When building host-cryptsetup, if tmpfiles.d support is enabled then the
install step tries to install /usr/lib/tmpfiles.d/cryptsetup.conf
globally on the host system.
Even if the tmpfiles.d config were installed correctly in the host
directory, nothing would ever run these rules, so disable this feature
via configure.
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b2e82f9fa5)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- CVE-2021-31525: ReadRequest and ReadResponse in net/http can hit an
unrecoverable panic when reading a very large header (over 7MB on 64-bit
architectures, or over 4MB on 32-bit ones). Transport and Client are
vulnerable and the program can be made to crash by a malicious server.
Server is not vulnerable by default, but can be if the default max header
of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value,
in which case the program can be made to crash by a malicious client.
https://github.com/golang/go/issues/45710
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- bpo-43434: Creating a sqlite3.Connection object now also produces a
sqlite3.connect auditing event. Previously this event was only produced
by sqlite3.connect() calls. Patch by Erlend E. Aasland.
- bpo-43882: The presence of newline or tab characters in parts of a URL
could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG
urllib.parse() now removes ASCII newlines and tabs from URLs, preventing
such attacks.
- bpo-43472: Ensures interpreter-level audit hooks receive the
cpython.PyInterpreterState_New event when called through the
_xxsubinterpreters module.
- bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4
address strings. Leading zeros are ambiguous and interpreted as octal
notation by some libraries. For example the legacy function
socket.inet_aton() treats leading zeros as octal notatation. glibc
implementation of modern inet_pton() does not accept any leading zeros.
For a while the ipaddress module used to accept ambiguous leading zeros.
- bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability
in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex
has quadratic worst-case complexity and it allows cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on the
client side and needs remote attackers to control the HTTP server.
- bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
and generator code/frame attribute access.
https://www.python.org/downloads/release/python-395/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f02c0ee1b0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Django 3.0.x is EOL, so move to 3.2.x which is the new LTS release. For
details of the changes and update instructions, see the announcement:
https://www.djangoproject.com/weblog/2021/apr/06/django-32-released/
Fixes the following security issues:
- CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of
the SQLPanel for Django Debug Toolbar >= 0.10.0
With Django Debug Toolbar 0.10.0 and above, attackers are able to execute
SQL by changing the raw_sql input of the SQL explain, analyze or select
forms and submitting the form. This is a high severity issue for anyone
using the toolbar in a production environment. Generally the Django Debug
Toolbar team only maintains the latest version of django-debug-toolbar,
but an exception was made because of the high severity of this issue.
The GitHub Security Advisory can be found here:
https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
- CVE-2021-31542: Potential directory-traversal via uploaded files
MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal
via uploaded files with suitably crafted file names.
In order to mitigate this risk, stricter basename and path sanitation is
now applied. Specifically, empty file names and paths with dot segments
will be rejected.
This issue has low severity, according to the Django security policy.
- CVE-2021-32052: Header injection possibility since URLValidator accepted
newlines in input on Python 3.9.5+
On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If you
used values with newlines in HTTP response, you could suffer from header
injection attacks. Django itself wasn't vulnerable because HttpResponse
prohibits newlines in HTTP headers.
Moreover, the URLField form field which uses URLValidator silently removes
newlines and tabs on Python 3.9.5+, so the possibility of newlines
entering your data only existed if you are using this validator outside of
the form fields.
This issue was introduced by the bpo-43882 fix.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 84441433ec)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Sometimes, post-build or post-image scripts need to reinvoke
Buildroot's make, for example to execute "make printvars".
However, so far post-build/image/fakeroot can't trivially run printvars
in a way that worked for both in-tree and out-of-tree builds. Indeed:
* "make printvars" would work for in-tree builds, but not out of tree
builds
* "make -C ${O} printvars" would work for out-of-tree builds, but not
in-tree builds
* "make -C ${BR2_CONFIG%/*} printvars" works in both cases, but it is
a bit cryptic, and two maintainers did not even immediately think of
it
In order to solve this, this commit exposes $(CONFIG_DIR) to
post-build/image/fakeroot scripts, through the EXTRA_ENV variable.
The documentation is updated accordingly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
- reference BR2_CONFIG as an exemple
- slightly reword the commit log accordingly
- move the doc for CONFIG_DIR next to that of BR2_CONFIG
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit efdcd651bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This will fix a build failure with gcc 10
- Update indentation in hash file (two spaces)
- Drop INSTALL_SYSCONFDIR, INSTALL_WEBROOTDIR and WITH_SYSTEM_MALLOC
(not available since
df145932e3)
- Set WITHOUT_HEADERS to ON because headers are not needed and to avoid
the following build failure:
CMake Error at include/cmake_install.cmake:46 (file):
file INSTALL cannot find
"/home/fabrice/buildroot/output/build/monkey-f54856ce250c4e25735434dc75717a4b7fbfc45b/include/mk_core.h":
No such file or directory.
Call Stack (most recent call first):
cmake_install.cmake:69 (include)
Upstream is aware than the lack of release is an issue but no comments
since 2018: https://github.com/monkey/monkey/issues/276
Fixes:
- http://autobuild.buildroot.org/results/0b723937ca048228082d040100f6e6324ac8300b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 26a7d912f4)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Kernel 4.16.7 is old enough to produce the "multiple definition of `yylloc'"
error which is fixed in newer versions.
Bump the test kernel version from 4.16.7 to 5.10.34 to prevent this error wwhen
building the test image.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit ab2d472cde)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
.../x86_64-buildroot-linux-gnu/bin/ld: .../host/x86_64-buildroot-linux-gnu/sysroot/usr/lib/libtomcrypt.a(md5.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
when building a shared library that links with libtomcrypt. Our only
internal user dropbear doesn't do this, so there are no autobuilder
failures.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ec2ee79ec1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
kexec build will fail on older kernels (pre 4.4) as the define VIDEO_CAPABILITY_64BIT_BASE was not present at that time.
This patch adds it, as per linux/include/uapi/linux/screen_info.h, if not present.
Signed-off-by: Federico Pellegrin <fede@evolware.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes various networking issues:
- Fix a regression in docker 20.10, causing IPv6 addresses no longer to be
bound by default when mapping ports moby/moby#42205
- Fix implicit IPv6 port-mappings not included in API response. Before
docker 20.10, published ports were accessible through both IPv4 and IPv6
by default, but the API only included information about the IPv4 (0.0.0.0)
mapping moby/moby#42205
- Fix a regression in docker 20.10, causing the docker-proxy to not be
terminated in all cases moby/moby#42205
- Fix iptables forwarding rules not being cleaned up upon container removal
moby/moby#42205
For more details, see the release notes:
https://docs.docker.com/engine/release-notes/#20106
Signed-off-by: Mario Fink <knif.oiram@gmail.com>
Tested-by: Christian Stewart <christian@paral.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e1458fe943)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- update home page URL to https
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 27b30ee742)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop first patch and pass -fPIC to configure to fix the following build
failure on ARC:
ERROR: architecture for "/usr/lib/libdmalloc.so" is "ARCompact", should be "ARCv2"
ERROR: architecture for "/usr/lib/libdmallocth.so" is "ARCompact", should be "ARCv2"
ERROR: architecture for "/usr/lib/libdmallocthcxx.so" is "ARCompact", should be "ARCv2"
ERROR: architecture for "/usr/lib/libdmallocxx.so" is "ARCompact", should be "ARCv2"
This build failure is due to the following configure error:
checking shared library link args... ./configure: line 4467: 10229 Segmentation fault ( ${LD-ld} -shared --whole-archive -soname conftest.so -o conftest.so.t conftest.a ) 2>&5
/home/buildroot/autobuild/run/instance-0/output-1/host/bin/arc-buildroot-linux-gnu-ld -G -o $@.t
This configure error is due to missing -fPIC:
configure:4392: checking shared library link args
configure:4398: /home/buildroot/autobuild/run/instance-0/output-1/host/bin/arc-buildroot-linux-gnu-gcc -c -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g2 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c >&5
configure:4404: $? = 0
configure:4408: test -z
|| test ! -s conftest.err
configure:4411: $? = 0
configure:4414: test -s conftest.o
configure:4417: $? = 0
/home/buildroot/autobuild/run/instance-0/output-1/host/bin/arc-buildroot-linux-gnu-ld: conftest.a(conftest.o): relocation R_ARC_32_ME against `__stack_chk_guard' can not be used when making a shared object; recompile with -fPIC
/home/buildroot/autobuild/run/instance-0/output-1/host/bin/arc-buildroot-linux-gnu-ld: BFD (GNU Binutils) 2.33.50.20191002 assertion fail elf32-arc.c:1805
/home/buildroot/autobuild/run/instance-0/output-1/host/bin/arc-buildroot-linux-gnu-ld: unrecognized option '-all'
/home/buildroot/autobuild/run/instance-0/output-1/host/bin/arc-buildroot-linux-gnu-ld: use the --help option for usage information
configure:4475: result: /home/buildroot/autobuild/run/instance-0/output-1/host/bin/arc-buildroot-linux-gnu-ld -G -o $@.t
Fixes:
- http://autobuild.buildroot.org/results/65677d889c27649e1f3ca1f3b6c70df7c89779f6
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 19ec872f16)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The poppler package failed to build for me with errors such as this one:
host/aarch64-buildroot-linux-gnu/include/c++/10.3.0/cstdlib:75:15: fatal error: stdlib.h: No such file or directory
75 | #include_next <stdlib.h>
| ^~~~~~~~~~
Changing the CMake option to a link-specific one fixes the issue.
Also change other packages with the same issue: cutelyst, gerbera,
kf5-modemmanager-qt, kodi and wampcc.
Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit 7333207eaf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following security issues:
- A malformed incoming IXFR transfer could trigger an assertion failure in
named, causing it to quit abnormally. (CVE-2021-25214)
- named crashed when a DNAME record placed in the ANSWER section during
DNAME chasing turned out to be the final answer to a client query.
(CVE-2021-25215)
- When a server's configuration set the tkey-gssapi-keytab or
tkey-gssapi-credential option, a specially crafted GSS-TSIG query could
cause a buffer overflow in the ISC implementation of SPNEGO (a protocol
enabling negotiation of the security mechanism used for GSSAPI
authentication). This flaw could be exploited to crash named binaries
compiled for 64-bit platforms, and could enable remote code execution when
named was compiled for 32-bit platforms. (CVE-2021-25216)
For more details, see the release notes:
https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.31.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit 862609b389)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update patch added by commit 183d583fb5 to
use pkg-config instead of linking with zlib to fix the following static
build failure with a bzip2-enabled libmagic:
/home/buildroot/autobuild/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arc-buildroot-linux-uclibc/9.3.1/../../../../arc-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/instance-1/output-1/host/arc-buildroot-linux-uclibc/sysroot/usr/lib/libmagic.a(compress.o): in function `uncompressbuf':
compress.c:(.text+0x422): undefined reference to `BZ2_bzDecompressInit'
/home/buildroot/autobuild/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/arc-buildroot-linux-uclibc/9.3.1/../../../../arc-buildroot-linux-uclibc/bin/ld: compress.c:(.text+0x422): undefined reference to `BZ2_bzDecompressInit'
Fixes:
- http://autobuild.buildroot.org/results/4c511c02e4c63b35ecf77a2658f88e8a0d9dbb4d
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit c5f3c6ff1a)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 5871e278f8 (package/openjdk{, -bin}: security bump to version
11.0.11_9) forgot to account for the openjdk patch in the versioned
directory.
That patch was a collection of backports from upstream ,that are now all
present in 11.0.11+9, so drop that patch.
Fixes: 5871e278f8
Reported-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit bc2e555eb1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As recently discussed on the list:
http://lists.busybox.net/pipermail/buildroot/2021-April/308373.html
Packages like mkpimage where the source code is included in the Buildroot
tree, currently doesn't use an extract step (which also skips the patch
step), so they cannot be patched by a patch in BR2_GLOBAL_PATCH_DIR (or the
pkgdir), which is a bit confusing.
As a fix, add a simple extract step that copies the source file to the build
directory, so the patch step gets run as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 89d4e1ccdb)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As recently discussed on the list:
http://lists.busybox.net/pipermail/buildroot/2021-April/308373.html
Packages like mkpasswd where the source code is included in the Buildroot
tree, currently doesn't use an extract step (which also skips the patch
step), so they cannot be patched by a patch in BR2_GLOBAL_PATCH_DIR (or the
pkgdir), which is a bit confusing.
As a fix, add a simple extract step that copies the source files to the
build directory, so the patch step gets run as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a052e6e883)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As recently discussed on the list:
http://lists.busybox.net/pipermail/buildroot/2021-April/308373.html
Packages like makedevs where the source code is included in the Buildroot
tree, currently doesn't use an extract step (which also skips the patch
step), so they cannot be patched by a patch in BR2_GLOBAL_PATCH_DIR (or the
pkgdir), which is a bit confusing.
As a fix, add a simple extract step that copies the source file to the build
directory, so the patch step gets run as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c3355e31d2)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
