Since llama.cpp update in Buildroot commit [1], the test_aichat can
fail for several reasons:
The loop checking for the llama-server availability can fail if curl
succeed, but the returned json data is not formatted as expected.
This can happen if the server is ready but the model is not completely
loaded. In that case, the server returns:
{"error":{"message":"Loading model","type":"unavailable_error","code":503}}
This commit ignore Python KeyError exceptions while doing the
server test, to avoid failing if this message is received.
Also, this new llama-server version introduced a prompt caching, which
uses too much memory. This commit completely disable this prompt
caching by adding "--cache-ram 0" in the llama-server options.
[1] 05c36d5d87
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://github.com/ggml-org/llama.cpp/releases
Merge BR2_PACKAGE_LLAMA_CPP_SERVER into BR2_PACKAGE_LLAMA_CPP_TOOLS, as
both of these options must be enabled to build tools like llama-cli and
llama-server. See upstream commit [1].
Since the Buildroot option BR2_PACKAGE_LLAMA_CPP_SERVER is removed, this
commit also removes it from support/testing/tests/package/test_aichat.py
which was using it.
[1] a180ba78c7
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- reindent options in .mk
- remove BR2_PACKAGE_LLAMA_CPP_SERVER in test_aichat.py
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
drm_info is a small utility to dump info about DRM devices.
Link: https://gitlab.freedesktop.org/emersion/drm_info
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Julien:
- sort selected packages in Config.in alphabetically
- remove comment for license in hash file
- move "v" from _VERSION to _SITE
- switch _SITE to use gitlab release archives and add _SOURCE
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fix a silent build issue with the host-bootgen package if host-flex is already
built. The host-flex package will install a version of the flexlexer.h header
file that is not compatible with the version embedded in bootgen.
While the build will still 'succeed', the binary will not be correct. This
can be seen by just running the binary that is built. By default, running
bootgen without any parameters should print the help menu, but if the wrong
version of flexlexer.h is used, it will print the following instead:
$ output/host/bin/bootgen
****** Bootgen v2025.1-Merged
**** Build date : Mar 18 2026-07:08:01
** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
** Copyright 2022-2025 Advanced Micro Devices, Inc. All Rights Reserved.
ERROR: syntax error
-h
Add a patch to the bootgen package that corrects the issue.
Upstream: CR to AMD jira
Signed-off-by: Neal Frager <neal.frager@amd.com>
Tested-by: Steven J. Hill <steven.hill@collins.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Backport a patch from Xen 4.21 to fix the following build errors for Arm v7
with gcc-15:
xen-4.14.6/xen/include/asm/platforms/midway.h:1: error: header guard '__ASM_ARM_PLATFORMS_MIDWAY_H' followed by '#define' of a different macro [-Werror=header-guard]
xen-4.14.6/xen/include/asm/platforms/omap5.h:1: error: header guard '__ASM_ARM_PLATFORMS_OMAP5_H' followed by '#define' of a different macro [-Werror=header-guard]
Since the external 32b arm toolchain has been updated to a version based on
gcc-15, the tests.package.test_xen.TestXenArmv7 python test does not build
anymore.
Adding the patch repairs it.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13518318473
Fixes: 86d453a7dc ("toolchain/toolchain-external/toolchain-external-arm-arm: bump to 15.2.rel1")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
Cc: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add myself to packages recently orphaned which I am going to continue.
Signed-off-by: Manuel Diener <manuel.diener@oss.othermo.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the imxrt1050-evk_defconfig (using U-Boot v2025.07 and
binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update the defconfig to use a more recent U-Boot v2026.01, to fix the
build and at the same time bump Linux to version 6.18.18.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/13476922027
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: fix defconfig name in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- bumps the Linux kernel to 6.18.18
- bumps the U-Boot to 2026.01
- switches to a stable glibc Bootlin external toolchain
- enables force hashes check
- enlarge the rootfs size to 256M
The updated U-Boot should also fix the CI build of the board.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/13458392713
Run-tested on the board.
Signed-off-by: Dong Wang <wangdong115@foxmail.com>
[Julien:
- remove .checkpackageignore entry to fix check-package error
- move uboot.hash in its correct directory
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- bumps the Linux kernel to 6.18.18
- bumps the U-Boot to 2026.01
- switches to a stable glibc Bootlin external toolchain
The updated U-Boot should also fix the CI build of the board.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/13458392712
Run-tested on the board.
Signed-off-by: Dong Wang <wangdong115@foxmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This feature was made optional in mesa3d 25.2.0 as it is deprecated,
however some packages still require it so lets add a new config
option that those packages can select until they no longer require
this feature.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Add 'source' attribute to each CVE in vulnerabilities node, including NVD
URL reference to enable proper import into Dependency-Track.
Dependency-Track's VEX importer requires the source attribute to
properly process vulnerability entries. Without it, vulnerabilities are
skipped during import with "does not have an ID and / or source" warnings.
Include the full NVD URL following the CycloneDX 1.6 documentation format:
https://nvd.nist.gov/vuln/detail/{CVE-ID}
Test Environment:
- Buildroot: 2025.02.11 (or master)
- Dependency-Track: v4.13.6
Test Results - BEFORE (without source attribute):
apiserver_1 | 2026-02-23 16:05:40,890 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #0 does not have an ID and / or source; Skipping it
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #1 does not have an ID and / or source; Skipping it
...
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #19 does not have an ID and / or source; Skipping it
apiserver_1 | 2026-02-23 16:05:40,941 INFO [CycloneDXVexImporter] The uploaded VEX does not contain any applicable vulnerabilities; Skipping VEX import
Test Results - AFTER (with source):
apiserver_1 | 2026-02-23 16:17:13,492 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
apiserver_1 | 2026-02-23 16:17:14,054 INFO [VexUploadProcessingTask] Completed processing of CycloneDX VEX for project: e43fe185-c0a3-4e3a-a908-667344a66a9c
CVEs are correctly imported in Dependency-Track
Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Acked-By: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The 2025.11.x series was dropped with the 2026.02 release, so
(temporarily) re-add it. It will be dropped again with the 2026.02.1
release.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Following changes made it into the release:
Joris van Rantwijk (1):
Fix adjtimex() with TIME64
Waldemar Brodkorb (8):
sys/stat.h: remove _STAT_VER/_MKNOD_VER
fix gettid() declaration
add statx syscall wrapper
sparc: add optimize build support for leon3
sparc: sync with Linux kernel definition, fixes gdb compile
fix compile error on earlier Kernels predating statx
select: fix compilation failure with very old kernel
bump version for 1.0.57 release
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
uclibc 1.0.57 added a statx() syscall wrapper in upstream commit [1].
zfs fail to build with uclibc 1.0.57 (not yet in Buildroot), because:
1. uclibc <fcntl.h> internally includes <sys/stat.h>, and
2. a zfs test redefines a statx() wrapper with a slightly different
prototype.
In that case, zfs fails to compile with error:
tests/zfs-tests/cmd/statx.c:58:1: error: conflicting types for 'statx'; have 'int(int, const char *, int, unsigned int, void *)'
Issue has been reported upstream at [2].
This commit adds a package patch to fix that issue.
[1] d3a819aff2
[2] https://github.com/openzfs/zfs/pull/18316
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the iot-gate-imx8_ebbr_defconfig (using U-Boot v2025.07 and
binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update the defconfig to use a more recent U-Boot v2026.01, to fix the
build.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13476922237 [1]
Fixes: 51365ff063 ("package/python-setuptools: bump to version 82.0.0")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
[Julien: update custom uboot.hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the python test tests.boot.test_atf.TestATFAllwinner (using
U-Boot v2023.10 and binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update test_atf to use a more recent U-Boot v2026.01 (and add the
dependency on GNU TLS), to fix the build.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13500946337 [1]
Fixes: 51365ff063 ("package/python-setuptools: bump to version 82.0.0")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Upstream removed the old license file
772c03afe1
and added a new one
5634c661b8
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: remove LICENSE.txt entry in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM external toolchain to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Verified by booting on a default Qemu configuration.
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM aarch64-be external toolchains to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
[Julien: add newline at end of file to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM aarch64 external toolchain to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Verified by booting on a default Qemu configuration.
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host mkfs.xfs is needed to create XFS root filesystems
in Buildroot.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Remove incorrect $BINARIES_DIR reference from the symbolic link creation to
make a relative path and not an absolute path.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Backport upstream patches to fix a silent crash in U-Boot on
STM32MP135F-DK.
Fixes:
799d184e89
Signed-off-by: Thomas Richard <thomas.richard@bootlin.com>
[Romain: add Fixes link]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Specifying a list of br2-external trees is poorly documented, and the
only example uses a colon to separate the br2-external paths.
Adding the support for colon-separated list is the biggest mistake that
was made when introducing support for multiple br2-external [0]. Indeed,
both space and colon can be used to separate entries in the list, and it
is also possible to mix the two. However, internally, the list is stored
as a space-separated list, and all the code will split on spaces.
Besides, all other lists in Buildroot are a space-separated:
BR2_ROOTFS_DEVICE_TABLE
BR2_ROOTFS_STATIC_DEVICE_TABLE
BR2_TARGET_TZ_ZONELIST
BR2_ROOTFS_USERS_TABLES
BR2_ROOTFS_OVERLAY
BR2_ROOTFS_PRE_BUILD_SCRIPT
BR2_ROOTFS_POST_BUILD_SCRIPT
BR2_ROOTFS_POST_FAKEROOT_SCRIPT
BR2_ROOTFS_POST_IMAGE_SCRIPT
...
So, using colons is odd.
The fact that BR2_EXTERNAL is passed on the command line rather than
being a Kconfig item is not a reason enough to justify that it be
colon-separated.
Change the documentation to only mention using a space-separated list.
Of course, for backward compatibility, we keep the code as-is to accept
a colon-separated list, but we just do not advertise it.
Note that keeping the split on colons means that colons are not accepted
in pathnames of br2-external trees; in practice, this is not a new
restriction, or one that could lift as usign colons in Makefiles are
problematic anyway.
[0] in 20cd497387 core: add support for multiple br2-external trees
Reported-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Reported-by: Brandon Maier <Brandon.Maier@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Boring changes: either do what shellcheck suggested, or comment why we
don't want to fix the code.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The trap was initially introduced in c5fa9308ea (core/br2-external:
properly report unexpected errors), in 2017, to catch all unexpected
errors, back when a single file was generated, and errors emitted to
stderr.
Since commit d027cd75d0 (core: generate all br2-external files in
one go), in 2019 the single output file 'ofile' is no longer created,
as multiple output files were then introduced, while messages for
*expected errors* were redirected to a Makefile variable assignment
emitted on stdout, at which point the script just exits (in error);
expected failures only occur in do_validate().
Unexpected errors can only occur on failure to create, or write to,
output files, either '.br2-external.mk' in do_validate() or do_mk(),
or any of the kconfig fragments in do_kconfig(). Cause for failure to
create those can only be a no-space-left-on-device condition, as they
are created in a directory that was just created by the script earlier
in main(), and thus has the necessary mode; failure to create that
directory is now caught explicitly.
A trap on ERR is not called when the shell exits explicitly with a call
to 'exit', thus, only failures to create or write to output file would
be caught. In that case, we are better off not trying to write to those
files anyway: failure to create the file would already be reported by
the shell on stderr, while disk-full would not allow to store the output
anyway...
In any case, the script exits in error, which is going to be caught by
the caller, which will terminate.
So, drop the trap altogether.
As a side effect, that squelches a shellcheck error.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
That plugin can be used instead of the builtin support to persist the
mosquitto state across restarts.
Note that this plugin has a dependency, so we don't use the $(if)
one-liner.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Until version 2.0.x, support for using static password or ACL files, was
builtin to the broker. With version 2.1.x, two new plugins have been
introduced to replace the builtin support, which is now deprecated and
will get removed in the next version.
Add two new configuration options for those plugins.
We decided to do a single commit, rather than one per option, because
they are relatively tied together (ACL needs passwords, at least).
We also choose to make those options enabled by default, because the
traditional way to configure mosquitto is to use static files for
authentication and authorization, and the builtin support if now
deprecated in favour for the plugins.
The usual ifeq-else-endif conditional block is a bit verbose when just
setting an option ON or OFF, when no additional dependency is needed.
Instead, use the not-unusual $(if)-inline one-liner. For consistency,
switch the existing dynamic-security plugin to use that one-liner too.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The mosquitto broker (not the library) can have listeners configured to
serve HTTP requests; it can optionally accept (some) HTTP API requests
on such listeners.
Add a new option to enable the availability of http_pi.
Note that we do not just depend on libmicrohttpd to be enabled, because
the HTTP API is a security boundary, and enabling it must be an explicit
decision.
Co-developped-by: Titouan Christophe <titouan.christophe@mind.be>
[yann.morin@orange.com: make it an explicit option]
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Mosquitto 2.1.x adds the possibility to use a builtin websocket
implementation, as an alternative to using libwebsockets.
When using libwebsockets as the implementation, only the broker supports
websockets, and CLI tools do not; only when using the builtin one are
websockets usable with CLI tools (and the broker, of course).
Add a choice to select what type of websockets support to enable, if
any. Since the builtin implementation is still new, we keep the
libwebsockets one available.
Since this inverts the dependency logic to libwebsockets, we can't
provide a backward compatibility with existing (def)config files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
mosquitto_{ctrl,db_dump,passwd,signal} can be handy to interact with
the mosquitto broker during development, but are usually unnecessary
on the target.
Add an option to enable or disable them. Make that new option enabled
by default when the broker is enabled, to keep backward compatibility
with previous (def)config files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Fiona Klute <fiona.klute@gmx.de>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
mosquitto_pub/sub/rr can be handy to test a broker from the command
line, but they can get superfluous when only the broker is required
on the target.
Add an option to enable or disable them. Make that new option enabled
by default to keep backward compatibility with previous (def)config
files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Version 2.1.x has introduced a cmake-based build, and upstream strongly
recomends using it over the legacy Makefiles, which will ultimately be
retired.
So we do the switch, which cause quite some noise in the .mk file, but
at the same time allows for a bit of cleanup in the build process, as we
can now use the cmake-package infra.
Mosquitto now wants to peek into the malloc() internals for memory
tracking, and that only works on systems with an MMU (uClibc-ng does not
expose it for noMMU builds, as it's part of its malloc-standard
implementation).
Static-only builds are broken, even when only building the library. This
seems beyond a simple repair, so just require shared libs now (since
we're requiring an MMU as well, requiring shared libs is not too much of
an additional burden).
cJSON is now a required dependency, used in common parts of the code
(not just for the plugins).
There are a few options that we forcibly disable; they'll get addressed
in followup patches.
There are still a few build failures that are difficult to account for
(except):
$ printf 'BR2_PACKAGE_MOSQUITTO=y\n' >mosq.cfg
$ ./utils/docker-run ./utils/test-pkg -d $(pwd)/run-tests -c mosq.cfg -p mosquitto
br-arm-full-static [5/6]: FAILED
=> old uClibc-ng, would need __GNU_SOURCE (with dunder) to define
getrandom(); no longer needed since uClibc-ng 1.0.50; would need
openssl otherwise
bootlin-aarch64-glibc-old [6/6]: FAILED
=> really old glibc, missing getrandom(); would need openssl
Drop our existing patches, they've either been applied upstream, or are
no longer needed. Add new patches to fix various build issues
(submission upstream pending the signature of the CLA..,).
Thanks a lot to Titouan for providing his initial work on the update!
Some of his findings ended up in this patch. 👍
Note: by lack of a trusted path back to the PGP key that signed the
archive, the comment was dropped, as checking a signature without a
trust-chain does not make much sense...
Co-developped-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
[Romain: remove "mosquitto broker" comment for static builds]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Updating the hash of the WHENCE file, due to firmware additions and
firmware changes, but no changes to the redistribution/licensing
conditions.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://curl.se/ch/8.19.0.htmlhttps://curl.se/docs/security.html
Fixes the following CVEs:
CVE-2026-3805: use after free in SMB connection reuse
CVE-2026-3784: wrong proxy connection reuse with credentials
CVE-2026-3783: token leak with redirect and netrc
CVE-2026-1965: bad reuse of HTTP Negotiate connection
Switch to sha256 tarball hash provided by upstream.
Updated license hash due to copyright year bump:
e83c82f05f
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add back pgp signature info in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Building Go 1.26 and later requires Go 1.24.6 or later for bootstrap.
To support this we use Go version 1.25.8 as the version for
go-bootstrap-stage5 and have the build for Go 1.26.1 depend on
go-bootstrap-stage5.
Go version 1.25.8 is the latest Go version we can build using
go-bootstrap-stage4.
The package build for go-bootstrap-stage5 is effectively identical to
go-bootstrap-stage4 with only the Go version and stage number changed.
Go 1.28 is expected to require a minor release of Go 1.26 for bootstrap.
Fixes the following security vulnerabilities:
- CVE-2026-25679: net/url: reject IPv6 literal not at start of host
- CVE-2026-27142: html/template: URLs in meta attribute actions not escaped
- CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints
- CVE-2026-27138: crypto/x509: panic in name constraint checking: certificates
- CVE-2026-27139: os: FileInfo can escape from a Root
For full release notes, see:
https://go.dev/doc/devel/release#go1.26.0
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit switches the aarch64_efi_defconfig to an external glibc
stable Bootlin toolchain, to follow recommendation from [1].
Since an external toolchain is used, the linux-headers.hash custom
hash file is no longer needed and is removed.
[1] https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.10 to 6.18.16
- updates U-Boot from 2024.07 to 2026.01
- updates arm-trusted-firmware from v2.11 to v2.12 LTS
- switches to Bootlin external glibc stable toolchain
Replace OP-TEE TEE binary file tee-pager_v2.bin by tee-raw.bin using
the new option BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN.
Remove unsued linux-headers.hash since we now use a prebuilt toolchain.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Replace OP-TEE TEE binary file tee-pager_v2.bin by tee-raw.bin using
the new option BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN.
Remove unsued linux-headers.hash since we use a prebuilt toolchain.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
There was a previous attempt in commit [1] to bump the kernel to 6.18
but the SD card failed at boot. It seems the actual issue is related to
the "cheap" (or fake?) SD card with SD UHS SDR50 speed.
This offending SD card come from a lot recently purchased in order to
fix my “Too many boards, not enough SD cards” issue.
[1] 4abb8a98b2
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit [1] update arm-trusted-firmware to v2.12 LTS without
removing the custom file hash.
While at it, remove unused linux-headers.hash since we already use a
prebuilt toolchain.
[1] 4abb8a98b2
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This defconfig use BR2_TARGET_UBOOT_CUSTOM_MAKEOPTS to provide the path
to the TEE in raw binary format but use the legacy file name
"tee-pager_v2.bin" rather than the recommended "tee-raw.bin" [1][2].
Instead of just replacing the file name, use the newly introduced
BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN option. Since this option
needs BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE, we now have an explicit
dependency between u-boot and optee-os package.
Previously we had an indirect dependency: optee-os <- ATF <- u-boot
with both BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE and
BR2_TARGET_UBOOT_NEEDS_ATF_BL31 options enabled at the same time.
[1] 376cb124dd
[2] 4e0b8238ee
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
OP-TEE generates a few binaries that can be used by u-boot on some
platforms (Rockchip, Texas Instruments K3) using TEE variable.
Add a link to the OP-TEE documentation were we can find easily the
desciption for each TEE format that can be used by u-boot.
For convenience, copy tee.elf and tee.bin description in each option
choice help text.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Remove myself from packages that I'm no longer personally interested in.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Subproject tarballs are not provided anymore:
https://discourse.llvm.org/t/llvm-22-1-0-released/89950
"Please note since the last release the subproject tarballs have been
removed"
https://discourse.llvm.org/t/rfc-do-something-with-the-subproject-tarballs-in-the-release-page/75024/14
Used upstream tarball llvm-project-22.1.0.src.tar.xz for all packages
and linked subproject hash files to ../llvm-project.hash.
Removed patches which fix build errors caused by subproject tarballs.
Removed handling of third-party-21.1.8.src.tar.xz which is included in
the monolithic tarball.
Added _SUBDIR variable or updated _INSTALL_CMDS when needed.
For compiler-rt:
Removed both patches, they are not needed anymore.
Added patch to fix aarch64 build.
Added dependency on gcc >= 15.x because libcxx now depends on gcc >=
15.x: https://github.com/llvm/llvm-project/pull/165684
warning "Libc++ only supports GCC 15 and later"
Building with gcc 14.x causes many build errors like
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/is_array.h:43:68:
error: expected primary-expression before ')' token
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/is_array.h:43:44:
error: there are no arguments to '__is_unbounded_array' that depend on
a template parameter, so a declaration of '__is_unbounded_array' must
be available [-fpermissive]
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/decay.h:22:32:
error: expected type-specifier before '__decay'
A corresponding bug report sent upstream
https://github.com/llvm/llvm-project/issues/174203
was answered:
https://github.com/llvm/llvm-project/issues/174203#issuecomment-3711113919
"Our policy is rather clear: Only the latest GCC is supported."
and an update to supported compiler versions was committed:
d1146b1ddd
Updated TestClangCompilerRT to use a gcc 15-based toolchain.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit will also switch to the Bootlin glibc stable toolchain.
Switch to Bootlin glibc stable toolchain as requested by the 2024
Buildroot meeting report:
https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Signed-off-by: Scott Fan <fancp2007@gmail.com>
[Julien:
- remove no longer needed linux-headers.hash
- change comment in linux.hash to take hash from upstream
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
FTXUI is a simple cross-platform C++ library for terminal
based user interfaces.
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
[Julien: remove FTXUI_SOURCE to use the default archive name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Replaced install_prefix with DESTDIR in _INSTALL_TARGET_OPTS following
changes in upstream Makefiles, for example:
acb9dd88dc (diff-d56275146b88014f5017f78d3eb4ccdb545c8b82d94877b09ef33bac8f228414L13)
Build-tested using this defconfig
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XSCREENSAVER=y
arm-aarch64 [ 1/32]: OK
bootlin-aarch64-glibc [ 2/32]: OK
bootlin-aarch64-glibc-old [ 3/32]: SKIPPED
bootlin-arcle-hs38-uclibc [ 4/32]: OK
bootlin-armv5-uclibc [ 5/32]: OK
bootlin-armv7-glibc [ 6/32]: OK
bootlin-armv7m-uclibc [ 7/32]: SKIPPED
bootlin-armv7-musl [ 8/32]: OK
bootlin-m68k-5208-uclibc [ 9/32]: SKIPPED
bootlin-m68k-68040-uclibc [10/32]: OK
bootlin-microblazeel-uclibc [11/32]: SKIPPED
bootlin-mips64el-glibc [12/32]: OK
bootlin-mipsel32r6-glibc [13/32]: OK
bootlin-mipsel-uclibc [14/32]: OK
bootlin-openrisc-uclibc [15/32]: OK
bootlin-powerpc64le-power8-glibc [16/32]: OK
bootlin-powerpc-e500mc-uclibc [17/32]: OK
bootlin-riscv32-glibc [18/32]: OK
bootlin-riscv64-glibc [19/32]: OK
bootlin-riscv64-musl [20/32]: OK
bootlin-s390x-z13-glibc [21/32]: OK
bootlin-sh4-uclibc [22/32]: OK
bootlin-sparc64-glibc [23/32]: OK
bootlin-sparc-uclibc [24/32]: SKIPPED
bootlin-x86-64-glibc [25/32]: OK
bootlin-x86-64-musl [26/32]: OK
bootlin-x86-64-uclibc [27/32]: OK
bootlin-x86-i686-musl [28/32]: OK
bootlin-xtensa-uclibc [29/32]: OK
br-arm-basic [30/32]: SKIPPED
br-arm-full-nothread [31/32]: SKIPPED
br-arm-full-static [32/32]: SKIPPED
32 builds, 8 skipped, 0 build failed, 0 legal-info failed, 0 show-info failed
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes build error with gcc 9.x:
output/build/libheif-1.21.1/libheif/nclx.h:128:50: error:
'bool nclx_profile::operator==(const nclx_profile&)
const' cannot be defaulted
using this defconfig:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-static-2020.11.2.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_9=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_4=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
# BR2_TOOLCHAIN_EXTERNAL_HAS_THREADS_DEBUG is not set
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_STATIC_LIBS=y
BR2_PACKAGE_LIBHEIF=y
According to https://github.com/strukturag/libheif/issues/1615#issuecomment-3457979167
gcc >= 10 with support for C++20 is needed for the package.
The failing code was introduced upstream in version 0.21.0 with commit
a62f933e38
which was added to buildroot with commit
a8aed698c7.
Also removed -std=c++11 from CXXFLAGS.
The build error was not yet recorded by the autobuilders.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 72c7d99e22 switched the
build system to meson which causes an error during configure:
output/build/libvips-8.17.2/meson.build:108:4:
ERROR: Problem encountered: GModule is not supported on your system,
please reconfigure with -Dmodules=disabled
using this defconfig:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-static-2020.11.2.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_9=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_4=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
# BR2_TOOLCHAIN_EXTERNAL_HAS_THREADS_DEBUG is not set
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_STATIC_LIBS=y
BR2_PACKAGE_LIBVIPS=y
Added configure options for -Dmodules to fix the problem which was not
yet caught by the autobuilders.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
These modules were dropped in Python 3.13 as per PEP 594.
The current version in Buildroot is 3.14.3.
- Remove the TODO and related config overrides in python3.mk.
- Remove BR2_PACKAGE_PYTHON3_OSSAUDIODEV from Config.in.
- Add BR2_PACKAGE_PYTHON3_OSSAUDIODEV to Config.in.legacy.
See [1] [2] [3].
[1] https://peps.python.org/pep-0594/
[2] fc07fe4e37
[3] 17e1fe0f9b
Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
[Julien:
- add links in commit log
- move legacy option in 2026.05 section
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a035a0f99f bumped the
package to 6.0.2 which includes upstream commit
e806051f40
that adds optional support for libkrb5, enabled by default.
When building without libkrb5 we need to disable its support to avoid
a configure error:
configure: Build with gssapi_krb5 support
checking for gssapi/gssapi.h... no
configure: error: You need gssapi development files to compile libsmb2.
Fixes:
https://autobuild.buildroot.net/results/166/166fb283ef8830930ce191b4418d01e6c82176f5/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop no longer required python-pytz runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://codeberg.org/tenacityteam/libid3tag/releases/tag/0.16.4
"We now provide our own source packages instead of using Codeberg's
pre-generated sources, guaranteeing that the hash won't change."
Removed patches which are included in this bump.
Used tarball and its hashes provided by upstream.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
sntp/crypto.c includes sntp/config.h, then sntp/crypto.h which includes
ntp_stdlib.h which in turn includes l_stdlib.h that contains
#ifndef HAVE_MEMCHR
extern void *memchr(const void *s, int c, size_t n);
#endif
and breaks the build with glibc 2.43.
sntp/config.h does not contain any information about memchr() while the
top-level config.h does but this top-level config.h is not included
because sntp/Makefile lacks -I$(top_builddir) so sntp/config.h gets
included which does not define HAVE_MEMCHR although glibc does provide
memchr() but sntp/configure lacks a check for memchr().
This was not a problem with previous glibc versions but due to recent
C23 changes in glibc the ntp build is now broken.
To fix the problem we add a configure check for memchr() to
sntp/configure so HAVE_MEMCHR gets defined in sntp/config.h.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The artifacts URL has been moved to https and domain to .org to
improve security and avoid redirection issues. This ensures that
downloads of kernels and rootfs images during runtime tests are
encrypted and verified.
The change has been tested by running a runtime test, confirming the
correct download and renaming of artifacts from the new URL:
Downloading to .../tmpyotq8uor
Renaming from .../tmpyotq8uor to .../kernel-versatile-5.10.202
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With U-Boot 2022.04 gnutls is required for building the hostool
mkeficapsule.
mkeficapsule tool is built by default if EFI_LOADER is set since u-boot
2024.10 [1].
Thus the BR2_TARGET_UBOOT_NEEDS_GNUTLS config is needed.
This commit also updates the defconfig to the new convention:
- It adds custom hashes, enable BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_GLOBAL_PATCH_DIR="board/khadas/vim3/patches" to store the files.
[1] b7a625b1ce
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
[Julien:
- squashed linux and u-boot bumps
- change linux.hash comment reuse hashes published upstream
- increase BR2_TARGET_ROOTFS_EXT2_SIZE to 256M
- remove partition size constraint in genimage.cfg
- remove .checkpackageignore entry to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] was applied without fixing the edk2-platform patch
newlines which are changed by the mailing list. As a result,
the patch fails to apply.
This commit fixes the issue.
[1] 21baec5ef5
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since edk2-stable202508, see:
https://github.com/tianocore/edk2/releases/tag/edk2-stable202511
This commit also updates the edk2-platforms packages with the last
commit merged at the edk2 release date (2025-11-19), which corresponds
to commit [1].
The edk2-non-osi package is also updated the same way, which
corresponds to commit [2].
This commit also adds an edk2-platforms package patch to fix a Marvell
build failure seen with the SolidRun MacchiatoBin platform.
This commit has been runtime tested with tests using EDK2 package,
with commands:
support/testing/run-tests \
-d dl -o output_folder \
tests.boot.test_edk2 \
tests.boot.test_grub.TestGrubAArch64EFI \
tests.boot.test_grub.TestGrubRiscV64EFI \
tests.boot.test_grub.TestGrubX8664EFI \
tests.package.test_fwts
It has also been runtime tested (by booting in qemu) with defconfigs
using EDK2 package:
qemu_aarch64_sbsa_defconfig
qemu_loongarch64_virt_efi_defconfig
qemu_riscv64_virt_efi_defconfig
qemu_x86_64_efi_defconfig
[1] 1e64c1109a
[2] 94d0489811
Cc: Dick Olsson <hi@senzilla.io>
Cc: Romain Naour <romain.naour@smile.fr>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
EDK2 removed OVMF IA32 support in commit [1], which is included in
version edk2-stable202511. This commit removes the test relying on it.
[1] 1fb88ffe28
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
EDK2 removed OVMF IA32 support in commit [1], which is included in
version edk2-stable202511. This commit removes tests relying on it.
[1] 1fb88ffe28
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
While there is only one CVE number assigned (CVE-2025-14523) for one of
the patches included in this release, the bulk of the the changes are
security fixes.
Release notes may be found at:
25eac15300
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-14523
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The zjit option introduces a rust dependency and due to that not
being handled appropriately it can cause build failures if this
feature gets incorrectly autodetected as being available.
This feature was introduced when ruby was bumped to version 4.0.0
in f594f86f9d.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that custom arm-trusted-firmware versions can specify license files, add
license file hashes for the Xilinx custom arm-trusted-firmware version.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that custom Linux versions can specify license files, add license file
hashes for the Xilinx custom Linux version.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 127f36b406 ("package/ruby: bump to version 4.0.1") adjusted
RUBY_VERSION_EXT, but ruby 4.0.1 still installs its extensions into the
4.0.0 subdir:
ls target/usr/lib/ruby/
4.0.0 site_ruby vendor_ruby
So revert the RUBY_VERSION_EXT change to ensure the unneeded extensions are
correctly removed.
Signed-off-by: William Sherrer <william@sherrer.com>
[Peter: significantly extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patches mostly backported with the basis of the work of Ubuntu Security
team. See [1].
Fix the following vulnerabilities:
- CVE-2024-32661:
FreeRDP is a free implementation of the Remote Desktop Protocol.
FreeRDP based clients prior to version 3.5.1 are vulnerable to a
possible `NULL` access and crash. Version 3.5.1 contains a patch for
the issue. No known workarounds are available.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-32661
- CVE-2026-23530:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate
`nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before
RLE decode. A malicious server can trigger a client‑side heap buffer
overflow, causing a crash (DoS) and potential heap corruption with
code‑execution risk depending on allocator behavior and surrounding
heap layout. Version 3.21.0 contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23530
- CVE-2026-23531:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, in ClearCodec, when `glyphData` is present,
`clear_decompress` calls `freerdp_image_copy_no_overlap` without
validating the destination rectangle, allowing an out-of-bounds
read/write via crafted RDPGFX surface updates. A malicious server can
trigger a client‑side heap buffer overflow, causing a crash (DoS) and
potential heap corruption with code‑execution risk depending on
allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23531
- CVE-2026-23532:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between
destination rectangle clamping and the actual copy size. A malicious
server can trigger a client‑side heap buffer overflow, causing a crash
(DoS) and potential heap corruption with code‑execution risk depending
on allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23532
- CVE-2026-23533:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
RDPGFX ClearCodec decode path when maliciously crafted residual data
causes out-of-bounds writes during color output. A malicious server
can trigger a client‑side heap buffer overflow, causing a crash (DoS)
and potential heap corruption with code‑execution risk depending on
allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23533
- CVE-2026-23534:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
ClearCodec bands decode path when crafted band coordinates allow
writes past the end of the destination surface buffer. A malicious
server can trigger a client‑side heap buffer overflow, causing a crash
(DoS) and potential heap corruption with code‑execution risk depending
on allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23534
- CVE-2026-23948:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, a NULL pointer dereference vulnerability in
rdp_write_logon_info_v2() allows a malicious RDP server to crash
FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with
cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23948
- CVE-2026-24675:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, urb_select_interface can free the device's MS config on
error but later code still dereferences it, leading to a use after
free in libusb_udev_select_interface. This vulnerability is fixed in
3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24675
- CVE-2026-24676:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, AUDIN format renegotiation frees the active format list
while the capture thread continues using audin->format, leading to a
use after free in audio_format_compatible. This vulnerability is fixed
in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24676
- CVE-2026-24679:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, The URBDRC client uses server-supplied interface numbers as
array indices without bounds checks, causing an out-of-bounds read in
libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24679
- CVE-2026-24681:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, aAsynchronous bulk transfer completions can use a freed
channel callback after URBDRC channel close, leading to a use after
free in urb_write_completion. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24681
- CVE-2026-24682:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, audin_server_recv_formats frees an incorrect number of
audio formats on parse failure (i + i), leading to out-of-bounds
access in audio_formats_free. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24682
- CVE-2026-24683:
FreeRDP is a free implementation of the Remote Desktop Protocol.
ainput_send_input_event caches channel_callback in a local variable
and later uses it without synchronization; a concurrent channel close
can free or reinitialize the callback, leading to a use after free.
Prior to 3.22.0, This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24683
[1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-62168:
Squid is a caching proxy for the Web. In Squid versions prior to 7.2,
a failure to redact HTTP authentication credentials in error handling
allows information disclosure. The vulnerability allows a script to
bypass browser security protections and learn the credentials a
trusted client uses to authenticate. This potentially allows a remote
client to identify security tokens or credentials used internally by a
web application using Squid for backend load balancing. These attacks
do not require Squid to be configured with HTTP authentication. The
vulnerability is fixed in version 7.2. As a workaround, disable debug
information in administrator mailto links generated by Squid by
configuring squid.conf with email_err_data off.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-62168
- 0951a06810
The backport has been compared against debian patch [1].
[1] https://sources.debian.org/src/squid/6.13-2%2Bdeb13u1/debian/patches/CVE-2025-62168.patch
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For changes, see:
- https://github.com/vim/vim/compare/v9.1.2017...v9.1.2148
Fixes the following vulnerabilities:
- CVE-2026-25749:
Vim is an open source, command line text editor. Prior to version
9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag
file resolution logic when processing the 'helpfile' option. The
vulnerability is located in the get_tagfname() function in src/tag.c.
When processing help file tags, Vim copies the user-controlled
'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1
bytes (typically 4097 bytes) using an unsafe STRCPY() operation
without any bounds checking. This issue has been patched in version
9.1.2132.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-25749
- 0714b15940
- CVE-2026-26269:
Vim is an open source, command line text editor. Prior to 9.1.2148, a
stack buffer overflow vulnerability exists in Vim's NetBeans
integration when processing the specialKeys command, affecting Vim
builds that enable and use the NetBeans feature. The Stack buffer
overflow exists in special_keys() (in src/netbeans.c). The while
(*tok) loop writes two bytes per iteration into a 64-byte stack buffer
(keybuf) with no bounds check. A malicious NetBeans server can
overflow keybuf with a single specialKeys command. The issue has been
fixed as of Vim patch v9.1.2148.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-26269
- c5f312aad8
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 3d2141bcee("support/testing/run-tests: specify multiprocessing
method") added a call to multiprocessing.set_start_method('fork') as a
workaround for python 3.14, which changed the default start method to
forkserver - Which is incompatible with the nose2 setup.
multiprocessing.set_start_method() is only supposed to be called a maximum
of 1 time per process and throws a RuntimeError if called more than that
(even with the same arguments):
>>> import multiprocessing
>>> multiprocessing.set_start_method('fork')
>>> multiprocessing.set_start_method('fork')
Traceback (most recent call last):
File "<python-input-2>", line 1, in <module>
multiprocessing.set_start_method('fork')
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
File "/usr/lib/python3.13/multiprocessing/context.py", line 247, in set_start_method
raise RuntimeError('context has already been set')
Debian included a similar patch in python3-nose2 0.51.1-2 (currently in
testing/unstable) which adds its own call to set_start_method():
https://salsa.debian.org/python-team/packages/nose2/-/blob/debian/0.15.1-2/debian/patches/0004-plugins-mp-set-context-to-fork-for-Python-3.14-mp-AP.patch?ref_type=tags
Which comes from:
https://github.com/nose-devs/nose2/pull/644
As discussed in the upstream PR, this is not a correct fix is wrong and
breaks various use cases. An issue has been opened to get this fixed in the
Debian packaging at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129350
But until that is done, rework the patch to:
- Only override set_start_method() if needed to limit impact
- Monkey patch set_start_method() so additional calls are ignored
To unbreak run-test on affected Debian systems and add some documentation to
make it clear why this is done.
[Peter: use allow_none / force optional arguments as pointed out by Julien]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the toolchain involved in openscap build does not support C++, the
configure step fails with the following error:
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - failed
-- Check for working CXX compiler: /bin/false
-- Check for working CXX compiler: /bin/false - broken
CMake Error at /usr/share/cmake/Modules/CMakeTestCXXCompiler.cmake:73 (message):
The C++ compiler
"/bin/false"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
Run Build Command(s): /usr/bin/cmake -E env VERBOSE=1 /usr/bin/make -f Makefile cmTC_1834b/fast
make[1]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
/usr/bin/make -f CMakeFiles/cmTC_1834b.dir/build.make CMakeFiles/cmTC_1834b.dir/build
make[2]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
Building CXX object CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o /bin/false -o CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o -c /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI/testCXXCompiler.cxx
make[2]: *** [CMakeFiles/cmTC_1834b.dir/build.make:81: CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o] Error 1
make[2]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
make[1]: *** [Makefile:134: cmTC_1834b/fast] Error 2
make[1]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
CMakeLists.txt:11 (project)
-- Configuring incomplete, errors occurred!
make: *** [package/pkg-generic.mk:263: /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/.stamp_configured] Error 1
make: Leaving directory '/home/autobuild/autobuild/instance-6/buildroot'
The openscap project does not contain any C++ file, and so does not need
a C++ capable compiler. Bring the to-be-integrated-upstream patch
enforcing C language in CMakeLists.txt to prevent this build failure.
Fixes: https://autobuild.buildroot.org/results/1fe550ffa79f0a083a450ae03fe067a8ab7336be
Fixes: https://autobuild.buildroot.org/results/e9d52b52658544916022050c78dcb137ca6c97e0
Fixes: https://autobuild.buildroot.org/results/4a9c21763aaddb217ee5f8bb8947faad9767baa3
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig can be built without problems:
BR2_x86_64=y
BR2_GCC_VERSION_15_X=y
BR2_PACKAGE_SAFECLIB=y
However adding rocketlake as architecture variant
BR2_x86_64=y
BR2_x86_rocketlake=y
BR2_GCC_VERSION_15_X=y
BR2_PACKAGE_SAFECLIB=y
causes a build error:
str/vsnprintf_s.c: In function 'safec_ftoa.isra':
str/vsnprintf_s.c:523:24: error: writing 32 bytes into a region of size
31 [-Werror=stringop-overflow=]
523 | buf[len++] = '0';
with gcc 15.x only, gcc =< 14.x is not affected, reason unknown.
This commit adds two upstream commits which fix the problem.
No autobuilder error was recorded.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 101997e334 added binutils
2.46.0 to -next branch causing a build error with shim:
output/per-package/shim/host/bin/x86_64-buildroot-linux-gnu-objcopy:
shimx64.so: file format not recognized
output/per-package/shim/host/bin/x86_64-buildroot-linux-gnu-objcopy:
mmx64.so: file format not recognized
Added an upstream patch to fix the problem.
No backport to buildroot LTS branches necessary.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-34450:
merbanan/rtl_433 versions up to and including 25.02 and prior to
commit 25e47f8 contain a stack-based buffer overflow vulnerability in
the function parse_rfraw() located in src/rfraw.c. When processing
crafted or excessively large raw RF input data, the application may
write beyond the bounds of a stack buffer, resulting in memory
corruption or a crash. This vulnerability can be exploited to cause a
denial of service and, under certain conditions, may be leveraged for
further exploitation depending on the execution environment and
available mitigations.
For mroe information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-34450
- 25e47f8932
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2026-25556:
MuPDF versions 1.23.0 through 1.27.0 contain a double-free
vulnerability in fz_fill_pixmap_from_display_list() when an exception
occurs during display list rendering. The function accepts a caller-
owned fz_pixmap pointer but incorrectly drops the pixmap in its error
handling path before rethrowing the exception. Callers (including the
barcode decoding path in fz_decode_barcode_from_display_list) also
drop the same pixmap in cleanup, resulting in a double-free that can
corrupt the heap and crash the process. This issue affects
applications that enable and use MuPDF barcode decoding and can be
triggered by processing crafted input that causes a rendering-time
error while decoding barcodes.
For more information, see
- https://www.cve.org/CVERecord?id=CVE-2026-25556
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* create a board/freescale/imx6ull-evk folder dedicated to upstream Linux
and U-Boot to ease maintainance.
* clean up both imx6ullevk and imx6ull-evk readme.txt files
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: fix IMX6ULLQSG url in readme.txt]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed all patches because they are included in this release.
Added two upstream patches which fix build with glibc 2.43.
Added optional dependency to gnutls introduced by upstream commit
c9215365ef
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 3.12.07-3-g4546973, see:
https://github.com/electronicarts/EASTL/releases
Updated license hash due to upstream commit
c18a037660
Added patch to raise make_minimum_required in subproject EABase that was
added by upstream commit
c530255b69
using FetchContent_Declare which downloads the source during configure
so we do not have a chance to use _POST_EXTRACT_HOOKS to patch the
source code directly.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add comment in commit log about the previous version number]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Which is a 2.5G Ethernet PHY.
Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien: add LICENSE.airoha entry in linux-firmware.hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Change summary:
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.11.4
Fixes:
CVE-2025-14821: libssh loads configuration files from the C:\etc directory
on Windows
CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
CVE-2026-0965: Possible Denial of Service when parsing unexpected
configuration files
CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
CVE-2026-0967: Specially crafted patterns could cause DoS
CVE-2026-0968: OOB Read in sftp_parse_longname()
libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP
extensions
Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien:
- add link to upstream change summary
- fix signature link in hash file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 0433c8d02a bumped
libinput to version 1.31.0 which causes a build error with wlroot:
../backend/libinput/switch.c: In function ‘handle_switch_toggle’:
../backend/libinput/switch.c:32:9: error: enumeration value
‘LIBINPUT_SWITCH_KEYPAD_SLIDE’ not handled in switch [-Werror=switch]
32 | switch (libinput_event_switch_get_switch(sevent)) {
The build error was not yet detected by the autobuilders but can be
reproduced using this defconfig:
BR2_x86_64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_WLROOTS=y
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:
- CVE-2024-50382:
Botan before 3.6.0, when certain LLVM versions are used, has compiler-
induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in
GHASH in AES-GCM. There is a branch instead of an XOR with carry. This
was observed for Clang in LLVM 15 on RISC-V.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-50382
- 53b0cfde58
- CVE-2024-50383:
Botan before 3.6.0, when certain GCC versions are used, has a
compiler-induced secret-dependent operation in lib/utils/donna128.h in
donna128 (used in Chacha-Poly1305 and x25519). An addition can be
skipped if a carry is not set. This was observed for GCC 11.3.0 with
-O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be
affected.)
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-50383
- 53b0cfde58
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add configs/versal_vpk120_defconfig to the list of files I maintain.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerability:
- CVE-2025-63938:
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in
the strip_return_port() function within src/reqs.c.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-63938
- 3c0fde9498
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-50681:
igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a
denial of service (application crash) via a crafted IGMPv3 membership
report packet with a malicious source address. Due to insufficient
validation in the `recv_igmp()` function in src/igmpproxy.c, an
invalid group record type can trigger a NULL pointer dereference when
logging the address using `inet_fmtsrc()`. This vulnerability can be
exploited by sending malformed multicast traffic to a host running
igmpproxy, leading to a crash. igmpproxy is used in various embedded
networking environments and consumer-grade IoT devices (such as home
routers and media gateways) to handle multicast traffic for IPTV and
other streaming services. Affected devices that rely on unpatched
versions of igmpproxy may be vulnerable to remote denial-of-service
attacks across a LAN .
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-50681
- 2b30c36e6a
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This minor release contains a fix for building with host glibc 2.43,
which fails otherwise.
Signed-off-by: Paul Kocialkowski <paulk@sys-base.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information on the version bump, see:
- https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
- https://github.com/ImageMagick/ImageMagick/compare/7.1.2-12...7.1.2-15
Fixes the following vulnerabilities:
- CVE-2026-22770:
The BilateralBlurImage method will allocate a set of double buffers
inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the
last element in the set is not properly initialized. This will
result in a release of an invalid pointer inside DestroyBilateralTLS
when the memory allocation fails.
https://www.cve.org/CVERecord?id=CVE-2026-22770
- CVE-2026-23874:
Versions prior to 7.1.2-13 have a stack overflow via infinite
recursion in MSL (Magick Scripting Language) `<write>` command when
writing to MSL format.
https://www.cve.org/CVERecord?id=CVE-2026-23874
- CVE-2026-23876:
Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow
vulnerability in the XBM image decoder (ReadXBMImage) allows an
attacker to write controlled data past the allocated heap buffer
when processing a maliciously crafted image file. Any operation that
reads or identifies an image can trigger the overflow, making it
exploitable via common image upload and processing pipelines.
https://www.cve.org/CVERecord?id=CVE-2026-23876
- CVE-2026-24481:
Prior to versions 7.1.2-15 and 6.9.13-40, a heap information
disclosure vulnerability exists in ImageMagick's PSD (Adobe
Photoshop) format handler. When processing a maliciously crafted PSD
file containing ZIP-compressed layer data that decompresses to less
than the expected size, uninitialized heap memory is leaked into the
output image.
https://www.cve.org/CVERecord?id=CVE-2026-24481
- CVE-2026-25638:
Prior to versions 7.1.2-15 and 6.9.13-40, memory leak exists in
`coders/msl.c`. In the `WriteMSLImage` function of the `msl.c` file,
resources are allocated. But the function returns early without
releasing these allocated resources.
https://www.cve.org/CVERecord?id=CVE-2026-25638
- CVE-2026-25794:
`WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute
the pixel buffer size. Prior to version 7.1.2-15, when image
dimensions are large, the multiplication overflows 32-bit `int`,
causing an undersized heap allocation followed by an out-of-bounds
write. This can crash the process or potentially lead to an out of
bounds heap write.
https://www.cve.org/CVERecord?id=CVE-2026-25794
- CVE-2026-25795:
Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSFWImage()`
(`coders/sfw.c`), when temporary file creation fails, `read_info` is
destroyed before its `filename` member is accessed, causing a NULL
pointer dereference and crash.
https://www.cve.org/CVERecord?id=CVE-2026-25795
- CVE-2026-25796:
Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()`
(`coders/stegano.c`), the `watermark` Image object is not freed on
three early-return paths, resulting in a definite memory leak
(~13.5KB+ per invocation) that can be exploited for denial of
service.
https://www.cve.org/CVERecord?id=CVE-2026-25796
- CVE-2026-25798:
Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference
in ClonePixelCacheRepository allows a remote attacker to crash any
application linked against ImageMagick by supplying a crafted image
file, resulting in denial of service.
https://www.cve.org/CVERecord?id=CVE-2026-25798
- CVE-2026-25799:
Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV
sampling factor validation allows an invalid sampling factor to
bypass checks and trigger a division-by-zero during image loading,
resulting in a reliable denial-of-service.
https://www.cve.org/CVERecord?id=CVE-2026-25799
- CVE-2026-25897:
Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow
vulnerability exists in the sun decoder. On 32-bit systems/builds, a
carefully crafted image can lead to an out of bounds heap write.
https://www.cve.org/CVERecord?id=CVE-2026-25897
- CVE-2026-25989:
Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can
cause a denial of service. An off-by-one boundary check (`>` instead
of `>=`) that allows bypass the guard and reach an undefined
`(size_t)` cast.
https://www.cve.org/CVERecord?id=CVE-2026-25989
- CVE-2026-26066:
Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile contain
invalid IPTC data may cause an infinite loop when writing it with
`IPTCTEXT`.
https://www.cve.org/CVERecord?id=CVE-2026-26066
- CVE-2026-26283:
Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in
the JPEG extent binary search loop in the jpeg encoder causes an
infinite loop when writing persistently fails. An attacker can
trigger a 100% CPU consumption and process hang (Denial of Service)
with a crafted image.
https://www.cve.org/CVERecord?id=CVE-2026-26283
- CVE-2026-26284:
Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper
boundary checking when processing Huffman- coded data from PCD
(Photo CD) files. The decoder contains an function that has an
incorrect initialization that could cause an out of bounds read.
https://www.cve.org/CVERecord?id=CVE-2026-26284
- CVE-2026-26983:
Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter
crashes when processing a invalid `<map>` element that causes it to
use an image after it has been freed.
https://www.cve.org/CVERecord?id=CVE-2026-26983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 2882cf4ae6 bumped the
package from 2.44.4 to 2.48.3. This bump includes upstream commit
3b54e45d63
which was added to wpewebkit 2.45.1:
https://wpewebkit.org/release/wpewebkit-2.45.1.html
"Use Skia by default instead of Cairo for rendering."
The upstream commit includes dependencies to fontconfig & freetype which
were not added to buildroot and cause build errors with this defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_WPEWEBKIT=y
BR2_PACKAGE_WPEWEBKIT_SANDBOX=y
BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA=y
BR2_PACKAGE_WPEWEBKIT_MEDIA_STREAM=y
BR2_PACKAGE_WPEWEBKIT_WEBDRIVER=y
Reported-by: Julien Olivain <ju.o@free.fr>
[https://patchwork.ozlabs.org/project/buildroot/patch/20251017131035.224739-1-aperez@igalia.com/#3599999]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information about the release, see:
- https://github.com/c-ares/c-ares/releases/tag/v1.34.6
Fixes the following vulnerability:
- CVE-2025-62408:
c-ares is an asynchronous resolver library. Versions 1.32.3 through
1.34.5 terminate a query after maximum attempts when using
read_answer() and process_answer(), which can cause a Denial of
Service. This issue is fixed in version 1.34.6.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-62408
- 714bf5675c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security vulnerability:
- CVE-2025-68615:
net-snmp is a SNMP application library, tools and daemon. Prior to
versions 5.9.5 and 5.10.pre2, a specially crafted packet to an net-
snmp snmptrapd daemon can cause a buffer overflow and the daemon to
crash. This issue has been patched in versions 5.9.5 and 5.10.pre2.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68615
- b4e6f826d9
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 2026.02-rc1 release forgot to update the series and date and the
2025.02.11 release forgot to update the data, fix that.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that binutils 2.46.0 has been introduced and binutils 2.45.1 made
the default version, drop the oldest supported version, binutils 2.43,
keeping only the 3 last versions supported: 2.44, 2.45.1 and 2.46.0.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Now that support for binutils 2.46.0 has been introduced, we follow our
policy of making binutils 2.45.1 the default version.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://sourceware.org/pipermail/binutils/2026-February/148149.html
" This release contains numerous bug fixes, and also the following new
features:
* Support for new instructions added to AMD, ARM and RISC-V
architectures.
* Support for version 3 of the SFrame standard.
* The readelf program can now display the contents of Global Offset
Tables.
* Improved linker tagging support."
We bring and rebased patches 0001 and 0002 that we carry for binutils
2.45.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed patch that fixed building with libseccomp and old kernel headers
as systemd has fixed that upstream now.
Notable changes:
- Add -Dlibmount=enabled to host and target build. Disabling this
option disables building most of systemd's tools apart from
libsystemd.
- remove gcrypt and gnutls from dependencies and build options.
openssl is the only supported crypto library now.
- Disable nspawn build for host variant and add a Config.in option
for the target variant.
- systemd now requires kernel >= 5.4 while the recommended kernel
version moved to >=5.7. This make systemd depend on
BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4, removing various dependencies
on older kernel header versions from sub options.
- The sha256sum of LICENSES/README.md changed due to various
license clarification, removal of some vendored files as well as
changing some file paths. Licensing did not actually change.
For changelog, see:
https://github.com/systemd/systemd/blob/v258.3/NEWS
Tested with `./support/testing/run-tests tests.init.test_systemd`
All tests passed
One of the tests now needs a bigger rootfs size.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: fix check-package warnings]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When trying to build host-dtc on a host with glibc 2.43, the build fails
on the following error:
libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’
qualifier from pointer target type [-Werror=discarded-qualifiers]
424 | sep = memchr(fixup_str, ':', fixup_len);
| ^
libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’
qualifier from pointer target type [-Werror=discarded-qualifiers]
434 | sep = memchr(name, ':', fixup_len);
| ^
fdtput.c: In function ‘create_node’:
fdtput.c:235:11: error: assignment discards ‘const’ qualifier from
pointer target type [-Werror=discarded-qualifiers]
235 | p = strrchr(node_name, '/');
| ^
cc1: all warnings being treated as errors
make[2]: *** [Makefile:359: fdtput.o] Error 1
make[2]: *** Waiting for unfinished jobs....
cc1: all warnings being treated as errors
make[2]: *** [Makefile:359: libfdt/fdt_overlay.o] Error 1
make[1]: *** [package/pkg-generic.mk:273:
/home/alexis/src/buildroot/dtc/build/host-dtc-1.7.2/.stamp_built] Error 2
make: *** [Makefile:83: _all] Error 2
The issue can be reproduced on master with this minimal defconfig on a
host having glibc 2.43:
BR2_x86_64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_QORIQ_MC_UTILS=y
(QORIQ_MC_UTILS will pull HOST_DTC)
This error is due to some functions prototype update in glibc 2.43 for
ISO C23 (see [1], point 3 in the NEWS list). The corresponding fix has
already been integrated upstream, but it has not been released since
then.
Bring the corresponding upstream patch to allow host-dtc to build on
affected hosts.
[1] https://lists.gnu.org/archive/html/info-gnu/2026-01/msg00005.html
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The used Linux kernel (4.14.336) does not contain the default license files
as those were only added in 4.16 with commit e00a844aca ("LICENSES: Add
Linux syscall note exception"), so specify the correct license file to fix:
make legal-info
..
cp: cannot stat '/path/to/output/build/linux-headers-4.14.336/LICENSES/preferred/GPL-2.0': No such file or directory
And add the sha256sum to the .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien:
- reword commit title
- actually add BR2_LINUX_KERNEL_LICENSE_FILES in defconfig
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The used Linux kernel (4.14.336) does not contain the default license files
as those were only added in 4.16 with commit e00a844aca ("LICENSES: Add
Linux syscall note exception"), so specify the correct license file to fix:
make legal-info
..
cp: cannot stat '/path/to/output/build/linux-headers-4.14.336/LICENSES/preferred/GPL-2.0': No such file or directory
And add the sha256sum to the .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 50958bcdac ("linux: Add support for custom license files") added a
default value for the license files and made the option visible (E.G.
editable) when a custom VCS or tarball version is used, but it is also
needed for users of an older _CUSTOM_VERSION (E.G. mainline release), as
the referenced files were only added in Linux 4.16 with commit e00a844aca
("LICENSES: Add Linux syscall note exception"), so change that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
It was recently announced on the list that Marcus joined the maintainer
team, so add a news entry about it as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using a specific git repo and version for at91bootstrap3,
BR2_TARGET_AT91BOOTSTRAP3_LICENSE_FILES defaults to "LICENSES/MIT.txt".
However the git version we use (namely v3.10.3) does not provide this
file. Actually, it does not provide a license file at all. This causes
‘make legal-info’ to fail with:
>>> at91bootstrap3 v3.10.3 Collecting legal info
sha256sum: /builds/buildroot.org/buildroot/output/build/at91bootstrap3-v3.10.3/LICENSES/MIT.txt: No such file or directory
ERROR: while checking hashes from boot/at91bootstrap3/at91bootstrap3.hash
ERROR: LICENSES/MIT.txt has wrong sha256 hash:
ERROR: expected: 5a3809b1c2ba13b7242572322951311c584419f1f8516f665d6c06f0668d78de
ERROR: got :
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
Let's be explicit that there is no license file to check.
Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/12992815386
- https://gitlab.com/buildroot.org/buildroot/-/jobs/12992815390
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Buildroot commit [1] introduced two small typos, while doing the
updates to announce new releases.
The version 2025.02.10 release date is 2026-01-20 (and not 2022).
See the original announce [2].
The 2025.02.10 archive link in news.html has also a missing dot.
This commit fixes those typo in order to fix the website.
[1] 21dda0665e
[2] https://lore.kernel.org/buildroot/9b9654f8-6cdd-4108-b932-79509e455148@rnout.be/
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libxmslec1 build fails on some configurations with the following build
logs:
CC libxmlsec1_openssl_la-kw_des.lo
kw_des.c:75:8: error: unknown type name 'xmlSecKWDes3Klass'; did you mean 'xmlSecKWAesKlass'?
75 | static xmlSecKWDes3Klass xmlSecOpenSSLKWDes3ImplKlass = {
| ^~~~~~~~~~~~~~~~~
| xmlSecKWAesKlass
kw_des.c:77:5: error: initialization of 'int' from 'int (*)(struct _xmlSecTransform *, xmlSecByte *, size_t, size_t *)' {aka 'int (*)(struct _xmlSecTransform *, unsigned char *, long unsigned int, long unsigned int *)'} makes integer from pointer without a cast [-Wint-conversion]
77 | xmlSecOpenSSLKWDes3GenerateRandom, /* xmlSecKWDes3GenerateRandomMethod generateRandom; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:77:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:77:5: error: initializer element is not computable at load time
kw_des.c:77:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:78:5: error: excess elements in scalar initializer
78 | xmlSecOpenSSLKWDes3Sha1, /* xmlSecKWDes3Sha1Method sha1; */
| ^~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:78:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:79:5: error: excess elements in scalar initializer
79 | xmlSecOpenSSLKWDes3BlockEncrypt, /* xmlSecKWDes3BlockEncryptMethod encrypt; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:79:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:80:5: error: excess elements in scalar initializer
80 | xmlSecOpenSSLKWDes3BlockDecrypt, /* xmlSecKWDes3BlockDecryptMethod decrypt; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
This build failure is due to those struct definitions being set
conditionally in src/kw_aes_des.h behind a XMLSEC_NO_DES define, and
this define ending up being 1 on some builds. We could assume that the
makefiles in libxmlsec should just not try to build any DES related file
when XMLSEC_NO_DES is set to 1 (and so, in this specific case, not try
to build src/openssl/kw_des.c), but the autotools tooling in the project
is not the one setting XMLSEC_NO_DES: there is a mismatch between
detected features at configure time and build time.
- at build time, the tooling just checks if user has passed
`--enable-des=no`. If so, it sets XMLSEC_NO_DES, otherwise it assumes
that DES support is available.
- at build time, libxmlsec tries to build openssl backend. This backend
checks OpenSSL features, especially whether OPENSSL_NO_DES is set (and
if so, it enforces XMLSEC_NO_DES to 1 as well)
- This OPENSSL_NO_DES comes from libopenssl configuration headers
installed in sysroot. Its presence is driven by the `no-des` option
passed at libopenssl configure time
- This `no-des` flag is driven by buildroot option
BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
There are multiple options to fix this package here:
1. fixing upstream package to make the features detection more robust (eg
check openssl headers at configure time to ensure that DES is
supported)
2. enforce XMLSEC_NO_DES if BR2_PACKAGE_LIBOPENSSL_ENABLE_DES is not set
3. systematically enforce XMLSEC_NO_DES=1
Now:
- 1 may take time, and would then need a temporary patch to live in
buildroot while the fix is accepted upstream and released
- 2 works only for libopenssl, what if libressl is used ?
- DES usage is discouraged anyway, as stated by configure logs:
[...]
checking for DES support... yes (use discouraged)
[...]
As the package has been introduced very recently, there's a very low
chance to break any user use case by completely disabling DES support.
Systematically disable DES support in libxmlsec1 to discourage usage and
fix build failure when the corresponding SSL library does not expose DES
support.
Fixes: https://autobuild.buildroot.org/results/3e15f03dc0211c622125ebb69ff7230ce900029a/
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* bumps ATF to version 2.14.0
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit also updates
olimex_a20_olinuxino_lime_defconfig
olimex_a20_olinuxino_lime2_defconfig
to use this new rootfs_overlay_mali directory.
This is to differentiate for the upcoming patch for
a20_olinuxino_micro_defconfig
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien:
- change linux.hash comment to use hash from upstream
- add "_lime" in commit title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version lf-6.12.49-2.2.0
* bumps U-Boot to version lf-6.12.49-2.2.0
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The `pocoo:jinja2` CPE introduced in commit [1] is not deprecated but is
no longer used. All the security issue on the Github Advisory reference
CVE with the `palletsprojects:jinja` CPE instead (see [2]).
This commit updates the CPE accordingly.
[1] 165f60a092 package/python-jinja2: add CPE variables
[2] https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Optional udisks support is useful for mounting USB sticks via
pcmanfm.
gvfs meson.build has recognized this udisks2 option for quite
some time, since upstream commit [1] first included in version
1.35.2 (released on 2017-11-13).
[1] cdc33bf54f
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
[Julien: add comment in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
commit cf686670b9 introduced a patch that
was later included in a release which made the usage of libesmtp
configurable. Later the switch was moved to the main CMakeLists.mk [0].
while the patch introduced the build flag LOG4CXX_ENABLE_ESMTP the
change to the .mk file used LOG4CXX_ENABLE_LIBESMTP.
So correct this.
Fixes:
CMake Warning:
Manually-specified variables were not used by the project:
LOG4CXX_ENABLE_LIBESMTP
[0] https://github.com/apache/logging-log4cxx/blob/rel/v1.3.1/CMakeLists.txt#L93
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit backports an upstream patch fixing CVE-2024-10963. See:
https://github.com/linux-pam/linux-pam/issues/834https://github.com/linux-pam/linux-pam/pull/854
Fixes:
- CVE-2024-10963:
Pam: improper hostname interpretation in pam_access leads to access
control bypass
A flaw was found in pam_access, where certain rules in its
configuration file are mistakenly treated as hostnames. This
vulnerability allows attackers to trick the system by pretending
to be a trusted hostname, gaining unauthorized access. This issue
poses a risk for systems that rely on this feature to control who
can access certain services or terminals.
https://www.cve.org/CVERecord?id=CVE-2024-10963
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Julien:
- fix check-package errors
- add info in commit log
- rebase patch on v1.6.1 to avoid patch offsets
- add "CVE:" tag in patch
- add comment with patch name near _IGNORE_CVES in .mk
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from LTS 6.6.30 to 6.12.70
- updates U-Boot from 2024.04 to 2026.01
- updates arm-trusted-firmware from v2.10 to v2.12 LTS
- switches to Bootlin external glibc stable toolchain
Note: Using the kernel 6.18.9, the SD card fail at boot:
mmc1: SDHCI controller on 4fb0000.mmc [4fb0000.mmc] using ADMA 64-bit
Waiting for root device /dev/mmcblk1p2...
mmc1: error -110 whilst initialising SD card
So let's use stable kernel 6.12.y for the time being.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
[Julien: update linux.hash comment to use upstream hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Please note that the fix for CVE-2024-52615 introduces CVE-2025-59529
which is not fixed yet (https://github.com/avahi/avahi/pull/808). You
can mitigate this vulnerability by setting the `enable-wide-area=no`
option.
Patch `0011-properly-randomize-query-id-of-DNS-packets.patch` modify
`configure.ac` and then `AVAHI_AUTORECONF` is set.
This commit fixes the following vulnerabilities:
- CVE-2021-3468:
A flaw was found in avahi in versions 0.6 up to 0.8. The event used to
signal the termination of the client connection on the avahi Unix
socket is not correctly handled in the client_work function, allowing
a local attacker to trigger an infinite loop. The highest threat from
this vulnerability is to the availability of the avahi service, which
becomes unresponsive after this flaw is triggered.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2021-3468
- 447affe299
- CVE-2023-38469:
A vulnerability was found in Avahi, where a reachable assertion exists
in avahi_dns_packet_append_record.
https://www.cve.org/CVERecord?id=CVE-2023-38469
- CVE-2023-38470:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_escape_label() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38470
- a337a1ba7d
- CVE-2023-38471:
A vulnerability was found in Avahi. A reachable assertion exists in
the dbus_set_host_name function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38471
- github.com/avahi/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
- CVE-2023-38472:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_rdata_parse() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38472
- b024ae5749
- CVE-2023-38473:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_alternative_host_name() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38473
- b448c9f771
- CVE-2024-52615:
A flaw was found in Avahi-daemon, which relies on fixed source ports
for wide-area DNS queries. This issue simplifies attacks where
malicious DNS responses are injected.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-52615
- 4e2e1ea090
- https://github.com/avahi/avahi/issues/810 (introduce regression CVE-2025-59529)
- CVE-2024-52616:
A flaw was found in the Avahi-daemon, where it initializes DNS
transaction IDs randomly only once at startup, incrementing them
sequentially after that. This predictable behavior facilitates DNS
spoofing attacks, allowing attackers to guess transaction IDs.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-52616
- f8710bdc8b
- CVE-2025-68276:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an
unprivileged local users can crash avahi-daemon (with wide-area
disabled) by creating record browsers with the
AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by
either calling the RecordBrowserNew method directly or creating
hostname/address/service resolvers/browsers that create those browsers
internally themselves.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68276
- 2d48e42d44
- CVE-2025-68468:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
avahi-daemon can be crashed by sending unsolicited announcements
containing CNAME resource records pointing it to resource records with
short TTLs. As soon as they expire avahi-daemon crashes.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68468
- f66be13d7f
- CVE-2025-68471:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
avahi-daemon can be crashed by sending 2 unsolicited announcements
with CNAME resource records 2 seconds apart.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68471
- 9c6eb53bf2
- CVE-2026-24401:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and
below, avahi-daemon can be crashed via a segmentation fault by sending
an unsolicited mDNS response containing a recursive CNAME record,
where the alias and canonical name point to the same domain (e.g.,
"h.local" as a CNAME for "h.local"). This causes unbounded recursion
in the lookup_handle_cname function, leading to stack exhaustion. The
vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST
is set explicitly, which includes record browsers created by resolvers
used by nss-mdns. This issue is patched in commit
78eab31128479f06e30beb8c1cbf99dd921e2524.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24401
- 78eab31128
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The github repository lathiat/avahi now redirect to avahi/avahi.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Introduce the openscap package. openscap is a command line tool allowing
to scan a system configuration to perform security compliance checks.
The tool consumes XCCDF and OVAL files to perform system evaluation
against a list of policies.
The package provides both a target and a host build configuration, as it
is needed on both sides:
- it is needed on the host to allow building the security policy files
to be embedded on the target
- it is needed on the target to actually parse and evaluate those
security policy files.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Thomas:
- Drop dependency on openssl, apparently not needed
- Depend on gcrypt if !nss, as either can be used
- Add missing dependency on libxslt]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libcurl host build support has initially been added with 736e0fc5d6
("libcurl: add host variant") while adding support for host-cargo build,
and reverted with 69e84008ab ("Revert "libcurl: add host variant"")
when standalone cargo build has been removed.
In order to bring in an upcoming commit a new host package that
depends on libcurl, re-enable host-libcurl build support.
This reverts commit w9e84008abf87eaeeb3f2d53c880cf33492a3bf8, with the
exception of the post-patch hook which is no longer needed.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 7eeb574f0e introduced the
libxmlsec1 making libxslt a mandatory dependency, which it isn't.
This commit therefore make libxslt an optional dependency of the
target libxmlsec1 package, and drops the dependency entirely for the
host package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes CVE-2025-14550:
There was a potential DoS vector for users of the
``asgiref.wsgi.WsgiToAsgi`` adapter. Malicious requests, including an
unreasonably large number of values for the same header, could lead to
resource exhaustion when building the WSGI environment.
Changelog: https://github.com/django/asgiref/blob/3.11.1/CHANGELOG.txt
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPIO filesystem generated by the test_firewalld test is too
large, and doesn't fit as an initramfs in the 256MB of RAM available
in the versatilepb machine. This causes a "Initramfs unpacking failed:
write error" when booting, and many files being missing from the root
filesystem, ultimately causing the test to fail.
The test_firewalld test initially started to fail following a systemd
update [1][3]:
[BRTEST# systemctl is-active firewalld
failed
But really started to crash at boot following a python 3.14 update
[2][4]:
Run /init as init process
/init: exec: line 15: /sbin/init: not found
Also, update TestFirewalldSysVInit to use ext2 instead of cpio.
[1] 926e0504d0
[2] a0a6abc8b1
Fixes:
[3] https://gitlab.com/buildroot.org/buildroot/-/jobs/12944797059
[4] https://gitlab.com/buildroot.org/buildroot/-/jobs/11856840940
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issues:
- CVE-2025-13473 (low): Username enumeration through timing difference in mod_wsgi authentication handler
- CVE-2025-14550 (moderate): Potential denial-of-service vulnerability via repeated headers when using ASGI
- CVE-2026-1207 (high): Potential SQL injection via raster lookups on PostGIS
- CVE-2026-1285 (moderate): Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
- CVE-2026-1287 (high): Potential SQL injection in column aliases via control characters
- CVE-2026-1312 (high): Potential SQL injection via QuerySet.order_by and FilteredRelation
See the release notes here:
https://docs.djangoproject.com/en/dev/releases/6.0.2/
Also includes the bugfixes from version 6.0.1:
https://docs.djangoproject.com/en/dev/releases/6.0.1/
Signed-off-by: Manuel Diener <manuel.diener@othermo.de>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Introduce the libxmlsec1 library package. libxmlsec implements XML
security standards.
The library has only a few mandatory dependencies(libxml2 and libxslt
and a crypto library). It needs one of the following cryptographic
libraries: OpenSSL, NSS, or Gcrypt/GNUTLS. Default to openssl for now to
keep the package simple.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security vulnerabilities:
CVE-2026-1584: libgnutls: Fix NULL pointer dereference in PSK binder
verification
A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
could lead to a denial of service attack via crashing the server.
The updated code guards against the problematic dereference.
CVE-2025-14831: libgnutls: Fix name constraint processing performance issue
Verifying certificates with pathological amounts of name constraints
could lead to a denial of service attack via resource exhaustion.
Reworked processing algorithms exhibit better performance characteristics.
For more details, see the release notes:
https://lists.gnupg.org/pipermail/gnutls-help/2026-February/004914.html
Drop now upstreamed 0001-audit-crau-fix-compilation-with-gcc-11.patch:
f5666f8f1f
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities:
CVE-2025-61732: cmd/cgo: remove user-content from doc strings in cgo ASTs
A discrepancy between how Go and C/C++ comments were parsed allowed for code
smuggling into the resulting cgo binary.
To prevent this behavior, the cgo compiler will no longer parse
user-provided doc comments.
CVE-2025-68121: crypto/tls: unexpected session resumption when using
Config.GetConfigForClient
Config.GetConfigForClient is documented to use the original Config's session
ticket keys unless explicitly overridden. This can cause unexpected
behavior if the returned Config modifies authentication parameters, like
ClientCAs: a connection initially established with the parent (or a sibling)
Config can be resumed, bypassing the modified authentication requirements.
If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on
the server) or InsecureSkipVerify is false (on the client), crypto/tls now
checks that the root of the previously-verified chain is still in
ClientCAs/RootCAs when resuming a connection.
Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar
issue related to session ticket keys being implicitly shared by
Config.Clone. Since this fix is broader, the Config.Clone behavior change
has been reverted.
Note that VerifyPeerCertificate still behaves as documented: it does not
apply to resumed connections. Applications that use
Config.GetConfigForClient or Config.Clone and do not wish to blindly resume
connections established with the original Config must use VerifyConnection
instead (or SetSessionTicketKeys or SessionTicketsDisabled).
For more details, see the announcement:
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Blake3 unconditionally enables C++ support, which unconditionally
requires C++20 when built with cmake >= 3.12, even when this is not
required.
Fixing this does not look trivial, and rather than botching the build,
just require C++20, available from gcc 8.x onward.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Use of threading requires a C++20 compiler, and the oneTBB
implementation. oneTBB is missing from Buildroot, but a system
one may be used if found.
Even if the default for threading is disabled, explicitly state so,
in case the default changes in the future.
Also disable examples, we don't and won't need them.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Ensure that the SHA_CRYPT option is enabled when the system configuration is
set to SHA256/512, as otherwise passwd complains when a password is changed:
passwd
...
Invalid ENCRYPT_METHOD value: 'SHA512'.
Defaulting to DES.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As described in https://gitlab.com/buildroot.org/buildroot/-/issues/160, the
github mirror is getting shut down - So move to the sourceware.org git repo.
The github mirror was originally used because of performance and reliability
issues with sourceware, but that seems be resolved now after server/RAM
upgrades - E.G. from the sourceware news:
April 22, 2024
server2.sourceware.org now has 512GB RAM, thanks Red Hat.
https://sourceware.org/
So change back to fetch glibc (and localedef) from sourceware.org over git.
Notice: The git archiving leads to slightly different paths and permissions
in the tarball, but the file content is identical:
mkdir a && tar -C a -x --strip-components=1 -f \
path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125.tar.gz
mkdir b && tar -C b -x --strip-components=1 -f \
path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125-git4.tar.gz
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien:
- add missing SoB line
- fix command lines in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Unfortunately, if all optee-related packages are not updated at the same
time, optee-test will not build. This commit bumps all the optee
components at once.
The version bump is needed since optee-examples and optee-test can no
longer compile (compatibility with CMake < 3.5 has been removed from
CMake).
For release details, see:
https://github.com/OP-TEE/optee_os/blob/4.9.0/CHANGELOG.md#op-tee---version-490-2026-01-16
Signed-off-by: Jakob Kastelic <jkastelic@thinksrs.com>
[Julien: add link to release details]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 0e3ddc9dc8 "{linux,
linux-headers}: split hash file in before and from 6.17" there are two
hash file variants, and symlinks for the individual versions. These
were not updated in 48186093fd "bump
5.{10, 15}.x / 6.{1, 6, 12, 18}.x series".
Fixes: 48186093fd
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Swig has a compiled in absolute path to its data files, which can be
overridden using the SWIG_LIB environment variable:
https://github.com/swig/swig/blob/v4.1.1/Source/Modules/main.cxx#L931-L945
This unfortunately means that host-swig misbehaves when used in the SDK, as
this points to the ${HOST_DIR}/bin of the build, which may not be available
when the SDK is used.
The issue was reported upstream but rejected in
https://github.com/swig/swig/issues/253, so instead add a wrapper script
which calculates a sensible SWIG_LIB relative to the wrapper location unless
SWIG_LIB is set, similar to how we do it for E.G. gcc or pkgconf.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: add quotes to make shellcheck happy]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit [1] introduced a patch to fix CVE-2025-62291. Since [2] the
security patches neeed to reference the vulnerability with the `CVE: `
trailer in the patch header.
[1] b009935e27 package/strongswan: add patch to fix CVE-2025-62291
[2] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
On Buildroot 2025.05.3, Meson's custom LLVM parser uses llvm-config
with a default search path of /usr/bin, causing it to detect the host
system's llvm-config (version 18.1.3) instead of the buildroot-compiled
one. This forces all LLVM-related packages to match version 18.1.3, but
since the host system lacks llvmspirvlib, the build fails. This patch
forces Meson to use the buildroot-compiled llvm-config.
On the master branch, the meson is somehow able to find the right
llvm-config, so reproduction only seems to be possible if the host
machine ships with a newer version as the one buildroot is using.
llvm-config found: YES
([...]/output/host/bin/llvm-config)
21.1.8
Run-time dependency LLVM (modules: bitwriter, core, coverage, engine,
executionengine, instcombine, irreader, libdriver, linker, lto,
mcdisassembler, mcjit, native, option, scalaropts, target,
transformutils, all-targets, coroutines, frontenddriver, frontendhlsl,
lto, windowsdriver) found: YES 21.1.8
Note that LLVM_CONFIG is a CMake option, not a Meson one. This is because
Meson has custom dependency resolution logic for LLVM (see
https://mesonbuild.com/Dependencies.html#llvm). The EXTRA_BINARIES mechanism
cannot be used here, as it only applies to cross-compilation scenarios, which
does not apply to host-mesa3d builds.
Reproduction (On BR2 tag: 2025.05.3):
BR2_x86_64=y
BR2_x86_atom=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_GLIBC_STABLE=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.24"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/pc/linux.config"
BR2_LINUX_KERNEL_INSTALL_TARGET=y
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_LLVM=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_I915=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_IRIS=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
Fixes:
llvm-config found: YES (/usr/bin/llvm-config-18) 18.1.3
Run-time dependency LLVM (modules: bitwriter, core, coverage, engine, executionengine, instcombine, irreader, libdriver, linker, lto, mcdisassembler, mcjit, native, option, scalaropts, target, transformutils, all-targets, coroutines, frontenddriver, frontendhlsl, lto, windowsdriver) found: YES 18.1.3
Dependency LLVMSPIRVLib found: NO. Found 15.0.0.0 but need: '>= 18.1' ; matched: '>= 15.0.0.0', '< 18.2'
Run-time dependency llvmspirvlib found: NO (tried cmake)
output/build/host-mesa3d-25.0.6/meson.build:1882:21: ERROR: Dependency lookup for LLVMSPIRVLib with method 'pkgconfig' failed: Invalid version, need 'LLVMSPIRVLib' ['>= 18.1'] found '15.0.0.0'.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
[Romain:
- Update the commit title
- Update commit log about this issue on master branch
https://lore.kernel.org/buildroot/CACXRmJh1-5Cy92kF9TM5nDs_uB90WAe5iOGmNNL2E-cMhJE7GA@mail.gmail.com/
]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Buildroot commit [1] introduced a new Buildroot-Initialize.cmake file,
to mimic the upstream Linux-Initialize.cmake.
However, this upstream file was introduced in commit [2], which was
introduced in CMake 3.27.
When compiling a cmake package on a host with a cmake older than
version 3.27 (for example, the Buildroot Docker reference image has
cmake 3.25), the configuration fails with the error:
CMake Error at /buildroot/output/host/share/buildroot/Platform/Buildroot-Initialize.cmake:1 (include):
include could not find requested file:
Platform/Linux-Initialize
Call Stack (most recent call first):
/usr/share/cmake-3.25/Modules/CMakeSystemSpecificInitialize.cmake:21 (include)
CMakeLists.txt:20 (project)
CMake version < 3.27 is setting its LINUX predefine elsewhere (see
commit log of [1]), so this commit fixes the issue by simply making
the include optional. This will guarante thee cmake predefines will
be present in all the cases.
Fixes:
[1]
[1] ef9f0a07ed
[2] cc737ae829
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old URL now leads to an HTTP 404 not found error.
Update it to the new one which contains the hashes for the current
release as well as older ones.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The current 'install' target comprises 'install-libs', 'install-apps'
and 'install-docs'.
In our case we don't want to install documentation to the target, so
just run the other two.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
It should be noted that because the python bindings have wrong default
include dirs, they are useless if the includes are not provided
externally.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When BR2_UCLIBC_INSTALL_UTILS is enabled, utils such as getconf, ldd,
locale get installed to TARGET_DIR. However, they do not get installed
to STAGING_DIR, which is annoying as it means that they are not part
of external toolchains built by Buildroot.
This commit adjusts the uclibc package to make sure those tools also
get installed to STAGING_DIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The UCLIBC_INSTALL_UTILS_STAGING is really badly named, as it doesn't
install anything to STAGING_DIR. Instead, it installs the host variant
of ldd and ldconfig into $(HOST_DIR)/bin. Therefore, rename it to
UCLIBC_INSTALL_HOST_UTILS.
This is important as a follow-up commit will re-introduce a
UCLIBC_INSTALL_UTILS_STAGING variable which really installs things
into STAGING_DIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream is dead, website unreachable, and the use case in 2026 is
dubious, so drop the package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ukify tool can be used to create Unified Kernel Images.
Signed-off-by: Bram Vlerick <bram.vlerick@openpixelsystems.org>
[Arnout:
- Remove the target option.
- Use enabled/disabled instead of true/false.
- Always enable for host build.
- Add dependency on host-python-pefile.
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
When building system binaries you may not even want TCG support if you
are only intending to use KVM. Provide the options so the user can
select only what they need.
With only KVM selected the QEMU build will generally only build the
binary for your target system. We keep TCG support on by default so as
not to break existing defconfigs.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Although it is possible to configure an AArch64 CPU without support
for EL2 in practice all the common AArch64 have supported
virtualisation from the start.
If we really wanted to be strict we could blacklist known non-EL2 CPUs
but AFAICT all the current ones in the config have EL2.
I should also note KVM on Arm is deprecated and was removed from the
kernel in v6.10.
Reviewed-by: Jesse Taube <jesse@rivosinc.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The current generated cJSONConfig.cmake holds hard coded path of libraries and makes it impossible to use in SDKs.
Use CMakePackageConfigHelpers and @PACKAGE_INIT@ to make them suit for real environment dynamically.
Signed-off-by: Guillaume Chaye <guillaume.chaye@zeetim.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The .mk file currently states:
If LWS_MAX_SMP=1, then there is no code related to pthreads
compiled in the library. If unset, LWS_MAX_SMP defaults to 32 and a
small amount of pthread mutex code is built into the library.
However, this is incorrect: when unset, LWS_MAX_SMP is actually set to
1, so mutexes aren't built in.
To fix, set it to 32 explicitly when threads are enabled. Why 32?
Because
https://libwebsockets.org/lws-api-doc-master/html/md_README.coding.html
states:
You can control the context basic data allocation for
multithreading from Cmake using -DLWS_MAX_SMP=, if not given it's
set to 32.
Signed-off-by: Bart Van Severen <bart.vanseveren@barco.com>
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When given a certificate directory with --with-ca-path, curl doesn't
list the files in that directory. Instead, it uses the certificate hash
to directly open the requested CA certificate. Therefore, putting a
bundle in that directory and removing all the individual certificates is
not possible.
In order to support use of the bundle, a separate configuration option
--with-ca-bundle is needed. With this option, it is possible to remove
the individual certificates and include just the bundle, which reduces
the size of the root filesystem a bit.
Note that the bundle is generated by the ca-certificates package, which
also installs the individual certificates and the hash symlinks. It
keeps both individual certificates and the bundle in the target.
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Changes:
- Fix memory leak in which() on realloc() failure
- Fix pidfile() to handle missing trailing slash in prefix path
Changes to src/pidfile.c do not affect the licensing terms, but
require updating the hash of this file that is used as one of the
license files.
https://github.com/troglobit/libite/releases/tag/v2.6.2
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Unfortunately, parts of the library is not very no-MMU friendly atm.
The below check fails due to runbg.c requiring fork().
$ ./utils/test-pkg -c libite.config -p libite
bootlin-armv5-uclibc [1/6]: OK
bootlin-armv7-glibc [2/6]: OK
bootlin-armv7m-uclibc [3/6]: FAILED
bootlin-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
arm-aarch64 [6/6]: OK
The dependency was introduced in libite v2.6.0, so this patch should
be backported to v2025.02.x.
Fixes:
https://autobuild.buildroot.net/results/6c6fd2ae410a82c44da54ee13a09a38a7ab220c1/
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the latest U-Boot update, U-Boot now handles this step in the
board setup removing the need to set this from a custom boot script.
Remove redundant fdt set command from boot script.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump Linux to latest release tag: linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a kernel bump to
v6.12.48.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump U-Boot to latest release tag: linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a U-Boot version
bump to v2025.07.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump Linux to latest release tag linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a kernel version
buump to v6.12.48 and a GPIO driver fix.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump U-Boot to latest release tag linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a U-Boot version
update from v2023.07 to v2025.07.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
There are several use cases for installing additional files in the boot
partition that is read by the RPi firmware.
- autoboot.txt is an optional configuration file for the RPi
firmware [1]. Supporting several autoboot files will enable A/B
setups, as using the renameat2() system call with the RENAME_EXCHANGE
flag will let users atomically replace one autoboot configuration
file with the other. This improves reliability in the case of an
update which could potentially be interrupted.
- Multiple cmdline.txt files are useful in the context of a new
[boot_partition] conditional filter introduced in config.txt in
commit [2]. This is useful for A/B systems to have identical BootFS
partitions on both slots, and not have to edit the kernel command line
to ensure the kernel will load the right rootFS after update of the
BootFS.
- rpi-firmware contains DTB overlays for many "standard" hats, but a
custom hat may require a custom overlay.
Although it is possible to install additional files in the boot
partition in the post-image script, it is very convenient to be able to
use the standard RPi post-image script in
board/raspberrypi/post-image.sh. That script looks in
$BINARIES_DIR/rpi-firmware, so it is convenient to be able to place
additional files there.
Add the option BR2_PACKAGE_RPI_FIRMWARE_EXTRA_FILES which is simply a
list of files to be copied to $BINARIES_DIR/rpi-firmware, which will
eventually end up as the boot partition. Make sure that this is done as
the last step of RPI_FIRMWARE_INSTALL_IMAGES_CMDS, so the files can
override files installed by earlier steps.
[1] https://www.raspberrypi.com/documentation/computers/config_txt.html#autoboot-txt
[2] d50b2b32f1
Signed-off-by: Olivier Benjamin <olivier.benjamin@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
For release notes, see:
https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0
The --without-osmesa configure option was removed upstream, in
commit [1]. This commit removes the options from _CONF_OPTS.
Also, since upstream commit [2], the /usr/bin/wine program became
a "tool". It needs to be enabled when cross-compiling. As suggested
in [3], this commit adds --enable-tools in WINE_CONF_OPTS.
This commit also updates the LICENSE file hash, after year
update in [4].
[1] 370e7d9a50
[2] 6d28db86c9
[3] https://bugs.winehq.org/show_bug.cgi?id=57847
[4] ab59cc16c5
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Adds a new user-configurable string to arch/Config.in.riscv, and in
arch/arch.mk.riscv appends it to GCC_TARGET_ARCH.
This enables custom extensions/combinations to be easily configured.
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Reviewed-by: Jesse Taube <Mr.Bossman075@gmail.com>
[Arnout:
- fix check-package warnings
- introduce ARCH_RISV_ISA_EXTRA to simplify stripping of quotes
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This commit adds the -N/--needs-update option, disabled by default,
to list only packages with newer upstream versions. All other packages
will be excluded from the HTML or JSON output.
Signed-off-by: Kadambini Nema <kadambini.nema@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Commit 105e4618c5 added a patch to fix
CMake 4 compatibility, but due to line endings issues the patch
doesn't apply properly. This commit fixes the patch so that it does
apply as it should.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently, the relocate-sdk.sh script scans the whole extracted SDK tree
to find instances of paths it needs to replace, which can take a
significant amount of time when the SDK is large, particularly relative
to the number of files that actually need to change.
However, the resulting list only depends on the SDK tarball itself, so
we can calculate it at build time and ship it with the tarball so
relocate-sdk.sh can use it directly.
Testing this on my machine with somewhat IOPS-limited rotating media,
the time goes down from:
$ time ./relocate-sdk.sh
Relocating the buildroot SDK from [...] to [...] ...
./relocate-sdk.sh 5.19s user 26.21s system 9% cpu 5:34.40 total
To:
$ time ./relocate-sdk.sh
Relocating the buildroot SDK from [...] to [...] ...
./relocate-sdk.sh 0.49s user 0.29s system 103% cpu 0.749 total
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Commit [1] bumped glibc from 2.42-3-gbc13db739 to 2.42-51-gcbf39c26b
to fix some CVEs, but forgot to add those CVEs to GLIBC_IGNORE_CVES.
This was needed because the GLIBC_CPE_ID_VERSION used for CVE checks
remains to the same value "2.42" which is marked as vulnerable to
those CVEs.
This commit adds those _IGNORE_CVES with the corresponding upstream
commit references, to make sure they will not be reported by the
"make pkg-stats" command.
Fixes:
- [1]
[1] 18de297a5a
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When running "make pkg-stats" on a host with Python 3.14 (e.g.
Fedora 43 for example), the execution fails with the error:
Checking URL status
Traceback (most recent call last):
File "/buildroot/support/scripts/pkg-stats", line 1387, in <module>
__main__()
~~~~~~~~^^
File "/buildroot/support/scripts/pkg-stats", line 1368, in __main__
loop = asyncio.get_event_loop()
File "/usr/lib64/python3.14/asyncio/events.py", line 715, in get_event_loop
raise RuntimeError('There is no current event loop in thread %r.'
% threading.current_thread().name)
RuntimeError: There is no current event loop in thread 'MainThread'.
This is due to a breaking change introduced in Python 3.14
asyncio.get_event_loop(). See [1]. Before Python 3.14, this call was
creating and setting an event loop if there was none. This situation
is now a runtime error.
In order to fix this issue with newer Python version, while keeping
backward compatibility, this commit replaces the code:
loop = asyncio.get_event_loop()
by an explicit event loop creation:
loop = asyncio.new_event_loop()
asyncio.set_event_loop(loop)
This commit was tested on a Fedora 43 host with Python-3.14.2, and
with the Buildroot Docker image plus the python3-aiohttp package
which is a Debian 12 with Python-3.11.2.
[1] https://docs.python.org/3.14/library/asyncio-eventloop.html#asyncio.get_event_loop
Signed-off-by: Julien Olivain <ju.o@free.fr>
Tested-by: Vincent Fazio <vfazio@xes-inc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commits [1] and [2] are installing host SDK files
"$(HOST_DIR)/usr/share".
check-package (see [3]) reports the error:
package/pico-sdk/pico-sdk.mk:23: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
package/pico-sdk/pico-sdk.mk:24: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
package/picotool/picotool.mk:15: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
This commit installs the host SDK files to "$(HOST_DIR)/share" to fix
this error.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12970341499
[1] ceb800d3c6
[2] 926381d360
[3] 29a0dd4a30
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, when both libnss and GnuTLS are present, NetworkManager will
get linked to libnss.
The NetworkManager project doesn't recommend one over the other
officially and has supported both from day one back in 2007.
Arguments which one to prefer can be made in either direction:
Points in favor of libnss:
- It's the default value in the NM build system, so it would be the
preferred backend if both are available and we didn't supply any
options to the build process
- It's probably the more mature of the two, given that it's being used
in Mozilla products
Points in favor of GnuTLS:
- While both backends seem feature-equivalent, the
_nm_crypto_verify_pkcs8 function is stubbed out in the libnss
code[1].
- Both Debian and Fedora explicitly select GnuTLS in their packages. At
least in the case of Fedora it seems to have been a conscious
choice[2].
Given what it's actually used for in the code base, the choice does not
matter a lot. However, since it is marginally more feature-complete and
seems to be preferred by other distributions, let's switch to GnuTLS.
[1] 36f8de25c4/src/libnm-crypto/nm-crypto-nss.c (L523-540)
[2] 29a9c41bea
Signed-off-by: Florian Larysch <fl@n621.de>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
The network-manager package currently pulls in either gnutls or libnss,
neither of which are very common and it might be the only reason why
they are present on a system.
However, most of NetworkManager works just fine without any cryptography
support, it only seems to be used in test cases and 802.1X support code.
Remove the dependency but use a library if it is present.
Note that this changes the default behavior. If network-manager was the
only package pulling in gnutls, it won't do this anymore and use the
"null" backend. Add a note about this to the manual.
Signed-off-by: Florian Larysch <fl@n621.de>
Tested-by: Marcus Hoffmann <buildroot@bubu1.eu>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Marcus: Change buildroot version to 2026.02 in migrating.adoc]
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Add BR2_PACKAGE_DPDK_APPS_LIST to control which DPDK applications are
built:
- empty : use DPDK defaults
- none : disable all apps (-Ddisable_apps='*')
- list : pass to -Denable_apps= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_LIBS_LIST to control which DPDK libraries are
built:
- empty : use DPDK defaults
- none : disable all libs (-Ddisable_libs='*')
- list : pass to -Denable_libs= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_DRIVERS_LIST to control which DPDK applications are
built:
- empty : use DPDK defaults
- none : disable all drivers (-Ddisable_drivers='*/*')
- list : pass to -Denable_drivers= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
[Julien: slightly change the drivers Config.in help text:
- rename net/ixgbe to net/intel/ixgbe
- change find -maxdepth value to 3
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When the host system has asciidoctor and po4a/poman installed,
util-linux detect them and automatically enable manual pages and
their translations. This can significantly increase the package
build time (in my case, from 20s to 1m50s). See upstream
commit [1] and [2].
Since manual pages are not needed in Buildroot, this commit adds in
_CONF_OPTS for host host and target variants the options to always
disable the detection of those programs (--disable-asciidoc
--disable-poman). This will always disable the generation of manual
pages.
Note: Buildroot attempts to globally disable documentation for
autotools packages by passing various --disable-docs configure
options (see [3]), but those are not recognized by util-linux.
This commit also reorder the options for UTIL_LINUX_CONF_OPTS.
[1] 9acfc349e0
[2] 236421a491
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.11/package/pkg-autotools.mk#L184-186
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
There are multiple defconfig fragments we can select to modify the final
tiboot3.bin image to support different boot methods or enable features
supported by a board. Allow the ti-k3-r5-loader package to select
defconfig gragments during a build
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
LLVM is already implicitly enabled for host-mesa3d when
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER is selected. This blind
option is automatically enabled when LLVM is required by drivers such
as intel-iris, panfrost, imagination, or intel-vulkan.
The BR2_PACKAGE_MESA3D_LLVM option also independently selects host-llvm,
but this change makes the dependency more explicit for host-mesa3d
builds.
Note that disabling LLVM is not possible for host-mesa3d, as the build
will fail with:
../../../br-test-pkg/bootlin-armv5-uclibc/build/host-mesa3d-25.3.2/meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Backport two security fixes from upstream. They are in newer releases,
but to facilitate backporting to our LTS releases, this backports the
fixes.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The dependencies on Boost.System, Boost.Filesystem were removed in
v23.0 [0][1] and Boost.Thread in v21.99 [2].
This was never reflected in the Buildroot package so do it now.
[0] 07269321f3
[1] b87f9c5edf
[2] 06e1d7d81d
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit [1] added the "Upstream:" package patch tag, but forgot to
remove the corresponding .checkpackageignore entry.
This commit fixes that.
Fixes:
package/efl/0001-ecore_fb-fix-build-with-tslib.patch:0: lib_patch.Upstream was expected to fail, did you fix the file and forget to update .checkpackageignore?
[1] bac34296bf
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Fix flake8 warning, use http.server instead of relying on
connectivity]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch 0001 has the upstream information, just not properly formatted,
so we fix this.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Thomas: extracted from a bigger patch from Bernd]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
According to the official requirements, bindgen needs libclang to
parse C/C++ headers. libclang is loaded at runtime by bindgen, which
is why we didn't notice any build issue. However, using bindgen on a
simple header file blows up:
thread 'main' panicked at bindgen/lib.rs:616:27:
Unable to find libclang: "couldn't find any valid shared libraries matching: ['libclang.so', 'libclang-*.so', 'libclang.so.*', 'libclang-*.so.*'], s
et the `LIBCLANG_PATH` environment variable to a path where one of these files can be found (invalid: [])"
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
So far, bindgen was only used by mesa3d, and it turns out that mesa3d
also depends on clang, which pulls in host-clang, so the problem was
not visible. However, as we're about to use bindgen for other
things (namely Rust support in Linux), this issue needs to be fixed.
See:
https://rust-lang.github.io/rust-bindgen/requirements.html
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mpg123 supports (and prefers) SDL2 as well for the sdl backends since 1.26.9
with:
792615f651
So support that here as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Arm Trusted Firmware (TF-A) can be used to load U-Boot or another
bootloader, which in turn loads the Linux kernel. However, TF-A is
capable of loading the kernel directly. To this end, we need to define
the BL33 and BL33_CFG compile options containing, respectively, the
zImage and the DTB.
This config introduces a new config option,
BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33, which sets the BL33 and
BL33_CFG parameters, and ensures that the kernel is built before the
TF-A by having linux as a _DEPENDENCY of the TF-A.
Signed-off-by: Jakob Kastelic <kastelic.jakob@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The new target provides a convenient way to run utils/check-package on
any external trees, using .checkpackageignore files from the
respective trees if present.
While .checkpackageignore should be used as little as possible, in a
few cases adding overrides for false-positives to the affected files
is not feasible, a practical example of this is a Markdown file
misidentified as Python by libmagic (likely due to code blocks).
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Arnout: set ${ignore} explicitly to empty, in case it exists in the
environment.]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The test failed in the past, due to kbd build failure. See [1].
This specific issue was fixed by commit [2].
This commit was originally written to workaround this issue, which was
unrelated to the actual package being tested. Since systemd-vconsole
is not needed anyway, this commit removes it from the test config.
[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/12363929666
[2] d98d9ba28f
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: reword the commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Testing with a really old toolchain is helpful to catch issues related
to kernel headers version issues, gcc version issues, etc. We chose a
glibc toolchain though as old musl or uClibc-ng versions tend to lack
a number of features that are needed by modern software.
This toolchain is placed near the top of toolchain-configs.csv, so
that it is used as part of the "base" set of toolchain that test-pkg
uses, even without the -a option.
test-pkg takes the 6 first toolchains of this CSV file for its base
test, and actually the comment in toolchain-configs.csv was wrong
since commit 53a8c5150e, which removed a
toolchain from the base set, but not realizing that test-pkg would
anyway continue to test the first 6 toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The prebuilt MIPS64 toolchains are very old, causing build issues (for
example recently with the systemd v258 update). Replace them both a
single toolchain configuration that uses one of the mips64el Bootlin
toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- br-i386-pentium4-full.config as an x86 32-bit toolchain test is
already reasonably covered by bootlin-x86-i686-musl.config
- br-microblazeel-full-internal.config as a Microblaze toolchain test is
already reasonably covered by bootlin-microblazeel-uclibc.config
- br-powerpc-internal-full.config and br-powerpc-603e-basic-cpp.config
as PowerPC 32-bit toolchain tests are already reasonably covered by
bootlin-powerpc-e500mc-uclibc.config
- br-powerpc64-power7-glibc.config as a PowerPC 64-bit toolchain test
is already reasonably covered by
bootlin-powerpc64le-power8-glibc.config
- br-riscv64-full-internal.config as a RISC-V 64-bit toolchain test is
already reasonably covered by bootlin-riscv64-glibc.config and
bootlin-riscv64-musl.config
- br-s390x-z13-internal-glibc.config as a s390 toolchain test is
already reasonably covered by bootlin-s390x-z13-glibc.config
- br-xtensa-full-internal.config as an Xtensa toolchain test is
already reasonably covered by bootlin-xtensa-uclibc.config
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building internal toolchains takes a long time, and since the
differences between the 3 internal ARM toolchains is just the libc,
and we're already testing uclibc/musl with external toolchains, it
doesn't make much sense to build 3 different ARM internal toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We're already testing the ARC architecture with one Bootlin toolchain,
it doesn't make sense to also test with two Buildroot internal
toolchains the ARC architecture, which is not a primary architecture
for Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Added four upstream patches backported from FreeRDP 3.x.
The remaining build error:
/home/bernd/buildroot/output/build/freerdp-2.11.7-18-g0ee17e2f8e49d56ab5b90d5160fa8f87ffc445e0/
channels/client/tables.c:129:22:
error: initialization of ‘UINT (*)(void)’ {aka ‘unsigned int (*)(void)’}
from incompatible pointer type ‘UINT (*)(void *)’ {aka ‘unsigned int (*)(void *)’}
[-Wincompatible-pointer-types]
129 | { "oss", "", oss_freerdp_rdpsnd_client_subsystem_entry },
is fixed by adding -Wno-incompatible-pointer-types to CFLAGS due to
tables.c being dynamically created during the build and backporting the
supposed upstream fix
fe6d861a5c
is too invasive.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We're about to bump abseil to a version >= 20250512.02, which requires
C++17, meaning that protobuf/grpc will also C++17. This in turn means
that the grpc support in collectd will also need C++17.
So just like our current patch 0002-configure.ac-fix-grpc-build.patch
updates the collectd logic from C++11 to C++14, this new
patch (accepted upstream) updates the collectd logic again from C++14
to C++17.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In linux 6.17, the license file LICENSES/preferred/GPL-2.0 was modified.
As a result, also its hash changed, and the hash was duly updated in
commit d6c0f0015b. Of course, this is only
valid for kernel versions from 6.17 - but at the time, we only set
LINUX_LICENSE_FILES for the latest kernel version, not for any other
kernel versions.
Since commit 305a2d91731fade45f35c259cb012bdf17e8dbeb, we also set
LINUX_LICENSE_FILES for all other versions, including e.g. the CIP
versions. Similarly, we now set LICENSE_FILES for all linux-headers
versions. Thus, the hash check of the license file fails for all older
kernel versions.
Fix this by splitting the hash file in two hash files: before-6.17 and
from-6.17. We keep just two hash file rather than a separate one for
each version to limit the number of files that need to be updated when
bumping kernel versions. Create symlinks for all the CIP version in
linux and for all supported versions in linux-headers.
Include the CIP versions as well for linux-headers. They are used when
the kernel is set to the CIP version and linux-headers to
same-as-kernel.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The linux-headers package was not providing any license file for any
version other than the latest one.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
For the headers-as-kernel case, use LINUX_LICENSE_FILES and disable the
Kconfig option entirely.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The AT91Bootstrap3 package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Note that version 3.X of at91bootstrap didn't have an open source
license and no license file either. Keep that behavior.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The ATF package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The Barebox package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The OpenSBI package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The OP-TEE OS package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The U-Boot package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The Linux package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Building berkeleydb is broken with a non-threaded toolchain with gcc >=
14.x:
../src/rep/rep_method.c:1740:25: error: implicit declaration of function
'__repmgr_get_nsites'; did you mean '__rep_get_nsites'?
[-Wimplicit-function-declaration]
1740 | return (__repmgr_get_nsites(env, n));
According to src/repmgr/repmgr_util.c, line 503+, the function
'__repmgr_get_nsites' mentioned in the gcc error message "may only be
called after threads have been started".
This source file repmgr_util.c belongs to REPMGR_OBJS according to
dist/Makefile.in, line 249+, which is, according to dist/configure.ac,
line 956, only build if thread support is present.
In a non-threaded build '__repmgr_get_nsites' does not exist causing the
build error.
To fix the build error we disable replication for non-threaded
toolchains.
Using gcc 13.x the build error does not occur, tested with this
defconfig:
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_GCC_VERSION_13_X=y
BR2_PACKAGE_BERKELEYDB=y
Using this minimal gcc 14.x-based defconfig
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_PACKAGE_BERKELEYDB=y
the build error can be reproduced.
The oldest build error of this kind, afaics, dates back to 2024-06-13:
https://autobuild.buildroot.net/results/e0d/e0d6bdbef01bee277b0da83605b2906af876058a/
Fixes:
https://autobuild.buildroot.net/results/792/792ed942d17bb8d00cd321536a102f6dd63b6a8a/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The package imports itself in setup.py to get the package-name and
version number. Dping this during the buildroot build would require
buisling host-python with sqlite support, which we are currently not set
up for. It also seems wasteful for just extracting the version number
and package name, so instead we replace the import by using a hardcoded
package-name and the version number stored in buildroot.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a defconfig to run Linux on a large range of 32-bit HP PA-RISC 1.1
Workstations, such as the HP 9000 700 and Visualize workstations.
While at it, add this defconfig to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Palo is a PA-RISC/Linux boot loader.
It can be used to make bootable disk images or network bootable images.
While at it, add this boot package to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a defconfig to run Linux on a HP Visualize B160L PA-RISC
Workstation, emulated with Qemu.
While at it, add this defconfig to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Romain Naour <romain.naour@gmail.com>
[Julien: update kernel to 6.18.7 to align with other qemu defconfigs]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add support for the Precision Architecture (a.k.a. PA-RISC),
a 32-bit architecture developed by Hewlett Packard.
While at it, add this arch to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
[Julien: arch "arch/" prefix in commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a host-picotool package to picotool.
This will allow users to build rpi pico applications on the host system.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a host-pico-sdk package to pico-sdk.
This will allow users to build rpi pico applications on the host system.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
pico-sdk and picotool 2.x.x adds support for the rp2350 bump package to
latest version.
picotool needs mbedtls for --hash --sign and --offset.
Clone submodules in pico-sdk to provide the nessasaary files for
picotool to build and link mbedtls and other optional libraries.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for changes:
https://nginx.org/en/CHANGES-1.28
Following security related issues are fixed:
*) Security: processing of a specially crafted login/password when using
the "none" authentication method in the ngx_mail_smtp_module might
cause worker process memory disclosure to the authentication server
(CVE-2025-53859).
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
Thanks to Nils Bars of CISPA.
Update patch 0007, which does not apply cleanly.
License file was changed, year was bumped to 2025.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For change log since 1.9.0, see:
https://codeberg.org/ivarch/pv/src/tag/v1.10.3/docs/NEWS.md
Upstream commit [1], included in version 1.9.42, introduced a use
of fork(). This commit adds this new dependency.
The pgp key ID used to sign the source archive changed. This commit
updates the comment in the hash file.
[1] fb7c05c262
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 99585db1e8 bumped the
package from version 9.21.4 to 9.33.0.
Upstream added std::atomic to drbdmon with commit
3baf945732
to version 9.25.0 causing build errors:
/home/autobuild/autobuild/instance-2/output-1/per-package/drbd-utils/host/bin/../lib/gcc/microblazeel-buildroot-linux-uclibc/14.3.0/../../../../microblazeel-buildroot-linux-uclibc/bin/ld:
MessageLogNotification.o: in function `MessageLogNotification::query_log_changed()':
(.text+0xe8): undefined reference to `__atomic_exchange_1'
Fixes:
https://autobuild.buildroot.net/results/741/741606000c26bc994f243b0b865d26ff25592caa/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since its introduction in [1], by default the `generate-cyclonedx`
script doesn't include buildroot's virtual packages in its 'components'
list, unless using the `--virtual` argument.
References to virtual packages present in the 'show-info' output are
filtered out in the resulting dependencies.
This patch fix the default CycloneDX dependencies generation
without virtual packages to reference the packages that provide the
virtual package instead of just dropping the virtual package itself.
If we use the package `lbase64` that depends on the virtual package
`luainterpreter` as an example. The 'dependency' entry looks like the
following:
```
{
"ref": "lbase64",
"dependsOn": [
"host-skeleton",
"skeleton-init-common",
"skeleton-init-sysv",
"toolchain-external-bootlin"
]
}
```
The `luainterpreter` dependency is missing.
After applying this patch, package that provides the `luainterpreter` is
present:
```
{
"ref": "lbase64",
"dependsOn": [
"host-skeleton",
"lua",
"skeleton-custom",
"skeleton-init-sysv"
]
}
```
In the case of a virtual package provided by multiple packages all those
packages will be listed. This happens when generating an SBOM on the
entire Buildroot packages.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the introduction of the `generate-cyclonedx` script in [1] the
dependencies were 'recursive'. This means that the dependencies of a
package dependency were included.
The CycloneDX spec [2] states that only direct dependencies needs to be
included.
This patch drop the recursive dependencies.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
[2] https://cyclonedx.org/docs/1.6/json/#dependencies
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The definition of the project name & version is stored under the
`metadata:component` CycloneDX property.
Since the introduction of the `generate-cyclonedx` script [1] a
'buildroot' dependency entry that depends on every components has been
part of the generated SBOM.
Tools such as 'DependencyTrack' relies on such entry to create graph of
the entire project.
With the commit [2] that introduced the option to pass a custom project
name and version, this dependency reference was not updated to match the
custom 'bom-ref'.
This patch fixes the reference to match the custom project name.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
[2] 9cbbc47762 utils/generate-cyclonedx: add project name and version options
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Brings additional optimizations and bugfixes:
Fix to heap buffer overflow in vp9_deblock, vp9_post_proc_frame, and
vp9_pack_bitstream.
Fix to integer overflow in vp9_highbd_post_proc, vp9_rc_regulate_q,
tiny_ssim, and vp9_calc_pframe_target_size_one_pass_cbr.
Fix to use-of-uninitialized-value in vp9_highbd_post_proc, mfqe, and
vp8_datarate_test.
Fix to out-of-bounds in log_tile_cols_from_picsize_level.
Fix to double free on initialization failure in vpx_codec_enc_init_multi.
Fix to division-by-zero crash in vpxenc with 0 FPS numerator input.
Fix to various build failures for Arm/SVE2, macOS cross-compilation, and
Xcode 16.
https://chromium.googlesource.com/webm/libvpx/+/refs/tags/v1.16.0
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps the Linux kernel to version 6.18.8 and U-Boot to version 2026.01.
Tested on FriendlyElec NanoPi R3S.
Signed-off-by: Patrik Olsson <johan.patrik.olsson@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps the Linux kernel to version 6.18.8 and U-Boot to version 2026.01.
Tested on Radxa ROCK 4SE.
Signed-off-by: Patrik Olsson <johan.patrik.olsson@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update all qemu defconfigs to the latest Kernel LTS version.
configs/qemu_ppc_*defconfig now requires host-libelf, so this commit
selects BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF for those.
This commit also enables zstd-compressed modules support in
qemu_loongarch64_virt_efi_defconfig, due to upstream commit [1] which
added CONFIG_MODULE_COMPRESS_ZSTD=y in its arch defconfig.
This commit also updates the custom hash file comment to add the
upstream link.
All updated defconfigs were tested (compiled and booted).
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3c272a7551af1c10f6dbba0e71add7dccc7733fa
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
https://github.com/nodejs/node/blob/v22.22.0/doc/changelogs/CHANGELOG_V22.md
List of security fixes:
22.22.0:
(CVE-2025-59465) add TLSSocket default error handler
(CVE-2025-55132) disable futimes when permission model is enabled lib,
permission:
(CVE-2025-55130) require full read and write to symlink APIs src:
(CVE-2025-59466) rethrow stack overflow exceptions in async_hooks src,
lib:
(CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill
toggle tls:
(CVE-2026-21637) route callback exceptions through error handlers
22.17.1:
(CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path
Traversal Protection in path.normalize()
Version 22.18.0 includes
a2d2d36bb1
which fixes build errors with python 3.14
"ImportError: cannot import name 'FancyURLopener' from 'urllib.request'"
introduced by buildroot commit a0a6abc8b1.
Updated license hash due to upstream commits:
ec60473ab10b5613f9fe0edf17198f
Switched _SITE to https.
Fixes:
https://autobuild.buildroot.net/results/da8/da82dc03cf0d42463fff1b5d9bf7a3c18cbf44dd/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Move the content referring to the LTS information from the 'support' page
into a dedicated page.
Also add LTS specific information about the sponsoring and the benefits.
This page also contains clarification on the release cycle of the LTS.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Fixes the following vulnerabilities:
CVE-2025-11187 - Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
CVE-2025-15467 - Stack buffer overflow in CMS AuthEnvelopedData parsing.
CVE-2025-15468 - NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
CVE-2025-15469 - ‘openssl dgst’ one-shot codepath silently truncates inputs >16MB.
CVE-2025-66199 - TLS 1.3 CompressedCertificate excessive memory allocation.
CVE-2025-68160 - Heap out-of-bounds write in BIO_f_linebuffer on short writes.
CVE-2025-69418 - Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
CVE-2025-69419 - Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
CVE-2025-69420 - Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
CVE-2025-69421 - NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
CVE-2026-22795 - Missing ASN1_TYPE validation in PKCS#12 parsing
CVE-2026-22796 - ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
For more details, see the announcement:
https://openssl-library.org/post/2026-01-27-release-announcement/
Drop now upstreamed 0004-Scope-aes_cfb128_vaes_encdec_wrapper-to-x64.patch:
f529d26591
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release announce, see:
https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html
gnupg2 version from 2.5.13 to 2.5.16 (inclusive) are affected by
the following issue:
A crafted CMS (S/MIME) EnvelopedData message carrying an oversized
wrapped session key can cause a stack buffer overflow in gpg-agent
during the PKDECRYPT--kem=CMS handling. This can easily be used for a
DoS but, worse, the memory corruption can very likely also be used to
mount a remote code execution attack. The bug was introduced while
changing an internal API to the FIPS required KEM API.
Fixes:
https://dev.gnupg.org/T8044
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP
archives
archive/zip used a super-linear file name indexing algorithm that is
invoked the first time a file in an archive is opened. This can lead to a
denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm
When parsing a URL-encoded form net/http may allocate an unexpected amount
of memory when provided a large number of key-value pairs. This can
result in a denial of service due to memory exhaustion.
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated
session ticket keys, session resumption does not account for the
expiration of full certificate chain
The Config.Clone methods allows cloning a Config which has already been
passed to a TLS function, allowing it to be mutated and reused.
If Config.SessionTicketKey has not been set, and
Config.SetSessionTicketKeys has not been called, crypto/tls will generate
random session ticket keys and automatically rotate them. Config.Clone
would copy these automatically generated keys into the returned Config,
meaning that the two Configs would share session ticket keys, allowing
sessions created using one Config could be used to resume sessions with
the other Config. This can allow clients to resume sessions even though
the Config may be configured such that they should not be able to do so.
- CVE-2025-61731: cmd/go: unexpected code execution when invoking toolchain
The Go toolchain supports multiple VCS which are used retrieving modules
and embedding build information into binaries.
On systems with Mercurial installed (hg) downloading modules (e.g. via go
get or go mod download) from non-standard sources (e.g. custom domains)
can cause unexpected code execution due to how external VCS commands are
constructed.
On systems with Git installed, downloading and building modules with
malicious version strings could allow an attacker to write to arbitrary
files on the system the user has access to. This can only be triggered by
explicitly providing the malicious version strings to the toolchain, and
does not affect usage of @latest or bare module paths.
The toolchain now uses safer VCS options to prevent misinterpretation of
untrusted inputs. In addition, the toolchain now disallows module version
strings prefixed with a "-" or "/" character.
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the
incorrect encryption level
During the TLS 1.3 handshake if multiple messages are sent in records that
span encryption level boundaries (for instance the Client Hello and
Encrypted Extensions messages), the subsequent messages may be processed
before the encryption level changes. This can cause some minor
information disclosure if a network-local attacker can inject messages
during the handshake.
For details, see the announcement:
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit bf3626002f ("system cfg: remove mkpasswd MD5 format option") dropped
the MD5 option, so stop referring to it from the sha256 one to limit
confusion.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Remove the '-x' option from the shebang, which was a leftover from the
debugging phase and not intended for the final submission.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a missing space in the "Creating SD card" section of the
documentation.
Fixes: 1a1239fd28 ("configs/stm32f769_disco_sd_defconfig: new defconfig")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a missing space in the "Creating SD card" section of the
documentation.
Fixes: 04a0094f0e ("configs/stm32f469_disco: fix kernel bootup")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Version 0.24.7 change log:
* decoder
- ffmpeg: allow seeking only if both AVFormatContext and InputStream allow it
* playlist
- cue: strip UTF-8 byte order marker
* Linux: disable the iowait state for io_uring
* fix GCC 16 compiler warning
* fix spurious linker failures
Signed-off-by: Andreas Ziegler <br025@umbiko.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Depends on python-numpy >= 2.0.0:
https://github.com/scipy/scipy/blob/v1.16.3/pyproject.toml#L41a3e2bb639b
Updated license hash due to copyright year bumps:
https://github.com/scipy/scipy/commits/v1.16.3/LICENSE.txt
qhull license file was moved upstream:
6d699dded496423e5279
Updated numpy path in PYTHON_SCIPY_MESON_EXTRA_PROPERTIES following
upstream commit:
923f219077
Test was successful:
$ utils/docker-run support/testing/run-tests -j33 -k -d dl -o output_folder tests.package.test_python_scipy.TestPythonPy3SciPy
09:59:22 TestPythonPy3SciPy Starting
09:59:23 TestPythonPy3SciPy Building
10:10:09 TestPythonPy3SciPy Building done
Downloading to /home/bernd/buildroot/dl/tmpw1frnmf9
Renaming from /home/bernd/buildroot/dl/tmpw1frnmf9 to /home/bernd/buildroot/dl/kernel-versatile-5.10.202
Downloading to /home/bernd/buildroot/dl/tmpiip1lach
Renaming from /home/bernd/buildroot/dl/tmpiip1lach to /home/bernd/buildroot/dl/versatile-pb-5.10.202.dtb
10:10:24 TestPythonPy3SciPy Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 661.922s
OK
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://numpy.org/news/
Add new supported architectures.
License hash changed due to date update:
c1ffdbc0c2
We need to build python-numpy with its vendored version of meson as
it currently relies on features that are not yet upstream. To do this
we can simply set the PYTHONPATH with the vendored meson path before
the normal PYTHON3_PATH so that the vendored version will have
precedence. We need to set this for both host and target numpy.
We also need to set the architecture specific longdouble_format
property as numpy is unable to determine the value for this without
being able to execute target binaries.
See:
3e7e5c3cab/doc/source/building/cross_compilation.rst
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Bernd:
Bumped to 2.4.0
Removed patch which is included in this release.
Updated license hashes due to upstream commits:
- copyright year bumps:
https://github.com/numpy/numpy/commits/v2.4.0/LICENSE.txt
- file move
tools/npy_tempita/license.txt -> numpy/_build_utils/tempita/LICENSE.txt
63a1fee8d186940987a9
- directory move core -> _core and various code updates
https://github.com/numpy/numpy/commits/v2.4.0/numpy/_core/src/multiarray/dragon4.c
- directory move core -> _core
https://github.com/numpy/numpy/commits/v2.4.0/numpy/_core/include/numpy/libdivide/LICENSE.txt
Following Romain's review
https://lists.buildroot.org/pipermail/buildroot/2024-November/767739.html
host-python-numpy was switched back to host-python-package to install the
f2py script needed by the upcoming bump of python-scipy. A dependency to
host-python-meson-python is also needed.
Removed PYTHON_NUMPY_LONGDOUBLE_FORMAT configure option for BR2_arceb
after this arch was removed from buildroot.
Changed path in PYTHON_NUMPY_FIXUP_NPY_PKG_CONFIG_FILES following
upstream commit
923f219077
and updated opencv4 as well]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python 3.14 (not yet in Buildroot) introduced colors, enabled by
default, when the output is a terminal. This behavior can make the
pexpect pattern matching more difficult in some cases. See:
https://docs.python.org/3.14/using/cmdline.html#controlling-color
This commit globally disables the Python interpreter colors in the base
runtime Python test, by setting the NO_COLOR=1 environment variable.
Signed-off-by: Julien Olivain <ju.o@free.fr>
The --with-system-ffi was removed back in Python-3.12.0, in upstream
commit [1].
From the Python 3.12 release notes:
- gh-100540: Removed the ``--with-system-ffi`` ``configure`` option;
``libffi`` must now always be supplied by the system on all non-Windows
platforms. The option has had no effect on non-Darwin platforms for
several releases, and in 3.11 only had the non-obvious effect of invoking
``pkg-config`` to find ``libffi`` and never setting
``-DUSING_APPLE_OS_LIBFFI``. Now on Darwin platforms ``configure`` will
first check for the OS ``libffi`` and then fall back to the same
processing as other platforms if it is not found.
Buildroot includes such a Python 3.12.x version since commit [2].
When compiling python3 in Buildroot, the package configuration step
reports the warning:
configure: WARNING: unrecognized options: [...] --with-system-ffi
The commit drops the now defunct option.
[1] 25590eb5de
[2] 76cd14167f
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
[Julien: add links in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Support STM32h747i-disco board. It includes an STM32H747XI SoC with the
following resources:
- 2 Mbytes Flash
- 1 Mbyte SRAM
- LCD-TFT controller
- MIPI-DSI interface
- FD-CAN
- USB 2.0 high-speed/full-speed
- Ethernet MAC
- camera interface
Detailed information can be found at:
https://www.st.com/en/evaluation-tools/stm32h747i-disco.html
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2007, switch _SITE to active fork:
https://sourceforge.net/p/lmbench/patches/3/#4472
Removed patch 0009 which is included in this bump.
Rebased remaining patches.
Sent some existing patches to new active upstream repo and added
Upstream: tags.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Upstream added fork() to lib/canonicalize.c in version 2.34[1]
e101a9eb0f
but the resulting build errors on non-mmu archs were most likely masked
by previous build errors which are already fixed.
lib/canonicalize.c as part of libcommon is widely used so we need to add
the dependency to many Config.in options.
For an overview about its usage see
output/build/util-linux-2.41.2$ grep -r "LDADD = \$(LDADD) libcommon.la" * | grep Makemodule | cut -d ":" -f 2 | sort
Fixes:
https://autobuild.buildroot.net/results/34b/34b1f733fdfb5c5e30e631576f875398435ad115/
[1] Added to buildroot with commit bb216ed060
in 2019.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- i don't use grpc anymore and updates seem complicate to review,
so drop me from it and its dependency re2
- add packages i'm currently using
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Analysis of https://rg42.org/gitweb/?p=dbustriggerd.git:
last commit: 2014
Musl libc 1.2.5 removed the definition of the basename() function from
string.h and only provides it in libgen.h as the POSIX standard
defines it.
Instead of fixing an unmaintainted package we remove it from buildroot,
no other package depends on it.
Fixes:
https://autobuild.buildroot.net/results/811/81170fe89e1f5b70c63657684de43175e621f762/
dbus-triggerd.c:150:27: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
150 | argv[argc++] = strdup(basename(handler_cmd));
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CVS project is no longer maintained upstream. It no longer builds
with GCC 14.x, has been failing to build for months in our
autobuilders with nobody caring about it.
We managed to fix the GCC 14.x build issue, then there are GCC 15.x,
some of them fixed by Debian patches, but some not. Overall, this is
too much effort, while upstream is completely dead.
So let's get rid of cvs entirely.
Fixes:
https://autobuild.buildroot.net/results/59f6e77106ac98535688ff5b9392b0b3ad3041ae/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The criu package was added in Nov 2023, and then bumped once in
December 2023. Since then, it has never been bumped again, and all
follow-up fixes were provided by other people than the original
package submitter listed in the DEVELOPERS file.
criu has seen several upstream releases since then, and most notably
is causing a number of build issues in our autobuilders:
https://autobuild.buildroot.net/?reason=criu-3.19
The package was never updated to those newer upstream releases, and
the autobuilder issues have not been addressed.
Therefore, let's drop this package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
gconf has not seen any release since 2013, and the last commit in
https://gitlab.gnome.org/Archive/gconf is from 2015.
The package example application basic-gconf-app fails to build with a
recent compiler such as GCC 14.x:
basic-gconf-app.c:458:60: error: passing argument 1 of ‘gtk_dialog_get_content_area’ from incompatible pointer type [-Wincompatible-pointer-types]
It is not entirely clear since when this breakage takes place, but
most likely since GCC 14.x was introduced. This issue can be
reproduced including on 2025.02.x with the following defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_LIBGTK3=y
BR2_PACKAGE_GCONF=y
However, for the build issue to happen you need to run:
$ make libgtk3
$ make
So that libgtk3 gets built before gconf. Indeed, there's a hidden
dependency between the two, and the example programs of gconf only get
build if libgtk3 is built before. We've however encountered the
problem in a (real) bigger build where the dependency relationship of
packages have caused libgtk3 to get built before gconf.
Note that we could perhaps have fixed the problem by disabling the
examples, but gconf is anyway so old and deprecated that it isn't
worth the effort.
There are no known autobuilder issues.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package is no longer maintained, no release since 2005, and it
has build issues as it uses too old XML APIs:
/home/thomas/projets/buildroot/output/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/include/libxml2/libxml/SAX.h:18:4: warning: #warning "libxml/SAX.h is deprecated" [-Wcpp]
18 | #warning "libxml/SAX.h is deprecated"
| ^~~~~~~
svgint.h:42:9: error: unknown type name 'xmlParserCtxtPtr'
42 | typedef xmlParserCtxtPtr svg_xml_parser_context_t;
| ^~~~~~~~~~~~~~~~
Fixes:
https://autobuild.buildroot.net/results/895fdba2f3fcaa42aa93946f2532351d39b16647/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package is no longer maintained, no release since 2005, and its
dependency libsvg has build issues as it uses too old XML APIs:
/home/thomas/projets/buildroot/output/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/include/libxml2/libxml/SAX.h:18:4: warning: #warning "libxml/SAX.h is deprecated" [-Wcpp]
18 | #warning "libxml/SAX.h is deprecated"
| ^~~~~~~
svgint.h:42:9: error: unknown type name 'xmlParserCtxtPtr'
42 | typedef xmlParserCtxtPtr svg_xml_parser_context_t;
| ^~~~~~~~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For release announce, see:
https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000500.html
Quoting the announce:
"""
Note that the 2.5 series is now declared the stable version of GnuPG.
The oldstable 2.4 series will reach end-of-life in just 6 months.
"""
Also, an important feature in the 2.5 series is the introduction of
Kyber (aka ML-KEM or FIPS-203) as PQC (Post-Quantum Cryptography)
encryption algorithm.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
EDK2 build may include extra options. Those are usually in the form
of "-D SOMEFLAG_ENABLE" and might be specific for a processor
architecture or a platform. For example:
"-D NETWORK_HTTP_BOOT_ENABLE", "-D NETWORK_TLS_ENABLE", ...
Those options are generally documented in their respective packages.
See for example:
https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
This commit adds a new Kconfig string option to let the use define
arbitrary build flags.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In version 2.0.0 Linux support was removed:
https://lists.x.org/archives/xorg-announce/2025-August/003624.html
"This mouse driver is primarily used with BSD, GNU Hurd, illumos, &
Solaris systems. Linux systems should instead use either xf86-input-
libinput or xf86-input-evdev.
While versions 1.9.5 and earlier had rudimentary support for Linux as
well, that has been removed in this release."
Alternative packages can not be selected due to udev dependencies.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add extra info in Config.in.legacy comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://lists.x.org/archives/xorg-announce/2025-December/003649.html
Updated license hashes due to upstream commit:
f717637569
Added dependencies to host-pkgconf to fix a build error which would be
introduced by this bump due to configure being created by autoconf 2.72
instead of 2.71 which was used for xorgproto 2024.1.
The configure script at line 5146 now contains
if test -z "$PKG_CONFIG"; then
as_fn_error $? "pkg-config not found" "$LINENO" 5
fi
where the previous script would continue:
2024.1:
checking pkg-config is at least version 0.9.0... ./configure: line 4796:
/home/bernd/buildroot/output/per-package/xorgproto/host/bin/pkg-config: No such file or directory
no
checking build system type... x86_64-pc-linux-gnu
2025.1:
checking pkg-config is at least version 0.9.0... ./configure: line 5137:
/home/bernd/buildroot/output/per-package/xorgproto/host/bin/pkg-config: No such file or directory
no
configure: error: pkg-config not found
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.12.18 to 6.18.4
- updates arm-trusted-firmware from v2.12 to v2.14
- updates optee-os and clients from 4.5.0 to 4.8.0
- updates U-Boot from 2025.01 to 2026.01
- switches to Bootlin external glibc stable toolchain
- removes hash for linux-headers (no longer needed)
Those changes aligns components version of this defconfig
with rockpro64_defconfig.
Tested on board Rockpro64_V2.1 2018-07-02.
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.10.14 to 6.18.4
- updates arm-trusted-firmware from v2.11 to v2.14
- updates U-Boot from 2024.10 to 2026.01
- switches to Bootlin external glibc stable toolchain
- removes hash for linux-headers (no longer needed)
In order to reduce the differences with the rockpro64_ebbr_defconfig,
this commit also:
- slightly increases the rootfs size from 120M to 128M,
- unsets the rootfs tar archive which is not needed,
- removes rootfs.tar from board/pine64/rockpro64/readme.txt
Tested on board Rockpro64_V2.1 2018-07-02.
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switch a handful of documentation/website links from http to https.
Signed-off-by: Preyas Sharma <preyas17@zohomail.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more info on the release, see:
- https://github.com/obgm/libcoap/compare/v4.3.5...v4.3.5a
- https://github.com/obgm/libcoap/blob/release-4.3.5-patches/ChangeLog
Fixes the following vulnerabilities:
- CVE-2025-59391:
A memory disclosure vulnerability exists in libcoap's OSCORE
configuration parser in libcoap before release-4.3.5-patches. An out-
of-bounds read may occur when parsing certain configuration values,
allowing an attacker to infer or read memory beyond string boundaries
in the .rodata section. This could potentially lead to information
disclosure or denial of service.
https://www.cve.org/CVERecord?id=CVE-2025-59391
- CVE-2025-65493:
NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5
allows remote attackers to cause a denial of service via a crafted
DTLS/TLS connection that triggers BIO_get_data() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65493
- CVE-2025-65494:
NULL pointer dereference in get_san_or_cn_from_cert() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted X.509 certificate that causes
sk_GENERAL_NAME_value() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65494
- CVE-2025-65495:
Integer signedness error in tls_verify_call_back() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted TLS certificate that causes
i2d_X509() to return -1 and be misused as a malloc() size parameter.
https://www.cve.org/CVERecord?id=CVE-2025-65495
- CVE-2025-65496:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65496
- CVE-2025-65497:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65497
- CVE-2025-65498:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65498
- CVE-2025-65499:
Array index error in tls_verify_call_back() in src/coap_openssl.c in
OISM libcoap 4.3.5 allows remote attackers to cause a denial of
service via a crafted DTLS handshake that triggers
SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
https://www.cve.org/CVERecord?id=CVE-2025-65499
- CVE-2025-65500:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65500
- CVE-2025-65501:
Null pointer dereference in coap_dtls_info_callback() in OISM libcoap
4.3.5 allows remote attackers to cause a denial of service via a DTLS
handshake where SSL_get_app_data() returns NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65501
LICENSE Year updated see [1].
[1] c9135b6b26
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.64 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.64 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.1.159. The size of
xipImage has increased by only 181 bytes (1673625 bytes compared to
1673444 in version 6.1.155).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a3a88ff1c8 bumped bitcoin
to version 26.0 which includes upstream commit
b8401c3281
causing an assertion on m68k:
/home/thomas/autobuild/instance-7/output-1/build/bitcoin-30.0/src/support/allocators/pool.h:92:36:
error: static assertion failed: Units of size ELEM_SIZE_ALIGN need to
be able to store a ListNode
92 | static_assert(sizeof(ListNode) <= ELEM_ALIGN_BYTES, "Units
| ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
of size ELEM_SIZE_ALIGN need to be able to store a ListNode");
/home/thomas/autobuild/instance-7/output-1/build/bitcoin-30.0/src/support/allocators/pool.h:92:36:
note: the comparison reduces to '(4 <= 2)'
To fix the problem we disable bitcoin on m68k.
Fixes:
30.0: https://autobuild.buildroot.net/results/268/2688e4a2aa8dc34343f0218fd6727d0ae3adb132/
26.0: https://autobuild.buildroot.net/results/fb0/fb05401c7de289e0f87f5c9e3a7f92f5589b590b/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and, for the SD
configuration, also updates U-Boot to version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Enhance the Xen python tests to exercise block devices: this boils down
to switching from ramdisks to disk partitions for the domains rootfs.
(Refer to the comments in the python script for block devices details.)
- Add support for PCI and Xen block to the Linux kernel configurations.
- Add a few commands to list the xvda block device for good measure.
- Generate two partitions with the rootfs in the disk images; we use the
same rootfs contents twice, once for each domain.
- Add a paravirtualized block device to the Xen dom1 configurations and
adjust both domains kernel command lines, to specify the rootfs
locations.
- Build host-qemu for Arm v7, to workaround an issue with 32b Arm and
old Qemu versions, which is what we have on CI currently.
- While at it, bump Linux kernel to 6.18.4 and U-Boot to 2026.01.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Xen tools scripts need the stat program from coreutils to work
correctly, and not the one from busybox.
One such example is the /etc/xen/scripts/locking.sh script, which will
cause timeouts for operations such as "xl block-attach", or when
starting a DomU with a disk.
Add the dependency on coreutils to fix this.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps:
- U-Boot to version v2026.01
- Linux kernel to version 6.12.63 (LTS)
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.63 and U-Boot to
version 2026.01 for
- stm32mp135f_dk_defconfig
- stm32mp157a_dk1_defconfig
- stm32mp157c_dk2_defconfig
Tested on STM32MP157C-DK2 Discovery Board.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
host-perl-module-build is no longer a dependency
(Build.PL was removed, so Makefile.PL is used)
now, this module has its own LICENSE file
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that all Xilinx boards have been bumped to Linux 6.12.60, remove the hash
for the xlnx_rebase_v6.12_LTS_2025.2 release tag.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the versal2 defconfigs to Linux 6.12.60.
Run tested on a versal2 vek385 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Package snort3 requires libtirpc rpcdb option enabled with non-glibc
toolchains since the bump of libtirpc to version 1.3.7 with buildroot
commit 3f3d6e43de which includes upstream
commit:
https://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=7cea8ad66aecc21e6caae330b5d31075af399193
These build errors, caused by the forementioned upstream commit, only
occur with non-glibc toolchains:
https://patchwork.yoctoproject.org/comment/30091/
"but I believe it breaks the build with musl".
The build error during configure stage:
-- Looking for getrpcent - not found
CMake Error at cmake/sanity_checks.cmake:51 (message):
Couldn't find an RPC program number database implementation!
Call Stack (most recent call first):
CMakeLists.txt:31 (include)
was not yet found by the autobuilders but can be reproduced by this
defconfig:
BR2_x86_64=y
BR2_x86_corei7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_MUSL_BLEEDING_EDGE=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_INIT_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_SNORT3=y
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
In addition, libglib2 already removes schemas from the target during
target finalization so the gvfs-specific cleanup can be dropped.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- suppress S40iwd shellcheck warnings:
In package/iwd/S40iwd line 8:
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
^--------------------^ SC1090 (warning): ShellCheck can't follow non-constant source. Use a directive to specify location.
In package/iwd/S40iwd line 15:
-- $IWD_ARGS
^-------^ SC2086 (info): Double quote to prevent globbing and word splitting.
- remove package/iwd/S40iwd from .checkpackageignore
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
K3CONF is a Linux user-space standalone application
designed to provide a quick'n easy way to dynamically
diagnose Texas Instruments' K3 architecture based
processors. K3CONF is intended to provide similar
experience to that of OMAPCONF that runs on legacy TI platforms.
K3CONF currently supports Texas Instruments AM654, J721E, J7200,
AM64x,AM62x,J721S2,J784S4,J722S, AM62Ax, AM62Px, and AM62Lx devices.
Along with the BeagleBoard variants of the above mentioned TI SOC's.
Signed-off-by: Mohammed Sadik Shaik <s-sadik@ti.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the versal defconfigs to Linux 6.12.60.
Run tested on a versal vek280 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the zynqmp defconfigs to Linux 6.12.60.
Run tested on a zynqmp zcu102 evaluation board.
Run tested on a kria kv260 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the zynq defconfigs to Linux 6.12.60.
Run-tested on a zc702 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License hash changed due to addition of base64 license which
is BSD-2-Clause:
8f922b3d87
Add new python-librt build/runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The python-charset-normalizer package specifies an unnecessarily
strict upper version limit for mypy.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
During the build Cython creates C++ source that needs to be
compiled. The missing dependency did not show in the existing runtime
test because the Bootlin stable toolchains include C++ support.
Package was added in c2df8bab97.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This did not show in the runtime test for package/python-memray
because that package already has the dependency, so the Python zlib
module is present in the test.
Package was added in commit 26bc4b51a8.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switch from the RobertCNelson GitHub mirror to the official TI git
repository and update to version 0x192 (latest release).
The previous installation method used sysfs to load the firmware,
which was specific to old downstream Beaglebone or TI kernels. The
mainline wkup_m3_ipc driver now expects am335x-pm-firmware.elf and
*-scale-data.bin files to be installed in /lib/firmware, making the
sysfs init script obsolete.
Changes:
- Switch repository from github.com/RobertCNelson to git.ti.com
- Update version from 11107db (v05.00.00.02) to fb484c5 (v0x192)
- Refresh all patches to apply cleanly on new version
- Install .elf and scale-data files instead of .bin
- Remove obsolete S93-am335x-pm-firmware-load init script
- Update .checkpackageignore to reflect changes
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
[Julien: update .checkpackageignore to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the am335x-bonegreen-eco device tree to enable support for the
BeagleBone Green Eco variant. This ensures the device tree is built
from the Linux kernel sources and included in the boot partition.
Tested-by: Mohammed Sadik Shaik <s-sadik@ti.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bumps the Linux kernel to the latest 6.18.1 mainline version.
Tested on BeagleBone Black.
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In commit
1abaf013de ("package/shairport-sync: add
support for AirPlay2"), a new option was added, selecting various
packages, without properly propagating their dependencies, causing
Config.in warnings such as:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_LIBGCRYPT
Depends on [n]: BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_SHAIRPORT_SYNC_AIRPLAY2 [=y] && BR2_PACKAGE_SHAIRPORT_SYNC [=y]
This commit fixes this mistake.
Fixes: 1abaf013de ("package/shairport-sync: add support for AirPlay2")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 8708f3a23a ("package/mysql:
drop virtual package"), we no longer have mysql as a virtual package,
and therefore perl-dbd-mysql directly selects mariadb. However,
mariadb as stricter dependencies than what the mysql virtual package
had, and this commit forgot to properly propagate those dependencies,
causing a Config.in warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_MARIADB
Depends on [n]: BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && (BR2_TOOLCHAIN_HAS_ATOMIC [=y] || BR2_TOOLCHAIN_HAS_SYNC_8 [=n]) && BR2_USE_WCHAR [=n]
Selected by [y]:
- BR2_PACKAGE_PERL_DBD_MYSQL [=y] && BR2_PACKAGE_PERL [=y] && !BR2_STATIC_LIBS [=n] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y]
Fixes: 8708f3a23a ("package/mysql: drop virtual package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 8708f3a23a ("package/mysql:
drop virtual package"), we no longer have mysql as a virtual package,
and therefore perl-dbd-mysql directly selects mariadb. As part of
that, the comments related to the dependencies have not been updated
accordingly. Fix that up.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Back when the libgtk4 package was introduced in commit
faf2a1d2ab, its
BR2_PACKAGE_LIBGTK4_GSTREAMER option did not properly propagate the
dependencies of BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL, causing the
following Config.in warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL
Depends on [n]: BR2_PACKAGE_GSTREAMER1 [=y] && BR2_PACKAGE_GST1_PLUGINS_BASE [=y] && (BR2_PACKAGE_HAS_LIBGL [=n] || BR2_PACKAGE_HAS_LIBGLES [=n])
Selected by [y]:
- BR2_PACKAGE_LIBGTK4_GSTREAMER [=y] && BR2_PACKAGE_LIBGTK4 [=y]
Fix that by properly propagating the dependency.
Fixes: faf2a1d2ab ("package/libgtk4: new package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since this option was introduced in commit
a474642fdc ("package/mender-update-modules:
new package"), its dependencies have been incorrect. It selects
BR2_PACKAGE_PYTHON3 without replicating all its dependencies, so we
fix that.
Also, it did have the !BR2_STATIC_LIBS dependency propagated, but not
mentioned in the Config.in comment, so we fix that as well.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit
5f446a8d6d ("package/python-pillow: bump
to version 12.0.0") added a select BR2_PACKAGE_PYTHON_PYBIND to
python-pillow without propagating the C++ dependency, causing:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_PYBIND
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_INSTALL_LIBSTDCPP [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_PILLOW [=y] && BR2_PACKAGE_PYTHON3 [=y]
Fix this by propagating the dependency to python-pillow, and in turn
to python-pillow reverse dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The recent changes in freeswitch following the removal of OpenCV 3.x
in commit
a6db6af9ff ("package/freeswitch: remove
optional dependency to opencv3") caused some invalid dependencies.
Indeed, the new logic selects BR2_PACKAGE_OPENCV4_LIB_OBJDETECT as
soon as BR2_PACKAGE_OPENCV4 is enabled, without worrying about the
dependencies of BR2_PACKAGE_OPENCV4_LIB_OBJDETECT.
This causes the following Kconfig warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_OPENCV4_LIB_OBJDETECT
Depends on [n]: BR2_PACKAGE_OPENCV4 [=y] && !BR2_TOOLCHAIN_USES_UCLIBC [=n] && BR2_PACKAGE_PROTOBUF_ARCH_SUPPORTS [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_8 [=n]
Selected by [y]:
- BR2_PACKAGE_FREESWITCH [=y] && BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y] && BR2_PACKAGE_OPENCV4 [=y]
Since freeswitch as no visible sub-options to select extra features
and we wanted to keep it this way, we introduce a hidden sub-option
that informs freeswitch.mk whether OpenCV 4 support is usable. It
makes it easier to express the dependencies that are needed for this
OpenCV 4 to be usable.
Fixes: a6db6af9ff ("package/freeswitch: remove optional dependency to opencv3")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit
75ab6cf93a ("package/{python-}protobuf:
bump to version 28.1") added a whole bunch of gcc >= 8 dependencies to
opencv4 options, but forgot to create or update appropriate Config.in
comments for several options:
BR2_PACKAGE_OPENCV4_LIB_OBJDETECT
BR2_PACKAGE_OPENCV4_LIB_STITCHING
BR2_PACKAGE_OPENCV4_WITH_PROTOBUF
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The comments saying that dnn_objdetect and dnn_superres need a glibc
or musl toolchain should be shown when a uClibc toolchain is selected,
not when a toolchain NOT using uClibc is selected (as this is exactly
what's needed).
Fixes: a2e01b23fc ("package/opencv-contrib: propagate opencv4 dependencies")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes, see:
https://opus-codec.org/release/stable/2025/12/15/libopus-1_6.html
opus 1.6 introduced optimization for Arm using Neon intrinsics.
Those are not available in soft-float ABI. This commit disables the
usage of intrinsics in that case.
This commit also adds an upstream patch to the libopusenc package.
It is because libopusenc is using internal functions of opus, which
were renamed in upstream commit [1]. Without this patch, the
opus-tools package fail to compile with error:
src/opusenc.c: In function ‘main’:
/.../sysroot/usr/include/opus/opusenc.h:134:63: error: implicit declaration of function ‘__opus_check_int’; did you mean ‘opus_check_int’? [-Wimplicit-function-declaration]
[1] 7817df7908
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit dcee99507c bumped icu
from version 73-2 to 77-1.
Upstream raised the minimum C++ requirement to C++17 in version 75-1:
https://github.com/unicode-org/icu/releases/tag/release-75-1https://icu.unicode.org/download/75
"C++ code now requires C++17 [...]"
Consequently, this commit switches the minimum gcc version needed by
package/icu to 7, and propagates this to icu's reverse dependencies.
No autobuilder errors were recorded since we don't test toolchains as
old as gcc 6.x
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License hash changed due to move to license file autogeneration:
9a81db3c77d2b8d7750f
Add new python-coherent-licensed build dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
fb5235239aad ("env: Rename DEFAULT_ENV_FILE to
ENV_DEFAULT_ENV_TEXT_FILE") renamed the Kconfig symbols and thus we need
to adapt the U-Boot package in Buildroot to support it.
Fixes: 128c26f287 ("boot/uboot: bump to version 2025.10")
Reported-by: Ozan Durgut <ozandurgut.2001@hotmail.com>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In Buildroot, we don't use the official SPDX code GPL-2.0-or-later,
but GPL-2.0+.
Fixes: 2a972212b4 package/qoriq-restool: new package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Introduce a package for the restool program, which permits the user to
modify the network configuration of the DPAA2 subsystem and create one
that is adequate to their use case.
We integrate the master branch, which is effectively the
lf-6.12.20-2.0.0 release tag, plus some extra fixups specifically made
for the Buildroot integration:
- commit b44748ed0bb3 ("Avoid use of non-portable __WORDSIZE when
defining BITS_PER_LONG")
- commit b4a734f3512b ("restool: fix format string for 64 bit time_t in
parse_obj_command()")
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Migrate from setuptools cython based build to setuptools-rust.
Add new python-typing-extensions runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
CVE-2024-46948 only affects the device management and update server part
of Mender, and not the client running on the devices
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] restricted spice compilation to x86 only.
As the log of this commit mention, this was because at that time,
spice 0.12.0 was generating an error on untested cpu architectures.
See [2] (we can also see that armv6+ platforms was apparently
supported).
Spice commit [3] (first included in spice v0.12.6) relaxed this error
to a warning. The reason was that big endian support was improved,
and also there was an intent to make testing easier.
[1] 4f452a86b8
[2] https://gitlab.freedesktop.org/spice/spice/-/blob/v0.12.0/configure.ac#L60
[3] f80eef8f9c
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
[Thomas: reduced commit to just re-enabling on all CPU architectures,
created separate commits for the BR2_USE_MMU and gcc >= 6 fixes]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
spice selects libglib2, but forgot to propagate the BR2_USE_MMU
dependency. There is no practical implication at the moment as spice
is only available for i386 and x86-64, and both always have MMU. But
as we're about to relax this architecture dependency, it makes sense
to fix the propagation of BR2_USE_MMU.
Signed-off-by: Julien Olivain <ju.o@free.fr>
[Thomas: patch extracted from
https://patchwork.ozlabs.org/project/buildroot/patch/20241122213809.176709-1-ju.o@free.fr/]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 3dd73c3 "package/openjdk: allow compiling without X11 support",
dropped the need for X11, so drop it from TestOpenJdk.
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When building the arm-trusted-firmware, if the host environment has a value
configured in the BL31 variable such as the following:
export BL31=/tmp/bl31.elf
This will cause the build of the bl31.elf to be skipped leading to the
following build error:
make[1]: Nothing to be done for 'bl31'.
And then:
readelf: Error: './output/build/arm-trusted-firmware-custom/build/versal/release/bl31/bl31.elf': No such file
To fix this, clear the BL31 variable in the MAKE_OPTS, so that building the
arm-trusted-firmware will build regardless of the host environment.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Boost.System is a header only library since Boost 1.69.0 [0].
A Stub Library remained for backward compatibility. This
mainly affects CMake Packages that use FindPackage and
explicitly list 'system'.
For Boost internal modules this is not the case so remove this
dependency.
Buildroot packages should select BR2_PACKAGE_BOOST_SYSTEM explicitly
if needed and not rely on a proxy dependency from other boost packages.
[0] https://github.com/boostorg/system/blob/develop/doc/system/changes.adoc#changes-in-boost-169
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libcpprestsdk searches for the Boost.System module in its
CMakeLists. Hence it should be selected as a dependency.
This does not fix any build failure, as boost-system was implicitly
selected by one of the other boost-* options that this package
selects, but an upcoming commit is going to change how boost-system is
selected by other boost-* modules, making this preparation change
necessary.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This does not make debug info available, but allows building programs
that link against libdebuginfod.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
On Debian 13 doc generation fails. Disable it like for
the target.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the introduction of the production silicon Icicle Kit comes the
need to support multiple board device trees. The HSS puts a minimal dtb
in it's payload's ancillary-data immediately after U-Boot in memory.
CONFIG_OF_BOARD will use this dtb that the HSS carries with the bare
minimum of nodes enabled. It allows for firmware to provide the address
of the devicetree in memory using the `a1` register.
Use the device tree compatible from the hart software services to
essentially "detect" which board is in use and therefore select the
appropiate device tree for the board.
Add a fdt production node to the .its referencing the production Icicle
Kit DTB with appropriate attributes. Introduce matching configuration
entries to enable selection of the production Icicle kit FDT blob for
the MPFS Icicle Production Silicon board.
Update the configuration names to match the device tree compatibles for
each board configuration. With these updates, change image node and
configuration node names with more appropriate names.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Following Microchip's Linux 2025.07 release, update the assets to the
latest versions, this includes a Linux version bump and addditional
U-Boot drivers and functionality. Update the Linux headers to support
the updated v6.12 kernel. Update the corresponding package hashes.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit d6c3257e93 bumped the
package from 0.21 to 0.23. Upstream release 0.22 includes commit
d7c7c53c06
which uses CLOCK_MONOTONIC without including time.h.
Fixes:
https://autobuild.buildroot.net/results/41b/41b25ee8e66e34323eca011e4b5fe479ece9ed76/
Two minimal defconfigs to reproduce the build error:
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ATF=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_GCC_VERSION_13_X=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ATF=y
All defconfigs of the build errors recorded by the buildroot autobuilders
contain BR2_PTHREADS_NONE=y.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update to the latest version of the gcnano-binaries blobs, which are
compatible with the last v6.6-stm32mp-r2 kernel from the
STMicroelectronics BSP.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Vulkan option was appended to QT6BASE_CONFIGURE_OPTS instead of
QT6BASE_CONF_OPTS, which is the variable actually used during CMake
configuration. This prevented the feature from being enabled/disabled
as expected.
Fixes: 1c27f3a12d ("package/qt6base: add vulkan option")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit adds "kibi" a configurable text editor with UTF-8 support,
incremental search, syntax highlighting, line numbers and more, written
in less than 1024 lines of Rust with minimal dependencies.
https://github.com/ilai-deutel/kibi
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the introduction of duktape in [1]. This package has been present
under the "JavaScript" sub-menu.
This sub-menu was mostly used for JS libraries and programs so duktape
should have been under the "Interpreter languages and scripting"
submenu.
Since duktape is now the only entry in the JavaScript submenu, move this
package to a better suited place and remove the JavaScript submenu.
[1] 387ff26b6d duktape: new package
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds information on how to provides static JS libraries in
Buildroot with the release of the 2025.08.x version.
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more informations see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Due to the increasing number of patches applied for this package and the
lack of updates to fix the build issues as well as updating the version
to newer release. This patch removes softether from buildroot package
list.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch add several upstream patches that fix build error we are
experiencing on the autobuilder related to host-gcc15 and gcc14.
- 0010-use-bool-from-stdbool.patch
Fix a host-gcc15 error with C23 bool reserved keyword when building
host-softether package. This appeared on the autobuilder.
```
from Cfg.c:116:
../../src/Mayaqua/MayaType.h:257:33: error: 'bool' cannot be defined via 'typedef'
257 | typedef unsigned int bool;
| ^~~~
../../src/Mayaqua/MayaType.h:257:33: note: 'bool' is a keyword with '-std=c23' onwards
../../src/Mayaqua/MayaType.h:257:1: warning: useless type name in empty declaration
257 | typedef unsigned int bool;
| ^~~~~~~
```
- 0011-fix-implicit-declaration-of-function-getch.patch
Fix an implicit function declaration.
- 0012-vlanunix-fix-implicit-declaration-of-function-freetap.patch
Fix an implicit function declaration.
- 0013-fix-build-on-freebsd-version-140091.patch
Incompatible pointer type which appeared on the autobuilder as well:
```
Unix.c: In function 'UnixIgnoreSignalForThread':
Unix.c:324:25: error: assignment to 'void (*)(int, siginfo_t *, void *)' from incompatible pointer type 'void * (*)(int, siginfo_t *, void *)' [-Wincompatible-pointer-types]
324 | sa.sa_sigaction = signal_received_for_ignore;
| ^
```
- 0014-cedar-hub-properly-set-value-for-hub-admin-options.patch
Fix an incompatible pointer type error.
- 0015-adjust-types-of-variables.patch
Fix an incompatible pointer type error which appeared on the autobuilder as
well.
```
Secure.c: In function 'OpenSec':
Secure.c:1829:56: error: passing argument 3 of 'sec->Api->C_GetSlotList' from incompatible pointer type [-Wincompatible-pointer-types]
1829 | if ((err = sec->Api->C_GetSlotList(true, NULL, &sec->NumSlot)) != CKR_OK || sec->NumSlot == 0)
| ^~~~~~~~~~~~~
| |
| UINT * {aka unsigned int *}
```
- 0016-Cedar-Proto_IKE-fix-too-many-arguments-to-function-N.patch
Fix a function call.
Fixes: https://autobuild.buildroot.org/results/c43/c43a9a221896d37ee8a9d34c5b8e2725351c6eb5
Fixes: https://autobuild.buildroot.org/results/751/7517bb4d32c38d475d901769b0b2fd2c2f3dd543
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Acked-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
An advanced terminal multiplexer with batteries included. Supports
layouts, floating and stacked panes, plugins, and customization.
Provides rich functionality out of the box.
Zellij is aimed at developers, operations-oriented users, and anyone who
loves the terminal.
https://github.com/zellij-org/zellij
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The license is actually LGPL-2.1+.
Fixes: 006aab8d64 ("package/libplacebo: add libplacebo package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds libplacebo package that is used
by mpv player.
libplacebo is the core rendering algorithms and
ideas of mpv rewritten as an independent library
and contains a large assortment of video processing
shaders, focusing on both quality and performance.
Signed-off-by: Javad Rahimipetroudi <javad.rahimipetroudi@mind.be>
Tested-by: Sen Hastings <sen@hastings.org>
[Bernd:
- bumped to v7.351.0
- moved Kconfig option to Multimedia (Sen)
- rebased patch 0001 after version bump
- added project URL to Config.in helptext
- removed redundancy in Config.in comment
- added comment to hash file
- switched _SITE to official repo
- added patch to fix build error with latest python3]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
lttng-modules fails to build in master and in our LTS branch
2025.02.x. Indeed, our LTS branch uses the 6.12 kernel as the latest
LTS, and lttng-modules in version 2.13.10 don't build with the 6.12
kernel:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_PACKAGE_LTTNG_MODULES=y
fails to build with 2025.02.x.
To fix this, let's bump to the latest point release in the 2.13.x
branch, which mostly contains fixes needed for the 2.13.x releases to
work with newer kernels. This is considered a reasonable bump for our
2025.02 LTS.
The hash of the license file is updated as the list of files under
each license has changed a bit, but that doesn't change the overall
list of licenses.
Fixes:
https://autobuild.buildroot.net/results/78d05ded97877f866d2bd7aa600a2dafa01bb364/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Added patches (17.0.12+7 and 21.0.4+7) to allow compilation
without X11 support.
0003-autoconf-libraries-drop-the-need-for-X11-in-headless.patch
is only needed for 21.0.4+7, 17.0.12+7 already has this commit:
f97ec359ec
Next to that, add a new option BR2_PACKAGE_OPENJDK_X11,
to allow compilation with both head and headless support.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
[Thomas: split into two commits]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit fixes the wrong patch folders which should have been fixed
in commit 475c79d ("package/openjdk{-bin}: bump versions to 17.0.12+7
and 21.0.4+7")
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The `utils/brmake` tool runs `make all` with logs put into `br.log`.
That file is therefore the result of a build and committing it never
makes sense, neither upstream nor on any other remote/branch.
⟩ git status --short
⟩ make beaglebone_defconfig
⟩ ./utils/brmake
⟩ git status --short
?? br.log
Add a new `/br.log` entry in the root `.gitignore` file.
Append to the end because no ordering logic was found.
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This makes it more obvious which service the PID file belongs to, and
thanks to the /var/run -> /run symlink fixes the check-package
warning.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This brings the script in line with current standards, except the
expected PIDFILE value because changing the PID file path would
require changing build options.
The stop action now uses the PID file instead of "killall", and reload
is supported using SIGHUP (with limitations described in D-Bus
documentation). "--syslog" is added to the dbus-daemon arguments to
ensure log messages will be available, otherwise log messages after
fork may be lost.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The "servicename" environment variable was never set, so the condition
in the "condrestart" case would always evaluate to false. Nobody seems
to have noticed since it was introduced with commit
ceb2859765 in 2007, so simply remove it.
Likewise, the comment in the stop function that mentions $servicename
is incorrect, there is no safety check to the "killall" call.
With those, remove the /var/lock/subsys/dbus-daemon file that was
created but never used.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We need to set -Dprotobuf_BUILD_LIBUPB=ON for host-protobuf now
as some libupb headers now appear to be required.
Also set the new -Dprotobuf_LOCAL_DEPENDENCIES_ONLY=ON option
to ensure cmake doesn't try to download dependencies.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* Wait for process to stop before deleting PID file, instead of fixed
wait during restart
* Use long form options
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libxshmfence has multiple paths available for the shared memory
directory, as some distros [0] opt to mount their tmpfs in a
non-standard location such as /run/shm rather than /dev/shm.
The default value of 'auto' will set this path to whatever the host is
using, leaking host configuration into the target. See [1].
With X configurations that depend on shared memory files for futexes,
(muvm [2] is a notable example), this results in applications silently
breaking during presentation with a blank window, as the configured
path doesn't have the required tmpfs mount.
Set this path explicitly to avoid situations where the host context
leaks into the package build, causing feature breakage.
[0] https://wiki.ubuntu.com/OneiricOcelot/ReleaseNotes?action=show&redirect=OneiricOcelot%2FTechnicalOverview#Upgrades
[1] https://gitlab.freedesktop.org/xorg/lib/libxshmfence/-/blob/libxshmfence-1.3.3/configure.ac#L144
[2] https://github.com/AsahiLinux/muvm
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- add link to shared memory dir detection code in commit log
- replace "+=" by "=" in _CONF_OPTS
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that the package is removed, having a trace of it in a comment is
no longer very useful.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The rpi-userland package no longer builds with CMake >= 4. While
fixing it is probably not too difficult,
https://github.com/raspberrypi/userland tells us:
"""
This repo is ancient and deprecated.
It largely contains code using proprietary APIs to interface to the
VideoCore firmware. We have since move to standard linux APIs.
V4L2, DRM/KMS and Mesa are the APIs you should be using.
The few useful tools from here (dtoverlay, dtmerge, vcmailbox,
vcgencmd) have been moved to the raspberrypi/utils repo.
Code from here is no longer installed on latest RPiOS Bookworm images.
If you are using code from here you should rethink your solution.
Consider this repo closed.
"""
Hence it is time to drop this package from Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/tvheadend.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/sdl2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/mpv.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop the special
tweak for it from package/libwpe.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/libcec.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/libcamera-apps.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/gstreamer/gst1-plugins-base.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/glslsandbox-player.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/ffmpeg.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, remove the only
defconfig that uses it. This defconfig is according to our DEVELOPERS
file, unmaintained.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This tool has been removed from upstream rpi-firmware, so drop the
corresponding option and logic in rpi-firmware.mk.
The tool has been removed by upstream commit
d1fcc26038186aecc1501a0b749833300afba801 ("opt: Remove builds of
deprectated userland tools").
It is Buildorot commit
28e6953ba8 ("package/rpi-firmware: bump
version to 5476720") that did a bump to a version of rpi-firmware that
no longer provided vcdbg.
Cc: Köry Maincent <kory.maincent@bootlin.com>
Cc: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Due to issues in the installation of qt5webkit, building the
corresponding Python binding fails:
Project ERROR: Unknown module(s) in QT: webkit
Error: /home/thomas/buildroot/br/output-all/host/bin/qmake failed to create a
makefile from PyQt5.pro.
make[1]: *** [package/pkg-generic.mk:263: /home/thomas/buildroot/br/output-all/build/python-pyqt5-5.15.6/.stamp_configured] Error 1
make: *** [Makefile:83: _all] Error 2
https://lore.kernel.org/buildroot/20220929181350.1026033-1-thomas.ballasi@savoirfairelinux.com/
was an attempt at fixing it, but this patch doesn't work and looks
weird.
So for the time being, disable the Webkit module in python-pyqt5. This
issue has indeed been around for as far as 2022.
Fixes:
https://autobuild.buildroot.net/results/b9d69d21e734aa62a6e0b4d4124c2bcfc027ebe4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add another patch from Fedora, also used in Arch Linux to fix a gcc >=
14.x build issue:
build/qt5webkit-5.212.0-alpha4/Source/WebCore/page/csp/ContentSecurityPolicy.cpp:235:56: required from here
235 | if ((policy.get()->*allowed)(std::make_pair(algorithm, digest)))
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
host/opt/ext-toolchain/aarch64-buildroot-linux-gnu/include/c++/14.3.0/type_traits:1246:52: error: non-constant
condition for static assertion
1246 | static_assert(std::__is_complete_or_unbounded(__type_identity<_Tp>{}),
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
It is not clear which change introduce this breakage, but we suspect
it is related to GCC 14.x. In any case, the fix does no harm and is
good to backport to 2025.02.x.
Fixes:
/home/thomas/buildroot/br/output-all/build/qt5webkit-5.212.0-alpha4/Source/ThirdParty/ANGLE/src/common/mathutil.h:575:8: error: ‘uint32_t’ does not name a type
575 | inline uint32_t RotL(uint32_t x, int8_t r)
| ^~~~~~~~
/home/thomas/buildroot/br/output-all/build/qt5webkit-5.212.0-alpha4/Source/ThirdParty/ANGLE/src/common/mathutil.h:19:1: note: ‘uint32_t’ is defined in header ‘<cstdint>’; this is probably fixable by adding ‘#include <cstdint>’
18 | #include <stdlib.h>
+++ |+#include <cstdint>
19 |
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the bump of ICU from ICU 73 to ICU 77 in commit
dcee99507c, the build of qt5webkit fails
with:
/home/thomas/buildroot/br/output-all/host/aarch64-buildroot-linux-gnu/sysroot/usr/include/unicode/char16ptr.h:271:38: error: ‘enable_if_t’ in namespace ‘std’ does not name a template type
271 | template<typename T, typename = std::enable_if_t<std::is_same_v<T, UChar>>>
| ^~~~~~~~~~~
We taken two patches from Arch Linux, one which is a partial upstream
backport, and another which was submitted upstream, to address this
build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Rasdaemon was added in previous patch.
Add a test_rasdaemon that allows to test it.
Test is done on x86. It first checks the daemon's version, then mounts
debugfs and finally ensures that the init script allows to
start/restart/stop the daemon.
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Rasdaemon is a tool that aims at replacing edac-tool and provide a way
to collect all hardware error events reported by the Linux kernel in a
common framework.
This commit adds a new package to support rasdaemon in the 'Hardware
handling' section. It depends on libtraceevent to detect the ftrace
events generated by the kernel. There is currently a build issue when
sqlite isn't availaible while it's supposed to be an optional
dependency. This build issue is fixed by patch 0001 (which has been
also submitted to the rasdaemon project itself).
Support for the PCIe AER events is optionnal and implies a dependency on
pciutils so also add a dedicated 'sub-option' to enable it.
Add a SYSV init script to start / stop the daemon
Add myself to the DEVELOPERS file.
Reviewed-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libfreeimage is not a mandatory dependency of ogre.
Due to the upcoming removal of libfreeimage due to security reasons from
buildroot we do not transform libfreeimage into an optional dependency:
https://github.com/OGRECave/ogre/issues/3069
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
OpenCV3 is unmaintained and will be removed from buildroot.
The package does not support OpenCV4:
216c090707
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
OpenCV3 is unmaintained and will be removed from buildroot.
Select needed OpenCV4 modules in Config.in and adjust freeswitch.mk.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
6d188cb199
"This project is archived. QJson was originally created when Qt3 and Qt4
lacked robust JSON support.
Since Qt5, JSON support is included in the native Qt library SDK, making
this project obsolete."
The package is broken with cmake 4 and no other package depends on it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Cc: Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mod_md allows Apache httpd to automatically provision certificates for
HTTPS via the ACME protocol (e.g. from Let's Encrypt), if configured
to do so. The additional dependencies are non-obvious, so add a config
option instead of only enabling the module if dependencies are met.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add libavif support.
Add new python-pybind build dependency.
Set --skip-dependency-check since pybind isn't detected properly by
the pep517 build frontend.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop PYTHON_CRYPTOGRAPHY_CARGO_MANIFEST_PATH as package now provides
manifest in default path.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Migrate from setuptools to hatch build backend.
License hash changed due to formatting changes:
83d985db64
Drop no longer supported AUTOBAHN_STRIP_XBR env variable.
Add host-python-setuptools build dependency.
Add new python-base58 encryption dependency.
Add new python-ecdsa encryption dependency.
Serialization dependencies moved to mandatory dependencies.
Propagate new C++ reverse dependency.
Add new python-brotli compression dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit dc55e7eb51 added this
package as copy from the taglib package but forgot to change all taglib-
related comments.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Suggested by Gerbera:
fcf3147223
CMake Warning at CMakeLists.txt:583 (message):
!! It is strongly recommended to build libupnp with --disable-blocking-tcp-connections !!
Without this option non-responsive control points can cause libupnp to hang.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entry introduced in [2] is then no longer matched to
the cmake package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 5ce1e773b9 package/cmake: ignore CVE-2016-10642
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entry introduced in [2] is then no longer matched to
the dovecot package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 948e71689a package/dovecot: ignore CVE-2016-4983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The IGNORE_CVES entries introduced in [1] no longer match to the glibc
package following the bump to v2.42 in [2]. The version boundaries
specified on the NVD DB are specific to 2.40 & 2.41.
The CVE-2025-8058 though don't have any information available on the NVD
DB and will remain on the IGNORE_CVES then.
[1] feaf53585a package/glibc: security bump to version 2.41-70
[2] fb6256c0ef package/{glibc, localdef}: bump to version 2.42
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entries introduced in [2] are then no longer matched to
the glibc package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] adaae82c58 package/glibc: ignore CVEs not considered as security issues by upstream
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The IGNORE_CVES entries introduced in [2][3][4] are then no longer
matched to the grub2 package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 2495630383 boot/grub2: ignore CVE-2024-1048
[3] e2f46ed03d boot/grub2: ignore CVE-2023-4001
[4] a490687571 boot/grub2: ignore the last 3 remaining CVEs
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2024-32928 introduced in [2] is then no longer matched to the
libcurl package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 7e739d49b2 package/libcurl: ignore CVE-2024-32928
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The entry was added in commit [1]. But since then the NVD database
updated the version end specifier.
This IGNORE_CVES entry is then no longer needed.
[1] 51b1e1daf5 package/libssh: ignore CVE-2025-5318
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2023-37769 is then no longer matched to the pixman package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2017-8806 is then no longer matched to the postgresql package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2015-3243 is then no longer matched to the rsyslog package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patches header as well
as the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Disabled vulkan tests added by upstream commit:
2519c330fb
Added X11-related configure options due to upstream commit:
d958b70d1f
Added configure options to fix build errors without libdrm and with
libegl/libgles enabled but without X11.
These build errors were not seen before due to other build errors
unfixed since the bump of python3 to 3.10 with buildroot commit
25b1fc2898:
https://patchwork.ozlabs.org/project/buildroot/patch/20230723074303.603364-1-bernd@kuhls.net/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add back commit log comments from v2 patch
- add git commit id in commit log title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For kernel patched with 440cf77625e3 ("perf: build: Setup
PKG_CONFIG_LIBDIR for cross compilation"), if neither PKG_CONFIG_LIBDIR,
PKG_CONFIG_PATH nor PKG_CONFIG_SYSROOT_DIR are provided, the perf
Makefile while try to set some default value for PKG_CONFIG_LIBDIR,
which will not point correctly to buildroot staging directory. This
issue will lead for example to a failure to find libtraceevent even
if it is correctly enabled and installed in the staging dir, and so it
will make perf fail to build.
Make sure to call the perf make command with PKG_CONFIG_LIBDIR variable
set and pointing to buildroot staging area to make sure to properly
detect perf dependencies.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When trying to perform a custom uprobe recording on a target with perf
built by buildroot, the recording step fails as perf can not record
uprobes without libtraceevent support:
$ perf probe -x linked_list insert_name index
Target program is compiled without optimization. Skipping prologue.
Probe on address 0x808 to force probing at the function entry.
Added new event:
probe_linked_list:insert_name (on insert_name in /root/gdb/linked_list with index)
perf is not linked with libtraceevent, to use the new probe you can use tracefs:
cd /sys/kernel/tracing/
echo 1 > events/probe_linked_list/insert_name/enable
echo 1 > tracing_on
cat trace_pipe
Before removing the probe, echo 0 > events/probe_linked_list/insert_name/enable
$ perf record -e probe_linked_list:insert_name ./linked_list
event syntax error: 'probe_linked_list:insert_name'
\___ unsupported tracepoint
libtraceevent is necessary for tracepoint support
Run 'perf list' for a list of valid events
Usage: perf record [<options>] [<command>]
or: perf record [<options>] -- <command> [<options>]
-e, --event <event> event selector. use 'perf list' to list available events
libtraceevent support for perf has been disabled with commit
b4ab45a5c1 ("package/linux-tools: disable libtracevent detection")
because there was no libtraceevent package in buildroot to replace the
former libtraceevent removed from the kernel sources. Since then, commit
1474f1b34b ("package/libtraceevent: new package") has introduced a
libtraceevent package. We can then expose again the possibility to build
perf with libtraceevent support.
Make buildroot perf makefile detect if libtraceevent package has been
enabled, and if so, allow to build perf with libtraceevent support.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With the removal of the roseapplepi defconfig in commit 56091a5818
("configs/roseapplepi: remove defconfig, broken") there are no (in-tree)
users of the s500-bootloader binary blob package, so drop it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Running in S99 makes it impossible to start any service that uses iiod
after it, at least by numerical ordering only. Move it forward to
change that.
There are two dependencies of iiod:
1. The IIO devices that it should expose must be available.
2. Network must be up, which means firewall at least should be.
The former may be covered by loading modules, e.g. using S11modules
from package/initscripts. There are different ways to handle network
setup, but with SysV init scripts they generally run before S50.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* Fix check-package issues and remove .checkpackageignore entry
* Remove fixed wait in "restart", wait for process termination in
"stop" instead
* Print standard starting/stopping messages
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] removed the IGNORE_CVES entries for
CVE-2024-24258 & CVE-2024-24259 because they referenced a patches no
longer existing.
Those IGNORE_CVES entries are still required because the CVEs reference
the exact mupdf version Buildroot is using.
Re-introduce those IGNORE_CVES entries with an updated comment instead.
[1] f2e442a14d package/mupdf: remove stale IGNORE_CVES
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the
`0001-Disable-tests.patch` patch reference
was removed in favour of a build argument that disable the tests.
This update the reference in IGNORE_CVES accordingly.
[1] ba2fb599cd package/pixman: bump to version 0.44.2
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the
`0003-SDL_x11yuv.c-fix-possible-use-after-free.patch` patch reference
was renamed.
This update the reference in IGNORE_CVES accordingly.
[1] 9fab7bb79d package/sdl: drop directfb support
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patches header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
AIChat helps seamlessly integrate different LLM models, providing access
via the CLI and network. It can serve as a gateway to heterogeneous and
distributed LLMs.
Handy features like roles, macros, and sessions help simplify repetitive
tasks and reuse of existing solutions. Features like playgrounds and
arenas help to explore and compare models.
https://github.com/sigoden/AIChat
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
[Julien:
- select BR2_PACKAGE_HOST_RUSTC instead of "depends on"
- add Apache-2.0 license (package is dual licensed)
- add LICENSE-APACHE license hash
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:4 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
Fixes:
https://autobuild.buildroot.net/results/074098fef4f8a5e89a4f04efbdd1f545f4616772/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In commit 67e84345c1 ("package/vim: fix
reinstallation"), we fixed the reinstallation of vim for the target
package by removing symlinks before calling "make installlinks".
However, this didn't fix the same problem for the host-vim package.
So instead, this commit adds a patch, accepted upstream, that uses "ln
-sf" instead of "ln -s" to create the symlinks, allowing them to be
overwriten on reinstallation.
Fixes:
ln: failed to create symbolic link 'view': File exists
on reinstallation of host-vim.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit [1] "kvmtool: bump to f77d646ba0" removed the
definition of KVMTOOL_EXTRA_LDFLAGS but forgot to remove its usage
in KVMTOOL_MAKE_OPTS.
This commit removes it since it is no longer needed.
[1] f20615b53e
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The run log of this ltp-testsuite test shows:
INFO: runltp script is deprecated, try kirk
https://github.com/linux-test-project/kirk
This commit updates this test to replace this deprecated runltp
shell script with the newer kirk Python script.
The logic of this runtime test remains the same: it runs a small number
of 'read' system call tests, and checks there is no failures and at
least one test succeed.
Cc: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] (package/tio: bump to 3.5) added the libglib2 in
the .mk file without selecting it in Config.in.
This commit fixes that.
[1] 3d85e9df43
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch fixes the information to the patch header to have a single
vulnerability per line.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The fixes for the CVE-2024-24258 & CVE-2024-24259 were introduced in [1]
and targeted the package libfreeglut.
The patches that fixed CVE-2024-24258 & CVE-2024-24259 in libfreeglut
were removed in Buildroot commit [2]. With this bump the IGNORE_CVES
entries for mupdf were not removed.
[1] 0f4fef076f package/libfreeglut: add upstream security fix for CVE-2024-2425{8, 9}
[2] b1c77090ef package/libfreeglut: bump version to 3.6.0
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] removed the stale cpp-httplib patched but the
IGNORE_CVES entry wasn't removed.
[1] 8988278241 package/cpp-httplib: remove stale patch
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When the ncurses UI code in irqbalance is enabled, the build fails
with gcc >= 15.x, for example with:
BR2_arm=y
BR2_cortex_a53=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_NCURSES=y
BR2_PACKAGE_NCURSES_WCHAR=y
BR2_PACKAGE_IRQBALANCE=y
Backport two upstream patches that fix those issues.
Fixes:
https://autobuild.buildroot.net/results/3b609fe191e03330480f647b09dd06916da13317/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a Buildroot package for sysrepo-cpp, providing modern C++ RAII
bindings for the sysrepo YANG datastore library.
Signed-off-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ddresue runtime test is using the `dmsetup` command provided by the
dmraid package. This package is outdated and will be removed. This
command is also provided by the lvm2 package, which is still maintained.
This commit replaces the dmraid package by lvm2 in the test config.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
mb-applet-launcher.c: In function ‘get_launch_window’:
mb-applet-launcher.c:269:18: error: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
269 | time_t stime = time(NULL);
| ^~~~
No autobuilder failures, it was hidden by other failures.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Switched _SOURCE to .gz, upstream does not provide bz2 tarballs
anymore. This means in fact _SOURCE can be dropped, as it's now the
default value.
No autobuild errors recorded due to previous download error with
matchbox-lib.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Switched _SOURCE to .gz, upstream does not provide bz2 tarballs anymore.
No autobuild errors recorded due to previous download error with
matchbox-lib.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add new runtime test for python-varlink.
As always when we need to start a separate server process inside a test
case this gets slightly fiddly.
We override the test_run() function to first start the varlink example server,
then call the packages cli interface to do a varlink call against the
server. The cli defaults to pretty printing the result, which makes it
more annoying to compare to the expected result in the test case, so we
un-prettyprint it with python's builtin json.tool module.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
There are currently problems in updating the pypi.org release[1], so we
pull the package from the github generated tarball instead. This in turn
then requires manually setting the version for setuptools_scm in the
environment.
[1] https://github.com/varlink/python/issues/81
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This maintenance release introduces support for newer versions of the
Mesa library. Release notes:
https://wpewebkit.org/release/wpebackend-fdo-1.16.1.html
Also imports an upstream patch that is needed at least to successfully
build when using the Musl libc.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Dependency was made optional in 4.6.0 release here:
6058ab9dfe
python-can has a lot of optional dependencies, most of which are not
represented in buildroot. As msgpack is used for the virtual multicast
udp can interface[1], which does seem like a bit of a niche usecase,
just drop the mandatory dependency without introducing a user-visible
config option to enable it.
[1] https://python-can.readthedocs.io/en/4.0.0/interfaces/udp_multicast.html
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libiio python bindings use ctypes and specifically the find_library()
function from there to load the libiio.so shared library. This is not
working unless glibc utils (specifically ldconfig) is installed to the
target (alternatively the target would need gcc or binutils, for objdump
or ld).
The easy fix here is to just bypass the find_library() machinery
altogether as it's not needed on a buildroot system.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Tested-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In commit a68899d49e ("package/python3:
work around GCC bug 121567"), we introduced a work around for a gcc
bug, by reducing to -O1 the optimization level on SuperH.
However, it turns out that this is not sufficient, as the build will
only succeeded at -O0.
Fixes:
https://autobuild.buildroot.net/results/31f/31f34a983036b4135c12e5797b5c2258ab33e6c2/
Which is a config with BR2_OPTIMIZE_2=y, which means
BR2_TOOLCHAIN_HAS_GCC_BUG_121567=y, and therefore -O1 is passed, but
still the build fails. At -O0 the build doesn't fail.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The test to enable NEON on AArch64 is as following:
ifeq ($(BR2_aarch64)$(BR2_ARM_CPU_HAS_NEON),yy)
It cannot be to true as $(BR2_aarch64) and $(BR2_ARM_CPU_HAS_NEON) are
mutually exclusive. NEON is compulsory on AArch64 so remove
$(BR2_ARM_CPU_HAS_NEON) from the test.
Fixes: ba2fb599cd ("package/pixman: bump to version 0.44.2")
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of pip to version 25.3 in commit
285097051d, the build of the Python
bindings of libselinux is broken for both the host and target
variants.
For the host variant, because "pip install" no longer finds the
system-provided setuptools and tries to download setuptools by itself,
causing build issues because our host-python doesn't have SSL support:
Could not fetch URL https://pypi.org/simple/setuptools/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/setuptools/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
For the target variant, because "pip install" no longer finds the
sysconfigdata package:
ModuleNotFoundError: No module named '_sysconfigdata__linux_sparc64-linux-gnu'
[end of output]
We fix this by taking a patch from Debian, which is slightly tweaked
to also cover our host package (the original Debian patch was passing
--no-build-isolation only when DESTDIR was not empty, but in Buildroot
host packages are built with DESTDIR empty, and we do need
--no-build-isolation).
Fixes:
https://autobuild.buildroot.net/results/0e9de0c0d8b6ec57eea9f8834f02076b296ba4f1/ (host-libselinux)
https://autobuild.buildroot.org/results/1b87c659f1901b0bf33fa4a2ff0ed40b13114bba/ (libselinux)
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Co-Authored-By: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This reverts commit fd991649d3, which
isn't the correct fix: indeed, host-libselinux can be built without
BR2_PACKAGE_PYTHON3 being enabled. And also having to use the network
during the build is anyway not correct.
A follow-up commit will fix this issue in a proper way.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CPE 'cpe:2.3:a:antirez:linenoise:1.0:*:*:*:*:*:*:*' is valid for the
package linenoise [1].
Since the latest version is '1.0' since 2015 the CPE_ID_VERSION is set
to that version.
The CVE that applies on version 1.0 were checked with the 'cve-check'
script:
```
echo '{"components": [{"bom-ref": "linenoise", "name": "linenoise", "version": "1.0", "cpe": "cpe:2.3:a:antirez:linenoise:1.0:-:*:*:*:*:*:*"}]}' | support/scripts/cve-check | jq -r '.vulnerabilities[].id'
```
Only the CVE-2025-9810 exists and that was fixed in [2].
[1] https://nvd.nist.gov/products/cpe/detail/10423C23-6AAA-439E-B723-1FCDEB3A769F
[2] 3c7cbf97d7 package/linenoise: security bump to version e26268de5e
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
opencv3's code is not compatible with newer versions of ffmpeg, and
opencv3 is no longer maintained, so we have no choice but to disable
its ffmpeg support.
Fixes:
https://autobuild.buildroot.net/results/9ae3911583cccb6362f33cd82e5eaafb059fdc76/
It's not clear which ffmpeg version bump broken the build exactly, but
this issue is definitely present in 2025.02.x as the following
defconfig fails to build in a similar way on 2025.02.x:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_FFMPEG_NONFREE=y
# BR2_PACKAGE_FFMPEG_FFMPEG is not set
# BR2_PACKAGE_FFMPEG_INDEVS is not set
# BR2_PACKAGE_FFMPEG_OUTDEVS is not set
BR2_PACKAGE_OPENCV3=y
BR2_PACKAGE_OPENCV3_LIB_VIDEOIO=y
BR2_PACKAGE_OPENCV3_BUILD_PERF_TESTS=y
BR2_PACKAGE_OPENCV3_WITH_FFMPEG=y
BR2_PACKAGE_OPENCV3_INSTALL_DATA=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The protobuf support breaks the build, as protobuf includes
libabseil-cpp headers, which now require C++14. opencv3 doesn't have
any ENABLE_CXX14 option, so for the time being, disable protobuf
support until someone bothers enough to fix this up.
While we suspect a libabseil-cpp version bump to be responsible for
the issue, we are not 100% sure. However, the issue is definitely
present in Buildroot 2025.02.x, as it can be reproduced using the
following defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_OPENCV3=y
BR2_PACKAGE_OPENCV3_LIB_SHAPE=y
BR2_PACKAGE_OPENCV3_LIB_STITCHING=y
BR2_PACKAGE_OPENCV3_LIB_SUPERRES=y
BR2_PACKAGE_OPENCV3_LIB_TS=y
BR2_PACKAGE_OPENCV3_LIB_VIDEOSTAB=y
BR2_PACKAGE_OPENCV3_WITH_PROTOBUF=y
Fixes:
https://autobuild.buildroot.net/results/39432e7746e6bc5224592a7d2f744ca992bd529a/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a small patch to fix CMake 4 build issues. Unfortunately, while
cmake/OpenCVMinDepVersions.cmake provides a MIN_VER_CMAKE that we
could pass on the command line, cmake/OpenCVGenPkgconfig.cmake doesn't
use it, so we anyway have to patch the package.
Since opencv3 is basically unmaintained, there is no point sending
this patch upstream.
Fixes:
https://autobuild.buildroot.net/results/cc857993920607958dd817c6a877ed9386c05738/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
cppcms.com now points to a Github page at
https://github.com/artyom-beilis/cppcms which has a 2.0.1 version, so
let's use that. The number of differences to 2.0.0.beta2 is very
small:
$ git log --online v2.0.0.beta2..v2.0.1
b872972 (tag: v2.0.1, origin/master, origin/HEAD, master) Version to 2.0.1
a1914f7 (tag: v2.0.0) Replaced system category with one from predating C++11 (v1.2) because std::system_category does not translate WSAGetLastError results
c4febcc Merge pull request #104 from dreaming-augustin/upstream
922cd49 Python 3.12 compatibility: wrap regex in r''.
a11e9d4 Merge branch 'cpp11'
3000bc6 (origin/1.2_updates) Merge pull request #99 from dreaming-augustin/master
44e24c7 [#89] cppcms_error fix typo + consistent messages
a6d5575 (origin/cpp11) Added backtrace to system error
b3aef3b Fixed missing include for stripped down build
463a9a6 Removed IPV6 due to travis limitations
f8163c6 Merges from cpp11
31d4fe7 Added verbose log on failure
90bc996 Added Linux to build matrix - so I have fallback if normal build environment fails
f78ee39 Added Readme for github
a737d5d Merged python3 compatibility from master
0c67544 Support of python 2.7 and python 3
0d121a7 Python3 compatibility
2fc7e38 Python3 compatibility
d745869 python3 fix for tmp_cc
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit dcee99507c that
bumped package/icu to version 77-1, the build of cppcms with ICU
support enabled fails.
Indeed, ICU now requires C++17, and while cppcms.mk has some logic to
get C++ flags using icu-config, the -std=c++17 gets ultimately
overridden by the built-in -std=c++11 flag encoded in cppcms
CMakeLists.txt.
To fix this, we have submitted a patch upstream that ensures the
CMAKE_CXX_FLAGS passed on the command line take precedence over the
built-in flags defined in cppcms CMakeLists.txt.
Fixes:
https://autobuild.buildroot.net/results/9c34a08ea02499b28093ad3fa184cee10b2883ac/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
Fixes:
https://autobuild.buildroot.net/results/30c1645d04b9d2b581aa7a866aa19c4001538e17/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
We didn't submit the patch upstream, because contrary to cppcms, cppdb
seems completely dead. Last commit is from 2012 at
https://sourceforge.net/p/cppcms/code/HEAD/tree/cppdb/.
There are no known autobuilder failures for this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
No autobuilder issues, as this problem was hidden by the libcuefile
CMake 4 build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch adds the dependencies necessary to enable the newer version
of shairplay-sync support for the AirPlay2 protocol.
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is the Not Quite PTP timing library necessary for
AirPlay2 support with shairport-sync.
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of bpftrace to version 0.24.2 in Buildroot commit
97e2f63bdf, the build of bpftrace fails
with:
CMake Error at cmake/Embed.cmake:3 (find_program):
Could not find XXD using the following names: xxd
Call Stack (most recent call first):
src/stdlib/CMakeLists.txt:1 (include)
This is due to upstream commit
df21d917d9cced77ebde1202c1b3508a169f46a0, which was merged in 0.24.0.
There are no autobuilder failures for this issue at this point, but
the following defconfig exhibits the issue (of course on a host where
xxd is not installed system-wide):
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_BPFTRACE=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switched _SITE to github, old project site is down.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use 'git describe --abbrev=40' format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed patch which is included in this release.
Backported bump to fix cmake 4 compatibility.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop now upstreamed patch 0001:
84d68c6285
And rename remaining patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The VIM_REMOVE_DOCS variable is currently a post install target hook,
but it can just as well be done inside VIM_INSTALL_TARGET_CMDS
directly.
The hook was registered conditionally based on BR2_PACKAGE_VIM_RUNTIME
because prior to commit f7a07f42f7, the
hook's logic was:
find $(TARGET_DIR)/usr/share/vim -type f -name "*.txt" -delete
which was failing if BR2_PACKAGE_VIM_RUNTIME was not enabled, as
$(TARGET_DIR)/usr/share/vim would not exist.
But since this commit, the hook logic is:
$(RM) -rf $(TARGET_DIR)/usr/share/vim/vim*/doc/
which obviously won't fail if $(TARGET_DIR)/usr/share/vim doesn't
exist.
So let's simplify the whole logic.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Instead of calling $(MAKE) multiple times, let's call it once, with
all installation targets needed. We introduce a VIM_INSTALL_TARGETS
variable to collect the list of make install targets that need to be
invoked.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In Buildroot, we more commonly do:
$(MAKE) -C $(@D)/src
than:
cd $(@D)/src; $(MAKE)
so let's adopt this more conventional style.
This coding style in vim.mk dates from when the package was introduced
by Peter Korsgaard back in 2010.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
While not very common, it is nice when package re-installation
works. Unfortunately the "installlinks" target of vim installs links
with "ln -s", causing a package reinstallation to fail with:
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim ex
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim view
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim rvim
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim rview
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim vimdiff
ln: failed to create symbolic link 'ex': File exists
ln: failed to create symbolic link 'view': File exists
make[2]: *** [Makefile:2749: /home/thomas/buildroot/br/output-all/target/usr/bin/ex] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [Makefile:2752: /home/thomas/buildroot/br/output-all/target/usr/bin/view] Error 1
ln: failed to create symbolic link 'rvim': File exists
ln: failed to create symbolic link 'rview': File exists
To fix this, we remove the target links before proceeding with the
installation.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release Notes: https://docs.djangoproject.com/en/6.0/releases/6.0/
A few changes in the license files and an actual (sub)-license update:
* django/contrib/gis/measure.py -> formatting change
* django/contrib/admin/static/admin/img -> svg files got uupdated and
the new ones are licensed under CC-BY-4.0; separate LICENSE file got
removed, License is now mentioned in the readme
* django/utils/archive.py -> File got updated, license (which is only
the header) did not change.
Remove the comment about django site having an inconvenient download
URL. We download pretty much all python package from pypi.org, so doing
that for django shouldn't need a separate comment.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
- Add watchdogctl list-clients command to display currently subscribed
clients to the process supervisor. Outputs to stdout in either table
format (default) with colored headers, or JSON format with -j/--json
- New global -j, --json option for machine-readable output, currently
supported by list-clients and status commands
- New API: wdog_clients() returns array of wdog_client_t structs for
programmatic access to subscribed clients. See API documentation at
https://codedocs.xyz/troglobit/watchdogd/wdog_8h.html
- Enhance watchdogctl status command to display formatted output by
default, with device information, capabilities, and reset history in
a human-readable table format. Use -j/--json for JSON output
Fixes:
- Generic scripts running more than 1 second would fail with false
"critical error" reports and cause unwanted system reboots due
to uninitialized exit status variable
- watchdogctl reload with tempmon crashes watchdogd
- Issue causing unwanted reboot when watchdogctl reload was called
while a generic monitor script was running
- Fix memory leak in generic monitor with optional script path, would
be triggered on watchdogctl reload
The first of the fixes means we can now drop the backported patch.
Also, the test mode has been dropped from public use, hence it being
removed as well in this commit.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog:
https://github.com/linux-test-project/ltp/releases/tag/20250930
Remove patches backported from this release.
Remove LTP_TESTSUITE_AUTORECONF (patch, which required it was backported
from this release).
Require kernel headers for uclibc >= 4.5 for uclibc due F_GETOWN_EX from <fcntl.h>.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 285097051d bumped
python-pip to version 25.3, causing build errors when host-python3 was
built without SSL support:
WARNING: pip is configured with locations that require TLS/SSL,
however the ssl module in Python is not available.
[...]
Could not fetch URL https://pypi.org/simple/setuptools/:
There was a problem confirming the ssl certificate:
HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded
with url: /simple/setuptools/ (Caused by SSLError("Can't connect to
HTTPS URL because the SSL module is not available.")) - skipping
ERROR: Could not find a version that satisfies the requirement setuptools>=40.8.0 (from versions: none)
Reverting the python-pip bump reveals the true cause of the build error
by showing these messages:
WARNING: pip is configured with locations that require TLS/SSL,
however the ssl module in Python is not available.
[...]
DEPRECATION: Building 'selinux' using the legacy setup.py bdist_wheel
mechanism, which will be removed in a future version. pip 25.3 will
enforce this behaviour change. A possible replacement is to use the
standardized build interface by setting the `--use-pep517` option,
(possibly combined with `--no-build-isolation`), or adding a
`pyproject.toml` file to the source tree of 'selinux'.
Discussion can be found at https://github.com/pypa/pip/issues/6334
Selecting BR2_PACKAGE_HOST_PYTHON3_SSL fixes the problem.
Criu, the only other buildroot package using host-python-pip as
dependency, already selects BR2_PACKAGE_HOST_PYTHON3_SSL.
Fixes:
https://autobuild.buildroot.net/results/fd6/fd6d3edd5f74d094621ac9fdb93db24520b7a6e3/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The tests check if all supported hash algorithms are usable in
mkimage, for both host and target packages. Additionally, as a
necessary tool, it verifies the previous fix for FIT output from
dumpimage.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use builtin kernel for faster testing]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Some host commands need to call other host commands: For example,
"mkimage" from host-uboot-tools needs to run "dtc". This would fail or
call system commands without adding the host bin dir to PATH.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use python functions/constants to build path]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Otherwise "dumpimage -l" produces only a newline when processing a FIT
image.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Also update the device tree: since Linux v6.15-rc1 (510a6190cf5e "ARM:
dts: microchip: fix faulty ohci/ehci node names"), the USB nodes are
named "usb" instead of "ohci" or "ehci".
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
[Julien: update linux.hash comment to take hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
- Add support for Porkbun DDNS provider
- Add support for domene.shop (Norwegian DDNS provider)
- Add support for round-robin records to Cloudflare
- Add example config for DuckDNS IPv6
- Cloudflare: omit proxy setting if unset in config
- Cloudflare: omit TTL update if unset in config
- Simply.com provider fixed and re-enabled
- Support for long ddns-path requests (increased buffer size)
Fixes:
- Do not use an IP resolution method different than the one
specified in configuration
- Fix support for Namecheap
- Fix Dynu IPv6 issue
- Default value -1 not used for ttl setting
- Fix IPv6 detection for providers with "v6" in their name,
e.g., ipv64.net and dynv6.com
- Fix dnspod error: "Communication with checkip server failed"
- Fix cache directory creation on --help or --check-config
- Fix cache directory not writeable and no $HOME
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The build of the following basic configuration enabling the
imagination Vulkan driver
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION=y
fails with:
meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Adding just LLVM as a dependency is not enough, as then libclc is
needed, then LLVMSPIRVLib, then clangBasic, then the pco_clc tool.
In fact, like the Panfrost driver, building the Imagination driver
requires building host tools using host-mesa3d. To fix this we:
- Make the BR2_PACKAGE_MESA3D_OPENCL option selectable
- Make sure that BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION depends
on BR2_PACKAGE_MESA3D_LLVM and select
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER (the latter being needed to
build host-mesa3d)
- Make sure the host-mesa3d builds imagination
tools (-Dtools=imagination) and install
pco_clc (HOST_MESA3D_INSTALL_PCO_CLC). This requires introducing
HOST_MESA3D_TOOLS as a list of tools to build, which then gets used
to construct the -Dtools argument, as we can now have both
"panfrost" and "imagination" in this list.
With all this, the defconfig above builds successfully.
This has been broken since Buildroot commit
5e818c16a3, which introduced the vulkan
driver support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since upstream commit 6e189ba6c17a2ab9b60e6fd65fc6a44a17dc9e8f, merged
in mesa-25.3.0, the imagination Vulkan driver is no longer
experimental.
Therefore, since Buildroot commit
3e296a1511, which bumped mesa3d to
version 25.3.0, the build of a configuration such as:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION=y
fails with:
build/mesa3d-25.3.1/meson.build:4:0: ERROR: Value "imagination-experimental" for option "vulkan-drivers" is not in allowed choices: "auto, amd, broadcom, freedreno, intel, intel_hasvk, panfrost, swrast, virtio, imagination, microsoft-experimental, nouveau, asahi, gfxstream, all"
Fix this by using the proper Vulkan driver name.
There are no autobuilder failures for this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
No changes to hashes, only comments in hash files computed by our
utils/scanpypi script are updated by this patch.
During future mass package updates this patch will reduce the number of
changes created by scanpypi to be reviewed.
Please note that an updated version of scanpypi was used:
https://patchwork.ozlabs.org/project/buildroot/patch/20251001002004.3178942-1-james.hilliard1@gmail.com/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: drop packages not downloaded from pypi or where rust vendoring is
used]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit b243b77ebe added this
package including a hash file containing a typo of the tarball filename
for the md5 hash. Updated comment as computed by scanpypi.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes, see:
https://perldoc.perl.org/5.42.0/perl5420delta
Note: the release notes mention fixed CVE. Those were already fixed in
Buildroot commit [1] and [2]. Therefore, this update is not marked as a
security fix.
This commit also updates the `utils/scancpan` script, in order to
update the messages about the host-perl version.
[1] 61f5e2efca
[2] 164c84ee9b
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Julien: add commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 6.17.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
cmocka tries to find the Doxygen binary by default and if successful,
it tries to download style sheets and breaks with the following message:
CMake Error at
doxygen-awesome-css-subbuild/doxygen-awesome-css-populate-prefix/src/doxygen-awesome-css-populate-stamp/download-doxygen-awesome-css-populate.cmake:163
(message):
Each download failed!
error: downloading
'https://github.com/jothepro/doxygen-awesome-css/archive/refs/tags/v2.4.1.tar.gz'
failed
status_code: 1
status_string: "Unsupported protocol"
log:
--- LOG BEGIN ---
Protocol "https" not supported
closing connection #-1
Disable the Doxygen package search entirely.
Fixes:
https://autobuild.buildroot.org/results/e6a04cee8bc3028bd8a1a535c2852e60f362c4ba/
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By doing so we can also drop the patches for musl which have now been
merged upstream.
Reviewed-by: Jesse Taube <jesse@rivosinc.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bump includes a patch which adds cmake4 compatibility.
Rebased patch 0001.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
the CSharp Extension was removed in grcp 1.47.0 [0] and the option in
the CMakeLists was dropped in 1.58.0 [1], which means that it is no
longer relevant since Buildroot commit
91d1207de0, which bumped grpc from
1.51.1 to 1.66.1.
So remove this option for host-grpc as well.
Fixes:
CMake Warning:
Manually-specified variables were not used by the project:
gRPC_BUILD_CSHARP_EXT
[0] https://github.com/grpc/grpc/releases/tag/v1.47.0
[1] 3a2bd221ef
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a simple test ensuring that
- libldns is correctly built and installed
- drill is correctly built and installed
- drill is able to execute on the target
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The libldns library also comes with a CLI tool named drill, allowing to
perform DNS requests. Drill build is currently disabled by default.
Add a KConfig option to allow building and installing drill tool. Set
the default value to n to preserve the current behavior. Similarly to
linktest (see the comment in the .mk), drill fails to build correctly as
a static binary, so make the new option depend on non-static build.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This version allows to build with Linux 6.18.
Fixes:
In file included from core/crypto/sha256.c:11:
core/crypto/sha256.h:16:5: error: conflicting types for 'hmac_sha256'; have 'int(const u8 *, size_t, const u8 *, size_t, u8 *)' {aka 'int(const unsigned char *, long unsigned int, const unsigned char *, long unsigned int, unsigned char *)'}
Build failure still not occured in autobuilders.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add details about the error being fixed]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Alexey Brodkin from Synopsys says in [1]:
I think indeed, we may remove all the big-endian support for ARC.
Reasons are since introduction of ARC HS4x processors we no longer
support big-endian in any new processor IP, and even for older IP
which used to support big-endian it was rarely used... so basically
there's no good justification to spend any cycles on big-endian
support looking forward in this project. I.e. BE support in uClibc
could also be removed if it makes any difference.
Therefore, let's removed support for ARC big-endian.
[1] https://lore.kernel.org/buildroot/SJ2PR12MB818487232470DA4456967C73A1A3A@SJ2PR12MB8184.namprd12.prod.outlook.com/
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: ARC Maintainers <arc-buildroot@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
[Julien:
- move legacy option to 2026.02 section
- add link to mailing list
- remove BR2_arceb from pkg-meson.mk to fix check-symbols error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Adds documentation about adding a patch that address a vulnerability.
The patch-policy file now explain mention that patches that address a
vulnerability needs to include a `CVE:` trailer with the reference of
that vulnerability.
Until now only adding the reference to the `_IGNORE_CVES` variable was
necessary, so the documentation of this entry is modified as well to
point to the patch policy.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The CycloneDX specification for vulnerabilities defines four analysis
states ([1]) for cases where a vulnerability does not affect a component:
* resolved
* resolved_with_pedigree
* not_affected
* false_positive
Currently, the metadatas present in Buildroot does not allow an accurate
mapping of ignored CVEs to the appropriate CycloneDX vulnerability
categories. As a result, all ignored CVEs are currently marked as
'in_triage' by default.
This default analysis was established during the introduction of the
'generate-cyclonedx' script. The reasoning at the time was that SBOM
consumers might want to re-evaluate ignored vulnerabilities, as the
Buildroot infrastructure could not reliably determine their actual
state.
This patch adds support for automatically marking vulnerabilities as
'resolved_with_pedigree' when a Buildroot patch includes a 'CVE:''
tag in its header referencing the CVE identifier.
The 'CVE:' tag appears alongside the already required 'Upstream:', if
the patch address a security vulnerability and may be repeated if a
patch addresses multiple vulnerabilities.
If a vulnerability is addressed by multiple patches, each patch will need to
reference the vulnerability identifier.
For details on how CycloneDX handles 'resolved_with_pedigree', see
[1][2].
As an example, the CVE-2025-3198 from the binutils package will result
in the following pedigree for the binutils component:
```
{
"type": "unofficial",
"diff": {
"text": {
"content": "..."
}
},
"resolves": [
{
"type": "security",
"name": "CVE-2025-3198"
}
]
},
```
The `resolves` property is an array of issue the pedigree resolves. If
multiple are addressed by the same patch, then multiple identifier will be
present in this array.
In the listed vulnerabilities the entry for the CVE-2025-3198 looks like
this:
```
{
"id": "CVE-2025-3198",
"analysis": {
"state": "resolved_with_pedigree",
"detail": "The CVE 'CVE-2025-3198' has been marked as ignored by Buildroot"
},
"affects": [
{
"ref": "binutils"
}
]
}
```
[1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis_state
[2] https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches_items_resolves
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://github.com/google/brotli/blob/v1.2.0/CHANGELOG.md
Adds the following security hardening:
python: added Decompressor::can_accept_more_data method and optional
output_buffer_limit argument Decompressor::process; that allows mitigation
of unexpectedly large output
Which is needed to complete the security fixes in python-urllib3 2.6.0.
Added dependency to host-python-pkgconfig to fix build error which would
be introduced by this bump.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: mark as security bump, describe the relation with urllib3]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix two vulnerabilities related to SSH support:
* The external SSH execution code lacked shell quoting on repositories
name, resulting in arbitrary command execution.
* SSH public keys were zeroed by calling memset with the wrong length,
resulting in either buffer overflow or incomplete zeroing.
Release notes:
https://github.com/libgit2/libgit2/releases/tag/v1.9.2
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the reference command line tools for interacting with Sigsum
signature transparency logs.
Signed-off-by: Florian Larysch <fl@n621.de>
[Julien:
- select sigsum-verify if all other tools are deselected
- split and sort HOST_SIGSUM_GO_BUILD_TARGETS
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Prefer HTTPS for source downloads.
No functional change; hashes unchanged.
Align comment in .hash and Config.in.
Signed-off-by: Preyas <preyas17@zohomail.in>
[Julien: also update Config.in package home page]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes of this bugfix release:
https://sqlite.org/releaselog/3_51_1.html
"Changes in this specific patch release, version 3.51.1 (2025-11-28):
Fix incorrect results from nested EXISTS queries caused by the
optimization in item 6b in the 3.51.0 release.
Fix a latent bug in fts5vocab virtual table, exposed by new
optimizations in the 3.51.0 release"
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bump includes patches which add cmake4 compatibility.
Instead of adding patches for
https://github.com/greatscottgadgets/hackrf/commits/main/host/CMakeLists.txt
to the latest release from Februar 2024 we bump the package to the latest
commit from November 2025.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use "git describe --abbrev=40" format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2020 with > 120 commits since then, including
fixes for cmake 4 compatibility.
Instead of backporting several patches we bump the package to the latest
commit which allows to remove patch 0001.
Updated license hash due to upstream commit
f9dad5a35e
For list of changes, see:
142e1bda34
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add link to change list
- change _VERSION to use "git describe --abbrev=40" format
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2021 with > 50 commits since then, including
fixes for cmake 4 compatibility.
Instead of backporting several patches we bump the package to the latest
commit.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use "git describe --abbrev=40" format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes 1.3.6..1.3.7:
f138e68e7ffefa3f4d71857ddb137fff877fd1d0 getnetconfig.c: free linep to avoid memory leakage
eea92ef0bf2f3f0e337cfd074ebc34d91945f19b Revert "getnetconfig.c: free linep to avoid memory leakage"
d473f1e1f6ba80bfaee4daa058da159305167323 Update declarations to allow compile with gcc-15
240ee6c774729c9c24812aa8912f1fcf8996b162 update signal and key_call declarations to allow compile with gcc-15
07e45147b877c63a1d3dd1f5ae6070543b1d93cf Convert old-style function definitions into modern-style definitions
2cfe608550dbe44ac8fc6c26216f529565713fc4 Convert old-style function definitions into modern-style definitions
581152976f093f31957c48567278535ef54f6b3c Convert old-style function definitions into modern-style definitions
2832da026b0812a23e65773b313b048c68147b09 Convert old-style function definitions into modern-style definitions
d3ff4c39bbcf22e3ff736261b66a9f6c6a6bf4ca Convert old-style function definitions into modern-style definitions
791063e55d9739fa8c7c1a0d4ac1c4f8023a2843 Convert old-style function definitions into modern-style definitions
23b0aa66a34fc6de16d285fbeb60b0fd68fa40d5 Convert old-style function definitions into modern-style definitions
2c9ed28d9c364c6e7c29d9b5b740893a8baea014 Convert old-style function definitions into modern-style definitions
41cb38e2dfdc7053ebcbd777cf868f8fcbcfcf23 Convert old-style function definitions into modern-style definitions
b73283a6982f83974b48d1858735649d6acf6398 Convert old-style function definitions into modern-style definitions
c717a52ed169701b2907ac8eb8678ca41b1533ba Convert old-style function definitions into modern-style definitions
4eeb59a8dbcc6b4d3db1b81a00615f6e7832a97c Convert old-style function definitions into modern-style definitions
7cea8ad66aecc21e6caae330b5d31075af399193 Add conditional version script support
5bd87617e4b3129e76e79847c95bdea4b1290d9f Release 1.3.7
Our two patches are upstream as of
d473f1e1f6ba80bfaee4daa058da159305167323 and
240ee6c774729c9c24812aa8912f1fcf8996b162 respectively.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes between 2.4 and 2.5:
- snagrecover:
add support for bcm2711/12 platforms
add support for several AMLogic platforms
add support for AM654x platforms
confirm Allwinner A133 support
- snagfactory:
allow changing target device mid-pipeline
tone down UI colors, increase button sizes
No changes affect the packaging or dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 930660890b bumped kbd to
version 2.9.0 which includes optional support for various compression
libraries. This commit adds the corresponding configure options and a
fix for build errors caused by zlib.
The build error was happening when a zlib was compiled before kbd.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_KBD=y
BR2_PACKAGE_ZLIB=y
EOF
make olddefconfig
make zlib
make kbd
The compilation fails with the erro:
kbdfile-zlib.c: In function 'dlopen_note':
elf-note.h:27:30: error: 'sym_gzopen' undeclared (first use in this function); did you mean 'sym_gzopen64'?
27 | #define DLSYM_ARG(symbol__) &sym_##symbol__, STRINGIFY(symbol__),
| ^~~~
Fixes:
https://autobuild.buildroot.net/results/8ff/8ff6c3d940b68069f748f12646f7516ec86172c1/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add commands to reproduce the issue
- update patch "Upstream:" link to upstream commit
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Bump Linux kernel to 6.18.
- Bump U-Boot to 2025.10. Add the dependency on GNU TLS. Refresh the
config fragment: add smc & poweroff commands, add ESRT and dummy
capsule update, add SMCCC features discovery.
- Bump OP-TEE to 4.8.0. Add the dependency on python-cryptography. Lock
optee-client version to be the same as optee-os. Add a patch to output
logs to the same UART as all the other components and increase log
level. Remove the unnecessary dependency on dtc.
- Bump TF-A to v2.14.0.
- Bump FVP to 11.30_27. Disable terminal 1, now that all the logs go to
a single terminal. Enable virtio network. Rate limit the simulation
by default, for convenience at U-Boot and GRUB countdown, and for more
realistic delays inside the simulation.
- Switch to Bootlin pre-built toolchain.
- Add more modules to GRUB, to have more commands available: efi
commands, plus reboot & halt.
- Add eudev to probe Linux modules during boot, for LCD support.
- Configure eth0 with DHCP automatically during boot.
- Refresh the documentation.
This configuration has been tested on an x86 and on an AArch64 machine.
The firmware and FVP of this configuration have also been tested
successfully with other OSes: Debian Live, openSUSE Tumbleweed, Yocto,
OpenWrt, Buildroot AArch64 EFI and FreeBSD.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://github.com/strace/strace/blob/v6.18/NEWS
Buildroot commit a06d79862a bumped the
linux kernel to version 6.18 which broke the build of strace.
The issue can be reproduced with commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_PACKAGE_STRACE=y
EOF
make olddefconfig
make strace
The build is failing with error:
listmount.c: In function 'print_mnt_id_req':
listmount.c:39:16: error: 'struct mnt_id_req' has no member named 'spare'
39 | if (req.spare) {
| ^
Fixes:
https://autobuild.buildroot.org/results/8e3de892a1c4aa176a8b3a5defba48aa9830bc89/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- update pgp key comment in hash file
- add commands to reproduce the issue and error log
- add autobuilder failure log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a06d79862a bumped the
linux kernel to version 6.18 which broke the build of cryptodev-linux.
Added upstream patch to fix the problem.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since we bumped to glibc 2.42, the build of Python 3 is failing on
Sparc64 due to the removal of the "struct termio" definition from
glibc. Since this only affects a small number of termio operations, we
simply drop support for them, since they basically can't be used
anymore (and we don't really care that much about those specific
operations that only exist on Sparc64).
Fixes:
https://autobuild.buildroot.net/results/28fee0f8368ae3dc1d607ebad4881b736e360f07/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The NVD database has CVE entries that are not present but may be
referenced in other security trackers.
For instance the CVE-2024-12455 is documented in the Debian security
tracker [1]. However, the NVD page is empty [2] and this entry is not
present in the NVD database mirror.
The following command would make the script fail:
```
echo '{
"vulnerabilities": [
{
"id": "CVE-2024-12455"
}
]
}' | support/scripts/cve-check --enrich-only
```
No CVEs present in Buildroot ignored CVEs are affected. But when
enriching an SBOM with legitimate CVE not present on NVD, the script
will fail.
This patch change the behavior to just log to stderr unknown CVEs
instead of making the script fail.
[1] https://security-tracker.debian.org/tracker/CVE-2024-12455
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-12455
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: Tweak warning message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building a simple configuration such as:
BR2_aarch64=y
BR2_FORCE_HOST_BUILD=y
Under our reference Docker container, as an out-of-tree build:
./utils/docker-run make O=output-test
will fail during the glibc staging installation step with:
/usr/bin/install -c -m 644 /home/thomas/buildroot/br/output-glibc/build/glibc-2.42-3-gbc13db73937730401d592b33092db6df806d193e/build/libc.a /usr/lib64/libc.a
/usr/bin/install: cannot create regular file '/usr/lib64/libc.a': Permission denied
The problem being that the install_root variable is for some reason
lost along the way. We definitely pass it during the staging
installation step, but then glibc calls a sub-make and in that
submake, install_root is empty.
Observations:
- Building the same configuration inside the Docker container, but
in-tree, doesn't exhibit the problem.
- Building outside of the Docker container, but with the same make
version as the one we build due to BR2_FORCE_HOST_BUILD=y doesn't
exhibit the problem.
However, it turns out that glibc sets install_root to $(DESTDIR). And
passing DESTDIR just works. So we drop our custom
GLIBC_INSTALL_STAGING_OPTS to rely on the default one, and this fixes
the problem. It's not extremely satisfying to not fully understand
what's going on, but after spending quite some time on this, and
having a trivial and actually pretty nice workaround, we simply
propose to use this solution.
There is no autobuilder issue as we're not using our Docker container
to do autobuild builds.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When browsing the available Database packages, libdbi appears in the
menuconfig as "lidbi".
Fix the menuconfig entry by updating the relevant boolean name.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The http link is broken:
Connecting to people.redhat.com (people.redhat.com)|209.132.178.26|:80...
failed: No route to host.
No autobuilder error recorded.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The http link is broken:
Connecting to people.redhat.com (people.redhat.com)|209.132.178.26|:80...
failed: No route to host.
No autobuilder error recorded.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Original site is down, unchanged tarball can be downloaded from github.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prabhu's e-mail address at Collins is bouncing, so let's drop this stale
entry:
<prabhu.sannachi@collins.com>: host
mxb-00105402.gslb.gpphosted.com[67.231.147.145] said: 550 5.1.1 User
Unknown (in reply to RCPT TO command)
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
unzip currently fails to build with GCC 15.x. We're already fetching
from Debian, using patchlevel -27, and it turns out that Debian
patchlevel -29 has the GCC 15.x fix, and very few other fixes:
unzip (6.0-29) unstable; urgency=medium
* Ignore invalid "Total number of disks" field on Microsoft ZIP64 files.
Closes: #661956, #1064000.
* Drop conflicting declarations of gmtime() and localtime().
Should fix build with gcc-15. Closes: #1098043.
* Fix zipgrep handling of escapes. Closes: #1054628.
* Stop using update-mime. Closes: #1072396.
* Add debian/source/lintian-overrides for *.a files.
* Do not trim Debian changelog.
* Add debian/salsa-ci.yml.
* Add Vcs-Git and Vcs-Browser fields.
* Update Standards-Version.
unzip (6.0-28) unstable; urgency=medium
* Drop debian/source/lintian-overrides, obsolete since version 6.0-18.
* Update URI for Info-ZIP license in copyright file.
* Update standards version to 4.6.2.
* Run wrap-and-sort.
* Update Homepage.
So let's just bump to this patchlevel version.
Note that the .dsc file link in the .hash file was wrong, it was still
referring to patchlevel -26.
Fixes:
https://autobuild.buildroot.net/results/d81cb9d7c9e87dd233dde350d15cb03427ba2036/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Bernd:
Updated _SITE from /debian-debug/ to /debian/ (Baruch)
Updated comment of UNZIP_IGNORE_CVES to reflect bump.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The current upstream repo shows this note:
"This repository was archived by the owner on May 27, 2024. It is now
read-only."
Switched to fork whose only difference is a commit fixing build errors
with cmake 4:
4674816f56
Since this commit changes _SITE, the package homepage url is also update
to the same location.
Fixes:
https://autobuild.buildroot.net/results/130/13084ca4df5ae91d72f46ef51873676b05398ec9/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change homepage url in Config.in and add commit log comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 5.4.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Bump kernel version in test_zfs.py.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 95c385e2d6 in -next
branch bumped libcamera to version 0.6.0 which breaks the build:
../core/options.cpp:405:44: error: conversion from
'std::basic_string_view<char>' to non-scalar type
'const std::string' {aka 'const std::__cxx11::basic_string<char>'}
requested
405 | const std::string cam_id =
*cameras[camera]->properties().get(libcamera::properties::Model);
Added upstream patch, included since version 1.10.0, to fix the problem.
Please note that since version 1.9.1 this package is incompatible with
the current version of ffmpeg used in buildroot so bumping it is not an
option atm:
cbe9921eed
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: fix Buildroot commit id of libcamera bump]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issues:
1) CVE-2025-62229: Use-after-free in XPresentNotify structures creation
Using the X11 Present extension, when processing and adding the
notifications after presenting a pixmap, if an error occurs, a dangling
pointer may be left in the error code path of the function causing a
use-after-free when eventually destroying the notification structures
later.
Introduced in: Xorg 1.15
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
2) CVE-2025-62230: Use-after-free in Xkb client resource removal
When removing the Xkb resources for a client, the function
XkbRemoveResourceClient() will free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
triggers a use-after-free.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/99790a2chttps://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
3) CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()
The XkbCompatMap structure stores some of its values using an unsigned
short, but fails to check whether the sum of the input data might
overflow the maximum unsigned short value.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
https://lists.x.org/archives/xorg-announce/2025-October/003635.html
Changelog:
https://lists.x.org/archives/xorg/2025-October/062148.html
Also update the COPYING hash for a change of copyright year.
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Peter: Mark as security bump, extend commit message, fix COPYING hash]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 00230e7 "package/pkg-golang: catch use of legacy FOO_INSTALL_BINS"
introduced a small typo, fixing that.
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add optee_os to the default configuration for versal2 devices including an
example with the versal2_vek385_defconfig.
Since not all versal2 optee_os features are upstream, use the downstream
Xilinx release tag xlnx_rebase_v4.5.0_2025.2 for version xilinx_v2025.2
which is based on optee_os v4.5.0.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Most of the time, users will be running Vivado on their local host machine,
and will generate a XSA (Xilinx Shell Archive) locally.
Instead of requiring users to create a URL location for their XSA file,
this patch improves ease of use by allowing users to work directly with
just a path on the local host machine.
BR2_TARGET_XILINX_PREBUILT_VERSAL_XSA_LOCATION can thus be defined as either
a simple local location or a URL location for the XSA file.
In either case, a hash for the XSA file needs to be added to the
boot/xilinx-prebuilt/xilinx-prebuilt.hash when using this option.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://lwn.net/Articles/1049060/
"This is the LAST 5.4.y release. It is now end-of-life and should not be
used by anyone, anymore. As of this point in time, there are 1539
documented unfixed CVEs for this kernel branch, and that number will
only increase over time as more CVEs get assigned for kernel bugs."
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As requested by the gnu.org admins:
"
Since August 2024, we've been under DDoS attacks from common command line
tools.
To fix this, we would need to change the user-agent from "Python/3.11
aiohttp/3.8.4" to "buildroot.org pkg-stats" instead.
"
It indeed probably makes sense to use an unique user-agent string, so rework
the script to do that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since libcap has been updated to version 2.77 in Buildroot commit
42f2b480a5, the build fails for
statically-linked configurations when the host system doesn't have a
static version of libc installed:
/usr/bin/ld: cannot find -lc: No such file or directory
/usr/bin/ld: have you installed the static version of the c library ?
This is because the -static flag that is supposed to be used when
building target code also gets passed to the host compiler... which is
obviously incorrect and leads to the build failure.
This issue was introduced by upstream commit
c3ddf45d9afaab85d3b7db0dc7bfd1aafb8fde50, which was reverted right
after the 2.77 release in commit
542d7d86ecd2129dd5fe7e5b31ba307304f5b319, which we are simply
backporting here.
Fixes:
https://autobuild.buildroot.net/results/f6d/f6dc61a9d57e282691b87a3a8fadcb5d5ea8fd8b/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add an example config for the Versal2 VEK385 evaluation board. This board has
the superset 2VE3858 device of the Versal AI Edge Gen 2 family with
8 Cortex-A78AE cores, 10 Cortex-R52 cores, 144 AIE-ML tiles and over 500k LUTs.
With this patch, Buildroot is capable to build a full image for the VEK385
evaluation board along with all the necessary firmware components.
More information about the VEK385 evaluation board can be found here:
https://www.amd.com/en/products/adaptive-socs-and-fpgas/evaluation-boards/vek385.html
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add support for Xilinx versal2 devices which include two new applications
for the xilinx-embeddedsw package.
BR2_TARGET_XILINX_EMBEDDEDSW_VERSAL2_PLM
There is a new PLM (platform loader and manager) application for versal2
devices. The purpose of the PLM is to act as the bootloader for loading the
boot.pdi to configure the DDR memory and then loading arm-trusted-firmware and
u-boot on the Cortex-A78 core 0.
BR2_TARGET_XILINX_EMBEDDEDSW_VERSAL2_ASUFW
Included with versal2 devices is a risc-v based security accelerator called
the ASU (application security unit). The ASUFW is the open-source application
which runs on the ASU.
Versal2 devices simplified the boot process by getting rid of the second
microblaze core called the PSM (processor system manager). There is thus no
longer a need for a separate psmfw application like with the original versal
devices, as this functionality is now fully included in the new PLM for
versal2.
For more information about the Xilinx Versal Gen2 series:
https://www.amd.com/en/products/adaptive-socs-and-fpgas/versal/gen2/ai-edge-series.htmlhttps://www.amd.com/en/products/adaptive-socs-and-fpgas/versal/gen2/prime-series.html
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The gnu.org admins have been blocking the IP address of machines running
pkg-stats as the GET requests for the (many) packages with gnu.org URLs are
seen as abusive.
The resource body is not used, so use a HTTP HEAD request instead of a GET
to limit server load and bandwidth use.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Update the kernel, U-Boot, ATF tags and readme.txt.
- Increase the rootfs size to 200M.
Signed-off-by: Akhilesh Nema <nemaakhilesh@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since FRR 10.5, header files can be properly installed [1]. Enable their
installation in Buildroot so that packages depending on FRR’s headers
can build against them.
With these headers available, the Grout package can build its zebra
dplane plugin, which allows FRR to configure the Grout router instead of
the kernel for packet processing.
[1] https://github.com/FRRouting/frr/pull/19351
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
[Julien:
- move FRR_INSTALL_STAGING up
- add "package/" in commit title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When using a custom skeleton where the merged symlinks are missing,
the build fails with errors like:
support/scripts/check-merged -t skeleton -u -b /usr/src/simplek8s/rootfs-skeleton
The skeleton in -t is not properly setup:
- /usr/bin should exist, be a directory, and not be a symlink
- /usr/lib should exist, be a directory, and not be a symlink
The skeleton in skeleton is not properly setup:
- /usr/bin should exist, be a directory, and not be a symlink
- /usr/lib should exist, be a directory, and not be a symlink
[...]
Commit 793ebd5d28 (support/scripts/check-merged: use getopts instead of
getopt) intoduced a flawed use of getopts: unlike getopt, getopts does not
conume the positional arguments. This causes the check for directory
validity to also check each option as if they were directories.
For overlays, this is transparently ignored, because the checks are only lax
for overlays (missing symlinks are OK).
However, for skeletons, the checks are strict. Because of that, a missing
symlink is considered an error, when it should be considered as being OK.
The fix is to actually consume the positional args to only keep the list of
directories to validate, like is done for example in
support/download/dl-wrapper.
Fixes: 793ebd5d28
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Package tmux fails to build with:
compat/utf8proc.c: In function 'utf8proc_mbtowc':
compat/utf8proc.c:51:39: error: passing argument 3 of 'utf8proc_iterate' from incompatible pointer type [-Wincompatible-pointer-types]
51 | slen = utf8proc_iterate(s, n, pwc);
| ^~~
| |
| wchar_t * {aka long int *}
Add local patch already committed upstream to fix it.
Fixes:
https://autobuild.buildroot.net/results/651/6510cfb16d0c3f3772918cd3bde0542d0b59a230/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The starfive-spltool host package was added to Buildroot to create a
bootable image for the Starfive JH7110 SoC.
Mainline U-Boot can now build an image without it so it is not required
anymore.
Signed-off-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
[Julien: remove DEVELOPERS entry]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit [1] "package/gcc: switch to GCC 14.x as the
default", pine64_star64_defconfig compilation is failing in
u-boot with error:
drivers/video/dw_hdmi.c: In function 'dw_hdmi_write':
drivers/video/dw_hdmi.c:81:42: error: passing argument 2 of 'writeb' makes pointer from integer without a cast [-Wint-conversion]
See build failure [2].
Upstream U-Boot includes a support for this board since commit [3],
first included in v2024.07.
Upstream Kernel includes a support for this board since commit [4],
first included in v6.11.
This commit switches uboot and linux from the repository
https://github.com/Fishwaldo
to their respective upstream sources.
U-Boot is updated from the fork from a v2021.10 base to v2025.10.
The Linux Kernel is updated from the fork from a v5.15.131 base
to v6.12.56.
While at it, this commit updates the defconfig to the new convention:
- It adds custom hashes and enables BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
- It switches to a glibc stable bootlin external toolchain
Note that the upstream uboot defconfig name for the pine64 star64
board is starfive_visionfive2 (which is in fact another, but very
similar board). The detection of the board is made inside the SPL.
See [5].
Finally, switching to upstream uboot and kernel required few
adjustments:
- The genimage.cfg is updated to use the "u-boot.itb" file produced by
U-Boot,
- In genimage.cfg, the uboot partition-type-uuid is changed to
xbootldr (the genimage human readable name), to follow the
recommendation of the UUID to use from [5],
- In extlinux.conf, rootwait is added in kernel arguments,
- The post-build.sh script and the star64-uboot-fit-image.its file
are removed: they are no longer needed, since U-Boot and Binman
are managing everything,
- BR2_TARGET_UBOOT_SPL_NAME is updated in the defconfig, to reflect
the file name generated by U-Boot,
- BR2_PACKAGE_HOST_STARFIVE_SPLTOOL is removed from the defconfig,
it is no longer needed, since upstream U-Boot produces the file
at the correct format,
- BR2_PACKAGE_HOST_UBOOT_TOOLS is also removed from the defconfig,
it is no longer needed since U-Boot uses Binman,
- the defconfig is updated to include the new uboot requirements
(BR2_TARGET_UBOOT_{NEEDS,USE}_*),
- the pine64_star64_defconfig entry is removed from .checkpackageignore
it is no longer needed.
This patch was tested on a Pine64 Star64 board V1.1,
PCB revision: 0xc1, BOM revision: A.
Fixes:
- [2]
[1] 1e1fafa1f0
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/11916952973
[3] 7ebf7e77c0
[4] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2606bf583b9623694b864c220fd6b3d2ed13ba13
[5] https://source.denx.de/u-boot/u-boot/-/blob/v2025.10/doc/board/starfive/pine64_star64.rst
Reviewed-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, bump the
default version of xilinx-prebuilt to xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, bump the
default version of xilinx-embeddedsw to xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, remove
the xilinx_v2025.1 hashes which are no longer needed.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump versal defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
plm xilinx_v2025.2
psmfw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a vek280 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hash for xilinx_v2025.2 version, so that example defconfigs can be
bumped to the latest version individually.
Since the license.txt changes with each release, move the hashes to version
specific directories instead of having a generic hash file.
xilinx_v2025.1 hash is moved to boot/xilinx-prebuilt/xilinx_v2025.1_update1
xilinx_v2025.2 hash is added to boot/xilinx-prebuilt/xilinx_v2025.2
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynqmp_kria defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
pmufw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a kv260 starter kit.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynqmp defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
pmufw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a zcu102 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynq defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
linux v6.12.40
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a zc702 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hash for xilinx_v2025.2 version, so that example defconfigs can be
bumped to the latest version individually.
Since the license.txt changes with each release, move the hashes to version
specific directories instead of having a generic hash file.
xilinx_v2025.1 hash is moved to boot/xilinx-embeddedsw/xilinx_v2025.1
xilinx_v2025.2 hash is added to boot/xilinx-embeddedsw/xilinx_v2025.2
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hashes for xilinx_v2025.2 release tags which include the following:
arm-trusted-firmware v2.12
linux v6.12.40
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump bootgen to xilinx_v2025.2 version.
The 0001-bisonflex-Fix-build-on-machines-with-modern-flex.patch is no longer
needed because it has been committed upstream and included with the
xilinx_v2025.2 version.
0471f084b0
The 0001-lms-hash-sigs-hss_param.c-add-stdio.h-include.patch has now been
added to the package to fix the following potential build error:
The lms-hash-sigs/hss_param.c is missing an include of stdio.h. Without it,
the following build error can occur:
hss_param.c: In function ‘hss_get_parameter_set’:
hss_param.c:157:13: error: implicit declaration of function ‘printf’ [-Wimplicit-function-declaration]
157 | printf("Private key expired\n");
| ^~~~~~
hss_param.c:7:1: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
6 | #include "lm_common.h"
+++ |+#include <stdio.h>
7 |
hss_param.c:157:13: warning: incompatible implicit declaration of built-in function ‘printf’ [-Wbuiltin-declaration-mismatch]
157 | printf("Private key expired\n");
| ^~~~~~
hss_param.c:157:13: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
make[3]: *** [Makefile:38: hss_param.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [Makefile:84: build/bin/bootgen] Error 2
The above error was reported on Debian 13 / gcc 14.2.0.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Upstream: submitted to Xilinx bootgen repo with CR-1256741
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Buildroot commit [1] (package/gnutls: security bump to
version 3.8.11), gnutls fails to build with gcc or host-gcc
version < 11, with error:
In file included from audit.h:22,
from audit.c:26:
crau/crau.h:255:23: error: missing binary operator before token "("
__has_c_attribute (__maybe_unused__)
This commit adds a patch fixing the issue.
[1] 81dbfe1c2a
Reported-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Neal Frager <neal.frager@amd.com>
Tested-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As of Buildroot commit [1] which updated
the python-httplib2 package from 0.22.0 to 0.31.0, gclient.py has
been broken due to the internal socks.py file being removed from
the httplib directory (in upstream commit [2]).
As the depot-tools package doesn't have a build step, and is only
used when generating a flutter-engine tarball, no autobuild failures
have occured.
Add a simple patch that changes `import httplib2.socks` to
`import socks` and depend on the host-python-pysocks package.
[1] 55a80f89d7
[2] 1a6ff78179
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12188741354
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Julien:
- change commit id to urls
- add "Fixes:" link
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host-depot-tools package now requires a host variant of the
python-pysocks package due to the python-httplib2 update on
commit [1].
Httplib2 removed the internal socks.py file on commit [2].
[1] 55a80f89d7
[2] 1a6ff78179
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Julien: change commit id to urls]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The bump of e2fsprogs to 1.47.3 in Buildroot commit
bb004ddba2 causes the package to fail
building when the kernel headers are >= 5.10 but < 5.12.
Indeed the new version of e2fsprogs detects the presence of
<linux/fsverity.h> (which occurred in 5.10), and when it's available,
enables some fsverity functionality, which uses an ioctl() that was
only introduced in 5.12. This causes some build breakage if the
headers used are 5.10 or 5.11.
We fix this by introducing a patch, submitted upstream, that not only
verifies the availability of the header file, but also the
availability of the ioctl().
Fixes:
https://autobuild.buildroot.net/results/c573233b1f871c61f916eda9c402c84070902432/ (host-e2fsprogs)
https://autobuild.buildroot.net/results/0ed16cad1d1f500d0e577d03166c06381be73ffc/ (e2fsprogs)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For a list of changes, see:
b147624d48...0.4.1
Removed patches which are included in this release.
Also, since Buildroot commit [1] (package/php: bump version to 8.4.13)
php-pecl-dbus is failing to build with error:
/builds/buildroot.org/buildroot/test-output/TestPhpPeclDbus/build/php-pecl-dbus-b147624d480c3353e6c700e9a2d0c6f14d853941/php_dbus.h:52:9: error: implicit declaration of function 'rebuild_object_properties'; did you mean 'rebuild_object_properties_internal'? [-Wimplicit-function-declaration]
This commits fixes the issue.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12184413758
[1] a9e5cf6ac2
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commit log info about build failure]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog: https://pecl.php.net/package-changelog.php?package=yaml
Since Buildroot commit [1] (package/php: bump version to 8.4.13)
php-yaml is failing to build with errors such as:
/buildroot/output/build/php-yaml-2.2.3/parse.c: In function ‘handle_sequence’:
/buildroot/output/build/php-yaml-2.2.3/parse.c:534:39: error: passing argument 1 of ‘zval_ptr_dtor’ from incompatible pointer type [-Wincompatible-pointer-types]
This commits fixes the issue.
[1] a9e5cf6ac2
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commit log info about build failure]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog: https://xdebug.org/updates#x_3_4_7
Since Buildroot commit [1] (package/php: bump version to 8.4.13)
php-xdebug is failing to build with error:
/buildroot/output/build/php-xdebug-3.3.1/src/coverage/code_coverage.c: In function ‘xdebug_find_jumps’:
/buildroot/output/build/php-xdebug-3.3.1/src/coverage/code_coverage.c:349:34: error: ‘ZEND_EXIT’ undeclared (first use in this function); did you mean ‘ZEND_GINIT’?
This commits fixes the issue.
[1] a9e5cf6ac2
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commit log info about build failure]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 2ecb2d2847 removed the
dependency to BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS while still
selecting packages which depend on it:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_JSONSCHEMA
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_FLASK_RESTX [=y] && BR2_PACKAGE_PYTHON3 [=y]
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_REFERENCING
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_FLASK_RESTX [=y] && BR2_PACKAGE_PYTHON3 [=y]
Seen with defconfig:
https://autobuild.buildroot.org/results/ebf9a81f7e225ecdab20bbad8ad8daa136fddb46/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This adds the python bindings of libgpiod for version 2+.
While the python bindings for v1 were optionally built and
installed as part of the main libgpiod build, for v2 they have now been
published to pypi.org for easier consumption in the general python
ecosystem.
We need to set LINK_SYSTEM_LIBGPIOD=1 to actually build against the
system version of libgpiod which we install and not use a separate
bundled copy.
The package is licensed as libgpiod, but as published to pypi doesn't
include the LICENSE file that's part of upstream repository.
Reference pyproject.toml as that has the license identifier as a
workaround.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 1187c34d88 (support/scripts: move merged-usr errors message
into check-merged-usr.sh) introduced the use of getopt to parse its
options; doing so allowed to use long option (with two leading dashes),
which is more descriptive than the usual one-character options.
However, getopt is part of util-linux; it is not a shell built-in.
util-linux is not a prerequisite of Buildroot, so we may end up running
on a system where it is missing.
We could add host-util-linux as a dependency when the system does not
provide getopt, but that's not very nice; even though host-skeleton does
not need to check for merged-bin for now, it does not need getopt, and
thus we could add host-util-linux (which depends on host-skeleton) as a
dependency of skeleton-custom. But that will not be tenable over the
long run, especially if/when we do a merged-bin in host dir.
Requiring that util-linux be installed system-wide is not nice either;
it's an additional requirement on the host.
We can do like we do in the oter scripts, though: use the shell built-in
getopts. Its usage is slightly different, and does not support long
options. As it's just for use in an internal script, we can live with
the less descriptive options, though.
Switch to using getopts, it removes the need for a new host dependency.
Fixes: 1187c34d88
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The bump of netsnmp to version 5.9.4 with buildroot commit
1799cfebfd broke musl builds:
../include/net-snmp/net-snmp-config.h:1614:30: error: unknown type name 'unknown'; did you mean 'union'?
due to broken detection of __fd_mask introduced in 5.9.4 by upstream
commit 97df191ff8
Added two upstream patches for __fd_mask detection to fix musl builds.
Fixes:
https://autobuild.buildroot.net/results/9d7/9d75061ca917689381c3b32f3e01640701d833a7/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that binutils 2.45 has been introduced and binutils 2.44 made the
default version, drop the oldest supported version, binutils 2.42,
keeping only the 3 last versions supported: 2.43, 2.44 and 2.45.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that support for binutils 2.45 has been introduced, we follow our
policy of making binutils 2.44 the default version.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
We bring patches 0001 and 0002 that we carry for binutils 2.44. Patch
0002 requires a small update as a nearby configure option has been
removed between 2.44 and 2.45. Patch 0003 that we have for binutils
2.44 is not needed as it is part of the 2.45 release.
Changes in 2.45:
* New versioned release of libsframe: libsframe.so.2. This release introduces
versioned symbols with version node name LIBSFRAME_2.0. Some new symbols
have been added to support the new flag SFRAME_F_FDE_FUNC_START_PCREL and
retrieving flags from SFrame decoder and encoder objects:
- Addition of sframe_decoder_get_flags,
sframe_decoder_get_offsetof_fde_start_addr, sframe_encoder_get_flags,
sframe_encoder_get_offsetof_fde_start_addr.
This release also includes backward-incompatible ABI changes:
- Removal of sframe_get_funcdesc_with_addr.
- Change in the behavior of sframe_decoder_get_funcdesc_v2,
sframe_encoder_add_funcdesc_v2 and sframe_encoder_write.
* On s390 64-bit (s390x), gas, ld, objdump, and readelf now support generating
and processing SFrame V2 stack trace information (.sframe). The assembler
generates SFrame info from CFI directives with option "--gsframe". The
linker generates SFrame info for the linker-generated .plt section and merges
all .sframe sections. Both objdump and readelf dump SFrame info with option
"--sframe[=<section-name>]".
* For SFrame stack trace format, the function start address in each SFrame
FDE has a changed encoding: The 32-bit signed integer now holds the offset
of the start PC of the associated function from the sfde_func_start_address
field itself (instead of the earlier where it was the offset from the start
of the SFrame section itself). All SFrame sections generated by gas and ld
now default to this new encoding, setting the (new)
SFRAME_F_FDE_FUNC_START_PCREL flag.
Relocatable SFrame links are now fixed.
* Readelf now recognizes RISC-V GNU_PROPERTY_RISCV_FEATURE_1_CFI_SS and
GNU_PROPERTY_RISCV_FEATURE_1_CFI_LP_UNLABELED for zicfiss and zicfilp
extensions.
* For RISC-V dis-assembler, the definition of mapping symbol $x is changed,
so the file needs to be rebuilt since 2.45 once used .option arch directives.
* The LoongArch disassembler now properly accepts multiple disassembly
options given by -M, such as "-M no-aliases,numeric". (Previously only the
first option took effect.)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: fix BR2_BINUTILS_VERSION_2_45_X prompt to 2.45.1]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch adds information on how to generate a CycloneDX SBOM in
Buildroot. It also mentions how to track CVEs with that given SBOM.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: reword slightly]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Enriches the input CycloneDX SBOM with vulnerability information and
analysis from the NVD database.
The NVD database is cloned using a mirror of it and the content is compared
locally. By default the path 'dl/buildroot-nvd' is used.
Example usage to analyse vulnerabilities of an input CycloneDX SBOM:
$ make show-info | utils/generate-cyclonedx | support/script/cve-check
The 'cve-check' can also be used to only enrich the vulnerabilities
present on the input SBOM with a set metadata (description, cvss,
references, ...) without applying an analysis.
With the following command the vulnerabilities ignored by Buildroot
present in the CycloneDX SBOM are enriched with description, cvss, etc
...
$ make show-info | utils/generate-cyclonedx | support/script/cve-check --enrich-only
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: fix minor flake8 issues]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch move the 'download_nvd' call to the 'pkg-stats' script
instead of automatically calling 'read_nvd_dir'.
Since the cve.py file can be used as a library it's up to the caller to
decide whether or not to update the NVD database.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 3963c3c06e added this
package which selects python-paramiko but forgot to add its dependency.
Fixes warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_PARAMIKO
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_SCP [=y] && BR2_PACKAGE_PYTHON3 [=y]
seen with https://autobuild.buildroot.net/results/423/4235283218bc49f53bf7cafd4a67f380dba659c0/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixed the following security issues:
CVE-2025-64458: Potential denial-of-service vulnerability in
HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
CVE-2025-64459: Potential SQL injection via _connector keyword argument
https://docs.djangoproject.com/en/5.2/releases/5.2.8/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The S3 storage drivers defines the maximum size of a chunk to a value
thqt does not fit in the native integer on 32-bit architectures. This
causes build failures:
registry/storage/driver/s3-aws/s3.go:312:99: cannot use maxChunkSize
(untyped int constant 5368709120) as int value in argument to
getParameterAsInteger (overflows)
Ideally, we'd like to use a build tag that refers to whether the
architecture is 32- or 64-bit, but there is no such flag. Sigh...
Instead, backport a patch from upstream that papers over the issue, by
using the i386 build tag (of course, that still misses other 32-bit
archs, but are they really relevant in this case?).
Fixes:
https://autobuild.buildroot.org/results/8fa9c5f63f690b27336051be5178f0516e0c54d4/
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Julien: add "Fixes:" link]
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes: https://github.com/redis/redis/releases/tag/8.2.3
This fixes the following vulnerability:
- CVE-2025-62507:
Redis is an open source, in-memory database that persists on disk. In
versions 8.2.0 and above, a user can run the XACKDEL command with
multiple ID's and trigger a stack buffer overflow, which may
potentially lead to remote code execution. This issue is fixed in
version 8.2.3. To workaround this issue without patching the redis-
server executable is to prevent users from executing XACKDEL
operation. This can be done using ACL to restrict XACKDEL command.
https://www.cve.org/CVERecord?id=CVE-2025-62507
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The hash file for license (netcat.c) has changed due to copyright year
updates and changes not related to the license topic.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
[Julien: fix license hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Boolean Config.in symbols default to 'n', so we typically do not add such
redundant lines.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 53a302c6ed ("package/pppd: Add an option to enable/disable CBCP
support.") added a 'default n' line to Config.in, but booleans default to
'n', so we typically do not add such redundant lines.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit a028f0a51d ("package/psplash: add support for fullscreen config
option") added a 'default n' line to Config.in, but booleans default to 'n',
so we typically do not add such redundant lines.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The final upstream release of libgtk2 was published in December
2020. libgtk2 no longer builds with GCC 14.x, even less so with GCC
15.x. While Debian has some fixes to make it build with GCC 14.x,
those are not sufficient to allow building libgtk2 with GCC 15.x.
libgtk2 is anyway very old, largely superseded by libgtk3 and then
libgtk4. It is therefore time to remove it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Bernd: adjusted comment in package/avahi/avahi.mk]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The package is causing build errors with newer gcc versions:
sectables.c:331:22: error: initialization of 'void (*)(void)' from
incompatible pointer type 'void (*)(unsigned char *, int)'
[-Wincompatible-pointer-types]
331 | { 0x00, 0x00, section_PAT },
and many more.
The latest release dates back to 2007, the latest change in the CVS-
based source repository[1] (downloaded as dvbsnoop.zip) is also from
2007. No newer or maintained forks were found.
State of upstream ticket system[2]:
Bugs: last update 2012
Support Requests: No open tickets found.
Patches: last update 2010
Feature Requests: 1 from 2021, the rest 2012 and older
Instead of fixing build errors for an unmaintained project which is not
used by any other package we remove it from buildroot.
Fixes:
https://autobuild.buildroot.net/results/ea6/ea6786248b9ecf0eb1c1c1f7cdd0202462b75e00/
[1] https://sourceforge.net/p/dvbsnoop/cvs/
[2] https://sourceforge.net/p/dvbsnoop/_list/tickets
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The package is causing build errors with newer gcc versions:
procrank.c:381:9: error: implicit declaration of function 'asprintf';
did you mean 'vsprintf'? [-Wimplicit-function-declaration]
The latest upstream commit dates back to 2018 and no open issues/
bug reports are present so the projects seems unmaintained.
Instead of fixing build errors for such a project which is not used by
any other package we remove it from buildroot.
Fixes:
https://autobuild.buildroot.net/results/f2b/f2b41d27cf32808783b582e8ad714fb653c05713/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
bctoolbox was only needed as a dependency of linphone, as is anyway
bundled in more recent versions of linphone, making a separate package
unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
ortp was only needed as a dependency of linphone, as is anyway bundled
in more recent versions of linphone, making a separate package
unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
mediastreamer was only needed as a dependency of linphone, as is
anyway bundled in more recent versions of linphone, making a separate
package unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
belr was only needed as a dependency of linphone, as is anyway bundled
in more recent versions of linphone, making a separate package
unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
belle-sip was only needed as a dependency of linphone, as is anyway
bundled in more recent versions of linphone, making a separate package
unnecessary.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package is no longer maintained in Buildroot: no maintainer in
DEVELOPERS file, and doesn't build since we bumped mbedtls to version
3.x in commit 3481a9643f, which first
appeared in 2025.05.
Also, upstream linphone has changed their strategy, and now their
specific dependencies (bctoolbox, belle-sip, etc.) are bundled in
linphone, so anyway the packaging needs to be adapted significantly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 770f915497, libjwt was bumped
from 1.17.2 to 3.2.0, which is a big bump. And the libjwt website
states "Version 3 of LibJWT is a complete overhaul of the code. Please
see documentation for usage."
And indeed, this version bump breaks the build of Asterisk. Therefore
asterisk uses its bundled version of libjwt now and this package can be
removed as no other package depends on it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: slightly reword help text]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In commit 770f915497, libjwt was bumped
from 1.17.2 to 3.2.0, which is a big bump. And the libjwt website
states "Version 3 of LibJWT is a complete overhaul of the code. Please
see documentation for usage."
And indeed, this version bump breaks the build of Asterisk:
res_stir_shaken/attestation.c: In function 'pack_payload':
res_stir_shaken/attestation.c:357:9: error: implicit declaration of function 'jwt_add_grants_json' [-Wimplicit-function-declaration]
357 | jwt_add_grants_json(jwt, payload_str);
| ^~~~~~~~~~~~~~~~~~~
In file included from /home/autobuild/autobuild/instance-11/output-1/build/asterisk-22.3.0/include/asterisk/module.h:39,
from res_stir_shaken/attestation.c:24:
res_stir_shaken/attestation.c: In function '_dtor_jwt':
res_stir_shaken/attestation.c:367:38: error: implicit declaration of function 'jwt_free'; did you mean 'jwks_free'? [-Wimplicit-function-declaration]
367 | RAII_VAR(jwt_t *, jwt, NULL, jwt_free);
| ^~~~~~~~
To fix this, let's use the bundled version of libjwt in Asterisk,
since even Asterisk master hasn't been fixed to be compatible with
libjwt 3.x.
Of course, this raises the question of whether the separate libjwt
package should be removed, as it is anyway only used by Asterisk.
Fixes:
http://autobuild.buildroot.net/results/2d39791c65c5b71b0533d4b2bce5f073f5919552/
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Bernd: Added libopenssl dependency needed by bundled libjwt]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit adds broot, a fast and powerful file manager written
in Rust and licensed under MIT license. It supports filters, regular
expressions, and real-time "show-as-you-type" search for quick and easy
navigation, even in complex directory structures.
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
[Peter: use select rather than depends on for rustc]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
There are a number of kernel config fixups required for tailscale to
function properly, these are commonly enabled by default in various
kernel configs but lets make sure they are all enabled here as well.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Release notes from https://github.com/libts/tslib/releases :
This release includes libts version 0.10.5 and the following changes:
* improved release procedure
* debug fixes for 32bit systems
* CMake and autoconf updates for newer versions
* fixes for minor cppcheck errors
* ts_conf test program fixes
Signed-off-by: Martin Kepplinger-Novaković <martink@posteo.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release notes since edk2-stable202505, see:
https://github.com/tianocore/edk2/releases/tag/edk2-stable202508
This commit also updates the edk2-platforms packages with the last
commit merged at the edk2 release date (2025-08-12), which corresponds
to commit [1].
The edk2-non-osi package is not updated because it did not received
any commit since the last edk2 bump.
This commit has been runtime tested with tests using EDK2 package,
with commands:
support/testing/run-tests \
-d dl -o output_folder \
tests.boot.test_edk2 \
tests.boot.test_grub.TestGrubAArch64EFI \
tests.boot.test_grub.TestGrubi386EFI \
tests.boot.test_grub.TestGrubRiscV64EFI \
tests.boot.test_grub.TestGrubX8664EFI \
tests.fs.test_iso9660.TestIso9660Grub2EFI \
tests.fs.test_iso9660.TestIso9660Grub2Hybrid \
tests.package.test_fwts
It has also been runtime tested (by booting in qemu) with defconfigs
using EDK2 package:
qemu_aarch64_sbsa_defconfig
qemu_loongarch64_virt_efi_defconfig
qemu_riscv64_virt_efi_defconfig
[1] d1b297b2aa
Cc: Dick Olsson <hi@senzilla.io>
Cc: Romain Naour <romain.naour@smile.fr>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Tested-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
As was done in dc7c6487cf (Makefile: check rootfs overlays with
BR2_ROOTFS_MERGED_USR enabled) to document how overlays should be
set up for the merged-usr case, and following 428ac6fcc4 (system:
add support for merged /usr/sbin (aka merged-bin), extend the
documentation to explain how rootfs overlays should be set up for
the merged-bin case.
Reported-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This allows using any of the hash algorithms supported by U-Boot for
checksum (hash-N) nodes when building a FIT image, instead of only
SHA-1 or SHA-256.
Fixes: 14a0169714 "package/uboot-tools:
Bump to version 2025.10"
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Brings a number of bugfixes and a (not applicable to Buildroot) security fix
for wolfssl (by dropping support for it).
https://curl.se/ch/8.17.0.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bumps opensbi to v1.6 and add proper hash file.
Signed-off-by: Leo Yu-Chi Liang <ycliang@andestech.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Use tag instead of branch to download the linux source,
and add proper hash files.
Signed-off-by: Leo Yu-Chi Liang <ycliang@andestech.com>
[Julien: change linux-headers.hash to a symlink]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since version 256, systemd will taint the system if /usr/bin and
/usr/sbin are not merged, known as merged-bin:
# systemctl --no-pager status
● buildroot
State: running
Units: 166 loaded (incl. loaded aliases)
Jobs: 0 queued
Failed: 0 units
Since: Mon 2025-07-07 19:48:05 UTC; 19s ago
systemd: 257.7
Tainted: unmerged-bin
CGroup: /
├─init.scope
[...]
Although this is not yet an error, it will be in the future.
To be as ready as we can be when that happens, forcibly enable
merged-bin, like we did when we initially added merged-usr (except
this time we carry the select from systemd, even though it is not
yet strictly required, rather than from the init entry).
Extend the runtime test to catch any tainted flag.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Norbert Lange <nolange79@gmail.com>
Cc: Sen Hastings <sen@hastings.org>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When an external toolchain does not have a merged-bin, we can end up
with a situation where the toolchain installs an staging/usr/sbin/
directory, overriding the sbin symlink with an actual directory. When
not using PPD, this does not cause any harm.
However, with PPD, the build fails when preparing the staging (the
host/) for packages when the skeleton is eventually rsynced, e.g.:
$ cat defconfig
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_INIT_NONE=y
BR2_ROOTFS_MERGED_USR=y
BR2_ROOTFS_MERGED_SBIN=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_ZLIB=y
# BR2_TARGET_ROOTFS_TAR is not set
$ make zlib
[...]
>>> zlib Configuring
mkdir -p [...]/per-package/zlib/host
rsync -a --hard-links --link-dest=[...]/per-package/host-skeleton/host/ [...]/per-package/host-skeleton/host/ [...]/per-package/zlib/host
rsync -a --hard-links --link-dest=[...]/per-package/libzlib/host/ [...]/per-package/libzlib/host/ [...]/per-package/zlib/host
rsync -a --hard-links --link-dest=[...]/per-package/skeleton/host/ [...]/per-package/skeleton/host/ [...]/per-package/zlib/host
could not make way for new symlink: aarch64-buildroot-linux-gnu/sysroot/usr/sbin
cannot delete non-empty directory: aarch64-buildroot-linux-gnu/sysroot/usr/sbin
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1338) [sender=3.3.0]
make[1]: *** [package/pkg-generic.mk:256: [...]/build/zlib/.stamp_configured] Error 23
make: *** [Makefile:23: _all] Error 2
The root cause is that, in the skeleton, we end up with
[staging]/usr/sbin as a synlink to bin, but when the external toolchain
gets installed, the symlinbk is replaced by a directory. Later, when we
aggregate the PPD before configuring a package, it often happens that a
dependant package be rsynced before the toolchain and the skeleton, as
seen above, in which case the sbin directory from the toolchain, by way
of the dependency to a package, is already present when rsync wants to
create a symlink as rsynced from the skeleton.
In the example above, this plays in this order:
1. skeleton gets installed, provides a symlink
2. toolchain-external-bootlin rsyncs from skeleton, gets a symlink
3. toolchain-external-bootlin gets installed, replaces symlink with a
directory
4. libzlib rsyncs from skeleton, gets a symlink, then rsyncs from
toolchain-e-b, gets a directory
5. zlib rsyncs from libzlib first (because alphabetical ordering), gets
a directory, then rsyncs from skeleton, which rsyncs from a symlink,
but the destination is a non-empty directory, so rsync fails.
It is perfectly legit that an external toolchain does not use a
merged-bin setup, so we must accept that as input. We do so by treating
the /usr/sbin entry specially, like we already do for a few others, of
which /sbin itself for example.
Note that the merged-usr setup has no issue, because we already handle
the lib*/ directories specially too.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
With a merged-bin setup, there is no need to move ifconfig and route, as
they would already be in the proper place.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, we partially accept that a skeleton or a rootfs overlay be
merged:
- for unmerged, we accept all kind of situations: unmerged, partially
merged, badly merged, merged-usr or merged-bin, arbitrary relative
or absolute symlinks, and whatnots;
- for merged-usr, we strictly require a properly set up merged-usr,
and we refuse a merged-bin;
- for merged-bin, we stricty require a properly set up merged-bin.
The unmerged case is inconsistent with the other cases, especially it
allows for arbitrary symlinks that may point to arbitrary locations that
may even not belong to $(TARGET_DIR) at all...
We fix that by ensuring that the skeleton and overlays strictly adhere
to the merge-level of the configuration; i.e. for an unmerged config, we
require that the skeleton and overlays be strictly unmerged, that is,
/bin, /lib, and /sbin, and their counterparts in /usr, are actual
directories.
Thus, for all three types of merge level, the skeleton and overlays must
match the configured merge level.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Starting with version 256 [0], systemd warns when /usr/bin and
/usr/sbin are different directories; in the future, it may even
refuse to boot in such a situation.
Add support for merged-bin, not unlike the support we have for
merged-usr; we also make merged-bin a sub-case of merged-usr
(i.e. it is not possible to do merged-bin without merged-usr).
[0] https://github.com/systemd/systemd/blob/v256/NEWS#L265
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Acked-by: TIAN Yuanhao <tianyuanhao3@163.com>
Cc: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
We're going to need it to check merged-bin, so the naming would be
misleading as it would no longer be just about merged-usr.
Also drop the extension, it's useless.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, we accept that the merged usr is backward, i.e. that the
/usr/bin, /usr/sbin, and /usr/lib entries be symlinks to, resp., /bin,
/sbin, and /lib. We also allow either entries to be symlinks to other
parts of the root. Both are accepted despite the comment at the top of
the script explaining what should be accepted.
However, a properly merged usr is the other way around: /bin, /sbin, and
/lib are the symlinks to resp. /usr/bin, /usr/sbin, and /usr/lib, which
are actual directories.
Fix the check-merged-usr script accordingly: implement the test as we
mean it, by testing the conditions rather than resorting to a convoluted
and incorrect use of stat(1).
Even though the split between test_dir() and test_merged() seems
superfluous, it'll come useful when we introduce support for merged-bin
in a later patch.
For skeletons, we require that the directories do exist, while we allow
them to be missing for overlays; indeed, it is perfectly legit to
provide an overlay that only contains totally unrelated directories
(e.g. /var/www to populate a webroot for example).
Extend the heading-comment to be more explicit (and drop '/' as there is
nothing to say about it).
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
By moving the loop over the overlays into the script, we can generate
better error messages about how and why a skeleton or a specific overlay
is improperly setup for merged-usr.
We can also now rely on its exit code to decide whether the skeleton or
the overlays are properly setup, rather than stash the stdout/stderr to
a Makefile variable and test the emptiness thereof.
Introduce a --type option to pass the type of root to verify, for better
error reporting. This will incidentally be usefull in a future commit,
when we need to take different actions based on whether the root is a
skeleton or an overlay.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Rather than repeat the same canned sequence over and over again, move it
to a function that we can reuse as many times as needed. This will come
handy when we later need to check merged-bin.
Switch to using bash as it allows for nicer functions (local variables),
but we anyway require it globally already so that's not an additional
dependency.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Kconfig applies the default values in the order they are defined, and
stops at the first which condition is met. In this case, the two
conditions are mutually exclusive, so we can drop the second one. This
also makes it obvious there actually is a default value.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The current prompt is overly verbose, and departs from the usual
terminology used to refer to merged /usr, which, 10 years later [0],
makes it a little bit difficult to find or understand.
Furthermore, we're going to add another similar prompt for merged
/usr/sbin, and there's no way we want to introduce as similarly
convoluted prompt then.
Reword the prompt for the merged /usr option to the explicit "merged
/usr" everyone expects and understands.
[0] see commit c5bd8af65e (system: add options for /bin /sbin and
/lib to be symlinks into /usr)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Acked-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Buildroot commit 14a0169714 added gnutls
as dependency to BR2_PACKAGE_UBOOT_TOOLS_MKEFICAPSULE in uboot-tools.mk
without adding the dependency and its reverse dependencies to the
Config.in causing a build error:
Makefile:578: *** gnutls is in the dependency chain of uboot-tools that
has added it to its _DEPENDENCIES variable without selecting it or
depending on it from Config.in. Stop.
Fixes:
https://autobuild.buildroot.net/results/39d/39db5ae9aad95e4976c3d8a40aca95b26568f8ea/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: remove "https" in comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] has made ncurses a requirement for building the package.
The added patches fix the following build errors:
/usr/bin/install -c -d ../../../lib
buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-gcc -shared -Wl,-export-dynamic -o ../../../lib/libbrlttyxfv.so screen.o -ltinfo
buildroot/output/host/lib/gcc/arm-buildroot-linux-gnueabihf/14.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: cannot find -ltinfo: No such file or directory
collect2: error: ld returned 1 exit status
./unicode.c: In function ‘getTransliteratedCharacter’:
./unicode.c:349:27: error: initialization of ‘iconv_t’ {aka ‘long int’} from ‘void *’ makes integer from pointer without a cast [-Wint-conversion]
349 | static iconv_t handle = NULL;
| ^~~~
Update README hash:
- v6.8:
- Update the copyright from 2024 to 2025.
- v6.7:
- Update the supported braille devices lists.
- Add support for the HIMS eMotion.
- Add support for HT's Activator Pro models.
- Add support for the KGS Next Touch 40.
- Change the copyright from 2023 to 2024.
- Document that HT's Basic Braille Plus models are supported.
Release notes:
https://github.com/brltty/brltty/blob/BRLTTY-6.8/Documents/ChangeLog
[1] 8f7d65569e
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.56 and U-Boot to
version 2025.10.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
On v3.2.2, testing with an Infineon SLB9673 resulted in the following
error when attempting to read from a previously written NV index.
Upgrading to the latest release, v4.1.3, resolves the issue:
```shell
~# tpm2_nvread 0x1900001
WARN: Reading full size of the NV index
ERROR:esys:../tpm2-tss-3.2.2/src/tss2-esys/esys_iutil.c:1096:esys_GetResourceObject() Error: Esys handle does not exist (70018).
ERROR: Esys_SequenceComplete(0x70018) - esapi:The ESYS_TR resource object is bad
ERROR: Failed to get shandle
ERROR: Failed to read NVRAM area at index 0x1900001
ERROR: Unable to run tpm2_nvread
```
Between v3.2.2 and v4.1.3, the most notable update is v4.1.0 [1], which
includes a fix for CVE-2024-29040, along with 40+ bug fixes and 10+ new
features. Bumping to v4.1.3 adds access to these improvements and
addresses the NV index read issue.
[1] https://github.com/tpm2-software/tpm2-tss/releases/tag/4.1.0
Fixes:
https://www.cve.org/CVERecord?id=CVE-2024-29040
Signed-off-by: Abelino Romo <abelino.romo@gmail.com>
[Fiona: rebase for package/tpm2-tss changes]
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien:
- add "security" in commit log title
- add "Fixes:" and CVE url in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit [1] set the default value of '<pkg>_CPE_ID_UPDATE' to not use
a wildcard by default. But instead of setting the value to '-' it set it
to an empty value instead.
According to document [2] section 6.1.2.1.1 the 'Not Attributed' value
bind to an hyphen ('-') and the blank statement bind to the 'Any' ('*').
Because the CPE matching function was incorrect using a blank statement
worked to remove the false positives but this is not correct according
to the CPE documentation.
[1] 53a8616460 package/pkg-generic.mk: use more sensible default value for <pkg>_CPE_ID_UPDATE
[2] https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
Fixes: 53a8616460.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Given the following criteria: `cpe:2.3:a:oneidentitty:syslog-ng:*:*:*:*:-:*:*:*`.
The former `cpe_matches` implementation would match with the following
CPE: `cpe:2.3:a:oneidentitty:syslog-ng:4.71:*:*:*:premium:*:*:*`.
The 'hyphen' ('-') meaning is "Not Attributed" (NA) a criteria with no
attributed software edition shouldn't match with a CPE with an attributed
software edition:
https://csrc.nist.gov/pubs/ir/7695/final
This patch also create a distinct 'CPE' object that aggregate the
function specifics to CPEs like it's done for 'CVE'.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The `support/script/cve.py` file is used as a library. Depending on how
you use this library you might not want to write content to stdout when
calling its function.
This patch move the 'updating' log to the 'pkg-stats' script and write
the alert when LooseVersion doesn't have a version to stderr.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Buildroot commit [1] "package/llvm-project: bump to version
21.1.4", bcc is failing at compilation time.
This commit adds an upstream patch to fix this issue.
[1] d6a7c02263
Signed-off-by: Julien Olivain <ju.o@free.fr>
The test tests.package.test_xen.TestXenArmv7 has become unstable after
commit 24ff258905 ("support/testing: test_xen: add networking"),
leading to a ~50% chance of failure on gitlab CI.
This seems to happen only with 32b (not with the 64b TestXenAarch64),
only with Qemu < 9.1, and when this happens the test will hang during a
step involving the simulated network and the dom1 (DHCP or ping).
The root cause is suspected to be a bug in the virtio-net hardware
emulation of the qemu version 7.2.15 included in the Buildroot docker
image.
As a workaround, remove all network interactions between dom1 and the
simulated network:
- Instead of the gateway, ping dom0 from dom1.
- Instead of using DHCP, configure the network with fixed IP addresses,
so that we know the IP address of the dom0.
A possible solution could have been to compile a host-qemu within the
test, by adding BR2_PACKAGE_HOST_QEMU=y and
BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y in the test configuration.
This would have used the current Buildroot version (10.1.0) not affected
by this issue, but this would also have significantly increased the test
compilation time.
Since the DHCP is not really needed here to test the Xen networking
capability, this is why the network configuration simplification was
preferred here.
After those changes both Xen tests are stable on CI and locally.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/11871454648
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
- The mkeficapsule tools need gnutls to build, and the config dependency
to build the tool has changed
- CONFIG_FIT_SIGNATURE need to be defined to build fit_check_sign
- CONFIG_FIT_PRINT does not need to be defined anymore
- Remove patch 2 and reorder patch files
- Include linux/kconfig.h to include/config.h to allow IS_ENABLED macro
to be used in c files
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Julien: update .checkpackageignore to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes:
https://lists.exim.org/lurker/message/20251028.114149.3bf19800.en.html
Rebased patch 0001 due to upstream commit
cd43f5ee0f
Rebased patch 0004 due to upstream commit
834dae5565
Added patch 0005 to fix cross-builds.
Added ldflags for mips arch to solve build error with br-mips64-n64-full
defconfig, code copied from package/linux-tools/linux-tool-perf.mk.in:
output/per-package/exim/host/bin/mips64el-linux-ld: dkim_tmp.o: ABI is incompatible with that of the selected emulation
output/per-package/exim/host/bin/mips64el-linux-ld: failed to merge target specific data of file dkim_tmp.o
output/per-package/exim/host/bin/mips64el-linux-ld: dkim_transport.o: ABI is incompatible with that of the selected emulation
output/per-package/exim/host/bin/mips64el-linux-ld: failed to merge target specific data of file dkim_transport.o
output/per-package/exim/host/bin/mips64el-linux-ld: pdkim.o: ABI is incompatible with that of the selected emulation
output/per-package/exim/host/bin/mips64el-linux-ld: failed to merge target specific data of file pdkim.o
output/per-package/exim/host/bin/mips64el-linux-ld: signing.o: ABI is incompatible with that of the selected emulation
output/per-package/exim/host/bin/mips64el-linux-ld: failed to merge target specific data of file signing.o
output/per-package/exim/host/bin/mips64el-linux-ld: attempt to do relocatable link with elf64-tradlittlemips input and elf32-ntradlittlemips output
output/per-package/exim/host/bin/mips64el-linux-ld: dkim_tmp.o: file class ELFCLASS64 incompatible with ELFCLASS32
output/per-package/exim/host/bin/mips64el-linux-ld: final link failed: file in wrong format
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add "Upstream" header in patch 5 to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 1.35.2, see:
https://github.com/janet-lang/janet/releases
remove upstream patch
diff LICENSE:
-Copyright (c) 2023 Calvin Rose and contributors
+Copyright (c) 2025 Calvin Rose and contributors
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
1.74 Timeout in bcm2835_i2c_write() increased by a factor of 10 because
some users have reported spurious timeouts at slow speeds.
1.75 Patches to bcm2835_aux_spi_transfernb() from Sean Goff to deal with
the case where the process is interrupted between filling the TX
FIFO and reading the RX FIFO.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.56 and U-Boot to
version 2025.10.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit e4749b826c disabled
parallel builds back in 2016. Nearly 10 years and a "Complete rewrite
[of] the BIND 9 build system" later
978c7b2e89
we enable parallel builds again, make -j1000 finished without problems.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commits 7b43e24818 and
8adeaec8af removed the possibility for
static builds but forgot to remove some related _CONF_OPTS.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds a package for Snagboot, the open-source
vendor-neutral recover and reflashing tool for embedded targets. We
install the dependencies needed for snagrecover and snagflash, but we
don't bother installing the dependencies of the GUI-based snagfactory,
as that would require Kivy on the host, which is Qt based.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds a new host package for python-pyfatfs, which is
needed by Snagboot.
Homepage: https://pypi.org/project/pyfatfs/
A small test doing some minimal verification that pyfatfs works is
also added.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds a host package for the Python 'fs' module, needed as
a dependency of pyfatfs, itself needed by Snagboot.
Homepage: https://pypi.org/project/fs/
In addition, a very simple test case is adding to check that
host-python-fs is minimally working.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host variant will be needed by the host-python-fs package, soon to
be added.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host variant of python-xmodem will be needed by Snagboot, so this
commit enables it. We also add a very simple test case that simply
makes sure we can import the module. Testing xmodem more extensively
is difficult without an actual serial port to open.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host variant of python-pyusb will be neded for Snagboot, so it is
enabled with this commit. In addition, we're adding a very simple test
case to validate that host-python-pyusb minimally works.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
A host variant of python-tftpy will be needed for Snagboot, so enable
it, and add a very simple test for the host package. We considered
adding a test that actually starts a TFTP server with tftpy and then
downloads from that server with the client-side of tftpy, but
allocating an available UDP port reliably is tricky, so we kept the
test case very simple for now.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Colin Foster <colin.foster@in-advantage.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This quickly tests that the host-python-serial package at least
minimally works.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds a new host only package for the crccheck Python
module, which is a dependency of Snagboot.
Homepage on PyPi: https://pypi.org/project/crccheck/
This commit also adds a very basic test case that allows to verify
that the Python module can be imported and that some minimal
functionality works.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Runtime test cases are currently mostly used to test target packages,
and the BRTest class is perfect for that as we can easily feed a
Buildroot configuration, boot it under Qemu and run commands inside
the emulator.
A few tests use the more basic BRConfigTest when they have special
needs that don't match with BRTest.
However, as we are going to add a number of tests to verify the proper
functionality of some host only packages, which have no visible
menuconfig option, it makes sense to add another BRHostPkgTest class
that allows to easily trigger the build of "make host-<foo>
host-<bar>", and then run some commands on the host machine. Such
tests could be done by using BRConfigTest, but that would require a
bit of duplicated boilerplate, which BRHostPkgTest allows to remove.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When run_cmd_on_host() runs a command that fails, we only get an
exception with no details to debug what happened. Let's improve that
by catching the exception, and printing the command output. This
requires redirecting stderr to stdout (instead of /dev/null) and
asking to get the output in text format.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes:
https://gitlab.com/NTPsec/ntpsec/-/blob/NTPsec_1_2_4/NEWS.adoc?ref_type=tags
Buildroot commit a532772468 added patch
0003 although it should have been 0002 => renumbered.
Added upstream commit as 0003 for partial build fix with gcc 14.x
Added another patch to fix build with gcc >= 14.x for
BR2_PACKAGE_NTPSEC_REFCLOCK_ALL=y
Move env variable declarations from _CONF_OPTS to _CONF_ENV to fix a
configure error caused by updated waf scripts included in this release.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a package for llama.cpp, a C/C++ LLM inference library, used in
popular projects like Ollama, RamaLama, and more.
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- add a Config.in comment justifying the dynamic libraries for uclibc
- add missing conditions in Config.in toolchain dependencies
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For more details on the version bump, see:
- https://github.com/ImageMagick/ImageMagick/compare/7.1.2-3...7.1.2-8
Fixes the following vulnerability:
- CVE-2025-62171
ImageMagick is an open source software suite for displaying,
converting, and editing raster image files. In ImageMagick versions
prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability
exists in the BMP decoder on 32-bit systems. The vulnerability
occurs in coders/bmp.c when calculating the extent value by
multiplying image columns by bits per pixel. On 32-bit systems with
size_t of 4 bytes, a malicious BMP file with specific dimensions can
cause this multiplication to overflow and wrap to zero. The overflow
check added to address CVE-2025-57803 is placed after the overflow
occurs, making it ineffective. A specially crafted 58-byte BMP file
with width set to 536,870,912 and 32 bits per pixel can trigger this
overflow, causing the bytes_per_line calculation to become zero.
This vulnerability only affects 32-bit builds of ImageMagick where
default resource limits for width, height, and area have been
manually increased beyond their defaults. 64-bit systems with size_t
of 8 bytes are not vulnerable, and systems using default ImageMagick
resource limits are not vulnerable. The vulnerability is fixed in
versions 7.1.2-7 and 6.9.13-32.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-62171
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm
- cea1693e2d
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See https://jvn.jp/en/jp/JVN19358384/
This fixes the following vulnerability:
- CVE-2025-24912:
hostapd fails to process crafted RADIUS packets properly. When hostapd
authenticates wi-fi devices with RADIUS authentication, an attacker in
the position between the hostapd and the RADIUS server may inject
crafted RADIUS packets and force RADIUS authentications to fail.
https://www.cve.org/CVERecord?id=CVE-2025-24912
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed all patches because they are included in this release, although
with different commits than mentioned in our patch files:
0001: acbbeef9f5
0002: f7ebc65f05
0003: c24909ba26
0004: c340e41950
Updated license hash due to upstream commit:
4bd66d4549
Removed python3 bindings due to their pending removal in 2.16:
https://download.gnome.org/sources/libxml2/2.15/libxml2-2.15.0.news
which prevents us from adding a dependency on host-doxygen due to
upstream commit
bbe5827c94
"Doxygen will also be required to build the Python bindings."
Removed lzma support due to upstream removal:
1763281cd6
Added configure options for threads and static/shared libs needed due to
upstream commit:
f070acc564
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The getunconfirmedbalance rpc call was marked as deprecated
in [1] (included in v0.19.0, released on 2019-11-08) and removed
in [2] (included in v30.0, released on 2025-10-09).
This commit replaces the old getbalance/getunconfirmedbalance rpc
calls with the new call getbalances (plural) returning a json
object containing all the data.
This commit is needed before updating bitcoin to v30.0.
[1] facfb4111d
[2] c3fe85e2d6
Cc: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit adds a backported upstream patch to fix the following build
failure:
ptp2/ptp-pack.c:3168:31: note: earlier argument should specify number of elements, later size of each element
ptp2/chdk.c: In function 'yuv_live_to_jpeg':
ptp2/chdk.c:1203:41: error: passing argument 3 of 'jpeg_mem_dest' from incompatible pointer type [-Wincompatible-pointer-types]
1203 | jpeg_mem_dest (&cinfo, &outbuf, &outlen);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from ptp2/chdk.c:31:
/home/autobuild/autobuild/instance-0/output-1/per-package/libgphoto2/host/armeb-buildroot-linux-gnueabi/sysroot/usr/include/jpeglib.h:989:43: note: expected 'long unsigned int *' but argument is of type 'uint64_t *' {aka 'long long unsigned int *'}
989 | unsigned long *outsize);
Fixes:
- https://autobuild.buildroot.org/results/db742e301a401c9f4bdf3c7e8cfde9f0ba1c4558
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This contains many bug and security fixes since v22.12.0.
See the release notes: https://poppler.freedesktop.org/releases.html
In addition:
- Drop patch that has been applied upstream
- Update a few cmake configuration options that changed upstream
There is currently a build failure when enabling gpgme, so disable it
unconditionally for now.
Finally, this fixes the following vulnerabilities:
- CVE-2024-6239:
A flaw was found in the Poppler's Pdfinfo utility. This issue occurs
when using -dests parameter with pdfinfo utility. By using certain
malformed input files, an attacker could cause the utility to crash,
leading to a denial of service.
https://www.cve.org/CVERecord?id=CVE-2024-6239
- CVE-2024-56378:
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read
vulnerability within the JBIG2Bitmap::combine function in
JBIG2Stream.cc.
https://www.cve.org/CVERecord?id=CVE-2024-56378
- CVE-2025-32364:
A floating-point exception in the PSStack::roll function of Poppler
before 25.04.0 can cause an application to crash when handling
malformed inputs associated with INT_MIN.
https://www.cve.org/CVERecord?id=CVE-2025-32364
- CVE-2025-32365:
Poppler before 25.04.0 allows crafted input files to trigger out-of-
bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
because of a misplaced isOk check.
https://www.cve.org/CVERecord?id=CVE-2025-32365
- CVE-2025-43903:
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
adbe.pkcs7.sha1 signatures on documents, resulting in potential
signature forgeries.
https://www.cve.org/CVERecord?id=CVE-2025-43903
- CVE-2025-50420:
An issue in the pdfseparate utility of freedesktop poppler v25.04.0
allows attackers to cause an infinite recursion via supplying a
crafted PDF file. This can lead to a Denial of Service (DoS).
https://www.cve.org/CVERecord?id=CVE-2025-50420
- CVE-2025-52886:
Poppler is a PDF rendering library. Versions prior to 25.06.0 use
`std::atomic_int` for reference counting. Because `std::atomic_int` is
only 32 bits, it is possible to overflow the reference count and
trigger a use-after-free. Version 25.06.0 patches the issue.
https://www.cve.org/CVERecord?id=CVE-2025-52886
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: mark commit as "security" in commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Do not bump to a more recent version, as the build system has
fundamentally changed.
See the release notes:
- https://github.com/netdata/netdata/releases/tag/1.34.0
- https://github.com/netdata/netdata/releases/tag/v1.34.1
- https://github.com/netdata/netdata/releases/tag/v1.35.0
- https://github.com/netdata/netdata/releases/tag/v1.35.1
- https://github.com/netdata/netdata/releases/tag/v1.36.0
- https://github.com/netdata/netdata/releases/tag/v1.36.1
- https://github.com/netdata/netdata/releases/tag/v1.37.0
- https://github.com/netdata/netdata/releases/tag/v1.37.1
In addition, add upstream patch to fix cross-compilation.
This fixes the following vulnerabilities:
- CVE-2023-22496:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. An attacker with the ability to
establish a streaming connection can execute arbitrary commands on the
targeted Netdata agent. When an alert is triggered, the function
`health_alarm_execute` is called. This function performs different
checks and then enqueues a command by calling `spawn_enq_cmd`. This
command is populated with several arguments that are not sanitized.
One of them is the `registry_hostname` of the node for which the alert
is raised. By providing a specially crafted `registry_hostname` as
part of the health data that is streamed to a Netdata (parent) agent,
an attacker can execute arbitrary commands at the remote host as a
side-effect of the raised alert. Note that the commands are executed
as the user running the Netdata Agent. This user is usually named
`netdata`. The ability to run arbitrary commands may allow an attacker
to escalate privileges by escalating other vulnerabilities in the
system, as that user. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, streaming is not enabled by default. If you have
previously enabled this, it can be disabled. Limiting access to the
port on the recipient Agent to trusted child connections may mitigate
the impact of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22496
- CVE-2023-22497:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. Each Netdata Agent has an
automatically generated MACHINE GUID. It is generated when the agent
first starts and it is saved to disk, so that it will persist across
restarts and reboots. Anyone who has access to a Netdata Agent has
access to its MACHINE_GUID. Streaming is a feature that allows a
Netdata Agent to act as parent for other Netdata Agents (children),
offloading children from various functions (increased data retention,
ML, health monitoring, etc) that can now be handled by the parent
Agent. Configuration is done via `stream.conf`. On the parent side,
users configure in `stream.conf` an API key (any random UUID can do)
to provide common configuration for all children using this API key
and per MACHINE GUID configuration to customize the configuration for
each child. The way this was implemented, allowed an attacker to use a
valid MACHINE_GUID as an API key. This affects all users who expose
their Netdata Agents (children) to non-trusted users and they also
expose to the same users Netdata Agent parents that aggregate data
from all these children. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, do not enable streaming by default. If you have previously
enabled this, it can be disabled. Limiting access to the port on the
recipient Agent to trusted child connections may mitigate the impact
of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22497
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add comment before _AUTORECONF with patch name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 3.24.43, see:
https://gitlab.gnome.org/GNOME/gtk/-/blob/3.24.51/NEWS
Note: the "+" in the project name and source archive was removed
upstream. This commit updates _SOURCE and _SITE accordingly.
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Julien: add link to release notes]
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510
Also update the download site to https
This fixes the following vulnerability:
- CVE-2024-23807:
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
contains a use-after-free error triggered during the scanning of
external DTDs. Users are recommended to upgrade to version 3.2.5
which fixes the issue, or mitigate the issue by disabling DTD
processing. This can be accomplished via the DOM using a standard
parser feature, or via SAX using the XERCES_DISABLE_DTD environment
variable. This issue has been disclosed before as CVE-2018-1311, but
unfortunately that advisory incorrectly stated the issue would be
fixed in version 3.2.3 or 3.2.4.
https://www.cve.org/CVERecord?id=CVE-2024-23807
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When building in parallel with per-package directories
(BR2_PER_PACKAGE_DIRECTORIES=y), brmake output is often garbled:
2025-10-08T18:39:10 >>> host-dtc 1.7.2 Building
2025-10-08T18:39:11 checking for stdint.h... >>> host-dtc 1.7.2 Installing to host directory
2025-10-08T18:39:12 checking for limits.h... >>> host-gmp 6.3.0 Installing to host directory
Remove the spurious string between the timestamp and the ">>>" marker to
fix this.
We need some extra care to preserve the preceding "term bold" special
characters sequence.
We also prevent grep and sed to buffer their output too much. This leads to
more frequent output even when we might not be connected to a terminal; for
example: when brmake's output is piped to another program or when running
in CI.
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the many release notes: https://github.com/libvips/libvips/releases
Along that version bump:
- Change source code archive compression from .gz to .xz as this the
new upstream delivery format
- Switch from autotools to meson build system (see upstream commit
538aa2a841)
- Update the LICENSE file (see upstream commit
057703938e)
This fixes the following vulnerabilities:
- CVE-2025-29769:
libvips is a demand-driven, horizontally threaded image processing
library. The heifsave operation could incorrectly determine the
presence of an alpha channel in an input when it was not possible to
determine the colour interpretation, known internally within libvips
as "multiband". There aren't many ways to create a "multiband" input,
but it is possible with a well-crafted TIFF image. If a "multiband"
TIFF input image had 4 channels and HEIF-based output was requested,
this led to libvips creating a 3 channel HEIF image without an alpha
channel but then attempting to write 4 channels of data. This caused a
heap buffer overflow, which could crash the process. This
vulnerability is fixed in 8.16.1.
https://www.cve.org/CVERecord?id=CVE-2025-29769
- CVE-2025-59933:
libvips is a demand-driven, horizontally threaded image processing
library. For versions 8.17.1 and below, when libvips is compiled with
support for PDF input via poppler, the pdfload operation is affected
by a buffer read overflow when parsing the header of a crafted PDF
with a page that defines a width but not a height. Those using libvips
compiled without support for PDF input are unaffected as well as
thosewith support for PDF input via PDFium. This issue is fixed in
version 8.17.2. A workaround for those affected is to block the
VipsForeignLoadPdf operation via vips_operation_block_set, which is
available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED
environment variable at runtime, which will block all untrusted
loaders including PDF input via poppler.
https://www.cve.org/CVERecord?id=CVE-2025-59933
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: update _LICENSE_FILES to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When the test was introduced in [1], a comparison of the source and
the destination file was added, with a typo (the method ".cmp" name is
missing).
The test is failing with error such as in [2]:
Traceback (most recent call last):
File "/root/sample_python_scp.py", line 15, in <module>
assert filecmp("/etc/hostname", "/tmp/hostname")
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: 'module' object is not callable
This commit fixes that.
[1] 7470587cfa
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/11781378510
Cc: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For relase notes, see:
https://go.dev/doc/devel/release#go1.25.0
go1.25.2 (released 2025-10-07) includes security fixes to the archive/tar,
crypto/tls, crypto/x509, encoding/asn1, encoding/pem, net/http, net/mail,
net/textproto, and net/url packages, as well as bug fixes to the compiler,
the runtime, and the context, debug/pe, net/http, os, and sync/atomic
packages. See release announce:
https://groups.google.com/g/golang-announce/c/4Emdl2iQ_bI
go1.25.3 (released 2025-10-13) includes fixes to the crypto/x509 package.
See release announce:
https://groups.google.com/g/golang-announce/c/YEyj6FUNbik
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add links to release notes and announces]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Adding PKGLIBDIR to CFLAGS was necessary to fix the following error
raised during the compilation of the new version:
execute.c: In function ‘set_environ’:
execute.c:107:48: error: ‘PKGLIBDIR’ undeclared (first use in this function)
107 | *ppch++ = setlocalenv("%s=%s", "PATH", PKGLIBDIR ":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
| ^~~~~~~~~
execute.c:107:48: note: each undeclared identifier is reported only once for each function it appears in
execute.c:107:57: error: expected ‘)’ before string constant
107 | *ppch++ = setlocalenv("%s=%s", "PATH", PKGLIBDIR ":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
This PKGLIBDIR define was added upstream in commit [1] in the Makefile
default CFLAGS, but since Buildroot redefines those it needs to be added
back.
Release notes since 0.8.41:
https://salsa.debian.org/debian/ifupdown/-/blob/master/debian/changelog#L1
[1] 1eee7a3040
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps:
- U-Boot to version v2025.10
- Linux kernel to version 6.12.53 (LTS)
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.53 and U-Boot to
version 2025.10 for
- stm32mp135f_dk_defconfig
- stm32mp157a_dk1_defconfig
- stm32mp157c_dk2_defconfig
Tested on STM32MP157C-DK2 Discovery Board.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.194 and U-Boot to
version 2025.10.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.194 and U-Boot to
version 2025.10.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.1.155. The size of
xipImage has increased by only 1126 bytes (1673444 bytes compared to
1672318 in version 6.1.143).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In some specific configurations (target 32bit x86, disable compiler
optimizations, and openssl binary enabled), the compilation fails
with the error:
/home/autobuild/autobuild/instance-7/output-1/host/lib/gcc/i686-buildroot-linux-gnu/14.3.0/../../../../i686-buildroot-linux-gnu/bin/ld: ./libcrypto.so: undefined reference to `ossl_aes_cfb128_vaes_dec'
/home/autobuild/autobuild/instance-7/output-1/host/lib/gcc/i686-buildroot-linux-gnu/14.3.0/../../../../i686-buildroot-linux-gnu/bin/ld: ./libcrypto.so: undefined reference to `ossl_aes_cfb128_vaes_enc'
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_x86_corei7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_OPTIMIZE_0=y
BR2_PACKAGE_OPENSSL=y
BR2_PACKAGE_LIBOPENSSL_BIN=y
EOF
make olddefconfig
make libopenssl
This commit adds a patch to fix the issue.
Fixes:
https://autobuild.buildroot.net/results/214/214b918f6b56e005b180145d245491971f3e3476/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When mjpg-streamer is built with gcc >= 14 using libjpeg (rather than
jpeg-turbo), and with SDL is enabled (to enable the output_viewer),
the compilation can fail with error:
output_viewer.c:125:32: error: assignment to ‘boolean (*)(struct jpeg_decompress_struct *)’ from incompatible pointer type ‘int (*)(struct jpeg_decompress_struct *)’ [-Wincompatible-pointer-types]
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBJPEG=y
BR2_PACKAGE_MJPG_STREAMER=y
BR2_PACKAGE_SDL=y
EOF
make olddefconfig
make mjpg-streamer
This commit adds a patch to fix this issue.
Fixes:
https://autobuild.buildroot.net/results/3a5/3a5674e4e7bb3f2894575191af24598e2a696912/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 553c55e9bd added the
qt6multimedia package including an option to build examples which
contains a dependency to qt6svg without selecting the package in
Config.in.
Fixes:
https://autobuild.buildroot.org/results/c94670cf255a1a6975e99d7b22a159f7fdc6f850/
Makefile:578: *** qt6svg is in the dependency chain of qt6multimedia
that has added it to its _DEPENDENCIES variable without selecting it
or depending on it from Config.in. Stop.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an upstream patch to fix a build issue related to uint64_t:
utils.c: In function ‘get_uint64’:
utils.c:118:18: error: passing argument 1 of ‘str_toul’ from incompatible pointer type [-Wincompatible-pointer-types]
118 | str_toul(&defval, p, NULL, 16);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from utils.c:48:
utils.h:412:29: note: expected ‘long unsigned int *’ but argument is of type ‘uint64_t *’ {aka ‘long long unsigned int *’}
Fixes:
https://autobuild.buildroot.org/results/51af1d7bf71061f22d49213951a5f6a9565710c3/
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Waffle has two build systems. In commit f162f8126ec4 ("cmake:
deprecate cmake in favour of meson") [1], cmake is not the preferred
build system, and fails when used. Bump to latest version available
(which has been released a year ago) and switch to meson build system.
This commit also removes the package patches. They make no longer
sense since they are either merged or related to deprecated cmake
build. The .checkpackageignore patch entries are also removed.
This commit also forces the meson build.pkg_config_path value. The
default path goes for $(HOST)/lib/pkgconfig. This does not work for
latest waffle version since prefix in the pkg-config file points to the
host directory. This results in the concatenation of $(STAGING_DIR)/xxx
and $(HOST_DIR)/... which ultimately resolve in a file not found.
Instead, override the default path to $(STAGING_DIR)/usr/share.
[1] f162f8126e
Signed-off-by: Raphael Gallais-Pou <rgallaispou@gmail.com>
[Julien:
- squash patches related to the bump altogether
- change _VERSION to use "git describe --abbrev=40" format
- remove .checkpackageignore entries to fix check-package errors
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a basic test involving a local SSH connection (based on dropbear
server). The test validates that we are able, through python-scp, to
fetch the /etc/hostname file.
The test needs some basic key initialization to allow connecting to the
dropbear server, hence the custom run_sample_scripts method.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Julien:
- remove unneeded os import in test script
- execute setup commands with assertRunOk()
- create /root/.ssh with 0700 mode
- run sample scripts using super()
- check in the sample file that copied files are the same
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add python-scp as a new package. python-scp allows to send and receives
files in python through the scp1 protocol, on top of paramiko.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The test is using the django integration of whitenoise as it's the most
common setup and allows to model the test case after the django one as
well.
The setup we need to do is a bit more complicated though and follows
the whitenoise getting started documentation [1].
We then request a .css file from the django admin app that is enabled
by default in template project. Due to running django's development
server with --nostatic we ensure that static file handling is taken over
by whitenoise.
[1] https://whitenoise.readthedocs.io/en/stable/django.html
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Weston 14.0.2 has a "< 0.3.0" version constraint for the
libdisplay-info dependency. Upstream has relaxed the dependency,
explicitly stating "There are no breaking changes for the high-level
API that Weston uses" [1], but there is no release with the change
yet.
The change had to be backported due to restructuring on upstream
"main" since, where libdisplay-info has become a dependency of Weston
in general, not just the DRM backend.
[1] 683eabb61e
Fixes: 1a66cdf7b3
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog:
https://github.com/jawah/charset_normalizer/blob/master/CHANGELOG.md#changelog
Upstream setuptools-scm build dependency. Also the upper bound of
mypy(c) is currently high enough that we can remove the
--skip-dependency-check hack.
mypy(c) is now also optional if CHARSET_NORMALIZER_USE_MYPYC isn't set
to one. As we don't really care about the performance optimization in
the host package we can skip the mypyc step and remove the dependency on
mypyc for the host package.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bumping pydantic requires also bumping pydantic-core (and vice versa),
so we do that in the same commit.
Release announcement for pydantic 2.12:
https://pydantic.dev/articles/pydantic-v2-12-release
pydantic-core had a build-time dependency on host-python-typing-extensions,
but that is no required, it builds fine without.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add pydantic-core in commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Enhance the Xen python tests to exercise networking:
- Add the networking support we need to the Linux kernel configurations.
- Add a virtual network interface to the Xen dom1 configurations.
- Update the test in the following way:
* Start the emulator with restricted networking.
* Create a network bridge in dom0.
* Check that networking is functional in both domains by ping'ing the
gateway.
(Refer also to the diagram in the python script.)
- While at it, bump Linux kernel to 6.17.1 and U-Boot to 2025.07.
We also need to adjust the DTB address in the Arm 32b U-Boot script to
accommodate the new U-Boot version, which does not have enough free space
around the control DTB anymore.
We disable IPv6 in both kernel configurations to make the 32b test pass
on gitlab CI.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.34-ti-arm32-r12 and
U-Boot to version 2025.10.
Tested on beaglebone black.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This new version is required to compile grout v0.13.0.
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Release notes: https://www.python.org/downloads/release/python-3138/
Fixes the following security issues:
gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only
garbage-collected once they are no longer referenced by subparsers created
by ExternalEntityParserCreate(). Patch by Sebastian Pipping.
gh-139283: sqlite3: correctly handle maximum number of rows to fetch in
Cursor.fetchmany and reject negative values for Cursor.arraysize. Patch by
Bénédikt Tran.
gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to
the HTML5 standard
https://docs.python.org/release/3.13.8/whatsnew/changelog.html#security
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: Mark as security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See the release notes:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.11
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.12
This fixes the following vulnerabilities:
- CVE-2025-52891:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before
2.9.11, an empty XML tag can cause a segmentation fault. If
SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is
application/xml, and at least one XML tag is empty (eg <foo></foo>),
then a segmentation fault occurs. This issue has been patched in
version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to
Off.
https://www.cve.org/CVERecord?id=CVE-2025-52891
- CVE-2025-54571:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below,
an attacker can override the HTTP response’s Content-Type, which could
lead to several issues depending on the HTTP scenario. For example, we
have demonstrated the potential for XSS and arbitrary script source
code disclosure in the latest version of mod_security2. This issue is
fixed in version 2.9.12.
https://www.cve.org/CVERecord?id=CVE-2025-54571
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes:
https://github.com/redis/redis/blob/8.2.2/00-RELEASENOTES
This fixes the following vulnerabilities (in the Lua scripting engine):
- CVE-2025-46817:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to cause an integer overflow and
potentially lead to remote code execution The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2.
https://www.cve.org/CVERecord?id=CVE-2025-46817
- CVE-2025-46818:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate different LUA objects and
potentially run their own code in the context of another user. The
problem exists in all versions of Redis with LUA scripting. This issue
is fixed in version 8.2.2. A workaround to mitigate the problem
without patching the redis-server executable is to prevent users from
executing LUA scripts. This can be done using ACL to block a script by
restricting both the EVAL and FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46818
- CVE-2025-46819:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted LUA script to read out-of-bound data or crash the
server and subsequent denial of service. The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2. To workaround this issue without patching the redis-server
executable is to prevent users from executing Lua scripts. This can be
done using ACL to block a script by restricting both the EVAL and
FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46819
- CVE-2025-49844:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate the garbage collector,
trigger a use-after-free and potentially lead to remote code
execution. The problem exists in all versions of Redis with Lua
scripting. This issue is fixed in version 8.2.2. To workaround this
issue without patching the redis-server executable is to prevent users
from executing Lua scripts. This can be done using ACL to restrict
EVAL and EVALSHA commands.
https://www.cve.org/CVERecord?id=CVE-2025-49844
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The website download page was updated for the latest releases of
2025.{02,05,08} in [1], but the column "Latest release date" wasn't
updated.
Moreover, indicate that 2025.05.3 is the EOL stable release.
[1] e5501d7b1a
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The 6.16.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bump to last revision and install the newly added CYW43439 firmware.
The brcmfmac4339-sdio.1CK.txt file has been removed from the firmware
therefore the Kconfig option has been removed.
The firmware files prefix have been changed from brcmfmac to cyfmac
therefore the rename helpers have change.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Policy booleans allow adjusting certain policy rules at runtime
(including whether changing policy booleans is allowed). The new
option allows setting their defaults at build time.
A monolithic policy (like built by package/refpolicy) does not support
persistent changes to policy booleans, so changing the defaults is
required to make changes across boots. Adjusting policy/booleans.conf
after "make conf" is intended for that purpose [1, 2].
[1] https://github.com/SELinuxProject/refpolicy/pull/355#issuecomment-792758725
[2] 4d97523c71/README (L186-L191)
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Updating the hash of the WHENCE file, due to firmware additions and
firmware changes, but no changes to the redistribution/licensing
conditions.
Updated paths for iwlwifi files due to upstream commits:
078946281c06205c0eb8
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since its inception in 9646e80fca (micropython: new package), the
ppc-specific CFLAGS are simply assigned, and since 9fd9f4e675
(package/micropython: define MICROPY_NLR_SETJMP for xtensa), the same
goes for the xtensa CFLAGS.
Although they are mutually exclusive (different archs) and that there is
no prior assignment, the customs are to use append assignment in
conditional blocks, to avoid accidentally overwriting a valure set
previously.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Before commit 50bc5aa17b (package/micropython: fix segfault at exit()
with gcc >= 14), only architecture-specific CFLAGS were passed, and only
one per arch. But 50bc5aa17b introduced a non-arch CFLAGS, for gcc
versions, so when the build happens for an architecture for which there
is a CFLAGS, and when gcc is 14 or newer, there are two CFLAGS added,
causing build failures:
[...] /usr/bin/make [...] CFLAGS_EXTRA=-DMICROPY_GCREGS_SETJMP=1 -DMICROPY_NLR_SETJMP=1 [...]
/usr/bin/make: invalid option -- 'D'
/usr/bin/make: invalid option -- 'M'
Usage: make [options] [target] ...
The fix is simple enough: just quote the CFLAGS.
Fixes: https://autobuild.buildroot.org/results/b18/b18d6fa9938c1267a771fdbcd8b4c3df812cd6b9/
Fixes: 50bc5aa17b
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chris Packham <judge.packham@gmail.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The update makes some warnings about unknown classes and permissions
during boot with current kernels go away.
Upstream changelogs [1, 2] list as "notable changes":
* Updates to support screen 5.0.
* Add labeling for bcachefs.
* Various systemd updates and fixes.
* Several updates and fixes for systemd
* Add new permissions and policy capabilities
* Drop reiserfs support (it was removed in kernel 6.13)
Plus a number of new modules.
[1] https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250618
[2] https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20250923
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: keep a new line in hash file between sources and license]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a local patch pending upstream to fix build failure with Linux 6.17
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: update patch Upstream link with commit ID]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add local patch pending upstream to fix build failure with Linux 6.17.
Fixes:
Still not occured
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With this version we can build with Linux 6.17.
Fixes:
still not occured.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add new line at end of hash file to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
SELinux policies commonly contain "dontaudit" rules, which omit
certain denied actions from the audit logs to keep the log volume
manageable. When investigating issues this can become a problem in
itself because messages that could show the cause might be hidden.
The common advice is to use "semodule -DB" to temporarily disable the
dontaudit rules, but this is only possible with a modular policy,
while package/refpolicy builds a monolithic policy. Instead, the
Rules.monolithic makefile offers the "enableaudit" target, which
removes any dontaudit rules before compiling the policy.
This patch adds a config option to run the enableaudit target during
the configure stage, intended for debug builds.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: remove unneeded "default n" in Config.in]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The previous URL [1] currently redirects to [2], which as of this
commit is about two months old and contains a readme that just says
"PoC by Callgh0st". When the package was added with commit [3]
the help text URL matched REFPOLICY_SITE, so presumably the help was
forgotten when the site URL was updated in [4], and there has been
some kind of hostile takeover of the former upstream repository since.
[1] https://github.com/TresysTechnology/refpolicy
[2] https://github.com/Exact-Realty/refpolicy
[3] bb442abdf1
[4] cfa018d9f3
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: add commit ID which forgot to update the package homepage]
Signed-off-by: Julien Olivain <ju.o@free.fr>
$(PREFIX)/lib/python$(PYTHON3_VERSION_MAJOR) is for the standard
library, additional modules like this should go to site-packages.
This patch changes only the host package because Python bindings are
disabled for the target package.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
/usr/lib/python$(PYTHON3_VERSION_MAJOR) is for the standard library,
additional modules like this should go to site-packages.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop upstream patch.
Main change in this release is cmake 4 build fix.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In 2016 buildroot commit b4c050e9af added
-std=gnu++98 also to CFLAGS knowing that it will cause warnings:
https://lists.nongnu.org/archive/html/gpsd-dev/2016-09/msg00082.html
'Although this leads to lots of warnings on every compilation with gcc:
"cc1: warning: command line option '-std=gnu++98' is valid for C++/ObjC++ but not for C"'
These warnings are still present but cause a misdetection in configure
Checking if strerror_r() returns int... no
because here warnings are treated as errors, quoting config.log:
cc1: error: command-line option ‘-std=gnu++98’ is valid for C++/ObjC++ but not for C [-Werror]
cc1: all warnings being treated as errors
In 2017 upstream committed
d287c76f4f
which added "std::" namespace prefixes and fixed the original problem.
-std=gnu++98 being removed from CFLAGS lets configure correctly detect
strerror_r():
Checking if strerror_r() returns int... yes
and no new build errors occur:
arm-aarch64 [ 1/35]: OK
bootlin-aarch64-glibc [ 2/35]: OK
bootlin-arcle-hs38-uclibc [ 3/35]: OK
bootlin-armv5-uclibc [ 4/35]: OK
bootlin-armv7-glibc [ 5/35]: OK
bootlin-armv7m-uclibc [ 6/35]: SKIPPED
bootlin-armv7-musl [ 7/35]: OK
bootlin-m68k-5208-uclibc [ 8/35]: SKIPPED
bootlin-m68k-68040-uclibc [ 9/35]: OK
bootlin-microblazeel-uclibc [10/35]: OK
bootlin-mipsel32r6-glibc [11/35]: OK
bootlin-mipsel-uclibc [12/35]: OK
bootlin-openrisc-uclibc [13/35]: OK
bootlin-powerpc64le-power8-glibc [14/35]: OK
bootlin-powerpc-e500mc-uclibc [15/35]: OK
bootlin-riscv32-glibc [16/35]: OK
bootlin-riscv64-glibc [17/35]: OK
bootlin-riscv64-musl [18/35]: OK
bootlin-s390x-z13-glibc [19/35]: OK
bootlin-sh4-uclibc [20/35]: OK
bootlin-sparc64-glibc [21/35]: OK
bootlin-sparc-uclibc [22/35]: OK
bootlin-x86-64-glibc [23/35]: OK
bootlin-x86-64-musl [24/35]: OK
bootlin-x86-64-uclibc [25/35]: OK
bootlin-x86-i686-musl [26/35]: OK
bootlin-xtensa-uclibc [27/35]: OK
br-arm-basic [28/35]: SKIPPED
br-arm-full-nothread [29/35]: SKIPPED
br-arm-full-static [30/35]: SKIPPED
br-i386-pentium4-full [31/35]: FAILED
br-mips64-n64-full [32/35]: OK
br-mips64r6-el-hf-glibc [33/35]: OK
br-powerpc-603e-basic-cpp [34/35]: SKIPPED
br-powerpc64-power7-glibc [35/35]: OK
35 builds, 6 skipped, 1 build failed, 0 legal-info failed, 0 show-info failed
The br-i386-pentium4-full error is not caused by gpsd:
package/python3/python3.mk:324: *** Python3 doesn't work with uClibc and
kernel headers < 5.1. Please use a different toolchain or unselect
Python3..
Fixes:
https://autobuild.buildroot.org/results/52d747d33d714ea10b9e7ee10adeadd9e4512c2d/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Tested-by: Yann E. MORIN <yann.morin@orange.com>
Reviewed-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerability:
- CVE-2018-13410
Info-ZIP Zip 3.0, when the -T and -TT command-line options are used,
allows attackers to cause a denial of service (invalid free and
application crash) or possibly have unspecified other impact because
of an off-by-one error. NOTE: it is unclear whether there are
realistic scenarios in which an untrusted party controls the -TT
value, given that the entire purpose of -TT is execution of
arbitrary commands
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2018-13410
This patch also includes the patch 0009 which address a buffer overflow
when passing unicode characters that doesn't have a CVE assigned.
Tested with `./support/testing/run-tests -d dl -o output_folder -k tests.package.test_zip`
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] introduced an extra empty line in the hash file
which makes check-package to report the error:
package/rsyslog/rsyslog.hash:4: consecutive empty lines
This commit fixes that.
[1] b39d3d8f62
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://chrony-project.org/news.html
Enhancements:
- Add maxunreach option to limit selection of unreachable sources
- Add -u option to chronyc to drop root privileges
(default chronyc user is set by configure script)
Bug fixes:
- Hide chronyc socket to mitigate unsafe permissions change
- Fix refclock extpps option to work on Linux >= 6.15
- Validate refclock samples for reachability updates
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
/etc/audit/audit.rules is the path used by augenrules,
/etc/audit/rules.d/ should be used for snippets to be combined into
that file using augenrules.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
"mkdir -Z" tries to create the directory with the default type context
and does not accept any parameter, leading to mkdir creating a
directory by the name of "system_u:object_r:auditd_log_t" (or failing
to, with a read-only rootfs). Use "--context=" instead to specify the
context.
Letting start-stop-daemon create the auditd PID file leads to an
incorrect label, with type "initrc_runtime_t" instead of
"auditd_runtime_t", which would prevent auditd from writing or
deleting it. Auditd manages its own PID file and daemonizes by
default, so simply drop the --background and --make-pidfile options
from start-stop-daemon.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Cadence MHDP8546 DPTX IP used in TI J721E SoC needs the firmware to
work.
Signed-off-by: Andy Yan <andyshrk@163.com>
[Julien: move Config.in entry from "Wifi" to "Video" section]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://www.php.net/releases/8.4/en.php
Changelog: https://www.php.net/ChangeLog-8.php#PHP_8_4
Removed patch 0006 which is included in this release, rebased remaining
patches.
php commit 1f847a0bdf
added a check on the httpd binary which requires STAGING_DIR being part
of SBINDIR as reported by apxs, adjust apache.mk accordingly.
Upstream commit
ea4e8d513c
causes a build error with older uclibc-based toolchains when detecting
copy_file_range, disable it by adding php_cv_func_copy_file_range=no to
_CONF_ENV for uclibc-toolchains.
Upstream commit
063213b1ae
changed the name of the cache variable ac_cv_have_pcre2_jit to
php_cv_have_pcre2_jit.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
BOARD_DIR is not used, so drop it and quote $BINARIES_DIR to make shellcheck
happy.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Added optional support for gtk3 which was added upstream:
e87dcfdaf8
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Added upstream patch to fix a missing include, autobuild did not record
any build errors but Arch Linux provides the patch:
bad3196d4e
Switched to gitlab tarball because the previous site does not provide a
tarball for version 1.2.2 which was tagged in 2016:
https://gitlab.xiph.org/xiph/libao/-/tags/1.2.2
Added autoreconf due to usage of gitlab tarball which does not contain
a configure script.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes on
https://github.com/erlang/otp/releases?q=OTP-26.&expanded=true
Also, remove patch that is now applied upstream
This fixes the following vulnerabilities:
- CVE-2024-53846:
OTP is a set of Erlang libraries, which consists of the Erlang runtime
system, a number of ready-to-use components mainly written in Erlang,
and a set of design principles for Erlang programs. A regression was
introduced into the ssl application of OTP starting at OTP-25.3.2.8,
OTP-26.2, and OTP-27.0, resulting in a server or client verifying the
peer when incorrect extended key usage is presented (i.e., a server
will verify a client if they have server auth ext key usage and vice
versa).
https://www.cve.org/CVERecord?id=CVE-2024-53846
- CVE-2025-4748:
Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Erlang OTP (stdlib modules) allows
Absolute Path Traversal, File Manipulation. This vulnerability is
associated with program files lib/stdlib/src/zip.erl and program
routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless
the memory option is passed. This issue affects OTP from OTP 17.0
until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to
stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
https://www.cve.org/CVERecord?id=CVE-2025-4748
- CVE-2025-26618:
Erlang is a programming language and runtime system for building
massively scalable soft real-time systems with requirements on high
availability. OTP is a set of Erlang libraries, which consists of the
Erlang runtime system, a number of ready-to-use components mainly
written in Erlang. Packet size is not verified properly for SFTP
packets. As a result when multiple SSH packets (conforming to max SSH
packet size) are received by ssh, they might be combined into an SFTP
packet which will exceed the max allowed packet size and potentially
cause large amount of memory to be allocated. Note that situation
described above can only happen for successfully authenticated users
after completing the SSH handshake. This issue has been patched in OTP
versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known
workarounds for this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2025-26618
- CVE-2025-30211:
Erlang/OTP is a set of libraries for the Erlang programming language.
Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously
formed KEX init message can result with high memory usage.
Implementation does not verify RFC specified limits on algorithm names
(64 characters) provided in KEX init message. Big KEX init packet may
lead to inefficient processing of the error data. As a result, large
amount of memory will be allocated for processing malicious data.
Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue.
Some workarounds are available. One may set option `parallel_login` to
`false` and/or reduce the `max_sessions` option.
https://www.cve.org/CVERecord?id=CVE-2025-30211
- CVE-2025-32433:
Erlang/OTP is a set of libraries for the Erlang programming language.
Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH
server may allow an attacker to perform unauthenticated remote code
execution (RCE). By exploiting a flaw in SSH protocol message
handling, a malicious actor could gain unauthorized access to affected
systems and execute arbitrary commands without valid credentials. This
issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and
OTP-25.3.2.20. A temporary workaround involves disabling the SSH
server or to prevent access via firewall rules.
https://www.cve.org/CVERecord?id=CVE-2025-32433
- CVE-2025-46712:
Erlang/OTP is a set of libraries for the Erlang programming language.
In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for
OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to
enforce strict KEX handshake hardening measures by allowing optional
messages to be exchanged. This allows a Man-in-the-Middle attacker to
inject these messages in a connection during the handshake. This issue
has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12
(for OTP-26), and OTP-25.3.2.21 (for OTP-25).
https://www.cve.org/CVERecord?id=CVE-2025-46712
- CVE-2025-48038:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure. This vulnerability is associated with program
files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0
until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48038
- CVE-2025-48039:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure. This vulnerability is associated with program
files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0
until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48039
- CVE-2025-48040:
Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh
(ssh_sftp modules) allows Excessive Allocation, Flooding. This
vulnerability is associated with program files
lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until
OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48040
- CVE-2025-48041:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Flooding. This vulnerability is associated with program files
lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until
OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48041
NB: Since Erlang is quite a "large" package, containing the language itself,
some libraries, and some "applications", it's difficult to tell which CVEs
are exactly affecting Buildroot, but it's a good idea to update anyway
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
And adjust the dtb path to the new subdir after commit 724ba6751532 ("ARM:
dts: Move .dts files to vendor sub-directories") in v6.5.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With the change to default to gcc 14.x with commit 1e1fafa1f0
("package/gcc: switch to GCC 14.x as the default"), the old u-boot version
no longer builds:
board/ti/am57xx/board.c:948:17: error: implicit declaration of function 'do_cape_detect'; did you mean 'do_board_detect'? [-Wimplicit-function-declaration]
https://gitlab.com/buildroot.org/buildroot/-/jobs/11570241744
So move to u-boot 2025.04 to fix that. We still need a small patch as
(early) beagleboneai boards do not have the EEPROM (or eMMC partition)
populated, so include the bb.org patch from
0b161f8e89
The new u-boot version needs both openssl and gnutls on the host, so enable
them.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: remove patch entry in .checkpackageignore to
fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit [1] "package/vulkan-{headers,loader,tools}:
bump to 1.4.317 release", the vulkan-headers package is failing at
configuration time with toolchains without C++ support, with error:
The C++ compiler
"/bin/false"
is not able to compile a simple test program.
This is due to upstream commit [2], which added CXX to the CMake
project file.
This commit fixes the issue by adding the C++ dependency.
Fixes:
https://autobuild.buildroot.org/results/10f63398940d52be9a8ee306daf4203ceca25eb8
[1] 52664093de
[2] 85256c712c
Signed-off-by: Julien Olivain <ju.o@free.fr>
The roseapplepi defconfig fails to build u-boot since the move to GCC 15.x:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11501385206
The issues are mainly related to missing includes, but given that the build
has been broken for a while, there is no mainline u-boot support for the
platform and the minimal kernel support has not seen any updates since it
was added for v5.15, just drop the defconfig.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The upstream libbson repository has been archived since october 2020,
and there is a known vulnerabilities affecting it (CVE-2025-0755).
Since no other package depends on libbson, and it hasn't seen any recent
activity, let's simply remove it from Buildroot. In case anyone needs a
bson implementation, one could integrate the replacement from mongo-c-driver
instead, see https://github.com/mongodb/mongo-c-driver/tree/master/src/libbson
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Removed patch which is included in this release.
Added sha256 hash provided by upstream.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release note, see:
https://docs.djangoproject.com/en/5.2/releases/5.2.7/
This fixes the following vulnerabilities:
- CVE-2025-59681:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
QuerySet.aggregate(), and QuerySet.extra() are subject to SQL
injection in column aliases, when using a suitably crafted dictionary,
with dictionary expansion, as the **kwargs passed to these methods (on
MySQL and MariaDB).
https://www.cve.org/CVERecord?id=CVE-2025-59681
- CVE-2025-59682:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract()
function, used by the "startapp --template" and "startproject
--template" commands, allows partial directory traversal via an
archive with file paths sharing a common prefix with the target
directory.
https://www.cve.org/CVERecord?id=CVE-2025-59682
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to release note]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The board/versal/post-image.sh script has an unnecessary mkdir command:
mkdir -p "${BINARIES_DIR}"
This directory is created before calling the post image scripts,
in [1].
Just above the command, the script is making a symlink for the Linux DTB in
the ${BINARIES_DIR}, so if the ${BINARIES_DIR} did not already exist with
images inside, the script would fail regardless of whether this mkdir is
executed or not.
For this reason, remove the mkdir call from the script because it is not
necessary.
[1] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.08/Makefile#L829
Signed-off-by: Neal Frager <neal.frager@amd.com>
[Julien: add a link showing where the directory is created]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerabilities:
- CVE-2024-57822:
In Raptor RDF Syntax Library through 2.0.16, there is a heap-based
buffer over-read when parsing triples with the nquads parser in
raptor_ntriples_parse_term_internal().
https://www.cve.org/CVERecord?id=CVE-2024-57822
- CVE-2024-57823:
In Raptor RDF Syntax Library through 2.0.16, there is an integer
underflow when normalizing a URI with the turtle parser in
raptor_uri_normalize_path().
https://www.cve.org/CVERecord?id=CVE-2024-57823
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release note, see:
https://ghostscript.readthedocs.io/en/gs10.06.0/News.html
This fixes the following vulnerabilities:
- CVE-2025-59798:
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow
in pdf_write_cmap in devices/vector/gdevpdtw.c.
https://www.cve.org/CVERecord?id=CVE-2025-59798
- CVE-2025-59799:
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow
in pdfmark_coerce_dest in devices/vector/gdevpdfm.c via a large size
value.
https://www.cve.org/CVERecord?id=CVE-2025-59799
- CVE-2025-59800:
In Artifex Ghostscript through 10.05.1, ocr_begin_page in
devices/gdevpdfocr.c has an integer overflow that leads to a heap-
based buffer overflow in ocr_line8.
https://www.cve.org/CVERecord?id=CVE-2025-59800
- CVE-2025-59801:
In Artifex GhostXPS before 10.06.0, there is a stack-based buffer
overflow in xps_unpredict_tiff in xpstiff.c because the
samplesperpixel value is not checked.
https://www.cve.org/CVERecord?id=CVE-2025-59801
Also remove patch that is now applied upstream, and add new patch from
upstream to fix a compilation issue on 32bits platforms
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien:
- add link to release note in commit log
- fix URL in hash file comment
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-8869:
When extracting a tar archive pip may not check symbolic links point
into the extraction directory if the tarfile module doesn't implement
PEP 706. Note that upgrading pip to a "fixed" version for this
vulnerability doesn't fix all known vulnerabilities that are
remediated by using a Python version that implements PEP 706. Note
that this is a vulnerability in pip's fallback implementation of tar
extraction for Python versions that don't implement PEP 706 and
therefore are not secure to all vulnerabilities in the Python
'tarfile' module. If you're using a Python version that implements PEP
706 then pip doesn't use the "vulnerable" fallback code. Mitigations
include upgrading to a version of pip that includes the fix, upgrading
to a Python version that implements PEP 706 (Python >=3.9.17,
>=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or
inspecting source distributions (sdists) before installation as is
already a best-practice.
https://www.cve.org/CVERecord?id=CVE-2025-8869
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add options to install the WCN7850 or QCN9274 firmware.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
[Julien:
- reindent _FIRMWARE_FILES with one tab
- move ath12k license hashes near ath10k
- inverse QCN9274/WCN7850 order in Config.in
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Currently, the xilinx-prebuilt package uses an if-then-else statement for
deciding which files need to be installed from the xilinx-prebuilt repo. This
works fine for now because there are really only two options, either versal or
zynqmp/kria.
Starting with the xilinx_v2025.2 release, the versal2 family along with the
vek385 board will be added to Buildroot and thus the xilinx-prebuilt package
as well. In the future, additional families will also probably be added to
this package.
To avoid creating a long if-then-else-then-else statement which will only grow
in complexity over time, simplify the logic of the xilinx-prebuilt package by
giving each xilinx family its own if statement. In the long term, this will
make the xilinx-prebuilt package easier to understand and maintain.
For this reason, this patch moves the zynqmp/kria families from the "else"
statement to having an if statement separate from the versal family.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add optional zstd compression type support for QEMU.
In order to a file compressed with zstd on host to be applied to
target QEMU, zstd on both host and target should be enabled.
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Note:
The first file matching the pattern "iwlwifi-ty-a0-gf-a0*" was
introduced in commit [1], first included in version 20201022.
[1] 4f41e9d643
Signed-off-by: Alex McLain <alex@alexmclain.com>
[Julien: add the note in commit log when the first
firmware was introduced
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The web link www.zedboard.org is no longer valid as it routes to a generic
avnet.com boards link. Fix this issue by providing direct links to the Avnet
ZedBoard and Tria MicroZed boards.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As the xilinx.com website will soon be going away, migrate all xilinx board
web links from xilinx.com to amd.com.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since upstream commit [1] ("Deprecate the slaveOnly option in favor
of clientOnly."), included in v4.0, ptp4l complains about the
"slaveOnly" option being deprecated on startup.
Update the default config to silence this warning.
[1] fe01cc7c96
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Users may be building U-Boot outside Buildroot or Build U-Boot but not use
the rauc u-boot bootloader backend (E.G. as using the U-Boot environment is
tricky in secure boot setups) - So replace the selects by a note in the help
text.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
axfsutils is a host-only package, so drop it now that the axfs root
filesystem support has been dropped.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The file system support is not mainline and hasn't been updated since 2019,
so drop it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This defconfig no longer builds:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11161167596
It is still based on the 4.8.6 kernel, which is not even an LTS
kernel, so we cannot easily update to fix the issues which are most
likely due to the newer gcc/binutils versions we're using now.
There is no DEVELOPERS entry attached to this configuration as well,
and this defconfig has been broken for at least 2 months, probably
more (our Gitlab CI history is only kept for ~2 months). So let's drop
it, unles someone volunteers to resurrect it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The fbtft linux extension was only needed for very old kernels (<4.0)
that are no longer available in Buildroot.
Let's therefore remove it.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
wlroots 0.19.0 includes API breaking changes.
This commit bump the cage version to include the upstream commit [1]
which updates to this new wlroots API.
[1] 9ad44e4f52
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Julien: change _VERSION to use "git describe --abbrev=40" format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Requires libxkbcommon >= 1.8.0 as of commit 34d3f466
- Drop upstream 0001-box-drawings-handle-architecture-with-soft-float.patch
Tested by building an image with sway and opening foot with win + return.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The package has been abandoned for several years. The only package that
previously relied on dmenu-wayland was the swaybar option for the sway package,
and that option now relies on wmenu.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Julien:
- add select BR2_LEGACY in legacy option to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
wmenu is an efficient dynamic menu for Sway and wlroots based Wayland
compositors. It provides a Wayland-native dmenu replacement which
maintains the look and feel of dmenu.
Furthermore, as of commit [1], sway uses wmenu instead of dmenu-wayland
with the following commit message:
"""
Switch default config to wmenu-run
This removes the last dependency bit on dmenu. No need for
"swaymsg exec" anymore: wmenu-run handles the xdg-activation
shenanigans.
"""
As such, change sway/Config.in to select wmenu instead of dmenu-wayland when
a user selects swaybar.
[1] b44015578a
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This defconfig enables EDK2 UEFI firmware and grub2 x86_64-efi boot
of a Linux Kernel in QEMU virt machine.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
[Julien:
- add .in suffix to genimage.cfg and grub.cfg template file names
- change UUID_TMP template variable to %PARTUUID%
- use human readable partition-type-uuid in genimage.cfg.in
- break long qemu-system-x86_64 command line in readme.txt
- add "-serial stdio" in readme.txt qemu command line for CI
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For change log, see:
https://xmlrpc-c.sourceforge.io/change.html
Since version 1.65, Libxml2 was made the default XML parser. Hence,
if libxml2 package is not selected, disable libxml2 support
explicitly.
Remove already upstreamed patch.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
A visual editor for binary files. Bvi allows the user to edit binary files
with a VI-like interface.
Signed-off-by: Dimitrios Siganos <dimitris@siganos.org>
[Julien:
- sort DEVELOPERS entries
- reword commit log title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For more details on the version bump, see:
- https://gitlab.com/libtiff/libtiff/-/releases/v4.7.1
This bump includes the security fix for CVE-2025-8176, CVE-2025-8177
that were addressed in commit [1][2].
Also fixes the following vulnerabilities:
- CVE-2024-13978
A vulnerability was found in LibTIFF up to 4.7.0. It has been
declared as problematic. Affected by this vulnerability is the
function t2p_read_tiff_init of the file tools/tiff2pdf.c of the
component fax2ps. The manipulation leads to null pointer
dereference. The attack needs to be approached locally. The
complexity of an attack is rather high. The exploitation appears to
be difficult. The patch is named
2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply
a patch to fix this issue.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2024-13978
- 2ebfffb0e8
- CVE-2025-8961
A weakness has been identified in LibTIFF 4.7.0. This affects the
function main of the file tiffcrop.c of the component tiffcrop.
Executing manipulation can lead to memory corruption. The attack can
only be executed locally. The exploit has been made available to the
public and could be exploited.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-8961
- 0ac97aa7a5
- CVE-2025-9165
A flaw has been found in LibTIFF 4.7.0. This affects the function
_TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the
file tools/tiffcmp.c of the component tiffcmp. Executing
manipulation can lead to memory leak. The attack is restricted to
local execution. The exploit has been published and may be used.
This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is
best practice to apply a patch to resolve this issue.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-9165
- ed141286a3
This commit also updates the LICENSE.md hash file, which was updated
upstream to include a historical license. See:
a0b623c780
[1] b3974df966 package/tiff: add patches to fix CVE-2025-8176
[2] 3db725d71d package/tiff: add patch to fix CVE-2025-8177
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: fix license hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CVE-2025-8851 [1] has been fixed in upstream commit [2] that is part
of the v4.7.0 release.
Because the NVD reference includes the version '<2024-08-11' most of CVE
checker will fail to compare it against 4.7.0 and report it as a
positive.
[1] https://nvd.nist.gov//vuln/detail/CVE-2025-8851
[2] 8a7a48d7a6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bump the xilinx-prebuilt default version to xilinx_v2025.1_update1, so that
all versal defconfigs use this new release tag.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bump the versal_vek280_defconfig to use version xilinx_v2025.1_update1 of the
xilinx-prebuilt boot pacakge.
As part of this update, the vek280 pdi file has been updated and the memory
map has been corrected to match the Linux intree dts memory node, so the
vek280 dts memory node patch is no longer required.
f755d022cd
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the xilinx_v2025.1_update1 release tag hash to the xilinx-prebuilt
package, so that Xilinx boards can use this new release tag.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
AMD / Xilinx has made the decision to change the name of plm.elf to plmfw.elf
in the prebuilt binaries repo starting with the next update.
This patch updates the xilinx-prebuilt package to support either the old
plm.elf filename or the new plmfw.elf filename.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Migrate the BR2_TARGET_UBOOT_ZYNQMP dependency to the new
BR2_TARGET_XILINX_FIRMWARE_ARCH_SUPPORTS symbol. Also, add a cpu dependency
on BR2_cortex_a53 since the zynqmp platform is based on the ARM Cortex-A53
and the BR2_TARGET_UBOOT_ZYNQMP should not be available for other CPUs with
aarch64 architecture.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With the new cpu dependencies included in the xilinx-prebuilt package,
BR2_TARGET_XILINX_PREBUILT_VERSAL is now default when BR2_cortex_a72 is
selected. This means that BR2_TARGET_XILINX_PREBUILT_VERSAL is not needed
in the versal_*_defconfig files anymore.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an architecture cpu dependency to each family to make sure that users can
only install prebuilt firmware which is applicable to their target device
family.
The versal family is based on BR2_cortex_a72.
The kria and zynqmp families are based on BR2_cortex_a53.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an architecture cpu dependency to each application to make sure that users
can only build applications which are applicable to their target device
family.
The versal_plm and versal_psmfw applications are specific to versal devices
which are based on BR2_cortex_a72.
The zynqmp_pmufw application is specific to zynqmp devices which are based on
BR2_cortex_a53.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Currently, the xilinx-embeddedsw and xilinx-prebuilt packages are appearing
for any aarch64 processor. As all Xilinx processors that need these packages
are ARM Cortex-A53 or ARM Cortex-A72, this means that these packages are
often appearing as options for non-Xilinx platforms.
To reduce this occurrence, this patch creates a new symbol
BR2_TARGET_XILINX_FIRMWARE_ARCH_SUPPORTS to limit the appearance of the
xilinx-embeddedsw and xilinx-prebuilt boot packages to only platforms based
on the BR2_cortex_a53 or BR2_cortex_a72 CPU and aarch64 architecture.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a defconfig to build an AArch64 disk image with a U-Boot based
firmware implementing the subset of UEFI defined by EBBR[1], as well as
a Linux OS booting with UEFI, to run on the IOT-GATE-iMX8 from Compulab.
The generated firmware binary can also be used to install or run another
OS supporting the EBBR specification.
This configuration is based on the work of Paul Liu[2] and is not related
with the official BSP from Compulab.
This has been tested on actual hardware.
While at it, add this defconfig to myself in DEVELOPERS.
[1] https://github.com/ARM-software/ebbr
[2] https://git.linaro.org/plugins/gitiles/people/paul.liu/systemready/build-scripts
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Ying-Chun Liu (Paul Liu) <paul.liu@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Also set BuiltForPackageManager=buildroot so that cloudflared's update
command informs the user to update cloudflared via buildroot.
Without BuiltForPackageManager set:
cloudflared update
INF cloudflared is up to date version=
With BuiltForPackageManager set:
cloudflared update
ERR cloudflared was installed by buildroot. Please update using the same method.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For relase notes, see:
https://go.dev/doc/devel/release#go1.25.0
Building Go 1.24 and later requires Go 1.22.6 or later for bootstrap.
To support this we use our previous Go version 1.23.12 as the version
for go-bootstrap-stage4 and have the build for Go 1.25.1 depend on
go-bootstrap-stage4.
Go version 1.23.12 is the latest go version we can build using
go-bootstrap-stage3.
The package build for go-bootstrap-stage4 if effectively identical to
go-bootstrap-stage3 with only the Go version and stage number changed.
Note: go version 1.25.1 release note mention a security fix
which is for CVE-2025-47910. This commit is not marked as security
bump, because the issue was introduced in version 1.25.0 which
was not included in Buildroot. See:
https://pkg.go.dev/vuln/GO-2025-3955
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Tested-by: Christian Stewart <christian@aperture.us>
[Julien: add link to release notes and
comment about CVE in commit log.
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Patches submitted to update these packages have gone ignored for
months without comment, and I no longer wish to recieve daily
emails about them being out of date.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the Xilinx Zynq SoC family is always based on ARM Cortex-A9 CPUs, the
BR2_TARGET_UBOOT_ZYNQ option should only be available when the BR2_cortex_a9
option is selected.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
On Zynq, the booloader is responsible for some basic initializations, such as
enabling peripherals, DDR and configuring pinmuxes. The ps7_init_gpl.c file
(and optionally, ps7_init_gpl.h) contains the code for such initializations.
Although U-Boot contains ps7_init_gpl.c files for some boards, each of them
describes only one specific configuration. Users of a different board, or
needing a different configuration, can generate custom files using the Xilinx
Vivado development tools.
This patch adds Buildroot support for custom zynq ps7_init_gpl.c files in the
same way that is already done for zynqmp when working with custom hardware
that is not already supported by u-boot.
To test this feature, the following configs can be added to any zynq_defconfig:
BR2_TARGET_UBOOT_ZYNQ=y
BR2_TARGET_UBOOT_ZYNQ_PS7_INIT_FILE=<path to custom board ps7_init_gpl.c>
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Brandon Maier <brandon.maier@collins.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the binutils-bare-metal package to version 2.45. In the
process, it also decouples binutils-bare-metal from the binutils package
since the binutils package does not yet have support for version 2.45.
With the decoupling, the 3 downstream binutils 2.44 patches were evaluated.
Patches not needed for binutils-bare-metal:
0001-sh-conf.patch
0002-poison-system-directories.patch
Patches already included with binutils version 2.45:
0003-objdump-memleak.patch
https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d
Since none of these patches need to be applied to binutils-bare-metal 2.45,
the link to the binutils patch directory is deleted.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch decouples the gcc-bare-metal package from the gcc package to avoid
potential build issues when bumping the version of one package before the
other.
Such as the build issue example here:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11026775160
Since the gcc-bare-metal package does not currently require the gcc 15.2.0
downstream patches, this patch simply deletes the link for patching
gcc-bare-metal 15.2.0 with patches that are not needed for bare-metal apps.
As for the hash link, this patch creates a new file called gcc-bare-metal.hash
which has the same hashes in the gcc.hash file. But by having its own hash
file, hashes from the gcc package can be removed when version bumping without
causing build errors for the gcc-bare-metal package.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Sometimes the default GCC and newlib libraries built for a given
architecture tuple are not based on the desired ABI. Since ABI definitions are
different between architectures, the simplest solution is to allow users to
build bare-metal toolchains with --enable-multilib. This way, the libraries
for every available ABI will be built and users will be able to select the
desired library for their user applications.
This patch adds the option BR2_TOOLCHAIN_BARE_METAL_BUILDROOT_MULTILIB to give
users the choice to enable multilib, if desired.
Please note that when using a string of architecture tuples, this option will
apply to all architectures in the string, so it can significantly increase
build time.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This removes a warning reported by shellcheck: "Double quote to prevent
globbing and word splitting". As a result, the file can be removed from
.checkpackageignore.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_GLIBC_STABLE=y in the
defconfig, bumps kernel to 6.16.7, and adds custom hash files and
removes the exception entry in .checkpackageignore.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
[Julien:
- mention kernel bump in commit title
- move BR2_DOWNLOAD_FORCE_CHECK_HASHES=y down in defconfig
- remove linux-headers hash file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Increase again the partition size to accommodate latest kernel.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV6_EABIHF_GLIBC_STABLE=y in the
defconfig, bumps kernel to 6.16.7, and adds custom hash files and
removes the exception entry in .checkpackageignore.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
[Julien:
- mention kernel bump in commit title
- move BR2_DOWNLOAD_FORCE_CHECK_HASHES=y down in defconfig
- remove linux-headers hash file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The elfutils package provides libdw, which is required by sysprof.
It is not an optional dependency.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes building sysprof when elfutils is also selected (which is
a common setup). The debuginfod client support relies in elfutils
being built with the libdebuginfod option enabled; but Buildroot
unconditionally disables it in the elfutils package. See commit [1].
[1] 52c5c6050c
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Julien: add link to commit disabling debuginfod]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Some links are still pointing to git.buildroot.org, which is the old URL
for the official Buildroot git repository. The repository is now hosted
at gitlab.com. Update those old links accordingly.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Many links pointing to buildroot.org are still prefixed with HTTP.
Update those to HTTPS.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes:
- https://github.com/OpenPrinting/cups/releases/tag/v2.4.13
- https://github.com/OpenPrinting/cups/releases/tag/v2.4.14
This fixes the following vulnerabilities:
- CVE-2025-58060:
OpenPrinting CUPS is an open source printing system for Linux and
other Unix-like operating systems. In versions 2.4.12 and earlier,
when the `AuthType` is set to anything but `Basic`, if the request
contains an `Authorization: Basic ...` header, the password is not
checked. This results in authentication bypass. Any configuration that
allows an `AuthType` that is not `Basic` is affected. Version 2.4.13
fixes the issue.
https://www.cve.org/CVERecord?id=CVE-2025-58060
- CVE-2025-58364:
OpenPrinting CUPS is an open source printing system for Linux and
other Unix-like operating systems. In versions 2.4.12 and earlier, an
unsafe deserialization and validation of printer attributes causes
null dereference in the libcups library. This is a remote DoS
vulnerability available in local subnet in default configurations. It
can cause the cups & cups-browsed to crash, on all the machines in
local network who are listening for printers (so by default for all
regular linux machines). On systems where the vulnerability
CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was
not fixed, and the firewall on the machine does not reject incoming
communication to IPP port, and the machine is set to be available to
public internet, attack vector "Network" is possible. The current
versions of CUPS and cups-browsed projects have the attack vector
"Adjacent" in their default configurations. Version 2.4.13 contains a
patch for CVE-2025-58364.
https://www.cve.org/CVERecord?id=CVE-2025-58364
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y in the defconfig
and adds custom hash files. The exception entry in .checkpackageignore
is also removed.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
[Julien: change linux.hash comment to reuse hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When searching for the official git repository in the documentation,
readers are forwarded to the buildroot website Download page with a link
pointing to buildroot.org/download, which returns a 404.
Fix the dead link by adding the missing .html suffix.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CMake build system has logic to detect the git repo info and include it
in the version output. This unfortunately gets confused and adds the git
info of the Buildroot repository when building inside the repo:
-- Found Git version: refs/heads/rtl_433-25.02 commit a367362af0 from 2025-09-21T20:07:58+0200
-- Using Git version tag: 2025.08-283-ga367362af0 on rtl_433-25.02 at 202509212007
rtl_433 -V
rtl_433 version 2025.08-283-ga367362af0 branch rtl_433-25.02 at 202509212007 inputs file rtl_tcp RTL-SDR
Pass GIT_DIR=. to the configure step similar to how it is already done for
the build step to disable this.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update icu to 77.1.
The LICENSE file contains a lot of changes, so no diff
is presented.
Patch 0002-workaround-toolchain-bugs.patch is no longer required.
Reorder the other patches accordingly.
Update patch 0003-fix-static-linking-with-icu-uc.patch so that
it applies cleanly.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
TestGitHash and TestGitRefs are failing on Gitlab-CI since 2025-08-18
(first runtime-test failures report for master) [1] due a new Gitlab-CI
security settings that prevents the any use of localhost (127.0.0.1) on
the Gitlab-CI runner [2]:
"To prevent exploitation of insecure internal web services, all webhook
and integration requests to the following local network addresses are
not allowed:
Private network addresses, including 127.0.0.1, ::1, 0.0.0.0,
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and IPv6 site-local
(ffc0::/10) addresses."
Gitlab suggest using a second container as a Services [3] since each
containers have access to one another and can communicate when running
the job. But this is really not practical to run git daemon since the
service is started before the Buildroot git tree is fetched and git
daemon needs git-remote directory content.
See [4]:
"If you have your service that tries to write to CI_PROJECT_DIR
immediately after it's started - it will not work and fail with an
error like '/builds/nknapp/gitlab-ci-test/': No such file or directory
error. Because that directory is most probably not there yet, as the
job step that creates it is yet to be executed!"
Also, using Gitlab-CI services requires to handle GitTestBase setUp
differently on Gitlab-CI than local use of run-tests.
So Gitlab-CI services is not an option.
We could move support/testing/tests/download/git-remote to our Gitlab
group (https://gitlab.com/buildroot.org) but since it's only intended
for testing the git download backend, we don't really want to do that.
So the only remaining choice to clone the repository from the Buildroot
git tree (local machine).
To do so, we have to do the following changes:
- Replace all "git://localhost:$(GITREMOTE_PORT_NUMBER)" by
"$(GITREMOTE_DIR)". GITREMOTE_DIR will contain the absolute path to
tests/download/git-remote directory.
- Force to use git download backend using "SITE_METHOD = git" otherwise
the download infra will fall back using wget download backend.
- Cloning a git repository with submodules using the "file://" protocol
needs to be allowed from git config. It's disabled by default:
"fatal: transport 'file' not allowed"
Use a local gitconfig file generated by GitTestBase before starting
TestGitHash and TestGitRefs with:
[protocol "file"]
allow = always
This is considered safe since we are using a git repository from the
Buildroot git tree.
- Running TestGitHash and TestGitRefs on Gitlab-CI requires additional
git config settings to disable ownership check of the git tree [5].
Thanks to Arnout for advices about GIT_CONFIG_GLOBAL.
Runtime tested:
https://gitlab.com/kubu93/buildroot/-/jobs/11428504450 (TestGitHash)
https://gitlab.com/kubu93/buildroot/-/jobs/11428490035 (TestGitRefs)
[1] https://lore.kernel.org/buildroot/68a3ee65.500a0220.397724.30db@mx.google.com/
[2] https://docs.gitlab.com/security/webhooks/#allow-requests-to-the-local-network-from-webhooks-and-integrations
[3] https://docs.gitlab.com/ci/services/
[4] https://gitlab.com/gitlab-org/gitlab-runner/-/issues/25982#note_2139685797
[5] a016b693f7
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124174 (TestGitHash)
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124173 (TestGitRefs)
Cc: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As reported on the mailing list [1] while investigating the
TestZfsUclibc Gitlab-CI failure, the python 3.13 interpreter itsef
segfault at runtime:
Fatal Python error: _PyThreadState_Attach: non-NULL old thread state
Python runtime state: preinitialized
Thread 0xSegmentation fault
This issue is related to the python 3.13 version bump [2] were several
internal changes were added [3] to support PEP 703 [4].
PEP 793 is about CPython’s global interpreter lock (“GIL”) removal
for multi-threads support that requires a working C11 "thread_local"
for thread-local storage [5].
The new uclibc-ng 1.0.55 release contains a fix for this issue [6].
This version is included in Buildroot commit [7].
Since the prebuilt Bootling aarch64 uclibc stable 2025.08-1 is based
on previous uClibc-ng release (1.0.54) we have to use the internal
toolchain backend to build a new uClibc-ng toolchain using uclibc-ng
1.0.55. Note: the toolchain config defined in this commit reflects
the options enabled in the Bootling aarch64 uclibc external
toolchains.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124859 (TestZfsUclibc)
[1] https://lore.kernel.org/buildroot/7a4d245d-1556-43c9-8997-6b1f791afbfe@gmail.com/ (TestZfsUclibc)
[2] d63e207eb8
[3] 6e97a9647a
[4] https://peps.python.org/pep-0703/
[5] https://gcc.gnu.org/onlinedocs/gcc-15.1.0/gcc/Thread-Local.html
[6] 94c1297d52
[7] 5250bba8e5
Cc: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Tested-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
[Julien:
- add link to buildroot commit updating uclibc-ng to 1.0.55
- add a note in the commit log about the toolchain config
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Finally the aarch64 tls bug is fixed. (python 3.13 segfault)
Unfortunately it is not covered by any testcase of uClibc-ng-test.
Here is the git shortlog for the release:
Marius Melzer (1):
malloc-standard: Fix truncation problem in malloc
Waldemar Brodkorb (5):
Fix Sysvipc for ARM, AARCH64, RISCV64, KVX and m68k
remove uClibc specific gettext_printf
aarch64: do not force tls-model in CPU_CFLAGS, this isn't required
aarch64: respect r_addend for TLSDESC relocations
bump version for 1.0.55 release
yliu (5):
mips32: Preventing FORCE_FRAME_POINTER from being optimized away
mips32: Define __IPC_64 according to kernel version
time64: fixed msgctl/semctl/shmctl result errors for for MIPS32/RISCV32
time64: fix *ctl functions in mips32eb/mips64
time64: fix *ctl functions in mips32eb
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Tested-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-6375:
A vulnerability was found in poco up to 1.14.1. It has been rated as
problematic. Affected by this issue is the function MultipartInputStream
of the file Net/src/MultipartReader.cpp. The manipulation leads to null
pointer dereference. The attack needs to be approached locally. The
exploit has been disclosed to the public and may be used. Upgrading to
version 1.14.2 is able to address this issue. The patch is identified as
6f2f85913c191ab9ddfb8fae781f5d66afccf3bf. It is recommended to upgrade
the affected component.
For more information see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-6375
- 6f2f85913c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issue:
CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data
within a view, partition, or child table
PostgreSQL optimizer statistics allow a user to read sampled data within
a view that the user cannot access. Separately, statistics allow a user
to read sampled data that a row security policy intended to hide.
PostgreSQL maintains statistics for tables by sampling data available in
columns; this data is consulted during the query planning process. Prior
to this release, a user could craft a leaky operator that bypassed view
access control lists (ACLs) and bypassed row security policies in
partitioning or table inheritance hierarchies. Reachable statistics data
notably included histograms and most- common-values lists. CVE-2017-7484
and CVE-2019-10130 intended to close this class of vulnerability, but
this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19,
and 13.22 are affected.
CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute
arbitrary code in psql client
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious
superuser of the origin server to inject arbitrary code for restore-time
execution as the client operating system account running psql to restore
the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore
is affected when used to generate a plain-format dump. This is similar to
MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14,
14.19, and 13.22 are affected.
CVE-2025-8715: PostgreSQL pg_dump newline in object name executes
arbitrary code in psql client and in restore target server
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user
of the origin server to inject arbitrary code for restore-time execution
as the client operating system account running psql to restore the dump,
via psql meta-commands inside a purpose-crafted object name. The same
attacks can achieve SQL injection as a superuser of the restore target
server. pg_dumpall, pg_restore, and pg_upgrade are also affected.
Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class
of problem, but version 11.20 reintroduced it.
https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update all qemu defconfigs to the latest Kernel LTS version.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
While doing a per-package build the package is failing to
compile with this error (gcc 13.x glibc toochain):
make[3]: Entering directory
'/home/wbx/buildroot-2025.02.3/output/build/xapp_xdm-1.1.14/xdm' CC
session.o session.c:146:11: fatal error: crypt.h: No such file or
directory 146 | # include <crypt.h> | ^~~~~~~~~
compilation terminated.
Fix this error by providing the needed glibc dependencies.
Fixes:
https://autobuild.buildroot.org/results/b75/b75ad8f1159613656dce482992c800545d60ae69/
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
aespipe-v2.4i April 29 2025
- Added AES Crypto Extension opcodes for 64-bit arm64 on Linux.
- aes-armv8sca.S aes-armv8ce.S : add PAC/BTI branch protection
support. Patch from Emanuele Rocca <emanuele.rocca@arm.com>
aespipe-v2.4j September 2 2025
- Added configure script autodetection for 32-bit ARM -marm compile
flag. This option is needed with some compilers that default to
generating code in Thumb mode.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-55763
Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest)
allows a remote attacker to achieve remote code execution via a crafted
HTTP request. This vulnerability is triggered during request processing
and may allow an attacker to corrupt heap memory, potentially leading to
denial of service or arbitrary code execution.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-55763
- 76e222bcb7
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a patch fixing prototype issues with GCC 15.x. The patch cannot be
submitted upstream because the problematic code has completely changed
in newer releases.
No autobuilder failures because they were hidden by 'c-icap' not
building with GCC 15.x.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The SBSA Reference Platform was updated to neoverse-n2 (armv9.0a)
in Qemu v9.1 [1].
The Armv9-A and Neoverse N2 core support was added in Buildroot
commit [2].
Since the test_edk2 uses the Qemu sbsa-ref machine, this commit
aligns it to use the neoverse-n2 cpu.
[1] b1d592e7b0
[2] 9845bd4541
Signed-off-by: Julien Olivain <ju.o@free.fr>
The SBSA Reference Platform was updated to neoverse-n2 (armv9.0a)
in Qemu v9.1 [1].
The Armv9-A and Neoverse N2 core support was added in Buildroot
commit [2].
Since the test_fwts uses the Qemu sbsa-ref machine, this commit
aligns it to use the neoverse-n2 cpu.
[1] b1d592e7b0
[2] 9845bd4541
Signed-off-by: Julien Olivain <ju.o@free.fr>
Take two patches from the Debian jxrlib package, and integrate them to
fix the build of the bundled jxrlib library found in the libfreeimage
package.
libfreeimage isn't exactly well maintained: its last version 3.18.0 is
quite old (July 2018), there's a fairly large number of tickets in the
bug tracker claiming to be CVE
reports (https://sourceforge.net/p/freeimage/bugs/), it is still using
SVN as the version control system.
However, it is used as an optional dependency for CEGUI, and a
mandatory dependency for Ogre. However, it no longer seems to be a
dependency for more recent versions of Ogre. But in any case it cannot
simply be dropped.
Fixes:
https://autobuild.buildroot.net/results/452462285bf93b13f092fb41696952f415e75b2f/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-8835:
A vulnerability was found in JasPer up to 4.2.5. Affected by this
vulnerability is the function jas_image_chclrspc of the file
src/libjasper/base/jas_image.c of the component Image Color Space
Conversion Handler. The manipulation leads to null pointer dereference.
It is possible to launch the attack on the local host. The exploit has
been disclosed to the public and may be used. The identifier of the
patch is bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52. It is recommended to
apply a patch to fix this issue.
For more information see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-8835
- bb7d62bd0a
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2023-51257:
An invalid memory write issue in Jasper-Software Jasper v.4.1.1 and
before allows a local attacker to execute arbitrary code.
For more information see:
- https://nvd.nist.gov//vuln/detail/CVE-2023-51257
- aeef5293c9
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This CVE is specific for the version 5.1.5 still present in Buildroot.
It has been fixed in 5.2.3 and thereby doesn't affects the other
versions available in Buildroot.
- CVE-2014-5461
Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through
5.2.x before 5.2.3 allows context-dependent attackers to cause a denial
of service (crash) via a small number of arguments to a function with a
large number of fixed arguments.
For more information see:
- https://security-tracker.debian.org/tracker/CVE-2014-5461
- https://udd.debian.org/patches.cgi?src=lua5.1&version=5.1.5-11
A patch present in Debian is used to address this vulnerability.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-53644:
OpenCV is an Open Source Computer Vision Library. Versions prior to
4.12.0 have an uninitialized pointer variable on stack that may lead
to arbitrary heap buffer write when reading crafted JPEG images.
Version 4.12.0 fixes the vulnerability.
https://www.cve.org/CVERecord?id=CVE-2025-53644
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE 'iputils_project:iputils' has been deprecated in favour of
'iputils:iputils'.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
We dropped support for python2 a while back in [1], as such we
can remove the python six module which was only needed for
backwards comaptibility with python2.
[1] 2743ce00ca
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: add commit ref removing python2 support]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add host-pkgconf dependency which is needed for finding openssl.
Set OPENSSL_NO_VENDOR=1 in the environment to ensure we use the
system openssl library.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
License has changed due to license change from regular MIT to
MIT-no-attribution:
67a170dc79
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop python-anyio runtime dependency which is now an optional
dependency of asyncclick. See:
ca93155e16
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: add commit reference for anyio dependency change]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Running the command:
make apitrace-patch
fails with error:
Applying 0003-Explicit-header-stdint.patch using patch:
patching file frametrim/ft_dependecyobject.hpp
Reversed (or previously applied) patch detected! Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file frametrim/ft_dependecyobject.hpp.rej
patching file retrace/metric_writer.cpp
Reversed (or previously applied) patch detected! Skipping patch.
1 out of 1 hunk ignored -- saving rejects to file retrace/metric_writer.cpp.rej
Commit [1] "package/apitrace: fix build with GCC 15.x" introduced a
package patch in the branch master while Buildroot was in RC cycle.
This same commit was cherry-picked in [2] in the branch "next" to also
apply cleanly the patch for commit [3] "package/apitrace: bump to
version 13".
The merge commit [4] kept the apitrace package patch
"0003-Explicit-header-stdint.patch".
This commit fixes the issue by removing this stale patch.
[1] a4b0913280
[2] bf55f4713e
[3] aec2f2ddc4
[4] 0af159ae2b
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Running the command:
make cpp-httplib-patch
fails with error:
Applying 0001-merge-commit-from-fork.patch using patch:
patching file httplib.h
Reversed (or previously applied) patch detected! Skipping patch.
2 out of 2 hunks ignored -- saving rejects to file httplib.h.rej
patching file test/test.cc
Hunk #1 FAILED at 42.
Hunk #2 FAILED at 2839.
Hunk #3 FAILED at 3624.
3 out of 3 hunks FAILED -- saving rejects to file test/test.cc.rej
Commit [1] "package/cpp-httplib: add patch for CVE-2025-46728"
introduced a package patch in the branch next while Buildroot was in
RC cycle. Just after, commit [2] "package/cpp-httplib: bump to
v0.25.0", also in branch next, removed this package patch.
This commit [1] was cherry-picked in [3] in the branch master, to
apply only the security fix for the 2025.08 release.
The merge commit [4] kept the cpp-httplib package patch
"0001-merge-commit-from-fork.patch".
This commit fixes the issue by removing this stale patch.
Fixes:
https://autobuild.buildroot.org/results/5b9843089ade428997035e49817208ce9c09a10e
[1] aea7c89396
[2] 519d03657c
[3] fd313c4ceb
[4] 0af159ae2b
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The "board/arm/foundation-v8/readme.txt" board documentation file [1]
recommends to start the Foundation_Platform emulator with a nat
network, but the corresponding defconfig does include the dhcp
network configuration for the network interface.
This commit adds the "eth0" interface to be configured by DHCP
at boot, in order to have a working network connectivity.
[1] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.08/board/arm/foundation-v8/readme.txt#L39
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog:
git log --oneline ac6742520d..b621b157b4
b621b15 aarch64: Enable access into FEAT_SPE_FDS register from EL2 and below
785302c aarch64: Enable use of ZT0
7f5a545 aarch64: Enable use of FPMR
0f3a153 aarch64: shuffle ID_AA64PFR{0,1}_EL1 definitions
0e78492 Makefile: Ensure initrd parameters in /chosen are up-to-date
1571345 aarch64: Enable access into FEAT_PMUv3p9 registers from EL2 and below
e1b9137 aarch64: Enable access into FEAT_FGT2 registers from EL2 and below
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since boot-wrapper-aarch64 introduction in commit [1]
"boot-wrapper-aarch64: new package", the package never received a hash
file. This commit adds it, including the source archive and license
hashes.
[1] 7689b72e00
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit [1] ("package: replace git:// URLs with https://
URLs where possible") switched _SITE URL from git to https, but did
not updated the package homepage in Config.in.
This commit updates it to match the package _SITE URL.
[1] 6626bf7c5f
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
From the release notes
(https://github.com/redis/redis/blob/8.2.1/00-RELEASENOTES)
=============================================================
8.2.1 (v8.2.1) Committed Mon 18 Aug 2025 12:00:00 IST
=============================================================
Update urgency: `MODERATE`: Program an upgrade of the server, but it's not urgent.
- #14240 `INFO KEYSIZES` - potential incorrect histogram updates on cluster mode with modules
- #14274 Disable Active Defrag during flushing replica
- #14276 `XADD` or `XTRIM` can crash the server after loading RDB
- #Q6601 Potential crash when running `FLUSHDB` (MOD-10681)
- Query Engine - LeanVec and LVQ proprietary Intel optimizations were removed from Redis Open Source
- #Q6621 Fix regression in `INFO` (MOD-10779)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog: https://github.com/libgeos/geos/releases/tag/3.14.0
Bump minimal GCC version to 7. (Switched to C++17 as minimum requirement)
e142764b77
Since commit 26292ce880
libgeos uses fenv.h to catch FPU exceptions. Some libc implementation may
have no fenv support. So add a patch to detect fenv.h availability.
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
[Julien:
- reformat patch title to fix check-package error
- add Upstream header in patch to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt
Notable changes related to policycoreutils: none.
However, in terms of packaging, there's a change: the top-level
Makefile of policycoreutils now uses pkg-config to find libselinux and
libsemanage. So building directly the subdirs no longer works because
the variables defined by the top-level Makefile are no longer set. So
we simplify the whole packaging by building from the top-level
Makefile. In order for this pkg-config to work for the host variant,
we need to pass $(HOST_MAKE_ENV) in the environment of make, so we
also did the same for consistency with $(TARGET_MAKE_ENV).
In terms of dependencies: policycoreutils directly links with
libselinux, libsemanage and libsepol, so all three are needed for both
the target and host variants. And host-pkgconf is now needed for the
host variant, as it's used to detect the dependent libraries.
The patches also need to be refreshed, except 0003 that is dropped
since it was a backport from upstream.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
merge policycoreutils
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
https://github.com/SELinuxProject/selinux/releases/download/3.9/RELEASE-3.9.txt
Notable changes for libsepol:
* libsepol: Add new 'netif_wildcard' policy capability
* libsepol: Allow multiple policycap statements
* libsepol: Support genfs_seclabel_wildcard
We can drop our patch since SELinux now has an official DISABLE_SHARED
variable to do a static-only build (but it needs a 'y' value and not a
'1' value like our previous variable needed).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
policycoreutils uses getpass(), which with musl is only defined with
some feature macro defined, such as _GNU_SOURCE. So let's pick-up an
upstream fix to address this issue.
There are no autobuilder failures, the issue was most likely hidden by
other failures with musl affecting the SELinux stack.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The build of libsemanage on musl configurations fails with:
direct_api.c: In function 'semanage_direct_install_file':
direct_api.c:1746:20: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
1746 | filename = basename(path);
| ^~~~~~~~
This fails to build even with a GCC 14.x toolchain, even with
libsemanage 3.7, which is the version we have in our LTS branch.
Let's backport an upstream patch fixing this issue.
Fixes:
https://autobuild.buildroot.net/results/913852e35c925888ced37e15be3731b9d3963019/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Luvi 2.14.0 fails to build with GCC 14.x for several reasons due to
too old lua-openssl 0.8.2-0 submodule:
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/ocsp.c: In function 'openssl_ocsp_request_read':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/ocsp.c:124:29: error: passing argument 1 of 'PEM_ASN1_read_bio' from incompatible pointer type [-Wincompatible-pointer-types]
124 | OCSP_REQUEST *req = pem ? PEM_read_bio_OCSP_REQUEST(bio, NULL, NULL)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| |
| char * (*)()
Fixed in lua-openssl by [1].
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/x509.c: In function 'openssl_push_general_name':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/x509.c:377:45: error: passing argument 2 of 'openssl_push_asn1type' from incompatible pointer type [-Wincompatible-pointer-types]
377 | openssl_push_asn1type(L, general_name->d.x400Address);
| ~~~~~~~~~~~~~~~^~~~~~~~~~~~
| |
| ASN1_STRING * {aka struct asn1_string_st *}
Fixed in lua-openssl by [2].
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/openssl.c: In function 'luaclose_openssl':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/stdatomic.h:387:9: error: implicit declaration of function '__c11_atomic_fetch_sub'; did you mean '__atomic_fetch_sub'? [-Wimplicit-function-declaration]
387 | __c11_atomic_fetch_sub(object, operand, order)
Fixed in lua-openssl by [3].
Instead of fixing one by one each issues, update to the latest release
that include lua-openssl 0.9.0-0. Luvi v2.15.0 still have some GCC 14.x
issues, backport two additional patches.
Download luvi sources using git method since the release archive
no longer include the release version in its name [4].
Luvi switched to PCRE2 [5], update the optional dependency.
Update TestLuvi to select PCR2 package.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124430 (TestLuvi)
[1] bfeedbe8c0
[2] e5b5420cc5
[3] cfcaa16d1a
[4] https://github.com/luvit/luvi/releases/download/v2.15.0/luvi-source.tar.gz
[5] https://github.com/luvit/luvi/releases/tag/v2.15.0
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issue:
- CVE-2025-58050: PCRE2: heap-buffer-overflow read in match_ref due to
missing boundary restoration in SCS
Compared to 10.45, this release has only a minimal code change to prevent a
read-past-the-end memory error, of arbitrary length. An attacker-controlled
regex pattern is required, and it cannot be triggered by providing crafted
subject (match) text. The (*ACCEPT) and (*scs:) pattern features must be
used together.
Release 10.44 and earlier are not affected.
https://github.com/PCRE2Project/pcre2/security/advisories/GHSA-c2gv-xgf5-5cc2https://www.cve.org/CVERecord?id=CVE-2025-58050
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add link to CVE in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The last mariadb version bump [1] added -DHAVE_SYSTEM_LIBFMT_EXITCODE=0
to workaround cross-compiling issue during libfmt cmake check.
But it actually requies at least cmake >= 3.30 to work.
Indeed, our docker image used by Gitlab-CI uses cmake 3.25.1 and
segfault while testing for libfmt.
-- Performing Test HAVE_SYSTEM_LIBFMT
/bin/bash: line 1: 163369 Segmentation fault
$ cmake --version
cmake version 3.25.1
Using the same TestPerlDBDmysql configuration locally with
cmake 3.30.8 installed build fine.
Looking at cmake cmTryRunCommand.cxx history from 3.30.x show that
several fixes about cross-compiling isses were applied to cmake 3.26.x
[2] probably solving the issue. Requires BR2_HOST_CMAKE_AT_LEAST_3_30
for now, since only cmake 3.30.8 installed locally was tested.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124486 (TestPerlDBDmysql)
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124439 (TestMariaDB)
[1] 6cd8f95346 ("package/mariadb: bump version to 10.11.11")
[2] https://gitlab.kitware.com/cmake/cmake/-/commits/v3.30.9/Source/cmTryRunCommand.cxx?ref_type=tags
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
xlib_xtrans clients (for example xserver_xorg-server) are failing to
compile with gcc 15.1.0.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XSERVER_XORG_SERVER=y
EOF
make olddefconfig
make xserver_xorg-server
which outputs the compilation error:
auth.c: In function 'GenerateRandomData': auth.c:320:5: warning:
ignoring return value of 'read' declared with attribute
'warn_unused_result' [-Wunused-result] 320 | read(fd, buf, len);
| ^~~~~~~~~~~~~~~~~~ In file included from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/string.h:548,
from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xos.h:62,
from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtrans.h:54,
from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtransint.h:79,
from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/transport.c:55,
from xstrans.c:17: In function 'strncpy', inlined from
'_XSERVTransGetHostname' at
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtrans.c:1351:5,
inlined from '_XSERVTransConvertAddress' at
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtransutil.c:188:12:
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/bits/string_fortified.h:100:10:
error: '__builtin_strncpy' offset [130, 319] from the object at 'name'
is out of the bounds of referenced subobject 'nodename' with type
'char[65]' at offset 65 [-Werror=array-bounds=] 100 | return
__builtin___strncpy_chk (__dest, __src, __len, |
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 101 |
__glibc_objsize (__dest)); |
~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/X11/Xtrans/Xtransint.h:105:
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/sys/utsname.h:
In function '_XSERVTransConvertAddress':
/home/wbx/buildroot/output/host/x86_64-buildroot-linux-gnu/sysroot/usr/include/sys/utsname.h:54:10:
note: subobject 'nodename' declared here 54 | char
nodename[_UTSNAME_NODENAME_LENGTH]; | ^~~~~~~~ cc1: some
warnings being treated as errors make[2]: *** [Makefile:696: xstrans.lo]
Error 1 make[2]: *** Waiting for unfinished jobs.... make[2]: Leaving
directory
'/home/wbx/buildroot/output/build/xserver_xorg-server-21.1.18/os'
make[1]: *** [Makefile:796: all-recursive] Error 1 make[1]: Leaving
directory '/home/wbx/buildroot/output/build/xserver_xorg-server-21.1.18'
make: *** [package/pkg-generic.mk:273:
/home/wbx/buildroot/output/build/xserver_xorg-server-21.1.18/.stamp_built]
Error 2
The update fixes the compile error.
See here for changes:
https://lists.x.org/archives/xorg/2025-March/061900.html
The COPYRIGHT was updated from 2005 to 2025.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Using /dev/null as file source because the package doesn't provide a default
systemv service configuration file.
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
[Julien: remove S43htpdate .checkpackageignore entry
to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove libgtk2, we need to first drop support for
gtk2 in yad. It continues to support gtk3.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: simply .mk file: BR2_PACKAGE_LIBGTK3_X11 is always true]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove the libgtk2 package, we must first remove
sylpheed which requires libgtk2.
Even though there has been some upstream activity as recent as three
years ago, the package hasn't been updated for libgtk3.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, we need to drop the optional
dependency of putty on libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, we need to first remove support for
the gtk2 backend of pinentry, which this patch does.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, we need to drop libgtk2 support
from opencv4. gtk3 support remains in place.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
[Arnout: add legacy handling]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, we need to drop libgtk2 support from
opencv3. gtk3 support remains in place.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: add legacy handling.]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove the libgtk2 package, let's drop the gtk
frontend from netsurf. It is worth mentioning that the gtk3 frontend
remains in place as an alternative.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop the optional dependency
of mjpegtools on libgtk2, and forcefully disable gtk support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This window manager requires libgtk2, which we are about to remove, so
let's drop metacity.
Although metacity is still actively developed on gnome.org, it hasn't
seen an update in Buildroot since 2011, so probably nobody is using it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop the optional dependency
of lv2 on libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
libsexy requires libgtk2, which we're about to remove, so let's drop
libsexy. The last release was in 2007.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
libglade requires libgtk2, which we're about to remove, so let's drop
libglade. The last release was in 2009 and it doesn't exist any more on
gitlab.gnome.org.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, the libfm and pcmanfm packages need
to be adjusted so that they work with libgtk3 only. This requires a
bit of re-arrangment of the dependencies, to properly propagate the
libgtk3 dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to drop libgtk2, let's remove the optional dependency
of libcanberra to libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This package needs libgtk2, which we are about to remove.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This package requires libgtk2, which we are about to remove.
It has not seen an update in 20 years.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Arnout: add legacy handling.]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop the optional dependency
of gtkiostream on libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop gtk2-engines, which
obviously relies on libgtk2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The gkrellm client needs libgtk2, which we are about to drop from
Buildroot.
Even though gkrellm has a somewhat active upstream at
https://git.srcbox.net/gkrellm/gkrellm, it isn't clear whether it is
compatible with Gtk 3 or not.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Arnout: reword help text, drop legacy for BR2_PACKAGE_GKRELLM_SERVER]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we're about to remove libgtk2, let's drop the wmgui support from
cwiid, which is libgtk2 only.
Note that cwiid hasn't seen a commit in the past 16 years, so there's
no real hope to see wmgui fixed to have support for a more recent Gtk
version. And perhaps this separately calls for removing cwiid
entirely from Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
As we are about to drop support for libgtk2, let's drop the reference
to libgtk2 from the adwaita-icon-theme package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This bump, with the exception of the 5.4 series, fixes the VMSCAPE bug:
CVE-2025-40300.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Remove support for aufs, as it is outdated and unmaintained in Buildroot.
Users are encouraged to use overlayfs in place of aufs.
This patch removes support for aufs package providing sources for
the kernel extension, the related Buildroot kernel extension configuration,
as well as the userspace utilities.
This also allows to remove some special cases in configuration utilities.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Romain: fix legacy handling text]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The symlink bin/lld -> $(GNU_TARGET_NAME)/bin/lld is broken inside a
SDK containing host-lld package. The symlink still points to the
location of lld inside the build's host folder instead of the location
of lld inside the SDK. In consequence GCC is not able to find lld
linker. Changing the symlink to be relative during host-lld
installation fixes the problem.
Signed-off-by: Victor Krawiec <victor.krawiec@arturia.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toolchain is more than 7 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. There are still some
alternatives in-tree, such as Bootlin toolchains
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toolchain is more than 7 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. There are still some
alternatives in-tree, such as ARM and Bootlin toolchains
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Romain:
- rename TestExternalToolchainLinaroArm to TestExternalToolchainArmGnu
- update toolchain prefix arm-linux-gnueabihf to arm-none-linux-gnueabihf
- replace BR2_TOOLCHAIN_EXTERNAL_LINARO_ARM by BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_GLIBC_STABLE
since the ARM toolchain can't be enabled due to missing NEON support
]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toolchain is more than 7 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. There are still some
alternatives in-tree, such as ARM and Bootlin toolchains
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toolchain is more than 7 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. There are still some
alternatives in-tree, such as ARM and Bootlin toolchains
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This toollchain is almost 10 years old now, and not maintained anymore.
Let's therefore remove it from Buildroot. Newer maintained external
toolchains for MIPS are still available from Bootlin
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Romain: remove leftover link to binutils 2.27 bug 19908]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Without systemd package/docker-engine requires another way to mount
/sys/fs/cgroup, so far provided by BR2_PACKAGE_CGROUPFS_MOUNT for
cgroup v1. Replace this with BR2_PACKAGE_CGROUPFS_V2_MOUNT for cgroup
v2 support. 5.2 is the minimum recommended version for cgroup v2
support according to the Docker documentation: "v4.15 or later (v5.2
or later is recommended)" [1].
Depending on the selected container runtime users may need to adjust
kernel configurations to enable options required by that runtime with
cgroup v2 (e.g. CONFIG_CGROUP_BPF for runc).
Propagate dependencies accordingly: The Docker btrfs filesystem driver
does not need a separate and lower minimum headers version,
package/mender-update-modules needs to apply the new "depends on".
[1] https://docs.docker.com/engine/containers/runmetrics/#running-docker-on-cgroup-v2
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Since commit 947dbc92a2 the Bootlin
stable toolchain uses headers 5.4, which can lead to build outputs
incompatible with older kernels. Update to the latest 5.4 kernel to
avoid this. The kernel config is updated according to the requirements
of current Docker, runc, and crun.
Additionally switch the CPU of the test VM to Haswell, to avoid
dockerd failing to start with a "This program can only be run on AMD64
processors with v3 microarchitecture support" error.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
php-lua fails to build in buildroot 2025.08-rc3 on the following error:
in file included from [...]/usr/include/php/Zend/zend.h:32,
from [...]/usr/include/php/main/php.h:31,
from [...]/build/php-lua-2.0.7/lua.c:24:
[...]/build/php-lua-2.0.7/lua.c: In function ‘php_lua_write_property’:
[...]/build/php-lua-2.0.7/lua.c:247:37:
error: ‘val’ undeclared (first use in this function); did you mean
‘zval’?
247 | lua_pushlstring(L, ZSTR_VAL(val), ZSTR_LEN(val));
| ^~~
[...]/usr/include/php/Zend/zend_string.h:66:26:
note: in definition of macro ‘ZSTR_VAL’
66 | #define ZSTR_VAL(zstr) (zstr)->val
| ^~~~
[...]/build/php-lua-2.0.7/lua.c:247:37:
note: each undeclared identifier is reported only once for each function
it appears in
247 | lua_pushlstring(L, ZSTR_VAL(val), ZSTR_LEN(val));
| ^~~
[...]/usr/include/php/Zend/zend_string.h:66:26:
note: in definition of macro ‘ZSTR_VAL’
66 | #define ZSTR_VAL(zstr) (zstr)->val
| ^~~~
make[2]: *** [Makefile:214: lua.lo] Error 1
The issue triggers only if lua interpreter version is lower than 5.2. In
this case, php_lua_write_property calls ZSTR_VAL on the wrong variable.
Fix php-lua build by calling ZSTR_VAL on the correct variable.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124501 (TestPhpLuaLuajit)
Suggested-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Romain: add link to failing TestPhpLuaLuajit]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump to the latest tagged version of ti-linux-firmware to pull in
updates for TI's DM and TIFS firmware for TI's K3 processors
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The git.ti.com cgit server continues to be plagued with reliability
issues which are reportedly from heavy bot traffic. To combat this the
system administrators have removed the archived downloads feature from
this server.
Switch to TI's Github mirror so new downloads continue to be possible.
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
In all theory, we could iterate over CNI_PLUGINS_INSTALL_BINS, which
already contains the basenames $(notdir) of the binaries to install,
but *_INSTALL_BINS is now an internal implementation detail, and
can't be guaranteed to be stable.
Hence, iterate over the list of targets, and somewhat duplicate the
install commands from the infra, using make's $(notdir) rather than
calling to the shell's to call basename.
Note: we need to stop setting _INSTALL_BINS, as a following commit will
check that it is not explicitly set, and fail otherwise.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Christian Stewart <christian@aperture.us>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Now that the pkg-golang infra automatically sets _INSTALL_BINS by
default to the list of notdir of _BUILD_TARGETS, there is no need to do
that in packages anymore.
Most packages were already using the notdir construct, so those are
trivially fixed; a few had a hard-coded list that matched the built
targets list, so they too are trivially fixed.
host-mender-artifact was slightly different, in that it explicitly set
the _BIN_NAME to mender-artifact, which happens to be the default; it
also set _INSTALL_BINS to _BIN_NAME, so again using the default. This
package can also be fixed easily.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Angelo Compagnucci <angelo.compagnucci@gmail.com>
Cc: Christian Stewart <christian@aperture.us>
Cc: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, when a golang package defines multiple _BUILD_TARGETS, it has
to basically repeat the same list in its _INSTALL_BINS.
When a golang package defines multiple _BUILD_TARGETS, the pkg-golang
infra will forcibly use the basename (the notdir) of each target as the
name of the generated binary; there is no option to set a per-target
binary name.
However, the pkg-golang infra by default tries to install a binary named
after the package rawname. This forces packages to basically repeat the
same list as their _BUILD_TARGETS to override _INSTALL_BINS, when the
list of generated binaries is already known to the infra.
We change the pkg-golang infra to better cover such a case:
- if _BUILD_TARGET is '.' (the default), keep the current scheme:
install a single binary named after the package rwaname;
- if _BUILD_TARGET is not '.', and contains a single word, use the
notdir of the built target, but allow the user to override it with
_BIN_NAME (the current behaviour);
- otherwise (_BUILD_TARGETS is set to more than one word), do not
allow the user to set _BIN_NAME (it does not make sense), but set
_INSTALL_BINS by default to the notdir of _BUILD_TARGETS.
We still allow the user to set _INSTALL_BINS in the last case, to cover
the case for existing packages; those are going to be "fixed" in the
following commits.
We now consider that _INSTALL_BINS is an internal implementation details
that should no longer be exposed to the users, so we drop it from the
documentation; we rephrase the corresponding part for _BUILD_TARGETS.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Christian Stewart <christian@aperture.us>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Re-introduce the 2025.05.x branch on the downloads page, which was
removed with the 2025.08 release.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Since the bump to Python 3.13.2 in commit
d63e207eb8, there is a runtime assertion
in Python when the toolchain doesn't support time64 [1]. The only such
toolchain is one with uClibc and linux headers < 5.1.
Encoding this dependency in Config.in was deemed to complicated (cfr.
commit ffd0028031).
Instead, do a build-time check of the same condition. The check itself
is a bit complicated, but it is localized to python3.mk and doesn't need
to be propagated to all reverse dependencies.
Testing such a corner case toolchain is a bit complicated. It can be
done with the following configuration.
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://toolchains.bootlin.com/downloads/releases/toolchains/armv7-eabihf/tarballs/armv7-eabihf--uclibc--stable-2018.02-1.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_6=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_1=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_PACKAGE_PYTHON3=y
It needs to be built in an environment that has libmpfr.so.4 installed
as the pre-built toolchain from that era did not include it. An easy
way to achieve this is to build this configuration under an old
Buildroot Docker container:
IMAGE=buildroot/base:20180205.0730 ./utils/docker-run make python3
With a build-time check, the autobuilders could get build failures when
generating such a config. However, the autobuilders cannot use a
toolchain with this configuration (they only use more recent
toolchains). Therefore, no update to genrandconfig is needed.
[1] https://gitlab.com/buildroot.org/buildroot/-/issues/95#note_2348479811
Cc: Vincent Fazio <vfazio@xes-inc.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the TestMicroPython segfault when testing if micropython can return a
non-zero exit code.
micropython -c "import sys ; sys.exit(123)"
This issue is related to the gcc version used to build micropython
(gcc 14 or newer). Using gcc 13 (like Bootlin toolchain 2024.05-1
previously used) micropython run without issue.
The issue has been reported upstream [2] and fixed in newer micropython
releases [3]. For now, apply a temporary workaround (suggested in the
bug report) using -DMICROPY_NLR_SETJMP=1 only for gcc 14 or newer.
MICROPY_NLR_SETJMP avoid the architecture specific implementation of
nlr_push.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11176774762 (TestMicroPython)
[1] 947dbc92a2
[2] https://github.com/micropython/micropython/issues/14115
[3] 35f3f0a87d
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
TestRelroPartial is broken since the last checksec update to 2.7.1 [1]
(Buildroot 2024.08) due to a relro check fix [2] that doesn't work for
powerpc architecture where .got.plt doesn't exist for some reasons
(that's why the expected result "full" is replaced by "Partial").
From [3]:
if ${readelf} -d "${1}/exe" 2> /dev/null | grep -q 'BIND_NOW' || ! ${readelf} -l "${1}/exe" 2> /dev/null | grep -q '\.got\.plt'; then
echo_message '\033[32mFull RELRO \033[m ' 'Full RELRO,' ' relro="full"' '"relro":"full",'
else
echo_message '\033[33mPartial RELRO\033[m ' 'Partial RELRO,' ' relro="partial"' '"relro":"partial",'
checksec tool is problably tested upstream on more common architectures
like x86_64 or aarch64 than powerpc64 e5500. This may explain why
checksec broke on powerpc64 e5500 target.
Also, the Booltin powerpc64-e5500--glibc--stable-2018.02-2 toolchain
used by test_hardening tests was not updated since the hardening tests
were introduced back in 2018.11 release.
So, switch to the current Bootling aarch64 stable toolchain
(currently Bootlin aarch64 glibc stable 2025.08-1).
Checked that all 6 hardening tests pass with this new toolchain:
tests.core.test_hardening.TestFortifyConserv
tests.core.test_hardening.TestFortifyNone
tests.core.test_hardening.TestRelro
tests.core.test_hardening.TestRelroPartial
tests.core.test_hardening.TestSspNone
tests.core.test_hardening.TestSspStrong
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11176773995 (TestRelroPartial)
[1] 6150564974
[2] 1c80e39c49
[3] 1c80e39c49 (diff-9e8d1b28dfaf1c704560ac51a5613b70d70de2dcd84e87b9fa20f28811e6484aL1491)
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
iozone releases 3.507 and 3.508 seems to be only build fixes releases
for latest GCC compiler version but since there is no public vcs
it's not easy to review the history between releases and backport
any patches.
Based on the changelog from [1]:
Revision 3.507
Fix GCC compile warnings.
Revision 3.508
Put an end to the (&*% stupid GCC breaking builds for no valid reason.
So bump to the latest 508 release.
Rebase 0001-Add-new-targets-for-iozone.patch
Rebase 0002-fix-build-without-aio.patch and convert to git format
The TestIozone build issue is not yet fixed by the version bump [2].
[1] https://www.iozone.org/src/current/Changes.txt
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/11176774405
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an option to install the firmware files for Wifi in Mediatek
MT7986 SOC, which are present on BananaPi r3.
Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien:
- fix tabs/spaces to remove check-package errors
- move config to keep alphabetical order
- add info in .mk comment
- reindent LINUX_FIRMWARE_FILES
- move .mk block to keep alphabetical order
- fix license file to LICENCE.mediatek
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
- add firmware to support BE20x devices
- extend bluetooth helptext as it already includes the required firmwares
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
[Julien: reflow BR2_PACKAGE_LINUX_FIRMWARE_IBT help string
to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 759a08633e ("package/mbpfan: fix build on musl / uclibc-ng") added a
patch for musl / uclibc-ng, but the upstream patch did not correctly apply
to the 2.4.0 release, breaking the build.
Fix that. In the mean time the patch has been applied upstream, so add a
reference to the upstream commit.
Fixes:
https://autobuild.buildroot.net/results/785be6231c1edc4e5461ce083a3d65fd27fc5843/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Include the SoC model in both hostname and /etc/issue to match the
.dts file names.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Use a newer commit ID (2023-07-24). While not the latest, this commit
marks a significant milestone in the ongoing development and support
of AST2600 SoC boards.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Linux images are growing larger, and the current kernel partition size
of 4352K is no longer sufficient. Increase the partition size to
accommodate the larger images.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Linux 6.5 moved .dts files to vendor sub-directories, adjust the
post-image.sh script to take into account the 'aspeed/' prefix in .dts
file names.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Julien Olivain <ju.o@free.fr>
We're bumping from version 10 to 13.
Version 11 doesn't really have release notes.
Version 12: https://github.com/apitrace/apitrace/releases/tag/12.0
Version 13: https://github.com/apitrace/apitrace/releases/tag/13.0
Patch 0001-thirdparty-libbacktrace-backtrace-h-include-config.h.patch
no longer makes sense: config.h no longer exists, and building with
musl works fine without it.
Both patches 0002 and 0003 were backport from upstream, so they can be
dropped.
We must switch from downloaded the auto-generated Github tarball to
fetching using Git, as fetching submodules is now mandatory to get
some bundled thirdparty libraries (yerk).
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This version builds fine with GCC 15.x, without passing -std=gnu99.
Changes are described at
https://web.mit.edu/Kerberos/www/krb5-1.22/. Most relevant details:
User experience
The libdefaults configuration variable "request_timeout" can
be set to limit the total timeout for KDC requests. When
making a KDC request, the client will now wait
indefinitely (or until the request timeout has elapsed) on a
KDC which accepts a TCP connection, without contacting any
additional KDCs. Clients will make fewer DNS queries in some
configurations.
The realm configuration variable "sitename" can be set to
cause the client to query site-specific DNS records when
making KDC requests.
Administrator experience
Principal aliases are supported in the DB2 and LMDB KDB
modules and in the kadmin protocol. (The LDAP KDB module has
supported aliases since release 1.7.)
UNIX domain sockets are supported for the Kerberos and kpasswd
protocols.
systemd socket activation is supported for krb5kdc and kadmind.
Developer experience
KDB modules can be be implemented in terms of other modules
using the new krb5_db_load_module() function.
The profile library supports the modification of empty
profiles and the copying of modified profiles, making it
possible to construct an in-memory profile and pass it to
krb5_init_context_profile().
GSS-API applications can pass the GSS_C_CHANNEL_BOUND flag to
gss_init_sec_context() to request strict enforcement of
channel bindings by the acceptor.
Protocol evolution
The PKINIT preauth module supports elliptic curve client
certificates, ECDH key exchange, and the Microsoft paChecksum2
field.
The IAKERB implementation has been changed to comply with the
most recent draft standard and to support realm discovery.
Message-Authenticator is supported in the RADIUS
implementation used by the OTP kdcpreauth module.
Code quality
Removed old-style function declarations, to accomodate
compilers which have removed support for them.
Added OSS-Fuzz to the project's continuous integration
infrastructure.
Rewrote the GSS per-message token parsing code for improved
safety.
This commit also updates the NOTICE license file hash after year update
and few other minor reformatting.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: update NOTICE license file hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The memory leak patch is included with the Linux 6.12.40 release tag, so it no
longer needs to be applied to these defconfigs:
9691533f6e
Also, since all Xilinx defconfigs have been bumped to Linux 6.12.40 with this
patch, the Linux 6.12.10 (2025.1) hash can be removed along with the
Linux 6.12.10 memory leak patch.
This patch has been run tested on the versal vek280 evaluation board.
This patch has been run tested on the versal vck190 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In the process of bumping Linux kernel 6.12.10 to 6.12.40, the size of the
default Linux kernel Image file for versal products is increasing from 23.4M
to 26.9M. This is leaving limited free space in the vfat partition meaning
users may unknowingly exceed the 32M size by just adding Linux kernel configs.
To avoid potential problems, this patch doubles the size of the vfat partition
to 64M, which should be plenty of space for any configuration.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bat pulls in the onig crate (version 6.4.0) through syntect with the
default "regex-onig" feature. This crate depends on the Oniguruma C
library (via onig_sys), which fails to build with GCC 15 due to C23
keyword conflicts. Newer versions of onig fix this issue, but bat
cannot directly update the onig version because it is pinned by syntect.
To resolve the build failure, apply a patch that replaces the
"regex-onig" feature with "regex-fancy" in bat's minimal-application
feature set. This switches bat to use the pure-Rust fancy-regex engine
instead of Oniguruma, avoiding the problematic onig_sys dependency.
Fixes:
https://autobuild.buildroot.net/results/ecc/ecc3b0c83e691e9a8ed5c7ff9d0a92ee06409f20
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
openal 1.22.0 does not build with GCC 15.x, but the backport of the
fixes to 1.22.0 turns out to be too complicated, so let's bump to
1.24.3 instead.
Since 1.24.3 uses C++17, and after testing with GCC 7.x, then GCC 8.x
then GCC 9.x, we found out that GCC 9.x at least is
necessary. Therefore, reverse dependencies are updated accordingly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On the autobuilder the mariadb package fails to build when the
BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160 variable is not set.
See the following autobuilder error:
```
/workdir/instance-0/output-1/build/mariadb-10.11.11/libmariadb/libmariadb/secure/openssl_crypt.c: In function 'ma_hash_get_algorithm':
/workdir/instance-0/output-1/build/mariadb-10.11.11/libmariadb/libmariadb/secure/openssl_crypt.c:40:12: error: implicit declaration of function 'EVP_ripemd160'; did you mean 'LN_ripemd160'? [-Wimplicit-function-declaration]
40 | return EVP_ripemd160();
| ^~~~~~~~~~~~~
| LN_ripemd160
/workdir/instance-0/output-1/build/mariadb-10.11.11/libmariadb/libmariadb/secure/openssl_crypt.c:40:12: error: returning 'int' from a function with return type 'const EVP_MD *' {aka 'const struct evp_md_st *'} makes pointer from integer without a cast [-Wint-conversion]
40 | return EVP_ripemd160();
| ^~~~~~~~~~~~~~~
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBOPENSSL=y
# BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160 is not set
BR2_PACKAGE_MARIADB=y
EOF
make olddefconfig
make mariadb
```
This patch adds a requirement to the RMD160 crypto for the MariaDB
package.
Fixes: https://autobuild.buildroot.org/results/f2b/f2b749cb7019856c5434c27987e8bfb2dc179cda
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The build of avrdude sometimes fails with:
avrdude: installs files in /home/autobuild/autobuild/instance-1/output-1/target//home/autobuild/autobuild/instance-1/output-1
This is due to an issue in the installation logic for the Python
code. However, our avrdude.mk doesn't explicitly support building
avrdude's Python support, so it's really only by luck (or lack
thereof) that sometimes host-swig and python3 end up built before
avrdude, causing avrdude to build its Python support, which installs
at the wrong location.
In order to address this, we add a small patch, submitted upstream,
that allows to explicitly disable Python support, which we then use in
avrdude.mk.
The actual Python issue can be investigated at a later point if
someone needs it. But in any case, being able to explicitly disable
Python support if not needed is useful.
Fixes:
http://autobuild.buildroot.net/results/f18d47289d8b4dee768275a468c25b4f4399cf8c/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes https://autobuild.buildroot.net/results/f32ae62961aac7e8344f4be109040e7de2eb415e/
The openssl logic in ecryptfs uses the openssl engines API, which is always
available in libressl, but only available in libopenssl when
BR2_PACKAGE_LIBOPENSSL_ENGINES is enabled, leading to build failures when it
is not:
ecryptfs_key_mod_openssl.c: In function 'ecryptfs_openssl_read_key':
ecryptfs_key_mod_openssl.c:305:9: error: implicit declaration of function 'ENGINE_load_builtin_engines' [-Wimplicit-function-declaration]
305 | ENGINE_load_builtin_engines();
Fix it by only passing --enable-openssl if libressl or (libopenssl + engines
support) is enabled.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes https://autobuild.buildroot.net/results/9d4e2f156d76e2acc83e3a25adb5e5cf0705e7c6/
configure:781: checking whether the C compiler (/home/buildroot/instance-0/output-1/host/bin/armeb-buildroot-linux-gnueabi-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Og -g0 -D_FORTIFY_SOURCE=1 ) works
configure:797: /home/buildroot/instance-0/output-1/host/bin/armeb-buildroot-linux-gnueabi-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Og -g0 -D_FORTIFY_SOURCE=1 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 conftest.c 1>&5
configure:794:1: error: return type defaults to 'int' [-Wimplicit-int]
794 | main(){return(0);}
| ^~~~
configure: failed program was:
#line 792 "configure"
#include "confdefs.h"
main(){return(0);}
Wipe uses a very old configure script where the compile checks are missing
the return type on main(), breaking the configure step with >= gcc-15.
As a workaround, use AUTORECONF to regenerate the configure script.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a major version bump, because it could break user code that depends
on the (wrong) previous logic fixed by the new release
See the release notes:
- https://github.com/corydolphin/flask-cors/releases/tag/6.0.0
- https://github.com/corydolphin/flask-cors/releases/tag/6.0.1
This fixes the following vulnerabilities:
- CVE-2024-6839:
corydolphin/flask-cors version 4.0.1 contains an improper regex path
matching vulnerability. The plugin prioritizes longer regex patterns
over more specific ones when matching paths, which can lead to less
restrictive CORS policies being applied to sensitive endpoints. This
mismatch in regex pattern priority allows unauthorized cross-origin
access to sensitive data or functionality, potentially exposing
confidential information and increasing the risk of unauthorized
actions by malicious actors.
https://www.cve.org/CVERecord?id=CVE-2024-6839
- CVE-2024-6844:
A vulnerability in corydolphin/flask-cors version 4.0.1 allows for
inconsistent CORS matching due to the handling of the '+' character in
URL paths. The request.path is passed through the unquote_plus
function, which converts the '+' character to a space ' '. This
behavior leads to incorrect path normalization, causing potential
mismatches in CORS configuration. As a result, endpoints may not be
matched correctly to their CORS settings, leading to unexpected CORS
policy application. This can cause unauthorized cross-origin access or
block valid requests, creating security vulnerabilities and usability
issues.
https://www.cve.org/CVERecord?id=CVE-2024-6844
- CVE-2024-6866:
corydolphin/flask-cors version 4.01 contains a vulnerability where the
request path matching is case-insensitive due to the use of the
`try_match` function, which is originally intended for matching hosts.
This results in a mismatch because paths in URLs are case-sensitive,
but the regex matching treats them as case-insensitive. This
misconfiguration can lead to significant security vulnerabilities,
allowing unauthorized origins to access paths meant to be restricted,
resulting in data exposure and potential data leaks.
https://www.cve.org/CVERecord?id=CVE-2024-6866
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes the following vulnerabilities:
- CVE-2023-5341:
A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.
https://www.cve.org/CVERecord?id=CVE-2023-5341
- CVE-2025-55004:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to version 7.1.2-1, ImageMagick is
vulnerable to heap-buffer overflow read around the handling of images
with separate alpha channels when performing image magnification in
ReadOneMNGIMage. This can likely be used to leak subsequent memory
contents into the output image. This issue has been patched in version
7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55004
- CVE-2025-55005:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to version 7.1.2-1, when preparing
to transform from Log to sRGB colorspaces, the logmap construction
fails to handle cases where the reference-black or reference-white
value is larger than 1024. This leads to corrupting memory beyond the
end of the allocated logmap buffer. This issue has been patched in
version 7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55005
- CVE-2025-55160:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1,
there is undefined behavior (function-type-mismatch) in splay tree
cloning callback. This results in a deterministic abort under UBSan
(DoS in sanitizer builds), with no crash in a non-sanitized build.
This issue has been patched in versions 6.9.13-27 and 7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55160
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes the following vulnerability:
- CVE-2025-6965:
There exists a vulnerability in SQLite versions before 3.50.2 where
the number of aggregate terms could exceed the number of columns
available. This could lead to a memory corruption issue. We recommend
upgrading to version 3.50.2 or above.
https://www.cve.org/CVERecord?id=CVE-2025-6965
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Even though this is not mentioned in the release notes:
- https://github.com/containers/netavark/releases/tag/v1.16.0
- https://github.com/containers/netavark/releases/tag/v1.16.1
According to https://bugzilla.redhat.com/show_bug.cgi?id=2383941,
the fix for the CVE has been merged upstream, and is in netavark
since v1.16.0.
This fixes the following vulnerability:
- CVE-2025-8283:
A vulnerability was found in the netavark package, a network stack for
containers used with Podman. Due to dns.podman search domain being
removed, netavark may return external servers if a valid A/AAAA record
is sent as a response. When creating a container with a given name,
this name will be used as the hostname for the container itself, as
the podman's search domain is not added anymore the container is using
the host's resolv.conf, and the DNS resolver will try to look into the
search domains contained on it. If one of the domains contain a name
with the same hostname as the running container, the connection will
forward to unexpected external servers.
https://www.cve.org/CVERecord?id=CVE-2025-8283
Also bump package/aardvark-dns in the same lockstep, as advised in
the packages .mk version comments.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
GCC-15 defaults to C23, which changes the meaning of an empty parameter
list:
https://gcc.gnu.org/gcc-15/porting_to.html#c23-fn-decls-without-parameters
Leading to a build failure:
tsserve.c: In function ‘set_child_exit_handler’:
tsserve.c:2988:21: error: assignment to ‘__sighandler_t’ {aka ‘void (*)(int)’} from incompatible pointer type ‘void (*)(void)’ [-Wincompatible-pointer-types]
2988 | action.sa_handler = on_child_exit;
Add a patch from an upstream PR to fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 0d643a8636 which removed the
BR2_PACKAGE_LIGHTTPD_LIBEV symbol was originally meant for next and
therefore introduced the "Legacy options removed in 2025.11" comment.
However, in the end it was still applied to master for 2025.08, so the
legacy symbol was incorrectly placed.
Fix that.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The github repo was deleted and moved to codeberg, so use that instead:
https://lwn.net/Articles/926101/
It is unclear if the auto generated tarballs from codeberg are reproducible,
so instead fetch through git.
[Peter: set _CPE_ID_VERSION to the correct value]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bufix release fixing a number of issues:
- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5489: Fix "make check" linking on Solaris
- Fix SNMP cacheNumObjCount -- number of cached objects
- Do not duplicate received Surrogate-Capability in sent requests
- Fix Mem::Segment::open() stub to fix build without shm_open()
- ... and CI and documentation updates
https://github.com/squid-cache/squid/releases/tag/SQUID_6_14
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Buildroot commit [1] updating qemu defconfigs from Kernel 6.6.32
to 6.12.9, qemu_aarch64_ebbr_defconfig, qemu_aarch64_sbsa_defconfig
and qemu_arm_ebbr_defconfig can fail to build with error:
/bin/sh: 1: python3: not found
make[7]: *** [drivers/gpu/drm/msm/Makefile:182: drivers/gpu/drm/msm/generated/a2xx.xml.h] Error 127
The issue can happen on build hosts without Python, and if the Linux
kernel is built before any package having host-python3 in its
dependencies (e.g. host-qemu, optee-os, ...).
Starting with Linux 6.10, the arm and arm64 architecture defconfigs need
python3 to build. [2]
This commit fixes this issue by adding
BR2_LINUX_KERNEL_NEEDS_HOST_PYTHON3=y in those defconfigs.
[1] 44075c1955
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=0fddd045f88e34d6160785a3a5e506d374566454
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Romain Naour <romain.naour@gmail.com>
[Julien:
- reword commit log to add the commit introducing the issue
- fix qemu_aarch64_sbsa_defconfig which has the same issue
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch fixes the CPE ID for both go-bin and go-src packages.
The go-src package did had a CPE ID because GO_SRC_CPE_ID_VENDOR is
defined but the generated CPE ID would be the following:
cpe:2.3:a:golang:go-src:*:*:*:*:*:*:*:*
The CPE product go-src doesn't match to anything and should be 'go'
instead.
For go-bin no CPE_ID variable were defined so no CPE ID would be
generated if using a pre-build toolchain.
This patch duplicate the definition of the CPE_ID variables, I didn't
put the definition in the 'package/go/go.mk' file to avoid generate a
CPE for the go virtual package.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes: https://autobuild.buildroot.net/results/9c40c86a42882a6d56eb6d6d1418781a980b6f8f/
The pthread support uses pthread_atfork(), which is not available on nommu:
cap-ng.c: In function 'init_lib':
cap-ng.c:225:9: error: implicit declaration of function 'pthread_atfork';
did you mean 'pthread_join'? [-Wimplicit-function-declaration]
So disable pthread support on nommu to fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Setting the "update" field in the CPE ID to * doesn't actually make
much sense, as * is a wildcard. Instead, this field should really
reflect the "subrelease" / "update" of the package, which unless
specified explicitly by the package .mk file, is empty.
Using a wildcard causes a few CVEs to be incorrectly identified as
affecting some of our packages.
For example https://nvd.nist.gov/vuln/detail/CVE-2013-1428 has a
CPE configuration that goes like this:
cpe:2.3:a:tinc-vpn:tinc:*:pre6:*:*:*:*:*:* up to including 1.1
and this CPE configuration is currently identified as affecting our
package. This isn't correct as our package is using 1.0.36, not a
"pre6" version. But because the CPE ID generated by Buildroot uses *
as the "update" field, and * is the wildcard, it does match with this
CPE configuration.
After this change, two CVEs are no longer identified as affecting
Buildroot packages:
https://nvd.nist.gov/vuln/detail/CVE-2013-1428https://nvd.nist.gov/vuln/detail/CVE-2017-9454
and in both cases they are indeed CVEs not affecting our package.
Reported-by: Titouan Christophe <titouan.christophe@mind.be>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Cc: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
These external linux drivers haven't seen any activity in Buildroot
for a while, and are anyway aimed at an old kernel version (4.19).
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Acked-by: David Lechner <david@lechnology.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Fixes: https://autobuild.buildroot.net/results/8d14173f31922a737c326be75aa24c9f9471342a/
The vde2 source code uses empty argument function pointer prototypes like:
typedef ssize_t (* ssize_fun)();
extern ssize_fun vdehist_vderead;
In C17 and earlier, such prototypes means unknown number of arguments,
whereas with C23 it means no arguments, leading to build failures:
libvdehist.c:39:27: error: initialization of 'ssize_fun' {aka 'long int
(*)(void)'} from incompatible pointer type 'ssize_t (*)(int, void *,
size_t)' {aka 'long int (*)(int, void *, long unsigned int)'}
[-Wincompatible-pointer-types]
Workaround it using -std=gnu99. Vde2 is provided both as a host and target
package, so do this unconditionally for both.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This patch bumps the zynqmp defconfigs to Linux 6.12.40.
The memory leak patch is included with the Linux 6.12.40 release tag, so it no
longer needs to be applied to these defconfigs:
9691533f6e
This patch has been run tested on the zynqmp zcu102 evaluation board.
This patch has been run tested on the kria kv260 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Now that the qspi.bin file is included for zynqmp images, the 32M vfat
partition is getting dangerously close to being full.
In the process of bumping Linux kernel 6.12.10 to 6.12.40, the size of the
default Linux kernel Image file for zynqmp products is increasing from 23.4M
to 26.9M. This is leaving less than 1M of free space in the vfat partition
meaning users may unknowingly exceed the 32M size by just adding Linux kernel
configs.
To avoid potential problems, this patch doubles the size of the vfat partition
to 64M, which should be plenty of space for any configuration.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This patch bumps the zynq defconfigs to Linux 6.12.40.
The memory leak patch is included with the Linux 6.12.40 release tag, so it no
longer needs to be applied to these defconfigs:
9691533f6e
This patch has been run tested on the zynq zc702 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
[Arnout: squash addition of the hash into the same patch]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This tool helps to update Linux stable releases.
The script uses the versions found in linux/linux.hash. For each of the
versions it downloads the related hash list and tries to find an updated
stable release. If found it updates all related files and hashes.
Signed-off-by: Gero Schwäricke <gero.schwaericke@grandcentrix.net>
[Arnout: commonalize the sed expression for linux and linux-headers]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Unbound is vulnerable to CVE-2025-5994: "Cache poisoning via the ECS-enabled
Rebirthday Attack" if built with --enable-subnet, which is not the case in
Buildroot, so mark it as not applicable.
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit fecc337d21,
re-adding optional support for pulseuadio in ffmpeg.
This is possible now that the circular dependency:
pulseaudio -> libsoxr -> ffmpeg -> pulseaudio
has been broken between libsoxr and ffmpeg.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Having support for ffmpeg in libsoxr causes several circular
dependencies:
- pulseaudio -> libsoxr -> ffmpeg -> pulseaudio
(This one was worked around in
fecc337d21 by dropping the ffmpeg ->
pulseaudio dependency, but it's annoying as being able to output
audio from ffmpeg into pulseaudio seems useful)
- libopenmpt -> pulseaudio -> libsoxr -> ffmpeg -> libopenmpt
(This is one exists, and is fixed by this commit)
To fix both circular dependencies, we propose to drop the dependency
of libsoxr on ffmpeg, which is used to get some optimized FFT
implementation. While not being useless, this is the point where
breaking the dependency seems the most logical.
Neither Debian nor Fedora build libsoxr with ffmpeg support.
In order to achieve that, we add a new patch making the option
WITH_AVFFT actually effective. Since we no longer build against
ffmpeg, the previously added patch that was fixing the pkg-config file
is no longer needed.
Fixes:
https://autobuild.buildroot.net/results/bbfce69f35cafd56245ebeae79086a8b64592a16/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
A missing include causes a build failure with GCC 15.x. There are no
known autobuilder failures for this issue, but the following defconfig
allows to reproduce the issue:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_WEBRTC_AUDIO_PROCESSING=y
# BR2_TARGET_ROOTFS_TAR is not set
The affected code has completely changed in newer versions of
webrtc-audio-processing, so we add a non-upstream patch, which can be
dropped once we upgrade to a newer release.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This host package was only used as a build dependency of libsvgtiny,
which itself has been removed, so it can be dropped as well.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This package hasn't been updated in years. It has new releases, such
as 1.0.8 from December 2023, but nobody updated to it.
Doing the version bump is not straightforward, and the original
package submitter, Peter Korsgaard, is no longer using it. This
package also had no reverse dependency, and no maintainer in the
DEVELOPERS file.
Therefore, let's drop this package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Peter: Add Config.in.legacy handling]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The new package_dir element contains the path of the package
directory. For Buildroot packages this is a path relative to the main
Buildroot directory, for packages from external trees an absolute
path.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Tested-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building the column store plugin (which gets automatically enabled
when Boost with a bunch of submodules is found) currently fails as it
requires a number of runtime checks that obviously cannot work when
cross-compiling.
OpenEmbedded has defined them as such:
-DLSTAT_FOLLOWS_SLASHED_SYMLINK_EXITCODE=0 \
-DSTAT_EMPTY_STRING_BUG_EXITCODE=0 \
-DMASK_LONGDOUBLE_EXITCODE=0 \
but it really isn't clear whether those values are completely correct
for all CPU architectures, especially the last one.
So instead, let's disable the column store plugin until someone
actually needs it and figures out how to set those variables properly.
The issue fixed by this commit can be reproduced using the following
defconfig:
BR2_aarch64=y
BR2_ARM_FPU_VFPV3D16=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MARIADB=y
BR2_PACKAGE_MARIADB_SERVER=y
BR2_PACKAGE_BOOST=y
BR2_PACKAGE_BOOST_DATE_TIME=y
BR2_PACKAGE_BOOST_FILESYSTEM=y
BR2_PACKAGE_BOOST_REGEX=y
BR2_PACKAGE_BOOST_THREAD=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Config.in comment is between the main BR2_PACKAGE_MARIADB option
and its sub-options, causing the sub-options to not appear as nicely
indented in menuconfig.
Before:
[ ] mariadb
[ ] mariadb server
[ ] mariadb embedded server
After:
[ ] mariadb
[ ] mariadb server
[ ] mariadb embedded server
which is what we want.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In cases where no hotplug is available (by choice or by the lack of a
proper hotplug method for a device), this service can be used to load
kernel module drivers by reading the /etc/modules-load.d/*.conf files.
The modules files matches the one used by systemd, which in turn has
a builtin mechanism to load a module at boot, therefore making systemv
init on par with systemd features.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
[Arnout:
- add exception for missing DAEMON variable;
- fix shellcheck warnings
]
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
check-package has a mechanism for a specific file to make an exception
to a specific checker, by preceding the offending line with
"check-package ... <checker class>". However, this is not possible for
the global checks that are done in the checker's after() function.
Allow exceptions for the global checks by writing the same
"check-package ... <checker class>" comment on the last line of the
file.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Recently when trying to reproduce a build error with test-pkg on the toolchain
br-arm-basic, I had to create a new CSV file with that toolchain only to be
able to run the test in that single case.
I believe having a command-line option right away in test-pkg would make this
much easier, as I can now run: `./utils/test-pkg -T br-arm-basic -p redis`
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
In order to remove thttpd package from Buildroot, we have to replace it
from our testsuite (TestWget and TestLibCurl).
Busybox provide an httpd server applet but it's not enabled in our
default busybox configuration.
For the sake of those tests, add a new busybox option to build and
install the Busybox's httpd server and its init script.
Import S90thttpd from thttpd package to S90httpd but with some changes
following S01syslogd init script as a reference [1].
[1] 3dc8061444
Cc: Julien Olivain <ju.o@free.fr>
Cc: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Since Buildroot commit [1] dc0f7215c6 "package/gcc: switch to 13.x as
default", sipeed_licheepi_zero_defconfig fails when building the Linux
kernel with the error message:
drivers/ata/libahci.c: In function 'ahci_led_store':
./include/linux/compiler.h:350:45: error: call to '__compiletime_assert_1138' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
350 | _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
This issue is fixed by upstream Kernel commit [2].
This commit fixes this issue by updating the Linux Kernel from v5.3.5
(which is not a LTS series) to v6.12.43 (which is a LTS series
including the fixes). With this update,
BR2_LINUX_KERNEL_INTREE_DTS_NAME is updated accordingly to follow the
new DTS organization.
This commit also updates U-Boot from 2022.01 to 2025.07. This new
version now requires BR2_TARGET_UBOOT_NEEDS_GNUTLS=y.
While at it, this commit also switches to a stable glibc Bootlin
external toolchain, to follow the new guidelines from [3].
Finally, this commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and the
corresponding hash files. The .checkpackageignore is also updated to
reflect that change.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11026771001
[1] dc0f7215c6
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f07788079f515ca4a681c5f595bdad19cfbd7b1d
[3] https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Cc: Michel Stempin <michel.stempin@wanadoo.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
- Display active Buildroot versions as a table, similarly to kernel.org
- Add latest release date for all version
- Add expected End of Life dates for all versions
- Add link to the changelog
This makes the section much more compact, which makes it easier for
users to compare the versions and know what to expect from them
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Acked-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The following dependency:
depends on !BR2_TOOLCHAIN_USES_UCLIBC || BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_1
was added by commit d63e207eb8, which
bumped python3 from 3.12.9 to 3.13.2.
The commit message doesn't state it, but this dependency was introduced
because uClibc without time64 support (i.e. with kernel headers < 5.1)
causes a runtime assertion in Python [1]:
OverflowError: timestamp too large to convert to C PyTime_t
The problem is that this dependency has not been propagated to reverse
dependencies, causing this kind of kconfig warnings:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON3
Depends on [n]: BR2_USE_WCHAR [=y] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && !BR2_STATIC_LIBS [=n] && (!BR2_TOOLCHAIN_USES_UCLIBC [=y] || BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_1 [=n])
Selected by [y]:
- BR2_PACKAGE_AVOCADO [=y] && BR2_USE_WCHAR [=y] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && !BR2_STATIC_LIBS [=n]
- BR2_PACKAGE_LIBSIGROKDECODE [=y] && BR2_USE_WCHAR [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && !BR2_STATIC_LIBS [=n]
- BR2_PACKAGE_OPKG_UTILS [=y] && BR2_PACKAGE_BUSYBOX [=y] && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && !BR2_STATIC_LIBS [=n]
However, propagating this dependency to all reverse dependencies of
python3 would be pretty annoying, especially as the dependency is kind
of "clunky". A configuration with uClibc and kernel headers < 5.1 is
such a corner case that it does not merit such complexity.
A later commit will check for this corner case at build time (while
allowing it in the .config). For now, already drop the dependency in
Config.in.
Cc: Vincent Fazio <vfazio@xes-inc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
[1] https://gitlab.com/buildroot.org/buildroot/-/issues/95#note_2348479811
Since glibc 2.28, <sys/sysmacros.h> is no longer implicitly included
by <sys/types.h>, which means major() is only defined if you include
<sys/sysmacros.h>.
This wasn't really visible for a while in loadable plugins built by
lirc-tools as they could happily be built with undefined
symbols... except they would fail to load at runtime.
But then GCC 14.x brought more strict checking of having the function
prototype around, which now detects this issue at build time.
So the actual issue has been around since we switched to glibc 2.28,
but it only started failing to build since gcc 14.x. The first failure
is on August 2024, so this patch should be backported to our stable
branches.
The fix is backport from an upstream commit, post 0.10.2.
Fixes:
https://autobuild.buildroot.net/results/2f64accd430d9467add3f1195f3f59eff8e99a4d/
Minimal reproducer:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_GLIBC_STABLE=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_LIRC_TOOLS=y
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Currently, the manual doesn't mention the checkpackageignore file at
all, leaving the user under the assumption that running "make
check-package" and running utils/check-package directly on the package
they have touched would be equivalent, when the former evaluates the
checkpackageignore file while the latter does not. This could cause them
to forget to remove stale entries from that file.
Point out this difference in behavior.
Signed-off-by: Florian Larysch <fl@n621.de>
[Arnout: add that stale lines should be removed from
.checkpackageignore]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Since the bump of libftdi1 to version v1.5-48-g22b4667a8 in commit
d8173e084e, the libftdi1.pc file is
installed in $(STAGING_DIR)/pkgconfig/libftdi1.pc instead of
$(STAGING_DIR)/lib/pkgconfig/libftdi1.pc, making it "invisible" to
pkg-config. This is turn causes flashrom to not find libftdi1 and
failing to build when libftdi1 is needed.
This issue is cause by CMAKE_INSTALL_LIBDIR being empty in libftdi1's
CMakeLists.txt, which in turn is due to include(GNUInstallDirs) being
missing. This has been fixed upstream a few commits later, so rather
than backporting a patch, let's just update to the commit containing
the fix, 5e67403c4fb5536a2effe2e91181dd73a2cff91b. The list of changes
upstream is:
5e67403c4fb5536a2effe2e91181dd73a2cff91b cmake: fix building static lib on windows/msvc
2e714eec137f86ca1950457d8226d8cb9b71c495 msvc: quiet uninteresting warnings
d96dbea887373f26755e9873b4ab020f922b7c3b fix unit var warning if ftdi_read_eeprom_location returned error, data would not be initialized
d31e3d5697eacbe87cd310b5bce615f3d8426cc0 cmake: fix elseif statement
c2b7c25e1272222c1719daea5761093fbc9c3010 msvc: fix shadowed variable warning
c4962c38a1ab470fbdc835c231567bd582eb5a5a msvc: fix warnings by using all enum values in case statements
2a992306c0acf938b29fa0cd5fbc160e24424209 Add SHAREDLIBS option
18499a2fa496c20e5e35590bb89eb701fa9fdfea Ignore VSCode temp folder
7676fb59ecd9fac9e5ea39439905c923ee7ee8c9 python/CMakeLists.txt: rework policy CMP0078
cfaec73e0a5ad9d05d62f1f5c393ab1c59ba771b C++ wrapper: get rid of the Boost dependency
12a8de0daba0816227c7010fc1b84d0abf70a500 .editorconfig: fix insert_final_newline option
3d7293651483130af9e8c5fe685d28b226baa99b Ignore clangd specific files
72e0e1e40126a2a9498fb249ca26a727bd670139 examples/async.c: remove unused includes
bfcdea286df81660b980a3bc91902b5970ff6347 examples/async.c: fix sometimes-uninitialized warning
(Yes the commit containing the fix is titled "cmake: fix building
static lib on windows/msvc", but because it adds
include(GNUInstallDirs), it also fixes our problem).
Fixes:
https://autobuild.buildroot.net/results/3600a9b7f323b4610ac67feb7171c0e10b6383d7/
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
nnn is a fast and minimal text-based file manager. It is written in C
and has minimal dependencies, which makes it portable and suitable for
embedded systems.
Project page: https://github.com/jarun/nnn
Wiki: https://en.wikipedia.org/wiki/Nnn_(file_manager)
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
[Arnout:
- add missing dependency on BR2_USE_MMU (found with test-pkg);
- add missing comment in Config.in;
- add musl-fls dependency when needed (found with test-pkg);
- add host-pkgconf dependency;
- add NNN_MAKE_ENV to collect everything in make environment;
- drop TARGET_MAKE_ENV from environment, it's already in
TARGET_CONFIGURE_OPTS;
- add PREFIX to NNN_MAKE_FLAGS: it is currently not used in the
build step, but in the future it may be used;
- use NORL=0/1 for readline optional dependency, the Makefile says that
the "norl" target is legacy;
- remove comment about readline dependency, it's obvious;
- indent continuation line with an extra tab.
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This defconfig no longer builds:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11012272989
It has been broken for at least 2 months, and it has no maintainer in
the DEVELOPERS file. We're adding Bartosz Bilas who has been the last
person doing updates to this defconfig.
Unless some fixes are provided, this defconfig will be dropped from
Buildroot.
Cc: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The old one lasted for 10 years, lately spam
levels reached a rather uncomfortable level ...
Signed-off-by: Andreas Ziegler <br015@umbiko.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_GLIBC_STABLE=y in the
defconfig, bumps kernel to 6.12.43, and adds custom hash files.
The exception entry in .checkpackageignore is also removed.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
[Peter: correct linux-headers.patch symlink]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit [1] "package/python-pyroute2: bump to version 0.9.4"
added the python3 ssl runtime dependency while updating the package
in the "next" branch. It incorrectly suggested the dependency was
introduced in version 0.9.4.
This dependency was in fact introduced in upstream commit [2],
first time included in pyroute2 0.8.1, which is the current version
in the Buildroot release stabilization branch. It is worth mentioning
that this package was updated to that version in Buildroot commit [3].
Running the command on target:
python3 -c 'import pyroute2'
Fails at runtime with error:
ModuleNotFoundError: No module named '_ssl'
This commit fixes the issue by adding this missing dependency,
the same was it was done in commit [1].
[1] 786557d859
[2] e87c14581b
[3] 816641bbe1
Signed-off-by: Yacin Belmihoub-Martel <yacin.belmihoub-martel@silabs.com>
[Julien:
- reword commit log
- add the "runtime" comment
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.36 and U-Boot to
version 2025.07 for
- stm32mp135f_dk_defconfig
- stm32mp157a_dk1_defconfig
- stm32mp157c_dk2_defconfig
The new version of U-Boot with commit [1] enabled OF_UPSTREAM flag for
STM32MP15 platforms. This required properly updating the DEVICE_TREE
parameter to pass to U-Boot in order to successfully complete the build.
Tested on STM32MP157C-DK2 Discovery Board.
[1] 35f90f76f4
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.186 and U-Boot to
version 2025.07.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.186 and U-Boot to
version 2025.07.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.186 and, for the SD
configuration, also updates U-Boot to version 2025.07.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.1.143. The size of xipImage
has increased by only 514 bytes (1672318 bytes compared to 1671804 in
version 6.1.133).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch removes the xilinx_v2024.2 hashes since all xilinx defconfigs have
been bumped to xilinx_v2025.1.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
GNU Radio contains a block to uses Soapy SDR has sink or source.
Since the SoapySDR package is now available in Buildroot, it is possible
to update GNU Radio package to enable or disable the gr-soapy block.
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following CVEs:
- CVE-2024-41957
- CVE-2024-41965
- CVE-2024-45306
- CVE-2024-47814
- CVE-2025-1215
- CVE-2025-22134
- CVE-2025-24014
- CVE-2025-26603
- CVE-2025-29768
- CVE-2025-53905
- CVE-2025-53906
README.txt got updated three times since the last bump:
- [0] updated some wording regarding who the developers are.
- [1] updated the link to the release archives
- [2] updated the goals of the project
netrw (the builtin file explorer of vim) changed maintainer and was
subsequently restructured [3]. Therefore we need to run installpack,
otherwise we run into this on startup (reported by Julien, thanks!):
Error detected while processing
/usr/share/vim/vim91/plugin/netrwPlugin.vim:
line 7:
E919: Directory not found in 'packpath': "pack/*/opt/netrw"
Press ENTER or type command to continue
[0]: b75825f749
[1]: 4225f28855
[2]: 2bfd1ee161
[3]: 9cfdabb074
Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the TestXvisor fails when building xvisor with gcc 15.1.0.
Since xvisor is now fixed, opensbi 1.5 fail to build with gcc-15 for
the same reasons.
opensbi 1.6 include a fix for C23 enabled compilers [2]
[1] 947dbc92a2
[2] d539d64a23
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the TestXvisor fails when building xvisor with gcc 15.1.0.
GCC 15 changed the default C standard version to C23 [2], resulting in
errors from the xvisor definitions of bool from core/include/vmm_types.h,
which is a reserved keyword under C23.
Since CFLAGS are hardcoded in the main Makefile, add '-std=gnu11' to
'cflags' to resolve the error.
[1] 947dbc92a2
[2] https://gcc.gnu.org/gcc-15/porting_to.html
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11042295047
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
On both Buildroot 2025.02.x and master branch, php-lua build fails on
the following error:
lua.c:862:44: error: assignment to 'zend_object_write_property_t' {aka
'struct _zval_struct * (*)(struct _zend_object *, struct _zend_string *,
struct _zval_struct *, void **)'} from incompatible pointer type 'void
(*)(zval *, zval *, zval *, void **)' {aka 'void (*)(struct _zval_struct
*, struct _zval_struct *, struct _zval_struct *, void **)'}
[-Wincompatible-pointer-types]
862 | lua_object_handlers.write_property =
php_lua_write_property;
| ^
lua.c:863:44: error: assignment to 'zend_object_read_property_t' {aka
'struct _zval_struct * (*)(struct _zend_object *, struct _zend_string *,
int, void **, struct _zval_struct *)'} from incompatible pointer type
'zval * (*)(zval *, zval *, int, void **, zval *)' {aka 'struct
_zval_struct * (*)(struct _zval_struct *, struct _zval_struct *, int,
void **, struct _zval_struct *)'} [-Wincompatible-pointer-types]
863 | lua_object_handlers.read_property =
php_lua_read_property;
| ^
make[2]: *** [Makefile:214: lua.lo] Error 1
The error can be reproduced with the following minimal defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_NEON=y
BR2_ARM_ENABLE_VFP=y
BR2_ARM_FPU_NEON=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LUA=y
BR2_PACKAGE_PHP=y
BR2_PACKAGE_PHP_LUA=y
This build failure is the result of two events/conditions:
- the update to PHP8 has changed the prototype for
zend_object_read_property_t (see [1]). But at this time, php-lua just
generated a new warning (-Wincompatible-pointer-types)
- using bootlin bleeding-edge toolchain brings in GCC14, which now turns
this warning into a systematic error (see [2])
This issue is still present on the upstream repository, but it has been
fixed on one of its forks. Bring the relevant patch from the fork to
allow building php-lua.
[1] https://github.com/php/php-src/commit/91ef4124e56
[2] https://gcc.gnu.org/gcc-14/porting_to.html#incompatible-pointer-types
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Romain: update Upstream link]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Fix the following vulnerability:
- CVE-2025-46728
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library.
Prior to version 0.20.1, the library fails to enforce configured size
limits on incoming request bodies when `Transfer-Encoding: chunked` is
used or when no `Content-Length` header is provided. A remote attacker
can send a chunked request without the terminating zero-length chunk,
causing uncontrolled memory allocation on the server. This leads to
potential exhaustion of system memory and results in a server crash or
unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits
during parsing. If the limit is exceeded at any point during reading,
the connection is terminated immediately. A short-term workaround
through a Reverse Proxy is available. If updating the library
immediately is not feasible, deploy a reverse proxy (e.g., Nginx,
HAProxy) in front of the `cpp-httplib` application. Configure the
proxy to enforce maximum request body size limits, thereby stopping
excessively large requests before they reach the vulnerable library
code.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-46728
- 7b752106ac
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
(cherry picked from commit aea7c89396)
Signed-off-by: Julien Olivain <ju.o@free.fr>
This reverts commit 559bb33ae7, which
was disabling BR2_BACKUP_SITE in our tests with the following
reasoning:
support/testing: do not use s.b.o
Currently, the runtime tests will use the sources.buildroot.org backup
mirror, which is the default setup.
However, in some cases we do not want to use the backup site, because we
want to ensure that the download actually works.
This is the case for vendored packages, like cargo or golang packages,
for whbich we want to check that gthe download still works when we
update the rust or go versions, or when our download helpers change.
So, disable the use of the backup site in all runtime tests, and drop
the no-longer needed special cases.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
However, not using the backup site is causing a LOT of random failures
in Gitlab CI, making the results barely usable. Since it's more
important to get real failures than random ones due to download
issues, let's re-enable BR2_BACKUP_SITE in our testing infrastructure.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Fix the following vulnerability:
- CVE-2025-46728
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library.
Prior to version 0.20.1, the library fails to enforce configured size
limits on incoming request bodies when `Transfer-Encoding: chunked` is
used or when no `Content-Length` header is provided. A remote attacker
can send a chunked request without the terminating zero-length chunk,
causing uncontrolled memory allocation on the server. This leads to
potential exhaustion of system memory and results in a server crash or
unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits
during parsing. If the limit is exceeded at any point during reading,
the connection is terminated immediately. A short-term workaround
through a Reverse Proxy is available. If updating the library
immediately is not feasible, deploy a reverse proxy (e.g., Nginx,
HAProxy) in front of the `cpp-httplib` application. Configure the
proxy to enforce maximum request body size limits, thereby stopping
excessively large requests before they reach the vulnerable library
code.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-46728
- 7b752106ac
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 6.15.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since upstream commit 312efb2acba7dba80b6652ccf98339dcbbd47695, the
JPEG loading code is using jpeg_read_icc_profile(), which is only
available when the jpeg-turbo implementation is used, not the classic
libjpeg. When classic jpeg is used, the build fails with:
../shared/image-loader.c:163:14: error: implicit declaration of function 'jpeg_read_icc_profile' [-Wimplicit-function-declaration]
163 | if (!jpeg_read_icc_profile(cinfo, &profdata, &proflen)) {
This commit first appeared in development version 13.0.91 and stable
version 14.0.0, which means the problem exists in Buildroot since
commit 430b80cfc1, when weston was
bumped from 13.0.3 to 14.0.0.
So let's enable the JPEG logic only when jpeg-turbo is used.
Fixes:
https://autobuild.buildroot.org/results/353e39902616bdbce40ac667e98cbaf51079f69e/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since upstream commit 66e1614122c22d455cc3a28db08b3afac2b7be29, which
first appeared in version 1.11.0, back in 2016, jpeg is no longer a
mandatory dependency. And in fact, Buildroot no longer has it
unconditionally in WESTON_DEPENDENCIES since commit
f67a6e9b7a, but BR2_PACKAGE_WESTON is
still selecting in.
A build without libjpeg works just fine, so let's drop this select.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When BR2_BINUTILS_GPROFNG=y, the build currently fails with GCC 15.x,
of course on architectures for which gprofng is actually
available. This issue only exists in binutils 2.42 and 2.43.1, as
binutils 2.44 has the necessary fixes.
Therefore, this commit backports the relevant commits from binutils
2.44 to 2.43.1 and 2.42.
Fixes:
https://autobuild.buildroot.net/results/7cf52019f87625c73ef3c4ca0b6270e20a4ab768/ (binutils 2.42)
https://autobuild.buildroot.net/results/478e24af1a03dea5ec64b77ca611b4f7225c9d39/ (binutils 2.43.1)
The following defconfig, built under a Fedora 42 Docker container
allows to reproduce the issue:
BR2_x86_nehalem=y
BR2_BINUTILS_VERSION_2_42_X=y
BR2_BINUTILS_GPROFNG=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The binutils-gdb code base in Git does have a copy of readline that is
used by gdb.
The release tarballs of binutils do NOT contain readline as it's not
needed for binutils itself (only gdb).
However, when we build the ARC binutils, taken from Git, the readline/
folder is present, and therefore readline is built even if it is not
actually needed.
This causes build failures as the copy of readline in ARC binutils
2024.12 (based on binutils 2.43) does not build with GCC 15.x.
To work around this problem, we use a suggestion from Waldemar
Brodkorb: pass --with-system-readline. Indeed, this disables the build
of readline... but it does not actually check that we have a system
readline, since we're not building gdb.
Fixes:
https://autobuild.buildroot.net/results/976243181f7000fe2790b3450bdae51e8c12769e/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Some packages such as SDL2 do this:
WAYLAND_SCANNER=`$PKG_CONFIG --variable=wayland_scanner wayland-scanner`
to find the path to the wayland-scanner tool.
Of course, since SDL2 is compiled for the target, it does that using
the pkg-config configured for cross-compilation, which looks at
$(STAGING_DIR)/usr/lib/pkgconfig/wayland-scanner.pc.
Since it looks at the variable wayland_scanner, which doesn't get
prefixed by PKG_CONFIG_SYSROOT_DIR, the SDL2 configure script is told
that wayland-scanner is in /usr/bin/wayland-scanner causing this kind
of build failure:
/bin/bash: line 1: /usr/bin/wayland-scanner: No such file or directory
/bin/bash: line 1: /usr/bin/wayland-scanner: No such file or directory
when building SDL2.
The target wayland package depends on host-wayland, which most notably
is responsible for installing wayland-scanner in $(HOST_DIR)/bin.
So in order to fix the SDL2 build issue but in a global way (possibly
helping other packages), what this patch does is tweak the
wayland-scanner.pc installed by the target wayland so that its
wayland_scanner variable points to the host wayland-scanner
executable. We find this a better solution than passing a
WAYLAND_SCANNER variable to each and every package that needs
wayland-scanner.
The issue is not visible in the autobuilders, but can be reproduced
using the following defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_SDL2=y
BR2_PACKAGE_SDL2_WAYLAND=y
BR2_PACKAGE_SDL2_OPENGLES=y
BR2_PACKAGE_RPI_USERLAND=y
BR2_PACKAGE_WAYLAND=y
# BR2_TARGET_ROOTFS_TAR is not set
Note: Make sure that wayland-scanner is not be installed on the build
host to reproduce the issue.
The issue probably exists since WAYLAND_SCANNER was retrieved using
pkg-config in SDL2's configure.ac script, in upstream commit
19d3500ae19636f3f410e270f12e0bc5e83410d4, which got first introduced
in release-2.0.5 of SDL2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain: add a comment about wayland-scanner to reproduce the issue]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The following defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_RPI_USERLAND=y
# BR2_TARGET_ROOTFS_TAR is not set
will fail to build due to two issues in various part of rpi-userland
making GCC 15.x unhappy.
Patch 0008-Fix-conflicting-types-build-error.patch is taken from a
pull request already submitted by a contributor to the upstream
project.
Patch 0009-Fix-raspicommonsettings_parse_cmdline.patch is backported
from upstream, and can be dropped next time we bump rpi-userland.
Note that there are no autobuilder failures for this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When Python 3 is built with -O2 or -O3 on SuperH, the build fails
with:
Objects/obmalloc.c:503:1: error: unable to find a register to spill in class ‘R0_REGS’
503 | }
| ^
Objects/obmalloc.c:503:1: error: this is the insn:
(insn 18 243 23 2 (parallel [
(set (subreg:SI (reg:QI 176) 0)
(unspec_volatile:SI [
(mem/v:QI (reg:SI 4 r4 [175]) [-1 S1 A32])
(reg:QI 7 r7 [178])
(reg:QI 6 r6 [180])
] UNSPECV_CMPXCHG_1))
(set (mem/v:QI (reg:SI 4 r4 [175]) [-1 S1 A32])
(unspec_volatile:QI [
(const_int 0 [0])
] UNSPECV_CMPXCHG_2))
(set (reg:SI 147 t)
(unspec_volatile:SI [
(const_int 0 [0])
] UNSPECV_CMPXCHG_3))
(clobber (scratch:SI))
(clobber (reg:SI 0 r0))
(clobber (reg:SI 1 r1))
]) "./Include/cpython/pyatomic_gcc.h":105:10 407 {atomic_compare_and_swapqi_soft_gusa}
(expr_list:REG_DEAD (reg:QI 6 r6 [180])
(expr_list:REG_DEAD (reg:QI 7 r7 [178])
(expr_list:REG_UNUSED (reg:QI 176)
(expr_list:REG_UNUSED (reg:SI 1 r1)
(expr_list:REG_UNUSED (reg:SI 0 r0)
(nil)))))))
Objects/obmalloc.c:503: confused by earlier errors, bailing out
THe bug has been reported upstream, but until it gets fixed, let's
work it around by using -O1 instead. Note that
BR2_TOOLCHAIN_HAS_GCC_BUG_121567 is only set when -O2 or -O3 is
configured, so there's no need to check again.
Fixes:
https://autobuild.buildroot.net/results/cac123ee9f3a6df6263b69dce3ac0d535518ec3f/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This will be needed to work around a GCC bug affecting python3. The
bug is reported at
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=121567.
This bug affects GCC at least since 6.x, but we couldn't test earlier
versions, so we simply assume all GCC versions are affected. Even GCC
15.x is still affected, as reported to upstream GCC.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This is a minor version bump.
Release notes of 3.13.6:
https://www.python.org/downloads/release/python-3136/
"3.13.6 is the sixth maintenance release of 3.13, containing around
200 bugfixes, build improvements and documentation changes since
3.13.5.
Release notes of 3.13.7:
https://www.python.org/downloads/release/python-3137/
"3.13.7 is an expedited release to fix a significant issue with the
3.13.6 release:
gh-137583: Regression in ssl module between 3.13.5 and 3.13.6: reading
from a TLS-encrypted connection blocks"
Patches are just refreshed, except patch
0009-3.13-gh-130577-tarfile-now-validates-archives-to-ens.patch which
is dropped as it is upstream as of commit
cdae923ffe187d6ef916c0f665a31249619193fe. The corresponding
_IGNORE_CVES entry is also removed.
Passes our basic Python 3 tests:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1990154299
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: remove _IGNORE_CVES for removed patch #0009]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit-2882cf4ae649 ("package/wpewebkit: security bump to version
2.48.3") wpewebkit depends on cmake 3.20.
Fixes build on current Debian LTS (bullseye) which has only 3.18.4.
>>> wpewebkit 2.48.3 Configuring
...
CMake Error at CMakeLists.txt:9 (cmake_minimum_required):
CMake 3.20 or higher is required. You are running version 3.18.4
-- Configuring incomplete, errors occurred!
make: *** [package/pkg-generic.mk:263: /../buildroot/output/build/wpewebkit-2.48.3/.stamp_configured] Error 1
Fixes: 2882cf4ae6
Signed-off-by: Henri Roosen <henri.roosen@ginzinger.com>
Acked-By: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When building:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_SDL=y
BR2_PACKAGE_SDL_X11=y
BR2_PACKAGE_XORG7=y
# BR2_TARGET_ROOTFS_TAR is not set
the build fails with:
./src/video/Xext/Xv/Xv.c:78:5: error: initialization of ‘int (*)(Display *, XEvent *, xEvent *)’ {aka ‘int (*)(Display *, XEvent *, struct _xEvent *)’} from incompatible pointer type ‘int (*)(void)’ [-Wincompatible-pointer-types]
and a number of similar errors in the X.org code.
We fix this by backporting an upstream commit.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
- Replace patch 0001 by a properly Git-formatted patch, cherry-picked
from the upstream Git repository at
https://github.com/libsdl-org/SDL-1.2
- Add Upstream: tags on both patches, with the upstream Git
commit. Updated .checkpackageignore accordingly.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The each_cpe() method is careful that some CVEs have no
"configurations", but some CVEs such as
https://nvd.nist.gov/vuln/detail/CVE-2025-32915 apparently have a
"configurations" node, but no "nodes" inside the "configurations",
causing an exception:
Traceback (most recent call last):
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1382, in <module>
__main__()
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1371, in __main__
check_package_cves(args.nvd_path, packages)
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 679, in check_package_cves
check_package_cve_affects(cve, cpe_product_pkgs)
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 638, in check_package_cve_affects
for product in cve.affected_products:
^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in affected_products
return set(cpe_product(p['id']) for p in self.each_cpe())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in <genexpr>
return set(cpe_product(p['id']) for p in self.each_cpe())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 173, in each_cpe
for node in nodes['nodes']:
~~~~~^^^^^^^^^
KeyError: 'nodes'
Fixes:
54f8d97c91 ("support/scripts/pkg-stats: adapt to NVD v2 json format")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain:
- add reference to buildroot commit introducing the issue
- a similar patch was sent by Daniel Lang (thanks!)
- needed on master to fix "Daily results" email]
(cherry picked from commit 67422b9d9c)
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The each_cpe() method is careful that some CVEs have no
"configurations", but some CVEs such as
https://nvd.nist.gov/vuln/detail/CVE-2025-32915 apparently have a
"configurations" node, but no "nodes" inside the "configurations",
causing an exception:
Traceback (most recent call last):
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1382, in <module>
__main__()
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1371, in __main__
check_package_cves(args.nvd_path, packages)
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 679, in check_package_cves
check_package_cve_affects(cve, cpe_product_pkgs)
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 638, in check_package_cve_affects
for product in cve.affected_products:
^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in affected_products
return set(cpe_product(p['id']) for p in self.each_cpe())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in <genexpr>
return set(cpe_product(p['id']) for p in self.each_cpe())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 173, in each_cpe
for node in nodes['nodes']:
~~~~~^^^^^^^^^
KeyError: 'nodes'
Fixes:
54f8d97c91 ("support/scripts/pkg-stats: adapt to NVD v2 json format")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain:
- add reference to buildroot commit introducing the issue
- a similar patch was sent by Daniel Lang (thanks!)]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The AC_HEADER_STDBOOL macro used in configure.ac is expanded in the
shipped ./configure by a fairly old version, which misdetects our
<stdbool.h> as being not usable. Consequently, the code defines its
own bool type, with true/false, clashing with GCC 15.x.
Doing a pass of autoreconf addresses the problem.
The autoreconf needs pkg.m4, which comes from host-pkgconf, added as a
dependency.
Note that host-pkgconf was already a dependency for one of the
optional dependencies of p11-kit, and we're keeping it there even
though host-pkgconf is now also an unconditional dependency as we
expect this unconditional host-pkgconf dependency to be removed when
we drop autoreconf.
Fixes:
https://autobuild.buildroot.net/results/760df1a8c21afa893ade5181ce797e14c1f6bdce/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add simple patch, submitted upstream, to fix the build with GCC 15.x:
userloc_formatter.c: In function 'userloc_format':
userloc_formatter.c:30:5: error: implicit declaration of function 'sd_debug' [-Wimplicit-function-declaration]
30 | sd_debug("Formatter s13_userloc checking location info for userdata %X",a_event->evt_loc->loc_data);
| ^~~~~~~~
make[4]: *** [Makefile:519: userloc_formatter.lo] Error 1
Fixes:
https://autobuild.buildroot.org/results/dab64025e6a1688d5fadc2b9bd3738a2c886aa9c/
Considering the level of upstream maintenance, we did hesitate with
dropping the package, but as the fix was quite simple, we did the fix
instead.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the kernel, U-Boot, ATF tags, as well as documentation, used by
the LS1046A-FRWY to the latest Linux Factory release.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the kernel, U-Boot, ATF tags, as well as documentation, used by
the LS1046A-RDB to the latest Linux Factory release.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the kernel, U-Boot, ATF tags, as well as documentation, used by
the LS1043A-RDB to the latest Linux Factory release.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
[Julien:
- add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y
- replace "LS1028A-RDB" by "LS1043A-RDB" in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the kernel, U-Boot, ATF tags, as well as documentation, used by
the LS1028A-RDB to the latest Linux Factory release.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit we were previously on, 45e6925, was the head of the master
branch and now became tag lf-6.12.20-2.0.0, which we can use as is.
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This is nominally a bugfix release which now also includes the patch we
previously backported, so we can remove it.
However, it also introduced some breakage:
- Builds with older toolchains (like br-arm-full-static, GCC 9) fail
because the introduction of C23 [[fallthrough]] to the code was not
properly gated on compiler support.
- Compiling for x86 without SSE2 support (e.g. with
bootlin-x86-i686-musl) fails because the check for native half-with
float arithmetic support on the target was not strict enough.
Import unreleased upstream patches that fix these issues.
Release notes: https://github.com/intel/tinycbor/releases/tag/v0.6.1
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The source code contains a number of variables named 'bool', which conflicts
with the C23 keyword. This is fixed upstream in 1.3.9 with
61be7eb14f
but that unfortunately does not cleanly backport to 1.3.8, so instead use
-std=gnu18 when building with GCC >= 15 to fix the following issues:
table.c:1280:31: error: ‘bool’ cannot be used here
1280 | int table_handling_signal(int bool) {
| ^~~~
table.c:1280:31: note: ‘bool’ is a keyword with ‘-std=c23’ onwards
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bugfix release, fixing the following issues:
1.3.8d - Released 14-Mar-2025
--------------------------------
- Issue 1855 - Use of HideNoAccess for SFTP sessions can lead to segfault
and/or unexpected behavior.
- Issue 1876 - SFTP channel allocations can lead to high memory utilization
over time.
1.3.8c - Released 11-Dec-2024
--------------------------------
- Issue 1770 - Using FTPS after upgrading from 1.3.8a to 1.3.8b leads to crash.
- Issue 1785 - Bad handling of lack of extended attributes leads to SFTP out of
memory error.
- Issue 1529 - mod_sftp_sql logs "header value too long" due to unexpected key
header text.
- Issue 1839 - SSH ECDSA host key algorithms not be used as expected despite
configuring appropriate key.
- Issue 1840 - RADIUS Message-Authenticator verification failed with ProFTPD
mod_radius.
- Issue 1830 - Supplemental group inheritance grants unintended access to
GID 0 due to lack of supplemental groups from mod_sql.
https://github.com/proftpd/proftpd/blob/1.3.8/NEWS
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes https://autobuild.buildroot.org/results/dbf55d0fd8d779f408e7ccca4c2a9083e7a11f6a/
GCC-15 has gained a new warning about non-NUL terminated strings and
dump1090 is built with -Werror leading to build errors like:
interactive.c:143:23: error: initializer-string for array of 'char' truncates
NUL terminator but destination lacks 'nonstring' attribute (5 chars into 4
available) [-Werror=unterminated-string-initialization]
143 | char spinner[4] = "|/-\\";
Add a patch from an upstream pull request to fix this by zero terminating
the strings.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
imx6ull is compatible with VFPV4. Update it from VFPV3
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Ever since upstream commit 01dd6da ("Rework the entire API"), first
introduced as part of release v3.0.0, openssl is a hard requirement for
building libjwt. As such, "-DWITH_OPENSSL=ON" also has become a no-op.
In Buildroot, this has been masked somewhat by the implicit select when
gnutls is disabled, but a failure can be reproduced using test-pkg with
a config like:
BR2_PACKAGE_GNUTLS=y
BR2_PACKAGE_LIBJWT=y
Fix this by requiring openssl. Furthermore, building against libressl
does not work because libjwt requires API surface that is not present
there[1], so we need to force libopenssl.
[1] https://autobuild.buildroot.org/results/463/4638a7d46c149ca0f46d3fe5f5f90dc5ee9d1e03
Signed-off-by: Florian Larysch <fl@n621.de>
[Peter: drop gnutls logic support for simplicity]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerability:
- CVE-2025-54874
OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and
earlier, a call to opj_jp2_read_header may lead to OOB heap memory
write when the data stream p_stream is too short and p_image is not
initialized.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-54874
- f809b80c67
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch brings the entire stack of Debian patches on grub2 titled
"cve-2025-jan" and available at:
https://salsa.debian.org/grub-team/grub/-/tree/debian/2.12-9/debian/patches/cve-2025-jan?ref_type=tags
As of this exact Debian grub2 version 2.12-9. Some minor conflicts had
to be fixed. All patches are in upstream Grub master, but mixed with
hundreds of other changes, which is why Debian's effort to backport
them has been leveraged here.
In addition to those patches, 2 extra patches are added:
0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch
0074-Constant-time-grub_crypto_memcmp.patch
The first one fixes an issue in one of the earlier patches. The fix is
not in Debian, but is in upstream Grub.
The second one fixes another CVE, not fixed in Debian, but fixed in
OpenSUSE. This fix is not upstream as upstream has decided to move to
libgcrypt instead to avoid the problem, but that's a fairly large
change.
Overall, this patch fixes all CVEs currently reported by pkg-stats
against our grub2 package, namely:
CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45782
CVE-2024-56737
CVE-2024-56738
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-1125
With the previous fixes on runtime tests added (to use glibc
toolchains to build grub2 tests), this commit successfully passes all
tests:
- The ISO9660 tests that use grub2:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234563
- The grub2 tests:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234685
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: also tested by building and booting
- qemu_aarch64_sbsa_defconfig
- qemu_arm_ebbr_defconfig
- qemu_loongarch64_virt_efi_defconfig
- qemu_riscv64_virt_efi_defconfig
- pc_x86_64_bios_defconfig
- pc_x86_64_efi_defconfig
]
Tested-by: Julien Olivain <ju.o@free.fr>
[Julien:
- fix patch #72 upstream link to point to the initial patch
sumbission rather than a reply
- merge two _IGNORE_CVES blocks for patch #50 into a single one
- order _IGNORE_CVES blocks by numerical patch order
- order numerically the CVE list in commit log
- add a "Fixes:" tag in patch #74 since its commit log does not
mention the CVE.
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Suniel's e-mail address at Amarula Solutions is bouncing, so let's
drop this stale entry:
<sunil@amarulasolutions.com>: host aspmx.l.google.com[142.250.27.26] said:
550-5.1.1 The email account that you tried to reach does not exist. Please
try 550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. For more information, go to 550 5.1.1
https://support.google.com/mail/?p=NoSuchUser
a640c23a62f3a-afcdce6d5e1si493680166b.9 - gsmtp (in reply to RCPT TO
command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The original commit (aaa2b660a9 ("setserial: convert to autotargets
and fix manpages install") wasn't entirely clear why we went for a
removal of a patch from the tarball we get from Debian.
It is assumed the original patch mainly only wanted to remove the strip
and make sure the directories are created before files are installed in
there. But doing only that made my build fail because the linker doesn't
find @CXXFLAGS@. After undoing the addition of this variable (and its
use) from 01_makefile.patch it now compiles just fine.
Therefore, instead of removing the patch from the tarball we get from
Debian, simply update the patch we carry in the tree to remove what's
necessary and simplify the patching logic.
This could also help identify notable differences between the
01_makefile.patch from two different versions whenever we upgrade.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Debian has a newer setserial which compiles on newer toolchains, so
let's update to it.
Noteworthy is the change from a big diff to a tarball containing the
whole debian directory. The series file which contains all patches to
apply is named properly so no need to rename 00list anymore. The patches
file extension is now .patch instead of .dpatch.
This fixes the build with BR2_TOOLCHAIN_EXTERNAL_ARM_AARCH64 external
toolchain (14.2.rel1).
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Newer toolchains silently fail during configure step. After some
investigation, it is because -Wimplicit-int is returned for one of the
simplest test from the in-package configure file and thus fail the
configure step early, when checking if the compiler can produce an
executable.
Let's fix this by simply regenerating the configure file, similarly to
what Debian is doing, c.f. debian/rules.
Fixes:
https://autobuild.buildroot.net/results/ff7a9c3c42f11a2ab71fb04ff0f6d593ac9ee327/
(but there are more build failures later, fixed in a follow-up commit)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since 64ac719952 ("apply-patches.sh: add recursivity when scanning
patchdir"), patches with the .dpatch file extension are simply ignored.
Unfortunately, setserial package stopped applying the patches after that
commit.
Sadly, 0002-tiocghayesesp-build-fix.patch is breaking the patch context
for patch 18 in the debian diff because we are currently applying
patches from within Buildroot tree before applying the ones we download
from Debian. Instead of doing some hacks, let's apply Debian patches
before Buildroot's. However, this requires a few changes. First, we need
to migrate away from the SETSERIAL_PATCH mechanism because currently
_PRE_PATCH_HOOKS runs before this is applied and _POST_PATCH_HOOKS runs
after the Buildroot patches are applied.
Instead, let's use an _EXTRA_DOWNLOADS we manually extract à-la
package/android-tools/android-tools.mk. Then in the _PRE_PATCH_HOOKS, we
apply the big diff the _EXTRA_DOWNLOADS contains so that the patches
from within can be applied afterwards.
Because the big diff still contains only patches with the *.dpatch
extensions that are not supported anymore, we need to either rename all
patches or use the 00list file that lists all patches in the order they
need to be applied. Fortunately, Buildroot already supports applying
patches with `patch` regardless of their extension if they are within
such a file. Unfortunately, it needs to be called "series", hence the
renaming.
Because patch 18 from the big diff is now applied before
0002-tiocghayesesp-build-fix.patch from Buildroot tree, the latter will
fail if left unmodified, so this commit also rebases it.
Finally, we keep the removal of 01_makefile.dpatch for now even though
it only exists because it generates a conflict with
0001-build-system-fix.patch from Buildroot tree. It'll be rebased in a
later commit though.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For the first, unconditional assignment, there is no reason to use
append-assignment; it can even be misleading.
Fixes: b367ca32e5
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch force the usage of `-std=gnu18` for GCC15 toolchains to fix
the following issues:
- The boolean issue with C23
```
In file included from ../../src/i_sound.h:38,
from i_sound.c:58:
../../src/doomtype.h:48:15: error: cannot use keyword ‘false’ as enumeration constant
48 | typedef enum {false, true} boolean;
| ^~~~~
../../src/doomtype.h:48:15: note: ‘false’ is a keyword with ‘-std=c23’ onwards
```
- The usage of `usleep` & `struct timezone` require usage of GNU
extensions.
```
i_system.c:58:3: error: implicit declaration of function ‘usleep’; did you mean ‘sleep’? [-Wimplicit-function-declaration]
58 | usleep(usecs);
| ^~~~~~
| sleep
i_system.c: In function ‘I_GetTime_RealTime’:
i_system.c:78:19: error: storage size of ‘tz’ isn’t known
78 | struct timezone tz;
| ^~
i_system.c: In function ‘I_GetRandomTimeSeed’:
i_system.c:105:19: error: storage size of ‘tz’ isn’t known
105 | struct timezone tz;
| ^~
```
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When building prboom with gcc-14 the following error appeared on the
autobuilder:
```
i_main.c: In function 'main':
i_main.c:359:10: error: assignment to 'const char * const*' from incompatible pointer type 'char **' [-Wincompatible-pointer-types]
359 | myargv = argv;
| ^
```
While this package did not receive any update for a while on the
sourceforge mirror, I backported the fix from a fork. For more
information see [1].
[1] 92d44b6383
Fixes: https://autobuild.buildroot.org/results/888/88846e3cb267b04da58bc17d92fd5dd385b65b5d
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When using gcc-14 the compilation fails with the following error
message:
```
close.c: In function 'EIBClose':
close.c:38:3: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]
38 | close (con->fd);
| ^~~~~
| pclose
openlocal.c: In function 'EIBSocketLocal':
openlocal.c:57:7: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]
57 | close (con->fd);
| ^~~~~
| pclose
make[6]: *** [Makefile:611: close.lo] Error 1
```
This patch include <unistd.h> to include the declaration of close.
Fixes: https://autobuild.buildroot.org/results/483/483fc4584815507c3798eb972e22e51f70f52c23/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Unlike glibc and uClibc, musl doesn't play tricks with transparent
unions for the second argument to bind() to accept the various sockaddr
variants, but rather just defines it as "struct sockaddr*". As GCC 14 no
longer allows arbitrary implicit pointer casts, this results in a build
error. Import the upstream patch that adds the cast.
Fixes: https://autobuild.buildroot.org/results/00b/00b42a35a80c2deb61f2cd40aedd231597bbb290
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
List of commits between 1.2.7..1.2.8:
f979f1b8fa202cd0d6c352de0f2b64361ce5ea33 (HEAD -> master, tag: rpcbind-1_2_8, origin/master, origin/HEAD) Release: 1.2.8
a9ecbb81940b23a4bb9814e126c1c1ae1db93b69 (tag: rpcbind-1_2_8-rc3) rpcinfo: Removed a number of "old-style function definition" warnings
8cc10d038c361f296b0a8e068c173acc33568997 rpcbind: Add -v flag to print version and config
8ef2e504df6e5ec3321c0804a8c6684d781e7a84 man/rpcbind: Update list of options
74da58dde5b1a1a7e54df1fb16315845195a69c0 (tag: rpcbind-1_2_8-rc2) Comment out ListenStream=@/run/rpcbind.sock
b78689b8f1df42eb593dc3412698aa1b8aaa3532 [nfs/nfs-utils/rpcbind] rpcbind: avoid dereferencing NULL from realloc()
fd1d5387de8078530d51eccf876afe6e6182b975 (tag: rpcbind-1_2_8-rc1) Move rpbind's default configuration to /run verses /var/run
7a6b1c58eee2e5fa74e3e4045c4950fbb4f8af0a Move rpcbind.lock to /run
be63348bd3dd9e69e151ff83f08f09e1a9df82bf systemd/rpcbind.service.in: Want/After systemd-tmpfiles-setup
626fd801a13cecd8eb79ac6e979c248d7214aad4 systemd/rpcbind.service.in: Add various hardenings options
511fc4f4bc5ca7b7c8dac877d590d0634e570e6d man/rpcbind: Add Files section to manpage
31157ba6e60b0a8c4989010df8b1cf2aa673a86c systemd/rpcbind.service.in: Add few default EnvironmentFile
So really not much.
While we're at it, let's add a sha1 hash provided directly by
Sourceforge, in addition to the locally calculated sha256.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_dmidecode fails when building its Kernel 6.6.39
with gcc 15.1.0.
This commit fixes the issue by updating the test Kernel to the
latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686001
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_msr_tools fails when building its Kernel 5.15.55
with gcc 15.1.0.
This commit fixes the issue by updating the test Kernel to the latest
LTS version (6.12.42 at the time of this commit) which includes the
fix for gcc-15. Note: the 5.15.y series does not include this fix for
the x86_64 architecture, which is why this commit switches to 6.12.y.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686294
[1] 947dbc92a2
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_dpdk fails to build its Kernel 6.6.58 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686010
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_numactl fails to build its Kernel 6.1.75 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.1.y version (6.1.148 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686336
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_wine fails to build its Kernel 6.6.27 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686766
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For more details on the version bump, see:
- https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=47bf2c6a3b1f49c7adc1d0389de375290461a44c
Fixes the following security issues:
- CVE-2025-1352
A vulnerability has been found in GNU elfutils 0.192 and classified as
critical. This vulnerability affects the function __libdw_thread_tail
in the library libdw_alloc.c of the component eu-readelf. The
manipulation of the argument w leads to memory corruption. The attack
can be initiated remotely. The complexity of an attack is rather high.
The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1352
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753
- CVE-2025-1365
A vulnerability, which was classified as critical, was found in GNU
elfutils 0.192. This affects the function process_symtab of the file
readelf.c of the component eu-readelf. The manipulation of the
argument D/a leads to buffer overflow. Local access is required to
approach this attack. The exploit has been disclosed to the public and
may be used. The identifier of the patch is
5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1365
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=5e5c0394d82c53e97750fe7b18023e6f84157b81
- CVE-2025-1371
A vulnerability has been found in GNU elfutils 0.192 and classified as
problematic. This vulnerability affects the function
handle_dynamic_symtab of the file readelf.c of the component eu-read.
The manipulation leads to null pointer dereference. Attacking locally
is a requirement. The exploit has been disclosed to the public and may
be used. The patch is identified as
b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1371
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=b38e562a4c907e08171c76b8b2def8464d5a104a
- CVE-2025-1372
A vulnerability was found in GNU elfutils 0.192. It has been declared
as critical. Affected by this vulnerability is the function
dump_data_section/print_string_section of the file readelf.c of the
component eu-readelf. The manipulation of the argument z/x leads to
buffer overflow. An attack has to be approached locally. The exploit
has been disclosed to the public and may be used. The identifier of
the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is
recommended to apply a patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1372
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db
- CVE-2025-1376
A vulnerability classified as problematic was found in GNU elfutils
0.192. This vulnerability affects the function elf_strptr in the
library /libelf/elf_strptr.c of the component eu-strip. The
manipulation leads to denial of service. It is possible to launch the
attack on the local host. The complexity of an attack is rather high.
The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1376
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=b16f441cca0a4841050e3215a9f120a6d8aea918
- CVE-2025-1377
A vulnerability, which was classified as problematic, has been found
in GNU elfutils 0.192. This issue affects the function
gelf_getsymshndx of the file strip.c of the component eu-strip. The
manipulation leads to denial of service. The attack needs to be
approached locally. The exploit has been disclosed to the public and
may be used. The identifier of the patch is
fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1377
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=fbf1df9ca286de3323ae541973b08449f8d03aba
Patch 0003 is now part of this release.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit b536caaec0 ("package/python-cython: bump to version
3.1.2"), python-numpy fails to build:
Error compiling Cython file:
------------------------------------------------------------
...
np.issubdtype(cov.dtype, np.complexfloating)):
raise TypeError("mean and cov must not be complex")
if size is None:
shape = []
elif isinstance(size, (int, long, np.integer)):
^
------------------------------------------------------------
numpy/random/_generator.pyx:3760:36: undeclared name not builtin: long
Backport upstream patch to fix that build failure.
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add OP-TEE OS Support. NXP BSP lf-6.12.3-1.0.0 version.
The i.MX93 Boot Container requires a raw TEE binary without a TEE header.
Update the imx9-bootloader-prepare.sh script and Config.in accordingly
to ensure compatibility with this requirement.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[Julien: remove empty line in hash file to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This new version v0.6.0-11-g7e06aa3 (lastest git commit)
supports more bayer formats:
b5ad78a1c6
Signed-off-by: Sébastien Tisserand <sebastien.tisserand@armadeus.com>
Reviewed-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
[Julien: use "git describe --tags --abbrev=40" format in _VERSION]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerabilities:
- CVE-2023-2794:
A flaw was found in ofono, an Open Source Telephony on Linux. A stack
overflow bug is triggered within the decode_deliver() function during
the SMS decoding. It is assumed that the attack scenario is accessible
from a compromised modem, a malicious base station, or just SMS. There
is a bound check for this memcpy length in decode_submit(), but it was
forgotten in decode_deliver().
https://www.cve.org/CVERecord?id=CVE-2023-2794
- CVE-2024-7537:
oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono.
Authentication is not required to exploit this vulnerability. The
specific flaw exists within the processing of SMS message lists. The
issue results from the lack of proper validation of user-supplied
data, which can result in a read past the end of an allocated buffer.
An attacker can leverage this in conjunction with other
vulnerabilities to execute arbitrary code in the context of root. Was
ZDI-CAN-23157.
https://www.cve.org/CVERecord?id=CVE-2024-7537
- CVE-2024-7539:
oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
This vulnerability allows local attackers to execute arbitrary code on
affected installations of oFono. An attacker must first obtain the
ability to execute code on the target modem in order to exploit this
vulnerability. The specific flaw exists within the parsing of
responses from AT+CUSD commands. The issue results from the lack of
proper validation of the length of user-supplied data prior to copying
it to a stack-based buffer. An attacker can leverage this
vulnerability to execute code in the context of root. Was ZDI-
CAN-23195.
https://www.cve.org/CVERecord?id=CVE-2024-7539
- CVE-2024-7540:
oFono AT CMGL Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMGL commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23307.
https://www.cve.org/CVERecord?id=CVE-2024-7540
- CVE-2024-7541:
oFono AT CMT Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMT commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23308.
https://www.cve.org/CVERecord?id=CVE-2024-7541
- CVE-2024-7542:
oFono AT CMGR Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMGR commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23309.
https://www.cve.org/CVERecord?id=CVE-2024-7542
Also drop local patch that is no longer applicable, since upstream now
relies on HAS_BACKTRACE as well.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
[Julien: remove .checkpackageignore entry to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Upstream FRR accepts --enable-multipath=N in the range 1-999. Buildroot
previously hardcoded 256.
Add a config integer to set the maximum ECMP paths at build time, keeping
256 as the default. Lower values help match hardware limits or reduce
memory; higher values are useful for software routing or lab testing.
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
[Julien:
- reword commit log title
- replace python '%' formatting with '+' concatenation
- remove IP address assertion in test controller as it
is already in sample script
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
From 0.9.1 the pyroute2 core is async, the synchronous API remains
available as a wrapper.
Upstream changelog:
https://github.com/svinota/pyroute2/blob/0.9.4/CHANGELOG.rst
pyroute2 now requires the python3 ssl module at runtime. This is
reflected in Config.in.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
[Julien:
- add comment in commit log about new ssl runtime dependency
- add runtime comment in Config.in
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Announcement:
https://gcc.gnu.org/pipermail/gcc-announce/2025/000189.html
GCC 15.2 is a bug-fix release from the GCC 15 branch
containing important fixes for regressions and serious bugs in
GCC 15.1 with more than 123 bugs fixed since the previous release.
For the list of bugs fixed in this version, see:
https://gcc.gnu.org/gcc-15/changes.html#15.2
One patch is renamed to match the filename generated by "git
format-patch" out of the box.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: add link to the bug list in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop the timestamp from the .tar.gz to make it reproducible, similar to how
it is done in support/download/helpers.
Notice: .xz files do not contain a timestamp
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The tarball created by git archive is reproducible, but when we append the
generated manual we leak current time and the username/uid of the person
running make release:
tar tvf buildroot-2025.08-rc1.tar.gz | tail
-rwxrwxr-x root/root 5512 2025-08-11 13:22 buildroot-2025.08-rc1/utils/update-rust
drwxr-xr-x peko/peko 0 2025-08-11 17:39 buildroot-2025.08-rc1/
drwxr-xr-x peko/peko 0 2025-08-11 17:38 buildroot-2025.08-rc1/docs/
drwxr-xr-x peko/peko 0 2025-08-11 17:39 buildroot-2025.08-rc1/docs/manual/
-rw-r--r-- peko/peko 5738 2025-08-11 17:38 buildroot-2025.08-rc1/docs/manual/docbook-xsl.css
-rw-r--r-- peko/peko 19029 2025-08-11 17:38 buildroot-2025.08-rc1/docs/manual/github_hash_mongrel2.png
-rw-r--r-- peko/peko 638866 2025-08-11 17:39 buildroot-2025.08-rc1/docs/manual/manual.pdf
-rw-r--r-- peko/peko 587892 2025-08-11 17:38 buildroot-2025.08-rc1/docs/manual/manual.html
-rw-r--r-- peko/peko 393514 2025-08-11 17:39 buildroot-2025.08-rc1/docs/manual/manual.text
-rw-r--r-- peko/peko 117499 2025-08-11 17:38 buildroot-2025.08-rc1/docs/manual/logo.png
Fix that by forcing uid as root and setting mtime to the latest commit,
similar to how we do it in support/download/{git,helpers}.
Notice that we do not use --numeric-owner to match the output of git
archive, so it does rely on uid 0=root, which is very likely but not
guaranteed.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The manual contains build timestamps like:
Buildroot 2025.08-rc1 manual generated on 2025-08-12 06:43:37 UTC
Making it not reproducible. Luckily asciidoc respects SOURCE_DATE_EPOCH, so
use that to use the timestamp of the latest git commit instead.
Notice: The release and manual targets are marked as noconfig targets (and
need to stay like that for make release), so we cannot use the
BR2_REPRODUCIBLE logic. Instead manually set SOURCE_DATE_EPOCH.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release e-mail:
https://inbox.sourceware.org/libc-alpha/5906001.DvuYhMxLoT@pinacolada/
Major new features:
* The following ISO C23 function families (introduced in TS
18661-4:2015) are now supported in <math.h>. Each family includes
functions for float, double, long double, _FloatN and _FloatNx, and a
type-generic macro in <tgmath.h>.
- Power and absolute-value functions: compoundn, pown, powr, rootn,
rsqrt.
* On Linux, the pthread_gettid_np function has been added.
* The ISO C2Y family of unsigned abs functions, i.e. uabs, ulabs,
ullabs, and uimaxabs, is now supported.
* On Linux, the <termios.h> interface now supports arbitrary baud rates;
speed_t is redefined to simply be the baud rate specified as an
unsigned int, which matches the kernel interface.
* The thread-local cache in malloc (tcache) now supports caching of
large blocks. This feature can be enabled by setting the tunable
glibc.malloc.tcache_max to a larger value (max 4194304). Tcache is
also significantly faster for small sizes.
* A new configure option, "--enable-sframe", can be used to enable
SFrame support of the GNU C Libraries. SFrame is a new stack trace
information format which can be used by backtrace. It requires
binutils with a minimum version of 2.45.
* Support for lightweight stack guard pages via madvise and the
MADV_GUARD_INSTALL flag has been added to pthread_create.
* Additional optimized and correctly rounded mathematical functions have
been imported from the CORE-MATH project, in particular acospif,
asinpif, atanpif, atan2pif, cospif, sinpif, tanpif.
* The testsuite has been significantly extended, including coverage of
the functionality of the printf and scanf function families in many
variants.
* The manual has been significantly extended and updated, particularly
the threads, terminal, filesystem, resource, and math chapters.
* Code has been added to detect the x86-64 Intel Arrow Lake, Panther
Lake, Clearwater Forest, and Diamond Rapids microarchitectures.
* Regarding S390, support for the new z17 platform has been added.
Deprecated and removed features, and other changes affecting compatibility:
* The glibc.rtld.execstack tunable now supports a compatibility mode to
allow programs that require an executable stack through dynamically
loaded shared libraries.
* On Linux, the <termio.h> header and the definition of struct termio
in <sys/ioctl.h> have been removed. The termio interface has been
obsolete since the very first version of POSIX.1 in 1988, replaced
with <termios.h>.
* The support for TX lock elision of pthread mutexes has been deprecated
on all architectures and will be removed in the next release.
* On AArch64 Linux targets supporting the Scalable Matrix Extension
(SME), setjmp and sigsetjmp will disable the ZA state of SME.
Changes to build and runtime requirements:
* GCC 12.1 or later is now required to build the GNU C Library.
* GNU Binutils 2.39 or later is now required to build the GNU C Library.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: resolve conflict with commit feaf53585a]
Signed-off-by: Julien Olivain <ju.o@free.fr>
glibc 2.42 drops <termio.h>, so the libsanitizer code needs to be
adjusted accordingly, by backporting upstream gcc fixes.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien:
- renumbered 14.3.0/0003 patch to 14.3.0/0004
- renumbered 15.1.0/0002 patch to 15.1.0/0004
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
From the release notes:
(https://github.com/redis/redis/blob/8.2.0/00-RELEASENOTES)
===========================================================
8.2 GA (v8.2.0) Released Mon 4 Aug 2025 15:00:00 IST
===========================================================
This is the General Availability release of Redis Open Source 8.2.
- Streams - new commands: `XDELEX` and `XACKDEL`; extension to `XADD` and `XTRIM`
- Bitmap - `BITOP`: new operators: `DIFF`, `DIFF1`, `ANDOR`, and `ONE`
- Query Engine - new SVS-VAMANA vector index type which supports vector compression
- More than 15 performance and resource utilization improvements
- New metrics: per-slot usage metrics, key size distributions for basic data types, and more
Note: the full release note mention three CVEs fixed in 8.1.x and 8.2.x
series. Those security fixes were already included in version 8.0.2 and
8.0.3, already in Buildroot. Therefore, this commit is not marked as
security related.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add comment in commit log about CVE in release note]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit b55957fa65 ("CHANGES: Update for 2025.02.3" added an entry for
2025.02.3, but forgot to add an empty line after the title. Fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit f30bf62f53 ("CHANGES: update for 2025.02.4") added the release to
the top of the file instead of below 2025.05-rc1. Fix that and indent with
a tab like the other releases.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since this package hasn't had a proper release in a while this patch set
the CPE_VERSION and CPE_UPDATE to the latest tags available.
The annotation available on NVD all refers to this last available
version `cpe:2.3:a:luajit:luajit:2.1.0:beta3:*:*:*:*:*:*`.
See https://nvd.nist.gov/vuln/detail/CVE-2020-15890 for instance.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is a temporary fix under discussion [1], but it resolves the
problem, by implementing the same behavior as GCC 14.x for register
allocation on Microblaze.
Tested with qemu_microblazeel_mmu_defconfig and used to generate
Microblaze toolchains for the Bootlin toolchains 2025.08-1 [2].
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=121432#c10
[2] 83947c7bb6
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch adds atomic test and set support for the microblaze arch. A patch
is required to use atomic test and set with gcc 14 and 15 which has been
submitted upstream.
To test this patch with gcc 14:
$ cat > .config<<EOF
BR2_microblazeel=y
BR2_GCC_VERSION_14_X=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ACPITOOL=y
EOF
$ make olddefconfig
$ make
To test this patch with gcc 15:
$ cat > .config<<EOF
BR2_microblazeel=y
BR2_GCC_VERSION_15_X=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ACPITOOL=y
EOF
$ make olddefconfig
$ make
Fixes: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=118280
Upstream: https://patchwork.ozlabs.org/project/gcc/list/?series=466193
Signed-off-by: Neal Frager <neal.frager@amd.com>
Tested-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The company name was changed from "benetti-engineering-sas" to "benetti-engineering"
to be agnostic to the company legal form. Update all GitHub and LinkedIn links
accordingly.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The toolchains have been rebuilt with a recent Buildroot, and are
based on:
- Stable toolchains:
GCC 14.3
Binutils 2.43.1
GDB 15.2
Linux headers 5.4
glibc 2.41
musl 1.2.5
uclibc-ng 1.0.45
- Bleeding edge toolchains
GCC 15.1
Binutils 2.44
GDB 16.3
Linux headers 5.15
glibc 2.41
musl 1.2.5
uclibc-ng 1.0.45
The microblaze bleeding-edge toolchains are back, since we integrated
the "atomic issue" fix.
All tests are successful:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1976388296
(note: the test branch had one more commit doing tweaks on the wget
option and re-enabling the backup site for unit tests, which are
needed to avoid intermittent failures of Gitlab CI jobs)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This issue has been fixed in the Bootlin toolchains thanks to the
Microblaze "atomic fix" in GCC.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The AUTORECONF variable was introduced in commit [1] with reference to
the patches that modified the m4 and Makefile.am files.
The commit [2] removed the last such patch but left the reference to the
patch and the AUTORECONF variable.
Later, commit [3] updated the mirror to the gitlab URL that no longer
bundle a pre-generated `configure` file, making the execution of
AUTORECONF necessary anyway.
This patch removes the obsolete reference to the patch 0001 removed in
[2] to avoid ambiguity with the new patch 0001 introduced in commit [4].
[1] 01a82c1401 package/libapparmor: enable python bindings
[2] 27cd0b5033 package/apparmor: bump to version 3.0.4
[3] 5649202ddc package/libapparmor: bump to version 3.1.7
[4] 2640f5dcd0 package/libapparmor: fix build w/ musl
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: add a comment explaining why]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the package bump to v10.05.0 the xlib libraries detection has been
improved to error missing x libraries (see [2]).
The following error is happening on the autobuilder when building
ghostscript with xlib_libX11:
```
checking for XOpenDisplay in -lX11... yes
checking for XdbeQueryExtension in -lXext... yes
checking for XtAppCreateShell in -lXt... no
configure: error: X11 libraries (libX11, libXt, libXext) not available, either install them, or rerun configure with "--without-x"
make: *** [package/pkg-generic.mk:263: /home/buildroot/instance-0/output-1/build/ghostscript-10.05.1/.stamp_configured] Error 1
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XLIB_LIBX11=y
BR2_PACKAGE_GHOSTSCRIPT=y
EOF
make olddefconfig
make
```
This patch fixes the xlib dependencies of the ghostscript package to
correctly build with X support:
- The 'XtAppCreateShell' function is provided by the package
'xlib_libXt'.
- The 'XdbeQueryExtension' function is provided by the package
'xlib_libXext'.
They both select the 'xlib_libX11' package.
[1] 9abf662cfd package/ghostscript: security bump to version 10.05.0
[2] 37eede31e1
Fixes: https://autobuild.buildroot.org/results/45d/45d0414f341feb2354478b145396fe137f9cc6a6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
daemon provides its own getopt() declaration for non-GNU libcs. This
declaration is compatible with musl provided one with C standards before
C23. GCC 15 defaults to C23 that makes the empty params declaration
equivalent to getopt(void), which is incompatible with musl declaration.
Set C standard to gnu99 to restore the previous behaviour.
Fixes:
https://autobuild.buildroot.org/results/cc3311c86e2b14bf9a9c1ea00056e0b290ec11a3
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
GCC 15 switched to C23 by default, which made "void foo()" equivalent to
"void foo(void)". This causes a build error because init_comm() doesn't
actually take any arguments.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Add a patch fixing cmake 4 compatibility, found in upstream pull
request #349. The patch has been modified to apply on version 0.6.1
instead of the current upstream HEAD.
Signed-off-by: Benoît Monin <benoit.monin@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Since the commit [1] the janet package started failing on the
autobuilder when using musl libc:
```
[50/56] Compiling C object libjanet.so.1.35.2.p/meson-generated_.._janet.c.o
FAILED: libjanet.so.1.35.2.p/meson-generated_.._janet.c.o
/workdir/instance-0/output-1/host/bin/armeb-buildroot-linux-musleabi-gcc -Ilibjanet.so.1.35.2.p -I. -I.. -I../src/include -fdiagnostics-color=always -Wall -Winvalid-pch -std=c99 -O3 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O1 -g3 -fPIC -pthread -fvisibility=hidden -MD -MQ libjanet.so.1.35.2.p/meson-generated_.._janet.c.o -MF libjanet.so.1.35.2.p/meson-generated_.._janet.c.o.d -o libjanet.so.1.35.2.p/meson-generated_.._janet.c.o -c janet.c
src/core/util.c: In function 'janet_strerror':
src/core/util.c:977:12: error: returning 'int' from a function with return type 'const char *' makes pointer from integer without a cast [-Wint-conversion]
[51/56] Compiling C object janet-native.p/meson-generated_.._janet.c.o
```
The commit [2] introduced the issue in v1.35.0, the `strerror` function
has different definition on glibc compared to musl. This issue has been
addressed in commit [3]. This patch add the upstream commit [3].
[1] 31212c4c58 package/janet: bump to version 1.35.2
[2] 8334504f4e
[3] a5d6b22838
Fixes: https://autobuild.buildroot.org/results/ff1/ff1d6063c1a79d17cfa9910cca824e704a4a0c67/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
- add option for iwmon support
- enable linux kernel CONFIG_NLMON option needed for iwmon
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since tuxfamily.org is slowly fading away, update my mail address
to something that is more future-proof.
Signed-off-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
On the autobuilder the following build error would appear for the
libzenoh-pico package when the option BR2_ENABLE_RUNTIME_DEBUG is
enabled:
```
[ 1%] Building C object CMakeFiles/zenohpico_shared.dir/src/api/encoding.c.o
In function '_z_encoding_convert_into_string',
inlined from 'z_encoding_to_string' at /workdir/instance-0/output-1/build/libzenoh-pico-1.2.1/src/api/encoding.c:261:5:
/workdir/instance-0/output-1/build/libzenoh-pico-1.2.1/src/api/encoding.c:203:15: error: 'strncat' output truncated before terminating nul copying 1 byte from a string of the same length [-Werror=stringop-truncation]
203 | (void)strncat(value, &sep, 1);
| ^~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBZENOH_PICO=y
BR2_ENABLE_RUNTIME_DEBUG=y
EOF
make olddefconfig
make libzenoh-pico
```
This patch include the upstream commit [1] that fixes this issue.
[1] 60e635cbb1
Fixes: https://autobuild.buildroot.org/results/0c4/0c4644b17646d3ec482f0a4cf02d6fde19db2c99
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When the package was introduced in [1], it lacked a kconfig comment
indicating that it requires a toolchain with thread support.
[1] ea1cc1af55 package/cpuinfo: new package
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
On autobuilder config with BR2_TOOLCHAIN_HAS_THREADS not set the
following error happens when building the pthreadpool package:
```
-- Looking for pthread_create in pthreads
-- Looking for pthread_create in pthreads - not found
-- Looking for pthread_create in pthread
-- Looking for pthread_create in pthread - not found
-- Check if compiler accepts -pthread
-- Check if compiler accepts -pthread - no
CMake Error at /home/buildroot/instance-0/output-1/host/share/cmake-3.31/Modules/FindPackageHandleStandardArgs.cmake:233 (message):
Could NOT find Threads (missing: Threads_FOUND)
Call Stack (most recent call first):
/home/buildroot/instance-0/output-1/host/share/cmake-3.31/Modules/FindPackageHandleStandardArgs.cmake:603 (_FPHSA_FAILURE_MESSAGE)
/home/buildroot/instance-0/output-1/host/share/cmake-3.31/Modules/FindThreads.cmake:226 (FIND_PACKAGE_HANDLE_STANDARD_ARGS)
CMakeLists.txt:143 (FIND_PACKAGE)
-- Configuring incomplete, errors occurred!
```
This can be reproduced with:
```
cat >.config <<EOF
BR2_armeb=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_PACKAGE_PTHREADPOOL=y
EOF
make olddefconfig
make pthreadpool
```
Since the introduction of this package in [1], the dependency was not
included. Since this package was part of the tensorflow-lite
dependencies that required thread it was not an issue.
This patch adds BR2_TOOLCHAIN_HAS_THREADS in the dependency to avoid
errors when built as a standalone package.
[1] f2486a6cf9 package/pthreadpool: new package
Fixes: https://autobuild.buildroot.org/results/35a/35aa100d72c6875350ad10c57f028f04052cbf79
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The following error occur on the autobuilder for static build using
buildroot toolchain and uclibc:
```
/usr/bin/make -j17 -C /home/buildroot/instance-0/output-1/build/snooze-0.5/ PREFIX=/usr CC=/home/buildroot/instance-0/output-1/host/bin/arc-buildroot-linux-uclibc-gcc CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static -static"
make[1]: Entering directory '/home/buildroot/instance-0/output-1/build/snooze-0.5'
/home/buildroot/instance-0/output-1/host/bin/arc-buildroot-linux-uclibc-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static -static snooze.c -o snooze
snooze.c:22:10: fatal error: sys/auxv.h: No such file or directory
22 | #include <sys/auxv.h>
| ^~~~~~~~~~~~
compilation terminated.
make[1]: *** [<builtin>: snooze] Error 1
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_STATIC_LIBS=y
BR2_PACKAGE_SNOOZE=y
EOF
make olddefconfig
make snooze
```
The error doesn't occur on external toolchains.
The `#include <sys/auxv.h>` was orinally included in the initial commit
(see [1]) to use the `getauxval` function declaration. This function
usage has since been removed in commit [2].
This patch removes the include that is no longer needed.
[1] 5648088197
[2] 610e6b35ec
Fixes: https://autobuild.buildroot.org/results/aec/aec463f87094a47ee059113f08e8ee3604dcea9b
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Reviewed-by: J. Neuschäfer <j.ne@posteo.net>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When building tini with musl libc, the following error occurs dur to
missing declaration of 'basename':
```
/home/buildroot/instance-0/output-1/build/tini-0.19.0/src/tini.c: In function 'print_usage':
/home/buildroot/instance-0/output-1/build/tini-0.19.0/src/tini.c:227:36: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
| ^~~~~~~~
make: *** [package/pkg-generic.mk:273: /home/buildroot/instance-0/output-1/build/tini-0.19.0/.stamp_built] Error 1
make: Leaving directory '/home/buildroot/instance-0/buildroot'
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_TINI=y
EOF
make olddefconfig
make tini
```
This patch adds the upstream commit [1], that fixes this issue by
including `libgen.h`.
[1] 924c4bd602
Fixes: https://autobuild.buildroot.org/results/f0d/f0d10cd25f3b0e2a4af7266f7417b339ea5d242a
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The php-pecl-dbus encouters two build issues in both buildroot 2025.02.x
and master branch, both related to PHP8 and GCC14:
/home/alexis/src/buildroot/php/build/php-pecl-dbus-b147624d480c3353e6c700e9a2d0c6f14d853941/dbus.c:465:56:
error: assignment to ‘zend_object_get_properties_t’ {aka ‘struct
_zend_array * (*)(struct _zend_object *)’} from incompatible pointer
type ‘HashTable * (*)(zval *)’ {aka ‘struct _zend_array * (*)(struct
_zval_str
uct *)’} [-Wincompatible-pointer-types]
465 | dbus_object_handlers_dbus_array.get_properties =
dbus_array_get_properties;
| ^
[...]
The build failure can be reproduced with this minimal defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_NEON=y
BR2_ARM_ENABLE_VFP=y
BR2_ARM_FPU_NEON=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_PHP=y
BR2_PACKAGE_PHP_PECL_DBUS=y
This build failure is the result of two events/conditions:
- the update to PHP8 has changed the prototype for
zend_object_read_property_t and zend_hash_get_current_key(see [1]).
But at this time, php-dbus just generated a new warning
(-Wincompatible-pointer-types)
- using bootlin bleeding-edge toolchain brings in GCC14, which now turns
this warning into a systematic error (see [2])
Bring the relevant patches to fix this build.
The first patch comes from an already opened PR on the upstream source.
The second patch has been written during the build failure
investigation, and has been sent upstream as well.
Fixes: https://autobuild.buildroot.net/results/e9892bbefa781b403fd3d834b6c48527c8e078ba
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
All Go packages must depend on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS,
which ensures that we do have a Go compiler available for that target.
BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS is currently restricted to the
availability of a full host Go compiler bootstrap. However, there are
architectures like AArch64 for which a full bootstrap is not supported.
Thus, currently, on an AArch64 host, we can't build Go packages (for
target or host), because we can't bootstrap a Go compiler.
However, note that a single Go compiler can generate code for all the
architectures supported by Go and for some host architectures, there are
pre-built toolchains available. When host-go-bin was added in commit
7b2a164b74 ("package/go/go-bin: new host-go provider"), the host
dependency was properly accounted for: It is already possible to build
host-go packages with go-bin. However, the fact that a Go compiler, in
addition to its native target, can also generate code for all supported
architectures, was missed at the time.
Thus, we can fix this problem by relaxing the condition under which
BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS is set to allowing go-bin
along with go-bootstrap. This allows a situation where the host can't
bootstrap, but for which there is a pre-built toolchain to build Go
packages for a supported target.
Signed-off-by: Florian Larysch <fl@n621.de>
Cc: Yann E. MORIN <yann.morin@orange.com>
Cc: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The previous method used to determine the --gcc-install-dir relied on
'ls' over the gcc installation path, which was fragile and failed in
cases where the external toolchain contained multiple gcc versions or
paths [1].
We replace it a more reliable approach using:
$(TARGET_CC) -print-search-dirs
This helps setup to register the desired GCC architecture if a
given toolchain packages includes multiple GCC architecture
installations. Which isn't possible using the actual method using 'ls'.
For example from James's report:
└── /opt/container/my-toolchain-2025.01.01.12345/lib/gcc/
├── aarch64-example-linux-gnu/
│ └── ...
├── i686-example-linux-gnu/
│ └── ...
└── x86_64-example-linux-gnu/
└── ...
Thanks to Romain Naour for suggesting this improved method.
[1] https://lore.kernel.org/buildroot/d1c773dc-8346-4077-946a-0d3b4e30a6c8@smile.fr/T/#t
Reported by: James Knight <git@jdknight.me>
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Tested-by: James Knight <jdknight@jdknight.me>
Tested-by: James Knight <git@jdknight.me>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When a br2-external tree has no defconfig, list-defconfig currently
whines with an error from find:
find: ‘[...]/my-external/configs’: No such file or directory
Fix that by only running find if the directory exists.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When a br2-external tree description contains an odd number of single
quotes, list-defconfigs will fail with a shell error message:
/bin/sh: -c: line 1: unexpected EOF while looking for matching `"'
make[1]: *** [Makefile:1243: list-defconfigs] Error 2
Whoever wrote that code will have to write this sentence 100 times
on the blackboard:
Never, ever pass user-provided data in a printf format.
(see commit 49117c1028 (core: support description for br2-external
trees); dang, I knew it... And I should have known better when I wrote
that code, damit...)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Grout automatically creates a TUN interface at runtime, so the target
kernel must have CONFIG_TUN enabled. Add a fix-up to ensure that option
is selected.
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Toolchain failed to bootstrap with LP64F and LP64S ABIs.
As reported by Julien in [1]:
Testing the "lp64f" ABI with commands:
cat >.config <<EOF
BR2_loongarch64=y
BR2_LOONGARCH_FPU_32=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
EOF
make olddefconfig
make
fails in host-gcc-initial with output:
Assembler messages:
/tmp/ccEkwSsD.s:28: Error: register save offset not a multiple of 8
/tmp/ccEkwSsD.s:30: Error: register save offset not a multiple of 8
/tmp/ccEkwSsD.s:50: Error: register save offset not a multiple of 8
See also autobuilder failures such as [2].
Testing the "lp46s" ABI with commands:
cat >.config <<EOF
BR2_loongarch64=y
BR2_LOONGARCH_FPU_NONE=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
BR2_TARGET_ROOTFS_EXT2=y
# BR2_TARGET_ROOTFS_TAR is not set
EOF
make olddefconfig
make
fails in host-gcc-final with output:
/buildroot/output/host/loongarch64-buildroot-linux-gnusf/bin/ld: cannot find crti.o: No such file or directory
/buildroot/output/host/loongarch64-buildroot-linux-gnusf/bin/ld: cannot find -lc: No such file or directory
/buildroot/output/host/loongarch64-buildroot-linux-gnusf/bin/ld: cannot find crtn.o: No such file or directory
See also autobuilder failures with as [3].
This commit marks those ABIs as broken at the moment to allow time
for investigation. Also, since gcc defaults to the "lp64d" ABI which
requires a 64bit FPU is present, the BR2_LOONGARCH_FPU_32 and
BR2_LOONGARCH_FPU_NONE options also needs to be marked as broken
as well. See [4].
[1] https://lore.kernel.org/buildroot/e17da108d1fb4e6abda26445dc053b35@free.fr/
[2] https://autobuild.buildroot.org/results/f98570293823867e6c43a1672e1a4b43ca1e4be5
[3] https://autobuild.buildroot.org/results/cf56c37fabcae964dbf4f96eb43a7e4d964452b6
[4] https://lore.kernel.org/buildroot/7b0f1cb629fce8a57d9b644b8beb8b2a@free.fr/
Cc: Mingcong Bai <jeffbai@aosc.io>
Cc: Xi Ruoyao <xry111@xry111.site>
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
[Julien:
- add link to mailing list discussion
- add configuration to reproduce issues to help future investigations
- add links to autobuilder failures in commit log
- mark BR2_LOONGARCH_FPU_{32,NONE} as broken
]
Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Version 95be71b matches with kernel 6.12.41.
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Tested-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
[Fiona: tested on CM4 and Zero 2W, with the RPi bootloader
booting into U-Boot]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When building a toolchain with kernel headers 6.1.x, the build fail
due to missing hash for linux-6.1.147.tar.xz
The hash was removed by mistake when bumping kernel 6.{6, 12, 15}.x
series.
Fixes: 51b27bad91
Cc: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When building the libapparmor package with musl the following error
would appear:
```
test_multi.c: In function 'main':
test_multi.c:27:30: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
27 | printf("File: %s\n", basename(argv[1]));
| ^~~~~~~~
test_multi.c:27:24: warning: format '%s' expects argument of type 'char *', but argument 2 has type 'int' [-Wformat=]
27 | printf("File: %s\n", basename(argv[1]));
| ~^ ~~~~~~~~~~~~~~~~~
| | |
| | int
| char *
| %d
make[3]: *** [Makefile:466: test_multi_multi-test_multi.o] Error 1
```
This error can be reproduced with the following:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_LIBAPPARMOR=y
EOF
make olddefconfig
make libapparmor
```
On musl libc the function `basename` is provided by included libgen.h.
This error has been addressed upstream in [1] by re-defining the
function `basename`.
[1] 7fb040bde6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: drop unrelated AUTORECONF change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following vulnerability:
- CVE-2025-8177
A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as
critical. This issue affects the function setrow of the file
tools/thumbnail.c. The manipulation leads to buffer overflow. An
attack has to be approached locally. The patch is named
e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a
patch to fix this issue. This vulnerability only affects products that
are no longer supported by the maintainer.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-8177
- https://gitlab.com/libtiff/libtiff/-/merge_requests/737
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fix the following vulnerability:
- CVE-2025-8176
A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
as critical. This vulnerability affects the function get_histogram of
the file tools/tiffmedian.c. The manipulation leads to use after free.
The attack needs to be approached locally. The exploit has been
disclosed to the public and may be used. The patch is identified as
fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-8176
- https://gitlab.com/libtiff/libtiff/-/merge_requests/727
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
On my laptop (i5-8365U), running cross-tesseract-ocr in QEMU takes
longer than the default timeout (5s), causing the test to fail:
# time tesseract frame10.png output
Error in pixReadMemTiff: function not present
Error in pixReadMem: tiff: no pix returned
Error in pixaGenerateFontFromString: pix not made
Error in bmfCreate: font pixa not made
Estimating resolution as 157
real 0m 8.17s
user 0m 5.36s
sys 0m 2.79s
So extend the assertRunOk() timeout with ~2x that similar to how it is done
for the gst-launch-1.0 pipeline.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch corrects the spelling of 'Xilinx' in the help menu for the
qemu package.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Back in commit
44a6b7866c ("configs/qemu_sh4*: switch
to initramfs"), the Qemu SuperH defconfigs were switched to initramfs
due to a bug in the Qemu disk emulation.
However, the initramfs solution has an issue: if the initramfs is
slightly too large (like just 6 MB!), the system no longer boots.
Since the disk emulation problem has apparently been resolved in Qemu
10 (according to testing), let's switch back to this.
In addition to essentially reverting
44a6b7866c, we also need to adjust the
kernel configuration so that the kernel takes its command line for the
bootloader (in our case from the Qemu -append option). Otherwise an
hardcoded command line is used, which doesn't mount /dev/sda as the
root filesystem.
This update has been tested on Gitlab CI:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1968267919
Thanks to Romain Naour for pointing to the initramfs size as being the
issue.
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
CVE-2025-8194: There is a defect in the CPython “tarfile” module affecting
the “TarFile” extraction and entry enumeration APIs. The tar implementation
would process tar archives with negative offsets without error, resulting in
an infinite loop and deadlock during the parsing of maliciously crafted tar
archives.
https://nvd.nist.gov/vuln/detail/CVE-2025-8194https://www.openwall.com/lists/oss-security/2025/07/28/1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issues:
GNUTLS-SA-2025-07-08-1 CVE-2025-32989
Severity Medium; Heap read buffer overflow
When an X.509 certificate contains an SCT (signed certificate timestamp)
extension and its length field is malformed, the library could read the memory
buffer past the boundary. The issue was reported in the issue tracker as
<https://gitlab.com/gnutls/gnutls/-/issues/1695>.
------------------------------------------------------------------------------
GNUTLS-SA-2025-07-08-2 CVE-2025-32988
Severity Low; Memory corruption on error path
When any error occurs during exporting a certificate with an otherName in the
SAN (subject alternative name) extension, the library could potentially double
free the ASN.1 structure. The issue was reported in the issue tracker as
<https://gitlab.com/gnutls/gnutls/-/issues/1694>.
------------------------------------------------------------------------------
GNUTLS-SA-2025-07-08-3 CVE-2025-32990
Severity Low; Heap write buffer overflow
When the certtool program is invoked with a template file with a number of
string pairs for a single keyword, a NULL pointer could be written past the
memory boundary. The issue was reported in the issue tracker as
<https://gitlab.com/gnutls/gnutls/-/issues/1696>.
------------------------------------------------------------------------------
GNUTLS-SA-2025-07-08-4 CVE-2025-6395
Severity Medium; Denial of service
When a TLS 1.3 handshake involves a Hello Retry Request and the second
Client Hello omits the PSK which was present in the first Client Hello,
the GnuTLS server can dereference a NULL pointer. The issue was reported
in the issue tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1718>.
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit updates the ARC toolchain components to the 2024.12
release, keeping the same patches.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
package/binutils and package/gcc both allow to use upstream versions
on ARC, but package/gdb allows using only the ARC version. Adjust the
packaging to align package/gdb with package/binutils and package/gcc,
so that upstream versions of gdb can be built for ARC.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The SBOM is easier to read if the dependencies are sorted alphabetically.
Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add options to customize the project name and version in the generated SBOM
metadata and set buildroot generate-cyclonedx as a tool in the metadata
section.
Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This makes it more readable and easier to quickly identify basic information.
Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The ecvt(), fcvt(), and gcvt() functions from stdlib.h, used by the SIO
library packaged with the xinetd sources, are masked by _GNU_SOURCE in
musl libc.
Signed-off-by: Aaron Sierra <aaron@bubbl-tek.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changelog (see [1]):
ver 3.9:
Fix issue with Access Point mode and frequency unlocking.
Fix issue with network configuration and BSS retry logic.
Fix issue with handling busy notification from Access Point.
Fix issue with handling P-192, P-224 and P-521 for SAE.
ver 3.8:
Fix issue with handling unit tests and missing kernel features.
ver 3.7:
Fix issue with handling length of EncryptedSecurity.
Fix issue with handling empty affinities lists.
Fix issue with handling survey scanning results.
Fix issue with handling duplicate values in DPP URI.
ver 3.6:
Fix issue with handling blacklisting and roaming requests.
Fix issue with handling CQM thresholds for FullMAC devices.
Add support for PMKSA when using FullMAC devices.
ver 3.5:
Add support for option to disable blacklist handling.
Add support for option to disable SAE for broken drivers.
ver 3.4:
Add support for the Test Anything Protocol.
ver 3.3:
Fix issue with handling External Authentication.
ver 3.2:
Fix issue with GCC 15 and -std=c23 build errors.
Add support for using PMKSA over SAE if available.
Add support for HighUtilization/StationCount thresholds.
Add support for disabling Multicast RX option.
ver 3.1:
Fix issue with handling OWE transition BSS selection.
Fix issue with handling oper class 136 starting frequency.
[1] https://git.kernel.org/pub/scm/network/wireless/iwd.git/tree/ChangeLog?h=3.9
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog (see [1]):
ver 0.79:
Fix issue with D-Bus client and watch removal handling.
Fix issue with D-Bus client and service name handling.
Fix issue with D-Bus proxy and filter rule handling.
ver 0.78:
Fix issue with random ECC scalar generation.
ver 0.77:
Add support for precheck feature for unit tests.
Add support for license variable for pkg-config.
ver 0.76:
Fix issue with random scalar generation.
ver 0.75:
Add support for converting OID octets to strings.
Add support for NIST P-224 cuve usage with ECDH.
Add support for NIST P-521 cuve usage with ECDH.
Add support for SHA-3 series of hashing algorithms.
ver 0.74:
Add support for NIST P-192 curve usage with ECDH.
Add support for SHA-224 based checksums and HMACs.
ver 0.73:
Fix issue with parsing hwdb.bin child structures.
ver 0.72:
Add support for the Test Anything Protocol.
ver 0.71:
Fix issue with GCC 15 and -std=c23 build errors.
ver 0.70:
Add support for helper function for safe memcpy.
[1] https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ChangeLog?h=0.79
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CVE-2025-3277 as been marked as a duplicate of CVE-2025-29087 by the
debian security tracker [1].
The CVE-2025-29087 has already been fixed in commit [2] so this patch
adds CVE-2025-3277 to the ignored CVEs.
[1] https://security-tracker.debian.org/tracker/CVE-2025-3277
[2] 835b5659ea package/sqlite: add patch to fix CVE-2025-29087
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For change log since 3.5.0, see:
https://github.com/DMTF/libspdm/releases
Following the upgrade of libopenssl to version 3.5.0 [1], the build
process for libspdm encountered issues due to the new openssl API.
It requires some modifications in the asn1.h file of libspdm.
This build error was addressed by a specific commit [2] in libspdm.
As Buildroot 2025.02 isn't impacted, this commit bumps libspdm to the
latest libspdm version to fix the build error.
This commit also updates the license hash, after a year update in:
e8a35c8d0d
[1]: 9868ca6ec9
[2]: 88797f83da
Fixes:
https://autobuild.buildroot.org/results/87b8805975ef132a58c40e622e2e023199f6ee2a/
Signed-off-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
[Julien:
- add link to change log
- fix LICENSE.md hash
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2025-6170
A flaw was found in the interactive shell of the xmllint command-line
tool, used for parsing XML files. When a user inputs an overly long
command, the program does not check the input size properly, which can
cause it to crash. This issue might allow attackers to run harmful
code in rare configurations without modern protections.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-6170
- c340e41950
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes build error with gcc-15.x:
drivers/net/3c509-eisa.c:39:26: error: initialization of 'void (*)(void)'
from incompatible pointer type 'void (*)(struct nic *, struct eisa_device *)'
[-Wincompatible-pointer-types]
For a similar fix see https://bugzilla.suse.com/show_bug.cgi?id=1243225
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2024-8947
A vulnerability was found in MicroPython 1.22.2. It has been declared
as critical. Affected by this vulnerability is an unknown functionality
of the file py/objarray.c. The manipulation leads to use after free.
The attack can be launched remotely. The complexity of an attack is
rather high. The exploitation appears to be difficult. Upgrading to
version 1.23.0 is able to address this issue. It is recommended to
upgrade the affected component. In micropython objarray component, when
a bytes object is resized and copied into itself, it may reference
memory that has already been freed.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-8947
- 4bed614e70
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerabilities:
- CVE-2024-40897
Stack-based buffer overflow vulnerability exists in orcparse.c of ORC
versions prior to 0.4.39. If a developer is tricked to process a
specially crafted file with the affected ORC compiler, an arbitrary
code may be executed on the developer's build environment. This may
lead to compromise of developer machines or CI build environments.
https://www.cve.org/CVERecord?id=CVE-2024-40897
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-40897
- fb7db9ae3e
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Don't define boolean macros for C23 standard as they are implemented
as keywords.
Fixes the following error:
make[2]: Entering directory
'/home/user/Documents/versioned/oss/xmlrpc-c/lib/util'
gcc -c -DNDEBUG -pthread -Wall -W -Wno-uninitialized -Wundef
-Wno-unknown-pragmas -Wmissing-declarations -Wstrict-prototypes
-Wmissing-prototypes -Wimplicit -fno-common -g -O3
-Isrcdir/lib/util/include
-I/home/user/Documents/versioned/oss/xmlrpc-c casprintf.c
In file included from casprintf.c:9:
srcdir/lib/util/include/bool.h:13:5: error: cannot use keyword ‘false’
as enumeration constant
13 | false = 0,
| ^~~~~
srcdir/lib/util/include/bool.h:13:5: note: ‘false’ is a keyword with
‘-std=c23’ onwards
srcdir/lib/util/include/bool.h:15:3: error: expected ‘;’, identifier
or ‘(’ before ‘bool’
15 | } bool;
| ^~~~
srcdir/lib/util/include/bool.h:15:3: warning: useless type name in
empty declaration
Upstream: https://sourceforge.net/p/xmlrpc-c/code/3318/
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] introduced an Armv7 test case for Xen named TestXenArmv7,
next to the original Aarch64 test case which was simply named TestXen.
The test list shows, for example with the command
"support/testing/run-tests -l":
tests.package.test_xen.TestXen
tests.package.test_xen.TestXenArmv7
In order to make this test list a bit more explicit, this commit
renames the TestXen to TestXenAarch64. With that change, the list
becomes:
tests.package.test_xen.TestXenAarch64
tests.package.test_xen.TestXenArmv7
[1] 5346824a83
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Starting GCC14 'implicit-function-declaration' are treated as errors by
default. When building kvmtool with musl libc, the following error
occurs due to missing declaration of 'basename':
```
vfio/core.c:537:22: error: implicit declaration of function ‘basename’ [-Wimplicit-function-declaration]
537 | group_name = basename(group_path);
| ^~~~~~~~
vfio/core.c:537:22: warning: nested extern declaration of ‘basename’ [-Wnested-externs]
vfio/core.c:537:20: error: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
537 | group_name = basename(group_path);
| ^
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_KVMTOOL=y
EOF
make olddefconfig
make kvmtool
```
This patch adds the upstream commit that fixes this issue by including
the appropriate header, ensuring compatibility with musl and GCC14.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Upstream removed this configure option in version 8.10.0:
269fdd4c6e
which was added to buildroot with commit
d68b999787.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Upstream removed this configure option in version 8.8.0:
50def7c881
which was added to buildroot with commit
50bdb2a3b7.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a TestXenArmv7 class with its related files in an arm/ subfolder
under test_xen/, to test Xen on 32-bit Arm v7.
We cannot boot with UEFI in this case; we use a custom U-Boot script,
which creates the Xen configuration Devicetree during boot.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In preparation of adding a test for Xen on 32-bit Arm v7:
- Introduce an architecture-agnostic TestXenBase class where we move
most of the Xen test scenario and bits of the configuration.
- Re-organise the test_xen/ folder with the architecture-agnostic files
under common/ and the 64-bit Arm specific files under aarch64/.
Make the 64-bit Arm TestXen class inherit from the base class and leave
in there only the architecture-specific parts:
- The 64-bit Arm configuration bits.
- The test function, which passes the proper 64-bit Arm simulator
options to the generic test function.
No functional change intended.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit a954d39a58 ("package/chartjs: bump to version 3.9.1") updated the
package version and the license file hash, but also changed the path to
the license file in the hash file. However, the path to the license file
hasn't changed, causing an error during "make legal-info". Revert the
path change.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The LICENSE-MIT file has changed.
Commit 432aef05 fixed it for rust package but forgot
the update-rust script.
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
ncurses from 6.4.20231021 enables "NCUSES_OPAQUE_MENU", which hides
some parts of the code away from the application. This causes
petitboot to fail building in a few spots where it tries to directly
access the name of the menu item.
Since the ncurses package was bumped to version 6.5.20250517 in
commit [0], petitboot is failing to build with error:
ui/ncurses/nc-menu.h: In function ‘pmenu_dump_item’:
ui/ncurses/nc-menu.h:129:47: error: invalid use of incomplete typedef ‘ITEM’ {aka ‘const struct tagITEM’}
129 | pb_debug("%p %s\n", item, (item ? item->name.str : "(null)"));
This commit fixes the issue by adding package patches.
These two patches were submitted to the petitboot mailing list by
Nicholas Piggin [1] resolve this issue using accessors, or by making a new item.
This has been raised upstream but not yet applied [2].
[0]: e7c091f113
[1]: https://lists.ozlabs.org/pipermail/petitboot/2024-February/thread.html#1545
[2]: https://github.com/open-power/petitboot/issues/106
Signed-off-by: Nathaniel Roach <nroach44@nroach44.id.au>
Fixes: https://autobuild.buildroot.org/results/bf1/bf173e1e0f8ad3f40534aaa358dc40993cd14ac4/build-end.log
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
[Julien:
- add Signed-off-by in patches
- add info in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Bump Linux kernel to v6.15.7 and update the hash file.
- Bump the model in the readme to version 11.29 build 27.
While at it, adjust the model's path in the readme to take the host
architecture into account.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit adds support for the i.MX 91 FRDM (Freedom) board.
The i.MX91 FRDM development board is a low-cost and compact
development board featuring the i.MX91 applications processor.
See: https://nxp.com/FRDM-IMX91
This defconfig is based on freescale_imx93frmd_defconfig, introduced in
commit 2e05f22ff8
Compared to the original freescale_imx93_frmd_defconfig, this defconfig
uses a Bootlin glibc stable external toolchain, to follow guidelines
from: https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Signed-off-by: Juan Pablo Montero Castro <juanpablo.monterocastro@nxp.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since its introduction in commit [1], avrdude has a post install
target hook removing a backup configuration file.
Commit [2] updated avrdude to version 7.1 and switch to the
cmake infra.
CMake recipe doesn't create a backup of the avrdude.conf.
This commit removes this hook which is no longer needed.
[1] dc776f0d05
[2] f89f3787a0
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
A new kvm-unit-tests version has recently been tagged, so let's
update to that version.
This version also add suport for RISC-V, add RISC-V to Config.in
Signed-off-by: Jesse Taube <jesse@rivosinc.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
[Julien: move riscv32 before riscv64 in .mk]
Signed-off-by: Julien Olivain <ju.o@free.fr>
lib/long-options.c failed to compile with musl for the same reason
0002-lib-long-options.c-include-stdlib.h.patch was added to fix,
exit() being undefined. The fix is the same as well: include stdlib.h.
Fixes: b6784a1f1f ("package/lrzsz: fix build with GCC >= 14.x")
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release note, see:
https://github.com/encode/starlette/releases/tag/0.47.2
This fixes the following vulnerability:
- CVE-2025-54121:
Starlette is a lightweight ASGI (Asynchronous Server Gateway
Interface) framework/toolkit, designed for building async web services
in Python. In versions 0.47.1 and below, when parsing a multi-part
form with large files (greater than the default max spool size)
starlette will block the main thread to roll the file over to disk.
This blocks the event thread which means the application can't accept
new connections. The UploadFile code has a minor bug where instead of
just checking for self._in_memory, the logic should also check if the
additional bytes will cause a rollover. The vulnerability is fixed in
version 0.47.2.
https://www.cve.org/CVERecord?id=CVE-2025-54121
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add link to release note]
Signed-off-by: Julien Olivain <ju.o@free.fr>
A recent commit introduced a few lines that were indented with spaces
rather than a tab. Rectify this.
Fixes: 00b30f887a ("toolchain-wrapper.c: get rid of EXCLUSIVE_ARGS")
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository [0]
rtl8821au since Larry unfortunately passed away[1](RIP) and there are
pending PRs that will never be checked as stated here. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And of course let's update
package's URL due to the moving.
[0]: https://github.com/lwfinger/rtl8812au/issues/32
[1]: https://lwn.net/Articles/979419/
Fixes:
still not occured.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository [0]
rtl8723ds since Larry unfortunately passed away[1](RIP) and there are
pending PRs that will never be checked as stated here. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And let's drop local patches
that are now upstreamed as well. And of course let's update package's
URL due to the moving.
[0]: https://github.com/lwfinger/rtl8723ds/issues/53
[1]: https://lwn.net/Articles/979419/
Fixes:
still not occured.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository
rtl8723bu since Larry unfortunately passed away[0](RIP) and there are
pending PRs that will never be checked as stated here[1]. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And of course let's update
package's URL due to the moving.
[0]: https://lwn.net/Articles/979419/
[1]: https://github.com/lwfinger/rtl8723bu/issues/206
Fixes:
still not occured.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 2 local patches pending upstream to fix build failure with Linux 6.15.
Fixes:
still not occured.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add local patch pending upstream to fix build failure with Linux 6.15.
Fixes:
still not occured.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With this version we can build with Linux 6.15.
Fixes:
still not occured.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: remove empty line in hash file to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository
rtl8188eu since Larry unfortunately passed away[0](RIP) and there are
pending PRs that will never be checked as stated here[1]. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And let's drop local patches
that are now upstreamed as well. Let's also drop obsolete Config.in
informations since as stated here[2]: "This driver is under development
and has a limited feature set. In particular it does not yet support 40MHz
channels and power management". At the same time drop other suggestions
like enabling CONFIG_WIRELESS_EXT or "this package needs a firmware loading
mechanism to load the binary blob for the chip to work" since they are now
part of the package. And of course let's update package's URL due to the
moving.
[0]: https://lwn.net/Articles/979419/
[1]: https://github.com/lwfinger/rtl8188eu/pull/464
Fixes:
https://autobuild.buildroot.org/results/d59537da8eb27d737718885dc81ec257a2791455/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Rather than having a hard coded amount of exclusive args (with the risk of
overflow when new logic is added), simplify the argument buffer allocation
logic to always allocate room for DEFAULT_MAX_ARGS (1024) arguments and just
realloc to grow for the rare situation where that is not enough.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
C99 section 5.1.2.2.1p2 mandates that:
- argv[argc] shall be a null pointer.
https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf
So we might as well copy the null pointer along in the memcpy() rather than
copy everything up to the null pointer and then add one afterwards for
simplicity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.39 and U-Boot to
version 2025.07. The patches applied to U-Boot by Buildroot have been
removed, as they are included in version 2025.07.
The patch has been tested on both boards.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When building LTP with a musl toolchain with kernel headers >= 6.14,
compilation fails with error:
In file included from listmount02.c:22:
listmount.h: In function ‘listmount’:
listmount.h:18:16: error: variable ‘req’ has initializer but incomplete type
18 | struct mnt_id_req req = {
| ^~~~~~~~~~
The issue can be reproduced with commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_BUILDROOT_MUSL=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_LATEST_VERSION=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_PACKAGE_LTP_TESTSUITE=y
EOF
make olddefconfig
make ltp-testsuite
Backport 2 commits from upstream which fixes LTP on musl on
kernel >= 6.14.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
[Julien:
- add commands to reproduce the issue in commit log
- move _AUTORECONF up to be nearer _VERSION
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the zynqmp readme.txt file to use BR2_TARGET_UBOOT_ZYNQMP_PSU_INIT_FILE
option for configuring custom zynqmp boards with Buildroot. There is no need
for any custom / manual steps since the support is included with Buildroot.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Systemd support for the RAUC hawkbit updater was added in
4aa7a4ad8a (package/rauc-hawkbit-updater: add systemd optional dependency, 2024-07-10)
This installs the RAUC hawkbit updater service, which executes as user
"rauc-hawkbit" [1], which doesn't exist by default.
[1] 2711c0e027/script/rauc-hawkbit-updater.service
Signed-off-by: Gero Schwäricke <gero.schwaericke@sevenlab.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Nftables should be preferred over iptables if available, which
NetworkManager will do if both paths are set.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 5.4.3, see:
https://github.com/assimp/assimp/releases
This fixes the following vulnerabilities:
- CVE-2025-2750:
A vulnerability, which was classified as critical, was found in Open
Asset Import Library Assimp 5.4.3. This affects the function
Assimp::CSMImporter::InternReadFile of the file
code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
manipulation leads to out-of-bounds write. It is possible to initiate
the attack remotely. The exploit has been disclosed to the public and
may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2750
- CVE-2025-2751:
A vulnerability has been found in Open Asset Import Library Assimp
5.4.3 and classified as problematic. This vulnerability affects the
function Assimp::CSMImporter::InternReadFile of the file
code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
manipulation of the argument na leads to out-of-bounds read. The
attack can be initiated remotely. The exploit has been disclosed to
the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2751
- CVE-2025-2757:
A vulnerability classified as critical was found in Open Asset Import
Library Assimp 5.4.3. This vulnerability affects the function
AI_MD5_PARSE_STRING_IN_QUOTATION of the file
code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The
manipulation of the argument data leads to heap-based buffer overflow.
The attack can be initiated remotely. The exploit has been disclosed
to the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2757
- CVE-2025-3158:
A vulnerability, which was classified as critical, has been found in
Open Asset Import Library Assimp 5.4.3. Affected by this issue is the
function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of the file
code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File Handler.
The manipulation leads to heap-based buffer overflow. It is possible
to launch the attack on the local host. The exploit has been disclosed
to the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-3158
Also, drop local security patches that have been applied upstream
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to relase notes]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This is a security release of the Long Term Support branch, see release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4
Also update the download location, because upstream changed the tag naming
scheme from v<...> to mbedtls-<...>
This fixes the following vulnerabilities:
- CVE-2025-47917
Fix possible use-after-free or double-free in code calling
mbedtls_x509_string_to_names(). This was caused by the function calling
mbedtls_asn1_free_named_data_list() on its head argument, while the
documentation did no suggest it did, making it likely for callers relying
on the documented behaviour to still hold pointers to memory blocks after
they were free()d, resulting in high risk of use-after-free or double-free,
with consequences ranging up to arbitrary code execution.
In particular, the two sample programs x509/cert_write and x509/cert_req
were affected (use-after-free if the san string contains more than one DN).
Code that does not call mbedtls_string_to_names() directly is not affected.
- CVE-2025-48965
Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
an item in the output list in an inconsistent state with val.p == NULL but
val.len > 0. This impacts applications that call this function directly,
or indirectly via mbedtls_x509_string_to_names() or one of the
mbedtls_x509write_{crt,csr}set{subject,issuer}_name() functions. The
inconsistent state of the output could then cause a NULL dereference either
inside the same call to mbedtls_x509_string_to_names(), or in subsequent
users of the output structure, such as mbedtls_x509_write_names(). This
only affects applications that create (as opposed to consume) X.509
certificates, CSRs or CRLs, or that call mbedtls_asn1_store_named_data()
- CVE-2025-49087
Fix a timing side channel in the implementation of PKCS#7 padding
which would allow an attacker who can request decryption of arbitrary
ciphertexts to recover the plaintext through a timing oracle attack.
- CVE-2025-49600:
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid
signatures if hash computation fails and internal errors go unchecked,
enabling LMS (Leighton-Micali Signature) forgery in a fault scenario.
Specifically, unchecked return values in mbedtls_lms_verify allow an
attacker (who can induce a hardware hash accelerator fault) to bypass
LMS signature verification by reusing stale stack data, resulting in
acceptance of an invalid signature. In mbedtls_lms_verify, the return
values of the internal Merkle tree functions create_merkle_leaf_value
and create_merkle_internal_value are not checked. These functions
return an integer that indicates whether the call succeeded or not. If
a failure occurs, the output buffer (Tc_candidate_root_node) may
remain uninitialized, and the result of the signature verification is
unpredictable. When the software implementation of SHA-256 is used,
these functions will not fail. However, with hardware-accelerated
hashing, an attacker could use fault injection against the accelerator
to bypass verification.
https://www.cve.org/CVERecord?id=CVE-2025-49600
- CVE-2025-49601:
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not
check that the input buffer is at least 4 bytes before reading a
32-bit field, allowing a possible out-of-bounds read on truncated
input. Specifically, an out-of-bounds read in
mbedtls_lms_import_public_key allows context-dependent attackers to
trigger a crash or limited adjacent-memory disclosure by supplying a
truncated LMS (Leighton-Micali Signature) public-key buffer under four
bytes. An LMS public key starts with a 4-byte type indicator. The
function mbedtls_lms_import_public_key reads this type indicator
before validating the size of its input.
https://www.cve.org/CVERecord?id=CVE-2025-49601
- CVE-2025-52496:
Mbed TLS before 3.6.4 has a race condition in AESNI detection if
certain compiler optimizations occur. An attacker may be able to
extract an AES key from a multithreaded program, or perform a GCM
forgery.
https://www.cve.org/CVERecord?id=CVE-2025-52496
- CVE-2025-52497:
Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer
underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse
functions, via untrusted PEM input.
https://www.cve.org/CVERecord?id=CVE-2025-52497
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: fix upstream hash URL in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The sunxi-mali-utgard-driver at git version 9926236a is failing
to build with kernel 6.15.
The issue has not been seen in autobuilder, but can be reproduced
with commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_LATEST_VERSION=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_PACKAGE_SUNXI_MALI_UTGARD=y
EOF
make olddefconfig
make sunxi-mali-utgard-driver
This new version fixes the issue and builds up to Linux 6.15.
Also, _SITE URL has moved to github benetti-engineering-sas so
let's modify accordingly.
Fixes:
linux/mali_osk_timers.c: In function ‘_mali_osk_timer_del’:
linux/mali_osk_timers.c:59:9: error: implicit declaration of function ‘del_timer_sync’ [-Wimplicit-function-declaration]
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add commands to reproduce the issue in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since python-cython bump to 3.1.2 in commit [1], python-dbus-fast
is failing to build.
Set --skip-dependency-check as dbus-fast specifies an unnecessarily
strict maximum cython version.
Fixes:
ERROR Missing dependencies:
Cython<3.1.0,>=3
[1] b536caaec0
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: add reference to buildroot commit introducing the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The previous url pointed to an unrelated but similarly named project.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release Notes:
* Fixed deletion of Local values affecting other contexts. (#523)
* Skip CPython specific garbage collection test on pypy. (#521)
3.9.0 (2025-07-03)
------------------
* Adds support for Python 3.13.
* Drops support for (end-of-life) Python 3.8.
* Fixes an error with conflicting kwargs between AsyncToSync and the wrapped
function. (#471)
* Fixes Local isolation between asyncio Tasks. (#478)
* Fixes a reference cycle in Local (#508)
* Fixes a deadlock in CurrentThreadExecutor with nested async_to_sync →
sync_to_async → async_to_sync → create_task calls. (#494)
* The ApplicationCommunicator testing utility will now return the task result
if it's already completed on send_input and receive_nothing. You may need to
catch (e.g.) the asyncio.exceptions.CancelledError if sending messages to
already finished consumers in your tests. (#505)
Source: https://github.com/django/asgiref/blob/main/CHANGELOG.txt
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This adds the experimental vulkan support for the PowerVR rogue
architecture.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This "powervr" directory has been present in linux-firmware since
version 20231211.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Reviewed-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an option to install the firmware files for Chips&Media Wave 521C
video processor used in the TI K3 architecture.
This "cnm/wave521c_k3_codec_fw.bin" file has been present in linux-firmware
since version 20221109.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Reviewed-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
libcddb fail to build with gcc-14 with error:
cddb_net.c: In function 'timeout_connect':
cddb_net.c:328:63: error: passing argument 5 of 'getsockopt' from incompatible pointer type [-Wincompatible-pointer-types]
328 | getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &rv, &l);
| ^~
| |
| size_t * {aka long unsigned int *}
This commit adds a patch to fix the issue.
Fixes:
https://autobuild.buildroot.net/results/723/7236cf5fd4f33aabd3178586f877dff04d754abe/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add error message in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop no longer required host-python-tomli dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Drop no longer required host-python-typing-extensions dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This fixes the following vulnerability:
- CVE-2025-53643:
In aiohttp prior to version 3.12.14, the Python parser is vulnerable
to a request smuggling vulnerability due to not parsing trailer
sections of an HTTP request. If a pure Python version of aiohttp is
installed (i.e. without the usual C extensions) or
AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to
execute a request smuggling attack to bypass certain firewalls or
proxy protections. Version 3.12.14 contains a patch for this issue.
https://www.cve.org/CVERecord?id=CVE-2025-53643
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The patch bumps the Linux kernel to version 6.12.36 and U-Boot to
version 2025.07.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This reverts commit e44aff6b1b which added
support for linking ffmpeg against libpulse if it is present to provide
libavdevice support for the PulseAudio protocol. However, it turns out
that this creates a dependency cycle when BR2_PACKAGE_LIBSOXR is
enabled, since the pulseaudio daemon can use libsoxr for resampling and
libsoxr can use the FFT implementation from ffmpeg.
Resolving this would probably mean breaking up the pulseaudio package
into the client libraries and the daemon proper (a standalone libpulse
without the daemon is still useful since it can talk to a remote daemon
via the network or more likely today talk to a local instance of
PipeWire, which also implements the PulseAudio protocol).
For now, break the dependency cycle by reverting to the original state
(no pulseaudio client support in ffmpeg).
Reported-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 27.5.1, see:
https://github.com/moby/moby/releases
Since version 28.0.0, docker-engine requires the RAW netfilter table, so
enable that as part of the kernel fixups.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Christian Stewart <christian@aperture.us>
[Julien: add link to release notes]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Via the docker-compose runtime test, we can exercise the full suite of
the docker-related packages: docker-compose, of course, but also
docker-engine, which in turn allows exercising containerd. The latter
by defualt uses runc as the container runtime, but can alternatively use
crun.
Extend the docker-compose runtime test with a variant that enables crun.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Upstream passt only documents runtime dependencies; and they advertise
being able to run on kernel 3.8 or later. However, they do not document
the build dependencies.
As reported by Julien, since 2024_12_11.09478d5, upstream requires
kernel headers >= 5.0, as they make use of linux/vhost_types.h, only
introduced in 5.0.
Add a dependency to kernel headers, and propagate it to podman's passt
backend.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When building libesmtp on the autobuilder with gcc-14, the
following error occurs:
/workdir/instance-0/output-1/per-package/libesmtp/host/bin/arc-linux-gcc -Ilibesmtp.so.6.2.0.p -I. -I.. -I/workdir/instance-0/output-1/per-package/libesmtp/host/arc-buildroot-linux-gnu/sysroot/usr/include -fdiagnostics-color=always -Wall -Winvalid-pch -std=c11 -O3 -D_POSIX_C_SOURCE=200809L -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ libesmtp.so.6.2.0.p/smtp-api.c.o -MF libesmtp.so.6.2.0.p/smtp-api.c.o.d -o libesmtp.so.6.2.0.p/smtp-api.c.o -c ../smtp-api.c
../smtp-api.c: In function 'smtp_version':
../smtp-api.c:1183:7: error: implicit declaration of function 'strlcpy'; did you mean 'strncpy'? [-Wimplicit-function-declaration]
1183 | if (strlcpy (buf, v, len) > len)
| ^~~~~~~
| strncpy
This error has been fixed upstream in commit [1], but no new release
has been made since.
This patch update the package version to fetch the latest upstream
commit v1.1.0-14-g335ee8d.
For the changes, see:
- https://github.com/libesmtp/libESMTP/compare/v1.1.0...335ee8d2fa5cb7d30db7b818ec05563ad139ee2f
[1] 972eb54749
Fixes: https://autobuild.buildroot.org/results/ced/ceda012506edccda1727904eb3327017b07e27d8
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien:
- mention gcc-14 as the root cause of the build failure
- use "git describe --tags --abbrev=40" format in _VERSION
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This brings the script in line with current init script standards, and
fixes all make check-package warnings. Other notable changes:
* Use start-stop-daemon to create a PID file, so we can monitor shutdown.
* Use "udevadm control --exit" to implement stop, instead of "killall".
* Do not require /etc/udev/udev.conf to exist, the default contains
only comments and udevd works without.
* Do not parse /etc/udev/udev.conf, the udev_root configuration option
it was used for has been removed in version 1.5.1 [1].
* Implement reload using udevadm.
[1] 6ada823a9a
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The hwdb sources are always deleted from the rootfs image (see commit
07aa585aa6), so the resulting hwdb.bin
is installed package data, not user configuration. The name of the
"--usr" flag to "udevadm hwdb" may be confusing, but it chooses the
libexecdir location, whether that is in /usr or not.
Eudev checks both locations and prefers the one in /etc if it exists,
so overriding the configuration in an installed system is possible as
before, with the advantage that /etc/udev/hwdb.bin (if any) can be
deleted to restore defaults.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
It was removed from eudev with version 1.5.1, when introspection
became part of the gudev option [1]. This has in turn been removed and
replaced by package/libgudev, yet somehow the flag stayed. Remove it
to remove a warning during configure stage.
[1] d5d6a7f304
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Minimum python version is now 3.9, but also it's not really relevant to
mention this in the package description.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Currently, both BR2_TARGET_ROOTFS_EROFS_ALL_FRAGMENTS and
BR2_TARGET_ROOTFS_EROFS_FRAGMENTS have the same Kconfig prompt, making
them hard to distinguish.
Reword the one for -Eall-fragments to be distinct.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Version 2.23 change log:
* support MPD protocol 0.24.0
- allow window for listplaylist and listplaylistinfo
- command "playlistlength", "protocol", "stickertypes",
"stickernamestypes", "searchplaylist"
- tag "ShowMovement"
- new sticker find api
- new subcommands for "tagtypes": "available", "reset"
* Support open end for mpd_search_add_window
* format floating-point numbers with the POSIX localew
Signed-off-by: Andreas Ziegler <br015@umbiko.net>
Tested-by: Andreas Ziegler <br015@umbiko.net>
[Julien: update signature link in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Needed for kodi 22.x.
Added build fix for >= gcc-13.
Switched build system to cmake following upstream:
13683c56e5
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: use "git describe --tags --abbrev=40" format for _VERSION]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch replaces the previous patch allowing to build with ffmpeg 6.x
with a patch which also allows to build with ffmpeg 7.x.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The following build error is happening on the autobuilder:
```
arg_int.c:60:12: error: implicit declaration of function 'isspace' [-Wimplicit-function-declaration]
60 | while (isspace(*ptr))
| ^~~~~~~
arg_int.c:33:1: note: include '<ctype.h>' or provide a declaration of 'isspace'
32 | #include <limits.h>
+++ |+#include <ctype.h>
33 |
arg_int.c:89:8: error: implicit declaration of function 'toupper' [-Wimplicit-function-declaration]
89 | if (toupper(*ptr++)!=toupper(X))
| ^~~~~~~
arg_int.c:89:8: note: include '<ctype.h>' or provide a declaration of 'toupper'
```
Both `isspace` and `toupper` are declared in the `ctype.h` header.
This build error started to happen with gcc-14.
The `ctype.h` include was added in a later upstream commit.
This patch adds that upstream commit and strip everything else to only
patch that include.
Fixes: https://autobuild.buildroot.org/results/d38/d38e3e12f52c3fde08ab446ca14a1a7bd65c9469//
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add comment about gcc-14]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switch to extlinux instead of built in U-Boot script.
Drop custom U-Boot fragment and genimage config.
Update U-Boot from 2024.01 to 2025.07. This new U-Boot now
requires BR2_TARGET_UBOOT_NEEDS_PYLIBFDT=y in the defconfig.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien:
- mention U-Boot bump in commit log
- add BR2_TARGET_UBOOT_NEEDS_PYLIBFDT=y
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Adds support for BeagleY-AI board by introducing the
beagley_ai_defconfig file and related support files.
The BeagleY-AI uses the TI J722S SoC, also known as AM67A, also
known as TDA4VEN or TDA4AEN.
Retrieve BSP settings from meta-ti (may be useful for other TI boards):
- Set BR2_TARGET_ARM_TRUSTED_FIRMWARE_TARGET_BOARD = "lite"
meta-ti-bsp/conf/machine/include/j722s.inc:TFA_BOARD = "lite"
- Set BR2_TARGET_UBOOT_NEEDS_ATF_BL31 to provide BL31 variable pointing
to ATF bl31.bin to the U-Boot build process [1].
- Set BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE to OP-TEE as BL32
secure payload. meta-ti set "SPD=opteed" to build ATF [2].
- Set BR2_TARGET_OPTEE_OS_PLATFORM to "k3-am62x".
meta-ti uses the OPTEEMACHINE to set optee-os platform [3].
meta-ti]$ git grep OPTEEMACHINE
meta-ti-bsp/conf/machine/include/j722s.inc:OPTEEMACHINE = "k3-am62x"
- Use am67a_beagley_ai_a53 and am67a_beagley_ai_r5 u-boot
defconfigs introduced in u-boot v2025.07 [4]
- u-boot distroboot (bootflow) detect extlinux.conf file from the first
SDcard partition, so we have to install the kernel and its dtb file.
Use devicetreedir instead of devicetree in extlinux.conf file to
avoid hardcoding the devicetree file name. TI boards are able to
retrieve dtb file name from an EEPROM (see TI_I2C_BOARD_DETECT in
uboot).
- Use 6.15.6 stable release instead of the latest 6.12 LTS since the
k3-j722s support was only introduced in 6.11 kernels.
- Provide a hash file for all custom package version
(arm-trusted-firmware, linux, ti-k3-r5-loader, uboot) to enable
BR2_DOWNLOAD_FORCE_CHECK_HASHES.
[1] https://git.yoctoproject.org/meta-ti/commit/?id=e74b9a1746d4d04757c87c1920a0f743e55ff096
[2] https://git.yoctoproject.org/meta-ti/tree/meta-ti-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-ti.inc?h=09.02.00.004#n7
[3] https://git.yoctoproject.org/meta-arm/tree/meta-arm/recipes-security/optee/optee-os.inc?h=4.0.3#n23
[4] b27c94958b
More information about the board can be found at:
https://www.beagleboard.org/boards/beagley-ai
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.23-ti-arm32-r11 and
U-Boot to version 2025.07.
Tested on beaglebone black.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps:
- U-Boot to version v2025.07
- Linux kernel to version 6.12.36 (LTS)
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Reviewed-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Adding _GNU_SOURCE to CFLAGS was necessary to fix the following error
raised during the compilation of the new version:
ufs_emon.c: In function ‘do_emon’:
ufs_emon.c:455:51: error: ‘O_DIRECT’ undeclared (first use in this function); did you mean ‘O_DIRECTORY’?
455 | fill_data_fd = open("fill_file", O_RDWR | O_DIRECT | O_CREAT,
| ^~~~~~~~
| O_DIRECTORY
ufs_emon.c:455:51: note: each undeclared identifier is reported only once for each function it appears in
This _GNU_SOURCE define was added upstream in commit [1] in the Makefile
default CFLAGS, but since Buildroot redefines those it needs to be added
back.
Release notes:
https://github.com/SanDisk-Open-Source/ufs-utils/releases/tag/v7.14.11
[1] 183e0deb28
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
[Julien: add link to upstream commit to justify _GNU_SOURCE]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This brings the init script in line with current standards, including
PID file management.
The chown & chmod commands in the check_device function will run only
for systems without udev, and the permissions have been adjusted to
those udev would set.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Default policies should go to /usr/share, /etc should be used to
override them locally if needed.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Read the announcement: https://lwn.net/ml/all/xmqq5xg2wrd1.fsf@gitster.g/
This fixes the following vulnerabilities:
- CVE-2025-27613 (Gitk):
When a user clones an untrusted repository and runs Gitk without
additional command arguments, any writable file can be created and
truncated. The option "Support per-file encoding" must have been
enabled. The operation "Show origin of this line" is affected as
well, regardless of the option being enabled or not.
https://www.cve.org/CVERecord?id=CVE-2025-27613
- CVE-2025-27614 (Gitk):
A Git repository can be crafted in such a way that a user who has
cloned the repository can be tricked into running any script
supplied by the attacker by invoking `gitk filename`, where
`filename` has a particular structure.
https://www.cve.org/CVERecord?id=CVE-2025-27614
- CVE-2025-46835 (Git GUI):
When a user clones an untrusted repository and is tricked into
editing a file located in a maliciously named directory in the
repository, then Git GUI can create and overwrite any writable
file.
https://www.cve.org/CVERecord?id=CVE-2025-46835
- CVE-2025-48384:
When reading a config value, Git strips any trailing carriage
return and line feed (CRLF). When writing a config entry, values
with a trailing CR are not quoted, causing the CR to be lost when
the config is later read. When initializing a submodule, if the
submodule path contains a trailing CR, the altered path is read
resulting in the submodule being checked out to an incorrect
location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed
after checkout.
https://www.cve.org/CVERecord?id=CVE-2025-48384
- CVE-2025-48385:
When cloning a repository Git knows to optionally fetch a bundle
advertised by the remote server, which allows the server-side to
offload parts of the clone to a CDN. The Git client does not
perform sufficient validation of the advertised bundles, which
allows the remote side to perform protocol injection.
This protocol injection can cause the client to write the fetched
bundle to a location controlled by the adversary. The fetched
content is fully controlled by the server, which can in the worst
case lead to arbitrary code execution.
https://www.cve.org/CVERecord?id=CVE-2025-48385
- CVE-2025-48386:
The wincred credential helper uses a static buffer (`target`) as a
unique key for storing and comparing against internal storage. This
credential helper does not properly bounds check the available
space remaining in the buffer before appending to it with
`wcsncat()`, leading to potential buffer overflows.
https://www.cve.org/CVERecord?id=CVE-2025-48386
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
See the release notes:
- https://github.com/irontec/sngrep/releases/tag/v1.7.0
- https://github.com/irontec/sngrep/releases/tag/v1.8.0
- https://github.com/irontec/sngrep/releases/tag/v1.8.1
- https://github.com/irontec/sngrep/releases/tag/v1.8.2
This fixes the following vulnerabilities:
- CVE-2024-3119:
A buffer overflow vulnerability exists in all versions of sngrep since
v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID' SIP
headers. The functions sip_get_callid and sip_get_xcallid in sip.c use
the strncpy function to copy header contents into fixed-size buffers
without checking the data length. This flaw allows remote attackers to
execute arbitrary code or cause a denial of service (DoS) through
specially crafted SIP messages.
https://www.cve.org/CVERecord?id=CVE-2024-3119
- CVE-2024-3120:
A stack-buffer overflow vulnerability exists in all versions of sngrep
since v1.4.1. The flaw is due to inadequate bounds checking when
copying 'Content-Length' and 'Warning' headers into fixed-size buffers
in the sip_validate_packet and sip_parse_extra_headers functions
within src/sip.c. This vulnerability allows remote attackers to
execute arbitrary code or cause a denial of service (DoS) via crafted
SIP messages.
https://www.cve.org/CVERecord?id=CVE-2024-3120
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the version bump of sudo to 1.9.17p1 [1], the sed command in
SUDO_ENABLE_SUDO_GROUP_RULE no longer matches the the line in the
example sudoers file shipped with the sudo package. This is due to
upstream commit [2].
This commit fixes the regexp to match the new sudoers file.
[1] ee86844e63
[2] 7c121ff834
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add link to upstream commit introducing the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the mbedtls bump to v3.6 [1] the libiec61850 package is failling
on the autobuilder with the following error:
```
[ 2%] Building C object hal/CMakeFiles/hal.dir/tls/mbedtls/tls_mbedtls.c.o
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c: In function 'compareCertificates':
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c:122:17: error: 'mbedtls_x509_crt' has no member named 'sig'
122 | if (crt1->sig.len == crt2->sig.len)
| ^~
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c:122:34: error: 'mbedtls_x509_crt' has no member named 'sig'
122 | if (crt1->sig.len == crt2->sig.len)
| ^~
...
```
The logic to support mbedtls v3 is already present on the version
present in buildroot.
This patch ensures that the CMake build uses the mbedtls headers and
libraries provided by buildroot rather than the bundled copy.
By setting the following variable the mbedtls v3.6 is correctly found
during the configuration of the package.
```
Found mbedtls 3.6 -> can compile HAL with TLS 1.3 support
```
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
Fixes: https://autobuild.buildroot.org/results/5fc/5fca384510d2fb9dd1d01736dee34b53339d62ff/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since [1] when trying to build this package with mbedtls v3.6 the
following error is happening:
```
player.h:12:10: fatal error: mbedtls/havege.h: No such file or directory
12 | #include <mbedtls/havege.h>
| ^~~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_SHAIRPORT_SYNC=y
EOF
make olddefconfig
make
```
This patch backport the upstream commit [2] that add support for
mbedtls v3.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] d73b585c6f
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the mbedtls bump to v3.6 [1] the ustream-ssl package is failling
on the autobuilder with the following error:
```
In file included from /home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-internal.h:25,
from /home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-ssl.c:25:
/home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-mbedtls.h:24:10: fatal error: mbedtls/certs.h: No such file or directory
24 | #include <mbedtls/certs.h>
| ^~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_USTREAM_SSL=y
EOF
make olddefconfig
make
```
This patch backport upstream commit that address the compatibility with
mbedtls v3.6.
- [2] rename the `_random` function used by the mbedtls functions
- [3] update `mbedtls_pk_parse_keyfile` function to support new mbedtls
definition and use `mbedtls_pk_get_type`.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 0001-ustream-mbedtls-use-getrandom-instead-of-dev-urandom.patch
[3] 0002-ustream-mbedtls-add-compatibility-with-mbed-tls-3-0-0.patch
Fixes: https://autobuild.buildroot.org/results/c20/c20dac7cbe5def2c6036d2e1d06de0bfea68b57c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Xen currently fails to build for 32-bit Arm v7 with binutils >= 2.41,
with the following error:
proc-v7.S:33: Error: junk at end of line, first unrecognized character is `#'
The failure can be reproduced with the commands:
cat >.config <<EOF
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_ARM_EABIHF=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_XEN=y
BR2_PACKAGE_XEN_HYPERVISOR=y
BR2_PACKAGE_XEN_TOOLS=y
EOF
make olddefconfig
make xen
Backport a patch from Xen 4.18 plus one patch it depends on to fix the
build.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
[Julien:
- reword commit title
- add commands to reproduce the issue in commit log
- add missing SoB lines to patches
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 1e97b27873 ("ccache: support changing the output directory") added
the CCACHE_BASEDIR logic, but added a comment (presumably from cut'n'paste)
about compilercheck instead, fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switch to meson build system.
Remove an upstreamed patch.
The license files are now gathered in the LICENSES folder.
Add support for the libsocketcan library.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Julien:
- use "git describe --tags" format in commit title
- use "git describe --tags --abbrev=40" in _VERSION
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The error appears on autobuilder with the build using GCC14:
FAILED: ncmpc.p/src_Styles.cxx.o
In file included from ../src/Styles.cxx:7:
/home/buildroot/instance-0/output-1/host/microblazeel-buildroot-linux-gnu/sysroot/usr/include/libintl.h:39:14: error: expected unqualified-id before 'const'
39 | extern char *gettext (const char *__msgid)
| ^~~~~~~
/home/buildroot/instance-0/output-1/host/microblazeel-buildroot-linux-gnu/sysroot/usr/include/libintl.h:39:14: error: expected ')' before 'const'
../src/i18n.h:22:20: note: to match this '('
22 | #define gettext(x) (x)
| ^
[80/102] Compiling C++ object ncmpc.p/src_xterm_title.cxx.o
[81/102] Compiling C++ object ncmpc.p/src_db_completion.cxx.o
[82/102] Compiling C++ object ncmpc.p/src_signals.cxx.o
ninja: build stopped: subcommand failed.
make: *** [package/pkg-generic.mk:273: /home/buildroot/instance-0/output-1/build/ncmpc-0.49/.stamp_built] Error 1
make: Leaving directory '/home/buildroot/instance-0/buildroot'
Starting GCC14 the C++ standard library includes libintl.h that contains
a definition of gettext which caused a clash with the definition present
in ncmpc. This patch resolved this build error seen in [1] by
backporting an upstream commit [2] that renamed the internal gettext
implementation.
Applying the commits of [2], fixes the build error [1].
[1] https://autobuild.buildroot.org/results/cb2/cb292f2c99cdca742a8f52dbfc25f193fe513c6e/build-end.log
[2] 249b62fc9f
Fixes: https://autobuild.buildroot.org/results/cb2/cb292f2c99cdca742a8f52dbfc25f193fe513c6e/build-end.log
Signed-off-by: Tim Soubry <tim.soubry@mind.be>
[Julien:
- mention gcc-14 in commit title
- remove patch numbering to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
With gcc 15-20241117 compile fails with the below error, update the
do_version declaration to match the header in command.h
../../parted/parted.c: In function '_init_commands':
../../parted/parted.c:2469:9: error: passing argument 2 of 'command_create' from incompatible pointer type [-Wincompatible-pointer-types]
2469 | do_version,
| ^~~~~~~~~~
| |
| int (*)(void)
In file included from ../../parted/parted.c:28:
../../parted/command.h:35:39: note: expected 'int (*)(PedDevice **, PedDisk **)' {aka 'int (*)(struct _PedDevice **, struct _PedDisk **)'} but argument is of type 'int (*)(void)'
35 | int (*method) (PedDevice** dev, PedDisk** diskp),
| ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Upstream: https://cgit.git.savannah.gnu.org/cgit/parted.git/commit/?id=16343bda6ce0d41edf43f8dac368db3bbb63d271
Fixes:
https://autobuild.buildroot.org/results/283f52d50ffef91d82a1bdc1f4dde1d54c5ffc23/build-end.log
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since upstream commit [1], first included in version 1.6.0,
libunwind supports 64-bit riscv, at least with glibc.
[1] abd15da8af
Signed-off-by: Vladimir Kondratiev <vladimir.kondratiev@mobileye.com>
[Julien: add link to upstream commit and fix version in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This is just a minor upgrade for fixed deprecation warning
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
[Julien: fix hash file spacing to resolve check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the mbedtls bump to v3.6 [1] the libuhttpd fails to build with the
following error:
```
[ 8%] Building C object src/ssl/CMakeFiles/xssl.dir/mbedtls.c.o
.../buildroot/output/build/libuhttpd-3.14.1/src/ssl/mbedtls.c:52:10: fatal error: mbedtls/certs.h: No such file or directory
52 | #include <mbedtls/certs.h>
| ^~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_LIBUHTTPD=y
EOF
make olddefconfig
make
```
The compatibility with mbedtls v3 has been addressed upstream in the
zhaojh329/ssl project included as a submodule of libuhttpd [2].
This patch backport this upstream commit to be applied on the submodule
directory. This required adaptation of the line numbers (see [3]) and
renaming a function reference passed as parameter of
'mbedtls_pk_parse_keyfile' caused by the commit [4].
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 28cc9b5d98
[3] 8092b5a490 (diff-fbc46fa2db83f8649ccf1f46c6a044473b7b228edc7d4c0f7cc04b5a879f6fb7)
[4] 0e7d2f73d7 (diff-fbc46fa2db83f8649ccf1f46c6a044473b7b228edc7d4c0f7cc04b5a879f6fb7R92)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
nilfs-utils provides an "nilfs.h" header file and libnilfs.so that other
packages which depend upon it may require in order to build.
Signed-off-by: Matt Silva <dev@matt-silva.com>
[Romain: add libnilfs.so in commit log]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Building at91bootstrap3 with GCC 15 fails with:
include/types.h:23:23: error: ‘bool’ cannot be defined via ‘typedef’
23 | typedef unsigned char bool;
| ^~~~
include/types.h:23:23: note: ‘bool’ is a keyword with ‘-std=c23’ onwards
This is due to GCC 15 defaulting to the C23 language dialect.
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
It is a portable Python 3.x interpreter, written in C11. It has no
dependencies other than the C standard library, which can be easily
integrated into your C/C++ project
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
LoongArch64 emulation system / user emulation is supported
by QEMU.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
LoongArch64 OVMF target is introduced to EDK2 in edk2-202408.
Enable architecture support here.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Introduce bread new loongarch64-efi board, with skeleton
from aarch64-efi board.
It corverd most LoongArch64 systems.
Linux 6.12, as the most recent LTS kernel, was chosen
to ensure proper architecture support is included.
This board config is validated on my Lemote A2101
Loongson 3A5000 board.
A developer entry is created for myself for future contacts
as well.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
loongarch64-efi target presents in GRUB can be utilised
by any EFI compatible LoongArch64 machine to boot kernel.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
vmlinux.efi and vmlinuz.efi are standard file names for LoongArch
EFISTUB kernel.
Introduce them to build system.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Glibc introduced LoongArch64 support in 2.36, it requires kernel
5.19 to build.
Unselect BR2_ARCH_HAS_NO_TOOLCHAIN_BUILDROOT to reflect we can
build the toolchain.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Introduce LoongArch64 at architecture level.
Config.in.loongarch is prepared for possible loongarch32
enablement in future, thus BR2_ARCH_IS_64 is being depended
by some 64bit only options.
Internal toolchain is supported, as our minimal binutils
version is already beyond LoongArch minimal version and
GCC option is limited by BR2_ARCH_NEEDS_GCC_AT_LEAST_12.
BR2_ARCH_HAS_NO_TOOLCHAIN_BUILDROOT is selected temporary
and it's going to be rmoved after we gain libc support.
Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
[Julien: fix typo in Kconfig BR2_LOONGARCH_ABI_LP64S prompt
replace "lp64d" by "lp64s"]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the mbedtls bump to v3.6 [1] the bmx7 package is failling on the
autobuilder:
```
/workdir/instance-0/output-1/host/bin/xtensa-buildroot-linux-uclibc-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -mlongcalls -mauto-litpools -Os -g3 -pedantic -W -Wall -Wstrict-prototypes -Wno-unused-parameter -Os -g3 -std=gnu99 -DGIT_REV=\"0\" -DAVL_5XLINKED -DDEBUG_MALLOC -DCORE_LIMIT=20000 -pedantic -W -Wall -Wstrict-prototypes -Wno-unused-parameter -Os -g3 -std=gnu99 -DGIT_REV=\"0\" -DAVL_5XLINKED -DDEBUG_MALLOC -DCORE_LIMIT=20000 -c crypt.c -o crypt.o
crypt.c:66:10: fatal error: mbedtls/compat-1.3.h: No such file or directory
66 | #include "mbedtls/compat-1.3.h"
| ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
```
This patch includes a set of upstream patches that address the
compatibility with the v3.6 of mbedtls.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
Fixes: https://autobuild.buildroot.org/results/b77/b776e34d1c5bc3904ea7138bd6c4ac17a1f0fd34/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the mbedtls bump to v3.6 [1] the shadowsocks-libev package is
failling on the autobuilder:
```
checking for mbedtls_cipher_setup in -lmbedcrypto... yes
checking whether mbedtls supports Cipher Feedback mode or not... configure: error: MBEDTLS_CIPHER_MODE_CFB required
make: *** [package/pkg-generic.mk:263: /workdir/instance-0/output-1/build/shadowsocks-libev-3.3.5/.stamp_configured] Error 1
make: Leaving directory '/workdir/instance-0/buildroot'
```
This is due to the breaking changes in the mbedtls API with the version
bump.
This patch adds the upstream patch [2] that address this issue by verifying
conditionally the version of mbedtls we are running on to make the API
calls and includes.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 9afa3cacf9#
Fixes: https://autobuild.buildroot.org/results/070/070581d95f2739cee3b4cb8252639dd92b5a8421
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When SIGINT is issued for a package test run, it will abort the active
toolchain run then proceed to the next. If a user is running the entire
default toolchain set (`-a`), they can be required to invoke SIGINT
multiple times to stop a run.
This commit uses a SIGINT hook to flag a shutdown state and stop further
attempts to run anymore toolchain tests.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When running check-package before completing commits for a change, if
any files are setup for removal, check-package will throw
FileNotFoundError exceptions instead of generating a warning state. For
example:
$ utils/docker-run make check-package
Traceback (most recent call last):
...
FileNotFoundError: [Errno 2] No such file or directory: 'package/.../0001-some-removed-patch.patch'
make: *** [Makefile:1264: check-package] Error 1
This commit will now catch FileNotFoundError and populate a warning
message:
$ utils/docker-run make check-package
package/.../0001-some-removed-patch.patch: missing; unstaged file removal?
package/.../0002-another-removed-patch.patch: missing; unstaged file removal?
427843 lines processed
3 warnings generated
make: *** [Makefile:1264: check-package] Error 1
Signed-off-by: James Knight <git@jdknight.me>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Import all security patches from OpenEmbedded for libsoup.
This fixes the following 18 known vulnerabilities:
- CVE-2024-52530:
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some
configurations because '\0' characters at the end of header names are
ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the
same as a "Transfer-Encoding: chunked" header.
https://www.cve.org/CVERecord?id=CVE-2024-52530
- CVE-2024-52531:
GNOME libsoup before 3.6.1 allows a buffer overflow in applications that
perform conversion to UTF-8 in soup_header_parse_param_list_strict.
There is a plausible way to reach this remotely via
soup_message_headers_get_content_type (e.g., an application may want to
retrieve the content type of a request or response).
https://www.cve.org/CVERecord?id=CVE-2024-52531
- CVE-2024-52532:
GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption.
During the reading of certain patterns of WebSocket data from clients.
https://www.cve.org/CVERecord?id=CVE-2024-52532
- CVE-2025-2784:
Libsoup: heap buffer over-read in `skip_insignificant_space`
when sniffing content
https://www.cve.org/CVERecord?id=CVE-2025-2784
- CVE-2025-4476:
Libsoup: null pointer dereference in libsoup may lead to denial of service
https://www.cve.org/CVERecord?id=CVE-2025-4476
- CVE-2025-4948:
Libsoup: integer underflow in soup_multipart_new_from_message() leading to
denial of service in libsoup
https://www.cve.org/CVERecord?id=CVE-2025-4948
- CVE-2025-4969:
Libsoup: off-by-one out-of-bounds read in find_boundary() in soup-multipart.c
https://www.cve.org/CVERecord?id=CVE-2025-4969
- CVE-2025-32050:
Libsoup: integer overflow in append_param_quoted
https://www.cve.org/CVERecord?id=CVE-2025-32050
- CVE-2025-32052:
Libsoup: heap buffer overflow in sniff_unknown()
https://www.cve.org/CVERecord?id=CVE-2025-32052
- CVE-2025-32053:
Libsoup: heap buffer overflows in sniff_feed_or_html() and
skip_insignificant_space()
https://www.cve.org/CVERecord?id=CVE-2025-32053
- CVE-2025-32906:
Libsoup: out of bounds reads in soup_headers_parse_request()
https://www.cve.org/CVERecord?id=CVE-2025-32906
- CVE-2025-32910:
Libsoup: null pointer deference on libsoup via /auth/soup-auth-digest.c
through "soup_auth_digest_authenticate" on client when server omits the
"realm" parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32910
- CVE-2025-32911:
Libsoup: double free on soup_message_headers_get_content_disposition()
through "soup-message-headers.c" via "params" ghashtable value
https://www.cve.org/CVERecord?id=CVE-2025-32911
- CVE-2025-32912:
Libsoup: null pointer dereference in client when server omits the "nonce"
parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32912
- CVE-2025-32913:
Libsoup: null pointer dereference in
soup_message_headers_get_content_disposition when "filename" parameter is
present, but has no value in content-disposition header
https://www.cve.org/CVERecord?id=CVE-2025-32913
- CVE-2025-32914:
Libsoup: oob read on libsoup through function
"soup_multipart_new_from_message" in soup-multipart.c leads to crash or
exit of process
https://www.cve.org/CVERecord?id=CVE-2025-32914
- CVE-2025-46420:
Libsoup: memory leak on soup_header_parse_quality_list() via soup-headers.c
https://www.cve.org/CVERecord?id=CVE-2025-46420
- CVE-2025-46421:
Libsoup: information disclosure may leads libsoup client sends authorization
header to a different host when being redirected by a server
https://www.cve.org/CVERecord?id=CVE-2025-46421
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fix the patch message so that it includes the "Upstream:" tag expected by
check-package, and remove this file from the check-package ignore list.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] introduced a patch addressing CVE-2021-23159. Since then,
CVE-2023-34432 ([2]) remained the only unresolved CVE reported
against the sox package in pkg-stat. This patch adds CVE-2023-34432
to the list of ignored CVEs for sox, based on the report from the
Debian Security Tracker ([3]) and the sox issue tracker ([4]), both
indicate that the patch introduced in [1] also resolves this CVE.
[1] 14aa0f5ec1 package/sox: add fix for CVE-2021-23159, CVE-2021-23172, CVE-2023-34318
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-34432
[3] https://security-tracker.debian.org/tracker/CVE-2023-34432
[4] https://sourceforge.net/p/sox/bugs/367/
Signed-off-by: Tim Soubry <tim.soubry@mind.be>
[Julien: change commit ref [1] to use commit id from master branch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The following error appeared on the autobuilder for host using
host-gcc15:
```
p11_attr.c: In function 'pkcs11_addattr_bool':
p11_attr.c:126:25: error: expected identifier or '(' before 'true'
126 | static CK_BBOOL true = CK_TRUE;
| ^~~~
p11_attr.c:127:25: error: expected identifier or '(' before 'false'
127 | static CK_BBOOL false = CK_FALSE;
| ^~~~~
p11_attr.c:128:44: error: lvalue required as unary '&' operand
128 | pkcs11_addattr(tmpl, type, value ? &true : &false, sizeof(CK_BBOOL));
| ^
p11_attr.c:128:52: error: lvalue required as unary '&' operand
128 | pkcs11_addattr(tmpl, type, value ? &true : &false, sizeof(CK_BBOOL));
| ^
make[3]: *** [Makefile:646: libp11_la-p11_attr.lo] Error 1
```
This is due to the change in the default C language version in GCC15.
This patch backport the upstream patch that fix that issue by not using
the keywords.
Fixes: https://autobuild.buildroot.org/results/da7/da71db9b04f181b9d2e72df73ac8541709f5a1d4
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This gives a proper cpe-id string to the tailscale buildroot package
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerabilities:
- CVE-2023-4256:
Within tcpreplay's tcprewrite, a double free vulnerability has been
identified in the tcpedit_dlt_cleanup() function within
plugins/dlt_plugins.c. This vulnerability can be exploited by
supplying a specifically crafted file to the tcprewrite binary. This
flaw enables a local attacker to initiate a Denial of Service (DoS)
attack.
https://www.cve.org/CVERecord?id=CVE-2023-4256
- CVE-2023-43279:
Null Pointer Dereference in mask_cidr6 component at cidr.c in
Tcpreplay 4.4.4 allows attackers to crash the application via crafted
tcprewrite command.
https://www.cve.org/CVERecord?id=CVE-2023-43279
- CVE-2024-22654:
tcpreplay v4.4.4 was discovered to contain an infinite loop via the
tcprewrite function at get.c.
https://www.cve.org/CVERecord?id=CVE-2024-22654
See the release notes:
https://github.com/appneta/tcpreplay/releases/tag/v4.5.1
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The website URL was outdated, resulting in an HTTP error 403 Forbidden
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bump includes 23 minor or patch-level releases, mostly containing
bugfixes, and improvements on many filesystem backends and translations.
Specifically for the Buildroot package:
- Switch from libsoup (v2) to libsoup3, since gvfs v1.49.90
- Drop patch applied upstream
- Explicitely disable goa (gnome-online-accounts) which is enabled by default
in meson_options.txt
See the upstream changelog:
https://gitlab.gnome.org/GNOME/gvfs/-/blob/1.57.2/NEWS
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: remove .checkpackageignore entry to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The build complains about these being unused so drop them.
LLVM_ENABLE_TERMINFO option is removed since llvm 19.1.0 [1]
[1] 852aaf5407
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
[Romain: add upstream commit link]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This is a small bugfix release, mainly containing event handling fixes
for Wayland, and the possibility to explicitly configure the gamepad
support at build time.
Release notes:
https://wpewebkit.org/release/cog-0.18.5.html
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release note, see:
https://www.sudo.ws/releases/stable/#1.9.17p1
Fixes the following security issues:
- CVE-2025-32462: Sudo before 1.9.17p1, when used with a sudoers file that
specifies a host that is neither the current host nor ALL, allows listed
users to execute commands on unintended machines (since sudo 1.8.8)
https://www.sudo.ws/security/advisories/host_any/
- CVE-2025-32463: Sudo before 1.9.17p1 allows local users to obtain root
access because /etc/nsswitch.conf from a user-controlled directory is used
with the --chroot option (since sudo 1.9.4)
https://www.sudo.ws/security/advisories/chroot_bug/
Update the LICENSE.md hash for a change in copyright years:
30729312c2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add link to release note in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The BR2_ARCH_NEEDS_GCC_AT_LEAST_X guards were added in commit [1]
for toolchain-external-custom gcc versions from 4.8 to 12. No guard
was added for gcc 13 because is was the latest version at that time
(and the symbol BR2_ARCH_NEEDS_GCC_AT_LEAST_14 was not available
at that time).
Then, commit [2] and [3] added gcc 14 and 15 without adding
guards.
In order to prevent a Buildroot user selecting an external custom
toolchain that does not support a selected CPU, this commit adds all
the missing guards.
[1] eed1670d8a
[2] 7fa12e4f9e
[3] 5f1a38a41f
Reported-by: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
This logic is to prepare for future gcc versions and their new
supported CPUs. As of today, gcc 15 is the latest gcc version
and all architectures and CPUs in Buildroot are supported by
this version.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
gcc 15 was introduced in Buildroot in commit [1].
In Buildroot, a user creates a build configuration in Kconfig
menus by selecting the CPU architecture and CPU first, then
a toolchain that support this CPU, then packages and system
configuration.
To make sure those Kconfig menus and choices behave correctly in that
order, we use a logic in which a CPU selects the Kconfig symbol
BR2_ARCH_NEEDS_GCC_AT_LEAST_N (with N being the needed gcc version).
Then, to make sure unsupported gcc version are hidden for a selected
CPU, a gcc version N has in fact a "depends on
!BR2_ARCH_NEEDS_GCC_AT_LEAST_(N+1)". For example, Cortex-A710 needs
at least gcc 12. See [2] and [3].
This means that when we introduce the latest gcc version with this
logic in place, we already need this BR2_ARCH_NEEDS_GCC_AT_LEAST_(N+1)
symbol defined. Doing so is desirable to avoid forgetting to add it
later. See for example commit [4], adding those missing dependencies
for gcc 13 and 14.
Since in Buildroot we currently keep 3 actively maintained gcc
versions, adding a new gcc version N in Buildroot should:
- add the BR2_ARCH_NEEDS_GCC_AT_LEAST_(N+1) symbol
- add package/gcc N
- switch the default gcc from N-2 to N-1
- drop package/gcc N-3
Then, once this new gcc N is added, new CPUs supported by that version
can be introduced, by selecting BR2_ARCH_NEEDS_GCC_AT_LEAST_N.
All this logic will be ready for future gcc versions. This was also
described in commit log [5].
This commit simply adds the BR2_ARCH_NEEDS_GCC_AT_LEAST_16 symbol.
It is worth mentioning that, at the time of this commit, gcc 16 is not
released yet. This release number 16 is already known, though. See [6].
For reference, this was discussed in [7].
[1] 75891397ab
[2] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.05/arch/Config.in.arm#L514
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.05/package/gcc/Config.in.host#L27
[4] 6f231d3003
[5] eab17d763c
[6] https://gcc.gnu.org/gcc-16/changes.html
[7] https://lore.kernel.org/buildroot/877c0v1sn1.fsf@dell.be.48ers.dk/T/#m45688e25632401029e4c0d989072e1d3e1a59854
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The daq package fails to build with GCC14 toolchains:
```
daq_nfq.c: In function 'SetPktHdr':
daq_nfq.c:395:37: error: passing argument 2 of 'nfq_get_payload' from incompatible pointer type [-Wincompatible-pointer-types]
395 | int len = nfq_get_payload(nfad, (char**)pkt);
| ^~~~~~~~~~~
| |
| char **
```
The issue can be reproduced with the following config:
```
cat > daq.config <<EOF
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_DAQ=y
BR2_PACKAGE_LIBDNET=y
BR2_PACKAGE_LIBNETFILTER_QUEUE=y
EOF
```
This patch port a patch taken from openembedded meta-networking [1] and
is tested with test-pkg:
```
$ ./utils/test-pkg -c daq.config -p daq
```
[1] https://layers.openembedded.org/layerindex/recipe/37594/
Fixes: https://autobuild.buildroot.org/results/c69/c69ab134463a18eec65ded836aecf89a5cb4a75c/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] backported an upstream patch to address CVE-2025-46836 that
included a regression.
Upstream later fixed this regression in commit [2].
This patch add that fix to correct the issue introduced by the original
patch.
[1] 323aaa9f54 package/net-tools: add upstream security fix for CVE-2025-46836
[2] ddb0e375fb/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release note, see:
https://github.com/urllib3/urllib3/releases/tag/2.5.0
This fixes the following vulnerabilities:
- CVE-2025-50181:
urllib3 redirects are not disabled when retries are disabled on
PoolManager instantiation
- CVE-2025-50182:
urllib3 does not control redirects in browsers and Node.js
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to release note in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following vulnerability:
- CVE-2023-34194:
StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML
through 2.6.2 has a reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Jose-13 fixed the following security issue:
- CVE-2023-50967: latchset jose through version 11 allows attackers to cause
a denial of service (CPU consumption) via a large p2c (aka PBES2 Count)
value.
https://github.com/latchset/jose/issues/151
In addition, jose-14 worked around another DoS issue related to
decompression:
https://github.com/latchset/jose/pull/157
Drop now upstreamed patches:
- 0001-lib-hsh.c-rename-hsh-local-variable.patch: Upstream as of
3d5b287243
- 0002-man-add-option-to-skip-building-man-pages.patch: Upstream after
getting reworked to use -Ddocs=disabled as of
786b426df0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: remove .checkpackageignore entries to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The syslinux runtime test (which is in fact a build-only test) ensures
that syslinux does get build at least once a week (via the gitlab-CI
weekly pipeline). Runtime testing would need much more work, though, but
nothing in syslinux is currently runtime tested anyway.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The following error occurs on the autobuilder for builds with musl
libc.
```
CC util/bitmap.o
In file included from include/linux/bitmap.h:7,
from util/bitmap.c:9:
include/linux/bitops.h:4:10: fatal error: bits/wordsize.h: No such file or directory
4 | #include <bits/wordsize.h>
| ^~~~~~~~~~~~~~~~~
```
The error occurs because bits/wordsize.h is specific to glibc.
This patch applies an upstream fix that replaces the use of __WORDSIZE
with an internal macro, making the code portable across different libc.
Fixes: https://autobuild.buildroot.org/results/30d/30d6e407e6a0fc7d85062c2d56008755c70ca733/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 0.192 release of elfutils introduced the src/srcfiles.cxx program,
that lists all source files of a given ELF binary. As this is a C++
program, we need a toolchain that supports it.
Without it, the build system tries to use "no" as the CXX compiler,
resulting in the following errors :
/bin/sh: line 1: no: command not found
as can be seen here for example :
https://autobuild.buildroot.net/results/849/849221c794a469a423857a290db775d150b84900
Add a dependency to a CPP toolchain for the elfutils programs.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The elfutils programs require Glibc to be used as the C library. Show a
comment when this libc isn't used in the toolchain.
Suggested-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This package provides a reference, functional implementation of a
registry for distributing container images. Formerly the Docker
registry, it now also handles OCI images, so can be used to distribute
all kinds of container related images: classic Docker images, OCI
images, but also helms [0] and the likes, which are also packages as OCI
images in fact.
The upstream name of the package is just "distribution" [1], but this is
a bit too generic and unsearchable; distributions like Debian and Ubuntu
traditionally provides it as the "docker-registry" package, but this is
now misleading as it is not just for Docker anymore. So we decided to
name it "distribution-registry": it contains the upstream name and will
be searchable with the 'registry' part as well.
The built executable is named "registry", which is also a bit too
generic. Again, for the same reasons as above, we name it
"distribution-registry"; this also incidentally makes our golang-package
infra "just work" and do the right thing when it installs the package.
The upstream package provides a wrapper Makefile to build the package,
but it does not do more than our infra already does; the only little nit
is that it allows updating the version file (with git infra et al.). We
can just ignore that and update the version ourselves.
We also provide a minimalist configuration file: it exposes the registry
to localhost only, as a security measure. This file will have to be
overridden (e.g. in a rootfs-overlay) with proper authentication, and
with further locally meaningful setup anyway.
Finally, we also implement a run-time test that validates that we can
push and pull images to/from the registry. Since the registry is a big
go package, it takes time to start, so wait for it a little bit (and yet
a little bit more after it starts logging), and increase the timeouts
for commands that deal with the registry.
For this simple test, the registry is directly exposed with plain HTTP,
not HTTPS, so we must declare it as insecure, so that container tools
can reach it without custom options (e.g. without using skopeo's
--{src,dest}-tls-verify=false options).
We re-use skopeo to talk to the registry. This allows us to grab an
image from the Docker hub registry, and push it to our local registry,
then retrieve it back. Since we want to diffferentiate failures to grab
the image from the Docker Hub [2], from failures to push to our
registry, we do it in two steps: copy from Docker Hub to a local OCI
image, then push that to our registry.
Since both distribution-registry and skopeo are big go-based, statically
linked binaries, running both in the standard virtual machine does not
work: the 256MiB emulated in vexpress are not enough and cause segfaults
when running both at once. The vexpress also only accepts at most
256MiB, so we must use another machine; we decided to use the same as is
used by the podman teest case, which allows at least 1Gib, which is now
enough.
[0] https://helm.sh/
[1] https://github.com/distribution/distribution
[2] in case we reach the 100-pulls-a-day limitation
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Christian Stewart <christian@aperture.us>
Signed-off-by: Julien Olivain <ju.o@free.fr>
... and extend the skopeo runtime test to make use of those.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The container/image repository is the standards regpository that drives
the image management in container tools, like podman or skopeo. Besides
a Go library, it also prodvides the template configuration files used
by those tools; those files can also serve as default ones.
Install those files instead of the canned ones we cary in podman, and
change podman to use this new package too.
The registry file needs a fixup, as it by default does not allow
searching unqualified images (i.e. those that do not contain a registry
name) in a default registry, for security reasons. However, the Docker
Hub is traditionally a registry that can be accessed without being
specified, so we make that possible.
As was noted in ebbaac08e3 (package/podman: new package), "[p]roviding
actual files is going to be use-case dependent, and interested parties
will have to provide their own config files, e.g. in a rootfs overlay."
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release note, see:
https://dev.gnupg.org/T7166
This version fixes a build error which can happen with 32-bit arm
configurations.
The issue can be reproduced with commands:
cat >.config <<EOF
BR2_arm=y
BR2_cortex_a8=y
BR2_ARM_INSTRUCTIONS_THUMB2=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_LIBGCRYPT=y
EOF
make olddefconfig
make libgcrypt
Build is failing with output:
ec-nist.c: In function '_gcry_mpi_ec_nist256_mod':
ec-inline.h:902:5: error: 'asm' operand has impossible constraints or there are not enough registers
902 | __asm__ ("subs %3, %7, %10\n" \
| ^~~~~~~
Details for this buggix: https://dev.gnupg.org/T7226
Signed-off-by: Bram Oosterhuis <dev@bybram.com>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
lpxelinux is like pxelinux, except it allows retrieving the files for
the kernel (with the KERNEL directive) and initrd (the path to initrd=
in the APPEND directive) from FTP or HTTP, rather than just from TFTP.
Using HTTP or FTP is musch faster than TFTP, so the boot time for big
kernels or big initrds is much shorter than with TFTP.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
[Julien: fix typo in commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
syslinux is... special. It is a target package, but it is installed in
HOST_DIR *in the target install commands*: in addition to the boot files
that run on the target, syslinux installs a set of host tools that are
to be used at build time (e.g. extlinux, to prepare bootable media, like
an iso96660 image). Then, from HOST_DIR, the actual boot files are
copied into BINARIES_DIR (i.e. images/); we do it that way because the
boot files are scattered about everywhere in the build tree, while they
are all packed together in a single directory once installed.
However, there is no dependency between the target and image install
steps. So, when using top-level parallel builds, there is no guarantee
that the target install commands are finished before the image install
commands are started.
We fix that by first installing into a temporary location, as part of
the build step, and by then copying from there as part of the install
step. This ensures that the boot files are easily available, without
needing a dependency on the target install step, that we can't express.
Note that we do not change the actual installation into HOST_DIR: it can
be set up differently that our temporary location, and we do not want
to duplicate that setup here (it's going to diverge over time).
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
At the moment, package stats indicates that libmpeg2 is affected by
https://nvd.nist.gov/vuln/detail/CVE-2022-37416
However, this CVE applies to a completely different piece of software,
that has the same name "libmpeg2" [1].
To avoid the confusion, let's add a proper CPE vendor to Buildroot's libmpeg2.
The library itself does not clearly identify any vendor name, and there isn't
any existing CPE on the NVD website. Since this library is not updated for
many years (maybe even before the introduction of the CPE system), but the
code is somehow related to the Videolan project, let's add this as the
vendor, which sould solve the matched CVE issue.
[1] https://github.com/ittiam-systems/libmpeg2
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: fix typo in commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When a new gcc version is introduced, for example gcc 15 in
commit [1], it should have also added a "depends on
!BR2_ARCH_NEEDS_GCC_AT_LEAST_15" to the previous gcc version.
This logic is described for external toolchains in commit [2],
for example. The internal Buildroot toolchains should have the
same logic. This logic existed for previous gcc version. See for
example the removal of gcc 12 in commit [3].
There is usually no problem, because all the three latest active gcc
versions supports all CPUs present in Buildroot.
However, the commit [4] recently added the support for the Arm
Cortex-A720 CPU, which needs at least gcc 14. Since there is no
logic preventing the selection of the gcc version, it is possible
to select an unsupported gcc version (i.e. gcc 13).
In such a case, the host-gcc-initial package configuration fails
with output:
Unknown cpu used in --with-cpu=cortex-a720
This commit fixes the issue by adding those missing dependencies.
Fixes:
https://autobuild.buildroot.org/results/918b90aee0b65f01efc241622015cb847b4e23a8/
[1] 75891397ab
[2] f577d8218f
[3] 58cf7c51da (66f7e875db173e5538d3511c8297acc1ba30da33_27_25)
[4] de374e06d8
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Strongswan allows to specify a path for PID and UNIX socket files at
compile time via the --with-piddir argument.
This is especially useful when Strongswan is running inside a container
where we may not want to share/mount the default path of /var/run inside
the container.
Let's add an option to configure the piddir.
Considering this is a critical path, let's add a default value to the
string option (which is currently the same as strongswan's default when
the option is missing) so that it is stable across strongswan releases
in Buildroot.
Signed-off-by: Martin Elshuber <martin.elshuber@theobroma-systems.com>
[Quentin: rewriting of commit title and commit log]
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
strongSwan allows to drop unneeded capabilities[1] after the IKE daemon
has been started, based on libcap, so let's allow that via a config
option.
While the "native" (capset) way of dropping capabilities is supported,
it is deprecated so its support is not added in Buildroot.
While the documentation specifically mentions the IKE daemon (charon) as
being the one impacted by this change, the ifdefery with this autotools
option exists in various libraries in the source code, hence why this is
kept independent from the charon Kconfig option status.
[1] https://docs.strongswan.org/docs/latest/install/reducedPrivileges.html#_dropping_capabilities
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog:
https://codeberg.org/gumbo-parser/gumbo-parser/releases
Release 0.11.0 onwards dropped the 'v' version prefix in the tarball
name, so drop it on our side as well.
The patch no longer applied cleanly and needed to be refreshed.
It was also submitted to the new upstream, the upstream link is
updated accordingly.
A local test build was done with the toolchain from the config that
originally triggered the build to fail due to lack of C++ support:
http://autobuild.buildroot.org/results/a32b5d3b959433fd5c3543661c37f80d27fbd010
It is worth noting that we still build using autotools which is
deprecated in this version of gumbo-parser (in favor of meson).
The license file location was moved in a "doc" subdirectory, in upstream
commit [1]. This commit reflect that change.
[1] 814e2b43f7
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[Julien: fix license file location which has moved to "doc/"]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The new test requires a br2-external directory because we compile a
small test program on the host and install it on the target, but it's
not useful to have it in the main Buildroot package tree.
The test program loads and parses a sample HTML document. Taking
inspiration from 'examples/get_title.c' in gumbo-parser, it also
searches for the title of the document just to check that we can do
more than the parsing.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Development on Google's GitHub repository has stopped a long time ago.
A fork exists on Codeberg, and multiple distributions (Fedora, Arch
Linux, ...) are already using it (see [1]).
Update the source URL to use the new upstream location.
The new upstream has a different hash for the 0.10.1 tarball, so
update it as well.
[1]: https://repology.org/project/gumbo-parser/versions
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This test verifies that we can run nginx with the modsecurity
directives.
It also checks a very simple rule that blocks requests containing the
keyword "blockme".
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[Julien:
- add / at directory end in DEVELOPERS
- sort DEVELOPERS entries alphabetically
- remove unneeded test configs already present in
BASIC_TOOLCHAIN_CONFIG
- sort test config directives alphabetically
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Backport the upstream patch that fixes the following build error when
compiling for mips with gcc 15:
In file included from mips-opc.c:29:
mips-opc.c: In function 'decode_mips_operand':
mips-formats.h:86:7: error: expected identifier or '(' before
'static_assert'
86 | static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
| ^~~~~~~~~~~~~
The patch is already part of upstream binutils 2.44, so we only need
it for 2.42 and 2.43.1.
All 3 versions we have of host-binutils were build-tested using the
defconfig from the autobuilder failure (see the link below) and gcc 15
on the host.
Fixes:
- https://autobuild.buildroot.org/results/873/873ec25cf01d5f2b9ae7044e0b1d8d8791b781e6/
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The upstream Github repository payden/libwebsock is no longer available,
and its URL now redirects to some completely unrelated software.
We don't know for sure what happened, but at least the package does not
build anymore, because its source code has vanished.
Since no other buildroot package depends on libwebsock, and it hasn't
received any update; let's simply remove it from here.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following CVE:
- CVE-2025-29481:
Buffer Overflow vulnerability in libbpf 1.5.0 allows a local attacker to
execute arbitrary code via the bpf_object__init_prog` function of libbpf.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-29481
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add direct link to CVE in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Actually DTB_LIST accepts only file and not files with relative path
preprended. This leads to have vfat without .dtb files and so Linux
doesn't start. Let's fix this by including slash in sed command as done
for mxc as well as basename in front of $dt.dtb to remove possible
useless folders present in the dts path. Let's also add set -e at the
top of the script to make it more verbose on error and modify this
section according to spellcheck as done for mxc.
This commit align this "mxs/post-image.sh" with its "imx/post-image.sh"
counterpart which was improved for arm64 in commit [1].
[1] 4755bf2bd4
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien:
- change space indentation to tabs for consistency
- add note in commit log about imx/post-image.sh
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch allows to use an external toolchain based on gcc 15.
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
[Julien: change spaces to tabs to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since edk2-stable202411, see:
https://github.com/tianocore/edk2/releases/tag/edk2-stable202502https://github.com/tianocore/edk2/releases/tag/edk2-stable202505
Note: the edk2-stable202505 release note mention a security fix.
This fix was already backported in Buildroot in a previous commit.
For that reason, this bump is not marked as securiy, and also
removes the backported patch and its associated _IGNORE_CVES entry.
Those versions include fixes when using gcc 15 (host and target).
This commit also updates the edk2-platforms and edk2-non-osi packages
with the last commit merged at the edk2 release date (2025-05-23).
In the case of edk2-platforms, the commit id used in this update
is few days later, to include a fix for the Arm Sgi575 platform.
Exact commit should have been [1] (to be exactly aligned to the edk2
tag date), but commit [2] is used instead. The package edk2-non-osi is
updated to commit [3].
Also, the SocioNext SynQuacer platforms (including the DeveloperBox)
were removed upstream in edk2-platforms commit [4]. This commit
reflect that change by removing those platforms choices and associated
runtime tests.
This commit has been runtime tested with tests using EDK2 package,
with commands:
support/testing/run-tests \
-d dl -o output_folder \
tests.boot.test_edk2 \
tests.boot.test_grub.TestGrubAArch64EFI \
tests.boot.test_grub.TestGrubi386EFI \
tests.boot.test_grub.TestGrubRiscV64EFI \
tests.boot.test_grub.TestGrubX8664EFI \
tests.fs.test_iso9660.TestIso9660Grub2EFI \
tests.fs.test_iso9660.TestIso9660Grub2Hybrid \
tests.package.test_fwts
It has also been runtime tested (by booting in qemu) with defconfigs
using EDK2 package:
qemu_aarch64_sbsa_defconfig
qemu_riscv64_virt_efi_defconfig
[1] 2bfe3fa99e
[2] 92f7d69e8a
[3] ea2040c2d4
[4] aaba5807f1
Cc: Dick Olsson <hi@senzilla.io>
Cc: Romain Naour <romain.naour@smile.fr>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
gnu-efi fails to build if TOPDIR is exported in the environment since the
move to version 3.0.18 in commit 9efeb7e914 ("package/gnu-efi: bump to
version 3.0.18").
The reason is the change in TOPDIR logic introduced by upstream commit
31913f8489 ("Make: make TOPDIR actually work and get rid of unused CDIR"):
31913f8489
export TOPDIR=foo; make gnu-efi
...
/path/to/buildroot/output-gnuefi/host/bin/aarch64-linux-ld: cannot find
/path/to/buildroot/output-gnuefi/build/gnu-efi-4.0.0//apps/../aarch64/gnuefi/crt0-efi-aarch64.o:
No such file or director
make[2]: *** [Makefile:89: apps] Error 2
make[1]: *** [package/pkg-generic.mk:273: /path/to/buildroot/output-gnuefi/build/gnu-efi-4.0.0/.stamp_built] Error 2
make: *** [Makefile:23: _all] Error 2
As a workaround, unexport TOPDIR like we do for other sensitive environment
variables.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The list of environment variables to unexport has grown organically over the
years and is no longer sorted. Sort it alphabetically for clarity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The current homepage URL leads to an HTTP 404 error.
Fix it by using the homepage URL currently mentioned in mupdf's git
repository.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Following the bump of systemd to 257.5 in commit
7d8d48cd2b, the installation of
systemd-boot fails with:
/usr/bin/install -D -m 0644 /home/thomas/projets/buildroot/outputs/3/build/systemd-257.5/buildroot-build/src/boot/efi/systemd-bootx64.efi /home/thomas/projets/buildroot/outputs/3/images/efi-part/EFI/BOOT/bootx64.efi
/usr/bin/install: cannot stat '/home/thomas/projets/buildroot/outputs/3/build/systemd-257.5/buildroot-build/src/boot/efi/systemd-bootx64.efi': No such file or directory
Indeed, the systemd-bootx64.efi binary is no longer produced in
buildroot-build/src/boot/efi/, but in buildroot-build/src/boot/.
No autobuilder failures have been found corresponding to this issue,
but it can be reproduced with:
BR2_x86_64=y
BR2_x86_corei7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_CORE_I7_GLIBC_BLEEDING_EDGE=y
BR2_INIT_SYSTEMD=y
BR2_SYSTEM_BIN_SH_NONE=y
BR2_SYSTEM_DEFAULT_PATH="/bin:/sbin:/usr/bin:/usr/sbin"
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_SYSTEMD_BOOT=y
# BR2_TARGET_ROOTFS_TAR is not set
Most likely this was caused by upstream commit
97318131fd06a5bc35454da81dcbbc84f16d9940, even though we didn't check
if this commit was really the culprit.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 0fce7a9623 ("package/libcurl: fix build w/ threads + c-ares") added a
conditional for threads + c-ares, but ended up with a end-parenthesis too
many - so the condition is never true. Fix that.
Reported-by: Tibault Damman <tibault.damman@basalte.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This is the first tagged version of the package, so replace commit SHA
with version tag.
Change log since last version bump:
d8a8358a7207 mmc-utils: Pass key_mac buffer to rpmb_get_key()
a23ad7875b89 mmc-utils: Start to use the generic print_usage function
e769d44ecb77 mmc-utils: Introduce a generic print_usage function
6586fa5535dc mmc-utils: Simplify and streamline print_help function
ec75d4b3b671 mmc-utils: Remove unused adv_help member from struct Command
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Reviewed-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In Linux v6.8, the rtla Makefile was rewritten :
01474dc706ca ("tools/rtla: Use tools/build makefiles to build rtla")
The new Makefile uses default linker values, so the host linker being used to
produce the final rtla binary.
This results in the following error :
ld: [...] trace.o: error adding symbols: file in wrong format
Add LD=$(TARGET_LD) to the RTLA_MAKE_OPTS to fix rtla cross-compilation.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
According to
https://lists.samba.org/archive/samba-technical/2025-June/139484.html:
A new update, version 7.4, of cifs-utils has been released today.
Users of cifs-utils version 7.3 on older kernels are encouraged to
update to 7.4 since it includes a fix for a mount problem with version
7.3 of cifs-utils on older kernels when using namespaces.
[...]
Detailed list of changes since version 7.3 was released
----------------------------------------------------------------
Enzo Matsumiya (1):
mount.cifs: retry mount on -EINPROGRESS
Henrique Carvalho (1):
cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP
Paulo Alcantara (1):
cifs.upcall: fix memory leaks in check_service_ticket_exits()
Pavel Shilovsky (1):
cifs-utils: bump version to 7.4
Z. Liu (2):
getcifsacl, setcifsacl: use <libgen.h> for basename
cifscreds: use <libgen.h> for basename
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 8f69974c20 switched the
buildsystem of mpv from waf to meson but forgot to remove a patch which
fixed a waf-related build error.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update to the current release. We now need the recently added
vulkan-sdk to have access to the volk loader. Update the depends
comments appropriately.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
[Julien:
- reword commit log title to use bash brace-expansion style
- remove "vulkan-sdk" from Kconfig comment
- remove newline before Kconfig help section
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The principle component of this is the new volk meta-loader which is
required for more recent versions of vulkan-tools. There does seem to
be a little confusion with github Releases lagging behind tagged
versions of the sdk. I've gone for the latest SDK version to stay as
closely aligned to the rest of the system as I can.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
[Julien: remove _SOURCE to fix a check-package warning]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This version bump is needed for compatibility with the upcoming bump of
ffmpeg to version 7.1.x.
Use the new configure option disable_rpi_features to allow building for
non-rbpi defconfigs.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: use "git describe --tags --abbrev=40" format in _VERSION]
Signed-off-by: Julien Olivain <ju.o@free.fr>
See changelog:
https://github.com/KhronosGroup/glslang/blob/15.3.0/CHANGES.md
Fixes build issue: error: ‘uint32_t’ has not been declared, encountered
on GCC v15, caused by cstdint not being implicitly included.
https://bugs.gentoo.org/937261
This commit also adds host-spriv-tools in _DEPENDENCIES to use the
version packaged in Buildroot. It also adds
ALLOW_EXTERNAL_SPIRV_TOOLS=ON in _CONF_OPTS, which was added in upstream
commit [1], introduced in version 13.0.0.
Also, when trying to build this python-glslang version 15.3.0 on a host
providing cmake < 3.26, the configuration fails with the error message:
CMake Error at CMakeLists.txt:345 (add_test):
Error evaluating generator expression:
$<TARGET_RUNTIME_DLL_DIRS:spirv-remap>
Expression did not evaluate to a known generator expression
This happens in the Buildroot docker reference image, which provides a
cmake version 3.25. To workaround this issue which happen in glslang
testing code, this commit disable those tests by adding
GLSLANG_TESTS=OFF in _CONF_OPTS.
[1] 3805888a57
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- resolve merge conflict
- update changelog link to use version tag
- disable glslang tests
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
As Benetti Engineering I keep contributing since 8 years more or less on
many packages and I've learnt a lot by joining this community. Most of all
I've received precious reviews from maintainers of today and yesterday.
Also, finally I've found some time to create my company logo and so let's
add Benetti Engineering to commercial support using LinkedIn page as
placeholder until the final website will be ready.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Acked-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The squashfs 4.6.1 archive hash has been changed suddenly two weeks
ago by Github without any intended changes from the squashfs maintainer
[1].
The orginal squashfs 4.6.1 archive has been manually uploaded again.
Update the URL to download the archive that match the expected hash.
Since we don't use the github download helper anymore, the squashfs
archive name is changed from squashfs-4.6.1.tar.gz to
squashfs-tools-4.6.1.tar.gz.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10355448207
(and many more...)
See:
[1] https://github.com/plougher/squashfs-tools/issues/313
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add fix to build with cmake 4.x.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: use "git describe --tags --abbrev=40" format in _VERSION]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed patch which is included in this release:
e48db06c64
Use upstream-provided license file:
92220248b1
This bump includes compatibility with cmake 4.x:
d7faed1c69
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: remove patch entry in .checkpackageignore]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Patch has been pending upstream for a while [1], Alpine has merged an
older version that includes some whitespace damage but is functionally
equivalent.
[1] https://github.com/jpirko/libndp/pull/29
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
REMI hasn't received new release since July 2022 and is currently broken
with error:
Traceback (most recent call last):
File "<string>", line 26, in <module>
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 116, in setup
_install_setup_requires(attrs)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 89, in _install_setup_requires
_fetch_build_eggs(dist)
~~~~~~~~~~~~~~~~~^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 94, in _fetch_build_eggs
dist.fetch_build_eggs(dist.setup_requires)
~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 80, in fetch_build_eggs
raise SetupRequirementsError(specifier_list)
setuptools.build_meta.SetupRequirementsError: ['setuptools_scm']
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 389, in <module>
main()
~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 373, in main
json_out["return_val"] = hook(**hook_input["kwargs"])
~~~~^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 143, in get_requires_for_build_wheel
return hook(config_settings)
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 331, in get_requires_for_build_wheel
return self._get_build_requires(config_settings, requirements=[])
~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 301, in _get_build_requires
self.run_setup()
~~~~~~~~~~~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 512, in run_setup
super().run_setup(setup_script=setup_script)
~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 317, in run_setup
exec(code, locals())
~~~~^^^^^^^^^^^^^^^^
File "<string>", line 31, in <module>
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 117, in setup
return distutils.core.setup(**attrs)
~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/_distutils/core.py", line 148, in setup
_setup_distribution = dist = klass(attrs)
~~~~~^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 323, in __init__
_Distribution.__init__(self, dist_attrs)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/_distutils/dist.py", line 309, in __init__
self.finalize_options()
~~~~~~~~~~~~~~~~~~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 786, in finalize_options
ep(self)
~~^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 806, in _finalize_setup_keywords
ep.load()(self, ep.name, value)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools_scm/_integration/setuptools.py", line 82, in version_keyword
assert isinstance(value, dict), "version_keyword expects a dict or True"
~~~~~~~~~~^^^^^^^^^^^^^
AssertionError: version_keyword expects a dict or True
ERROR Backend subprocess exited when trying to invoke get_requires_for_build_wheel
make: *** [package/pkg-generic.mk:273: /workdir/instance-0/output-1/build/python-remi-2022.7.27/.stamp_built] Error 1
make: Leaving directory '/workdir/instance-0/buildroot'
Since last release code has been corrected and now build end
successfully.
Another issue with remi is related to python CGI library no more available with
python 3.13. This patch also updates Config.in to add a select BR2_PACKAGE_PYTHON_LEGACY_CGI
This commit also updates the LICENSE file hash, because line ending
changed from "CR-LF" (Windows) in old release archive to "LF" (Unix)
in the github download. Apart from that, the content is the same.
Fixes:
- https://autobuild.buildroot.org/results/f0409533ebdc31e522f2ee2ea8a5acc11dbc7430/
- https://autobuild.buildroot.org/results/a16cf5105d4b726b5d4136a2d8f82abcfdc0faba/
- https://autobuild.buildroot.org/results/e7ac28e20ad92863d337e96c225463346ee6c690/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
[Julien:
- use "git describe --abbrev=40" format in _VERSION
- fix LICENSE hash
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The readme.txt file for zynqmp boards does not have documentation for working
with custom boards. This patch adds documentation for custom board support.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The readme.txt file for zynq boards has some outdated information for the
custom board section. The custom ps7_init_gpl.c is now defined by
CONFIG_XILINX_PS_INIT_FILE and Buildroot always puts the Xilinx u-boot builds
in the output/build/uboot-custom directory.
This patch updates the instructions in the readme.txt file accordingly.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The readme.txt file for versal boards does not have documentation for working
with custom boards. This patch adds documentation for custom board support.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
rt_tgsigqueueinfo01.c compilation has been fixed in 20250130, don't
needed to be removed any more.
Fixes: 2bbcda7c0e ("package/ltp-testsuite: bump version to 20250130")
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes:
https://www.samba.org/samba/history/samba-4.22.2.htmlhttps://www.samba.org/samba/history/samba-4.22.1.htmlhttps://www.samba.org/samba/history/samba-4.22.0.html
Rebased patch 0001 due to upstream commit
4dbbfcb004
An import of the host-python ssl module was added to wscript with commit
549f67a9e6
Select BR2_PACKAGE_HOST_PYTHON3_SSL to provide the new dependency.
Note: the 4.22.2 release note mention a security fix
for CVE-2025-0620. This commit is not marked as a security bump
because this CVE was addressed in a previous Buildroot commit
updating samba4 to version 4.21.6, which also contain this fix.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add a note explaining why this commit is not a security bump
- add "select BR2_PACKAGE_HOST_PYTHON3" in Config.in
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes: CVE-2024-47081
Fixed an issue where a maliciously crafted URL and
trusted environment will retrieve credentials for
the wrong hostname/machine from a netrc file.
Release notes: https://github.com/psf/requests/releases/tag/v2.32.4
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
python-glslang is a host-only package and the host-python3 dependency
was wrongly added as target dependency with buildroot commit
f9fe0cf8f6.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the comment about the xilinx-embeddedsw package needing a bare-metal
toolchain was moved to the start of the Config.in file, it is now printing
in make menuconfig for virtually all defconfigs.
By adding the same dependencies as the xilinx-embeddedsw package, the
comment will appear only when the xilinx-embeddedsw package is actually
selectable.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The following patch is specific to the Xilinx Linux 6.12.10 release, and will
not apply to all Linux 6.12 releases. Starting with the next release based on
Linux 6.12.30, this patch will already be included.
For this reason, it is better to change the directory name to linux_6.12.10,
so that it is clear that it is only to be used with the Xilinx 2025.1 release
based on Linux 6.12.10 and not future Linux 6.12 releases.
So this patch moves:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
to:
board/xilinx/linux_6.12.10/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With bootgen xilinx_v2025.1, the local FlexLexer.h file is not in the same
directory as the cpp files including it, so the previous patch used to solve
the issue below needs to be updated to find the local FlexLexer.h which is in
the win_include directory of bootgen version xilinx_v2025.1.
See upstream commit [1].
So this patch corrects the path for including the local FlexLexer.h header for
fixing the below issue.
Bootgen embeds an old version of flex, but uses the system include syntax
(#include <>) to reference it, causing conflicts on systems with the
development headers for a modern flex version installed, leading to build
issues like:
../bisonflex/bif.yy.cpp: In member function 'virtual int BIF::FlexScanner::yylex()':
../bisonflex/bif.yy.cpp:1608:18: error: no match for 'operator=' (operand types are 'std::istream' {aka 'std::basic_istream'} and 'std::istream*' {aka 'std::basic_istream*'})
This build failure can also happen if the host-flex Buildroot package
is built before host-bootgen.
The failure can be reproduced, in the Buildroot docker reference image
with the commands:
utils/docker-run
make versal_vck190_defconfig
make host-flex host-bootgen
Fix it by using normal local #include statements by:
sed -i 's/<FlexLexer.h>/"../win_include/FlexLexer.h"/g' *
Fixes: https://autobuild.buildroot.org/results/60220f94cca1bcca5667afcb2acffb5aacae048b
[1] 86b862096b (diff-0d754a86508dc8a894b72796966f332c0316942c5d5ab42ae6a0766dcfcb52dc)
Signed-off-by: Neal Frager <neal.frager@amd.com>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The hash has for the license file been missing since the package was
introduced in commit 992d43b373 (package/docker-credential-gcr: new
package).
Add it now.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The hash has for the license file been missing since the package was
introduced in commit e679cd4974 (package/docker-credential-acr-env:
new package)
Add it now.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The hash has for the license file been missing since the package was
introduced in commit 9a95806225 (package/amazon-ecr-credential-helper:
new package).
Add it now.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit fc7c7d74aa ("package/mesa3d: add RustiCL support") extended the
BR2_PACKAGE_MESA3D_OPENCL dependencies to include
BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS &&
BR2_PACKAGE_MESA3D_RUSTICL_SUPPORTED_DRIVER) as an alternative provider.
This is correct as in the kconfig language && has a higher priority than ||,
E.G. A || B || C && D is parsed as A || B || (C && D)
https://docs.kernel.org/kbuild/kconfig-language.html#menu-dependencies
But it is somehat unclear, so add a parenthesis for clarity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 6.14.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Back port four upstream fixes for those issues:
- gpsprof could not log or dump GNSS messages; gpsprof is useful
to calbrate a GNSS receiver, especially when building a static
RTK base;
- the JSON blurb reported by gpsd was sometimes broken, causing
decoding errors in clients;
- the detection of 64-bit time on 32-bit systems was borked;
- UDP mode was borked;
The runtime test is extended to test all known transports: TCP, UDP,
and PTY.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that all zynqmp and versal defconfigs have bumped to version
xilinx_v2025.1, the xilinx-embeddedsw default version can also be bumped
to xilinx_v2025.1.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that all versal defconfigs have been bumped to xilinx_v2025.1, this patch
bumps the xilinx-prebuilt default version to xilinx_v2025.1.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the versal_vpk180_defconfig to xilinx-v2025.1 which includes
the following updates:
- ATF v2.12
- Linux v6.12.10
- PLM xilinx_v2025.1
- PSMFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the versal_vck190_defconfig to xilinx-v2025.1 which includes
the following updates:
- ATF v2.12
- Linux v6.12.10
- PLM xilinx_v2025.1
- PSMFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the versal_vek280_defconfig to xilinx-v2025.1 which includes
the following updates:
- ATF v2.12
- Linux v6.12.10
- PLM xilinx_v2025.1
- PSMFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch adds support for version xilinx_v2025.1 without changing the
default version. This way, the zynqmp and versal defconfigs can bump
individually from xilinx_v2024.2 to xilinx_v2025.1.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With bootgen 2025.1, the directory structure was re-done. In the process of
doing this, the source files in the bisonflex directory lost the fix below
which had been applied on an earlier version of bootgen for the issue below.
Bootgen embeds an old version of flex, but uses the system include syntax
(#include <>) to reference it, causing conflicts on systems with the
development headers for a modern flex version installed, leading to build
issues like:
../bisonflex/bif.yy.cpp: In member function 'virtual int BIF::FlexScanner::yylex()':
../bisonflex/bif.yy.cpp:1608:18: error: no match for 'operator=' (operand types are 'std::istream' {aka 'std::basic_istream'} and 'std::istream*' {aka 'std::basic_istream*'})
Fix it by using normal local #include statements by:
sed -i 's/<FlexLexer.h>/"FlexLexer.h"/g' *
This patch re-adds the patch to fix this to buildroot.
Fixes: https://autobuild.buildroot.org/results/056384322246877253cd8d0781717ce495cbe769/
Upstream: patch submitted to AMD internal jira process
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-By: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that all zynqmp boards have bumped to xilinx_v2025.1, the zynqmp u-boot
binman patches can be removed.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynqmp_zcu106_defconfig to xilinx-v2025.1 which
includes the following updates:
- ATF v2.12
- Linux v6.12.10
- PMUFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
The zynqmp specific u-boot binman patches are also included with the
xilinx-v2025.1 release tag, so these patches can also be removed.
The following patches have thus been removed from the defconfig:
board/zynqmp/patches/uboot/*
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynqmp_zcu104_defconfig to xilinx-v2025.1 which
includes the following updates:
- ATF v2.12
- Linux v6.12.10
- PMUFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
The zynqmp specific u-boot binman patches are also included with the
xilinx-v2025.1 release tag, so these patches can also be removed.
The following patches have thus been removed from the defconfig:
board/zynqmp/patches/uboot/*
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynqmp_zcu102_defconfig to xilinx-v2025.1 which
includes the following updates:
- ATF v2.12
- Linux v6.12.10
- PMUFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
The zynqmp specific u-boot binman patches are also included with the
xilinx-v2025.1 release tag, so these patches can also be removed.
The following patches have thus been removed from the defconfig:
board/zynqmp/patches/uboot/*
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that all 3 zynqmp_kria defconfigs have bumped to xilinx_v2025.1, the kria
specific u-boot patch can be removed.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynqmp_kria_kr260_defconfig to xilinx-v2025.1 which
includes the following updates:
- ATF v2.12
- Linux v6.12.10
- PMUFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
The kria specific u-boot patch is no longer necessary, as it is
included with the xilinx-v2025.1 release tag.
The following patch has thus been removed from the defconfig:
board/zynqmp/kria/patches/uboot/0001-video-zynqmp-add-support-for-reset.patch
The zynqmp specific u-boot binman patches are also included with the
xilinx-v2025.1 release tag, so these patches can also be removed.
The following patches have thus been removed from the defconfig:
board/zynqmp/patches/uboot/*
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynqmp_kria_kd240_defconfig to xilinx-v2025.1 which
includes the following updates:
- ATF v2.12
- Linux v6.12.10
- PMUFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
The kria specific u-boot patch is no longer necessary, as it is
included with the xilinx-v2025.1 release tag.
The following patch has thus been removed from the defconfig:
board/zynqmp/kria/patches/uboot/0001-video-zynqmp-add-support-for-reset.patch
The zynqmp specific u-boot binman patches are also included with the
xilinx-v2025.1 release tag, so these patches can also be removed.
The following patches have thus been removed from the defconfig:
board/zynqmp/patches/uboot/*
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynqmp_kria_kv260_defconfig to xilinx-v2025.1 which
includes the following updates:
- ATF v2.12
- Linux v6.12.10
- PMUFW xilinx_v2025.1
- U-Boot v2025.01
The Xilinx specific Linux 6.12 patch has been added to this defconfig:
board/xilinx/linux_6.12/patches/linux/0001-include-uapi-linux-xlnx-ai-engine.h-fix-CONFIG_XILIN.patch
The kria specific u-boot patch is no longer necessary, as it is
included with the xilinx-v2025.1 release tag.
The following patch has thus been removed from the defconfig:
board/zynqmp/kria/patches/uboot/0001-video-zynqmp-add-support-for-reset.patch
The zynqmp specific u-boot binman patches are also included with the
xilinx-v2025.1 release tag, so these patches can also be removed.
The following patches have thus been removed from the defconfig:
board/zynqmp/patches/uboot/*
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch adds support for version xilinx_v2025.1 without changing the
default version. This way, the zynqmp and versal defconfigs can bump
individually from xilinx_v2024.2 to xilinx_v2025.1.
In addition, new software apps were added to the Xilinx/embedddedsw repo.
While they do not change the buildroot xilinx-embeddedsw boot package, the
version xilinx_v2025.1 has a new license.txt file. For this reason, this
patch adds a hash file for the xilinx_v2025.1 version, so that both the
default xilinx_v2024.2 and xilinx_v2025.1 versions will have independent
hashes for their license.txt files.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynq_microzed_defconfig to xilinx-v2025.1 which includes
the following updates:
- Linux v6.12.10
- U-Boot v2025.01
The xilinx-v2025.1 Linux 6.12.10 release tag requires a patch to fix a
leak of the Kconfig CONFIG_XILINX_AIE, so this patch is now included.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynq_microzed_defconfig to xilinx-v2025.1 which includes
the following updates:
- Linux v6.12.10
- U-Boot v2025.01
The xilinx-v2025.1 Linux 6.12.10 release tag requires a patch to fix a
leak of the Kconfig CONFIG_XILINX_AIE, so this patch is now included.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynq_zc706_defconfig to xilinx-v2025.1 which includes
the following updates:
- Linux v6.12.10
- U-Boot v2025.01
The xilinx-v2025.1 Linux 6.12.10 release tag requires a patch to fix a
leak of the Kconfig CONFIG_XILINX_AIE, so this patch is now included.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps the zynq_zc702_defconfig to xilinx-v2025.1 which includes
the following updates:
- Linux v6.12.10
- U-Boot v2025.01
The xilinx-v2025.1 Linux 6.12.10 release tag requires a patch to fix a
leak of the Kconfig CONFIG_XILINX_AIE, so this patch is now included.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add hashes for xilinx_v2025.1 release.
xilinx_v2025.1 release includes:
- atf 2.12
- linux 6.12.10
- uboot 2025.01
In addition, the xilinx_v2025.1 linux kernel release tag has a Kconfig leak
of the CONFIG_XILINX_AIE option. This patch adds a patch that is specific to
the Xilinx Linux 6.12.10 release which fixes the problem by moving the changes
implemented by the CONFIG_XILINX_AIE option from the exposed uapi header file
to the Linux internal header file.
The patch has been added to the board/xilinx/linux_6.12/patches directory, so
that it will only be applied when a user specifies they wish to build the
xilinx_v2025.1 release or they use a defconfig that has migrated to this
release.
Since the header file that causes the issue is not yet mainline, this patch
has been "upstreamed" to the Xilinx linux-xlnx repo via the AMD internal jira
process.
Upstream: internal AMD jira process
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
[Julien: fix check-package errors:
- remove numbering in patch subject
- add "Upstream:" tag in patch
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch removes the support for the microblazeel-xilinx-elf arch tuple.
Users will now get an error message telling them to change their configuration
to the microblazeel-buildroot-elf arch tuple.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch migrates all the versal and zynqmp defconfigs to use the
microblazeel-buildroot-elf arch tuple for the toolchain-bare-metal-buildroot
toolchain.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that xilinx-embeddedsw is compatible with the toolchain vendor buildroot,
this patch modifies the toolchain-bare-metal-buildroot help example to use
the microblazeel-buildroot-elf tuple.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch renames the bare-metal toolchain vendor used by the
xilinx-embeddedsw package from Xilinx to Buildroot to be consistent with all
other toolchains built by Buildroot.
To build the Microblaze applications available with the xilinx-embeddedsw
package, the following config is now needed:
BR2_TOOLCHAIN_BARE_METAL_BUILDROOT_ARCH="microblazeel-buildroot-elf"
This change keeps backwards compatibility for users already using the
following architecture tuple:
BR2_TOOLCHAIN_BARE_METAL_BUILDROOT_ARCH="microblazeel-xilinx-elf"
Either vendor name is now valid, but there is a warning message to use the
Buildroot vendor name, and the support for the "microblazeel-xilinx-elf"
tuple will be removed once all zynqmp and versal defconfigs have migrated.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With the Segmented Configuration, the Versal PDI files will have new names:
<design>_boot.pdi - Minimal DDR and PS config for booting
<design>_pld.pdi - Remainder of FPGA design to be loaded at run-time
Since this will be the new default, this patch aligns the Buildroot file
naming by replacing the obscure vpl_gen_fixed.pdi filename with a simpler
boot.pdi filename.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
AMD has created a new segmented configuration for Versal products. It splits
the Vivado hardware design into two PDI files, one containing the minimal
required configuration for the DDR and booting the processors, and a second PDI
file which contains the rest of the FPGA design and can be loaded at run-time
via U-boot or Linux.
The file names generated when using the Vivado Segmented Configuration are as
follows:
<design>_boot.pdi - Minimal DDR and PS config for booting
<design>_pld.pdi - Remainder of FPGA design to be loaded at run-time
Since two PDI files will be included in the XSA file when using Segmented
Configuration, the xilinx-prebuilt package needs to be updated to support
this feature.
For Buildroot purposes, the <design>_boot.pdi is the file that needs to be
included in the boot.bin for booting the processors, so this patch checks
for a file named *boot*.pdi which will indicate that Segmented Configuration
is being used and will make sure to use the <design>_boot.pdi file and not
the <design>_pld.pdi file when generating the boot.bin image.
If no pdi files contain the word "boot" in the filename, it can be assumed
that Segmented Configuration is not being used, so the single file *.pdi
method is the appropriate one for this case, and this patch is thus
backwards compatible with prior designs not using Segmented Configuration.
Also, Segmented Configuration is going to become the default mode for Versal
products, so the xilinx-prebuilt github location will also soon have two PDI
files for each board. For this reason, this patch is also handling Segmented
Configuration for files downloaded from the xilinx-prebuilt repo.
For further information about the AMD Segmented Configuration, please see the
github tutorial below.
https://github.com/Xilinx/Vivado-Design-Tutorials/tree/2024.2/Versal/Boot_and_Config/Segmented_Configuration
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The versal vpl_gen_fixed.pdi file is not a target executable, so the file
permissions should be 644 instead of 755.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
CoolPi 4B is a rk3588s based SBC[0].
Specification:
- Rockchip RK3588S
- LPDDR4 2/4/8/16 GB
- TF scard slot
- eMMC 8/32/64/128 GB module
- Gigabit ethernet drived by PCIE with RTL8111HS
- HDMI Type D out
- Mini DP out
- USB 2.0 Host x 2
- USB 3.0 OTG x 1
- USB 3.0 Host x 1
- WIFI/BT module AIC8800
- 40 pin header
[0] https://www.cool-pi.com/product/cp4b/
Signed-off-by: Andy Yan <andyshrk@163.com>
[Julien:
- add missing BR2_GLOBAL_PATCH_DIR and hash files
- add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This test verifies that clinfo correctly detects the rustiCL platform
and llvmpipe as device.
We check:
- exit code,
- Platform name matches rusticl,
- Device name matches llvmpipe.
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
[Julien:
- rename file to test_mesa3d.py
- add Medhi in DEVELOPERS for this test file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
RustiCL is an OpenCL implementation written entirely in
RUST and integrated into Mesa3D. It enables the use of OpenCL
programs on top of existing Gallium drivers. RustiCL is a
modern and maintainable replacement for the old C-implemention
Clover.
To build Rusticl in Mesa3D, the following components are required:
- host-rustc (Rust compiler)
- host-rust-bindgen (for generating bindings)
- spirv-tools
- spirv-llvm-translator (providing libLLVMSPIRVLib.so matching the LLVM version)
- LLVM built with libclc and -DLLVM_ENABLE_DUMP=ON
- Mesa headers via mesa-clc-bundle-headers=enabled
- There is a known meson bug and in order to fix it we set -Drust_std=2021, see:
https://docs.mesa3d.org/rusticl.html#known-issueshttps://github.com/mesonbuild/meson/issues/10664
More details in the Mesa documentation:
https://docs.mesa3d.org/rusticl.html
Rusticl is the provider of OpenCL in Buildroot.
However, Mesa does not provide the `libOpenCL.so` library itself.
We therefore depend on the `opencl-icd-loader` package to
install this loader in the toolchain sysroot, so that other
OpenCL-dependent packages can build and link against it.
Without the ICD loader, only `libRustiOpenCL.so` is available and
tools like `clinfo` or `clpeak` fail.
- 'Dmesa-clc-bundle-headers=enabled' ensures that the OpenCL header
files are bundled and available in the target. Without this,
runtime compilation of OpenCL kernels via clpeak or clinfo fails
with:
fatal error: 'opencl-c-base.h' file not found
see 3619611b31
We add a Rust compiler override to Meson to use Buildroot’s
host Rust toolchain using MESA3D_MESON_EXTRA_BINARIES.
Rusticl requires Meson to invoke rustc with the correct target and linker:
* 'rust=['$(HOST_DIR)/bin/rustc','--target=$(RUSTC_TARGET_NAME)']'
* 'rust_ld='$(TARGET_CROSS)gcc''
Another solution was proposed to set rust and rust_ld globally in
cross-compilation.conf, we prefer to define them locally within mesa
for now to ensure precise control over the rust toolchain behavior
during the Mesa build.
see https://lore.kernel.org/buildroot/ZcOeEMfwX4XlRXO7@landeda/
Currently, we should always use RUSTICL_ENABLE= driver to use rusticl.
More information:
https://docs.mesa3d.org/envvars.html#envvar-RUSTICL_ENABLE
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
[Julien: add references to meson bug]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This adds the OpenCL installable client driver (ICD) loader
which provides the 'libOpenCL.so' shared library needed to
run OpenCL programs.
Mesa3D can offer opencl implementations (such as rusticl),
but it does not provide 'libOpenCL.so'.
Without it, programs like 'clinfo' fail to build not
finding 'libOpenCL.so'.
see:
https://github.com/KhronosGroup/OpenCL-ICD-Loader
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
[Julien: add Medhi in DEVELOPERS for this package]
Signed-off-by: Julien Olivain <ju.o@free.fr>
MessagePack ships both in a C++ and a C variant. Add the latter to
Buildroot. This will be used by fluent-bit.
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
[Julien:
- switch homepage URL to use https
- add a note in package/msgpack{,-c}/Config.in to clarify C/C++
variants
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For change log, see:
https://gitlab.com/gpsd/gpsd/-/blob/release-3.26.1/NEWS
Support for RTCM104v2 and v3, as well as for ublox, are now
unconditionally built, so drop our corresponding options. No
needfor legacy options: users that had those enabled will
still get them.
Support for Oceanserver has been dropped upstream, so drop our
option and add legacy handling to infrom users they should
complain upstream if they needed it (very unlikely).
Also, a bug introduced in gpsd 3.26 makes the Buildroot gpsd runtime
test failing. See [1]. As a workaround, this commit also changes
this runtime test to emulate a gps over TCP, instead of UDP.
[1] https://gitlab.com/gpsd/gpsd/-/issues/337
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
[Julien:
- rebased on branch next
- add gpsd version removing OceanServer option in Config.in.legacy
- add link to NEWS in commit log
- switch test_gpsd to use tcp instead of udp
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The biggest change for 3.14 is the maximum inittab entry size has increased
from 127 charachters to 253 characters long AND it logs a warning when a line
longer than this is found AND it refuses to run a line longer than 253
characters. It doesn't truncate too-long lines anymore, it just drops them.
Changelog: https://github.com/slicer69/sysvinit/releases/tag/3.14
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Noteable changes:
- Add -Dipe=false and -Dsysupdated=disabled as defaults to CONF_OPTS and
HOST_CONF_OPTS. If another user has a use for either, they can submit a
patch at a later date.
- systemd-networkd now requires kernel >= 5.4 due to the inclusion of the
sockios.h header, which uses the SIOCGSTAMP_OLD macro. This macro was first
introduced in kernel 5.2, but the official README recommends 5.4 as a
baseline, so stick with that. Due to this change:
- systemd-networkd now depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
- default y only if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
- Add a section in migrating.adoc about the new requirement
- The sha256sum of README.md changed due to the addition of some CentOS CI
lines.
- Add the new license file LICENSES/alg-sha1-public-domain.txt.
For change log, see:
https://github.com/systemd/systemd/blob/v257.5/NEWS
Tested with `./utils/test-pkg -p systemd -a`
40 builds, 28 skipped, 0 build failed, 0 legal-info failed, 0 show-info failed
Tested with `./support/testing/run-tests tests.init.test_systemd`
All tests passed
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add link to change log in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Both packages where added as host-only dependencies to build
package/python-aiomqtt, and are not used by any other package. With
aiomqtt switching to hatchling they are not needed any more.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Aiomqtt switched its build system to hatchling with 2.3.1, change
PYTHON_AIOMQTT_SETUP_TYPE and dependencies accordingly.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop the -Djs_engine=duktape option as mozjs support has been removed entirely
and as such, the option no longer exists.
Tested with `./support/testing/run-tests tests.package.test_polkit`
Both tests pass.
Also tested with `./utils/test-pkg -p polkit -a`
40 builds, 8 skipped, 0 build failed, 0 legal-info failed, 0 show-info failed
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This fixes the following CVE:
- CVE-2025-47287: When Tornado's ``multipart/form-data`` parser encounters
certain errors, it logs a warning but continues trying to
parse the remainder of the data. This allows remote
attackers to generate an extremely high volume of logs,
constituting a DoS attack.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-47287
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
GOI now has a build option to disable tests [1], so use that and drop
the "disable tests" patch.
Meson now checks LD_LIBRARY_PATH during configure and sets the result
when calling g-ir-scanner [2]. This means overriding it in _NINJA_ENV
does not work any more, set LD_LIBRARY_PATH in _CONF_ENV instead.
The hash for giscanner/scannerlexer.l changed due to small code
additions.
Upstream changelog:
https://gitlab.gnome.org/GNOME/gobject-introspection/-/blob/1.84.0/NEWS?ref_type=tags
[1] 3e41addbd0
[2] d3f684559f
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Python 3.13 BaseSelectorEventLoop.add_reader() and
BaseSelectorEventLoop.add_writer() use the mapping returned by
selector.get_map() to detect if a file object is already
registered. This fails with the implementation in gi.events._Selector
if some calls use a file object, and others the raw file descriptor.
Full upstream bug report:
https://gitlab.gnome.org/GNOME/pygobject/-/issues/689
This bug breaks package/python-aiomqtt, because its client object uses
file objects in some places for the connection socket, and the file
descriptor in others. The result is that the connection attempt times
out because source registration fails, and the Future that marks
successful connection never resolves.
This commit adds the fix as backported to PyGObject 3.50 [1] so it can
be cherry-picked to Buildroot stable versions using that version.
[1] https://gitlab.gnome.org/GNOME/pygobject/-/merge_requests/423
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump bootgen to xilinx_v2025.1 release.
With version 2025.1, bootgen executable is now in the build/bin dir, so
the install step is changed accordingly.
The LICENSE file hash has changed as it was converted from DOS end of
lines to Unix end of lines.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For change log since 0.19.1, see:
https://github.com/bpftrace/bpftrace/blob/v0.23.3/CHANGELOG.md
Note that since commit [1] updating llvm to 20.1.5, bpftrace is
failing to build at configuration time, with error message:
CMake Error at CMakeLists.txt:184 (message):
Unsupported LLVM version found via
/buildroot/output/host/aarch64-buildroot-linux-gnu/sysroot/usr/include:
20
CMake Error at CMakeLists.txt:185 (message):
Only versions between 6 and 17 are supported
This is because bpftrace version 0.19.1 does not support this
newer llvm version. This update to bpftrace to 0.23.3 resolve this
issue.
[1] e29dae109a
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes:
https://lists.freedesktop.org/archives/mesa-announce/2025-May/000804.htmlhttps://lists.freedesktop.org/archives/mesa-announce/2025-May/000802.html
Note: Mesa3d depends on spirv-tools >= 2024.1
fe8a0d3548
which translates to spirv-tools version 1.3.280.0.
Note: AMD drivers depend on llvm >= 18:
82047fa82f
Removed patch 0001, not needed anymore due to upstream commit
e4eb5e80c3
which removes the libclc headers include.
Renumbered remaining patches.
Rebased patch 0002 due to upstream commit
6652eb0ec3
which renamed meson_options.txt to meson.options.
Panfrost driver depends on llvm:
20970bcd96
and needs the host tool panfrost_compile which is created by the same
method as mesa_clc needed by the Iris driver. Refactor the dependencies
by introducing a blind option BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER
which is selected by either the iris or the panfrost driver.
vtn_bindgen was replaced by vtn_bindgen2:
6d5375017a
OSMesa was removed upstream:
027ccd963b
Also remove optional osmesa support from mesa3d-demos and wine.
Regarding wine please see this discussion:
https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/33836#note_2805850
Configure option shared-glapi was removed upstream:
e5c76088e9fefb1a6fb3
Removed deprecated and unused configure options gallium-opencl & power8:
a0b457aca6c4b305079d
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Bernd v3: - bump to 25.1.1, rebase on -next branch, added note about
impact of osmesa removal on wine]
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
[Mehdi v2: - removed 0001-meson-Set-proper-value-for-LIBCLC_INCLUDEDIR.patch
from .checkpackageignore.
- removed OSMesa from mesa-demos and wine packages.]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release:
https://github.com/llvm/llvm-project/releases/tag/llvmorg-20.1.5
Major Changes and Fixes:
-- CMake 3.20 minimum required
-- Issue encountered during standalone LLVM build:
CMake Error at CMakeLists.txt:8 (include):
include could not find requested file:
This error is due to the line:
include(${LLVM_COMMON_CMAKE_UTILS}/Modules/CMakePolicy.cmake)
Upstream commit [1] harmonized policy handling by introducing this shared include
for all LLVM sub-projects. However, in the LLVM CMakeLists, LLVM_COMMON_CMAKE_UTILS
is set unconditionally, preventing external override — which is required in
Buildroot when building from separated archives.
To solve this:
We apply a patch to wrap the assignment of LLVM_COMMON_CMAKE_UTILS in an
`if(NOT DEFINED ...)` block, allowing Buildroot to set the path externally.
In the `llvm-cmake` package, we also **adjust the installation path** of the
CMake modules: instead of installing directly into `lib/cmake/llvm`, we now
install them under `lib/cmake/llvm/Modules` to match the expected layout.
This ensures that:
LLVM can include `${LLVM_COMMON_CMAKE_UTILS}/Modules/CMakePolicy.cmake`
without errors.
-- Also the Clang build system has removed support for
the GCC_INSTALL_PREFIX option, raising a fatal error when attempting to use it:
CMake Error at CMakeLists.txt:211 (message):
GCC_INSTALL_PREFIX is deprecated and will be removed.
Use configuration files (https://clang.llvm.org/docs/UsersManual.html#configuration-files)
to specify the default --gcc-install-dir= or --gcc-triple=.
--gcc-toolchain= is discouraged.
See https://github.com/llvm/llvm-project/pull/77537
for details.
Remove the use of GCC_INSTALL_PREFIX and replace it with a
Clang configuration file as recommended by upstream.
A configuration file is now automatically generated at:
$(HOST_DIR)/lib/clang/$(CLANG_VERSION_MAJOR)/$(GNU_TARGET_NAME).cfg
It contains:
--gcc-install-dir=<path to external toolchain's lib/gcc/...>
--target=<GNU target triplet>
We dynamically detect the GCC install path by scanning
$(TOOLCHAIN_EXTERNAL_INSTALL_DIR)/lib/gcc/<target>/<version>/
The Clang toolchain wrapper was also updated to add --config=<file> when
BR_CLANG_CONFIG_FILE is defined.
-- Fix LLVM_MAIN_SRC_DIR path:
set(LLVM_MAIN_SRC_DIR "${CMAKE_CURRENT_SOURCE_DIR}/../llvm" CACHE PATH ...)
This path isn't correct when using standalone archive builds. We explicitly pass
LLVM_MAIN_SRC_DIR=$(BUILD_DIR)/llvm-$(LLVM_PROJECT_VERSION) to fix the path. [2]
-- Add LLVM_ENABLE_RUNTIMES:
Upstream added LLVM_ENABLE_RUNTIMES for runtimes [3]
-- Removed LLVM_INCLUDE_GO_TESTS:
Upstream dropped this option; we remove it too [4]
-- Disable TensorFlow Lite integration:
LLVM_HAVE_TFLITE is added to the CMakelist
We now explicitly disable it to avoid unexpected
TensorFlow Lite dependency.
-- Clang introduced CLANG_ENABLE_LIBXML2 [5]
We now explicitly disable it by setting CLANG_ENABLE_LIBXLM2=OFF
since we set LLVM_ENABLE_LIBXML2 to OFF in LLVM
-- Host-python3, which is now always needed by Clang’s resource bundling
script. [6]
-- Clang explicitly request to disable llvm tests when llvm_gtest is missing.[7]
CMake Error at CMakeLists.txt:126 (message):
llvm-gtest not found. Please install llvm-gtest or disable tests with
-DLLVM_INCLUDE_TESTS=OFF
-- Also update the installation path in COMPILER_RT_SETUP_RUNTIME_LIBS
to use CLANG_VERSION_MAJOR instead of HOST_CLANG_VERSION,
ensuring that the runtime files are placed correctly
in the /lib/clang/<major>/ folder. [8]
-- Add llvm-runtimes dependency
libunwind needs runtimes [9]
-- Fix for libclc out of tree patch
Due to upstream changes in libclc, the old patch no longer
applies. Only the fix related to invoking './prepare_builtins'
directly is still relevant and preserved, as it is required to avoid
a build failure when the binary is not in PATH.
-- Upstream commit [10] removed the use of llvm-config in libclc and
replaced it with proper use of LLVM_CMAKE_DIR. We now pass
-DLLVM_CMAKE_DIR instead of DLLVM_CONFIG
-- Libclc expects to invoke some LLVM tools. We explicitly set
LIBCLC_CUSTOM_LLVM_TOOLS_BINARY_DIR to ensure it finds these tools. [11]
-- Remove LLAsm_COMPILER and CLC_COMPILER [12]
-- LIBUNWIND_INSTALL_HEADERS is On by default [13]
-- Update spirv-llvm-translator to align with LLVM 20.1.5
Release:
https://github.com/KhronosGroup/SPIRV-LLVM-Translator/releases/tag/v20.1.2
[1] 9dd01a5241
[2] d2b158e29e
[3] 176db3b3ab
[4] 6ce8727248
[5] df239a6c17
[6] 96962d5512
[7] 8216910395
[8] e1b88c8a09
[9] 0af67d167d
[10] b264787453
[11] 0aeeff3059
[12] 72f9881c3f
[13] f8409af354
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Bernd: rebased, removed gcc-15 patches for llvm 15, bumped to 20.1.5]
used 'git describe' to set the version number for spirv-llvm-translator]
[Mehdi: changed llvm-runtimes version to $(LLVM_PROJECT_VERSION)]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a new host package to install the CMake modules provided by the
runtimes archive of LLVM. These modules are required to build components
like libunwind since upstream refactored the common flag-handling logic
into a shared file: `HandleFlags.cmake`.
This package extracts and installs the relevant files to
`$(HOST_DIR)/lib/cmake/llvm`, where other components like libunwind
will look for them.
see 0af67d167d
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Mehdi v3: explicitly set version to 20.1.3 for now, it will
be changed in llvm-project bump commit]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a kernel fragment to enable
CONFIG_ARM64_VA_BITS_48 for the AARCH64 QEMU platform in the
clang compiler -rt runtime test.
Without this setting, this sanitize-based test fails with clang-20
due to insufficient virtual adress space.
"This might potentially affect ARM platforms with 39-bit address space." from [1]
[1] a588cfe37e
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add local patch to avoid build failure on examples folder that we don't
need. That build failure is due to missing bits/pthreadtypes.h on musl and
since we don't need examples at all let's disable its building by passing
-Dexamples=false.
For release note, see:
https://github.com/linux-nvme/libnvme/releases/tag/v1.14
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add the "Upstream:" link in patch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This configuration builds an image for the Compute Module 5 IO Board.
Note: Unlike the Raspberry Pi 5 and its dedicated debug uart connector,
the kernel console on Compute Module 5 IO Board is back to UART0
(ttyAMA0) on PIN8 (GPIO14, TX, yellow) and PIN10 (GPIO15, RX, orange) on
the 40-pin header, as the former version of the Raspberry Pi.
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Updating the hash of the WHENCE file, due to firmware additions and
firmware changes, but no changes to the redistribution/licensing
conditions.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog:
https://www.alsa-project.org/wiki/Changes_v1.2.13_v1.2.14#alsa-lib
Removed patch 0002 which is included in upstream release.
Remove Kconfig options for alisp which was removed upstream.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- move the legacy option to a new 2025.08 section
- add alsa-lib version in Congig.in.legacy comment
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For a long while now, we only support building GCC >= 8.x, so the
dependency of BR2_GCC_ENABLE_GRAPHITE on GCC >= 5.x is useless, drop
it, together with the corresponding Config.in comment.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The libcilkrts library was removed from gcc 8.x, and gcc 8.x is the
oldest version we allow building (to still support PowerPC SPE). So it
means the BR2_GCC_SUPPORTS_LIBCILKRTS is basically dead code because:
default y if !BR2_TOOLCHAIN_GCC_AT_LEAST_8
Will never evaluate to 'y' in current Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The hash for the GCC 10.4.0 tarball should have been removed a long
time ago, when support for GCC 10.x has been removed.
Fixes: d37a8f3a2e ("package/gcc: remove gcc 10.x")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that we have added support for GCC 15.x, made GCC 14.x the
default, let's drop support for GCC 12.x.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that GCC 15.x support has been added, follow our usual strategy of
making GCC 14.x the default GCC version.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog:
https://gcc.gnu.org/gcc-15/changes.html
NIOS II support has been removed, and we removed it from Buildroot
some time ago.
AArch64 ILP32 support has been deprecated, but we never supported it
in Buildroot.
In the stack of patches, just keep patch 0001.
Indeed, from 14.2.0:
- 0002-libsanitizer-also-undef-_TIME_BITS-in-sanitizer_proc.patch is
upstream as of commit fa321004f3f6288d3ee2eefa6b02177131882dca
- 0003-libquadmath-Fix-up-libquadmath-math-sqrtq.c-compilat.patch is
upstream as of commit 3ac02e67503ccffa3dfeeffc0a60fce6bdaca43b
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In order to add gcc 15 support in follow-up commits, introduce
BR2_TOOLCHAIN_GCC_AT_LEAST_15 symbol.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
