The commit [1] set the default value of '<pkg>_CPE_ID_UPDATE' to not use
a wildcard by default. But instead of setting the value to '-' it set it
to an empty value instead.
According to document [2] section 6.1.2.1.1 the 'Not Attributed' value
bind to an hyphen ('-') and the blank statement bind to the 'Any' ('*').
Because the CPE matching function was incorrect using a blank statement
worked to remove the false positives but this is not correct according
to the CPE documentation.
[1] 53a8616460 package/pkg-generic.mk: use more sensible default value for <pkg>_CPE_ID_UPDATE
[2] https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
Fixes: 53a8616460.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8430ca7c28)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Setting the "update" field in the CPE ID to * doesn't actually make
much sense, as * is a wildcard. Instead, this field should really
reflect the "subrelease" / "update" of the package, which unless
specified explicitly by the package .mk file, is empty.
Using a wildcard causes a few CVEs to be incorrectly identified as
affecting some of our packages.
For example https://nvd.nist.gov/vuln/detail/CVE-2013-1428 has a
CPE configuration that goes like this:
cpe:2.3:a:tinc-vpn:tinc:*:pre6:*:*:*:*:*:* up to including 1.1
and this CPE configuration is currently identified as affecting our
package. This isn't correct as our package is using 1.0.36, not a
"pre6" version. But because the CPE ID generated by Buildroot uses *
as the "update" field, and * is the wildcard, it does match with this
CPE configuration.
After this change, two CVEs are no longer identified as affecting
Buildroot packages:
https://nvd.nist.gov/vuln/detail/CVE-2013-1428https://nvd.nist.gov/vuln/detail/CVE-2017-9454
and in both cases they are indeed CVEs not affecting our package.
Reported-by: Titouan Christophe <titouan.christophe@mind.be>
Cc: Titouan Christophe <titouan.christophe@mind.be>
Cc: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 53a8616460)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Given the following criteria: `cpe:2.3:a:oneidentitty:syslog-ng:*:*:*:*:-:*:*:*`.
The former `cpe_matches` implementation would match with the following
CPE: `cpe:2.3:a:oneidentitty:syslog-ng:4.71:*:*:*:premium:*:*:*`.
The 'hyphen' ('-') meaning is "Not Attributed" (NA) a criteria with no
attributed software edition shouldn't match with a CPE with an attributed
software edition:
https://csrc.nist.gov/pubs/ir/7695/final
This patch also create a distinct 'CPE' object that aggregate the
function specifics to CPEs like it's done for 'CVE'.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 35f376d88e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The `support/script/cve.py` file is used as a library. Depending on how
you use this library you might not want to write content to stdout when
calling its function.
This patch move the 'updating' log to the 'pkg-stats' script and write
the alert when LooseVersion doesn't have a version to stderr.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4b318dea17)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit e4749b826c disabled
parallel builds back in 2016. Nearly 10 years and a "Complete rewrite
[of] the BIND 9 build system" later
978c7b2e89
we enable parallel builds again, make -j1000 finished without problems.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6a20a930fd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commits 7b43e24818 and
8adeaec8af removed the possibility for
static builds but forgot to remove some related _CONF_OPTS.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 636b2a8503)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When run_cmd_on_host() runs a command that fails, we only get an
exception with no details to debug what happened. Let's improve that
by catching the exception, and printing the command output. This
requires redirecting stderr to stdout (instead of /dev/null) and
asking to get the output in text format.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 01dc13adfb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For more details on the version bump, see:
- https://github.com/ImageMagick/ImageMagick/compare/7.1.2-3...7.1.2-8
Fixes the following vulnerability:
- CVE-2025-62171
ImageMagick is an open source software suite for displaying,
converting, and editing raster image files. In ImageMagick versions
prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability
exists in the BMP decoder on 32-bit systems. The vulnerability
occurs in coders/bmp.c when calculating the extent value by
multiplying image columns by bits per pixel. On 32-bit systems with
size_t of 4 bytes, a malicious BMP file with specific dimensions can
cause this multiplication to overflow and wrap to zero. The overflow
check added to address CVE-2025-57803 is placed after the overflow
occurs, making it ineffective. A specially crafted 58-byte BMP file
with width set to 536,870,912 and 32 bits per pixel can trigger this
overflow, causing the bytes_per_line calculation to become zero.
This vulnerability only affects 32-bit builds of ImageMagick where
default resource limits for width, height, and area have been
manually increased beyond their defaults. 64-bit systems with size_t
of 8 bytes are not vulnerable, and systems using default ImageMagick
resource limits are not vulnerable. The vulnerability is fixed in
versions 7.1.2-7 and 6.9.13-32.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-62171
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm
- cea1693e2d
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3b3b2d1b72)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See https://jvn.jp/en/jp/JVN19358384/
This fixes the following vulnerability:
- CVE-2025-24912:
hostapd fails to process crafted RADIUS packets properly. When hostapd
authenticates wi-fi devices with RADIUS authentication, an attacker in
the position between the hostapd and the RADIUS server may inject
crafted RADIUS packets and force RADIUS authentications to fail.
https://www.cve.org/CVERecord?id=CVE-2025-24912
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8282aaf094)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
iozone releases 3.507 and 3.508 seems to be only build fixes releases
for latest GCC compiler version but since there is no public vcs
it's not easy to review the history between releases and backport
any patches.
Based on the changelog from [1]:
Revision 3.507
Fix GCC compile warnings.
Revision 3.508
Put an end to the (&*% stupid GCC breaking builds for no valid reason.
So bump to the latest 508 release.
Rebase 0001-Add-new-targets-for-iozone.patch
Rebase 0002-fix-build-without-aio.patch and convert to git format
The TestIozone build issue is not yet fixed by the version bump [2].
[1] https://www.iozone.org/src/current/Changes.txt
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/11176774405
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 70cefcac9e)
[thomas: this with the next patch actually fixes build issue with GCC14 and not only GCC15]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In commit [1] the package netsnmp was bumped on master to version 5.9.4.
This version included fixes for CVE that were already patched in
buildroot and thus was not picked on the LTS branch.
As a consequence, the commit [2] was made on master which removed the
stale 'IGNORE_CVES' for the patches no longer presents. This commit was
wrongly picked on the LTS branch.
This reverts commit [3] which was included in 2025.02.x to set the
'IGNORE_CVES' back to the state of version 5.9.3.
[1] 1799cfebfd package/netsnmp: bump to version 5.9.4
[2] 4a3eab8341 package/netsnmp: drop stale ignore CVE entries
[3] 3ef8c1d0db package/netsnmp: drop stale ignore CVE entries
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
In commit [1], the only 'engicam' board config present on the 2025.02.x
branch was removed.
On the master branch the 'px30core' board is present because it was
added in commit [2] not picked on LTS branch.
So the DEVELOPERS entry for Jagan Teki that match every 'engicam' board
was not removed.
This patch removes this entry to remove the post commit hook warning.
[1] 13eb6c293e configs/engicam_imx6*: remove defconfigs, broken
[2] 6e6bd098c3 configs/engicam_px30_core_defconfig: new defconfig
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The commit adds a backported upstream patch to fix the following build
failure:
ptp2/ptp-pack.c:3168:31: note: earlier argument should specify number of elements, later size of each element
ptp2/chdk.c: In function 'yuv_live_to_jpeg':
ptp2/chdk.c:1203:41: error: passing argument 3 of 'jpeg_mem_dest' from incompatible pointer type [-Wincompatible-pointer-types]
1203 | jpeg_mem_dest (&cinfo, &outbuf, &outlen);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from ptp2/chdk.c:31:
/home/autobuild/autobuild/instance-0/output-1/per-package/libgphoto2/host/armeb-buildroot-linux-gnueabi/sysroot/usr/include/jpeglib.h:989:43: note: expected 'long unsigned int *' but argument is of type 'uint64_t *' {aka 'long long unsigned int *'}
989 | unsigned long *outsize);
Fixes:
- https://autobuild.buildroot.org/results/db742e301a401c9f4bdf3c7e8cfde9f0ba1c4558
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ebd07998d0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This contains many bug and security fixes since v22.12.0.
See the release notes: https://poppler.freedesktop.org/releases.html
In addition:
- Drop patch that has been applied upstream
- Update a few cmake configuration options that changed upstream
There is currently a build failure when enabling gpgme, so disable it
unconditionally for now.
Finally, this fixes the following vulnerabilities:
- CVE-2024-6239:
A flaw was found in the Poppler's Pdfinfo utility. This issue occurs
when using -dests parameter with pdfinfo utility. By using certain
malformed input files, an attacker could cause the utility to crash,
leading to a denial of service.
https://www.cve.org/CVERecord?id=CVE-2024-6239
- CVE-2024-56378:
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read
vulnerability within the JBIG2Bitmap::combine function in
JBIG2Stream.cc.
https://www.cve.org/CVERecord?id=CVE-2024-56378
- CVE-2025-32364:
A floating-point exception in the PSStack::roll function of Poppler
before 25.04.0 can cause an application to crash when handling
malformed inputs associated with INT_MIN.
https://www.cve.org/CVERecord?id=CVE-2025-32364
- CVE-2025-32365:
Poppler before 25.04.0 allows crafted input files to trigger out-of-
bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
because of a misplaced isOk check.
https://www.cve.org/CVERecord?id=CVE-2025-32365
- CVE-2025-43903:
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
adbe.pkcs7.sha1 signatures on documents, resulting in potential
signature forgeries.
https://www.cve.org/CVERecord?id=CVE-2025-43903
- CVE-2025-50420:
An issue in the pdfseparate utility of freedesktop poppler v25.04.0
allows attackers to cause an infinite recursion via supplying a
crafted PDF file. This can lead to a Denial of Service (DoS).
https://www.cve.org/CVERecord?id=CVE-2025-50420
- CVE-2025-52886:
Poppler is a PDF rendering library. Versions prior to 25.06.0 use
`std::atomic_int` for reference counting. Because `std::atomic_int` is
only 32 bits, it is possible to overflow the reference count and
trigger a use-after-free. Version 25.06.0 patches the issue.
https://www.cve.org/CVERecord?id=CVE-2025-52886
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: mark commit as "security" in commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cdd1c5ca55)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Do not bump to a more recent version, as the build system has
fundamentally changed.
See the release notes:
- https://github.com/netdata/netdata/releases/tag/1.34.0
- https://github.com/netdata/netdata/releases/tag/v1.34.1
- https://github.com/netdata/netdata/releases/tag/v1.35.0
- https://github.com/netdata/netdata/releases/tag/v1.35.1
- https://github.com/netdata/netdata/releases/tag/v1.36.0
- https://github.com/netdata/netdata/releases/tag/v1.36.1
- https://github.com/netdata/netdata/releases/tag/v1.37.0
- https://github.com/netdata/netdata/releases/tag/v1.37.1
In addition, add upstream patch to fix cross-compilation.
This fixes the following vulnerabilities:
- CVE-2023-22496:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. An attacker with the ability to
establish a streaming connection can execute arbitrary commands on the
targeted Netdata agent. When an alert is triggered, the function
`health_alarm_execute` is called. This function performs different
checks and then enqueues a command by calling `spawn_enq_cmd`. This
command is populated with several arguments that are not sanitized.
One of them is the `registry_hostname` of the node for which the alert
is raised. By providing a specially crafted `registry_hostname` as
part of the health data that is streamed to a Netdata (parent) agent,
an attacker can execute arbitrary commands at the remote host as a
side-effect of the raised alert. Note that the commands are executed
as the user running the Netdata Agent. This user is usually named
`netdata`. The ability to run arbitrary commands may allow an attacker
to escalate privileges by escalating other vulnerabilities in the
system, as that user. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, streaming is not enabled by default. If you have
previously enabled this, it can be disabled. Limiting access to the
port on the recipient Agent to trusted child connections may mitigate
the impact of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22496
- CVE-2023-22497:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. Each Netdata Agent has an
automatically generated MACHINE GUID. It is generated when the agent
first starts and it is saved to disk, so that it will persist across
restarts and reboots. Anyone who has access to a Netdata Agent has
access to its MACHINE_GUID. Streaming is a feature that allows a
Netdata Agent to act as parent for other Netdata Agents (children),
offloading children from various functions (increased data retention,
ML, health monitoring, etc) that can now be handled by the parent
Agent. Configuration is done via `stream.conf`. On the parent side,
users configure in `stream.conf` an API key (any random UUID can do)
to provide common configuration for all children using this API key
and per MACHINE GUID configuration to customize the configuration for
each child. The way this was implemented, allowed an attacker to use a
valid MACHINE_GUID as an API key. This affects all users who expose
their Netdata Agents (children) to non-trusted users and they also
expose to the same users Netdata Agent parents that aggregate data
from all these children. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, do not enable streaming by default. If you have previously
enabled this, it can be disabled. Limiting access to the port on the
recipient Agent to trusted child connections may mitigate the impact
of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22497
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add comment before _AUTORECONF with patch name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9cfcd906cf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Backport upstream patch, that was released in GLib 2.84.4 [1],
such that we can apply it onto GLib 2.82 in Buildroot LTS
This fixes the following vulnerability:
- CVE-2025-7039:
A flaw was found in glib. An integer overflow during temporary file
creation leads to an out-of-bounds memory access, allowing an attacker
to potentially perform path traversal or access private temporary file
content by creating symbolic links. This vulnerability allows a local
attacker to manipulate file paths and access unauthorized data. The
core issue stems from insufficient validation of file path lengths
during temporary file operations.
https://www.cve.org/CVERecord?id=CVE-2025-7039
[1] https://gitlab.gnome.org/GNOME/glib/-/releases/2.84.4
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
(cherry picked from commit 3252f45279)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510
Also update the download site to https
This fixes the following vulnerability:
- CVE-2024-23807:
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
contains a use-after-free error triggered during the scanning of
external DTDs. Users are recommended to upgrade to version 3.2.5
which fixes the issue, or mitigate the issue by disabling DTD
processing. This can be accomplished via the DOM using a standard
parser feature, or via SAX using the XERCES_DISABLE_DTD environment
variable. This issue has been disclosed before as CVE-2018-1311, but
unfortunately that advisory incorrectly stated the issue would be
fixed in version 3.2.3 or 3.2.4.
https://www.cve.org/CVERecord?id=CVE-2024-23807
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 246f2eca20)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building in parallel with per-package directories
(BR2_PER_PACKAGE_DIRECTORIES=y), brmake output is often garbled:
2025-10-08T18:39:10 >>> host-dtc 1.7.2 Building
2025-10-08T18:39:11 checking for stdint.h... >>> host-dtc 1.7.2 Installing to host directory
2025-10-08T18:39:12 checking for limits.h... >>> host-gmp 6.3.0 Installing to host directory
Remove the spurious string between the timestamp and the ">>>" marker to
fix this.
We need some extra care to preserve the preceding "term bold" special
characters sequence.
We also prevent grep and sed to buffer their output too much. This leads to
more frequent output even when we might not be connected to a terminal; for
example: when brmake's output is piped to another program or when running
in CI.
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c9dca7f4c3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the many release notes: https://github.com/libvips/libvips/releases
Along that version bump:
- Change source code archive compression from .gz to .xz as this the
new upstream delivery format
- Switch from autotools to meson build system (see upstream commit
538aa2a841)
- Update the LICENSE file (see upstream commit
057703938e)
This fixes the following vulnerabilities:
- CVE-2025-29769:
libvips is a demand-driven, horizontally threaded image processing
library. The heifsave operation could incorrectly determine the
presence of an alpha channel in an input when it was not possible to
determine the colour interpretation, known internally within libvips
as "multiband". There aren't many ways to create a "multiband" input,
but it is possible with a well-crafted TIFF image. If a "multiband"
TIFF input image had 4 channels and HEIF-based output was requested,
this led to libvips creating a 3 channel HEIF image without an alpha
channel but then attempting to write 4 channels of data. This caused a
heap buffer overflow, which could crash the process. This
vulnerability is fixed in 8.16.1.
https://www.cve.org/CVERecord?id=CVE-2025-29769
- CVE-2025-59933:
libvips is a demand-driven, horizontally threaded image processing
library. For versions 8.17.1 and below, when libvips is compiled with
support for PDF input via poppler, the pdfload operation is affected
by a buffer read overflow when parsing the header of a crafted PDF
with a page that defines a width but not a height. Those using libvips
compiled without support for PDF input are unaffected as well as
thosewith support for PDF input via PDFium. This issue is fixed in
version 8.17.2. A workaround for those affected is to block the
VipsForeignLoadPdf operation via vips_operation_block_set, which is
available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED
environment variable at runtime, which will block all untrusted
loaders including PDF input via poppler.
https://www.cve.org/CVERecord?id=CVE-2025-59933
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: update _LICENSE_FILES to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 72c7d99e22)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch bumps the Linux kernel to version 6.1.155. The size of
xipImage has increased by only 1126 bytes (1673444 bytes compared to
1672318 in version 6.1.143).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 675bb8337d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch bumps the Linux kernel to version 6.1.143. The size of xipImage
has increased by only 514 bytes (1672318 bytes compared to 1671804 in
version 6.1.133).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0c9a4b7995)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When mjpg-streamer is built with gcc >= 14 using libjpeg (rather than
jpeg-turbo), and with SDL is enabled (to enable the output_viewer),
the compilation can fail with error:
output_viewer.c:125:32: error: assignment to ‘boolean (*)(struct jpeg_decompress_struct *)’ from incompatible pointer type ‘int (*)(struct jpeg_decompress_struct *)’ [-Wincompatible-pointer-types]
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBJPEG=y
BR2_PACKAGE_MJPG_STREAMER=y
BR2_PACKAGE_SDL=y
EOF
make olddefconfig
make mjpg-streamer
This commit adds a patch to fix this issue.
Fixes:
https://autobuild.buildroot.net/results/3a5/3a5674e4e7bb3f2894575191af24598e2a696912/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit af4eef1e0f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit 553c55e9bd added the
qt6multimedia package including an option to build examples which
contains a dependency to qt6svg without selecting the package in
Config.in.
Fixes:
https://autobuild.buildroot.org/results/c94670cf255a1a6975e99d7b22a159f7fdc6f850/
Makefile:578: *** qt6svg is in the dependency chain of qt6multimedia
that has added it to its _DEPENDENCIES variable without selecting it
or depending on it from Config.in. Stop.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f37c48faf6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add an upstream patch to fix a build issue related to uint64_t:
utils.c: In function ‘get_uint64’:
utils.c:118:18: error: passing argument 1 of ‘str_toul’ from incompatible pointer type [-Wincompatible-pointer-types]
118 | str_toul(&defval, p, NULL, 16);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from utils.c:48:
utils.h:412:29: note: expected ‘long unsigned int *’ but argument is of type ‘uint64_t *’ {aka ‘long long unsigned int *’}
Fixes:
https://autobuild.buildroot.org/results/51af1d7bf71061f22d49213951a5f6a9565710c3/
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c8923662cc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the changelog:
https://docs.python.org/release/3.12.12/whatsnew/changelog.html#python-3-12-12
And the announcement:
https://www.python.org/downloads/release/python-31212/
This provides the following security fixes:
- gh-139312: Upgraded bundled libexpat to 2.7.3 to fix CVE-2025-59375
- gh-139700: Check consistency of the zip64 end of central directory record.
Support records with “zip64 extensible data” if there are no bytes
prepended to the ZIP file.
- gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only
garbage-collected once they are no longer referenced by subparsers created
by ExternalEntityParserCreate(). Patch by Sebastian Pipping.
- gh-135661: Fix parsing start and end tags in html.parser.HTMLParser
according to the HTML5 standard.
- gh-135661: Fix CDATA section parsing in html.parser.HTMLParser according to
the HTML5 standard: ] ]> and ]] > no longer end the CDATA section. Add
private method _set_support_cdata() which can be used to specify how to
parse <[CDATA[ — as a CDATA section in foreign content (SVG or MathML) or as
a bogus comment in the HTML namespace.
- gh-102555: Fix comment parsing in html.parser.HTMLParser according to the
HTML5 standard. --!> now ends the comment. -- > no longer ends the comment.
Support abnormally ended empty comments <--> and <--->.
- gh-135462: Fix quadratic complexity in processing specially crafted input
in html.parser.HTMLParser. End-of-file errors are now handled according
to the HTML5 specs – comments and declarations are automatically closed,
tags are ignored.
- gh-118350: Fix support of escapable raw text mode (elements “textarea” and
“title”) in html.parser.HTMLParser.
- gh-86155: html.parser.HTMLParser.close() no longer loses data when the
<script> tag is not closed. Patch by Waylan Limberg.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
(cherry picked from commit d16c812b7e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes:
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.11
- https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.12
This fixes the following vulnerabilities:
- CVE-2025-52891:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before
2.9.11, an empty XML tag can cause a segmentation fault. If
SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is
application/xml, and at least one XML tag is empty (eg <foo></foo>),
then a segmentation fault occurs. This issue has been patched in
version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to
Off.
https://www.cve.org/CVERecord?id=CVE-2025-52891
- CVE-2025-54571:
ModSecurity is an open source, cross platform web application firewall
(WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below,
an attacker can override the HTTP response’s Content-Type, which could
lead to several issues depending on the HTTP scenario. For example, we
have demonstrated the potential for XSS and arbitrary script source
code disclosure in the latest version of mod_security2. This issue is
fixed in version 2.9.12.
https://www.cve.org/CVERecord?id=CVE-2025-54571
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 684462bbe8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes:
https://github.com/redis/redis/blob/7.2.11/00-RELEASENOTES
This fixes the following vulnerabilities (in the Lua scripting engine):
- CVE-2025-46817:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to cause an integer overflow and
potentially lead to remote code execution The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2.
https://www.cve.org/CVERecord?id=CVE-2025-46817
- CVE-2025-46818:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate different LUA objects and
potentially run their own code in the context of another user. The
problem exists in all versions of Redis with LUA scripting. This issue
is fixed in version 8.2.2. A workaround to mitigate the problem
without patching the redis-server executable is to prevent users from
executing LUA scripts. This can be done using ACL to block a script by
restricting both the EVAL and FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46818
- CVE-2025-46819:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted LUA script to read out-of-bound data or crash the
server and subsequent denial of service. The problem exists in all
versions of Redis with Lua scripting. This issue is fixed in version
8.2.2. To workaround this issue without patching the redis-server
executable is to prevent users from executing Lua scripts. This can be
done using ACL to block a script by restricting both the EVAL and
FUNCTION command families.
https://www.cve.org/CVERecord?id=CVE-2025-46819
- CVE-2025-49844:
Redis is an open source, in-memory database that persists on disk.
Versions 8.2.1 and below allow an authenticated user to use a
specially crafted Lua script to manipulate the garbage collector,
trigger a use-after-free and potentially lead to remote code
execution. The problem exists in all versions of Redis with Lua
scripting. This issue is fixed in version 8.2.2. To workaround this
issue without patching the redis-server executable is to prevent users
from executing Lua scripts. This can be done using ACL to restrict
EVAL and EVALSHA commands.
https://www.cve.org/CVERecord?id=CVE-2025-49844
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Since its inception in 9646e80fca (micropython: new package), the
ppc-specific CFLAGS are simply assigned, and since 9fd9f4e675
(package/micropython: define MICROPY_NLR_SETJMP for xtensa), the same
goes for the xtensa CFLAGS.
Although they are mutually exclusive (different archs) and that there is
no prior assignment, the customs are to use append assignment in
conditional blocks, to avoid accidentally overwriting a valure set
previously.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit be4fb117bc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Before commit 50bc5aa17b (package/micropython: fix segfault at exit()
with gcc >= 14), only architecture-specific CFLAGS were passed, and only
one per arch. But 50bc5aa17b introduced a non-arch CFLAGS, for gcc
versions, so when the build happens for an architecture for which there
is a CFLAGS, and when gcc is 14 or newer, there are two CFLAGS added,
causing build failures:
[...] /usr/bin/make [...] CFLAGS_EXTRA=-DMICROPY_GCREGS_SETJMP=1 -DMICROPY_NLR_SETJMP=1 [...]
/usr/bin/make: invalid option -- 'D'
/usr/bin/make: invalid option -- 'M'
Usage: make [options] [target] ...
The fix is simple enough: just quote the CFLAGS.
Fixes: https://autobuild.buildroot.org/results/b18/b18d6fa9938c1267a771fdbcd8b4c3df812cd6b9/
Fixes: 50bc5aa17b
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Chris Packham <judge.packham@gmail.com>
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ab906018c9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The previous URL [1] currently redirects to [2], which as of this
commit is about two months old and contains a readme that just says
"PoC by Callgh0st". When the package was added with commit [3]
the help text URL matched REFPOLICY_SITE, so presumably the help was
forgotten when the site URL was updated in [4], and there has been
some kind of hostile takeover of the former upstream repository since.
[1] https://github.com/TresysTechnology/refpolicy
[2] https://github.com/Exact-Realty/refpolicy
[3] bb442abdf1
[4] cfa018d9f3
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: add commit ID which forgot to update the package homepage]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b9d3a0418b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
$(PREFIX)/lib/python$(PYTHON3_VERSION_MAJOR) is for the standard
library, additional modules like this should go to site-packages.
This patch changes only the host package because Python bindings are
disabled for the target package.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8d79f712ce)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
/usr/lib/python$(PYTHON3_VERSION_MAJOR) is for the standard library,
additional modules like this should go to site-packages.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 43b8f57afd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Drop upstream patch.
Main change in this release is cmake 4 build fix.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7176f6b287)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In 2016 buildroot commit b4c050e9af added
-std=gnu++98 also to CFLAGS knowing that it will cause warnings:
https://lists.nongnu.org/archive/html/gpsd-dev/2016-09/msg00082.html
'Although this leads to lots of warnings on every compilation with gcc:
"cc1: warning: command line option '-std=gnu++98' is valid for C++/ObjC++ but not for C"'
These warnings are still present but cause a misdetection in configure
Checking if strerror_r() returns int... no
because here warnings are treated as errors, quoting config.log:
cc1: error: command-line option ‘-std=gnu++98’ is valid for C++/ObjC++ but not for C [-Werror]
cc1: all warnings being treated as errors
In 2017 upstream committed
d287c76f4f
which added "std::" namespace prefixes and fixed the original problem.
-std=gnu++98 being removed from CFLAGS lets configure correctly detect
strerror_r():
Checking if strerror_r() returns int... yes
and no new build errors occur:
arm-aarch64 [ 1/35]: OK
bootlin-aarch64-glibc [ 2/35]: OK
bootlin-arcle-hs38-uclibc [ 3/35]: OK
bootlin-armv5-uclibc [ 4/35]: OK
bootlin-armv7-glibc [ 5/35]: OK
bootlin-armv7m-uclibc [ 6/35]: SKIPPED
bootlin-armv7-musl [ 7/35]: OK
bootlin-m68k-5208-uclibc [ 8/35]: SKIPPED
bootlin-m68k-68040-uclibc [ 9/35]: OK
bootlin-microblazeel-uclibc [10/35]: OK
bootlin-mipsel32r6-glibc [11/35]: OK
bootlin-mipsel-uclibc [12/35]: OK
bootlin-openrisc-uclibc [13/35]: OK
bootlin-powerpc64le-power8-glibc [14/35]: OK
bootlin-powerpc-e500mc-uclibc [15/35]: OK
bootlin-riscv32-glibc [16/35]: OK
bootlin-riscv64-glibc [17/35]: OK
bootlin-riscv64-musl [18/35]: OK
bootlin-s390x-z13-glibc [19/35]: OK
bootlin-sh4-uclibc [20/35]: OK
bootlin-sparc64-glibc [21/35]: OK
bootlin-sparc-uclibc [22/35]: OK
bootlin-x86-64-glibc [23/35]: OK
bootlin-x86-64-musl [24/35]: OK
bootlin-x86-64-uclibc [25/35]: OK
bootlin-x86-i686-musl [26/35]: OK
bootlin-xtensa-uclibc [27/35]: OK
br-arm-basic [28/35]: SKIPPED
br-arm-full-nothread [29/35]: SKIPPED
br-arm-full-static [30/35]: SKIPPED
br-i386-pentium4-full [31/35]: FAILED
br-mips64-n64-full [32/35]: OK
br-mips64r6-el-hf-glibc [33/35]: OK
br-powerpc-603e-basic-cpp [34/35]: SKIPPED
br-powerpc64-power7-glibc [35/35]: OK
35 builds, 6 skipped, 1 build failed, 0 legal-info failed, 0 show-info failed
The br-i386-pentium4-full error is not caused by gpsd:
package/python3/python3.mk:324: *** Python3 doesn't work with uClibc and
kernel headers < 5.1. Please use a different toolchain or unselect
Python3..
Fixes:
https://autobuild.buildroot.org/results/52d747d33d714ea10b9e7ee10adeadd9e4512c2d/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Tested-by: Yann E. MORIN <yann.morin@orange.com>
Reviewed-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit f0023ca18d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following vulnerability:
- CVE-2018-13410
Info-ZIP Zip 3.0, when the -T and -TT command-line options are used,
allows attackers to cause a denial of service (invalid free and
application crash) or possibly have unspecified other impact because
of an off-by-one error. NOTE: it is unclear whether there are
realistic scenarios in which an untrusted party controls the -TT
value, given that the entire purpose of -TT is execution of
arbitrary commands
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2018-13410
This patch also includes the patch 0009 which address a buffer overflow
when passing unicode characters that doesn't have a CVE assigned.
Tested with `./support/testing/run-tests -d dl -o output_folder -k tests.package.test_zip`
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7cb0419b92)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This is a bugfix release, the commit log mentions multiple fixed
memory leaks.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e7e8bdd812)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
/etc/audit/audit.rules is the path used by augenrules,
/etc/audit/rules.d/ should be used for snippets to be combined into
that file using augenrules.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit baa05d88cf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
"mkdir -Z" tries to create the directory with the default type context
and does not accept any parameter, leading to mkdir creating a
directory by the name of "system_u:object_r:auditd_log_t" (or failing
to, with a read-only rootfs). Use "--context=" instead to specify the
context.
Letting start-stop-daemon create the auditd PID file leads to an
incorrect label, with type "initrc_runtime_t" instead of
"auditd_runtime_t", which would prevent auditd from writing or
deleting it. Auditd manages its own PID file and daemonizes by
default, so simply drop the --background and --make-pidfile options
from start-stop-daemon.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3fdce24647)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
BOARD_DIR is not used, so drop it and quote $BINARIES_DIR to make shellcheck
happy.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5f620e144d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes on
https://github.com/erlang/otp/releases?q=OTP-26.&expanded=true
Also, remove patch that is now applied upstream
This fixes the following vulnerabilities:
- CVE-2024-53846:
OTP is a set of Erlang libraries, which consists of the Erlang runtime
system, a number of ready-to-use components mainly written in Erlang,
and a set of design principles for Erlang programs. A regression was
introduced into the ssl application of OTP starting at OTP-25.3.2.8,
OTP-26.2, and OTP-27.0, resulting in a server or client verifying the
peer when incorrect extended key usage is presented (i.e., a server
will verify a client if they have server auth ext key usage and vice
versa).
https://www.cve.org/CVERecord?id=CVE-2024-53846
- CVE-2025-4748:
Improper Limitation of a Pathname to a Restricted Directory ('Path
Traversal') vulnerability in Erlang OTP (stdlib modules) allows
Absolute Path Traversal, File Manipulation. This vulnerability is
associated with program files lib/stdlib/src/zip.erl and program
routines zip:unzip/1, zip:unzip/2, zip:extract/1, zip:extract/2 unless
the memory option is passed. This issue affects OTP from OTP 17.0
until OTP 28.0.1, OTP 27.3.4.1 and OTP 26.2.5.13, corresponding to
stdlib from 2.0 until 7.0.1, 6.2.2.1 and 5.2.3.4.
https://www.cve.org/CVERecord?id=CVE-2025-4748
- CVE-2025-26618:
Erlang is a programming language and runtime system for building
massively scalable soft real-time systems with requirements on high
availability. OTP is a set of Erlang libraries, which consists of the
Erlang runtime system, a number of ready-to-use components mainly
written in Erlang. Packet size is not verified properly for SFTP
packets. As a result when multiple SSH packets (conforming to max SSH
packet size) are received by ssh, they might be combined into an SFTP
packet which will exceed the max allowed packet size and potentially
cause large amount of memory to be allocated. Note that situation
described above can only happen for successfully authenticated users
after completing the SSH handshake. This issue has been patched in OTP
versions 27.2.4, 26.2.5.9, and 25.3.2.18. There are no known
workarounds for this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2025-26618
- CVE-2025-30211:
Erlang/OTP is a set of libraries for the Erlang programming language.
Prior to versions OTP-27.3.1, 26.2.5.10, and 25.3.2.19, a maliciously
formed KEX init message can result with high memory usage.
Implementation does not verify RFC specified limits on algorithm names
(64 characters) provided in KEX init message. Big KEX init packet may
lead to inefficient processing of the error data. As a result, large
amount of memory will be allocated for processing malicious data.
Versions OTP-27.3.1, OTP-26.2.5.10, and OTP-25.3.2.19 fix the issue.
Some workarounds are available. One may set option `parallel_login` to
`false` and/or reduce the `max_sessions` option.
https://www.cve.org/CVERecord?id=CVE-2025-30211
- CVE-2025-32433:
Erlang/OTP is a set of libraries for the Erlang programming language.
Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH
server may allow an attacker to perform unauthenticated remote code
execution (RCE). By exploiting a flaw in SSH protocol message
handling, a malicious actor could gain unauthorized access to affected
systems and execute arbitrary commands without valid credentials. This
issue is patched in versions OTP-27.3.3, OTP-26.2.5.11, and
OTP-25.3.2.20. A temporary workaround involves disabling the SSH
server or to prevent access via firewall rules.
https://www.cve.org/CVERecord?id=CVE-2025-32433
- CVE-2025-46712:
Erlang/OTP is a set of libraries for the Erlang programming language.
In versions prior to OTP-27.3.4 (for OTP-27), OTP-26.2.5.12 (for
OTP-26), and OTP-25.3.2.21 (for OTP-25), Erlang/OTP SSH fails to
enforce strict KEX handshake hardening measures by allowing optional
messages to be exchanged. This allows a Man-in-the-Middle attacker to
inject these messages in a connection during the handshake. This issue
has been patched in versions OTP-27.3.4 (for OTP-27), OTP-26.2.5.12
(for OTP-26), and OTP-25.3.2.21 (for OTP-25).
https://www.cve.org/CVERecord?id=CVE-2025-46712
- CVE-2025-48038:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure. This vulnerability is associated with program
files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0
until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48038
- CVE-2025-48039:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Resource Leak Exposure. This vulnerability is associated with program
files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0
until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from
3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48039
- CVE-2025-48040:
Uncontrolled Resource Consumption vulnerability in Erlang OTP ssh
(ssh_sftp modules) allows Excessive Allocation, Flooding. This
vulnerability is associated with program files
lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until
OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48040
- CVE-2025-48041:
Allocation of Resources Without Limits or Throttling vulnerability in
Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation,
Flooding. This vulnerability is associated with program files
lib/ssh/src/ssh_sftpd.erl. This issue affects OTP form OTP 17.0 until
OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1
until 5.3.3, 5.2.11.3 and 5.1.4.12.
https://www.cve.org/CVERecord?id=CVE-2025-48041
NB: Since Erlang is quite a "large" package, containing the language itself,
some libraries, and some "applications", it's difficult to tell which CVEs
are exactly affecting Buildroot, but it's a good idea to update anyway
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 88f7fed5f2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When commit bbdcb75d7f ("package/python-pyopenssl: bump to version
25.0.0") has been added, it has silently introduced a new dependency on
typing_extensions that has not been ported in the corresponding
Config.in, resulting in failures at runtime when trying to import the
module:
ModuleNotFoundError: No module named 'typing_extensions'
The upstream project has indeed introduced the following deprecation
handling snippet with commit 1b2b0ed21986 ("Use type-level deprecations
(#1389)"):
if sys.version_info >= (3, 13):
from warnings import deprecated
elif sys.version_info < (3, 8):
_T = typing.TypeVar("T")
def deprecated(msg: str, **kwargs: object) -> Callable[[_T], _T]:
return lambda f: f
else:
from typing_extensions import deprecated
This then breaks systems with pyopenssl >= 25.0.0, python < 3.13, python
>= 3.8, and without typing_extensions.
Fix the missing dependency by adding it explicitely in pyopenssl
Config.in
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
And adjust the dtb path to the new subdir after commit 724ba6751532 ("ARM:
dts: Move .dts files to vendor sub-directories") in v6.5.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e993272b32)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
With the change to default to gcc 14.x with commit 1e1fafa1f0
("package/gcc: switch to GCC 14.x as the default"), the old u-boot version
no longer builds:
board/ti/am57xx/board.c:948:17: error: implicit declaration of function 'do_cape_detect'; did you mean 'do_board_detect'? [-Wimplicit-function-declaration]
https://gitlab.com/buildroot.org/buildroot/-/jobs/11570241744
So move to u-boot 2025.04 to fix that. We still need a small patch as
(early) beagleboneai boards do not have the EEPROM (or eMMC partition)
populated, so include the bb.org patch from
0b161f8e89
The new u-boot version needs both openssl and gnutls on the host, so enable
them.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: remove patch entry in .checkpackageignore to
fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7ec419fb9c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The roseapplepi defconfig fails to build u-boot since the move to GCC 15.x:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11501385206
The issues are mainly related to missing includes, but given that the build
has been broken for a while, there is no mainline u-boot support for the
platform and the minimal kernel support has not seen any updates since it
was added for v5.15, just drop the defconfig.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 56091a5818)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2025-59681:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(),
QuerySet.aggregate(), and QuerySet.extra() are subject to SQL
injection in column aliases, when using a suitably crafted dictionary,
with dictionary expansion, as the **kwargs passed to these methods (on
MySQL and MariaDB).
https://www.cve.org/CVERecord?id=CVE-2025-59681
- CVE-2025-59682:
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before
5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract()
function, used by the "startapp --template" and "startproject
--template" commands, allows partial directory traversal via an
archive with file paths sharing a common prefix with the target
directory.
https://www.cve.org/CVERecord?id=CVE-2025-59682
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
(cherry picked from commit 7bbc66a39e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The board/versal/post-image.sh script has an unnecessary mkdir command:
mkdir -p "${BINARIES_DIR}"
This directory is created before calling the post image scripts,
in [1].
Just above the command, the script is making a symlink for the Linux DTB in
the ${BINARIES_DIR}, so if the ${BINARIES_DIR} did not already exist with
images inside, the script would fail regardless of whether this mkdir is
executed or not.
For this reason, remove the mkdir call from the script because it is not
necessary.
[1] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.08/Makefile#L829
Signed-off-by: Neal Frager <neal.frager@amd.com>
[Julien: add a link showing where the directory is created]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 018cf24c80)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2024-57822:
In Raptor RDF Syntax Library through 2.0.16, there is a heap-based
buffer over-read when parsing triples with the nquads parser in
raptor_ntriples_parse_term_internal().
https://www.cve.org/CVERecord?id=CVE-2024-57822
- CVE-2024-57823:
In Raptor RDF Syntax Library through 2.0.16, there is an integer
underflow when normalizing a URI with the turtle parser in
raptor_uri_normalize_path().
https://www.cve.org/CVERecord?id=CVE-2024-57823
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e94cd21e7b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://ghostscript.readthedocs.io/en/gs10.06.0/News.html
This fixes the following vulnerabilities:
- CVE-2025-59798:
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow
in pdf_write_cmap in devices/vector/gdevpdtw.c.
https://www.cve.org/CVERecord?id=CVE-2025-59798
- CVE-2025-59799:
Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow
in pdfmark_coerce_dest in devices/vector/gdevpdfm.c via a large size
value.
https://www.cve.org/CVERecord?id=CVE-2025-59799
- CVE-2025-59800:
In Artifex Ghostscript through 10.05.1, ocr_begin_page in
devices/gdevpdfocr.c has an integer overflow that leads to a heap-
based buffer overflow in ocr_line8.
https://www.cve.org/CVERecord?id=CVE-2025-59800
- CVE-2025-59801:
In Artifex GhostXPS before 10.06.0, there is a stack-based buffer
overflow in xps_unpredict_tiff in xpstiff.c because the
samplesperpixel value is not checked.
https://www.cve.org/CVERecord?id=CVE-2025-59801
Also remove patch that is now applied upstream, and add new patch from
upstream to fix a compilation issue on 32bits platforms
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien:
- add link to release note in commit log
- fix URL in hash file comment
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6f984089c0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-8869:
When extracting a tar archive pip may not check symbolic links point
into the extraction directory if the tarfile module doesn't implement
PEP 706. Note that upgrading pip to a "fixed" version for this
vulnerability doesn't fix all known vulnerabilities that are
remediated by using a Python version that implements PEP 706. Note
that this is a vulnerability in pip's fallback implementation of tar
extraction for Python versions that don't implement PEP 706 and
therefore are not secure to all vulnerabilities in the Python
'tarfile' module. If you're using a Python version that implements PEP
706 then pip doesn't use the "vulnerable" fallback code. Mitigations
include upgrading to a version of pip that includes the fix, upgrading
to a Python version that implements PEP 706 (Python >=3.9.17,
>=3.10.12, >=3.11.4, or >=3.12), applying the linked patch, or
inspecting source distributions (sdists) before installation as is
already a best-practice.
https://www.cve.org/CVERecord?id=CVE-2025-8869
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 78d687d2d2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Note:
The first file matching the pattern "iwlwifi-ty-a0-gf-a0*" was
introduced in commit [1], first included in version 20201022.
[1] 4f41e9d643
Signed-off-by: Alex McLain <alex@alexmclain.com>
[Julien: add the note in commit log when the first
firmware was introduced
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4a51495d69)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The web link www.zedboard.org is no longer valid as it routes to a generic
avnet.com boards link. Fix this issue by providing direct links to the Avnet
ZedBoard and Tria MicroZed boards.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4e7f03314d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
As the xilinx.com website will soon be going away, migrate all xilinx board
web links from xilinx.com to amd.com.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 74dcda2544)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since upstream commit [1] ("Deprecate the slaveOnly option in favor
of clientOnly."), included in v4.0, ptp4l complains about the
"slaveOnly" option being deprecated on startup.
Update the default config to silence this warning.
[1] fe01cc7c96
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f70b83914f)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
This defconfig no longer builds:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11161167596
It is still based on the 4.8.6 kernel, which is not even an LTS
kernel, so we cannot easily update to fix the issues which are most
likely due to the newer gcc/binutils versions we're using now.
There is no DEVELOPERS entry attached to this configuration as well,
and this defconfig has been broken for at least 2 months, probably
more (our Gitlab CI history is only kept for ~2 months). So let's drop
it, unles someone volunteers to resurrect it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0590ef1a81)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
For more details on the version bump, see:
- https://gitlab.com/libtiff/libtiff/-/releases/v4.7.1
This bump includes the security fix for CVE-2025-8176, CVE-2025-8177
that were addressed in commit [1][2].
Also fixes the following vulnerabilities:
- CVE-2024-13978
A vulnerability was found in LibTIFF up to 4.7.0. It has been
declared as problematic. Affected by this vulnerability is the
function t2p_read_tiff_init of the file tools/tiff2pdf.c of the
component fax2ps. The manipulation leads to null pointer
dereference. The attack needs to be approached locally. The
complexity of an attack is rather high. The exploitation appears to
be difficult. The patch is named
2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply
a patch to fix this issue.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2024-13978
- 2ebfffb0e8
- CVE-2025-8961
A weakness has been identified in LibTIFF 4.7.0. This affects the
function main of the file tiffcrop.c of the component tiffcrop.
Executing manipulation can lead to memory corruption. The attack can
only be executed locally. The exploit has been made available to the
public and could be exploited.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-8961
- 0ac97aa7a5
- CVE-2025-9165
A flaw has been found in LibTIFF 4.7.0. This affects the function
_TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the
file tools/tiffcmp.c of the component tiffcmp. Executing
manipulation can lead to memory leak. The attack is restricted to
local execution. The exploit has been published and may be used.
This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is
best practice to apply a patch to resolve this issue.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-9165
- ed141286a3
This commit also updates the LICENSE.md hash file, which was updated
upstream to include a historical license. See:
a0b623c780
[1] b3974df966 package/tiff: add patches to fix CVE-2025-8176
[2] 3db725d71d package/tiff: add patch to fix CVE-2025-8177
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: fix license hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9e67ae519f)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The CVE-2025-8851 [1] has been fixed in upstream commit [2] that is part
of the v4.7.0 release.
Because the NVD reference includes the version '<2024-08-11' most of CVE
checker will fail to compare it against 4.7.0 and report it as a
positive.
[1] https://nvd.nist.gov//vuln/detail/CVE-2025-8851
[2] 8a7a48d7a6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 740412aefc)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
AMD / Xilinx has made the decision to change the name of plm.elf to plmfw.elf
in the prebuilt binaries repo starting with the next update.
This patch updates the xilinx-prebuilt package to support either the old
plm.elf filename or the new plmfw.elf filename.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6f435187c6)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Add an architecture cpu dependency to each family to make sure that users can
only install prebuilt firmware which is applicable to their target device
family.
The versal family is based on BR2_cortex_a72.
The kria and zynqmp families are based on BR2_cortex_a53.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 92f76f6c35)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Add an architecture cpu dependency to each application to make sure that users
can only build applications which are applicable to their target device
family.
The versal_plm and versal_psmfw applications are specific to versal devices
which are based on BR2_cortex_a72.
The zynqmp_pmufw application is specific to zynqmp devices which are based on
BR2_cortex_a53.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9e25bcfdab)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Patches submitted to update these packages have gone ignored for
months without comment, and I no longer wish to recieve daily
emails about them being out of date.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 20f99312c9)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
This removes a warning reported by shellcheck: "Double quote to prevent
globbing and word splitting". As a result, the file can be removed from
.checkpackageignore.
Signed-off-by: Scott Fan <fancp2007@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e7937c52b6)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The elfutils package provides libdw, which is required by sysprof.
It is not an optional dependency.
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 194a6e0391)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
This fixes building sysprof when elfutils is also selected (which is
a common setup). The debuginfod client support relies in elfutils
being built with the libdebuginfod option enabled; but Buildroot
unconditionally disables it in the elfutils package. See commit [1].
[1] 52c5c6050c
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Julien: add link to commit disabling debuginfod]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8d01dfebd3)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Some links are still pointing to git.buildroot.org, which is the old URL
for the official Buildroot git repository. The repository is now hosted
at gitlab.com. Update those old links accordingly.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3ae80441ed)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
See the release notes:
- https://github.com/OpenPrinting/cups/releases/tag/v2.4.13
- https://github.com/OpenPrinting/cups/releases/tag/v2.4.14
This fixes the following vulnerabilities:
- CVE-2025-58060:
OpenPrinting CUPS is an open source printing system for Linux and
other Unix-like operating systems. In versions 2.4.12 and earlier,
when the `AuthType` is set to anything but `Basic`, if the request
contains an `Authorization: Basic ...` header, the password is not
checked. This results in authentication bypass. Any configuration that
allows an `AuthType` that is not `Basic` is affected. Version 2.4.13
fixes the issue.
https://www.cve.org/CVERecord?id=CVE-2025-58060
- CVE-2025-58364:
OpenPrinting CUPS is an open source printing system for Linux and
other Unix-like operating systems. In versions 2.4.12 and earlier, an
unsafe deserialization and validation of printer attributes causes
null dereference in the libcups library. This is a remote DoS
vulnerability available in local subnet in default configurations. It
can cause the cups & cups-browsed to crash, on all the machines in
local network who are listening for printers (so by default for all
regular linux machines). On systems where the vulnerability
CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was
not fixed, and the firewall on the machine does not reject incoming
communication to IPP port, and the machine is set to be available to
public internet, attack vector "Network" is possible. The current
versions of CUPS and cups-browsed projects have the attack vector
"Adjacent" in their default configurations. Version 2.4.13 contains a
patch for CVE-2025-58364.
https://www.cve.org/CVERecord?id=CVE-2025-58364
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 89fd61a127)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
When searching for the official git repository in the documentation,
readers are forwarded to the buildroot website Download page with a link
pointing to buildroot.org/download, which returns a 404.
Fix the dead link by adding the missing .html suffix.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8845586fc6)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The CMake build system has logic to detect the git repo info and include it
in the version output. This unfortunately gets confused and adds the git
info of the Buildroot repository when building inside the repo:
-- Found Git version: refs/heads/rtl_433-25.02 commit a367362af0 from 2025-09-21T20:07:58+0200
-- Using Git version tag: 2025.08-283-ga367362af0 on rtl_433-25.02 at 202509212007
rtl_433 -V
rtl_433 version 2025.08-283-ga367362af0 branch rtl_433-25.02 at 202509212007 inputs file rtl_tcp RTL-SDR
Pass GIT_DIR=. to the configure step similar to how it is already done for
the build step to disable this.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 817611686a)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Build fails with:
server.c: In function 'ServerDaemonize':
server.c:1590:13: error: implicit declaration of function 'fork'
[-Wimplicit-function-declaration]
1590 | switch (fork()) {
| ^~~~
Hence, add BR2_USE_MMU to avoid building with toolchains without MMU
support.
Fixes:
https://autobuild.buildroot.org/results/10464159f2a9ff41ea0921a45ce12ecd0fa50ae7/
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Julien: move BR2_USE_MMU up to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 059138326e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
TestGitHash and TestGitRefs are failing on Gitlab-CI since 2025-08-18
(first runtime-test failures report for master) [1] due a new Gitlab-CI
security settings that prevents the any use of localhost (127.0.0.1) on
the Gitlab-CI runner [2]:
"To prevent exploitation of insecure internal web services, all webhook
and integration requests to the following local network addresses are
not allowed:
Private network addresses, including 127.0.0.1, ::1, 0.0.0.0,
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and IPv6 site-local
(ffc0::/10) addresses."
Gitlab suggest using a second container as a Services [3] since each
containers have access to one another and can communicate when running
the job. But this is really not practical to run git daemon since the
service is started before the Buildroot git tree is fetched and git
daemon needs git-remote directory content.
See [4]:
"If you have your service that tries to write to CI_PROJECT_DIR
immediately after it's started - it will not work and fail with an
error like '/builds/nknapp/gitlab-ci-test/': No such file or directory
error. Because that directory is most probably not there yet, as the
job step that creates it is yet to be executed!"
Also, using Gitlab-CI services requires to handle GitTestBase setUp
differently on Gitlab-CI than local use of run-tests.
So Gitlab-CI services is not an option.
We could move support/testing/tests/download/git-remote to our Gitlab
group (https://gitlab.com/buildroot.org) but since it's only intended
for testing the git download backend, we don't really want to do that.
So the only remaining choice to clone the repository from the Buildroot
git tree (local machine).
To do so, we have to do the following changes:
- Replace all "git://localhost:$(GITREMOTE_PORT_NUMBER)" by
"$(GITREMOTE_DIR)". GITREMOTE_DIR will contain the absolute path to
tests/download/git-remote directory.
- Force to use git download backend using "SITE_METHOD = git" otherwise
the download infra will fall back using wget download backend.
- Cloning a git repository with submodules using the "file://" protocol
needs to be allowed from git config. It's disabled by default:
"fatal: transport 'file' not allowed"
Use a local gitconfig file generated by GitTestBase before starting
TestGitHash and TestGitRefs with:
[protocol "file"]
allow = always
This is considered safe since we are using a git repository from the
Buildroot git tree.
- Running TestGitHash and TestGitRefs on Gitlab-CI requires additional
git config settings to disable ownership check of the git tree [5].
Thanks to Arnout for advices about GIT_CONFIG_GLOBAL.
Runtime tested:
https://gitlab.com/kubu93/buildroot/-/jobs/11428504450 (TestGitHash)
https://gitlab.com/kubu93/buildroot/-/jobs/11428490035 (TestGitRefs)
[1] https://lore.kernel.org/buildroot/68a3ee65.500a0220.397724.30db@mx.google.com/
[2] https://docs.gitlab.com/security/webhooks/#allow-requests-to-the-local-network-from-webhooks-and-integrations
[3] https://docs.gitlab.com/ci/services/
[4] https://gitlab.com/gitlab-org/gitlab-runner/-/issues/25982#note_2139685797
[5] a016b693f7
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124174 (TestGitHash)
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124173 (TestGitRefs)
Cc: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a367362af0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
As reported on the mailing list [1] while investigating the
TestZfsUclibc Gitlab-CI failure, the python 3.13 interpreter itsef
segfault at runtime:
Fatal Python error: _PyThreadState_Attach: non-NULL old thread state
Python runtime state: preinitialized
Thread 0xSegmentation fault
This issue is related to the python 3.13 version bump [2] were several
internal changes were added [3] to support PEP 703 [4].
PEP 793 is about CPython’s global interpreter lock (“GIL”) removal
for multi-threads support that requires a working C11 "thread_local"
for thread-local storage [5].
The new uclibc-ng 1.0.55 release contains a fix for this issue [6].
This version is included in Buildroot commit [7].
Since the prebuilt Bootling aarch64 uclibc stable 2025.08-1 is based
on previous uClibc-ng release (1.0.54) we have to use the internal
toolchain backend to build a new uClibc-ng toolchain using uclibc-ng
1.0.55. Note: the toolchain config defined in this commit reflects
the options enabled in the Bootling aarch64 uclibc external
toolchains.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124859 (TestZfsUclibc)
[1] https://lore.kernel.org/buildroot/7a4d245d-1556-43c9-8997-6b1f791afbfe@gmail.com/ (TestZfsUclibc)
[2] d63e207eb8
[3] 6e97a9647a
[4] https://peps.python.org/pep-0703/
[5] https://gcc.gnu.org/onlinedocs/gcc-15.1.0/gcc/Thread-Local.html
[6] 94c1297d52
[7] 5250bba8e5
Cc: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Tested-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
[Julien:
- add link to buildroot commit updating uclibc-ng to 1.0.55
- add a note in the commit log about the toolchain config
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5208b7a1bd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Finally the aarch64 tls bug is fixed. (python 3.13 segfault)
Unfortunately it is not covered by any testcase of uClibc-ng-test.
Here is the git shortlog for the release:
Marius Melzer (1):
malloc-standard: Fix truncation problem in malloc
Waldemar Brodkorb (5):
Fix Sysvipc for ARM, AARCH64, RISCV64, KVX and m68k
remove uClibc specific gettext_printf
aarch64: do not force tls-model in CPU_CFLAGS, this isn't required
aarch64: respect r_addend for TLSDESC relocations
bump version for 1.0.55 release
yliu (5):
mips32: Preventing FORCE_FRAME_POINTER from being optimized away
mips32: Define __IPC_64 according to kernel version
time64: fixed msgctl/semctl/shmctl result errors for for MIPS32/RISCV32
time64: fix *ctl functions in mips32eb/mips64
time64: fix *ctl functions in mips32eb
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Tested-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5250bba8e5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-6375:
A vulnerability was found in poco up to 1.14.1. It has been rated as
problematic. Affected by this issue is the function MultipartInputStream
of the file Net/src/MultipartReader.cpp. The manipulation leads to null
pointer dereference. The attack needs to be approached locally. The
exploit has been disclosed to the public and may be used. Upgrading to
version 1.14.2 is able to address this issue. The patch is identified as
6f2f85913c191ab9ddfb8fae781f5d66afccf3bf. It is recommended to upgrade
the affected component.
For more information see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-6375
- 6f2f85913c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 36357247d5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
CVE-2025-8713: PostgreSQL optimizer statistics can expose sampled data
within a view, partition, or child table
PostgreSQL optimizer statistics allow a user to read sampled data within
a view that the user cannot access. Separately, statistics allow a user
to read sampled data that a row security policy intended to hide.
PostgreSQL maintains statistics for tables by sampling data available in
columns; this data is consulted during the query planning process. Prior
to this release, a user could craft a leaky operator that bypassed view
access control lists (ACLs) and bypassed row security policies in
partitioning or table inheritance hierarchies. Reachable statistics data
notably included histograms and most- common-values lists. CVE-2017-7484
and CVE-2019-10130 intended to close this class of vulnerability, but
this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19,
and 13.22 are affected.
CVE-2025-8714: PostgreSQL pg_dump lets superuser of origin server execute
arbitrary code in psql client
Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious
superuser of the origin server to inject arbitrary code for restore-time
execution as the client operating system account running psql to restore
the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore
is affected when used to generate a plain-format dump. This is similar to
MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14,
14.19, and 13.22 are affected.
CVE-2025-8715: PostgreSQL pg_dump newline in object name executes
arbitrary code in psql client and in restore target server
Improper neutralization of newlines in pg_dump in PostgreSQL allows a user
of the origin server to inject arbitrary code for restore-time execution
as the client operating system account running psql to restore the dump,
via psql meta-commands inside a purpose-crafted object name. The same
attacks can achieve SQL injection as a superuser of the restore target
server. pg_dumpall, pg_restore, and pg_upgrade are also affected.
Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.
Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class
of problem, but version 11.20 reintroduced it.
https://www.postgresql.org/about/news/postgresql-176-1610-1514-1419-1322-and-18-beta-3-released-3118/
Signed-off-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4f0a9596e3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
While doing a per-package build the package is failing to
compile with this error (gcc 13.x glibc toochain):
make[3]: Entering directory
'/home/wbx/buildroot-2025.02.3/output/build/xapp_xdm-1.1.14/xdm' CC
session.o session.c:146:11: fatal error: crypt.h: No such file or
directory 146 | # include <crypt.h> | ^~~~~~~~~
compilation terminated.
Fix this error by providing the needed glibc dependencies.
Fixes:
https://autobuild.buildroot.org/results/b75/b75ad8f1159613656dce482992c800545d60ae69/
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2d076a1b76)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-55763
Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest)
allows a remote attacker to achieve remote code execution via a crafted
HTTP request. This vulnerability is triggered during request processing
and may allow an attacker to corrupt heap memory, potentially leading to
denial of service or arbitrary code execution.
For more information, see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-55763
- 76e222bcb7
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 426d7635c7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Take two patches from the Debian jxrlib package, and integrate them to
fix the build of the bundled jxrlib library found in the libfreeimage
package.
libfreeimage isn't exactly well maintained: its last version 3.18.0 is
quite old (July 2018), there's a fairly large number of tickets in the
bug tracker claiming to be CVE
reports (https://sourceforge.net/p/freeimage/bugs/), it is still using
SVN as the version control system.
However, it is used as an optional dependency for CEGUI, and a
mandatory dependency for Ogre. However, it no longer seems to be a
dependency for more recent versions of Ogre. But in any case it cannot
simply be dropped.
Fixes:
https://autobuild.buildroot.net/results/452462285bf93b13f092fb41696952f415e75b2f/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 21ea33c764)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-8835:
A vulnerability was found in JasPer up to 4.2.5. Affected by this
vulnerability is the function jas_image_chclrspc of the file
src/libjasper/base/jas_image.c of the component Image Color Space
Conversion Handler. The manipulation leads to null pointer dereference.
It is possible to launch the attack on the local host. The exploit has
been disclosed to the public and may be used. The identifier of the
patch is bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52. It is recommended to
apply a patch to fix this issue.
For more information see:
- https://nvd.nist.gov//vuln/detail/CVE-2025-8835
- bb7d62bd0a
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6e81b51f68)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This CVE is specific for the version 5.1.5 still present in Buildroot.
It has been fixed in 5.2.3 and thereby doesn't affects the other
versions available in Buildroot.
- CVE-2014-5461
Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through
5.2.x before 5.2.3 allows context-dependent attackers to cause a denial
of service (crash) via a small number of arguments to a function with a
large number of fixed arguments.
For more information see:
- https://security-tracker.debian.org/tracker/CVE-2014-5461
- https://udd.debian.org/patches.cgi?src=lua5.1&version=5.1.5-11
A patch present in Debian is used to address this vulnerability.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a2c906ee3b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-53644:
OpenCV is an Open Source Computer Vision Library. Versions prior to
4.12.0 have an uninitialized pointer variable on stack that may lead
to arbitrary heap buffer write when reading crafted JPEG images.
Version 4.12.0 fixes the vulnerability.
https://www.cve.org/CVERecord?id=CVE-2025-53644
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9c365fee97)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CPE 'iputils_project:iputils' has been deprecated in favour of
'iputils:iputils'.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4ac3c1de56)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
We dropped support for python2 a while back in [1], as such we
can remove the python six module which was only needed for
backwards comaptibility with python2.
[1] 2743ce00ca
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: add commit ref removing python2 support]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 53eb75ef53)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since boot-wrapper-aarch64 introduction in commit [1]
"boot-wrapper-aarch64: new package", the package never received a hash
file. This commit adds it, including the source archive and license
hashes.
[1] 7689b72e00
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4b14018a38)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit [1] ("package: replace git:// URLs with https://
URLs where possible") switched _SITE URL from git to https, but did
not updated the package homepage in Config.in.
This commit updates it to match the package _SITE URL.
[1] 6626bf7c5f
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit afff65c340)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
policycoreutils uses getpass(), which with musl is only defined with
some feature macro defined, such as _GNU_SOURCE. So let's pick-up an
upstream fix to address this issue.
There are no autobuilder failures, the issue was most likely hidden by
other failures with musl affecting the SELinux stack.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fc472cc8c7)
[thomas: fix patch]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The build of libsemanage on musl configurations fails with:
direct_api.c: In function 'semanage_direct_install_file':
direct_api.c:1746:20: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
1746 | filename = basename(path);
| ^~~~~~~~
This fails to build even with a GCC 14.x toolchain, even with
libsemanage 3.7, which is the version we have in our LTS branch.
Let's backport an upstream patch fixing this issue.
Fixes:
https://autobuild.buildroot.net/results/913852e35c925888ced37e15be3731b9d3963019/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 79031b79c2)
[thomas: backport patch to v3.7]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Luvi 2.14.0 fails to build with GCC 14.x for several reasons due to
too old lua-openssl 0.8.2-0 submodule:
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/ocsp.c: In function 'openssl_ocsp_request_read':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/ocsp.c:124:29: error: passing argument 1 of 'PEM_ASN1_read_bio' from incompatible pointer type [-Wincompatible-pointer-types]
124 | OCSP_REQUEST *req = pem ? PEM_read_bio_OCSP_REQUEST(bio, NULL, NULL)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| |
| char * (*)()
Fixed in lua-openssl by [1].
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/x509.c: In function 'openssl_push_general_name':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/x509.c:377:45: error: passing argument 2 of 'openssl_push_asn1type' from incompatible pointer type [-Wincompatible-pointer-types]
377 | openssl_push_asn1type(L, general_name->d.x400Address);
| ~~~~~~~~~~~~~~~^~~~~~~~~~~~
| |
| ASN1_STRING * {aka struct asn1_string_st *}
Fixed in lua-openssl by [2].
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/openssl.c: In function 'luaclose_openssl':
TestLuvi/build/luvi-2.14.0/deps/lua-openssl/src/stdatomic.h:387:9: error: implicit declaration of function '__c11_atomic_fetch_sub'; did you mean '__atomic_fetch_sub'? [-Wimplicit-function-declaration]
387 | __c11_atomic_fetch_sub(object, operand, order)
Fixed in lua-openssl by [3].
Instead of fixing one by one each issues, update to the latest release
that include lua-openssl 0.9.0-0. Luvi v2.15.0 still have some GCC 14.x
issues, backport two additional patches.
Download luvi sources using git method since the release archive
no longer include the release version in its name [4].
Luvi switched to PCRE2 [5], update the optional dependency.
Update TestLuvi to select PCR2 package.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124430 (TestLuvi)
[1] bfeedbe8c0
[2] e5b5420cc5
[3] cfcaa16d1a
[4] https://github.com/luvit/luvi/releases/download/v2.15.0/luvi-source.tar.gz
[5] https://github.com/luvit/luvi/releases/tag/v2.15.0
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 00317f0aff)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
- CVE-2025-58050: PCRE2: heap-buffer-overflow read in match_ref due to
missing boundary restoration in SCS
Compared to 10.45, this release has only a minimal code change to prevent a
read-past-the-end memory error, of arbitrary length. An attacker-controlled
regex pattern is required, and it cannot be triggered by providing crafted
subject (match) text. The (*ACCEPT) and (*scs:) pattern features must be
used together.
Release 10.44 and earlier are not affected.
https://github.com/PCRE2Project/pcre2/security/advisories/GHSA-c2gv-xgf5-5cc2https://www.cve.org/CVERecord?id=CVE-2025-58050
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add link to CVE in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9fd06f212a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The last mariadb version bump [1] added -DHAVE_SYSTEM_LIBFMT_EXITCODE=0
to workaround cross-compiling issue during libfmt cmake check.
But it actually requies at least cmake >= 3.30 to work.
Indeed, our docker image used by Gitlab-CI uses cmake 3.25.1 and
segfault while testing for libfmt.
-- Performing Test HAVE_SYSTEM_LIBFMT
/bin/bash: line 1: 163369 Segmentation fault
$ cmake --version
cmake version 3.25.1
Using the same TestPerlDBDmysql configuration locally with
cmake 3.30.8 installed build fine.
Looking at cmake cmTryRunCommand.cxx history from 3.30.x show that
several fixes about cross-compiling isses were applied to cmake 3.26.x
[2] probably solving the issue. Requires BR2_HOST_CMAKE_AT_LEAST_3_30
for now, since only cmake 3.30.8 installed locally was tested.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124486 (TestPerlDBDmysql)
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124439 (TestMariaDB)
[1] 6cd8f95346 ("package/mariadb: bump version to 10.11.11")
[2] https://gitlab.kitware.com/cmake/cmake/-/commits/v3.30.9/Source/cmTryRunCommand.cxx?ref_type=tags
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit de9c0f971c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Using /dev/null as file source because the package doesn't provide a default
systemv service configuration file.
Signed-off-by: Angelo Compagnucci <angelo.compagnucci@gmail.com>
[Julien: remove S43htpdate .checkpackageignore entry
to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1f2b459b56)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The symlink bin/lld -> $(GNU_TARGET_NAME)/bin/lld is broken inside a
SDK containing host-lld package. The symlink still points to the
location of lld inside the build's host folder instead of the location
of lld inside the SDK. In consequence GCC is not able to find lld
linker. Changing the symlink to be relative during host-lld
installation fixes the problem.
Signed-off-by: Victor Krawiec <victor.krawiec@arturia.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 289dd6bd76)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit 947dbc92a2 the Bootlin
stable toolchain uses headers 5.4, which can lead to build outputs
incompatible with older kernels. Update to the latest 5.4 kernel to
avoid this. The kernel config is updated according to the requirements
of current Docker, runc, and crun.
Additionally switch the CPU of the test VM to Haswell, to avoid
dockerd failing to start with a "This program can only be run on AMD64
processors with v3 microarchitecture support" error.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit efe00fb3fb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
php-lua fails to build in buildroot 2025.08-rc3 on the following error:
in file included from [...]/usr/include/php/Zend/zend.h:32,
from [...]/usr/include/php/main/php.h:31,
from [...]/build/php-lua-2.0.7/lua.c:24:
[...]/build/php-lua-2.0.7/lua.c: In function ‘php_lua_write_property’:
[...]/build/php-lua-2.0.7/lua.c:247:37:
error: ‘val’ undeclared (first use in this function); did you mean
‘zval’?
247 | lua_pushlstring(L, ZSTR_VAL(val), ZSTR_LEN(val));
| ^~~
[...]/usr/include/php/Zend/zend_string.h:66:26:
note: in definition of macro ‘ZSTR_VAL’
66 | #define ZSTR_VAL(zstr) (zstr)->val
| ^~~~
[...]/build/php-lua-2.0.7/lua.c:247:37:
note: each undeclared identifier is reported only once for each function
it appears in
247 | lua_pushlstring(L, ZSTR_VAL(val), ZSTR_LEN(val));
| ^~~
[...]/usr/include/php/Zend/zend_string.h:66:26:
note: in definition of macro ‘ZSTR_VAL’
66 | #define ZSTR_VAL(zstr) (zstr)->val
| ^~~~
make[2]: *** [Makefile:214: lua.lo] Error 1
The issue triggers only if lua interpreter version is lower than 5.2. In
this case, php_lua_write_property calls ZSTR_VAL on the wrong variable.
Fix php-lua build by calling ZSTR_VAL on the correct variable.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11271124501 (TestPhpLuaLuajit)
Suggested-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Romain: add link to failing TestPhpLuaLuajit]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit a1daf153bf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
On both Buildroot 2025.02.x and master branch, php-lua build fails on
the following error:
lua.c:862:44: error: assignment to 'zend_object_write_property_t' {aka
'struct _zval_struct * (*)(struct _zend_object *, struct _zend_string *,
struct _zval_struct *, void **)'} from incompatible pointer type 'void
(*)(zval *, zval *, zval *, void **)' {aka 'void (*)(struct _zval_struct
*, struct _zval_struct *, struct _zval_struct *, void **)'}
[-Wincompatible-pointer-types]
862 | lua_object_handlers.write_property =
php_lua_write_property;
| ^
lua.c:863:44: error: assignment to 'zend_object_read_property_t' {aka
'struct _zval_struct * (*)(struct _zend_object *, struct _zend_string *,
int, void **, struct _zval_struct *)'} from incompatible pointer type
'zval * (*)(zval *, zval *, int, void **, zval *)' {aka 'struct
_zval_struct * (*)(struct _zval_struct *, struct _zval_struct *, int,
void **, struct _zval_struct *)'} [-Wincompatible-pointer-types]
863 | lua_object_handlers.read_property =
php_lua_read_property;
| ^
make[2]: *** [Makefile:214: lua.lo] Error 1
The error can be reproduced with the following minimal defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_NEON=y
BR2_ARM_ENABLE_VFP=y
BR2_ARM_FPU_NEON=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LUA=y
BR2_PACKAGE_PHP=y
BR2_PACKAGE_PHP_LUA=y
This build failure is the result of two events/conditions:
- the update to PHP8 has changed the prototype for
zend_object_read_property_t (see [1]). But at this time, php-lua just
generated a new warning (-Wincompatible-pointer-types)
- using bootlin bleeding-edge toolchain brings in GCC14, which now turns
this warning into a systematic error (see [2])
This issue is still present on the upstream repository, but it has been
fixed on one of its forks. Bring the relevant patch from the fork to
allow building php-lua.
[1] https://github.com/php/php-src/commit/91ef4124e56
[2] https://gcc.gnu.org/gcc-14/porting_to.html#incompatible-pointer-types
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
[Romain: update Upstream link]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit b4d8147a95)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The git.ti.com cgit server continues to be plagued with reliability
issues which are reportedly from heavy bot traffic. To combat this the
system administrators have removed the archived downloads feature from
this server.
Switch to TI's Github mirror so new downloads continue to be possible.
Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit ebf0131e3e)
[thomas: adapt hash to 09.02.00 version]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This reverts commit 1a729cbf5c.
The BR2_PACKAGE_NFTABLES_JSON variable is not present on the 2025.02.x
branch and was added in commit [1]. The behaviour of commit [1] can be
immitated by just selecting BR2_PACKAGE_JANSSON in firewalld. Which is
already the case.
[1] 2795fecc50 package/nftables: add an option to force JSON support
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the TestMicroPython segfault when testing if micropython can return a
non-zero exit code.
micropython -c "import sys ; sys.exit(123)"
This issue is related to the gcc version used to build micropython
(gcc 14 or newer). Using gcc 13 (like Bootlin toolchain 2024.05-1
previously used) micropython run without issue.
The issue has been reported upstream [2] and fixed in newer micropython
releases [3]. For now, apply a temporary workaround (suggested in the
bug report) using -DMICROPY_NLR_SETJMP=1 only for gcc 14 or newer.
MICROPY_NLR_SETJMP avoid the architecture specific implementation of
nlr_push.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11176774762 (TestMicroPython)
[1] 947dbc92a2
[2] https://github.com/micropython/micropython/issues/14115
[3] 35f3f0a87d
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 50bc5aa17b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
TestRelroPartial is broken since the last checksec update to 2.7.1 [1]
(Buildroot 2024.08) due to a relro check fix [2] that doesn't work for
powerpc architecture where .got.plt doesn't exist for some reasons
(that's why the expected result "full" is replaced by "Partial").
From [3]:
if ${readelf} -d "${1}/exe" 2> /dev/null | grep -q 'BIND_NOW' || ! ${readelf} -l "${1}/exe" 2> /dev/null | grep -q '\.got\.plt'; then
echo_message '\033[32mFull RELRO \033[m ' 'Full RELRO,' ' relro="full"' '"relro":"full",'
else
echo_message '\033[33mPartial RELRO\033[m ' 'Partial RELRO,' ' relro="partial"' '"relro":"partial",'
checksec tool is problably tested upstream on more common architectures
like x86_64 or aarch64 than powerpc64 e5500. This may explain why
checksec broke on powerpc64 e5500 target.
Also, the Booltin powerpc64-e5500--glibc--stable-2018.02-2 toolchain
used by test_hardening tests was not updated since the hardening tests
were introduced back in 2018.11 release.
So, switch to the current Bootling aarch64 stable toolchain
(currently Bootlin aarch64 glibc stable 2025.08-1).
Checked that all 6 hardening tests pass with this new toolchain:
tests.core.test_hardening.TestFortifyConserv
tests.core.test_hardening.TestFortifyNone
tests.core.test_hardening.TestRelro
tests.core.test_hardening.TestRelroPartial
tests.core.test_hardening.TestSspNone
tests.core.test_hardening.TestSspStrong
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11176773995 (TestRelroPartial)
[1] 6150564974
[2] 1c80e39c49
[3] 1c80e39c49 (diff-9e8d1b28dfaf1c704560ac51a5613b70d70de2dcd84e87b9fa20f28811e6484aL1491)
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 10e289e0a9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In the process of bumping Linux kernel 6.12.10 to 6.12.40, the size of the
default Linux kernel Image file for versal products is increasing from 23.4M
to 26.9M. This is leaving limited free space in the vfat partition meaning
users may unknowingly exceed the 32M size by just adding Linux kernel configs.
To avoid potential problems, this patch doubles the size of the vfat partition
to 64M, which should be plenty of space for any configuration.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit dfed1003d9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
On the autobuilder the mariadb package fails to build when the
BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160 variable is not set.
See the following autobuilder error:
```
/workdir/instance-0/output-1/build/mariadb-10.11.11/libmariadb/libmariadb/secure/openssl_crypt.c: In function 'ma_hash_get_algorithm':
/workdir/instance-0/output-1/build/mariadb-10.11.11/libmariadb/libmariadb/secure/openssl_crypt.c:40:12: error: implicit declaration of function 'EVP_ripemd160'; did you mean 'LN_ripemd160'? [-Wimplicit-function-declaration]
40 | return EVP_ripemd160();
| ^~~~~~~~~~~~~
| LN_ripemd160
/workdir/instance-0/output-1/build/mariadb-10.11.11/libmariadb/libmariadb/secure/openssl_crypt.c:40:12: error: returning 'int' from a function with return type 'const EVP_MD *' {aka 'const struct evp_md_st *'} makes pointer from integer without a cast [-Wint-conversion]
40 | return EVP_ripemd160();
| ^~~~~~~~~~~~~~~
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBOPENSSL=y
# BR2_PACKAGE_LIBOPENSSL_ENABLE_RMD160 is not set
BR2_PACKAGE_MARIADB=y
EOF
make olddefconfig
make mariadb
```
This patch adds a requirement to the RMD160 crypto for the MariaDB
package.
Fixes: https://autobuild.buildroot.org/results/f2b/f2b749cb7019856c5434c27987e8bfb2dc179cda
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 5ce1d6f017)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The build of avrdude sometimes fails with:
avrdude: installs files in /home/autobuild/autobuild/instance-1/output-1/target//home/autobuild/autobuild/instance-1/output-1
This is due to an issue in the installation logic for the Python
code. However, our avrdude.mk doesn't explicitly support building
avrdude's Python support, so it's really only by luck (or lack
thereof) that sometimes host-swig and python3 end up built before
avrdude, causing avrdude to build its Python support, which installs
at the wrong location.
In order to address this, we add a small patch, submitted upstream,
that allows to explicitly disable Python support, which we then use in
avrdude.mk.
The actual Python issue can be investigated at a later point if
someone needs it. But in any case, being able to explicitly disable
Python support if not needed is useful.
Fixes:
http://autobuild.buildroot.net/results/f18d47289d8b4dee768275a468c25b4f4399cf8c/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d3229d7fa0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes https://autobuild.buildroot.net/results/f32ae62961aac7e8344f4be109040e7de2eb415e/
The openssl logic in ecryptfs uses the openssl engines API, which is always
available in libressl, but only available in libopenssl when
BR2_PACKAGE_LIBOPENSSL_ENGINES is enabled, leading to build failures when it
is not:
ecryptfs_key_mod_openssl.c: In function 'ecryptfs_openssl_read_key':
ecryptfs_key_mod_openssl.c:305:9: error: implicit declaration of function 'ENGINE_load_builtin_engines' [-Wimplicit-function-declaration]
305 | ENGINE_load_builtin_engines();
Fix it by only passing --enable-openssl if libressl or (libopenssl + engines
support) is enabled.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2f309a6e0f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This is a major version bump, because it could break user code that depends
on the (wrong) previous logic fixed by the new release
See the release notes:
- https://github.com/corydolphin/flask-cors/releases/tag/6.0.0
- https://github.com/corydolphin/flask-cors/releases/tag/6.0.1
This fixes the following vulnerabilities:
- CVE-2024-6839:
corydolphin/flask-cors version 4.0.1 contains an improper regex path
matching vulnerability. The plugin prioritizes longer regex patterns
over more specific ones when matching paths, which can lead to less
restrictive CORS policies being applied to sensitive endpoints. This
mismatch in regex pattern priority allows unauthorized cross-origin
access to sensitive data or functionality, potentially exposing
confidential information and increasing the risk of unauthorized
actions by malicious actors.
https://www.cve.org/CVERecord?id=CVE-2024-6839
- CVE-2024-6844:
A vulnerability in corydolphin/flask-cors version 4.0.1 allows for
inconsistent CORS matching due to the handling of the '+' character in
URL paths. The request.path is passed through the unquote_plus
function, which converts the '+' character to a space ' '. This
behavior leads to incorrect path normalization, causing potential
mismatches in CORS configuration. As a result, endpoints may not be
matched correctly to their CORS settings, leading to unexpected CORS
policy application. This can cause unauthorized cross-origin access or
block valid requests, creating security vulnerabilities and usability
issues.
https://www.cve.org/CVERecord?id=CVE-2024-6844
- CVE-2024-6866:
corydolphin/flask-cors version 4.01 contains a vulnerability where the
request path matching is case-insensitive due to the use of the
`try_match` function, which is originally intended for matching hosts.
This results in a mismatch because paths in URLs are case-sensitive,
but the regex matching treats them as case-insensitive. This
misconfiguration can lead to significant security vulnerabilities,
allowing unauthorized origins to access paths meant to be restricted,
resulting in data exposure and potential data leaks.
https://www.cve.org/CVERecord?id=CVE-2024-6866
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 04cd135b26)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2023-5341:
A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.
https://www.cve.org/CVERecord?id=CVE-2023-5341
- CVE-2025-55004:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to version 7.1.2-1, ImageMagick is
vulnerable to heap-buffer overflow read around the handling of images
with separate alpha channels when performing image magnification in
ReadOneMNGIMage. This can likely be used to leak subsequent memory
contents into the output image. This issue has been patched in version
7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55004
- CVE-2025-55005:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to version 7.1.2-1, when preparing
to transform from Log to sRGB colorspaces, the logmap construction
fails to handle cases where the reference-black or reference-white
value is larger than 1024. This leads to corrupting memory beyond the
end of the allocated logmap buffer. This issue has been patched in
version 7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55005
- CVE-2025-55160:
ImageMagick is free and open-source software used for editing and
manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1,
there is undefined behavior (function-type-mismatch) in splay tree
cloning callback. This results in a deterministic abort under UBSan
(DoS in sanitizer builds), with no crash in a non-sanitized build.
This issue has been patched in versions 6.9.13-27 and 7.1.2-1.
https://www.cve.org/CVERecord?id=CVE-2025-55160
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 0eefa1095d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-6965:
There exists a vulnerability in SQLite versions before 3.50.2 where
the number of aggregate terms could exceed the number of columns
available. This could lead to a memory corruption issue. We recommend
upgrading to version 3.50.2 or above.
https://www.cve.org/CVERecord?id=CVE-2025-6965
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c4c282f8ec)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building ipset with musl libc the following error appeared on the
autobuilder in 2025.02.x:
```
ipset.c: In function 'main':
ipset.c:35:21: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
35 | if (!strcmp(basename(argv[0]), "ipset-translate")) {
| ^~~~~~~~
ipset.c:35:21: error: passing argument 1 of 'strcmp' makes pointer from integer without a cast [-Wint-conversion]
35 | if (!strcmp(basename(argv[0]), "ipset-translate")) {
| ^~~~~~~~~~~~~~~~~
| |
| int
In file included from ipset.c:13:
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_IPSET=y
EOF
make olddefconfig
make ipset
```
This patch adds the upstream commit [1], that fixes this issue by
including explicitly `libgen.h`. This patch is part of the master
branch since commit [2].
[1] https://git.netfilter.org/ipset/commit/?id=316f592ddc547c28388da4e7cb7c5c8f89cd3591
[2] 8fdbbefa08 package/ipset: bump to version 7.23
Fixes: https://autobuild.buildroot.org/results/930/930802ecc324c4cfc697191aa6a68642a4188e7b
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Fix the following vulnerability:
- CVE-2025-46728
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library.
Prior to version 0.20.1, the library fails to enforce configured size
limits on incoming request bodies when `Transfer-Encoding: chunked` is
used or when no `Content-Length` header is provided. A remote attacker
can send a chunked request without the terminating zero-length chunk,
causing uncontrolled memory allocation on the server. This leads to
potential exhaustion of system memory and results in a server crash or
unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits
during parsing. If the limit is exceeded at any point during reading,
the connection is terminated immediately. A short-term workaround
through a Reverse Proxy is available. If updating the library
immediately is not feasible, deploy a reverse proxy (e.g., Nginx,
HAProxy) in front of the `cpp-httplib` application. Configure the
proxy to enforce maximum request body size limits, thereby stopping
excessively large requests before they reach the vulnerable library
code.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-46728
- 7b752106ac
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
(cherry picked from commit aea7c89396)
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fd313c4ceb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This reverts commit 559bb33ae7, which
was disabling BR2_BACKUP_SITE in our tests with the following
reasoning:
support/testing: do not use s.b.o
Currently, the runtime tests will use the sources.buildroot.org backup
mirror, which is the default setup.
However, in some cases we do not want to use the backup site, because we
want to ensure that the download actually works.
This is the case for vendored packages, like cargo or golang packages,
for whbich we want to check that gthe download still works when we
update the rust or go versions, or when our download helpers change.
So, disable the use of the backup site in all runtime tests, and drop
the no-longer needed special cases.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
However, not using the backup site is causing a LOT of random failures
in Gitlab CI, making the results barely usable. Since it's more
important to get real failures than random ones due to download
issues, let's re-enable BR2_BACKUP_SITE in our testing infrastructure.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit d26f371758)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since upstream commit 312efb2acba7dba80b6652ccf98339dcbbd47695, the
JPEG loading code is using jpeg_read_icc_profile(), which is only
available when the jpeg-turbo implementation is used, not the classic
libjpeg. When classic jpeg is used, the build fails with:
../shared/image-loader.c:163:14: error: implicit declaration of function 'jpeg_read_icc_profile' [-Wimplicit-function-declaration]
163 | if (!jpeg_read_icc_profile(cinfo, &profdata, &proflen)) {
This commit first appeared in development version 13.0.91 and stable
version 14.0.0, which means the problem exists in Buildroot since
commit 430b80cfc1, when weston was
bumped from 13.0.3 to 14.0.0.
So let's enable the JPEG logic only when jpeg-turbo is used.
Fixes:
https://autobuild.buildroot.org/results/353e39902616bdbce40ac667e98cbaf51079f69e/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f74f7d4a03)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since upstream commit 66e1614122c22d455cc3a28db08b3afac2b7be29, which
first appeared in version 1.11.0, back in 2016, jpeg is no longer a
mandatory dependency. And in fact, Buildroot no longer has it
unconditionally in WESTON_DEPENDENCIES since commit
f67a6e9b7a, but BR2_PACKAGE_WESTON is
still selecting in.
A build without libjpeg works just fine, so let's drop this select.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c8edd532c2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit-2882cf4ae649 ("package/wpewebkit: security bump to version
2.48.3") wpewebkit depends on cmake 3.20.
Fixes build on current Debian LTS (bullseye) which has only 3.18.4.
>>> wpewebkit 2.48.3 Configuring
...
CMake Error at CMakeLists.txt:9 (cmake_minimum_required):
CMake 3.20 or higher is required. You are running version 3.18.4
-- Configuring incomplete, errors occurred!
make: *** [package/pkg-generic.mk:263: /../buildroot/output/build/wpewebkit-2.48.3/.stamp_configured] Error 1
Fixes: 2882cf4ae6
Signed-off-by: Henri Roosen <henri.roosen@ginzinger.com>
Acked-By: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit ad75a5d478)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add simple patch, submitted upstream, to fix the build with GCC 15.x:
userloc_formatter.c: In function 'userloc_format':
userloc_formatter.c:30:5: error: implicit declaration of function 'sd_debug' [-Wimplicit-function-declaration]
30 | sd_debug("Formatter s13_userloc checking location info for userdata %X",a_event->evt_loc->loc_data);
| ^~~~~~~~
make[4]: *** [Makefile:519: userloc_formatter.lo] Error 1
Fixes:
https://autobuild.buildroot.org/results/dab64025e6a1688d5fadc2b9bd3738a2c886aa9c/
Considering the level of upstream maintenance, we did hesitate with
dropping the package, but as the fix was quite simple, we did the fix
instead.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 41463deed4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Bugfix release, fixing the following issues:
1.3.8d - Released 14-Mar-2025
--------------------------------
- Issue 1855 - Use of HideNoAccess for SFTP sessions can lead to segfault
and/or unexpected behavior.
- Issue 1876 - SFTP channel allocations can lead to high memory utilization
over time.
1.3.8c - Released 11-Dec-2024
--------------------------------
- Issue 1770 - Using FTPS after upgrading from 1.3.8a to 1.3.8b leads to crash.
- Issue 1785 - Bad handling of lack of extended attributes leads to SFTP out of
memory error.
- Issue 1529 - mod_sftp_sql logs "header value too long" due to unexpected key
header text.
- Issue 1839 - SSH ECDSA host key algorithms not be used as expected despite
configuring appropriate key.
- Issue 1840 - RADIUS Message-Authenticator verification failed with ProFTPD
mod_radius.
- Issue 1830 - Supplemental group inheritance grants unintended access to
GID 0 due to lack of supplemental groups from mod_sql.
https://github.com/proftpd/proftpd/blob/1.3.8/NEWS
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 90be04d4d3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changelog (see [1]):
ver 0.79:
Fix issue with D-Bus client and watch removal handling.
Fix issue with D-Bus client and service name handling.
Fix issue with D-Bus proxy and filter rule handling.
ver 0.78:
Fix issue with random ECC scalar generation.
ver 0.77:
Add support for precheck feature for unit tests.
Add support for license variable for pkg-config.
ver 0.76:
Fix issue with random scalar generation.
ver 0.75:
Add support for converting OID octets to strings.
Add support for NIST P-224 cuve usage with ECDH.
Add support for NIST P-521 cuve usage with ECDH.
Add support for SHA-3 series of hashing algorithms.
ver 0.74:
Add support for NIST P-192 curve usage with ECDH.
Add support for SHA-224 based checksums and HMACs.
ver 0.73:
Fix issue with parsing hwdb.bin child structures.
ver 0.72:
Add support for the Test Anything Protocol.
ver 0.71:
Fix issue with GCC 15 and -std=c23 build errors.
ver 0.70:
Add support for helper function for safe memcpy.
[1] https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ChangeLog?h=0.79
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e834d23cd7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The github repo was deleted and moved to codeberg, so use that instead:
https://lwn.net/Articles/926101/
It is unclear if the auto generated tarballs from codeberg are reproducible,
so instead fetch through git.
[Peter: set _CPE_ID_VERSION to the correct value]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c7af01f47a)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Bufix release fixing a number of issues:
- Bug 5352: Do not get stuck in RESPMOD after pausing peer read(2)
- Bug 5489: Fix "make check" linking on Solaris
- Fix SNMP cacheNumObjCount -- number of cached objects
- Do not duplicate received Surrogate-Capability in sent requests
- Fix Mem::Segment::open() stub to fix build without shm_open()
- ... and CI and documentation updates
https://github.com/squid-cache/squid/releases/tag/SQUID_6_14
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7c47e8b1b2)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since Buildroot commit [1] updating qemu defconfigs from Kernel 6.6.32
to 6.12.9, qemu_aarch64_ebbr_defconfig, qemu_aarch64_sbsa_defconfig
and qemu_arm_ebbr_defconfig can fail to build with error:
/bin/sh: 1: python3: not found
make[7]: *** [drivers/gpu/drm/msm/Makefile:182: drivers/gpu/drm/msm/generated/a2xx.xml.h] Error 127
The issue can happen on build hosts without Python, and if the Linux
kernel is built before any package having host-python3 in its
dependencies (e.g. host-qemu, optee-os, ...).
Starting with Linux 6.10, the arm and arm64 architecture defconfigs need
python3 to build. [2]
This commit fixes this issue by adding
BR2_LINUX_KERNEL_NEEDS_HOST_PYTHON3=y in those defconfigs.
[1] 44075c1955
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=0fddd045f88e34d6160785a3a5e506d374566454
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Romain Naour <romain.naour@gmail.com>
[Julien:
- reword commit log to add the commit introducing the issue
- fix qemu_aarch64_sbsa_defconfig which has the same issue
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6001601544)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
This patch fixes the CPE ID for both go-bin and go-src packages.
The go-src package did had a CPE ID because GO_SRC_CPE_ID_VENDOR is
defined but the generated CPE ID would be the following:
cpe:2.3:a:golang:go-src:*:*:*:*:*:*:*:*
The CPE product go-src doesn't match to anything and should be 'go'
instead.
For go-bin no CPE_ID variable were defined so no CPE ID would be
generated if using a pre-build toolchain.
This patch duplicate the definition of the CPE_ID variables, I didn't
put the definition in the 'package/go/go.mk' file to avoid generate a
CPE for the go virtual package.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1869b4065c)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Fixes: https://autobuild.buildroot.net/results/8d14173f31922a737c326be75aa24c9f9471342a/
The vde2 source code uses empty argument function pointer prototypes like:
typedef ssize_t (* ssize_fun)();
extern ssize_fun vdehist_vderead;
In C17 and earlier, such prototypes means unknown number of arguments,
whereas with C23 it means no arguments, leading to build failures:
libvdehist.c:39:27: error: initialization of 'ssize_fun' {aka 'long int
(*)(void)'} from incompatible pointer type 'ssize_t (*)(int, void *,
size_t)' {aka 'long int (*)(int, void *, long unsigned int)'}
[-Wincompatible-pointer-types]
Workaround it using -std=gnu99. Vde2 is provided both as a host and target
package, so do this unconditionally for both.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 2218f02155)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Now that the qspi.bin file is included for zynqmp images, the 32M vfat
partition is getting dangerously close to being full.
In the process of bumping Linux kernel 6.12.10 to 6.12.40, the size of the
default Linux kernel Image file for zynqmp products is increasing from 23.4M
to 26.9M. This is leaving less than 1M of free space in the vfat partition
meaning users may unknowingly exceed the 32M size by just adding Linux kernel
configs.
To avoid potential problems, this patch doubles the size of the vfat partition
to 64M, which should be plenty of space for any configuration.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit c7a45b8302)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
This tool helps to update Linux stable releases.
The script uses the versions found in linux/linux.hash. For each of the
versions it downloads the related hash list and tries to find an updated
stable release. If found it updates all related files and hashes.
Signed-off-by: Gero Schwäricke <gero.schwaericke@grandcentrix.net>
[Arnout: commonalize the sed expression for linux and linux-headers]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit a87b1800b9)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
This reverts commit fecc337d21,
re-adding optional support for pulseuadio in ffmpeg.
This is possible now that the circular dependency:
pulseaudio -> libsoxr -> ffmpeg -> pulseaudio
has been broken between libsoxr and ffmpeg.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8db836d292)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Having support for ffmpeg in libsoxr causes several circular
dependencies:
- pulseaudio -> libsoxr -> ffmpeg -> pulseaudio
(This one was worked around in
fecc337d21 by dropping the ffmpeg ->
pulseaudio dependency, but it's annoying as being able to output
audio from ffmpeg into pulseaudio seems useful)
- libopenmpt -> pulseaudio -> libsoxr -> ffmpeg -> libopenmpt
(This is one exists, and is fixed by this commit)
To fix both circular dependencies, we propose to drop the dependency
of libsoxr on ffmpeg, which is used to get some optimized FFT
implementation. While not being useless, this is the point where
breaking the dependency seems the most logical.
Neither Debian nor Fedora build libsoxr with ffmpeg support.
In order to achieve that, we add a new patch making the option
WITH_AVFFT actually effective. Since we no longer build against
ffmpeg, the previously added patch that was fixing the pkg-config file
is no longer needed.
Fixes:
https://autobuild.buildroot.net/results/bbfce69f35cafd56245ebeae79086a8b64592a16/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4bf2a854f9)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The new package_dir element contains the path of the package
directory. For Buildroot packages this is a path relative to the main
Buildroot directory, for packages from external trees an absolute
path.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Tested-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b10f50399a)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Building the column store plugin (which gets automatically enabled
when Boost with a bunch of submodules is found) currently fails as it
requires a number of runtime checks that obviously cannot work when
cross-compiling.
OpenEmbedded has defined them as such:
-DLSTAT_FOLLOWS_SLASHED_SYMLINK_EXITCODE=0 \
-DSTAT_EMPTY_STRING_BUG_EXITCODE=0 \
-DMASK_LONGDOUBLE_EXITCODE=0 \
but it really isn't clear whether those values are completely correct
for all CPU architectures, especially the last one.
So instead, let's disable the column store plugin until someone
actually needs it and figures out how to set those variables properly.
The issue fixed by this commit can be reproduced using the following
defconfig:
BR2_aarch64=y
BR2_ARM_FPU_VFPV3D16=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MARIADB=y
BR2_PACKAGE_MARIADB_SERVER=y
BR2_PACKAGE_BOOST=y
BR2_PACKAGE_BOOST_DATE_TIME=y
BR2_PACKAGE_BOOST_FILESYSTEM=y
BR2_PACKAGE_BOOST_REGEX=y
BR2_PACKAGE_BOOST_THREAD=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 44bba49507)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The Config.in comment is between the main BR2_PACKAGE_MARIADB option
and its sub-options, causing the sub-options to not appear as nicely
indented in menuconfig.
Before:
[ ] mariadb
[ ] mariadb server
[ ] mariadb embedded server
After:
[ ] mariadb
[ ] mariadb server
[ ] mariadb embedded server
which is what we want.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8964f0652c)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Recently when trying to reproduce a build error with test-pkg on the toolchain
br-arm-basic, I had to create a new CSV file with that toolchain only to be
able to run the test in that single case.
I believe having a command-line option right away in test-pkg would make this
much easier, as I can now run: `./utils/test-pkg -T br-arm-basic -p redis`
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit f3be464f7a)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
In order to remove thttpd package from Buildroot, we have to replace it
from our testsuite (TestWget and TestLibCurl).
Busybox provide an httpd server applet but it's not enabled in our
default busybox configuration.
For the sake of those tests, add a new busybox option to build and
install the Busybox's httpd server and its init script.
Import S90thttpd from thttpd package to S90httpd but with some changes
following S01syslogd init script as a reference [1].
[1] 3dc8061444
Cc: Julien Olivain <ju.o@free.fr>
Cc: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit bcd97e1424)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since Buildroot commit [1] dc0f7215c6 "package/gcc: switch to 13.x as
default", sipeed_licheepi_zero_defconfig fails when building the Linux
kernel with the error message:
drivers/ata/libahci.c: In function 'ahci_led_store':
./include/linux/compiler.h:350:45: error: call to '__compiletime_assert_1138' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
350 | _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
This issue is fixed by upstream Kernel commit [2].
This commit fixes this issue by updating the Linux Kernel from v5.3.5
(which is not a LTS series) to v6.12.43 (which is a LTS series
including the fixes). With this update,
BR2_LINUX_KERNEL_INTREE_DTS_NAME is updated accordingly to follow the
new DTS organization.
This commit also updates U-Boot from 2022.01 to 2025.07. This new
version now requires BR2_TARGET_UBOOT_NEEDS_GNUTLS=y.
While at it, this commit also switches to a stable glibc Bootlin
external toolchain, to follow the new guidelines from [3].
Finally, this commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y and the
corresponding hash files. The .checkpackageignore is also updated to
reflect that change.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/11026771001
[1] dc0f7215c6
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f07788079f515ca4a681c5f595bdad19cfbd7b1d
[3] https://elinux.org/Buildroot:DeveloperDaysELCE2024#Rules_for_defconfigs
Cc: Michel Stempin <michel.stempin@wanadoo.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit db951a4c71)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since glibc 2.28, <sys/sysmacros.h> is no longer implicitly included
by <sys/types.h>, which means major() is only defined if you include
<sys/sysmacros.h>.
This wasn't really visible for a while in loadable plugins built by
lirc-tools as they could happily be built with undefined
symbols... except they would fail to load at runtime.
But then GCC 14.x brought more strict checking of having the function
prototype around, which now detects this issue at build time.
So the actual issue has been around since we switched to glibc 2.28,
but it only started failing to build since gcc 14.x. The first failure
is on August 2024, so this patch should be backported to our stable
branches.
The fix is backport from an upstream commit, post 0.10.2.
Fixes:
https://autobuild.buildroot.net/results/2f64accd430d9467add3f1195f3f59eff8e99a4d/
Minimal reproducer:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_GLIBC_STABLE=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_LIRC_TOOLS=y
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2313c23242)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Currently, the manual doesn't mention the checkpackageignore file at
all, leaving the user under the assumption that running "make
check-package" and running utils/check-package directly on the package
they have touched would be equivalent, when the former evaluates the
checkpackageignore file while the latter does not. This could cause them
to forget to remove stale entries from that file.
Point out this difference in behavior.
Signed-off-by: Florian Larysch <fl@n621.de>
[Arnout: add that stale lines should be removed from
.checkpackageignore]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 47181a164c)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The old one lasted for 10 years, lately spam
levels reached a rather uncomfortable level ...
Signed-off-by: Andreas Ziegler <br015@umbiko.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e13a3c95c1)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Buildroot commit [1] "package/python-pyroute2: bump to version 0.9.4"
added the python3 ssl runtime dependency while updating the package
in the "next" branch. It incorrectly suggested the dependency was
introduced in version 0.9.4.
This dependency was in fact introduced in upstream commit [2],
first time included in pyroute2 0.8.1, which is the current version
in the Buildroot release stabilization branch. It is worth mentioning
that this package was updated to that version in Buildroot commit [3].
Running the command on target:
python3 -c 'import pyroute2'
Fails at runtime with error:
ModuleNotFoundError: No module named '_ssl'
This commit fixes the issue by adding this missing dependency,
the same was it was done in commit [1].
[1] 786557d859
[2] e87c14581b
[3] 816641bbe1
Signed-off-by: Yacin Belmihoub-Martel <yacin.belmihoub-martel@silabs.com>
[Julien:
- reword commit log
- add the "runtime" comment
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c399b6d682)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Fixes the following CVEs:
- CVE-2024-41957
- CVE-2024-41965
- CVE-2024-45306
- CVE-2024-47814
- CVE-2025-1215
- CVE-2025-22134
- CVE-2025-24014
- CVE-2025-26603
- CVE-2025-29768
- CVE-2025-53905
- CVE-2025-53906
README.txt got updated three times since the last bump:
- [0] updated some wording regarding who the developers are.
- [1] updated the link to the release archives
- [2] updated the goals of the project
netrw (the builtin file explorer of vim) changed maintainer and was
subsequently restructured [3]. Therefore we need to run installpack,
otherwise we run into this on startup (reported by Julien, thanks!):
Error detected while processing
/usr/share/vim/vim91/plugin/netrwPlugin.vim:
line 7:
E919: Directory not found in 'packpath': "pack/*/opt/netrw"
Press ENTER or type command to continue
[0]: b75825f749
[1]: 4225f28855
[2]: 2bfd1ee161
[3]: 9cfdabb074
Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 089731c8ea)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since 256.12 systemd-networkd requires kernel >=5.4 due to the inclusion of
the sockios.h header, which uses the SIOCGSTAMP_OLD macro.
The same change has already been applied to master/2025.08 in
7d8d48cd2b
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following vulnerability:
- CVE-2025-46688
quickjs-ng through 0.9.0 has an incorrect size calculation in
JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow.
QuickJS before 2025-04-26 is also affected.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-46688
- 1eb05e44fa
The patch is different from upstream since the BigInt implementation has
been added post 2024-01-13 (see commit [1]). The BigInt fix has been
stripped out to only keep the buffer overflow in the string
implementation.
On master the following CVE has been addressed with commit [2].
[1] 61e8b94428
[2] c5c7c44fa5 package/quickjs: bump to version 2025-04-26
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The each_cpe() method is careful that some CVEs have no
"configurations", but some CVEs such as
https://nvd.nist.gov/vuln/detail/CVE-2025-32915 apparently have a
"configurations" node, but no "nodes" inside the "configurations",
causing an exception:
Traceback (most recent call last):
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1382, in <module>
__main__()
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 1371, in __main__
check_package_cves(args.nvd_path, packages)
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 679, in check_package_cves
check_package_cve_affects(cve, cpe_product_pkgs)
File "/home/buildroot/buildroot-stats/./support/scripts/pkg-stats", line 638, in check_package_cve_affects
for product in cve.affected_products:
^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in affected_products
return set(cpe_product(p['id']) for p in self.each_cpe())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 185, in <genexpr>
return set(cpe_product(p['id']) for p in self.each_cpe())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/buildroot/buildroot-stats/support/scripts/cve.py", line 173, in each_cpe
for node in nodes['nodes']:
~~~~~^^^^^^^^^
KeyError: 'nodes'
Fixes:
54f8d97c91 ("support/scripts/pkg-stats: adapt to NVD v2 json format")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Romain:
- add reference to buildroot commit introducing the issue
- a similar patch was sent by Daniel Lang (thanks!)
- needed on 2025.02.x to fix "Daily results" email]
(cherry picked from commit 67422b9d9c)
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Fixes the following vulnerability:
- CVE-2025-54874
OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and
earlier, a call to opj_jp2_read_header may lead to OOB heap memory
write when the data stream p_stream is too short and p_image is not
initialized.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-54874
- f809b80c67
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c46fb3c8b3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This patch brings the entire stack of Debian patches on grub2 titled
"cve-2025-jan" and available at:
https://salsa.debian.org/grub-team/grub/-/tree/debian/2.12-9/debian/patches/cve-2025-jan?ref_type=tags
As of this exact Debian grub2 version 2.12-9. Some minor conflicts had
to be fixed. All patches are in upstream Grub master, but mixed with
hundreds of other changes, which is why Debian's effort to backport
them has been leveraged here.
In addition to those patches, 2 extra patches are added:
0073-net-drivers-ieee1275-ofnet-Add-missing-grub_malloc.patch
0074-Constant-time-grub_crypto_memcmp.patch
The first one fixes an issue in one of the earlier patches. The fix is
not in Debian, but is in upstream Grub.
The second one fixes another CVE, not fixed in Debian, but fixed in
OpenSUSE. This fix is not upstream as upstream has decided to move to
libgcrypt instead to avoid the problem, but that's a fairly large
change.
Overall, this patch fixes all CVEs currently reported by pkg-stats
against our grub2 package, namely:
CVE-2024-45777
CVE-2024-45778
CVE-2024-45779
CVE-2024-45780
CVE-2024-45782
CVE-2024-56737
CVE-2024-56738
CVE-2025-0678
CVE-2025-0684
CVE-2025-0685
CVE-2025-0686
CVE-2025-0689
CVE-2025-1125
With the previous fixes on runtime tests added (to use glibc
toolchains to build grub2 tests), this commit successfully passes all
tests:
- The ISO9660 tests that use grub2:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234563
- The grub2 tests:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1985234685
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: also tested by building and booting
- qemu_aarch64_sbsa_defconfig
- qemu_arm_ebbr_defconfig
- qemu_loongarch64_virt_efi_defconfig
- qemu_riscv64_virt_efi_defconfig
- pc_x86_64_bios_defconfig
- pc_x86_64_efi_defconfig
]
Tested-by: Julien Olivain <ju.o@free.fr>
[Julien:
- fix patch #72 upstream link to point to the initial patch
sumbission rather than a reply
- merge two _IGNORE_CVES blocks for patch #50 into a single one
- order _IGNORE_CVES blocks by numerical patch order
- order numerically the CVE list in commit log
- add a "Fixes:" tag in patch #74 since its commit log does not
mention the CVE.
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ded3e0045a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Suniel's e-mail address at Amarula Solutions is bouncing, so let's
drop this stale entry:
<sunil@amarulasolutions.com>: host aspmx.l.google.com[142.250.27.26] said:
550-5.1.1 The email account that you tried to reach does not exist. Please
try 550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. For more information, go to 550 5.1.1
https://support.google.com/mail/?p=NoSuchUser
a640c23a62f3a-afcdce6d5e1si493680166b.9 - gsmtp (in reply to RCPT TO
command)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3c93cf106c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The original commit (aaa2b660a9 ("setserial: convert to autotargets
and fix manpages install") wasn't entirely clear why we went for a
removal of a patch from the tarball we get from Debian.
It is assumed the original patch mainly only wanted to remove the strip
and make sure the directories are created before files are installed in
there. But doing only that made my build fail because the linker doesn't
find @CXXFLAGS@. After undoing the addition of this variable (and its
use) from 01_makefile.patch it now compiles just fine.
Therefore, instead of removing the patch from the tarball we get from
Debian, simply update the patch we carry in the tree to remove what's
necessary and simplify the patching logic.
This could also help identify notable differences between the
01_makefile.patch from two different versions whenever we upgrade.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c688a1a8a8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Debian has a newer setserial which compiles on newer toolchains, so
let's update to it.
Noteworthy is the change from a big diff to a tarball containing the
whole debian directory. The series file which contains all patches to
apply is named properly so no need to rename 00list anymore. The patches
file extension is now .patch instead of .dpatch.
This fixes the build with BR2_TOOLCHAIN_EXTERNAL_ARM_AARCH64 external
toolchain (14.2.rel1).
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 871cdeab6a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Newer toolchains silently fail during configure step. After some
investigation, it is because -Wimplicit-int is returned for one of the
simplest test from the in-package configure file and thus fail the
configure step early, when checking if the compiler can produce an
executable.
Let's fix this by simply regenerating the configure file, similarly to
what Debian is doing, c.f. debian/rules.
Fixes:
https://autobuild.buildroot.net/results/ff7a9c3c42f11a2ab71fb04ff0f6d593ac9ee327/
(but there are more build failures later, fixed in a follow-up commit)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 26077c2d41)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since 64ac719952 ("apply-patches.sh: add recursivity when scanning
patchdir"), patches with the .dpatch file extension are simply ignored.
Unfortunately, setserial package stopped applying the patches after that
commit.
Sadly, 0002-tiocghayesesp-build-fix.patch is breaking the patch context
for patch 18 in the debian diff because we are currently applying
patches from within Buildroot tree before applying the ones we download
from Debian. Instead of doing some hacks, let's apply Debian patches
before Buildroot's. However, this requires a few changes. First, we need
to migrate away from the SETSERIAL_PATCH mechanism because currently
_PRE_PATCH_HOOKS runs before this is applied and _POST_PATCH_HOOKS runs
after the Buildroot patches are applied.
Instead, let's use an _EXTRA_DOWNLOADS we manually extract à-la
package/android-tools/android-tools.mk. Then in the _PRE_PATCH_HOOKS, we
apply the big diff the _EXTRA_DOWNLOADS contains so that the patches
from within can be applied afterwards.
Because the big diff still contains only patches with the *.dpatch
extensions that are not supported anymore, we need to either rename all
patches or use the 00list file that lists all patches in the order they
need to be applied. Fortunately, Buildroot already supports applying
patches with `patch` regardless of their extension if they are within
such a file. Unfortunately, it needs to be called "series", hence the
renaming.
Because patch 18 from the big diff is now applied before
0002-tiocghayesesp-build-fix.patch from Buildroot tree, the latter will
fail if left unmodified, so this commit also rebases it.
Finally, we keep the removal of 01_makefile.dpatch for now even though
it only exists because it generates a conflict with
0001-build-system-fix.patch from Buildroot tree. It'll be rebased in a
later commit though.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 534147af94)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building prboom with gcc-14 the following error appeared on the
autobuilder:
```
i_main.c: In function 'main':
i_main.c:359:10: error: assignment to 'const char * const*' from incompatible pointer type 'char **' [-Wincompatible-pointer-types]
359 | myargv = argv;
| ^
```
While this package did not receive any update for a while on the
sourceforge mirror, I backported the fix from a fork. For more
information see [1].
[1] 92d44b6383
Fixes: https://autobuild.buildroot.org/results/888/88846e3cb267b04da58bc17d92fd5dd385b65b5d
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c0bf3da45b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When using gcc-14 the compilation fails with the following error
message:
```
close.c: In function 'EIBClose':
close.c:38:3: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]
38 | close (con->fd);
| ^~~~~
| pclose
openlocal.c: In function 'EIBSocketLocal':
openlocal.c:57:7: error: implicit declaration of function 'close'; did you mean 'pclose'? [-Wimplicit-function-declaration]
57 | close (con->fd);
| ^~~~~
| pclose
make[6]: *** [Makefile:611: close.lo] Error 1
```
This patch include <unistd.h> to include the declaration of close.
Fixes: https://autobuild.buildroot.org/results/483/483fc4584815507c3798eb972e22e51f70f52c23/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 14955941e2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Unlike glibc and uClibc, musl doesn't play tricks with transparent
unions for the second argument to bind() to accept the various sockaddr
variants, but rather just defines it as "struct sockaddr*". As GCC 14 no
longer allows arbitrary implicit pointer casts, this results in a build
error. Import the upstream patch that adds the cast.
Fixes: https://autobuild.buildroot.org/results/00b/00b42a35a80c2deb61f2cd40aedd231597bbb290
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 562eb870fe)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_dmidecode fails when building its Kernel 6.6.39
with gcc 15.1.0.
This commit fixes the issue by updating the test Kernel to the
latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686001
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 93e37c58b0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_msr_tools fails when building its Kernel 5.15.55
with gcc 15.1.0.
This commit fixes the issue by updating the test Kernel to the latest
LTS version (6.12.42 at the time of this commit) which includes the
fix for gcc-15. Note: the 5.15.y series does not include this fix for
the x86_64 architecture, which is why this commit switches to 6.12.y.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686294
[1] 947dbc92a2
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 37bc7f99fd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_dpdk fails to build its Kernel 6.6.58 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686010
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 848ffba573)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_numactl fails to build its Kernel 6.1.75 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.1.y version (6.1.148 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686336
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cc0812b6eb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] "update to Bootlin toolchains 2025.08-1",
the tests.package.test_wine fails to build its Kernel 6.6.27 with
gcc 15.1.0.
This commit fixes the issue by updating the test Kernel version to
the latest 6.6.y version (6.6.102 at the time of this commit) which
includes the fix for gcc-15.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10984686766
[1] 947dbc92a2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 20100403d3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For more details on the version bump, see:
- https://sourceware.org/git/?p=elfutils.git;a=blob;f=NEWS;h=47bf2c6a3b1f49c7adc1d0389de375290461a44c
Fixes the following security issues:
- CVE-2025-1352
A vulnerability has been found in GNU elfutils 0.192 and classified as
critical. This vulnerability affects the function __libdw_thread_tail
in the library libdw_alloc.c of the component eu-readelf. The
manipulation of the argument w leads to memory corruption. The attack
can be initiated remotely. The complexity of an attack is rather high.
The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1352
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753
- CVE-2025-1365
A vulnerability, which was classified as critical, was found in GNU
elfutils 0.192. This affects the function process_symtab of the file
readelf.c of the component eu-readelf. The manipulation of the
argument D/a leads to buffer overflow. Local access is required to
approach this attack. The exploit has been disclosed to the public and
may be used. The identifier of the patch is
5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1365
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=5e5c0394d82c53e97750fe7b18023e6f84157b81
- CVE-2025-1371
A vulnerability has been found in GNU elfutils 0.192 and classified as
problematic. This vulnerability affects the function
handle_dynamic_symtab of the file readelf.c of the component eu-read.
The manipulation leads to null pointer dereference. Attacking locally
is a requirement. The exploit has been disclosed to the public and may
be used. The patch is identified as
b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1371
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=b38e562a4c907e08171c76b8b2def8464d5a104a
- CVE-2025-1372
A vulnerability was found in GNU elfutils 0.192. It has been declared
as critical. Affected by this vulnerability is the function
dump_data_section/print_string_section of the file readelf.c of the
component eu-readelf. The manipulation of the argument z/x leads to
buffer overflow. An attack has to be approached locally. The exploit
has been disclosed to the public and may be used. The identifier of
the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is
recommended to apply a patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1372
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db
- CVE-2025-1376
A vulnerability classified as problematic was found in GNU elfutils
0.192. This vulnerability affects the function elf_strptr in the
library /libelf/elf_strptr.c of the component eu-strip. The
manipulation leads to denial of service. It is possible to launch the
attack on the local host. The complexity of an attack is rather high.
The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1376
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=b16f441cca0a4841050e3215a9f120a6d8aea918
- CVE-2025-1377
A vulnerability, which was classified as problematic, has been found
in GNU elfutils 0.192. This issue affects the function
gelf_getsymshndx of the file strip.c of the component eu-strip. The
manipulation leads to denial of service. The attack needs to be
approached locally. The exploit has been disclosed to the public and
may be used. The identifier of the patch is
fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-1377
- https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=fbf1df9ca286de3323ae541973b08449f8d03aba
Patch 0003 is now part of this release.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c7508a2324)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit b536caaec0 ("package/python-cython: bump to version
3.1.2"), python-numpy fails to build:
Error compiling Cython file:
------------------------------------------------------------
...
np.issubdtype(cov.dtype, np.complexfloating)):
raise TypeError("mean and cov must not be complex")
if size is None:
shape = []
elif isinstance(size, (int, long, np.integer)):
^
------------------------------------------------------------
numpy/random/_generator.pyx:3760:36: undeclared name not builtin: long
Backport upstream patch to fix that build failure.
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cfabe800ad)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2023-2794:
A flaw was found in ofono, an Open Source Telephony on Linux. A stack
overflow bug is triggered within the decode_deliver() function during
the SMS decoding. It is assumed that the attack scenario is accessible
from a compromised modem, a malicious base station, or just SMS. There
is a bound check for this memcpy length in decode_submit(), but it was
forgotten in decode_deliver().
https://www.cve.org/CVERecord?id=CVE-2023-2794
- CVE-2024-7537:
oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono.
Authentication is not required to exploit this vulnerability. The
specific flaw exists within the processing of SMS message lists. The
issue results from the lack of proper validation of user-supplied
data, which can result in a read past the end of an allocated buffer.
An attacker can leverage this in conjunction with other
vulnerabilities to execute arbitrary code in the context of root. Was
ZDI-CAN-23157.
https://www.cve.org/CVERecord?id=CVE-2024-7537
- CVE-2024-7539:
oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
This vulnerability allows local attackers to execute arbitrary code on
affected installations of oFono. An attacker must first obtain the
ability to execute code on the target modem in order to exploit this
vulnerability. The specific flaw exists within the parsing of
responses from AT+CUSD commands. The issue results from the lack of
proper validation of the length of user-supplied data prior to copying
it to a stack-based buffer. An attacker can leverage this
vulnerability to execute code in the context of root. Was ZDI-
CAN-23195.
https://www.cve.org/CVERecord?id=CVE-2024-7539
- CVE-2024-7540:
oFono AT CMGL Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMGL commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23307.
https://www.cve.org/CVERecord?id=CVE-2024-7540
- CVE-2024-7541:
oFono AT CMT Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMT commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23308.
https://www.cve.org/CVERecord?id=CVE-2024-7541
- CVE-2024-7542:
oFono AT CMGR Command Uninitialized Variable Information Disclosure
Vulnerability. This vulnerability allows local attackers to disclose
sensitive information on affected installations of oFono. An attacker
must first obtain the ability to execute code on the target modem in
order to exploit this vulnerability. The specific flaw exists within
the parsing of responses from AT+CMGR commands. The issue results from
the lack of proper initialization of memory prior to accessing it. An
attacker can leverage this in conjunction with other vulnerabilities
to execute arbitrary code in the context of root. Was ZDI-CAN-23309.
https://www.cve.org/CVERecord?id=CVE-2024-7542
Also drop local patch that is no longer applicable, since upstream now
relies on HAS_BACKTRACE as well.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Reviewed-by: Petr Vorel <petr.vorel@gmail.com>
[Julien: remove .checkpackageignore entry to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 611a795cfc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Drop the timestamp from the .tar.gz to make it reproducible, similar to how
it is done in support/download/helpers.
Notice: .xz files do not contain a timestamp
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 802d093060)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The tarball created by git archive is reproducible, but when we append the
generated manual we leak current time and the username/uid of the person
running make release:
tar tvf buildroot-2025.08-rc1.tar.gz | tail
-rwxrwxr-x root/root 5512 2025-08-11 13:22 buildroot-2025.08-rc1/utils/update-rust
drwxr-xr-x peko/peko 0 2025-08-11 17:39 buildroot-2025.08-rc1/
drwxr-xr-x peko/peko 0 2025-08-11 17:38 buildroot-2025.08-rc1/docs/
drwxr-xr-x peko/peko 0 2025-08-11 17:39 buildroot-2025.08-rc1/docs/manual/
-rw-r--r-- peko/peko 5738 2025-08-11 17:38 buildroot-2025.08-rc1/docs/manual/docbook-xsl.css
-rw-r--r-- peko/peko 19029 2025-08-11 17:38 buildroot-2025.08-rc1/docs/manual/github_hash_mongrel2.png
-rw-r--r-- peko/peko 638866 2025-08-11 17:39 buildroot-2025.08-rc1/docs/manual/manual.pdf
-rw-r--r-- peko/peko 587892 2025-08-11 17:38 buildroot-2025.08-rc1/docs/manual/manual.html
-rw-r--r-- peko/peko 393514 2025-08-11 17:39 buildroot-2025.08-rc1/docs/manual/manual.text
-rw-r--r-- peko/peko 117499 2025-08-11 17:38 buildroot-2025.08-rc1/docs/manual/logo.png
Fix that by forcing uid as root and setting mtime to the latest commit,
similar to how we do it in support/download/{git,helpers}.
Notice that we do not use --numeric-owner to match the output of git
archive, so it does rely on uid 0=root, which is very likely but not
guaranteed.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fa855cbe6e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The manual contains build timestamps like:
Buildroot 2025.08-rc1 manual generated on 2025-08-12 06:43:37 UTC
Making it not reproducible. Luckily asciidoc respects SOURCE_DATE_EPOCH, so
use that to use the timestamp of the latest git commit instead.
Notice: The release and manual targets are marked as noconfig targets (and
need to stay like that for make release), so we cannot use the
BR2_REPRODUCIBLE logic. Instead manually set SOURCE_DATE_EPOCH.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3fc5d821eb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since this package hasn't had a proper release in a while this patch set
the CPE_VERSION and CPE_UPDATE to the latest tags available.
The annotation available on NVD all refers to this last available
version `cpe:2.3:a:luajit:luajit:2.1.0:beta3:*:*:*:*:*:*`.
See https://nvd.nist.gov/vuln/detail/CVE-2020-15890 for instance.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e388ef88f0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The company name was changed from "benetti-engineering-sas" to "benetti-engineering"
to be agnostic to the company legal form. Update all GitHub and LinkedIn links
accordingly.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c38ea1d496)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot LTS 2025.02.x utilises libglib2 version 2.82.5 which is prone
to CVE-2025-6052 [1].
0001-gstring-Fix-overflow-check-when-expanding-the-string.patch is
included in the package/libglib2 directory. This patch mitigates
CVE-2025-6052 as seen in [1], by backporting to libglib2 2.82.5.
libglib2 shares part of its infrastructure with libglib2-bootstrap,
by adding the patch in package/libglib2 the patch isn't applied to
libglib2-bootstrap.
When building libglib2, the patch was correctly applied in
output/build/host-libglib2-2.82.5/glib/gstring.c . When building
libglib2-bootstrap it was verified that the patch was not applied here.
Signed-off-by: Tim Soubry <tim.soubry@mind.be>
[Arnout: fix checkpackage error]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The AUTORECONF variable was introduced in commit [1] with reference to
the patches that modified the m4 and Makefile.am files.
The commit [2] removed the last such patch but left the reference to the
patch and the AUTORECONF variable.
Later, commit [3] updated the mirror to the gitlab URL that no longer
bundle a pre-generated `configure` file, making the execution of
AUTORECONF necessary anyway.
This patch removes the obsolete reference to the patch 0001 removed in
[2] to avoid ambiguity with the new patch 0001 introduced in commit [4].
[1] 01a82c1401 package/libapparmor: enable python bindings
[2] 27cd0b5033 package/apparmor: bump to version 3.0.4
[3] 5649202ddc package/libapparmor: bump to version 3.1.7
[4] 2640f5dcd0 package/libapparmor: fix build w/ musl
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: add a comment explaining why]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 50cac72f73)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the package bump to v10.05.0 the xlib libraries detection has been
improved to error missing x libraries (see [2]).
The following error is happening on the autobuilder when building
ghostscript with xlib_libX11:
```
checking for XOpenDisplay in -lX11... yes
checking for XdbeQueryExtension in -lXext... yes
checking for XtAppCreateShell in -lXt... no
configure: error: X11 libraries (libX11, libXt, libXext) not available, either install them, or rerun configure with "--without-x"
make: *** [package/pkg-generic.mk:263: /home/buildroot/instance-0/output-1/build/ghostscript-10.05.1/.stamp_configured] Error 1
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_XLIB_LIBX11=y
BR2_PACKAGE_GHOSTSCRIPT=y
EOF
make olddefconfig
make
```
This patch fixes the xlib dependencies of the ghostscript package to
correctly build with X support:
- The 'XtAppCreateShell' function is provided by the package
'xlib_libXt'.
- The 'XdbeQueryExtension' function is provided by the package
'xlib_libXext'.
They both select the 'xlib_libX11' package.
[1] 9abf662cfd package/ghostscript: security bump to version 10.05.0
[2] 37eede31e1
Fixes: https://autobuild.buildroot.org/results/45d/45d0414f341feb2354478b145396fe137f9cc6a6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 9adc8a0570)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the commit [1] the janet package started failing on the
autobuilder when using musl libc:
```
[50/56] Compiling C object libjanet.so.1.35.2.p/meson-generated_.._janet.c.o
FAILED: libjanet.so.1.35.2.p/meson-generated_.._janet.c.o
/workdir/instance-0/output-1/host/bin/armeb-buildroot-linux-musleabi-gcc -Ilibjanet.so.1.35.2.p -I. -I.. -I../src/include -fdiagnostics-color=always -Wall -Winvalid-pch -std=c99 -O3 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O1 -g3 -fPIC -pthread -fvisibility=hidden -MD -MQ libjanet.so.1.35.2.p/meson-generated_.._janet.c.o -MF libjanet.so.1.35.2.p/meson-generated_.._janet.c.o.d -o libjanet.so.1.35.2.p/meson-generated_.._janet.c.o -c janet.c
src/core/util.c: In function 'janet_strerror':
src/core/util.c:977:12: error: returning 'int' from a function with return type 'const char *' makes pointer from integer without a cast [-Wint-conversion]
[51/56] Compiling C object janet-native.p/meson-generated_.._janet.c.o
```
The commit [2] introduced the issue in v1.35.0, the `strerror` function
has different definition on glibc compared to musl. This issue has been
addressed in commit [3]. This patch add the upstream commit [3].
[1] 31212c4c58 package/janet: bump to version 1.35.2
[2] 8334504f4e
[3] a5d6b22838
Fixes: https://autobuild.buildroot.org/results/ff1/ff1d6063c1a79d17cfa9910cca824e704a4a0c67/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 92a244ba8b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since tuxfamily.org is slowly fading away, update my mail address
to something that is more future-proof.
Signed-off-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b7f7bd44f9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
On the autobuilder the following build error would appear for the
libzenoh-pico package when the option BR2_ENABLE_RUNTIME_DEBUG is
enabled:
```
[ 1%] Building C object CMakeFiles/zenohpico_shared.dir/src/api/encoding.c.o
In function '_z_encoding_convert_into_string',
inlined from 'z_encoding_to_string' at /workdir/instance-0/output-1/build/libzenoh-pico-1.2.1/src/api/encoding.c:261:5:
/workdir/instance-0/output-1/build/libzenoh-pico-1.2.1/src/api/encoding.c:203:15: error: 'strncat' output truncated before terminating nul copying 1 byte from a string of the same length [-Werror=stringop-truncation]
203 | (void)strncat(value, &sep, 1);
| ^~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBZENOH_PICO=y
BR2_ENABLE_RUNTIME_DEBUG=y
EOF
make olddefconfig
make libzenoh-pico
```
This patch include the upstream commit [1] that fixes this issue.
[1] 60e635cbb1
Fixes: https://autobuild.buildroot.org/results/0c4/0c4644b17646d3ec482f0a4cf02d6fde19db2c99
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit ec12da7384)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When the package was introduced in [1], it lacked a kconfig comment
indicating that it requires a toolchain with thread support.
[1] ea1cc1af55 package/cpuinfo: new package
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 38107ec40c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
On autobuilder config with BR2_TOOLCHAIN_HAS_THREADS not set the
following error happens when building the pthreadpool package:
```
-- Looking for pthread_create in pthreads
-- Looking for pthread_create in pthreads - not found
-- Looking for pthread_create in pthread
-- Looking for pthread_create in pthread - not found
-- Check if compiler accepts -pthread
-- Check if compiler accepts -pthread - no
CMake Error at /home/buildroot/instance-0/output-1/host/share/cmake-3.31/Modules/FindPackageHandleStandardArgs.cmake:233 (message):
Could NOT find Threads (missing: Threads_FOUND)
Call Stack (most recent call first):
/home/buildroot/instance-0/output-1/host/share/cmake-3.31/Modules/FindPackageHandleStandardArgs.cmake:603 (_FPHSA_FAILURE_MESSAGE)
/home/buildroot/instance-0/output-1/host/share/cmake-3.31/Modules/FindThreads.cmake:226 (FIND_PACKAGE_HANDLE_STANDARD_ARGS)
CMakeLists.txt:143 (FIND_PACKAGE)
-- Configuring incomplete, errors occurred!
```
This can be reproduced with:
```
cat >.config <<EOF
BR2_armeb=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_PACKAGE_PTHREADPOOL=y
EOF
make olddefconfig
make pthreadpool
```
Since the introduction of this package in [1], the dependency was not
included. Since this package was part of the tensorflow-lite
dependencies that required thread it was not an issue.
This patch adds BR2_TOOLCHAIN_HAS_THREADS in the dependency to avoid
errors when built as a standalone package.
[1] f2486a6cf9 package/pthreadpool: new package
Fixes: https://autobuild.buildroot.org/results/35a/35aa100d72c6875350ad10c57f028f04052cbf79
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 627af87bda)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The following error occur on the autobuilder for static build using
buildroot toolchain and uclibc:
```
/usr/bin/make -j17 -C /home/buildroot/instance-0/output-1/build/snooze-0.5/ PREFIX=/usr CC=/home/buildroot/instance-0/output-1/host/bin/arc-buildroot-linux-uclibc-gcc CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static -static"
make[1]: Entering directory '/home/buildroot/instance-0/output-1/build/snooze-0.5'
/home/buildroot/instance-0/output-1/host/bin/arc-buildroot-linux-uclibc-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static -static snooze.c -o snooze
snooze.c:22:10: fatal error: sys/auxv.h: No such file or directory
22 | #include <sys/auxv.h>
| ^~~~~~~~~~~~
compilation terminated.
make[1]: *** [<builtin>: snooze] Error 1
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_STATIC_LIBS=y
BR2_PACKAGE_SNOOZE=y
EOF
make olddefconfig
make snooze
```
The error doesn't occur on external toolchains.
The `#include <sys/auxv.h>` was orinally included in the initial commit
(see [1]) to use the `getauxval` function declaration. This function
usage has since been removed in commit [2].
This patch removes the include that is no longer needed.
[1] 5648088197
[2] 610e6b35ec
Fixes: https://autobuild.buildroot.org/results/aec/aec463f87094a47ee059113f08e8ee3604dcea9b
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Reviewed-by: J. Neuschäfer <j.ne@posteo.net>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit a00151af54)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building tini with musl libc, the following error occurs dur to
missing declaration of 'basename':
```
/home/buildroot/instance-0/output-1/build/tini-0.19.0/src/tini.c: In function 'print_usage':
/home/buildroot/instance-0/output-1/build/tini-0.19.0/src/tini.c:227:36: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
| ^~~~~~~~
make: *** [package/pkg-generic.mk:273: /home/buildroot/instance-0/output-1/build/tini-0.19.0/.stamp_built] Error 1
make: Leaving directory '/home/buildroot/instance-0/buildroot'
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_TINI=y
EOF
make olddefconfig
make tini
```
This patch adds the upstream commit [1], that fixes this issue by
including `libgen.h`.
[1] 924c4bd602
Fixes: https://autobuild.buildroot.org/results/f0d/f0d10cd25f3b0e2a4af7266f7417b339ea5d242a
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 064f7592d3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The php-pecl-dbus encouters two build issues in both buildroot 2025.02.x
and master branch, both related to PHP8 and GCC14:
/home/alexis/src/buildroot/php/build/php-pecl-dbus-b147624d480c3353e6c700e9a2d0c6f14d853941/dbus.c:465:56:
error: assignment to ‘zend_object_get_properties_t’ {aka ‘struct
_zend_array * (*)(struct _zend_object *)’} from incompatible pointer
type ‘HashTable * (*)(zval *)’ {aka ‘struct _zend_array * (*)(struct
_zval_str
uct *)’} [-Wincompatible-pointer-types]
465 | dbus_object_handlers_dbus_array.get_properties =
dbus_array_get_properties;
| ^
[...]
The build failure can be reproduced with this minimal defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_NEON=y
BR2_ARM_ENABLE_VFP=y
BR2_ARM_FPU_NEON=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_PHP=y
BR2_PACKAGE_PHP_PECL_DBUS=y
This build failure is the result of two events/conditions:
- the update to PHP8 has changed the prototype for
zend_object_read_property_t and zend_hash_get_current_key(see [1]).
But at this time, php-dbus just generated a new warning
(-Wincompatible-pointer-types)
- using bootlin bleeding-edge toolchain brings in GCC14, which now turns
this warning into a systematic error (see [2])
Bring the relevant patches to fix this build.
The first patch comes from an already opened PR on the upstream source.
The second patch has been written during the build failure
investigation, and has been sent upstream as well.
Fixes: https://autobuild.buildroot.net/results/e9892bbefa781b403fd3d834b6c48527c8e078ba
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 0ae37b712f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
All Go packages must depend on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS,
which ensures that we do have a Go compiler available for that target.
BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS is currently restricted to the
availability of a full host Go compiler bootstrap. However, there are
architectures like AArch64 for which a full bootstrap is not supported.
Thus, currently, on an AArch64 host, we can't build Go packages (for
target or host), because we can't bootstrap a Go compiler.
However, note that a single Go compiler can generate code for all the
architectures supported by Go and for some host architectures, there are
pre-built toolchains available. When host-go-bin was added in commit
7b2a164b74 ("package/go/go-bin: new host-go provider"), the host
dependency was properly accounted for: It is already possible to build
host-go packages with go-bin. However, the fact that a Go compiler, in
addition to its native target, can also generate code for all supported
architectures, was missed at the time.
Thus, we can fix this problem by relaxing the condition under which
BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS is set to allowing go-bin
along with go-bootstrap. This allows a situation where the host can't
bootstrap, but for which there is a pre-built toolchain to build Go
packages for a supported target.
Signed-off-by: Florian Larysch <fl@n621.de>
Cc: Yann E. MORIN <yann.morin@orange.com>
Cc: Romain Naour <romain.naour@smile.fr>
Reviewed-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 432cf9be9f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When a br2-external tree has no defconfig, list-defconfig currently
whines with an error from find:
find: ‘[...]/my-external/configs’: No such file or directory
Fix that by only running find if the directory exists.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 117ccb6cc4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When a br2-external tree description contains an odd number of single
quotes, list-defconfigs will fail with a shell error message:
/bin/sh: -c: line 1: unexpected EOF while looking for matching `"'
make[1]: *** [Makefile:1243: list-defconfigs] Error 2
Whoever wrote that code will have to write this sentence 100 times
on the blackboard:
Never, ever pass user-provided data in a printf format.
(see commit 49117c1028 (core: support description for br2-external
trees); dang, I knew it... And I should have known better when I wrote
that code, damit...)
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 161d7ded43)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building the libapparmor package with musl the following error
would appear:
```
test_multi.c: In function 'main':
test_multi.c:27:30: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
27 | printf("File: %s\n", basename(argv[1]));
| ^~~~~~~~
test_multi.c:27:24: warning: format '%s' expects argument of type 'char *', but argument 2 has type 'int' [-Wformat=]
27 | printf("File: %s\n", basename(argv[1]));
| ~^ ~~~~~~~~~~~~~~~~~
| | |
| | int
| char *
| %d
make[3]: *** [Makefile:466: test_multi_multi-test_multi.o] Error 1
```
This error can be reproduced with the following:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_LIBAPPARMOR=y
EOF
make olddefconfig
make libapparmor
```
On musl libc the function `basename` is provided by included libgen.h.
This error has been addressed upstream in [1] by re-defining the
function `basename`.
[1] 7fb040bde6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: drop unrelated AUTORECONF change]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2640f5dcd0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following vulnerability:
- CVE-2025-8177
A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as
critical. This issue affects the function setrow of the file
tools/thumbnail.c. The manipulation leads to buffer overflow. An
attack has to be approached locally. The patch is named
e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a
patch to fix this issue. This vulnerability only affects products that
are no longer supported by the maintainer.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-8177
- https://gitlab.com/libtiff/libtiff/-/merge_requests/737
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3db725d71d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following vulnerability:
- CVE-2025-8176
A vulnerability was found in LibTIFF up to 4.7.0. It has been declared
as critical. This vulnerability affects the function get_histogram of
the file tools/tiffmedian.c. The manipulation leads to use after free.
The attack needs to be approached locally. The exploit has been
disclosed to the public and may be used. The patch is identified as
fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a
patch to fix this issue.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-8176
- https://gitlab.com/libtiff/libtiff/-/merge_requests/727
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b3974df966)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
On my laptop (i5-8365U), running cross-tesseract-ocr in QEMU takes
longer than the default timeout (5s), causing the test to fail:
# time tesseract frame10.png output
Error in pixReadMemTiff: function not present
Error in pixReadMem: tiff: no pix returned
Error in pixaGenerateFontFromString: pix not made
Error in bmfCreate: font pixa not made
Estimating resolution as 157
real 0m 8.17s
user 0m 5.36s
sys 0m 2.79s
So extend the assertRunOk() timeout with ~2x that similar to how it is done
for the gst-launch-1.0 pipeline.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c897f16a98)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This patch corrects the spelling of 'Xilinx' in the help menu for the
qemu package.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit bd5faa8a24)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Back in commit
44a6b7866c ("configs/qemu_sh4*: switch
to initramfs"), the Qemu SuperH defconfigs were switched to initramfs
due to a bug in the Qemu disk emulation.
However, the initramfs solution has an issue: if the initramfs is
slightly too large (like just 6 MB!), the system no longer boots.
Since the disk emulation problem has apparently been resolved in Qemu
10 (according to testing), let's switch back to this.
In addition to essentially reverting
44a6b7866c, we also need to adjust the
kernel configuration so that the kernel takes its command line for the
bootloader (in our case from the Qemu -append option). Otherwise an
hardcoded command line is used, which doesn't mount /dev/sda as the
root filesystem.
This update has been tested on Gitlab CI:
https://gitlab.com/tpetazzoni/buildroot/-/pipelines/1968267919
Thanks to Romain Naour for pointing to the initramfs size as being the
issue.
Cc: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5edce69188)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-8194
There is a defect in the CPython “tarfile” module affecting the
“TarFile” extraction and entry enumeration APIs. The tar
implementation would process tar archives with negative offsets
without error, resulting in an infinite loop and deadlock during the
parsing of maliciously crafted tar archives. This vulnerability can
be mitigated by including the following patch after importing the
“tarfile” module:
https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-8194
- c9d9f78feb
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issues:
GNUTLS-SA-2025-07-08-1 CVE-2025-32989
Severity Medium; Heap read buffer overflow
When an X.509 certificate contains an SCT (signed certificate timestamp)
extension and its length field is malformed, the library could read the memory
buffer past the boundary. The issue was reported in the issue tracker as
<https://gitlab.com/gnutls/gnutls/-/issues/1695>.
------------------------------------------------------------------------------
GNUTLS-SA-2025-07-08-2 CVE-2025-32988
Severity Low; Memory corruption on error path
When any error occurs during exporting a certificate with an otherName in the
SAN (subject alternative name) extension, the library could potentially double
free the ASN.1 structure. The issue was reported in the issue tracker as
<https://gitlab.com/gnutls/gnutls/-/issues/1694>.
------------------------------------------------------------------------------
GNUTLS-SA-2025-07-08-3 CVE-2025-32990
Severity Low; Heap write buffer overflow
When the certtool program is invoked with a template file with a number of
string pairs for a single keyword, a NULL pointer could be written past the
memory boundary. The issue was reported in the issue tracker as
<https://gitlab.com/gnutls/gnutls/-/issues/1696>.
------------------------------------------------------------------------------
GNUTLS-SA-2025-07-08-4 CVE-2025-6395
Severity Medium; Denial of service
When a TLS 1.3 handshake involves a Hello Retry Request and the second
Client Hello omits the PSK which was present in the first Client Hello,
the GnuTLS server can dereference a NULL pointer. The issue was reported
in the issue tracker as <https://gitlab.com/gnutls/gnutls/-/issues/1718>.
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 16d4159d44)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add options to customize the project name and version in the generated SBOM
metadata and set buildroot generate-cyclonedx as a tool in the metadata
section.
Signed-off-by: Fabien Lehoussel <fabien.lehoussel@smile.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9cbbc47762)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The ecvt(), fcvt(), and gcvt() functions from stdlib.h, used by the SIO
library packaged with the xinetd sources, are masked by _GNU_SOURCE in
musl libc.
Signed-off-by: Aaron Sierra <aaron@bubbl-tek.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2982fac48e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
With gcc bump to version 14.3.0 in [1]. The gcc-bare-metal version
was not aligned to the same version which led to the following error in
the autobuilder:
```
make[1]: Leaving directory '/workdir/instance-0/output-1/build/host-mpc-1.3.1'
ERROR: No hash found for gcc-14.2.0.tar.xz
make: *** [package/pkg-generic.mk:179: /workdir/instance-0/output-1/build/host-gcc-bare-metal-14.2.0/.stamp_downloaded] Error 1
```
This patch align gcc-bare-metal with the version of gcc 14.
[1] 1e8c1e0ef0 package/gcc: update to 14.3.0
Fixes: https://autobuild.buildroot.org/results/3a2/3a228e885cb04e0c91eee470f9622e0e44eec3d7
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This reverts commit ab7297f3c1.
It was mistakenly applied but the error described doesn't apply on the
LTS branch.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CVE-2025-3277 as been marked as a duplicate of CVE-2025-29087 by the
debian security tracker [1].
The CVE-2025-29087 has already been fixed in commit [2] so this patch
adds CVE-2025-3277 to the ignored CVEs.
[1] https://security-tracker.debian.org/tracker/CVE-2025-3277
[2] 835b5659ea package/sqlite: add patch to fix CVE-2025-29087
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 014174f00d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-6170
A flaw was found in the interactive shell of the xmllint command-line
tool, used for parsing XML files. When a user inputs an overly long
command, the program does not check the input size properly, which can
cause it to crash. This issue might allow attackers to run harmful
code in rare configurations without modern protections.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-6170
- c340e41950
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c68a14d73a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2024-8947
A vulnerability was found in MicroPython 1.22.2. It has been declared
as critical. Affected by this vulnerability is an unknown functionality
of the file py/objarray.c. The manipulation leads to use after free.
The attack can be launched remotely. The complexity of an attack is
rather high. The exploitation appears to be difficult. Upgrading to
version 1.23.0 is able to address this issue. It is recommended to
upgrade the affected component. In micropython objarray component, when
a bytes object is resized and copied into itself, it may reference
memory that has already been freed.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-8947
- 4bed614e70
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1fc0e90450)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2024-40897
Stack-based buffer overflow vulnerability exists in orcparse.c of ORC
versions prior to 0.4.39. If a developer is tricked to process a
specially crafted file with the affected ORC compiler, an arbitrary
code may be executed on the developer's build environment. This may
lead to compromise of developer machines or CI build environments.
https://www.cve.org/CVERecord?id=CVE-2024-40897
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-40897
- fb7db9ae3e
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2f7afa54ce)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] introduced an Armv7 test case for Xen named TestXenArmv7,
next to the original Aarch64 test case which was simply named TestXen.
The test list shows, for example with the command
"support/testing/run-tests -l":
tests.package.test_xen.TestXen
tests.package.test_xen.TestXenArmv7
In order to make this test list a bit more explicit, this commit
renames the TestXen to TestXenAarch64. With that change, the list
becomes:
tests.package.test_xen.TestXenAarch64
tests.package.test_xen.TestXenArmv7
[1] 5346824a83
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d15ffdfda7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For a long while now, we only support building GCC >= 8.x, so the
dependency of BR2_GCC_ENABLE_GRAPHITE on GCC >= 5.x is useless, drop
it, together with the corresponding Config.in comment.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b5f14d65cb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The libcilkrts library was removed from gcc 8.x, and gcc 8.x is the
oldest version we allow building (to still support PowerPC SPE). So it
means the BR2_GCC_SUPPORTS_LIBCILKRTS is basically dead code because:
default y if !BR2_TOOLCHAIN_GCC_AT_LEAST_8
Will never evaluate to 'y' in current Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 62e784cb97)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The hash for the GCC 10.4.0 tarball should have been removed a long
time ago, when support for GCC 10.x has been removed.
Fixes: d37a8f3a2e ("package/gcc: remove gcc 10.x")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5fd75bfb02)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
With gcc 15-20241117 compile fails with the below error, update the
do_version declaration to match the header in command.h
../../parted/parted.c: In function '_init_commands':
../../parted/parted.c:2469:9: error: passing argument 2 of 'command_create' from incompatible pointer type [-Wincompatible-pointer-types]
2469 | do_version,
| ^~~~~~~~~~
| |
| int (*)(void)
In file included from ../../parted/parted.c:28:
../../parted/command.h:35:39: note: expected 'int (*)(PedDevice **, PedDisk **)' {aka 'int (*)(struct _PedDevice **, struct _PedDisk **)'} but argument is of type 'int (*)(void)'
35 | int (*method) (PedDevice** dev, PedDisk** diskp),
| ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Upstream: https://cgit.git.savannah.gnu.org/cgit/parted.git/commit/?id=16343bda6ce0d41edf43f8dac368db3bbb63d271
Fixes:
https://autobuild.buildroot.org/results/283f52d50ffef91d82a1bdc1f4dde1d54c5ffc23/build-end.log
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 14b5a19486)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Starting GCC14 'implicit-function-declaration' are treated as errors by
default. When building kvmtool with musl libc, the following error
occurs due to missing declaration of 'basename':
```
vfio/core.c:537:22: error: implicit declaration of function ‘basename’ [-Wimplicit-function-declaration]
537 | group_name = basename(group_path);
| ^~~~~~~~
vfio/core.c:537:22: warning: nested extern declaration of ‘basename’ [-Wnested-externs]
vfio/core.c:537:20: error: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
537 | group_name = basename(group_path);
| ^
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_KVMTOOL=y
EOF
make olddefconfig
make kvmtool
```
This patch adds the upstream commit that fixes this issue by including
the appropriate header, ensuring compatibility with musl and GCC14.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cec0acc84d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a TestXenArmv7 class with its related files in an arm/ subfolder
under test_xen/, to test Xen on 32-bit Arm v7.
We cannot boot with UEFI in this case; we use a custom U-Boot script,
which creates the Xen configuration Devicetree during boot.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5346824a83)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In preparation of adding a test for Xen on 32-bit Arm v7:
- Introduce an architecture-agnostic TestXenBase class where we move
most of the Xen test scenario and bits of the configuration.
- Re-organise the test_xen/ folder with the architecture-agnostic files
under common/ and the 64-bit Arm specific files under aarch64/.
Make the 64-bit Arm TestXen class inherit from the base class and leave
in there only the architecture-specific parts:
- The 64-bit Arm configuration bits.
- The test function, which passes the proper 64-bit Arm simulator
options to the generic test function.
No functional change intended.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a6f0d33c87)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit a954d39a58 ("package/chartjs: bump to version 3.9.1") updated the
package version and the license file hash, but also changed the path to
the license file in the hash file. However, the path to the license file
hasn't changed, causing an error during "make legal-info". Revert the
path change.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 353745e095)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since its introduction in commit [1], avrdude has a post install
target hook removing a backup configuration file.
Commit [2] updated avrdude to version 7.1 and switch to the
cmake infra.
CMake recipe doesn't create a backup of the avrdude.conf.
This commit removes this hook which is no longer needed.
[1] dc776f0d05
[2] f89f3787a0
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 51cf8e5663)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
lib/long-options.c failed to compile with musl for the same reason
0002-lib-long-options.c-include-stdlib.h.patch was added to fix,
exit() being undefined. The fix is the same as well: include stdlib.h.
Fixes: b6784a1f1f ("package/lrzsz: fix build with GCC >= 14.x")
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 54240460dc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://github.com/encode/starlette/releases/tag/0.47.2
This fixes the following vulnerability:
- CVE-2025-54121:
Starlette is a lightweight ASGI (Asynchronous Server Gateway
Interface) framework/toolkit, designed for building async web services
in Python. In versions 0.47.1 and below, when parsing a multi-part
form with large files (greater than the default max spool size)
starlette will block the main thread to roll the file over to disk.
This blocks the event thread which means the application can't accept
new connections. The UploadFile code has a minor bug where instead of
just checking for self._in_memory, the logic should also check if the
additional bytes will cause a rollover. The vulnerability is fixed in
version 0.47.2.
https://www.cve.org/CVERecord?id=CVE-2025-54121
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add link to release note]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8945ea3e67)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
A recent commit introduced a few lines that were indented with spaces
rather than a tab. Rectify this.
Fixes: 00b30f887a ("toolchain-wrapper.c: get rid of EXCLUSIVE_ARGS")
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5e4cb7607b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository [0]
rtl8821au since Larry unfortunately passed away[1](RIP) and there are
pending PRs that will never be checked as stated here. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And of course let's update
package's URL due to the moving.
[0]: https://github.com/lwfinger/rtl8812au/issues/32
[1]: https://lwn.net/Articles/979419/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2dd7a4a374)
[thomas: only change the upstream]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository [0]
rtl8723ds since Larry unfortunately passed away[1](RIP) and there are
pending PRs that will never be checked as stated here. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And let's drop local patches
that are now upstreamed as well. And of course let's update package's
URL due to the moving.
[0]: https://github.com/lwfinger/rtl8723ds/issues/53
[1]: https://lwn.net/Articles/979419/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 54ee4a71c0)
[thomas: only change the upstream]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository
rtl8723bu since Larry unfortunately passed away[0](RIP) and there are
pending PRs that will never be checked as stated here[1]. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And of course let's update
package's URL due to the moving.
[0]: https://lwn.net/Articles/979419/
[1]: https://github.com/lwfinger/rtl8723bu/issues/206
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d1fc513da7)
[thomas: only change the upstream]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository
rtl8188eu since Larry unfortunately passed away[0](RIP) and there are
pending PRs that will never be checked as stated here[1]. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And let's drop local patches
that are now upstreamed as well. Let's also drop obsolete Config.in
informations since as stated here[2]: "This driver is under development
and has a limited feature set. In particular it does not yet support 40MHz
channels and power management". At the same time drop other suggestions
like enabling CONFIG_WIRELESS_EXT or "this package needs a firmware loading
mechanism to load the binary blob for the chip to work" since they are now
part of the package. And of course let's update package's URL due to the
moving.
[0]: https://lwn.net/Articles/979419/
[1]: https://github.com/lwfinger/rtl8188eu/pull/464
Fixes:
https://autobuild.buildroot.org/results/d59537da8eb27d737718885dc81ec257a2791455/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a9c5dc024a)
[Thomas: only change upstream]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Rather than having a hard coded amount of exclusive args (with the risk of
overflow when new logic is added), simplify the argument buffer allocation
logic to always allocate room for DEFAULT_MAX_ARGS (1024) arguments and just
realloc to grow for the rare situation where that is not enough.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 00b30f887a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
C99 section 5.1.2.2.1p2 mandates that:
- argv[argc] shall be a null pointer.
https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf
So we might as well copy the null pointer along in the memcpy() rather than
copy everything up to the null pointer and then add one afterwards for
simplicity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6b8ffbf97b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Systemd support for the RAUC hawkbit updater was added in
4aa7a4ad8a (package/rauc-hawkbit-updater: add systemd optional dependency, 2024-07-10)
This installs the RAUC hawkbit updater service, which executes as user
"rauc-hawkbit" [1], which doesn't exist by default.
[1] 2711c0e027/script/rauc-hawkbit-updater.service
Signed-off-by: Gero Schwäricke <gero.schwaericke@sevenlab.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 69b2777291)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Nftables should be preferred over iptables if available, which
NetworkManager will do if both paths are set.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7c8cca9baa)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release notes since version 5.4.3, see:
https://github.com/assimp/assimp/releases
This fixes the following vulnerabilities:
- CVE-2025-2750:
A vulnerability, which was classified as critical, was found in Open
Asset Import Library Assimp 5.4.3. This affects the function
Assimp::CSMImporter::InternReadFile of the file
code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
manipulation leads to out-of-bounds write. It is possible to initiate
the attack remotely. The exploit has been disclosed to the public and
may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2750
- CVE-2025-2751:
A vulnerability has been found in Open Asset Import Library Assimp
5.4.3 and classified as problematic. This vulnerability affects the
function Assimp::CSMImporter::InternReadFile of the file
code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
manipulation of the argument na leads to out-of-bounds read. The
attack can be initiated remotely. The exploit has been disclosed to
the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2751
- CVE-2025-2757:
A vulnerability classified as critical was found in Open Asset Import
Library Assimp 5.4.3. This vulnerability affects the function
AI_MD5_PARSE_STRING_IN_QUOTATION of the file
code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The
manipulation of the argument data leads to heap-based buffer overflow.
The attack can be initiated remotely. The exploit has been disclosed
to the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2757
- CVE-2025-3158:
A vulnerability, which was classified as critical, has been found in
Open Asset Import Library Assimp 5.4.3. Affected by this issue is the
function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of the file
code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File Handler.
The manipulation leads to heap-based buffer overflow. It is possible
to launch the attack on the local host. The exploit has been disclosed
to the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-3158
Also, drop local security patches that have been applied upstream
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to relase notes]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3c312f149b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This is a security release of the Long Term Support branch, see release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4
Also update the download location, because upstream changed the tag naming
scheme from v<...> to mbedtls-<...>
This fixes the following vulnerabilities:
- CVE-2025-47917
Fix possible use-after-free or double-free in code calling
mbedtls_x509_string_to_names(). This was caused by the function calling
mbedtls_asn1_free_named_data_list() on its head argument, while the
documentation did no suggest it did, making it likely for callers relying
on the documented behaviour to still hold pointers to memory blocks after
they were free()d, resulting in high risk of use-after-free or double-free,
with consequences ranging up to arbitrary code execution.
In particular, the two sample programs x509/cert_write and x509/cert_req
were affected (use-after-free if the san string contains more than one DN).
Code that does not call mbedtls_string_to_names() directly is not affected.
- CVE-2025-48965
Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
an item in the output list in an inconsistent state with val.p == NULL but
val.len > 0. This impacts applications that call this function directly,
or indirectly via mbedtls_x509_string_to_names() or one of the
mbedtls_x509write_{crt,csr}set{subject,issuer}_name() functions. The
inconsistent state of the output could then cause a NULL dereference either
inside the same call to mbedtls_x509_string_to_names(), or in subsequent
users of the output structure, such as mbedtls_x509_write_names(). This
only affects applications that create (as opposed to consume) X.509
certificates, CSRs or CRLs, or that call mbedtls_asn1_store_named_data()
- CVE-2025-49087
Fix a timing side channel in the implementation of PKCS#7 padding
which would allow an attacker who can request decryption of arbitrary
ciphertexts to recover the plaintext through a timing oracle attack.
- CVE-2025-49600:
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid
signatures if hash computation fails and internal errors go unchecked,
enabling LMS (Leighton-Micali Signature) forgery in a fault scenario.
Specifically, unchecked return values in mbedtls_lms_verify allow an
attacker (who can induce a hardware hash accelerator fault) to bypass
LMS signature verification by reusing stale stack data, resulting in
acceptance of an invalid signature. In mbedtls_lms_verify, the return
values of the internal Merkle tree functions create_merkle_leaf_value
and create_merkle_internal_value are not checked. These functions
return an integer that indicates whether the call succeeded or not. If
a failure occurs, the output buffer (Tc_candidate_root_node) may
remain uninitialized, and the result of the signature verification is
unpredictable. When the software implementation of SHA-256 is used,
these functions will not fail. However, with hardware-accelerated
hashing, an attacker could use fault injection against the accelerator
to bypass verification.
https://www.cve.org/CVERecord?id=CVE-2025-49600
- CVE-2025-49601:
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not
check that the input buffer is at least 4 bytes before reading a
32-bit field, allowing a possible out-of-bounds read on truncated
input. Specifically, an out-of-bounds read in
mbedtls_lms_import_public_key allows context-dependent attackers to
trigger a crash or limited adjacent-memory disclosure by supplying a
truncated LMS (Leighton-Micali Signature) public-key buffer under four
bytes. An LMS public key starts with a 4-byte type indicator. The
function mbedtls_lms_import_public_key reads this type indicator
before validating the size of its input.
https://www.cve.org/CVERecord?id=CVE-2025-49601
- CVE-2025-52496:
Mbed TLS before 3.6.4 has a race condition in AESNI detection if
certain compiler optimizations occur. An attacker may be able to
extract an AES key from a multithreaded program, or perform a GCM
forgery.
https://www.cve.org/CVERecord?id=CVE-2025-52496
- CVE-2025-52497:
Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer
underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse
functions, via untrusted PEM input.
https://www.cve.org/CVERecord?id=CVE-2025-52497
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: fix upstream hash URL in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 24639e0f72)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since python-cython bump to 3.1.2 in commit [1], python-dbus-fast
is failing to build.
Set --skip-dependency-check as dbus-fast specifies an unnecessarily
strict maximum cython version.
Fixes:
ERROR Missing dependencies:
Cython<3.1.0,>=3
[1] b536caaec0
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: add reference to buildroot commit introducing the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f38d4e63d7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The previous url pointed to an unrelated but similarly named project.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 90fdb03f47)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libcddb fail to build with gcc-14 with error:
cddb_net.c: In function 'timeout_connect':
cddb_net.c:328:63: error: passing argument 5 of 'getsockopt' from incompatible pointer type [-Wincompatible-pointer-types]
328 | getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &rv, &l);
| ^~
| |
| size_t * {aka long unsigned int *}
This commit adds a patch to fix the issue.
Fixes:
https://autobuild.buildroot.net/results/723/7236cf5fd4f33aabd3178586f877dff04d754abe/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add error message in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f1b4657bc0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-53643:
In aiohttp prior to version 3.12.14, the Python parser is vulnerable
to a request smuggling vulnerability due to not parsing trailer
sections of an HTTP request. If a pure Python version of aiohttp is
installed (i.e. without the usual C extensions) or
AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to
execute a request smuggling attack to bypass certain firewalls or
proxy protections. Version 3.12.14 contains a patch for this issue.
https://www.cve.org/CVERecord?id=CVE-2025-53643
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit e4451602eb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Via the docker-compose runtime test, we can exercise the full suite of
the docker-related packages: docker-compose, of course, but also
docker-engine, which in turn allows exercising containerd. The latter
by defualt uses runc as the container runtime, but can alternatively use
crun.
Extend the docker-compose runtime test with a variant that enables crun.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 34e4480950)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building libesmtp on the autobuilder with gcc-14, the
following error occurs:
/workdir/instance-0/output-1/per-package/libesmtp/host/bin/arc-linux-gcc -Ilibesmtp.so.6.2.0.p -I. -I.. -I/workdir/instance-0/output-1/per-package/libesmtp/host/arc-buildroot-linux-gnu/sysroot/usr/include -fdiagnostics-color=always -Wall -Winvalid-pch -std=c11 -O3 -D_POSIX_C_SOURCE=200809L -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ libesmtp.so.6.2.0.p/smtp-api.c.o -MF libesmtp.so.6.2.0.p/smtp-api.c.o.d -o libesmtp.so.6.2.0.p/smtp-api.c.o -c ../smtp-api.c
../smtp-api.c: In function 'smtp_version':
../smtp-api.c:1183:7: error: implicit declaration of function 'strlcpy'; did you mean 'strncpy'? [-Wimplicit-function-declaration]
1183 | if (strlcpy (buf, v, len) > len)
| ^~~~~~~
| strncpy
This error has been fixed upstream in commit [1], but no new release
has been made since.
This patch update the package version to fetch the latest upstream
commit v1.1.0-14-g335ee8d.
For the changes, see:
- https://github.com/libesmtp/libESMTP/compare/v1.1.0...335ee8d2fa5cb7d30db7b818ec05563ad139ee2f
[1] 972eb54749
Fixes: https://autobuild.buildroot.org/results/ced/ceda012506edccda1727904eb3327017b07e27d8
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien:
- mention gcc-14 as the root cause of the build failure
- use "git describe --tags --abbrev=40" format in _VERSION
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 84077c7776)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In Buildroot 2025.02, the vendor specific kernel version used for the
rapsberrypi5 does not yet include any dts named bcm2712-rpi-500.dts, which
results in a build error.
This reverts commit fa0ee12fcc, which was
mistakenly cherry picked regardless of the needed vendor kernel version bump.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Needed for kodi 22.x.
Added build fix for >= gcc-13.
Switched build system to cmake following upstream:
13683c56e5
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: use "git describe --tags --abbrev=40" format for _VERSION]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c61d7d61b1)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Minimum python version is now 3.9, but also it's not really relevant to
mention this in the package description.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8d1d851d78)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Currently, both BR2_TARGET_ROOTFS_EROFS_ALL_FRAGMENTS and
BR2_TARGET_ROOTFS_EROFS_FRAGMENTS have the same Kconfig prompt, making
them hard to distinguish.
Reword the one for -Eall-fragments to be distinct.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit df7e428cf5)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The error appears on autobuilder with the build using GCC14:
FAILED: ncmpc.p/src_Styles.cxx.o
In file included from ../src/Styles.cxx:7:
/home/buildroot/instance-0/output-1/host/microblazeel-buildroot-linux-gnu/sysroot/usr/include/libintl.h:39:14: error: expected unqualified-id before 'const'
39 | extern char *gettext (const char *__msgid)
| ^~~~~~~
/home/buildroot/instance-0/output-1/host/microblazeel-buildroot-linux-gnu/sysroot/usr/include/libintl.h:39:14: error: expected ')' before 'const'
../src/i18n.h:22:20: note: to match this '('
22 | #define gettext(x) (x)
| ^
[80/102] Compiling C++ object ncmpc.p/src_xterm_title.cxx.o
[81/102] Compiling C++ object ncmpc.p/src_db_completion.cxx.o
[82/102] Compiling C++ object ncmpc.p/src_signals.cxx.o
ninja: build stopped: subcommand failed.
make: *** [package/pkg-generic.mk:273: /home/buildroot/instance-0/output-1/build/ncmpc-0.49/.stamp_built] Error 1
make: Leaving directory '/home/buildroot/instance-0/buildroot'
Starting GCC14 the C++ standard library includes libintl.h that contains
a definition of gettext which caused a clash with the definition present
in ncmpc. This patch resolved this build error seen in [1] by
backporting an upstream commit [2] that renamed the internal gettext
implementation.
Applying the commits of [2], fixes the build error [1].
[1] https://autobuild.buildroot.org/results/cb2/cb292f2c99cdca742a8f52dbfc25f193fe513c6e/build-end.log
[2] 249b62fc9f
Fixes: https://autobuild.buildroot.org/results/cb2/cb292f2c99cdca742a8f52dbfc25f193fe513c6e/build-end.log
Signed-off-by: Tim Soubry <tim.soubry@mind.be>
[Julien:
- mention gcc-14 in commit title
- remove patch numbering to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a52269e221)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
It was removed from eudev with version 1.5.1, when introspection
became part of the gudev option [1]. This has in turn been removed and
replaced by package/libgudev, yet somehow the flag stayed. Remove it
to remove a warning during configure stage.
[1] d5d6a7f304
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 993c0ba460)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The following build error is happening on the autobuilder:
```
arg_int.c:60:12: error: implicit declaration of function 'isspace' [-Wimplicit-function-declaration]
60 | while (isspace(*ptr))
| ^~~~~~~
arg_int.c:33:1: note: include '<ctype.h>' or provide a declaration of 'isspace'
32 | #include <limits.h>
+++ |+#include <ctype.h>
33 |
arg_int.c:89:8: error: implicit declaration of function 'toupper' [-Wimplicit-function-declaration]
89 | if (toupper(*ptr++)!=toupper(X))
| ^~~~~~~
arg_int.c:89:8: note: include '<ctype.h>' or provide a declaration of 'toupper'
```
Both `isspace` and `toupper` are declared in the `ctype.h` header.
This build error started to happen with gcc-14.
The `ctype.h` include was added in a later upstream commit.
This patch adds that upstream commit and strip everything else to only
patch that include.
Fixes: https://autobuild.buildroot.org/results/d38/d38e3e12f52c3fde08ab446ca14a1a7bd65c9469//
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add comment about gcc-14]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cd6f2b465b)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since the version bump of sudo to 1.9.17p1 [1], the sed command in
SUDO_ENABLE_SUDO_GROUP_RULE no longer matches the the line in the
example sudoers file shipped with the sudo package. This is due to
upstream commit [2].
This commit fixes the regexp to match the new sudoers file.
[1] ee86844e63
[2] 7c121ff834
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add link to upstream commit introducing the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 35708db024)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since the mbedtls bump to v3.6 [1] the libiec61850 package is failling
on the autobuilder with the following error:
```
[ 2%] Building C object hal/CMakeFiles/hal.dir/tls/mbedtls/tls_mbedtls.c.o
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c: In function 'compareCertificates':
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c:122:17: error: 'mbedtls_x509_crt' has no member named 'sig'
122 | if (crt1->sig.len == crt2->sig.len)
| ^~
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c:122:34: error: 'mbedtls_x509_crt' has no member named 'sig'
122 | if (crt1->sig.len == crt2->sig.len)
| ^~
...
```
The logic to support mbedtls v3 is already present on the version
present in buildroot.
This patch ensures that the CMake build uses the mbedtls headers and
libraries provided by buildroot rather than the bundled copy.
By setting the following variable the mbedtls v3.6 is correctly found
during the configuration of the package.
```
Found mbedtls 3.6 -> can compile HAL with TLS 1.3 support
```
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
Fixes: https://autobuild.buildroot.org/results/5fc/5fca384510d2fb9dd1d01736dee34b53339d62ff/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 30fc97c2c5)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since [1] when trying to build this package with mbedtls v3.6 the
following error is happening:
```
player.h:12:10: fatal error: mbedtls/havege.h: No such file or directory
12 | #include <mbedtls/havege.h>
| ^~~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_SHAIRPORT_SYNC=y
EOF
make olddefconfig
make
```
This patch backport the upstream commit [2] that add support for
mbedtls v3.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] d73b585c6f
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d53f8f2691)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since the mbedtls bump to v3.6 [1] the ustream-ssl package is failling
on the autobuilder with the following error:
```
In file included from /home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-internal.h:25,
from /home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-ssl.c:25:
/home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-mbedtls.h:24:10: fatal error: mbedtls/certs.h: No such file or directory
24 | #include <mbedtls/certs.h>
| ^~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_USTREAM_SSL=y
EOF
make olddefconfig
make
```
This patch backport upstream commit that address the compatibility with
mbedtls v3.6.
- [2] rename the `_random` function used by the mbedtls functions
- [3] update `mbedtls_pk_parse_keyfile` function to support new mbedtls
definition and use `mbedtls_pk_get_type`.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 0001-ustream-mbedtls-use-getrandom-instead-of-dev-urandom.patch
[3] 0002-ustream-mbedtls-add-compatibility-with-mbed-tls-3-0-0.patch
Fixes: https://autobuild.buildroot.org/results/c20/c20dac7cbe5def2c6036d2e1d06de0bfea68b57c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d28ae8b00b)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Xen currently fails to build for 32-bit Arm v7 with binutils >= 2.41,
with the following error:
proc-v7.S:33: Error: junk at end of line, first unrecognized character is `#'
The failure can be reproduced with the commands:
cat >.config <<EOF
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_ARM_EABIHF=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_XEN=y
BR2_PACKAGE_XEN_HYPERVISOR=y
BR2_PACKAGE_XEN_TOOLS=y
EOF
make olddefconfig
make xen
Backport a patch from Xen 4.18 plus one patch it depends on to fix the
build.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
[Julien:
- reword commit title
- add commands to reproduce the issue in commit log
- add missing SoB lines to patches
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2c868ca44d)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The patch has been integrated upstream as part of sudo 1.9.16p2, and was
therefore removed from Buildroot in [1]. However, because that change in
Buildroot was not considered as a security bump at that time, it hasn't
been cherry-picked to the 2025.02.x LTS branch.
Later on, sudo issued a new security version, which has been promptly
merged into Buildroot master in [2]. Since this addressed a security issue,
the patch has also been backported into the 2025.02.x LTS branch [3]. The
backport integrated the 2 versions bumps into one change, but the patch
removal was lost in the process.
Fixes: https://autobuild.buildroot.net/results/260/260a8e8da6e459b7c723fbeaeb23fb1fcf0db155//
[1] 969bdb9d2e
[2] ee86844e63
[3] 9bcbbcc37f
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Read the announcement: https://lwn.net/ml/all/xmqq5xg2wrd1.fsf@gitster.g/
This fixes the following vulnerabilities:
- CVE-2025-27613 (Gitk):
When a user clones an untrusted repository and runs Gitk without
additional command arguments, any writable file can be created and
truncated. The option "Support per-file encoding" must have been
enabled. The operation "Show origin of this line" is affected as
well, regardless of the option being enabled or not.
https://www.cve.org/CVERecord?id=CVE-2025-27613
- CVE-2025-27614 (Gitk):
A Git repository can be crafted in such a way that a user who has
cloned the repository can be tricked into running any script
supplied by the attacker by invoking `gitk filename`, where
`filename` has a particular structure.
https://www.cve.org/CVERecord?id=CVE-2025-27614
- CVE-2025-46835 (Git GUI):
When a user clones an untrusted repository and is tricked into
editing a file located in a maliciously named directory in the
repository, then Git GUI can create and overwrite any writable
file.
https://www.cve.org/CVERecord?id=CVE-2025-46835
- CVE-2025-48384:
When reading a config value, Git strips any trailing carriage
return and line feed (CRLF). When writing a config entry, values
with a trailing CR are not quoted, causing the CR to be lost when
the config is later read. When initializing a submodule, if the
submodule path contains a trailing CR, the altered path is read
resulting in the submodule being checked out to an incorrect
location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed
after checkout.
https://www.cve.org/CVERecord?id=CVE-2025-48384
- CVE-2025-48385:
When cloning a repository Git knows to optionally fetch a bundle
advertised by the remote server, which allows the server-side to
offload parts of the clone to a CDN. The Git client does not
perform sufficient validation of the advertised bundles, which
allows the remote side to perform protocol injection.
This protocol injection can cause the client to write the fetched
bundle to a location controlled by the adversary. The fetched
content is fully controlled by the server, which can in the worst
case lead to arbitrary code execution.
https://www.cve.org/CVERecord?id=CVE-2025-48385
- CVE-2025-48386:
The wincred credential helper uses a static buffer (`target`) as a
unique key for storing and comparing against internal storage. This
credential helper does not properly bounds check the available
space remaining in the buffer before appending to it with
`wcsncat()`, leading to potential buffer overflows.
https://www.cve.org/CVERecord?id=CVE-2025-48386
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
(cherry picked from commit 62788e0e49)
[thomas: bumped to v2.48.2 instead]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 1e97b27873 ("ccache: support changing the output directory") added
the CCACHE_BASEDIR logic, but added a comment (presumably from cut'n'paste)
about compilercheck instead, fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f66e4c2568)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the introduction of CMake 4 in several distributions, build errors
started occurring on those distributions for cmake packages that
included calls to cmake_minimum_required() or cmake_policy() with a
version older than 3.50 (see [1]).
To avoid backporting numerous individual fixes for affected packages,
commit [2] was previously applied to the LTS branch as a workaround.
Following further discussion (see [2][3]), that raised concerns about
policy changes between CMake versions that could lead to breaking builds
in non-obvious ways, a different approach was chosen.
This patch reverts commit [2] and instead of applying a global
compatibility variable, we now enforce building host-cmake when the host
system provides CMake 4 or newer.
[1] https://cmake.org/cmake/help/latest/release/4.0.html#deprecated-and-removed-features
[2] 70aac2d9e8 package/pkg-cmake.mk: force config version >=3.5
[3] https://lists.buildroot.org/pipermail/buildroot/2025-May/780262.html
[4] https://lists.buildroot.org/pipermail/buildroot/2025-June/780372.html
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the mbedtls bump to v3.6 [1] the libuhttpd fails to build with the
following error:
```
[ 8%] Building C object src/ssl/CMakeFiles/xssl.dir/mbedtls.c.o
.../buildroot/output/build/libuhttpd-3.14.1/src/ssl/mbedtls.c:52:10: fatal error: mbedtls/certs.h: No such file or directory
52 | #include <mbedtls/certs.h>
| ^~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_LIBUHTTPD=y
EOF
make olddefconfig
make
```
The compatibility with mbedtls v3 has been addressed upstream in the
zhaojh329/ssl project included as a submodule of libuhttpd [2].
This patch backport this upstream commit to be applied on the submodule
directory. This required adaptation of the line numbers (see [3]) and
renaming a function reference passed as parameter of
'mbedtls_pk_parse_keyfile' caused by the commit [4].
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 28cc9b5d98
[3] 8092b5a490 (diff-fbc46fa2db83f8649ccf1f46c6a044473b7b228edc7d4c0f7cc04b5a879f6fb7)
[4] 0e7d2f73d7 (diff-fbc46fa2db83f8649ccf1f46c6a044473b7b228edc7d4c0f7cc04b5a879f6fb7R92)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1a8e868623)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the mbedtls bump to v3.6 [1] the bmx7 package is failling on the
autobuilder:
```
/workdir/instance-0/output-1/host/bin/xtensa-buildroot-linux-uclibc-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -mlongcalls -mauto-litpools -Os -g3 -pedantic -W -Wall -Wstrict-prototypes -Wno-unused-parameter -Os -g3 -std=gnu99 -DGIT_REV=\"0\" -DAVL_5XLINKED -DDEBUG_MALLOC -DCORE_LIMIT=20000 -pedantic -W -Wall -Wstrict-prototypes -Wno-unused-parameter -Os -g3 -std=gnu99 -DGIT_REV=\"0\" -DAVL_5XLINKED -DDEBUG_MALLOC -DCORE_LIMIT=20000 -c crypt.c -o crypt.o
crypt.c:66:10: fatal error: mbedtls/compat-1.3.h: No such file or directory
66 | #include "mbedtls/compat-1.3.h"
| ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
```
This patch includes a set of upstream patches that address the
compatibility with the v3.6 of mbedtls.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
Fixes: https://autobuild.buildroot.org/results/b77/b776e34d1c5bc3904ea7138bd6c4ac17a1f0fd34/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c32230fe35)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the mbedtls bump to v3.6 [1] the shadowsocks-libev package is
failling on the autobuilder:
```
checking for mbedtls_cipher_setup in -lmbedcrypto... yes
checking whether mbedtls supports Cipher Feedback mode or not... configure: error: MBEDTLS_CIPHER_MODE_CFB required
make: *** [package/pkg-generic.mk:263: /workdir/instance-0/output-1/build/shadowsocks-libev-3.3.5/.stamp_configured] Error 1
make: Leaving directory '/workdir/instance-0/buildroot'
```
This is due to the breaking changes in the mbedtls API with the version
bump.
This patch adds the upstream patch [2] that address this issue by verifying
conditionally the version of mbedtls we are running on to make the API
calls and includes.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 9afa3cacf9#
Fixes: https://autobuild.buildroot.org/results/070/070581d95f2739cee3b4cb8252639dd92b5a8421
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 78198bc0f3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When SIGINT is issued for a package test run, it will abort the active
toolchain run then proceed to the next. If a user is running the entire
default toolchain set (`-a`), they can be required to invoke SIGINT
multiple times to stop a run.
This commit uses a SIGINT hook to flag a shutdown state and stop further
attempts to run anymore toolchain tests.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8f09106e81)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When running check-package before completing commits for a change, if
any files are setup for removal, check-package will throw
FileNotFoundError exceptions instead of generating a warning state. For
example:
$ utils/docker-run make check-package
Traceback (most recent call last):
...
FileNotFoundError: [Errno 2] No such file or directory: 'package/.../0001-some-removed-patch.patch'
make: *** [Makefile:1264: check-package] Error 1
This commit will now catch FileNotFoundError and populate a warning
message:
$ utils/docker-run make check-package
package/.../0001-some-removed-patch.patch: missing; unstaged file removal?
package/.../0002-another-removed-patch.patch: missing; unstaged file removal?
427843 lines processed
3 warnings generated
make: *** [Makefile:1264: check-package] Error 1
Signed-off-by: James Knight <git@jdknight.me>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c41a06bbd9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Import all security patches from OpenEmbedded for libsoup.
This fixes the following 18 known vulnerabilities:
- CVE-2024-52530:
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some
configurations because '\0' characters at the end of header names are
ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the
same as a "Transfer-Encoding: chunked" header.
https://www.cve.org/CVERecord?id=CVE-2024-52530
- CVE-2024-52531:
GNOME libsoup before 3.6.1 allows a buffer overflow in applications that
perform conversion to UTF-8 in soup_header_parse_param_list_strict.
There is a plausible way to reach this remotely via
soup_message_headers_get_content_type (e.g., an application may want to
retrieve the content type of a request or response).
https://www.cve.org/CVERecord?id=CVE-2024-52531
- CVE-2024-52532:
GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption.
During the reading of certain patterns of WebSocket data from clients.
https://www.cve.org/CVERecord?id=CVE-2024-52532
- CVE-2025-2784:
Libsoup: heap buffer over-read in `skip_insignificant_space`
when sniffing content
https://www.cve.org/CVERecord?id=CVE-2025-2784
- CVE-2025-4476:
Libsoup: null pointer dereference in libsoup may lead to denial of service
https://www.cve.org/CVERecord?id=CVE-2025-4476
- CVE-2025-4948:
Libsoup: integer underflow in soup_multipart_new_from_message() leading to
denial of service in libsoup
https://www.cve.org/CVERecord?id=CVE-2025-4948
- CVE-2025-4969:
Libsoup: off-by-one out-of-bounds read in find_boundary() in soup-multipart.c
https://www.cve.org/CVERecord?id=CVE-2025-4969
- CVE-2025-32050:
Libsoup: integer overflow in append_param_quoted
https://www.cve.org/CVERecord?id=CVE-2025-32050
- CVE-2025-32052:
Libsoup: heap buffer overflow in sniff_unknown()
https://www.cve.org/CVERecord?id=CVE-2025-32052
- CVE-2025-32053:
Libsoup: heap buffer overflows in sniff_feed_or_html() and
skip_insignificant_space()
https://www.cve.org/CVERecord?id=CVE-2025-32053
- CVE-2025-32906:
Libsoup: out of bounds reads in soup_headers_parse_request()
https://www.cve.org/CVERecord?id=CVE-2025-32906
- CVE-2025-32910:
Libsoup: null pointer deference on libsoup via /auth/soup-auth-digest.c
through "soup_auth_digest_authenticate" on client when server omits the
"realm" parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32910
- CVE-2025-32911:
Libsoup: double free on soup_message_headers_get_content_disposition()
through "soup-message-headers.c" via "params" ghashtable value
https://www.cve.org/CVERecord?id=CVE-2025-32911
- CVE-2025-32912:
Libsoup: null pointer dereference in client when server omits the "nonce"
parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32912
- CVE-2025-32913:
Libsoup: null pointer dereference in
soup_message_headers_get_content_disposition when "filename" parameter is
present, but has no value in content-disposition header
https://www.cve.org/CVERecord?id=CVE-2025-32913
- CVE-2025-32914:
Libsoup: oob read on libsoup through function
"soup_multipart_new_from_message" in soup-multipart.c leads to crash or
exit of process
https://www.cve.org/CVERecord?id=CVE-2025-32914
- CVE-2025-46420:
Libsoup: memory leak on soup_header_parse_quality_list() via soup-headers.c
https://www.cve.org/CVERecord?id=CVE-2025-46420
- CVE-2025-46421:
Libsoup: information disclosure may leads libsoup client sends authorization
header to a different host when being redirected by a server
https://www.cve.org/CVERecord?id=CVE-2025-46421
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit eee0f6c078)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] introduced a patch addressing CVE-2021-23159. Since then,
CVE-2023-34432 ([2]) remained the only unresolved CVE reported
against the sox package in pkg-stat. This patch adds CVE-2023-34432
to the list of ignored CVEs for sox, based on the report from the
Debian Security Tracker ([3]) and the sox issue tracker ([4]), both
indicate that the patch introduced in [1] also resolves this CVE.
[1] 14aa0f5ec1 package/sox: add fix for CVE-2021-23159, CVE-2021-23172, CVE-2023-34318
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-34432
[3] https://security-tracker.debian.org/tracker/CVE-2023-34432
[4] https://sourceforge.net/p/sox/bugs/367/
Signed-off-by: Tim Soubry <tim.soubry@mind.be>
[Julien: change commit ref [1] to use commit id from master branch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e868b974a7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The following error appeared on the autobuilder for host using
host-gcc15:
```
p11_attr.c: In function 'pkcs11_addattr_bool':
p11_attr.c:126:25: error: expected identifier or '(' before 'true'
126 | static CK_BBOOL true = CK_TRUE;
| ^~~~
p11_attr.c:127:25: error: expected identifier or '(' before 'false'
127 | static CK_BBOOL false = CK_FALSE;
| ^~~~~
p11_attr.c:128:44: error: lvalue required as unary '&' operand
128 | pkcs11_addattr(tmpl, type, value ? &true : &false, sizeof(CK_BBOOL));
| ^
p11_attr.c:128:52: error: lvalue required as unary '&' operand
128 | pkcs11_addattr(tmpl, type, value ? &true : &false, sizeof(CK_BBOOL));
| ^
make[3]: *** [Makefile:646: libp11_la-p11_attr.lo] Error 1
```
This is due to the change in the default C language version in GCC15.
This patch backport the upstream patch that fix that issue by not using
the keywords.
Fixes: https://autobuild.buildroot.org/results/da7/da71db9b04f181b9d2e72df73ac8541709f5a1d4
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit df60b105b4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2023-4256:
Within tcpreplay's tcprewrite, a double free vulnerability has been
identified in the tcpedit_dlt_cleanup() function within
plugins/dlt_plugins.c. This vulnerability can be exploited by
supplying a specifically crafted file to the tcprewrite binary. This
flaw enables a local attacker to initiate a Denial of Service (DoS)
attack.
https://www.cve.org/CVERecord?id=CVE-2023-4256
- CVE-2023-43279:
Null Pointer Dereference in mask_cidr6 component at cidr.c in
Tcpreplay 4.4.4 allows attackers to crash the application via crafted
tcprewrite command.
https://www.cve.org/CVERecord?id=CVE-2023-43279
- CVE-2024-22654:
tcpreplay v4.4.4 was discovered to contain an infinite loop via the
tcprewrite function at get.c.
https://www.cve.org/CVERecord?id=CVE-2024-22654
See the release notes:
https://github.com/appneta/tcpreplay/releases/tag/v4.5.1
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 31619696b9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://www.sudo.ws/releases/stable/#1.9.17p1
Fixes the following security issues:
- CVE-2025-32462: Sudo before 1.9.17p1, when used with a sudoers file that
specifies a host that is neither the current host nor ALL, allows listed
users to execute commands on unintended machines (since sudo 1.8.8)
https://www.sudo.ws/security/advisories/host_any/
- CVE-2025-32463: Sudo before 1.9.17p1 allows local users to obtain root
access because /etc/nsswitch.conf from a user-controlled directory is used
with the --chroot option (since sudo 1.9.4)
https://www.sudo.ws/security/advisories/chroot_bug/
Update the LICENSE.md hash for a change in copyright years:
30729312c2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add link to release note in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ee86844e63)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The daq package fails to build with GCC14 toolchains:
```
daq_nfq.c: In function 'SetPktHdr':
daq_nfq.c:395:37: error: passing argument 2 of 'nfq_get_payload' from incompatible pointer type [-Wincompatible-pointer-types]
395 | int len = nfq_get_payload(nfad, (char**)pkt);
| ^~~~~~~~~~~
| |
| char **
```
The issue can be reproduced with the following config:
```
cat > daq.config <<EOF
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_DAQ=y
BR2_PACKAGE_LIBDNET=y
BR2_PACKAGE_LIBNETFILTER_QUEUE=y
EOF
```
This patch port a patch taken from openembedded meta-networking [1] and
is tested with test-pkg:
```
$ ./utils/test-pkg -c daq.config -p daq
```
[1] https://layers.openembedded.org/layerindex/recipe/37594/
Fixes: https://autobuild.buildroot.org/results/c69/c69ab134463a18eec65ded836aecf89a5cb4a75c/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 533c0aac28)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] backported an upstream patch to address CVE-2025-46836 that
included a regression.
Upstream later fixed this regression in commit [2].
This patch add that fix to correct the issue introduced by the original
patch.
[1] 323aaa9f54 package/net-tools: add upstream security fix for CVE-2025-46836
[2] ddb0e375fb/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d3274210f9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://github.com/urllib3/urllib3/releases/tag/2.5.0
This fixes the following vulnerabilities:
- CVE-2025-50181:
urllib3 redirects are not disabled when retries are disabled on
PoolManager instantiation
- CVE-2025-50182:
urllib3 does not control redirects in browsers and Node.js
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to release note in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7006854ce1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2023-34194:
StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML
through 2.6.2 has a reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 184a1b94a5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Jose-13 fixed the following security issue:
- CVE-2023-50967: latchset jose through version 11 allows attackers to cause
a denial of service (CPU consumption) via a large p2c (aka PBES2 Count)
value.
https://github.com/latchset/jose/issues/151
In addition, jose-14 worked around another DoS issue related to
decompression:
https://github.com/latchset/jose/pull/157
Drop now upstreamed patches:
- 0001-lib-hsh.c-rename-hsh-local-variable.patch: Upstream as of
3d5b287243
- 0002-man-add-option-to-skip-building-man-pages.patch: Upstream after
getting reworked to use -Ddocs=disabled as of
786b426df0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: remove .checkpackageignore entries to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 394a8fb406)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The syslinux runtime test (which is in fact a build-only test) ensures
that syslinux does get build at least once a week (via the gitlab-CI
weekly pipeline). Runtime testing would need much more work, though, but
nothing in syslinux is currently runtime tested anyway.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a6ddf2b91d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The following error occurs on the autobuilder for builds with musl
libc.
```
CC util/bitmap.o
In file included from include/linux/bitmap.h:7,
from util/bitmap.c:9:
include/linux/bitops.h:4:10: fatal error: bits/wordsize.h: No such file or directory
4 | #include <bits/wordsize.h>
| ^~~~~~~~~~~~~~~~~
```
The error occurs because bits/wordsize.h is specific to glibc.
This patch applies an upstream fix that replaces the use of __WORDSIZE
with an internal macro, making the code portable across different libc.
Fixes: https://autobuild.buildroot.org/results/30d/30d6e407e6a0fc7d85062c2d56008755c70ca733/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 901b9e19ed)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The 0.192 release of elfutils introduced the src/srcfiles.cxx program,
that lists all source files of a given ELF binary. As this is a C++
program, we need a toolchain that supports it.
Without it, the build system tries to use "no" as the CXX compiler,
resulting in the following errors :
/bin/sh: line 1: no: command not found
as can be seen here for example :
https://autobuild.buildroot.net/results/849/849221c794a469a423857a290db775d150b84900
Add a dependency to a CPP toolchain for the elfutils programs.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 268d7ad180)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The elfutils programs require Glibc to be used as the C library. Show a
comment when this libc isn't used in the toolchain.
Suggested-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 52ba3ed657)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
As specified in the 2.28.10 release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.10
Mbed TLS 2.28.10 is the last release of the 2.28 LTS and won't receive bug
fixes or security fixes anymore. Users are advised to upgrade to a
maintained version.
So move to 3.6.x, which is the new LTS version:
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with
bug-fixes and security fixes until at least March 2027.
Drop BR2_PACKAGE_MBEDTLS_COMPRESSION and all related references
as native zlib support has been entirely removed from mbedtls.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: add note about 2.28.x / 3.6.x, add Config.in.legacy]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3481a9643f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://dev.gnupg.org/T7166
This version fixes a build error which can happen with 32-bit arm
configurations.
The issue can be reproduced with commands:
cat >.config <<EOF
BR2_arm=y
BR2_cortex_a8=y
BR2_ARM_INSTRUCTIONS_THUMB2=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_LIBGCRYPT=y
EOF
make olddefconfig
make libgcrypt
Build is failing with output:
ec-nist.c: In function '_gcry_mpi_ec_nist256_mod':
ec-inline.h:902:5: error: 'asm' operand has impossible constraints or there are not enough registers
902 | __asm__ ("subs %3, %7, %10\n" \
| ^~~~~~~
Details for this buggix: https://dev.gnupg.org/T7226
Signed-off-by: Bram Oosterhuis <dev@bybram.com>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 89ca1bd4f4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
syslinux is... special. It is a target package, but it is installed in
HOST_DIR *in the target install commands*: in addition to the boot files
that run on the target, syslinux installs a set of host tools that are
to be used at build time (e.g. extlinux, to prepare bootable media, like
an iso96660 image). Then, from HOST_DIR, the actual boot files are
copied into BINARIES_DIR (i.e. images/); we do it that way because the
boot files are scattered about everywhere in the build tree, while they
are all packed together in a single directory once installed.
However, there is no dependency between the target and image install
steps. So, when using top-level parallel builds, there is no guarantee
that the target install commands are finished before the image install
commands are started.
We fix that by first installing into a temporary location, as part of
the build step, and by then copying from there as part of the install
step. This ensures that the boot files are easily available, without
needing a dependency on the target install step, that we can't express.
Note that we do not change the actual installation into HOST_DIR: it can
be set up differently that our temporary location, and we do not want
to duplicate that setup here (it's going to diverge over time).
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 90e76818a1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
At the moment, package stats indicates that libmpeg2 is affected by
https://nvd.nist.gov/vuln/detail/CVE-2022-37416
However, this CVE applies to a completely different piece of software,
that has the same name "libmpeg2" [1].
To avoid the confusion, let's add a proper CPE vendor to Buildroot's libmpeg2.
The library itself does not clearly identify any vendor name, and there isn't
any existing CPE on the NVD website. Since this library is not updated for
many years (maybe even before the introduction of the CPE system), but the
code is somehow related to the Videolan project, let's add this as the
vendor, which sould solve the matched CVE issue.
[1] https://github.com/ittiam-systems/libmpeg2
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: fix typo in commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 585ee147dd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When a new gcc version is introduced, for example gcc 15 in
commit [1], it should have also added a "depends on
!BR2_ARCH_NEEDS_GCC_AT_LEAST_15" to the previous gcc version.
This logic is described for external toolchains in commit [2],
for example. The internal Buildroot toolchains should have the
same logic. This logic existed for previous gcc version. See for
example the removal of gcc 12 in commit [3].
There is usually no problem, because all the three latest active gcc
versions supports all CPUs present in Buildroot.
However, the commit [4] recently added the support for the Arm
Cortex-A720 CPU, which needs at least gcc 14. Since there is no
logic preventing the selection of the gcc version, it is possible
to select an unsupported gcc version (i.e. gcc 13).
In such a case, the host-gcc-initial package configuration fails
with output:
Unknown cpu used in --with-cpu=cortex-a720
This commit fixes the issue by adding those missing dependencies.
Fixes:
https://autobuild.buildroot.org/results/918b90aee0b65f01efc241622015cb847b4e23a8/
[1] 75891397ab
[2] f577d8218f
[3] 58cf7c51da (66f7e875db173e5538d3511c8297acc1ba30da33_27_25)
[4] de374e06d8
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f231d3003)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The new test requires a br2-external directory because we compile a
small test program on the host and install it on the target, but it's
not useful to have it in the main Buildroot package tree.
The test program loads and parses a sample HTML document. Taking
inspiration from 'examples/get_title.c' in gumbo-parser, it also
searches for the title of the document just to check that we can do
more than the parsing.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit da23be6338)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Development on Google's GitHub repository has stopped a long time ago.
A fork exists on Codeberg, and multiple distributions (Fedora, Arch
Linux, ...) are already using it (see [1]).
Update the source URL to use the new upstream location.
The new upstream has a different hash for the 0.10.1 tarball, so
update it as well.
[1]: https://repology.org/project/gumbo-parser/versions
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1e106d8412)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This test verifies that we can run nginx with the modsecurity
directives.
It also checks a very simple rule that blocks requests containing the
keyword "blockme".
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[Julien:
- add / at directory end in DEVELOPERS
- sort DEVELOPERS entries alphabetically
- remove unneeded test configs already present in
BASIC_TOOLCHAIN_CONFIG
- sort test config directives alphabetically
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5cda85cb56)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Backport the upstream patch that fixes the following build error when
compiling for mips with gcc 15:
In file included from mips-opc.c:29:
mips-opc.c: In function 'decode_mips_operand':
mips-formats.h:86:7: error: expected identifier or '(' before
'static_assert'
86 | static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
| ^~~~~~~~~~~~~
The patch is already part of upstream binutils 2.44, so we only need
it for 2.42 and 2.43.1.
All 3 versions we have of host-binutils were build-tested using the
defconfig from the autobuilder failure (see the link below) and gcc 15
on the host.
Fixes:
- https://autobuild.buildroot.org/results/873/873ec25cf01d5f2b9ae7044e0b1d8d8791b781e6/
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 430aa91c3d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The upstream Github repository payden/libwebsock is no longer available,
and its URL now redirects to some completely unrelated software.
We don't know for sure what happened, but at least the package does not
build anymore, because its source code has vanished.
Since no other buildroot package depends on libwebsock, and it hasn't
received any update; let's simply remove it from here.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9f2dbf1486)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following CVE:
- CVE-2025-29481:
Buffer Overflow vulnerability in libbpf 1.5.0 allows a local attacker to
execute arbitrary code via the bpf_object__init_prog` function of libbpf.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-29481
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add direct link to CVE in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fba60c7732)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Actually DTB_LIST accepts only file and not files with relative path
preprended. This leads to have vfat without .dtb files and so Linux
doesn't start. Let's fix this by including slash in sed command as done
for mxc as well as basename in front of $dt.dtb to remove possible
useless folders present in the dts path. Let's also add set -e at the
top of the script to make it more verbose on error and modify this
section according to spellcheck as done for mxc.
This commit align this "mxs/post-image.sh" with its "imx/post-image.sh"
counterpart which was improved for arm64 in commit [1].
[1] 4755bf2bd4
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien:
- change space indentation to tabs for consistency
- add note in commit log about imx/post-image.sh
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 50297207a8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
gnu-efi fails to build if TOPDIR is exported in the environment since the
move to version 3.0.18 in commit 9efeb7e914 ("package/gnu-efi: bump to
version 3.0.18").
The reason is the change in TOPDIR logic introduced by upstream commit
31913f8489 ("Make: make TOPDIR actually work and get rid of unused CDIR"):
31913f8489
export TOPDIR=foo; make gnu-efi
...
/path/to/buildroot/output-gnuefi/host/bin/aarch64-linux-ld: cannot find
/path/to/buildroot/output-gnuefi/build/gnu-efi-4.0.0//apps/../aarch64/gnuefi/crt0-efi-aarch64.o:
No such file or director
make[2]: *** [Makefile:89: apps] Error 2
make[1]: *** [package/pkg-generic.mk:273: /path/to/buildroot/output-gnuefi/build/gnu-efi-4.0.0/.stamp_built] Error 2
make: *** [Makefile:23: _all] Error 2
As a workaround, unexport TOPDIR like we do for other sensitive environment
variables.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2b5544ab7a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The list of environment variables to unexport has grown organically over the
years and is no longer sorted. Sort it alphabetically for clarity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit da04cfa26c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The current homepage URL leads to an HTTP 404 error.
Fix it by using the homepage URL currently mentioned in mupdf's git
repository.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d1ea9a64e6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Bump from v5.15.1 to the latest patchlevel bump, v5.15.186.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Joachim Wiberg <troglobit@gmail.com>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3953bd3e9c)
[thomas: bump to latest 5.15 instead of 6.12]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 0fce7a9623 ("package/libcurl: fix build w/ threads + c-ares") added a
conditional for threads + c-ares, but ended up with a end-parenthesis too
many - so the condition is never true. Fix that.
Reported-by: Tibault Damman <tibault.damman@basalte.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 17399baa7c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In Linux v6.8, the rtla Makefile was rewritten :
01474dc706ca ("tools/rtla: Use tools/build makefiles to build rtla")
The new Makefile uses default linker values, so the host linker being used to
produce the final rtla binary.
This results in the following error :
ld: [...] trace.o: error adding symbols: file in wrong format
Add LD=$(TARGET_LD) to the RTLA_MAKE_OPTS to fix rtla cross-compilation.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f28f34e200)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
According to
https://lists.samba.org/archive/samba-technical/2025-June/139484.html:
A new update, version 7.4, of cifs-utils has been released today.
Users of cifs-utils version 7.3 on older kernels are encouraged to
update to 7.4 since it includes a fix for a mount problem with version
7.3 of cifs-utils on older kernels when using namespaces.
[...]
Detailed list of changes since version 7.3 was released
----------------------------------------------------------------
Enzo Matsumiya (1):
mount.cifs: retry mount on -EINPROGRESS
Henrique Carvalho (1):
cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP
Paulo Alcantara (1):
cifs.upcall: fix memory leaks in check_service_ticket_exits()
Pavel Shilovsky (1):
cifs-utils: bump version to 7.4
Z. Liu (2):
getcifsacl, setcifsacl: use <libgen.h> for basename
cifscreds: use <libgen.h> for basename
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4abd7bb9df)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changes 7.1..7.2:
- Security enhancements including support for password rotation,
better credential management, and namespaces
- Various improvements to man pages
Changes 7.2..7.3:
- Three fixes, including a fix for "guest" mount problem introduced
with version 7.2
Our patch is upstream as of 7.2, so we can drop it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit efdf0cdbcb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit 8f69974c20 switched the
buildsystem of mpv from waf to meson but forgot to remove a patch which
fixed a waf-related build error.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 942b88e693)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The squashfs 4.6.1 archive hash has been changed suddenly two weeks
ago by Github without any intended changes from the squashfs maintainer
[1].
The orginal squashfs 4.6.1 archive has been manually uploaded again.
Update the URL to download the archive that match the expected hash.
Since we don't use the github download helper anymore, the squashfs
archive name is changed from squashfs-4.6.1.tar.gz to
squashfs-tools-4.6.1.tar.gz.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10355448207
(and many more...)
See:
[1] https://github.com/plougher/squashfs-tools/issues/313
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e374ae03b5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
REMI hasn't received new release since July 2022 and is currently broken
with error:
Traceback (most recent call last):
File "<string>", line 26, in <module>
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 116, in setup
_install_setup_requires(attrs)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 89, in _install_setup_requires
_fetch_build_eggs(dist)
~~~~~~~~~~~~~~~~~^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 94, in _fetch_build_eggs
dist.fetch_build_eggs(dist.setup_requires)
~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 80, in fetch_build_eggs
raise SetupRequirementsError(specifier_list)
setuptools.build_meta.SetupRequirementsError: ['setuptools_scm']
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 389, in <module>
main()
~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 373, in main
json_out["return_val"] = hook(**hook_input["kwargs"])
~~~~^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 143, in get_requires_for_build_wheel
return hook(config_settings)
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 331, in get_requires_for_build_wheel
return self._get_build_requires(config_settings, requirements=[])
~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 301, in _get_build_requires
self.run_setup()
~~~~~~~~~~~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 512, in run_setup
super().run_setup(setup_script=setup_script)
~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 317, in run_setup
exec(code, locals())
~~~~^^^^^^^^^^^^^^^^
File "<string>", line 31, in <module>
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 117, in setup
return distutils.core.setup(**attrs)
~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/_distutils/core.py", line 148, in setup
_setup_distribution = dist = klass(attrs)
~~~~~^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 323, in __init__
_Distribution.__init__(self, dist_attrs)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/_distutils/dist.py", line 309, in __init__
self.finalize_options()
~~~~~~~~~~~~~~~~~~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 786, in finalize_options
ep(self)
~~^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 806, in _finalize_setup_keywords
ep.load()(self, ep.name, value)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools_scm/_integration/setuptools.py", line 82, in version_keyword
assert isinstance(value, dict), "version_keyword expects a dict or True"
~~~~~~~~~~^^^^^^^^^^^^^
AssertionError: version_keyword expects a dict or True
ERROR Backend subprocess exited when trying to invoke get_requires_for_build_wheel
make: *** [package/pkg-generic.mk:273: /workdir/instance-0/output-1/build/python-remi-2022.7.27/.stamp_built] Error 1
make: Leaving directory '/workdir/instance-0/buildroot'
Since last release code has been corrected and now build end
successfully.
Another issue with remi is related to python CGI library no more available with
python 3.13. This patch also updates Config.in to add a select BR2_PACKAGE_PYTHON_LEGACY_CGI
This commit also updates the LICENSE file hash, because line ending
changed from "CR-LF" (Windows) in old release archive to "LF" (Unix)
in the github download. Apart from that, the content is the same.
Fixes:
- https://autobuild.buildroot.org/results/f0409533ebdc31e522f2ee2ea8a5acc11dbc7430/
- https://autobuild.buildroot.org/results/a16cf5105d4b726b5d4136a2d8f82abcfdc0faba/
- https://autobuild.buildroot.org/results/e7ac28e20ad92863d337e96c225463346ee6c690/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
[Julien:
- use "git describe --abbrev=40" format in _VERSION
- fix LICENSE hash
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 14ce0d2e6e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
python-glslang is a host-only package and the host-python3 dependency
was wrongly added as target dependency with buildroot commit
f9fe0cf8f6.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 27a38cbcad)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
- CVE-2025-48432: Internal HTTP response logging does not escape
request.path, which allows remote attackers to potentially manipulate
log output via crafted URLs. This may lead to log injection or forgery
when logs are viewed in terminals or processed by external systems.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-48432
For more details on the version bump, see the release notes:
- https://docs.djangoproject.com/en/5.1/releases/5.1.11/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Those security patches have been fetched from the debian patches for
this package version [1].
Fixes the following CVEs:
- CVE-2024-23337: an integer overflow arises when assigning value using
an index of 2147483647, the signed integer limit. This causes a denial
of service.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2024-23337
- de21386681
- CVE-2024-53427: decNumberCopy in decNumber.c does not properly
consider that NaN is interpreted as numeric, which has a resultant
stack-based buffer overflow and out-of-bounds write, as demonstrated
by use of --slurp with subtraction, such as a filter of .-. when the
input has a certain form of digit string with NaN (e.g., "1 NaN123"
immediately followed by many more digits).
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2024-53427
- a09a4dfd55
[1] https://udd.debian.org/patches.cgi?src=jq&version=1.7.1-6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the package bump [1] the fluent-bit package started to fail
because of an update introduced in fluent-bit v3.2.7 (see [2]).
The following error appeared on the autobuilder in the LTS branch.
```
CMake Error at /home/buildroot/instance-0/output-1/host/share/cmake-3.31/Modules/CMakeTestCXXCompiler.cmake:73 (message):
The C++ compiler
"/bin/false"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: '/home/buildroot/instance-0/output-1/build/fluent-bit-3.2.10/CMakeFiles/CMakeScratch/TryCompile-u4rLgc'
Run Build Command(s): /home/buildroot/instance-0/output-1/host/bin/ninja -v cmTC_71bbf
[1/2] /bin/false -o CMakeFiles/cmTC_71bbf.dir/testCXXCompiler.cxx.o -c /home/buildroot/instance-0/output-1/build/fluent-bit-3.2.10/CMakeFiles/CMakeScratch/TryCompile-u4rLgc/testCXXCompiler.cxx
FAILED: CMakeFiles/cmTC_71bbf.dir/testCXXCompiler.cxx.o
/bin/false -o CMakeFiles/cmTC_71bbf.dir/testCXXCompiler.cxx.o -c /home/buildroot/instance-0/output-1/build/fluent-bit-3.2.10/CMakeFiles/CMakeScratch/TryCompile-u4rLgc/testCXXCompiler.cxx
ninja: build stopped: subcommand failed.
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
lib/zstd-1.5.7/build/cmake/CMakeLists.txt:36 (project)
```
The commit [3] included two patches to fix the build error
for configs using toolchains without CXX.
Since the build error was already present on v3.2.10,
those patches actually fix the error for LTS version as well.
This patch pick them from the series to apply them on the LTS
branch.
[1] 8bc18fad29 package/fluent-bit: bump to 3.2.10
[2] 0ce59cecdc
[3] 8181727e23 package/fluent-bit: bump to 4.0.0
Fixes: https://autobuild.buildroot.org/results/4b0/4b0646e8fcc3f023ab0173ea8725f381e5055152/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit [1] removed mysql and replaced it by mariadb in all
packages, but did not propagated all dependencies.
This commit fixes the issue.
Fixes:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_MARIADB
Depends on [n]: BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && (BR2_TOOLCHAIN_HAS_ATOMIC [=n] || BR2_TOOLCHAIN_HAS_SYNC_8 [=n]) && BR2_USE_WCHAR [=y]
Selected by [y]:
- BR2_PACKAGE_DOVECOT_MYSQL [=y] && BR2_PACKAGE_DOVECOT [=y] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y]
[1] 8708f3a23a
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6967ed93b6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] "package/gstreamer1/gst1-plugins-bad: bump version
to 1.24.11" added new requirements for webrtc which selects the
sctp plugin, but forgot to propagate its dependencies. The sctp
plugin depends on BR2_TOOLCHAIN_HAS_SYNC_4.
This commit fixes this issue.
Fixes:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_SCTP
Depends on [n]: BR2_PACKAGE_GSTREAMER1 [=y] && BR2_PACKAGE_GST1_PLUGINS_BAD [=y] && BR2_TOOLCHAIN_HAS_SYNC_4 [=n]
Selected by [y]:
- BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_WEBRTC [=y] && BR2_PACKAGE_GSTREAMER1 [=y] && BR2_PACKAGE_GST1_PLUGINS_BAD [=y] && !BR2_STATIC_LIBS [=n]
[1] 90b3cfedf4
Cc: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e34a113b32)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following autobuild error on configs with host GCC15.
```
/workdir/instance-0/output-1/host/bin/ccache /usr/bin/gcc -O2 -DNDEBUG -Wall -Wstrict-prototypes -Wundef -Wmissing-declarations -Wmissing-prototypes -Wwrite-strings -fno-strict-aliasing -Werror=declaration-after-statement -fno-builtin -fno-common -Werror=return-type -Wno-unused-local-typedefs -DHAVE_STDINT_H=1 -DHAVE_DIRENT_H=1 -DHAVE_SYS_DIR_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_TIMES_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_LIBDL=1 -DGX_COLOR_INDEX_TYPE="unsigned long long" -D__USE_UNIX98=1 -DHAVE_SNPRINTF -O2 -I/workdir/instance-0/output-1/host/include -L/workdir/instance-0/output-1/host/lib -Wl,-rpath,/workdir/instance-0/output-1/host/lib -DNOCONTRIB -DHAVE_RESTRICT=1 -DHAVE_LIMITS_H=1 -DHAVE_STRING_H=1 -fno-strict-aliasing -O2 -I/workdir/instance-0/output-1/host/include -L/workdir/instance-0/output-1/host/lib -Wl,-rpath,/workdir/instance-0/output-1/host/lib -DHAVE_POPEN_PROTO=1 -I./base -o ./obj/aux/genconf ./base/genconf.c -lz
In file included from ./base/genconf.c:18:
./base/stdpre.h:348:13: error: 'bool' cannot be defined via 'typedef'
348 | typedef int bool;
| ^~~~
./base/stdpre.h:348:13: note: 'bool' is a keyword with '-std=c23' onwards
./base/stdpre.h:348:1: warning: useless type name in empty declaration
348 | typedef int bool;
| ^~~~~~~
```
This is due to the change in the default C language version in GCC15.
The patch included is not exactly the same as the upstream one, it only
picks the part that fix the `bool` definition and dropped the declaration
type changes.
Fixes: https://autobuild.buildroot.org/results/9c6/9c6cbff256635c6ab4be4c5b7bf18f9d3c4b46681
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fa45c47fcb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.
go1.23.10 (released 2025-06-05) includes security fixes to the net/http and
os packages, as well as bug fixes to the linker.
Fixes the following security vulnerabilities:
- CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
redirect
Proxy-Authorization and Proxy-Authenticate headers persisted on
cross-origin redirects potentially leaking sensitive information
- CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
Windows
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
Windows systems when the target path was a dangling symlink. On Unix
systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
On Windows, when the target path was a symlink to a nonexistent location,
OpenFile would create a file in that location.
- CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
unintentionally disabled policy validation. This only affected
certificate chains which contain policy graphs, which are rather uncommon.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 00f0fca15a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following autobuild error that started appearing with host GCC15
configs.
```
/usr/bin/gcc -DHAVE_CONFIG_H -I. -I/workdir/instance-0/output-1/host/include -O2 -I/workdir/instance-0/output-1/host/include -c -o modules/arch/x86/x86arch.o modules/arch/x86/x86arch.c
In file included from modules/arch/x86/x86arch.h:30,
from modules/arch/x86/x86arch.c:31:
./libyasm/bitvect.h:86:32: error: cannot use keyword 'false' as enumeration constant
86 | typedef enum boolean { false = FALSE, true = TRUE } boolean;
| ^~~~~
./libyasm/bitvect.h:86:32: note: 'false' is a keyword with '-std=c23' onwards
```
This is due to the change in the default C language version in GCC15.
Fixes: https://autobuild.buildroot.org/results/d1d/d1d9a6e73c2ec278941dd90c6b07cce01b372feb/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit aa9ee17701)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
If external clang is available on the host system, the buildsystem tries
to use it. The result will be unpredictable. We can't use the version of
clang that is shipped with buildroot either, because it is too old. See:
https://code.qt.io/cgit/qt/qttools.git/tree/.cmake.conf?h=6.8.1. So we
disable clang support in qt6tools for now.
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit ac7f65d83e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The previous commit removed its only user. It was a blind option so no
legacy handling is needed.
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 1fad08d32f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since we don't need assistant, designer or linguist on target, and we
don't need assistant or designer on host, we unconditionally disable
these tools, to avoid build failures without inreasing the complexity of
the package.
Fixes target linguist build:
-- Could NOT find Qt6LinguistTools (missing: Qt6LinguistTools_DIR)
CMake Error at <...>/output/build/qt6base-6.8.1/cmake/QtToolHelpers.cmake:768 (message):
Failed to find the host tool "Qt6::lconvert". It is part of the
Qt6LinguistTools package, but the package could not be found. Make sure
you have built and installed the host Linguist module, which will ensure
the creation of the Qt6LinguistTools package.
Call Stack (most recent call first):
<...>/output/build/qt6base-6.8.1/cmake/QtToolHelpers.cmake:83 (qt_internal_find_tool)
src/linguist/lconvert/CMakeLists.txt:9 (qt_internal_add_tool)
The following defconfig triggers a target linguist build without
building the necessary lconvert host tool. See:
https://code.qt.io/cgit/qt/qttools.git/tree/src/linguist/CMakeLists.txt?h=6.8.1#n17
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_GUI=y
BR2_PACKAGE_QT6BASE_PNG=y
BR2_PACKAGE_QT6BASE_WIDGETS=y
BR2_PACKAGE_QT6TOOLS=y
Fixes target designer build:
CMake Error at <...>/output/build/qt6base-6.8.1/cmake/QtPublicWalkLibsHelpers.cmake:267 (message):
The Xml target is mentioned as a dependency for Designer, but not declared.
Call Stack (most recent call first):
<...>/output/build/qt6base-6.8.1/cmake/QtPrlHelpers.cmake:8 (__qt_internal_walk_libs)
<...>/output/build/qt6base-6.8.1/cmake/QtPrlHelpers.cmake:47 (qt_collect_libs)
<...>/buildroot/output/build/qt6base-6.8.1/cmake/QtModuleHelpers.cmake:1027 (qt_generate_prl_file)
<...>/buildroot/output/build/qt6base-6.8.1/cmake/QtScopeFinalizerHelpers.cmake:24:EVAL:1 (qt_finalize_module)
src/designer/src/lib/CMakeLists.txt:DEFERRED
The following defconfig triggers a target designer build, without
selecting the necessary xml qt6base option. See:
https://code.qt.io/cgit/qt/qttools.git/tree/configure.cmake?h=6.8.1#n64https://code.qt.io/cgit/qt/qttools.git/tree/src/designer/src/lib/CMakeLists.txt?h=6.8.1#n182
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_GUI=y
BR2_PACKAGE_QT6BASE_PNG=y
BR2_PACKAGE_QT6BASE_WIDGETS=y
BR2_PACKAGE_QT6TOOLS=y
Fixes target assistant build:
CMake Error at <...>/output/build/qt6base-6.8.1/cmake/QtToolHelpers.cmake:768 (message):
Failed to find the host tool "Qt6::qhelpgenerator". It is part of the
Qt6ToolsTools package, but the package did not contain the tool. Make sure
that the host module Tools was built with all features enabled (no
explicitly disabled tools).
Call Stack (most recent call first):
<...>/buildroot/output/build/qt6base-6.8.1/cmake/QtToolHelpers.cmake:83 (qt_internal_find_tool)
src/assistant/qhelpgenerator/CMakeLists.txt:9 (qt_internal_add_tool)
The following defconfig triggers a target assistant build, without
building the necessary qhelpgenerator host tool. See:
https://code.qt.io/cgit/qt/qttools.git/tree/configure.cmake?h=6.8.1#n45https://code.qt.io/cgit/qt/qttools.git/tree/src/assistant/CMakeLists.txt?h=6.8.1#n4https://code.qt.io/cgit/qt/qttools.git/tree/src/assistant/CMakeLists.txt?h=6.8.1#n21
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_GUI=y
BR2_PACKAGE_QT6BASE_PNG=y
BR2_PACKAGE_QT6BASE_PRINTSUPPORT=y
BR2_PACKAGE_QT6BASE_SQL=y
BR2_PACKAGE_QT6BASE_SQLITE=y
BR2_PACKAGE_QT6BASE_WIDGETS=y
BR2_PACKAGE_QT6TOOLS=y
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit bd255e9e9c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since version bump to 7.12 (upstream commit [1]) the openssl/mbedtls support
defines changed from MG_ENABLE_OPENSSL/MG_ENABLE_MBEDTLS to
MG_TLS=MG_TLS_OPENSSL and MG_TLS=MG_TLS_MBED.
[1] 0613cc62f4
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 77d6929804)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The aarch64 virt platform doesn't have any default VGA devices so we
don't need to configure them here.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b877b8379f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a patch that removes part of the logic that attempts to detect if
thumb is supported. This logic simply doesn't work at all in the
Buildroot context. In fact, thumb is supported on all 32-bit ARM on
which we can build qt5webengine.
Fixes:
WARNING: Thumb instruction set is required to build ffmpeg for QtWebEngine.
[...]
FAILED: obj/third_party/ffmpeg/ffmpeg_internal/vp8.o
[...] -c ../../3rdparty/chromium/third_party/ffmpeg/libavcodec/vp8.c -o obj/third_party/ffmpeg/ffmpeg_internal/vp8.o
{standard input}: Assembler messages:
{standard input}:1119: Error: bad instruction `ldrhcs r0,[ip],#2'
{standard input}:1156: Error: bad instruction `ldrhcs r9,[ip],#2'
{standard input}:1190: Error: bad instruction `ldrhcs lr,[ip],#2'
{standard input}:1253: Error: bad instruction `ldrhcs r9,[r7],#2'
[...]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Cc: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2b2120dc4a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Ideally we should update our version of qt5webengine-chromium first,
we're more than 600 commits behind on the stable branch from KDE.
However, this is a quick fix solution that allows us to build the
current state in Fedora 42.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c9ae932c94)
[thomas: rename patch from 0012-.. to 0011-..]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a patch that adds missing #include statements, which becomes an
error in GCC 15.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1495863b98)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1], the runtime test emulator infra is setting
the emulated system date to the host date.
While this is desired in general, this behaviour is introducing a
variability in the test execution. Depending if the test is executed
during winter or summer time, the output of the command "date +%Z"
will produce a different output.
This commit fixes the issue by setting a fixed date and time on the
emulated system. The date is fixed to Unix Epoch plus one hour. This
is because Linux cannot set the system date to a value less than the
system uptime. So we cannot set the time back to Unix Epoch with the
command "date -s @0" (this would result to a EINVAL Invalid argument).
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/9922589073https://gitlab.com/buildroot.org/buildroot/-/jobs/9922589081
[1] cf8641b73e
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0839545a9b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 4e95062f8 ("package/pkg-meson: use buildroot-build for build
directory") changed the build directory for meson packages to
'buildroot-build', so update the find invocation to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c9355a3869)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 4e95062f8 ("package/pkg-meson: use buildroot-build for build directory")
changed the build directory for meson packages to 'buildroot-build'.
Thus accessing the build directory for installing the extra utils needs
to be adopted to this directory. Otherwise the install will fail when
BR2_PACKAGE_KMSXX_INSTALL_TESTS is enabled.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 55979f081d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When the meson build directory was changed to buildroot-build in
4e95062f82 we forgot to update the
install path for the systemd-boot efi binary.
Fixes:
/usr/bin/install: cannot stat '/home/buildroot/buildroot/output/build/systemd-256.7/build/src/boot/efi/systemd-bootx64.efi': No such file or directory
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6b96b7bdc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit d1757fdfb0, at-spi2-core
depends on !BR2_STATIC_LIBS, but this wasn't properly propagated to
reverse dependencies, so let's do this propagation now.
Fixes the following warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_AT_SPI2_CORE
Depends on [n]: BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y] && !BR2_STATIC_LIBS [=y]
Selected by [y]:
- BR2_PACKAGE_ATKMM [=y] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_7 [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a9bfc39660)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 8c9c1222b7 (package/uacme: bump version to 1.7.6) bumperd the
version to 1.7.6 which includes the patch we carried, so the patch was
dropped, but the corresponding autoreconf was not.
Do so now.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2fb527fcf9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The esp-hosted package was introduced in [1] defining the variable
ESP_HOSTED_LICENSE_FILE (singular). The name should be
ESP_HOSTED_LICENSE_FILES (plural). This typo makes the license file
being ignored during a "make legal-info" which shows a warning at
the end:
WARNING: esp-hosted-9a2312b0b: cannot save license (ESP_HOSTED_LICENSE_FILES not defined)
Fixing the variable name also reveals the license file path was
incorrect. The "esp_hosted_ng/host/" directory prefix is missing.
Finally, setting the correct path shows the hash was wrong (it was
the hash of the Apache-2.0 [2] file, which corresponds to another
unused code portion). So the license file hash is also changed to
correspond to the correct GPL-2.0 license file.
This commit fixes all the needed esp-hosted legal-info.
[1] 7b2e5e6550
[2] https://github.com/espressif/esp-hosted/blob/release/ng-v1.0.4.0.0/LICENSES/Apache-2.0
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit bd9a6c2b36)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following CVEs:
- CVE-2025-3015: A vulnerability classified as critical has been found in
Open Asset Import Library Assimp 5.4.3. This affects the
function Assimp::ASEImporter::BuildUniqueRepresentation of
the file code/AssetLib/ASE/ASELoader.cpp of the component
ASE File Handler. The manipulation of the argument mIndices
leads to out-of-bounds read. It is possible to initiate the
attack remotely. The exploit has been disclosed to the
public and may be used.
See: https://www.cve.org/CVERecord?id=CVE-2025-3015
- CVE-2025-3016: A vulnerability classified as problematic was found in
Open Asset Import Library Assimp 5.4.3. This vulnerability
affects the function Assimp::MDLImporter::ParseTextureColorData
of the file code/AssetLib/MDL/MDLMaterialLoader.cpp of the
component MDL File Handler. The manipulation of the argument
mWidth/mHeight leads to resource consumption.
The attack can be initiated remotely
See: https://www.cve.org/CVERecord?id=CVE-2025-3016
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9d92c7e3ff)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following CVE:
- CVE-2025-48432: An issue was discovered in Django 5.2 before 5.2.2,
5.1 before 5.1.10, and 4.2 before 4.2.22.
Internal HTTP response logging does not escape request.path,
which allows remote attackers to potentially manipulate log
output via crafted URLs.
This may lead to log injection or forgery when logs are
viewed in terminals or processed by external systems.
See https://www.cve.org/CVERecord?id=CVE-2025-48432
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit introduces the silicon revision number configuration.
This value will be used by packages for specific configurations
(such as security firmware).
Signed-off-by: Juan Pablo MONTERO CASTRO <juanpablo.monterocastro@nxp.com>
[Julien: split original commit 1/3]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0645c83cd6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Django includes code from a couple of other projects, add their
respective license files and licenses to the django package.
./utils/scanpypi finds most of these. Additionally this was
cross-checked against debian's license list [1], not including some
things that no longer exist or no longer indicate separate licensing
upstream:
* django/contrib/admin/static/admin/fonts/
* django/utils/baseconv.py
* django/utils/ipv6.py
* django/utils/autoreload.py
Also not included are separate licensing for docs, which buildroot
doesn't package:
* docs/_theme/djangodocs/static/reset-fonts-grids.css
* docs/_theme/djangodocs/static/fontawesome/LICENSE.txt
[1] https://metadata.ftp-master.debian.org/changelogs//main/p/python-django/python-django_5.2-1_copyright
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Indent with single tab]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 15fdc8b0ca)
[Thomas: Changed the hash of
django/contrib/admin/static/admin/js/inlines.js to match 5.1.9
]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following CVE:
- CVE-2025-47287: When Tornado's ``multipart/form-data`` parser encounters
certain errors, it logs a warning but continues trying to
parse the remainder of the data. This allows remote
attackers to generate an extremely high volume of logs,
constituting a DoS attack.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-47287
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4c890bc46d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes a memory leaks that affects both binutils 2.43 and 2.44,
see https://www.cve.org/CVERecord?id=CVE-2025-3198
Fixes the following CVE:
- CVE-2025-3198: A vulnerability has been found in GNU Binutils 2.43/2.44
and classified as problematic. Affected by this
vulnerability is the function display_info of the file
binutils/bucomm.c of the component objdump.
The manipulation leads to memory leak.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4dc951f3ee)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The test_xen.py runtime test, introduced in [1] and improved in [2],
is calling a "stty raw" command, just after the emulated machine
login, to avoid double-cooking the consoles. This double-cooking
prevents the test controller to correctly get the command error codes.
Buildroot commit [3] "support/testing: set date in emulated machine"
introduced an invocation of the date command to set time on the
emulated machine, just after the login. The returned error code is also
checked. Since this commit [3], the test_xen runtime test is failing
while attempting to set the date. This is because it is invoked before
the test script executes this "stty raw" command.
The need of executing a command just after the login, and just
before we set the emulated machine date is very limited. It is almost
specific to this test. So, rather than changing the test
infrastructure, this commit simply moves this "stty raw" invocation
from the runtime test script to a custom /etc/profile.d/stty-raw.sh
file on target rootfs overlay, to do this call just at the login.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10000011350
[1] 055f82ebbd
[2] cd0ffd598c
[3] cf8641b73e
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Tested-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 04c9ecd788)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issues:
- CVE-2025-23166: Improper error handling in async cryptographic operations
crashes process
- CVE-2025-23165: Corrupted pointer in node::fs::ReadFileUtf8(const
FunctionCallbackInfo<Value>& args) when args[0] is a string
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
Update the license hash for the addition of zstd 1.5.6 (BSD-3-Clause):
f9f611fb58
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c84fcef123)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the bump of Samba to version 4.21.4 in commit
716461af94, <crypt.h> is needed, due to
upstream comit 0dccda38f27b3bbda5d2a4de588a333ff554651a. Since
<crypt.h> is no longer provided by glibc, a dependency on libxcrypt is
needed, to avoid the following build failure:
../../lib/util/util_crypt.c:5:10: fatal error: crypt.h: No such file or directory
5 | #include <crypt.h>
| ^~~~~~~~~
compilation terminated.
This has not been detected by the autobuilders, presumably because a
lot of glibc configurations end up having libxcrypt selected by other
packages, but the issue is reproducible by building:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_SAMBA4=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6c3f01fde1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
We currently check for unsafe paths right between adding our arguments,
and adding the one passed from the command line. This not very
consistent.
Unsafe paths can only come from the command line, as we are not adding
any of our own (hopefully, we know better!), so we can run the check as
early as possible.
Move the check very early, but not before we handle --help.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 53e1772682)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
With the recent addition in pkg-stats to detect stale ignore CVE
entries, the CVE-2021-42260 ignore CVE entry is reported as
stale. This is because TINYXML_VERSION is 2.6.2_2, and the CVE is
annotated as affecting versions up to and including 2.6.2.
But in fact, 2.6.2_2 is a special version from the Kodi community, but
it's close to the 2.6.2 release, and CVE-2021-42260 is not fixed in
it. To get meaningful results, let's tell our CVE checking logic that
the tinyxml version is 2.6.2 by setting TINYXML_CPE_ID_VERSION (we're
splitting on the _ and keeping the part before).
Because we're now setting TINYXML_CPE_ID_VERSION, we must drop
TINYXML_CPE_ID_VALID to avoid a check-package warning.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 677b24ebaf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Due to the "From:" in the commit log itself, this patch was not
applicable using git am:
$ git am 0001-Make-SoX-support-uclibc-based-toolchains.patch
Applying: Make SoX support uclibc-based toolchains
fatal: empty ident name (for <>) not allowed
Thanks to Arnout who found the issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit aea1dd9b20)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit b6871f9d93 ("package/sox:
security bump to latest git commit") forgot to annotate the ignore CVE
entries, so let's do this.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e3a15862fb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
All ignore CVE entries of the sox package are considered stale because
SOX_VERSION is a Git commit and therefore the version matching logic
doesn't do the right thing.
This commit sets SOX_CPE_ID_VERSION to 14.4.2, which is the closest
upstream version on which we are based: our Git commit is 14.4.2 plus
a number of commits that fix a large number of CVEs.
Thanks to this change, the ignore CVE entries are no longer stale.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9c482f525a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The ignore CVE entry was added because the vulnerability only affects
Windows. But it also only affected ripgrep versions < 13, and we're
using ripgrep 14.x now, so the CVE is anyway no longer relevant, and
the ignore CVE entry can be dropped.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 107e935e1c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The qt5base was reported to have 2 stale ignore CVE entries, one not
stale. Turns out that because the version is a Git commit hash, the
version comparaison did not make a lot of sense.
This commit adds QT5BASE_CPE_ID_VERSION, assigned to the closest
upstream version that we package (the Git repo we fetch is 5.15.14
plus a number of fixes). With this done, all 3 ignore CVE entries are
stale because the vulnerabilities have been fixed prior to 5.15.14.
In addition, setting QT5BASE_CPE_ID_VERSION allows to reduce the
number of CVEs affecting qt5base from 20 to 8.
Cc: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Cc: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Cc: Christian Hitz <christian.hitz@bbv.ch>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 381ff2bf69)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The 0001-snmp_agent-disallow-SET-with-NULL-varbind.patch patch has
been dropped as part of the bump from 5.9.3 to 5.9.4 in commit
1799cfebfd, which means 5.9.4 has the
security fix, and therefore the ignore CVE entry is no longer needed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4a3eab8341)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
CVE-2023-3603 has never affected any release, but NVD decided to
document it as affecting all versions up to 0.8.9. While this is
incorrect, we don't really care much, as we're now using 0.11 which
according to NVD is not affected, making our ignore CVE entry stale.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ae116161ac)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
We no longer have the patch fixing CVE-2022-3559 because we've updated
to a version of exim that includes it. However, the ignore CVE entry
is not stale because the NVD database is incorrect on this CVE. We
reported the issue to upstream NVD at:
https://lore.kernel.org/buildroot/20250517183423.07951665@windsurf/
Let's document this above the ignore CVE entry.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 114784cb7b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CVE-2022-3620 entry is not reported as affecting our exim package
by pkg-stats. Currently it's because the NVD entry is
incorrect (incorrect exim version), but we sent a bug report [1] to
the NVD database so that it gets updated. Once updated, pkg-stats
still won't report the CVE as affecting us because the issue has been
fixed in exim 4.97, and we're using a newer version.
[1] https://lore.kernel.org/buildroot/20250517183000.40b28b4d@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 463e21fdcb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The 0001-set-default-maximum-dns-udp-package-size.patch is no longer
in Buildroot since the bump to 2.90 in commit
213cfb3435, which renders the
CVE-2023-28450 ignore CVE entry no longer needed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1799aa7eb4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
All of CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, CVE-2023-42366
were fixed by patches that we no longer have since we bumped
Busybox. Those IGNORE_CVES entries are therefore no longer needed.
The CVE-2022-28391 ignore CVE entry is also reported as stale, but we
believe the NVD database is incorrect in saying this vulnerability
only affects Busybox up to 1.35.0. Indeed, Busybox 1.37.0 still
doesn't have the fixes and is therefore still affected.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f88537c46b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
CVE-2020-15705 is only applicable to grub versions up to 2.04, and
we're using a more recent version, so it is no longer needed to ignore
it.
CVE-2021-46705 is only applicable to grub versions up to 2.06, and
we're using a more recent version, so it is no longer needed to ignore
it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 06afaf5347)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The configure flag -feature-webengine-system-jpeg[1] checks if a jpeg
library is in the sysroot.
It compiles a test file linked against the symbols jpeg_crop_scanline()
and jpeg_skip_scanlines()[2] that are specific to jpep-turbo.
As a consequence, the configure scripts fails if the libjpeg is selected
as the jpeg variant as the symbols mentionend above are not part of the
jpeg library installed in the sysroots.
ERROR: Feature 'webengine-system-jpeg' was enabled, but the pre-condition 'config.unix && features.system-jpeg && libs.webengine-jpeglib' failed.
Additionally, see the log below, extracted from config.log:
> /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ -c -pipe -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g0 -D_FORTIFY_SOURCE=1 -mtune=arm1176jzf-s -march=armv6 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -w -fPIC -I. -I/home/gportay/src/buildroot/output/host/mkspecs/devices/linux-buildroot-g++ -o main.o main.cpp
> main.cpp: In function ‘int main(int, char**)’:
> main.cpp:12:5: error: ‘jpeg_crop_scanline’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 12 | jpeg_crop_scanline(nullptr, &dummy, &dummy);
> | ^~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> main.cpp:13:5: error: ‘jpeg_skip_scanlines’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 13 | jpeg_skip_scanlines(nullptr, dummy);
> | ^~~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> make[1]: *** [Makefile:334: main.o] Error 1
> make[1]: Leaving directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
We could build some complicated logic to make sure what qt5webengine is
only used with jpeg-turbo. However, Chromium bundles jpeg-turbo[3][4]
and uses it if not using the system jpeg library or qt-jpeg[5]. It is
simpler to just always use that version instead of the system jpeg
library.
This sets the configure option -nofeature-webengine-system-jpeg and
removes jpeg from the dependencies.
Note that host-libjpeg and qt-jpeg (and therefore, system libjpeg or
jpeg-turbo) are still needed for the Qt integration layer, even if
chromium uses the bundled jpeg-turbo.
[1]: https://github.com/qt/qtwebengine/blob/v5.15.14-lts/src/buildtools/configure.json#L609-L613
[2]: https://github.com/qt/qtwebengine/blob/v5.15.14-lts/src/buildtools/configure.json#L95-L116
[3]: 18c9261dc5/chromium/third_party/libjpeg_turbo
[4]: 18c9261dc5/chromium/third_party/libjpeg.gni
[5]: https://github.com/qt/qtwebengine/blob/v5.15.14-lts/src/buildtools/configure.json#L614-618
Fixes:
looking for library webengine-jpeglib
Trying source 0 (type pkgConfig) of library webengine-jpeglib ...
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --exists --silence-errors libjpeg
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --modversion libjpeg
> 9.6.0
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --libs-only-L libjpeg
> -L/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --libs-only-l libjpeg
> -ljpeg
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --cflags libjpeg
> -I/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include
+ cd /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib && PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/qmake "CONFIG -= qt debug_and_release app_bundle lib_bundle" "CONFIG += shared warn_off console single_arch" -early "CONFIG += cross_compile" 'QMAKE_USE += webengine-jpeglib' 'QMAKE_LIBS_WEBENGINE_JPEGLIB = -L/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -ljpeg' /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib
+ cd /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib && MAKEFLAGS= make
> make[1]: Entering directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
> /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ -c -pipe -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g0 -D_FORTIFY_SOURCE=1 -mtune=arm1176jzf-s -march=armv6 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -w -fPIC -I. -I/home/gportay/src/buildroot/output/host/mkspecs/devices/linux-buildroot-g++ -o main.o main.cpp
> main.cpp: In function ‘int main(int, char**)’:
> main.cpp:12:5: error: ‘jpeg_crop_scanline’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 12 | jpeg_crop_scanline(nullptr, &dummy, &dummy);
> | ^~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> main.cpp:13:5: error: ‘jpeg_skip_scanlines’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 13 | jpeg_skip_scanlines(nullptr, dummy);
> | ^~~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> make[1]: *** [Makefile:334: main.o] Error 1
> make[1]: Leaving directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
=> source failed verification.
Trying source 1 (type inline) of library webengine-jpeglib ...
+ cd /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib && PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/qmake "CONFIG -= qt debug_and_release app_bundle lib_bundle" "CONFIG += shared warn_off console single_arch" -early "CONFIG += cross_compile" 'QMAKE_USE += webengine-jpeglib' 'QMAKE_LIBS_WEBENGINE_JPEGLIB = -ljpeg' /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib
+ cd /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib && MAKEFLAGS= make clean && MAKEFLAGS= make
> make[1]: Entering directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
> rm -f main.o
> rm -f *~ core *.core
> make[1]: Leaving directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
> make[1]: Entering directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
> /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ -c -pipe -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g0 -D_FORTIFY_SOURCE=1 -mtune=arm1176jzf-s -march=armv6 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -w -fPIC -I. -I/home/gportay/src/buildroot/output/host/mkspecs/devices/linux-buildroot-g++ -o main.o main.cpp
> main.cpp: In function ‘int main(int, char**)’:
> main.cpp:12:5: error: ‘jpeg_crop_scanline’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 12 | jpeg_crop_scanline(nullptr, &dummy, &dummy);
> | ^~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> main.cpp:13:5: error: ‘jpeg_skip_scanlines’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 13 | jpeg_skip_scanlines(nullptr, dummy);
> | ^~~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> make[1]: *** [Makefile:334: main.o] Error 1
> make[1]: Leaving directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
=> source failed verification.
test config.qtwebengine_buildtools.libraries.webengine-jpeglib FAILED
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
[Arnout: always use the bundled jpeg-turbo]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 3271ce10f2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For portability reason, it isn't preferable to include an absolute path
in the link to fw_printenv which is in the same directory as fw_setenv.
Fixes: 42646265d5 ("package/uboot-tools: add fw_printenv to host uboot tools")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0b02091235)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
https://autobuild.buildroot.net/results/924b1015d4b81385409ef00f1a14be3ca1959c8e/
As part of building flex for the target a few files are built for the host,
including a rpl_malloc() implementation containing a malloc() forward
declaration without any function parameters.
GCC 15 defaults to -std=gnu23, which handles function declarations without
parameters differently from earlier C standards leading to compilation
errors:
../lib/malloc.c:6:12: warning: conflicting types for built-in function 'malloc'; expected 'void *(long unsigned int)' [-Wbuiltin-declaration-mismatch]
6 | void *malloc ();
| ^~~~~~
../lib/malloc.c:5:1: note: 'malloc' is declared in header '<stdlib.h>'
4 | #include <sys/types.h>
+++ |+#include <stdlib.h>
5 |
../lib/malloc.c: In function 'rpl_malloc':
../lib/malloc.c:16:15: error: too many arguments to function 'malloc'; expected 0, have 1
https://gcc.gnu.org/gcc-15/porting_to.html#c23-fn-decls-without-parameters
Add a patch submitted upstream to correct the prototype.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7b98e2ce2c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
It allows to download files from smb share in buildroot packages.
Usage is specified in manual.
Signed-off-by: Guillaume Chaye <guillaume.chaye@zeetim.com>
[Peter: reword documentation]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e240b889f1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The NVD database contains some CPEs that are wrongly not associated
with any version number. They are for example sometimes associated
with very old CVEs.
Those CPEs are annoying, because they pollute our pkg-stat CVE results
with CVE entries which actually don't affect us.
The proper way to solve it is, and should remain, to fix the NVD
database by reporting these issues. Having to deal with a lot of
CVEs/CPEs, the NVD database is however slow to be updated.
To reduce the noise in our pkg-stats results in the meantime, one
possibility is to add <PKG_IGNORE_CVES> entries for those CVEs. This
however comes with the downside that even once the NVD database gets
fixed, those ignored entries risk remaining in Buildroot forever
because they are undetected.
This commit tries to address this downside by checking for and
reporting CVEs that are ignored in Buildroot, but where the
NVD reports our package version as unaffected. Those CVEs will appear
in the 'CVEs Ignored' column as '(stale)', and the cell will be
colored the same way warnings are. This should allow us to detect and
remove those entries.
It can be tested for example by adding the following variable to the
apache package (for a CVE that was recently fixed in the NVD database):
APACHE_IGNORE_CVES = CVE-1999-0236
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56ea5a0226)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building the bluez5_utils package with HoG plugin without enabling
the HID plugin the following linker error would occur:
```
/workdir/instance-0/output-1/per-package/bluez5_utils/host/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/13.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: profiles/input/bluetoothd-hog.o: in function `hog_disconnect':
hog.c:(.text.hog_disconnect+0x12): undefined reference to `input_get_userspace_hid'
collect2: error: ld returned 1 exit status
```
This patch adds two upstream commits that decouple both the HID
and the HoG plugin.
As a consequence of this patch the HID plugin can be compiled without
the HoG one as well but to keep the compatibility the same in buildroot
the selection of the HoG plugin is kept when selecting the HID plugin.
The error can be reproduced with the following defconfig
```
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_BLUEZ5_UTILS=y
BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_HOG=y
```
Fixes: https://autobuild.buildroot.org/results/78e/78ed7664f3a2dd5858fd71bd63836c822c106cc0
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 57eb26837b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The package opus is selected but it is not listed in the dependencies.
This adds opus to QT5WEBENGINE_DEPENDENCIES.
Fixes:
$ make qt5webengine
(...)
ERROR: Feature 'webengine-system-opus' was enabled, but the pre-condition 'config.unix && libs.webengine-opus' failed.
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 7319e4af19)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
TL;DR; This turns the configure flag -no-feature-webengine-noexecstack
to -feature-webengine-noexecstack to workaround a link issue on ARM
32-bit if chromium requests for an executable stack.
And now, the long story...
The configure flag -no-feature-webengine-noexecstack was introduced with
commit 675cbaf9aa (package/qt5/qt5webengine: bump to version 5.15.8).
That configure flag controls the feature webengine-noexecstack[1][2];
the -no-feature-webengine-noexecstack causes qmake to **NOT** append the
linker flags -Wl,-z,noexecstack[3] to QMAKE_LFLAGS.
It results in the linkage issue below on ARM 32-bit at the creation of
its Qt module, i.e. after qmake has built the chromium third party via
gn:
ulimit -n 4096 && /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot @/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/QtWebEngineCore_o.rsp -Wl,--start-group @/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/QtWebEngineCore_a.rsp -Wl,--end-group -Wl,--fatal-warnings -Wl,--build-id=sha1 -fPIC -Wl,-z,relro -Wl,-z,now -Wl,-z,defs -Wl,-O2 -Wl,--gc-sections --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -Wl,-O1 -Wl,--enable-new-dtags -Wl,-whole-archive -lqtwebenginecoreapi -Wl,-no-whole-archive -Wl,--no-undefined -Wl,--version-script,QtWebEngineCore.version -Wl,-O1 -Wl,--enable-new-dtags -shared -Wl,-soname,libQt5WebEngineCore.so.5 -o libQt5WebEngineCore.so.5.15.14 -latomic /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Quick.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Gui.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5QmlModels.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5WebChannel.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Qml.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Network.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Core.so -lpthread -L/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -latomic -lGLESv2 -lpthread -ldl -lrt -lnss3 -lnssutil3 -lsmime3 -lplds4 -lplc4 -lnspr4 -levent -lresolv -ljpeg -lopus -lm -lz -lvpx -lpng16 -lwebp -lwebpmux -lwebpdemux -lfreetype -lexpat -lfontconfig -lharfbuzz-subset -lharfbuzz -lsnappy -lxml2 -lxslt -ldbus-1 -L/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/api/release -lGLESv2 -lrt -lpthread -ldl
/home/gportay/src/buildroot/output/host/lib/gcc/arm-buildroot-linux-gnueabihf/13.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: warning: /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o: missing .note.GNU-stack section implies executable stack
/home/gportay/src/buildroot/output/host/lib/gcc/arm-buildroot-linux-gnueabihf/13.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
collect2: error: ld returned 1 exit status
The link succeeds if the missing linker flags are appended manually to
the command-line:
ulimit -n 4096 && /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot @/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/QtWebEngineCore_o.rsp -Wl,--start-group @/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/QtWebEngineCore_a.rsp -Wl,--end-group -Wl,--fatal-warnings -Wl,--build-id=sha1 -fPIC -Wl,-z,relro -Wl,-z,now -Wl,-z,defs -Wl,-O2 -Wl,--gc-sections --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -Wl,-O1 -Wl,--enable-new-dtags -Wl,-whole-archive -lqtwebenginecoreapi -Wl,-no-whole-archive -Wl,--no-undefined -Wl,--version-script,QtWebEngineCore.version -Wl,-O1 -Wl,--enable-new-dtags -shared -Wl,-soname,libQt5WebEngineCore.so.5 -o libQt5WebEngineCore.so.5.15.14 -latomic /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Quick.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Gui.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5QmlModels.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5WebChannel.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Qml.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Network.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Core.so -lpthread -L/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -latomic -lGLESv2 -lpthread -ldl -lrt -lnss3 -lnssutil3 -lsmime3 -lplds4 -lplc4 -lnspr4 -levent -lresolv -ljpeg -lopus -lvpx -lm -lpng16 -lwebp -lwebpmux -lwebpdemux -lfreetype -lexpat -lfontconfig -lharfbuzz-subset -lharfbuzz -lsnappy -lxml2 -lxslt -ldbus-1 -L/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/api/release -lGLESv2 -lrt -lpthread -ldl -Wl,-z,noexecstack && echo completed
completed
Note: The configure flag is not forwarded to chromium in any manner; its
scope is limited to the Qt WebEngine module. That configure flag appears
to be a workaround if the does not assemble, compile and link the Elf
object correctly[4][5].
The linker flag -z noexecstack is responsible for marking the object as
not requiring an executable stack by adding the section .note.GNU-stack
in the Elf object.
The file SaveRegisters_arm.S is assembled from the command-line below;
there is no noexecstack flag set:
/home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-gcc -MMD -MF obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o.d -DARM=1 -DUSE_UDEV -DUSE_AURA=1 -DUSE_NSS_CERTS=1 -DUSE_OZONE=1 -DOFFICIAL_BUILD -DTOOLKIT_QT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DNO_UNWIND_TABLES -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -DCR_SYSROOT_HASH=c2e54f675b83a61301dcdb22e8e7a2b85c01d58c -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -Igen -I../../3rdparty/chromium -fPIC -fno-strict-aliasing --param=ssp-buffer-size=4 -fstack-protector -fno-unwind-tables -fno-asynchronous-unwind-tables -fPIC -pipe -pthread -std=gnu11 -march=armv7-a -mfloat-abi=hard -mtune=generic-armv7-a -mfpu=vfpv3-d16 -marm -g0 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -c ../../3rdparty/chromium/third_party/blink/renderer/platform/heap/asm/SaveRegisters_arm.S -o obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o
The GNU assembler supports the assembler flag -Wa,--{,no}execstack to
require, or not, an executable stack for the object to assemble.
The BUILD.gn does **NOT** set it for the assembler files of the blink
third-party; but it does it for boringssl[6] (see also the project file
CMakeLists.txt[7]).
See below what readelf says if the file is assembled manually with the
flag --noexecstack:
$ /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-gcc -MMD -MF obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o.d -DARM=1 -DUSE_UDEV -DUSE_AURA=1 -DUSE_NSS_CERTS=1 -DUSE_OZONE=1 -DOFFICIAL_BUILD -DTOOLKIT_QT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DNO_UNWIND_TABLES -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -DCR_SYSROOT_HASH=c2e54f675b83a61301dcdb22e8e7a2b85c01d58c -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -Igen -I../../3rdparty/chromium -fPIC -fno-strict-aliasing --param=ssp-buffer-size=4 -fstack-protector -fno-unwind-tables -fno-asynchronous-unwind-tables -fPIC -pipe -pthread -std=gnu11 -march=armv7-a -mfloat-abi=hard -mtune=generic-armv7-a -mfpu=vfpv3-d16 -marm -g0 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -c ../../3rdparty/chromium/third_party/blink/renderer/platform/heap/asm/SaveRegisters_arm.S -o obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o -Wa,--noexecstack
$ readelf -a /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o
(...)
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
(...)
[ 4] .note.GNU-stack PROGBITS 00000000 000058 000000 00 0 0 1
The section the linker claims for is now part of the Elf object; and
qmake is now able to link its Qt WebEngine module.
Note: Alternatively, the patching the file SaveRegisters_arm.S to set
explicitly the section in the source file works as well (this reduces
the impact to the very single file causing the link issue):
#if defined(__linux__) && defined(__ELF__)
.section .note.GNU-stack,"",%progbits
#endif
Instead of fixing directly the origin of the issue and setting the
missing assembler flag -Wa,--noexecstack to blink; this works around the
link issue by turning on the feature noexecstack to qtwebengine to force
qmake to link its module using the linker flag -Wl,-z,noexecstack.
[1]: https://github.com/qt/qtwebengine/blob/5.15.14/src/buildtools/configure.json#L353-L357
[2]: https://github.com/qt/qtwebengine/blob/5.15.14/src/buildtools/configure.json#L720-L724
[3]: https://github.com/qt/qtwebengine/blob/5.15.14/src/buildtools/config/linking.pri#L61-L62
[4]: 597359a16a
[5]: https://codereview.qt-project.org/c/qt/qtwebengine/+/263545
[6]: https://github.com/qt/qtwebengine-chromium/blob/87-based/chromium/third_party/boringssl/src/util/BUILD.toplevel#L64
[7]: https://github.com/qt/qtwebengine-chromium/blob/87-based/chromium/third_party/boringssl/src/crypto/CMakeLists.txt#L33
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit aa017484ea)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the code snippet below, which typically is used to check if
C++ support can be enabled.
If we manually set CMAKE_CXX_COMPILER to /bin/false, then cmake
will assume that it's fine, without having a real check. Otherwise,
it will do a test run but somehow it falls back to /bin/c++, even
when cross-compiling. Fix that by setting CXX to /bin/false.
```cmake
include(CheckLanguage)
check_language(CXX)
if(CMAKE_CXX_COMPILER)
enable_language(CXX)
endif()
```
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b34e0d27ab)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This updates the VC4/V3D driver messages with the addition of the
current supported hardwares (VideoCore and Raspberry Pi).
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 15cfdf4915)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The Gallium VC4 driver does not require NEON[1]; Gallium V3D does. Also,
the Gallium VC4 driver supports the Raspberry Pi from 0 to 3[2].
Mesa’s VC4 graphics driver supports multiple implementations of
Broadcom’s VideoCore IV GPU. It is notably used in the Raspberry
Pi 0 through Raspberry Pi 3 hardware, and the driver is included
as an option as of the 2016-02-09 Raspbian release using
raspi-config. On most other distributions such as Debian or
Fedora, you need no configuration to enable the driver.
This reverts commit a5cdb54ed7.
That commit is superseded by 85c95e3614
that patches the sources to disable NEON via an option[3]; the sources
using NEON (tiling) are disabled if the CPU does not have that feature.
Thus, the VC4 driver compiles with toolchain without the NEON support
enabled as the one targetting the Raspberry Pi (ARMv6).
This removes the depends on BR2_ARM_CPU_HAS_NEON config since a meson
option disables NEON if the CPU does not support for it. It allows
building Gallium VC4 on Raspberry Pi, Raspberry Pi Zero and Compute
Module.
Note: kmscube with OpenGLES and Gallium/VC4 runs on Raspberry Pi B+ Rev
1.2.
# uname -a
Linux buildroot 6.12.20 #1 Fri Apr 25 02:54:03 CEST 2025 armv6l GNU/Linux
# cat /sys/firmware/devicetree/base/model
Raspberry Pi Model B Plus Rev 1.2#
# dmesg
(...)
[ 39.817806] rpi-gpiomem 20200000.gpiomem: window base 0x20200000 size 0x00001000
[ 39.837139] rpi-gpiomem 20200000.gpiomem: initialised 1 regions as /dev/gpiomem
[ 40.693845] Console: switching to colour dummy device 80x30
[ 40.717223] vc4-drm soc:gpu: bound 20400000.hvs (ops vc4_hvs_ops [vc4])
[ 40.793911] vc4-drm soc:gpu: bound 20400000.hvs (ops vc4_hvs_ops [vc4])
[ 40.824330] Registered IR keymap rc-cec
[ 40.828596] rc rc0: vc4-hdmi as /devices/platform/soc/20902000.hdmi/rc/rc0
[ 40.844139] input: vc4-hdmi as /devices/platform/soc/20902000.hdmi/rc/rc0/input0
[ 40.873434] input: vc4-hdmi HDMI Jack as /devices/platform/soc/20902000.hdmi/sound/card0/input1
[ 40.895848] vc4-drm soc:gpu: bound 20902000.hdmi (ops vc4_hdmi_ops [vc4])
[ 40.914034] vc4-drm soc:gpu: bound 20004000.txp (ops vc4_txp_ops [vc4])
[ 40.921843] vc4-drm soc:gpu: bound 20206000.pixelvalve (ops vc4_crtc_ops [vc4])
[ 40.943543] vc4-drm soc:gpu: bound 20207000.pixelvalve (ops vc4_crtc_ops [vc4])
[ 40.951969] vc4-drm soc:gpu: bound 20807000.pixelvalve (ops vc4_crtc_ops [vc4])
[ 40.983322] vc4-drm soc:gpu: bound 20c00000.v3d (ops vc4_v3d_ops [vc4])
[ 41.010210] [drm] Initialized vc4 0.0.0 for soc:gpu on minor 0
[ 41.151906] Console: switching to colour frame buffer device 240x67
[ 41.223414] vc4-drm soc:gpu: [drm] fb0: vc4drmfb frame buffer device
# kmscube
Using display 0x1f12530 with EGL version 1.4
===================================
EGL information:
version: "1.4"
vendor: "Mesa Project"
client extensions: "EGL_EXT_client_extensions EGL_EXT_device_base EGL_EXT_device_enumeration EGL_EXT_device_query EGL_EXT_platform_base EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_EXT_platform_device EGL_EXT_explicit_device EGL_MESA_platform_gbm EGL_KHR_platform_gbm EGL_MESA_platform_surfaceless"
display extensions: "EGL_ANDROID_blob_cache EGL_ANDROID_native_fence_sync EGL_EXT_buffer_age EGL_EXT_image_dma_buf_import EGL_EXT_image_dma_buf_import_modifiers EGL_KHR_cl_event2 EGL_KHR_config_attribs EGL_KHR_context_flush_control EGL_KHR_create_context EGL_KHR_create_context_no_error EGL_KHR_fence_sync EGL_KHR_get_all_proc_addresses EGL_KHR_gl_colorspace EGL_KHR_gl_renderbuffer_image EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_image EGL_KHR_image_base EGL_KHR_image_pixmap EGL_KHR_no_config_context EGL_KHR_reusable_sync EGL_KHR_surfaceless_context EGL_EXT_pixel_format_float EGL_KHR_wait_sync EGL_MESA_configless_context EGL_MESA_drm_image EGL_MESA_gl_interop EGL_MESA_image_dma_buf_export EGL_MESA_query_driver "
===================================
OpenGL ES 2.x information:
version: "OpenGL ES 2.0 Mesa 24.0.9"
shading language version: "OpenGL ES GLSL ES 1.0.16"
vendor: "Broadcom"
renderer: "VC4 V3D 2.1"
extensions: "GL_EXT_blend_minmax GL_EXT_multi_draw_arrays GL_EXT_texture_compression_s3tc GL_EXT_texture_compression_dxt1 GL_EXT_texture_format_BGRA8888 GL_OES_compressed_ETC1_RGB8_texture GL_OES_depth24 GL_OES_element_index_uint GL_OES_fbo_render_mipmap GL_OES_mapbuffer GL_OES_rgb8_rgba8 GL_OES_stencil8 GL_OES_texture_npot GL_OES_vertex_half_float GL_OES_EGL_image GL_OES_depth_texture GL_AMD_performance_monitor GL_OES_packed_depth_stencil GL_OES_get_program_binary GL_APPLE_texture_max_level GL_EXT_discard_framebuffer GL_EXT_read_format_bgra GL_NV_pack_subimage GL_NV_texture_barrier GL_EXT_frag_depth GL_NV_fbo_color_attachments GL_OES_EGL_image_external GL_OES_EGL_sync GL_OES_vertex_array_object GL_ANGLE_pack_reverse_row_order GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_EXT_unpack_subimage GL_NV_draw_buffers GL_NV_read_buffer GL_NV_read_depth GL_NV_read_depth_stencil GL_NV_read_stencil GL_APPLE_sync GL_EXT_draw_buffers GL_EXT_map_buffer_range GL_KHR_debug GL_KHR_texture_compression_astc_ldr GL_NV_generate_mipmap_sRGB GL_NV_pixel_buffer_object GL_OES_required_internalformat GL_OES_surfaceless_context GL_EXT_debug_label GL_EXT_separate_shader_objects GL_EXT_compressed_ETC1_RGB8_sub_texture GL_EXT_draw_elements_base_vertex GL_EXT_texture_border_clamp GL_KHR_context_flush_control GL_OES_draw_elements_base_vertex GL_OES_texture_border_clamp GL_KHR_no_error GL_KHR_texture_compression_astc_sliced_3d GL_EXT_texture_compression_s3tc_srgb GL_KHR_parallel_shader_compile GL_MESA_tile_raster_order GL_MESA_sampler_objects GL_MESA_bgra "
===================================
Rendered 120 frames in 2.000020 sec (59.999400 fps)
[1]: 932ed9c00b
[2]: https://docs.mesa3d.org/drivers/vc4.html
[3]: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/4114
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3f1f404b5c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit [1] introduced the firmware-ele-imx package and was
using the "mx93a1-ahab-container.img" firmware image for i.MX91.
For i.MX91, it is in fact the firmware file "mx91a0-ahab-container.img"
which needs to be used.
This commit adds this special case.
[1] 69d127fe29
Signed-off-by: Juan Pablo MONTERO CASTRO <juanpablo.monterocastro@nxp.com>
[Julien: split original commit 2/3]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1ce2484a8b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit [1] "package/binutils: make 2.43 the default version",
the freescale_t1040d4rdb_defconfig fails to build the Linux
kernel, with the error:
arch/powerpc/boot/util.S: Assembler messages:
arch/powerpc/boot/util.S:49: Error: junk at end of line, first unrecognized character is `0'
arch/powerpc/boot/util.S:54: Error: syntax error; found `b', expected `,'
arch/powerpc/boot/util.S:54: Error: junk at end of line: `b'
This commit fixes the issue by updating the Linux kernel to the latest
LTS version.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/9967089767
[1] 360fd01de2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6ad8090920)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The last usage of each_product() was removed in commit
52ae092046 ("support/scripts/cve.py: use
the JSON data in 1.1 schema").
Since it's now unused, remove it.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d0a7a46813)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the bump of rpm from 4.17.0 to 4.18.0 in Buildroot commit
4b4046e919, tools/rpmuncompress.c uses
basename() without including <libgen.h> which causes a build failure
with the musl C library:
tools/rpmuncompress.c: In function ‘doUntar’:
tools/rpmuncompress.c:100:30: error: implicit declaration of function ‘basename’ [-Wimplicit-function-declaration]
100 | const char *bn = basename(fn);
| ^~~~~~~~
tools/rpmuncompress.c:100:30: error: initialization of ‘const char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
make[4]: *** [Makefile:1082: tools/rpmuncompress.o] Error 1
This issue was not found by the autobuilders, but it can be reproduced
with:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_LUA=y
BR2_PACKAGE_RPM=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 745aa4d060)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
GCC 14.x brought some more strict checks on pointer types, causing a
build issue in the rpm package when python support is enabled. These
issues have been fixed upstream, initially because Clang >= 16 also
added similar stricter checks.
The build issue goes like this:
header-py.c:744:9: error: initialization of 'Py_hash_t (*)(PyObject *)' {aka 'int (*)(struct _object *)'} from incompatible pointer type 'long int (*)(PyObject *)' {aka 'long int (*)(struct _object *)'} [-Wincompatible-pointer-types]
744 | hdr_hash, /* tp_hash */
| ^~~~~~~~
header-py.c:744:9: note: (near initialization for 'hdr_Type.tp_hash')
make[3]: *** [Makefile:664: header-py.lo] Error 1
make[3]: *** Waiting for unfinished jobs....
It never happened in the autobuilders, but it can be reproduced with
the following configuration:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LUA=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_RPM=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67e10ac898)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
If an attempt is made to create a UBI volume and it already exists, the
operation fails. Therefore, before requesting the creation of a UBI
volume, we erase the entire NAND to ensure that no errors occur.
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 97ac89eb11)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The V4L2 code in the ffmpeg plugin uses V4L2_PIX_FMT_BGRA32 which was
only introduced in kernel headers 5.2, in upstream kernel commit
e25ec9141114c7124eeba09385e272dd76fbe617.
Fixes:
/home/thomas/buildroot/buildroot/outputs/qt/build/qt6multimedia-6.8.1/src/plugins/multimedia/ffmpeg/qv4l2camera.cpp:36:43: error: ‘V4L2_PIX_FMT_BGRA
32’ was not declared in this scope; did you mean ‘V4L2_PIX_FMT_BGR32’?
36 | { QVideoFrameFormat::Format_BGRA8888, V4L2_PIX_FMT_BGRA32 },
| ^~~~~~~~~~~~~~~~~~~
| V4L2_PIX_FMT_BGR32
when building:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_XCB=y
BR2_PACKAGE_QT6MULTIMEDIA=y
BR2_PACKAGE_QT6MULTIMEDIA_FFMPEG=y
BR2_PACKAGE_XORG7=y
at a time when the Bootlin stable toolchain was using Linux 4.19
headers.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit fe783b16b3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The following defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_XCB=y
BR2_PACKAGE_QT6MULTIMEDIA=y
BR2_PACKAGE_QT6MULTIMEDIA_FFMPEG=y
BR2_PACKAGE_XORG7=y
would fail to build, due to <X11/extensions/Xext.h> being not found,
and then <X11/extensions/Xrandr.h> being not found. Fix that up by
introducing the necessary dependencies.
There are no build failures reported for qt6multimedia in the
autobuilders, so there is no reference to a build failure.
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 04d1ee0105)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
ERROR: Feature "xcb": Forcing to "ON" breaks its condition:
QT_FEATURE_thread AND TARGET XCB::XCB AND TEST_xcb_syslibs AND QT_FEATURE_xkbcommon_x11
Condition values dump:
QT_FEATURE_thread = "ON"
TARGET XCB::XCB found
TEST_xcb_syslibs = "FALSE"
QT_FEATURE_xkbcommon_x11 not evaluated
The xcb feature is defined in [2].
According to [1] XCB::CURSOR is needed for xcb support.
[1] https://code.qt.io/cgit/qt/qtbase.git/tree/src/gui/configure.cmake?h=6.9.0#n522
[2] https://code.qt.io/cgit/qt/qtbase.git/tree/src/gui/configure.cmake?h=6.9.0#n1016
This bug was introduced in e634be8906,
and fixes the build with the following defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_GUI=y
BR2_PACKAGE_QT6BASE_XCB=y
BR2_PACKAGE_XORG7=y
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit adff0d37ba)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot packaging pretty much assumes that the sources it downloads
are publicly available. In general, however, Buildroot is also used to
download sources from private repositories. Nowadays, that mostly means
from a github or gitlab instance.
Although git-over-ssh can be used for that, this poses a problem for CI,
because the CI runners integrated with github and gitlab only have
access to the repository itself, not to other private repositories. And
creating ssh key pairs for CI runners is tricky.
Therefore, document how standard tools can be used to make private
repositories available both to developers and to CI. There are quite a
few alternative approaches possible, but they're more complicated or
less generically applicable.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
[Peter: Fix insteadOf example, capitalize SSH/HTTPS]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1026abbcf9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixup S20audit to pass shellcheck -oall and check-package. The file now
closely resembles package/busybox/S01syslogd.
Tested with qemu_x86_64_defconfig. start, stop, restart, reload, and rotate
all work with busybox ash shell.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Arnout: remove it from .checkpackageignore]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit cbabeb5077)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The new version bundles an updated gnulib that includes support for
-std=c23 which is the default for gcc 15.
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit d9aabc1af3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 7dd56b6cd9 ("boot/grub2/readme.txt: don't specify /dev/loop0")
changed the description of the loopback mounting to use losetup -f <img>,
but forgot to add the --show option, causing losetup to not print the
loopback device name.
Fix that by adding the --show option.
Signed-off-by: Cherniaev Andrei <dungeonlords789@naver.com>
[Peter: Reword commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a480ae9ffe)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Currently, list-defconfigs only lists the defconfigs that live
live in the top-level configs/ directory. For the in-tree defconfigs
this is indeed the case, but it is possible to manage the configs in a
br2-external tree with sub-directories.
A few examples:
- for a given board, a first defconfig is the full system, and a
second is the rescue system;
- for a given board, two defconfigs implement an A/B feature set;
- a set of configurations targetting various famillies of systems each
running on different hardware, sorted per familly.
Extend list-defconfigs to look for and report defconfigs in
sub-directories of the top-level configs/.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 5009fd2436)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Note: this test was not working in Buildroot test infrastructure
before commit [1] was merged, because dieharder has the string "# "
in its output.
[1] 0cad947b96
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit e9498b4faa)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
PYTHON_FOO_BUILD_OPTS are passed to the build module call of the package
build, this allows passing options to the python build *backend* by
using the --config-setting= option. setup.py is no longer involved since
even the setuptools backend now used the pep517 build method.
The note about the options being passed to
support/scripts/pyinstaller.py seems to be no longer accurate.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Arnout: also mention -C (suggested by James)]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit b15cd1d8fe)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
While in theory, the fastapi tests finds problems with the pydantic
package, it's not obvious that this test should be run when the pydantic
package is updated.
Add a new test that just covers pydantic.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 45321879e1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
than the amount of remaining packet data in the current state of
parsing. As a result, values of stack memory locations may be sent
over the network in a response.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-32366
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a8cfe9986c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the board flashing by adding the bootloader, which I had mistakenly
forgotten to include in the script.
Fixes: 322e8d8451 ("configs/imx6ulz_bsh_smm_m2_defconfig: new defconfig")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a7ea1e658d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-32743
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
[Julien: add link to cve]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6c4da559cc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Release notes:
- ver 1.44:
* Fix issue with handling oFono context integration.
* Fix issue with handling web context for online detection.
* Fix issue with handling flags used when deleting routes.
* Fix issue with handling PAC proxy integration.
- ver 1.43:
* Fix issue with device creation when using LTE.
* Fix issue with regulatory domain when powering up.
* Fix issue with resolving ISO3166 code from timezone data.
* Fix issue with handling DNS proxy zero termination of buffers.
* Fix issue with handling DHCP packet length in L3 mode.
* Fix issue with handling DHCP upper length checks.
* Fix issue with handling IPv6 and URL parsing.
* Fix issue with handling online check updates.
* Fix issue with handling proxy method and WISPr.
* Fix issue with handling default gateway setup.
* Add support for low-priority default routes.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ce9a64b5d1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The commit [1] updated the version of libical to version 3.0.20 which
included a number of build fixes for newer CMake version.
This patch is not included in the 2025.02.x branch and libical remained
subject to a number of build error with CMake 4.
This patch backport the fix to remove the usage of the now deprecated
CMP0005 policy with CMake version 4 (see [2]).
[1] 8cdeeb536c package/libical: bump to version 3.0.20
[2] https://cmake.org/cmake/help/latest/policy/CMP0005.html
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issues:
CVE-2025-24223
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to rheza (@ginggilBesel) and an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to
memory corruption. Description: The issue was addressed with
improved memory handling.
WebKit Bugzilla: 287577
CVE-2025-31204
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Nan Wang (@eternalsakura13).
Impact: Processing maliciously crafted web content may lead to
memory corruption. Description: The issue was addressed with
improved memory handling.
WebKit Bugzilla: 291506
CVE-2025-31205
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Ivan Fratric of Google Project Zero.
Impact: A malicious website may exfiltrate data cross-origin.
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 290992
CVE-2025-31206
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash. Description: A type confusion issue was
addressed with improved state handling.
WebKit Bugzilla: 290834
CVE-2025-31215
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Jiming Wang and Jikai Ren.
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash. Description: The issue was addressed with
improved checks.
WebKit Bugzilla: 288814
CVE-2025-31257
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Juergen Schmied of Lynck GmbH.
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash. Description: This issue was addressed with
improved memory handling.
WebKit Bugzilla: 290985
https://webkitgtk.org/security/WSA-2025-0004.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a09fcf7c6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
CVE-2025-4207: PostgreSQL GB18030 encoding validation can read one byte past
end of allocation for text that fails validation
A buffer over-read in PostgreSQL GB18030 encoding validation allows a
database input provider to achieve temporary denial of service on platforms
where a 1-byte over-read can elicit process termination. This affects the
database server and also libpq.
https://www.postgresql.org/about/news/postgresql-175-169-1513-1418-and-1321-released-3072/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a8f53a907b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit [1], the host-nodejs package was turned into a virtual
package. However, the target nodejs package was intentionally not
turned into a virtual package and became an empty package.
The reason for this is:
- No alternatives providers were introduced for the target nodejs
package.
- The Config.in remained unchaged for the target package.
As a result, running `make show-info` with a config that includes the
target nodejs package, outputs an entry for the empty package:
```
"nodejs": {
"type": "target",
"name": "nodejs",
"virtual": false,
"version": "",
...
"cpe-id": "cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*"
},
```
This can be an issue because the CPE ID of the empty nodejs package
is the following `cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*`.
Reporting such a CPE ID can be an issue for certain software that consume
the SBOM and could be interpreted as CPE that matches with every versions
of the package.
This patch converts the target nodejs package into a virtual package to
prevents the empty package from being included in the SBOM.
[1] 4cbc2af604 package/nodejs: rename to nodejs-src and convert to virtual package
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Tested-by: johan.derycke@barco.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ccf3536fcb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Version 6.1.2 of ffmpeg fails to build with GCC 14.x due to the V4L2
ioctl code:
libavdevice/v4l2.c:137:17: error: assignment to ‘int (*)(int, long unsigned int, ...)’ from incompatible pointer type ‘int (*)(int, int, ...)’ [-W
incompatible-pointer-types]
137 | s->ioctl_f = prefix ## ioctl; \
| ^
libavdevice/v4l2.c:151:9: note: in expansion of macro ‘SET_WRAPPERS’
151 | SET_WRAPPERS();
| ^~~~~~~~~~~~
This has been fixed upstream in the release/6.1 branch, which has 27
fixes on top of 6.1.2. The commits necessary to fix our issue are:
f71076c009f84917e7a0f2f1ece86b718de2d8d3 configure: improve check for POSIX ioctl
60593d6c06c9b610359bd6af26a268feff1293eb configure: restore autodetection of v4l2 and fbdev
However, since all other commits are fixes, we believe bumping to the
latest commit in the release/6.1 branch is a better idea.
This allows to drop
0008-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch, which
is upstream as of:
4c688845a50f7dce3af9afebe60f0f7a493c4f07 libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43
Note that we set FFMPEG_CPE_ID_VERSION to get proper CVE matching even
with FFMPEG_VERSION being set to n6.1.2-27-ge16ff06adb. One who have
ideally set FFMPEG_VERSION to n$(FFMPEG_CPE_ID_VERSION)-ge16ff06adb,
but that makes check-package unhappy with:
WARNING: package/ffmpeg/ffmpeg.mk:7: expecting package version to be set before CPE_ID_VERSION
Fixes:
https://autobuild.buildroot.net/results/fe1574443acd50ca7e576bb4beb24467be1713e3/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 32df543fa3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
Build with gcc-15 was fixed upstream in 10.11.11:
https://github.com/MariaDB/server/commit/1d6f857
Remove patch, since the problem was fixed upstream:
https://github.com/MariaDB/server/commit/4375245
After bumping the version to 10.11.11 the configuration step failed for target:
CMake Error: try_run() invoked in cross-compiling mode, please set the following cache variables appropriately:
HAVE_SYSTEM_LIBFMT_EXITCODE (advanced)
To fx this problem we set HAVE_SYSTEM_LIBFMT_EXITCODE=0.
Fix legal-info after changes to README.md.
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6cd8f95346)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
dbus has a session socket directory configuration setting,
that, if not set, will be autodeducted based on env vars
like TMPDIR during configuration time.
Becuse of that, the builder's environment variables will
lead to an image with a broken session bus while
leaking builder's details to the image.
Add an explicit setting of session-socket-dir to /tmp dir.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/issues/67
Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
Reviewed-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit f777c79912)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
A set of `unterminated-string-initialization` errors appeared when
building the micropython package with GCC15 on the host.
The autobuilder failed to build the package micropython with the
following error:
```
CC ../py/emitinlinethumb.c
../py/emitinlinethumb.c:153:9: error: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (4 chars into 3 available) [-Werror=unterminated-string-initialization]
153 | {0, "r0\0"},
| ^~~~~~
../py/emitinlinethumb.c:154:9: error: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (4 chars into 3 available) [-Werror=unterminated-string-initialization]
154 | {1, "r1\0"},
| ^~~~~~
...
```
This patch adds the set of upstream commits to fix the compatbility with
GCC15 (see [1]).
The patches were backported to micropython v1.22.2. The main difference
with the upstream version is that since the v1.23, the project removed the
use of the `STATIC` macro (see [2]).
Also, in the codebase of v1.22.2 the 'unterminated-string-initialization'
error occured in another file that was reworked in the patch [3] and
included in v1.25. This patch is included as well to remove the error in
v1.22.2.
[1] package/micropython/0003-Fixes-for-GCC-15-1-unterminated-string-literal-warning.patch
[2] decf8e6a8b
[3] package/micropython/0002-py-emitinlinextensa-Simplify-register-name-lookup.patch
Fixes: https://autobuild.buildroot.org/results/fdf/fdf1d7c3e3a51e6fc7fa5abea57de6c9ce792015
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0814b614c2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Inspired by
c250c61cc3
"GCC 15 defaults to C23. The last release of this package was over a
decade ago, and it is no longer maintained, therefore it should not be
expected to compile to the latest standards."
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c1d422edde)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit adds the same patch that was already added to GDB 14.x,
15.x and 16.x to fix a GCC 15.x build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit dc0691f038)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit backports an upstream patch fixing the bundled readline
library so that it builds with GCC 15.x.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 56c834400e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
bash uses K&R function declarations which have been removed in C23.
Since part of the build process (like the mkbuiltins helper) is written
in C, building bash now fails on hosts with GCC 15 (which defaults to
C23).
Since properly fixing this on the source code level is a larger
endeavor, just set the C standard to an old enough version for now.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6d09b25d08)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
On systems running GCC 15, host-cpio will fail to build with errors like
copyout.c:646:12: error: too many arguments to function 'xstat'; expected 0, have 2
and
main.c:407:13: error: assignment to 'int (*)(void)' from incompatible pointer type 'int (*)(const char * restrict, struct stat * restrict)' [-Wincompatible-pointer-types]
This was reported[1] and fixed upstream, but there is no new release
yet. Import the upstream patch for now.
Fixes:
https://autobuild.buildroot.org/results/a10c5f2b0f9cb05b2550fe97f1133deaaac97277/
(and many more)
[1] https://lists.gnu.org/archive/html/bug-cpio/2025-05/msg00000.html
Signed-off-by: Florian Larysch <fl@n621.de>
[Julien:
- add missing "Signed-off-by:" in patch to fix check-package error
- change "Upstream:" link to use the commitdiff in patch
- add "Fixes:" in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e3cae9e1ca)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When using host gcc 15, host-gmp fails at configure time with
error message:
configure: error: could not find a working compiler, see config.log for details
The error is due to the macro GMP_PROG_CC_WORKS in the file
acinclude.m4 containing C-code declaring functions without declaring
its parameters. This construct is now an error in C23, which is the
new default in gcc 15. See:
https://gcc.gnu.org/gcc-15/porting_to.html#c23
This commit fixes the issue by adding a package patch from
upstream changesets, not yet published in a release.
Even if gcc 15 is not yet included in Buildroot, this commit also
sets _AUTORECONF = YES for the target package in order to have this
package already fixed.
Fixes:
https://autobuild.buildroot.org/results/623634fa7bbeceeb6d90b15ce0abb1b9b4b24045/
Tested-by: Brigham Campbell <me@brighamcampbell.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 31569bcc1b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When compiling host-m4 1.4.19 with a host gcc 15 (which is the version
included in Fedora 42, released on 2025-04-15), compilation fails with
error:
In file included from gl_avltree_oset.h:21,
from gl_avltree_oset.c:21:
gl_oset.h:275:1: warning: 'nodiscard' attribute ignored [-Wattributes]
275 | GL_OSET_INLINE _GL_ATTRIBUTE_NODISCARD int
| ^~~~~~~~~~~~~~
gl_oset.h:275:40: error: expected identifier or '(' before 'int'
275 | GL_OSET_INLINE _GL_ATTRIBUTE_NODISCARD int
| ^~~
This error is due to the gnulib copy included in m4 1.4.19, which does
not detect properly the default C language standard of gcc 15 which
has been changed from "gnu17" to "gnu23". See [1]. Note that m4 1.4.19
is the latest version available at the time of this commit, and was
released in May 2021. The issue is tracked upstream in [2].
Upcoming m4 release is expected to fix this issue, by updating its
gnulib copy. See [3], which states: "Update to comply with newer C
standards, and inherit portability improvements from gnulib".
Until this new m4 version is released, this commit fixes the issue by
forcing the C langage standard to "-std=gnu17" (the previous gcc
default) when host-gcc 15 is detected.
Note that the "-std=gnu17" option was introduced in gcc 8. See [4].
This is the reason why this patch adds this option only when the
problematic gcc 15 version is detected.
See also the discussions around this patch at [5].
Fixes:
https://autobuild.buildroot.org/results/1c33ef0a710cfae13e496485787b351c8f951217/
(and many, many others)
[1] https://gcc.gnu.org/gcc-15/changes.html#c
[2] https://savannah.gnu.org/support/?111150
[3] https://git.savannah.gnu.org/cgit/m4.git/commit/?h=branch-1.4&id=a22c9802dd7e724eaefb21dc21d84ac2d3a49c89
[4] https://gcc.gnu.org/gcc-8/changes.html#c
[5] https://lore.kernel.org/buildroot/CAPWx8vsoJUt8YMJG1aUqFRK1=yizNbgjVjGL1Q1+9ygjJGnZLA@mail.gmail.com/
Signed-off-by: Joseph Zikusooka (ZIK) <zik@jambula.net>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
[Julien:
- change mail url to lore.kernel.org for stable link
- reword, reflow and add extra info in the commit log
- force -std=gnu17 only when host gcc-15 is detected
- add a comment in .mk to remove the workaround at next bump
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7a07a9d155)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
A basic Fedora 42 container does not have 'awk' installed, but it is
needed by Buildroot. First by check-host-python3.sh:
support/dependencies/check-host-python3.sh: line 6: awk: command not found
support/dependencies/check-host-python3.sh: line 19: awk: command not found
support/dependencies/check-host-python3.sh: line 19: awk: command not found
but then even building host-expat assumes awk is available:
config.status: creating Makefile
./config.status: line 1404: awk: command not found
config.status: creating expat.pc
./config.status: line 1404: awk: command not found
Since it's a pretty basic tool, make it part of the tools checked by
dependencies.sh. One minor annoyance is that check-host-python3.sh is
executed *before* dependencies.sh does its thing, so when 'awk' is not
available, we end up seeing:
support/dependencies/check-host-python3.sh: line 6: awk: command not found
support/dependencies/check-host-python3.sh: line 19: awk: command not found
support/dependencies/check-host-python3.sh: line 19: awk: command not found
which: no awk in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
You must install 'awk' on your build machine
make: *** [support/dependencies/dependencies.mk:27: dependencies] Error 1
It would be nice to have the awk check *before* it gets used in
check-host-python3.sh, but that's a topic for another patch.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 448ceefa78)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changes:
Set GDB version number to 15.2.
[gdb/python] Make sure python sys.exit makes gdb exit
[gdb/symtab] Revert "Change handling of DW_TAG_enumeration_type in DWARF scanner"
[gdb/testsuite] Add regression test for PR32158
[gdb/testsuite] Add gdb.dwarf2/enum-type-c++.exp, regression test for PR31900.
gdb-15-branch: Clear the X86_XSTATE_MPX bit in XCRO for x32
Recognize -2 as a tombstone value in .debug_line
[gdb] Handle ^C during disassembly
Mark unavailable bytes of limited-length arrays when allocating contents
gdb/solib-frv: move lm_info object to solib
Fix loading a saved recording
Bump GDB's version number to 15.1.90.DATE-git.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e40bf89e40)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changes:
Set GDB version number to 16.3.
gstack: [downstream regression] Output file names and line numbers
Fix build failure for gdbserver's raw_compare self test
Fix gdbserver crashes on SVE/SME-enabled systems
gdb: allow selecting default fg/bg colors in tui mode
gdb: Fix assertion failure when inline frame #0 is duplicated
[gdb/tdep] Rewrite i386_canonicalize_syscall
[gdb/record] Fix out-of-bounds write in aarch64_record_asimd_load_store
gdb/dwarf: save DWARF version in dwarf2_loclist_baton, remove it from dwarf2_per_cu
Fix segfault if target_fileio_read_alloc fails
gdb/tui: use wrefresh if output is not surpressed
[gdb/corefiles] Fix segfault in core_target_open
Bump GDB's version number to 16.2.90.DATE-git.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b793160964)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This patch was commited upstream, and released as part of sqlite 3.49.1
However, the configuration system changed between sqlite 3.48 and 3.49
from autotools to autosetup, and this has proven challenging to support
in Buildroot (see `git log package/sqlite`), hence why we are still on
sqlite 3.48.
Therefore, until the package build infrastructure correctly supports
building sqlite 3.49, let's simply import the upstream patch to address
the CVE.
Note: the upstream patch is on the orignal sqlite sources. Buildroot is
using the sqlite "amalgamation" source archive, which basically
concatenate all the source files in a single "sqlite3.c" file. So the
patch was reformated to apply correctly on the sqlite release archive.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-29087
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien:
- reformat patch to be applicable on amalgamated sqlite sources
- add comment in commit log about patch format
- add "Fixes:" in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 835b5659ea)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since its introduction in commit [1], the
friendlyarm_nanopi_r3s_defconfig is failing to build with error:
Incorrect selection of kernel headers: expected 6.12.x, got 6.13.x
The error happens because the defconfig has:
BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_12=y
and
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.13.4"
This commit fixes the issue by setting instead:
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.12.28"
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/9887216429
[1] 41734e00c0
Cc: Sergey Kuzminov <kuzminov.sergey81@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 74c4dd4150)
[Thomas:
Since this has been introduced in LTS branch I set the kernel
version to 6.12.x present in LTS instead of changing the linux header
version.
]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y in the defconfig
and adds custom hash files. The exception entry in .checkpackageignore
is also removed.
Cc: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 683681261b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The 'bird' package with only the `BR2_PACKAGE_BIRD_BFD=y` protocol
enabled fails to build with the following error
```
bison -Dparse.lac=full -Dparse.error=verbose -dv -pcf_ -b obj/conf/cf-parse obj/conf/cf-parse.y
proto/bfd/config.Y:204.27-33: error: symbol 'ADDRESS' is used, but is not defined as a token and has no rules
204 | | bfd_show_sessions_args ADDRESS net_or_ipa { net_copy(&($$->address...
| ^~~~~~~
```
The `ADDRESS` token is defined only when certain protocols (e.g. OSPF,
RIP, RPKI, or BGP) are enabled. As a result, builds including any of
these protocols do not encounter the issue.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_BIRD=y
BR2_PACKAGE_BIRD_BFD=y
# BR2_PACKAGE_BIRD_BGP is not set
EOF
make olddefconfig
make bird
This patch backports upstream commits that define the `ADDRESS` token
for the BFD protocol.
Fixes:
https://autobuild.buildroot.org/results/68c5dd84585a7018ad57ea3e7134748c08858ef7/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 80cfdcb86b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This patch fixes the `S_IFMT` undeclared error in `statx.c` when musl
is used.
Signed-off-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9a672635a1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes a potential NULL pointer dereference
As a side note, this package has many opened CVEs, but upstream doesn't seem
to really consider them as security issues, see their disclaimer here:
https://github.com/yasm/yasm/blob/master/SECURITY.md
We could speculate that this disclaimer has been written as a consequence of
the many small CVEs opened in a short time, that don't have a substantial
security impact (besides the command line tool crashing). All of these small
CVEs have been opened for bug reports issued by a third party who used a
fuzzy tester to manipulate the assembler input
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 875f5670aa)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following CVE:
- CVE-2025-1492: The Bundle Protocol and CBOR dissectors could crash
It may be possible to make Wireshark crash by injecting a malformed
packet onto the wire or by convincing someone to read a malformed
packet trace file.
See https://www.wireshark.org/security/wnpa-sec-2025-01
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 032b268890)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Annoyingly, using "--disable warning" does not disable the warnings
checks.
It turns out that we look for "warnings" (i.e. with an 's') to know if
we should disable the warnings check, so update the help text
accordingly.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 92e7ab78d6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit fd562315, which updated waf to v2.1.1, Buildroot has
encountered issues building mpv, likely due to an outdated version of
the waf build system.
Starting with mpv v0.35, meson was introduced as an alternative to waf,
and in mpv v0.37, waf was completely removed.
This commit updates the mpv makefile to use meson, resolving the build
issues and simplifying future updates to newer versions of mpv.
All options previously used for Waf have been translated to the new
build system by replacing `--disable-feature` with `-Dfeature=disabled`
(and similarly for enabling features). Some features have special
handling:
- The `/usr` prefix is automatically passed to meson packages by
default.
- The Android feature "has been removed since meson can detect if a
machine is Android"[1].
- The `libmpv` parameter has been enabled in the makefile as `libmpv`
must be built by default with mpv.
- Meson packages automatically set whether the library should be built
statically using the `default_library` meson parameter.
- Meson automatically detects the presence of `libatomic` and passes the
correct argument to the linker. However, it is possible to set the
`stdatomic` meson parameter to specify whether `libatomic` must or
must not be used.
Fixes:
https://autobuild.buildroot.org/results/68d42441fc0da34e1bf2a4247726f5f4ec3b8e77/
[1]: 140ec21c89/DOCS/build-system-differences.md (L48)
Signed-off-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
Tested-by: J. Neuschäfer <j.ne@posteo.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8f69974c20)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changelog:
- afa57cc libubus: add support for using channels
- d996988 libubus: close file descriptor after sending it from a request
- 252a9b0 libubus: Make UBUS_* macros work cleanly in C++
- 65bb027 CMakeLists.txt: bump minimum cmake version
- f84eb59 libubus: fix initial subscribe with autosubscribe
- 2b39a27 libubus: fix reconnect with auto subscribe
- b3e8c4e Add auto subscribe support
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9af9b4b304)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changelog:
- 3868f47 blob: constify attr argument to blob_memdup
- eb9bcb6 ustream: prevent recursive calls to the read callback
- 12bda4b CI: add CodeQL workflow tests
- a2fce00 CI: add build test run
- c1be505 udebug: fix crash in udebug_entry_vprintf with longer strings
- 6339204 CMakeLists.txt: bump minimum cmake version
- ca3f6d0 udebug: fix file descriptor initialization for __udebug_buf_map
- df5b714 udebug: add mips specific quirk
- d27acfe udebug: add more checks for uninitialized buffers
- 40acbe3 udebug: wait for response after buffer add/remove
- e84c000 udebug: add inline helper function to test if a buffer is allocated
- 325fea5 udebug: add functions for manipulating entry length
- e80dc00 link librt if needed for shm_open
- 260ad5b udebug: add ulog support
- b77f2a4 uloop: fix build using C++ compilers
- d4c3066 udebug: add udebug library code
- b3fa3d9 uloop: reset flags after __uloop_fd_delete call
- 8a5a431 uloop: fix typo in signal handling rework
- f7d1569 uloop: properly initialize signal handler mask
- 13d9b04 uloop: add support for user defined signal handlers
- 82fa648 uloop: add support for interval timers
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 44c11a6862)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The package strongswan relies on the `wc_RsaKeyToDer` & `wc_MakeRsaKey`
functions of WolfSSL. Building this package with the WolfSSL backend
by selecting the variable `BR2_PACKAGE_STRONGSWAN_WOLFSSL` would give
the following error:
```
libtool: compile: /home/buildroot/instance-0/output-1/host/bin/sparc-linux-gcc -DHAVE_CONFIG_H -I. -I../../../.. -I../../../../src/libstrongswan -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DWC_NO_RNG -rdynamic -Wno-format -Wno-format-security -Wno-implicit-fallthrough -Wno-missing-field-initializers -Wno-pointer-sign -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Og -g0 -include /home/buildroot/instance-0/output-1/build/strongswan-5.9.14/config.h -c wolfssl_ed_public_key.c -o wolfssl_ed_public_key.o >/dev/null 2>&1
wolfssl_rsa_private_key.c: In function 'get_encoding':
wolfssl_rsa_private_key.c:366:31: error: implicit declaration of function 'wc_RsaKeyToDer'; did you mean 'wc_EccKeyToDer'? [-Wimplicit-function-declaration]
366 | len = wc_RsaKeyToDer(&this->rsa, encoding->ptr, len);
| ^~~~~~~~~~~~~~
| wc_EccKeyToDer
libtool: compile: /home/buildroot/instance-0/output-1/host/bin/sparc-linux-gcc -DHAVE_CONFIG_H -I. -I../../../.. -I../../../../src/libstrongswan -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DWC_NO_RNG -rdynamic -Wno-format -Wno-format-security -Wno-implicit-fallthrough -Wno-missing-field-initializers -Wno-pointer-sign -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Og -g0 -include /home/buildroot/instance-0/output-1/build/strongswan-5.9.14/config.h -c wolfssl_ec_private_key.c -o wolfssl_ec_private_key.o >/dev/null 2>&1
wolfssl_rsa_private_key.c: In function 'wolfssl_rsa_private_key_gen':
wolfssl_rsa_private_key.c:490:13: error: implicit declaration of function 'wc_MakeRsaKey'; did you mean 'wc_FreeRsaKey'? [-Wimplicit-function-declaration]
490 | if (wc_MakeRsaKey(&this->rsa, key_size, WC_RSA_EXPONENT, &this->rng) < 0)
| ^~~~~~~~~~~~~
| wc_FreeRsaKey
```
Those functions are only present when building the WolfSSL library with
the keygen supports (`--enable-keygen`).
This patch change the selected package to enable all the option of
WolfSSL, which include the keygen as well.
Fixes:
- https://autobuild.buildroot.org/results/d0e/d0e94f501ad1afd25ae4112443f9af101dfa5dea
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6c18375434)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This version bump removes CVE-2023-7152, which was incorrectly associated
with the micropython package in pkg-stats.
Although the CVE fix was already present in 1.22.0 the CVE only applied
to the preview version of 1.22.0. The CPE ID of the 1.22.0 matched with the
CPE ID of the 1.22.0 preview version as well.
This patch bumps to the latest patch-level version available in the 1.22.x
series to include additional fixes, rather than just adding the CVE to the
'MICROPYTHON_IGNORE_CVES' list.
The LICENSE hash has been updated, as the licenses used for the ports and
libraries have also been updated in the LICENSE file.
For more details on the version bump, see the release notes:
- https://github.com/micropython/micropython/releases/tag/v1.22.2
- https://github.com/micropython/micropython/releases/tag/v1.22.1
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 294e3a40bb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The Config.in comment in the dpdk package was wrong for a number of
reasons:
- It didn't mention the glibc dependency
- It didn't mention the gcc >= 4.9 dependency
- It mentioned a wchar dependency that isn't listed in the dpdk
dependencies
- It mentioned a dynamic library dependency that isn't listed in the
dpdk dependencies
- It used "kernel headers >= 4.19", while for brievity we use "headers
>= 4.19" everywhere in Buildroot
- Minor nit: DPDK was written allcaps, while we write package names
lower-case in Buildroot
Fixes: d17d1b6bde ("package/dpdk: add 24.07")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0e0b65781b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a runtime test for the 'dust' package to verify that the binary
executes correctly in a minimal buildroot rootfs. The test checks that:
- 'dust --version' runs without error
- 'dust' can analyze a directory structure with files
- The output includes the expected directory names
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5bca9d741d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a runtime test for the 'bat' package to verify that the binary executes
correctly in a minimal Buildroot rootfs.The test cheks that:
- 'bat --version' runs without error
- 'bat' can read and display a text file
- the displayed content matches the expected string
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit dacf8e3c39)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The v1 of the patch that is in Buildroot ended up being reworked and
merged from a v2, therefore let's update the patch by using the merged
commit instead.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0f2249a484)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libcamera migrated to use an ioctl for detecting frame sizes which is
only available in kernels 6.4 and later. If it doesn't exist, default
frame sizes are used. However the min and max resolutions supported by
the pipeline weren't initialized for kernels where that ioctl isn't
available and ended up creating invalid configuration that later
crashed.
The introducing commit was part of the v0.4.0 release.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d12d1a7f5e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Release:
https://github.com/bootandy/dust/releases/tag/v1.1.2
Note: version 0.9.0 of dust fails to build when running
the runtime test on the armv7 architecture due to an
unconditional import of Atomicu64.
error:
Compiling config-file v0.2.3
error[E0432]: unresolved import `std::sync::atomic::AtomicU64`
--> src/progress.rs:6:18
|
6 | atomic::{AtomicU64, AtomicU8, AtomicUsize, Ordering},
| ^^^^^^^^^
| |
| no `AtomicU64` in `sync::atomic`
| help: a similar name exists in the module: `AtomicU32`
For more information about this error, try `rustc --explain E0432`.
error: could not compile `du-dust` (bin "dust") due to 1 previous error
This issue was discovered while writing a runtime test
for dust. upgrading to version 1.1.2 resolves the issue.
More details available in the following issue:
https://github.com/bootandy/dust/issues/423
For now, we bump to the latest compatible version
which builds and runs correctly. We can't bump to the latest
version 1.2.0 since it requires a cargo version newer than
1.82.0.
error:
-- The package requires the Cargo feature called `edition2024`, but that feature is not stabilized in this version of Cargo (1.82.0 (8f40fc59f 2024-08-21)).
Consider trying a newer version of Cargo (this may require the nightly release).
The upgrade to 1.2.0 will be considered once the patch for
Rust 1.86.0 is accepted.
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3abc3b97ba)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
1.3.44 added the following security fixes:
* TIFF: Fixed multiple heap and stack buffer overflows (directed by
the source EXIF profile) while writing EXIF into the native TIFF
IFD.
* FITS: Fix problem that the FITS reader could return invalid image
frames with rows or columns set to zero. Other code in the library
crashes, or even asserts, if invalid image frames with rows or
columns set to zero are returned.
* Coverity fixes: Various fixes for Coverity issues raised after the
update to version 2023.12.2.
* Clang Analyzer (scan-build) fixes: Various fixes for new issues
discovered by Clang Analyzer.
7046c34427
In addition 1.3.45 fixes a off-by-one issue introduced in 1.3.44:
96f765a2e3
Update the Copyright.txt hash for a change in copyright years:
f0bba104ee26fce89276
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 055547ff12)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The version bump in [1] introduced the upstream commit [2] which made
builds using toolchain without thread support fail to build libcoap.
This patch adds an option check in the libcoap.mk file to verify
the toolchain has thread support and passes the correct configuration
options introduced in [2] as well.
The build can be tested with the following config.
```
BR2_armeb=y
BR2_cortex_a76_a55=y
BR2_ARM_EABI=y
BR2_ARM_SOFT_FLOAT=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_PACKAGE_LIBCOAP=y
```
Fixes:
https://autobuild.buildroot.org/results/9c0/9c0b675a64fb2576bc34457043f118cffe5fe555//
[1] 4df4d1d312 package/libcoap: bump version to 4.3.5
[2] c69c5d5af0
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 70ca62fb49)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Jugurtha's email address is bounding:
550 5.1.1 The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces.
Remove it from the DEVELOPERS file so that utils/get-developers
doesn't send emails to non-existent addresses.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cd6141ab15)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
linux-tools opportunistically set linux as only a patch dependency. This
unfortunately introduces a race condition in the shared linux scripts
when using PER_PACKAGE_DIRECTORIES and using top level parallelism. The
race manifests as the error "/bin/sh: 1: scripts/basic/fixdep:
Permission denied". This happens when the linux package and the
linux-tools package are being compiled in parallel.
The linux-tools currently using fixdep are perf and rtla. When the
timing is correct, perf, rtla, or the kernel Makefile will try to use
fixdep while one of the others is compiling fixed, resulting in fixdep
being briefly not available.
To fix this, set linux as a build dependency instead of a patch
dependency.
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b074f6b72b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Pixman defaults to building with the riscv vector extension. Instead,
only build with vector if the buildroot user has selected
BR2_RISCV_ISA_RVV.
This option exists since pixman 0.44.0, to which the Buildroot package
was updated as part of Buildroot commit
ba2fb599cd.
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 386e6bb479)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This will be part of 6.15.0 release.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
[Julien: fix check-package error by adding "Upstream:" tag in patch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6bcefa73b1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The "modprobe brcmfmac" command is not necessary because this driver
is automatically loaded.
Remove the "iwconfig" line as it is considered deprecated:
warning: `iwconfig' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
Remove the "-Dwext" parameter as it is not supported by the default kernel
configuration:
wlan0: Unsupported driver 'wext'
Tested Wifi by following the updated commands.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6240b75d0c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Restart would regularly fail because it did not wait for the old
process to be gone before starting the new one. Rewrite the script
according to current style to fix that, and add reload support (see
mosquitto docs for limitations of reload).
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 340a4bd4f8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Importing urllib3 already allows us to check that for example zlib can
be loaded at runtime.
For good measure, also create the PoolManager object mentioned in the
user guide ([1]), and check that we can normalize a URL like it is
done in urllib3's 'test/test_util.py'.
[1]: https://urllib3.readthedocs.io/en/stable/user-guide.html
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3e931caf84)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See release announce [1].
The src/mygetopt.h file license was updated from BSD-4-Clause to
BSD-2-Clause in upstream commit [2]. This change makes this file using
the same license as most other files. So this commit removes the
license entry for this file and update the _LICENSE accordingly.
This commit also replaces the mention "one file" on BSD-3-Clause, to
the actual file name using it, which is "vasprintf.c".
This commit also updates the Config.in package homepage URL,
to use https.
[1] https://mailman.astron.com/pipermail/file/2024-November/001435.html
[2] d605bb4047
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 104449d0cb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 675cbaf9aa (package/qt5/qt5webengine: bump to version 5.15.8)
moved the chromium submodule in a separate qt5webengine-chromium
package. It removed the inclusion of
"package/qt5/qt5webengine/chromium-latest.inc" but forgot to remove
the file.
A similar file was introduced in commit 577d886886
(package/qt5/qt5webengine-chromium: new package), included in its
own qt5webengine-chromium.mk package recipe.
This commit drops the chromium-latest.inc file in qt5webengine
which is no longer used.
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
[Julien: add extra explanation in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 272e56d1ce)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The upstream URL has changed to github.com/python-sdbus/python-sdbus.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[Julien: add link to release note in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e3ba797873)
[Thomas: do not include the bump only the repo address fix]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The bump of packages rpi-firmware and linux have to by synced, since the
linux package does not install yet its device-tree overlay blobs.
This adds a note to remind to keep in sync the versions of rpi-firmware
package and kernel (set in the defconfigs).
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
[Julien: rebase patch to resolve context conflict with commit 80ccb3e667]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5926b3b3ae)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
$ fluent-bit
fluent-bit: error while loading shared libraries: libminiz.so.3: cannot open shared object file: No such file or directory
Commit 527deef "package/fluent-bit: bump to 3.2.10",
dropped the BUILD_SHARED_LIBS=OFF off part, because miniz uses
static linking by default now, but runtime execution shows otherwise,
so revert to fix.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f2c15f00d4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] "support/testing: improve weston test reliability" moved
out the wait time from the emulator (to run on the test controller).
While doing so, the sleep time which was initially _after_ the
"killall weston" invocation to in stop_weston() was incorrectly
moved before the command invocation. In this state, the test can
succeed on fast host computer running the test. But it will most
likely fail on an average computer.
This commit fixes this issue by moving the sleep time after
the command invocation.
[1] 6561a5d773
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bedc44c073)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch bumps the Linux kernel to version 6.1.133. The size of xipImage
has increased by only 22 bytes (1671804 bytes compared to 1671782 in
version 6.1.126).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cb6729d214)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
lmbench dependency discovery relies on implicit return types for
main(). This causes compiler errors when -Wimplicit-int is enabled,
which has become the default with recent gcc versions. The failure of
the dependcy discovery causes lmbench to redifine typedefs the
compiler already has in an incompatible manner. Add a patch to fix the
discovery.
Fixes:
bench.h:81:13: error: conflicting types for ‘socklen_t’; have ‘int’
81 | typedef int socklen_t;
bench.h:85:15: error: conflicting types for ‘off64_t’; have ‘int64’ {aka ‘long long int’}
85 | typedef int64 off64_t;
Fixes:
http://autobuild.buildroot.net/results/33cf97a79125c20f67f620eb6a7b5ad2206b2503/
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fd914e9e4c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libcamera has some optional dependencies that automatically detected at
build time.
To improve reproducibility, we should add a dependency on those optional
dependencies if the symbols that build them are enabled so that the
order in which packages are built does not influence the libcamera
package.
Note that the optional libyuv dependency isn't added as:
1) it is only used for the virtual pipeline and the android feature,
both of which are disabled/not supported right now,
2) libcamera has it in a submodule if missing (though if that works with
Buildroot is to be determined),
3) adding the dependency isn't enough as meson somehow doesn't find the
dependency,
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 028bdac7ed)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
meson allows to force all features set to "auto" to default to disabled
except if explicitly enabled via the auto_features argument, c.f.
https://mesonbuild.com/Build-options.html#features
"""
If the value of a feature option is set to auto, that value is
overridden by the global auto_features option (which defaults to auto).
This is intended to be used by packagers who want to have full control
on which dependencies are required and which are disabled, and not rely
on build-deps being installed (at the right version) to get a feature
enabled.
"""
The only auto feature that we hadn't disabled explicitly is the
gstreamer plugin. It is however expected that this wasn't a mistake as
the dependencies for the gstreamer pluging wouldn't have been met
thanks to the explicit LIBCAMERA_DEPENDENCIES we have based on the
presence of the gstreamer symbols in the global config.
This should make it less likely for future releases of libcamera to
regress in terms of reproducibility because of "auto" features (though
changes from "auto" to "enabled" wouldn't be caught and would be
susceptible to race conditions with their dependencies in case they
aren't properly specified and built after libcamera is).
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ef3c3bc9b1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
We currently disable building the documentation via the "documentation"
feature, but it is enabled nonetheless by meson if sphinx-build-3 is
found on the host.
This makes sure it doesn't happen by making the sphinx-build-3 check
only happen when the "documentation" feature is "auto" or "enabled",
which isn't the case for Buildroot.
The bug seems to have been introduced in v0.0.1 release.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 569272be91)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit c1597f989654 ("ipa: raspberrypi: Use YamlParser to replace
dependency on boost"), part of the v0.0.1 release, removed the
dependency on boost, so let's remove it from the pipeline option and
dependency for Buildroot.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 65721c6e0a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Some EDK II configurations have complex dependencies on several packages
and additional build options; build tests help keeping track of those
more easily.
Factorize some code common to all the build tests into a new
TestEdk2BuildBase class, which defines a base configuration and a method
to assert that binaries do indeed exist after the build.
While at it, add myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4f7e3f0bdd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The manual states that FOO_DL_OPTS are valid for all the different
download backends, but that is not the case: at least the git backend
does not use them (it does not fail, it just ignores them).
Accept FOO_DL_OPTS in the git backend, and pass them to 'git fetch'.
There is no way that we can pass such options to submodules or lfs,
though.
Update the manual accordingly.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a1012b363a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The dependencies for pulseview are not entirely clean:
- arch deps are not first;
- second-level inherited deps are listed;
- deps are not alphabetically ordered (for deps on packages);
- the comment is hidden even when the arch deps are met, because of an
incorrect dependency on Qt5;
- qt5 is a depends-on when it could be a select.
Update the dependencies to fix all the points above.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 70bcb7655b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Some protocol decoders in libsigrokdecode need the zlib module:
srd: ModuleNotFoundError: Failed to load decoder usb_power_delivery: import by name failed: No module named 'zlib'
srd: Traceback (most recent call last):
File "/usr/share/libsigrokdecode/decoders/usb_power_delivery/__init__.py", line 24, in <module>
from .pd import *
File "/usr/share/libsigrokdecode/decoders/usb_power_delivery/pd.py", line 24, in <module>
import zlib # for crc32
^^^^^^^^^^^
ModuleNotFoundError: No module named 'zlib'
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9d6ab1244a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since iptables v1.8.11, `iptables -C` commands return unexpected zero status
even for cases when the rules don't exist. This breaks e.g. standard Docker
operation, where checking for existing rules is used extensively when creating
networks.
The patch fixing the behavior is available upstream - apply it to v1.8.11
before a newer version is available.
Signed-off-by: Jan Čermák <sairon@sairon.cz>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f5e7cefe77)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The ARMV7-A toolchains are capable to compile binaries for ARMv8-A CPU
in AArch32 execution state.
This adds the BR2_ARM_CPU_ARMV8A option in the 'conditions' to allow
ARMV8-A CPU such as Cortex-A53 or Cortex-A72 to use ARMV7-A toolchains.
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8fd537ae05)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Without this, packages using libopenmpt are not able to find
the dependency.
Signed-off-by: J. Neuschäfer <j.neuschaefer@gmx.net>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 24a41c8fb5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The VideoCore blobs for the Raspberry Pi 1, 2, 3, Zero, Zero W and Zero
2 W are differents from the ones for the Raspberry Pi 4 and the Compute
Module 4.
The VideoCore blobs for the Raspberry Pi 4 are named with a 4[1] (i.e.
start4.elf, start4x.elf, start4db.elf and start4cd.elf).
This precises which VideoCore firmware blob files are present on the
Raspberry Pi 1, 2, 3, Zero W, Zero 2 W and which files are present on
the the Rapsberry Pi 4 and the Compute Module 4.
Note: The VideoCore blobs for the Raspberry Pi 5 are self-contained in
its bootloader EEPROM[1][2]; there is no additional files for pi5.
[1]: https://www.raspberrypi.com/documentation/computers/configuration.html#start-elf
[2]: https://www.raspberrypi.com/documentation/computers/config_txt.html#start_file-fixup_file
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7ebcfe3cb9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Any Raspberry Pi may use device-tree overlays; it is not restricted to
Raspberry Pi 3 and 4.
The defconfigs for the Raspberry Pi 3, 4, 400, Zero W, Zero 2 W, Compute
Module 4 and 4s use the miniuart-bt dtoverlay to switch the Bluetooth to
the mini-UART (ttyS0) and restore UART0 (ttyAMA0) over GPIOs 14 and 15
to enable the serial console (like the Raspberry Pi 1 and 2 that have no
Bluetooth)[1][2].
As a consequence, the Raspberry Pi Zero W, Zero 2 W, 400, Compute Module
4 and 4s install the device-tree overlays as well.
This rewords the note by adding the three missing hardwares installing
the images/rpi-firmware/overlays directory. It rewords the miniuart note
at the same time.
[1]: https://www.raspberrypi.com/documentation/computers/configuration.html#uarts-and-device-tree
[2]: https://github.com/raspberrypi/linux/blob/rpi-6.6.y/arch/arm/boot/dts/overlays/miniuart-bt-overlay.dts#L4-L6
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a642bed09a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changelog:
* v2.4.3 - 02/28/2025
* Fix memory safety with some older `strerror_r()` implementations in error
formatters for all modules.
* Build
* Fix character device GPIO support tests in Makefile for alternate
shells and older versions of make.
* Fix cross-compilation in Makefile from Windows.
* Fix CMake minimum required version.
* Add CMake package generation.
* Contributors
* Ryan Barnett, @rjbarnet - ec31b39
* javalikescript, @javalikescript - 024a25d
* HopeCollector, @HopeCollector - aca6815, b5e53e6
The hash of the license file has changed due to a copyright year
change:
- Copyright (c) 2014-2023 vsergeev / Ivan (Vanya) A. Sergeev
+ Copyright (c) 2014-2025 vsergeev / Ivan (Vanya) A. Sergeev
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 638fe82e8b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Upstream changelog from
https://github.com/google/double-conversion/releases/tag/v3.3.1:
Hash pin Github workflows by @joycebrum in #198
Create dependabot.yml by @joycebrum in #199
Add _ITERATOR_DEBUG_LEVEL=2 and _DEBUG defines by @ffa-csturdy in #202
Add bzlmod MODULE.bazel file by @jsharpe in #205
Add CIFuzz Github Action by @DavidKorczynski in #203
Update MODULE.bazel and README.md. by @BYVoid in #234
Remove the explicit dependency on rules_cc. by @BYVoid in #235
Add missing headers by @BhavikaSharma in #239
Tested with the following configuration, which includes the only two
reverse dependencies of double-conversion.
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_QT6=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_PYTHON_UJSON=y
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7ffdf75311)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building a firmware for the MACCHIATObin with edk2 and
arm-trusted-firmware, the build can randomly fail with the
following make error:
make[1]: Circular output/build/edk2-edk2-stable202411/.stamp_configured <- arm-trusted-firmware dependency dropped.
The message appears also when the build is not failing, depending on
the number of parallel jobs and the build order.
The issue can be observed with the following commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="a80x0_mcbin"
BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33=y
BR2_TARGET_BINARIES_MARVELL=y
BR2_TARGET_EDK2=y
BR2_TARGET_EDK2_PLATFORM_SOLIDRUN_ARMADA80X0MCBIN=y
BR2_TARGET_MV_DDR_MARVELL=y
EOF
make olddefconfig
utils/brmake
grep -FC5 'dependency dropped' br.log
The circular dependency happen due to [1] and [2].
In fact, only TF-A depends on EDK II (passed as BL33) for building and
not vice versa. See [3]. The EDK II "SolidRun MacchiatoBin" platform
build does not need any TF-A image, compared to some other platforms
such as "Socionext DeveloperBox" or "QEMU SBSA" which are referencing
TF-A images in a hook added in EDK2_PRE_BUILD_HOOKS.
Drop the false dependency on TF-A to fix the build.
This issue has been present since the EDK2 introduction in commit [4].
[1] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.02/boot/arm-trusted-firmware/arm-trusted-firmware.mk#L121
[2] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.02/boot/edk2/edk2.mk#L118
[3] https://github.com/Semihalf/edk2-platforms/wiki/Build_firmware
[4] 1074a37e78
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7361a155ef)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When Building arm-trusted-firmware for the Macchiatobin platform
(a80x0_mcbin), which depends on the mv-ddr-marvell package, the build fails
complaining that this package's folder "does not contain valid
mv-ddr-marvell git repository".
This is expected under Buildroot, where we use intermediate archives.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="a80x0_mcbin"
BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33=y
BR2_TARGET_BINARIES_MARVELL=y
BR2_TARGET_EDK2=y
BR2_TARGET_EDK2_PLATFORM_SOLIDRUN_ARMADA80X0MCBIN=y
BR2_TARGET_MV_DDR_MARVELL=y
EOF
make olddefconfig
make
The build is failing with the error message:
plat/marvell/armada/a8k/common/ble/ble.mk:34: *** "'MV_DDR_PATH=/buildroot/output/build/mv-ddr-marvell-d5acc10c287e40cc2feeb28710b92e45c93c702c' was specified, but '/buildroot/output/build/mv-ddr-marvell-d5acc10c287e40cc2feeb28710b92e45c93c702c' does not contain valid mv-ddr-marvell git repository". Stop.
Add patches to fix the build for this platform, for a few versions of TF-A
(v2.6, v2.7, v2.8, lts-v2.8.20, v2.9, v2.10, lts-v2.10.5, v2.11, v2.12 and
lts-v2.12.1).
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
Cc: Sergey Matyukevich <geomatsi@gmail.com>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fd02add21b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libv4l has some really special code that is built explicitly with
_FILE_OFFSET_BITS=32, which doesn't work with _TIME_BITS=64, causing
build failures when BR2_TIME_BITS_64=y. This build issue has been
fixed upstream. While how the upstream patch exactly works is unclear,
it's the patch that upstream has decided to implement to resolve the
build issue, so we simply backport it.
The issue exists since at least upstream commit
99f245f5e2826c7ae3ac8de530bc2fbd906eb62b, which was merged in
v4l-utils 1.26.0.
Fixes:
https://autobuild.buildroot.org/results/616608ef2a44efff67fa21b3263b341da82744c4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: add upstream commit url in patch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit bdb5809adf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
host-pahole build fails with recent host-cmake versions, producing the
following error:
CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
Compatibility with CMake < 3.5 will be removed from a future version
of
CMake.
Update the VERSION argument <min> value or use a ...<max> suffix to
tell
CMake that the project does not need compatibility with older
versions.
The issue can be reproduced with a minimal defconfig:
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_DEFCONFIG="versatile"
BR2_LINUX_KERNEL_NEEDS_HOST_PAHOLE=y
And host-cmake >= 4.0.0
The issue has already been fixed in the upstream pahole project and is
included in versions >= 1.28.
Fix the issue on the current LTS branch by bringing the fixing commit
from upstream.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Fixes the following security issues:
- CVE-2025-27830: An issue was discovered in Artifex Ghostscript before
10.05.0. A buffer overflow occurs during serialization of DollarBlend in
a font, for base/write_t1.c and psi/zfapi.c.
- CVE-2025-27831: An issue was discovered in Artifex Ghostscript before
10.05.0. The DOCXWRITE TXTWRITE device has a text buffer overflow via
long characters to devices/vector/doc_common.c.
- CVE-2025-27832: An issue was discovered in Artifex Ghostscript before
10.05.0. The NPDL device has a Compression buffer overflow for
contrib/japanese/gdevnpdl.c.
- CVE-2025-27833: An issue was discovered in Artifex Ghostscript before
10.05.0. A buffer overflow occurs for a long TTF font name to
pdf/pdf_fmap.c.
- CVE-2025-27834: An issue was discovered in Artifex Ghostscript before
10.05.0. A buffer overflow occurs via an oversized Type 4 function in a
PDF document to pdf/pdf_func.c.
- CVE-2025-27835: An issue was discovered in Artifex Ghostscript before
10.05.0. A buffer overflow occurs when converting glyphs to Unicode in
psi/zbfont.c.
- CVE-2025-27836: An issue was discovered in Artifex Ghostscript before
10.05.0. The BJ10V device has a Print buffer overflow in
contrib/japanese/gdev10v.c.
- CVE-2025-27837: An issue was discovered in Artifex Ghostscript before
10.05.0. Access to arbitrary files can occur through a truncated path
with invalid UTF-8 characters, for base/gp_mswin.c and base/winrtsup.cpp.
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs10050
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9abf662cfd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Both openh264 2.6.0 and 2.5.1 contain the fix for this CVE (see the
release notes at [1]).
In other words the version we have is no longer vulnerable since
a7aeb5a46e ("package/libopenh264:
security bump to version 2.5.1") but pkg-stats still reports it.
An email was sent to the NVD to fix the CPE version number, but in the
meantime let's ignore it to reduce the noise in our CVE checker.
[1]: https://github.com/cisco/openh264/releases/tag/2.5.1
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2488d97719)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Upstream did a change in sqlite3.pc.in that does work with their
default build system, but not with the autoconf-based amalgamation
that we use. This issue has been reported and fixed upstream, but the
fix is not yet in any new release.
For the time being, we just revert the upstream change. We don't do a
direct revert ("git revert") as multiple upstream commits touched this
very line, so we simply revert to what it was prior to the different
changes, and to what the upstream fix ends up doing.
This issue is causing build issue for all packages that use sqlite's
pkg-config file, in a static-linking configuration.
Fixes:
https://autobuild.buildroot.org/results/1824a76eee4a877a2f19c1fd19a710ef9f059168/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit db481210e9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
- Update syslogd -T documentation, it applies to messages originating
both locally and from remote syslog servers
- Fix hostname filtering support, introduced in v2.7.0, broken
- Fix parsing of userspace messages in /dev/kmsg, inserted an
extra space before the message payload
From https://github.com/troglobit/sysklogd/releases/tag/v2.7.1
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7a0725723b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Running pkg-stats is currently quite verbose, as it shows one line per
package when checking for the upstream URL, and another one line per
package when checking for the latest version on
release-monitoring.org.
This noisy output is a bit annoying when pkg-stats is run in a
cronjob, like we do to update https://autobuild.buildroot.net/stats/
every day. This commit adds a -v/--verbose option, off by default, to
have a less noisy output.
Suggested-by: Peter Korsgaard <peter@korsgaard.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 203e9def71)
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This reverts commit 27ab880ebb.
With the (proposed) fix from the openssl developers added as
0004-Serialize-install-process-to-avoid-multiple-make-dep.patch, the
workaround can now be dropped so openssl can again be built and installed in
parallel, significantly speeding up builds.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 86f173a744)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The openssl developers have proposed a fix for the parallel installation
issue worked around by commit 27ab880ebb (package/libopenssl do not build
in parallel).
Add the fix here so the workaround can dropped again.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 36b0a3ef9c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] which introduced this defconfig using a
Kernel 6.6.x series, the build can fail with error:
certs/extract-cert.c:21:10: fatal error: openssl/bio.h: No such file or directory
The issue is generally masked by the build order, as
arm-trusted-firmware selects BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
which requires host-openssl.
The issue can be reproduced in the Buildroot Docker reference image,
using the commands:
utils/docker-run
make ls1043a-rdb_defconfig
make linux
This commit fixes the issue by explicitly adding
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y to the defconfig.
[1] 34b047a442
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 11315d4787)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] which introduced this defconfig using a
Kernel 6.6.x series, the build can fail with error:
certs/extract-cert.c:21:10: fatal error: openssl/bio.h: No such file or directory
The issue is generally masked by the build order, as
arm-trusted-firmware selects BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
which requires host-openssl.
The issue can be reproduced in the Buildroot Docker reference image,
using the commands:
utils/docker-run
make ls1046a-rdb_defconfig
make linux
This commit fixes the issue by explicitly adding
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y to the defconfig.
[1] 774035189f
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a83242f131)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] updating the defconfig to use Kernel 6.6.x
series, the build can fail with error:
certs/extract-cert.c:21:10: fatal error: openssl/bio.h: No such file or directory
The issue is generally masked by the build order, as
arm-trusted-firmware selects BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
which requires host-openssl.
The issue can be reproduced in the Buildroot Docker reference image,
using the commands:
utils/docker-run
make ls1046a-frwy_defconfig
make linux
This commit fixes the issue by explicitly adding
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y to the defconfig.
[1] 0344e5dae6
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 094f7a5b86)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] updating the defconfig to use Kernel 6.6.x
series, the build can fail with error:
certs/extract-cert.c:21:10: fatal error: openssl/bio.h: No such file or directory
The issue is generally masked by the build order, as
arm-trusted-firmware selects BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
which requires host-openssl.
The issue can be reproduced in the Buildroot Docker reference image,
using the commands:
utils/docker-run
make ls1028ardb_defconfig
make linux
This commit fixes the issue by explicitly adding
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y to the defconfig.
[1] 7cbc240ac2
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5d0ec3b6a4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issues:
- CVE-2024-57970: libarchive through 3.7.7 has a heap-based buffer
over-read in header_gnu_longlink in archive_read_support_format_tar.c
via a TAR archive because it mishandles truncation in the middle of a
GNU long linkname.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2024-57970
- 8291210321
- CVE-2025-1632: This affects the function list of the file bsdunzip.c.
The manipulation leads to null pointer dereference. It is possible
to launch the attack on the local host.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-1632
- c9bc934e7e
- CVE-2025-25724: list_item_verbose in tar/util.c in libarchive through 3.7.7
does not check an strftime return value, which can lead to a denial of
service or unspecified other impact via a crafted TAR archive that is read
with a verbose value of 2.
For example, the 100-byte buffer may not be sufficient for a custom locale.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-25724
- c9bc934e7e
The patch added in [1] are still needed for this version bump.
For more details on the version bump, see the release notes:
- https://github.com/libarchive/libarchive/releases/tag/v3.7.8
- https://github.com/libarchive/libarchive/releases/tag/v3.7.9
[1] 9ac63a3360 package/libarchive: fix uclibc build with libiconv (again)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fde0b3fe1c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
- CVE-2025-2588: This vulnerability affects the function
re_case_expand of the file src/fa.c. The manipulation of the
argument re leads to null pointer dereference
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-2588
- af2aa88ab3
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add patch name in comment near _IGNORE_CVES]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c497e5fcc7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch introduced in [1] that fixed the CVE-2024-0962 is now
available upstream in the 4.3.5 release [2].
This commit also updates the LICENSE file hash, after adding reference
to wolfSSL in [3].
For more details see the release note:
https://github.com/obgm/libcoap/blob/v4.3.5/ChangeLog
[1] 9002b818be package/libcoap: fix CVE-2024-0962
[2] 2b28d8b0e9
[3] e3a662a934
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: fix LICENSE file hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4df4d1d312)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
No functional change, but bump for consistency.
The patch that was applied by Buildroot has been applied to gstreamer.
The kate plugin has disappeared from gstreamer.
The webp plugin now requires webp_mux to compile.
The webrtc plugin now requires to be compile with plugins dtls, sctp and
srtp.
For more details, see the release notes:
https://gstreamer.freedesktop.org/releases/1.24/
Signed-off-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 90b3cfedf4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Tested on QEMU using the qemu_m68k_q800_defconfig configuration, with a
switch of the toolchain to uclibc-ng and enabling rsyslog.
This patch addresses an issue where rsyslog’s pthread_cond_wait was
busy-looping due to futex_time64 repeatedly returning EINVAL. The
correction in NPTL alignment resolves the 100% CPU usage problem.
This patch is fixed upstream [1] so apply it until it is tagged.
[1]: 278ac6b30 ("m68k: fix alignment in NPTL code")
Signed-off-by: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
[Julien:
- rename patch to 0002
- add "Upstream:" tag in patch to fix check-package error
- add "Signed-off-by:" in patch
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 53eae986a5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
uClibc-ng unconditionally exposes a reallocarray() prototype, but only
provides the implementation when the malloc-standard implementation is
selected in the configuration.
As noMMU configurations can't use malloc-standard, they use malloc or
malloc-simple that don't provide reallocarray().
As a result of reallocarray() being missing, some packages such as
util-linux provide their own replacement implementation... but its
prototype clashes with the one provided by uClibc, causing build
failures such as:
In file included from lib/color-names.c:7:
./include/c.h:586:21: error: static declaration of ‘reallocarray’ follows non-static declaration
586 | static inline void *reallocarray(void *ptr, size_t nmemb, size_t size)
| ^~~~~~~~~~~~
In file included from ./include/c.h:16:
/home/thomas/projets/buildroot/output/host/arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/include/stdlib.h:898:14: note: previous declaration of ‘reallocarray’ with type ‘void *(void *, size_t, size_t)’ {aka ‘void *(void *, unsigned int, unsigned int)’}
898 | extern void *reallocarray (void *__ptr, size_t __m, size_t __n);
| ^~~~~~~~~~~~
make[3]: *** [Makefile:12354: lib/libtcolors_la-color-names.lo] Error 1
This is addressed by a patch on uClibc, submitted upstream, which
makes sure the prototype is only exposed when the implementation is
provided.
The issue can be reproduced with commands:
cat <<EOF >.config
BR2_arm=y
BR2_cortex_m4=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PACKAGE_UTIL_LINUX=y
BR2_PACKAGE_UTIL_LINUX_KILL=y
EOF
make olddefconfig
make util-linux
Fixes:
https://autobuild.buildroot.net/results/157aa82aa4cd57eacc4defe6cace16e464261e9a/ (RISC-V noMMU)
https://autobuild.buildroot.net/results/ce1a24c1465b82686ae375ac688a553fb65df5ea/ (ARM noMMU)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: add commands to reproduce the issue in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 01895663d3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
glibc fails to build on RISC-V 32-bit with the ilp32f ABI and on
RISC-V 64-bit with the lp64f: both use single-point precision floating
point, which glibc doesn't support, failing during the configure step
with:
configure: error: glibc does not yet support the single floating-point ABI
Fix that by disabling glibc support on those configurations.
Fixes:
https://autobuild.buildroot.org/results/fe8d569cab507992978ef0da649278dd3a9e0b23/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8292b8fb89)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Use the 'C' locale when retrieving the date of the last change using
'svn info' since the svn download helper script expect
"Last Changed Date" string.
If another locale is used, the 'date' is empty so the generated
archive (by mk_tar_gz) will not match the expected hash since
the file timestamp is not set properly.
If LANG=fr_FR.UTF-8 is defined in the host system, svn print some
"French encrypted" text:
eval svn --non-interactive --config-option servers:global:http-timeout=10 info ''\''https://svn.code.sf.net/p/xmlrpc-c/code/advanced@r3176'\'''
...
Date de la dernière modification: 2023-09-02 19:13:35 +0200 (sam. 02 sept. 2023)
diffoscope confirm that the file timestamp is not set correctly
in the generated archive:
$ diffoscope NOK/libxmlrpc-r3176-svn5.tar.gz OK/libxmlrpc-r3176-svn5.tar.gz
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8d3b1781f6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability
A vulnerability in the decoding functions of OpenH264 codec library could
allow a remote, unauthenticated attacker to trigger a heap overflow.
This vulnerability is due to a race condition between a Sequence Parameter
Set (SPS) memory allocation and a subsequent non Instantaneous Decoder
Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An
attacker could exploit this vulnerability by crafting a malicious bitstream
and tricking a victim user into processing an arbitrary video containing the
malicious bitstream. An exploit could allow the attacker to cause an
unexpected crash in the victim's user decoding client and, possibly, perform
arbitrary commands on the victim's host by abusing the heap overflow.
https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9xhttps://github.com/cisco/openh264/releases/tag/2.5.1
The upstream tag now has no 'v' prefix, so drop it from _SITE.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a7aeb5a46e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
23.2.5 fixes the following security issues:
1) CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0
Found by: Alan Coopersmith of Oracle Solaris, while investigating
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
The ProcXIGetSelectedEvents() function uses the byte-swapped length of the
return data for the amount of data to return to the client, if the client
has a different endianness than the X server.
2) CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645d
Found by: Alan Coopersmith of Oracle Solaris
The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the
return data for the amount of data to return to the client, if the client
has a different endianness than the X server.
3) CVE-2024-31083: User-after-free in ProcRenderAddGlyphs
Introduced in: prior to X11R6.7 (2004)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb3160
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The ProcRenderAddGlyphs() function calls the AllocateGlyph() function
to store new glyphs sent by the client to the X server. AllocateGlyph()
would return a new glyph with refcount=0 and a re-used glyph would end up
not changing the refcount at all. The resulting glyph_new array would thus
have multiple entries pointing to the same non-refcounted glyphs.
ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when
the same glyph pointer is then later used.
https://lists.x.org/archives/xorg-announce/2024-April/003497.html
24.1.4 fixes the following security issues:
1) CVE-2024-9632: Heap-based buffer overflow privilege escalation in
_XkbSetCompatMap
Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.14 and xwayland-24.1.4
Fix:
85b7765714
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
xorg-server-21.1.14 and xwayland-24.1.4 have been patched to fix this issue.
https://lists.x.org/archives/xorg-announce/2024-October/003545.html
24.1.6 fixes the following security issues:
1) CVE-2025-26594: Use-after-free of the root cursor
Introduced in: Unknown - Prior to X11R6.6 Xorg baseline
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The root cursor is referenced in the xserver as a global variable. If
a client manages to free the root cursor, the internal reference points
to freed memory and causes a use-after-free.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
2) CVE-2025-26595: Buffer overflow in XkbVModMaskText()
Introduced in: Prior to X11R6.1
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the names of the virtual modifiers to that buffer.
The code however fails to check the bounds of the buffer correctly and
would copy the data regardless of the size, which may lead to a buffer
overflow.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
3) CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
Introduced in: initial version of xc/programs/Xserver/xkb/xkb.c in X11R6
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), which may lead to a heap based
buffer overflow.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
4) CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
Introduced in: X11R6.1
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
If XkbChangeTypesOfKey() is called with 0 group, it will resize the key
symbols table to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value of groups,
this will cause a buffer overflow because the key actions are of the wrong
size.
5) CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
Introduced in: xorg-server-1.14.0
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The function GetBarrierDevice() searches for the pointer device based on
its device id and returns the matching value, or supposedly NULL if no
match was found.
However the code will return the last element of the list if no matching
device id was found which can lead to out of bounds memory access.
6) CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
Introduced in: Xorg 6.8.0.
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84behttps://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The function compCheckRedirect() may fail if it cannot allocate the backing
pixmap. In that case, compRedirectWindow() will return a BadAlloc error
without the validation of the window tree marked just before, which leaves
the validate data partly initialized, and the use of an uninitialized pointer
later.
7) CVE-2025-26600: Use-after-free in PlayReleasedEvents()
Introduced in: X11R5
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed and replaying the events
will cause a use after free.
8) CVE-2025-26601: Use-after-free in SyncInitTrigger()
Introduced in: X11R6
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242dhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2fhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
When changing an alarm, the values of the change mask are evaluated one
after the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
If one of the changes triggers an error, the function will return early,
not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
https://lists.x.org/archives/xorg-announce/2025-February/003584.html
Drop now removed xwayland_eglstream option:
701284f057
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 57d2bdb123)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit f2a862fe60 (package/dillo: move to github) changed the source
site for the Dillo package. This change introduced a trailing slash at
the end of the URL.
This cause an error when running `make show-info` with `BR2_PACKAGE_DILLO=y`:
```
package/dillo/dillo.mk:46: *** DILLO_SITE (https://github.com/dillo-browser/dillo/releases/download/v3.0.5/) cannot have a trailing slash. Stop.
```
This commit removes the trailing slash.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a3b4ae2eac)
Fixes the following security issues:
- CVE-2024-24258: freeglut 3.4.0 was discovered to contain a memory leak
via the menuEntry variable in the glutAddSubMenu function.
- CVE-2024-24259: freeglut through 3.4.0 was discovered to contain a
memory leak via the menuEntry variable in the glutAddMenuEntry
function.
https://nvd.nist.gov/vuln/detail/CVE-2024-24258https://nvd.nist.gov/vuln/detail/CVE-2024-24259
The CVEs are not technically reported for the libfreeglut package
itself (which doesn't have a CPE identifier) but for mupdf.
Note that mudpf provides its own (old) version of freeglut, but our
mupdf package uses the Buildroot-provided freeglut (which now contains
the fix).
It also has to be noted that a more recent release of libfreeglut
exists upstream, and it fixes the same CVEs. Bumping our package
version however requires more work that can be done separately.
Including this patch first also has the advantage that it can easily
be backported wherever it's needed.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 0f4fef076f)
FreeRDP fails to build on newer gcc:
/freerdp-2.11.7/libfreerdp/core/info.c:88:39: error: initialization of 'const WCHAR *' {aka 'const short unsigned int *'} from incompatible pointer type 'BYTE *' {aka 'unsigned char *'} [-Wincompatible-pointer-types]
88 | const WCHAR* domain = Stream_Pointer(s);
| ^~~~~~~~~~~~~~
There is a patch upstream [0] to fix that one, but then another similar
build failure triggers, which is also fixed upstream, but then a third
failre triggers, again fixed upstream [2], but then...
FreeRDP 2.x has been kinda discontinued, and the new stable is 3.x.
However, bumping to 3.x looks like a huge leap.
So, rather than backport, just bump to the latest commit on the
stable-2.0 branch, which carries 12 non-merge commits with build fixes:
562ae3588 [winpr,pubsub] add NULL parameter checks
68c7c21b9 X11 client: ignore grab related LeaveNotify events
a9deecc99 fix [core]: 'invalid hHandle' errors
052c525e0 [core] eliminate rdpRdp::instance
be23ed4ba [server,proxy] deactivate capture module
5b2b53b15 [warnings] fix -Wincompatible-pointer-types
67818bddb [client,wayland] fix const correctness
d2b6771c7 X11: fix pointer/integer type mismatch
[2] 7894a7dfc redirection: Fix incompatible pointer type
[1] f3ed1f1ac redirection: Fix incompatible pointer type
[0] 4f411197d info: Fix incompatible pointer type
a383740a2 next-dev-2.11.8-dev
Fixes:
http://autobuild.buildroot.org/results/e1b/e1b95b4fb0005d4e933b027b508cec9ad510bd73/http://autobuild.buildroot.org/results/ba0/ba0beae13e1be2573878ee50b1566f4427b269a3/
...
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 15f15cfe01)
The libcap Makefile is hand-coded (i.e. not autotools), and hard-codes
calls to /sbin/ldconfig, unless it is installed out-of-tree. For target
packages, this is done, but for host package this is not done, as we
do set PREFIX instead, which causes libcap's Makefile to call ldconfig
and emits a spurious warning (twice):
install -m 0755 libcap.so.2.73 /home/ymorin/dev/buildroot/O/master/per-package/host-libcap/host/lib/libcap.so.2.73
ln -sf libcap.so.2.73 /home/ymorin/dev/buildroot/O/master/per-package/host-libcap/host/lib/libcap.so.2
ln -sf libcap.so.2 /home/ymorin/dev/buildroot/O/master/per-package/host-libcap/host/lib/libcap.so
/sbin/ldconfig
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
make[4]: [Makefile:200: install-shared-cap] Error 1 (ignored)
This is just a warning, but it is incorrect still.
Fake an out-of-tree install with a non-empy DESTDIR that is just '/',
and thus does in fact not install out-of-tree. This is enough to
actually silence the warning. Add a little comment to explain that.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd@kuhls.net>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e172bb48d3)
Since upstream commit [1] the original v4l2loopback-ctl bash script was
replaced by a C version, so add a proper compile step (and remove bash
runtime dependency) to fix '[help] v4l2loopback package build fails for
raspberrypi5' [2].
The issue can be reproduced with the commands:
cat <<EOF >.config
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_PACKAGE_V4L2LOOPBACK=y
BR2_PACKAGE_V4L2LOOPBACK_UTILS=y
EOF
make olddefconfig
make v4l2loopback
Note: upstream commit [1] was introduced in version v0.13.0.
Buildroot bumped v4l2loopback to v0.13.2 in [3].
Fixes:
/usr/bin/install: cannot stat
'.../build/v4l2loopback-0.13.2/utils/v4l2loopback-ctl':
No such file or directory
[1] 33922fa4e9
[2] https://lists.busybox.net/pipermail/buildroot/2025-March/775911.html
[3] 02540771bc
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Julien:
- add commands to reproduce the issue
- add reference to buildroot commit introducing the issue
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5d85d23e16)
This is a corrective release over GDB 16.1, fixing the following issues:
PR build/32578 (cannot build GDB 16.1 out of tree when calling the configure script with a relative path)
PR tui/32592 ([gdb/tui] internal error in tui-winsource.c:340:refresh_window)
PR remote/32593 (Incompatibilities between GDB's and LLDB's 'x' packet implementation)
PR build/32610 (Missing #include file in darwin_nat.c)
None of which is really super important for Buildroot, but at least
we're using the latest without wondering why we're not.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0a5a0772c2)
21.1.14 fixes the following security issues:
1) CVE-2024-9632: Heap-based buffer overflow privilege escalation in
_XkbSetCompatMap
Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.14 and xwayland-24.1.4
Fix:
85b7765714
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
xorg-server-21.1.14 and xwayland-24.1.4 have been patched to fix this issue.
https://lists.x.org/archives/xorg-announce/2024-October/003545.htmlhttps://lists.x.org/archives/xorg-announce/2024-October/003546.html
21.1.16 fixes the following security issues:
1) CVE-2025-26594: Use-after-free of the root cursor
Introduced in: Unknown - Prior to X11R6.6 Xorg baseline
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The root cursor is referenced in the xserver as a global variable. If
a client manages to free the root cursor, the internal reference points
to freed memory and causes a use-after-free.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
2) CVE-2025-26595: Buffer overflow in XkbVModMaskText()
Introduced in: Prior to X11R6.1
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the names of the virtual modifiers to that buffer.
The code however fails to check the bounds of the buffer correctly and
would copy the data regardless of the size, which may lead to a buffer
overflow.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
3) CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
Introduced in: initial version of xc/programs/Xserver/xkb/xkb.c in X11R6
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), which may lead to a heap based
buffer overflow.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
4) CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
Introduced in: X11R6.1
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
If XkbChangeTypesOfKey() is called with 0 group, it will resize the key
symbols table to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value of groups,
this will cause a buffer overflow because the key actions are of the wrong
size.
5) CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
Introduced in: xorg-server-1.14.0
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The function GetBarrierDevice() searches for the pointer device based on
its device id and returns the matching value, or supposedly NULL if no
match was found.
However the code will return the last element of the list if no matching
device id was found which can lead to out of bounds memory access.
6) CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
Introduced in: Xorg 6.8.0.
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84behttps://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The function compCheckRedirect() may fail if it cannot allocate the backing
pixmap. In that case, compRedirectWindow() will return a BadAlloc error
without the validation of the window tree marked just before, which leaves
the validate data partly initialized, and the use of an uninitialized pointer
later.
7) CVE-2025-26600: Use-after-free in PlayReleasedEvents()
Introduced in: X11R5
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed and replaying the events
will cause a use after free.
8) CVE-2025-26601: Use-after-free in SyncInitTrigger()
Introduced in: X11R6
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242dhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2fhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
When changing an alarm, the values of the change mask are evaluated one
after the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
If one of the changes triggers an error, the function will return early,
not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
https://lists.x.org/archives/xorg-announce/2025-February/003584.htmlhttps://lists.x.org/archives/xorg-announce/2025-February/003585.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 65be2c6ac0)
Since Buildroot commit [1], the test_gstreamer1 runtime test is
failing to build the tesseract-ocr package. The root cause is that
the test uses the default arm external toolchain, which is the Linaro
ARM 2018.05 based on gcc 7.3.1.
Since [1], tesseract-orc no longer compiles with gcc 7 (it requires at
least gcc 8).
This commit fixes the issue by switching the toolchain to the
bootlin versions (based on gcc 14 at the time of this commit).
Also, changing the compiler version slightly slowed down the video
encoding. This commit also increases the encoding command timeout.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/9407846232
[1] f32da8b984
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 356c70677c)
Since Buildroot commit [1] tesseract-ocr fails to build with gcc 7,
with error:
src/api/baseapi.cpp:67:10: fatal error: filesystem: No such file or directory
#include <filesystem> // for std::filesystem
^~~~~~~~~~~~
In Buildroot, tesseract-ocr has a C++17 requirement captured as
gcc >= 7. Gcc 7 has only a partial and experimental C++17 support,
which was sufficient, prior [1].
The tesseract-ocr upstream commit [2] introduced a usage of
std::filesystem. This commit is included in version 5.5.0,
bumped in [1].
The C++17 with std::filesystem support was introduced in gcc 8.1.
See [3].
This commit fixes the issue by raising the gcc version requirement to
8.x.
Fixes: f32da8b984
[1] f32da8b984
[2] 4e42f9de54
[3] https://gcc.gnu.org/gcc-8/changes.html#libstdcxx
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 22ffdea9e6)
The busybox date applet accepts the following:
date @1234567
but this confuses the coreutils version which doesn't implicitly set
time. As some tests might need coreutils binaries we should ensure the
emulator login will work with both. Fix this by passing the -s (set)
option to the command.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit bfb490799e)
When time comes to check certificates, the date and time in the emulated
machine should be close enough to the actual values, so that certificate
validity can be checked.
Some Qemu machines have an RTC (e.g. arm vexpress-a9 has a pl031), and
the kernel needs a driver for those RTC. It is not guaranteed that the
machine used for a test meets those two conditions; in such a case, the
time in the machine starts way back in the past (1970-01-01T00:00:00Z on
sysv, or the release date of systemd). This is the case with the default
kernel, so such tests do not have the proper time.
Set the date to the date of the host system. This is going to be accurate
to the second, which is, by far, enough for our purpose.
To avoid having to consider what combination of emulated machine and kernel
configuration are being used, we always set the date, as this is a
generic step that should be done by the infra (like login in as root is).
The Emulator() class doesn't inherit from unittest.TestCase, so we can't
call any of the usual self.assertXXX() methods; instead, we just raise
a standard exception, like is done a few lines above to detect the login
prompt.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Ricardo Martincoski <ricardo.martincoski@datacom.com.br>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cf8641b73e)
Add the LTS sponsors who engaged already for 2025: EVS, Open Home
Foundation, and Sense Labs. There is one more sponsor but they prefer to
remain anonymous.
For Open Home Foundation, we can reuse the existing logo. For the other
two, add their logo.
Add a new class panel-lts-sponsor for sizing the panels. It is different
from panel-sponsor because there doesn't need to be space for an
explanation of what type of sponsorship is done, we just need to have
space for the company name. So the minimum height is 200px instead of
350px.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b111e07fd5)
The Open Home Foundation logo is in a white area that is too large for
how we display it on the sponsors page. As a result, it ends up at the
bottom of the logo area and it looks very unbalanced.
Crop the logo to a tigher area. Since it is going to end up being
scaled, it's difficult to predict what the best size it is, but cropping
at a height of 300 pixels gives a visually pleasing layout at at least
some resolutions.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e287bc7f44)
Patch has been on upstream main for close to 2 years.
The "uint" use was introduced with [1] and [2], released with
mesa3d-demos 9.0.0 from March 2023, and added to Buildroot with commit
80304d9911 "package/mesa3d-demos: bump version to 9.0.0". The affected
code is built only if Wayland and Vulkan support are enabled, that is:
BR2_PACKAGE_LIBDECOR=y
BR2_PACKAGE_VULKAN_LOADER=y
BR2_PACKAGE_WAYLAND=y
[1] 813ebef767
[2] 5aaa7faeb4
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cf4f2f858d)
Vulkan support in mesa3d-demos requires vulkan-loader. Without an
explicit config flag it is autodetected, and may or may not be enabled
depending on build order, leading to unpredictable results.
Fix this by explicitly enabling Vulkan support and depending on
vulkan-loader if BR2_PACKAGE_VULKAN_LOADER=y, and disabling Vulkan
support otherwise.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7a55e82cb8)
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: rebase patch after merge of next branch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 76f9e5dede)
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: rebase patch after merge of next branch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 03cda9370f)
Enabling BR2_PACKAGE_LINUX_TOOLS_SELFTESTS (on rock5b_defconfig,
which uses kernel 6.12 at the time of writing), results in:
make[1]: Leaving directory '/br/output/build/linux-endpoint-test/tools/testing/selftests'
ERROR: architecture for "/usr/lib/kselftests/tc-testing/action-ebpf" is "Linux BPF", should be "AArch64"
make: *** [package/pkg-generic.mk:402: /br/output/build/linux-tools/.stamp_installed] Error 1
To solve this, add /usr/lib/kselftests/tc-testing/ to
LINUX_TOOLS_BIN_ARCH_EXCLUDE.
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3a03cb2ad6)
support/scripts/check-bin-arch has an option -i to exclude a path
(or many paths by using -i multiple times).
This was implemented in commit 01d90f0d09 ("spport/check-bin-arch:
accept arbitrary per-package ignore paths").
Looking at this feature (which hasn't changed since being added),
we can see that check-bin-arch automatically adds a trailing slash
to all entries specified using -i.
Thus, specifying a path to a file, e.g.
"/usr/libexec/perf-core/tests/pe-file.exe" will cause check-bin-arch
to add "/usr/libexec/perf-core/tests/pe-file.exe/" to the IGNORES array.
When running the main loop, the file
"/usr/libexec/perf-core/tests/pe-file.exe" will thus not be ignored,
since it will not trigger a match the pattern that was added to the
IGNORES array ("/usr/libexec/perf-core/tests/pe-file.exe/").
This means that the -i option in check-bin-arch only supports directories
and not files.
Fix the LINUX_TOOLS_BIN_ARCH_EXCLUDE in
package/linux-tools/linux-tool-perf.mk.in to specify a directory, as the
existing LINUX_TOOLS_BIN_ARCH_EXCLUDE can never have actually worked.
Fixes: a7ad781626 ("package/linux-tools: Exclude checking PE binaries from perf test")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4d7292675a)
Due to how menuconfig works, a 'comment' entry following a 'config' entry
prevents correct indentation of items depending on the 'config'
entry. xilinx-embeddedsw currently shows as:
[*] xilinx-embeddedsw
*** xilinx-embeddedsw needs a bare metal toolchain for tuple microblazeel-xilinx-elf ***
(xilinx_v2024.2) xilinx-embeddedsw version (NEW)
[ ] versal plm (NEW)
[ ] versal psmfw (NEW)
[ ] zynqmp pmufw (NEW)
[ ] xilinx-prebuilt
So the 'versal *' and 'zynqmp pmufw' items are not indented even though
they should be.
Do like most other Config.in files which have the 'comment' before the
'config' entry, makeing it render as expected:
*** xilinx-embeddedsw needs a bare metal toolchain for tuple microblazeel-xilinx-elf ***
[*] xilinx-embeddedsw
(xilinx_v2024.2) xilinx-embeddedsw version (NEW)
[ ] versal plm (NEW)
[ ] versal psmfw (NEW)
[ ] zynqmp pmufw (NEW)
[ ] xilinx-prebuilt
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 088808ccc7)
This is in the mainline kernel since v5.1-rc3:
9c38f1f04408 ("kconfig/[mn]conf: handle backspace (^H) key")
Quoting the commit's log:
"
Backspace is not working on some terminal emulators which do not send the
key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127).
But currently only '^?' is handled. Let's also handle '^H' for those
terminals.
"
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d65c10c20a)
# Board Revision is P307, same nvram file can be used for P304, P305, P306 and P307 as the tssi pa params used are same
#Please force the automatic RX PER data to the respective board directory if not using P307 board, for e.g. for P305 boards force the data into the following directory /projects/BCM43362/a1_labdata/boardtests/results/sdg_rev0305
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
