_PERL_RUN_PERL) Makefile.PL \ + $(HOST_LIBXML_PARSER_PERL_CONFIGURE_OPTS) \ + $(LIBXML_PARSER_PERL_RUN_PERL) Makefile.PL \ PREFIX=$(HOST_DIR) \ EXPATLIBPATH=$(HOST_DIR)/lib \ EXPATINCPATH=$(HOST_DIR)/include \ @@ -25,7 +30,7 @@ define HOST_LIBXML_PARSER_PERL_CONFIGURE_CMDS endef define HOST_LIBXML_PARSER_PERL_BUILD_CMDS - $(HOST_MAKE_ENV) $(MAKE) -C $(@D) + $(HOST_MAKE_ENV) $(MAKE) $(HOST_LIBXML_PARSER_PERL_CONFIGURE_OPTS) -C $(@D) endef define HOST_LIBXML_PARSER_PERL_INSTALL_CMDS diff --git a/buildroot/package/libxml2/0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch b/buildroot/package/libxml2/0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch new file mode 100644 index 000000000..460f2a3ae --- /dev/null +++ b/buildroot/package/libxml2/0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch @@ -0,0 +1,40 @@ +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 7 Aug 2020 21:54:27 +0200 +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' + +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds +array access. + +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for +the report. + +Fixes #178. + +[Retrieved from: +https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2] +Signed-off-by: Fabrice Fontaine +--- + xmllint.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xmllint.c b/xmllint.c +index f6a8e4636..c647486f3 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -528,6 +528,12 @@ static void + xmlHTMLEncodeSend(void) { + char *result; + ++ /* ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid ++ * an out-of-bounds read. ++ */ ++ memset(&buffer[sizeof(buffer)-4], 0, 4); + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); + if (result) { + xmlGenericError(xmlGenericErrorContext, "%s", result); +-- +GitLab + diff --git a/buildroot/package/libxml2/libxml2.mk b/buildroot/package/libxml2/libxml2.mk index acbdfb772..e9379b05a 100644 --- a/buildroot/package/libxml2/libxml2.mk +++ b/buildroot/package/libxml2/libxml2.mk @@ -13,6 +13,8 @@ LIBXML2_LICENSE_FILES = COPYING LIBXML2_IGNORE_CVES += CVE-2020-7595 # 0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch LIBXML2_IGNORE_CVES += CVE-2019-20388 +# 0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch +LIBXML2_IGNORE_CVES += CVE-2020-24977 LIBXML2_CONFIG_SCRIPTS = xml2-config # relocation truncated to fit: R_68K_GOT16O diff --git a/buildroot/package/linux-headers/Config.in.host b/buildroot/package/linux-headers/Config.in.host index 7fbd07015..87a72af6e 100644 --- a/buildroot/package/linux-headers/Config.in.host +++ b/buildroot/package/linux-headers/Config.in.host @@ -318,11 +318,11 @@ endchoice config BR2_DEFAULT_KERNEL_HEADERS string - default "4.4.226" if BR2_KERNEL_HEADERS_4_4 - default "4.9.226" if BR2_KERNEL_HEADERS_4_9 - default "4.14.183" if BR2_KERNEL_HEADERS_4_14 - default "4.19.127" if BR2_KERNEL_HEADERS_4_19 - default "5.4.45" if BR2_KERNEL_HEADERS_5_4 + default "4.4.238" if BR2_KERNEL_HEADERS_4_4 + default "4.9.238" if BR2_KERNEL_HEADERS_4_9 + default "4.14.200" if BR2_KERNEL_HEADERS_4_14 + default "4.19.150" if BR2_KERNEL_HEADERS_4_19 + default "5.4.70" if BR2_KERNEL_HEADERS_5_4 default BR2_DEFAULT_KERNEL_VERSION if BR2_KERNEL_HEADERS_VERSION default "custom" if BR2_KERNEL_HEADERS_CUSTOM_TARBALL default BR2_KERNEL_HEADERS_CUSTOM_REPO_VERSION \ diff --git a/buildroot/package/live555/live555.hash b/buildroot/package/live555/live555.hash index f5df69f24..2072b0ddf 100644 --- a/buildroot/package/live555/live555.hash +++ b/buildroot/package/live555/live555.hash @@ -1,5 +1,5 @@ # From http://www.live555.com/liveMedia/public/live555-latest-md5.txt md5 12e105c8fef9d34658d68367dc26a3d9 live.2019.09.30.tar.gz # Locally generated -sha256 ef44f48a84324525cebc2081dd2d0f1e908f2d0a79d9d30dd41967e142dfb06b live.2019.09.30.tar.gz -sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING +sha256 ef44f48a84324525cebc2081dd2d0f1e908f2d0a79d9d30dd41967e142dfb06b live.2019.09.30.tar.gz +sha256 da7eabb7bafdf7d3ae5e9f223aa5bdc1eece45ac569dc21b3b037520b4464768 COPYING.LESSER diff --git a/buildroot/package/live555/live555.mk b/buildroot/package/live555/live555.mk index cbe1c1bc0..81c8b3de8 100644 --- a/buildroot/package/live555/live555.mk +++ b/buildroot/package/live555/live555.mk @@ -7,8 +7,12 @@ LIVE555_VERSION = 2019.09.30 LIVE555_SOURCE = live.$(LIVE555_VERSION).tar.gz LIVE555_SITE = http://www.live555.com/liveMedia/public -LIVE555_LICENSE = LGPL-2.1+ -LIVE555_LICENSE_FILES = COPYING +# There is a COPYING file with the GPL-3.0 license text, but none of +# the source files appear to be released under GPL-3.0, and the +# project web site says it's licensed under the LGPL: +# http://live555.com/liveMedia/faq.html#copyright-and-license +LIVE555_LICENSE = LGPL-3.0+ +LIVE555_LICENSE_FILES = COPYING.LESSER LIVE555_INSTALL_STAGING = YES LIVE555_CFLAGS = $(TARGET_CFLAGS) diff --git a/buildroot/package/localedef/localedef.mk b/buildroot/package/localedef/localedef.mk index f6e26b566..d6f1625e3 100644 --- a/buildroot/package/localedef/localedef.mk +++ b/buildroot/package/localedef/localedef.mk @@ -14,6 +14,7 @@ HOST_LOCALEDEF_DL_SUBDIR = glibc HOST_LOCALEDEF_DEPENDENCIES = \ $(BR2_MAKE_HOST_DEPENDENCY) \ + $(BR2_PYTHON3_HOST_DEPENDENCY) \ host-bison \ host-gawk diff --git a/buildroot/package/lua/5.1.5/lua.hash b/buildroot/package/lua/5.1.5/lua.hash new file mode 100644 index 000000000..22ff8b7da --- /dev/null +++ b/buildroot/package/lua/5.1.5/lua.hash @@ -0,0 +1,6 @@ +# Hashes from: http://www.lua.org/ftp/ +md5 2e115fe26e435e33b0d5c022e4490567 lua-5.1.5.tar.gz +sha1 b3882111ad02ecc6b972f8c1241647905cb2e3fc lua-5.1.5.tar.gz + +# Locally computed +sha256 ee5e3e82af1e1b543c4f216e399d7c8cfee797711913f349e385101c4ae60a79 COPYRIGHT diff --git a/buildroot/package/lua/5.3.5/0003-fix-revision-number.patch b/buildroot/package/lua/5.3.5/0003-fix-revision-number.patch deleted file mode 100644 index ed2e0460e..000000000 --- a/buildroot/package/lua/5.3.5/0003-fix-revision-number.patch +++ /dev/null @@ -1,31 +0,0 @@ -Fix revision number - -In 0002-shared-libs-for-lua.patch, revision number is used to set -library name: -TO_SOLIB = liblua.so.$(R) - -However, library is built using PKG_VERSION which is passed only during -build step: -$(CC) -o $@.$(PKG_VERSION) -shared -Wl,-soname="$@.$(PKG_VERSION)" $? - -As a result, dynamic library is not installed in staging or target paths -since bump to lua 5.3.5 - -So, instead of replacing R by PKG_VERSION and passing this variable in -all steps, simply update R to 5 - -Signed-off-by: Fabrice Fontaine - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -47,6 +47,6 @@ - - # Lua version and release. - V= 5.3 --R= $V.4 -+R= $V.5 - - # Targets start here. - all: $(PLAT) diff --git a/buildroot/package/lua/5.3.5/0001-root-path.patch b/buildroot/package/lua/5.3.6/0001-root-path.patch similarity index 100% rename from buildroot/package/lua/5.3.5/0001-root-path.patch rename to buildroot/package/lua/5.3.6/0001-root-path.patch diff --git a/buildroot/package/lua/5.3.5/0002-shared-libs-for-lua.patch b/buildroot/package/lua/5.3.6/0002-shared-libs-for-lua.patch similarity index 100% rename from buildroot/package/lua/5.3.5/0002-shared-libs-for-lua.patch rename to buildroot/package/lua/5.3.6/0002-shared-libs-for-lua.patch diff --git a/buildroot/package/lua/5.3.5/0011-linenoise.patch b/buildroot/package/lua/5.3.6/0003-linenoise.patch similarity index 100% rename from buildroot/package/lua/5.3.5/0011-linenoise.patch rename to buildroot/package/lua/5.3.6/0003-linenoise.patch diff --git a/buildroot/package/lua/5.3.6/lua.hash b/buildroot/package/lua/5.3.6/lua.hash new file mode 100644 index 000000000..74849b310 --- /dev/null +++ b/buildroot/package/lua/5.3.6/lua.hash @@ -0,0 +1,6 @@ +# Hashes from: http://www.lua.org/ftp/ +md5 83f23dbd5230140a3770d5f54076948d lua-5.3.6.tar.gz +sha1 f27d20d6c81292149bc4308525a9d6733c224fa5 lua-5.3.6.tar.gz + +# Locally computed +sha256 2ddff2161e0c4487d744943565538743c0721485873092f6809d072a983b06ef doc/readme.html diff --git a/buildroot/package/lua/lua.hash b/buildroot/package/lua/lua.hash deleted file mode 100644 index 3e7812b7d..000000000 --- a/buildroot/package/lua/lua.hash +++ /dev/null @@ -1,8 +0,0 @@ -# Hashes from: http://www.lua.org/ftp/ -md5 4f4b4f323fd3514a68e0ab3da8ce3455 lua-5.3.5.tar.gz -sha1 112eb10ff04d1b4c9898e121d6bdf54a81482447 lua-5.3.5.tar.gz - -md5 2e115fe26e435e33b0d5c022e4490567 lua-5.1.5.tar.gz -sha1 b3882111ad02ecc6b972f8c1241647905cb2e3fc lua-5.1.5.tar.gz -# Locally computed -sha256 ee5e3e82af1e1b543c4f216e399d7c8cfee797711913f349e385101c4ae60a79 COPYRIGHT diff --git a/buildroot/package/lua/lua.mk b/buildroot/package/lua/lua.mk index 8a5f9258a..83637caf0 100644 --- a/buildroot/package/lua/lua.mk +++ b/buildroot/package/lua/lua.mk @@ -5,7 +5,7 @@ ################################################################################ ifeq ($(BR2_PACKAGE_LUA_5_3),y) -LUA_VERSION = 5.3.5 +LUA_VERSION = 5.3.6 else LUA_VERSION = 5.1.5 endif diff --git a/buildroot/package/mbedtls/mbedtls.hash b/buildroot/package/mbedtls/mbedtls.hash index b75a8fa80..0082eee4a 100644 --- a/buildroot/package/mbedtls/mbedtls.hash +++ b/buildroot/package/mbedtls/mbedtls.hash @@ -1,3 +1,4 @@ +# From https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8: +sha256 fe9e3b15c3375943bdfebbbb20dd6b4f1147b3b5d926248bd835d73247407430 mbedtls-2.16.8.tar.gz # Locally calculated -sha256 4786b7d1676f5e4d248f3a7f2d28446876d64962634f060ff21b92c690cfbe86 mbedtls-2.16.7.tar.gz sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30 apache-2.0.txt diff --git a/buildroot/package/mbedtls/mbedtls.mk b/buildroot/package/mbedtls/mbedtls.mk index 4ae8291c1..5094434e6 100644 --- a/buildroot/package/mbedtls/mbedtls.mk +++ b/buildroot/package/mbedtls/mbedtls.mk @@ -4,8 +4,8 @@ # ################################################################################ -MBEDTLS_VERSION = 2.16.7 -MBEDTLS_SITE = $(call github,ARMmbed,mbedtls,mbedtls-$(MBEDTLS_VERSION)) +MBEDTLS_VERSION = 2.16.8 +MBEDTLS_SITE = $(call github,ARMmbed,mbedtls,v$(MBEDTLS_VERSION)) MBEDTLS_CONF_OPTS = \ -DENABLE_PROGRAMS=$(if $(BR2_PACKAGE_MBEDTLS_PROGRAMS),ON,OFF) \ -DENABLE_TESTING=OFF diff --git a/buildroot/package/memcached/0001-configure-Fix-cross-compilation-errors.patch b/buildroot/package/memcached/0001-configure-Fix-cross-compilation-errors.patch deleted file mode 100644 index 5c5d94832..000000000 --- a/buildroot/package/memcached/0001-configure-Fix-cross-compilation-errors.patch +++ /dev/null @@ -1,142 +0,0 @@ -From 1146bf07624b5820b942b84b68e66f0d3dd25914 Mon Sep 17 00:00:00 2001 -From: Ola Jeppsson -Date: Mon, 7 Oct 2019 18:07:30 -0400 -Subject: [PATCH] configure: Fix cross-compilation errors - -AC_RUN_IFELSE does not work when cross-compiling so we need to provide -fallback methods for those cases. - -I tried to use constructs that work with Autoconf 2.52. -Alas, I wasn't able to generate a working build system with that version. - -Autoconf 2.58 / Automake 1.7.9 is the earliest combo that I could get -to work (with and without this patch). -Perhaps it's time for a slight bump for the required version numbers? - -Cross-compiles sucessfully against: -riscv64-unknown-linux-gnu - -Downloaded from upstream PR: -https://github.com/memcached/memcached/pull/552 - -Signed-off-by: Bernd Kuhls ---- - configure.ac | 80 +++++++++++++++++++++++++++------------------------- - 1 file changed, 41 insertions(+), 39 deletions(-) - -diff --git a/configure.ac b/configure.ac -index fb78fc5..27dc939 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -264,23 +264,42 @@ return sizeof(void*) == 8 ? 0 : 1; - ],[ - CFLAGS="-m64 $org_cflags" - ],[ -- AC_MSG_ERROR([Don't know how to build a 64-bit object.]) -+ AC_MSG_ERROR([Don't know how to build a 64-bit object.]) -+ ],[ -+ dnl cross compile -+ AC_MSG_WARN([Assuming no extra CFLAGS are required for cross-compiling 64bit version.]) - ]) - fi - - dnl If data pointer is 64bit or not. --AC_RUN_IFELSE( -- [AC_LANG_PROGRAM([], [dnl --return sizeof(void*) == 8 ? 0 : 1; -- ]) --],[ -- have_64bit_ptr=yes --],[ -+AC_CHECK_HEADERS([stdint.h]) -+AS_IF([test -z "$have_64bit_ptr"], -+ [AC_RUN_IFELSE( -+ [AC_LANG_PROGRAM([], [return sizeof(void*) == 8 ? 0 : 1;])], -+ [have_64bit_ptr=yes ], -+ [have_64bit_ptr=no], -+ [dnl cross compile (this test requires C99) -+ AS_IF([test "x$ac_cv_header_stdint_h" = xyes], -+ [AC_COMPILE_IFELSE( -+ [AC_LANG_PROGRAM([ -+ #include -+ #if UINTPTR_MAX == 0xFFFFFFFFFFFFFFFFUL -+ /* 64 bit pointer */ -+ #else -+ #error 32 bit pointer -+ #endif -+ ], [])], -+ [have_64bit_ptr=yes], -+ [have_64bit_ptr=no])], -+ [have_64bit_ptr=unknown]) -+ ]) - ]) -- --if test $have_64bit_ptr = yes; then -+AS_IF([test "$have_64bit_ptr" = "unknown" ],[ -+ AC_MSG_ERROR([Cannot detect pointer size. Must pass have_64bit_ptr={yes,no} to configure.]) -+]) -+AS_IF([test "$have_64bit_ptr" = yes],[ - AC_DEFINE(HAVE_64BIT_PTR, 1, [data pointer is 64bit]) --fi -+]) - - # Issue 213: Search for clock_gettime to help people linking - # with a static version of libevent -@@ -570,30 +589,10 @@ fi - AC_C_SOCKLEN_T - - dnl Check if we're a little-endian or a big-endian system, needed by hash code --AC_DEFUN([AC_C_ENDIAN], --[AC_CACHE_CHECK(for endianness, ac_cv_c_endian, --[ -- AC_RUN_IFELSE( -- [AC_LANG_PROGRAM([], [dnl -- long val = 1; -- char *c = (char *) &val; -- exit(*c == 1); -- ]) -- ],[ -- ac_cv_c_endian=big -- ],[ -- ac_cv_c_endian=little -- ]) --]) --if test $ac_cv_c_endian = big; then -- AC_DEFINE(ENDIAN_BIG, 1, [machine is bigendian]) --fi --if test $ac_cv_c_endian = little; then -- AC_DEFINE(ENDIAN_LITTLE, 1, [machine is littleendian]) --fi --]) -- --AC_C_ENDIAN -+AC_C_BIGENDIAN( -+ [AC_DEFINE(ENDIAN_BIG, 1, [machine is bigendian])], -+ [AC_DEFINE(ENDIAN_LITTLE, 1, [machine is littleendian])], -+ [AC_MSG_ERROR([Cannot detect endianness. Must pass ac_cv_c_bigendian={yes,no} to configure.])]) - - AC_DEFUN([AC_C_HTONLL], - [ -@@ -670,12 +669,15 @@ AC_DEFUN([AC_C_ALIGNMENT], - ],[ - ac_cv_c_alignment=need - ],[ -- ac_cv_c_alignment=need -+ dnl cross compile -+ ac_cv_c_alignment=maybe - ]) - ]) --if test $ac_cv_c_alignment = need; then -- AC_DEFINE(NEED_ALIGN, 1, [Machine need alignment]) --fi -+AS_IF([test $ac_cv_c_alignment = need], -+ [AC_DEFINE(NEED_ALIGN, 1, [Machine need alignment])]) -+AS_IF([test $ac_cv_c_alignment = maybe], -+ [AC_MSG_WARN([Assuming aligned access is required when cross-compiling]) -+ AC_DEFINE(NEED_ALIGN, 1, [Machine need alignment])]) - ]) - - AC_C_ALIGNMENT --- -2.20.1 - diff --git a/buildroot/package/memcached/0002-configure-Simplify-pointer-size-check.patch b/buildroot/package/memcached/0002-configure-Simplify-pointer-size-check.patch deleted file mode 100644 index 1a5dc3196..000000000 --- a/buildroot/package/memcached/0002-configure-Simplify-pointer-size-check.patch +++ /dev/null @@ -1,76 +0,0 @@ -From ec7f3bc97c53578d5ca332b9e86c4d08d155c5a0 Mon Sep 17 00:00:00 2001 -From: Ola Jeppsson -Date: Mon, 7 Oct 2019 19:57:46 -0400 -Subject: [PATCH] configure: Simplify pointer size check - -Tested with: -Autoconf 2.59 / Automake 1.7.9 -Autoconf 2.69 / Automake 1.16.1 - -Downloaded from upstream PR: -https://github.com/memcached/memcached/pull/552 - -Signed-off-by: Bernd Kuhls ---- - configure.ac | 31 ++----------------------------- - restart.h | 2 +- - 2 files changed, 3 insertions(+), 30 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 27dc939..7e5bd5d 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -271,35 +271,8 @@ return sizeof(void*) == 8 ? 0 : 1; - ]) - fi - --dnl If data pointer is 64bit or not. --AC_CHECK_HEADERS([stdint.h]) --AS_IF([test -z "$have_64bit_ptr"], -- [AC_RUN_IFELSE( -- [AC_LANG_PROGRAM([], [return sizeof(void*) == 8 ? 0 : 1;])], -- [have_64bit_ptr=yes ], -- [have_64bit_ptr=no], -- [dnl cross compile (this test requires C99) -- AS_IF([test "x$ac_cv_header_stdint_h" = xyes], -- [AC_COMPILE_IFELSE( -- [AC_LANG_PROGRAM([ -- #include -- #if UINTPTR_MAX == 0xFFFFFFFFFFFFFFFFUL -- /* 64 bit pointer */ -- #else -- #error 32 bit pointer -- #endif -- ], [])], -- [have_64bit_ptr=yes], -- [have_64bit_ptr=no])], -- [have_64bit_ptr=unknown]) -- ]) --]) --AS_IF([test "$have_64bit_ptr" = "unknown" ],[ -- AC_MSG_ERROR([Cannot detect pointer size. Must pass have_64bit_ptr={yes,no} to configure.]) --]) --AS_IF([test "$have_64bit_ptr" = yes],[ -- AC_DEFINE(HAVE_64BIT_PTR, 1, [data pointer is 64bit]) --]) -+dnl Check if data pointer is 64bit or not -+AC_CHECK_SIZEOF([void *]) - - # Issue 213: Search for clock_gettime to help people linking - # with a static version of libevent -diff --git a/restart.h b/restart.h -index 76cd0a8..9de5096 100644 ---- a/restart.h -+++ b/restart.h -@@ -4,7 +4,7 @@ - #define RESTART_TAG_MAXLEN 255 - - // Track the pointer size for restart fiddling. --#ifdef HAVE_64BIT_PTR -+#if SIZEOF_VOID_P == 8 - typedef uint64_t mc_ptr_t; - #else - typedef uint32_t mc_ptr_t; --- -2.20.1 - diff --git a/buildroot/package/memcached/memcached.hash b/buildroot/package/memcached/memcached.hash index 98e47d6c0..e599cd2fa 100644 --- a/buildroot/package/memcached/memcached.hash +++ b/buildroot/package/memcached/memcached.hash @@ -1,6 +1,6 @@ -# From http://www.memcached.org/files/memcached-1.5.19.tar.gz.sha1 -sha1 14e6a02e743838696fcb620edf6a2fd7e60cabec memcached-1.5.19.tar.gz +# From http://www.memcached.org/files/memcached-1.5.22.tar.gz.sha1 +sha1 3fe5d3929130e860efcfde18d4d396a29db006b7 memcached-1.5.22.tar.gz # Locally computed -sha256 3ddcdaa2d14d215f3111a7448b79c889c57618a26e97ad989581f1880a5a4be0 memcached-1.5.19.tar.gz -sha256 bc887c4ad8051fe690ace9528fe37a2e0bb362e6d963331d82e845ca9b585a0c COPYING +sha256 c2b47e9d20575a2367087c229636ffc3fb699a6c3a7f3a22f44402f25f5f1f93 memcached-1.5.22.tar.gz +sha256 bc887c4ad8051fe690ace9528fe37a2e0bb362e6d963331d82e845ca9b585a0c COPYING diff --git a/buildroot/package/memcached/memcached.mk b/buildroot/package/memcached/memcached.mk index 9b362d2a3..8a980677c 100644 --- a/buildroot/package/memcached/memcached.mk +++ b/buildroot/package/memcached/memcached.mk @@ -4,16 +4,13 @@ # ################################################################################ -MEMCACHED_VERSION = 1.5.19 +MEMCACHED_VERSION = 1.5.22 MEMCACHED_SITE = http://www.memcached.org/files MEMCACHED_DEPENDENCIES = libevent MEMCACHED_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99' MEMCACHED_CONF_OPTS = --disable-coverage MEMCACHED_LICENSE = BSD-3-Clause MEMCACHED_LICENSE_FILES = COPYING -# 0001-configure-Fix-cross-compilation-errors.patch -# 0002-configure-Simplify-pointer-size-check.patch -MEMCACHED_AUTORECONF = YES ifeq ($(BR2_ENDIAN),"BIG") MEMCACHED_CONF_ENV += ac_cv_c_endian=big diff --git a/buildroot/package/mesa3d/Config.in b/buildroot/package/mesa3d/Config.in index ade13ec03..f65ccbb1f 100644 --- a/buildroot/package/mesa3d/Config.in +++ b/buildroot/package/mesa3d/Config.in @@ -320,6 +320,7 @@ config BR2_PACKAGE_MESA3D_XVMC depends on BR2_PACKAGE_XORG7 depends on BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_NOUVEAU \ || BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_R600 + select BR2_PACKAGE_MESA3D_NEEDS_X11 select BR2_PACKAGE_XLIB_LIBXV select BR2_PACKAGE_XLIB_LIBXVMC help @@ -369,7 +370,13 @@ config BR2_PACKAGE_MESA3D_DRI_DRIVER_NOUVEAU Support for Nvidia-based GPUs. config BR2_PACKAGE_MESA3D_DRI_DRIVER_RADEON - bool "DRI radeon driver" + bool "DRI radeon r100 driver" + depends on BR2_i386 || BR2_x86_64 + # libdrm's radeon option depends on LIBDRM_HAS_ATOMIC. Propagating + # that dependency here causes a circular dependency that Kconfig + # can't see is just spurious. However, that dependency is about + # the toolchain having sync4 primitives, which is always a given + # for i386 and x86_64. select BR2_PACKAGE_MESA3D_DRI_DRIVER select BR2_PACKAGE_LIBDRM_RADEON help diff --git a/buildroot/package/meson/meson.mk b/buildroot/package/meson/meson.mk index d782ee086..aa4ef5cd0 100644 --- a/buildroot/package/meson/meson.mk +++ b/buildroot/package/meson/meson.mk @@ -25,6 +25,10 @@ else ifeq ($(BR2_aarch64)$(BR2_aarch64_be),y) HOST_MESON_TARGET_CPU_FAMILY = aarch64 else ifeq ($(BR2_i386),y) HOST_MESON_TARGET_CPU_FAMILY = x86 +else ifeq ($(BR2_m68k),y) +HOST_MESON_TARGET_CPU_FAMILY = m68k +else ifeq ($(BR2_microblazeel)$(BR2_microblazebe),y) +HOST_MESON_TARGET_CPU_FAMILY = microblaze else ifeq ($(BR2_mips)$(BR2_mipsel),y) HOST_MESON_TARGET_CPU_FAMILY = mips else ifeq ($(BR2_mips64)$(BR2_mips64el),y) @@ -35,6 +39,8 @@ else ifeq ($(BR2_powerpc64)$(BR2_powerpc64le),y) HOST_MESON_TARGET_CPU_FAMILY = ppc64 else ifeq ($(BR2_riscv),y) HOST_MESON_TARGET_CPU_FAMILY = riscv64 +else ifeq ($(BR2_sh4)$(BR2_sh4eb)$(BR2_sh4a)$(BR2_sh4aeb),y) +HOST_MESON_TARGET_CPU_FAMILY = sh4 else ifeq ($(BR2_sparc),y) HOST_MESON_TARGET_CPU_FAMILY = sparc else ifeq ($(BR2_sparc64),y) diff --git a/buildroot/package/minidlna/0001-fix-build-with-gcc-10.patch b/buildroot/package/minidlna/0001-fix-build-with-gcc-10.patch new file mode 100644 index 000000000..521d17f0c --- /dev/null +++ b/buildroot/package/minidlna/0001-fix-build-with-gcc-10.patch @@ -0,0 +1,49 @@ +From 90e88764f0fb3d981cd0c3cfd07d63323cc64090 Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine +Date: Tue, 1 Sep 2020 22:55:24 +0200 +Subject: [PATCH] fix build with gcc 10 + +Define setjmp_buffer as static to avoid the following build failure with +gcc 10 (which defaults to -fno-common): + +/home/buildroot/autobuild/instance-1/output-1/host/lib/gcc/arm-buildroot-linux-gnueabihf/10.2.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: image_utils.o:(.bss+0x0): multiple definition of `setjmp_buffer'; metadata.o:(.bss+0x0): first defined here +collect2: error: ld returned 1 exit status + +Fixes: + - http://autobuild.buildroot.org/results/8754bb4f7d749f999d5f8ddfec587470ceec4476 + +Signed-off-by: Fabrice Fontaine +--- + image_utils.c | 2 +- + metadata.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/image_utils.c b/image_utils.c +index 24cfd08..e8d9635 100644 +--- a/image_utils.c ++++ b/image_utils.c +@@ -190,7 +190,7 @@ jpeg_memory_src(j_decompress_ptr cinfo, const unsigned char * buffer, size_t buf + src->pub.bytes_in_buffer = bufsize; + } + +-jmp_buf setjmp_buffer; ++static jmp_buf setjmp_buffer; + /* Don't exit on error like libjpeg likes to do */ + static void + libjpeg_error_handler(j_common_ptr cinfo) +diff --git a/metadata.c b/metadata.c +index 9cd86dc..4781db7 100644 +--- a/metadata.c ++++ b/metadata.c +@@ -502,7 +502,7 @@ GetAudioMetadata(const char *path, const char *name) + } + + /* For libjpeg error handling */ +-jmp_buf setjmp_buffer; ++static jmp_buf setjmp_buffer; + static void + libjpeg_error_handler(j_common_ptr cinfo) + { +-- +2.28.0 + diff --git a/buildroot/package/minidlna/0002-upnphttp.c-fix-CallStranger-a.k.a.-CVE-2020-12695.patch b/buildroot/package/minidlna/0002-upnphttp.c-fix-CallStranger-a.k.a.-CVE-2020-12695.patch new file mode 100644 index 000000000..7406ce2e9 --- /dev/null +++ b/buildroot/package/minidlna/0002-upnphttp.c-fix-CallStranger-a.k.a.-CVE-2020-12695.patch @@ -0,0 +1,133 @@ +From 51bfbee51fd0376b5a66c944134af3e9972d8592 Mon Sep 17 00:00:00 2001 +From: Fabrice Fontaine +Date: Sun, 6 Sep 2020 11:22:48 +0200 +Subject: [PATCH] upnphttp.c: fix CallStranger a.k.a. CVE-2020-12695 + +Import CheckCallback function from miniupnpd source code: +https://github.com/miniupnp/miniupnp/commit/0d9634658860c3c8c209e466cc0ef7002bad3b0a + +IPv6 code was kept even if minidlna does not support it currently. + +This code is licensed under BSD-3-Clause like minidlna. + +Signed-off-by: Fabrice Fontaine +[Upstream status: +https://sourceforge.net/p/minidlna/support-requests/71] +--- + upnphttp.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 82 insertions(+), 10 deletions(-) + +diff --git a/upnphttp.c b/upnphttp.c +index 974434e..3be793e 100644 +--- a/upnphttp.c ++++ b/upnphttp.c +@@ -742,6 +742,70 @@ check_event(struct upnphttp *h) + return type; + } + ++/** ++ * returns 0 if the callback header value is not valid ++ * 1 if it is valid. ++ */ ++static int ++checkCallbackURL(struct upnphttp * h) ++{ ++ char addrstr[48]; ++ int ipv6; ++ const char * p; ++ int i; ++ ++ if(!h->req_Callback || h->req_CallbackLen < 8) ++ return 0; ++ if(memcmp(h->req_Callback, "http://", 7) != 0) ++ return 0; ++ ipv6 = 0; ++ i = 0; ++ p = h->req_Callback + 7; ++ if(*p == '[') { ++ p++; ++ ipv6 = 1; ++ while(*p != ']' && i < (sizeof(addrstr)-1) ++ && p < (h->req_Callback + h->req_CallbackLen)) ++ addrstr[i++] = *(p++); ++ } else { ++ while(*p != '/' && *p != ':' && i < (sizeof(addrstr)-1) ++ && p < (h->req_Callback + h->req_CallbackLen)) ++ addrstr[i++] = *(p++); ++ } ++ addrstr[i] = '\0'; ++ if(ipv6) { ++ struct in6_addr addr; ++ if(inet_pton(AF_INET6, addrstr, &addr) <= 0) ++ return 0; ++#ifdef ENABLE_IPV6 ++ if(!h->ipv6 ++ || (0!=memcmp(&addr, &(h->clientaddr_v6), sizeof(struct in6_addr)))) ++ return 0; ++#else ++ return 0; ++#endif ++ } else { ++ struct in_addr addr; ++ if(inet_pton(AF_INET, addrstr, &addr) <= 0) ++ return 0; ++#ifdef ENABLE_IPV6 ++ if(h->ipv6) { ++ if(!IN6_IS_ADDR_V4MAPPED(&(h->clientaddr_v6))) ++ return 0; ++ if(0!=memcmp(&addr, ((const char *)&(h->clientaddr_v6) + 12), 4)) ++ return 0; ++ } else { ++ if(0!=memcmp(&addr, &(h->clientaddr), sizeof(struct in_addr))) ++ return 0; ++ } ++#else ++ if(0!=memcmp(&addr, &(h->clientaddr), sizeof(struct in_addr))) ++ return 0; ++#endif ++ } ++ return 1; ++} ++ + static void + ProcessHTTPSubscribe_upnphttp(struct upnphttp * h, const char * path) + { +@@ -759,17 +823,25 @@ ProcessHTTPSubscribe_upnphttp(struct upnphttp * h, const char * path) + * - respond HTTP/x.x 200 OK + * - Send the initial event message */ + /* Server:, SID:; Timeout: Second-(xx|infinite) */ +- sid = upnpevents_addSubscriber(path, h->req_Callback, +- h->req_CallbackLen, h->req_Timeout); +- h->respflags = FLAG_TIMEOUT; +- if (sid) +- { +- DPRINTF(E_DEBUG, L_HTTP, "generated sid=%s\n", sid); +- h->respflags |= FLAG_SID; +- h->req_SID = sid; +- h->req_SIDLen = strlen(sid); ++ /* Check that the callback URL is on the same IP as ++ * the request, and not on the internet, nor on ourself (DOS attack ?) */ ++ if(checkCallbackURL(h)) { ++ sid = upnpevents_addSubscriber(path, h->req_Callback, ++ h->req_CallbackLen, h->req_Timeout); ++ h->respflags = FLAG_TIMEOUT; ++ if (sid) ++ { ++ DPRINTF(E_DEBUG, L_HTTP, "generated sid=%s\n", sid); ++ h->respflags |= FLAG_SID; ++ h->req_SID = sid; ++ h->req_SIDLen = strlen(sid); ++ } ++ BuildResp_upnphttp(h, 0, 0); ++ } else { ++ DPRINTF(E_WARN, L_HTTP, "Invalid Callback in SUBSCRIBE %.*s", ++ h->req_CallbackLen, h->req_Callback); ++ BuildResp2_upnphttp(h, 412, "Precondition Failed", 0, 0); + } +- BuildResp_upnphttp(h, 0, 0); + } + else if (type == E_RENEW) + { +-- +2.28.0 + diff --git a/buildroot/package/minidlna/minidlnad.service b/buildroot/package/minidlna/minidlnad.service index f69476b30..4e968d385 100644 --- a/buildroot/package/minidlna/minidlnad.service +++ b/buildroot/package/minidlna/minidlnad.service @@ -5,7 +5,7 @@ After=network.target [Service] Type=forking ExecStart=/usr/sbin/minidlnad -PIDFile=/var/run/minidlna/minidlna.pid +PIDFile=/run/minidlna/minidlna.pid [Install] WantedBy=multi-user.target diff --git a/buildroot/package/mosquitto/mosquitto.hash b/buildroot/package/mosquitto/mosquitto.hash index ab3f7aeb2..13f0c8de2 100644 --- a/buildroot/package/mosquitto/mosquitto.hash +++ b/buildroot/package/mosquitto/mosquitto.hash @@ -1,6 +1,6 @@ # Locally calculated after checking gpg signature -# from https://mosquitto.org/files/source/mosquitto-1.6.9.tar.gz.asc -sha256 412979b2db0a0020bd02fa64f0a0de9e7000b84462586e32b67f29bb1f6c1685 mosquitto-1.6.9.tar.gz +# from https://mosquitto.org/files/source/mosquitto-1.6.12.tar.gz.asc +sha256 548d73d19fb787dd0530334e398fd256ef3a581181678488a741a995c4f007fb mosquitto-1.6.12.tar.gz # License files sha256 cc77e25bafd40637b7084f04086d606f0a200051b61806f97c93405926670bc1 LICENSE.txt diff --git a/buildroot/package/mosquitto/mosquitto.mk b/buildroot/package/mosquitto/mosquitto.mk index ea57d7693..8cee0d7b0 100644 --- a/buildroot/package/mosquitto/mosquitto.mk +++ b/buildroot/package/mosquitto/mosquitto.mk @@ -4,7 +4,7 @@ # ################################################################################ -MOSQUITTO_VERSION = 1.6.9 +MOSQUITTO_VERSION = 1.6.12 MOSQUITTO_SITE = https://mosquitto.org/files/source MOSQUITTO_LICENSE = EPL-1.0 or EDLv1.0 MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v10 edl-v10 @@ -41,7 +41,8 @@ else MOSQUITTO_MAKE_OPTS += WITH_ADNS=no endif -ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y) +# threaded API uses pthread_setname_np +ifeq ($(BR2_TOOLCHAIN_HAS_THREADS_NPTL),y) MOSQUITTO_MAKE_OPTS += WITH_THREADING=yes else MOSQUITTO_MAKE_OPTS += WITH_THREADING=no diff --git a/buildroot/package/mpv/Config.in b/buildroot/package/mpv/Config.in index 32910f224..697ad57ba 100644 --- a/buildroot/package/mpv/Config.in +++ b/buildroot/package/mpv/Config.in @@ -3,7 +3,7 @@ config BR2_PACKAGE_MPV depends on BR2_TOOLCHAIN_HAS_THREADS depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_5 - depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8 + depends on BR2_TOOLCHAIN_HAS_ATOMIC select BR2_PACKAGE_LIBICONV if !BR2_ENABLE_LOCALE select BR2_PACKAGE_FFMPEG select BR2_PACKAGE_FFMPEG_SWSCALE @@ -25,6 +25,6 @@ config BR2_PACKAGE_MPV comment "mpv needs a toolchain w/ threads, gcc >= 4.5" depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS - depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8 + depends on BR2_TOOLCHAIN_HAS_ATOMIC depends on !BR2_TOOLCHAIN_HAS_THREADS || \ !BR2_TOOLCHAIN_GCC_AT_LEAST_4_5 diff --git a/buildroot/package/mpv/mpv.mk b/buildroot/package/mpv/mpv.mk index 8619de5a8..6801a0468 100644 --- a/buildroot/package/mpv/mpv.mk +++ b/buildroot/package/mpv/mpv.mk @@ -235,4 +235,8 @@ else MPV_CONF_OPTS += --disable-x11 endif +ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y) +MPV_CONF_ENV += LDFLAGS="$(TARGET_LDFLAGS) -latomic" +endif + $(eval $(waf-package)) diff --git a/buildroot/package/nginx/nginx.service b/buildroot/package/nginx/nginx.service index 320df9a80..9fd215fd3 100644 --- a/buildroot/package/nginx/nginx.service +++ b/buildroot/package/nginx/nginx.service @@ -4,7 +4,7 @@ After=syslog.target network.target [Service] Type=forking -PIDFile=/var/run/nginx.pid +PIDFile=/run/nginx.pid ExecStartPre=/usr/bin/mkdir -p /var/log/nginx /var/tmp/nginx ExecStartPre=/usr/sbin/nginx -t -q -g 'pid /var/run/nginx.pid; daemon on; master_process on;' ExecStart=/usr/sbin/nginx -g 'pid /var/run/nginx.pid; daemon on; master_process on;' diff --git a/buildroot/package/nodejs/nodejs.hash b/buildroot/package/nodejs/nodejs.hash index 60d69a863..33fb40788 100644 --- a/buildroot/package/nodejs/nodejs.hash +++ b/buildroot/package/nodejs/nodejs.hash @@ -1,5 +1,5 @@ -# From https://nodejs.org/dist/v12.18.0/SHASUMS256.txt -sha256 d4688636a378367f5157f02bd5c13902f5c193356f8f7a35c99dfa383b03b13f node-v12.18.0.tar.xz +# From https://nodejs.org/dist/v12.18.4/SHASUMS256.txt +sha256 25f03cb18e53b6d0959d0c219e701a85eb4693f526bdda7c72bc6199b364f609 node-v12.18.4.tar.xz # Hash for license file -sha256 cd2e5817a25d7d28efba927b01056cae04a616b673014159f9eafeb008a0e747 LICENSE +sha256 0dc03af08b95ea0c1e27f8fd591dee4383eb6f2c304db6eb6cdfb6751f7da87b LICENSE diff --git a/buildroot/package/nodejs/nodejs.mk b/buildroot/package/nodejs/nodejs.mk index 3f35ac7c3..b159b1025 100644 --- a/buildroot/package/nodejs/nodejs.mk +++ b/buildroot/package/nodejs/nodejs.mk @@ -4,13 +4,13 @@ # ################################################################################ -NODEJS_VERSION = 12.18.0 +NODEJS_VERSION = 12.18.4 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION) NODEJS_DEPENDENCIES = host-python host-nodejs c-ares \ libuv zlib nghttp2 \ $(call qstrip,$(BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL_DEPS)) -HOST_NODEJS_DEPENDENCIES = host-libopenssl host-python host-zlib +HOST_NODEJS_DEPENDENCIES = host-icu host-libopenssl host-python host-zlib NODEJS_INSTALL_STAGING = YES NODEJS_LICENSE = MIT (core code); MIT, Apache and BSD family licenses (Bundled components) NODEJS_LICENSE_FILES = LICENSE @@ -66,7 +66,7 @@ define HOST_NODEJS_CONFIGURE_CMDS --shared-openssl-libpath=$(HOST_DIR)/lib \ --shared-zlib \ --no-cross-compiling \ - --with-intl=small-icu \ + --with-intl=system-icu \ ) endef @@ -77,10 +77,13 @@ NODEJS_HOST_TOOLS_V8 = \ NODEJS_HOST_TOOLS_NODE = mkcodecache NODEJS_HOST_TOOLS = $(NODEJS_HOST_TOOLS_V8) $(NODEJS_HOST_TOOLS_NODE) +HOST_NODEJS_CXXFLAGS = $(HOST_CXXFLAGS) -DU_DISABLE_RENAMING=1 + define HOST_NODEJS_BUILD_CMDS $(HOST_MAKE_ENV) PYTHON=$(HOST_DIR)/bin/python2 \ $(MAKE) -C $(@D) \ $(HOST_CONFIGURE_OPTS) \ + CXXFLAGS="$(HOST_NODEJS_CXXFLAGS)" \ LDFLAGS.host="$(HOST_LDFLAGS)" \ NO_LOAD=cctest.target.mk \ PATH=$(@D)/bin:$(BR_PATH) @@ -90,6 +93,7 @@ define HOST_NODEJS_INSTALL_CMDS $(HOST_MAKE_ENV) PYTHON=$(HOST_DIR)/bin/python2 \ $(MAKE) -C $(@D) install \ $(HOST_CONFIGURE_OPTS) \ + CXXFLAGS="$(HOST_NODEJS_CXXFLAGS)" \ LDFLAGS.host="$(HOST_LDFLAGS)" \ NO_LOAD=cctest.target.mk \ PATH=$(@D)/bin:$(BR_PATH) diff --git a/buildroot/package/nss-pam-ldapd/nslcd.service b/buildroot/package/nss-pam-ldapd/nslcd.service index 6c0d71b24..5a000a8e4 100644 --- a/buildroot/package/nss-pam-ldapd/nslcd.service +++ b/buildroot/package/nss-pam-ldapd/nslcd.service @@ -4,7 +4,7 @@ After=syslog.target network.target [Service] Type=forking -PIDFile=/var/run/nslcd/nslcd.pid +PIDFile=/run/nslcd/nslcd.pid ExecStart=/usr/sbin/nslcd [Install] diff --git a/buildroot/package/nvidia-driver/nvidia-driver.mk b/buildroot/package/nvidia-driver/nvidia-driver.mk index baf2ba2be..44e34cb7b 100644 --- a/buildroot/package/nvidia-driver/nvidia-driver.mk +++ b/buildroot/package/nvidia-driver/nvidia-driver.mk @@ -35,7 +35,7 @@ NVIDIA_DRIVER_PROVIDES += libgl libegl libgles # NVidia extensions (which is deemed bad now), while the former follows # the newly-introduced vendor-neutral "dispatching" API/ABI: # https://github.com/aritger/linux-opengl-abi-proposal/blob/master/linux-opengl-abi-proposal.txt -# However, this is not very usefull to us, as we don't support multiple +# However, this is not very useful to us, as we don't support multiple # GL providers at the same time on the system, which this proposal is # aimed at supporting. # @@ -84,7 +84,7 @@ endef # Those libraries are 'private' libraries requiring an agreement with # NVidia to develop code for those libs. There seems to be no restriction # on using those libraries (e.g. if the user has such an agreement, or -# wants to run a third-party program developped under such an agreement). +# wants to run a third-party program developed under such an agreement). ifeq ($(BR2_PACKAGE_NVIDIA_DRIVER_PRIVATE_LIBS),y) NVIDIA_DRIVER_LIBS += \ libnvidia-ifr.so.$(NVIDIA_DRIVER_VERSION) \ diff --git a/buildroot/package/opencv/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch b/buildroot/package/opencv/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch new file mode 100644 index 000000000..683dd95d9 --- /dev/null +++ b/buildroot/package/opencv/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch @@ -0,0 +1,37 @@ +From f66fc199a20882c546fa31142e9c0f5a8b3cf983 Mon Sep 17 00:00:00 2001 +From: Florian Jung +Date: Wed, 29 Jul 2020 18:51:55 +0200 +Subject: [PATCH] Fix build of grfmt_jpeg2000.cpp + +libjasper has recently changed `jas_matrix_get` from a macro to an inline function +(389951d071 in https://github.com/jasper-software/jasper), causing the build to fail. + +[Retrieved (and backported) from: +https://github.com/opencv/opencv/commit/f66fc199a20882c546fa31142e9c0f5a8b3cf983] +Signed-off-by: Fabrice Fontaine +--- + modules/imgcodecs/src/grfmt_jpeg2000.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/modules/highgui/src/grfmt_jpeg2000.cpp b/modules/highgui/src/grfmt_jpeg2000.cpp +index fe69f80c86f..0f4d28d6f4d 100644 +--- a/modules/highgui/src/grfmt_jpeg2000.cpp ++++ b/modules/highgui/src/grfmt_jpeg2000.cpp +@@ -377,7 +377,7 @@ bool Jpeg2KDecoder::readComponent8u( uchar *data, void *_buffer, + + for( y = 0; y < yend - ystart; ) + { +- jas_seqent_t* pix_row = &jas_matrix_get( buffer, y / ystep, 0 ); ++ jas_seqent_t* pix_row = jas_matrix_getref( buffer, y / ystep, 0 ); + uchar* dst = data + (y - yoffset) * step - xoffset; + + if( xstep == 1 ) +@@ -443,7 +443,7 @@ bool Jpeg2KDecoder::readComponent16u( unsigned short *data, void *_buffer, + + for( y = 0; y < yend - ystart; ) + { +- jas_seqent_t* pix_row = &jas_matrix_get( buffer, y / ystep, 0 ); ++ jas_seqent_t* pix_row = jas_matrix_getref( buffer, y / ystep, 0 ); + ushort* dst = data + (y - yoffset) * step - xoffset; + + if( xstep == 1 ) diff --git a/buildroot/package/opencv3/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch b/buildroot/package/opencv3/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch new file mode 100644 index 000000000..e54fab852 --- /dev/null +++ b/buildroot/package/opencv3/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch @@ -0,0 +1,37 @@ +From f66fc199a20882c546fa31142e9c0f5a8b3cf983 Mon Sep 17 00:00:00 2001 +From: Florian Jung +Date: Wed, 29 Jul 2020 18:51:55 +0200 +Subject: [PATCH] Fix build of grfmt_jpeg2000.cpp + +libjasper has recently changed `jas_matrix_get` from a macro to an inline function +(389951d071 in https://github.com/jasper-software/jasper), causing the build to fail. + +[Retrieved from: +https://github.com/opencv/opencv/commit/f66fc199a20882c546fa31142e9c0f5a8b3cf983] +Signed-off-by: Fabrice Fontaine +--- + modules/imgcodecs/src/grfmt_jpeg2000.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/modules/imgcodecs/src/grfmt_jpeg2000.cpp b/modules/imgcodecs/src/grfmt_jpeg2000.cpp +index fe69f80c86f..0f4d28d6f4d 100644 +--- a/modules/imgcodecs/src/grfmt_jpeg2000.cpp ++++ b/modules/imgcodecs/src/grfmt_jpeg2000.cpp +@@ -377,7 +377,7 @@ bool Jpeg2KDecoder::readComponent8u( uchar *data, void *_buffer, + + for( y = 0; y < yend - ystart; ) + { +- jas_seqent_t* pix_row = &jas_matrix_get( buffer, y / ystep, 0 ); ++ jas_seqent_t* pix_row = jas_matrix_getref( buffer, y / ystep, 0 ); + uchar* dst = data + (y - yoffset) * step - xoffset; + + if( xstep == 1 ) +@@ -443,7 +443,7 @@ bool Jpeg2KDecoder::readComponent16u( unsigned short *data, void *_buffer, + + for( y = 0; y < yend - ystart; ) + { +- jas_seqent_t* pix_row = &jas_matrix_get( buffer, y / ystep, 0 ); ++ jas_seqent_t* pix_row = jas_matrix_getref( buffer, y / ystep, 0 ); + ushort* dst = data + (y - yoffset) * step - xoffset; + + if( xstep == 1 ) diff --git a/buildroot/package/openjpeg/0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch b/buildroot/package/openjpeg/0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch new file mode 100644 index 000000000..4c1b3eb2a --- /dev/null +++ b/buildroot/package/openjpeg/0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch @@ -0,0 +1,43 @@ +From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Sun, 28 Jun 2020 14:19:59 +0200 +Subject: [PATCH] opj_decompress: fix double-free on input directory with mix + of valid and invalid images (CVE-2020-15389) + +Fixes #1261 + +Credits to @Ruia-ruia for reporting and analysis. + +[Retrieved from: +https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0] +Signed-off-by: Fabrice Fontaine +--- + src/bin/jp2/opj_decompress.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c +index 7eeb0952f..2634907f0 100644 +--- a/src/bin/jp2/opj_decompress.c ++++ b/src/bin/jp2/opj_decompress.c +@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original) + int main(int argc, char **argv) + { + opj_decompress_parameters parameters; /* decompression parameters */ +- opj_image_t* image = NULL; +- opj_stream_t *l_stream = NULL; /* Stream */ +- opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ +- opj_codestream_index_t* cstr_index = NULL; + + OPJ_INT32 num_images, imageno; + img_fol_t img_fol; +@@ -1393,6 +1389,10 @@ int main(int argc, char **argv) + + /*Decoding image one by one*/ + for (imageno = 0; imageno < num_images ; imageno++) { ++ opj_image_t* image = NULL; ++ opj_stream_t *l_stream = NULL; /* Stream */ ++ opj_codec_t* l_codec = NULL; /* Handle to a decompressor */ ++ opj_codestream_index_t* cstr_index = NULL; + + if (!parameters.quiet) { + fprintf(stderr, "\n"); diff --git a/buildroot/package/openjpeg/openjpeg.mk b/buildroot/package/openjpeg/openjpeg.mk index 1ff3111d6..b65dbce80 100644 --- a/buildroot/package/openjpeg/openjpeg.mk +++ b/buildroot/package/openjpeg/openjpeg.mk @@ -20,6 +20,9 @@ OPENJPEG_IGNORE_CVES += CVE-2020-6851 # 0007-opj_tcd_init_tile-avoid-integer-overflow.patch OPENJPEG_IGNORE_CVES += CVE-2020-8112 +# 0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch +OPENJPEG_IGNORE_CVES += CVE-2020-15389 + OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib) OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_LIBPNG),libpng) OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_TIFF),tiff) diff --git a/buildroot/package/openvmtools/vmtoolsd.service b/buildroot/package/openvmtools/vmtoolsd.service index cb97357ec..1d2a3566c 100644 --- a/buildroot/package/openvmtools/vmtoolsd.service +++ b/buildroot/package/openvmtools/vmtoolsd.service @@ -5,8 +5,8 @@ ConditionVirtualization=vmware [Service] Type=forking -PIDFile=/var/run/vmtoolsd.pid -ExecStart=/usr/bin/vmtoolsd -b /var/run/vmtoolsd.pid +PIDFile=/run/vmtoolsd.pid +ExecStart=/usr/bin/vmtoolsd -b /run/vmtoolsd.pid Restart=on-failure KillMode=process KillSignal=SIGKILL diff --git a/buildroot/package/paho-mqtt-c/Config.in b/buildroot/package/paho-mqtt-c/Config.in index 3560d8c08..0f4b2a29b 100644 --- a/buildroot/package/paho-mqtt-c/Config.in +++ b/buildroot/package/paho-mqtt-c/Config.in @@ -1,11 +1,10 @@ config BR2_PACKAGE_PAHO_MQTT_C bool "paho-mqtt-c" - depends on !BR2_STATIC_LIBS # dlopen() depends on BR2_TOOLCHAIN_HAS_THREADS help MQTT client C library https://eclipse.org/paho/clients/c/ -comment "paho-mqtt-c needs a toolchain w/ threads and dynamic library support" - depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS +comment "paho-mqtt-c needs a toolchain w/ threads" + depends on !BR2_TOOLCHAIN_HAS_THREADS diff --git a/buildroot/package/paho-mqtt-c/paho-mqtt-c.hash b/buildroot/package/paho-mqtt-c/paho-mqtt-c.hash index bbfa2da38..3c1a27084 100644 --- a/buildroot/package/paho-mqtt-c/paho-mqtt-c.hash +++ b/buildroot/package/paho-mqtt-c/paho-mqtt-c.hash @@ -1,5 +1,5 @@ # Locally computed: -sha256 1ae9b657b693254ed0710350df3dcf5232d1f479409a52861b5e5bb5cc3da046 paho-mqtt-c-1.3.4.tar.gz +sha256 996eef9e498519da79108f58a887a34abc50cd76770b19b0300b27783706c71f paho-mqtt-c-1.3.5.tar.gz sha256 83bbba033dc985487e321b6dfde111772affb73460be48726299fed3da684b1c edl-v10 sha256 0becf16567beb77fa252b7664631dd177c8f9a1889e48995b45379c7130e5303 epl-v20 sha256 99d3a5c5cc2812f0593a85ec7c1b6dd83e8477b5090c01d9de0d49d49f367a4a LICENSE diff --git a/buildroot/package/paho-mqtt-c/paho-mqtt-c.mk b/buildroot/package/paho-mqtt-c/paho-mqtt-c.mk index aa2a0b026..e11f0687d 100644 --- a/buildroot/package/paho-mqtt-c/paho-mqtt-c.mk +++ b/buildroot/package/paho-mqtt-c/paho-mqtt-c.mk @@ -4,7 +4,7 @@ # ################################################################################ -PAHO_MQTT_C_VERSION = 1.3.4 +PAHO_MQTT_C_VERSION = 1.3.5 PAHO_MQTT_C_SITE = $(call github,eclipse,paho.mqtt.c,v$(PAHO_MQTT_C_VERSION)) PAHO_MQTT_C_LICENSE = EPL-2.0 or BSD-3-Clause PAHO_MQTT_C_LICENSE_FILES = epl-v20 edl-v10 LICENSE @@ -22,4 +22,18 @@ else PAHO_MQTT_C_CONF_OPTS += -DPAHO_WITH_SSL=FALSE endif +ifeq ($(BR2_SHARED_LIBS),y) +PAHO_MQTT_C_CONF_OPTS += \ + -DPAHO_BUILD_SHARED=TRUE \ + -DPAHO_BUILD_STATIC=FALSE +else ifeq ($(BR2_STATIC_LIBS),y) +PAHO_MQTT_C_CONF_OPTS += \ + -DPAHO_BUILD_SHARED=FALSE \ + -DPAHO_BUILD_STATIC=TRUE +else ifeq ($(BR2_SHARED_STATIC_LIBS),y) +PAHO_MQTT_C_CONF_OPTS += \ + -DPAHO_BUILD_SHARED=TRUE \ + -DPAHO_BUILD_STATIC=TRUE +endif + $(eval $(cmake-package)) diff --git a/buildroot/package/patchelf/0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch b/buildroot/package/patchelf/0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch index feec62768..f9f2537a6 100644 --- a/buildroot/package/patchelf/0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch +++ b/buildroot/package/patchelf/0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch @@ -167,7 +167,7 @@ index 1d9a772..35b4a33 100644 if (op == rpShrink && !rpath) { debug("no RPATH to shrink\n"); return; -@@ -1120,26 +1196,86 @@ void ElfFile::modifyRPath(RPathOp op, string newRPath) +@@ -1120,26 +1196,80 @@ void ElfFile::modifyRPath(RPathOp op, string newRPath) continue; } @@ -250,12 +250,6 @@ index 1d9a772..35b4a33 100644 + } + } + -+ if (!libFoundInRPath(canonicalPath, neededLibs, neededLibFound)) { -+ debug("removing directory '%s' from RPATH because it does not contain needed libs\n", -+ dirName.c_str()); -+ continue; -+ } -+ + /* Finally make "canonicalPath" relative to "filedir" in "rootDir" */ + if (relativeToFile) + concatToRPath(newRPath, makePathRelative(canonicalPath, fileDir)); @@ -268,7 +262,7 @@ index 1d9a772..35b4a33 100644 if (op == rpRemove) { if (!rpath) { debug("no RPATH to delete\n"); -@@ -1413,7 +1549,9 @@ static bool shrinkRPath = false; +@@ -1413,7 +1543,9 @@ static bool shrinkRPath = false; static bool removeRPath = false; static bool setRPath = false; static bool printRPath = false; @@ -278,7 +272,7 @@ index 1d9a772..35b4a33 100644 static set neededLibsToRemove; static map neededLibsToReplace; static set neededLibsToAdd; -@@ -1438,14 +1576,16 @@ static void patchElf2(ElfFile & elfFile) +@@ -1438,14 +1570,16 @@ static void patchElf2(ElfFile & elfFile) elfFile.setInterpreter(newInterpreter); if (printRPath) @@ -299,7 +293,7 @@ index 1d9a772..35b4a33 100644 if (printNeeded) elfFile.printNeededLibs(); -@@ -1508,6 +1648,9 @@ void showHelp(const string & progName) +@@ -1508,6 +1642,9 @@ void showHelp(const string & progName) [--set-rpath RPATH]\n\ [--remove-rpath]\n\ [--shrink-rpath]\n\ @@ -309,7 +303,7 @@ index 1d9a772..35b4a33 100644 [--print-rpath]\n\ [--force-rpath]\n\ [--add-needed LIBRARY]\n\ -@@ -1564,6 +1707,17 @@ int main(int argc, char * * argv) +@@ -1564,6 +1701,17 @@ int main(int argc, char * * argv) setRPath = true; newRPath = argv[i]; } diff --git a/buildroot/package/perl/perl.hash b/buildroot/package/perl/perl.hash index 7c153fedb..ba3a39d43 100644 --- a/buildroot/package/perl/perl.hash +++ b/buildroot/package/perl/perl.hash @@ -1,10 +1,10 @@ -# Hashes from: http://www.cpan.org/src/5.0/perl-5.30.2.tar.xz.{md5,sha1,sha256}.txt -md5 4bfa12b528522a50de0470b8b70b9b3b perl-5.30.2.tar.xz -sha1 d82cdaa610a3e749e821fc77004b1b4bfd5ebd28 perl-5.30.2.tar.xz -sha256 a1aa88bd6fbbdc2e82938afbb76c408b0ea847317737b712dc196cc7907a5259 perl-5.30.2.tar.xz +# Hashes from: http://www.cpan.org/src/5.0/perl-5.30.3.tar.xz.{md5,sha1,sha256}.txt +md5 0af2ab0f01ec13e37cc13a27de930936 perl-5.30.3.tar.xz +sha1 1003c6aa71d8966501038178459a9fa4e9aba747 perl-5.30.3.tar.xz +sha256 6967595f2e3f3a94544c35152f9a25e0cb8ea24ae45f4bf1882f2e33f4a400f4 perl-5.30.3.tar.xz -# Hashes from: https://github.com/arsv/perl-cross/releases/download/1.3.2/perl-cross-1.3.2.hash -sha256 defa12f0ad7be0b6c48b4f76e2fb5b37c1b37fbeb6e9ebe938279cd539a0c20c perl-cross-1.3.2.tar.gz +# Hashes from: https://github.com/arsv/perl-cross/releases/download/1.3.4/perl-cross-1.3.4.hash +sha256 755aa0ca8141a942188a269564f86c3c82349f82c346ed5c992495d7f35138ba perl-cross-1.3.4.tar.gz # Locally calculated sha256 dd90d4f42e4dcadf5a7c09eea0189d93c7b37ae560c91f0f6d5233ed3b9292a2 Artistic diff --git a/buildroot/package/perl/perl.mk b/buildroot/package/perl/perl.mk index c865fc768..2f82e1d6d 100644 --- a/buildroot/package/perl/perl.mk +++ b/buildroot/package/perl/perl.mk @@ -6,14 +6,14 @@ # When updating the version here, also update utils/scancpan PERL_VERSION_MAJOR = 30 -PERL_VERSION = 5.$(PERL_VERSION_MAJOR).2 +PERL_VERSION = 5.$(PERL_VERSION_MAJOR).3 PERL_SITE = http://www.cpan.org/src/5.0 PERL_SOURCE = perl-$(PERL_VERSION).tar.xz PERL_LICENSE = Artistic or GPL-1.0+ PERL_LICENSE_FILES = Artistic Copying README PERL_INSTALL_STAGING = YES -PERL_CROSS_VERSION = 1.3.2 +PERL_CROSS_VERSION = 1.3.4 # DO NOT refactor with the github helper (the result is not the same) PERL_CROSS_SITE = https://github.com/arsv/perl-cross/releases/download/$(PERL_CROSS_VERSION) PERL_CROSS_SOURCE = perl-cross-$(PERL_CROSS_VERSION).tar.gz diff --git a/buildroot/package/php/0002-iconv-tweak-iconv-detection.patch b/buildroot/package/php/0002-iconv-tweak-iconv-detection.patch index 1aa840013..a12041603 100644 --- a/buildroot/package/php/0002-iconv-tweak-iconv-detection.patch +++ b/buildroot/package/php/0002-iconv-tweak-iconv-detection.patch @@ -15,6 +15,8 @@ Signed-off-by: Gustavo Zacarias [Gustavo: update for 5.6.10] Signed-off-by: Adam Duskett [aduskett@gmail.com: Update for 7.3.0] +Signed-off-by: Bernd Kuhls +[Bernd: rebased for 7.4.10] --- build/php.m4 | 2 +- ext/iconv/config.m4 | 22 ---------------------- @@ -24,7 +26,7 @@ diff --git a/build/php.m4 b/build/php.m4 index 9586c490..8b3d47ed 100644 --- a/build/php.m4 +++ b/build/php.m4 -@@ -1971,7 +1971,7 @@ AC_DEFUN([PHP_SETUP_ICONV], [ +@@ -1965,7 +1965,7 @@ AC_DEFUN([PHP_SETUP_ICONV], [ dnl Check external libs for iconv funcs. if test "$found_iconv" = "no"; then diff --git a/buildroot/package/php/0003-configure-disable-the-phar-tool.patch b/buildroot/package/php/0003-configure-disable-the-phar-tool.patch index 7cc363797..aface92d7 100644 --- a/buildroot/package/php/0003-configure-disable-the-phar-tool.patch +++ b/buildroot/package/php/0003-configure-disable-the-phar-tool.patch @@ -12,6 +12,8 @@ Signed-off-by: Gustavo Zacarias [Gustavo: update for autoreconf/configure.in] Signed-off-by: Adam Duskett [Aduskett: update for 7.3.0] +Signed-off-by: Bernd Kuhls +[Bernd: rebased for 7.4.10] --- configure.ac | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) @@ -20,7 +22,7 @@ diff --git a/configure.ac b/configure.ac index 0dfab302..6026fb66 100644 --- a/configure.ac +++ b/configure.ac -@@ -1430,13 +1430,8 @@ CFLAGS="\$(CFLAGS_CLEAN) $standard_libtool_flag" +@@ -1453,13 +1453,8 @@ CFLAGS="\$(CFLAGS_CLEAN) $standard_libtool_flag" INLINE_CFLAGS="$INLINE_CFLAGS $standard_libtool_flag" CXXFLAGS="$CXXFLAGS $standard_libtool_flag \$(PROF_FLAGS)" diff --git a/buildroot/package/php/php.hash b/buildroot/package/php/php.hash index 47879eecc..77a0feb55 100644 --- a/buildroot/package/php/php.hash +++ b/buildroot/package/php/php.hash @@ -1,5 +1,5 @@ # From https://www.php.net/downloads.php -sha256 642843890b732e8af01cb661e823ae01472af1402f211c83009c9b3abd073245 php-7.4.8.tar.xz +sha256 5d31675a9b9c21b5bd03389418218c30b26558246870caba8eb54f5856e2d6ce php-7.4.11.tar.xz # License file sha256 0967ad6cf4b7fe81d38709d7aaef3fecb3bd685be7eebb37b864aa34c991baa7 LICENSE diff --git a/buildroot/package/php/php.mk b/buildroot/package/php/php.mk index 48af0f6fd..011c9019c 100644 --- a/buildroot/package/php/php.mk +++ b/buildroot/package/php/php.mk @@ -4,7 +4,7 @@ # ################################################################################ -PHP_VERSION = 7.4.8 +PHP_VERSION = 7.4.11 PHP_SITE = http://www.php.net/distributions PHP_SOURCE = php-$(PHP_VERSION).tar.xz PHP_INSTALL_STAGING = YES diff --git a/buildroot/package/pkg-kconfig.mk b/buildroot/package/pkg-kconfig.mk index e2d52ee8e..2aecf2e20 100644 --- a/buildroot/package/pkg-kconfig.mk +++ b/buildroot/package/pkg-kconfig.mk @@ -28,12 +28,12 @@ define kconfig-package-update-config endef PKG_KCONFIG_COMMON_OPTS = \ - HOSTCC=$(HOSTCC_NOCCACHE) + HOSTCC="$(HOSTCC_NOCCACHE)" # Macro to save the defconfig file # $(1): the name of the package in upper-case letters define kconfig-package-savedefconfig - $($(1)_MAKE_ENV) $(MAKE) -C $($(1)_DIR) \ + $($(1)_MAKE_ENV) $($(1)_MAKE) -C $($(1)_DIR) \ $(PKG_KCONFIG_COMMON_OPTS) $($(1)_KCONFIG_OPTS) savedefconfig endef @@ -89,6 +89,7 @@ $(2)_DEPENDENCIES += $$($(2)_KCONFIG_DEPENDENCIES) $(call inner-generic-package,$(1),$(2),$(3),$(4)) # Default values +$(2)_MAKE ?= $$(MAKE) $(2)_KCONFIG_EDITORS ?= menuconfig $(2)_KCONFIG_OPTS ?= $(2)_KCONFIG_FIXUP_CMDS ?= @@ -122,7 +123,7 @@ $$($(2)_KCONFIG_FILE) $$($(2)_KCONFIG_FRAGMENT_FILES): | $(1)-patch done $(2)_KCONFIG_MAKE = \ - $$($(2)_MAKE_ENV) $$(MAKE) -C $$($(2)_DIR) \ + $$($(2)_MAKE_ENV) $$($(2)_MAKE) -C $$($(2)_DIR) \ $$(PKG_KCONFIG_COMMON_OPTS) $$($(2)_KCONFIG_OPTS) # $(2)_KCONFIG_MAKE may already rely on shell expansion. As the $() syntax @@ -166,6 +167,7 @@ define $(2)_FIXUP_DOT_CONFIG $$(Q)touch $$($(2)_DIR)/.stamp_kconfig_fixup_done endef +$$($(2)_DIR)/.stamp_kconfig_fixup_done: PKG=$(2) $$($(2)_DIR)/.stamp_kconfig_fixup_done: $$($(2)_DIR)/$$($(2)_KCONFIG_STAMP_DOTCONFIG) $$($(2)_FIXUP_DOT_CONFIG) @@ -223,8 +225,9 @@ $(2)_CONFIGURATOR_MAKE_ENV = \ # end up having a valid @D. # $$(addprefix $(1)-,$$($(2)_KCONFIG_EDITORS)): $(1)-%: $$($(2)_DIR)/.kconfig_editor_% +$$($(2)_DIR)/.kconfig_editor_%: PKG=$(2) $$($(2)_DIR)/.kconfig_editor_%: $$($(2)_DIR)/.stamp_kconfig_fixup_done - $$($(2)_CONFIGURATOR_MAKE_ENV) $$(MAKE) -C $$($(2)_DIR) \ + $$($(2)_CONFIGURATOR_MAKE_ENV) $$($(2)_MAKE) -C $$($(2)_DIR) \ $$(PKG_KCONFIG_COMMON_OPTS) $$($(2)_KCONFIG_OPTS) $$(*) rm -f $$($(2)_DIR)/.stamp_{kconfig_fixup_done,configured,built} rm -f $$($(2)_DIR)/.stamp_{target,staging,images}_installed diff --git a/buildroot/package/pkg-meson.mk b/buildroot/package/pkg-meson.mk index 97129d808..185832bd0 100644 --- a/buildroot/package/pkg-meson.mk +++ b/buildroot/package/pkg-meson.mk @@ -193,7 +193,7 @@ define PKG_MESON_INSTALL_CROSS_CONF -e 's%@TARGET_CXXFLAGS@%$(call make-comma-list,$(TARGET_CXXFLAGS))@PKG_TARGET_CFLAGS@%g' \ -e 's%@HOST_DIR@%$(HOST_DIR)%g' \ -e 's%@STAGING_DIR@%$(STAGING_DIR)%g' \ - -e 's%@STATIC@%$$(if $$(BR2_STATIC_LIBS),true,false)%g' \ + -e 's%@STATIC@%$(if $(BR2_STATIC_LIBS),true,false)%g' \ $(HOST_MESON_PKGDIR)/cross-compilation.conf.in \ > $(HOST_DIR)/etc/meson/cross-compilation.conf.in sed -e 's%@PKG_TARGET_CFLAGS@%%g' \ @@ -203,4 +203,4 @@ define PKG_MESON_INSTALL_CROSS_CONF > $(HOST_DIR)/etc/meson/cross-compilation.conf endef -TOOLCHAIN_POST_INSTALL_STAGING_HOOKS += PKG_MESON_INSTALL_CROSS_CONF +TOOLCHAIN_TARGET_FINALIZE_HOOKS += PKG_MESON_INSTALL_CROSS_CONF diff --git a/buildroot/package/pkg-utils.mk b/buildroot/package/pkg-utils.mk index d324934db..c4cafeeee 100644 --- a/buildroot/package/pkg-utils.mk +++ b/buildroot/package/pkg-utils.mk @@ -11,20 +11,27 @@ # package, and more. # -define KCONFIG_ENABLE_OPT # (option, file) - $(SED) "/\\<$(1)\\>/d" $(2) - echo '$(1)=y' >> $(2) +# KCONFIG_DOT_CONFIG ([file]) +# Returns the path to the .config file that should be used, which will +# be $(1) if provided, or the current package .config file otherwise. +KCONFIG_DOT_CONFIG = $(strip \ + $(if $(strip $(1)), $(1), \ + $($(PKG)_BUILDDIR)/$($(PKG)_KCONFIG_DOTCONFIG) \ + ) \ +) + +# KCONFIG_MUNGE_DOT_CONFIG (option, newline [, file]) +define KCONFIG_MUNGE_DOT_CONFIG + $(SED) "/\\<$(strip $(1))\\>/d" $(call KCONFIG_DOT_CONFIG,$(3)) + echo '$(strip $(2))' >> $(call KCONFIG_DOT_CONFIG,$(3)) endef -define KCONFIG_SET_OPT # (option, value, file) - $(SED) "/\\<$(1)\\>/d" $(3) - echo '$(1)=$(2)' >> $(3) -endef - -define KCONFIG_DISABLE_OPT # (option, file) - $(SED) "/\\<$(1)\\>/d" $(2) - echo '# $(1) is not set' >> $(2) -endef +# KCONFIG_ENABLE_OPT (option [, file]) +KCONFIG_ENABLE_OPT = $(call KCONFIG_MUNGE_DOT_CONFIG, $(1), $(1)=y, $(2)) +# KCONFIG_SET_OPT (option, value [, file]) +KCONFIG_SET_OPT = $(call KCONFIG_MUNGE_DOT_CONFIG, $(1), $(1)=$(2), $(3)) +# KCONFIG_DISABLE_OPT (option [, file]) +KCONFIG_DISABLE_OPT = $(call KCONFIG_MUNGE_DOT_CONFIG, $(1), $(SHARP_SIGN) $(1) is not set, $(2)) # Helper functions to determine the name of a package and its # directory from its makefile directory, using the $(MAKEFILE_LIST) diff --git a/buildroot/package/postgresql/pg_config b/buildroot/package/postgresql/pg_config index 642252f27..59a9e6cfa 100644 --- a/buildroot/package/postgresql/pg_config +++ b/buildroot/package/postgresql/pg_config @@ -11,12 +11,18 @@ case "$1" in --includedir) echo "$prefix/include" ;; + --includedir-server) + echo "$prefix/include/postgresql/server" + ;; --libdir) echo "$prefix/lib" ;; --version) echo "PostgreSQL @POSTGRESQL_VERSION@" ;; + --configure) + echo "@POSTGRESQL_CONF_OPTIONS@" + ;; *) - echo "Usage: $0 {--includedir|--libdir|--version}" + echo "Usage: $0 {--includedir|--includedir-server|--libdir|--version|--configure}" esac diff --git a/buildroot/package/postgresql/postgresql.hash b/buildroot/package/postgresql/postgresql.hash index 7cb0c67d6..4e410d187 100644 --- a/buildroot/package/postgresql/postgresql.hash +++ b/buildroot/package/postgresql/postgresql.hash @@ -1,7 +1,7 @@ -# From https://ftp.postgresql.org/pub/source/v12.2/postgresql-12.2.tar.bz2.md5 -md5 a88ceea8ecf2741307f663e4539b58b7 postgresql-12.2.tar.bz2 -# From https://ftp.postgresql.org/pub/source/v12.2/postgresql-12.2.tar.bz2.sha256 -sha256 ad1dcc4c4fc500786b745635a9e1eba950195ce20b8913f50345bb7d5369b5de postgresql-12.2.tar.bz2 +# From https://ftp.postgresql.org/pub/source/v12.4/postgresql-12.4.tar.bz2.md5 +md5 80ebbf0e55193b123760e5f8e48c6cff postgresql-12.4.tar.bz2 +# From https://ftp.postgresql.org/pub/source/v12.4/postgresql-12.4.tar.bz2.sha256 +sha256 bee93fbe2c32f59419cb162bcc0145c58da9a8644ee154a30b9a5ce47de606cc postgresql-12.4.tar.bz2 # License file, Locally calculated -sha256 739e5d454d81d31a482469338b7c856f1f5c6b4cdda1551cea6f0f6d18eef62c COPYRIGHT +sha256 739e5d454d81d31a482469338b7c856f1f5c6b4cdda1551cea6f0f6d18eef62c COPYRIGHT diff --git a/buildroot/package/postgresql/postgresql.mk b/buildroot/package/postgresql/postgresql.mk index 378197d33..3630b5a38 100644 --- a/buildroot/package/postgresql/postgresql.mk +++ b/buildroot/package/postgresql/postgresql.mk @@ -4,7 +4,7 @@ # ################################################################################ -POSTGRESQL_VERSION = 12.2 +POSTGRESQL_VERSION = 12.4 POSTGRESQL_SOURCE = postgresql-$(POSTGRESQL_VERSION).tar.bz2 POSTGRESQL_SITE = https://ftp.postgresql.org/pub/source/v$(POSTGRESQL_VERSION) POSTGRESQL_LICENSE = PostgreSQL @@ -115,6 +115,7 @@ POSTGRESQL_POST_INSTALL_TARGET_HOOKS += POSTGRESQL_INSTALL_TARGET_FIXUP define POSTGRESQL_INSTALL_CUSTOM_PG_CONFIG $(INSTALL) -m 0755 -D package/postgresql/pg_config \ $(STAGING_DIR)/usr/bin/pg_config + $(SED) "s|@POSTGRESQL_CONF_OPTIONS@|$(POSTGRESQL_CONF_OPTS)|g" $(STAGING_DIR)/usr/bin/pg_config $(SED) "s|@POSTGRESQL_VERSION@|$(POSTGRESQL_VERSION)|g" $(STAGING_DIR)/usr/bin/pg_config endef diff --git a/buildroot/package/postgresql/postgresql.service b/buildroot/package/postgresql/postgresql.service index 53e6f84f0..539eea896 100644 --- a/buildroot/package/postgresql/postgresql.service +++ b/buildroot/package/postgresql/postgresql.service @@ -15,7 +15,6 @@ Group=postgres StandardOutput=syslog StandardError=syslog SyslogIdentifier=postgres -PIDFile=/var/lib/pgsql/postmaster.pid ExecStartPre=/bin/sh -c "if [ ! -f /var/lib/pgsql/PG_VERSION ]; then /usr/bin/pg_ctl initdb -D /var/lib/pgsql; fi" ExecStart=/usr/bin/postgres -D /var/lib/pgsql diff --git a/buildroot/package/python-aenum/python-aenum.mk b/buildroot/package/python-aenum/python-aenum.mk index 1d5322ef4..97fcbb5e8 100644 --- a/buildroot/package/python-aenum/python-aenum.mk +++ b/buildroot/package/python-aenum/python-aenum.mk @@ -11,4 +11,13 @@ PYTHON_AENUM_SETUP_TYPE = setuptools PYTHON_AENUM_LICENSE = BSD-3-Clause PYTHON_AENUM_LICENSE_FILES = aenum/LICENSE +ifeq ($(BR2_PACKAGE_PYTHON),y) +# only needed/valid for python 3.x +define PYTHON_AENUM_RM_PY3_FILE + rm -f $(TARGET_DIR)/usr/lib/python*/site-packages/aenum/test_v3.py +endef + +PYTHON_AENUM_POST_INSTALL_TARGET_HOOKS += PYTHON_AENUM_RM_PY3_FILE +endif + $(eval $(python-package)) diff --git a/buildroot/package/python-autobahn/python-autobahn.mk b/buildroot/package/python-autobahn/python-autobahn.mk index 6c5c608b9..4b367177a 100644 --- a/buildroot/package/python-autobahn/python-autobahn.mk +++ b/buildroot/package/python-autobahn/python-autobahn.mk @@ -11,4 +11,15 @@ PYTHON_AUTOBAHN_LICENSE = MIT PYTHON_AUTOBAHN_LICENSE_FILES = LICENSE PYTHON_AUTOBAHN_SETUP_TYPE = setuptools +ifeq ($(BR2_PACKAGE_PYTHON),y) +# only needed/valid for python 3.x +define PYTHON_AUTOBAHN_RM_PY3_FILES + rm -rf $(TARGET_DIR)/usr/lib/python*/site-packages/autobahn/asyncio \ + $(TARGET_DIR)/usr/lib/python*/site-packages/autobahn/xbr \ + $(TARGET_DIR)/usr/lib/python*/site-packages/autobahn/twisted/xbr.py +endef + +PYTHON_AUTOBAHN_POST_INSTALL_TARGET_HOOKS += PYTHON_AUTOBAHN_RM_PY3_FILES +endif + $(eval $(python-package)) diff --git a/buildroot/package/python-cycler/Config.in b/buildroot/package/python-cycler/Config.in index 854873c96..813bc69dd 100644 --- a/buildroot/package/python-cycler/Config.in +++ b/buildroot/package/python-cycler/Config.in @@ -1,6 +1,5 @@ config BR2_PACKAGE_PYTHON_CYCLER bool "python-cycler" - depends on BR2_PACKAGE_PYTHON || BR2_PACKAGE_PYTHON3 help Creates a Cycler objects much like cycler, but includes input validation. diff --git a/buildroot/package/python-django/python-django.hash b/buildroot/package/python-django/python-django.hash index af5e4bb6e..8aebe6216 100644 --- a/buildroot/package/python-django/python-django.hash +++ b/buildroot/package/python-django/python-django.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/django/json -md5 0b0299419770eaff86ff3a4af519cd6a Django-3.0.4.tar.gz -sha256 50b781f6cbeb98f673aa76ed8e572a019a45e52bdd4ad09001072dfd91ab07c8 Django-3.0.4.tar.gz +md5 deec48e8713727e443a7cee6b54baaeb Django-3.0.10.tar.gz +sha256 2d14be521c3ae24960e5e83d4575e156a8c479a75c935224b671b1c6e66eddaf Django-3.0.10.tar.gz # Locally computed sha256 checksums sha256 b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669 LICENSE diff --git a/buildroot/package/python-django/python-django.mk b/buildroot/package/python-django/python-django.mk index 0cc5749a9..97bf75320 100644 --- a/buildroot/package/python-django/python-django.mk +++ b/buildroot/package/python-django/python-django.mk @@ -4,10 +4,10 @@ # ################################################################################ -PYTHON_DJANGO_VERSION = 3.0.4 +PYTHON_DJANGO_VERSION = 3.0.10 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz # The official Django site has an unpractical URL -PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/1d/38/89ea18b5aeb9b56fff7430388946e8e9dfd7a451f3e6ddb8a9b637f442c1 +PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/f4/09/d7c995b128bec61233cfea0e5fa40e442cae54c127b4b2b0881e1fdd0023 PYTHON_DJANGO_LICENSE = BSD-3-Clause PYTHON_DJANGO_LICENSE_FILES = LICENSE PYTHON_DJANGO_SETUP_TYPE = setuptools diff --git a/buildroot/package/python-engineio/python-engineio.mk b/buildroot/package/python-engineio/python-engineio.mk index 62036a9c7..507a0f27f 100644 --- a/buildroot/package/python-engineio/python-engineio.mk +++ b/buildroot/package/python-engineio/python-engineio.mk @@ -10,4 +10,14 @@ PYTHON_ENGINEIO_SETUP_TYPE = setuptools PYTHON_ENGINEIO_LICENSE = MIT PYTHON_ENGINEIO_LICENSE_FILES = LICENSE +ifeq ($(BR2_PACKAGE_PYTHON),y) +# only needed/valid for python 3.x +define PYTHON_ENGINEIO_RM_PY3_FILES + rm -rf $(TARGET_DIR)/usr/lib/python*/site-packages/engineio/async_drivers \ + $(TARGET_DIR)/usr/lib/python*/site-packages/engineio/asyncio_*.py +endef + +PYTHON_ENGINEIO_POST_INSTALL_TARGET_HOOKS += PYTHON_ENGINEIO_RM_PY3_FILES +endif + $(eval $(python-package)) diff --git a/buildroot/package/python-fire/python-fire.mk b/buildroot/package/python-fire/python-fire.mk index 6471a4d14..5f41a83f7 100644 --- a/buildroot/package/python-fire/python-fire.mk +++ b/buildroot/package/python-fire/python-fire.mk @@ -11,4 +11,13 @@ PYTHON_FIRE_SETUP_TYPE = setuptools PYTHON_FIRE_LICENSE = Apache-2.0 PYTHON_FIRE_LICENSE_FILES = LICENSE +ifeq ($(BR2_PACKAGE_PYTHON),y) +# only needed/valid for python 3.x +define PYTHON_FIRE_RM_PY3_FILE + rm -f $(TARGET_DIR)/usr/lib/python*/site-packages/fire/test_components_py3.py +endef + +PYTHON_FIRE_POST_INSTALL_TARGET_HOOKS += PYTHON_FIRE_RM_PY3_FILE +endif + $(eval $(python-package)) diff --git a/buildroot/package/python-gunicorn/Config.in b/buildroot/package/python-gunicorn/Config.in index 518157bf9..b3d11cf19 100644 --- a/buildroot/package/python-gunicorn/Config.in +++ b/buildroot/package/python-gunicorn/Config.in @@ -1,5 +1,6 @@ config BR2_PACKAGE_PYTHON_GUNICORN bool "python-gunicorn" + select BR2_PACKAGE_PYTHON_SETUPTOOLS # runtime select BR2_PACKAGE_PYTHON_SSL if BR2_PACKAGE_PYTHON # runtime select BR2_PACKAGE_PYTHON3_SSL if BR2_PACKAGE_PYTHON3 # runtime help diff --git a/buildroot/package/python-matplotlib/0002-Merge-pull-request-11983-from-anntzer-builddepchecks.patch b/buildroot/package/python-matplotlib/0002-Merge-pull-request-11983-from-anntzer-builddepchecks.patch new file mode 100644 index 000000000..b3a22acbb --- /dev/null +++ b/buildroot/package/python-matplotlib/0002-Merge-pull-request-11983-from-anntzer-builddepchecks.patch @@ -0,0 +1,170 @@ +From 923ce72409f184bd8e8c61b196260891036ba87e Mon Sep 17 00:00:00 2001 +From: Antony Lee +Date: Thu, 30 Aug 2018 15:27:55 +0200 +Subject: [PATCH] Simplify version checks for freetype and libpng. + +Currently, setupext.py replicates a lot of work done by the compiler to +check whether header files are present, and whether freetype and libpng +have sufficiently recent versions. + +Instead, we can just add a small stub source file at the top of the +extension sources which just tries to include the header and checks the +version macros. If the header is not found, compilation will +immediately abort with `foo.h: No such file or directory`; if the +version is too old, we can emit an appropriate error message (`#pragma +message` is supported by all major compilers and allows expanding of +macros in the error message). + +[Retrieved from: +https://github.com/matplotlib/matplotlib/commit/d1060a885309ec7ac19ca912d3011a5eb1673bd5] +Signed-off-by: Fabrice Fontaine +--- + setupext.py | 83 +++++----------------------------------- + src/checkdep_freetype2.c | 13 +++++++ + src/checkdep_libpng.c | 5 +++ + 3 files changed, 28 insertions(+), 73 deletions(-) + create mode 100644 src/checkdep_freetype2.c + create mode 100644 src/checkdep_libpng.c + +diff --git a/setupext.py b/setupext.py +index d5f4b81f562..a5163e39288 100644 +--- a/setupext.py ++++ b/setupext.py +@@ -814,6 +814,13 @@ def add_flags(self, ext, add_sources=True): + for x in agg_sources) + + ++# For FreeType2 and libpng, we add a separate checkdep_foo.c source to at the ++# top of the extension sources. This file is compiled first and immediately ++# aborts the compilation either with "foo.h: No such file or directory" if the ++# header is not found, or an appropriate error message if the header indicates ++# a too-old version. ++ ++ + class FreeType(SetupPackage): + name = "freetype" + pkg_names = { +@@ -825,59 +832,8 @@ class FreeType(SetupPackage): + "windows_url": "http://gnuwin32.sourceforge.net/packages/freetype.htm" + } + +- def check(self): +- if options.get('local_freetype'): +- return "Using local version for testing" +- +- if sys.platform == 'win32': +- try: +- check_include_file(get_include_dirs(), 'ft2build.h', 'freetype') +- except CheckFailed: +- check_include_file(get_include_dirs(), os.path.join('freetype2', 'ft2build.h'), 'freetype') +- return 'Using unknown version found on system.' +- +- status, output = subprocess.getstatusoutput( +- "freetype-config --ftversion") +- if status == 0: +- version = output +- else: +- version = None +- +- # Early versions of freetype grep badly inside freetype-config, +- # so catch those cases. (tested with 2.5.3). +- if version is None or 'No such file or directory\ngrep:' in version: +- version = self.version_from_header() +- +- # pkg_config returns the libtool version rather than the +- # freetype version so we need to explicitly pass the version +- # to _check_for_pkg_config +- return self._check_for_pkg_config( +- 'freetype2', 'ft2build.h', +- min_version='2.3', version=version) +- +- def version_from_header(self): +- version = 'unknown' +- ext = self.get_extension() +- if ext is None: +- return version +- # Return the first version found in the include dirs. +- for include_dir in ext.include_dirs: +- header_fname = os.path.join(include_dir, 'freetype.h') +- if os.path.exists(header_fname): +- major, minor, patch = 0, 0, 0 +- with open(header_fname, 'r') as fh: +- for line in fh: +- if line.startswith('#define FREETYPE_'): +- value = line.rsplit(' ', 1)[1].strip() +- if 'MAJOR' in line: +- major = value +- elif 'MINOR' in line: +- minor = value +- else: +- patch = value +- return '.'.join([major, minor, patch]) +- + def add_flags(self, ext): ++ ext.sources.insert(0, 'src/checkdep_freetype2.c') + if options.get('local_freetype'): + src_path = os.path.join( + 'build', 'freetype-{0}'.format(LOCAL_FREETYPE_VERSION)) +@@ -1058,30 +1014,11 @@ class Png(SetupPackage): + "windows_url": "http://gnuwin32.sourceforge.net/packages/libpng.htm" + } + +- def check(self): +- if sys.platform == 'win32': +- check_include_file(get_include_dirs(), 'png.h', 'png') +- return 'Using unknown version found on system.' +- +- status, output = subprocess.getstatusoutput("libpng-config --version") +- if status == 0: +- version = output +- else: +- version = None +- +- try: +- return self._check_for_pkg_config( +- 'libpng', 'png.h', +- min_version='1.2', version=version) +- except CheckFailed as e: +- if has_include_file(get_include_dirs(), 'png.h'): +- return str(e) + ' Using unknown version found on system.' +- raise +- + def get_extension(self): + sources = [ ++ 'src/checkdep_libpng.c', + 'src/_png.cpp', +- 'src/mplutils.cpp' ++ 'src/mplutils.cpp', + ] + ext = make_extension('matplotlib._png', sources) + pkg_config.setup_extension( +diff --git a/src/checkdep_freetype2.c b/src/checkdep_freetype2.c +new file mode 100644 +index 00000000000..bf9a8c94e38 +--- /dev/null ++++ b/src/checkdep_freetype2.c +@@ -0,0 +1,13 @@ ++#include ++#include FT_FREETYPE_H ++ ++#define XSTR(x) STR(x) ++#define STR(x) #x ++ ++#pragma message("Compiling with FreeType version " \ ++ XSTR(FREETYPE_MAJOR) "." XSTR(FREETYPE_MINOR) "." XSTR(FREETYPE_PATCH) ".") ++#if FREETYPE_MAJOR << 16 + FREETYPE_MINOR << 8 + FREETYPE_PATCH < 0x020300 ++ #error "FreeType version 2.3 or higher is required." \ ++ "Consider setting the MPLLOCALFREETYPE environment variable to 1." ++ #error ++#endif +diff --git a/src/checkdep_libpng.c b/src/checkdep_libpng.c +new file mode 100644 +index 00000000000..5ebe5cbe4d7 +--- /dev/null ++++ b/src/checkdep_libpng.c +@@ -0,0 +1,5 @@ ++#include ++#pragma message("Compiling with libpng version " PNG_LIBPNG_VER_STRING ".") ++#if PNG_LIBPNG_VER < 10200 ++ #error "libpng version 1.2 or higher is required." ++#endif diff --git a/buildroot/package/python-pymodbus/python-pymodbus.mk b/buildroot/package/python-pymodbus/python-pymodbus.mk index d96e21a55..9135a4d0c 100644 --- a/buildroot/package/python-pymodbus/python-pymodbus.mk +++ b/buildroot/package/python-pymodbus/python-pymodbus.mk @@ -11,4 +11,13 @@ PYTHON_PYMODBUS_SETUP_TYPE = setuptools PYTHON_PYMODBUS_LICENSE = BSD-3-Clause PYTHON_PYMODBUS_LICENSE_FILES = doc/LICENSE +ifeq ($(BR2_PACKAGE_PYTHON),y) +# only needed/valid for python 3.x +define PYTHON_PYMODBUS_RM_PY3_FILES + rm -rf $(TARGET_DIR)/usr/lib/python*/site-packages/pymodbus/client/asynchronous/asyncio +endef + +PYTHON_PYMODBUS_POST_INSTALL_TARGET_HOOKS += PYTHON_PYMODBUS_RM_PY3_FILES +endif + $(eval $(python-package)) diff --git a/buildroot/package/python-scapy/0001-Small-Python-2-fix.patch b/buildroot/package/python-scapy/0001-Small-Python-2-fix.patch new file mode 100644 index 000000000..562838d53 --- /dev/null +++ b/buildroot/package/python-scapy/0001-Small-Python-2-fix.patch @@ -0,0 +1,26 @@ +From 0c3d5e417bbd923c4729d15572c3d693d58aff81 Mon Sep 17 00:00:00 2001 +From: Gabriel +Date: Wed, 21 Aug 2019 18:18:14 +0800 +Subject: [PATCH] Small Python 2 fix + +Signed-off-by: Peter Korsgaard +--- + scapy/tools/generate_ethertypes.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scapy/tools/generate_ethertypes.py b/scapy/tools/generate_ethertypes.py +index 5bc5cdf9..47c38c4f 100644 +--- a/scapy/tools/generate_ethertypes.py ++++ b/scapy/tools/generate_ethertypes.py +@@ -20,7 +20,7 @@ URL = "https://raw.githubusercontent.com/openbsd/src/master/sys/net/ethertypes.h + with urllib.request.urlopen(URL) as stream: + DATA = stream.read() + +-reg = rb".*ETHERTYPE_([^\s]+)\s.0x([0-9A-Fa-f]+).*\/\*(.*)\*\/" ++reg = br".*ETHERTYPE_([^\s]+)\s.0x([0-9A-Fa-f]+).*\/\*(.*)\*\/" + COMPILED = b"""# + # Ethernet frame types + # This file describes some of the various Ethernet +-- +2.20.1 + diff --git a/buildroot/package/python-semver/python-semver.hash b/buildroot/package/python-semver/python-semver.hash index 60aaa6b8c..5c13764e5 100644 --- a/buildroot/package/python-semver/python-semver.hash +++ b/buildroot/package/python-semver/python-semver.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/semver/json -md5 a411b305a3f6714bca126a0b59dc4429 semver-2.9.0.tar.gz -sha256 ed1edeaa0c27f68feb74f09f715077fd07b728446dc2bb7fc470fc0f737873a0 semver-2.9.0.tar.gz +md5 3e11ae9782121e8ffe9f8a8b763a8cb5 semver-2.10.2.tar.gz +sha256 c0a4a9d1e45557297a722ee9bac3de2ec2ea79016b6ffcaca609b0bc62cf4276 semver-2.10.2.tar.gz # Locally computed -sha256 cda490c32e61d3884dc17791fc8078f2a3e564fba98dd18b4dc64eb2720b2b6f LICENSE.txt +sha256 cda490c32e61d3884dc17791fc8078f2a3e564fba98dd18b4dc64eb2720b2b6f LICENSE.txt diff --git a/buildroot/package/python-semver/python-semver.mk b/buildroot/package/python-semver/python-semver.mk index 6e1faef12..32ed6b971 100644 --- a/buildroot/package/python-semver/python-semver.mk +++ b/buildroot/package/python-semver/python-semver.mk @@ -4,9 +4,9 @@ # ################################################################################ -PYTHON_SEMVER_VERSION = 2.9.0 +PYTHON_SEMVER_VERSION = 2.10.2 PYTHON_SEMVER_SOURCE = semver-$(PYTHON_SEMVER_VERSION).tar.gz -PYTHON_SEMVER_SITE = https://files.pythonhosted.org/packages/be/c8/392e3c1c4080202b99e8b3b5d0ab6cbcfc4b25d50031c2c21d130871bf88 +PYTHON_SEMVER_SITE = https://files.pythonhosted.org/packages/aa/e8/cb894f70a52887f001aff5f264f68272c21fa58268495aca17df396c161f PYTHON_SEMVER_SETUP_TYPE = setuptools PYTHON_SEMVER_LICENSE = BSD-3-Clause PYTHON_SEMVER_LICENSE_FILES = LICENSE.txt diff --git a/buildroot/package/python-sentry-sdk/python-sentry-sdk.mk b/buildroot/package/python-sentry-sdk/python-sentry-sdk.mk index dd47e7c0c..2dcf4bce0 100644 --- a/buildroot/package/python-sentry-sdk/python-sentry-sdk.mk +++ b/buildroot/package/python-sentry-sdk/python-sentry-sdk.mk @@ -11,4 +11,14 @@ PYTHON_SENTRY_SDK_SETUP_TYPE = setuptools PYTHON_SENTRY_SDK_LICENSE = BSD-2-Clause PYTHON_SENTRY_SDK_LICENSE_FILES = LICENSE +ifeq ($(BR2_PACKAGE_PYTHON),y) +# only needed/valid for python 3.x +define PYTHON_SENTRY_SDK_RM_PY3_FILES + rm -f $(addprefix $(TARGET_DIR)/usr/lib/python*/site-packages/sentry_sdk/integrations/,\ + aiohttp.py asgi.py django/asgi.py sanic.py tornado.py) +endef + +PYTHON_SENTRY_SDK_POST_INSTALL_TARGET_HOOKS += PYTHON_SENTRY_SDK_RM_PY3_FILES +endif + $(eval $(python-package)) diff --git a/buildroot/package/python-socketio/python-socketio.mk b/buildroot/package/python-socketio/python-socketio.mk index ece4f65b7..73dab26f3 100644 --- a/buildroot/package/python-socketio/python-socketio.mk +++ b/buildroot/package/python-socketio/python-socketio.mk @@ -10,4 +10,14 @@ PYTHON_SOCKETIO_SETUP_TYPE = setuptools PYTHON_SOCKETIO_LICENSE = MIT PYTHON_SOCKETIO_LICENSE_FILES = LICENSE +ifeq ($(BR2_PACKAGE_PYTHON),y) +# only needed/valid for python 3.x +define PYTHON_SOCKETIO_RM_PY3_FILES + rm -f $(TARGET_DIR)/usr/lib/python*/site-packages/socketio/asgi.py \ + $(TARGET_DIR)/usr/lib/python*/site-packages/socketio/asyncio_*.py +endef + +PYTHON_SOCKETIO_POST_INSTALL_TARGET_HOOKS += PYTHON_SOCKETIO_RM_PY3_FILES +endif + $(eval $(python-package)) diff --git a/buildroot/package/python-texttable/python-texttable.hash b/buildroot/package/python-texttable/python-texttable.hash index 367eb8d60..a69e8ed46 100644 --- a/buildroot/package/python-texttable/python-texttable.hash +++ b/buildroot/package/python-texttable/python-texttable.hash @@ -1,5 +1,5 @@ # md5, sha256 from https://pypi.org/pypi/texttable/json -md5 763141f0bdf598cdc5cf780ed4d2eb94 texttable-1.6.2.tar.gz -sha256 eff3703781fbc7750125f50e10f001195174f13825a92a45e9403037d539b4f4 texttable-1.6.2.tar.gz +md5 68e6b31d36f5c20221da7d5db3eca772 texttable-1.6.3.tar.gz +sha256 ce0faf21aa77d806bbff22b107cc22cce68dc9438f97a2df32c93e9afa4ce436 texttable-1.6.3.tar.gz # Locally computed sha256 checksums -sha256 181d0c3366cc36fd6ae7d023b23a743581003fd42974c8983ea40f7161faeaf3 LICENSE +sha256 4ba7bdab54504a3bc44eb33ecca873a26a63ab902822101a87bb46235da63594 LICENSE diff --git a/buildroot/package/python-texttable/python-texttable.mk b/buildroot/package/python-texttable/python-texttable.mk index 3b173a35e..6af23917b 100644 --- a/buildroot/package/python-texttable/python-texttable.mk +++ b/buildroot/package/python-texttable/python-texttable.mk @@ -4,9 +4,9 @@ # ################################################################################ -PYTHON_TEXTTABLE_VERSION = 1.6.2 +PYTHON_TEXTTABLE_VERSION = 1.6.3 PYTHON_TEXTTABLE_SOURCE = texttable-$(PYTHON_TEXTTABLE_VERSION).tar.gz -PYTHON_TEXTTABLE_SITE = https://files.pythonhosted.org/packages/82/a8/60df592e3a100a1f83928795aca210414d72cebdc6e4e0c95a6d8ac632fe +PYTHON_TEXTTABLE_SITE = https://files.pythonhosted.org/packages/f5/be/716342325d6d6e05608e3a10e15f192f3723e454a25ce14bc9b9d1332772 PYTHON_TEXTTABLE_SETUP_TYPE = setuptools PYTHON_TEXTTABLE_LICENSE = MIT PYTHON_TEXTTABLE_LICENSE_FILES = LICENSE diff --git a/buildroot/package/python-tinyrpc/Config.in b/buildroot/package/python-tinyrpc/Config.in index 3c643c754..3194b7825 100644 --- a/buildroot/package/python-tinyrpc/Config.in +++ b/buildroot/package/python-tinyrpc/Config.in @@ -1,5 +1,6 @@ config BR2_PACKAGE_PYTHON_TINYRPC bool "python-tinyrpc" + depends on BR2_PACKAGE_PYTHON3 select BR2_PACKAGE_PYTHON_SIX # runtime help A small, modular, transport and protocol neutral RPC diff --git a/buildroot/package/python-txtorcon/python-txtorcon.mk b/buildroot/package/python-txtorcon/python-txtorcon.mk index a01c0b251..4df400c3e 100644 --- a/buildroot/package/python-txtorcon/python-txtorcon.mk +++ b/buildroot/package/python-txtorcon/python-txtorcon.mk @@ -11,4 +11,13 @@ PYTHON_TXTORCON_SETUP_TYPE = setuptools PYTHON_TXTORCON_LICENSE = MIT PYTHON_TXTORCON_LICENSE_FILES = LICENSE +ifeq ($(BR2_PACKAGE_PYTHON),y) +# only needed/valid for python 3.x +define PYTHON_TXTORCON_RM_PY3_FILE + rm -f $(TARGET_DIR)/usr/lib/python*/site-packages/txtorcon/controller_py3.py +endef + +PYTHON_TXTORCON_POST_INSTALL_TARGET_HOOKS += PYTHON_TXTORCON_RM_PY3_FILE +endif + $(eval $(python-package)) diff --git a/buildroot/package/python/python.mk b/buildroot/package/python/python.mk index 532c372de..e8cad54f9 100644 --- a/buildroot/package/python/python.mk +++ b/buildroot/package/python/python.mk @@ -194,6 +194,7 @@ define PYTHON_REMOVE_USELESS_FILES rm -f $(TARGET_DIR)/usr/bin/python2-config rm -f $(TARGET_DIR)/usr/bin/python-config rm -f $(TARGET_DIR)/usr/bin/smtpd.py + rm -f $(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/distutils/command/wininst*.exe for i in `find $(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/config/ \ -type f -not -name pyconfig.h -a -not -name Makefile` ; do \ rm -f $$i ; \ @@ -255,10 +256,10 @@ endif define PYTHON_CREATE_PYC_FILES $(PYTHON_FIX_TIME) PYTHONPATH="$(PYTHON_PATH)" \ - cd $(TARGET_DIR) && $(HOST_DIR)/bin/python$(PYTHON_VERSION_MAJOR) \ + $(HOST_DIR)/bin/python$(PYTHON_VERSION_MAJOR) \ $(TOPDIR)/support/scripts/pycompile.py \ - $(if $(BR2_REPRODUCIBLE),--force) \ - usr/lib/python$(PYTHON_VERSION_MAJOR) + --strip-root $(TARGET_DIR) \ + $(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR) endef ifeq ($(BR2_PACKAGE_PYTHON_PYC_ONLY)$(BR2_PACKAGE_PYTHON_PY_PYC),y) diff --git a/buildroot/package/python3/python3.hash b/buildroot/package/python3/python3.hash index 0a08d04b3..4c03293dd 100644 --- a/buildroot/package/python3/python3.hash +++ b/buildroot/package/python3/python3.hash @@ -1,5 +1,5 @@ -# From https://www.python.org/downloads/release/python-385/ -md5 35b5a3d0254c1c59be9736373d429db7 Python-3.8.5.tar.xz +# From https://www.python.org/downloads/release/python-386/ +md5 69e73c49eeb1a853cefd26d18c9d069d Python-3.8.6.tar.xz # Locally computed -sha256 e3003ed57db17e617acb382b0cade29a248c6026b1bd8aad1f976e9af66a83b0 Python-3.8.5.tar.xz -sha256 de4d1f2d2ad5ad0cfd1657a106476b31cb5db5ef9d1ff842b237c0c81f0c8a23 LICENSE +sha256 a9e0b79d27aa056eb9cce8d63a427b5f9bab1465dee3f942dcfdb25a82f4ab8a Python-3.8.6.tar.xz +sha256 1dceef1677a39befa8bf0285ab2db441ba117520bb2de839547ace006a17750d LICENSE diff --git a/buildroot/package/python3/python3.mk b/buildroot/package/python3/python3.mk index 31e7ca3d3..1a2edc647 100644 --- a/buildroot/package/python3/python3.mk +++ b/buildroot/package/python3/python3.mk @@ -5,7 +5,7 @@ ################################################################################ PYTHON3_VERSION_MAJOR = 3.8 -PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).5 +PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).6 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION) PYTHON3_LICENSE = Python-2.0, others @@ -212,6 +212,7 @@ define PYTHON3_REMOVE_USELESS_FILES rm -f $(TARGET_DIR)/usr/bin/python$(PYTHON3_VERSION_MAJOR)m-config rm -f $(TARGET_DIR)/usr/bin/python3-config rm -f $(TARGET_DIR)/usr/bin/smtpd.py.3 + rm -f $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/distutils/command/wininst*.exe for i in `find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/config-$(PYTHON3_VERSION_MAJOR)m-*/ \ -type f -not -name Makefile` ; do \ rm -f $$i ; \ @@ -277,10 +278,10 @@ endif define PYTHON3_CREATE_PYC_FILES $(PYTHON3_FIX_TIME) PYTHONPATH="$(PYTHON3_PATH)" \ - cd $(TARGET_DIR) && $(HOST_DIR)/bin/python$(PYTHON3_VERSION_MAJOR) \ + $(HOST_DIR)/bin/python$(PYTHON3_VERSION_MAJOR) \ $(TOPDIR)/support/scripts/pycompile.py \ - $(if $(BR2_REPRODUCIBLE),--force) \ - usr/lib/python$(PYTHON3_VERSION_MAJOR) + --strip-root $(TARGET_DIR) \ + $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR) endef ifeq ($(BR2_PACKAGE_PYTHON3_PYC_ONLY)$(BR2_PACKAGE_PYTHON3_PY_PYC),y) diff --git a/buildroot/package/qt5/qt5base/qt5base.mk b/buildroot/package/qt5/qt5base/qt5base.mk index 774c771bc..f8f50530b 100644 --- a/buildroot/package/qt5/qt5base/qt5base.mk +++ b/buildroot/package/qt5/qt5base/qt5base.mk @@ -84,6 +84,9 @@ QT5BASE_DEPENDENCIES += gcnano-binaries else ifeq ($(BR2_PACKAGE_TI_SGX_LIBGBM),y) QT5BASE_CONFIGURE_OPTS += -gbm QT5BASE_DEPENDENCIES += ti-sgx-libgbm +else ifeq ($(BR2_PACKAGE_IMX_GPU_VIV),y) +QT5BASE_CONFIGURE_OPTS += -gbm +QT5BASE_DEPENDENCIES += imx-gpu-viv else QT5BASE_CONFIGURE_OPTS += -no-gbm endif diff --git a/buildroot/package/ripgrep/ripgrep.mk b/buildroot/package/ripgrep/ripgrep.mk index 0bb7017a9..1500733d0 100644 --- a/buildroot/package/ripgrep/ripgrep.mk +++ b/buildroot/package/ripgrep/ripgrep.mk @@ -11,15 +11,20 @@ RIPGREP_LICENSE_FILES = LICENSE-MIT RIPGREP_DEPENDENCIES = host-cargo RIPGREP_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo -RIPGREP_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release) -RIPGREP_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(RIPGREP_CARGO_MODE) +RIPGREP_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(RIPGREP_CARGO_BIN_SUBDIR) RIPGREP_CARGO_OPTS = \ - --$(RIPGREP_CARGO_MODE) \ --target=$(RUSTC_TARGET_NAME) \ --manifest-path=$(@D)/Cargo.toml +ifeq ($(BR2_ENABLE_DEBUG),y) +RIPGREP_CARGO_BIN_SUBDIR = debug +else +RIPGREP_CARGO_OPTS += --release +RIPGREP_CARGO_BIN_SUBDIR = release +endif + define RIPGREP_BUILD_CMDS $(TARGET_MAKE_ENV) $(RIPGREP_CARGO_ENV) \ cargo build $(RIPGREP_CARGO_OPTS) diff --git a/buildroot/package/rtl8188eu/rtl8188eu.hash b/buildroot/package/rtl8188eu/rtl8188eu.hash index 88c128aa3..b16986176 100644 --- a/buildroot/package/rtl8188eu/rtl8188eu.hash +++ b/buildroot/package/rtl8188eu/rtl8188eu.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 cc872aa0991c044d35abfcc81543bad950c6aae487e37d5a09d1cbf8c4cb3058 rtl8188eu-4b0ecca485b9f11f58670b69aa9f90ecad7da02f.tar.gz +sha256 24656123468506760974edf4a9087f6c77d13228fa6b6ce899c12c359a5dc1e7 rtl8188eu-0924dc8fe0845358ed5b3c4c673126069469b3fc.tar.gz sha256 af8067302947c01fd9eee72befa54c7e3ef8a48fecde7fd71277f2290b2bf0f7 COPYING diff --git a/buildroot/package/rtl8188eu/rtl8188eu.mk b/buildroot/package/rtl8188eu/rtl8188eu.mk index f292bba13..686b2ea9d 100644 --- a/buildroot/package/rtl8188eu/rtl8188eu.mk +++ b/buildroot/package/rtl8188eu/rtl8188eu.mk @@ -4,7 +4,7 @@ # ################################################################################ -RTL8188EU_VERSION = 4b0ecca485b9f11f58670b69aa9f90ecad7da02f +RTL8188EU_VERSION = 0924dc8fe0845358ed5b3c4c673126069469b3fc RTL8188EU_SITE = $(call github,lwfinger,rtl8188eu,$(RTL8188EU_VERSION)) RTL8188EU_LICENSE = GPL-2.0, proprietary (rtl8188eufw.bin firmware blob) RTL8188EU_LICENSE_FILES = COPYING diff --git a/buildroot/package/rtl8821au/0001-Fix-implicit-fallthrough-comments-for-kernel-5.3.patch b/buildroot/package/rtl8821au/0001-Fix-implicit-fallthrough-comments-for-kernel-5.3.patch index d323e8f93..00e801b6b 100644 --- a/buildroot/package/rtl8821au/0001-Fix-implicit-fallthrough-comments-for-kernel-5.3.patch +++ b/buildroot/package/rtl8821au/0001-Fix-implicit-fallthrough-comments-for-kernel-5.3.patch @@ -1,10 +1,11 @@ -From f41695e4069404639690d98c7aadfe72117965a6 Mon Sep 17 00:00:00 2001 +From 99f1e8bd7172ddf9613db3531a8b37921ed73351 Mon Sep 17 00:00:00 2001 From: Jesper Skov Date: Fri, 25 Oct 2019 10:05:41 +0200 Subject: [PATCH] Fix implicit fallthrough comments for kernel 5.3 -[Upstram: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/e8a30a4c5a80efbbd5b1dbfe11b22916df4492f9.patch] +[Upstream: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/e8a30a4c5a80efbbd5b1dbfe11b22916df4492f9.patch] Signed-off-by: Peter Seiderer +Signed-off-by: Christian Stewart --- core/rtw_mlme_ext.c | 2 ++ 1 file changed, 2 insertions(+) @@ -24,5 +25,5 @@ index 24565ea..380f507 100644 _mgt_dispatcher(padapter, ptable, precv_frame); #ifdef CONFIG_HOSTAPD_MLME -- -2.26.0 +2.28.0 diff --git a/buildroot/package/rtl8821au/0002-Fix-kernel-5.3-driver-crashes-from-aircrack-ng-rtl88.patch b/buildroot/package/rtl8821au/0002-Fix-kernel-5.3-driver-crashes-from-aircrack-ng-rtl88.patch index 6b1b70270..213ea806b 100644 --- a/buildroot/package/rtl8821au/0002-Fix-kernel-5.3-driver-crashes-from-aircrack-ng-rtl88.patch +++ b/buildroot/package/rtl8821au/0002-Fix-kernel-5.3-driver-crashes-from-aircrack-ng-rtl88.patch @@ -1,10 +1,11 @@ -From b7f8f8572d5abca6e1f0163a583628c0207d0be4 Mon Sep 17 00:00:00 2001 +From cde2dbf6e94e00fcf198422b03de01d3090675d9 Mon Sep 17 00:00:00 2001 From: Jesper Skov Date: Fri, 25 Oct 2019 10:10:29 +0200 Subject: [PATCH] Fix kernel 5.3 driver crashes, from aircrack-ng/rtl8812au#421 [Upstream: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/822b485d36d6f72304a219c3be228f40968b542b.patch] Signed-off-by: Peter Seiderer +Signed-off-by: Christian Stewart --- os_dep/linux/rtw_cfgvendor.c | 45 ++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) @@ -164,5 +165,5 @@ index e7ba90a..81fc8af 100644 } }; -- -2.26.0 +2.28.0 diff --git a/buildroot/package/rtl8821au/0003-Fix-using-sprintf-for-extending-string-which-causes-.patch b/buildroot/package/rtl8821au/0003-Fix-using-sprintf-for-extending-string-which-causes-.patch new file mode 100644 index 000000000..2c4b595c3 --- /dev/null +++ b/buildroot/package/rtl8821au/0003-Fix-using-sprintf-for-extending-string-which-causes-.patch @@ -0,0 +1,339 @@ +From 5b6641978e8fa68bca05d224a61f8513b010eda8 Mon Sep 17 00:00:00 2001 +From: Coleman +Date: Fri, 17 Jul 2020 08:53:00 +0800 +Subject: [PATCH] Fix using sprintf for extending string, which causes + undefined behavior + +[Upstream: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/be57045a0933d64e958878696883e9cf998e1bf3.patch] +Signed-off-by: Coleman +Signed-off-by: Christian Stewart +--- + core/rtw_mp.c | 2 +- + os_dep/linux/ioctl_linux.c | 108 ++++++++++++++++++------------------- + 2 files changed, 55 insertions(+), 55 deletions(-) + +diff --git a/core/rtw_mp.c b/core/rtw_mp.c +index c2e400d..989bb3e 100644 +--- a/core/rtw_mp.c ++++ b/core/rtw_mp.c +@@ -1871,7 +1871,7 @@ u32 mp_query_psd(PADAPTER pAdapter, u8 *data) + } else { + psd_data = rtw_GetPSDData(pAdapter, i); + } +- sprintf(data, "%s%x ", data, psd_data); ++ sprintf(data + strlen(data), "%x ", psd_data); + i++; + } + +diff --git a/os_dep/linux/ioctl_linux.c b/os_dep/linux/ioctl_linux.c +index c74a153..9543fa3 100644 +--- a/os_dep/linux/ioctl_linux.c ++++ b/os_dep/linux/ioctl_linux.c +@@ -9080,19 +9080,19 @@ static int rtw_mp_efuse_get(struct net_device *dev, + sprintf(extra, "\n"); + for (i = 0; i < EFUSE_MAP_SIZE; i += 16) { + // DBG_871X("0x%02x\t", i); +- sprintf(extra, "%s0x%02x\t", extra, i); ++ sprintf(extra + strlen(extra), "0x%02x\t", i); + for (j=0; j<8; j++) { + // DBG_871X("%02X ", data[i+j]); +- sprintf(extra, "%s%02X ", extra, PROMContent[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", PROMContent[i+j]); + } + // DBG_871X("\t"); +- sprintf(extra, "%s\t", extra); ++ sprintf(extra + strlen(extra), "\t"); + for (; j<16; j++) { + // DBG_871X("%02X ", data[i+j]); +- sprintf(extra, "%s%02X ", extra, PROMContent[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", PROMContent[i+j]); + } + // DBG_871X("\n"); +- sprintf(extra,"%s\n",extra); ++ sprintf(extra + strlen(extra), "\n"); + } + // DBG_871X("\n"); + } else if (strcmp(tmp[0], "realmap") == 0) { +@@ -9107,19 +9107,19 @@ static int rtw_mp_efuse_get(struct net_device *dev, + sprintf(extra, "\n"); + for (i = 0; i < EFUSE_MAP_SIZE; i += 16) { + // DBG_871X("0x%02x\t", i); +- sprintf(extra, "%s0x%02x\t", extra, i); ++ sprintf(extra + strlen(extra), "0x%02x\t", i); + for (j=0; j<8; j++) { + // DBG_871X("%02X ", data[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseInitMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseInitMap[i+j]); + } + // DBG_871X("\t"); +- sprintf(extra, "%s\t", extra); ++ sprintf(extra + strlen(extra), "\t"); + for (; j<16; j++) { + // DBG_871X("%02X ", data[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseInitMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseInitMap[i+j]); + } + // DBG_871X("\n"); +- sprintf(extra,"%s\n",extra); ++ sprintf(extra + strlen(extra), "\n"); + } + // DBG_871X("\n"); + } else if (strcmp(tmp[0], "rmap") == 0) { +@@ -9158,7 +9158,7 @@ static int rtw_mp_efuse_get(struct net_device *dev, + *extra = 0; + for (i=0; iBTEfuseInitMap[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]); + } + // DBG_871X("\t"); +- sprintf(extra,"%s\t",extra); ++ sprintf(extra + strlen(extra), "\t"); + for (; j<16; j++) { + // DBG_871X("%02X ", pEfuseHal->BTEfuseInitMap[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]); + } + // DBG_871X("\n"); +- sprintf(extra, "%s\n", extra); ++ sprintf(extra + strlen(extra), "\n"); + } + // DBG_871X("\n"); + } else if (strcmp(tmp[0],"btbmap") == 0) { +@@ -9384,19 +9384,19 @@ static int rtw_mp_efuse_get(struct net_device *dev, + sprintf(extra, "\n"); + for (i=512; i<1024 ; i+=16) { + // DBG_871X("0x%03x\t", i); +- sprintf(extra, "%s0x%03x\t", extra, i); ++ sprintf(extra + strlen(extra), "0x%03x\t", i); + for (j=0; j<8; j++) { + // DBG_871X("%02X ", data[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]); + } + // DBG_871X("\t"); +- sprintf(extra,"%s\t",extra); ++ sprintf(extra + strlen(extra), "\t"); + for (; j<16; j++) { + // DBG_871X("%02X ", data[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]); + } + // DBG_871X("\n"); +- sprintf(extra, "%s\n", extra); ++ sprintf(extra + strlen(extra), "\n"); + } + // DBG_871X("\n"); + } else if (strcmp(tmp[0],"btrmap") == 0) { +@@ -9436,7 +9436,7 @@ static int rtw_mp_efuse_get(struct net_device *dev, + // DBG_871X("%s: bt efuse data={", __FUNCTION__); + for (i=0; ifakeBTEfuseModifiedMap[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]); + } + // DBG_871X("\t"); +- sprintf(extra, "%s\t", extra); ++ sprintf(extra + strlen(extra), "\t"); + for (; j<16; j++) { + // DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]); + } + // DBG_871X("\n"); +- sprintf(extra, "%s\n", extra); ++ sprintf(extra + strlen(extra), "\n"); + } + // DBG_871X("\n"); + } else if (strcmp(tmp[0],"btbfake") == 0) { +@@ -9465,19 +9465,19 @@ static int rtw_mp_efuse_get(struct net_device *dev, + sprintf(extra, "\n"); + for (i=512; i<1024; i+=16) { + // DBG_871X("0x%03x\t", i); +- sprintf(extra, "%s0x%03x\t", extra, i); ++ sprintf(extra + strlen(extra), "0x%03x\t", i); + for (j=0; j<8; j++) { + // DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]); + } + // DBG_871X("\t"); +- sprintf(extra, "%s\t", extra); ++ sprintf(extra + strlen(extra), "\t"); + for (; j<16; j++) { + // DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]); + } + // DBG_871X("\n"); +- sprintf(extra, "%s\n", extra); ++ sprintf(extra + strlen(extra), "\n"); + } + // DBG_871X("\n"); + } else if (strcmp(tmp[0],"wlrfkmap")== 0) { +@@ -9485,19 +9485,19 @@ static int rtw_mp_efuse_get(struct net_device *dev, + sprintf(extra, "\n"); + for (i=0; ifakeEfuseModifiedMap[i+j]); +- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseModifiedMap[i+j]); ++ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseModifiedMap[i+j]); + } + // DBG_871X("\t"); +- sprintf(extra, "%s\t", extra); ++ sprintf(extra + strlen(extra), "\t"); + for (; j<16; j++) { + // DBG_871X("%02X ", pEfuseHal->fakeEfuseModifiedMap[i+j]); +- sprintf(extra, "%s %02X", extra, pEfuseHal->fakeEfuseModifiedMap[i+j]); ++ sprintf(extra + strlen(extra), " %02X", pEfuseHal->fakeEfuseModifiedMap[i+j]); + } + // DBG_871X("\n"); +- sprintf(extra, "%s\n", extra); ++ sprintf(extra + strlen(extra), "\n"); + } + // DBG_871X("\n"); + +@@ -9523,7 +9523,7 @@ static int rtw_mp_efuse_get(struct net_device *dev, + *extra = 0; + for (i=0; ifakeEfuseModifiedMap[addr+i]); +- sprintf(extra, "%s0x%02X ", extra, pEfuseHal->fakeEfuseModifiedMap[addr+i]); ++ sprintf(extra + strlen(extra), "0x%02X ", pEfuseHal->fakeEfuseModifiedMap[addr+i]); + } + } else if (strcmp(tmp[0],"btrfkrmap")== 0) { + if ((tmp[1]==NULL) || (tmp[2]==NULL)) { +@@ -9547,7 +9547,7 @@ static int rtw_mp_efuse_get(struct net_device *dev, + *extra = 0; + for (i=0; ifakeBTEfuseModifiedMap[addr+i]); +- sprintf(extra, "%s0x%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[addr+i]); ++ sprintf(extra + strlen(extra), "0x%02X ", pEfuseHal->fakeBTEfuseModifiedMap[addr+i]); + } + } else { + sprintf(extra, "Command not found!"); +@@ -10409,7 +10409,7 @@ static int rtw_mp_read_reg(struct net_device *dev, + pnext++; + if ( *pnext != '\0' ) { + strtout = simple_strtoul (pnext , &ptmp, 16); +- sprintf( extra, "%s %d" ,extra ,strtout ); ++ sprintf(extra + strlen(extra), " %d" ,strtout ); + } else { + break; + } +@@ -10443,7 +10443,7 @@ static int rtw_mp_read_reg(struct net_device *dev, + pnext++; + if ( *pnext != '\0' ) { + strtout = simple_strtoul (pnext , &ptmp, 16); +- sprintf( extra, "%s %d" ,extra ,strtout ); ++ sprintf(extra + strlen(extra), " %d" ,strtout ); + } else { + break; + } +@@ -10566,7 +10566,7 @@ static int rtw_mp_read_rf(struct net_device *dev, + pnext++; + if ( *pnext != '\0' ) { + strtou = simple_strtoul (pnext , &ptmp, 16); +- sprintf( extra, "%s %d" ,extra ,strtou ); ++ sprintf(extra + strlen(extra), " %d" ,strtou ); + } else { + break; + } +@@ -12155,14 +12155,14 @@ todo: + goto exit; + + #ifdef CONFIG_RTL8723A +- sprintf(extra, "%s %d ", extra, (pMptCtx->mptOutBuf[i]& 0x3f)); ++ sprintf(extra + strlen(extra), " %d ", (pMptCtx->mptOutBuf[i]& 0x3f)); + #else +- sprintf(extra, "%s %d ", extra, (pMptCtx->mptOutBuf[i]& 0x1f)); ++ sprintf(extra + strlen(extra), " %d ", (pMptCtx->mptOutBuf[i]& 0x1f)); + #endif + } + } else { + for (i=4; imptOutLen; i++) { +- sprintf(extra, "%s 0x%x ", extra, pMptCtx->mptOutBuf[i]); ++ sprintf(extra + strlen(extra), " 0x%x ", pMptCtx->mptOutBuf[i]); + } + } + +-- +2.28.0 + diff --git a/buildroot/package/ruby/ruby.hash b/buildroot/package/ruby/ruby.hash index d0aac6387..89cab3fcd 100644 --- a/buildroot/package/ruby/ruby.hash +++ b/buildroot/package/ruby/ruby.hash @@ -1,5 +1,5 @@ -# https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/ -sha256 0c4e000253ef7187feeb940a01a1c7594f28d63aa16f978e892a0e2864f58614 ruby-2.4.9.tar.xz +# https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-4-10-released/ +sha256 d5668ed11544db034f70aec37d11e157538d639ed0d0a968e2f587191fc530df ruby-2.4.10.tar.xz # License files, Locally calculated sha256 609292a6d848ab223073944fc2d844449391a5ba2055a8b5baf1726bc13b39cb LEGAL sha256 f5eb1b2956d5f7a67b2e5722a3749bc2fe86f9c580f2e3f5a08519cf073b5864 COPYING diff --git a/buildroot/package/ruby/ruby.mk b/buildroot/package/ruby/ruby.mk index 0ac116433..6f8cb319c 100644 --- a/buildroot/package/ruby/ruby.mk +++ b/buildroot/package/ruby/ruby.mk @@ -5,7 +5,7 @@ ################################################################################ RUBY_VERSION_MAJOR = 2.4 -RUBY_VERSION = $(RUBY_VERSION_MAJOR).9 +RUBY_VERSION = $(RUBY_VERSION_MAJOR).10 RUBY_VERSION_EXT = 2.4.0 RUBY_SITE = http://cache.ruby-lang.org/pub/ruby/$(RUBY_VERSION_MAJOR) RUBY_SOURCE = ruby-$(RUBY_VERSION).tar.xz diff --git a/buildroot/package/runc/runc.hash b/buildroot/package/runc/runc.hash index b895f6fcc..d792947d5 100644 --- a/buildroot/package/runc/runc.hash +++ b/buildroot/package/runc/runc.hash @@ -1,3 +1,3 @@ # Locally computed -sha256 6b44985023347fb9c5a2cc6f761df8c41cc2c84a7a68a6e6acf834dff6653a9a runc-1.0.0-rc10.tar.gz +sha256 28378df983a3c586ed3ec8c76a774a9b10f36a0c323590a284b801cce95cc61f runc-1.0.0-rc92.tar.gz sha256 552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243 LICENSE diff --git a/buildroot/package/runc/runc.mk b/buildroot/package/runc/runc.mk index 5982f62c4..2e0c332fc 100644 --- a/buildroot/package/runc/runc.mk +++ b/buildroot/package/runc/runc.mk @@ -4,7 +4,7 @@ # ################################################################################ -RUNC_VERSION = 1.0.0-rc10 +RUNC_VERSION = 1.0.0-rc92 RUNC_SITE = $(call github,opencontainers,runc,v$(RUNC_VERSION)) RUNC_LICENSE = Apache-2.0 RUNC_LICENSE_FILES = LICENSE diff --git a/buildroot/package/samba4/0001-libreplace-disable-libbsd-support.patch b/buildroot/package/samba4/0001-libreplace-disable-libbsd-support.patch index a303fa666..79216860d 100644 --- a/buildroot/package/samba4/0001-libreplace-disable-libbsd-support.patch +++ b/buildroot/package/samba4/0001-libreplace-disable-libbsd-support.patch @@ -9,7 +9,7 @@ This causes redefinition conflicts for link(2) when both standard unistd.h and bsd/unistd.h get included. Signed-off-by: Gustavo Zacarias -[Bernd: rebased for versions 4.7.3, 4.8.0 & 4.8.5] +[Bernd: rebased for versions 4.7.3, 4.8.0, 4.8.5 & 4.11.13] Signed-off-by: Bernd Kuhls --- lib/replace/wscript | 15 --------------- @@ -19,7 +19,7 @@ diff --git a/lib/replace/wscript b/lib/replace/wscript index 240d730cbee..c6d8df43c74 100644 --- a/lib/replace/wscript +++ b/lib/replace/wscript -@@ -381,21 +381,6 @@ def configure(conf): +@@ -406,21 +406,6 @@ def configure(conf): strlcpy_in_bsd = False diff --git a/buildroot/package/samba4/0002-build-find-pre-built-heimdal-build-tools-in-case-of-.patch b/buildroot/package/samba4/0002-build-find-pre-built-heimdal-build-tools-in-case-of-.patch index 563b274d5..b8636958e 100644 --- a/buildroot/package/samba4/0002-build-find-pre-built-heimdal-build-tools-in-case-of-.patch +++ b/buildroot/package/samba4/0002-build-find-pre-built-heimdal-build-tools-in-case-of-.patch @@ -33,6 +33,7 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14164 Signed-off-by: Uri Simchoni Signed-off-by: Bernd Kuhls +[Bernd: rebased for version 4.11.13] --- wscript_configure_embedded_heimdal | 11 +++++++++++ wscript_configure_system_heimdal | 11 ----------- @@ -59,7 +60,7 @@ diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal index 0ff6dad2f55..f77c177442f 100644 --- a/wscript_configure_system_heimdal +++ b/wscript_configure_system_heimdal -@@ -36,14 +36,6 @@ def check_system_heimdal_lib(name, functions='', headers='', onlyif=None): +@@ -37,14 +37,6 @@ def check_system_heimdal_lib(name, functions='', headers='', onlyif=None): conf.define('USING_SYSTEM_%s' % name.upper(), 1) return True @@ -74,7 +75,7 @@ index 0ff6dad2f55..f77c177442f 100644 check_system_heimdal_lib("com_err", "com_right_r com_err", "com_err.h") if check_system_heimdal_lib("roken", "rk_socket_set_reuseaddr", "roken.h"): -@@ -88,7 +88,4 @@ +@@ -96,7 +96,4 @@ #if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'): # conf.define('USING_SYSTEM_TOMMATH', 1) diff --git a/buildroot/package/samba4/samba4.hash b/buildroot/package/samba4/samba4.hash index 34ae6f84b..4d47871fc 100644 --- a/buildroot/package/samba4/samba4.hash +++ b/buildroot/package/samba4/samba4.hash @@ -1,4 +1,4 @@ # Locally calculated after checking pgp signature -# https://download.samba.org/pub/samba/stable/samba-4.11.10.tar.asc -sha256 4346ed80c90132a4117fe2dd3e846954f44f006f4d057de3a3544116364e012f samba-4.11.10.tar.gz +# https://download.samba.org/pub/samba/stable/samba-4.11.13.tar.asc +sha256 e71ed29ae01c5ce7be8cee1f53e0530db86dd19b911accb08fae60224e686ba1 samba-4.11.13.tar.gz sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING diff --git a/buildroot/package/samba4/samba4.mk b/buildroot/package/samba4/samba4.mk index b6fe1a827..48ac48c18 100644 --- a/buildroot/package/samba4/samba4.mk +++ b/buildroot/package/samba4/samba4.mk @@ -4,7 +4,7 @@ # ################################################################################ -SAMBA4_VERSION = 4.11.10 +SAMBA4_VERSION = 4.11.13 SAMBA4_SITE = https://download.samba.org/pub/samba/stable SAMBA4_SOURCE = samba-$(SAMBA4_VERSION).tar.gz SAMBA4_INSTALL_STAGING = YES diff --git a/buildroot/package/shadowsocks-libev/shadowsocks-libev.hash b/buildroot/package/shadowsocks-libev/shadowsocks-libev.hash index 76928ebb4..cc7993a54 100644 --- a/buildroot/package/shadowsocks-libev/shadowsocks-libev.hash +++ b/buildroot/package/shadowsocks-libev/shadowsocks-libev.hash @@ -1,7 +1,7 @@ # Locally computed -sha256 677356a5ed6b5ae9e32a898061db2587158ff27e245db03f4bde9b006ef12dc9 shadowsocks-libev-3.3.3.tar.gz +sha256 fce47a956fad0c30def9c71821bcec450a40d3f881548e31e66cedf262b89eb1 shadowsocks-libev-3.3.4.tar.gz # License files, locally calculated -sha256 736883f97d44dbec288bb82819f18f4f86d02ae3192f6a9abefa00db76bace41 COPYING -sha256 c41a4bc2c4c43e4daa3051e77e31b2d5c8500498afaeac6d831d55a4bb8de3fb libbloom/LICENSE -sha256 4fa2ada54f8c0410ec243265378242ffe862386d5ac517f8dd30a1911d25ae93 libcork/COPYING +sha256 736883f97d44dbec288bb82819f18f4f86d02ae3192f6a9abefa00db76bace41 COPYING +sha256 c41a4bc2c4c43e4daa3051e77e31b2d5c8500498afaeac6d831d55a4bb8de3fb libbloom/LICENSE +sha256 4fa2ada54f8c0410ec243265378242ffe862386d5ac517f8dd30a1911d25ae93 libcork/COPYING diff --git a/buildroot/package/shadowsocks-libev/shadowsocks-libev.mk b/buildroot/package/shadowsocks-libev/shadowsocks-libev.mk index 4b0b963ee..3ba4cb875 100644 --- a/buildroot/package/shadowsocks-libev/shadowsocks-libev.mk +++ b/buildroot/package/shadowsocks-libev/shadowsocks-libev.mk @@ -4,7 +4,7 @@ # ################################################################################ -SHADOWSOCKS_LIBEV_VERSION = 3.3.3 +SHADOWSOCKS_LIBEV_VERSION = 3.3.4 SHADOWSOCKS_LIBEV_SITE = https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(SHADOWSOCKS_LIBEV_VERSION) SHADOWSOCKS_LIBEV_LICENSE = GPL-3.0+, BSD-2-Clause (libbloom), BSD-3-Clause (libcork, libipset) SHADOWSOCKS_LIBEV_LICENSE_FILES = COPYING libbloom/LICENSE libcork/COPYING diff --git a/buildroot/package/squid/squid.hash b/buildroot/package/squid/squid.hash index a3ef65518..b7e051960 100644 --- a/buildroot/package/squid/squid.hash +++ b/buildroot/package/squid/squid.hash @@ -1,6 +1,6 @@ -# From http://www.squid-cache.org/Versions/v4/squid-4.12.tar.xz.asc -md5 ad7a4a8a0031cae3435717a759173829 squid-4.12.tar.xz -sha1 316b8a343aa542b5e7469d33b9d726bee00679c6 squid-4.12.tar.xz +# From http://www.squid-cache.org/Versions/v4/squid-4.13.tar.xz.asc +md5 492e54afc15821141ff1d1d9903854d6 squid-4.13.tar.xz +sha1 cac95c18789e9ecd6620c2f278fc3900498c065b squid-4.13.tar.xz # Locally calculated -sha256 f42a03c8b3dc020722c88bf1a87da8cb0c087b2f66b41d8256c77ee1b527e317 squid-4.12.tar.xz +sha256 6891a0f540e60779b4f24f1802a302f813c6f473ec7336a474ed68c3e2e53ee0 squid-4.13.tar.xz sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/buildroot/package/squid/squid.mk b/buildroot/package/squid/squid.mk index 6bce74b7d..1ba375e54 100644 --- a/buildroot/package/squid/squid.mk +++ b/buildroot/package/squid/squid.mk @@ -4,7 +4,7 @@ # ################################################################################ -SQUID_VERSION = 4.12 +SQUID_VERSION = 4.13 SQUID_SOURCE = squid-$(SQUID_VERSION).tar.xz SQUID_SITE = http://www.squid-cache.org/Versions/v4 SQUID_LICENSE = GPL-2.0+ diff --git a/buildroot/package/strace/strace.mk b/buildroot/package/strace/strace.mk index 5ad249b13..3dd650f01 100644 --- a/buildroot/package/strace/strace.mk +++ b/buildroot/package/strace/strace.mk @@ -9,15 +9,7 @@ STRACE_SOURCE = strace-$(STRACE_VERSION).tar.xz STRACE_SITE = https://strace.io/files/$(STRACE_VERSION) STRACE_LICENSE = LGPL-2.1+ STRACE_LICENSE_FILES = COPYING LGPL-2.1-or-later -STRACE_CONF_OPTS = --enable-mpers=check - -# strace bundle some kernel headers to build libmpers, this mixes userspace -# headers and kernel headers which break the build with musl. -# The stddef.h from gcc is used instead of the one from musl. -ifeq ($(BR2_TOOLCHAIN_USES_MUSL),y) -STRACE_CONF_OPTS += st_cv_m32_mpers=no \ - st_cv_mx32_mpers=no -endif +STRACE_CONF_OPTS = --enable-mpers=no ifeq ($(BR2_PACKAGE_LIBUNWIND),y) STRACE_DEPENDENCIES += libunwind diff --git a/buildroot/package/supertux/0001-CMakeLists.txt-compile-squirrel-with-fPIC.patch b/buildroot/package/supertux/0001-CMakeLists.txt-compile-squirrel-with-fPIC.patch new file mode 100644 index 000000000..9fac20a3f --- /dev/null +++ b/buildroot/package/supertux/0001-CMakeLists.txt-compile-squirrel-with-fPIC.patch @@ -0,0 +1,35 @@ +From 23d0bb0ef0fde52d1cffe235edead09287326fb4 Mon Sep 17 00:00:00 2001 +From: Romain Naour +Date: Sun, 4 Oct 2020 01:11:30 +0200 +Subject: [PATCH] CMakeLists.txt: compile squirrel with -fPIC + +Ensure that squirrel is compiled with -fPIC to allow linking the static +libraries with dynamically linked programs. This is not a requirement +for most architectures but is mandatory for ARM. + +Fixes: +x86_64-buildroot-linux-musl/bin/ld: CMakeFiles/sq_static.dir/sq.c.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a PIE object; recompile with -fPIC +x86_64-buildroot-linux-musl/bin/ld: final link failed: nonrepresentable section on output + +Signed-off-by: Romain Naour +--- + CMakeLists.txt | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 8b1dafa1e..07c603cce 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -412,7 +412,8 @@ ExternalProject_Add(squirrel + -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER} + -DCMAKE_CXX_FLAGS=${CMAKE_CXX_FLAGS} + -DCMAKE_INSTALL_PREFIX=${SQUIRREL_PREFIX} +- -DINSTALL_INC_DIR=include) ++ -DINSTALL_INC_DIR=include ++ -DCMAKE_POSITION_INDEPENDENT_CODE=ON) + + if(WIN32) + add_library(squirrel_lib SHARED IMPORTED) +-- +2.25.4 + diff --git a/buildroot/package/suricata/suricata.hash b/buildroot/package/suricata/suricata.hash index 05e3593c3..9e79f3a96 100644 --- a/buildroot/package/suricata/suricata.hash +++ b/buildroot/package/suricata/suricata.hash @@ -1,5 +1,5 @@ # Locally computed: -sha256 c8a83a05f57cedc0ef81d833ddcfdbbfdcdb6f459a91b1b15dc2d5671f1aecbb suricata-4.1.8.tar.gz +sha256 3440cd1065b1b3999dc101a37c49321fab2791b38f16e2f7fe27369dd007eea7 suricata-4.1.9.tar.gz # Hash for license files: sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/buildroot/package/suricata/suricata.mk b/buildroot/package/suricata/suricata.mk index 8dd23bf2f..d6ae48c1f 100644 --- a/buildroot/package/suricata/suricata.mk +++ b/buildroot/package/suricata/suricata.mk @@ -4,7 +4,7 @@ # ################################################################################ -SURICATA_VERSION = 4.1.8 +SURICATA_VERSION = 4.1.9 SURICATA_SITE = https://www.openinfosecfoundation.org/download SURICATA_LICENSE = GPL-2.0 SURICATA_LICENSE_FILES = COPYING LICENSE diff --git a/buildroot/package/systemd/0001-Fix-build-with-libmicrohttpd-0.9.71.patch b/buildroot/package/systemd/0001-Fix-build-with-libmicrohttpd-0.9.71.patch deleted file mode 100644 index 7c1cfe939..000000000 --- a/buildroot/package/systemd/0001-Fix-build-with-libmicrohttpd-0.9.71.patch +++ /dev/null @@ -1,71 +0,0 @@ -From d17eabb1052e7c8c432331a7a782845e36164f01 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Tue, 30 Jun 2020 09:56:10 +0200 -Subject: [PATCH] =?UTF-8?q?Fix=20build=20with=20=C2=B5httpd=200.9.71?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The return type of callbacks was changed from int to an enum. - -Signed-off-by: Bernd Kuhls -[downloaded from upstream commit - https://github.com/systemd/systemd/commit/d17eabb1052e7c8c432331a7a782845e36164f01] ---- - src/journal-remote/journal-gatewayd.c | 4 ++-- - src/journal-remote/journal-remote-main.c | 2 +- - src/journal-remote/microhttpd-util.h | 6 ++++++ - 3 files changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c -index 5177e0d1577..3ab7c98b0b5 100644 ---- a/src/journal-remote/journal-gatewayd.c -+++ b/src/journal-remote/journal-gatewayd.c -@@ -349,7 +349,7 @@ static int request_parse_range( - return 0; - } - --static int request_parse_arguments_iterator( -+static mhd_result request_parse_arguments_iterator( - void *cls, - enum MHD_ValueKind kind, - const char *key, -@@ -796,7 +796,7 @@ static int request_handler_machine( - return MHD_queue_response(connection, MHD_HTTP_OK, response); - } - --static int request_handler( -+static mhd_result request_handler( - void *cls, - struct MHD_Connection *connection, - const char *url, -diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c -index 69a111afead..f82d188a8c6 100644 ---- a/src/journal-remote/journal-remote-main.c -+++ b/src/journal-remote/journal-remote-main.c -@@ -253,7 +253,7 @@ static int process_http_upload( - return mhd_respond(connection, MHD_HTTP_ACCEPTED, "OK."); - }; - --static int request_handler( -+static mhd_result request_handler( - void *cls, - struct MHD_Connection *connection, - const char *url, -diff --git a/src/journal-remote/microhttpd-util.h b/src/journal-remote/microhttpd-util.h -index d90c6bbd4f1..4ca9a5c4f16 100644 ---- a/src/journal-remote/microhttpd-util.h -+++ b/src/journal-remote/microhttpd-util.h -@@ -47,6 +47,12 @@ - # define MHD_create_response_from_fd_at_offset64 MHD_create_response_from_fd_at_offset - #endif - -+#if MHD_VERSION >= 0x00097002 -+# define mhd_result enum MHD_Result -+#else -+# define mhd_result int -+#endif -+ - void microhttpd_logger(void *arg, const char *fmt, va_list ap) _printf_(2, 0); - - /* respond_oom() must be usable with return, hence this form. */ diff --git a/buildroot/package/systemd/0001-random-seed-add-missing-header-for-GRND_NONBLOCK.patch b/buildroot/package/systemd/0001-random-seed-add-missing-header-for-GRND_NONBLOCK.patch deleted file mode 100644 index e74df10e9..000000000 --- a/buildroot/package/systemd/0001-random-seed-add-missing-header-for-GRND_NONBLOCK.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 806e2011a0ea684b10a07b74c4ee0f817437e8c6 Mon Sep 17 00:00:00 2001 -From: Romain Naour -Date: Sun, 1 Mar 2020 15:19:01 +0100 -Subject: [PATCH] random-seed: add missing header for GRND_NONBLOCK - -GRND_NONBLOCK has been introduced with the 3.17 kernel version [1] -while adding getrandom(2) system call. - -The header missing_random.h is needed for random-seed.c when building -with old toolchain, such Sourcery CodeBench ARM 2014.05. - -Fixes: -https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917 - -[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c6e9d6f38894798696f23c8084ca7edbf16ee895 - -Upstream status: -https://github.com/systemd/systemd/pull/14988 - -Signed-off-by: Romain Naour ---- - src/random-seed/random-seed.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/random-seed/random-seed.c b/src/random-seed/random-seed.c -index 2fcbcb281a..596bff98f1 100644 ---- a/src/random-seed/random-seed.c -+++ b/src/random-seed/random-seed.c -@@ -19,6 +19,7 @@ - #include "io-util.h" - #include "log.h" - #include "main-func.h" -+#include "missing_random.h" - #include "missing_syscall.h" - #include "mkdir.h" - #include "parse-util.h" --- -2.24.1 - diff --git a/buildroot/package/systemd/systemd.hash b/buildroot/package/systemd/systemd.hash index 4ab514d67..db8f0193b 100644 --- a/buildroot/package/systemd/systemd.hash +++ b/buildroot/package/systemd/systemd.hash @@ -1,5 +1,5 @@ # sha256 locally computed -sha256 e6b463733da5eb37075352a64112d030b8612935a54e5b3468279a4f15a4cec4 systemd-244.3.tar.gz +sha256 d526f217450f98c695d0a20285436e48f1f1b3f31fe76aa4d6211ec60fee33c4 systemd-244.5.tar.gz sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 LICENSE.GPL2 sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 LICENSE.LGPL2.1 sha256 f7299f5f5e8bdffd347dce1bed888b1cea6ddaf27de521c307265098bcbeae92 README diff --git a/buildroot/package/systemd/systemd.mk b/buildroot/package/systemd/systemd.mk index d9ebd5db7..c01e8c9a3 100644 --- a/buildroot/package/systemd/systemd.mk +++ b/buildroot/package/systemd/systemd.mk @@ -4,7 +4,7 @@ # ################################################################################ -SYSTEMD_VERSION = 244.3 +SYSTEMD_VERSION = 244.5 SYSTEMD_SITE = $(call github,systemd,systemd-stable,v$(SYSTEMD_VERSION)) SYSTEMD_LICENSE = LGPL-2.1+, GPL-2.0+ (udev), Public Domain (few source files, see README), BSD-3-Clause (tools/chromiumos) SYSTEMD_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1 README tools/chromiumos/LICENSE @@ -498,7 +498,7 @@ endef define SYSTEMD_PRESET_ALL $(HOST_DIR)/bin/systemctl --root=$(TARGET_DIR) preset-all endef -SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_PRESET_ALL +SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_PRESET_ALL SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV) SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV) diff --git a/buildroot/package/tovid/Config.in b/buildroot/package/tovid/Config.in index d5b7a2831..f4ddcfa4a 100644 --- a/buildroot/package/tovid/Config.in +++ b/buildroot/package/tovid/Config.in @@ -7,7 +7,7 @@ config BR2_PACKAGE_TOVID depends on BR2_PACKAGE_PYTHON || BR2_PACKAGE_PYTHON3 depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_5 # mpv - depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8 # mpv + depends on BR2_TOOLCHAIN_HAS_ATOMIC # mpv depends on !BR2_TOOLCHAIN_EXTERNAL_SYNOPSYS_ARC # mpv # The below dependencies are runtime dependencies only select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS # procps_ng @@ -31,7 +31,7 @@ config BR2_PACKAGE_TOVID comment "tovid needs a toolchain w/ threads, C++, wchar, gcc >= 4.5" depends on BR2_USE_MMU depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS - depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8 + depends on BR2_TOOLCHAIN_HAS_ATOMIC depends on !BR2_TOOLCHAIN_HAS_THREADS \ || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_5 \ || !BR2_INSTALL_LIBSTDCPP \ @@ -41,7 +41,7 @@ comment "tovid needs a toolchain w/ threads, C++, wchar, gcc >= 4.5" comment "tovid depends on python or python3" depends on !BR2_PACKAGE_PYTHON && !BR2_PACKAGE_PYTHON3 depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS - depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8 + depends on BR2_TOOLCHAIN_HAS_ATOMIC depends on !BR2_TOOLCHAIN_HAS_THREADS || \ !BR2_TOOLCHAIN_GCC_AT_LEAST_4_5 depends on !BR2_TOOLCHAIN_EXTERNAL_SYNOPSYS_ARC diff --git a/buildroot/package/tpm2-abrmd/tpm2-abrmd.hash b/buildroot/package/tpm2-abrmd/tpm2-abrmd.hash index cff3266bc..1c6e73905 100644 --- a/buildroot/package/tpm2-abrmd/tpm2-abrmd.hash +++ b/buildroot/package/tpm2-abrmd/tpm2-abrmd.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 63cb59be1fd21e6ae233c37a0aa4a59883a4885a7bfd2c7e69979c5048518d50 tpm2-abrmd-2.3.0.tar.gz -sha256 18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448 LICENSE +sha256 1e587808c6739079d59f124d9c1a0058f8d34dd84f1f656c946667fa0a181c48 tpm2-abrmd-2.3.3.tar.gz +sha256 18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448 LICENSE diff --git a/buildroot/package/tpm2-abrmd/tpm2-abrmd.mk b/buildroot/package/tpm2-abrmd/tpm2-abrmd.mk index e92fda252..0584ba928 100644 --- a/buildroot/package/tpm2-abrmd/tpm2-abrmd.mk +++ b/buildroot/package/tpm2-abrmd/tpm2-abrmd.mk @@ -4,7 +4,7 @@ # ################################################################################ -TPM2_ABRMD_VERSION = 2.3.0 +TPM2_ABRMD_VERSION = 2.3.3 TPM2_ABRMD_SITE = https://github.com/tpm2-software/tpm2-abrmd/releases/download/$(TPM2_ABRMD_VERSION) TPM2_ABRMD_LICENSE = BSD-2-Clause TPM2_ABRMD_LICENSE_FILES = LICENSE diff --git a/buildroot/package/tpm2-tools/tpm2-tools.hash b/buildroot/package/tpm2-tools/tpm2-tools.hash index 16059627a..dd5583482 100644 --- a/buildroot/package/tpm2-tools/tpm2-tools.hash +++ b/buildroot/package/tpm2-tools/tpm2-tools.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 40b9263d8b949bd2bc03a3cd60fa242e27116727467f9bbdd0b5f2539a25a7b1 tpm2-tools-4.1.1.tar.gz -sha256 e10dce74279166bf7bc463eb6e462c2025bceb3e50cadfe865d92c1c3dc0bb21 LICENSE +sha256 175472b63d1e047c2ad38314d06c36bd734ae37e0c6abfa2a804c0d6eb3f2936 tpm2-tools-4.1.2.tar.gz +sha256 e10dce74279166bf7bc463eb6e462c2025bceb3e50cadfe865d92c1c3dc0bb21 LICENSE diff --git a/buildroot/package/tpm2-tools/tpm2-tools.mk b/buildroot/package/tpm2-tools/tpm2-tools.mk index 4ebca0f90..83be53d54 100644 --- a/buildroot/package/tpm2-tools/tpm2-tools.mk +++ b/buildroot/package/tpm2-tools/tpm2-tools.mk @@ -4,7 +4,7 @@ # ################################################################################ -TPM2_TOOLS_VERSION = 4.1.1 +TPM2_TOOLS_VERSION = 4.1.2 TPM2_TOOLS_SITE = https://github.com/tpm2-software/tpm2-tools/releases/download/$(TPM2_TOOLS_VERSION) TPM2_TOOLS_LICENSE = BSD-3-Clause TPM2_TOOLS_LICENSE_FILES = LICENSE diff --git a/buildroot/package/trousers/0003-Correct-multiple-security-issues-that-are-present-if.patch b/buildroot/package/trousers/0003-Correct-multiple-security-issues-that-are-present-if.patch new file mode 100644 index 000000000..609245dad --- /dev/null +++ b/buildroot/package/trousers/0003-Correct-multiple-security-issues-that-are-present-if.patch @@ -0,0 +1,90 @@ +From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001 +From: Matthias Gerstner +Date: Fri, 14 Aug 2020 22:14:36 -0700 +Subject: [PATCH] Correct multiple security issues that are present if the tcsd + is started by root instead of the tss user. + +Patch fixes the following 3 CVEs: + +CVE-2020-24332 +If the tcsd daemon is started with root privileges, +the creation of the system.data file is prone to symlink attacks + +CVE-2020-24330 +If the tcsd daemon is started with root privileges, +it fails to drop the root gid after it is no longer needed + +CVE-2020-24331 +If the tcsd daemon is started with root privileges, +the tss user has read and write access to the /etc/tcsd.conf file + +Authored-by: Matthias Gerstner +Signed-off-by: Debora Velarde Babb +Signed-off-by: Peter Korsgaard +--- + src/tcs/ps/tcsps.c | 2 +- + src/tcsd/svrside.c | 1 + + src/tcsd/tcsd_conf.c | 10 +++++----- + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/src/tcs/ps/tcsps.c b/src/tcs/ps/tcsps.c +index e47154b..85d45a9 100644 +--- a/src/tcs/ps/tcsps.c ++++ b/src/tcs/ps/tcsps.c +@@ -72,7 +72,7 @@ get_file() + } + + /* open and lock the file */ +- system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600); ++ system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600); + if (system_ps_fd < 0) { + LogError("system PS: open() of %s failed: %s", + tcsd_options.system_ps_file, strerror(errno)); +diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c +index 1ae1636..1c12ff3 100644 +--- a/src/tcsd/svrside.c ++++ b/src/tcsd/svrside.c +@@ -473,6 +473,7 @@ main(int argc, char **argv) + } + return TCSERR(TSS_E_INTERNAL_ERROR); + } ++ setgid(pwd->pw_gid); + setuid(pwd->pw_uid); + #endif + #endif +diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c +index a31503d..ea8ea13 100644 +--- a/src/tcsd/tcsd_conf.c ++++ b/src/tcsd/tcsd_conf.c +@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf) + #ifndef SOLARIS + struct group *grp; + struct passwd *pw; +- mode_t mode = (S_IRUSR|S_IWUSR); ++ mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP); + #endif /* SOLARIS */ + TSS_RESULT result; + +@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf) + } + + /* make sure user/group TSS owns the conf file */ +- if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) { ++ if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) { + LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file, +- TSS_USER_NAME, TSS_GROUP_NAME); ++ "root", TSS_GROUP_NAME); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + +- /* make sure only the tss user can manipulate the config file */ ++ /* make sure only the tss user can read (but not manipulate) the config file */ + if (((stat_buf.st_mode & 0777) ^ mode) != 0) { +- LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file); ++ LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file); + return TCSERR(TSS_E_INTERNAL_ERROR); + } + #endif /* SOLARIS */ +-- +2.20.1 + diff --git a/buildroot/package/trousers/trousers.mk b/buildroot/package/trousers/trousers.mk index 1d5364959..5e6161ce4 100644 --- a/buildroot/package/trousers/trousers.mk +++ b/buildroot/package/trousers/trousers.mk @@ -13,6 +13,9 @@ TROUSERS_INSTALL_STAGING = YES TROUSERS_AUTORECONF = YES TROUSERS_DEPENDENCIES = host-pkgconf openssl +# 0003-Correct-multiple-security-issues-that-are-present-if.patch +TROUSERS_IGNORE_CVES += CVE-2020-24330 CVE-2020-24331 CVE-2020-24332 + ifeq ($(BR2_PACKAGE_LIBICONV),y) TROUSERS_DEPENDENCIES += libiconv endif diff --git a/buildroot/package/uacme/Config.in b/buildroot/package/uacme/Config.in index ea9babfda..d69343611 100644 --- a/buildroot/package/uacme/Config.in +++ b/buildroot/package/uacme/Config.in @@ -5,7 +5,7 @@ config BR2_PACKAGE_UACME select BR2_PACKAGE_LIBCURL help uacme is a client for the ACMEv2 protocol described in - RFC8555, written in plain C code with minimal dependencies + RFC8555, written in plain C with minimal dependencies (libcurl and either of GnuTLS, OpenSSL or mbedTLS). The ACMEv2 protocol allows a Certificate Authority (https://letsencrypt.org is a popular one) and an applicant @@ -13,3 +13,22 @@ config BR2_PACKAGE_UACME issuance. https://github.com/ndilieto/uacme + +if BR2_PACKAGE_UACME + +config BR2_PACKAGE_UACME_UALPN + bool "enable ualpn" + depends on BR2_TOOLCHAIN_HAS_THREADS + depends on BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS + select BR2_PACKAGE_LIBEV + help + Build and install ualpn, the transparent proxying tls-alpn-01 + challenge responder. + +comment "ualpn needs a toolchain w/ threads" + depends on !BR2_TOOLCHAIN_HAS_THREADS + +comment "ualpn needs either OpenSSL or GnuTLS" + depends on !(BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS) + +endif diff --git a/buildroot/package/uacme/uacme.hash b/buildroot/package/uacme/uacme.hash index b8d631d50..b3ec7ed6f 100644 --- a/buildroot/package/uacme/uacme.hash +++ b/buildroot/package/uacme/uacme.hash @@ -1,3 +1,3 @@ # Locally computed: -sha256 c80bbee3c2ac3a64f70abe23be3b7768039785863170ac062625407a0b61e635 uacme-1.0.21.tar.gz -sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING +sha256 7757883ffc305018d3d181a26d0b82a8a0c1f1d5eea21a14979b2c69750b595e uacme-1.2.4.tar.gz +sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903 COPYING diff --git a/buildroot/package/uacme/uacme.mk b/buildroot/package/uacme/uacme.mk index 5813399c5..be2aa6081 100644 --- a/buildroot/package/uacme/uacme.mk +++ b/buildroot/package/uacme/uacme.mk @@ -4,7 +4,7 @@ # ################################################################################ -UACME_VERSION = 1.0.21 +UACME_VERSION = 1.2.4 # Released versions are on branch upstream/latest, tagged as # upstream/X.Y.Z Do not use vX.Y.Z tags from master, as they do not # include .tarball-version @@ -18,12 +18,19 @@ UACME_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99' ifeq ($(BR2_PACKAGE_GNUTLS),y) UACME_CONF_OPTS += --with-gnutls UACME_DEPENDENCIES += gnutls -else ifeq ($(BR2_PACKAGE_MBEDTLS),y) -UACME_CONF_OPTS += --with-mbedtls -UACME_DEPENDENCIES += mbedtls else ifeq ($(BR2_PACKAGE_OPENSSL),y) UACME_CONF_OPTS += --with-openssl UACME_DEPENDENCIES += openssl +else ifeq ($(BR2_PACKAGE_MBEDTLS),y) +UACME_CONF_OPTS += --with-mbedtls +UACME_DEPENDENCIES += mbedtls +endif + +ifeq ($(BR2_PACKAGE_UACME_UALPN),y) +UACME_DEPENDENCIES += libev +UACME_CONF_OPTS += --with-ualpn +else +UACME_CONF_OPTS += --without-ualpn endif $(eval $(autotools-package)) diff --git a/buildroot/package/uclibc/uclibc.mk b/buildroot/package/uclibc/uclibc.mk index 2af666c20..7df446194 100644 --- a/buildroot/package/uclibc/uclibc.mk +++ b/buildroot/package/uclibc/uclibc.mk @@ -31,8 +31,13 @@ endif UCLIBC_KCONFIG_FILE = $(UCLIBC_CONFIG_FILE) UCLIBC_KCONFIG_FRAGMENT_FILES = $(call qstrip,$(BR2_UCLIBC_CONFIG_FRAGMENT_FILES)) +# UCLIBC_MAKE_FLAGS set HOSTCC to the default HOSTCC, which may be +# wrapped with ccache. However, host-ccache may not already be built +# and installed when we apply the configuration, so we override that +# to use the non-ccached host compiler. UCLIBC_KCONFIG_OPTS = \ $(UCLIBC_MAKE_FLAGS) \ + HOSTCC="$(HOSTCC_NOCCACHE)" \ PREFIX=$(STAGING_DIR) \ DEVEL_PREFIX=/usr/ \ RUNTIME_PREFIX=$(STAGING_DIR)/ diff --git a/buildroot/package/usb_modeswitch/usb_modeswitch.mk b/buildroot/package/usb_modeswitch/usb_modeswitch.mk index 7e9ed422b..064e1960b 100644 --- a/buildroot/package/usb_modeswitch/usb_modeswitch.mk +++ b/buildroot/package/usb_modeswitch/usb_modeswitch.mk @@ -17,12 +17,11 @@ USB_MODESWITCH_BUILD_TARGETS = all USB_MODESWITCH_INSTALL_TARGETS = install-script else USB_MODESWITCH_DEPENDENCIES += jimtcl +USB_MODESWITCH_INSTALL_TARGETS = install-common ifeq ($(BR2_STATIC_LIBS),y) USB_MODESWITCH_BUILD_TARGETS = all-with-statlink-dispatcher -USB_MODESWITCH_INSTALL_TARGETS = install-statlink else USB_MODESWITCH_BUILD_TARGETS = all-with-dynlink-dispatcher -USB_MODESWITCH_INSTALL_TARGETS = install-dynlink endif endif diff --git a/buildroot/package/vlc/vlc.mk b/buildroot/package/vlc/vlc.mk index 38d975169..ccaaa6cd6 100644 --- a/buildroot/package/vlc/vlc.mk +++ b/buildroot/package/vlc/vlc.mk @@ -440,6 +440,9 @@ endif ifeq ($(BR2_PACKAGE_LIVE555),y) VLC_CONF_OPTS += --enable-live555 VLC_DEPENDENCIES += live555 +ifneq ($(BR2_PACKAGE_OPENSSL),y) +VLC_CONF_ENV += CXXFLAGS="$(TARGET_CXXFLAGS) -DNO_OPENSSL" +endif else VLC_CONF_OPTS += --disable-live555 endif diff --git a/buildroot/package/vsftpd/0003-fix-CVE-2015-1419.patch b/buildroot/package/vsftpd/0002-fix-CVE-2015-1419.patch similarity index 100% rename from buildroot/package/vsftpd/0003-fix-CVE-2015-1419.patch rename to buildroot/package/vsftpd/0002-fix-CVE-2015-1419.patch diff --git a/buildroot/package/vsftpd/0004-Prevent-hang-in-SIGCHLD-handler.patch b/buildroot/package/vsftpd/0003-Prevent-hang-in-SIGCHLD-handler.patch similarity index 100% rename from buildroot/package/vsftpd/0004-Prevent-hang-in-SIGCHLD-handler.patch rename to buildroot/package/vsftpd/0003-Prevent-hang-in-SIGCHLD-handler.patch diff --git a/buildroot/package/wayland-protocols/wayland-protocols.mk b/buildroot/package/wayland-protocols/wayland-protocols.mk index fbfa99558..20a933087 100644 --- a/buildroot/package/wayland-protocols/wayland-protocols.mk +++ b/buildroot/package/wayland-protocols/wayland-protocols.mk @@ -5,7 +5,7 @@ ################################################################################ WAYLAND_PROTOCOLS_VERSION = 1.18 -WAYLAND_PROTOCOLS_SITE = http://wayland.freedesktop.org/releases +WAYLAND_PROTOCOLS_SITE = https://wayland.freedesktop.org/releases WAYLAND_PROTOCOLS_SOURCE = wayland-protocols-$(WAYLAND_PROTOCOLS_VERSION).tar.xz WAYLAND_PROTOCOLS_LICENSE = MIT WAYLAND_PROTOCOLS_LICENSE_FILES = COPYING diff --git a/buildroot/package/webkitgtk/webkitgtk.hash b/buildroot/package/webkitgtk/webkitgtk.hash index 44263745e..cdca65a5a 100644 --- a/buildroot/package/webkitgtk/webkitgtk.hash +++ b/buildroot/package/webkitgtk/webkitgtk.hash @@ -1,7 +1,7 @@ -# From https://webkitgtk.org/releases/webkitgtk-2.28.3.tar.xz.sums -md5 a03a4dcd2819baca14fdec5af68b4356 webkitgtk-2.28.3.tar.xz -sha1 af1d845d373e67fd666105e798a44e2cadaef83c webkitgtk-2.28.3.tar.xz -sha256 f0898ac072c220e13a4aee819408421a6cb56a6eb89170ceafe52468b0903522 webkitgtk-2.28.3.tar.xz +# From https://webkitgtk.org/releases/webkitgtk-2.28.4.tar.xz.sums +md5 10e0cce27208dfbd4cf63dd68a9a47d7 webkitgtk-2.28.4.tar.xz +sha1 70e9dd80647b30eaaf8a7f5b30d8869cd1254056 webkitgtk-2.28.4.tar.xz +sha256 821952e8c9303ed752f1fb1d4283f612c25249d00d705d2b79c2db1bc49c9464 webkitgtk-2.28.4.tar.xz # Hashes for license files: sha256 0b5d3a7cc325942567373b0ecd757d07c132e0ebd7c97bfc63f7e1a76094edb4 Source/WebCore/LICENSE-APPLE diff --git a/buildroot/package/webkitgtk/webkitgtk.mk b/buildroot/package/webkitgtk/webkitgtk.mk index f38ea5d20..65a443983 100644 --- a/buildroot/package/webkitgtk/webkitgtk.mk +++ b/buildroot/package/webkitgtk/webkitgtk.mk @@ -4,7 +4,7 @@ # ################################################################################ -WEBKITGTK_VERSION = 2.28.3 +WEBKITGTK_VERSION = 2.28.4 WEBKITGTK_SITE = https://www.webkitgtk.org/releases WEBKITGTK_SOURCE = webkitgtk-$(WEBKITGTK_VERSION).tar.xz WEBKITGTK_INSTALL_STAGING = YES diff --git a/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.hash b/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.hash index ac160cdf9..833e1af2f 100644 --- a/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.hash +++ b/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.hash @@ -1,4 +1,4 @@ -# https://lists.zx2c4.com/pipermail/wireguard/2020-June/005597.html -sha256 130937724515799edf05ff8216bc837df8acda879428f3a7f96a3287758f9445 wireguard-linux-compat-1.0.20200623.tar.xz +# https://lists.zx2c4.com/pipermail/wireguard/2020-September/005817.html +sha256 ad33b2d2267a37e0f65c97e65e7d4d926d5aef7d530c251b63fbf919048eead9 wireguard-linux-compat-1.0.20200908.tar.xz # Locally calculated sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING diff --git a/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.mk b/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.mk index bc155a1aa..7239da6d8 100644 --- a/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.mk +++ b/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.mk @@ -4,7 +4,7 @@ # ################################################################################ -WIREGUARD_LINUX_COMPAT_VERSION = 1.0.20200623 +WIREGUARD_LINUX_COMPAT_VERSION = 1.0.20200908 WIREGUARD_LINUX_COMPAT_SITE = https://git.zx2c4.com/wireguard-linux-compat/snapshot WIREGUARD_LINUX_COMPAT_SOURCE = wireguard-linux-compat-$(WIREGUARD_LINUX_COMPAT_VERSION).tar.xz WIREGUARD_LINUX_COMPAT_LICENSE = GPL-2.0 diff --git a/buildroot/package/wireshark/wireshark.hash b/buildroot/package/wireshark/wireshark.hash index b74b69244..16866d96b 100644 --- a/buildroot/package/wireshark/wireshark.hash +++ b/buildroot/package/wireshark/wireshark.hash @@ -1,6 +1,6 @@ -# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-3.2.5.txt -sha1 468c547ad13df805322e0979b348dcc602904017 wireshark-3.2.5.tar.xz -sha256 bd89052a5766cce08b1090df49628567e48cdd24bbaa47667c851bac6aaac940 wireshark-3.2.5.tar.xz +# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-3.2.7.txt +sha1 b564c2e729066cb7c952463fef6163e23a5fea1e wireshark-3.2.7.tar.xz +sha256 be832fb86d9c455c5be8b225a755cdc77cb0e92356bdfc1fe4b000d93f7d70da wireshark-3.2.7.tar.xz # Locally calculated sha256 7cdbed2b697efaa45576a033f1ac0e73cd045644a91c79bbf41d4a7d81dac7bf COPYING diff --git a/buildroot/package/wireshark/wireshark.mk b/buildroot/package/wireshark/wireshark.mk index 638a8a249..354f00825 100644 --- a/buildroot/package/wireshark/wireshark.mk +++ b/buildroot/package/wireshark/wireshark.mk @@ -4,7 +4,7 @@ # ################################################################################ -WIRESHARK_VERSION = 3.2.5 +WIRESHARK_VERSION = 3.2.7 WIRESHARK_SOURCE = wireshark-$(WIRESHARK_VERSION).tar.xz WIRESHARK_SITE = https://www.wireshark.org/download/src/all-versions WIRESHARK_LICENSE = wireshark license diff --git a/buildroot/package/wolfssl/0001-Make-ByteReverseWords-available-for-big-and-little-endian.patch b/buildroot/package/wolfssl/0001-Make-ByteReverseWords-available-for-big-and-little-endian.patch new file mode 100644 index 000000000..48a318d53 --- /dev/null +++ b/buildroot/package/wolfssl/0001-Make-ByteReverseWords-available-for-big-and-little-endian.patch @@ -0,0 +1,32 @@ +From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001 +From: Tesfa Mael +Date: Wed, 26 Aug 2020 10:13:06 -0700 +Subject: [PATCH] Make ByteReverseWords available for big and little endian + +[Retrieved from: +https://github.com/wolfSSL/wolfssl/pull/3255/commits/b90acc91d0cd276befe7f08f87ba2dc5ee7122ff] +Signed-off-by: Fabrice Fontaine +--- + wolfcrypt/src/misc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c +index fe66ee0a1a..23bfa1adc5 100644 +--- a/wolfcrypt/src/misc.c ++++ b/wolfcrypt/src/misc.c +@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWord32(word32 value) + return rotlFixed(value, 16U); + #endif + } +-#if defined(LITTLE_ENDIAN_ORDER) + /* This routine performs a byte swap of words array of a given count. */ + WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, + word32 byteCount) +@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, + out[i] = ByteReverseWord32(in[i]); + + } +-#endif /* LITTLE_ENDIAN_ORDER */ + + #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS) + diff --git a/buildroot/package/wolfssl/wolfssl.hash b/buildroot/package/wolfssl/wolfssl.hash index 5509552ca..0ee55276d 100644 --- a/buildroot/package/wolfssl/wolfssl.hash +++ b/buildroot/package/wolfssl/wolfssl.hash @@ -1,6 +1,6 @@ # Locally computed: -sha256 6896f8ad6c44aff3e583006eeee839600848a0e37118ebbb7514eca9409ae08b wolfssl-4.3.0-stable.tar.gz +sha256 7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c wolfssl-4.5.0-stable.tar.gz # Hash for license files: -sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING -sha256 74adaaef40b96c71378b6daa3feb8ccd4a1bfd9b76debf3f3f29cf3a0e86c9a0 LICENSING +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING +sha256 b23c1da1f85d699d3288d73c952b4cd02760d23dc1ddc1b221cbb8be82387189 LICENSING diff --git a/buildroot/package/wolfssl/wolfssl.mk b/buildroot/package/wolfssl/wolfssl.mk index 8834a0f46..e2833144f 100644 --- a/buildroot/package/wolfssl/wolfssl.mk +++ b/buildroot/package/wolfssl/wolfssl.mk @@ -4,11 +4,11 @@ # ################################################################################ -WOLFSSL_VERSION = 4.3.0-stable +WOLFSSL_VERSION = 4.5.0-stable WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)) WOLFSSL_INSTALL_STAGING = YES -WOLFSSL_LICENSE = GPL-2.0 +WOLFSSL_LICENSE = GPL-2.0+ WOLFSSL_LICENSE_FILES = COPYING LICENSING WOLFSSL_DEPENDENCIES = host-pkgconf @@ -17,6 +17,8 @@ WOLFSSL_DEPENDENCIES = host-pkgconf # script, so we need autoreconf WOLFSSL_AUTORECONF = YES +WOLFSSL_CONF_OPTS = --disable-examples --disable-crypttests + ifeq ($(BR2_PACKAGE_WOLFSSL_ALL),y) WOLFSSL_CONF_OPTS += --enable-all else diff --git a/buildroot/package/wpa_supplicant/wpa_supplicant.mk b/buildroot/package/wpa_supplicant/wpa_supplicant.mk index 8e7b9c3a6..7170db0d0 100644 --- a/buildroot/package/wpa_supplicant/wpa_supplicant.mk +++ b/buildroot/package/wpa_supplicant/wpa_supplicant.mk @@ -115,7 +115,7 @@ WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf libopenssl WPA_SUPPLICANT_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl` WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/' else -WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_PWD +WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/' endif diff --git a/buildroot/package/wpewebkit/wpewebkit.hash b/buildroot/package/wpewebkit/wpewebkit.hash index fcc35c502..1a6fbc8b9 100644 --- a/buildroot/package/wpewebkit/wpewebkit.hash +++ b/buildroot/package/wpewebkit/wpewebkit.hash @@ -1,7 +1,7 @@ -# From https://wpewebkit.org/releases/wpewebkit-2.28.3.tar.xz.sums -md5 0b3655598f340a5c83cc26423fefcf36 wpewebkit-2.28.3.tar.xz -sha1 ea03d365584ef5e86ca28cec6ca072a4674e9312 wpewebkit-2.28.3.tar.xz -sha256 2539263a4d73c00abfe0205f54770dc1f6d2b635edbe41e748b507254f21e98b wpewebkit-2.28.3.tar.xz +# From https://wpewebkit.org/releases/wpewebkit-2.28.4.tar.xz.sums +md5 6ab041f6ebdb2e053981de5980c864e7 wpewebkit-2.28.4.tar.xz +sha1 b31739a86a269eac4ddd5e537cdf954224672450 wpewebkit-2.28.4.tar.xz +sha256 785d83b99cd45cedb7c4f1f697db773a5a81eb0a42aeeafa3c623053f6fde87a wpewebkit-2.28.4.tar.xz # Hashes for license files: sha256 0b5d3a7cc325942567373b0ecd757d07c132e0ebd7c97bfc63f7e1a76094edb4 Source/WebCore/LICENSE-APPLE diff --git a/buildroot/package/wpewebkit/wpewebkit.mk b/buildroot/package/wpewebkit/wpewebkit.mk index 22c3d9646..646bdd938 100644 --- a/buildroot/package/wpewebkit/wpewebkit.mk +++ b/buildroot/package/wpewebkit/wpewebkit.mk @@ -4,7 +4,7 @@ # ################################################################################ -WPEWEBKIT_VERSION = 2.28.3 +WPEWEBKIT_VERSION = 2.28.4 WPEWEBKIT_SITE = http://www.wpewebkit.org/releases WPEWEBKIT_SOURCE = wpewebkit-$(WPEWEBKIT_VERSION).tar.xz WPEWEBKIT_INSTALL_STAGING = YES diff --git a/buildroot/package/x11r7/xlib_libX11/xlib_libX11.hash b/buildroot/package/x11r7/xlib_libX11/xlib_libX11.hash index defaa4c98..142e4505d 100644 --- a/buildroot/package/x11r7/xlib_libX11/xlib_libX11.hash +++ b/buildroot/package/x11r7/xlib_libX11/xlib_libX11.hash @@ -1,7 +1,6 @@ -# From https://lists.x.org/archives/xorg-announce/2019-October/003025.html -md5 55adbfb6d4370ecac5e70598c4e7eed2 libX11-1.6.9.tar.bz2 -sha1 62456536411f2540fbd4a3f59ed8af94967124c2 libX11-1.6.9.tar.bz2 -sha256 9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1 libX11-1.6.9.tar.bz2 -sha512 fc18f0dc17ade1fc37402179f52e1f2b9c7b7d3a1a9590fea13046eb0c5193b4796289431cd99388eac01e8e59de77db45d2c9675d4f05ef8cf3ba6382c3dd31 libX11-1.6.9.tar.bz2 +# From https://lists.x.org/archives/xorg-announce/2020-August/003057.html +sha256 f108227469419ac04d196df0f3b80ce1f7f65059bb54c0de811f4d8e03fd6ec7 libX11-1.6.12.tar.bz2 +sha512 79df7d61d9009b0dd3b65f67a62189aa0a43799c01026b3d2d534092596a0b67f246af5e398a89eb1ccc61a27335f81be8262b8a39768a76f62d862cd7415a47 libX11-1.6.12.tar.bz2 + # Locally computed -sha256 2daec087a88e7c9b8082557cdeebad5bbb8155a4137472f0b22e269cd99d0c1e COPYING +sha256 2daec087a88e7c9b8082557cdeebad5bbb8155a4137472f0b22e269cd99d0c1e COPYING diff --git a/buildroot/package/x11r7/xlib_libX11/xlib_libX11.mk b/buildroot/package/x11r7/xlib_libX11/xlib_libX11.mk index 18949c604..ba9fcef25 100644 --- a/buildroot/package/x11r7/xlib_libX11/xlib_libX11.mk +++ b/buildroot/package/x11r7/xlib_libX11/xlib_libX11.mk @@ -4,7 +4,7 @@ # ################################################################################ -XLIB_LIBX11_VERSION = 1.6.9 +XLIB_LIBX11_VERSION = 1.6.12 XLIB_LIBX11_SOURCE = libX11-$(XLIB_LIBX11_VERSION).tar.bz2 XLIB_LIBX11_SITE = https://xorg.freedesktop.org/archive/individual/lib XLIB_LIBX11_LICENSE = MIT diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0002-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0002-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch deleted file mode 100644 index c5f04bf25..000000000 --- a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0002-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch +++ /dev/null @@ -1,66 +0,0 @@ -Discover monotonic clock using compile-time check - -monotonic clock check does not work when cross-compiling. - -Upstream-Status: Denied [Does not work on OpenBSD] -Signed-off-by: Jussi Kukkonen - - - -Original patch follows: - -When xorg-xserver is being cross-compiled, there is currently no way -for us to detect whether the monotonic clock is available on the -target system, because we aren't able to run a test program on the host -system. Currently, in this situation, we default to not use the -monotonic clock. One problem with this situation is that the user will -be treated as idle when the date is updated. - -To fix this situation, we now use a compile-time check to detect whether the -monotonic clock is available. This check can run just fine when we are -cross-compiling. - -Signed-off-by: David James - -Downloaded from -https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch - -Signed-off-by: Bernd Kuhls ---- - configure.ac | 17 +++++++---------- - 1 file changed, 7 insertions(+), 10 deletions(-) - -diff --git a/configure.ac b/configure.ac -index f7ab48c..26e85cd 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1048,19 +1048,16 @@ if ! test "x$have_clock_gettime" = xno; then - CPPFLAGS="$CPPFLAGS -D_POSIX_C_SOURCE=200112L" - fi - -- AC_RUN_IFELSE([AC_LANG_SOURCE([ -+ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ - #include -- --int main(int argc, char *argv[[]]) { -- struct timespec tp; -- -- if (clock_gettime(CLOCK_MONOTONIC, &tp) == 0) -+#include -+int main() { -+#if !(defined(_POSIX_MONOTONIC_CLOCK) && _POSIX_MONOTONIC_CLOCK >= 0 && defined(CLOCK_MONOTONIC)) -+ #error No monotonic clock -+#endif - return 0; -- else -- return 1; - } -- ])], [MONOTONIC_CLOCK=yes], [MONOTONIC_CLOCK=no], -- [MONOTONIC_CLOCK="cross compiling"]) -+]])],[MONOTONIC_CLOCK=yes], [MONOTONIC_CLOCK=no]) - - LIBS="$LIBS_SAVE" - CPPFLAGS="$CPPFLAGS_SAVE" --- -2.1.4 - diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0001-modesettings-needs-dri2.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0001-modesettings-needs-dri2.patch similarity index 97% rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0001-modesettings-needs-dri2.patch rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0001-modesettings-needs-dri2.patch index 97ec29d04..74917720c 100644 --- a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0001-modesettings-needs-dri2.patch +++ b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0001-modesettings-needs-dri2.patch @@ -9,7 +9,7 @@ Signed-off-by: Bernd Kuhls diff -uNr xorg-server-1.17.2.org/configure.ac xorg-server-1.17.2/configure.ac --- xorg-server-1.17.2.org/configure.ac 2015-06-16 17:42:40.000000000 +0200 +++ xorg-server-1.17.2/configure.ac 2015-08-08 10:44:59.702382624 +0200 -@@ -2036,7 +2036,7 @@ +@@ -1962,7 +1962,7 @@ XORG_SYS_LIBS="$XORG_SYS_LIBS $XORG_MODULES_LIBS" fi diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0003-Remove-check-for-useSIGIO-option.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0002-Remove-check-for-useSIGIO-option.patch similarity index 96% rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0003-Remove-check-for-useSIGIO-option.patch rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0002-Remove-check-for-useSIGIO-option.patch index d4f0cca67..68a9d7fc7 100644 --- a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0003-Remove-check-for-useSIGIO-option.patch +++ b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0002-Remove-check-for-useSIGIO-option.patch @@ -38,7 +38,7 @@ index 884a71c..be76498 100644 for (i = 0; i < MAX_FUNCS; i++) { if (!xf86SigIOFuncs[i].f) { if (xf86IsPipe(fd)) -@@ -256,9 +253,6 @@ xf86RemoveSIGIOHandler(int fd) +@@ -257,9 +256,6 @@ xf86RemoveSIGIOHandler(int fd) int max; int ret; diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0004-include-misc.h-fix-uClibc-build.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0003-include-misc.h-fix-uClibc-build.patch similarity index 100% rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0004-include-misc.h-fix-uClibc-build.patch rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0003-include-misc.h-fix-uClibc-build.patch diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0005-hw-xwayland-Makefile.am-fix-build-without-glx.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0004-hw-xwayland-Makefile.am-fix-build-without-glx.patch similarity index 100% rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0005-hw-xwayland-Makefile.am-fix-build-without-glx.patch rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0004-hw-xwayland-Makefile.am-fix-build-without-glx.patch diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0006-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0005-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch similarity index 97% rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0006-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0005-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch index f1fdfe3e3..de086fb66 100644 --- a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0006-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch +++ b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0005-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch @@ -32,8 +32,8 @@ diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c index 0631c7237..e6fb11398 100644 --- a/hw/xfree86/common/xf86Init.c +++ b/hw/xfree86/common/xf86Init.c -@@ -74,7 +74,6 @@ - #include "xf86Crtc.h" +@@ -78,7 +78,6 @@ + #include "xf86InPriv.h" #include "picturestr.h" #include "randrstr.h" -#include "glxvndabi.h" diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0006-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0006-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch new file mode 100644 index 000000000..7802fd96c --- /dev/null +++ b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0006-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch @@ -0,0 +1,33 @@ +From e50c85f4ebf559a3bac4817b41074c43d4691779 Mon Sep 17 00:00:00 2001 +From: Eric Anholt +Date: Fri, 26 Oct 2018 17:47:30 -0700 +Subject: [PATCH] Fix segfault on probing a non-PCI platform device on a system + with PCI. + +Some Broadcom set-top-box boards have PCI busses, but the GPU is still +probed through DT. We would dereference a null busid here in that +case. + +Signed-off-by: Eric Anholt +Backported from: e50c85f4ebf559a3bac4817b41074c43d4691779 +Signed-off-by: Joseph Kogut +--- + hw/xfree86/common/xf86platformBus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c +index cef47da03..dadbac6c8 100644 +--- a/hw/xfree86/common/xf86platformBus.c ++++ b/hw/xfree86/common/xf86platformBus.c +@@ -289,7 +289,7 @@ xf86platformProbe(void) + for (i = 0; i < xf86_num_platform_devices; i++) { + char *busid = xf86_platform_odev_attributes(i)->busid; + +- if (pci && (strncmp(busid, "pci:", 4) == 0)) { ++ if (pci && busid && (strncmp(busid, "pci:", 4) == 0)) { + platform_find_pci_info(&xf86_platform_devices[i], busid); + } + +-- +2.24.1 + diff --git a/buildroot/package/x11r7/xserver_xorg-server/Config.in b/buildroot/package/x11r7/xserver_xorg-server/Config.in index 79968ea97..87f1b37da 100644 --- a/buildroot/package/x11r7/xserver_xorg-server/Config.in +++ b/buildroot/package/x11r7/xserver_xorg-server/Config.in @@ -61,7 +61,7 @@ choice bool "X Window System server version" config BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_20 - bool "1.20.8" + bool "1.20.9" select BR2_PACKAGE_XSERVER_XORG_SERVER_VIDEODRV_ABI_24 select BR2_PACKAGE_XLIB_LIBXFONT2 @@ -79,7 +79,7 @@ endchoice config BR2_PACKAGE_XSERVER_XORG_SERVER_VERSION string - default "1.20.8" if BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_20 + default "1.20.9" if BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_20 default "1.17.4" if BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_17 default "1.14.7" if BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_14 diff --git a/buildroot/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash b/buildroot/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash index f7b1bc14b..930900c5e 100644 --- a/buildroot/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash +++ b/buildroot/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash @@ -1,11 +1,11 @@ # From http://lists.x.org/archives/xorg-announce/2014-June/002440.html -sha1 7a95765e56b124758fcd7b609589e65b8870880b xorg-server-1.14.7.tar.bz2 -sha256 fcf66fa6ad86227613d2d3e8ae13ded297e2a1e947e9060a083eaf80d323451f xorg-server-1.14.7.tar.bz2 +sha1 7a95765e56b124758fcd7b609589e65b8870880b xorg-server-1.14.7.tar.bz2 +sha256 fcf66fa6ad86227613d2d3e8ae13ded297e2a1e947e9060a083eaf80d323451f xorg-server-1.14.7.tar.bz2 # From https://lists.x.org/archives/xorg-announce/2015-October/002650.html -sha256 0c4b45c116a812a996eb432d8508cf26c2ec8c3916ff2a50781796882f8d6457 xorg-server-1.17.4.tar.bz2 -# From https://lists.x.org/archives/xorg-announce/2020-March/003041.html -sha256 d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146 xorg-server-1.20.8.tar.bz2 -sha512 ab0ec0fcbf490c61558b9297f61b58fd2dedb676c78bef6431dc9166054743b43a0091b88a8b3f4e81d1f539909440ee7e188a298cefabe13ea89159639cd805 xorg-server-1.20.8.tar.bz2 +sha256 0c4b45c116a812a996eb432d8508cf26c2ec8c3916ff2a50781796882f8d6457 xorg-server-1.17.4.tar.bz2 +# From https://lists.x.org/archives/xorg-announce/2020-August/003059.html +sha256 e219f2e0dfe455467939149d7cd2ee53b79b512cc1d2094ae4f5c9ed9ccd3571 xorg-server-1.20.9.tar.bz2 +sha512 d9b5f93e1b9763a89187d8b272aa7d4ce9709641b8539f4536708af153310e5a4931bffd4229c51a3b0e3b12da7838750aa71b635751fb4c0bb27438cce4e5e6 xorg-server-1.20.9.tar.bz2 # Locally calculated -sha256 4cc0447a22635c7b2f1a93fec4aa94f1970fadeb72a063de006b51cf4963a06f COPYING +sha256 4cc0447a22635c7b2f1a93fec4aa94f1970fadeb72a063de006b51cf4963a06f COPYING diff --git a/buildroot/package/xen/xen.hash b/buildroot/package/xen/xen.hash index ab5f9d908..0dd2f571a 100644 --- a/buildroot/package/xen/xen.hash +++ b/buildroot/package/xen/xen.hash @@ -1,3 +1,4 @@ # Locally computed sha256 b97ce363e55b12c992063f4466c43cba0a6386ceb7a747b4dc670311f337ef01 xen-4.13.1.tar.gz +sha256 1d057695d5b74ce2857204103e943caeaf773bc4fb9d91ea78016e01a9147ed7 xsa327.patch sha256 36b91794c6d4a678137c70c41e384c03b552c7efba82c0d73e6be842e41ab3d3 COPYING diff --git a/buildroot/package/xen/xen.mk b/buildroot/package/xen/xen.mk index 15742b512..ee5e9847f 100644 --- a/buildroot/package/xen/xen.mk +++ b/buildroot/package/xen/xen.mk @@ -6,6 +6,8 @@ XEN_VERSION = 4.13.1 XEN_SITE = https://downloads.xenproject.org/release/xen/$(XEN_VERSION) +XEN_PATCH = \ + https://xenbits.xenproject.org/xsa/xsa327.patch XEN_LICENSE = GPL-2.0 XEN_LICENSE_FILES = COPYING XEN_DEPENDENCIES = host-acpica host-python3 diff --git a/buildroot/package/ympd/0002-only-c-language.patch b/buildroot/package/ympd/0001-only-c-language.patch similarity index 100% rename from buildroot/package/ympd/0002-only-c-language.patch rename to buildroot/package/ympd/0001-only-c-language.patch diff --git a/buildroot/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch b/buildroot/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch deleted file mode 100644 index 49f753b27..000000000 --- a/buildroot/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch +++ /dev/null @@ -1,36 +0,0 @@ -From d59dcbcaebd91ca30a0f866403c383177a4843f8 Mon Sep 17 00:00:00 2001 -From: Fabrice Fontaine -Date: Sun, 12 Jan 2020 10:10:15 +0100 -Subject: [PATCH] acinclude.m4: add -latomic to PKGCFG_LIBS_PRIVATE - -Add -latomic to PKGCFG_LIBS_PRIVATE so applications linking statically -with libzmq (such czmq) will know that they have to link with -latomic -and the following build failure will be avoided: - - CCLD src/czmq_selftest -/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/7.4.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/run/instance-3/output-1/host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libzmq.a(src_libzmq_la-ctx.o): in function `zmq::ctx_t::create_socket(int)': -ctx.cpp:(.text+0x1710): undefined reference to `__atomic_fetch_add_4' - -Fixes: - - http://autobuild.buildroot.org/results/4a12f1ede260cd956a0b5ccb4eec6ca8b44cb04f - -Signed-off-by: Fabrice Fontaine -[Retrieved from: -https://github.com/zeromq/libzmq/commit/d59dcbcaebd91ca30a0f866403c383177a4843f8] ---- - acinclude.m4 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/acinclude.m4 b/acinclude.m4 -index 8c042ca50..387a3d2a1 100644 ---- a/acinclude.m4 -+++ b/acinclude.m4 -@@ -691,7 +691,7 @@ int main (int, char **) - return t; - } - ])], -- [AC_MSG_RESULT(yes) ; libzmq_cv_has_atomic_instrisics="yes" ; $1], -+ [AC_MSG_RESULT(yes) ; libzmq_cv_has_atomic_instrisics="yes" PKGCFG_LIBS_PRIVATE="$PKGCFG_LIBS_PRIVATE -latomic" ; $1], - [AC_MSG_RESULT(no) ; libzmq_cv_has_atomic_instrisics="no" LIBS=$save_LIBS ; $2]) - fi - }]) diff --git a/buildroot/package/zeromq/zeromq.hash b/buildroot/package/zeromq/zeromq.hash index 689d960b2..17ffff876 100644 --- a/buildroot/package/zeromq/zeromq.hash +++ b/buildroot/package/zeromq/zeromq.hash @@ -1,7 +1,7 @@ # From https://github.com/zeromq/libzmq/releases -md5 2047e917c2cc93505e2579bcba67a573 zeromq-4.3.2.tar.gz -sha1 e5253bff214f77621b3d29443f1aa6e5a106ffe5 zeromq-4.3.2.tar.gz +md5 78acc277d95e10812d71b2b3c3c3c9a9 zeromq-4.3.3.tar.gz +sha1 d78bc504194d6908df40a2b9e41849b181b02491 zeromq-4.3.3.tar.gz # Locally computed -sha256 ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763 zeromq-4.3.2.tar.gz -sha256 4fd86507c9b486764343065a9e035222869a27b5789efeb4fd93edc85412d7a3 COPYING -sha256 83f32abe61ee58ffb1b007412c08415168c052501dbf56d7a47aaaac52b03ef6 COPYING.LESSER +sha256 9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2 zeromq-4.3.3.tar.gz +sha256 4fd86507c9b486764343065a9e035222869a27b5789efeb4fd93edc85412d7a3 COPYING +sha256 83f32abe61ee58ffb1b007412c08415168c052501dbf56d7a47aaaac52b03ef6 COPYING.LESSER diff --git a/buildroot/package/zeromq/zeromq.mk b/buildroot/package/zeromq/zeromq.mk index 04f7e7d3f..7840d0362 100644 --- a/buildroot/package/zeromq/zeromq.mk +++ b/buildroot/package/zeromq/zeromq.mk @@ -4,15 +4,13 @@ # ################################################################################ -ZEROMQ_VERSION = 4.3.2 +ZEROMQ_VERSION = 4.3.3 ZEROMQ_SITE = https://github.com/zeromq/libzmq/releases/download/v$(ZEROMQ_VERSION) ZEROMQ_INSTALL_STAGING = YES ZEROMQ_DEPENDENCIES = util-linux ZEROMQ_CONF_OPTS = --without-documentation ZEROMQ_LICENSE = LGPL-3.0+ with exceptions ZEROMQ_LICENSE_FILES = COPYING COPYING.LESSER -# We're patching acinclude.m4 -ZEROMQ_AUTORECONF = YES # Assume these flags are always available. It is true, at least for # SOCK_CLOEXEC, since linux v2.6.27. diff --git a/buildroot/package/zstd/zstd.mk b/buildroot/package/zstd/zstd.mk index e2ba12b05..35002da33 100644 --- a/buildroot/package/zstd/zstd.mk +++ b/buildroot/package/zstd/zstd.mk @@ -71,7 +71,7 @@ endef # note: no 'HAVE_...' options for host library build only define HOST_ZSTD_BUILD_CMDS $(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) \ - -C $(@D)/lib + -C $(@D)/lib libzstd.a libzstd $(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) \ -C $(@D) zstd endef diff --git a/buildroot/support/dependencies/dependencies.sh b/buildroot/support/dependencies/dependencies.sh index 98469bd70..891e23404 100755 --- a/buildroot/support/dependencies/dependencies.sh +++ b/buildroot/support/dependencies/dependencies.sh @@ -180,6 +180,12 @@ if test "${missing_progs}" = "yes" ; then exit 1 fi +# apply-patches.sh needs patch with --no-backup-if-mismatch support (GNU, busybox w/DESKTOP) +if ! patch --no-backup-if-mismatch /dev/null; then + echo "Your patch program does not support the --no-backup-if-mismatch option. Install GNU patch" + exit 1 +fi + if grep ^BR2_NEEDS_HOST_UTF8_LOCALE=y $BR2_CONFIG > /dev/null; then if ! which locale > /dev/null ; then echo diff --git a/buildroot/support/docker/Dockerfile b/buildroot/support/docker/Dockerfile index 03acde85d..a9bacca3a 100644 --- a/buildroot/support/docker/Dockerfile +++ b/buildroot/support/docker/Dockerfile @@ -36,10 +36,8 @@ RUN apt-get install -y --no-install-recommends \ libncurses5-dev \ locales \ mercurial \ - python-flake8 \ - python-nose2 \ - python-pexpect \ python3 \ + python3-flake8 \ python3-nose2 \ python3-pexpect \ qemu-system-arm \ diff --git a/buildroot/support/misc/Vagrantfile b/buildroot/support/misc/Vagrantfile index bbb66a5c2..f08806df9 100644 --- a/buildroot/support/misc/Vagrantfile +++ b/buildroot/support/misc/Vagrantfile @@ -5,7 +5,7 @@ ################################################################################ # Buildroot version to use -RELEASE='2020.02' +RELEASE='2020.02.7' ### Change here for more memory/cores ### VM_MEMORY=2048 diff --git a/buildroot/support/scripts/apply-patches.sh b/buildroot/support/scripts/apply-patches.sh index 66fef262e..2d39d63da 100755 --- a/buildroot/support/scripts/apply-patches.sh +++ b/buildroot/support/scripts/apply-patches.sh @@ -119,7 +119,7 @@ function apply_patch { exit 1 fi echo "${path}/${patch}" >> ${builddir}/.applied_patches_list - ${uncomp} "${path}/$patch" | patch -g0 -p1 -E -d "${builddir}" -t -N $silent + ${uncomp} "${path}/$patch" | patch -g0 -p1 -E --no-backup-if-mismatch -d "${builddir}" -t -N $silent if [ $? != 0 ] ; then echo "Patch failed! Please fix ${patch}!" exit 1 @@ -168,6 +168,3 @@ if [ "`find $builddir/ '(' -name '*.rej' -o -name '.*.rej' ')' -print`" ] ; then echo "Aborting. Reject files found." exit 1 fi - -# Remove backup files -find $builddir/ '(' -name '*.orig' -o -name '.*.orig' ')' -exec rm -f {} \; diff --git a/buildroot/support/scripts/pkg-stats b/buildroot/support/scripts/pkg-stats index 8a67e509e..e642147b9 100755 --- a/buildroot/support/scripts/pkg-stats +++ b/buildroot/support/scripts/pkg-stats @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # Copyright (C) 2009 by Thomas Petazzoni # @@ -16,23 +16,25 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +import aiohttp import argparse +import asyncio import datetime import fnmatch import os from collections import defaultdict import re import subprocess -import requests # URL checking +import requests # NVD database download import json import ijson -import certifi import distutils.version import time import gzip -from urllib3 import HTTPSConnectionPool -from urllib3.exceptions import HTTPError -from multiprocessing import Pool +import sys + +sys.path.append('utils/') +from getdeveloperlib import parse_developers # noqa: E402 NVD_START_YEAR = 2002 NVD_JSON_VERSION = "1.0" @@ -46,32 +48,68 @@ RM_API_STATUS_FOUND_BY_DISTRO = 2 RM_API_STATUS_FOUND_BY_PATTERN = 3 RM_API_STATUS_NOT_FOUND = 4 -# Used to make multiple requests to the same host. It is global -# because it's used by sub-processes. -http_pool = None +CVE_AFFECTS = 1 +CVE_DOESNT_AFFECT = 2 +CVE_UNKNOWN = 3 + + +class Defconfig: + def __init__(self, name, path): + self.name = name + self.path = path + self.developers = None + + def set_developers(self, developers): + """ + Fills in the .developers field + """ + self.developers = [ + developer.name + for developer in developers + if developer.hasfile(self.path) + ] + + +def get_defconfig_list(): + """ + Builds the list of Buildroot defconfigs, returning a list of Defconfig + objects. + """ + return [ + Defconfig(name[:-len('_defconfig')], os.path.join('configs', name)) + for name in os.listdir('configs') + if name.endswith('_defconfig') + ] class Package: - all_licenses = list() + all_licenses = dict() all_license_files = list() all_versions = dict() all_ignored_cves = dict() + # This is the list of all possible checks. Add new checks to this list so + # a tool that post-processeds the json output knows the checks before + # iterating over the packages. + status_checks = ['cve', 'developers', 'hash', 'license', + 'license-files', 'patches', 'pkg-check', 'url', 'version'] def __init__(self, name, path): self.name = name self.path = path + self.pkg_path = os.path.dirname(path) self.infras = None + self.license = None self.has_license = False self.has_license_files = False self.has_hash = False - self.patch_count = 0 + self.patch_files = [] self.warnings = 0 self.current_version = None self.url = None - self.url_status = None self.url_worker = None self.cves = list() - self.latest_version = (RM_API_STATUS_ERROR, None, None) + self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None} + self.status = {} def pkgvar(self): return self.name.upper().replace("-", "_") @@ -80,19 +118,32 @@ class Package: """ Fills in the .url field """ - self.url_status = "No Config.in" + self.status['url'] = ("warning", "no Config.in") for filename in os.listdir(os.path.dirname(self.path)): if fnmatch.fnmatch(filename, 'Config.*'): fp = open(os.path.join(os.path.dirname(self.path), filename), "r") for config_line in fp: if URL_RE.match(config_line): self.url = config_line.strip() - self.url_status = "Found" + self.status['url'] = ("ok", "found") fp.close() return - self.url_status = "Missing" + self.status['url'] = ("error", "missing") fp.close() + @property + def patch_count(self): + return len(self.patch_files) + + @property + def has_valid_infra(self): + try: + if self.infras[0][1] == 'virtual': + return False + except IndexError: + return False + return True + def set_infra(self): """ Fills in the .infras field @@ -112,29 +163,55 @@ class Package: def set_license(self): """ - Fills in the .has_license and .has_license_files fields + Fills in the .status['license'] and .status['license-files'] fields """ + if not self.has_valid_infra: + self.status['license'] = ("na", "no valid package infra") + self.status['license-files'] = ("na", "no valid package infra") + return + var = self.pkgvar() + self.status['license'] = ("error", "missing") + self.status['license-files'] = ("error", "missing") if var in self.all_licenses: - self.has_license = True + self.license = self.all_licenses[var] + self.status['license'] = ("ok", "found") if var in self.all_license_files: - self.has_license_files = True + self.status['license-files'] = ("ok", "found") def set_hash_info(self): """ - Fills in the .has_hash field + Fills in the .status['hash'] field """ + if not self.has_valid_infra: + self.status['hash'] = ("na", "no valid package infra") + self.status['hash-license'] = ("na", "no valid package infra") + return + hashpath = self.path.replace(".mk", ".hash") - self.has_hash = os.path.exists(hashpath) + if os.path.exists(hashpath): + self.status['hash'] = ("ok", "found") + else: + self.status['hash'] = ("error", "missing") def set_patch_count(self): """ - Fills in the .patch_count field + Fills in the .patch_count, .patch_files and .status['patches'] fields """ - self.patch_count = 0 + if not self.has_valid_infra: + self.status['patches'] = ("na", "no valid package infra") + return + pkgdir = os.path.dirname(self.path) for subdir, _, _ in os.walk(pkgdir): - self.patch_count += len(fnmatch.filter(os.listdir(subdir), '*.patch')) + self.patch_files = fnmatch.filter(os.listdir(subdir), '*.patch') + + if self.patch_count == 0: + self.status['patches'] = ("ok", "no patches") + elif self.patch_count < 5: + self.status['patches'] = ("warning", "some patches") + else: + self.status['patches'] = ("error", "lots of patches") def set_current_version(self): """ @@ -146,10 +223,11 @@ class Package: def set_check_package_warnings(self): """ - Fills in the .warnings field + Fills in the .warnings and .status['pkg-check'] fields """ cmd = ["./utils/check-package"] pkgdir = os.path.dirname(self.path) + self.status['pkg-check'] = ("error", "Missing") for root, dirs, files in os.walk(pkgdir): for f in files: if f.endswith(".mk") or f.endswith(".hash") or f == "Config.in" or f == "Config.in.host": @@ -160,6 +238,10 @@ class Package: m = re.match("^([0-9]*) warnings generated", line.decode()) if m: self.warnings = int(m.group(1)) + if self.warnings == 0: + self.status['pkg-check'] = ("ok", "no warnings") + else: + self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings)) return def is_cve_ignored(self, cve): @@ -168,6 +250,24 @@ class Package: """ return cve in self.all_ignored_cves.get(self.pkgvar(), []) + def set_developers(self, developers): + """ + Fills in the .developers and .status['developers'] field + """ + self.developers = [ + dev.name + for dev in developers + if dev.hasfile(self.path) + ] + + if self.developers: + self.status['developers'] = ("ok", "{} developers".format(len(self.developers))) + else: + self.status['developers'] = ("warning", "no developers") + + def is_status_ok(self, name): + return self.status[name][0] == 'ok' + def __eq__(self, other): return self.path == other.path @@ -176,7 +276,8 @@ class Package: def __str__(self): return "%s (path='%s', license='%s', license_files='%s', hash='%s', patches=%d)" % \ - (self.name, self.path, self.has_license, self.has_license_files, self.has_hash, self.patch_count) + (self.name, self.path, self.is_status_ok('license'), + self.is_status_ok('license-files'), self.status['hash'], self.patch_count) class CVE: @@ -233,7 +334,7 @@ class CVE: filename = CVE.download_nvd_year(nvd_dir, year) try: content = ijson.items(gzip.GzipFile(filename), 'CVE_Items.item') - except: + except: # noqa: E722 print("ERROR: cannot read %s. Please remove the file then rerun this script" % filename) raise for cve in content: @@ -261,7 +362,7 @@ class CVE: by this CVE. """ if br_pkg.is_cve_ignored(self.identifier): - return False + return CVE_DOESNT_AFFECT for product in self.each_product(): if product['product_name'] != br_pkg.name: @@ -270,7 +371,7 @@ class CVE: for v in product['version']['version_data']: if v["version_affected"] == "=": if br_pkg.current_version == v["version_value"]: - return True + return CVE_AFFECTS elif v["version_affected"] == "<=": pkg_version = distutils.version.LooseVersion(br_pkg.current_version) if not hasattr(pkg_version, "version"): @@ -280,10 +381,17 @@ class CVE: if not hasattr(cve_affected_version, "version"): print("Cannot parse CVE affected version '%s'" % v["version_value"]) continue - return pkg_version <= cve_affected_version + try: + affected = pkg_version <= cve_affected_version + except TypeError: + return CVE_UNKNOWN + if affected: + return CVE_AFFECTS + else: + return CVE_DOESNT_AFFECT else: print("version_affected: %s" % v['version_affected']) - return False + return CVE_DOESNT_AFFECT def get_pkglist(npackages, package_list): @@ -370,7 +478,7 @@ def package_init_make_info(): if value == "unknown": continue pkgvar = pkgvar[:-8] - Package.all_licenses.append(pkgvar) + Package.all_licenses[pkgvar] = value elif pkgvar.endswith("_LICENSE_FILES"): if pkgvar.endswith("_MANIFEST_LICENSE_FILES"): @@ -389,82 +497,140 @@ def package_init_make_info(): Package.all_ignored_cves[pkgvar] = value.split() -def check_url_status_worker(url, url_status): - if url_status != "Missing" and url_status != "No Config.in": - try: - url_status_code = requests.head(url, timeout=30).status_code - if url_status_code >= 400: - return "Invalid(%s)" % str(url_status_code) - except requests.exceptions.RequestException: - return "Invalid(Err)" - return "Ok" - return url_status +check_url_count = 0 -def check_package_urls(packages): - pool = Pool(processes=64) - for pkg in packages: - pkg.url_worker = pool.apply_async(check_url_status_worker, (pkg.url, pkg.url_status)) - for pkg in packages: - pkg.url_status = pkg.url_worker.get(timeout=3600) - del pkg.url_worker - pool.terminate() +async def check_url_status(session, pkg, npkgs, retry=True): + global check_url_count - -def release_monitoring_get_latest_version_by_distro(pool, name): try: - req = pool.request('GET', "/api/project/Buildroot/%s" % name) - except HTTPError: - return (RM_API_STATUS_ERROR, None, None) + async with session.get(pkg.url) as resp: + if resp.status >= 400: + pkg.status['url'] = ("error", "invalid {}".format(resp.status)) + check_url_count += 1 + print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name)) + return + except (aiohttp.ClientError, asyncio.TimeoutError): + if retry: + return await check_url_status(session, pkg, npkgs, retry=False) + else: + pkg.status['url'] = ("error", "invalid (err)") + check_url_count += 1 + print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name)) + return - if req.status != 200: - return (RM_API_STATUS_NOT_FOUND, None, None) + pkg.status['url'] = ("ok", "valid") + check_url_count += 1 + print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name)) - data = json.loads(req.data) - if 'version' in data: - return (RM_API_STATUS_FOUND_BY_DISTRO, data['version'], data['id']) +async def check_package_urls(packages): + tasks = [] + connector = aiohttp.TCPConnector(limit_per_host=5) + async with aiohttp.ClientSession(connector=connector, trust_env=True) as sess: + packages = [p for p in packages if p.status['url'][0] == 'ok'] + for pkg in packages: + tasks.append(check_url_status(sess, pkg, len(packages))) + await asyncio.wait(tasks) + + +def check_package_latest_version_set_status(pkg, status, version, identifier): + pkg.latest_version = { + "status": status, + "version": version, + "id": identifier, + } + + if pkg.latest_version['status'] == RM_API_STATUS_ERROR: + pkg.status['version'] = ('warning', "Release Monitoring API error") + elif pkg.latest_version['status'] == RM_API_STATUS_NOT_FOUND: + pkg.status['version'] = ('warning', "Package not found on Release Monitoring") + + if pkg.latest_version['version'] is None: + pkg.status['version'] = ('warning', "No upstream version available on Release Monitoring") + elif pkg.latest_version['version'] != pkg.current_version: + pkg.status['version'] = ('error', "The newer version {} is available upstream".format(pkg.latest_version['version'])) else: - return (RM_API_STATUS_FOUND_BY_DISTRO, None, data['id']) + pkg.status['version'] = ('ok', 'up-to-date') -def release_monitoring_get_latest_version_by_guess(pool, name): +async def check_package_get_latest_version_by_distro(session, pkg, retry=True): + url = "https://release-monitoring.org//api/project/Buildroot/%s" % pkg.name try: - req = pool.request('GET', "/api/projects/?pattern=%s" % name) - except HTTPError: - return (RM_API_STATUS_ERROR, None, None) + async with session.get(url) as resp: + if resp.status != 200: + return False - if req.status != 200: - return (RM_API_STATUS_NOT_FOUND, None, None) + data = await resp.json() + version = data['version'] if 'version' in data else None + check_package_latest_version_set_status(pkg, + RM_API_STATUS_FOUND_BY_DISTRO, + version, + data['id']) + return True - data = json.loads(req.data) - - projects = data['projects'] - projects.sort(key=lambda x: x['id']) - - for p in projects: - if p['name'] == name and 'version' in p: - return (RM_API_STATUS_FOUND_BY_PATTERN, p['version'], p['id']) - - return (RM_API_STATUS_NOT_FOUND, None, None) + except (aiohttp.ClientError, asyncio.TimeoutError): + if retry: + return await check_package_get_latest_version_by_distro(session, pkg, retry=False) + else: + return False -def check_package_latest_version_worker(name): - """Wrapper to try both by name then by guess""" - print(name) - res = release_monitoring_get_latest_version_by_distro(http_pool, name) - if res[0] == RM_API_STATUS_NOT_FOUND: - res = release_monitoring_get_latest_version_by_guess(http_pool, name) - return res +async def check_package_get_latest_version_by_guess(session, pkg, retry=True): + url = "https://release-monitoring.org/api/projects/?pattern=%s" % pkg.name + try: + async with session.get(url) as resp: + if resp.status != 200: + return False + + data = await resp.json() + # filter projects that have the right name and a version defined + projects = [p for p in data['projects'] if p['name'] == pkg.name and 'version' in p] + projects.sort(key=lambda x: x['id']) + + if len(projects) > 0: + check_package_latest_version_set_status(pkg, + RM_API_STATUS_FOUND_BY_DISTRO, + projects[0]['version'], + projects[0]['id']) + return True + + except (aiohttp.ClientError, asyncio.TimeoutError): + if retry: + return await check_package_get_latest_version_by_guess(session, pkg, retry=False) + else: + return False -def check_package_latest_version(packages): +check_latest_count = 0 + + +async def check_package_latest_version_get(session, pkg, npkgs): + global check_latest_count + + if await check_package_get_latest_version_by_distro(session, pkg): + check_latest_count += 1 + print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name)) + return + + if await check_package_get_latest_version_by_guess(session, pkg): + check_latest_count += 1 + print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name)) + return + + check_package_latest_version_set_status(pkg, + RM_API_STATUS_NOT_FOUND, + None, None) + check_latest_count += 1 + print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name)) + + +async def check_package_latest_version(packages): """ Fills in the .latest_version field of all Package objects - This field has a special format: - (status, version, id) - with: + This field is a dict and has the following keys: + - status: one of RM_API_STATUS_ERROR, RM_API_STATUS_FOUND_BY_DISTRO, RM_API_STATUS_FOUND_BY_PATTERN, RM_API_STATUS_NOT_FOUND @@ -473,16 +639,17 @@ def check_package_latest_version(packages): - id: string containing the id of the project corresponding to this package, as known by release-monitoring.org """ - global http_pool - http_pool = HTTPSConnectionPool('release-monitoring.org', port=443, - cert_reqs='CERT_REQUIRED', ca_certs=certifi.where(), - timeout=30) - worker_pool = Pool(processes=64) - results = worker_pool.map(check_package_latest_version_worker, (pkg.name for pkg in packages)) - for pkg, r in zip(packages, results): - pkg.latest_version = r - worker_pool.terminate() - del http_pool + + for pkg in [p for p in packages if not p.has_valid_infra]: + pkg.status['version'] = ("na", "no valid package infra") + + tasks = [] + connector = aiohttp.TCPConnector(limit_per_host=5) + async with aiohttp.ClientSession(connector=connector, trust_env=True) as sess: + packages = [p for p in packages if p.has_valid_infra] + for pkg in packages: + tasks.append(check_package_latest_version_get(sess, pkg, len(packages))) + await asyncio.wait(tasks) def check_package_cves(nvd_path, packages): @@ -491,12 +658,13 @@ def check_package_cves(nvd_path, packages): for cve in CVE.read_nvd_dir(nvd_path): for pkg_name in cve.pkg_names: - if pkg_name in packages and cve.affects(packages[pkg_name]): + if pkg_name in packages and cve.affects(packages[pkg_name]) == CVE_AFFECTS: packages[pkg_name].cves.append(cve.identifier) def calculate_stats(packages): stats = defaultdict(int) + stats['packages'] = len(packages) for pkg in packages: # If packages have multiple infra, take the first one. For the # vast majority of packages, the target and host infra are the @@ -507,25 +675,25 @@ def calculate_stats(packages): stats["infra-%s" % infra] += 1 else: stats["infra-unknown"] += 1 - if pkg.has_license: + if pkg.is_status_ok('license'): stats["license"] += 1 else: stats["no-license"] += 1 - if pkg.has_license_files: + if pkg.is_status_ok('license-files'): stats["license-files"] += 1 else: stats["no-license-files"] += 1 - if pkg.has_hash: + if pkg.is_status_ok('hash'): stats["hash"] += 1 else: stats["no-hash"] += 1 - if pkg.latest_version[0] == RM_API_STATUS_FOUND_BY_DISTRO: + if pkg.latest_version['status'] == RM_API_STATUS_FOUND_BY_DISTRO: stats["rmo-mapping"] += 1 else: stats["rmo-no-mapping"] += 1 - if not pkg.latest_version[1]: + if not pkg.latest_version['version']: stats["version-unknown"] += 1 - elif pkg.latest_version[1] == pkg.current_version: + elif pkg.latest_version['version'] == pkg.current_version: stats["version-uptodate"] += 1 else: stats["version-not-uptodate"] += 1 @@ -658,30 +826,30 @@ def dump_html_pkg(f, pkg): # License td_class = ["centered"] - if pkg.has_license: + if pkg.is_status_ok('license'): td_class.append("correct") else: td_class.append("wrong") f.write(" %s\n" % - (" ".join(td_class), boolean_str(pkg.has_license))) + (" ".join(td_class), boolean_str(pkg.is_status_ok('license')))) # License files td_class = ["centered"] - if pkg.has_license_files: + if pkg.is_status_ok('license-files'): td_class.append("correct") else: td_class.append("wrong") f.write(" %s\n" % - (" ".join(td_class), boolean_str(pkg.has_license_files))) + (" ".join(td_class), boolean_str(pkg.is_status_ok('license-files')))) # Hash td_class = ["centered"] - if pkg.has_hash: + if pkg.is_status_ok('hash'): td_class.append("correct") else: td_class.append("wrong") f.write(" %s\n" % - (" ".join(td_class), boolean_str(pkg.has_hash))) + (" ".join(td_class), boolean_str(pkg.is_status_ok('hash')))) # Current version if len(pkg.current_version) > 20: @@ -691,29 +859,29 @@ def dump_html_pkg(f, pkg): f.write(" %s\n" % current_version) # Latest version - if pkg.latest_version[0] == RM_API_STATUS_ERROR: + if pkg.latest_version['status'] == RM_API_STATUS_ERROR: td_class.append("version-error") - if pkg.latest_version[1] is None: + if pkg.latest_version['version'] is None: td_class.append("version-unknown") - elif pkg.latest_version[1] != pkg.current_version: + elif pkg.latest_version['version'] != pkg.current_version: td_class.append("version-needs-update") else: td_class.append("version-good") - if pkg.latest_version[0] == RM_API_STATUS_ERROR: + if pkg.latest_version['status'] == RM_API_STATUS_ERROR: latest_version_text = "Error" - elif pkg.latest_version[0] == RM_API_STATUS_NOT_FOUND: + elif pkg.latest_version['status'] == RM_API_STATUS_NOT_FOUND: latest_version_text = "Not found" else: - if pkg.latest_version[1] is None: + if pkg.latest_version['version'] is None: latest_version_text = "Found, but no version" else: latest_version_text = "%s" % \ - (pkg.latest_version[2], str(pkg.latest_version[1])) + (pkg.latest_version['id'], str(pkg.latest_version['version'])) latest_version_text += "
    " - if pkg.latest_version[0] == RM_API_STATUS_FOUND_BY_DISTRO: + if pkg.latest_version['status'] == RM_API_STATUS_FOUND_BY_DISTRO: latest_version_text += "found by distro" else: latest_version_text += "found by guess" @@ -732,12 +900,12 @@ def dump_html_pkg(f, pkg): # URL status td_class = ["centered"] - url_str = pkg.url_status - if pkg.url_status == "Missing" or pkg.url_status == "No Config.in": + url_str = pkg.status['url'][1] + if pkg.status['url'][0] in ("error", "warning"): td_class.append("missing_url") - elif pkg.url_status.startswith("Invalid"): + if pkg.status['url'][0] == "error": td_class.append("invalid_url") - url_str = "%s" % (pkg.url, pkg.url_status) + url_str = "%s" % (pkg.url, pkg.status['url'][1]) else: td_class.append("good_url") url_str = "Link" % pkg.url @@ -832,7 +1000,7 @@ def dump_html(packages, stats, date, commit, output): f.write(html_footer) -def dump_json(packages, stats, date, commit, output): +def dump_json(packages, defconfigs, stats, date, commit, output): # Format packages as a dictionnary instead of a list # Exclude local field that does not contains real date excluded_fields = ['url_worker', 'name'] @@ -843,6 +1011,12 @@ def dump_json(packages, stats, date, commit, output): if k not in excluded_fields } for pkg in packages } + defconfigs = { + d.name: { + k: v + for k, v in d.__dict__.items() + } for d in defconfigs + } # Aggregate infrastructures into a single dict entry statistics = { k: v @@ -853,6 +1027,8 @@ def dump_json(packages, stats, date, commit, output): # The actual structure to dump, add commit and date to it final = {'packages': pkgs, 'stats': statistics, + 'defconfigs': defconfigs, + 'package_status_checks': Package.status_checks, 'commit': commit, 'date': str(date)} @@ -861,12 +1037,16 @@ def dump_json(packages, stats, date, commit, output): f.write('\n') +def resolvepath(path): + return os.path.abspath(os.path.expanduser(path)) + + def parse_args(): parser = argparse.ArgumentParser() output = parser.add_argument_group('output', 'Output file(s)') - output.add_argument('--html', dest='html', action='store', + output.add_argument('--html', dest='html', type=resolvepath, help='HTML output file') - output.add_argument('--json', dest='json', action='store', + output.add_argument('--json', dest='json', type=resolvepath, help='JSON output file') packages = parser.add_mutually_exclusive_group() packages.add_argument('-n', dest='npackages', type=int, action='store', @@ -874,7 +1054,7 @@ def parse_args(): packages.add_argument('-p', dest='packages', action='store', help='List of packages (comma separated)') parser.add_argument('--nvd-path', dest='nvd_path', - help='Path to the local NVD database') + help='Path to the local NVD database', type=resolvepath) args = parser.parse_args() if not args.html and not args.json: parser.error('at least one of --html or --json (or both) is required') @@ -892,6 +1072,12 @@ def __main__(): 'HEAD']).splitlines()[0].decode() print("Build package list ...") packages = get_pkglist(args.npackages, package_list) + print("Getting developers ...") + developers = parse_developers() + print("Build defconfig list ...") + defconfigs = get_defconfig_list() + for d in defconfigs: + d.set_developers(developers) print("Getting package make info ...") package_init_make_info() print("Getting package details ...") @@ -903,10 +1089,13 @@ def __main__(): pkg.set_check_package_warnings() pkg.set_current_version() pkg.set_url() + pkg.set_developers(developers) print("Checking URL status") - check_package_urls(packages) + loop = asyncio.get_event_loop() + loop.run_until_complete(check_package_urls(packages)) print("Getting latest versions ...") - check_package_latest_version(packages) + loop = asyncio.get_event_loop() + loop.run_until_complete(check_package_latest_version(packages)) if args.nvd_path: print("Checking packages CVEs") check_package_cves(args.nvd_path, {p.name: p for p in packages}) @@ -917,7 +1106,7 @@ def __main__(): dump_html(packages, stats, date, commit, args.html) if args.json: print("Write JSON") - dump_json(packages, stats, date, commit, args.json) + dump_json(packages, defconfigs, stats, date, commit, args.json) __main__() diff --git a/buildroot/support/scripts/pycompile.py b/buildroot/support/scripts/pycompile.py index 9192a7016..8399d5793 100644 --- a/buildroot/support/scripts/pycompile.py +++ b/buildroot/support/scripts/pycompile.py @@ -1,69 +1,85 @@ #!/usr/bin/env python -'''Wrapper for python2 and python3 around compileall to raise exception -when a python byte code generation failed. +""" +Byte compile all .py files from provided directories. This script is an +alternative implementation of compileall.compile_dir written with +cross-compilation in mind. +""" -Inspired from: - http://stackoverflow.com/questions/615632/how-to-detect-errors-from-compileall-compile-dir -''' from __future__ import print_function -import sys -import py_compile -import compileall + import argparse +import os +import py_compile +import re +import sys -def check_for_errors(comparison): - '''Wrap comparison operator with code checking for PyCompileError. - If PyCompileError was raised, re-raise it again to abort execution, - otherwise perform comparison as expected. - ''' - def operator(self, other): - exc_type, value, traceback = sys.exc_info() - if exc_type is not None and issubclass(exc_type, - py_compile.PyCompileError): - print("Cannot compile %s" % value.file) - raise value +def compile_one(host_path, strip_root=None): + """ + Compile a .py file into a .pyc file located next to it. - return comparison(self, other) + :arg host_path: + Absolute path to the file to compile on the host running the build. + :arg strip_root: + Prefix to remove from the original source paths encoded in compiled + files. + """ + if os.path.islink(host_path) or not os.path.isfile(host_path): + return # only compile real files - return operator + if not re.match(r"^[_A-Za-z][_A-Za-z0-9]+\.py$", + os.path.basename(host_path)): + return # only compile "importable" python modules + + if strip_root is not None: + # determine the runtime path of the file (i.e.: relative path to root + # dir prepended with "/"). + runtime_path = os.path.join("/", os.path.relpath(host_path, strip_root)) + else: + runtime_path = host_path + + # will raise an error if the file cannot be compiled + py_compile.compile(host_path, cfile=host_path + "c", + dfile=runtime_path, doraise=True) -class ReportProblem(int): - '''Class that pretends to be an int() object but implements all of its - comparison operators such that it'd detect being called in - PyCompileError handling context and abort execution - ''' - VALUE = 1 - - def __new__(cls, *args, **kwargs): - return int.__new__(cls, ReportProblem.VALUE, **kwargs) - - @check_for_errors - def __lt__(self, other): - return ReportProblem.VALUE < other - - @check_for_errors - def __eq__(self, other): - return ReportProblem.VALUE == other - - def __ge__(self, other): - return not self < other - - def __gt__(self, other): - return not self < other and not self == other - - def __ne__(self, other): - return not self == other +def existing_dir_abs(arg): + """ + argparse type callback that checks that argument is a directory and returns + its absolute path. + """ + if not os.path.isdir(arg): + raise argparse.ArgumentTypeError('no such directory: {!r}'.format(arg)) + return os.path.abspath(arg) -parser = argparse.ArgumentParser(description='Compile Python source files in a directory tree.') -parser.add_argument("target", metavar='DIRECTORY', - help='Directory to scan') -parser.add_argument("--force", action='store_true', - help="Force compilation even if alread compiled") +def main(): + parser = argparse.ArgumentParser(description=__doc__) + parser.add_argument("dirs", metavar="DIR", nargs="+", type=existing_dir_abs, + help="Directory to recursively scan and compile") + parser.add_argument("--strip-root", metavar="ROOT", type=existing_dir_abs, + help=""" + Prefix to remove from the original source paths encoded + in compiled files + """) -args = parser.parse_args() + args = parser.parse_args() -compileall.compile_dir(args.target, force=args.force, quiet=ReportProblem()) + try: + for d in args.dirs: + if args.strip_root and ".." in os.path.relpath(d, args.strip_root): + parser.error("DIR: not inside ROOT dir: {!r}".format(d)) + for parent, _, files in os.walk(d): + for f in files: + compile_one(os.path.join(parent, f), args.strip_root) + + except Exception as e: + print("error: {}".format(e)) + return 1 + + return 0 + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/buildroot/support/scripts/setlocalversion b/buildroot/support/scripts/setlocalversion index b39b751f0..d492f2db2 100755 --- a/buildroot/support/scripts/setlocalversion +++ b/buildroot/support/scripts/setlocalversion @@ -19,19 +19,14 @@ cd "${1:-.}" || usage # Check for git and a git repo. if head=`git rev-parse --verify --short HEAD 2>/dev/null`; then - # If we are at a tagged commit (like "v2.6.30-rc6"), we ignore it, - # because this version is defined in the top level Makefile. - if [ -z "`git describe --exact-match 2>/dev/null`" ]; then + atag="`git describe 2>/dev/null`" - # If we are past a tagged commit (like "v2.6.30-rc5-302-g72357d5"), - # we pretty print it. - if atag="`git describe 2>/dev/null`"; then - echo "$atag" | awk -F- '{printf("-%05d-%s", $(NF-1),$(NF))}' - - # If we don't have a tag at all we print -g{commitish}. - else - printf '%s%s' -g $head - fi + # Show -g if we have no tag, or just the tag + # otherwise. + if [ -z "${atag}" ] ; then + printf "%s%s" -g ${head} + else + printf ${atag} fi # Is this git on svn? @@ -53,13 +48,29 @@ if head=`git rev-parse --verify --short HEAD 2>/dev/null`; then fi # Check for mercurial and a mercurial repo. +# In the git case, 'git describe' will show the latest tag, and unless we are +# exactly on that tag, the number of commits since then, and last commit id. +# Mimic something similar in the Mercurial case. if hgid=`HGRCPATH= hg id --id --tags 2>/dev/null`; then tag=`printf '%s' "$hgid" | cut -d' ' -f2 --only-delimited` # Do we have an untagged version? if [ -z "$tag" -o "$tag" = tip ]; then + # current revision is not tagged, determine latest tag + latesttag=`HGRCPATH= hg log -r. -T '{latesttag}' 2>/dev/null` + # In case there is more than one tag on the latest tagged commit, + # 'latesttag' will separate them by colon (:). We'll retain this. + # In case there is no tag at all, 'null' will be returned. + if [ "$latesttag" = "null" ]; then + latesttag='' + fi + + # add the commit id id=`printf '%s' "$hgid" | sed 's/[+ ].*//'` - printf '%s%s' -hg "$id" + printf '%s%s%s' "${latesttag}" -hg "$id" + else + # current revision is tagged, just print the tag + printf ${tag} fi # Are there uncommitted changes? diff --git a/buildroot/support/testing/infra/__init__.py b/buildroot/support/testing/infra/__init__.py index 6392aa679..6522a265f 100644 --- a/buildroot/support/testing/infra/__init__.py +++ b/buildroot/support/testing/infra/__init__.py @@ -78,7 +78,7 @@ def get_elf_arch_tag(builddir, prefix, fpath, tag): cmd = ["host/bin/{}-readelf".format(prefix), "-A", os.path.join("target", fpath)] out = run_cmd_on_host(builddir, cmd) - regexp = re.compile("^ {}: (.*)$".format(tag)) + regexp = re.compile(r"^ {}: (.*)$".format(tag)) for line in out.splitlines(): m = regexp.match(line) if not m: @@ -105,7 +105,7 @@ def get_elf_prog_interpreter(builddir, prefix, fpath): cmd = ["host/bin/{}-readelf".format(prefix), "-l", os.path.join("target", fpath)] out = run_cmd_on_host(builddir, cmd) - regexp = re.compile("^ *\[Requesting program interpreter: (.*)\]$") + regexp = re.compile(r"^ *\[Requesting program interpreter: (.*)\]$") for line in out.splitlines(): m = regexp.match(line) if not m: diff --git a/buildroot/support/testing/tests/core/test_timezone.py b/buildroot/support/testing/tests/core/test_timezone.py index 050624e0a..f66151919 100644 --- a/buildroot/support/testing/tests/core/test_timezone.py +++ b/buildroot/support/testing/tests/core/test_timezone.py @@ -4,10 +4,10 @@ import infra.basetest def boot_armv5_cpio(emulator, builddir): - img = os.path.join(builddir, "images", "rootfs.cpio") - emulator.boot(arch="armv5", kernel="builtin", - options=["-initrd", img]) - emulator.login() + img = os.path.join(builddir, "images", "rootfs.cpio") + emulator.boot(arch="armv5", kernel="builtin", + options=["-initrd", img]) + emulator.login() class TestNoTimezone(infra.basetest.BRTest): diff --git a/buildroot/support/testing/tests/package/test_docker_compose.py b/buildroot/support/testing/tests/package/test_docker_compose.py index f12e2a6a3..67ee795f2 100644 --- a/buildroot/support/testing/tests/package/test_docker_compose.py +++ b/buildroot/support/testing/tests/package/test_docker_compose.py @@ -20,7 +20,6 @@ class TestDockerCompose(infra.basetest.BRTest): BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="{}" BR2_PACKAGE_CA_CERTIFICATES=y - BR2_PACKAGE_CGROUPFS_MOUNT=y BR2_PACKAGE_DOCKER_CLI=y BR2_PACKAGE_DOCKER_COMPOSE=y BR2_PACKAGE_DOCKER_ENGINE=y diff --git a/buildroot/utils/check-package b/buildroot/utils/check-package index 52317e02f..dd18d19c2 100755 --- a/buildroot/utils/check-package +++ b/buildroot/utils/check-package @@ -46,24 +46,24 @@ def parse_args(): return parser.parse_args() -CONFIG_IN_FILENAME = re.compile("Config\.\S*$") -DO_CHECK_INTREE = re.compile("|".join([ - "Config.in", - "arch/", - "boot/", - "fs/", - "linux/", - "package/", - "system/", - "toolchain/", +CONFIG_IN_FILENAME = re.compile(r"Config\.\S*$") +DO_CHECK_INTREE = re.compile(r"|".join([ + r"Config.in", + r"arch/", + r"boot/", + r"fs/", + r"linux/", + r"package/", + r"system/", + r"toolchain/", ])) -DO_NOT_CHECK_INTREE = re.compile("|".join([ - "boot/barebox/barebox\.mk$", - "fs/common\.mk$", - "package/doc-asciidoc\.mk$", - "package/pkg-\S*\.mk$", - "toolchain/helpers\.mk$", - "toolchain/toolchain-external/pkg-toolchain-external\.mk$", +DO_NOT_CHECK_INTREE = re.compile(r"|".join([ + r"boot/barebox/barebox\.mk$", + r"fs/common\.mk$", + r"package/doc-asciidoc\.mk$", + r"package/pkg-\S*\.mk$", + r"toolchain/helpers\.mk$", + r"toolchain/toolchain-external/pkg-toolchain-external\.mk$", ])) diff --git a/buildroot/utils/checkpackagelib/lib_config.py b/buildroot/utils/checkpackagelib/lib_config.py index 55c8589d7..c348eec39 100644 --- a/buildroot/utils/checkpackagelib/lib_config.py +++ b/buildroot/utils/checkpackagelib/lib_config.py @@ -152,8 +152,8 @@ class CommentsMenusPackagesOrder(_CheckFunction): class HelpText(_CheckFunction): - HELP_TEXT_FORMAT = re.compile("^\t .{,62}$") - URL_ONLY = re.compile("^(http|https|git)://\S*$") + HELP_TEXT_FORMAT = re.compile(r"^\t .{,62}$") + URL_ONLY = re.compile(r"^(http|https|git)://\S*$") def before(self): self.help_text = False diff --git a/buildroot/utils/checkpackagelib/lib_mk.py b/buildroot/utils/checkpackagelib/lib_mk.py index a0caf8463..45e37e459 100644 --- a/buildroot/utils/checkpackagelib/lib_mk.py +++ b/buildroot/utils/checkpackagelib/lib_mk.py @@ -20,12 +20,12 @@ end_conditional = ["endif"] class Indent(_CheckFunction): - COMMENT = re.compile("^\s*#") - CONDITIONAL = re.compile("^\s*({})\s".format("|".join(start_conditional + end_conditional))) + COMMENT = re.compile(r"^\s*#") + CONDITIONAL = re.compile(r"^\s*({})\s".format("|".join(start_conditional + end_conditional))) ENDS_WITH_BACKSLASH = re.compile(r"^[^#].*\\$") - END_DEFINE = re.compile("^\s*endef\s") - MAKEFILE_TARGET = re.compile("^[^# \t]+:\s") - START_DEFINE = re.compile("^\s*define\s") + END_DEFINE = re.compile(r"^\s*endef\s") + MAKEFILE_TARGET = re.compile(r"^[^# \t]+:\s") + START_DEFINE = re.compile(r"^\s*define\s") def before(self): self.define = False @@ -76,17 +76,17 @@ class Indent(_CheckFunction): class OverriddenVariable(_CheckFunction): - CONCATENATING = re.compile("^([A-Z0-9_]+)\s*(\+|:|)=\s*\$\(\\1\)") - END_CONDITIONAL = re.compile("^\s*({})".format("|".join(end_conditional))) + CONCATENATING = re.compile(r"^([A-Z0-9_]+)\s*(\+|:|)=\s*\$\(\\1\)") + END_CONDITIONAL = re.compile(r"^\s*({})".format("|".join(end_conditional))) OVERRIDING_ASSIGNMENTS = [':=', "="] - START_CONDITIONAL = re.compile("^\s*({})".format("|".join(start_conditional))) - VARIABLE = re.compile("^([A-Z0-9_]+)\s*((\+|:|)=)") - USUALLY_OVERRIDDEN = re.compile("^[A-Z0-9_]+({})".format("|".join([ - "_ARCH\s*=\s*", - "_CPU\s*=\s*", - "_SITE\s*=\s*", - "_SOURCE\s*=\s*", - "_VERSION\s*=\s*"]))) + START_CONDITIONAL = re.compile(r"^\s*({})".format("|".join(start_conditional))) + VARIABLE = re.compile(r"^([A-Z0-9_]+)\s*((\+|:|)=)") + USUALLY_OVERRIDDEN = re.compile(r"^[A-Z0-9_]+({})".format("|".join([ + r"_ARCH\s*=\s*", + r"_CPU\s*=\s*", + r"_SITE\s*=\s*", + r"_SOURCE\s*=\s*", + r"_VERSION\s*=\s*"]))) def before(self): self.conditional = 0 @@ -174,7 +174,7 @@ class RemoveDefaultPackageSourceVariable(_CheckFunction): package_upper = package.replace("-", "_").upper() self.package = package self.FIND_SOURCE = re.compile( - "^{}_SOURCE\s*=\s*{}-\$\({}_VERSION\)\.tar\.gz" + r"^{}_SOURCE\s*=\s*{}-\$\({}_VERSION\)\.tar\.gz" .format(package_upper, package, package_upper)) def check_line(self, lineno, text): @@ -222,7 +222,7 @@ class TrailingBackslash(_CheckFunction): class TypoInPackageVariable(_CheckFunction): - ALLOWED = re.compile("|".join([ + ALLOWED = re.compile(r"|".join([ "ACLOCAL_DIR", "ACLOCAL_HOST_DIR", "ACLOCAL_PATH", @@ -241,7 +241,7 @@ class TypoInPackageVariable(_CheckFunction): "TARGET_FINALIZE_HOOKS", "TARGETS_ROOTFS", "XTENSA_CORE_NAME"])) - VARIABLE = re.compile("^([A-Z0-9_]+_[A-Z0-9_]+)\s*(\+|)=") + VARIABLE = re.compile(r"^([A-Z0-9_]+_[A-Z0-9_]+)\s*(\+|)=") def before(self): package, _ = os.path.splitext(os.path.basename(self.filename)) @@ -251,9 +251,9 @@ class TypoInPackageVariable(_CheckFunction): # linux extensions do not use LINUX_EXT_ prefix for variables package = package.replace("LINUX_EXT_", "") self.package = package - self.REGEX = re.compile("^(HOST_|ROOTFS_)?({}_[A-Z0-9_]+)".format(package)) + self.REGEX = re.compile(r"^(HOST_|ROOTFS_)?({}_[A-Z0-9_]+)".format(package)) self.FIND_VIRTUAL = re.compile( - "^{}_PROVIDES\s*(\+|)=\s*(.*)".format(package)) + r"^{}_PROVIDES\s*(\+|)=\s*(.*)".format(package)) self.virtual = [] def check_line(self, lineno, text): @@ -281,16 +281,16 @@ class TypoInPackageVariable(_CheckFunction): class UselessFlag(_CheckFunction): - DEFAULT_AUTOTOOLS_FLAG = re.compile("^.*{}".format("|".join([ - "_AUTORECONF\s*=\s*NO", - "_LIBTOOL_PATCH\s*=\s*YES"]))) - DEFAULT_GENERIC_FLAG = re.compile("^.*{}".format("|".join([ - "_INSTALL_IMAGES\s*=\s*NO", - "_INSTALL_REDISTRIBUTE\s*=\s*YES", - "_INSTALL_STAGING\s*=\s*NO", - "_INSTALL_TARGET\s*=\s*YES"]))) - END_CONDITIONAL = re.compile("^\s*({})".format("|".join(end_conditional))) - START_CONDITIONAL = re.compile("^\s*({})".format("|".join(start_conditional))) + DEFAULT_AUTOTOOLS_FLAG = re.compile(r"^.*{}".format("|".join([ + r"_AUTORECONF\s*=\s*NO", + r"_LIBTOOL_PATCH\s*=\s*YES"]))) + DEFAULT_GENERIC_FLAG = re.compile(r"^.*{}".format("|".join([ + r"_INSTALL_IMAGES\s*=\s*NO", + r"_INSTALL_REDISTRIBUTE\s*=\s*YES", + r"_INSTALL_STAGING\s*=\s*NO", + r"_INSTALL_TARGET\s*=\s*YES"]))) + END_CONDITIONAL = re.compile(r"^\s*({})".format("|".join(end_conditional))) + START_CONDITIONAL = re.compile(r"^\s*({})".format("|".join(start_conditional))) def before(self): self.conditional = 0 diff --git a/buildroot/utils/checkpackagelib/lib_patch.py b/buildroot/utils/checkpackagelib/lib_patch.py index 438353ad3..e4e914b7f 100644 --- a/buildroot/utils/checkpackagelib/lib_patch.py +++ b/buildroot/utils/checkpackagelib/lib_patch.py @@ -11,7 +11,7 @@ from checkpackagelib.lib import NewlineAtEof # noqa: F401 class ApplyOrder(_CheckFunction): - APPLY_ORDER = re.compile("\d{1,4}-[^/]*$") + APPLY_ORDER = re.compile(r"\d{1,4}-[^/]*$") def before(self): if not self.APPLY_ORDER.match(os.path.basename(self.filename)): @@ -21,7 +21,7 @@ class ApplyOrder(_CheckFunction): class NumberedSubject(_CheckFunction): - NUMBERED_PATCH = re.compile("Subject:\s*\[PATCH\s*\d+/\d+\]") + NUMBERED_PATCH = re.compile(r"Subject:\s*\[PATCH\s*\d+/\d+\]") def before(self): self.git_patch = False @@ -44,7 +44,7 @@ class NumberedSubject(_CheckFunction): class Sob(_CheckFunction): - SOB_ENTRY = re.compile("^Signed-off-by: .*$") + SOB_ENTRY = re.compile(r"^Signed-off-by: .*$") def before(self): self.found = False diff --git a/buildroot/utils/getdeveloperlib.py b/buildroot/utils/getdeveloperlib.py index 239ffa340..dc0cc07cc 100644 --- a/buildroot/utils/getdeveloperlib.py +++ b/buildroot/utils/getdeveloperlib.py @@ -10,7 +10,7 @@ import unittest # Patch parsing functions # -FIND_INFRA_IN_PATCH = re.compile("^\+\$\(eval \$\((host-)?([^-]*)-package\)\)$") +FIND_INFRA_IN_PATCH = re.compile(r"^\+\$\(eval \$\((host-)?([^-]*)-package\)\)$") def analyze_patch(patch): @@ -33,7 +33,7 @@ def analyze_patch(patch): return (files, infras) -FIND_INFRA_IN_MK = re.compile("^\$\(eval \$\((host-)?([^-]*)-package\)\)$") +FIND_INFRA_IN_MK = re.compile(r"^\$\(eval \$\((host-)?([^-]*)-package\)\)$") def fname_get_package_infra(fname): @@ -178,7 +178,7 @@ def parse_arches_from_config_in(fname): parsing_arches = True continue if parsing_arches: - m = re.match("^\s*default \"([^\"]*)\".*", line) + m = re.match(r"^\s*default \"([^\"]*)\".*", line) if m: arches.add(m.group(1)) else: @@ -192,7 +192,7 @@ def parse_developer_architectures(fnames): developer is working on.""" arches = set() for fname in fnames: - if not re.match("^.*/arch/Config\.in\..*$", fname): + if not re.match(r"^.*/arch/Config\.in\..*$", fname): continue arches = arches | parse_arches_from_config_in(fname) return arches @@ -201,7 +201,7 @@ def parse_developer_architectures(fnames): def parse_developer_infras(fnames): infras = set() for fname in fnames: - m = re.match("^package/pkg-([^.]*).mk$", fname) + m = re.match(r"^package/pkg-([^.]*).mk$", fname) if m: infras.add(m.group(1)) return infras diff --git a/buildroot/utils/scanpypi b/buildroot/utils/scanpypi index 387755bbb..dfbf8131c 100755 --- a/buildroot/utils/scanpypi +++ b/buildroot/utils/scanpypi @@ -96,10 +96,10 @@ def pkg_buildroot_name(pkg_name): Keyword arguments: pkg_name -- String to rename """ - name = re.sub('[^\w-]', '', pkg_name.lower()) + name = re.sub(r'[^\w-]', '', pkg_name.lower()) name = name.replace('_', '-') prefix = 'python-' - pattern = re.compile('^(?!' + prefix + ')(.+?)$') + pattern = re.compile(r'^(?!' + prefix + ')(.+?)$') name = pattern.sub(r'python-\1', name) return name @@ -337,7 +337,7 @@ class BuildrootPackage(): self.pkg_req = None return set() self.pkg_req = self.setup_metadata['install_requires'] - self.pkg_req = [re.sub('([-.\w]+).*', r'\1', req) + self.pkg_req = [re.sub(r'([-.\w]+).*', r'\1', req) for req in self.pkg_req] # get rid of commented lines and also strip the package strings @@ -451,7 +451,7 @@ class BuildrootPackage(): "Mozilla Public License 2.0": "MPL-2.0", "Zope Public License": "ZPL" } - regexp = re.compile('^License :* *.* *:+ (.*)( \(.*\))?$') + regexp = re.compile(r'^License :* *.* *:+ (.*)( \(.*\))?$') classifiers_licenses = [regexp.sub(r"\1", lic) for lic in self.metadata['info']['classifiers'] if regexp.match(lic)]