Since the llama.cpp update in Buildroot commit [1], the test_aichat can
fail for several reasons:
The loop checking for the llama-server availability can fail if curl
succeeds, but the returned json data is not formatted as expected.
This can happen if the server is ready but the model is not completely
loaded. In that case, the server returns:
{"error":{"message":"Loading model","type":"unavailable_error","code":503}}
This commit ignores Python KeyError exceptions while doing the
server test, to avoid failing if this message is received.
Also, this new llama-server version introduced prompt caching, which
uses too much memory. This commit completely disables this prompt
caching by adding "--cache-ram 0" in the llama-server options.
[1] 05c36d5d87
Signed-off-by: Julien Olivain <ju.o@free.fr>
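
Added example, not part of the commit or of Buildroot's test code: a readiness poll that treats the "Loading model" reply quoted above as "not ready yet" instead of failing on a KeyError. The "status"/"ok" ready reply, the function names and the scripted fetch are assumptions made for illustration; it goes slightly beyond the commit by also tolerating a body that is not JSON at all.

```python
import json
import time

# Reply quoted in the commit message above: sent while the model is loading.
LOADING_REPLY = ('{"error":{"message":"Loading model",'
                 '"type":"unavailable_error","code":503}}')
# Constructed "ready" reply; the "status" key and "ok" value are assumptions.
READY_REPLY = '{"status":"ok"}'


def reply_is_ready(body, key="status", expected="ok"):
    """Return True only if body is a JSON object whose `key` equals `expected`."""
    try:
        return json.loads(body)[key] == expected
    except KeyError:
        # Valid JSON object without the expected key, e.g. the 503 error reply.
        return False
    except (TypeError, ValueError):
        # Not a JSON object (list, number, None) or not JSON at all.
        return False


def wait_for_server(fetch, attempts=10, delay=0.0):
    """Call fetch() up to `attempts` times.

    Returns the 1-based attempt number on which the server answered ready,
    or None if it never did, so the caller can fail with a clear message.
    """
    for attempt in range(1, attempts + 1):
        if reply_is_ready(fetch()):
            return attempt
        time.sleep(delay)
    return None


def scripted_fetch(replies):
    """Stand-in for the HTTP request: yields constructed replies in order,
    then keeps repeating the last one."""
    remaining = iter(replies)
    last = [None]

    def fetch():
        last[0] = next(remaining, last[0])
        return last[0]

    return fetch


if __name__ == "__main__":
    # Empty body, then two "Loading model" replies, then ready.
    fetch = scripted_fetch(["", LOADING_REPLY, LOADING_REPLY, READY_REPLY])
    print("ready on attempt", wait_for_server(fetch))
    # A server that never finishes loading exhausts the attempts.
    print("never ready:", wait_for_server(scripted_fetch([LOADING_REPLY]), 5))
```
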
Release notes: https://github.com/ggml-org/llama.cpp/releases
Merge BR2_PACKAGE_LLAMA_CPP_SERVER into BR2_PACKAGE_LLAMA_CPP_TOOLS, as
both of these options must be enabled to build tools like llama-cli and
llama-server. See upstream commit [1].
Since the Buildroot option BR2_PACKAGE_LLAMA_CPP_SERVER is removed, this
commit also removes it from support/testing/tests/package/test_aichat.py
which was using it.
[1] a180ba78c7
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- reindent options in .mk
- remove BR2_PACKAGE_LLAMA_CPP_SERVER in test_aichat.py
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
drm_info is a small utility to dump info about DRM devices.
Link: https://gitlab.freedesktop.org/emersion/drm_info
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Julien:
- sort selected packages in Config.in alphabetically
- remove comment for license in hash file
- move "v" from _VERSION to _SITE
- switch _SITE to use gitlab release archives and add _SOURCE
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fix a silent build issue with the host-bootgen package if host-flex is already
built. The host-flex package will install a version of the flexlexer.h header
file that is not compatible with the version embedded in bootgen.
While the build will still 'succeed', the binary will not be correct. This
can be seen by just running the binary that is built. By default, running
bootgen without any parameters should print the help menu, but if the wrong
version of flexlexer.h is used, it will print the following instead:
$ output/host/bin/bootgen
****** Bootgen v2025.1-Merged
**** Build date : Mar 18 2026-07:08:01
** Copyright 1986-2022 Xilinx, Inc. All Rights Reserved.
** Copyright 2022-2025 Advanced Micro Devices, Inc. All Rights Reserved.
ERROR: syntax error
-h
Add a patch to the bootgen package that corrects the issue.
Upstream: CR to AMD jira
Signed-off-by: Neal Frager <neal.frager@amd.com>
Tested-by: Steven J. Hill <steven.hill@collins.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Backport a patch from Xen 4.21 to fix the following build errors for Arm v7
with gcc-15:
xen-4.14.6/xen/include/asm/platforms/midway.h:1: error: header guard '__ASM_ARM_PLATFORMS_MIDWAY_H' followed by '#define' of a different macro [-Werror=header-guard]
xen-4.14.6/xen/include/asm/platforms/omap5.h:1: error: header guard '__ASM_ARM_PLATFORMS_OMAP5_H' followed by '#define' of a different macro [-Werror=header-guard]
Since the external 32b arm toolchain has been updated to a version based on
gcc-15, the tests.package.test_xen.TestXenArmv7 python test does not build
anymore.
Adding the patch repairs it.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13518318473
Fixes: 86d453a7dc ("toolchain/toolchain-external/toolchain-external-arm-arm: bump to 15.2.rel1")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
Cc: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add myself to packages recently orphaned which I am going to continue.
Signed-off-by: Manuel Diener <manuel.diener@oss.othermo.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the imxrt1050-evk_defconfig (using U-Boot v2025.07 and
binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update the defconfig to use a more recent U-Boot v2026.01, to fix the
build and at the same time bump Linux to version 6.18.18.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/13476922027
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: fix defconfig name in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- bumps the Linux kernel to 6.18.18
- bumps the U-Boot to 2026.01
- switches to a stable glibc Bootlin external toolchain
- enables force hashes check
- enlarges the rootfs size to 256M
The updated U-Boot should also fix the CI build of the board.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/13458392713
Run-tested on the board.
Signed-off-by: Dong Wang <wangdong115@foxmail.com>
[Julien:
- remove .checkpackageignore entry to fix check-package error
- move uboot.hash in its correct directory
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- bumps the Linux kernel to 6.18.18
- bumps the U-Boot to 2026.01
- switches to a stable glibc Bootlin external toolchain
The updated U-Boot should also fix the CI build of the board.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/jobs/13458392712
Run-tested on the board.
Signed-off-by: Dong Wang <wangdong115@foxmail.com>
[Julien: add missing BR2_TARGET_UBOOT_NEEDS_GNUTLS=y]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This feature was made optional in mesa3d 25.2.0 as it is deprecated,
however some packages still require it so let's add a new config
option that those packages can select until they no longer require
this feature.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Add 'source' attribute to each CVE in vulnerabilities node, including NVD
URL reference to enable proper import into Dependency-Track.
Dependency-Track's VEX importer requires the source attribute to
properly process vulnerability entries. Without it, vulnerabilities are
skipped during import with "does not have an ID and / or source" warnings.
Include the full NVD URL following the CycloneDX 1.6 documentation format:
https://nvd.nist.gov/vuln/detail/{CVE-ID}
Test Environment:
- Buildroot: 2025.02.11 (or master)
- Dependency-Track: v4.13.6
Test Results - BEFORE (without source attribute):
apiserver_1 | 2026-02-23 16:05:40,890 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #0 does not have an ID and / or source; Skipping it
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #1 does not have an ID and / or source; Skipping it
...
apiserver_1 | 2026-02-23 16:05:40,941 WARN [CycloneDXVexImporter] VEX vulnerability at position #19 does not have an ID and / or source; Skipping it
apiserver_1 | 2026-02-23 16:05:40,941 INFO [CycloneDXVexImporter] The uploaded VEX does not contain any applicable vulnerabilities; Skipping VEX import
Test Results - AFTER (with source):
apiserver_1 | 2026-02-23 16:17:13,492 INFO [VexUploadProcessingTask] Processing CycloneDX VEX uploaded to project: e43fe185-c0a3-4e3a-a908-667344a66a9c
apiserver_1 | 2026-02-23 16:17:14,054 INFO [VexUploadProcessingTask] Completed processing of CycloneDX VEX for project: e43fe185-c0a3-4e3a-a908-667344a66a9c
CVEs are correctly imported in Dependency-Track
Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Acked-By: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
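
Added example, not part of the commit or of Buildroot's own scripts: a pre-upload check that lists the VEX entries an importer requiring both an id and a source would skip, and fills in the NVD source for CVE entries using the URL format given above. The sample document, its placeholder ids and bom-refs, and the function names are constructed for illustration; the skip rule is modelled on the warning text in the log above, not on Dependency-Track's code.

```python
import json
import re

NVD_URL = "https://nvd.nist.gov/vuln/detail/{}"
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed VEX fragment: ids, bom-refs and analysis states are placeholders.
SAMPLE_VEX = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "analysis": {"state": "not_affected"},
     "affects": [{"ref": "example-pkg-a"}]},
    {"id": "CVE-0000-0002",
     "source": {"name": "NVD",
                "url": "https://nvd.nist.gov/vuln/detail/CVE-0000-0002"},
     "analysis": {"state": "resolved"},
     "affects": [{"ref": "example-pkg-b"}]},
    {"id": "EXAMPLE-ADVISORY-1", "analysis": {"state": "in_triage"},
     "affects": [{"ref": "example-pkg-c"}]},
    {"analysis": {"state": "in_triage"},
     "affects": [{"ref": "example-pkg-d"}]}
  ]
}
"""


def load_sample():
    """Parse the constructed sample into a fresh dict."""
    return json.loads(SAMPLE_VEX)


def entries_importer_would_skip(bom):
    """Positions of vulnerabilities lacking an id and/or a source."""
    skipped = []
    for pos, vuln in enumerate(bom.get("vulnerabilities", [])):
        if not vuln.get("id") or not vuln.get("source"):
            skipped.append(pos)
    return skipped


def add_nvd_source(bom):
    """Add an NVD source to CVE entries that have none; return how many changed.

    Entries with an existing source are left alone, and so are entries whose
    id is missing or is not a CVE id: pointing those at NVD would be wrong.
    """
    changed = 0
    for vuln in bom.get("vulnerabilities", []):
        vid = vuln.get("id")
        if vuln.get("source") or not isinstance(vid, str):
            continue
        if not CVE_ID.fullmatch(vid):
            continue
        vuln["source"] = {"name": "NVD", "url": NVD_URL.format(vid)}
        changed += 1
    return changed


if __name__ == "__main__":
    bom = load_sample()
    print("skipped before:", entries_importer_would_skip(bom))
    print("sources added: ", add_nvd_source(bom))
    print("skipped after: ", entries_importer_would_skip(bom))
```

Entries still listed after the fix-up (a non-CVE id, a missing id) need a manual decision before upload.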
The 2025.11.x series was dropped with the 2026.02 release, so
(temporarily) re-add it. It will be dropped again with the 2026.02.1
release.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Following changes made it into the release:
Joris van Rantwijk (1):
Fix adjtimex() with TIME64
Waldemar Brodkorb (8):
sys/stat.h: remove _STAT_VER/_MKNOD_VER
fix gettid() declaration
add statx syscall wrapper
sparc: add optimize build support for leon3
sparc: sync with Linux kernel definition, fixes gdb compile
fix compile error on earlier Kernels predating statx
select: fix compilation failure with very old kernel
bump version for 1.0.57 release
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
uclibc 1.0.57 added a statx() syscall wrapper in upstream commit [1].
zfs fails to build with uclibc 1.0.57 (not yet in Buildroot), because:
1. uclibc <fcntl.h> internally includes <sys/stat.h>, and
2. a zfs test redefines a statx() wrapper with a slightly different
prototype.
In that case, zfs fails to compile with error:
tests/zfs-tests/cmd/statx.c:58:1: error: conflicting types for 'statx'; have 'int(int, const char *, int, unsigned int, void *)'
Issue has been reported upstream at [2].
This commit adds a package patch to fix that issue.
[1] d3a819aff2
[2] https://github.com/openzfs/zfs/pull/18316
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the iot-gate-imx8_ebbr_defconfig (using U-Boot v2025.07 and
binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update the defconfig to use a more recent U-Boot v2026.01, to fix the
build.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13476922237 [1]
Fixes: 51365ff063 ("package/python-setuptools: bump to version 82.0.0")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
[Julien: update custom uboot.hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python setuptools has removed the obsolete pkg_resources python module in
v82.0.0. This module is used by the binman command in U-Boot until
v2025.10.
Since the python-setuptools package has been updated to v82.0.0 in
Buildroot, the python test tests.boot.test_atf.TestATFAllwinner (using
U-Boot v2023.10 and binman) fails to build with the following error [1]:
ModuleNotFoundError: No module named 'pkg_resources'
Update test_atf to use a more recent U-Boot v2026.01 (and add the
dependency on GNU TLS), to fix the build.
Link: https://gitlab.com/buildroot.org/buildroot/-/jobs/13500946337 [1]
Fixes: 51365ff063 ("package/python-setuptools: bump to version 82.0.0")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Upstream removed the old license file
772c03afe1
and added a new one
5634c661b8
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: remove LICENSE.txt entry in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM external toolchain to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Verified by booting on a default Qemu configuration.
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM aarch64-be external toolchains to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
[Julien: add newline at end of file to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Update the ARM aarch64 external toolchain to the latest 15.2.rel1
release from ARM.
This involves:
- Updating the version, site URL, and source filename in .mk
- Updating the SHA256 hash in .hash
- Updating the display name and GCC version dependency in Config.in
Verified by booting on a default Qemu configuration.
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The host mkfs.xfs is needed to create XFS root filesystems
in Buildroot.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Remove incorrect $BINARIES_DIR reference from the symbolic link creation to
make a relative path and not an absolute path.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Backport upstream patches to fix a silent crash in U-Boot on
STM32MP135F-DK.
Fixes:
799d184e89
Signed-off-by: Thomas Richard <thomas.richard@bootlin.com>
[Romain: add Fixes link]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Specifying a list of br2-external trees is poorly documented, and the
only example uses a colon to separate the br2-external paths.
Adding the support for colon-separated list is the biggest mistake that
was made when introducing support for multiple br2-external [0]. Indeed,
both space and colon can be used to separate entries in the list, and it
is also possible to mix the two. However, internally, the list is stored
as a space-separated list, and all the code will split on spaces.
Besides, all other lists in Buildroot are space-separated:
BR2_ROOTFS_DEVICE_TABLE
BR2_ROOTFS_STATIC_DEVICE_TABLE
BR2_TARGET_TZ_ZONELIST
BR2_ROOTFS_USERS_TABLES
BR2_ROOTFS_OVERLAY
BR2_ROOTFS_PRE_BUILD_SCRIPT
BR2_ROOTFS_POST_BUILD_SCRIPT
BR2_ROOTFS_POST_FAKEROOT_SCRIPT
BR2_ROOTFS_POST_IMAGE_SCRIPT
...
So, using colons is odd.
The fact that BR2_EXTERNAL is passed on the command line rather than
being a Kconfig item is not a reason enough to justify that it be
colon-separated.
Change the documentation to only mention using a space-separated list.
Of course, for backward compatibility, we keep the code as-is to accept
a colon-separated list, but we just do not advertise it.
Note that keeping the split on colons means that colons are not accepted
in pathnames of br2-external trees; in practice, this is not a new
restriction, or one that could lift as using colons in Makefiles is
problematic anyway.
[0] in 20cd497387 core: add support for multiple br2-external trees
Reported-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Reported-by: Brandon Maier <Brandon.Maier@collins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Boring changes: either do what shellcheck suggested, or comment why we
don't want to fix the code.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The trap was initially introduced in c5fa9308ea (core/br2-external:
properly report unexpected errors), in 2017, to catch all unexpected
errors, back when a single file was generated, and errors emitted to
stderr.
Since commit d027cd75d0 (core: generate all br2-external files in
one go), in 2019 the single output file 'ofile' is no longer created,
as multiple output files were then introduced, while messages for
*expected errors* were redirected to a Makefile variable assignment
emitted on stdout, at which point the script just exits (in error);
expected failures only occur in do_validate().
Unexpected errors can only occur on failure to create, or write to,
output files, either '.br2-external.mk' in do_validate() or do_mk(),
or any of the kconfig fragments in do_kconfig(). Cause for failure to
create those can only be a no-space-left-on-device condition, as they
are created in a directory that was just created by the script earlier
in main(), and thus has the necessary mode; failure to create that
directory is now caught explicitly.
A trap on ERR is not called when the shell exits explicitly with a call
to 'exit', thus, only failures to create or write to output file would
be caught. In that case, we are better off not trying to write to those
files anyway: failure to create the file would already be reported by
the shell on stderr, while disk-full would not allow to store the output
anyway...
In any case, the script exits in error, which is going to be caught by
the caller, which will terminate.
So, drop the trap altogether.
As a side effect, that squelches a shellcheck error.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
That plugin can be used instead of the builtin support to persist the
mosquitto state across restarts.
Note that this plugin has a dependency, so we don't use the $(if)
one-liner.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Until version 2.0.x, support for using static password or ACL files, was
builtin to the broker. With version 2.1.x, two new plugins have been
introduced to replace the builtin support, which is now deprecated and
will get removed in the next version.
Add two new configuration options for those plugins.
We decided to do a single commit, rather than one per option, because
they are relatively tied together (ACL needs passwords, at least).
We also choose to make those options enabled by default, because the
traditional way to configure mosquitto is to use static files for
authentication and authorization, and the builtin support is now
deprecated in favour for the plugins.
The usual ifeq-else-endif conditional block is a bit verbose when just
setting an option ON or OFF, when no additional dependency is needed.
Instead, use the not-unusual $(if)-inline one-liner. For consistency,
switch the existing dynamic-security plugin to use that one-liner too.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The mosquitto broker (not the library) can have listeners configured to
serve HTTP requests; it can optionally accept (some) HTTP API requests
on such listeners.
Add a new option to enable the availability of http_api.
Note that we do not just depend on libmicrohttpd to be enabled, because
the HTTP API is a security boundary, and enabling it must be an explicit
decision.
Co-developped-by: Titouan Christophe <titouan.christophe@mind.be>
[yann.morin@orange.com: make it an explicit option]
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Mosquitto 2.1.x adds the possibility to use a builtin websocket
implementation, as an alternative to using libwebsockets.
When using libwebsockets as the implementation, only the broker supports
websockets, and CLI tools do not; only when using the builtin one are
websockets usable with CLI tools (and the broker, of course).
Add a choice to select what type of websockets support to enable, if
any. Since the builtin implementation is still new, we keep the
libwebsockets one available.
Since this inverts the dependency logic to libwebsockets, we can't
provide a backward compatibility with existing (def)config files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
mosquitto_{ctrl,db_dump,passwd,signal} can be handy to interact with
the mosquitto broker during development, but are usually unnecessary
on the target.
Add an option to enable or disable them. Make that new option enabled
by default when the broker is enabled, to keep backward compatibility
with previous (def)config files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Fiona Klute <fiona.klute@gmx.de>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
mosquitto_pub/sub/rr can be handy to test a broker from the command
line, but they can get superfluous when only the broker is required
on the target.
Add an option to enable or disable them. Make that new option enabled
by default to keep backward compatibility with previous (def)config
files.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Version 2.1.x has introduced a cmake-based build, and upstream strongly
recommends using it over the legacy Makefiles, which will ultimately be
retired.
So we do the switch, which causes quite some noise in the .mk file, but
at the same time allows for a bit of cleanup in the build process, as we
can now use the cmake-package infra.
Mosquitto now wants to peek into the malloc() internals for memory
tracking, and that only works on systems with an MMU (uClibc-ng does not
expose it for noMMU builds, as it's part of its malloc-standard
implementation).
Static-only builds are broken, even when only building the library. This
seems beyond a simple repair, so just require shared libs now (since
we're requiring an MMU as well, requiring shared libs is not too much of
an additional burden).
cJSON is now a required dependency, used in common parts of the code
(not just for the plugins).
There are a few options that we forcibly disable; they'll get addressed
in followup patches.
There are still a few build failures that are difficult to account for
(except):
$ printf 'BR2_PACKAGE_MOSQUITTO=y\n' >mosq.cfg
$ ./utils/docker-run ./utils/test-pkg -d $(pwd)/run-tests -c mosq.cfg -p mosquitto
br-arm-full-static [5/6]: FAILED
=> old uClibc-ng, would need __GNU_SOURCE (with dunder) to define
getrandom(); no longer needed since uClibc-ng 1.0.50; would need
openssl otherwise
bootlin-aarch64-glibc-old [6/6]: FAILED
=> really old glibc, missing getrandom(); would need openssl
Drop our existing patches, they've either been applied upstream, or are
no longer needed. Add new patches to fix various build issues
(submission upstream pending the signature of the CLA...).
Thanks a lot to Titouan for providing his initial work on the update!
Some of his findings ended up in this patch. 👍
Note: by lack of a trusted path back to the PGP key that signed the
archive, the comment was dropped, as checking a signature without a
trust-chain does not make much sense...
Co-developped-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Cc: Titouan Christophe <titouan.christophe@mind.be>
[Romain: remove "mosquitto broker" comment for static builds]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Updating the hash of the WHENCE file, due to firmware additions and
firmware changes, but no changes to the redistribution/licensing
conditions.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://curl.se/ch/8.19.0.html
https://curl.se/docs/security.html
Fixes the following CVEs:
CVE-2026-3805: use after free in SMB connection reuse
CVE-2026-3784: wrong proxy connection reuse with credentials
CVE-2026-3783: token leak with redirect and netrc
CVE-2026-1965: bad reuse of HTTP Negotiate connection
Switch to sha256 tarball hash provided by upstream.
Updated license hash due to copyright year bump:
e83c82f05f
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add back pgp signature info in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Building Go 1.26 and later requires Go 1.24.6 or later for bootstrap.
To support this we use Go version 1.25.8 as the version for
go-bootstrap-stage5 and have the build for Go 1.26.1 depend on
go-bootstrap-stage5.
Go version 1.25.8 is the latest Go version we can build using
go-bootstrap-stage4.
The package build for go-bootstrap-stage5 is effectively identical to
go-bootstrap-stage4 with only the Go version and stage number changed.
Go 1.28 is expected to require a minor release of Go 1.26 for bootstrap.
Fixes the following security vulnerabilities:
- CVE-2026-25679: net/url: reject IPv6 literal not at start of host
- CVE-2026-27142: html/template: URLs in meta attribute actions not escaped
- CVE-2026-27137: crypto/x509: incorrect enforcement of email constraints
- CVE-2026-27138: crypto/x509: panic in name constraint checking: certificates
- CVE-2026-27139: os: FileInfo can escape from a Root
For full release notes, see:
https://go.dev/doc/devel/release#go1.26.0
Signed-off-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit switches the aarch64_efi_defconfig to an external glibc
stable Bootlin toolchain, to follow recommendation from [1].
Since an external toolchain is used, the linux-headers.hash custom
hash file is no longer needed and is removed.
[1] https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.10 to 6.18.16
- updates U-Boot from 2024.07 to 2026.01
- updates arm-trusted-firmware from v2.11 to v2.12 LTS
- switches to Bootlin external glibc stable toolchain
Replace OP-TEE TEE binary file tee-pager_v2.bin by tee-raw.bin using
the new option BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN.
Remove unused linux-headers.hash since we now use a prebuilt toolchain.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Replace OP-TEE TEE binary file tee-pager_v2.bin by tee-raw.bin using
the new option BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN.
Remove unused linux-headers.hash since we use a prebuilt toolchain.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
There was a previous attempt in commit [1] to bump the kernel to 6.18
but the SD card failed at boot. It seems the actual issue is related to
the "cheap" (or fake?) SD card with SD UHS SDR50 speed.
This offending SD card comes from a lot recently purchased in order to
fix my “Too many boards, not enough SD cards” issue.
[1] 4abb8a98b2
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit [1] updated arm-trusted-firmware to v2.12 LTS without
removing the custom file hash.
While at it, remove unused linux-headers.hash since we already use a
prebuilt toolchain.
[1] 4abb8a98b2
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This defconfig uses BR2_TARGET_UBOOT_CUSTOM_MAKEOPTS to provide the path
to the TEE in raw binary format but uses the legacy file name
"tee-pager_v2.bin" rather than the recommended "tee-raw.bin" [1][2].
Instead of just replacing the file name, use the newly introduced
BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE_RAW_BIN option. Since this option
needs BR2_TARGET_UBOOT_NEEDS_OPTEE_TEE, we now have an explicit
dependency between u-boot and optee-os package.
Previously we had an indirect dependency: optee-os <- ATF <- u-boot
with both BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE and
BR2_TARGET_UBOOT_NEEDS_ATF_BL31 options enabled at the same time.
[1] 376cb124dd
[2] 4e0b8238ee
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
OP-TEE generates a few binaries that can be used by u-boot on some
platforms (Rockchip, Texas Instruments K3) using TEE variable.
Add a link to the OP-TEE documentation where we can easily find the
description for each TEE format that can be used by u-boot.
For convenience, copy tee.elf and tee.bin description in each option
choice help text.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Remove myself from packages that I'm no longer personally interested in.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Subproject tarballs are not provided anymore:
https://discourse.llvm.org/t/llvm-22-1-0-released/89950
"Please note since the last release the subproject tarballs have been
removed"
https://discourse.llvm.org/t/rfc-do-something-with-the-subproject-tarballs-in-the-release-page/75024/14
Used upstream tarball llvm-project-22.1.0.src.tar.xz for all packages
and linked subproject hash files to ../llvm-project.hash.
Removed patches which fix build errors caused by subproject tarballs.
Removed handling of third-party-21.1.8.src.tar.xz which is included in
the monolithic tarball.
Added _SUBDIR variable or updated _INSTALL_CMDS when needed.
For compiler-rt:
Removed both patches, they are not needed anymore.
Added patch to fix aarch64 build.
Added dependency on gcc >= 15.x because libcxx now depends on gcc >=
15.x: https://github.com/llvm/llvm-project/pull/165684
warning "Libc++ only supports GCC 15 and later"
Building with gcc 14.x causes many build errors like
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/is_array.h:43:68:
error: expected primary-expression before ')' token
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/is_array.h:43:44:
error: there are no arguments to '__is_unbounded_array' that depend on
a template parameter, so a declaration of '__is_unbounded_array' must
be available [-fpermissive]
output/build/compiler-rt-22.1.0/compiler-rt/buildroot-build/lib/fuzzer/libcxx_fuzzer_x86_64/build/include/c++/v1/__type_traits/decay.h:22:32:
error: expected type-specifier before '__decay'
A corresponding bug report sent upstream
https://github.com/llvm/llvm-project/issues/174203
was answered:
https://github.com/llvm/llvm-project/issues/174203#issuecomment-3711113919
"Our policy is rather clear: Only the latest GCC is supported."
and an update to supported compiler versions was committed:
d1146b1ddd
Updated TestClangCompilerRT to use a gcc 15-based toolchain.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit will also switch to the Bootlin glibc stable toolchain.
Switch to Bootlin glibc stable toolchain as requested by the 2024
Buildroot meeting report:
https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Signed-off-by: Scott Fan <fancp2007@gmail.com>
[Julien:
- remove no longer needed linux-headers.hash
- change comment in linux.hash to take hash from upstream
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
FTXUI is a simple cross-platform C++ library for terminal
based user interfaces.
Signed-off-by: Gilles Talis <gilles.talis@gmail.com>
[Julien: remove FTXUI_SOURCE to use the default archive name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Replaced install_prefix with DESTDIR in _INSTALL_TARGET_OPTS following
changes in upstream Makefiles, for example:
acb9dd88dc (diff-d56275146b88014f5017f78d3eb4ccdb545c8b82d94877b09ef33bac8f228414L13)
Build-tested using this defconfig
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XSCREENSAVER=y
arm-aarch64 [ 1/32]: OK
bootlin-aarch64-glibc [ 2/32]: OK
bootlin-aarch64-glibc-old [ 3/32]: SKIPPED
bootlin-arcle-hs38-uclibc [ 4/32]: OK
bootlin-armv5-uclibc [ 5/32]: OK
bootlin-armv7-glibc [ 6/32]: OK
bootlin-armv7m-uclibc [ 7/32]: SKIPPED
bootlin-armv7-musl [ 8/32]: OK
bootlin-m68k-5208-uclibc [ 9/32]: SKIPPED
bootlin-m68k-68040-uclibc [10/32]: OK
bootlin-microblazeel-uclibc [11/32]: SKIPPED
bootlin-mips64el-glibc [12/32]: OK
bootlin-mipsel32r6-glibc [13/32]: OK
bootlin-mipsel-uclibc [14/32]: OK
bootlin-openrisc-uclibc [15/32]: OK
bootlin-powerpc64le-power8-glibc [16/32]: OK
bootlin-powerpc-e500mc-uclibc [17/32]: OK
bootlin-riscv32-glibc [18/32]: OK
bootlin-riscv64-glibc [19/32]: OK
bootlin-riscv64-musl [20/32]: OK
bootlin-s390x-z13-glibc [21/32]: OK
bootlin-sh4-uclibc [22/32]: OK
bootlin-sparc64-glibc [23/32]: OK
bootlin-sparc-uclibc [24/32]: SKIPPED
bootlin-x86-64-glibc [25/32]: OK
bootlin-x86-64-musl [26/32]: OK
bootlin-x86-64-uclibc [27/32]: OK
bootlin-x86-i686-musl [28/32]: OK
bootlin-xtensa-uclibc [29/32]: OK
br-arm-basic [30/32]: SKIPPED
br-arm-full-nothread [31/32]: SKIPPED
br-arm-full-static [32/32]: SKIPPED
32 builds, 8 skipped, 0 build failed, 0 legal-info failed, 0 show-info failed
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes build error with gcc 9.x:
output/build/libheif-1.21.1/libheif/nclx.h:128:50: error:
'bool nclx_profile::operator==(const nclx_profile&)
const' cannot be defaulted
using this defconfig:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-static-2020.11.2.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_9=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_4=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
# BR2_TOOLCHAIN_EXTERNAL_HAS_THREADS_DEBUG is not set
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_STATIC_LIBS=y
BR2_PACKAGE_LIBHEIF=y
According to https://github.com/strukturag/libheif/issues/1615#issuecomment-3457979167
gcc >= 10 with support for C++20 is needed for the package.
The failing code was introduced upstream in version 0.21.0 with commit
a62f933e38
which was added to buildroot with commit
a8aed698c7.
Also removed -std=c++11 from CXXFLAGS.
The build error was not yet recorded by the autobuilders.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 72c7d99e22 switched the
build system to meson which causes an error during configure:
output/build/libvips-8.17.2/meson.build:108:4:
ERROR: Problem encountered: GModule is not supported on your system,
please reconfigure with -Dmodules=disabled
using this defconfig:
BR2_arm=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://autobuild.buildroot.org/toolchains/tarballs/br-arm-full-static-2020.11.2.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_9=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_4=y
BR2_TOOLCHAIN_EXTERNAL_LOCALE=y
# BR2_TOOLCHAIN_EXTERNAL_HAS_THREADS_DEBUG is not set
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_STATIC_LIBS=y
BR2_PACKAGE_LIBVIPS=y
Added configure options for -Dmodules to fix the problem which was not
yet caught by the autobuilders.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
These modules were dropped in Python 3.13 as per PEP 594.
The current version in Buildroot is 3.14.3.
- Remove the TODO and related config overrides in python3.mk.
- Remove BR2_PACKAGE_PYTHON3_OSSAUDIODEV from Config.in.
- Add BR2_PACKAGE_PYTHON3_OSSAUDIODEV to Config.in.legacy.
See [1] [2] [3].
[1] https://peps.python.org/pep-0594/
[2] fc07fe4e37
[3] 17e1fe0f9b
Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
[Julien:
- add links in commit log
- move legacy option in 2026.05 section
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a035a0f99f bumped the
package to 6.0.2 which includes upstream commit
e806051f40
that adds optional support for libkrb5, enabled by default.
When building without libkrb5 we need to disable its support to avoid
a configure error:
configure: Build with gssapi_krb5 support
checking for gssapi/gssapi.h... no
configure: error: You need gssapi development files to compile libsmb2.
Fixes:
https://autobuild.buildroot.net/results/166/166fb283ef8830930ce191b4418d01e6c82176f5/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop no longer required python-pytz runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://codeberg.org/tenacityteam/libid3tag/releases/tag/0.16.4
"We now provide our own source packages instead of using Codeberg's
pre-generated sources, guaranteeing that the hash won't change."
Removed patches which are included in this bump.
Used tarball and its hashes provided by upstream.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
sntp/crypto.c includes sntp/config.h, then sntp/crypto.h which includes
ntp_stdlib.h which in turn includes l_stdlib.h that contains
#ifndef HAVE_MEMCHR
extern void *memchr(const void *s, int c, size_t n);
#endif
and breaks the build with glibc 2.43.
sntp/config.h does not contain any information about memchr() while the
top-level config.h does but this top-level config.h is not included
because sntp/Makefile lacks -I$(top_builddir) so sntp/config.h gets
included which does not define HAVE_MEMCHR although glibc does provide
memchr() but sntp/configure lacks a check for memchr().
This was not a problem with previous glibc versions but due to recent
C23 changes in glibc the ntp build is now broken.
To fix the problem we add a configure check for memchr() to
sntp/configure so HAVE_MEMCHR gets defined in sntp/config.h.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The artifacts URL has been moved to https and domain to .org to
improve security and avoid redirection issues. This ensures that
downloads of kernels and rootfs images during runtime tests are
encrypted and verified.
The change has been tested by running a runtime test, confirming the
correct download and renaming of artifacts from the new URL:
Downloading to .../tmpyotq8uor
Renaming from .../tmpyotq8uor to .../kernel-versatile-5.10.202
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With U-Boot 2022.04 gnutls is required for building the host tool
mkeficapsule.
mkeficapsule tool is built by default if EFI_LOADER is set since u-boot
2024.10 [1].
Thus the BR2_TARGET_UBOOT_NEEDS_GNUTLS config is needed.
This commit also updates the defconfig to the new convention:
- It adds custom hashes, enables BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and
BR2_GLOBAL_PATCH_DIR="board/khadas/vim3/patches" to store the files.
[1] b7a625b1ce
Signed-off-by: Dowan Gullient <dowan.gullient@smile.fr>
[Julien:
- squashed linux and u-boot bumps
- change linux.hash comment reuse hashes published upstream
- increase BR2_TARGET_ROOTFS_EXT2_SIZE to 256M
- remove partition size constraint in genimage.cfg
- remove .checkpackageignore entry to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit [1] was applied without fixing the edk2-platform patch
newlines which are changed by the mailing list. As a result,
the patch fails to apply.
This commit fixes the issue.
[1] 21baec5ef5
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since edk2-stable202508, see:
https://github.com/tianocore/edk2/releases/tag/edk2-stable202511
This commit also updates the edk2-platforms packages with the last
commit merged at the edk2 release date (2025-11-19), which corresponds
to commit [1].
The edk2-non-osi package is also updated the same way, which
corresponds to commit [2].
This commit also adds an edk2-platforms package patch to fix a Marvell
build failure seen with the SolidRun MacchiatoBin platform.
This commit has been runtime tested with tests using EDK2 package,
with commands:
support/testing/run-tests \
-d dl -o output_folder \
tests.boot.test_edk2 \
tests.boot.test_grub.TestGrubAArch64EFI \
tests.boot.test_grub.TestGrubRiscV64EFI \
tests.boot.test_grub.TestGrubX8664EFI \
tests.package.test_fwts
It has also been runtime tested (by booting in qemu) with defconfigs
using EDK2 package:
qemu_aarch64_sbsa_defconfig
qemu_loongarch64_virt_efi_defconfig
qemu_riscv64_virt_efi_defconfig
qemu_x86_64_efi_defconfig
[1] 1e64c1109a
[2] 94d0489811
Cc: Dick Olsson <hi@senzilla.io>
Cc: Romain Naour <romain.naour@smile.fr>
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
EDK2 removed OVMF IA32 support in commit [1], which is included in
version edk2-stable202511. This commit removes the test relying on it.
[1] 1fb88ffe28
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
EDK2 removed OVMF IA32 support in commit [1], which is included in
version edk2-stable202511. This commit removes tests relying on it.
[1] 1fb88ffe28
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
While there is only one CVE number assigned (CVE-2025-14523) for one of
the patches included in this release, the bulk of the changes are
security fixes.
Release notes may be found at:
25eac15300
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-14523
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The zjit option introduces a rust dependency and due to that not
being handled appropriately it can cause build failures if this
feature gets incorrectly autodetected as being available.
This feature was introduced when ruby was bumped to version 4.0.0
in f594f86f9d.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that custom arm-trusted-firmware versions can specify license files, add
license file hashes for the Xilinx custom arm-trusted-firmware version.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that custom Linux versions can specify license files, add license file
hashes for the Xilinx custom Linux version.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 127f36b406 ("package/ruby: bump to version 4.0.1") adjusted
RUBY_VERSION_EXT, but ruby 4.0.1 still installs its extensions into the
4.0.0 subdir:
ls target/usr/lib/ruby/
4.0.0 site_ruby vendor_ruby
So revert the RUBY_VERSION_EXT change to ensure the unneeded extensions are
correctly removed.
Signed-off-by: William Sherrer <william@sherrer.com>
[Peter: significantly extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patches mostly backported with the basis of the work of Ubuntu Security
team. See [1].
Fix the following vulnerabilities:
- CVE-2024-32661:
FreeRDP is a free implementation of the Remote Desktop Protocol.
FreeRDP based clients prior to version 3.5.1 are vulnerable to a
possible `NULL` access and crash. Version 3.5.1 contains a patch for
the issue. No known workarounds are available.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-32661
- CVE-2026-23530:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate
`nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before
RLE decode. A malicious server can trigger a client‑side heap buffer
overflow, causing a crash (DoS) and potential heap corruption with
code‑execution risk depending on allocator behavior and surrounding
heap layout. Version 3.21.0 contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23530
- CVE-2026-23531:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, in ClearCodec, when `glyphData` is present,
`clear_decompress` calls `freerdp_image_copy_no_overlap` without
validating the destination rectangle, allowing an out-of-bounds
read/write via crafted RDPGFX surface updates. A malicious server can
trigger a client‑side heap buffer overflow, causing a crash (DoS) and
potential heap corruption with code‑execution risk depending on
allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23531
- CVE-2026-23532:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between
destination rectangle clamping and the actual copy size. A malicious
server can trigger a client‑side heap buffer overflow, causing a crash
(DoS) and potential heap corruption with code‑execution risk depending
on allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23532
- CVE-2026-23533:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
RDPGFX ClearCodec decode path when maliciously crafted residual data
causes out-of-bounds writes during color output. A malicious server
can trigger a client‑side heap buffer overflow, causing a crash (DoS)
and potential heap corruption with code‑execution risk depending on
allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23533
- CVE-2026-23534:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to version 3.21.0, a client-side heap buffer overflow occurs in the
ClearCodec bands decode path when crafted band coordinates allow
writes past the end of the destination surface buffer. A malicious
server can trigger a client‑side heap buffer overflow, causing a crash
(DoS) and potential heap corruption with code‑execution risk depending
on allocator behavior and surrounding heap layout. Version 3.21.0
contains a patch for the issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23534
- CVE-2026-23948:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, a NULL pointer dereference vulnerability in
rdp_write_logon_info_v2() allows a malicious RDP server to crash
FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with
cbDomain=0 or cbUserName=0. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-23948
- CVE-2026-24675:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, urb_select_interface can free the device's MS config on
error but later code still dereferences it, leading to a use after
free in libusb_udev_select_interface. This vulnerability is fixed in
3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24675
- CVE-2026-24676:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, AUDIN format renegotiation frees the active format list
while the capture thread continues using audin->format, leading to a
use after free in audio_format_compatible. This vulnerability is fixed
in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24676
- CVE-2026-24679:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, the URBDRC client uses server-supplied interface numbers as
array indices without bounds checks, causing an out-of-bounds read in
libusb_udev_select_interface. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24679
- CVE-2026-24681:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, asynchronous bulk transfer completions can use a freed
channel callback after URBDRC channel close, leading to a use after
free in urb_write_completion. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24681
- CVE-2026-24682:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, audin_server_recv_formats frees an incorrect number of
audio formats on parse failure (i + i), leading to out-of-bounds
access in audio_formats_free. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24682
- CVE-2026-24683:
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior
to 3.22.0, ainput_send_input_event caches channel_callback in a local
variable and later uses it without synchronization; a concurrent
channel close can free or reinitialize the callback, leading to a use
after free. This vulnerability is fixed in 3.22.0.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24683
[1] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/freerdp2/2.6.1+dfsg1-3ubuntu2.10/freerdp2_2.6.1+dfsg1-3ubuntu2.10.debian.tar.xz
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-62168:
Squid is a caching proxy for the Web. In Squid versions prior to 7.2,
a failure to redact HTTP authentication credentials in error handling
allows information disclosure. The vulnerability allows a script to
bypass browser security protections and learn the credentials a
trusted client uses to authenticate. This potentially allows a remote
client to identify security tokens or credentials used internally by a
web application using Squid for backend load balancing. These attacks
do not require Squid to be configured with HTTP authentication. The
vulnerability is fixed in version 7.2. As a workaround, disable debug
information in administrator mailto links generated by Squid by
configuring squid.conf with email_err_data off.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-62168
- 0951a06810
The backport has been compared against debian patch [1].
[1] https://sources.debian.org/src/squid/6.13-2%2Bdeb13u1/debian/patches/CVE-2025-62168.patch
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For changes, see:
- https://github.com/vim/vim/compare/v9.1.2017...v9.1.2148
Fixes the following vulnerabilities:
- CVE-2026-25749:
Vim is an open source, command line text editor. Prior to version
9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag
file resolution logic when processing the 'helpfile' option. The
vulnerability is located in the get_tagfname() function in src/tag.c.
When processing help file tags, Vim copies the user-controlled
'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1
bytes (typically 4097 bytes) using an unsafe STRCPY() operation
without any bounds checking. This issue has been patched in version
9.1.2132.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-25749
- 0714b15940
- CVE-2026-26269:
Vim is an open source, command line text editor. Prior to 9.1.2148, a
stack buffer overflow vulnerability exists in Vim's NetBeans
integration when processing the specialKeys command, affecting Vim
builds that enable and use the NetBeans feature. The Stack buffer
overflow exists in special_keys() (in src/netbeans.c). The while
(*tok) loop writes two bytes per iteration into a 64-byte stack buffer
(keybuf) with no bounds check. A malicious NetBeans server can
overflow keybuf with a single specialKeys command. The issue has been
fixed as of Vim patch v9.1.2148.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-26269
- c5f312aad8
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 3d2141bcee ("support/testing/run-tests: specify multiprocessing
method") added a call to multiprocessing.set_start_method('fork') as a
workaround for python 3.14, which changed the default start method to
forkserver, which is incompatible with the nose2 setup.
multiprocessing.set_start_method() is only supposed to be called a maximum
of 1 time per process and throws a RuntimeError if called more than that
(even with the same arguments):
>>> import multiprocessing
>>> multiprocessing.set_start_method('fork')
>>> multiprocessing.set_start_method('fork')
Traceback (most recent call last):
File "<python-input-2>", line 1, in <module>
multiprocessing.set_start_method('fork')
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
File "/usr/lib/python3.13/multiprocessing/context.py", line 247, in set_start_method
raise RuntimeError('context has already been set')
Debian included a similar patch in python3-nose2 0.51.1-2 (currently in
testing/unstable) which adds its own call to set_start_method():
https://salsa.debian.org/python-team/packages/nose2/-/blob/debian/0.15.1-2/debian/patches/0004-plugins-mp-set-context-to-fork-for-Python-3.14-mp-AP.patch?ref_type=tags
Which comes from:
https://github.com/nose-devs/nose2/pull/644
As discussed in the upstream PR, this is not a correct fix and
breaks various use cases. An issue has been opened to get this fixed in the
Debian packaging at:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129350
But until that is done, rework the patch to:
- Only override set_start_method() if needed to limit impact
- Monkey patch set_start_method() so additional calls are ignored
To unbreak run-test on affected Debian systems and add some documentation to
make it clear why this is done.
[Peter: use allow_none / force optional arguments as pointed out by Julien]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
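The behaviour described in the commit message above, as an added sketch that is not the Buildroot patch or nose2 code. pin_start_method() and replay_double_call() are hypothetical names, and this version ignores only repeated requests for the same method while letting conflicting requests fail as before.

```python
import multiprocessing

# Bound method of the default context, kept so the wrapper can delegate to it.
_ORIGINAL = multiprocessing.set_start_method


def pin_start_method(wanted="fork"):
    """Select `wanted` once, then make repeated requests for it no-ops.

    Returns the start method in effect afterwards.
    """
    # allow_none=True reports None while nothing is selected yet; a plain
    # get_start_method() would lock in the platform default as a side effect.
    current = multiprocessing.get_start_method(allow_none=True)
    if current != wanted:
        # force=True replaces a context that an earlier import may have fixed.
        _ORIGINAL(wanted, force=True)

    def tolerant_set_start_method(method, force=False):
        active = multiprocessing.get_start_method(allow_none=True)
        if not force and method == active:
            return  # same method requested again: ignore, no RuntimeError
        _ORIGINAL(method, force=force)  # anything else keeps stock behaviour

    # Only callers that look the function up on the module see this wrapper;
    # an earlier "from multiprocessing import set_start_method" does not.
    multiprocessing.set_start_method = tolerant_set_start_method
    return multiprocessing.get_start_method()


def replay_double_call(wanted="fork", other="spawn"):
    """Replay the double call from the traceback, before and after pinning."""
    results = {}
    try:
        _ORIGINAL(wanted, force=True)
        try:
            _ORIGINAL(wanted)  # stock behaviour: the second call fails
            results["stock_repeat"] = "accepted"
        except RuntimeError as exc:
            results["stock_repeat"] = str(exc)

        results["pinned"] = pin_start_method(wanted)
        multiprocessing.set_start_method(wanted)  # second caller, now ignored
        results["after_repeat"] = multiprocessing.get_start_method()

        try:
            multiprocessing.set_start_method(other)  # conflicting request
            results["conflict"] = "accepted"
        except RuntimeError as exc:
            results["conflict"] = str(exc)
        results["after_conflict"] = multiprocessing.get_start_method()
    finally:
        # Undo the monkey patch so the demonstration leaves no trace.
        multiprocessing.set_start_method = _ORIGINAL
    return results


if __name__ == "__main__":
    for key, value in replay_double_call().items():
        print(f"{key}: {value}")
```

The sketch assumes a platform where both the fork and spawn start methods exist, such as Linux.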
When the toolchain involved in openscap build does not support C++, the
configure step fails with the following error:
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - failed
-- Check for working CXX compiler: /bin/false
-- Check for working CXX compiler: /bin/false - broken
CMake Error at /usr/share/cmake/Modules/CMakeTestCXXCompiler.cmake:73 (message):
The C++ compiler
"/bin/false"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
Run Build Command(s): /usr/bin/cmake -E env VERBOSE=1 /usr/bin/make -f Makefile cmTC_1834b/fast
make[1]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
/usr/bin/make -f CMakeFiles/cmTC_1834b.dir/build.make CMakeFiles/cmTC_1834b.dir/build
make[2]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
Building CXX object CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o /bin/false -o CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o -c /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI/testCXXCompiler.cxx
make[2]: *** [CMakeFiles/cmTC_1834b.dir/build.make:81: CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o] Error 1
make[2]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
make[1]: *** [Makefile:134: cmTC_1834b/fast] Error 2
make[1]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
CMakeLists.txt:11 (project)
-- Configuring incomplete, errors occurred!
make: *** [package/pkg-generic.mk:263: /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/.stamp_configured] Error 1
make: Leaving directory '/home/autobuild/autobuild/instance-6/buildroot'
The openscap project does not contain any C++ file, and so does not need
a C++ capable compiler. Bring the to-be-integrated-upstream patch
enforcing C language in CMakeLists.txt to prevent this build failure.
Fixes: https://autobuild.buildroot.org/results/1fe550ffa79f0a083a450ae03fe067a8ab7336be
Fixes: https://autobuild.buildroot.org/results/e9d52b52658544916022050c78dcb137ca6c97e0
Fixes: https://autobuild.buildroot.org/results/4a9c21763aaddb217ee5f8bb8947faad9767baa3
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig can be built without problems:
BR2_x86_64=y
BR2_GCC_VERSION_15_X=y
BR2_PACKAGE_SAFECLIB=y
However adding rocketlake as architecture variant
BR2_x86_64=y
BR2_x86_rocketlake=y
BR2_GCC_VERSION_15_X=y
BR2_PACKAGE_SAFECLIB=y
causes a build error:
str/vsnprintf_s.c: In function 'safec_ftoa.isra':
str/vsnprintf_s.c:523:24: error: writing 32 bytes into a region of size
31 [-Werror=stringop-overflow=]
523 | buf[len++] = '0';
with gcc 15.x only, gcc <= 14.x is not affected, reason unknown.
This commit adds two upstream commits which fix the problem.
No autobuilder error was recorded.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 101997e334 added binutils
2.46.0 to -next branch causing a build error with shim:
output/per-package/shim/host/bin/x86_64-buildroot-linux-gnu-objcopy:
shimx64.so: file format not recognized
output/per-package/shim/host/bin/x86_64-buildroot-linux-gnu-objcopy:
mmx64.so: file format not recognized
Added an upstream patch to fix the problem.
No backport to buildroot LTS branches necessary.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-34450:
merbanan/rtl_433 versions up to and including 25.02 and prior to
commit 25e47f8 contain a stack-based buffer overflow vulnerability in
the function parse_rfraw() located in src/rfraw.c. When processing
crafted or excessively large raw RF input data, the application may
write beyond the bounds of a stack buffer, resulting in memory
corruption or a crash. This vulnerability can be exploited to cause a
denial of service and, under certain conditions, may be leveraged for
further exploitation depending on the execution environment and
available mitigations.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-34450
- 25e47f8932
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2026-25556:
MuPDF versions 1.23.0 through 1.27.0 contain a double-free
vulnerability in fz_fill_pixmap_from_display_list() when an exception
occurs during display list rendering. The function accepts a caller-
owned fz_pixmap pointer but incorrectly drops the pixmap in its error
handling path before rethrowing the exception. Callers (including the
barcode decoding path in fz_decode_barcode_from_display_list) also
drop the same pixmap in cleanup, resulting in a double-free that can
corrupt the heap and crash the process. This issue affects
applications that enable and use MuPDF barcode decoding and can be
triggered by processing crafted input that causes a rendering-time
error while decoding barcodes.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-25556
- https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* creates a board/freescale/imx6ull-evk folder dedicated to upstream Linux
and U-Boot to ease maintenance.
* cleans up both imx6ullevk and imx6ull-evk readme.txt files
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: fix IMX6ULLQSG url in readme.txt]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed all patches because they are included in this release.
Added two upstream patches which fix build with glibc 2.43.
Added optional dependency to gnutls introduced by upstream commit
c9215365ef
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes since version 3.12.07-3-g4546973, see:
https://github.com/electronicarts/EASTL/releases
Updated license hash due to upstream commit
c18a037660
Added patch to raise cmake_minimum_required in subproject EABase that was
added by upstream commit
c530255b69
using FetchContent_Declare which downloads the source during configure
so we do not have a chance to use _POST_EXTRACT_HOOKS to patch the
source code directly.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add comment in commit log about the previous version number]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Which is a 2.5G Ethernet PHY.
Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien: add LICENSE.airoha entry in linux-firmware.hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Change summary:
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.11.4
Fixes:
CVE-2025-14821: libssh loads configuration files from the C:\etc directory
on Windows
CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
CVE-2026-0965: Possible Denial of Service when parsing unexpected
configuration files
CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
CVE-2026-0967: Specially crafted patterns could cause DoS
CVE-2026-0968: OOB Read in sftp_parse_longname()
libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP
extensions
Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien:
- add link to upstream change summary
- fix signature link in hash file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 0433c8d02a bumped
libinput to version 1.31.0 which causes a build error with wlroots:
../backend/libinput/switch.c: In function ‘handle_switch_toggle’:
../backend/libinput/switch.c:32:9: error: enumeration value
‘LIBINPUT_SWITCH_KEYPAD_SLIDE’ not handled in switch [-Werror=switch]
32 | switch (libinput_event_switch_get_switch(sevent)) {
The build error was not yet detected by the autobuilders but can be
reproduced using this defconfig:
BR2_x86_64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_WLROOTS=y
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:
- CVE-2024-50382:
Botan before 3.6.0, when certain LLVM versions are used, has compiler-
induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in
GHASH in AES-GCM. There is a branch instead of an XOR with carry. This
was observed for Clang in LLVM 15 on RISC-V.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-50382
- 53b0cfde58
- CVE-2024-50383:
Botan before 3.6.0, when certain GCC versions are used, has a
compiler-induced secret-dependent operation in lib/utils/donna128.h in
donna128 (used in Chacha-Poly1305 and x25519). An addition can be
skipped if a carry is not set. This was observed for GCC 11.3.0 with
-O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be
affected.)
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-50383
- 53b0cfde58
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add configs/versal_vpk120_defconfig to the list of files I maintain.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerability:
- CVE-2025-63938:
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in
the strip_return_port() function within src/reqs.c.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-63938
- 3c0fde9498
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:
- CVE-2025-50681:
igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a
denial of service (application crash) via a crafted IGMPv3 membership
report packet with a malicious source address. Due to insufficient
validation in the `recv_igmp()` function in src/igmpproxy.c, an
invalid group record type can trigger a NULL pointer dereference when
logging the address using `inet_fmtsrc()`. This vulnerability can be
exploited by sending malformed multicast traffic to a host running
igmpproxy, leading to a crash. igmpproxy is used in various embedded
networking environments and consumer-grade IoT devices (such as home
routers and media gateways) to handle multicast traffic for IPTV and
other streaming services. Affected devices that rely on unpatched
versions of igmpproxy may be vulnerable to remote denial-of-service
attacks across a LAN.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-50681
- 2b30c36e6a
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This minor release contains a fix for building with host glibc 2.43,
which fails otherwise.
Signed-off-by: Paul Kocialkowski <paulk@sys-base.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information on the version bump, see:
- https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
- https://github.com/ImageMagick/ImageMagick/compare/7.1.2-12...7.1.2-15
Fixes the following vulnerabilities:
- CVE-2026-22770:
The BilateralBlurImage method will allocate a set of double buffers
inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the
last element in the set is not properly initialized. This will
result in a release of an invalid pointer inside DestroyBilateralTLS
when the memory allocation fails.
https://www.cve.org/CVERecord?id=CVE-2026-22770
- CVE-2026-23874:
Versions prior to 7.1.2-13 have a stack overflow via infinite
recursion in MSL (Magick Scripting Language) `<write>` command when
writing to MSL format.
https://www.cve.org/CVERecord?id=CVE-2026-23874
- CVE-2026-23876:
Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow
vulnerability in the XBM image decoder (ReadXBMImage) allows an
attacker to write controlled data past the allocated heap buffer
when processing a maliciously crafted image file. Any operation that
reads or identifies an image can trigger the overflow, making it
exploitable via common image upload and processing pipelines.
https://www.cve.org/CVERecord?id=CVE-2026-23876
- CVE-2026-24481:
Prior to versions 7.1.2-15 and 6.9.13-40, a heap information
disclosure vulnerability exists in ImageMagick's PSD (Adobe
Photoshop) format handler. When processing a maliciously crafted PSD
file containing ZIP-compressed layer data that decompresses to less
than the expected size, uninitialized heap memory is leaked into the
output image.
https://www.cve.org/CVERecord?id=CVE-2026-24481
- CVE-2026-25638:
Prior to versions 7.1.2-15 and 6.9.13-40, a memory leak exists in
`coders/msl.c`. In the `WriteMSLImage` function of the `msl.c` file,
resources are allocated. But the function returns early without
releasing these allocated resources.
https://www.cve.org/CVERecord?id=CVE-2026-25638
- CVE-2026-25794:
`WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute
the pixel buffer size. Prior to version 7.1.2-15, when image
dimensions are large, the multiplication overflows 32-bit `int`,
causing an undersized heap allocation followed by an out-of-bounds
write. This can crash the process or potentially lead to an out of
bounds heap write.
https://www.cve.org/CVERecord?id=CVE-2026-25794
- CVE-2026-25795:
Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSFWImage()`
(`coders/sfw.c`), when temporary file creation fails, `read_info` is
destroyed before its `filename` member is accessed, causing a NULL
pointer dereference and crash.
https://www.cve.org/CVERecord?id=CVE-2026-25795
- CVE-2026-25796:
Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()`
(`coders/stegano.c`), the `watermark` Image object is not freed on
three early-return paths, resulting in a definite memory leak
(~13.5KB+ per invocation) that can be exploited for denial of
service.
https://www.cve.org/CVERecord?id=CVE-2026-25796
- CVE-2026-25798:
Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference
in ClonePixelCacheRepository allows a remote attacker to crash any
application linked against ImageMagick by supplying a crafted image
file, resulting in denial of service.
https://www.cve.org/CVERecord?id=CVE-2026-25798
- CVE-2026-25799:
Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV
sampling factor validation allows an invalid sampling factor to
bypass checks and trigger a division-by-zero during image loading,
resulting in a reliable denial-of-service.
https://www.cve.org/CVERecord?id=CVE-2026-25799
- CVE-2026-25897:
Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow
vulnerability exists in the sun decoder. On 32-bit systems/builds, a
carefully crafted image can lead to an out of bounds heap write.
https://www.cve.org/CVERecord?id=CVE-2026-25897
- CVE-2026-25989:
Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can
cause a denial of service. An off-by-one boundary check (`>` instead
of `>=`) allows bypassing the guard and reaching an undefined
`(size_t)` cast.
https://www.cve.org/CVERecord?id=CVE-2026-25989
- CVE-2026-26066:
Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile containing
invalid IPTC data may cause an infinite loop when writing it with
`IPTCTEXT`.
https://www.cve.org/CVERecord?id=CVE-2026-26066
- CVE-2026-26283:
Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in
the JPEG extent binary search loop in the jpeg encoder causes an
infinite loop when writing persistently fails. An attacker can
trigger a 100% CPU consumption and process hang (Denial of Service)
with a crafted image.
https://www.cve.org/CVERecord?id=CVE-2026-26283
- CVE-2026-26284:
Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper
boundary checking when processing Huffman-coded data from PCD
(Photo CD) files. The decoder contains a function that has an
incorrect initialization that could cause an out of bounds read.
https://www.cve.org/CVERecord?id=CVE-2026-26284
- CVE-2026-26983:
Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter
crashes when processing an invalid `<map>` element that causes it to
use an image after it has been freed.
https://www.cve.org/CVERecord?id=CVE-2026-26983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
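The size-computation flaw described for CVE-2026-25794 above, as an added example that is not ImageMagick's code: a pixel buffer size computed in 32-bit arithmetic beside an overflow-checked version. All function names and the allocation limit are hypothetical, and the 32-bit wrap is modelled with `uint32_t` because signed `int` overflow is undefined behaviour in C.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flawed pattern (modelled): every factor fits in 32 bits, the product
 * does not. The result silently wraps modulo 2^32, so a later allocation
 * of this many bytes is smaller than the data written into it. */
static uint32_t pixel_bytes_32bit(uint32_t width, uint32_t height,
                                  uint32_t channels, uint32_t bytes_per_sample)
{
    return width * height * channels * bytes_per_sample;
}

/* Multiply two sizes, refusing any result that does not fit in size_t. */
static bool mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened pattern: compute in size_t, check every multiplication and
 * enforce an upper bound (limit) before the caller allocates anything. */
static bool pixel_bytes_checked(size_t width, size_t height, size_t channels,
                                size_t bytes_per_sample, size_t limit,
                                size_t *out)
{
    size_t n;

    if (width == 0 || height == 0 || channels == 0 || bytes_per_sample == 0)
        return false;
    if (!mul_checked(width, height, &n) ||
        !mul_checked(n, channels, &n) ||
        !mul_checked(n, bytes_per_sample, &n))
        return false;
    if (n > limit)
        return false;
    *out = n;
    return true;
}

int main(void)
{
    /* Constructed dimensions: 32768 x 32768 pixels, 4 channels, 1 byte each. */
    const size_t limit = (size_t)1 << 28; /* assumed 256 MiB cap */
    size_t n = 0;

    printf("32-bit size for 32768x32768x4: %u bytes\n",
           (unsigned)pixel_bytes_32bit(32768, 32768, 4, 1));
    if (!pixel_bytes_checked(32768, 32768, 4, 1, limit, &n))
        printf("checked size for 32768x32768x4: rejected\n");
    if (pixel_bytes_checked(1920, 1080, 4, 1, limit, &n))
        printf("checked size for 1920x1080x4: %zu bytes\n", n);
    return 0;
}
```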
Buildroot commit 2882cf4ae6 bumped the
package from 2.44.4 to 2.48.3. This bump includes upstream commit
3b54e45d63
which was added to wpewebkit 2.45.1:
https://wpewebkit.org/release/wpewebkit-2.45.1.html
"Use Skia by default instead of Cairo for rendering."
The upstream commit includes dependencies to fontconfig & freetype which
were not added to buildroot and cause build errors with this defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_WPEWEBKIT=y
BR2_PACKAGE_WPEWEBKIT_SANDBOX=y
BR2_PACKAGE_WPEWEBKIT_MULTIMEDIA=y
BR2_PACKAGE_WPEWEBKIT_MEDIA_STREAM=y
BR2_PACKAGE_WPEWEBKIT_WEBDRIVER=y
Reported-by: Julien Olivain <ju.o@free.fr>
[https://patchwork.ozlabs.org/project/buildroot/patch/20251017131035.224739-1-aperez@igalia.com/#3599999]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information about the release, see:
- https://github.com/c-ares/c-ares/releases/tag/v1.34.6
Fixes the following vulnerability:
- CVE-2025-62408:
c-ares is an asynchronous resolver library. Versions 1.32.3 through
1.34.5 terminate a query after maximum attempts when using
read_answer() and process_answer(), which can cause a Denial of
Service. This issue is fixed in version 1.34.6.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-62408
- 714bf5675c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security vulnerability:
- CVE-2025-68615:
net-snmp is a SNMP application library, tools and daemon. Prior to
versions 5.9.5 and 5.10.pre2, a specially crafted packet to a net-snmp
snmptrapd daemon can cause a buffer overflow and the daemon to
crash. This issue has been patched in versions 5.9.5 and 5.10.pre2.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68615
- b4e6f826d9
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 2026.02-rc1 release forgot to update the series and date and the
2025.02.11 release forgot to update the data, fix that.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that binutils 2.46.0 has been introduced and binutils 2.45.1 made
the default version, drop the oldest supported version, binutils 2.43,
keeping only the 3 last versions supported: 2.44, 2.45.1 and 2.46.0.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Now that support for binutils 2.46.0 has been introduced, we follow our
policy of making binutils 2.45.1 the default version.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://sourceware.org/pipermail/binutils/2026-February/148149.html
" This release contains numerous bug fixes, and also the following new
features:
* Support for new instructions added to AMD, ARM and RISC-V
architectures.
* Support for version 3 of the SFrame standard.
* The readelf program can now display the contents of Global Offset
Tables.
* Improved linker tagging support."
We bring and rebase patches 0001 and 0002 that we carry for binutils
2.45.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed patch that fixed building with libseccomp and old kernel headers
as systemd has fixed that upstream now.
Notable changes:
- Add -Dlibmount=enabled to host and target build. Disabling this
option disables building most of systemd's tools apart from
libsystemd.
- remove gcrypt and gnutls from dependencies and build options.
openssl is the only supported crypto library now.
- Disable nspawn build for host variant and add a Config.in option
for the target variant.
- systemd now requires kernel >= 5.4 while the recommended kernel
version moved to >=5.7. This makes systemd depend on
BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4, removing various dependencies
on older kernel header versions from sub options.
- The sha256sum of LICENSES/README.md changed due to various
license clarification, removal of some vendored files as well as
changing some file paths. Licensing did not actually change.
For changelog, see:
https://github.com/systemd/systemd/blob/v258.3/NEWS
Tested with `./support/testing/run-tests tests.init.test_systemd`
All tests passed
One of the tests now needs a bigger rootfs size.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: fix check-package warnings]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When trying to build host-dtc on a host with glibc 2.43, the build fails
on the following error:
libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’
qualifier from pointer target type [-Werror=discarded-qualifiers]
424 | sep = memchr(fixup_str, ':', fixup_len);
| ^
libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’
qualifier from pointer target type [-Werror=discarded-qualifiers]
434 | sep = memchr(name, ':', fixup_len);
| ^
fdtput.c: In function ‘create_node’:
fdtput.c:235:11: error: assignment discards ‘const’ qualifier from
pointer target type [-Werror=discarded-qualifiers]
235 | p = strrchr(node_name, '/');
| ^
cc1: all warnings being treated as errors
make[2]: *** [Makefile:359: fdtput.o] Error 1
make[2]: *** Waiting for unfinished jobs....
cc1: all warnings being treated as errors
make[2]: *** [Makefile:359: libfdt/fdt_overlay.o] Error 1
make[1]: *** [package/pkg-generic.mk:273:
/home/alexis/src/buildroot/dtc/build/host-dtc-1.7.2/.stamp_built] Error 2
make: *** [Makefile:83: _all] Error 2
The issue can be reproduced on master with this minimal defconfig on a
host having glibc 2.43:
BR2_x86_64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_QORIQ_MC_UTILS=y
(QORIQ_MC_UTILS will pull HOST_DTC)
This error is due to some function prototype updates in glibc 2.43 for
ISO C23 (see [1], point 3 in the NEWS list). The corresponding fix has
already been integrated upstream, but it has not been released since
then.
Bring the corresponding upstream patch to allow host-dtc to build on
affected hosts.
[1] https://lists.gnu.org/archive/html/info-gnu/2026-01/msg00005.html
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
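The const-correct pattern that avoids the discarded-qualifier errors quoted in the host-dtc commit above, as an added example that is not the upstream dtc patch: the pointer that receives the result of `memchr()` on read-only input is itself declared `const`, so the code compiles whether the search function returns `void *` or a pointer to const. `struct fixup`, `parse_fixup()`, the sample strings and the `path:name:poffset` field layout are assumptions made for this illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Views into the caller's buffer; nothing is copied or modified. */
struct fixup {
    const char *path;
    size_t path_len;
    const char *name;
    size_t name_len;
    unsigned long poffset;
};

/* Parse "path:name:poffset" from the len bytes at s.
 * Returns 0 on success, -1 on any malformed input. */
static int parse_fixup(const char *s, size_t len, struct fixup *out)
{
    const char *end = s + len;
    const char *sep;   /* const: it points into read-only input */
    const char *name, *num, *p;
    unsigned long v = 0;

    sep = memchr(s, ':', len);
    if (sep == NULL || sep == s)
        return -1;                      /* missing or empty path */
    out->path = s;
    out->path_len = (size_t)(sep - s);

    name = sep + 1;
    sep = memchr(name, ':', (size_t)(end - name));
    if (sep == NULL || sep == name)
        return -1;                      /* missing or empty name */
    out->name = name;
    out->name_len = (size_t)(sep - name);

    num = sep + 1;
    if (num == end)
        return -1;                      /* empty offset */
    for (p = num; p < end; p++) {
        unsigned long d;

        if (*p < '0' || *p > '9')
            return -1;                  /* decimal digits only */
        d = (unsigned long)(*p - '0');
        if (v > (ULONG_MAX - d) / 10)
            return -1;                  /* offset would overflow */
        v = v * 10 + d;
    }
    out->poffset = v;
    return 0;
}

int main(void)
{
    /* Constructed sample entry. */
    const char *entry = "/soc/i2c@0:clocks:4";
    struct fixup f;

    if (parse_fixup(entry, strlen(entry), &f) == 0)
        printf("path=%.*s name=%.*s poffset=%lu\n",
               (int)f.path_len, f.path, (int)f.name_len, f.name, f.poffset);
    return 0;
}
```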
The used Linux kernel (4.14.336) does not contain the default license files
as those were only added in 4.16 with commit e00a844aca ("LICENSES: Add
Linux syscall note exception"), so specify the correct license file to fix:
make legal-info
..
cp: cannot stat '/path/to/output/build/linux-headers-4.14.336/LICENSES/preferred/GPL-2.0': No such file or directory
And add the sha256sum to the .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien:
- reword commit title
- actually add BR2_LINUX_KERNEL_LICENSE_FILES in defconfig
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The used Linux kernel (4.14.336) does not contain the default license files
as those were only added in 4.16 with commit e00a844aca ("LICENSES: Add
Linux syscall note exception"), so specify the correct license file to fix:
make legal-info
..
cp: cannot stat '/path/to/output/build/linux-headers-4.14.336/LICENSES/preferred/GPL-2.0': No such file or directory
And add the sha256sum to the .hash file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit 50958bcdac ("linux: Add support for custom license files") added a
default value for the license files and made the option visible (E.G.
editable) when a custom VCS or tarball version is used, but it is also
needed for users of an older _CUSTOM_VERSION (E.G. mainline release), as
the referenced files were only added in Linux 4.16 with commit e00a844aca
("LICENSES: Add Linux syscall note exception"), so change that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
It was recently announced on the list that Marcus joined the maintainer
team, so add a news entry about it as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When using a specific git repo and version for at91bootstrap3,
BR2_TARGET_AT91BOOTSTRAP3_LICENSE_FILES defaults to "LICENSES/MIT.txt".
However the git version we use (namely v3.10.3) does not provide this
file. Actually, it does not provide a license file at all. This causes
‘make legal-info’ to fail with:
>>> at91bootstrap3 v3.10.3 Collecting legal info
sha256sum: /builds/buildroot.org/buildroot/output/build/at91bootstrap3-v3.10.3/LICENSES/MIT.txt: No such file or directory
ERROR: while checking hashes from boot/at91bootstrap3/at91bootstrap3.hash
ERROR: LICENSES/MIT.txt has wrong sha256 hash:
ERROR: expected: 5a3809b1c2ba13b7242572322951311c584419f1f8516f665d6c06f0668d78de
ERROR: got :
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
Let's be explicit that there is no license file to check.
Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/12992815386
- https://gitlab.com/buildroot.org/buildroot/-/jobs/12992815390
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The Buildroot commit [1] introduced two small typos, while doing the
updates to announce new releases.
The version 2025.02.10 release date is 2026-01-20 (and not 2022).
See the original announcement [2].
The 2025.02.10 archive link in news.html also has a missing dot.
This commit fixes those typos in order to fix the website.
[1] 21dda0665e
[2] https://lore.kernel.org/buildroot/9b9654f8-6cdd-4108-b932-79509e455148@rnout.be/
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
libxmlsec1 build fails on some configurations with the following build
logs:
CC libxmlsec1_openssl_la-kw_des.lo
kw_des.c:75:8: error: unknown type name 'xmlSecKWDes3Klass'; did you mean 'xmlSecKWAesKlass'?
75 | static xmlSecKWDes3Klass xmlSecOpenSSLKWDes3ImplKlass = {
| ^~~~~~~~~~~~~~~~~
| xmlSecKWAesKlass
kw_des.c:77:5: error: initialization of 'int' from 'int (*)(struct _xmlSecTransform *, xmlSecByte *, size_t, size_t *)' {aka 'int (*)(struct _xmlSecTransform *, unsigned char *, long unsigned int, long unsigned int *)'} makes integer from pointer without a cast [-Wint-conversion]
77 | xmlSecOpenSSLKWDes3GenerateRandom, /* xmlSecKWDes3GenerateRandomMethod generateRandom; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:77:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:77:5: error: initializer element is not computable at load time
kw_des.c:77:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:78:5: error: excess elements in scalar initializer
78 | xmlSecOpenSSLKWDes3Sha1, /* xmlSecKWDes3Sha1Method sha1; */
| ^~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:78:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:79:5: error: excess elements in scalar initializer
79 | xmlSecOpenSSLKWDes3BlockEncrypt, /* xmlSecKWDes3BlockEncryptMethod encrypt; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
kw_des.c:79:5: note: (near initialization for 'xmlSecOpenSSLKWDes3ImplKlass')
kw_des.c:80:5: error: excess elements in scalar initializer
80 | xmlSecOpenSSLKWDes3BlockDecrypt, /* xmlSecKWDes3BlockDecryptMethod decrypt; */
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[...]
This build failure is due to those struct definitions being set
conditionally in src/kw_aes_des.h behind a XMLSEC_NO_DES define, and
this define ending up being 1 on some builds. We could assume that the
makefiles in libxmlsec should just not try to build any DES related file
when XMLSEC_NO_DES is set to 1 (and so, in this specific case, not try
to build src/openssl/kw_des.c), but the autotools tooling in the project
is not the one setting XMLSEC_NO_DES: there is a mismatch between
detected features at configure time and build time.
- at build time, the tooling just checks if user has passed
`--enable-des=no`. If so, it sets XMLSEC_NO_DES, otherwise it assumes
that DES support is available.
- at build time, libxmlsec tries to build openssl backend. This backend
checks OpenSSL features, especially whether OPENSSL_NO_DES is set (and
if so, it enforces XMLSEC_NO_DES to 1 as well)
- This OPENSSL_NO_DES comes from libopenssl configuration headers
installed in sysroot. Its presence is driven by the `no-des` option
passed at libopenssl configure time
- This `no-des` flag is driven by buildroot option
BR2_PACKAGE_LIBOPENSSL_ENABLE_DES
There are multiple options to fix this package here:
1. fixing upstream package to make the features detection more robust (eg
check openssl headers at configure time to ensure that DES is
supported)
2. enforce XMLSEC_NO_DES if BR2_PACKAGE_LIBOPENSSL_ENABLE_DES is not set
3. systematically enforce XMLSEC_NO_DES=1
Now:
- 1 may take time, and would then need a temporary patch to live in
buildroot while the fix is accepted upstream and released
- 2 works only for libopenssl, what if libressl is used?
- DES usage is discouraged anyway, as stated by configure logs:
[...]
checking for DES support... yes (use discouraged)
[...]
As the package has been introduced very recently, there's a very low
chance to break any user use case by completely disabling DES support.
Systematically disable DES support in libxmlsec1 to discourage usage and
fix build failure when the corresponding SSL library does not expose DES
support.
Fixes: https://autobuild.buildroot.org/results/3e15f03dc0211c622125ebb69ff7230ce900029a/
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* bumps ATF to version 2.14.0
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit also updates
olimex_a20_olinuxino_lime_defconfig
olimex_a20_olinuxino_lime2_defconfig
to use this new rootfs_overlay_mali directory.
This is to differentiate for the upcoming patch for
a20_olinuxino_micro_defconfig
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
* switches to extlinux
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien:
- change linux.hash comment to use hash from upstream
- add "_lime" in commit title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version lf-6.12.49-2.2.0
* bumps U-Boot to version lf-6.12.49-2.2.0
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
* forces check hashes
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch:
* bumps Linux kernel to version 6.18.8
* bumps U-Boot to version 2026.01
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: change linux.hash comment to use hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The `pocoo:jinja2` CPE introduced in commit [1] is not deprecated but is
no longer used. All the security issues on the GitHub Advisory reference
CVEs with the `palletsprojects:jinja` CPE instead (see [2]).
This commit updates the CPE accordingly.
[1] 165f60a092 package/python-jinja2: add CPE variables
[2] https://github.com/pallets/jinja/security/advisories/GHSA-cpwx-vrp4-4pq7
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Optional udisks support is useful for mounting USB sticks via
pcmanfm.
gvfs meson.build has recognized this udisks2 option for quite
some time, since upstream commit [1] first included in version
1.35.2 (released on 2017-11-13).
[1] cdc33bf54f
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
[Julien: add comment in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit cf686670b9 introduced a patch that
was later included in a release which made the usage of libesmtp
configurable. Later the switch was moved to the main CMakeLists.mk [0].
While the patch introduced the build flag LOG4CXX_ENABLE_ESMTP, the
change to the .mk file used LOG4CXX_ENABLE_LIBESMTP.
So correct this.
Fixes:
CMake Warning:
Manually-specified variables were not used by the project:
LOG4CXX_ENABLE_LIBESMTP
[0] https://github.com/apache/logging-log4cxx/blob/rel/v1.3.1/CMakeLists.txt#L93
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit backports an upstream patch fixing CVE-2024-10963. See:
https://github.com/linux-pam/linux-pam/issues/834
https://github.com/linux-pam/linux-pam/pull/854
Fixes:
- CVE-2024-10963:
Pam: improper hostname interpretation in pam_access leads to access
control bypass
A flaw was found in pam_access, where certain rules in its
configuration file are mistakenly treated as hostnames. This
vulnerability allows attackers to trick the system by pretending
to be a trusted hostname, gaining unauthorized access. This issue
poses a risk for systems that rely on this feature to control who
can access certain services or terminals.
https://www.cve.org/CVERecord?id=CVE-2024-10963
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Julien:
- fix check-package errors
- add info in commit log
- rebase patch on v1.6.1 to avoid patch offsets
- add "CVE:" tag in patch
- add comment with patch name near _IGNORE_CVES in .mk
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from LTS 6.6.30 to 6.12.70
- updates U-Boot from 2024.04 to 2026.01
- updates arm-trusted-firmware from v2.10 to v2.12 LTS
- switches to Bootlin external glibc stable toolchain
Note: Using the kernel 6.18.9, the SD card fails at boot:
mmc1: SDHCI controller on 4fb0000.mmc [4fb0000.mmc] using ADMA 64-bit
Waiting for root device /dev/mmcblk1p2...
mmc1: error -110 whilst initialising SD card
So let's use stable kernel 6.12.y for the time being.
Signed-off-by: Romain Naour <romain.naour@smile.fr>
[Julien: update linux.hash comment to use upstream hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Please note that the fix for CVE-2024-52615 introduces CVE-2025-59529
which is not fixed yet (https://github.com/avahi/avahi/pull/808). You
can mitigate this vulnerability by setting the `enable-wide-area=no`
option.
Patch `0011-properly-randomize-query-id-of-DNS-packets.patch` modifies
`configure.ac` and then `AVAHI_AUTORECONF` is set.
This commit fixes the following vulnerabilities:
- CVE-2021-3468:
A flaw was found in avahi in versions 0.6 up to 0.8. The event used to
signal the termination of the client connection on the avahi Unix
socket is not correctly handled in the client_work function, allowing
a local attacker to trigger an infinite loop. The highest threat from
this vulnerability is to the availability of the avahi service, which
becomes unresponsive after this flaw is triggered.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2021-3468
- 447affe299
- CVE-2023-38469:
A vulnerability was found in Avahi, where a reachable assertion exists
in avahi_dns_packet_append_record.
https://www.cve.org/CVERecord?id=CVE-2023-38469
- CVE-2023-38470:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_escape_label() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38470
- a337a1ba7d
- CVE-2023-38471:
A vulnerability was found in Avahi. A reachable assertion exists in
the dbus_set_host_name function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38471
- github.com/avahi/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
- CVE-2023-38472:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_rdata_parse() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38472
- b024ae5749
- CVE-2023-38473:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_alternative_host_name() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38473
- b448c9f771
- CVE-2024-52615:
A flaw was found in Avahi-daemon, which relies on fixed source ports
for wide-area DNS queries. This issue simplifies attacks where
malicious DNS responses are injected.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-52615
- 4e2e1ea090
- https://github.com/avahi/avahi/issues/810 (introduces regression CVE-2025-59529)
- CVE-2024-52616:
A flaw was found in the Avahi-daemon, where it initializes DNS
transaction IDs randomly only once at startup, incrementing them
sequentially after that. This predictable behavior facilitates DNS
spoofing attacks, allowing attackers to guess transaction IDs.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-52616
- f8710bdc8b
- CVE-2025-68276:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
unprivileged local users can crash avahi-daemon (with wide-area
disabled) by creating record browsers with the
AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by
either calling the RecordBrowserNew method directly or creating
hostname/address/service resolvers/browsers that create those browsers
internally themselves.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68276
- 2d48e42d44
- CVE-2025-68468:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
avahi-daemon can be crashed by sending unsolicited announcements
containing CNAME resource records pointing it to resource records with
short TTLs. As soon as they expire avahi-daemon crashes.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68468
- f66be13d7f
- CVE-2025-68471:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
avahi-daemon can be crashed by sending 2 unsolicited announcements
with CNAME resource records 2 seconds apart.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68471
- 9c6eb53bf2
- CVE-2026-24401:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and
below, avahi-daemon can be crashed via a segmentation fault by sending
an unsolicited mDNS response containing a recursive CNAME record,
where the alias and canonical name point to the same domain (e.g.,
"h.local" as a CNAME for "h.local"). This causes unbounded recursion
in the lookup_handle_cname function, leading to stack exhaustion. The
vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST
is set explicitly, which includes record browsers created by resolvers
used by nss-mdns. This issue is patched in commit
78eab31128479f06e30beb8c1cbf99dd921e2524.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24401
- 78eab31128
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The github repository lathiat/avahi now redirects to avahi/avahi.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Introduce the openscap package. openscap is a command line tool allowing
to scan a system configuration to perform security compliance checks.
The tool consumes XCCDF and OVAL files to perform system evaluation
against a list of policies.
The package provides both a target and a host build configuration, as it
is needed on both sides:
- it is needed on the host to allow building the security policy files
to be embedded on the target
- it is needed on the target to actually parse and evaluate those
security policy files.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Thomas:
- Drop dependency on openssl, apparently not needed
- Depend on gcrypt if !nss, as either can be used
- Add missing dependency on libxslt]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libcurl host build support has initially been added with 736e0fc5d6
("libcurl: add host variant") while adding support for host-cargo build,
and reverted with 69e84008ab ("Revert "libcurl: add host variant"")
when standalone cargo build has been removed.
In order to bring in an upcoming commit a new host package that
depends on libcurl, re-enable host-libcurl build support.
This reverts commit w9e84008abf87eaeeb3f2d53c880cf33492a3bf8, with the
exception of the post-patch hook which is no longer needed.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 7eeb574f0e introduced
libxmlsec1, making libxslt a mandatory dependency, which it isn't.
This commit therefore makes libxslt an optional dependency of the
target libxmlsec1 package, and drops the dependency entirely for the
host package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes CVE-2025-14550:
There was a potential DoS vector for users of the
``asgiref.wsgi.WsgiToAsgi`` adapter. Malicious requests, including an
unreasonably large number of values for the same header, could lead to
resource exhaustion when building the WSGI environment.
Changelog: https://github.com/django/asgiref/blob/3.11.1/CHANGELOG.txt
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPIO filesystem generated by the test_firewalld test is too
large, and doesn't fit as an initramfs in the 256MB of RAM available
in the versatilepb machine. This causes a "Initramfs unpacking failed:
write error" when booting, and many files being missing from the root
filesystem, ultimately causing the test to fail.
The test_firewalld test initially started to fail following a systemd
update [1][3]:
[BRTEST# systemctl is-active firewalld
failed
But really started to crash at boot following a python 3.14 update
[2][4]:
Run /init as init process
/init: exec: line 15: /sbin/init: not found
Also, update TestFirewalldSysVInit to use ext2 instead of cpio.
[1] 926e0504d0
[2] a0a6abc8b1
Fixes:
[3] https://gitlab.com/buildroot.org/buildroot/-/jobs/12944797059
[4] https://gitlab.com/buildroot.org/buildroot/-/jobs/11856840940
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issues:
- CVE-2025-13473 (low): Username enumeration through timing difference in mod_wsgi authentication handler
- CVE-2025-14550 (moderate): Potential denial-of-service vulnerability via repeated headers when using ASGI
- CVE-2026-1207 (high): Potential SQL injection via raster lookups on PostGIS
- CVE-2026-1285 (moderate): Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods
- CVE-2026-1287 (high): Potential SQL injection in column aliases via control characters
- CVE-2026-1312 (high): Potential SQL injection via QuerySet.order_by and FilteredRelation
See the release notes here:
https://docs.djangoproject.com/en/dev/releases/6.0.2/
Also includes the bugfixes from version 6.0.1:
https://docs.djangoproject.com/en/dev/releases/6.0.1/
Signed-off-by: Manuel Diener <manuel.diener@othermo.de>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Introduce the libxmlsec1 library package. libxmlsec implements XML
security standards.
The library has only a few mandatory dependencies (libxml2 and libxslt
and a crypto library). It needs one of the following cryptographic
libraries: OpenSSL, NSS, or Gcrypt/GNUTLS. Default to openssl for now to
keep the package simple.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security vulnerabilities:
CVE-2026-1584: libgnutls: Fix NULL pointer dereference in PSK binder
verification
A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
could lead to a denial of service attack via crashing the server.
The updated code guards against the problematic dereference.
CVE-2025-14831: libgnutls: Fix name constraint processing performance issue
Verifying certificates with pathological amounts of name constraints
could lead to a denial of service attack via resource exhaustion.
Reworked processing algorithms exhibit better performance characteristics.
For more details, see the release notes:
https://lists.gnupg.org/pipermail/gnutls-help/2026-February/004914.html
Drop now upstreamed 0001-audit-crau-fix-compilation-with-gcc-11.patch:
f5666f8f1f
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities:
CVE-2025-61732: cmd/cgo: remove user-content from doc strings in cgo ASTs
A discrepancy between how Go and C/C++ comments were parsed allowed for code
smuggling into the resulting cgo binary.
To prevent this behavior, the cgo compiler will no longer parse
user-provided doc comments.
CVE-2025-68121: crypto/tls: unexpected session resumption when using
Config.GetConfigForClient
Config.GetConfigForClient is documented to use the original Config's session
ticket keys unless explicitly overridden. This can cause unexpected
behavior if the returned Config modifies authentication parameters, like
ClientCAs: a connection initially established with the parent (or a sibling)
Config can be resumed, bypassing the modified authentication requirements.
If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on
the server) or InsecureSkipVerify is false (on the client), crypto/tls now
checks that the root of the previously-verified chain is still in
ClientCAs/RootCAs when resuming a connection.
Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar
issue related to session ticket keys being implicitly shared by
Config.Clone. Since this fix is broader, the Config.Clone behavior change
has been reverted.
Note that VerifyPeerCertificate still behaves as documented: it does not
apply to resumed connections. Applications that use
Config.GetConfigForClient or Config.Clone and do not wish to blindly resume
connections established with the original Config must use VerifyConnection
instead (or SetSessionTicketKeys or SessionTicketsDisabled).
For more details, see the announcement:
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
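The VerifyConnection mitigation named in the CVE-2025-68121 text above, as an added example (not code from the Buildroot commit or from the Go project): each Config returned by GetConfigForClient re-verifies the client chain against its own CA pool, so the check also covers resumed connections. The function names, the tenant map keyed on SNI, the "a.example"/"b.example" names and the throwaway certificates are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// requireClientCA returns a VerifyConnection callback. Unlike
// VerifyPeerCertificate, VerifyConnection also runs on resumed connections.
func requireClientCA(pool *x509.CertPool) func(tls.ConnectionState) error {
	return func(cs tls.ConnectionState) error {
		if len(cs.PeerCertificates) == 0 {
			return fmt.Errorf("client certificate required")
		}
		inter := x509.NewCertPool()
		for _, c := range cs.PeerCertificates[1:] {
			inter.AddCert(c)
		}
		opts := x509.VerifyOptions{Roots: pool, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		if _, err := cs.PeerCertificates[0].Verify(opts); err != nil {
			return fmt.Errorf("client chain not rooted in this Config's CAs (resumed=%v): %w", cs.DidResume, err)
		}
		return nil
	}
}

// serverConfig picks a per-tenant client CA by SNI (hypothetical routing table).
// The cloned Configs share session ticket keys, so each enforces its own CA.
func serverConfig(base *tls.Config, tenants map[string]*x509.Certificate) *tls.Config {
	srv := base.Clone()
	srv.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		ca, ok := tenants[hello.ServerName]
		if !ok {
			return nil, fmt.Errorf("unknown tenant %q", hello.ServerName)
		}
		cfg := base.Clone()
		cfg.ClientCAs = x509.NewCertPool()
		cfg.ClientCAs.AddCert(ca)
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.VerifyConnection = requireClientCA(cfg.ClientCAs)
		return cfg, nil
	}
	return srv
}

// checkResumed hands the callback what it sees on a resumed handshake: peer
// certificates restored from the session, with DidResume set.
func checkResumed(srv *tls.Config, sni string, leaf *x509.Certificate) error {
	cfg, err := srv.GetConfigForClient(&tls.ClientHelloInfo{ServerName: sni})
	if err != nil {
		return err
	}
	return cfg.VerifyConnection(tls.ConnectionState{DidResume: true, PeerCertificates: []*x509.Certificate{leaf}})
}

// issue creates a throwaway certificate (constructed test data, key usage left
// unset for brevity); with a nil parent it is self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	caA, keyA := issue("Tenant A CA", true, nil, nil)
	caB, _ := issue("Tenant B CA", true, nil, nil)
	leaf, _ := issue("client-a", false, caA, keyA)
	srv := serverConfig(&tls.Config{}, map[string]*x509.Certificate{"a.example": caA, "b.example": caB})
	fmt.Println("tenant A:", checkResumed(srv, "a.example", leaf))
	fmt.Println("tenant B:", checkResumed(srv, "b.example", leaf))
}
```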
Blake3 unconditionally enables C++ support, which unconditionally
requires C++20 when built with cmake >= 3.12, even when this is not
required.
Fixing this does not look trivial, and rather than botching the build,
just require C++20, available from gcc 8.x onward.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Use of threading requires a C++20 compiler, and the oneTBB
implementation. oneTBB is missing from Buildroot, but a system
one may be used if found.
Even if the default for threading is disabled, explicitly state so,
in case the default changes in the future.
Also disable examples, we don't and won't need them.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Ensure that the SHA_CRYPT option is enabled when the system configuration is
set to SHA256/512, as otherwise passwd complains when a password is changed:
passwd
...
Invalid ENCRYPT_METHOD value: 'SHA512'.
Defaulting to DES.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As described in https://gitlab.com/buildroot.org/buildroot/-/issues/160, the
github mirror is getting shut down - So move to the sourceware.org git repo.
The github mirror was originally used because of performance and reliability
issues with sourceware, but that seems to be resolved now after server/RAM
upgrades - E.G. from the sourceware news:
April 22, 2024
server2.sourceware.org now has 512GB RAM, thanks Red Hat.
https://sourceware.org/
So change back to fetch glibc (and localedef) from sourceware.org over git.
Notice: The git archiving leads to slightly different paths and permissions
in the tarball, but the file content is identical:
    mkdir a && tar -C a -x --strip-components=1 -f \
        path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125.tar.gz
    mkdir b && tar -C b -x --strip-components=1 -f \
        path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125-git4.tar.gz
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien:
- add missing SoB line
- fix command lines in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Unfortunately, if all optee-related packages are not updated at the same
time, optee-test will not build. This commit bumps all the optee
components at once.
The version bump is needed since optee-examples and optee-test can no
longer compile (compatibility with CMake < 3.5 has been removed from
CMake).
For release details, see:
https://github.com/OP-TEE/optee_os/blob/4.9.0/CHANGELOG.md#op-tee---version-490-2026-01-16
Signed-off-by: Jakob Kastelic <jkastelic@thinksrs.com>
[Julien: add link to release details]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 0e3ddc9dc8 "{linux,
linux-headers}: split hash file in before and from 6.17" there are two
hash file variants, and symlinks for the individual versions. These
were not updated in 48186093fd "bump
5.{10, 15}.x / 6.{1, 6, 12, 18}.x series".
Fixes: 48186093fd
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Swig has a compiled in absolute path to its data files, which can be
overridden using the SWIG_LIB environment variable:
https://github.com/swig/swig/blob/v4.1.1/Source/Modules/main.cxx#L931-L945
This unfortunately means that host-swig misbehaves when used in the SDK, as
this points to the ${HOST_DIR}/bin of the build, which may not be available
when the SDK is used.
The issue was reported upstream but rejected in
https://github.com/swig/swig/issues/253, so instead add a wrapper script
which calculates a sensible SWIG_LIB relative to the wrapper location unless
SWIG_LIB is set, similar to how we do it for E.G. gcc or pkgconf.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: add quotes to make shellcheck happy]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit [1] introduced a patch to fix CVE-2025-62291. Since [2] the
security patches need to reference the vulnerability with the `CVE: `
trailer in the patch header.
[1] b009935e27 package/strongswan: add patch to fix CVE-2025-62291
[2] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
On Buildroot 2025.05.3, Meson's custom LLVM parser uses llvm-config
with a default search path of /usr/bin, causing it to detect the host
system's llvm-config (version 18.1.3) instead of the buildroot-compiled
one. This forces all LLVM-related packages to match version 18.1.3, but
since the host system lacks llvmspirvlib, the build fails. This patch
forces Meson to use the buildroot-compiled llvm-config.
On the master branch, the meson is somehow able to find the right
llvm-config, so reproduction only seems to be possible if the host
machine ships with a newer version than the one buildroot is using.
llvm-config found: YES
([...]/output/host/bin/llvm-config)
21.1.8
Run-time dependency LLVM (modules: bitwriter, core, coverage, engine,
executionengine, instcombine, irreader, libdriver, linker, lto,
mcdisassembler, mcjit, native, option, scalaropts, target,
transformutils, all-targets, coroutines, frontenddriver, frontendhlsl,
lto, windowsdriver) found: YES 21.1.8
Note that LLVM_CONFIG is a CMake option, not a Meson one. This is because
Meson has custom dependency resolution logic for LLVM (see
https://mesonbuild.com/Dependencies.html#llvm). The EXTRA_BINARIES mechanism
cannot be used here, as it only applies to cross-compilation scenarios, which
does not apply to host-mesa3d builds.
Reproduction (On BR2 tag: 2025.05.3):
BR2_x86_64=y
BR2_x86_atom=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_GLIBC_STABLE=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.24"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/pc/linux.config"
BR2_LINUX_KERNEL_INSTALL_TARGET=y
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_LLVM=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_I915=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_IRIS=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
Fixes:
llvm-config found: YES (/usr/bin/llvm-config-18) 18.1.3
Run-time dependency LLVM (modules: bitwriter, core, coverage, engine, executionengine, instcombine, irreader, libdriver, linker, lto, mcdisassembler, mcjit, native, option, scalaropts, target, transformutils, all-targets, coroutines, frontenddriver, frontendhlsl, lto, windowsdriver) found: YES 18.1.3
Dependency LLVMSPIRVLib found: NO. Found 15.0.0.0 but need: '>= 18.1' ; matched: '>= 15.0.0.0', '< 18.2'
Run-time dependency llvmspirvlib found: NO (tried cmake)
output/build/host-mesa3d-25.0.6/meson.build:1882:21: ERROR: Dependency lookup for LLVMSPIRVLib with method 'pkgconfig' failed: Invalid version, need 'LLVMSPIRVLib' ['>= 18.1'] found '15.0.0.0'.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
[Romain:
- Update the commit title
- Update commit log about this issue on master branch
https://lore.kernel.org/buildroot/CACXRmJh1-5Cy92kF9TM5nDs_uB90WAe5iOGmNNL2E-cMhJE7GA@mail.gmail.com/
]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Buildroot commit [1] introduced a new Buildroot-Initialize.cmake file,
to mimic the upstream Linux-Initialize.cmake.
However, this upstream file was introduced in commit [2], which was
introduced in CMake 3.27.
When compiling a cmake package on a host with a cmake older than
version 3.27 (for example, the Buildroot Docker reference image has
cmake 3.25), the configuration fails with the error:
CMake Error at /buildroot/output/host/share/buildroot/Platform/Buildroot-Initialize.cmake:1 (include):
include could not find requested file:
Platform/Linux-Initialize
Call Stack (most recent call first):
/usr/share/cmake-3.25/Modules/CMakeSystemSpecificInitialize.cmake:21 (include)
CMakeLists.txt:20 (project)
CMake version < 3.27 is setting its LINUX predefine elsewhere (see
commit log of [1]), so this commit fixes the issue by simply making
the include optional. This will guarantee the cmake predefines will
be present in all the cases.
Fixes:
[1]
[1] ef9f0a07ed
[2] cc737ae829
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The old URL now leads to an HTTP 404 not found error.
Update it to the new one which contains the hashes for the current
release as well as older ones.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
The current 'install' target comprises 'install-libs', 'install-apps'
and 'install-docs'.
In our case we don't want to install documentation to the target, so
just run the other two.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
It should be noted that because the python bindings have wrong default
include dirs, they are useless if the includes are not provided
externally.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When BR2_UCLIBC_INSTALL_UTILS is enabled, utils such as getconf, ldd,
locale get installed to TARGET_DIR. However, they do not get installed
to STAGING_DIR, which is annoying as it means that they are not part
of external toolchains built by Buildroot.
This commit adjusts the uclibc package to make sure those tools also
get installed to STAGING_DIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The UCLIBC_INSTALL_UTILS_STAGING is really badly named, as it doesn't
install anything to STAGING_DIR. Instead, it installs the host variant
of ldd and ldconfig into $(HOST_DIR)/bin. Therefore, rename it to
UCLIBC_INSTALL_HOST_UTILS.
This is important as a follow-up commit will re-introduce a
UCLIBC_INSTALL_UTILS_STAGING variable which really installs things
into STAGING_DIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Upstream is dead, website unreachable, and the use case in 2026 is
dubious, so drop the package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ukify tool can be used to create Unified Kernel Images.
Signed-off-by: Bram Vlerick <bram.vlerick@openpixelsystems.org>
[Arnout:
- Remove the target option.
- Use enabled/disabled instead of true/false.
- Always enable for host build.
- Add dependency on host-python-pefile.
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
When building system binaries you may not even want TCG support if you
are only intending to use KVM. Provide the options so the user can
select only what they need.
With only KVM selected the QEMU build will generally only build the
binary for your target system. We keep TCG support on by default so as
not to break existing defconfigs.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Although it is possible to configure an AArch64 CPU without support
for EL2 in practice all the common AArch64 have supported
virtualisation from the start.
If we really wanted to be strict we could blacklist known non-EL2 CPUs
but AFAICT all the current ones in the config have EL2.
I should also note KVM on Arm is deprecated and was removed from the
kernel in v6.10.
Reviewed-by: Jesse Taube <jesse@rivosinc.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The current generated cJSONConfig.cmake holds hard coded path of libraries and makes it impossible to use in SDKs.
Use CMakePackageConfigHelpers and @PACKAGE_INIT@ to make them suit for real environment dynamically.
Signed-off-by: Guillaume Chaye <guillaume.chaye@zeetim.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The .mk file currently states:
If LWS_MAX_SMP=1, then there is no code related to pthreads
compiled in the library. If unset, LWS_MAX_SMP defaults to 32 and a
small amount of pthread mutex code is built into the library.
However, this is incorrect: when unset, LWS_MAX_SMP is actually set to
1, so mutexes aren't built in.
To fix, set it to 32 explicitly when threads are enabled. Why 32?
Because
https://libwebsockets.org/lws-api-doc-master/html/md_README.coding.html
states:
You can control the context basic data allocation for
multithreading from Cmake using -DLWS_MAX_SMP=, if not given it's
set to 32.
Signed-off-by: Bart Van Severen <bart.vanseveren@barco.com>
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When given a certificate directory with --with-ca-path, curl doesn't
list the files in that directory. Instead, it uses the certificate hash
to directly open the requested CA certificate. Therefore, putting a
bundle in that directory and removing all the individual certificates is
not possible.
In order to support use of the bundle, a separate configuration option
--with-ca-bundle is needed. With this option, it is possible to remove
the individual certificates and include just the bundle, which reduces
the size of the root filesystem a bit.
Note that the bundle is generated by the ca-certificates package, which
also installs the individual certificates and the hash symlinks. It
keeps both individual certificates and the bundle in the target.
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Changes:
- Fix memory leak in which() on realloc() failure
- Fix pidfile() to handle missing trailing slash in prefix path
Changes to src/pidfile.c do not affect the licensing terms, but
require updating the hash of this file that is used as one of the
license files.
https://github.com/troglobit/libite/releases/tag/v2.6.2
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Unfortunately, parts of the library are not very no-MMU friendly atm.
The below check fails due to runbg.c requiring fork().
$ ./utils/test-pkg -c libite.config -p libite
bootlin-armv5-uclibc [1/6]: OK
bootlin-armv7-glibc [2/6]: OK
bootlin-armv7m-uclibc [3/6]: FAILED
bootlin-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
arm-aarch64 [6/6]: OK
The dependency was introduced in libite v2.6.0, so this patch should
be backported to v2025.02.x.
Fixes:
https://autobuild.buildroot.net/results/6c6fd2ae410a82c44da54ee13a09a38a7ab220c1/
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the latest U-Boot update, U-Boot now handles this step in the
board setup removing the need to set this from a custom boot script.
Remove redundant fdt set command from boot script.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump Linux to latest release tag: linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a kernel bump to
v6.12.48.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump U-Boot to latest release tag: linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a U-Boot version
bump to v2025.07.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump Linux to latest release tag linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a kernel version
bump to v6.12.48 and a GPIO driver fix.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Bump U-Boot to latest release tag linux4microchip+fpga-2025.10. This
includes the latest features and bug fixes. Included is a U-Boot version
update from v2023.07 to v2025.07.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
There are several use cases for installing additional files in the boot
partition that is read by the RPi firmware.
- autoboot.txt is an optional configuration file for the RPi
firmware [1]. Supporting several autoboot files will enable A/B
setups, as using the renameat2() system call with the RENAME_EXCHANGE
flag will let users atomically replace one autoboot configuration
file with the other. This improves reliability in the case of an
update which could potentially be interrupted.
- Multiple cmdline.txt files are useful in the context of a new
[boot_partition] conditional filter introduced in config.txt in
commit [2]. This is useful for A/B systems to have identical BootFS
partitions on both slots, and not have to edit the kernel command line
to ensure the kernel will load the right rootFS after update of the
BootFS.
- rpi-firmware contains DTB overlays for many "standard" hats, but a
custom hat may require a custom overlay.
Although it is possible to install additional files in the boot
partition in the post-image script, it is very convenient to be able to
use the standard RPi post-image script in
board/raspberrypi/post-image.sh. That script looks in
$BINARIES_DIR/rpi-firmware, so it is convenient to be able to place
additional files there.
Add the option BR2_PACKAGE_RPI_FIRMWARE_EXTRA_FILES which is simply a
list of files to be copied to $BINARIES_DIR/rpi-firmware, which will
eventually end up as the boot partition. Make sure that this is done as
the last step of RPI_FIRMWARE_INSTALL_IMAGES_CMDS, so the files can
override files installed by earlier steps.
[1] https://www.raspberrypi.com/documentation/computers/config_txt.html#autoboot-txt
[2] d50b2b32f1
Signed-off-by: Olivier Benjamin <olivier.benjamin@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
For release notes, see:
https://gitlab.winehq.org/wine/wine/-/releases/wine-11.0
The --without-osmesa configure option was removed upstream, in
commit [1]. This commit removes the options from _CONF_OPTS.
Also, since upstream commit [2], the /usr/bin/wine program became
a "tool". It needs to be enabled when cross-compiling. As suggested
in [3], this commit adds --enable-tools in WINE_CONF_OPTS.
This commit also updates the LICENSE file hash, after year
update in [4].
[1] 370e7d9a50
[2] 6d28db86c9
[3] https://bugs.winehq.org/show_bug.cgi?id=57847
[4] ab59cc16c5
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Adds a new user-configurable string to arch/Config.in.riscv, and in
arch/arch.mk.riscv appends it to GCC_TARGET_ARCH.
This enables custom extensions/combinations to be easily configured.
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Reviewed-by: Jesse Taube <Mr.Bossman075@gmail.com>
[Arnout:
- fix check-package warnings
- introduce ARCH_RISV_ISA_EXTRA to simplify stripping of quotes
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This commit adds the -N/--needs-update option, disabled by default,
to list only packages with newer upstream versions. All other packages
will be excluded from the HTML or JSON output.
Signed-off-by: Kadambini Nema <kadambini.nema@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Commit 105e4618c5 added a patch to fix
CMake 4 compatibility, but due to line endings issues the patch
doesn't apply properly. This commit fixes the patch so that it does
apply as it should.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Currently, the relocate-sdk.sh script scans the whole extracted SDK tree
to find instances of paths it needs to replace, which can take a
significant amount of time when the SDK is large, particularly relative
to the number of files that actually need to change.
However, the resulting list only depends on the SDK tarball itself, so
we can calculate it at build time and ship it with the tarball so
relocate-sdk.sh can use it directly.
Testing this on my machine with somewhat IOPS-limited rotating media,
the time goes down from:
$ time ./relocate-sdk.sh
Relocating the buildroot SDK from [...] to [...] ...
./relocate-sdk.sh 5.19s user 26.21s system 9% cpu 5:34.40 total
To:
$ time ./relocate-sdk.sh
Relocating the buildroot SDK from [...] to [...] ...
./relocate-sdk.sh 0.49s user 0.29s system 103% cpu 0.749 total
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Commit [1] bumped glibc from 2.42-3-gbc13db739 to 2.42-51-gcbf39c26b
to fix some CVEs, but forgot to add those CVEs to GLIBC_IGNORE_CVES.
This was needed because the GLIBC_CPE_ID_VERSION used for CVE checks
remains to the same value "2.42" which is marked as vulnerable to
those CVEs.
This commit adds those _IGNORE_CVES with the corresponding upstream
commit references, to make sure they will not be reported by the
"make pkg-stats" command.
Fixes:
- [1]
[1] 18de297a5a
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When running "make pkg-stats" on a host with Python 3.14 (e.g.
Fedora 43 for example), the execution fails with the error:
Checking URL status
Traceback (most recent call last):
File "/buildroot/support/scripts/pkg-stats", line 1387, in <module>
__main__()
~~~~~~~~^^
File "/buildroot/support/scripts/pkg-stats", line 1368, in __main__
loop = asyncio.get_event_loop()
File "/usr/lib64/python3.14/asyncio/events.py", line 715, in get_event_loop
raise RuntimeError('There is no current event loop in thread %r.'
% threading.current_thread().name)
RuntimeError: There is no current event loop in thread 'MainThread'.
This is due to a breaking change introduced in Python 3.14
asyncio.get_event_loop(). See [1]. Before Python 3.14, this call was
creating and setting an event loop if there was none. This situation
is now a runtime error.
In order to fix this issue with newer Python version, while keeping
backward compatibility, this commit replaces the code:
    loop = asyncio.get_event_loop()
by an explicit event loop creation:
    loop = asyncio.new_event_loop()
    asyncio.set_event_loop(loop)
This commit was tested on a Fedora 43 host with Python-3.14.2, and
with the Buildroot Docker image plus the python3-aiohttp package
which is a Debian 12 with Python-3.11.2.
[1] https://docs.python.org/3.14/library/asyncio-eventloop.html#asyncio.get_event_loop
Signed-off-by: Julien Olivain <ju.o@free.fr>
Tested-by: Vincent Fazio <vfazio@xes-inc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commits [1] and [2] are installing host SDK files in
"$(HOST_DIR)/usr/share".
check-package (see [3]) reports the error:
package/pico-sdk/pico-sdk.mk:23: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
package/pico-sdk/pico-sdk.mk:24: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
package/picotool/picotool.mk:15: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
This commit installs the host SDK files to "$(HOST_DIR)/share" to fix
this error.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12970341499
[1] ceb800d3c6
[2] 926381d360
[3] 29a0dd4a30
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Currently, when both libnss and GnuTLS are present, NetworkManager will
get linked to libnss.
The NetworkManager project doesn't recommend one over the other
officially and has supported both from day one back in 2007.
Arguments which one to prefer can be made in either direction:
Points in favor of libnss:
- It's the default value in the NM build system, so it would be the
preferred backend if both are available and we didn't supply any
options to the build process
- It's probably the more mature of the two, given that it's being used
in Mozilla products
Points in favor of GnuTLS:
- While both backends seem feature-equivalent, the
_nm_crypto_verify_pkcs8 function is stubbed out in the libnss
code[1].
- Both Debian and Fedora explicitly select GnuTLS in their packages. At
least in the case of Fedora it seems to have been a conscious
choice[2].
Given what it's actually used for in the code base, the choice does not
matter a lot. However, since it is marginally more feature-complete and
seems to be preferred by other distributions, let's switch to GnuTLS.
[1] 36f8de25c4/src/libnm-crypto/nm-crypto-nss.c (L523-540)
[2] 29a9c41bea
Signed-off-by: Florian Larysch <fl@n621.de>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
The network-manager package currently pulls in either gnutls or libnss,
neither of which are very common and it might be the only reason why
they are present on a system.
However, most of NetworkManager works just fine without any cryptography
support, it only seems to be used in test cases and 802.1X support code.
Remove the dependency but use a library if it is present.
Note that this changes the default behavior. If network-manager was the
only package pulling in gnutls, it won't do this anymore and use the
"null" backend. Add a note about this to the manual.
Signed-off-by: Florian Larysch <fl@n621.de>
Tested-by: Marcus Hoffmann <buildroot@bubu1.eu>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Marcus: Change buildroot version to 2026.02 in migrating.adoc]
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Add BR2_PACKAGE_DPDK_APPS_LIST to control which DPDK applications are
built:
- empty : use DPDK defaults
- none : disable all apps (-Ddisable_apps='*')
- list : pass to -Denable_apps= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_LIBS_LIST to control which DPDK libraries are
built:
- empty : use DPDK defaults
- none : disable all libs (-Ddisable_libs='*')
- list : pass to -Denable_libs= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_DRIVERS_LIST to control which DPDK applications are
built:
- empty : use DPDK defaults
- none : disable all drivers (-Ddisable_drivers='*/*')
- list : pass to -Denable_drivers= (comma-separated)
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
[Julien: slightly change the drivers Config.in help text:
- rename net/ixgbe to net/intel/ixgbe
- change find -maxdepth value to 3
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
When the host system has asciidoctor and po4a/poman installed,
util-linux detects them and automatically enables manual pages and
their translations. This can significantly increase the package
build time (in my case, from 20s to 1m50s). See upstream
commit [1] and [2].
Since manual pages are not needed in Buildroot, this commit adds in
_CONF_OPTS for host and target variants the options to always
disable the detection of those programs (--disable-asciidoc
--disable-poman). This will always disable the generation of manual
pages.
Note: Buildroot attempts to globally disable documentation for
autotools packages by passing various --disable-docs configure
options (see [3]), but those are not recognized by util-linux.
This commit also reorders the options for UTIL_LINUX_CONF_OPTS.
[1] 9acfc349e0
[2] 236421a491
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.11/package/pkg-autotools.mk#L184-186
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
There are multiple defconfig fragments we can select to modify the final
tiboot3.bin image to support different boot methods or enable features
supported by a board. Allow the ti-k3-r5-loader package to select
defconfig fragments during a build.
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
LLVM is already implicitly enabled for host-mesa3d when
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER is selected. This blind
option is automatically enabled when LLVM is required by drivers such
as intel-iris, panfrost, imagination, or intel-vulkan.
The BR2_PACKAGE_MESA3D_LLVM option also independently selects host-llvm,
but this change makes the dependency more explicit for host-mesa3d
builds.
Note that disabling LLVM is not possible for host-mesa3d, as the build
will fail with:
../../../br-test-pkg/bootlin-armv5-uclibc/build/host-mesa3d-25.3.2/meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Backport two security fixes from upstream. They are in newer releases,
but to facilitate backporting to our LTS releases, this backports the
fixes.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The dependencies on Boost.System, Boost.Filesystem were removed in
v23.0 [0][1] and Boost.Thread in v21.99 [2].
This was never reflected in the Buildroot package so do it now.
[0] 07269321f3
[1] b87f9c5edf
[2] 06e1d7d81d
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit [1] added the "Upstream:" package patch tag, but forgot to
remove the corresponding .checkpackageignore entry.
This commit fixes that.
Fixes:
package/efl/0001-ecore_fb-fix-build-with-tslib.patch:0: lib_patch.Upstream was expected to fail, did you fix the file and forget to update .checkpackageignore?
[1] bac34296bf
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Fix flake8 warning, use http.server instead of relying on
connectivity]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patch 0001 has the upstream information, just not properly formatted,
so we fix this.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Thomas: extracted from a bigger patch from Bernd]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
According to the official requirements, bindgen needs libclang to
parse C/C++ headers. libclang is loaded at runtime by bindgen, which
is why we didn't notice any build issue. However, using bindgen on a
simple header file blows up:
thread 'main' panicked at bindgen/lib.rs:616:27:
Unable to find libclang: "couldn't find any valid shared libraries matching: ['libclang.so', 'libclang-*.so', 'libclang.so.*', 'libclang-*.so.*'], s
et the `LIBCLANG_PATH` environment variable to a path where one of these files can be found (invalid: [])"
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
So far, bindgen was only used by mesa3d, and it turns out that mesa3d
also depends on clang, which pulls in host-clang, so the problem was
not visible. However, as we're about to use bindgen for other
things (namely Rust support in Linux), this issue needs to be fixed.
See:
https://rust-lang.github.io/rust-bindgen/requirements.html
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mpg123 supports (and prefers) SDL2 as well for the sdl backends since 1.26.9
with:
792615f651
So support that here as well.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Arm Trusted Firmware (TF-A) can be used to load U-Boot or another
bootloader, which in turn loads the Linux kernel. However, TF-A is
capable of loading the kernel directly. To this end, we need to define
the BL33 and BL33_CFG compile options containing, respectively, the
zImage and the DTB.
This config introduces a new config option,
BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33, which sets the BL33 and
BL33_CFG parameters, and ensures that the kernel is built before the
TF-A by having linux as a _DEPENDENCY of the TF-A.
Signed-off-by: Jakob Kastelic <kastelic.jakob@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The new target provides a convenient way to run utils/check-package on
any external trees, using .checkpackageignore files from the
respective trees if present.
While .checkpackageignore should be used as little as possible, in a
few cases adding overrides for false-positives to the affected files
is not feasible, a practical example of this is a Markdown file
misidentified as Python by libmagic (likely due to code blocks).
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Arnout: set ${ignore} explicitly to empty, in case it exists in the
environment.]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The test failed in the past, due to kbd build failure. See [1].
This specific issue was fixed by commit [2].
This commit was originally written to work around this issue, which was
unrelated to the actual package being tested. Since systemd-vconsole
is not needed anyway, this commit removes it from the test config.
[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/12363929666
[2] d98d9ba28f
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: reword the commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Testing with a really old toolchain is helpful to catch issues related
to kernel headers version issues, gcc version issues, etc. We chose a
glibc toolchain though as old musl or uClibc-ng versions tend to lack
a number of features that are needed by modern software.
This toolchain is placed near the top of toolchain-configs.csv, so
that it is used as part of the "base" set of toolchain that test-pkg
uses, even without the -a option.
test-pkg takes the 6 first toolchains of this CSV file for its base
test, and actually the comment in toolchain-configs.csv was wrong
since commit 53a8c5150e, which removed a
toolchain from the base set, but not realizing that test-pkg would
anyway continue to test the first 6 toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The prebuilt MIPS64 toolchains are very old, causing build issues (for
example recently with the systemd v258 update). Replace them both with a
single toolchain configuration that uses one of the mips64el Bootlin
toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
- br-i386-pentium4-full.config as an x86 32-bit toolchain test is
already reasonably covered by bootlin-x86-i686-musl.config
- br-microblazeel-full-internal.config as a Microblaze toolchain test is
already reasonably covered by bootlin-microblazeel-uclibc.config
- br-powerpc-internal-full.config and br-powerpc-603e-basic-cpp.config
as PowerPC 32-bit toolchain tests are already reasonably covered by
bootlin-powerpc-e500mc-uclibc.config
- br-powerpc64-power7-glibc.config as a PowerPC 64-bit toolchain test
is already reasonably covered by
bootlin-powerpc64le-power8-glibc.config
- br-riscv64-full-internal.config as a RISC-V 64-bit toolchain test is
already reasonably covered by bootlin-riscv64-glibc.config and
bootlin-riscv64-musl.config
- br-s390x-z13-internal-glibc.config as a s390 toolchain test is
already reasonably covered by bootlin-s390x-z13-glibc.config
- br-xtensa-full-internal.config as an Xtensa toolchain test is
already reasonably covered by bootlin-xtensa-uclibc.config
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Building internal toolchains takes a long time, and since the
difference between the 3 internal ARM toolchains is just the libc,
and we're already testing uclibc/musl with external toolchains, it
doesn't make much sense to build 3 different ARM internal toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
We're already testing the ARC architecture with one Bootlin toolchain,
it doesn't make sense to also test with two Buildroot internal
toolchains the ARC architecture, which is not a primary architecture
for Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Added four upstream patches backported from FreeRDP 3.x.
The remaining build error:
/home/bernd/buildroot/output/build/freerdp-2.11.7-18-g0ee17e2f8e49d56ab5b90d5160fa8f87ffc445e0/
channels/client/tables.c:129:22:
error: initialization of ‘UINT (*)(void)’ {aka ‘unsigned int (*)(void)’}
from incompatible pointer type ‘UINT (*)(void *)’ {aka ‘unsigned int (*)(void *)’}
[-Wincompatible-pointer-types]
129 | { "oss", "", oss_freerdp_rdpsnd_client_subsystem_entry },
is fixed by adding -Wno-incompatible-pointer-types to CFLAGS due to
tables.c being dynamically created during the build and backporting the
supposed upstream fix
fe6d861a5c
is too invasive.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We're about to bump abseil to a version >= 20250512.02, which requires
C++17, meaning that protobuf/grpc will also need C++17. This in turn means
that the grpc support in collectd will also need C++17.
So just like our current patch 0002-configure.ac-fix-grpc-build.patch
updates the collectd logic from C++11 to C++14, this new
patch (accepted upstream) updates the collectd logic again from C++14
to C++17.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In linux 6.17, the license file LICENSES/preferred/GPL-2.0 was modified.
As a result, also its hash changed, and the hash was duly updated in
commit d6c0f0015b. Of course, this is only
valid for kernel versions from 6.17 - but at the time, we only set
LINUX_LICENSE_FILES for the latest kernel version, not for any other
kernel versions.
Since commit 305a2d91731fade45f35c259cb012bdf17e8dbeb, we also set
LINUX_LICENSE_FILES for all other versions, including e.g. the CIP
versions. Similarly, we now set LICENSE_FILES for all linux-headers
versions. Thus, the hash check of the license file fails for all older
kernel versions.
Fix this by splitting the hash file in two hash files: before-6.17 and
from-6.17. We keep just two hash files rather than a separate one for
each version to limit the number of files that need to be updated when
bumping kernel versions. Create symlinks for all the CIP versions in
linux and for all supported versions in linux-headers.
Include the CIP versions as well for linux-headers. They are used when
the kernel is set to the CIP version and linux-headers to
same-as-kernel.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The linux-headers package was not providing any license file for any
version other than the latest one.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
For the headers-as-kernel case, use LINUX_LICENSE_FILES and disable the
Kconfig option entirely.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The AT91Bootstrap3 package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Note that version 3.X of at91bootstrap didn't have an open source
license and no license file either. Keep that behavior.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The ATF package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The Barebox package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The OpenSBI package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The OP-TEE OS package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The U-Boot package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The Linux package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Building berkeleydb is broken with a non-threaded toolchain with gcc >=
14.x:
../src/rep/rep_method.c:1740:25: error: implicit declaration of function
'__repmgr_get_nsites'; did you mean '__rep_get_nsites'?
[-Wimplicit-function-declaration]
1740 | return (__repmgr_get_nsites(env, n));
According to src/repmgr/repmgr_util.c, line 503+, the function
'__repmgr_get_nsites' mentioned in the gcc error message "may only be
called after threads have been started".
This source file repmgr_util.c belongs to REPMGR_OBJS according to
dist/Makefile.in, line 249+, which is, according to dist/configure.ac,
line 956, only built if thread support is present.
In a non-threaded build '__repmgr_get_nsites' does not exist causing the
build error.
To fix the build error we disable replication for non-threaded
toolchains.
Using gcc 13.x the build error does not occur, tested with this
defconfig:
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_GCC_VERSION_13_X=y
BR2_PACKAGE_BERKELEYDB=y
Using this minimal gcc 14.x-based defconfig
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_PACKAGE_BERKELEYDB=y
the build error can be reproduced.
The oldest build error of this kind, afaics, dates back to 2024-06-13:
https://autobuild.buildroot.net/results/e0d/e0d6bdbef01bee277b0da83605b2906af876058a/
Fixes:
https://autobuild.buildroot.net/results/792/792ed942d17bb8d00cd321536a102f6dd63b6a8a/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The package imports itself in setup.py to get the package-name and
version number. Doing this during the buildroot build would require
building host-python with sqlite support, which we are currently not set
up for. It also seems wasteful for just extracting the version number
and package name, so instead we replace the import by using a hardcoded
package-name and the version number stored in buildroot.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a defconfig to run Linux on a large range of 32-bit HP PA-RISC 1.1
Workstations, such as the HP 9000 700 and Visualize workstations.
While at it, add this defconfig to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Palo is a PA-RISC/Linux boot loader.
It can be used to make bootable disk images or network bootable images.
While at it, add this boot package to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a defconfig to run Linux on a HP Visualize B160L PA-RISC
Workstation, emulated with Qemu.
While at it, add this defconfig to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Romain Naour <romain.naour@gmail.com>
[Julien: update kernel to 6.18.7 to align with other qemu defconfigs]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add support for the Precision Architecture (a.k.a. PA-RISC),
a 32-bit architecture developed by Hewlett Packard.
While at it, add this arch to myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Julien Olivain <ju.o@free.fr>
[Julien: add "arch/" prefix in commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a host-picotool package to picotool.
This will allow users to build rpi pico applications on the host system.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add a host-pico-sdk package to pico-sdk.
This will allow users to build rpi pico applications on the host system.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
pico-sdk and picotool 2.x.x add support for the rp2350; bump package to
latest version.
picotool needs mbedtls for --hash --sign and --offset.
Clone submodules in pico-sdk to provide the necessary files for
picotool to build and link mbedtls and other optional libraries.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See here for changes:
https://nginx.org/en/CHANGES-1.28
Following security related issues are fixed:
*) Security: processing of a specially crafted login/password when using
the "none" authentication method in the ngx_mail_smtp_module might
cause worker process memory disclosure to the authentication server
(CVE-2025-53859).
*) Security: insufficient check in virtual servers handling with TLSv1.3
SNI allowed to reuse SSL sessions in a different virtual server, to
bypass client SSL certificates verification (CVE-2025-23419).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
Thanks to Nils Bars of CISPA.
Update patch 0007, which does not apply cleanly.
License file was changed, year was bumped to 2025.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For change log since 1.9.0, see:
https://codeberg.org/ivarch/pv/src/tag/v1.10.3/docs/NEWS.md
Upstream commit [1], included in version 1.9.42, introduced a use
of fork(). This commit adds this new dependency.
The pgp key ID used to sign the source archive changed. This commit
updates the comment in the hash file.
[1] fb7c05c262
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 99585db1e8 bumped the
package from version 9.21.4 to 9.33.0.
Upstream added std::atomic to drbdmon with commit
3baf945732
to version 9.25.0 causing build errors:
/home/autobuild/autobuild/instance-2/output-1/per-package/drbd-utils/host/bin/../lib/gcc/microblazeel-buildroot-linux-uclibc/14.3.0/../../../../microblazeel-buildroot-linux-uclibc/bin/ld:
MessageLogNotification.o: in function `MessageLogNotification::query_log_changed()':
(.text+0xe8): undefined reference to `__atomic_exchange_1'
Fixes:
https://autobuild.buildroot.net/results/741/741606000c26bc994f243b0b865d26ff25592caa/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since its introduction in [1], by default the `generate-cyclonedx`
script doesn't include buildroot's virtual packages in its 'components'
list, unless using the `--virtual` argument.
References to virtual packages present in the 'show-info' output are
filtered out in the resulting dependencies.
This patch fixes the default CycloneDX dependencies generation
without virtual packages to reference the packages that provide the
virtual package instead of just dropping the virtual package itself.
If we use the package `lbase64` that depends on the virtual package
`luainterpreter` as an example, the 'dependency' entry looks like the
following:
```
{
  "ref": "lbase64",
  "dependsOn": [
    "host-skeleton",
    "skeleton-init-common",
    "skeleton-init-sysv",
    "toolchain-external-bootlin"
  ]
}
```
The `luainterpreter` dependency is missing.
After applying this patch, the package that provides the `luainterpreter` is
present:
```
{
  "ref": "lbase64",
  "dependsOn": [
    "host-skeleton",
    "lua",
    "skeleton-custom",
    "skeleton-init-sysv"
  ]
}
```
In the case of a virtual package provided by multiple packages all those
packages will be listed. This happens when generating an SBOM on the
entire Buildroot packages.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since the introduction of the `generate-cyclonedx` script in [1] the
dependencies were 'recursive'. This means that the dependencies of a
package dependency were included.
The CycloneDX spec [2] states that only direct dependencies need to be
included.
This patch drops the recursive dependencies.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
[2] https://cyclonedx.org/docs/1.6/json/#dependencies
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
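The dependency handling described in the two generate-cyclonedx commits above (virtual packages replaced by their providers, direct dependencies only), as an added Python example; it is not code from Buildroot's script. The input is a constructed sample, and its "virtual" and "dependencies" keys as well as all function names are assumptions.

```python
import json

# Constructed sample shaped like a small part of `make show-info` output.
# Assumption: every entry has a boolean "virtual" and a "dependencies" list,
# and a virtual package lists its provider(s) as its dependencies.
SHOW_INFO = {
    "lbase64": {"virtual": False, "dependencies": [
        "host-skeleton", "luainterpreter", "skeleton", "toolchain"]},
    "luainterpreter": {"virtual": True, "dependencies": ["lua"]},
    "lua": {"virtual": False, "dependencies": [
        "host-skeleton", "skeleton", "toolchain"]},
    "skeleton": {"virtual": True, "dependencies": ["skeleton-init-sysv"]},
    "skeleton-init-sysv": {"virtual": False, "dependencies": [
        "host-skeleton", "skeleton-init-common"]},
    "skeleton-init-common": {"virtual": False,
                             "dependencies": ["host-skeleton"]},
    "toolchain": {"virtual": True, "dependencies": ["toolchain-external"]},
    "toolchain-external": {"virtual": True,
                           "dependencies": ["toolchain-external-bootlin"]},
    "toolchain-external-bootlin": {"virtual": False,
                                   "dependencies": ["host-skeleton"]},
    "host-skeleton": {"virtual": False, "dependencies": []},
}


def resolve_providers(name, pkgs, visiting=frozenset()):
    """Return the set of non-virtual packages that stand in for `name`.

    A non-virtual (or unknown) package resolves to itself. A virtual one
    resolves to its providers, followed through chains of virtual packages.
    `visiting` guards against a cycle of virtual packages.
    """
    info = pkgs.get(name, {})
    if not info.get("virtual", False):
        return {name}
    if name in visiting:
        return set()
    providers = set()
    for dep in info.get("dependencies", []):
        providers |= resolve_providers(dep, pkgs, visiting | {name})
    return providers


def direct_dependencies(name, pkgs, resolve=True):
    """Direct dependencies of `name` only, never the transitive closure.

    With resolve=False the raw names are kept, so virtual packages leak
    into the result even though they are not listed as components.
    """
    deps = set()
    for dep in pkgs[name].get("dependencies", []):
        deps |= resolve_providers(dep, pkgs) if resolve else {dep}
    deps.discard(name)
    return sorted(deps)


def build_sbom(pkgs, resolve=True):
    """Build a minimal CycloneDX-style document without virtual components."""
    real = sorted(n for n, i in pkgs.items() if not i.get("virtual", False))
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "components": [
            {"type": "library", "bom-ref": n, "name": n} for n in real],
        "dependencies": [
            {"ref": n, "dependsOn": direct_dependencies(n, pkgs, resolve)}
            for n in real],
    }


def dangling_refs(bom):
    """Names used in any dependsOn list that no component declares."""
    known = {c["bom-ref"] for c in bom["components"]}
    used = {d for entry in bom["dependencies"] for d in entry["dependsOn"]}
    return sorted(used - known)


if __name__ == "__main__":
    bom = build_sbom(SHOW_INFO)
    entry = next(d for d in bom["dependencies"] if d["ref"] == "lbase64")
    print(json.dumps(entry, indent=2))
    print("dangling refs, resolved:", dangling_refs(bom))
    print("dangling refs, raw names:",
          dangling_refs(build_sbom(SHOW_INFO, resolve=False)))
```

Running `dangling_refs` over a generated SBOM is a cheap consistency check before feeding it to a tool that builds a graph from the `dependencies` section.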
The definition of the project name & version is stored under the
`metadata:component` CycloneDX property.
Since the introduction of the `generate-cyclonedx` script [1] a
'buildroot' dependency entry that depends on every component has been
part of the generated SBOM.
Tools such as 'DependencyTrack' rely on such an entry to create a graph of
the entire project.
With the commit [2] that introduced the option to pass a custom project
name and version, this dependency reference was not updated to match the
custom 'bom-ref'.
This patch fixes the reference to match the custom project name.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
[2] 9cbbc47762 utils/generate-cyclonedx: add project name and version options
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Brings additional optimizations and bugfixes:
Fix to heap buffer overflow in vp9_deblock, vp9_post_proc_frame, and
vp9_pack_bitstream.
Fix to integer overflow in vp9_highbd_post_proc, vp9_rc_regulate_q,
tiny_ssim, and vp9_calc_pframe_target_size_one_pass_cbr.
Fix to use-of-uninitialized-value in vp9_highbd_post_proc, mfqe, and
vp8_datarate_test.
Fix to out-of-bounds in log_tile_cols_from_picsize_level.
Fix to double free on initialization failure in vpx_codec_enc_init_multi.
Fix to division-by-zero crash in vpxenc with 0 FPS numerator input.
Fix to various build failures for Arm/SVE2, macOS cross-compilation, and
Xcode 16.
https://chromium.googlesource.com/webm/libvpx/+/refs/tags/v1.16.0
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps the Linux kernel to version 6.18.8 and U-Boot to version 2026.01.
Tested on FriendlyElec NanoPi R3S.
Signed-off-by: Patrik Olsson <johan.patrik.olsson@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This patch bumps the Linux kernel to version 6.18.8 and U-Boot to version 2026.01.
Tested on Radxa ROCK 4SE.
Signed-off-by: Patrik Olsson <johan.patrik.olsson@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Update all qemu defconfigs to the latest Kernel LTS version.
configs/qemu_ppc_*defconfig now requires host-libelf, so this commit
selects BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF for those.
This commit also enables zstd-compressed modules support in
qemu_loongarch64_virt_efi_defconfig, due to upstream commit [1] which
added CONFIG_MODULE_COMPRESS_ZSTD=y in its arch defconfig.
This commit also updates the custom hash file comment to add the
upstream link.
All updated defconfigs were tested (compiled and booted).
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3c272a7551af1c10f6dbba0e71add7dccc7733fa
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
https://github.com/nodejs/node/blob/v22.22.0/doc/changelogs/CHANGELOG_V22.md
List of security fixes:
22.22.0:
(CVE-2025-59465) add TLSSocket default error handler
(CVE-2025-55132) disable futimes when permission model is enabled lib,
permission:
(CVE-2025-55130) require full read and write to symlink APIs src:
(CVE-2025-59466) rethrow stack overflow exceptions in async_hooks src,
lib:
(CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill
toggle tls:
(CVE-2026-21637) route callback exceptions through error handlers
22.17.1:
(CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path
Traversal Protection in path.normalize()
Version 22.18.0 includes
a2d2d36bb1
which fixes build errors with python 3.14
"ImportError: cannot import name 'FancyURLopener' from 'urllib.request'"
introduced by buildroot commit a0a6abc8b1.
Updated license hash due to upstream commits:
ec60473ab10b5613f9fe0edf17198f
Switched _SITE to https.
Fixes:
https://autobuild.buildroot.net/results/da8/da82dc03cf0d42463fff1b5d9bf7a3c18cbf44dd/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Move the content referring to the LTS information from the 'support' page
into a dedicated page.
Also add LTS specific information about the sponsoring and the benefits.
This page also contains clarification on the release cycle of the LTS.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Fixes the following vulnerabilities:
CVE-2025-11187 - Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
CVE-2025-15467 - Stack buffer overflow in CMS AuthEnvelopedData parsing.
CVE-2025-15468 - NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
CVE-2025-15469 - ‘openssl dgst’ one-shot codepath silently truncates inputs >16MB.
CVE-2025-66199 - TLS 1.3 CompressedCertificate excessive memory allocation.
CVE-2025-68160 - Heap out-of-bounds write in BIO_f_linebuffer on short writes.
CVE-2025-69418 - Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
CVE-2025-69419 - Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
CVE-2025-69420 - Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
CVE-2025-69421 - NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
CVE-2026-22795 - Missing ASN1_TYPE validation in PKCS#12 parsing
CVE-2026-22796 - ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
For more details, see the announcement:
https://openssl-library.org/post/2026-01-27-release-announcement/
Drop now upstreamed 0004-Scope-aes_cfb128_vaes_encdec_wrapper-to-x64.patch:
f529d26591
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release announce, see:
https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000501.html
gnupg2 versions from 2.5.13 to 2.5.16 (inclusive) are affected by
the following issue:
A crafted CMS (S/MIME) EnvelopedData message carrying an oversized
wrapped session key can cause a stack buffer overflow in gpg-agent
during the PKDECRYPT--kem=CMS handling. This can easily be used for a
DoS but, worse, the memory corruption can very likely also be used to
mount a remote code execution attack. The bug was introduced while
changing an internal API to the FIPS required KEM API.
Fixes:
https://dev.gnupg.org/T8044
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerabilities:
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP
archives
archive/zip used a super-linear file name indexing algorithm that is
invoked the first time a file in an archive is opened. This can lead to a
denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm
When parsing a URL-encoded form net/http may allocate an unexpected amount
of memory when provided a large number of key-value pairs. This can
result in a denial of service due to memory exhaustion.
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated
session ticket keys, session resumption does not account for the
expiration of full certificate chain
The Config.Clone method allows cloning a Config which has already been
passed to a TLS function, allowing it to be mutated and reused.
If Config.SessionTicketKey has not been set, and
Config.SetSessionTicketKeys has not been called, crypto/tls will generate
random session ticket keys and automatically rotate them. Config.Clone
would copy these automatically generated keys into the returned Config,
meaning that the two Configs would share session ticket keys, allowing
sessions created using one Config to be used to resume sessions with
the other Config. This can allow clients to resume sessions even though
the Config may be configured such that they should not be able to do so.
- CVE-2025-61731: cmd/go: unexpected code execution when invoking toolchain
The Go toolchain supports multiple VCS which are used for retrieving modules
and embedding build information into binaries.
On systems with Mercurial installed (hg) downloading modules (e.g. via go
get or go mod download) from non-standard sources (e.g. custom domains)
can cause unexpected code execution due to how external VCS commands are
constructed.
On systems with Git installed, downloading and building modules with
malicious version strings could allow an attacker to write to arbitrary
files on the system the user has access to. This can only be triggered by
explicitly providing the malicious version strings to the toolchain, and
does not affect usage of @latest or bare module paths.
The toolchain now uses safer VCS options to prevent misinterpretation of
untrusted inputs. In addition, the toolchain now disallows module version
strings prefixed with a "-" or "/" character.
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the
incorrect encryption level
During the TLS 1.3 handshake if multiple messages are sent in records that
span encryption level boundaries (for instance the Client Hello and
Encrypted Extensions messages), the subsequent messages may be processed
before the encryption level changes. This can cause some minor
information disclosure if a network-local attacker can inject messages
during the handshake.
For details, see the announcement:
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit bf3626002f ("system cfg: remove mkpasswd MD5 format option") dropped
the MD5 option, so stop referring to it from the sha256 one to limit
confusion.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
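The effect described in the commit message above, as an added example that is not taken from the Buildroot scripts: two constructed script bodies whose last command succeeds, run with each combination of flags to show what exit status the calling 'make' would see. WORKDIR and IMAGE_NAME are hypothetical variable names.

```shell
#!/bin/sh
# Added example (not Buildroot code). Each body ends with a command that
# succeeds, so a plain shell script reports success to its caller even
# though an earlier step went wrong.

# Fault 1: a command fails (the input file does not exist).
BODY_CMD_FAILS='
cp "$WORKDIR/missing-input.bin" "$WORKDIR/out.img"
echo "image generated" > "$WORKDIR/status"
'

# Fault 2: a variable is unset, but no command fails because of it;
# the manifest is simply written with an empty value.
BODY_VAR_UNSET='
echo "image=$IMAGE_NAME" > "$WORKDIR/manifest"
echo "image generated" > "$WORKDIR/status"
'

# run_variant PROLOGUE BODY
# Runs BODY in a child shell, preceded by PROLOGUE (for example "set -eu"),
# with IMAGE_NAME unset. Prints "exit=<ok|fail> status_file=<yes|no>":
# the result the caller would see, and whether the final step still ran.
run_variant() {
    prologue=$1
    body=$2
    workdir=$(mktemp -d)
    rc=0
    (
        unset IMAGE_NAME
        WORKDIR=$workdir
        export WORKDIR
        sh -c "$prologue
$body"
    ) 2>/dev/null || rc=$?

    if [ "$rc" -eq 0 ]; then result=ok; else result=fail; fi
    if [ -f "$workdir/status" ]; then written=yes; else written=no; fi
    rm -rf "$workdir"
    echo "exit=$result status_file=$written"
}

# Print the full matrix when the file is run directly.
for prologue in "" "set -e" "set -u" "set -eu"; do
    printf '%-8s command fails: %s\n' "${prologue:-(none)}" \
        "$(run_variant "$prologue" "$BODY_CMD_FAILS")"
    printf '%-8s variable unset: %s\n' "${prologue:-(none)}" \
        "$(run_variant "$prologue" "$BODY_VAR_UNSET")"
done
```

Only 'set -eu' reports both faults: '-e' alone misses the unset variable, and '-u' alone misses the failed command.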
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Remove the '-x' option from the shebang, which was a leftover from the
debugging phase and not intended for the final submission.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a missing space in the "Creating SD card" section of the
documentation.
Fixes: 1a1239fd28 ("configs/stm32f769_disco_sd_defconfig: new defconfig")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a missing space in the "Creating SD card" section of the
documentation.
Fixes: 04a0094f0e ("configs/stm32f469_disco: fix kernel bootup")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Version 0.24.7 change log:
* decoder
- ffmpeg: allow seeking only if both AVFormatContext and InputStream allow it
* playlist
- cue: strip UTF-8 byte order marker
* Linux: disable the iowait state for io_uring
* fix GCC 16 compiler warning
* fix spurious linker failures
Signed-off-by: Andreas Ziegler <br025@umbiko.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Depends on python-numpy >= 2.0.0:
https://github.com/scipy/scipy/blob/v1.16.3/pyproject.toml#L41a3e2bb639b
Updated license hash due to copyright year bumps:
https://github.com/scipy/scipy/commits/v1.16.3/LICENSE.txt
qhull license file was moved upstream:
6d699dded496423e5279
Updated numpy path in PYTHON_SCIPY_MESON_EXTRA_PROPERTIES following
upstream commit:
923f219077
Test was successful:
$ utils/docker-run support/testing/run-tests -j33 -k -d dl -o output_folder tests.package.test_python_scipy.TestPythonPy3SciPy
09:59:22 TestPythonPy3SciPy Starting
09:59:23 TestPythonPy3SciPy Building
10:10:09 TestPythonPy3SciPy Building done
Downloading to /home/bernd/buildroot/dl/tmpw1frnmf9
Renaming from /home/bernd/buildroot/dl/tmpw1frnmf9 to /home/bernd/buildroot/dl/kernel-versatile-5.10.202
Downloading to /home/bernd/buildroot/dl/tmpiip1lach
Renaming from /home/bernd/buildroot/dl/tmpiip1lach to /home/bernd/buildroot/dl/versatile-pb-5.10.202.dtb
10:10:24 TestPythonPy3SciPy Cleaning up
.
----------------------------------------------------------------------
Ran 1 test in 661.922s
OK
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://numpy.org/news/
Add new supported architectures.
License hash changed due to date update:
c1ffdbc0c2
We need to build python-numpy with its vendored version of meson as
it currently relies on features that are not yet upstream. To do this
we can simply set the PYTHONPATH with the vendored meson path before
the normal PYTHON3_PATH so that the vendored version will have
precedence. We need to set this for both host and target numpy.
We also need to set the architecture specific longdouble_format
property as numpy is unable to determine the value for this without
being able to execute target binaries.
See:
3e7e5c3cab/doc/source/building/cross_compilation.rst
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Bernd:
Bumped to 2.4.0
Removed patch which is included in this release.
Updated license hashes due to upstream commits:
- copyright year bumps:
https://github.com/numpy/numpy/commits/v2.4.0/LICENSE.txt
- file move
tools/npy_tempita/license.txt -> numpy/_build_utils/tempita/LICENSE.txt
63a1fee8d186940987a9
- directory move core -> _core and various code updates
https://github.com/numpy/numpy/commits/v2.4.0/numpy/_core/src/multiarray/dragon4.c
- directory move core -> _core
https://github.com/numpy/numpy/commits/v2.4.0/numpy/_core/include/numpy/libdivide/LICENSE.txt
Following Romain's review
https://lists.buildroot.org/pipermail/buildroot/2024-November/767739.html
host-python-numpy was switched back to host-python-package to install the
f2py script needed by the upcoming bump of python-scipy. A dependency to
host-python-meson-python is also needed.
Removed PYTHON_NUMPY_LONGDOUBLE_FORMAT configure option for BR2_arceb
after this arch was removed from buildroot.
Changed path in PYTHON_NUMPY_FIXUP_NPY_PKG_CONFIG_FILES following
upstream commit
923f219077
and updated opencv4 as well]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Python 3.14 (not yet in Buildroot) introduced colors, enabled by
default, when the output is a terminal. This behavior can make the
pexpect pattern matching more difficult in some cases. See:
https://docs.python.org/3.14/using/cmdline.html#controlling-color
This commit globally disables the Python interpreter colors in the base
runtime Python test, by setting the NO_COLOR=1 environment variable.
Signed-off-by: Julien Olivain <ju.o@free.fr>
The --with-system-ffi was removed back in Python-3.12.0, in upstream
commit [1].
From the Python 3.12 release notes:
- gh-100540: Removed the ``--with-system-ffi`` ``configure`` option;
``libffi`` must now always be supplied by the system on all non-Windows
platforms. The option has had no effect on non-Darwin platforms for
several releases, and in 3.11 only had the non-obvious effect of invoking
``pkg-config`` to find ``libffi`` and never setting
``-DUSING_APPLE_OS_LIBFFI``. Now on Darwin platforms ``configure`` will
first check for the OS ``libffi`` and then fall back to the same
processing as other platforms if it is not found.
Buildroot includes such a Python 3.12.x version since commit [2].
When compiling python3 in Buildroot, the package configuration step
reports the warning:
configure: WARNING: unrecognized options: [...] --with-system-ffi
The commit drops the now defunct option.
[1] 25590eb5de
[2] 76cd14167f
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
[Julien: add links in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Support STM32h747i-disco board. It includes an STM32H747XI SoC with the
following resources:
- 2 Mbytes Flash
- 1 Mbyte SRAM
- LCD-TFT controller
- MIPI-DSI interface
- FD-CAN
- USB 2.0 high-speed/full-speed
- Ethernet MAC
- camera interface
Detailed information can be found at:
https://www.st.com/en/evaluation-tools/stm32h747i-disco.html
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2007, switch _SITE to active fork:
https://sourceforge.net/p/lmbench/patches/3/#4472
Removed patch 0009 which is included in this bump.
Rebased remaining patches.
Sent some existing patches to new active upstream repo and added
Upstream: tags.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Upstream added fork() to lib/canonicalize.c in version 2.34[1]
e101a9eb0f
but the resulting build errors on non-mmu archs were most likely masked
by previous build errors which are already fixed.
lib/canonicalize.c as part of libcommon is widely used so we need to add
the dependency to many Config.in options.
For an overview about its usage see
output/build/util-linux-2.41.2$ grep -r "LDADD = \$(LDADD) libcommon.la" * | grep Makemodule | cut -d ":" -f 2 | sort
Fixes:
https://autobuild.buildroot.net/results/34b/34b1f733fdfb5c5e30e631576f875398435ad115/
[1] Added to buildroot with commit bb216ed060
in 2019.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- I don't use grpc anymore and updates seem complicated to review,
so drop me from it and its dependency re2
- add packages I'm currently using
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Analysis of https://rg42.org/gitweb/?p=dbustriggerd.git:
last commit: 2014
Musl libc 1.2.5 removed the definition of the basename() function from
string.h and only provides it in libgen.h as the POSIX standard
defines it.
Instead of fixing an unmaintained package we remove it from buildroot,
no other package depends on it.
Fixes:
https://autobuild.buildroot.net/results/811/81170fe89e1f5b70c63657684de43175e621f762/
dbus-triggerd.c:150:27: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
150 | argv[argc++] = strdup(basename(handler_cmd));
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CVS project is no longer maintained upstream. It no longer builds
with GCC 14.x, has been failing to build for months in our
autobuilders with nobody caring about it.
We managed to fix the GCC 14.x build issue, then there are GCC 15.x,
some of them fixed by Debian patches, but some not. Overall, this is
too much effort, while upstream is completely dead.
So let's get rid of cvs entirely.
Fixes:
https://autobuild.buildroot.net/results/59f6e77106ac98535688ff5b9392b0b3ad3041ae/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The criu package was added in Nov 2023, and then bumped once in
December 2023. Since then, it has never been bumped again, and all
follow-up fixes were provided by other people than the original
package submitter listed in the DEVELOPERS file.
criu has seen several upstream releases since then, and most notably
is causing a number of build issues in our autobuilders:
https://autobuild.buildroot.net/?reason=criu-3.19
The package was never updated to those newer upstream releases, and
the autobuilder issues have not been addressed.
Therefore, let's drop this package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
gconf has not seen any release since 2013, and the last commit in
https://gitlab.gnome.org/Archive/gconf is from 2015.
The package example application basic-gconf-app fails to build with a
recent compiler such as GCC 14.x:
basic-gconf-app.c:458:60: error: passing argument 1 of ‘gtk_dialog_get_content_area’ from incompatible pointer type [-Wincompatible-pointer-types]
It is not entirely clear since when this breakage takes place, but
most likely since GCC 14.x was introduced. This issue can be
reproduced including on 2025.02.x with the following defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_LIBGTK3=y
BR2_PACKAGE_GCONF=y
However, for the build issue to happen you need to run:
$ make libgtk3
$ make
So that libgtk3 gets built before gconf. Indeed, there's a hidden
dependency between the two, and the example programs of gconf only get
built if libgtk3 is built before. We've however encountered the
problem in a (real) bigger build where the dependency relationship of
packages has caused libgtk3 to get built before gconf.
Note that we could perhaps have fixed the problem by disabling the
examples, but gconf is anyway so old and deprecated that it isn't
worth the effort.
There are no known autobuilder issues.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package is no longer maintained, no release since 2005, and it
has build issues as it uses too old XML APIs:
/home/thomas/projets/buildroot/output/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/include/libxml2/libxml/SAX.h:18:4: warning: #warning "libxml/SAX.h is deprecated" [-Wcpp]
18 | #warning "libxml/SAX.h is deprecated"
| ^~~~~~~
svgint.h:42:9: error: unknown type name 'xmlParserCtxtPtr'
42 | typedef xmlParserCtxtPtr svg_xml_parser_context_t;
| ^~~~~~~~~~~~~~~~
Fixes:
https://autobuild.buildroot.net/results/895fdba2f3fcaa42aa93946f2532351d39b16647/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This package is no longer maintained, no release since 2005, and its
dependency libsvg has build issues as it uses too old XML APIs:
/home/thomas/projets/buildroot/output/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/include/libxml2/libxml/SAX.h:18:4: warning: #warning "libxml/SAX.h is deprecated" [-Wcpp]
18 | #warning "libxml/SAX.h is deprecated"
| ^~~~~~~
svgint.h:42:9: error: unknown type name 'xmlParserCtxtPtr'
42 | typedef xmlParserCtxtPtr svg_xml_parser_context_t;
| ^~~~~~~~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
For release announce, see:
https://lists.gnupg.org/pipermail/gnupg-announce/2025q4/000500.html
Quoting the announce:
"""
Note that the 2.5 series is now declared the stable version of GnuPG.
The oldstable 2.4 series will reach end-of-life in just 6 months.
"""
Also, an important feature in the 2.5 series is the introduction of
Kyber (aka ML-KEM or FIPS-203) as PQC (Post-Quantum Cryptography)
encryption algorithm.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
EDK2 build may include extra options. Those are usually in the form
of "-D SOMEFLAG_ENABLE" and might be specific for a processor
architecture or a platform. For example:
"-D NETWORK_HTTP_BOOT_ENABLE", "-D NETWORK_TLS_ENABLE", ...
Those options are generally documented in their respective packages.
See for example:
https://github.com/tianocore/edk2/blob/master/OvmfPkg/README
This commit adds a new Kconfig string option to let the user define
arbitrary build flags.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In version 2.0.0 Linux support was removed:
https://lists.x.org/archives/xorg-announce/2025-August/003624.html
"This mouse driver is primarily used with BSD, GNU Hurd, illumos, &
Solaris systems. Linux systems should instead use either xf86-input-
libinput or xf86-input-evdev.
While versions 1.9.5 and earlier had rudimentary support for Linux as
well, that has been removed in this release."
Alternative packages can not be selected due to udev dependencies.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add extra info in Config.in.legacy comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
https://lists.x.org/archives/xorg-announce/2025-December/003649.html
Updated license hashes due to upstream commit:
f717637569
Added dependencies to host-pkgconf to fix a build error which would be
introduced by this bump due to configure being created by autoconf 2.72
instead of 2.71 which was used for xorgproto 2024.1.
The configure script at line 5146 now contains
if test -z "$PKG_CONFIG"; then
as_fn_error $? "pkg-config not found" "$LINENO" 5
fi
where the previous script would continue:
2024.1:
checking pkg-config is at least version 0.9.0... ./configure: line 4796:
/home/bernd/buildroot/output/per-package/xorgproto/host/bin/pkg-config: No such file or directory
no
checking build system type... x86_64-pc-linux-gnu
2025.1:
checking pkg-config is at least version 0.9.0... ./configure: line 5137:
/home/bernd/buildroot/output/per-package/xorgproto/host/bin/pkg-config: No such file or directory
no
configure: error: pkg-config not found
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.12.18 to 6.18.4
- updates arm-trusted-firmware from v2.12 to v2.14
- updates optee-os and clients from 4.5.0 to 4.8.0
- updates U-Boot from 2025.01 to 2026.01
- switches to Bootlin external glibc stable toolchain
- removes hash for linux-headers (no longer needed)
Those changes align the component versions of this defconfig
with rockpro64_defconfig.
Tested on board Rockpro64_V2.1 2018-07-02.
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This commit:
- updates the Kernel from 6.10.14 to 6.18.4
- updates arm-trusted-firmware from v2.11 to v2.14
- updates U-Boot from 2024.10 to 2026.01
- switches to Bootlin external glibc stable toolchain
- removes hash for linux-headers (no longer needed)
In order to reduce the differences with the rockpro64_ebbr_defconfig,
this commit also:
- slightly increases the rootfs size from 120M to 128M,
- unsets the rootfs tar archive which is not needed,
- removes rootfs.tar from board/pine64/rockpro64/readme.txt
Tested on board Rockpro64_V2.1 2018-07-02.
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Tested-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switch a handful of documentation/website links from http to https.
Signed-off-by: Preyas Sharma <preyas17@zohomail.in>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more info on the release, see:
- https://github.com/obgm/libcoap/compare/v4.3.5...v4.3.5a
- https://github.com/obgm/libcoap/blob/release-4.3.5-patches/ChangeLog
Fixes the following vulnerabilities:
- CVE-2025-59391:
A memory disclosure vulnerability exists in libcoap's OSCORE
configuration parser in libcoap before release-4.3.5-patches. An out-
of-bounds read may occur when parsing certain configuration values,
allowing an attacker to infer or read memory beyond string boundaries
in the .rodata section. This could potentially lead to information
disclosure or denial of service.
https://www.cve.org/CVERecord?id=CVE-2025-59391
- CVE-2025-65493:
NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5
allows remote attackers to cause a denial of service via a crafted
DTLS/TLS connection that triggers BIO_get_data() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65493
- CVE-2025-65494:
NULL pointer dereference in get_san_or_cn_from_cert() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted X.509 certificate that causes
sk_GENERAL_NAME_value() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65494
- CVE-2025-65495:
Integer signedness error in tls_verify_call_back() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted TLS certificate that causes
i2d_X509() to return -1 and be misused as a malloc() size parameter.
https://www.cve.org/CVERecord?id=CVE-2025-65495
- CVE-2025-65496:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65496
- CVE-2025-65497:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65497
- CVE-2025-65498:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65498
- CVE-2025-65499:
Array index error in tls_verify_call_back() in src/coap_openssl.c in
OISM libcoap 4.3.5 allows remote attackers to cause a denial of
service via a crafted DTLS handshake that triggers
SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
https://www.cve.org/CVERecord?id=CVE-2025-65499
- CVE-2025-65500:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65500
- CVE-2025-65501:
Null pointer dereference in coap_dtls_info_callback() in OISM libcoap
4.3.5 allows remote attackers to cause a denial of service via a DTLS
handshake where SSL_get_app_data() returns NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65501
LICENSE year updated, see [1].
[1] c9135b6b26
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.64 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.64 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.1.159. The size of
xipImage has increased by only 181 bytes (1673625 bytes compared to
1673444 in version 6.1.155).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a3a88ff1c8 bumped bitcoin
to version 26.0 which includes upstream commit
b8401c3281
causing an assertion on m68k:
/home/thomas/autobuild/instance-7/output-1/build/bitcoin-30.0/src/support/allocators/pool.h:92:36:
error: static assertion failed: Units of size ELEM_SIZE_ALIGN need to
be able to store a ListNode
92 | static_assert(sizeof(ListNode) <= ELEM_ALIGN_BYTES, "Units
| ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
of size ELEM_SIZE_ALIGN need to be able to store a ListNode");
/home/thomas/autobuild/instance-7/output-1/build/bitcoin-30.0/src/support/allocators/pool.h:92:36:
note: the comparison reduces to '(4 <= 2)'
To fix the problem we disable bitcoin on m68k.
Fixes:
30.0: https://autobuild.buildroot.net/results/268/2688e4a2aa8dc34343f0218fd6727d0ae3adb132/
26.0: https://autobuild.buildroot.net/results/fb0/fb05401c7de289e0f87f5c9e3a7f92f5589b590b/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and, for the SD
configuration, also updates U-Boot to version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 5.15.197 and U-Boot to
version 2026.01.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Enhance the Xen python tests to exercise block devices: this boils down
to switching from ramdisks to disk partitions for the domains rootfs.
(Refer to the comments in the python script for block devices details.)
- Add support for PCI and Xen block to the Linux kernel configurations.
- Add a few commands to list the xvda block device for good measure.
- Generate two partitions with the rootfs in the disk images; we use the
same rootfs contents twice, once for each domain.
- Add a paravirtualized block device to the Xen dom1 configurations and
adjust both domains kernel command lines, to specify the rootfs
locations.
- Build host-qemu for Arm v7, to work around an issue with 32b Arm and
old Qemu versions, which is what we have on CI currently.
- While at it, bump Linux kernel to 6.18.4 and U-Boot to 2026.01.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Xen tools scripts need the stat program from coreutils to work
correctly, and not the one from busybox.
One such example is the /etc/xen/scripts/locking.sh script, which will
cause timeouts for operations such as "xl block-attach", or when
starting a DomU with a disk.
Add the dependency on coreutils to fix this.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch bumps:
- U-Boot to version v2026.01
- Linux kernel to version 6.12.63 (LTS)
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The patch bumps the Linux kernel to version 6.12.63 and U-Boot to
version 2026.01 for
- stm32mp135f_dk_defconfig
- stm32mp157a_dk1_defconfig
- stm32mp157c_dk2_defconfig
Tested on STM32MP157C-DK2 Discovery Board.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
host-perl-module-build is no longer a dependency
(Build.PL was removed, so Makefile.PL is used)
now, this module has its own LICENSE file
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Now that all Xilinx boards have been bumped to Linux 6.12.60, remove the hash
for the xlnx_rebase_v6.12_LTS_2025.2 release tag.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the versal2 defconfigs to Linux 6.12.60.
Run tested on a versal2 vek385 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Package snort3 requires libtirpc rpcdb option enabled with non-glibc
toolchains since the bump of libtirpc to version 1.3.7 with buildroot
commit 3f3d6e43de which includes upstream
commit:
https://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=7cea8ad66aecc21e6caae330b5d31075af399193
These build errors, caused by the aforementioned upstream commit, only
occur with non-glibc toolchains:
https://patchwork.yoctoproject.org/comment/30091/
"but I believe it breaks the build with musl".
The build error during configure stage:
-- Looking for getrpcent - not found
CMake Error at cmake/sanity_checks.cmake:51 (message):
Couldn't find an RPC program number database implementation!
Call Stack (most recent call first):
CMakeLists.txt:31 (include)
was not yet found by the autobuilders but can be reproduced by this
defconfig:
BR2_x86_64=y
BR2_x86_corei7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_MUSL_BLEEDING_EDGE=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_INIT_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_SNORT3=y
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
In addition, libglib2 already removes schemas from the target during
target finalization so the gvfs-specific cleanup can be dropped.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- suppress S40iwd shellcheck warnings:
In package/iwd/S40iwd line 8:
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
^--------------------^ SC1090 (warning): ShellCheck can't follow non-constant source. Use a directive to specify location.
In package/iwd/S40iwd line 15:
-- $IWD_ARGS
^-------^ SC2086 (info): Double quote to prevent globbing and word splitting.
- remove package/iwd/S40iwd from .checkpackageignore
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
K3CONF is a Linux user-space standalone application
designed to provide a quick'n easy way to dynamically
diagnose Texas Instruments' K3 architecture based
processors. K3CONF is intended to provide similar
experience to that of OMAPCONF that runs on legacy TI platforms.
K3CONF currently supports Texas Instruments AM654, J721E, J7200,
AM64x, AM62x, J721S2, J784S4, J722S, AM62Ax, AM62Px, and AM62Lx devices,
along with the BeagleBoard variants of the above-mentioned TI SoCs.
Signed-off-by: Mohammed Sadik Shaik <s-sadik@ti.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the versal defconfigs to Linux 6.12.60.
Run tested on a versal vek280 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the zynqmp defconfigs to Linux 6.12.60.
Run tested on a zynqmp zcu102 evaluation board.
Run tested on a kria kv260 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Bump the zynq defconfigs to Linux 6.12.60.
Run-tested on a zc702 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License hash changed due to addition of base64 license which
is BSD-2-Clause:
8f922b3d87
Add new python-librt build/runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The python-charset-normalizer package specifies an unnecessarily
strict upper version limit for mypy.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
During the build Cython creates C++ source that needs to be
compiled. The missing dependency did not show in the existing runtime
test because the Bootlin stable toolchains include C++ support.
Package was added in c2df8bab97.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This did not show in the runtime test for package/python-memray
because that package already has the dependency, so the Python zlib
module is present in the test.
Package was added in commit 26bc4b51a8.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switch from the RobertCNelson GitHub mirror to the official TI git
repository and update to version 0x192 (latest release).
The previous installation method used sysfs to load the firmware,
which was specific to old downstream Beaglebone or TI kernels. The
mainline wkup_m3_ipc driver now expects am335x-pm-firmware.elf and
*-scale-data.bin files to be installed in /lib/firmware, making the
sysfs init script obsolete.
Changes:
- Switch repository from github.com/RobertCNelson to git.ti.com
- Update version from 11107db (v05.00.00.02) to fb484c5 (v0x192)
- Refresh all patches to apply cleanly on new version
- Install .elf and scale-data files instead of .bin
- Remove obsolete S93-am335x-pm-firmware-load init script
- Update .checkpackageignore to reflect changes
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
[Julien: update .checkpackageignore to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the am335x-bonegreen-eco device tree to enable support for the
BeagleBone Green Eco variant. This ensures the device tree is built
from the Linux kernel sources and included in the boot partition.
Tested-by: Mohammed Sadik Shaik <s-sadik@ti.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Bumps the Linux kernel to the latest 6.18.1 mainline version.
Tested on BeagleBone Black.
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In commit
1abaf013de ("package/shairport-sync: add
support for AirPlay2"), a new option was added, selecting various
packages, without properly propagating their dependencies, causing
Config.in warnings such as:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_LIBGCRYPT
Depends on [n]: BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS [=n]
Selected by [y]:
- BR2_PACKAGE_SHAIRPORT_SYNC_AIRPLAY2 [=y] && BR2_PACKAGE_SHAIRPORT_SYNC [=y]
This commit fixes this mistake.
Fixes: 1abaf013de ("package/shairport-sync: add support for AirPlay2")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 8708f3a23a ("package/mysql:
drop virtual package"), we no longer have mysql as a virtual package,
and therefore perl-dbd-mysql directly selects mariadb. However,
mariadb has stricter dependencies than what the mysql virtual package
had, and this commit forgot to properly propagate those dependencies,
causing a Config.in warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_MARIADB
Depends on [n]: BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && (BR2_TOOLCHAIN_HAS_ATOMIC [=y] || BR2_TOOLCHAIN_HAS_SYNC_8 [=n]) && BR2_USE_WCHAR [=n]
Selected by [y]:
- BR2_PACKAGE_PERL_DBD_MYSQL [=y] && BR2_PACKAGE_PERL [=y] && !BR2_STATIC_LIBS [=n] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y]
Fixes: 8708f3a23a ("package/mysql: drop virtual package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since commit 8708f3a23a ("package/mysql:
drop virtual package"), we no longer have mysql as a virtual package,
and therefore perl-dbd-mysql directly selects mariadb. As part of
that, the comments related to the dependencies have not been updated
accordingly. Fix that up.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Back when the libgtk4 package was introduced in commit
faf2a1d2ab, its
BR2_PACKAGE_LIBGTK4_GSTREAMER option did not properly propagate the
dependencies of BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL, causing the
following Config.in warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL
Depends on [n]: BR2_PACKAGE_GSTREAMER1 [=y] && BR2_PACKAGE_GST1_PLUGINS_BASE [=y] && (BR2_PACKAGE_HAS_LIBGL [=n] || BR2_PACKAGE_HAS_LIBGLES [=n])
Selected by [y]:
- BR2_PACKAGE_LIBGTK4_GSTREAMER [=y] && BR2_PACKAGE_LIBGTK4 [=y]
Fix that by properly propagating the dependency.
Fixes: faf2a1d2ab ("package/libgtk4: new package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since this option was introduced in commit
a474642fdc ("package/mender-update-modules:
new package"), its dependencies have been incorrect. It selects
BR2_PACKAGE_PYTHON3 without replicating all its dependencies, so we
fix that.
Also, it did have the !BR2_STATIC_LIBS dependency propagated, but not
mentioned in the Config.in comment, so we fix that as well.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit
5f446a8d6d ("package/python-pillow: bump
to version 12.0.0") added a select BR2_PACKAGE_PYTHON_PYBIND to
python-pillow without propagating the C++ dependency, causing:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PYTHON_PYBIND
Depends on [n]: BR2_PACKAGE_PYTHON3 [=y] && BR2_INSTALL_LIBSTDCPP [=n]
Selected by [y]:
- BR2_PACKAGE_PYTHON_PILLOW [=y] && BR2_PACKAGE_PYTHON3 [=y]
Fix this by propagating the dependency to python-pillow, and in turn
to python-pillow reverse dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The recent changes in freeswitch following the removal of OpenCV 3.x
in commit
a6db6af9ff ("package/freeswitch: remove
optional dependency to opencv3") caused some invalid dependencies.
Indeed, the new logic selects BR2_PACKAGE_OPENCV4_LIB_OBJDETECT as
soon as BR2_PACKAGE_OPENCV4 is enabled, without worrying about the
dependencies of BR2_PACKAGE_OPENCV4_LIB_OBJDETECT.
This causes the following Kconfig warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_OPENCV4_LIB_OBJDETECT
Depends on [n]: BR2_PACKAGE_OPENCV4 [=y] && !BR2_TOOLCHAIN_USES_UCLIBC [=n] && BR2_PACKAGE_PROTOBUF_ARCH_SUPPORTS [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_8 [=n]
Selected by [y]:
- BR2_PACKAGE_FREESWITCH [=y] && BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y] && BR2_PACKAGE_OPENCV4 [=y]
Since freeswitch has no visible sub-options to select extra features
and we wanted to keep it this way, we introduce a hidden sub-option
that informs freeswitch.mk whether OpenCV 4 support is usable. It
makes it easier to express the dependencies that are needed for this
OpenCV 4 to be usable.
Fixes: a6db6af9ff ("package/freeswitch: remove optional dependency to opencv3")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Commit
75ab6cf93a ("package/{python-}protobuf:
bump to version 28.1") added a whole bunch of gcc >= 8 dependencies to
opencv4 options, but forgot to create or update appropriate Config.in
comments for several options:
BR2_PACKAGE_OPENCV4_LIB_OBJDETECT
BR2_PACKAGE_OPENCV4_LIB_STITCHING
BR2_PACKAGE_OPENCV4_WITH_PROTOBUF
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The comments saying that dnn_objdetect and dnn_superres need a glibc
or musl toolchain should be shown when a uClibc toolchain is selected,
not when a toolchain NOT using uClibc is selected (as this is exactly
what's needed).
Fixes: a2e01b23fc ("package/opencv-contrib: propagate opencv4 dependencies")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes, see:
https://opus-codec.org/release/stable/2025/12/15/libopus-1_6.html
opus 1.6 introduced optimization for Arm using Neon intrinsics.
Those are not available in soft-float ABI. This commit disables the
usage of intrinsics in that case.
This commit also adds an upstream patch to the libopusenc package.
It is because libopusenc is using internal functions of opus, which
were renamed in upstream commit [1]. Without this patch, the
opus-tools package fails to compile with error:
src/opusenc.c: In function ‘main’:
/.../sysroot/usr/include/opus/opusenc.h:134:63: error: implicit declaration of function ‘__opus_check_int’; did you mean ‘opus_check_int’? [-Wimplicit-function-declaration]
[1] 7817df7908
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit dcee99507c bumped icu
from version 73-2 to 77-1.
Upstream raised the minimum C++ requirement to C++17 in version 75-1:
https://github.com/unicode-org/icu/releases/tag/release-75-1
https://icu.unicode.org/download/75
"C++ code now requires C++17 [...]"
Consequently, this commit switches the minimum gcc version needed by
package/icu to 7, and propagates this to icu's reverse dependencies.
No autobuilder errors were recorded since we don't test toolchains as
old as gcc 6.x
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
License hash changed due to move to license file autogeneration:
9a81db3c77d2b8d7750f
Add new python-coherent-licensed build dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
fb5235239aad ("env: Rename DEFAULT_ENV_FILE to
ENV_DEFAULT_ENV_TEXT_FILE") renamed the Kconfig symbols and thus we need
to adapt the U-Boot package in Buildroot to support it.
Fixes: 128c26f287 ("boot/uboot: bump to version 2025.10")
Reported-by: Ozan Durgut <ozandurgut.2001@hotmail.com>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In Buildroot, we don't use the official SPDX code GPL-2.0-or-later,
but GPL-2.0+.
Fixes: 2a972212b4 package/qoriq-restool: new package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Introduce a package for the restool program, which permits the user to
modify the network configuration of the DPAA2 subsystem and create one
that is adequate to their use case.
We integrate the master branch, which is effectively the
lf-6.12.20-2.0.0 release tag, plus some extra fixups specifically made
for the Buildroot integration:
- commit b44748ed0bb3 ("Avoid use of non-portable __WORDSIZE when
defining BITS_PER_LONG")
- commit b4a734f3512b ("restool: fix format string for 64 bit time_t in
parse_obj_command()")
Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Migrate from setuptools cython based build to setuptools-rust.
Add new python-typing-extensions runtime dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
CVE-2024-46948 only affects the device management and update server part
of Mender, and not the client running on the devices
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] restricted spice compilation to x86 only.
As the log of this commit mentions, this was because at that time,
spice 0.12.0 was generating an error on untested cpu architectures.
See [2] (we can also see that armv6+ platforms were apparently
supported).
Spice commit [3] (first included in spice v0.12.6) relaxed this error
to a warning. The reason was that big endian support was improved,
and also there was an intent to make testing easier.
[1] 4f452a86b8
[2] https://gitlab.freedesktop.org/spice/spice/-/blob/v0.12.0/configure.ac#L60
[3] f80eef8f9c
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
[Thomas: reduced commit to just re-enabling on all CPU architectures,
created separate commits for the BR2_USE_MMU and gcc >= 6 fixes]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
spice selects libglib2, but forgot to propagate the BR2_USE_MMU
dependency. There is no practical implication at the moment as spice
is only available for i386 and x86-64, and both always have MMU. But
as we're about to relax this architecture dependency, it makes sense
to fix the propagation of BR2_USE_MMU.
Signed-off-by: Julien Olivain <ju.o@free.fr>
[Thomas: patch extracted from
https://patchwork.ozlabs.org/project/buildroot/patch/20241122213809.176709-1-ju.o@free.fr/]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Commit 3dd73c3 "package/openjdk: allow compiling without X11 support",
dropped the need for X11, so drop it from TestOpenJdk.
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
When building the arm-trusted-firmware, if the host environment has a value
configured in the BL31 variable such as the following:
export BL31=/tmp/bl31.elf
This will cause the build of the bl31.elf to be skipped leading to the
following build error:
make[1]: Nothing to be done for 'bl31'.
And then:
readelf: Error: './output/build/arm-trusted-firmware-custom/build/versal/release/bl31/bl31.elf': No such file
To fix this, clear the BL31 variable in the MAKE_OPTS, so that building the
arm-trusted-firmware will build regardless of the host environment.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Boost.System is a header only library since Boost 1.69.0 [0].
A Stub Library remained for backward compatibility. This
mainly affects CMake Packages that use FindPackage and
explicitly list 'system'.
For Boost internal modules this is not the case so remove this
dependency.
Buildroot packages should select BR2_PACKAGE_BOOST_SYSTEM explicitly
if needed and not rely on a proxy dependency from other boost packages.
[0] https://github.com/boostorg/system/blob/develop/doc/system/changes.adoc#changes-in-boost-169
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libcpprestsdk searches for the Boost.System module in its
CMakeLists. Hence it should be selected as a dependency.
This does not fix any build failure, as boost-system was implicitly
selected by one of the other boost-* options that this package
selects, but an upcoming commit is going to change how boost-system is
selected by other boost-* modules, making this preparation change
necessary.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This does not make debug info available, but allows building programs
that link against libdebuginfod.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
On Debian 13 doc generation fails. Disable it like for
the target.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
With the introduction of the production silicon Icicle Kit comes the
need to support multiple board device trees. The HSS puts a minimal dtb
in its payload's ancillary-data immediately after U-Boot in memory.
CONFIG_OF_BOARD will use this dtb that the HSS carries with the bare
minimum of nodes enabled. It allows for firmware to provide the address
of the devicetree in memory using the `a1` register.
Use the device tree compatible from the hart software services to
essentially "detect" which board is in use and therefore select the
appropriate device tree for the board.
Add a fdt production node to the .its referencing the production Icicle
Kit DTB with appropriate attributes. Introduce matching configuration
entries to enable selection of the production Icicle kit FDT blob for
the MPFS Icicle Production Silicon board.
Update the configuration names to match the device tree compatibles for
each board configuration. With these updates, change image node and
configuration node names with more appropriate names.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Following Microchip's Linux 2025.07 release, update the assets to the
latest versions, this includes a Linux version bump and additional
U-Boot drivers and functionality. Update the Linux headers to support
the updated v6.12 kernel. Update the corresponding package hashes.
Signed-off-by: Jamie Gibbons <jamie.gibbons@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit d6c3257e93 bumped the
package from 0.21 to 0.23. Upstream release 0.22 includes commit
d7c7c53c06
which uses CLOCK_MONOTONIC without including time.h.
Fixes:
https://autobuild.buildroot.net/results/41b/41b25ee8e66e34323eca011e4b5fe479ece9ed76/
Two minimal defconfigs to reproduce the build error:
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ATF=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_GCC_VERSION_13_X=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ATF=y
All defconfigs of the build errors recorded by the buildroot autobuilders
contain BR2_PTHREADS_NONE=y.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Update to the latest version of the gcnano-binaries blobs, which are
compatible with the last v6.6-stm32mp-r2 kernel from the
STMicroelectronics BSP.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The Vulkan option was appended to QT6BASE_CONFIGURE_OPTS instead of
QT6BASE_CONF_OPTS, which is the variable actually used during CMake
configuration. This prevented the feature from being enabled/disabled
as expected.
Fixes: 1c27f3a12d ("package/qt6base: add vulkan option")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit adds "kibi", a configurable text editor with UTF-8 support,
incremental search, syntax highlighting, line numbers and more, written
in less than 1024 lines of Rust with minimal dependencies.
https://github.com/ilai-deutel/kibi
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the introduction of duktape in [1], this package has been present
under the "JavaScript" sub-menu.
This sub-menu was mostly used for JS libraries and programs so duktape
should have been under the "Interpreter languages and scripting"
submenu.
Since duktape is now the only entry in the JavaScript submenu, move this
package to a better suited place and remove the JavaScript submenu.
[1] 387ff26b6d duktape: new package
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Because the way JavaScript project development is working the chances that your
project is using the same version of the buildroot package, and you provide
this library from `/var/www` to your users is actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a cdn, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from a NPM workflow
to benefit from some minifications from your bundler.
Historically many of those JavaScript libraries were added in the 2010 eras
where it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds information on how to provide static JS libraries in
Buildroot with the release of the 2025.08.x version.
Because of the way JavaScript project development works, the chances that your
project is using the same version of the Buildroot package, and that you provide
this library from `/var/www` to your users, are actually really low ...
If you want to bundle JavaScript libraries in your project you should probably
either use a CDN, handle the package version and location of your choice in
your external or overlay, or just bundle it in your assets from an NPM workflow
to benefit from some minification from your bundler.
Historically many of those JavaScript libraries were added in the 2010s era,
when it could make sense for them to be part of Buildroot.
Most of them are also way outdated/not maintained.
For more information see https://elinux.org/Buildroot:DeveloperDaysELCE2025
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Due to the increasing number of patches applied for this package and the
lack of updates to fix the build issues as well as to update the version
to a newer release, this patch removes softether from the Buildroot package
list.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds several upstream patches that fix build errors we are
experiencing on the autobuilder related to host-gcc15 and gcc14.
- 0010-use-bool-from-stdbool.patch
Fix a host-gcc15 error with C23 bool reserved keyword when building
host-softether package. This appeared on the autobuilder.
```
from Cfg.c:116:
../../src/Mayaqua/MayaType.h:257:33: error: 'bool' cannot be defined via 'typedef'
257 | typedef unsigned int bool;
| ^~~~
../../src/Mayaqua/MayaType.h:257:33: note: 'bool' is a keyword with '-std=c23' onwards
../../src/Mayaqua/MayaType.h:257:1: warning: useless type name in empty declaration
257 | typedef unsigned int bool;
| ^~~~~~~
```
- 0011-fix-implicit-declaration-of-function-getch.patch
Fix an implicit function declaration.
- 0012-vlanunix-fix-implicit-declaration-of-function-freetap.patch
Fix an implicit function declaration.
- 0013-fix-build-on-freebsd-version-140091.patch
Incompatible pointer type which appeared on the autobuilder as well:
```
Unix.c: In function 'UnixIgnoreSignalForThread':
Unix.c:324:25: error: assignment to 'void (*)(int, siginfo_t *, void *)' from incompatible pointer type 'void * (*)(int, siginfo_t *, void *)' [-Wincompatible-pointer-types]
324 | sa.sa_sigaction = signal_received_for_ignore;
| ^
```
- 0014-cedar-hub-properly-set-value-for-hub-admin-options.patch
Fix an incompatible pointer type error.
- 0015-adjust-types-of-variables.patch
Fix an incompatible pointer type error which appeared on the autobuilder as
well.
```
Secure.c: In function 'OpenSec':
Secure.c:1829:56: error: passing argument 3 of 'sec->Api->C_GetSlotList' from incompatible pointer type [-Wincompatible-pointer-types]
1829 | if ((err = sec->Api->C_GetSlotList(true, NULL, &sec->NumSlot)) != CKR_OK || sec->NumSlot == 0)
| ^~~~~~~~~~~~~
| |
| UINT * {aka unsigned int *}
```
- 0016-Cedar-Proto_IKE-fix-too-many-arguments-to-function-N.patch
Fix a function call.
Fixes: https://autobuild.buildroot.org/results/c43/c43a9a221896d37ee8a9d34c5b8e2725351c6eb5
Fixes: https://autobuild.buildroot.org/results/751/7517bb4d32c38d475d901769b0b2fd2c2f3dd543
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Acked-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
An advanced terminal multiplexer with batteries included. Supports
layouts, floating and stacked panes, plugins, and customization.
Provides rich functionality out of the box.
Zellij is aimed at developers, operations-oriented users, and anyone who
loves the terminal.
https://github.com/zellij-org/zellij
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The license is actually LGPL-2.1+.
Fixes: 006aab8d64 ("package/libplacebo: add libplacebo package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This patch adds libplacebo package that is used
by mpv player.
libplacebo is the core rendering algorithms and
ideas of mpv rewritten as an independent library
and contains a large assortment of video processing
shaders, focusing on both quality and performance.
Signed-off-by: Javad Rahimipetroudi <javad.rahimipetroudi@mind.be>
Tested-by: Sen Hastings <sen@hastings.org>
[Bernd:
- bumped to v7.351.0
- moved Kconfig option to Multimedia (Sen)
- rebased patch 0001 after version bump
- added project URL to Config.in helptext
- removed redundancy in Config.in comment
- added comment to hash file
- switched _SITE to official repo
- added patch to fix build error with latest python3]
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
lttng-modules fails to build in master and in our LTS branch
2025.02.x. Indeed, our LTS branch uses the 6.12 kernel as the latest
LTS, and lttng-modules in version 2.13.10 doesn't build with the 6.12
kernel:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_PACKAGE_LTTNG_MODULES=y
fails to build with 2025.02.x.
To fix this, let's bump to the latest point release in the 2.13.x
branch, which mostly contains fixes needed for the 2.13.x releases to
work with newer kernels. This is considered a reasonable bump for our
2025.02 LTS.
The hash of the license file is updated as the list of files under
each license has changed a bit, but that doesn't change the overall
list of licenses.
Fixes:
https://autobuild.buildroot.net/results/78d05ded97877f866d2bd7aa600a2dafa01bb364/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Added patches (17.0.12+7 and 21.0.4+7) to allow compilation
without X11 support.
0003-autoconf-libraries-drop-the-need-for-X11-in-headless.patch
is only needed for 21.0.4+7, 17.0.12+7 already has this commit:
f97ec359ec
Next to that, add a new option BR2_PACKAGE_OPENJDK_X11,
to allow compilation with both head and headless support.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
[Thomas: split into two commits]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This commit fixes the wrong patch folders which should have been fixed
in commit 475c79d ("package/openjdk{-bin}: bump versions to 17.0.12+7
and 21.0.4+7")
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The `utils/brmake` tool runs `make all` with logs put into `br.log`.
That file is therefore the result of a build and committing it never
makes sense, neither upstream nor on any other remote/branch.
⟩ git status --short
⟩ make beaglebone_defconfig
⟩ ./utils/brmake
⟩ git status --short
?? br.log
Add a new `/br.log` entry in the root `.gitignore` file.
Append to the end because no ordering logic was found.
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This makes it more obvious which service the PID file belongs to, and
thanks to the /var/run -> /run symlink fixes the check-package
warning.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This brings the script in line with current standards, except the
expected PIDFILE value because changing the PID file path would
require changing build options.
The stop action now uses the PID file instead of "killall", and reload
is supported using SIGHUP (with limitations described in D-Bus
documentation). "--syslog" is added to the dbus-daemon arguments to
ensure log messages will be available, otherwise log messages after
fork may be lost.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The "servicename" environment variable was never set, so the condition
in the "condrestart" case would always evaluate to false. Nobody seems
to have noticed since it was introduced with commit
ceb2859765 in 2007, so simply remove it.
Likewise, the comment in the stop function that mentions $servicename
is incorrect, there is no safety check to the "killall" call.
With those, remove the /var/lock/subsys/dbus-daemon file that was
created but never used.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
We need to set -Dprotobuf_BUILD_LIBUPB=ON for host-protobuf now
as some libupb headers now appear to be required.
Also set the new -Dprotobuf_LOCAL_DEPENDENCIES_ONLY=ON option
to ensure cmake doesn't try to download dependencies.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* Wait for process to stop before deleting PID file, instead of fixed
wait during restart
* Use long form options
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
libxshmfence has multiple paths available for the shared memory
directory, as some distros [0] opt to mount their tmpfs in a
non-standard location such as /run/shm rather than /dev/shm.
The default value of 'auto' will set this path to whatever the host is
using, leaking host configuration into the target. See [1].
With X configurations that depend on shared memory files for futexes,
(muvm [2] is a notable example), this results in applications silently
breaking during presentation with a blank window, as the configured
path doesn't have the required tmpfs mount.
Set this path explicitly to avoid situations where the host context
leaks into the package build, causing feature breakage.
[0] https://wiki.ubuntu.com/OneiricOcelot/ReleaseNotes?action=show&redirect=OneiricOcelot%2FTechnicalOverview#Upgrades
[1] https://gitlab.freedesktop.org/xorg/lib/libxshmfence/-/blob/libxshmfence-1.3.3/configure.ac#L144
[2] https://github.com/AsahiLinux/muvm
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- add link to shared memory dir detection code in commit log
- replace "+=" by "=" in _CONF_OPTS
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that the package is removed, having a trace of it in a comment is
no longer very useful.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The rpi-userland package no longer builds with CMake >= 4. While
fixing it is probably not too difficult,
https://github.com/raspberrypi/userland tells us:
"""
This repo is ancient and deprecated.
It largely contains code using proprietary APIs to interface to the
VideoCore firmware. We have since move to standard linux APIs.
V4L2, DRM/KMS and Mesa are the APIs you should be using.
The few useful tools from here (dtoverlay, dtmerge, vcmailbox,
vcgencmd) have been moved to the raspberrypi/utils repo.
Code from here is no longer installed on latest RPiOS Bookworm images.
If you are using code from here you should rethink your solution.
Consider this repo closed.
"""
Hence it is time to drop this package from Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/tvheadend.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/sdl2.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/mpv.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop the special
tweak for it from package/libwpe.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/libcec.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/libcamera-apps.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/gstreamer/gst1-plugins-base.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/glslsandbox-player.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, drop support for it
from package/ffmpeg.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
As we're about to remove the rpi-userland package, remove the only
defconfig that uses it. This defconfig is, according to our DEVELOPERS
file, unmaintained.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This tool has been removed from upstream rpi-firmware, so drop the
corresponding option and logic in rpi-firmware.mk.
The tool has been removed by upstream commit
d1fcc26038186aecc1501a0b749833300afba801 ("opt: Remove builds of
deprectated userland tools").
It is Buildroot commit
28e6953ba8 ("package/rpi-firmware: bump
version to 5476720") that did a bump to a version of rpi-firmware that
no longer provided vcdbg.
Cc: Köry Maincent <kory.maincent@bootlin.com>
Cc: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Due to issues in the installation of qt5webkit, building the
corresponding Python binding fails:
Project ERROR: Unknown module(s) in QT: webkit
Error: /home/thomas/buildroot/br/output-all/host/bin/qmake failed to create a
makefile from PyQt5.pro.
make[1]: *** [package/pkg-generic.mk:263: /home/thomas/buildroot/br/output-all/build/python-pyqt5-5.15.6/.stamp_configured] Error 1
make: *** [Makefile:83: _all] Error 2
https://lore.kernel.org/buildroot/20220929181350.1026033-1-thomas.ballasi@savoirfairelinux.com/
was an attempt at fixing it, but this patch doesn't work and looks
weird.
So for the time being, disable the Webkit module in python-pyqt5. This
issue has indeed been around since as far back as 2022.
Fixes:
https://autobuild.buildroot.net/results/b9d69d21e734aa62a6e0b4d4124c2bcfc027ebe4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add another patch from Fedora, also used in Arch Linux to fix a gcc >=
14.x build issue:
build/qt5webkit-5.212.0-alpha4/Source/WebCore/page/csp/ContentSecurityPolicy.cpp:235:56: required from here
235 | if ((policy.get()->*allowed)(std::make_pair(algorithm, digest)))
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
host/opt/ext-toolchain/aarch64-buildroot-linux-gnu/include/c++/14.3.0/type_traits:1246:52: error: non-constant
condition for static assertion
1246 | static_assert(std::__is_complete_or_unbounded(__type_identity<_Tp>{}),
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
It is not clear which change introduced this breakage, but we suspect
it is related to GCC 14.x. In any case, the fix does no harm and is
good to backport to 2025.02.x.
Fixes:
/home/thomas/buildroot/br/output-all/build/qt5webkit-5.212.0-alpha4/Source/ThirdParty/ANGLE/src/common/mathutil.h:575:8: error: ‘uint32_t’ does not name a type
575 | inline uint32_t RotL(uint32_t x, int8_t r)
| ^~~~~~~~
/home/thomas/buildroot/br/output-all/build/qt5webkit-5.212.0-alpha4/Source/ThirdParty/ANGLE/src/common/mathutil.h:19:1: note: ‘uint32_t’ is defined in header ‘<cstdint>’; this is probably fixable by adding ‘#include <cstdint>’
18 | #include <stdlib.h>
+++ |+#include <cstdint>
19 |
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since the bump of ICU from ICU 73 to ICU 77 in commit
dcee99507c, the build of qt5webkit fails
with:
/home/thomas/buildroot/br/output-all/host/aarch64-buildroot-linux-gnu/sysroot/usr/include/unicode/char16ptr.h:271:38: error: ‘enable_if_t’ in namespace ‘std’ does not name a template type
271 | template<typename T, typename = std::enable_if_t<std::is_same_v<T, UChar>>>
| ^~~~~~~~~~~
We have taken two patches from Arch Linux, one which is a partial upstream
backport, and another which was submitted upstream, to address this
build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Rasdaemon was added in the previous patch.
Add a test_rasdaemon that allows testing it.
The test is done on x86. It first checks the daemon's version, then mounts
debugfs and finally ensures that the init script allows
starting/restarting/stopping the daemon.
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Rasdaemon is a tool that aims at replacing edac-tool and provide a way
to collect all hardware error events reported by the Linux kernel in a
common framework.
This commit adds a new package to support rasdaemon in the 'Hardware
handling' section. It depends on libtraceevent to detect the ftrace
events generated by the kernel. There is currently a build issue when
sqlite isn't available while it's supposed to be an optional
dependency. This build issue is fixed by patch 0001 (which has been
also submitted to the rasdaemon project itself).
Support for the PCIe AER events is optional and implies a dependency on
pciutils so also add a dedicated 'sub-option' to enable it.
Add a SYSV init script to start / stop the daemon.
Add myself to the DEVELOPERS file.
Reviewed-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libfreeimage is not a mandatory dependency of ogre.
Due to the upcoming removal of libfreeimage due to security reasons from
buildroot we do not transform libfreeimage into an optional dependency:
https://github.com/OGRECave/ogre/issues/3069
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
OpenCV3 is unmaintained and will be removed from buildroot.
The package does not support OpenCV4:
216c090707
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
OpenCV3 is unmaintained and will be removed from buildroot.
Select needed OpenCV4 modules in Config.in and adjust freeswitch.mk.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
6d188cb199
"This project is archived. QJson was originally created when Qt3 and Qt4
lacked robust JSON support.
Since Qt5, JSON support is included in the native Qt library SDK, making
this project obsolete."
The package is broken with cmake 4 and no other package depends on it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Cc: Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
mod_md allows Apache httpd to automatically provision certificates for
HTTPS via the ACME protocol (e.g. from Let's Encrypt), if configured
to do so. The additional dependencies are non-obvious, so add a config
option instead of only enabling the module if dependencies are met.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add libavif support.
Add new python-pybind build dependency.
Set --skip-dependency-check since pybind isn't detected properly by
the pep517 build frontend.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Drop PYTHON_CRYPTOGRAPHY_CARGO_MANIFEST_PATH as package now provides
manifest in default path.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Migrate from setuptools to hatch build backend.
License hash changed due to formatting changes:
83d985db64
Drop no longer supported AUTOBAHN_STRIP_XBR env variable.
Add host-python-setuptools build dependency.
Add new python-base58 encryption dependency.
Add new python-ecdsa encryption dependency.
Serialization dependencies moved to mandatory dependencies.
Propagate new C++ reverse dependency.
Add new python-brotli compression dependency.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit dc55e7eb51 added this
package as a copy of the taglib package but forgot to change all
taglib-related comments.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Suggested by Gerbera:
fcf3147223
CMake Warning at CMakeLists.txt:583 (message):
!! It is strongly recommended to build libupnp with --disable-blocking-tcp-connections !!
Without this option non-responsive control points can cause libupnp to hang.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
This IGNORE_CVES entry introduced in [2] is then no longer matched to
the cmake package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 5ce1e773b9 package/cmake: ignore CVE-2016-10642
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
This IGNORE_CVES entry introduced in [2] is then no longer matched to
the dovecot package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 948e71689a package/dovecot: ignore CVE-2016-4983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The IGNORE_CVES entries introduced in [1] no longer match to the glibc
package following the bump to v2.42 in [2]. The version boundaries
specified on the NVD DB are specific to 2.40 & 2.41.
CVE-2025-8058, though, doesn't have any information available on the NVD
DB and will therefore remain in IGNORE_CVES.
[1] feaf53585a package/glibc: security bump to version 2.41-70
[2] fb6256c0ef package/{glibc, localdef}: bump to version 2.42
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entries introduced in [2] are then no longer matched to
the glibc package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] adaae82c58 package/glibc: ignore CVEs not considered as security issues by upstream
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The IGNORE_CVES entries introduced in [2][3][4] are then no longer
matched to the grub2 package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 2495630383 boot/grub2: ignore CVE-2024-1048
[3] e2f46ed03d boot/grub2: ignore CVE-2023-4001
[4] a490687571 boot/grub2: ignore the last 3 remaining CVEs
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2024-32928 introduced in [2] is then no longer matched to the
libcurl package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 7e739d49b2 package/libcurl: ignore CVE-2024-32928
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The entry was added in commit [1]. But since then the NVD database
updated the version end specifier.
This IGNORE_CVES entry is then no longer needed.
[1] 51b1e1daf5 package/libssh: ignore CVE-2025-5318
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2023-37769 is then no longer matched to the pixman package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2017-8806 is then no longer matched to the postgresql package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2015-3243 is then no longer matched to the rsyslog package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1], patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patches header as well
as the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1], patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Disabled vulkan tests added by upstream commit:
2519c330fb
Added X11-related configure options due to upstream commit:
d958b70d1f
Added configure options to fix build errors without libdrm and with
libegl/libgles enabled but without X11.
These build errors were not seen before due to other build errors
unfixed since the bump of python3 to 3.10 with buildroot commit
25b1fc2898:
https://patchwork.ozlabs.org/project/buildroot/patch/20230723074303.603364-1-bernd@kuhls.net/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add back commit log comments from v2 patch
- add git commit id in commit log title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
For kernels patched with 440cf77625e3 ("perf: build: Setup
PKG_CONFIG_LIBDIR for cross compilation"), if neither PKG_CONFIG_LIBDIR,
PKG_CONFIG_PATH nor PKG_CONFIG_SYSROOT_DIR are provided, the perf
Makefile will try to set some default value for PKG_CONFIG_LIBDIR,
which will not point correctly to buildroot staging directory. This
issue will lead for example to a failure to find libtraceevent even
if it is correctly enabled and installed in the staging dir, and so it
will make perf fail to build.
Make sure to call the perf make command with PKG_CONFIG_LIBDIR variable
set and pointing to buildroot staging area to make sure to properly
detect perf dependencies.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
When trying to perform a custom uprobe recording on a target with perf
built by buildroot, the recording step fails as perf can not record
uprobes without libtraceevent support:
$ perf probe -x linked_list insert_name index
Target program is compiled without optimization. Skipping prologue.
Probe on address 0x808 to force probing at the function entry.
Added new event:
probe_linked_list:insert_name (on insert_name in /root/gdb/linked_list with index)
perf is not linked with libtraceevent, to use the new probe you can use tracefs:
cd /sys/kernel/tracing/
echo 1 > events/probe_linked_list/insert_name/enable
echo 1 > tracing_on
cat trace_pipe
Before removing the probe, echo 0 > events/probe_linked_list/insert_name/enable
$ perf record -e probe_linked_list:insert_name ./linked_list
event syntax error: 'probe_linked_list:insert_name'
\___ unsupported tracepoint
libtraceevent is necessary for tracepoint support
Run 'perf list' for a list of valid events
Usage: perf record [<options>] [<command>]
or: perf record [<options>] -- <command> [<options>]
-e, --event <event> event selector. use 'perf list' to list available events
libtraceevent support for perf has been disabled with commit
b4ab45a5c1 ("package/linux-tools: disable libtracevent detection")
because there was no libtraceevent package in buildroot to replace the
former libtraceevent removed from the kernel sources. Since then, commit
1474f1b34b ("package/libtraceevent: new package") has introduced a
libtraceevent package. We can then expose again the possibility to build
perf with libtraceevent support.
Make buildroot perf makefile detect if libtraceevent package has been
enabled, and if so, allow to build perf with libtraceevent support.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
With the removal of the roseapplepi defconfig in commit 56091a5818
("configs/roseapplepi: remove defconfig, broken") there are no (in-tree)
users of the s500-bootloader binary blob package, so drop it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Running in S99 makes it impossible to start any service that uses iiod
after it, at least by numerical ordering only. Move it forward to
change that.
There are two dependencies of iiod:
1. The IIO devices that it should expose must be available.
2. Network must be up, which means firewall at least should be.
The former may be covered by loading modules, e.g. using S11modules
from package/initscripts. There are different ways to handle network
setup, but with SysV init scripts they generally run before S50.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
* Fix check-package issues and remove .checkpackageignore entry
* Remove fixed wait in "restart", wait for process termination in
"stop" instead
* Print standard starting/stopping messages
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] removed the IGNORE_CVES entries for
CVE-2024-24258 & CVE-2024-24259 because they referenced patches that no
longer exist.
Those IGNORE_CVES entries are still required because the CVEs reference
the exact mupdf version Buildroot is using.
Re-introduce those IGNORE_CVES entries with an updated comment instead.
[1] f2e442a14d package/mupdf: remove stale IGNORE_CVES
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the
`0001-Disable-tests.patch` patch reference
was removed in favour of a build argument that disables the tests.
This updates the reference in IGNORE_CVES accordingly.
[1] ba2fb599cd package/pixman: bump to version 0.44.2
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the
`0003-SDL_x11yuv.c-fix-possible-use-after-free.patch` patch reference
was renamed.
This updates the reference in IGNORE_CVES accordingly.
[1] 9fab7bb79d package/sdl: drop directfb support
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch headers.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
AIChat helps seamlessly integrate different LLM models, providing access
via the CLI and network. It can serve as a gateway to heterogeneous and
distributed LLMs.
Handy features like roles, macros, and sessions help simplify repetitive
tasks and reuse of existing solutions. Features like playgrounds and
arenas help to explore and compare models.
https://github.com/sigoden/AIChat
Signed-off-by: Alexander Shirokov <shirokovalexs@gmail.com>
[Julien:
- select BR2_PACKAGE_HOST_RUSTC instead of "depends on"
- add Apache-2.0 license (package is dual licensed)
- add LICENSE-APACHE license hash
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:4 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
Fixes:
https://autobuild.buildroot.net/results/074098fef4f8a5e89a4f04efbdd1f545f4616772/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In commit 67e84345c1 ("package/vim: fix
reinstallation"), we fixed the reinstallation of vim for the target
package by removing symlinks before calling "make installlinks".
However, this didn't fix the same problem for the host-vim package.
So instead, this commit adds a patch, accepted upstream, that uses "ln
-sf" instead of "ln -s" to create the symlinks, allowing them to be
overwritten on reinstallation.
Fixes:
ln: failed to create symbolic link 'view': File exists
on reinstallation of host-vim.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit [1] "kvmtool: bump to f77d646ba0" removed the
definition of KVMTOOL_EXTRA_LDFLAGS but forgot to remove its usage
in KVMTOOL_MAKE_OPTS.
This commit removes it since it is no longer needed.
[1] f20615b53e
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The run log of this ltp-testsuite test shows:
INFO: runltp script is deprecated, try kirk
https://github.com/linux-test-project/kirk
This commit updates this test to replace this deprecated runltp
shell script with the newer kirk Python script.
The logic of this runtime test remains the same: it runs a small number
of 'read' system call tests, and checks there are no failures and at
least one test succeeds.
Cc: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] (package/tio: bump to 3.5) added the libglib2 in
the .mk file without selecting it in Config.in.
This commit fixes that.
[1] 3d85e9df43
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch fixes the information in the patch header to have a single
vulnerability per line.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The fixes for the CVE-2024-24258 & CVE-2024-24259 were introduced in [1]
and targeted the package libfreeglut.
The patches that fixed CVE-2024-24258 & CVE-2024-24259 in libfreeglut
were removed in Buildroot commit [2]. With this bump the IGNORE_CVES
entries for mupdf were not removed.
[1] 0f4fef076f package/libfreeglut: add upstream security fix for CVE-2024-2425{8, 9}
[2] b1c77090ef package/libfreeglut: bump version to 3.6.0
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since Buildroot commit [1] the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Buildroot commit [1] removed the stale cpp-httplib patch but the
IGNORE_CVES entry wasn't removed.
[1] 8988278241 package/cpp-httplib: remove stale patch
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
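The IGNORE_CVES commits above all deal with entries whose justifying patch was removed or renamed while the entry stayed behind. As an added example (not Buildroot's own tooling and not part of any commit here), this Python check flags such entries for review; it assumes the patch file name is given in a comment directly above, or trailing on, the assignment, and the package name FOO, the patch names and the CVE-0000-* ids in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Patch file names of the form NNNN-description.patch
PATCH_RE = re.compile(r"\b\d{4}-[\w.+-]+\.patch\b")
ASSIGN_RE = re.compile(r"^\s*(\w+)_IGNORE_CVES\s*\+?=(.*)$")

# Constructed sample .mk fragment (hypothetical package FOO, placeholder CVE ids).
SAMPLE_MK = """\
# 0001-fix-overflow.patch
FOO_IGNORE_CVES += CVE-0000-0001

# 0002-renamed-fix.patch
FOO_IGNORE_CVES += CVE-0000-0002 CVE-0000-0003

# not applicable: only affects the Windows build
FOO_IGNORE_CVES += CVE-0000-0004
FOO_IGNORE_CVES += CVE-0000-0005
"""

# Constructed listing of the package directory: patch 0002 was renamed to 0003.
SAMPLE_PATCHES = {"0001-fix-overflow.patch", "0003-renamed-fix.patch"}


@dataclass
class Finding:
    line: int       # line number of the assignment in the .mk text
    package: str    # variable prefix, e.g. FOO
    cves: list      # CVE ids suppressed by this assignment
    patches: list   # patch names quoted as justification
    missing: list   # quoted patches that are not in the package directory
    status: str     # ok | stale-patch | comment-only | undocumented


def audit_ignore_cves(mk_text, patch_files):
    """Classify every *_IGNORE_CVES assignment by the state of its justification."""
    findings = []
    comments = []  # contiguous comment lines directly above the current line
    for lineno, raw in enumerate(mk_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            comments.append(line.lstrip("#").strip())
            continue
        match = ASSIGN_RE.match(line)
        if match:
            # In make, '#' ends the value; what follows is a trailing comment.
            value, _, trailing = match.group(2).partition("#")
            why = " ".join(comments + [trailing.strip()]).strip()
            patches = PATCH_RE.findall(why)
            missing = [p for p in patches if p not in patch_files]
            if missing:
                status = "stale-patch"    # justification points at a file that is gone
            elif patches:
                status = "ok"
            elif why:
                status = "comment-only"   # justified in words, no patch to verify
            else:
                status = "undocumented"   # nothing explains the suppression
            findings.append(Finding(lineno, match.group(1),
                                    CVE_RE.findall(value), patches, missing, status))
        # A blank line, an assignment or any other statement ends the comment block.
        comments = []
    return findings


def needs_review(findings):
    """CVE ids hidden from reports whose justification can no longer be verified."""
    flagged = set()
    for finding in findings:
        if finding.status in ("stale-patch", "undocumented"):
            flagged.update(finding.cves)
    return sorted(flagged)


if __name__ == "__main__":
    for f in audit_ignore_cves(SAMPLE_MK, SAMPLE_PATCHES):
        print(f"line {f.line}: {f.package} {f.status} {f.cves} missing={f.missing}")
```

A flagged entry is a prompt to re-check, not a verdict: as in the commits above, the outcome may be an updated comment, a restored entry, or a removed one.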
When the ncurses UI code in irqbalance is enabled, the build fails
with gcc >= 15.x, for example with:
BR2_arm=y
BR2_cortex_a53=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_NCURSES=y
BR2_PACKAGE_NCURSES_WCHAR=y
BR2_PACKAGE_IRQBALANCE=y
Backport two upstream patches that fix those issues.
Fixes:
https://autobuild.buildroot.net/results/3b609fe191e03330480f647b09dd06916da13317/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a Buildroot package for sysrepo-cpp, providing modern C++ RAII
bindings for the sysrepo YANG datastore library.
Signed-off-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The ddrescue runtime test is using the `dmsetup` command provided by the
dmraid package. This package is outdated and will be removed. This
command is also provided by the lvm2 package, which is still maintained.
This commit replaces the dmraid package by lvm2 in the test config.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:
mb-applet-launcher.c: In function ‘get_launch_window’:
mb-applet-launcher.c:269:18: error: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
269 | time_t stime = time(NULL);
| ^~~~
No autobuilder failures, it was hidden by other failures.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Switched _SOURCE to .gz, upstream does not provide bz2 tarballs
anymore. This means in fact _SOURCE can be dropped, as it's now the
default value.
No autobuild errors recorded due to previous download error with
matchbox-lib.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Switched _SOURCE to .gz, upstream does not provide bz2 tarballs anymore.
No autobuild errors recorded due to previous download error with
matchbox-lib.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add new runtime test for python-varlink.
As always when we need to start a separate server process inside a test
case this gets slightly fiddly.
We override the test_run() function to first start the varlink example server,
then call the package's cli interface to do a varlink call against the
server. The cli defaults to pretty printing the result, which makes it
more annoying to compare to the expected result in the test case, so we
un-prettyprint it with python's builtin json.tool module.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
There are currently problems in updating the pypi.org release[1], so we
pull the package from the github generated tarball instead. This in turn
then requires manually setting the version for setuptools_scm in the
environment.
[1] https://github.com/varlink/python/issues/81
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This maintenance release introduces support for newer versions of the
Mesa library. Release notes:
https://wpewebkit.org/release/wpebackend-fdo-1.16.1.html
Also imports an upstream patch that is needed at least to successfully
build when using the Musl libc.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Dependency was made optional in 4.6.0 release here:
6058ab9dfe
python-can has a lot of optional dependencies, most of which are not
represented in buildroot. As msgpack is used for the virtual multicast
udp can interface[1], which does seem like a bit of a niche usecase,
just drop the mandatory dependency without introducing a user-visible
config option to enable it.
[1] https://python-can.readthedocs.io/en/4.0.0/interfaces/udp_multicast.html
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Libiio python bindings use ctypes and specifically the find_library()
function from there to load the libiio.so shared library. This is not
working unless glibc utils (specifically ldconfig) is installed to the
target (alternatively the target would need gcc or binutils, for objdump
or ld).
The easy fix here is to just bypass the find_library() machinery
altogether as it's not needed on a buildroot system.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Tested-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In commit a68899d49e ("package/python3:
work around GCC bug 121567"), we introduced a work around for a gcc
bug, by reducing to -O1 the optimization level on SuperH.
However, it turns out that this is not sufficient, as the build will
only succeed at -O0.
Fixes:
https://autobuild.buildroot.net/results/31f/31f34a983036b4135c12e5797b5c2258ab33e6c2/
Which is a config with BR2_OPTIMIZE_2=y, which means
BR2_TOOLCHAIN_HAS_GCC_BUG_121567=y, and therefore -O1 is passed, but
still the build fails. At -O0 the build doesn't fail.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The test to enable NEON on AArch64 is as follows:
ifeq ($(BR2_aarch64)$(BR2_ARM_CPU_HAS_NEON),yy)
It cannot be true as $(BR2_aarch64) and $(BR2_ARM_CPU_HAS_NEON) are
mutually exclusive. NEON is compulsory on AArch64 so remove
$(BR2_ARM_CPU_HAS_NEON) from the test.
Fixes: ba2fb599cd ("package/pixman: bump to version 0.44.2")
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of pip to version 25.3 in commit
285097051d, the build of the Python
bindings of libselinux is broken for both the host and target
variants.
For the host variant, because "pip install" no longer finds the
system-provided setuptools and tries to download setuptools by itself,
causing build issues because our host-python doesn't have SSL support:
Could not fetch URL https://pypi.org/simple/setuptools/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/setuptools/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
For the target variant, because "pip install" no longer finds the
sysconfigdata package:
ModuleNotFoundError: No module named '_sysconfigdata__linux_sparc64-linux-gnu'
[end of output]
We fix this by taking a patch from Debian, which is slightly tweaked
to also cover our host package (the original Debian patch was passing
--no-build-isolation only when DESTDIR was not empty, but in Buildroot
host packages are built with DESTDIR empty, and we do need
--no-build-isolation).
Fixes:
https://autobuild.buildroot.net/results/0e9de0c0d8b6ec57eea9f8834f02076b296ba4f1/ (host-libselinux)
https://autobuild.buildroot.org/results/1b87c659f1901b0bf33fa4a2ff0ed40b13114bba/ (libselinux)
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Co-Authored-By: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This reverts commit fd991649d3, which
isn't the correct fix: indeed, host-libselinux can be built without
BR2_PACKAGE_PYTHON3 being enabled. And also having to use the network
during the build is anyway not correct.
A follow-up commit will fix this issue in a proper way.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CPE 'cpe:2.3:a:antirez:linenoise:1.0:*:*:*:*:*:*:*' is valid for the
package linenoise [1].
Since the latest version has been '1.0' since 2015, the CPE_ID_VERSION is set
to that version.
The CVEs that apply to version 1.0 were checked with the 'cve-check'
script:
```
echo '{"components": [{"bom-ref": "linenoise", "name": "linenoise", "version": "1.0", "cpe": "cpe:2.3:a:antirez:linenoise:1.0:-:*:*:*:*:*:*"}]}' | support/scripts/cve-check | jq -r '.vulnerabilities[].id'
```
Only the CVE-2025-9810 exists and that was fixed in [2].
[1] https://nvd.nist.gov/products/cpe/detail/10423C23-6AAA-439E-B723-1FCDEB3A769F
[2] 3c7cbf97d7 package/linenoise: security bump to version e26268de5e
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
opencv3's code is not compatible with newer versions of ffmpeg, and
opencv3 is no longer maintained, so we have no choice but to disable
its ffmpeg support.
Fixes:
https://autobuild.buildroot.net/results/9ae3911583cccb6362f33cd82e5eaafb059fdc76/
It's not clear which ffmpeg version bump broke the build exactly, but
this issue is definitely present in 2025.02.x as the following
defconfig fails to build in a similar way on 2025.02.x:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_FFMPEG_NONFREE=y
# BR2_PACKAGE_FFMPEG_FFMPEG is not set
# BR2_PACKAGE_FFMPEG_INDEVS is not set
# BR2_PACKAGE_FFMPEG_OUTDEVS is not set
BR2_PACKAGE_OPENCV3=y
BR2_PACKAGE_OPENCV3_LIB_VIDEOIO=y
BR2_PACKAGE_OPENCV3_BUILD_PERF_TESTS=y
BR2_PACKAGE_OPENCV3_WITH_FFMPEG=y
BR2_PACKAGE_OPENCV3_INSTALL_DATA=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The protobuf support breaks the build, as protobuf includes
libabseil-cpp headers, which now require C++14. opencv3 doesn't have
any ENABLE_CXX14 option, so for the time being, disable protobuf
support until someone bothers enough to fix this up.
While we suspect a libabseil-cpp version bump to be responsible for
the issue, we are not 100% sure. However, the issue is definitely
present in Buildroot 2025.02.x, as it can be reproduced using the
following defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_OPENCV3=y
BR2_PACKAGE_OPENCV3_LIB_SHAPE=y
BR2_PACKAGE_OPENCV3_LIB_STITCHING=y
BR2_PACKAGE_OPENCV3_LIB_SUPERRES=y
BR2_PACKAGE_OPENCV3_LIB_TS=y
BR2_PACKAGE_OPENCV3_LIB_VIDEOSTAB=y
BR2_PACKAGE_OPENCV3_WITH_PROTOBUF=y
Fixes:
https://autobuild.buildroot.net/results/39432e7746e6bc5224592a7d2f744ca992bd529a/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a small patch to fix CMake 4 build issues. Unfortunately, while
cmake/OpenCVMinDepVersions.cmake provides a MIN_VER_CMAKE that we
could pass on the command line, cmake/OpenCVGenPkgconfig.cmake doesn't
use it, so we anyway have to patch the package.
Since opencv3 is basically unmaintained, there is no point sending
this patch upstream.
Fixes:
https://autobuild.buildroot.net/results/cc857993920607958dd817c6a877ed9386c05738/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
cppcms.com now points to a Github page at
https://github.com/artyom-beilis/cppcms which has a 2.0.1 version, so
let's use that. The number of differences to 2.0.0.beta2 is very
small:
$ git log --oneline v2.0.0.beta2..v2.0.1
b872972 (tag: v2.0.1, origin/master, origin/HEAD, master) Version to 2.0.1
a1914f7 (tag: v2.0.0) Replaced system category with one from predating C++11 (v1.2) because std::system_category does not translate WSAGetLastError results
c4febcc Merge pull request #104 from dreaming-augustin/upstream
922cd49 Python 3.12 compatibility: wrap regex in r''.
a11e9d4 Merge branch 'cpp11'
3000bc6 (origin/1.2_updates) Merge pull request #99 from dreaming-augustin/master
44e24c7 [#89] cppcms_error fix typo + consistent messages
a6d5575 (origin/cpp11) Added backtrace to system error
b3aef3b Fixed missing include for stripped down build
463a9a6 Removed IPV6 due to travis limitations
f8163c6 Merges from cpp11
31d4fe7 Added verbose log on failure
90bc996 Added Linux to build matrix - so I have fallback if normal build environment fails
f78ee39 Added Readme for github
a737d5d Merged python3 compatibility from master
0c67544 Support of python 2.7 and python 3
0d121a7 Python3 compatibility
2fc7e38 Python3 compatibility
d745869 python3 fix for tmp_cc
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since Buildroot commit dcee99507c that
bumped package/icu to version 77-1, the build of cppcms with ICU
support enabled fails.
Indeed, ICU now requires C++17, and while cppcms.mk has some logic to
get C++ flags using icu-config, the -std=c++17 gets ultimately
overridden by the built-in -std=c++11 flag encoded in cppcms
CMakeLists.txt.
To fix this, we have submitted a patch upstream that ensures the
CMAKE_CXX_FLAGS passed on the command line take precedence over the
built-in flags defined in cppcms CMakeLists.txt.
Fixes:
https://autobuild.buildroot.net/results/9c34a08ea02499b28093ad3fa184cee10b2883ac/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
Fixes:
https://autobuild.buildroot.net/results/30c1645d04b9d2b581aa7a866aa19c4001538e17/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes:
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
Compatibility with CMake < 3.5 has been removed from CMake.
Update the VERSION argument <min> value. Or, use the <min>...<max> syntax
to tell CMake that the project requires at least <min> but has been updated
to work with policies introduced by <max> or earlier.
Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
We didn't submit the patch upstream, because contrary to cppcms, cppdb
seems completely dead. Last commit is from 2012 at
https://sourceforge.net/p/cppcms/code/HEAD/tree/cppdb/.
There are no known autobuilder failures for this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
No autobuilder issues, as this problem was hidden by the libcuefile
CMake 4 build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This patch adds the dependencies necessary to enable the newer version
of shairport-sync support for the AirPlay2 protocol.
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This is the Not Quite PTP timing library necessary for
AirPlay2 support with shairport-sync.
Signed-off-by: Trammell Hudson <hudson@trmm.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of bpftrace to version 0.24.2 in Buildroot commit
97e2f63bdf, the build of bpftrace fails
with:
CMake Error at cmake/Embed.cmake:3 (find_program):
Could not find XXD using the following names: xxd
Call Stack (most recent call first):
src/stdlib/CMakeLists.txt:1 (include)
This is due to upstream commit
df21d917d9cced77ebde1202c1b3508a169f46a0, which was merged in 0.24.0.
There are no autobuilder failures for this issue at this point, but
the following defconfig exhibits the issue (of course on a host where
xxd is not installed system-wide):
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_BPFTRACE=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Switched _SITE to github, old project site is down.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use 'git describe --abbrev=40' format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Removed patch which is included in this release.
Backported bump to fix cmake 4 compatibility.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Drop now upstreamed patch 0001:
84d68c6285
And rename remaining patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The VIM_REMOVE_DOCS variable is currently a post install target hook,
but it can just as well be done inside VIM_INSTALL_TARGET_CMDS
directly.
The hook was registered conditionally based on BR2_PACKAGE_VIM_RUNTIME
because prior to commit f7a07f42f7, the
hook's logic was:
find $(TARGET_DIR)/usr/share/vim -type f -name "*.txt" -delete
which was failing if BR2_PACKAGE_VIM_RUNTIME was not enabled, as
$(TARGET_DIR)/usr/share/vim would not exist.
But since this commit, the hook logic is:
$(RM) -rf $(TARGET_DIR)/usr/share/vim/vim*/doc/
which obviously won't fail if $(TARGET_DIR)/usr/share/vim doesn't
exist.
So let's simplify the whole logic.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Instead of calling $(MAKE) multiple times, let's call it once, with
all installation targets needed. We introduce a VIM_INSTALL_TARGETS
variable to collect the list of make install targets that need to be
invoked.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
In Buildroot, we more commonly do:
$(MAKE) -C $(@D)/src
than:
cd $(@D)/src; $(MAKE)
so let's adopt this more conventional style.
This coding style in vim.mk dates from when the package was introduced
by Peter Korsgaard back in 2010.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
While not very common, it is nice when package re-installation
works. Unfortunately the "installlinks" target of vim installs links
with "ln -s", causing a package reinstallation to fail with:
    cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim ex
    cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim view
    cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim rvim
    cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim rview
    cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim vimdiff
    ln: failed to create symbolic link 'ex': File exists
    ln: failed to create symbolic link 'view': File exists
    make[2]: *** [Makefile:2749: /home/thomas/buildroot/br/output-all/target/usr/bin/ex] Error 1
    make[2]: *** Waiting for unfinished jobs....
    make[2]: *** [Makefile:2752: /home/thomas/buildroot/br/output-all/target/usr/bin/view] Error 1
    ln: failed to create symbolic link 'rvim': File exists
    ln: failed to create symbolic link 'rview': File exists
To fix this, we remove the target links before proceeding with the
installation.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release Notes: https://docs.djangoproject.com/en/6.0/releases/6.0/
A few changes in the license files and an actual (sub)-license update:
* django/contrib/gis/measure.py -> formatting change
* django/contrib/admin/static/admin/img -> svg files got updated and
the new ones are licensed under CC-BY-4.0; separate LICENSE file got
removed, License is now mentioned in the readme
* django/utils/archive.py -> File got updated, license (which is only
the header) did not change.
Remove the comment about django site having an inconvenient download
URL. We download pretty much all python packages from pypi.org, so doing
that for django shouldn't need a separate comment.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
- Add watchdogctl list-clients command to display currently subscribed
clients to the process supervisor. Outputs to stdout in either table
format (default) with colored headers, or JSON format with -j/--json
- New global -j, --json option for machine-readable output, currently
supported by list-clients and status commands
- New API: wdog_clients() returns array of wdog_client_t structs for
programmatic access to subscribed clients. See API documentation at
https://codedocs.xyz/troglobit/watchdogd/wdog_8h.html
- Enhance watchdogctl status command to display formatted output by
default, with device information, capabilities, and reset history in
a human-readable table format. Use -j/--json for JSON output
Fixes:
- Generic scripts running more than 1 second would fail with false
"critical error" reports and cause unwanted system reboots due
to uninitialized exit status variable
- watchdogctl reload with tempmon crashes watchdogd
- Issue causing unwanted reboot when watchdogctl reload was called
while a generic monitor script was running
- Fix memory leak in generic monitor with optional script path, would
be triggered on watchdogctl reload
The first of the fixes means we can now drop the backported patch.
Also, the test mode has been dropped from public use, hence it being
removed as well in this commit.
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changelog:
https://github.com/linux-test-project/ltp/releases/tag/20250930
Remove patches backported from this release.
Remove LTP_TESTSUITE_AUTORECONF (patch, which required it was backported
from this release).
Require kernel headers for uclibc >= 4.5 for uclibc due to F_GETOWN_EX from <fcntl.h>.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 285097051d bumped
python-pip to version 25.3, causing build errors when host-python3 was
built without SSL support:
WARNING: pip is configured with locations that require TLS/SSL,
however the ssl module in Python is not available.
[...]
Could not fetch URL https://pypi.org/simple/setuptools/:
There was a problem confirming the ssl certificate:
HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded
with url: /simple/setuptools/ (Caused by SSLError("Can't connect to
HTTPS URL because the SSL module is not available.")) - skipping
ERROR: Could not find a version that satisfies the requirement setuptools>=40.8.0 (from versions: none)
Reverting the python-pip bump reveals the true cause of the build error
by showing these messages:
WARNING: pip is configured with locations that require TLS/SSL,
however the ssl module in Python is not available.
[...]
DEPRECATION: Building 'selinux' using the legacy setup.py bdist_wheel
mechanism, which will be removed in a future version. pip 25.3 will
enforce this behaviour change. A possible replacement is to use the
standardized build interface by setting the `--use-pep517` option,
(possibly combined with `--no-build-isolation`), or adding a
`pyproject.toml` file to the source tree of 'selinux'.
Discussion can be found at https://github.com/pypa/pip/issues/6334
Selecting BR2_PACKAGE_HOST_PYTHON3_SSL fixes the problem.
Criu, the only other buildroot package using host-python-pip as
dependency, already selects BR2_PACKAGE_HOST_PYTHON3_SSL.
Fixes:
https://autobuild.buildroot.net/results/fd6/fd6d3edd5f74d094621ac9fdb93db24520b7a6e3/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The tests check if all supported hash algorithms are usable in
mkimage, for both host and target packages. Additionally, as a
necessary tool, it verifies the previous fix for FIT output from
dumpimage.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use builtin kernel for faster testing]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Some host commands need to call other host commands: For example,
"mkimage" from host-uboot-tools needs to run "dtc". This would fail or
call system commands without adding the host bin dir to PATH.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use python functions/constants to build path]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Otherwise "dumpimage -l" produces only a newline when processing a FIT
image.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Also update the device tree: since Linux v6.15-rc1 (510a6190cf5e "ARM:
dts: microchip: fix faulty ohci/ehci node names"), the USB nodes are
named "usb" instead of "ohci" or "ehci".
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
[Julien: update linux.hash comment to take hash from upstream]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes:
- Add support for Porkbun DDNS provider
- Add support for domene.shop (Norwegian DDNS provider)
- Add support for round-robin records to Cloudflare
- Add example config for DuckDNS IPv6
- Cloudflare: omit proxy setting if unset in config
- Cloudflare: omit TTL update if unset in config
- Simply.com provider fixed and re-enabled
- Support for long ddns-path requests (increased buffer size)
Fixes:
- Do not use an IP resolution method different than the one
specified in configuration
- Fix support for Namecheap
- Fix Dynu IPv6 issue
- Default value -1 not used for ttl setting
- Fix IPv6 detection for providers with "v6" in their name,
e.g., ipv64.net and dynv6.com
- Fix dnspod error: "Communication with checkip server failed"
- Fix cache directory creation on --help or --check-config
- Fix cache directory not writeable and no $HOME
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The build of the following basic configuration enabling the
imagination Vulkan driver
    BR2_aarch64=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
    BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
    BR2_PACKAGE_MESA3D=y
    BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION=y
fails with:
    meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Adding just LLVM as a dependency is not enough, as then libclc is
needed, then LLVMSPIRVLib, then clangBasic, then the pco_clc tool.
In fact, like the Panfrost driver, building the Imagination driver
requires building host tools using host-mesa3d. To fix this we:
- Make the BR2_PACKAGE_MESA3D_OPENCL option selectable
- Make sure that BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION depends
on BR2_PACKAGE_MESA3D_LLVM and select
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER (the latter being needed to
build host-mesa3d)
- Make sure the host-mesa3d builds imagination
tools (-Dtools=imagination) and install
pco_clc (HOST_MESA3D_INSTALL_PCO_CLC). This requires introducing
HOST_MESA3D_TOOLS as a list of tools to build, which then gets used
to construct the -Dtools argument, as we can now have both
"panfrost" and "imagination" in this list.
With all this, the defconfig above builds successfully.
This has been broken since Buildroot commit
5e818c16a3, which introduced the vulkan
driver support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since upstream commit 6e189ba6c17a2ab9b60e6fd65fc6a44a17dc9e8f, merged
in mesa-25.3.0, the imagination Vulkan driver is no longer
experimental.
Therefore, since Buildroot commit
3e296a1511, which bumped mesa3d to
version 25.3.0, the build of a configuration such as:
    BR2_aarch64=y
    BR2_TOOLCHAIN_EXTERNAL=y
    BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
    BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
    BR2_PACKAGE_MESA3D=y
    BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION=y
fails with:
    build/mesa3d-25.3.1/meson.build:4:0: ERROR: Value "imagination-experimental" for option "vulkan-drivers" is not in allowed choices: "auto, amd, broadcom, freedreno, intel, intel_hasvk, panfrost, swrast, virtio, imagination, microsoft-experimental, nouveau, asahi, gfxstream, all"
Fix this by using the proper Vulkan driver name.
There are no autobuilder failures for this issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
No changes to hashes, only comments in hash files computed by our
utils/scanpypi script are updated by this patch.
During future mass package updates this patch will reduce the number of
changes created by scanpypi to be reviewed.
Please note that an updated version of scanpypi was used:
https://patchwork.ozlabs.org/project/buildroot/patch/20251001002004.3178942-1-james.hilliard1@gmail.com/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: drop packages not downloaded from pypi or where rust vendoring is
used]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit b243b77ebe added this
package including a hash file containing a typo of the tarball filename
for the md5 hash. Updated comment as computed by scanpypi.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For release notes, see:
https://perldoc.perl.org/5.42.0/perl5420delta
Note: the release notes mention fixed CVE. Those were already fixed in
Buildroot commit [1] and [2]. Therefore, this update is not marked as a
security fix.
This commit also updates the `utils/scancpan` script, in order to
update the messages about the host-perl version.
[1] 61f5e2efca
[2] 164c84ee9b
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Julien: add commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
The 6.17.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
cmocka tries to find the Doxygen binary by default and if successful,
it tries to download style sheets and breaks with the following message:
CMake Error at
doxygen-awesome-css-subbuild/doxygen-awesome-css-populate-prefix/src/doxygen-awesome-css-populate-stamp/download-doxygen-awesome-css-populate.cmake:163
(message):
Each download failed!
error: downloading
'https://github.com/jothepro/doxygen-awesome-css/archive/refs/tags/v2.4.1.tar.gz'
failed
status_code: 1
status_string: "Unsupported protocol"
log:
--- LOG BEGIN ---
Protocol "https" not supported
closing connection #-1
Disable the Doxygen package search entirely.
Fixes:
https://autobuild.buildroot.org/results/e6a04cee8bc3028bd8a1a535c2852e60f362c4ba/
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
By doing so we can also drop the patches for musl which have now been
merged upstream.
Reviewed-by: Jesse Taube <jesse@rivosinc.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bump includes a patch which adds cmake4 compatibility.
Rebased patch 0001.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The CSharp Extension was removed in grpc 1.47.0 [0] and the option in
the CMakeLists was dropped in 1.58.0 [1], which means that it is no
longer relevant since Buildroot commit
91d1207de0, which bumped grpc from
1.51.1 to 1.66.1.
So remove this option for host-grpc as well.
Fixes:
CMake Warning:
Manually-specified variables were not used by the project:
gRPC_BUILD_CSHARP_EXT
[0] https://github.com/grpc/grpc/releases/tag/v1.47.0
[1] 3a2bd221ef
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Add a simple test ensuring that
- libldns is correctly built and installed
- drill is correctly built and installed
- drill is able to execute on the target
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The libldns library also comes with a CLI tool named drill, allowing to
perform DNS requests. Drill build is currently disabled by default.
Add a KConfig option to allow building and installing drill tool. Set
the default value to n to preserve the current behavior. Similarly to
linktest (see the comment in the .mk), drill fails to build correctly as
a static binary, so make the new option depend on non-static build.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This version allows to build with Linux 6.18.
Fixes:
In file included from core/crypto/sha256.c:11:
core/crypto/sha256.h:16:5: error: conflicting types for 'hmac_sha256'; have 'int(const u8 *, size_t, const u8 *, size_t, u8 *)' {aka 'int(const unsigned char *, long unsigned int, const unsigned char *, long unsigned int, unsigned char *)'}
Build failure still not occurred in autobuilders.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add details about the error being fixed]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Alexey Brodkin from Synopsys says in [1]:
I think indeed, we may remove all the big-endian support for ARC.
Reasons are since introduction of ARC HS4x processors we no longer
support big-endian in any new processor IP, and even for older IP
which used to support big-endian it was rarely used... so basically
there's no good justification to spend any cycles on big-endian
support looking forward in this project. I.e. BE support in uClibc
could also be removed if it makes any difference.
Therefore, let's remove support for ARC big-endian.
[1] https://lore.kernel.org/buildroot/SJ2PR12MB818487232470DA4456967C73A1A3A@SJ2PR12MB8184.namprd12.prod.outlook.com/
Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: ARC Maintainers <arc-buildroot@synopsys.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
[Julien:
- move legacy option to 2026.02 section
- add link to mailing list
- remove BR2_arceb from pkg-meson.mk to fix check-symbols error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Adds documentation about adding a patch that addresses a vulnerability.
The patch-policy file now mentions that patches that address a
vulnerability need to include a `CVE:` trailer with the reference of
that vulnerability.
Until now only adding the reference to the `_IGNORE_CVES` variable was
necessary, so the documentation of this entry is modified as well to
point to the patch policy.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The CycloneDX specification for vulnerabilities defines four analysis
states ([1]) for cases where a vulnerability does not affect a component:
* resolved
* resolved_with_pedigree
* not_affected
* false_positive
Currently, the metadata present in Buildroot does not allow an accurate
mapping of ignored CVEs to the appropriate CycloneDX vulnerability
categories. As a result, all ignored CVEs are currently marked as
'in_triage' by default.
This default analysis was established during the introduction of the
'generate-cyclonedx' script. The reasoning at the time was that SBOM
consumers might want to re-evaluate ignored vulnerabilities, as the
Buildroot infrastructure could not reliably determine their actual
state.
This patch adds support for automatically marking vulnerabilities as
'resolved_with_pedigree' when a Buildroot patch includes a 'CVE:'
tag in its header referencing the CVE identifier.
The 'CVE:' tag appears alongside the already required 'Upstream:', if
the patch addresses a security vulnerability and may be repeated if a
patch addresses multiple vulnerabilities.
If a vulnerability is addressed by multiple patches, each patch will need to
reference the vulnerability identifier.
For details on how CycloneDX handles 'resolved_with_pedigree', see
[1][2].
As an example, the CVE-2025-3198 from the binutils package will result
in the following pedigree for the binutils component:
```
{
  "type": "unofficial",
  "diff": {
    "text": {
      "content": "..."
    }
  },
  "resolves": [
    {
      "type": "security",
      "name": "CVE-2025-3198"
    }
  ]
}
```
The `resolves` property is an array of issues the pedigree resolves. If
multiple are addressed by the same patch, then multiple identifiers will be
present in this array.
In the listed vulnerabilities the entry for the CVE-2025-3198 looks like
this:
```
{
  "id": "CVE-2025-3198",
  "analysis": {
    "state": "resolved_with_pedigree",
    "detail": "The CVE 'CVE-2025-3198' has been marked as ignored by Buildroot"
  },
  "affects": [
    {
      "ref": "binutils"
    }
  ]
}
```
[1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis_state
[2] https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches_items_resolves
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
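The mapping described in the commit message above, as an added Python sketch; it is not the code of Buildroot's generate-cyclonedx script. The function names, patch file names, `example.org` URLs and the CVE-2099-* identifiers are constructed for illustration, and emitting pedigree entries only for patches that carry a `CVE:` trailer is an assumption of this example.

```python
import json
import re

# "CVE: <identifier>" trailer in the patch header; it may be repeated.
CVE_TRAILER = re.compile(r"^CVE:[ \t]*(CVE-\d{4}-\d{4,})[ \t]*$", re.MULTILINE)
# The header of a git-format patch ends at the "---" line or the first diff.
HEADER_END = re.compile(r"^(?:---[ \t]*$|diff --git )", re.MULTILINE)


def patch_header(patch_text):
    """Return the part of the patch that precedes the diff."""
    m = HEADER_END.search(patch_text)
    return patch_text[:m.start()] if m else patch_text


def cves_in_patch(patch_text):
    """CVE identifiers named by 'CVE:' trailers, in order, without duplicates."""
    found = []
    for cve in CVE_TRAILER.findall(patch_header(patch_text)):
        if cve not in found:
            found.append(cve)
    return found


def pedigree_patches(patches):
    """Build pedigree patch entries from a {filename: patch text} mapping."""
    entries = []
    for name in sorted(patches):
        cves = cves_in_patch(patches[name])
        if not cves:
            continue  # assumption of this example: skip untagged patches
        entries.append({
            "type": "unofficial",
            "diff": {"text": {"content": patches[name]}},
            "resolves": [{"type": "security", "name": c} for c in cves],
        })
    return entries


def vulnerabilities(component, ignored_cves, patches):
    """One entry per ignored CVE; the state depends on patch trailers."""
    resolved = {c for text in patches.values() for c in cves_in_patch(text)}
    entries = []
    for cve in ignored_cves:
        # Ignored CVEs with no tagged patch keep the earlier default state.
        state = "resolved_with_pedigree" if cve in resolved else "in_triage"
        entries.append({
            "id": cve,
            "analysis": {
                "state": state,
                "detail": f"The CVE '{cve}' has been marked as ignored by Buildroot",
            },
            "affects": [{"ref": component}],
        })
    return entries


def make_patch(subject, trailers):
    """Constructed git-format patch: header, '---' separator, tiny diff."""
    return ("From: Example Author <author@example.org>\n"
            f"Subject: [PATCH] {subject}\n\n"
            + "".join(f"{t}\n" for t in trailers)
            + "Signed-off-by: Example Author <author@example.org>\n"
            "---\n"
            "diff --git a/file.c b/file.c\n"
            "--- a/file.c\n+++ b/file.c\n@@ -1 +1 @@\n-old\n+new\n")


# Constructed sample input (not real Buildroot patches).
SAMPLE_PATCHES = {
    "0001-fix-leak.patch": make_patch(
        "fix leak",
        ["Upstream: https://example.org/placeholder-1", "CVE: CVE-2025-3198"]),
    "0002-fix-two-issues.patch": make_patch(
        "fix two issues",
        ["Upstream: https://example.org/placeholder-2",
         "CVE: CVE-2099-0001", "CVE: CVE-2025-3198"]),
    "0003-build-fix.patch": make_patch(
        "build fix", ["Upstream: https://example.org/placeholder-3"]),
}
# CVE-2099-0002 is ignored without any patch naming it.
IGNORED = ["CVE-2025-3198", "CVE-2099-0001", "CVE-2099-0002"]

if __name__ == "__main__":
    print(json.dumps(vulnerabilities("binutils", IGNORED, SAMPLE_PATCHES), indent=2))
```
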
https://github.com/google/brotli/blob/v1.2.0/CHANGELOG.md
Adds the following security hardening:
python: added Decompressor::can_accept_more_data method and optional
output_buffer_limit argument Decompressor::process; that allows mitigation
of unexpectedly large output
Which is needed to complete the security fixes in python-urllib3 2.6.0.
Added dependency to host-python-pkgconfig to fix build error which would
be introduced by this bump.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: mark as security bump, describe the relation with urllib3]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add the reference command line tools for interacting with Sigsum
signature transparency logs.
Signed-off-by: Florian Larysch <fl@n621.de>
[Julien:
- select sigsum-verify if all other tools are deselected
- split and sort HOST_SIGSUM_GO_BUILD_TARGETS
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This bump includes patches which add cmake4 compatibility.
Instead of adding patches for
https://github.com/greatscottgadgets/hackrf/commits/main/host/CMakeLists.txt
to the latest release from February 2024 we bump the package to the latest
commit from November 2025.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use "git describe --abbrev=40" format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2020 with > 120 commits since then, including
fixes for cmake 4 compatibility.
Instead of backporting several patches we bump the package to the latest
commit which allows to remove patch 0001.
Updated license hash due to upstream commit
f9dad5a35e
For list of changes, see:
142e1bda34
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add link to change list
- change _VERSION to use "git describe --abbrev=40" format
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Last release dates back to 2021 with > 50 commits since then, including
fixes for cmake 4 compatibility.
Instead of backporting several patches we bump the package to the latest
commit.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use "git describe --abbrev=40" format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes between 2.4 and 2.5:
- snagrecover:
add support for bcm2711/12 platforms
add support for several AMLogic platforms
add support for AM654x platforms
confirm Allwinner A133 support
- snagfactory:
allow changing target device mid-pipeline
tone down UI colors, increase button sizes
No changes affect the packaging or dependencies.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Bump Linux kernel to 6.18.
- Bump U-Boot to 2025.10. Add the dependency on GNU TLS. Refresh the
config fragment: add smc & poweroff commands, add ESRT and dummy
capsule update, add SMCCC features discovery.
- Bump OP-TEE to 4.8.0. Add the dependency on python-cryptography. Lock
optee-client version to be the same as optee-os. Add a patch to output
logs to the same UART as all the other components and increase log
level. Remove the unnecessary dependency on dtc.
- Bump TF-A to v2.14.0.
- Bump FVP to 11.30_27. Disable terminal 1, now that all the logs go to
a single terminal. Enable virtio network. Rate limit the simulation
by default, for convenience at U-Boot and GRUB countdown, and for more
realistic delays inside the simulation.
- Switch to Bootlin pre-built toolchain.
- Add more modules to GRUB, to have more commands available: efi
commands, plus reboot & halt.
- Add eudev to probe Linux modules during boot, for LCD support.
- Configure eth0 with DHCP automatically during boot.
- Refresh the documentation.
This configuration has been tested on an x86 and on an AArch64 machine.
The firmware and FVP of this configuration have also been tested
successfully with other OSes: Debian Live, openSUSE Tumbleweed, Yocto,
OpenWrt, Buildroot AArch64 EFI and FreeBSD.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The current upstream repo shows this note:
"This repository was archived by the owner on May 27, 2024. It is now
read-only."
Switched to fork whose only difference is a commit fixing build errors
with cmake 4:
4674816f56
Since this commit changes _SITE, the package homepage url is also updated
to the same location.
Fixes:
https://autobuild.buildroot.net/results/130/13084ca4df5ae91d72f46ef51873676b05398ec9/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change homepage url in Config.in and add commit log comment]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 95c385e2d6 in -next
branch bumped libcamera to version 0.6.0 which breaks the build:
../core/options.cpp:405:44: error: conversion from
'std::basic_string_view<char>' to non-scalar type
'const std::string' {aka 'const std::__cxx11::basic_string<char>'}
requested
405 | const std::string cam_id =
*cameras[camera]->properties().get(libcamera::properties::Model);
Added upstream patch, included since version 1.10.0, to fix the problem.
Please note that since version 1.9.1 this package is incompatible with
the current version of ffmpeg used in buildroot so bumping it is not an
option atm:
cbe9921eed
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: fix Buildroot commit id of libcamera bump]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add optee_os to the default configuration for versal2 devices including an
example with the versal2_vek385_defconfig.
Since not all versal2 optee_os features are upstream, use the downstream
Xilinx release tag xlnx_rebase_v4.5.0_2025.2 for version xilinx_v2025.2
which is based on optee_os v4.5.0.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Most of the time, users will be running Vivado on their local host machine,
and will generate a XSA (Xilinx Shell Archive) locally.
Instead of requiring users to create a URL location for their XSA file,
this patch improves ease of use by allowing users to work directly with
just a path on the local host machine.
BR2_TARGET_XILINX_PREBUILT_VERSAL_XSA_LOCATION can thus be defined as either
a simple local location or a URL location for the XSA file.
In either case, a hash for the XSA file needs to be added to the
boot/xilinx-prebuilt/xilinx-prebuilt.hash when using this option.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add an example config for the Versal2 VEK385 evaluation board. This board has
the superset 2VE3858 device of the Versal AI Edge Gen 2 family with
8 Cortex-A78AE cores, 10 Cortex-R52 cores, 144 AIE-ML tiles and over 500k LUTs.
With this patch, Buildroot is capable to build a full image for the VEK385
evaluation board along with all the necessary firmware components.
More information about the VEK385 evaluation board can be found here:
https://www.amd.com/en/products/adaptive-socs-and-fpgas/evaluation-boards/vek385.html
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add support for Xilinx versal2 devices which include two new applications
for the xilinx-embeddedsw package.
BR2_TARGET_XILINX_EMBEDDEDSW_VERSAL2_PLM
There is a new PLM (platform loader and manager) application for versal2
devices. The purpose of the PLM is to act as the bootloader for loading the
boot.pdi to configure the DDR memory and then loading arm-trusted-firmware and
u-boot on the Cortex-A78 core 0.
BR2_TARGET_XILINX_EMBEDDEDSW_VERSAL2_ASUFW
Included with versal2 devices is a risc-v based security accelerator called
the ASU (application security unit). The ASUFW is the open-source application
which runs on the ASU.
Versal2 devices simplified the boot process by getting rid of the second
microblaze core called the PSM (processor system manager). There is thus no
longer a need for a separate psmfw application like with the original versal
devices, as this functionality is now fully included in the new PLM for
versal2.
For more information about the Xilinx Versal Gen2 series:
https://www.amd.com/en/products/adaptive-socs-and-fpgas/versal/gen2/ai-edge-series.html
https://www.amd.com/en/products/adaptive-socs-and-fpgas/versal/gen2/prime-series.html
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
- Update the kernel, U-Boot, ATF tags and readme.txt.
- Increase the rootfs size to 200M.
Signed-off-by: Akhilesh Nema <nemaakhilesh@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Since FRR 10.5, header files can be properly installed [1]. Enable their
installation in Buildroot so that packages depending on FRR’s headers
can build against them.
With these headers available, the Grout package can build its zebra
dplane plugin, which allows FRR to configure the Grout router instead of
the kernel for packet processing.
[1] https://github.com/FRRouting/frr/pull/19351
Signed-off-by: Maxime Leroy <maxime@leroys.fr>
[Julien:
- move FRR_INSTALL_STAGING up
- add "package/" in commit title
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, bump the
default version of xilinx-prebuilt to xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, bump the
default version of xilinx-embeddedsw to xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Now that all Xilinx board configs have been bumped to xilinx_v2025.2, remove
the xilinx_v2025.1 hashes which are no longer needed.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump versal defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
plm xilinx_v2025.2
psmfw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a vek280 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hash for xilinx_v2025.2 version, so that example defconfigs can be
bumped to the latest version individually.
Since the license.txt changes with each release, move the hashes to version
specific directories instead of having a generic hash file.
xilinx_v2025.1 hash is moved to boot/xilinx-prebuilt/xilinx_v2025.1_update1
xilinx_v2025.2 hash is added to boot/xilinx-prebuilt/xilinx_v2025.2
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynqmp_kria defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
pmufw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a kv260 starter kit.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynqmp defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
arm-trusted-firmware v2.12
linux v6.12.40
pmufw xilinx_v2025.2
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a zcu102 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump zynq defconfigs to xilinx_v2025.2.
xilinx_v2025.2 includes the following software versions:
linux v6.12.40
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
xilinx_v2025.2 was run tested on a zc702 evaluation board.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hash for xilinx_v2025.2 version, so that example defconfigs can be
bumped to the latest version individually.
Since the license.txt changes with each release, move the hashes to version
specific directories instead of having a generic hash file.
xilinx_v2025.1 hash is moved to boot/xilinx-embeddedsw/xilinx_v2025.1
xilinx_v2025.2 hash is added to boot/xilinx-embeddedsw/xilinx_v2025.2
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Add hashes for xilinx_v2025.2 release tags which include the following:
arm-trusted-firmware v2.12
linux v6.12.40
uboot v2025.01
with all Xilinx downstream commits included with xilinx_v2025.2.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump bootgen to xilinx_v2025.2 version.
The 0001-bisonflex-Fix-build-on-machines-with-modern-flex.patch is no longer
needed because it has been committed upstream and included with the
xilinx_v2025.2 version.
0471f084b0
The 0001-lms-hash-sigs-hss_param.c-add-stdio.h-include.patch has now been
added to the package to fix the following potential build error:
The lms-hash-sigs/hss_param.c is missing an include of stdio.h. Without it,
the following build error can occur:
hss_param.c: In function ‘hss_get_parameter_set’:
hss_param.c:157:13: error: implicit declaration of function ‘printf’ [-Wimplicit-function-declaration]
157 | printf("Private key expired\n");
| ^~~~~~
hss_param.c:7:1: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
6 | #include "lm_common.h"
+++ |+#include <stdio.h>
7 |
hss_param.c:157:13: warning: incompatible implicit declaration of built-in function ‘printf’ [-Wbuiltin-declaration-mismatch]
157 | printf("Private key expired\n");
| ^~~~~~
hss_param.c:157:13: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
make[3]: *** [Makefile:38: hss_param.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [Makefile:84: build/bin/bootgen] Error 2
The above error was reported on Debian 13 / gcc 14.2.0.
Reported-by: Peter Korsgaard <peter@korsgaard.com>
Upstream: submitted to Xilinx bootgen repo with CR-1256741
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This adds the python bindings of libgpiod for version 2+.
While the python bindings for v1 were optionally built and
installed as part of the main libgpiod build, for v2 they have now been
published to pypi.org for easier consumption in the general python
ecosystem.
We need to set LINK_SYSTEM_LIBGPIOD=1 to actually build against the
system version of libgpiod which we install and not use a separate
bundled copy.
The package is licensed as libgpiod, but as published to pypi doesn't
include the LICENSE file that's part of upstream repository.
Reference pyproject.toml as that has the license identifier as a
workaround.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that binutils 2.45 has been introduced and binutils 2.44 made the
default version, drop the oldest supported version, binutils 2.42,
keeping only the 3 last versions supported: 2.43, 2.44 and 2.45.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Now that support for binutils 2.45 has been introduced, we follow our
policy of making binutils 2.44 the default version.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
We bring patches 0001 and 0002 that we carry for binutils 2.44. Patch
0002 requires a small update as a nearby configure option has been
removed between 2.44 and 2.45. Patch 0003 that we have for binutils
2.44 is not needed as it is part of the 2.45 release.
Changes in 2.45:
* New versioned release of libsframe: libsframe.so.2. This release introduces
versioned symbols with version node name LIBSFRAME_2.0. Some new symbols
have been added to support the new flag SFRAME_F_FDE_FUNC_START_PCREL and
retrieving flags from SFrame decoder and encoder objects:
- Addition of sframe_decoder_get_flags,
sframe_decoder_get_offsetof_fde_start_addr, sframe_encoder_get_flags,
sframe_encoder_get_offsetof_fde_start_addr.
This release also includes backward-incompatible ABI changes:
- Removal of sframe_get_funcdesc_with_addr.
- Change in the behavior of sframe_decoder_get_funcdesc_v2,
sframe_encoder_add_funcdesc_v2 and sframe_encoder_write.
* On s390 64-bit (s390x), gas, ld, objdump, and readelf now support generating
and processing SFrame V2 stack trace information (.sframe). The assembler
generates SFrame info from CFI directives with option "--gsframe". The
linker generates SFrame info for the linker-generated .plt section and merges
all .sframe sections. Both objdump and readelf dump SFrame info with option
"--sframe[=<section-name>]".
* For SFrame stack trace format, the function start address in each SFrame
FDE has a changed encoding: The 32-bit signed integer now holds the offset
of the start PC of the associated function from the sfde_func_start_address
field itself (instead of the earlier where it was the offset from the start
of the SFrame section itself). All SFrame sections generated by gas and ld
now default to this new encoding, setting the (new)
SFRAME_F_FDE_FUNC_START_PCREL flag.
Relocatable SFrame links are now fixed.
* Readelf now recognizes RISC-V GNU_PROPERTY_RISCV_FEATURE_1_CFI_SS and
GNU_PROPERTY_RISCV_FEATURE_1_CFI_LP_UNLABELED for zicfiss and zicfilp
extensions.
* For RISC-V dis-assembler, the definition of mapping symbol $x is changed,
so the file needs to be rebuilt since 2.45 once used .option arch directives.
* The LoongArch disassembler now properly accepts multiple disassembly
options given by -M, such as "-M no-aliases,numeric". (Previously only the
first option took effect.)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: fix BR2_BINUTILS_VERSION_2_45_X prompt to 2.45.1]
Signed-off-by: Julien Olivain <ju.o@free.fr>
2025-11-21 12:34:33 +01:00
2714 changed files with 19071 additions and 26357 deletions
Some files were not shown because too many files have changed in this diff