With gcc bump to version 14.3.0 in [1]. The gcc-bare-metal version
was not aligned to the same version which led to the following error in
the autobuilder:
```
make[1]: Leaving directory '/workdir/instance-0/output-1/build/host-mpc-1.3.1'
ERROR: No hash found for gcc-14.2.0.tar.xz
make: *** [package/pkg-generic.mk:179: /workdir/instance-0/output-1/build/host-gcc-bare-metal-14.2.0/.stamp_downloaded] Error 1
```
This patch align gcc-bare-metal with the version of gcc 14.
[1] 1e8c1e0ef0 package/gcc: update to 14.3.0
Fixes: https://autobuild.buildroot.org/results/3a2/3a228e885cb04e0c91eee470f9622e0e44eec3d7
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This reverts commit ab7297f3c1.
It was mistakenly applied but the error described doesn't apply on the
LTS branch.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CVE-2025-3277 as been marked as a duplicate of CVE-2025-29087 by the
debian security tracker [1].
The CVE-2025-29087 has already been fixed in commit [2] so this patch
adds CVE-2025-3277 to the ignored CVEs.
[1] https://security-tracker.debian.org/tracker/CVE-2025-3277
[2] 835b5659ea package/sqlite: add patch to fix CVE-2025-29087
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 014174f00d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-6170
A flaw was found in the interactive shell of the xmllint command-line
tool, used for parsing XML files. When a user inputs an overly long
command, the program does not check the input size properly, which can
cause it to crash. This issue might allow attackers to run harmful
code in rare configurations without modern protections.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-6170
- c340e41950
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c68a14d73a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2024-8947
A vulnerability was found in MicroPython 1.22.2. It has been declared
as critical. Affected by this vulnerability is an unknown functionality
of the file py/objarray.c. The manipulation leads to use after free.
The attack can be launched remotely. The complexity of an attack is
rather high. The exploitation appears to be difficult. Upgrading to
version 1.23.0 is able to address this issue. It is recommended to
upgrade the affected component. In micropython objarray component, when
a bytes object is resized and copied into itself, it may reference
memory that has already been freed.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-8947
- 4bed614e70
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1fc0e90450)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2024-40897
Stack-based buffer overflow vulnerability exists in orcparse.c of ORC
versions prior to 0.4.39. If a developer is tricked to process a
specially crafted file with the affected ORC compiler, an arbitrary
code may be executed on the developer's build environment. This may
lead to compromise of developer machines or CI build environments.
https://www.cve.org/CVERecord?id=CVE-2024-40897
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-40897
- fb7db9ae3e
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2f7afa54ce)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] introduced an Armv7 test case for Xen named TestXenArmv7,
next to the original Aarch64 test case which was simply named TestXen.
The test list shows, for example with the command
"support/testing/run-tests -l":
tests.package.test_xen.TestXen
tests.package.test_xen.TestXenArmv7
In order to make this test list a bit more explicit, this commit
renames the TestXen to TestXenAarch64. With that change, the list
becomes:
tests.package.test_xen.TestXenAarch64
tests.package.test_xen.TestXenArmv7
[1] 5346824a83
Cc: Vincent Stehlé <vincent.stehle@arm.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d15ffdfda7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For a long while now, we only support building GCC >= 8.x, so the
dependency of BR2_GCC_ENABLE_GRAPHITE on GCC >= 5.x is useless, drop
it, together with the corresponding Config.in comment.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b5f14d65cb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The libcilkrts library was removed from gcc 8.x, and gcc 8.x is the
oldest version we allow building (to still support PowerPC SPE). So it
means the BR2_GCC_SUPPORTS_LIBCILKRTS is basically dead code because:
default y if !BR2_TOOLCHAIN_GCC_AT_LEAST_8
Will never evaluate to 'y' in current Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 62e784cb97)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The hash for the GCC 10.4.0 tarball should have been removed a long
time ago, when support for GCC 10.x has been removed.
Fixes: d37a8f3a2e ("package/gcc: remove gcc 10.x")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5fd75bfb02)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
With gcc 15-20241117 compile fails with the below error, update the
do_version declaration to match the header in command.h
../../parted/parted.c: In function '_init_commands':
../../parted/parted.c:2469:9: error: passing argument 2 of 'command_create' from incompatible pointer type [-Wincompatible-pointer-types]
2469 | do_version,
| ^~~~~~~~~~
| |
| int (*)(void)
In file included from ../../parted/parted.c:28:
../../parted/command.h:35:39: note: expected 'int (*)(PedDevice **, PedDisk **)' {aka 'int (*)(struct _PedDevice **, struct _PedDisk **)'} but argument is of type 'int (*)(void)'
35 | int (*method) (PedDevice** dev, PedDisk** diskp),
| ~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Upstream: https://cgit.git.savannah.gnu.org/cgit/parted.git/commit/?id=16343bda6ce0d41edf43f8dac368db3bbb63d271
Fixes:
https://autobuild.buildroot.org/results/283f52d50ffef91d82a1bdc1f4dde1d54c5ffc23/build-end.log
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 14b5a19486)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Starting GCC14 'implicit-function-declaration' are treated as errors by
default. When building kvmtool with musl libc, the following error
occurs due to missing declaration of 'basename':
```
vfio/core.c:537:22: error: implicit declaration of function ‘basename’ [-Wimplicit-function-declaration]
537 | group_name = basename(group_path);
| ^~~~~~~~
vfio/core.c:537:22: warning: nested extern declaration of ‘basename’ [-Wnested-externs]
vfio/core.c:537:20: error: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
537 | group_name = basename(group_path);
| ^
```
This error can be reproduced with:
```
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_KVMTOOL=y
EOF
make olddefconfig
make kvmtool
```
This patch adds the upstream commit that fixes this issue by including
the appropriate header, ensuring compatibility with musl and GCC14.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cec0acc84d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a TestXenArmv7 class with its related files in an arm/ subfolder
under test_xen/, to test Xen on 32-bit Arm v7.
We cannot boot with UEFI in this case; we use a custom U-Boot script,
which creates the Xen configuration Devicetree during boot.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5346824a83)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In preparation of adding a test for Xen on 32-bit Arm v7:
- Introduce an architecture-agnostic TestXenBase class where we move
most of the Xen test scenario and bits of the configuration.
- Re-organise the test_xen/ folder with the architecture-agnostic files
under common/ and the 64-bit Arm specific files under aarch64/.
Make the 64-bit Arm TestXen class inherit from the base class and leave
in there only the architecture-specific parts:
- The 64-bit Arm configuration bits.
- The test function, which passes the proper 64-bit Arm simulator
options to the generic test function.
No functional change intended.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a6f0d33c87)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit a954d39a58 ("package/chartjs: bump to version 3.9.1") updated the
package version and the license file hash, but also changed the path to
the license file in the hash file. However, the path to the license file
hasn't changed, causing an error during "make legal-info". Revert the
path change.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 353745e095)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since its introduction in commit [1], avrdude has a post install
target hook removing a backup configuration file.
Commit [2] updated avrdude to version 7.1 and switch to the
cmake infra.
CMake recipe doesn't create a backup of the avrdude.conf.
This commit removes this hook which is no longer needed.
[1] dc776f0d05
[2] f89f3787a0
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 51cf8e5663)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
lib/long-options.c failed to compile with musl for the same reason
0002-lib-long-options.c-include-stdlib.h.patch was added to fix,
exit() being undefined. The fix is the same as well: include stdlib.h.
Fixes: b6784a1f1f ("package/lrzsz: fix build with GCC >= 14.x")
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 54240460dc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://github.com/encode/starlette/releases/tag/0.47.2
This fixes the following vulnerability:
- CVE-2025-54121:
Starlette is a lightweight ASGI (Asynchronous Server Gateway
Interface) framework/toolkit, designed for building async web services
in Python. In versions 0.47.1 and below, when parsing a multi-part
form with large files (greater than the default max spool size)
starlette will block the main thread to roll the file over to disk.
This blocks the event thread which means the application can't accept
new connections. The UploadFile code has a minor bug where instead of
just checking for self._in_memory, the logic should also check if the
additional bytes will cause a rollover. The vulnerability is fixed in
version 0.47.2.
https://www.cve.org/CVERecord?id=CVE-2025-54121
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add link to release note]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8945ea3e67)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
A recent commit introduced a few lines that were indented with spaces
rather than a tab. Rectify this.
Fixes: 00b30f887a ("toolchain-wrapper.c: get rid of EXCLUSIVE_ARGS")
Signed-off-by: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5e4cb7607b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository [0]
rtl8821au since Larry unfortunately passed away[1](RIP) and there are
pending PRs that will never be checked as stated here. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And of course let's update
package's URL due to the moving.
[0]: https://github.com/lwfinger/rtl8812au/issues/32
[1]: https://lwn.net/Articles/979419/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2dd7a4a374)
[thomas: only change the upstream]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository [0]
rtl8723ds since Larry unfortunately passed away[1](RIP) and there are
pending PRs that will never be checked as stated here. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And let's drop local patches
that are now upstreamed as well. And of course let's update package's
URL due to the moving.
[0]: https://github.com/lwfinger/rtl8723ds/issues/53
[1]: https://lwn.net/Articles/979419/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 54ee4a71c0)
[thomas: only change the upstream]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository
rtl8723bu since Larry unfortunately passed away[0](RIP) and there are
pending PRs that will never be checked as stated here[1]. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And of course let's update
package's URL due to the moving.
[0]: https://lwn.net/Articles/979419/
[1]: https://github.com/lwfinger/rtl8723bu/issues/206
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d1fc513da7)
[thomas: only change the upstream]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Benetti Engineering just took over Larry Finger(lwfinger)'s repository
rtl8188eu since Larry unfortunately passed away[0](RIP) and there are
pending PRs that will never be checked as stated here[1]. So basically move
github user to benetti-engineering-sas and update version with latest that
fixes build failure with Linux version 6.15. And let's drop local patches
that are now upstreamed as well. Let's also drop obsolete Config.in
informations since as stated here[2]: "This driver is under development
and has a limited feature set. In particular it does not yet support 40MHz
channels and power management". At the same time drop other suggestions
like enabling CONFIG_WIRELESS_EXT or "this package needs a firmware loading
mechanism to load the binary blob for the chip to work" since they are now
part of the package. And of course let's update package's URL due to the
moving.
[0]: https://lwn.net/Articles/979419/
[1]: https://github.com/lwfinger/rtl8188eu/pull/464
Fixes:
https://autobuild.buildroot.org/results/d59537da8eb27d737718885dc81ec257a2791455/
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a9c5dc024a)
[Thomas: only change upstream]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Rather than having a hard coded amount of exclusive args (with the risk of
overflow when new logic is added), simplify the argument buffer allocation
logic to always allocate room for DEFAULT_MAX_ARGS (1024) arguments and just
realloc to grow for the rare situation where that is not enough.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 00b30f887a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
C99 section 5.1.2.2.1p2 mandates that:
- argv[argc] shall be a null pointer.
https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1256.pdf
So we might as well copy the null pointer along in the memcpy() rather than
copy everything up to the null pointer and then add one afterwards for
simplicity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6b8ffbf97b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Systemd support for the RAUC hawkbit updater was added in
4aa7a4ad8a (package/rauc-hawkbit-updater: add systemd optional dependency, 2024-07-10)
This installs the RAUC hawkbit updater service, which executes as user
"rauc-hawkbit" [1], which doesn't exist by default.
[1] 2711c0e027/script/rauc-hawkbit-updater.service
Signed-off-by: Gero Schwäricke <gero.schwaericke@sevenlab.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 69b2777291)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Nftables should be preferred over iptables if available, which
NetworkManager will do if both paths are set.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7c8cca9baa)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release notes since version 5.4.3, see:
https://github.com/assimp/assimp/releases
This fixes the following vulnerabilities:
- CVE-2025-2750:
A vulnerability, which was classified as critical, was found in Open
Asset Import Library Assimp 5.4.3. This affects the function
Assimp::CSMImporter::InternReadFile of the file
code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
manipulation leads to out-of-bounds write. It is possible to initiate
the attack remotely. The exploit has been disclosed to the public and
may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2750
- CVE-2025-2751:
A vulnerability has been found in Open Asset Import Library Assimp
5.4.3 and classified as problematic. This vulnerability affects the
function Assimp::CSMImporter::InternReadFile of the file
code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The
manipulation of the argument na leads to out-of-bounds read. The
attack can be initiated remotely. The exploit has been disclosed to
the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2751
- CVE-2025-2757:
A vulnerability classified as critical was found in Open Asset Import
Library Assimp 5.4.3. This vulnerability affects the function
AI_MD5_PARSE_STRING_IN_QUOTATION of the file
code/AssetLib/MD5/MD5Parser.cpp of the component MD5 File Handler. The
manipulation of the argument data leads to heap-based buffer overflow.
The attack can be initiated remotely. The exploit has been disclosed
to the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-2757
- CVE-2025-3158:
A vulnerability, which was classified as critical, has been found in
Open Asset Import Library Assimp 5.4.3. Affected by this issue is the
function Assimp::LWO::AnimResolver::UpdateAnimRangeSetup of the file
code/AssetLib/LWO/LWOAnimation.cpp of the component LWO File Handler.
The manipulation leads to heap-based buffer overflow. It is possible
to launch the attack on the local host. The exploit has been disclosed
to the public and may be used.
https://www.cve.org/CVERecord?id=CVE-2025-3158
Also, drop local security patches that have been applied upstream
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to relase notes]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3c312f149b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This is a security release of the Long Term Support branch, see release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.4
Also update the download location, because upstream changed the tag naming
scheme from v<...> to mbedtls-<...>
This fixes the following vulnerabilities:
- CVE-2025-47917
Fix possible use-after-free or double-free in code calling
mbedtls_x509_string_to_names(). This was caused by the function calling
mbedtls_asn1_free_named_data_list() on its head argument, while the
documentation did no suggest it did, making it likely for callers relying
on the documented behaviour to still hold pointers to memory blocks after
they were free()d, resulting in high risk of use-after-free or double-free,
with consequences ranging up to arbitrary code execution.
In particular, the two sample programs x509/cert_write and x509/cert_req
were affected (use-after-free if the san string contains more than one DN).
Code that does not call mbedtls_string_to_names() directly is not affected.
- CVE-2025-48965
Fix a bug in mbedtls_asn1_store_named_data() where it would sometimes leave
an item in the output list in an inconsistent state with val.p == NULL but
val.len > 0. This impacts applications that call this function directly,
or indirectly via mbedtls_x509_string_to_names() or one of the
mbedtls_x509write_{crt,csr}set{subject,issuer}_name() functions. The
inconsistent state of the output could then cause a NULL dereference either
inside the same call to mbedtls_x509_string_to_names(), or in subsequent
users of the output structure, such as mbedtls_x509_write_names(). This
only affects applications that create (as opposed to consume) X.509
certificates, CSRs or CRLs, or that call mbedtls_asn1_store_named_data()
- CVE-2025-49087
Fix a timing side channel in the implementation of PKCS#7 padding
which would allow an attacker who can request decryption of arbitrary
ciphertexts to recover the plaintext through a timing oracle attack.
- CVE-2025-49600:
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid
signatures if hash computation fails and internal errors go unchecked,
enabling LMS (Leighton-Micali Signature) forgery in a fault scenario.
Specifically, unchecked return values in mbedtls_lms_verify allow an
attacker (who can induce a hardware hash accelerator fault) to bypass
LMS signature verification by reusing stale stack data, resulting in
acceptance of an invalid signature. In mbedtls_lms_verify, the return
values of the internal Merkle tree functions create_merkle_leaf_value
and create_merkle_internal_value are not checked. These functions
return an integer that indicates whether the call succeeded or not. If
a failure occurs, the output buffer (Tc_candidate_root_node) may
remain uninitialized, and the result of the signature verification is
unpredictable. When the software implementation of SHA-256 is used,
these functions will not fail. However, with hardware-accelerated
hashing, an attacker could use fault injection against the accelerator
to bypass verification.
https://www.cve.org/CVERecord?id=CVE-2025-49600
- CVE-2025-49601:
In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not
check that the input buffer is at least 4 bytes before reading a
32-bit field, allowing a possible out-of-bounds read on truncated
input. Specifically, an out-of-bounds read in
mbedtls_lms_import_public_key allows context-dependent attackers to
trigger a crash or limited adjacent-memory disclosure by supplying a
truncated LMS (Leighton-Micali Signature) public-key buffer under four
bytes. An LMS public key starts with a 4-byte type indicator. The
function mbedtls_lms_import_public_key reads this type indicator
before validating the size of its input.
https://www.cve.org/CVERecord?id=CVE-2025-49601
- CVE-2025-52496:
Mbed TLS before 3.6.4 has a race condition in AESNI detection if
certain compiler optimizations occur. An attacker may be able to
extract an AES key from a multithreaded program, or perform a GCM
forgery.
https://www.cve.org/CVERecord?id=CVE-2025-52496
- CVE-2025-52497:
Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer
underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse
functions, via untrusted PEM input.
https://www.cve.org/CVERecord?id=CVE-2025-52497
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: fix upstream hash URL in hash file]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 24639e0f72)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since python-cython bump to 3.1.2 in commit [1], python-dbus-fast
is failing to build.
Set --skip-dependency-check as dbus-fast specifies an unnecessarily
strict maximum cython version.
Fixes:
ERROR Missing dependencies:
Cython<3.1.0,>=3
[1] b536caaec0
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: add reference to buildroot commit introducing the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f38d4e63d7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The previous url pointed to an unrelated but similarly named project.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 90fdb03f47)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libcddb fail to build with gcc-14 with error:
cddb_net.c: In function 'timeout_connect':
cddb_net.c:328:63: error: passing argument 5 of 'getsockopt' from incompatible pointer type [-Wincompatible-pointer-types]
328 | getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &rv, &l);
| ^~
| |
| size_t * {aka long unsigned int *}
This commit adds a patch to fix the issue.
Fixes:
https://autobuild.buildroot.net/results/723/7236cf5fd4f33aabd3178586f877dff04d754abe/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add error message in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f1b4657bc0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2025-53643:
In aiohttp prior to version 3.12.14, the Python parser is vulnerable
to a request smuggling vulnerability due to not parsing trailer
sections of an HTTP request. If a pure Python version of aiohttp is
installed (i.e. without the usual C extensions) or
AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to
execute a request smuggling attack to bypass certain firewalls or
proxy protections. Version 3.12.14 contains a patch for this issue.
https://www.cve.org/CVERecord?id=CVE-2025-53643
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit e4451602eb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Via the docker-compose runtime test, we can exercise the full suite of
the docker-related packages: docker-compose, of course, but also
docker-engine, which in turn allows exercising containerd. The latter
by defualt uses runc as the container runtime, but can alternatively use
crun.
Extend the docker-compose runtime test with a variant that enables crun.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 34e4480950)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building libesmtp on the autobuilder with gcc-14, the
following error occurs:
/workdir/instance-0/output-1/per-package/libesmtp/host/bin/arc-linux-gcc -Ilibesmtp.so.6.2.0.p -I. -I.. -I/workdir/instance-0/output-1/per-package/libesmtp/host/arc-buildroot-linux-gnu/sysroot/usr/include -fdiagnostics-color=always -Wall -Winvalid-pch -std=c11 -O3 -D_POSIX_C_SOURCE=200809L -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -D_FORTIFY_SOURCE=2 -fPIC -pthread -MD -MQ libesmtp.so.6.2.0.p/smtp-api.c.o -MF libesmtp.so.6.2.0.p/smtp-api.c.o.d -o libesmtp.so.6.2.0.p/smtp-api.c.o -c ../smtp-api.c
../smtp-api.c: In function 'smtp_version':
../smtp-api.c:1183:7: error: implicit declaration of function 'strlcpy'; did you mean 'strncpy'? [-Wimplicit-function-declaration]
1183 | if (strlcpy (buf, v, len) > len)
| ^~~~~~~
| strncpy
This error has been fixed upstream in commit [1], but no new release
has been made since.
This patch update the package version to fetch the latest upstream
commit v1.1.0-14-g335ee8d.
For the changes, see:
- https://github.com/libesmtp/libESMTP/compare/v1.1.0...335ee8d2fa5cb7d30db7b818ec05563ad139ee2f
[1] 972eb54749
Fixes: https://autobuild.buildroot.org/results/ced/ceda012506edccda1727904eb3327017b07e27d8
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien:
- mention gcc-14 as the root cause of the build failure
- use "git describe --tags --abbrev=40" format in _VERSION
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 84077c7776)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In Buildroot 2025.02, the vendor specific kernel version used for the
rapsberrypi5 does not yet include any dts named bcm2712-rpi-500.dts, which
results in a build error.
This reverts commit fa0ee12fcc, which was
mistakenly cherry picked regardless of the needed vendor kernel version bump.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Needed for kodi 22.x.
Added build fix for >= gcc-13.
Switched build system to cmake following upstream:
13683c56e5
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: use "git describe --tags --abbrev=40" format for _VERSION]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c61d7d61b1)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Minimum python version is now 3.9, but also it's not really relevant to
mention this in the package description.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8d1d851d78)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Currently, both BR2_TARGET_ROOTFS_EROFS_ALL_FRAGMENTS and
BR2_TARGET_ROOTFS_EROFS_FRAGMENTS have the same Kconfig prompt, making
them hard to distinguish.
Reword the one for -Eall-fragments to be distinct.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit df7e428cf5)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The error appears on autobuilder with the build using GCC14:
FAILED: ncmpc.p/src_Styles.cxx.o
In file included from ../src/Styles.cxx:7:
/home/buildroot/instance-0/output-1/host/microblazeel-buildroot-linux-gnu/sysroot/usr/include/libintl.h:39:14: error: expected unqualified-id before 'const'
39 | extern char *gettext (const char *__msgid)
| ^~~~~~~
/home/buildroot/instance-0/output-1/host/microblazeel-buildroot-linux-gnu/sysroot/usr/include/libintl.h:39:14: error: expected ')' before 'const'
../src/i18n.h:22:20: note: to match this '('
22 | #define gettext(x) (x)
| ^
[80/102] Compiling C++ object ncmpc.p/src_xterm_title.cxx.o
[81/102] Compiling C++ object ncmpc.p/src_db_completion.cxx.o
[82/102] Compiling C++ object ncmpc.p/src_signals.cxx.o
ninja: build stopped: subcommand failed.
make: *** [package/pkg-generic.mk:273: /home/buildroot/instance-0/output-1/build/ncmpc-0.49/.stamp_built] Error 1
make: Leaving directory '/home/buildroot/instance-0/buildroot'
Starting GCC14 the C++ standard library includes libintl.h that contains
a definition of gettext which caused a clash with the definition present
in ncmpc. This patch resolved this build error seen in [1] by
backporting an upstream commit [2] that renamed the internal gettext
implementation.
Applying the commits of [2], fixes the build error [1].
[1] https://autobuild.buildroot.org/results/cb2/cb292f2c99cdca742a8f52dbfc25f193fe513c6e/build-end.log
[2] 249b62fc9f
Fixes: https://autobuild.buildroot.org/results/cb2/cb292f2c99cdca742a8f52dbfc25f193fe513c6e/build-end.log
Signed-off-by: Tim Soubry <tim.soubry@mind.be>
[Julien:
- mention gcc-14 in commit title
- remove patch numbering to fix check-package error
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a52269e221)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
It was removed from eudev with version 1.5.1, when introspection
became part of the gudev option [1]. This has in turn been removed and
replaced by package/libgudev, yet somehow the flag stayed. Remove it
to remove a warning during configure stage.
[1] d5d6a7f304
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 993c0ba460)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The following build error is happening on the autobuilder:
```
arg_int.c:60:12: error: implicit declaration of function 'isspace' [-Wimplicit-function-declaration]
60 | while (isspace(*ptr))
| ^~~~~~~
arg_int.c:33:1: note: include '<ctype.h>' or provide a declaration of 'isspace'
32 | #include <limits.h>
+++ |+#include <ctype.h>
33 |
arg_int.c:89:8: error: implicit declaration of function 'toupper' [-Wimplicit-function-declaration]
89 | if (toupper(*ptr++)!=toupper(X))
| ^~~~~~~
arg_int.c:89:8: note: include '<ctype.h>' or provide a declaration of 'toupper'
```
Both `isspace` and `toupper` are declared in the `ctype.h` header.
This build error started to happen with gcc-14.
The `ctype.h` include was added in a later upstream commit.
This patch adds that upstream commit and strip everything else to only
patch that include.
Fixes: https://autobuild.buildroot.org/results/d38/d38e3e12f52c3fde08ab446ca14a1a7bd65c9469//
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add comment about gcc-14]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cd6f2b465b)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since the version bump of sudo to 1.9.17p1 [1], the sed command in
SUDO_ENABLE_SUDO_GROUP_RULE no longer matches the the line in the
example sudoers file shipped with the sudo package. This is due to
upstream commit [2].
This commit fixes the regexp to match the new sudoers file.
[1] ee86844e63
[2] 7c121ff834
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: add link to upstream commit introducing the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 35708db024)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since the mbedtls bump to v3.6 [1] the libiec61850 package is failling
on the autobuilder with the following error:
```
[ 2%] Building C object hal/CMakeFiles/hal.dir/tls/mbedtls/tls_mbedtls.c.o
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c: In function 'compareCertificates':
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c:122:17: error: 'mbedtls_x509_crt' has no member named 'sig'
122 | if (crt1->sig.len == crt2->sig.len)
| ^~
/workdir/instance-0/output-1/build/libiec61850-1.6.0/hal/tls/mbedtls/tls_mbedtls.c:122:34: error: 'mbedtls_x509_crt' has no member named 'sig'
122 | if (crt1->sig.len == crt2->sig.len)
| ^~
...
```
The logic to support mbedtls v3 is already present on the version
present in buildroot.
This patch ensures that the CMake build uses the mbedtls headers and
libraries provided by buildroot rather than the bundled copy.
By setting the following variable the mbedtls v3.6 is correctly found
during the configuration of the package.
```
Found mbedtls 3.6 -> can compile HAL with TLS 1.3 support
```
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
Fixes: https://autobuild.buildroot.org/results/5fc/5fca384510d2fb9dd1d01736dee34b53339d62ff/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 30fc97c2c5)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since [1] when trying to build this package with mbedtls v3.6 the
following error is happening:
```
player.h:12:10: fatal error: mbedtls/havege.h: No such file or directory
12 | #include <mbedtls/havege.h>
| ^~~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_SHAIRPORT_SYNC=y
EOF
make olddefconfig
make
```
This patch backport the upstream commit [2] that add support for
mbedtls v3.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] d73b585c6f
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d53f8f2691)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Since the mbedtls bump to v3.6 [1] the ustream-ssl package is failling
on the autobuilder with the following error:
```
In file included from /home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-internal.h:25,
from /home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-ssl.c:25:
/home/buildroot/instance-0/output-1/build/ustream-ssl-68d09243b6fd4473004b27ff6483352e76e6af1a/ustream-mbedtls.h:24:10: fatal error: mbedtls/certs.h: No such file or directory
24 | #include <mbedtls/certs.h>
| ^~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_USTREAM_SSL=y
EOF
make olddefconfig
make
```
This patch backport upstream commit that address the compatibility with
mbedtls v3.6.
- [2] rename the `_random` function used by the mbedtls functions
- [3] update `mbedtls_pk_parse_keyfile` function to support new mbedtls
definition and use `mbedtls_pk_get_type`.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 0001-ustream-mbedtls-use-getrandom-instead-of-dev-urandom.patch
[3] 0002-ustream-mbedtls-add-compatibility-with-mbed-tls-3-0-0.patch
Fixes: https://autobuild.buildroot.org/results/c20/c20dac7cbe5def2c6036d2e1d06de0bfea68b57c
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d28ae8b00b)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Xen currently fails to build for 32-bit Arm v7 with binutils >= 2.41,
with the following error:
proc-v7.S:33: Error: junk at end of line, first unrecognized character is `#'
The failure can be reproduced with the commands:
cat >.config <<EOF
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_ARM_EABIHF=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_XEN=y
BR2_PACKAGE_XEN_HYPERVISOR=y
BR2_PACKAGE_XEN_TOOLS=y
EOF
make olddefconfig
make xen
Backport a patch from Xen 4.18 plus one patch it depends on to fix the
build.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
[Julien:
- reword commit title
- add commands to reproduce the issue in commit log
- add missing SoB lines to patches
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2c868ca44d)
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
The patch has been integrated upstream as part of sudo 1.9.16p2, and was
therefore removed from Buildroot in [1]. However, because that change in
Buildroot was not considered as a security bump at that time, it hasn't
been cherry-picked to the 2025.02.x LTS branch.
Later on, sudo issued a new security version, which has been promptly
merged into Buildroot master in [2]. Since this addressed a security issue,
the patch has also been backported into the 2025.02.x LTS branch [3]. The
backport integrated the 2 versions bumps into one change, but the patch
removal was lost in the process.
Fixes: https://autobuild.buildroot.net/results/260/260a8e8da6e459b7c723fbeaeb23fb1fcf0db155//
[1] 969bdb9d2e
[2] ee86844e63
[3] 9bcbbcc37f
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Read the announcement: https://lwn.net/ml/all/xmqq5xg2wrd1.fsf@gitster.g/
This fixes the following vulnerabilities:
- CVE-2025-27613 (Gitk):
When a user clones an untrusted repository and runs Gitk without
additional command arguments, any writable file can be created and
truncated. The option "Support per-file encoding" must have been
enabled. The operation "Show origin of this line" is affected as
well, regardless of the option being enabled or not.
https://www.cve.org/CVERecord?id=CVE-2025-27613
- CVE-2025-27614 (Gitk):
A Git repository can be crafted in such a way that a user who has
cloned the repository can be tricked into running any script
supplied by the attacker by invoking `gitk filename`, where
`filename` has a particular structure.
https://www.cve.org/CVERecord?id=CVE-2025-27614
- CVE-2025-46835 (Git GUI):
When a user clones an untrusted repository and is tricked into
editing a file located in a maliciously named directory in the
repository, then Git GUI can create and overwrite any writable
file.
https://www.cve.org/CVERecord?id=CVE-2025-46835
- CVE-2025-48384:
When reading a config value, Git strips any trailing carriage
return and line feed (CRLF). When writing a config entry, values
with a trailing CR are not quoted, causing the CR to be lost when
the config is later read. When initializing a submodule, if the
submodule path contains a trailing CR, the altered path is read
resulting in the submodule being checked out to an incorrect
location. If a symlink exists that points the altered path to the
submodule hooks directory, and the submodule contains an executable
post-checkout hook, the script may be unintentionally executed
after checkout.
https://www.cve.org/CVERecord?id=CVE-2025-48384
- CVE-2025-48385:
When cloning a repository Git knows to optionally fetch a bundle
advertised by the remote server, which allows the server-side to
offload parts of the clone to a CDN. The Git client does not
perform sufficient validation of the advertised bundles, which
allows the remote side to perform protocol injection.
This protocol injection can cause the client to write the fetched
bundle to a location controlled by the adversary. The fetched
content is fully controlled by the server, which can in the worst
case lead to arbitrary code execution.
https://www.cve.org/CVERecord?id=CVE-2025-48385
- CVE-2025-48386:
The wincred credential helper uses a static buffer (`target`) as a
unique key for storing and comparing against internal storage. This
credential helper does not properly bounds check the available
space remaining in the buffer before appending to it with
`wcsncat()`, leading to potential buffer overflows.
https://www.cve.org/CVERecord?id=CVE-2025-48386
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
(cherry picked from commit 62788e0e49)
[thomas: bumped to v2.48.2 instead]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 1e97b27873 ("ccache: support changing the output directory") added
the CCACHE_BASEDIR logic, but added a comment (presumably from cut'n'paste)
about compilercheck instead, fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f66e4c2568)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the introduction of CMake 4 in several distributions, build errors
started occurring on those distributions for cmake packages that
included calls to cmake_minimum_required() or cmake_policy() with a
version older than 3.50 (see [1]).
To avoid backporting numerous individual fixes for affected packages,
commit [2] was previously applied to the LTS branch as a workaround.
Following further discussion (see [2][3]), that raised concerns about
policy changes between CMake versions that could lead to breaking builds
in non-obvious ways, a different approach was chosen.
This patch reverts commit [2] and instead of applying a global
compatibility variable, we now enforce building host-cmake when the host
system provides CMake 4 or newer.
[1] https://cmake.org/cmake/help/latest/release/4.0.html#deprecated-and-removed-features
[2] 70aac2d9e8 package/pkg-cmake.mk: force config version >=3.5
[3] https://lists.buildroot.org/pipermail/buildroot/2025-May/780262.html
[4] https://lists.buildroot.org/pipermail/buildroot/2025-June/780372.html
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the mbedtls bump to v3.6 [1] the libuhttpd fails to build with the
following error:
```
[ 8%] Building C object src/ssl/CMakeFiles/xssl.dir/mbedtls.c.o
.../buildroot/output/build/libuhttpd-3.14.1/src/ssl/mbedtls.c:52:10: fatal error: mbedtls/certs.h: No such file or directory
52 | #include <mbedtls/certs.h>
| ^~~~~~~~~~~~~~~~~
compilation terminated.
```
This error can be reproduced with the following config:
```
cat <<EOF >.config
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MBEDTLS=y
BR2_PACKAGE_LIBUHTTPD=y
EOF
make olddefconfig
make
```
The compatibility with mbedtls v3 has been addressed upstream in the
zhaojh329/ssl project included as a submodule of libuhttpd [2].
This patch backport this upstream commit to be applied on the submodule
directory. This required adaptation of the line numbers (see [3]) and
renaming a function reference passed as parameter of
'mbedtls_pk_parse_keyfile' caused by the commit [4].
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 28cc9b5d98
[3] 8092b5a490 (diff-fbc46fa2db83f8649ccf1f46c6a044473b7b228edc7d4c0f7cc04b5a879f6fb7)
[4] 0e7d2f73d7 (diff-fbc46fa2db83f8649ccf1f46c6a044473b7b228edc7d4c0f7cc04b5a879f6fb7R92)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1a8e868623)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the mbedtls bump to v3.6 [1] the bmx7 package is failling on the
autobuilder:
```
/workdir/instance-0/output-1/host/bin/xtensa-buildroot-linux-uclibc-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -mlongcalls -mauto-litpools -Os -g3 -pedantic -W -Wall -Wstrict-prototypes -Wno-unused-parameter -Os -g3 -std=gnu99 -DGIT_REV=\"0\" -DAVL_5XLINKED -DDEBUG_MALLOC -DCORE_LIMIT=20000 -pedantic -W -Wall -Wstrict-prototypes -Wno-unused-parameter -Os -g3 -std=gnu99 -DGIT_REV=\"0\" -DAVL_5XLINKED -DDEBUG_MALLOC -DCORE_LIMIT=20000 -c crypt.c -o crypt.o
crypt.c:66:10: fatal error: mbedtls/compat-1.3.h: No such file or directory
66 | #include "mbedtls/compat-1.3.h"
| ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
```
This patch includes a set of upstream patches that address the
compatibility with the v3.6 of mbedtls.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
Fixes: https://autobuild.buildroot.org/results/b77/b776e34d1c5bc3904ea7138bd6c4ac17a1f0fd34/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c32230fe35)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the mbedtls bump to v3.6 [1] the shadowsocks-libev package is
failling on the autobuilder:
```
checking for mbedtls_cipher_setup in -lmbedcrypto... yes
checking whether mbedtls supports Cipher Feedback mode or not... configure: error: MBEDTLS_CIPHER_MODE_CFB required
make: *** [package/pkg-generic.mk:263: /workdir/instance-0/output-1/build/shadowsocks-libev-3.3.5/.stamp_configured] Error 1
make: Leaving directory '/workdir/instance-0/buildroot'
```
This is due to the breaking changes in the mbedtls API with the version
bump.
This patch adds the upstream patch [2] that address this issue by verifying
conditionally the version of mbedtls we are running on to make the API
calls and includes.
[1] 3481a9643f package/mbedtls: bump to version 3.6.3.1
[2] 9afa3cacf9#
Fixes: https://autobuild.buildroot.org/results/070/070581d95f2739cee3b4cb8252639dd92b5a8421
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 78198bc0f3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When SIGINT is issued for a package test run, it will abort the active
toolchain run then proceed to the next. If a user is running the entire
default toolchain set (`-a`), they can be required to invoke SIGINT
multiple times to stop a run.
This commit uses a SIGINT hook to flag a shutdown state and stop further
attempts to run anymore toolchain tests.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8f09106e81)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When running check-package before completing commits for a change, if
any files are setup for removal, check-package will throw
FileNotFoundError exceptions instead of generating a warning state. For
example:
$ utils/docker-run make check-package
Traceback (most recent call last):
...
FileNotFoundError: [Errno 2] No such file or directory: 'package/.../0001-some-removed-patch.patch'
make: *** [Makefile:1264: check-package] Error 1
This commit will now catch FileNotFoundError and populate a warning
message:
$ utils/docker-run make check-package
package/.../0001-some-removed-patch.patch: missing; unstaged file removal?
package/.../0002-another-removed-patch.patch: missing; unstaged file removal?
427843 lines processed
3 warnings generated
make: *** [Makefile:1264: check-package] Error 1
Signed-off-by: James Knight <git@jdknight.me>
Reviewed-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c41a06bbd9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Import all security patches from OpenEmbedded for libsoup.
This fixes the following 18 known vulnerabilities:
- CVE-2024-52530:
GNOME libsoup before 3.6.0 allows HTTP request smuggling in some
configurations because '\0' characters at the end of header names are
ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the
same as a "Transfer-Encoding: chunked" header.
https://www.cve.org/CVERecord?id=CVE-2024-52530
- CVE-2024-52531:
GNOME libsoup before 3.6.1 allows a buffer overflow in applications that
perform conversion to UTF-8 in soup_header_parse_param_list_strict.
There is a plausible way to reach this remotely via
soup_message_headers_get_content_type (e.g., an application may want to
retrieve the content type of a request or response).
https://www.cve.org/CVERecord?id=CVE-2024-52531
- CVE-2024-52532:
GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption.
During the reading of certain patterns of WebSocket data from clients.
https://www.cve.org/CVERecord?id=CVE-2024-52532
- CVE-2025-2784:
Libsoup: heap buffer over-read in `skip_insignificant_space`
when sniffing content
https://www.cve.org/CVERecord?id=CVE-2025-2784
- CVE-2025-4476:
Libsoup: null pointer dereference in libsoup may lead to denial of service
https://www.cve.org/CVERecord?id=CVE-2025-4476
- CVE-2025-4948:
Libsoup: integer underflow in soup_multipart_new_from_message() leading to
denial of service in libsoup
https://www.cve.org/CVERecord?id=CVE-2025-4948
- CVE-2025-4969:
Libsoup: off-by-one out-of-bounds read in find_boundary() in soup-multipart.c
https://www.cve.org/CVERecord?id=CVE-2025-4969
- CVE-2025-32050:
Libsoup: integer overflow in append_param_quoted
https://www.cve.org/CVERecord?id=CVE-2025-32050
- CVE-2025-32052:
Libsoup: heap buffer overflow in sniff_unknown()
https://www.cve.org/CVERecord?id=CVE-2025-32052
- CVE-2025-32053:
Libsoup: heap buffer overflows in sniff_feed_or_html() and
skip_insignificant_space()
https://www.cve.org/CVERecord?id=CVE-2025-32053
- CVE-2025-32906:
Libsoup: out of bounds reads in soup_headers_parse_request()
https://www.cve.org/CVERecord?id=CVE-2025-32906
- CVE-2025-32910:
Libsoup: null pointer deference on libsoup via /auth/soup-auth-digest.c
through "soup_auth_digest_authenticate" on client when server omits the
"realm" parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32910
- CVE-2025-32911:
Libsoup: double free on soup_message_headers_get_content_disposition()
through "soup-message-headers.c" via "params" ghashtable value
https://www.cve.org/CVERecord?id=CVE-2025-32911
- CVE-2025-32912:
Libsoup: null pointer dereference in client when server omits the "nonce"
parameter in an unauthorized response with digest authentication
https://www.cve.org/CVERecord?id=CVE-2025-32912
- CVE-2025-32913:
Libsoup: null pointer dereference in
soup_message_headers_get_content_disposition when "filename" parameter is
present, but has no value in content-disposition header
https://www.cve.org/CVERecord?id=CVE-2025-32913
- CVE-2025-32914:
Libsoup: oob read on libsoup through function
"soup_multipart_new_from_message" in soup-multipart.c leads to crash or
exit of process
https://www.cve.org/CVERecord?id=CVE-2025-32914
- CVE-2025-46420:
Libsoup: memory leak on soup_header_parse_quality_list() via soup-headers.c
https://www.cve.org/CVERecord?id=CVE-2025-46420
- CVE-2025-46421:
Libsoup: information disclosure may leads libsoup client sends authorization
header to a different host when being redirected by a server
https://www.cve.org/CVERecord?id=CVE-2025-46421
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit eee0f6c078)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] introduced a patch addressing CVE-2021-23159. Since then,
CVE-2023-34432 ([2]) remained the only unresolved CVE reported
against the sox package in pkg-stat. This patch adds CVE-2023-34432
to the list of ignored CVEs for sox, based on the report from the
Debian Security Tracker ([3]) and the sox issue tracker ([4]), both
indicate that the patch introduced in [1] also resolves this CVE.
[1] 14aa0f5ec1 package/sox: add fix for CVE-2021-23159, CVE-2021-23172, CVE-2023-34318
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-34432
[3] https://security-tracker.debian.org/tracker/CVE-2023-34432
[4] https://sourceforge.net/p/sox/bugs/367/
Signed-off-by: Tim Soubry <tim.soubry@mind.be>
[Julien: change commit ref [1] to use commit id from master branch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e868b974a7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The following error appeared on the autobuilder for host using
host-gcc15:
```
p11_attr.c: In function 'pkcs11_addattr_bool':
p11_attr.c:126:25: error: expected identifier or '(' before 'true'
126 | static CK_BBOOL true = CK_TRUE;
| ^~~~
p11_attr.c:127:25: error: expected identifier or '(' before 'false'
127 | static CK_BBOOL false = CK_FALSE;
| ^~~~~
p11_attr.c:128:44: error: lvalue required as unary '&' operand
128 | pkcs11_addattr(tmpl, type, value ? &true : &false, sizeof(CK_BBOOL));
| ^
p11_attr.c:128:52: error: lvalue required as unary '&' operand
128 | pkcs11_addattr(tmpl, type, value ? &true : &false, sizeof(CK_BBOOL));
| ^
make[3]: *** [Makefile:646: libp11_la-p11_attr.lo] Error 1
```
This is due to the change in the default C language version in GCC15.
This patch backport the upstream patch that fix that issue by not using
the keywords.
Fixes: https://autobuild.buildroot.org/results/da7/da71db9b04f181b9d2e72df73ac8541709f5a1d4
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit df60b105b4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerabilities:
- CVE-2023-4256:
Within tcpreplay's tcprewrite, a double free vulnerability has been
identified in the tcpedit_dlt_cleanup() function within
plugins/dlt_plugins.c. This vulnerability can be exploited by
supplying a specifically crafted file to the tcprewrite binary. This
flaw enables a local attacker to initiate a Denial of Service (DoS)
attack.
https://www.cve.org/CVERecord?id=CVE-2023-4256
- CVE-2023-43279:
Null Pointer Dereference in mask_cidr6 component at cidr.c in
Tcpreplay 4.4.4 allows attackers to crash the application via crafted
tcprewrite command.
https://www.cve.org/CVERecord?id=CVE-2023-43279
- CVE-2024-22654:
tcpreplay v4.4.4 was discovered to contain an infinite loop via the
tcprewrite function at get.c.
https://www.cve.org/CVERecord?id=CVE-2024-22654
See the release notes:
https://github.com/appneta/tcpreplay/releases/tag/v4.5.1
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 31619696b9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://www.sudo.ws/releases/stable/#1.9.17p1
Fixes the following security issues:
- CVE-2025-32462: Sudo before 1.9.17p1, when used with a sudoers file that
specifies a host that is neither the current host nor ALL, allows listed
users to execute commands on unintended machines (since sudo 1.8.8)
https://www.sudo.ws/security/advisories/host_any/
- CVE-2025-32463: Sudo before 1.9.17p1 allows local users to obtain root
access because /etc/nsswitch.conf from a user-controlled directory is used
with the --chroot option (since sudo 1.9.4)
https://www.sudo.ws/security/advisories/chroot_bug/
Update the LICENSE.md hash for a change in copyright years:
30729312c2
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add link to release note in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ee86844e63)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The daq package fails to build with GCC14 toolchains:
```
daq_nfq.c: In function 'SetPktHdr':
daq_nfq.c:395:37: error: passing argument 2 of 'nfq_get_payload' from incompatible pointer type [-Wincompatible-pointer-types]
395 | int len = nfq_get_payload(nfad, (char**)pkt);
| ^~~~~~~~~~~
| |
| char **
```
The issue can be reproduced with the following config:
```
cat > daq.config <<EOF
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_DAQ=y
BR2_PACKAGE_LIBDNET=y
BR2_PACKAGE_LIBNETFILTER_QUEUE=y
EOF
```
This patch port a patch taken from openembedded meta-networking [1] and
is tested with test-pkg:
```
$ ./utils/test-pkg -c daq.config -p daq
```
[1] https://layers.openembedded.org/layerindex/recipe/37594/
Fixes: https://autobuild.buildroot.org/results/c69/c69ab134463a18eec65ded836aecf89a5cb4a75c/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 533c0aac28)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] backported an upstream patch to address CVE-2025-46836 that
included a regression.
Upstream later fixed this regression in commit [2].
This patch add that fix to correct the issue introduced by the original
patch.
[1] 323aaa9f54 package/net-tools: add upstream security fix for CVE-2025-46836
[2] ddb0e375fb/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d3274210f9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://github.com/urllib3/urllib3/releases/tag/2.5.0
This fixes the following vulnerabilities:
- CVE-2025-50181:
urllib3 redirects are not disabled when retries are disabled on
PoolManager instantiation
- CVE-2025-50182:
urllib3 does not control redirects in browsers and Node.js
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add link to release note in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7006854ce1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following vulnerability:
- CVE-2023-34194:
StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML
through 2.6.2 has a reachable assertion (and application exit) via a
crafted XML document with a '\0' located after whitespace.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 184a1b94a5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Jose-13 fixed the following security issue:
- CVE-2023-50967: latchset jose through version 11 allows attackers to cause
a denial of service (CPU consumption) via a large p2c (aka PBES2 Count)
value.
https://github.com/latchset/jose/issues/151
In addition, jose-14 worked around another DoS issue related to
decompression:
https://github.com/latchset/jose/pull/157
Drop now upstreamed patches:
- 0001-lib-hsh.c-rename-hsh-local-variable.patch: Upstream as of
3d5b287243
- 0002-man-add-option-to-skip-building-man-pages.patch: Upstream after
getting reworked to use -Ddocs=disabled as of
786b426df0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: remove .checkpackageignore entries to fix check-package errors]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 394a8fb406)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The syslinux runtime test (which is in fact a build-only test) ensures
that syslinux does get build at least once a week (via the gitlab-CI
weekly pipeline). Runtime testing would need much more work, though, but
nothing in syslinux is currently runtime tested anyway.
Reported-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a6ddf2b91d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The following error occurs on the autobuilder for builds with musl
libc.
```
CC util/bitmap.o
In file included from include/linux/bitmap.h:7,
from util/bitmap.c:9:
include/linux/bitops.h:4:10: fatal error: bits/wordsize.h: No such file or directory
4 | #include <bits/wordsize.h>
| ^~~~~~~~~~~~~~~~~
```
The error occurs because bits/wordsize.h is specific to glibc.
This patch applies an upstream fix that replaces the use of __WORDSIZE
with an internal macro, making the code portable across different libc.
Fixes: https://autobuild.buildroot.org/results/30d/30d6e407e6a0fc7d85062c2d56008755c70ca733/build-end.log
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 901b9e19ed)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The 0.192 release of elfutils introduced the src/srcfiles.cxx program,
that lists all source files of a given ELF binary. As this is a C++
program, we need a toolchain that supports it.
Without it, the build system tries to use "no" as the CXX compiler,
resulting in the following errors :
/bin/sh: line 1: no: command not found
as can be seen here for example :
https://autobuild.buildroot.net/results/849/849221c794a469a423857a290db775d150b84900
Add a dependency to a CPP toolchain for the elfutils programs.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 268d7ad180)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The elfutils programs require Glibc to be used as the C library. Show a
comment when this libc isn't used in the toolchain.
Suggested-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 52ba3ed657)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
As specified in the 2.28.10 release notes:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.10
Mbed TLS 2.28.10 is the last release of the 2.28 LTS and won't receive bug
fixes or security fixes anymore. Users are advised to upgrade to a
maintained version.
So move to 3.6.x, which is the new LTS version:
Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with
bug-fixes and security fixes until at least March 2027.
Drop BR2_PACKAGE_MBEDTLS_COMPRESSION and all related references
as native zlib support has been entirely removed from mbedtls.
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Peter: add note about 2.28.x / 3.6.x, add Config.in.legacy]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 3481a9643f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For release note, see:
https://dev.gnupg.org/T7166
This version fixes a build error which can happen with 32-bit arm
configurations.
The issue can be reproduced with commands:
cat >.config <<EOF
BR2_arm=y
BR2_cortex_a8=y
BR2_ARM_INSTRUCTIONS_THUMB2=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_LIBGCRYPT=y
EOF
make olddefconfig
make libgcrypt
Build is failing with output:
ec-nist.c: In function '_gcry_mpi_ec_nist256_mod':
ec-inline.h:902:5: error: 'asm' operand has impossible constraints or there are not enough registers
902 | __asm__ ("subs %3, %7, %10\n" \
| ^~~~~~~
Details for this buggix: https://dev.gnupg.org/T7226
Signed-off-by: Bram Oosterhuis <dev@bybram.com>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 89ca1bd4f4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
syslinux is... special. It is a target package, but it is installed in
HOST_DIR *in the target install commands*: in addition to the boot files
that run on the target, syslinux installs a set of host tools that are
to be used at build time (e.g. extlinux, to prepare bootable media, like
an iso96660 image). Then, from HOST_DIR, the actual boot files are
copied into BINARIES_DIR (i.e. images/); we do it that way because the
boot files are scattered about everywhere in the build tree, while they
are all packed together in a single directory once installed.
However, there is no dependency between the target and image install
steps. So, when using top-level parallel builds, there is no guarantee
that the target install commands are finished before the image install
commands are started.
We fix that by first installing into a temporary location, as part of
the build step, and by then copying from there as part of the install
step. This ensures that the boot files are easily available, without
needing a dependency on the target install step, that we can't express.
Note that we do not change the actual installation into HOST_DIR: it can
be set up differently that our temporary location, and we do not want
to duplicate that setup here (it's going to diverge over time).
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 90e76818a1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
At the moment, package stats indicates that libmpeg2 is affected by
https://nvd.nist.gov/vuln/detail/CVE-2022-37416
However, this CVE applies to a completely different piece of software,
that has the same name "libmpeg2" [1].
To avoid the confusion, let's add a proper CPE vendor to Buildroot's libmpeg2.
The library itself does not clearly identify any vendor name, and there isn't
any existing CPE on the NVD website. Since this library is not updated for
many years (maybe even before the introduction of the CPE system), but the
code is somehow related to the Videolan project, let's add this as the
vendor, which sould solve the matched CVE issue.
[1] https://github.com/ittiam-systems/libmpeg2
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: fix typo in commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 585ee147dd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When a new gcc version is introduced, for example gcc 15 in
commit [1], it should have also added a "depends on
!BR2_ARCH_NEEDS_GCC_AT_LEAST_15" to the previous gcc version.
This logic is described for external toolchains in commit [2],
for example. The internal Buildroot toolchains should have the
same logic. This logic existed for previous gcc version. See for
example the removal of gcc 12 in commit [3].
There is usually no problem, because all the three latest active gcc
versions supports all CPUs present in Buildroot.
However, the commit [4] recently added the support for the Arm
Cortex-A720 CPU, which needs at least gcc 14. Since there is no
logic preventing the selection of the gcc version, it is possible
to select an unsupported gcc version (i.e. gcc 13).
In such a case, the host-gcc-initial package configuration fails
with output:
Unknown cpu used in --with-cpu=cortex-a720
This commit fixes the issue by adding those missing dependencies.
Fixes:
https://autobuild.buildroot.org/results/918b90aee0b65f01efc241622015cb847b4e23a8/
[1] 75891397ab
[2] f577d8218f
[3] 58cf7c51da (66f7e875db173e5538d3511c8297acc1ba30da33_27_25)
[4] de374e06d8
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6f231d3003)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The new test requires a br2-external directory because we compile a
small test program on the host and install it on the target, but it's
not useful to have it in the main Buildroot package tree.
The test program loads and parses a sample HTML document. Taking
inspiration from 'examples/get_title.c' in gumbo-parser, it also
searches for the title of the document just to check that we can do
more than the parsing.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit da23be6338)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Development on Google's GitHub repository has stopped a long time ago.
A fork exists on Codeberg, and multiple distributions (Fedora, Arch
Linux, ...) are already using it (see [1]).
Update the source URL to use the new upstream location.
The new upstream has a different hash for the 0.10.1 tarball, so
update it as well.
[1]: https://repology.org/project/gumbo-parser/versions
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1e106d8412)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This test verifies that we can run nginx with the modsecurity
directives.
It also checks a very simple rule that blocks requests containing the
keyword "blockme".
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[Julien:
- add / at directory end in DEVELOPERS
- sort DEVELOPERS entries alphabetically
- remove unneeded test configs already present in
BASIC_TOOLCHAIN_CONFIG
- sort test config directives alphabetically
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5cda85cb56)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Backport the upstream patch that fixes the following build error when
compiling for mips with gcc 15:
In file included from mips-opc.c:29:
mips-opc.c: In function 'decode_mips_operand':
mips-formats.h:86:7: error: expected identifier or '(' before
'static_assert'
86 | static_assert[(1 << (SIZE)) == ARRAY_SIZE (MAP)]; \
| ^~~~~~~~~~~~~
The patch is already part of upstream binutils 2.44, so we only need
it for 2.42 and 2.43.1.
All 3 versions we have of host-binutils were build-tested using the
defconfig from the autobuilder failure (see the link below) and gcc 15
on the host.
Fixes:
- https://autobuild.buildroot.org/results/873/873ec25cf01d5f2b9ae7044e0b1d8d8791b781e6/
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 430aa91c3d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The upstream Github repository payden/libwebsock is no longer available,
and its URL now redirects to some completely unrelated software.
We don't know for sure what happened, but at least the package does not
build anymore, because its source code has vanished.
Since no other buildroot package depends on libwebsock, and it hasn't
received any update; let's simply remove it from here.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9f2dbf1486)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following CVE:
- CVE-2025-29481:
Buffer Overflow vulnerability in libbpf 1.5.0 allows a local attacker to
execute arbitrary code via the bpf_object__init_prog` function of libbpf.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-29481
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add direct link to CVE in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fba60c7732)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Actually DTB_LIST accepts only file and not files with relative path
preprended. This leads to have vfat without .dtb files and so Linux
doesn't start. Let's fix this by including slash in sed command as done
for mxc as well as basename in front of $dt.dtb to remove possible
useless folders present in the dts path. Let's also add set -e at the
top of the script to make it more verbose on error and modify this
section according to spellcheck as done for mxc.
This commit align this "mxs/post-image.sh" with its "imx/post-image.sh"
counterpart which was improved for arm64 in commit [1].
[1] 4755bf2bd4
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien:
- change space indentation to tabs for consistency
- add note in commit log about imx/post-image.sh
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 50297207a8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
gnu-efi fails to build if TOPDIR is exported in the environment since the
move to version 3.0.18 in commit 9efeb7e914 ("package/gnu-efi: bump to
version 3.0.18").
The reason is the change in TOPDIR logic introduced by upstream commit
31913f8489 ("Make: make TOPDIR actually work and get rid of unused CDIR"):
31913f8489
export TOPDIR=foo; make gnu-efi
...
/path/to/buildroot/output-gnuefi/host/bin/aarch64-linux-ld: cannot find
/path/to/buildroot/output-gnuefi/build/gnu-efi-4.0.0//apps/../aarch64/gnuefi/crt0-efi-aarch64.o:
No such file or director
make[2]: *** [Makefile:89: apps] Error 2
make[1]: *** [package/pkg-generic.mk:273: /path/to/buildroot/output-gnuefi/build/gnu-efi-4.0.0/.stamp_built] Error 2
make: *** [Makefile:23: _all] Error 2
As a workaround, unexport TOPDIR like we do for other sensitive environment
variables.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2b5544ab7a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The list of environment variables to unexport has grown organically over the
years and is no longer sorted. Sort it alphabetically for clarity.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit da04cfa26c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The current homepage URL leads to an HTTP 404 error.
Fix it by using the homepage URL currently mentioned in mupdf's git
repository.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d1ea9a64e6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Bump from v5.15.1 to the latest patchlevel bump, v5.15.186.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Joachim Wiberg <troglobit@gmail.com>
[Julien: reword commit title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3953bd3e9c)
[thomas: bump to latest 5.15 instead of 6.12]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 0fce7a9623 ("package/libcurl: fix build w/ threads + c-ares") added a
conditional for threads + c-ares, but ended up with a end-parenthesis too
many - so the condition is never true. Fix that.
Reported-by: Tibault Damman <tibault.damman@basalte.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 17399baa7c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In Linux v6.8, the rtla Makefile was rewritten :
01474dc706ca ("tools/rtla: Use tools/build makefiles to build rtla")
The new Makefile uses default linker values, so the host linker being used to
produce the final rtla binary.
This results in the following error :
ld: [...] trace.o: error adding symbols: file in wrong format
Add LD=$(TARGET_LD) to the RTLA_MAKE_OPTS to fix rtla cross-compilation.
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f28f34e200)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
According to
https://lists.samba.org/archive/samba-technical/2025-June/139484.html:
A new update, version 7.4, of cifs-utils has been released today.
Users of cifs-utils version 7.3 on older kernels are encouraged to
update to 7.4 since it includes a fix for a mount problem with version
7.3 of cifs-utils on older kernels when using namespaces.
[...]
Detailed list of changes since version 7.3 was released
----------------------------------------------------------------
Enzo Matsumiya (1):
mount.cifs: retry mount on -EINPROGRESS
Henrique Carvalho (1):
cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP
Paulo Alcantara (1):
cifs.upcall: fix memory leaks in check_service_ticket_exits()
Pavel Shilovsky (1):
cifs-utils: bump version to 7.4
Z. Liu (2):
getcifsacl, setcifsacl: use <libgen.h> for basename
cifscreds: use <libgen.h> for basename
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4abd7bb9df)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changes 7.1..7.2:
- Security enhancements including support for password rotation,
better credential management, and namespaces
- Various improvements to man pages
Changes 7.2..7.3:
- Three fixes, including a fix for "guest" mount problem introduced
with version 7.2
Our patch is upstream as of 7.2, so we can drop it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit efdf0cdbcb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit 8f69974c20 switched the
buildsystem of mpv from waf to meson but forgot to remove a patch which
fixed a waf-related build error.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 942b88e693)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The squashfs 4.6.1 archive hash has been changed suddenly two weeks
ago by Github without any intended changes from the squashfs maintainer
[1].
The orginal squashfs 4.6.1 archive has been manually uploaded again.
Update the URL to download the archive that match the expected hash.
Since we don't use the github download helper anymore, the squashfs
archive name is changed from squashfs-4.6.1.tar.gz to
squashfs-tools-4.6.1.tar.gz.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10355448207
(and many more...)
See:
[1] https://github.com/plougher/squashfs-tools/issues/313
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e374ae03b5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
REMI hasn't received new release since July 2022 and is currently broken
with error:
Traceback (most recent call last):
File "<string>", line 26, in <module>
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 116, in setup
_install_setup_requires(attrs)
~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 89, in _install_setup_requires
_fetch_build_eggs(dist)
~~~~~~~~~~~~~~~~~^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 94, in _fetch_build_eggs
dist.fetch_build_eggs(dist.setup_requires)
~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 80, in fetch_build_eggs
raise SetupRequirementsError(specifier_list)
setuptools.build_meta.SetupRequirementsError: ['setuptools_scm']
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 389, in <module>
main()
~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 373, in main
json_out["return_val"] = hook(**hook_input["kwargs"])
~~~~^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/pyproject_hooks/_in_process/_in_process.py", line 143, in get_requires_for_build_wheel
return hook(config_settings)
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 331, in get_requires_for_build_wheel
return self._get_build_requires(config_settings, requirements=[])
~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 301, in _get_build_requires
self.run_setup()
~~~~~~~~~~~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 512, in run_setup
super().run_setup(setup_script=setup_script)
~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/build_meta.py", line 317, in run_setup
exec(code, locals())
~~~~^^^^^^^^^^^^^^^^
File "<string>", line 31, in <module>
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/__init__.py", line 117, in setup
return distutils.core.setup(**attrs)
~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/_distutils/core.py", line 148, in setup
_setup_distribution = dist = klass(attrs)
~~~~~^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 323, in __init__
_Distribution.__init__(self, dist_attrs)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/_distutils/dist.py", line 309, in __init__
self.finalize_options()
~~~~~~~~~~~~~~~~~~~~~^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 786, in finalize_options
ep(self)
~~^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools/dist.py", line 806, in _finalize_setup_keywords
ep.load()(self, ep.name, value)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
File "/workdir/instance-0/output-1/host/lib/python3.13/site-packages/setuptools_scm/_integration/setuptools.py", line 82, in version_keyword
assert isinstance(value, dict), "version_keyword expects a dict or True"
~~~~~~~~~~^^^^^^^^^^^^^
AssertionError: version_keyword expects a dict or True
ERROR Backend subprocess exited when trying to invoke get_requires_for_build_wheel
make: *** [package/pkg-generic.mk:273: /workdir/instance-0/output-1/build/python-remi-2022.7.27/.stamp_built] Error 1
make: Leaving directory '/workdir/instance-0/buildroot'
Since last release code has been corrected and now build end
successfully.
Another issue with remi is related to python CGI library no more available with
python 3.13. This patch also updates Config.in to add a select BR2_PACKAGE_PYTHON_LEGACY_CGI
This commit also updates the LICENSE file hash, because line ending
changed from "CR-LF" (Windows) in old release archive to "LF" (Unix)
in the github download. Apart from that, the content is the same.
Fixes:
- https://autobuild.buildroot.org/results/f0409533ebdc31e522f2ee2ea8a5acc11dbc7430/
- https://autobuild.buildroot.org/results/a16cf5105d4b726b5d4136a2d8f82abcfdc0faba/
- https://autobuild.buildroot.org/results/e7ac28e20ad92863d337e96c225463346ee6c690/
Signed-off-by: Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
[Julien:
- use "git describe --abbrev=40" format in _VERSION
- fix LICENSE hash
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 14ce0d2e6e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
python-glslang is a host-only package and the host-python3 dependency
was wrongly added as target dependency with buildroot commit
f9fe0cf8f6.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 27a38cbcad)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
- CVE-2025-48432: Internal HTTP response logging does not escape
request.path, which allows remote attackers to potentially manipulate
log output via crafted URLs. This may lead to log injection or forgery
when logs are viewed in terminals or processed by external systems.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-48432
For more details on the version bump, see the release notes:
- https://docs.djangoproject.com/en/5.1/releases/5.1.11/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Those security patches have been fetched from the debian patches for
this package version [1].
Fixes the following CVEs:
- CVE-2024-23337: an integer overflow arises when assigning value using
an index of 2147483647, the signed integer limit. This causes a denial
of service.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2024-23337
- de21386681
- CVE-2024-53427: decNumberCopy in decNumber.c does not properly
consider that NaN is interpreted as numeric, which has a resultant
stack-based buffer overflow and out-of-bounds write, as demonstrated
by use of --slurp with subtraction, such as a filter of .-. when the
input has a certain form of digit string with NaN (e.g., "1 NaN123"
immediately followed by many more digits).
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2024-53427
- a09a4dfd55
[1] https://udd.debian.org/patches.cgi?src=jq&version=1.7.1-6
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the package bump [1] the fluent-bit package started to fail
because of an update introduced in fluent-bit v3.2.7 (see [2]).
The following error appeared on the autobuilder in the LTS branch.
```
CMake Error at /home/buildroot/instance-0/output-1/host/share/cmake-3.31/Modules/CMakeTestCXXCompiler.cmake:73 (message):
The C++ compiler
"/bin/false"
is not able to compile a simple test program.
It fails with the following output:
Change Dir: '/home/buildroot/instance-0/output-1/build/fluent-bit-3.2.10/CMakeFiles/CMakeScratch/TryCompile-u4rLgc'
Run Build Command(s): /home/buildroot/instance-0/output-1/host/bin/ninja -v cmTC_71bbf
[1/2] /bin/false -o CMakeFiles/cmTC_71bbf.dir/testCXXCompiler.cxx.o -c /home/buildroot/instance-0/output-1/build/fluent-bit-3.2.10/CMakeFiles/CMakeScratch/TryCompile-u4rLgc/testCXXCompiler.cxx
FAILED: CMakeFiles/cmTC_71bbf.dir/testCXXCompiler.cxx.o
/bin/false -o CMakeFiles/cmTC_71bbf.dir/testCXXCompiler.cxx.o -c /home/buildroot/instance-0/output-1/build/fluent-bit-3.2.10/CMakeFiles/CMakeScratch/TryCompile-u4rLgc/testCXXCompiler.cxx
ninja: build stopped: subcommand failed.
CMake will not be able to correctly generate this project.
Call Stack (most recent call first):
lib/zstd-1.5.7/build/cmake/CMakeLists.txt:36 (project)
```
The commit [3] included two patches to fix the build error
for configs using toolchains without CXX.
Since the build error was already present on v3.2.10,
those patches actually fix the error for LTS version as well.
This patch pick them from the series to apply them on the LTS
branch.
[1] 8bc18fad29 package/fluent-bit: bump to 3.2.10
[2] 0ce59cecdc
[3] 8181727e23 package/fluent-bit: bump to 4.0.0
Fixes: https://autobuild.buildroot.org/results/4b0/4b0646e8fcc3f023ab0173ea8725f381e5055152/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit [1] removed mysql and replaced it by mariadb in all
packages, but did not propagated all dependencies.
This commit fixes the issue.
Fixes:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_MARIADB
Depends on [n]: BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && (BR2_TOOLCHAIN_HAS_ATOMIC [=n] || BR2_TOOLCHAIN_HAS_SYNC_8 [=n]) && BR2_USE_WCHAR [=y]
Selected by [y]:
- BR2_PACKAGE_DOVECOT_MYSQL [=y] && BR2_PACKAGE_DOVECOT [=y] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y]
[1] 8708f3a23a
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6967ed93b6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] "package/gstreamer1/gst1-plugins-bad: bump version
to 1.24.11" added new requirements for webrtc which selects the
sctp plugin, but forgot to propagate its dependencies. The sctp
plugin depends on BR2_TOOLCHAIN_HAS_SYNC_4.
This commit fixes this issue.
Fixes:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_SCTP
Depends on [n]: BR2_PACKAGE_GSTREAMER1 [=y] && BR2_PACKAGE_GST1_PLUGINS_BAD [=y] && BR2_TOOLCHAIN_HAS_SYNC_4 [=n]
Selected by [y]:
- BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_WEBRTC [=y] && BR2_PACKAGE_GSTREAMER1 [=y] && BR2_PACKAGE_GST1_PLUGINS_BAD [=y] && !BR2_STATIC_LIBS [=n]
[1] 90b3cfedf4
Cc: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e34a113b32)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following autobuild error on configs with host GCC15.
```
/workdir/instance-0/output-1/host/bin/ccache /usr/bin/gcc -O2 -DNDEBUG -Wall -Wstrict-prototypes -Wundef -Wmissing-declarations -Wmissing-prototypes -Wwrite-strings -fno-strict-aliasing -Werror=declaration-after-statement -fno-builtin -fno-common -Werror=return-type -Wno-unused-local-typedefs -DHAVE_STDINT_H=1 -DHAVE_DIRENT_H=1 -DHAVE_SYS_DIR_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_TIMES_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_LIBDL=1 -DGX_COLOR_INDEX_TYPE="unsigned long long" -D__USE_UNIX98=1 -DHAVE_SNPRINTF -O2 -I/workdir/instance-0/output-1/host/include -L/workdir/instance-0/output-1/host/lib -Wl,-rpath,/workdir/instance-0/output-1/host/lib -DNOCONTRIB -DHAVE_RESTRICT=1 -DHAVE_LIMITS_H=1 -DHAVE_STRING_H=1 -fno-strict-aliasing -O2 -I/workdir/instance-0/output-1/host/include -L/workdir/instance-0/output-1/host/lib -Wl,-rpath,/workdir/instance-0/output-1/host/lib -DHAVE_POPEN_PROTO=1 -I./base -o ./obj/aux/genconf ./base/genconf.c -lz
In file included from ./base/genconf.c:18:
./base/stdpre.h:348:13: error: 'bool' cannot be defined via 'typedef'
348 | typedef int bool;
| ^~~~
./base/stdpre.h:348:13: note: 'bool' is a keyword with '-std=c23' onwards
./base/stdpre.h:348:1: warning: useless type name in empty declaration
348 | typedef int bool;
| ^~~~~~~
```
This is due to the change in the default C language version in GCC15.
The patch included is not exactly the same as the upstream one, it only
picks the part that fix the `bool` definition and dropped the declaration
type changes.
Fixes: https://autobuild.buildroot.org/results/9c6/9c6cbff256635c6ab4be4c5b7bf18f9d3c4b46681
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fa45c47fcb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
go1.23.9 (released 2025-05-06) includes fixes to the runtime and the linker.
go1.23.10 (released 2025-06-05) includes security fixes to the net/http and
os packages, as well as bug fixes to the linker.
Fixes the following security vulnerabilities:
- CVE-2025-4673: net/http: sensitive headers not cleared on cross-origin
redirect
Proxy-Authorization and Proxy-Authenticate headers persisted on
cross-origin redirects potentially leaking sensitive information
- CVE-2025-0913: os: inconsistent handling of O_CREATE|O_EXCL on Unix and
Windows
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and
Windows systems when the target path was a dangling symlink. On Unix
systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks.
On Windows, when the target path was a symlink to a nonexistent location,
OpenFile would create a file in that location.
- CVE-2025-22874: crypto/x509: usage of ExtKeyUsageAny disables policy validation
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny
unintentionally disabled policy validation. This only affected
certificate chains which contain policy graphs, which are rather uncommon.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 00f0fca15a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following autobuild error that started appearing with host GCC15
configs.
```
/usr/bin/gcc -DHAVE_CONFIG_H -I. -I/workdir/instance-0/output-1/host/include -O2 -I/workdir/instance-0/output-1/host/include -c -o modules/arch/x86/x86arch.o modules/arch/x86/x86arch.c
In file included from modules/arch/x86/x86arch.h:30,
from modules/arch/x86/x86arch.c:31:
./libyasm/bitvect.h:86:32: error: cannot use keyword 'false' as enumeration constant
86 | typedef enum boolean { false = FALSE, true = TRUE } boolean;
| ^~~~~
./libyasm/bitvect.h:86:32: note: 'false' is a keyword with '-std=c23' onwards
```
This is due to the change in the default C language version in GCC15.
Fixes: https://autobuild.buildroot.org/results/d1d/d1d9a6e73c2ec278941dd90c6b07cce01b372feb/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit aa9ee17701)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
If external clang is available on the host system, the buildsystem tries
to use it. The result will be unpredictable. We can't use the version of
clang that is shipped with buildroot either, because it is too old. See:
https://code.qt.io/cgit/qt/qttools.git/tree/.cmake.conf?h=6.8.1. So we
disable clang support in qt6tools for now.
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit ac7f65d83e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The previous commit removed its only user. It was a blind option so no
legacy handling is needed.
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 1fad08d32f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since we don't need assistant, designer or linguist on target, and we
don't need assistant or designer on host, we unconditionally disable
these tools, to avoid build failures without inreasing the complexity of
the package.
Fixes target linguist build:
-- Could NOT find Qt6LinguistTools (missing: Qt6LinguistTools_DIR)
CMake Error at <...>/output/build/qt6base-6.8.1/cmake/QtToolHelpers.cmake:768 (message):
Failed to find the host tool "Qt6::lconvert". It is part of the
Qt6LinguistTools package, but the package could not be found. Make sure
you have built and installed the host Linguist module, which will ensure
the creation of the Qt6LinguistTools package.
Call Stack (most recent call first):
<...>/output/build/qt6base-6.8.1/cmake/QtToolHelpers.cmake:83 (qt_internal_find_tool)
src/linguist/lconvert/CMakeLists.txt:9 (qt_internal_add_tool)
The following defconfig triggers a target linguist build without
building the necessary lconvert host tool. See:
https://code.qt.io/cgit/qt/qttools.git/tree/src/linguist/CMakeLists.txt?h=6.8.1#n17
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_GUI=y
BR2_PACKAGE_QT6BASE_PNG=y
BR2_PACKAGE_QT6BASE_WIDGETS=y
BR2_PACKAGE_QT6TOOLS=y
Fixes target designer build:
CMake Error at <...>/output/build/qt6base-6.8.1/cmake/QtPublicWalkLibsHelpers.cmake:267 (message):
The Xml target is mentioned as a dependency for Designer, but not declared.
Call Stack (most recent call first):
<...>/output/build/qt6base-6.8.1/cmake/QtPrlHelpers.cmake:8 (__qt_internal_walk_libs)
<...>/output/build/qt6base-6.8.1/cmake/QtPrlHelpers.cmake:47 (qt_collect_libs)
<...>/buildroot/output/build/qt6base-6.8.1/cmake/QtModuleHelpers.cmake:1027 (qt_generate_prl_file)
<...>/buildroot/output/build/qt6base-6.8.1/cmake/QtScopeFinalizerHelpers.cmake:24:EVAL:1 (qt_finalize_module)
src/designer/src/lib/CMakeLists.txt:DEFERRED
The following defconfig triggers a target designer build, without
selecting the necessary xml qt6base option. See:
https://code.qt.io/cgit/qt/qttools.git/tree/configure.cmake?h=6.8.1#n64https://code.qt.io/cgit/qt/qttools.git/tree/src/designer/src/lib/CMakeLists.txt?h=6.8.1#n182
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_GUI=y
BR2_PACKAGE_QT6BASE_PNG=y
BR2_PACKAGE_QT6BASE_WIDGETS=y
BR2_PACKAGE_QT6TOOLS=y
Fixes target assistant build:
CMake Error at <...>/output/build/qt6base-6.8.1/cmake/QtToolHelpers.cmake:768 (message):
Failed to find the host tool "Qt6::qhelpgenerator". It is part of the
Qt6ToolsTools package, but the package did not contain the tool. Make sure
that the host module Tools was built with all features enabled (no
explicitly disabled tools).
Call Stack (most recent call first):
<...>/buildroot/output/build/qt6base-6.8.1/cmake/QtToolHelpers.cmake:83 (qt_internal_find_tool)
src/assistant/qhelpgenerator/CMakeLists.txt:9 (qt_internal_add_tool)
The following defconfig triggers a target assistant build, without
building the necessary qhelpgenerator host tool. See:
https://code.qt.io/cgit/qt/qttools.git/tree/configure.cmake?h=6.8.1#n45https://code.qt.io/cgit/qt/qttools.git/tree/src/assistant/CMakeLists.txt?h=6.8.1#n4https://code.qt.io/cgit/qt/qttools.git/tree/src/assistant/CMakeLists.txt?h=6.8.1#n21
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_GUI=y
BR2_PACKAGE_QT6BASE_PNG=y
BR2_PACKAGE_QT6BASE_PRINTSUPPORT=y
BR2_PACKAGE_QT6BASE_SQL=y
BR2_PACKAGE_QT6BASE_SQLITE=y
BR2_PACKAGE_QT6BASE_WIDGETS=y
BR2_PACKAGE_QT6TOOLS=y
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit bd255e9e9c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since version bump to 7.12 (upstream commit [1]) the openssl/mbedtls support
defines changed from MG_ENABLE_OPENSSL/MG_ENABLE_MBEDTLS to
MG_TLS=MG_TLS_OPENSSL and MG_TLS=MG_TLS_MBED.
[1] 0613cc62f4
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 77d6929804)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The aarch64 virt platform doesn't have any default VGA devices so we
don't need to configure them here.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b877b8379f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a patch that removes part of the logic that attempts to detect if
thumb is supported. This logic simply doesn't work at all in the
Buildroot context. In fact, thumb is supported on all 32-bit ARM on
which we can build qt5webengine.
Fixes:
WARNING: Thumb instruction set is required to build ffmpeg for QtWebEngine.
[...]
FAILED: obj/third_party/ffmpeg/ffmpeg_internal/vp8.o
[...] -c ../../3rdparty/chromium/third_party/ffmpeg/libavcodec/vp8.c -o obj/third_party/ffmpeg/ffmpeg_internal/vp8.o
{standard input}: Assembler messages:
{standard input}:1119: Error: bad instruction `ldrhcs r0,[ip],#2'
{standard input}:1156: Error: bad instruction `ldrhcs r9,[ip],#2'
{standard input}:1190: Error: bad instruction `ldrhcs lr,[ip],#2'
{standard input}:1253: Error: bad instruction `ldrhcs r9,[r7],#2'
[...]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Cc: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2b2120dc4a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Ideally we should update our version of qt5webengine-chromium first,
we're more than 600 commits behind on the stable branch from KDE.
However, this is a quick fix solution that allows us to build the
current state in Fedora 42.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c9ae932c94)
[thomas: rename patch from 0012-.. to 0011-..]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a patch that adds missing #include statements, which becomes an
error in GCC 15.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1495863b98)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1], the runtime test emulator infra is setting
the emulated system date to the host date.
While this is desired in general, this behaviour is introducing a
variability in the test execution. Depending if the test is executed
during winter or summer time, the output of the command "date +%Z"
will produce a different output.
This commit fixes the issue by setting a fixed date and time on the
emulated system. The date is fixed to Unix Epoch plus one hour. This
is because Linux cannot set the system date to a value less than the
system uptime. So we cannot set the time back to Unix Epoch with the
command "date -s @0" (this would result to a EINVAL Invalid argument).
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/9922589073https://gitlab.com/buildroot.org/buildroot/-/jobs/9922589081
[1] cf8641b73e
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0839545a9b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 4e95062f8 ("package/pkg-meson: use buildroot-build for build
directory") changed the build directory for meson packages to
'buildroot-build', so update the find invocation to match.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit c9355a3869)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 4e95062f8 ("package/pkg-meson: use buildroot-build for build directory")
changed the build directory for meson packages to 'buildroot-build'.
Thus accessing the build directory for installing the extra utils needs
to be adopted to this directory. Otherwise the install will fail when
BR2_PACKAGE_KMSXX_INSTALL_TESTS is enabled.
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 55979f081d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When the meson build directory was changed to buildroot-build in
4e95062f82 we forgot to update the
install path for the systemd-boot efi binary.
Fixes:
/usr/bin/install: cannot stat '/home/buildroot/buildroot/output/build/systemd-256.7/build/src/boot/efi/systemd-bootx64.efi': No such file or directory
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b6b96b7bdc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit d1757fdfb0, at-spi2-core
depends on !BR2_STATIC_LIBS, but this wasn't properly propagated to
reverse dependencies, so let's do this propagation now.
Fixes the following warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_AT_SPI2_CORE
Depends on [n]: BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y] && !BR2_STATIC_LIBS [=y]
Selected by [y]:
- BR2_PACKAGE_ATKMM [=y] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_7 [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y] && BR2_USE_WCHAR [=y]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a9bfc39660)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 8c9c1222b7 (package/uacme: bump version to 1.7.6) bumperd the
version to 1.7.6 which includes the patch we carried, so the patch was
dropped, but the corresponding autoreconf was not.
Do so now.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Nicola Di Lieto <nicola.dilieto@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2fb527fcf9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The esp-hosted package was introduced in [1] defining the variable
ESP_HOSTED_LICENSE_FILE (singular). The name should be
ESP_HOSTED_LICENSE_FILES (plural). This typo makes the license file
being ignored during a "make legal-info" which shows a warning at
the end:
WARNING: esp-hosted-9a2312b0b: cannot save license (ESP_HOSTED_LICENSE_FILES not defined)
Fixing the variable name also reveals the license file path was
incorrect. The "esp_hosted_ng/host/" directory prefix is missing.
Finally, setting the correct path shows the hash was wrong (it was
the hash of the Apache-2.0 [2] file, which corresponds to another
unused code portion). So the license file hash is also changed to
correspond to the correct GPL-2.0 license file.
This commit fixes all the needed esp-hosted legal-info.
[1] 7b2e5e6550
[2] https://github.com/espressif/esp-hosted/blob/release/ng-v1.0.4.0.0/LICENSES/Apache-2.0
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit bd9a6c2b36)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following CVEs:
- CVE-2025-3015: A vulnerability classified as critical has been found in
Open Asset Import Library Assimp 5.4.3. This affects the
function Assimp::ASEImporter::BuildUniqueRepresentation of
the file code/AssetLib/ASE/ASELoader.cpp of the component
ASE File Handler. The manipulation of the argument mIndices
leads to out-of-bounds read. It is possible to initiate the
attack remotely. The exploit has been disclosed to the
public and may be used.
See: https://www.cve.org/CVERecord?id=CVE-2025-3015
- CVE-2025-3016: A vulnerability classified as problematic was found in
Open Asset Import Library Assimp 5.4.3. This vulnerability
affects the function Assimp::MDLImporter::ParseTextureColorData
of the file code/AssetLib/MDL/MDLMaterialLoader.cpp of the
component MDL File Handler. The manipulation of the argument
mWidth/mHeight leads to resource consumption.
The attack can be initiated remotely
See: https://www.cve.org/CVERecord?id=CVE-2025-3016
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9d92c7e3ff)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following CVE:
- CVE-2025-48432: An issue was discovered in Django 5.2 before 5.2.2,
5.1 before 5.1.10, and 4.2 before 4.2.22.
Internal HTTP response logging does not escape request.path,
which allows remote attackers to potentially manipulate log
output via crafted URLs.
This may lead to log injection or forgery when logs are
viewed in terminals or processed by external systems.
See https://www.cve.org/CVERecord?id=CVE-2025-48432
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit introduces the silicon revision number configuration.
This value will be used by packages for specific configurations
(such as security firmware).
Signed-off-by: Juan Pablo MONTERO CASTRO <juanpablo.monterocastro@nxp.com>
[Julien: split original commit 1/3]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0645c83cd6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Django includes code from a couple of other projects, add their
respective license files and licenses to the django package.
./utils/scanpypi finds most of these. Additionally this was
cross-checked against debian's license list [1], not including some
things that no longer exist or no longer indicate separate licensing
upstream:
* django/contrib/admin/static/admin/fonts/
* django/utils/baseconv.py
* django/utils/ipv6.py
* django/utils/autoreload.py
Also not included are separate licensing for docs, which buildroot
doesn't package:
* docs/_theme/djangodocs/static/reset-fonts-grids.css
* docs/_theme/djangodocs/static/fontawesome/LICENSE.txt
[1] https://metadata.ftp-master.debian.org/changelogs//main/p/python-django/python-django_5.2-1_copyright
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Indent with single tab]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 15fdc8b0ca)
[Thomas: Changed the hash of
django/contrib/admin/static/admin/js/inlines.js to match 5.1.9
]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following CVE:
- CVE-2025-47287: When Tornado's ``multipart/form-data`` parser encounters
certain errors, it logs a warning but continues trying to
parse the remainder of the data. This allows remote
attackers to generate an extremely high volume of logs,
constituting a DoS attack.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-47287
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4c890bc46d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes a memory leaks that affects both binutils 2.43 and 2.44,
see https://www.cve.org/CVERecord?id=CVE-2025-3198
Fixes the following CVE:
- CVE-2025-3198: A vulnerability has been found in GNU Binutils 2.43/2.44
and classified as problematic. Affected by this
vulnerability is the function display_info of the file
binutils/bucomm.c of the component objdump.
The manipulation leads to memory leak.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4dc951f3ee)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The test_xen.py runtime test, introduced in [1] and improved in [2],
is calling a "stty raw" command, just after the emulated machine
login, to avoid double-cooking the consoles. This double-cooking
prevents the test controller to correctly get the command error codes.
Buildroot commit [3] "support/testing: set date in emulated machine"
introduced an invocation of the date command to set time on the
emulated machine, just after the login. The returned error code is also
checked. Since this commit [3], the test_xen runtime test is failing
while attempting to set the date. This is because it is invoked before
the test script executes this "stty raw" command.
The need of executing a command just after the login, and just
before we set the emulated machine date is very limited. It is almost
specific to this test. So, rather than changing the test
infrastructure, this commit simply moves this "stty raw" invocation
from the runtime test script to a custom /etc/profile.d/stty-raw.sh
file on target rootfs overlay, to do this call just at the login.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10000011350
[1] 055f82ebbd
[2] cd0ffd598c
[3] cf8641b73e
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Tested-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 04c9ecd788)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issues:
- CVE-2025-23166: Improper error handling in async cryptographic operations
crashes process
- CVE-2025-23165: Corrupted pointer in node::fs::ReadFileUtf8(const
FunctionCallbackInfo<Value>& args) when args[0] is a string
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
Update the license hash for the addition of zstd 1.5.6 (BSD-3-Clause):
f9f611fb58
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c84fcef123)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the bump of Samba to version 4.21.4 in commit
716461af94, <crypt.h> is needed, due to
upstream comit 0dccda38f27b3bbda5d2a4de588a333ff554651a. Since
<crypt.h> is no longer provided by glibc, a dependency on libxcrypt is
needed, to avoid the following build failure:
../../lib/util/util_crypt.c:5:10: fatal error: crypt.h: No such file or directory
5 | #include <crypt.h>
| ^~~~~~~~~
compilation terminated.
This has not been detected by the autobuilders, presumably because a
lot of glibc configurations end up having libxcrypt selected by other
packages, but the issue is reproducible by building:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_SAMBA4=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6c3f01fde1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
We currently check for unsafe paths right between adding our arguments,
and adding the one passed from the command line. This not very
consistent.
Unsafe paths can only come from the command line, as we are not adding
any of our own (hopefully, we know better!), so we can run the check as
early as possible.
Move the check very early, but not before we handle --help.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 53e1772682)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
With the recent addition in pkg-stats to detect stale ignore CVE
entries, the CVE-2021-42260 ignore CVE entry is reported as
stale. This is because TINYXML_VERSION is 2.6.2_2, and the CVE is
annotated as affecting versions up to and including 2.6.2.
But in fact, 2.6.2_2 is a special version from the Kodi community, but
it's close to the 2.6.2 release, and CVE-2021-42260 is not fixed in
it. To get meaningful results, let's tell our CVE checking logic that
the tinyxml version is 2.6.2 by setting TINYXML_CPE_ID_VERSION (we're
splitting on the _ and keeping the part before).
Because we're now setting TINYXML_CPE_ID_VERSION, we must drop
TINYXML_CPE_ID_VALID to avoid a check-package warning.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 677b24ebaf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Due to the "From:" in the commit log itself, this patch was not
applicable using git am:
$ git am 0001-Make-SoX-support-uclibc-based-toolchains.patch
Applying: Make SoX support uclibc-based toolchains
fatal: empty ident name (for <>) not allowed
Thanks to Arnout who found the issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit aea1dd9b20)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit b6871f9d93 ("package/sox:
security bump to latest git commit") forgot to annotate the ignore CVE
entries, so let's do this.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e3a15862fb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
All ignore CVE entries of the sox package are considered stale because
SOX_VERSION is a Git commit and therefore the version matching logic
doesn't do the right thing.
This commit sets SOX_CPE_ID_VERSION to 14.4.2, which is the closest
upstream version on which we are based: our Git commit is 14.4.2 plus
a number of commits that fix a large number of CVEs.
Thanks to this change, the ignore CVE entries are no longer stale.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9c482f525a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The ignore CVE entry was added because the vulnerability only affects
Windows. But it also only affected ripgrep versions < 13, and we're
using ripgrep 14.x now, so the CVE is anyway no longer relevant, and
the ignore CVE entry can be dropped.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 107e935e1c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The qt5base was reported to have 2 stale ignore CVE entries, one not
stale. Turns out that because the version is a Git commit hash, the
version comparaison did not make a lot of sense.
This commit adds QT5BASE_CPE_ID_VERSION, assigned to the closest
upstream version that we package (the Git repo we fetch is 5.15.14
plus a number of fixes). With this done, all 3 ignore CVE entries are
stale because the vulnerabilities have been fixed prior to 5.15.14.
In addition, setting QT5BASE_CPE_ID_VERSION allows to reduce the
number of CVEs affecting qt5base from 20 to 8.
Cc: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Cc: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Cc: Christian Hitz <christian.hitz@bbv.ch>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 381ff2bf69)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The 0001-snmp_agent-disallow-SET-with-NULL-varbind.patch patch has
been dropped as part of the bump from 5.9.3 to 5.9.4 in commit
1799cfebfd, which means 5.9.4 has the
security fix, and therefore the ignore CVE entry is no longer needed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4a3eab8341)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
CVE-2023-3603 has never affected any release, but NVD decided to
document it as affecting all versions up to 0.8.9. While this is
incorrect, we don't really care much, as we're now using 0.11 which
according to NVD is not affected, making our ignore CVE entry stale.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ae116161ac)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
We no longer have the patch fixing CVE-2022-3559 because we've updated
to a version of exim that includes it. However, the ignore CVE entry
is not stale because the NVD database is incorrect on this CVE. We
reported the issue to upstream NVD at:
https://lore.kernel.org/buildroot/20250517183423.07951665@windsurf/
Let's document this above the ignore CVE entry.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 114784cb7b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CVE-2022-3620 entry is not reported as affecting our exim package
by pkg-stats. Currently it's because the NVD entry is
incorrect (incorrect exim version), but we sent a bug report [1] to
the NVD database so that it gets updated. Once updated, pkg-stats
still won't report the CVE as affecting us because the issue has been
fixed in exim 4.97, and we're using a newer version.
[1] https://lore.kernel.org/buildroot/20250517183000.40b28b4d@windsurf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 463e21fdcb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The 0001-set-default-maximum-dns-udp-package-size.patch is no longer
in Buildroot since the bump to 2.90 in commit
213cfb3435, which renders the
CVE-2023-28450 ignore CVE entry no longer needed.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1799aa7eb4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
All of CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, CVE-2023-42366
were fixed by patches that we no longer have since we bumped
Busybox. Those IGNORE_CVES entries are therefore no longer needed.
The CVE-2022-28391 ignore CVE entry is also reported as stale, but we
believe the NVD database is incorrect in saying this vulnerability
only affects Busybox up to 1.35.0. Indeed, Busybox 1.37.0 still
doesn't have the fixes and is therefore still affected.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f88537c46b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
CVE-2020-15705 is only applicable to grub versions up to 2.04, and
we're using a more recent version, so it is no longer needed to ignore
it.
CVE-2021-46705 is only applicable to grub versions up to 2.06, and
we're using a more recent version, so it is no longer needed to ignore
it.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 06afaf5347)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The configure flag -feature-webengine-system-jpeg[1] checks if a jpeg
library is in the sysroot.
It compiles a test file linked against the symbols jpeg_crop_scanline()
and jpeg_skip_scanlines()[2] that are specific to jpep-turbo.
As a consequence, the configure scripts fails if the libjpeg is selected
as the jpeg variant as the symbols mentionend above are not part of the
jpeg library installed in the sysroots.
ERROR: Feature 'webengine-system-jpeg' was enabled, but the pre-condition 'config.unix && features.system-jpeg && libs.webengine-jpeglib' failed.
Additionally, see the log below, extracted from config.log:
> /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ -c -pipe -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g0 -D_FORTIFY_SOURCE=1 -mtune=arm1176jzf-s -march=armv6 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -w -fPIC -I. -I/home/gportay/src/buildroot/output/host/mkspecs/devices/linux-buildroot-g++ -o main.o main.cpp
> main.cpp: In function ‘int main(int, char**)’:
> main.cpp:12:5: error: ‘jpeg_crop_scanline’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 12 | jpeg_crop_scanline(nullptr, &dummy, &dummy);
> | ^~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> main.cpp:13:5: error: ‘jpeg_skip_scanlines’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 13 | jpeg_skip_scanlines(nullptr, dummy);
> | ^~~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> make[1]: *** [Makefile:334: main.o] Error 1
> make[1]: Leaving directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
We could build some complicated logic to make sure what qt5webengine is
only used with jpeg-turbo. However, Chromium bundles jpeg-turbo[3][4]
and uses it if not using the system jpeg library or qt-jpeg[5]. It is
simpler to just always use that version instead of the system jpeg
library.
This sets the configure option -nofeature-webengine-system-jpeg and
removes jpeg from the dependencies.
Note that host-libjpeg and qt-jpeg (and therefore, system libjpeg or
jpeg-turbo) are still needed for the Qt integration layer, even if
chromium uses the bundled jpeg-turbo.
[1]: https://github.com/qt/qtwebengine/blob/v5.15.14-lts/src/buildtools/configure.json#L609-L613
[2]: https://github.com/qt/qtwebengine/blob/v5.15.14-lts/src/buildtools/configure.json#L95-L116
[3]: 18c9261dc5/chromium/third_party/libjpeg_turbo
[4]: 18c9261dc5/chromium/third_party/libjpeg.gni
[5]: https://github.com/qt/qtwebengine/blob/v5.15.14-lts/src/buildtools/configure.json#L614-618
Fixes:
looking for library webengine-jpeglib
Trying source 0 (type pkgConfig) of library webengine-jpeglib ...
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --exists --silence-errors libjpeg
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --modversion libjpeg
> 9.6.0
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --libs-only-L libjpeg
> -L/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --libs-only-l libjpeg
> -ljpeg
+ PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/pkg-config --cflags libjpeg
> -I/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/include
+ cd /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib && PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/qmake "CONFIG -= qt debug_and_release app_bundle lib_bundle" "CONFIG += shared warn_off console single_arch" -early "CONFIG += cross_compile" 'QMAKE_USE += webengine-jpeglib' 'QMAKE_LIBS_WEBENGINE_JPEGLIB = -L/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -ljpeg' /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib
+ cd /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib && MAKEFLAGS= make
> make[1]: Entering directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
> /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ -c -pipe -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g0 -D_FORTIFY_SOURCE=1 -mtune=arm1176jzf-s -march=armv6 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -w -fPIC -I. -I/home/gportay/src/buildroot/output/host/mkspecs/devices/linux-buildroot-g++ -o main.o main.cpp
> main.cpp: In function ‘int main(int, char**)’:
> main.cpp:12:5: error: ‘jpeg_crop_scanline’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 12 | jpeg_crop_scanline(nullptr, &dummy, &dummy);
> | ^~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> main.cpp:13:5: error: ‘jpeg_skip_scanlines’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 13 | jpeg_skip_scanlines(nullptr, dummy);
> | ^~~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> make[1]: *** [Makefile:334: main.o] Error 1
> make[1]: Leaving directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
=> source failed verification.
Trying source 1 (type inline) of library webengine-jpeglib ...
+ cd /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib && PKG_CONFIG_SYSROOT_DIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot PKG_CONFIG_LIBDIR=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/share/pkgconfig:/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/arm-buildroot-linux-gnueabihf/pkgconfig /home/gportay/src/buildroot/output/host/bin/qmake "CONFIG -= qt debug_and_release app_bundle lib_bundle" "CONFIG += shared warn_off console single_arch" -early "CONFIG += cross_compile" 'QMAKE_USE += webengine-jpeglib' 'QMAKE_LIBS_WEBENGINE_JPEGLIB = -ljpeg' /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib
+ cd /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib && MAKEFLAGS= make clean && MAKEFLAGS= make
> make[1]: Entering directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
> rm -f main.o
> rm -f *~ core *.core
> make[1]: Leaving directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
> make[1]: Entering directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
> /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ -c -pipe -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g0 -D_FORTIFY_SOURCE=1 -mtune=arm1176jzf-s -march=armv6 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -w -fPIC -I. -I/home/gportay/src/buildroot/output/host/mkspecs/devices/linux-buildroot-g++ -o main.o main.cpp
> main.cpp: In function ‘int main(int, char**)’:
> main.cpp:12:5: error: ‘jpeg_crop_scanline’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 12 | jpeg_crop_scanline(nullptr, &dummy, &dummy);
> | ^~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> main.cpp:13:5: error: ‘jpeg_skip_scanlines’ was not declared in this scope; did you mean ‘jpeg_write_scanlines’?
> 13 | jpeg_skip_scanlines(nullptr, dummy);
> | ^~~~~~~~~~~~~~~~~~~
> | jpeg_write_scanlines
> make[1]: *** [Makefile:334: main.o] Error 1
> make[1]: Leaving directory '/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/config.tests/webengine-jpeglib'
=> source failed verification.
test config.qtwebengine_buildtools.libraries.webengine-jpeglib FAILED
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
[Arnout: always use the bundled jpeg-turbo]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 3271ce10f2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For portability reason, it isn't preferable to include an absolute path
in the link to fw_printenv which is in the same directory as fw_setenv.
Fixes: 42646265d5 ("package/uboot-tools: add fw_printenv to host uboot tools")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0b02091235)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
https://autobuild.buildroot.net/results/924b1015d4b81385409ef00f1a14be3ca1959c8e/
As part of building flex for the target a few files are built for the host,
including a rpl_malloc() implementation containing a malloc() forward
declaration without any function parameters.
GCC 15 defaults to -std=gnu23, which handles function declarations without
parameters differently from earlier C standards leading to compilation
errors:
../lib/malloc.c:6:12: warning: conflicting types for built-in function 'malloc'; expected 'void *(long unsigned int)' [-Wbuiltin-declaration-mismatch]
6 | void *malloc ();
| ^~~~~~
../lib/malloc.c:5:1: note: 'malloc' is declared in header '<stdlib.h>'
4 | #include <sys/types.h>
+++ |+#include <stdlib.h>
5 |
../lib/malloc.c: In function 'rpl_malloc':
../lib/malloc.c:16:15: error: too many arguments to function 'malloc'; expected 0, have 1
https://gcc.gnu.org/gcc-15/porting_to.html#c23-fn-decls-without-parameters
Add a patch submitted upstream to correct the prototype.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7b98e2ce2c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
It allows to download files from smb share in buildroot packages.
Usage is specified in manual.
Signed-off-by: Guillaume Chaye <guillaume.chaye@zeetim.com>
[Peter: reword documentation]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit e240b889f1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The NVD database contains some CPEs that are wrongly not associated
with any version number. They are for example sometimes associated
with very old CVEs.
Those CPEs are annoying, because they pollute our pkg-stat CVE results
with CVE entries which actually don't affect us.
The proper way to solve it is, and should remain, to fix the NVD
database by reporting these issues. Having to deal with a lot of
CVEs/CPEs, the NVD database is however slow to be updated.
To reduce the noise in our pkg-stats results in the meantime, one
possibility is to add <PKG_IGNORE_CVES> entries for those CVEs. This
however comes with the downside that even once the NVD database gets
fixed, those ignored entries risk remaining in Buildroot forever
because they are undetected.
This commit tries to address this downside by checking for and
reporting CVEs that are ignored in Buildroot, but where the
NVD reports our package version as unaffected. Those CVEs will appear
in the 'CVEs Ignored' column as '(stale)', and the cell will be
colored the same way warnings are. This should allow us to detect and
remove those entries.
It can be tested for example by adding the following variable to the
apache package (for a CVE that was recently fixed in the NVD database):
APACHE_IGNORE_CVES = CVE-1999-0236
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 56ea5a0226)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building the bluez5_utils package with HoG plugin without enabling
the HID plugin the following linker error would occur:
```
/workdir/instance-0/output-1/per-package/bluez5_utils/host/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/13.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: profiles/input/bluetoothd-hog.o: in function `hog_disconnect':
hog.c:(.text.hog_disconnect+0x12): undefined reference to `input_get_userspace_hid'
collect2: error: ld returned 1 exit status
```
This patch adds two upstream commits that decouple both the HID
and the HoG plugin.
As a consequence of this patch the HID plugin can be compiled without
the HoG one as well but to keep the compatibility the same in buildroot
the selection of the HoG plugin is kept when selecting the HID plugin.
The error can be reproduced with the following defconfig
```
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_BLUEZ5_UTILS=y
BR2_PACKAGE_BLUEZ5_UTILS_PLUGINS_HOG=y
```
Fixes: https://autobuild.buildroot.org/results/78e/78ed7664f3a2dd5858fd71bd63836c822c106cc0
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 57eb26837b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The package opus is selected but it is not listed in the dependencies.
This adds opus to QT5WEBENGINE_DEPENDENCIES.
Fixes:
$ make qt5webengine
(...)
ERROR: Feature 'webengine-system-opus' was enabled, but the pre-condition 'config.unix && libs.webengine-opus' failed.
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 7319e4af19)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
TL;DR; This turns the configure flag -no-feature-webengine-noexecstack
to -feature-webengine-noexecstack to workaround a link issue on ARM
32-bit if chromium requests for an executable stack.
And now, the long story...
The configure flag -no-feature-webengine-noexecstack was introduced with
commit 675cbaf9aa (package/qt5/qt5webengine: bump to version 5.15.8).
That configure flag controls the feature webengine-noexecstack[1][2];
the -no-feature-webengine-noexecstack causes qmake to **NOT** append the
linker flags -Wl,-z,noexecstack[3] to QMAKE_LFLAGS.
It results in the linkage issue below on ARM 32-bit at the creation of
its Qt module, i.e. after qmake has built the chromium third party via
gn:
ulimit -n 4096 && /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot @/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/QtWebEngineCore_o.rsp -Wl,--start-group @/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/QtWebEngineCore_a.rsp -Wl,--end-group -Wl,--fatal-warnings -Wl,--build-id=sha1 -fPIC -Wl,-z,relro -Wl,-z,now -Wl,-z,defs -Wl,-O2 -Wl,--gc-sections --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -Wl,-O1 -Wl,--enable-new-dtags -Wl,-whole-archive -lqtwebenginecoreapi -Wl,-no-whole-archive -Wl,--no-undefined -Wl,--version-script,QtWebEngineCore.version -Wl,-O1 -Wl,--enable-new-dtags -shared -Wl,-soname,libQt5WebEngineCore.so.5 -o libQt5WebEngineCore.so.5.15.14 -latomic /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Quick.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Gui.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5QmlModels.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5WebChannel.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Qml.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Network.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Core.so -lpthread -L/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -latomic -lGLESv2 -lpthread -ldl -lrt -lnss3 -lnssutil3 -lsmime3 -lplds4 -lplc4 -lnspr4 -levent -lresolv -ljpeg -lopus -lm -lz -lvpx -lpng16 -lwebp -lwebpmux -lwebpdemux -lfreetype -lexpat -lfontconfig -lharfbuzz-subset -lharfbuzz -lsnappy -lxml2 -lxslt -ldbus-1 -L/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/api/release -lGLESv2 -lrt -lpthread -ldl
/home/gportay/src/buildroot/output/host/lib/gcc/arm-buildroot-linux-gnueabihf/13.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: warning: /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o: missing .note.GNU-stack section implies executable stack
/home/gportay/src/buildroot/output/host/lib/gcc/arm-buildroot-linux-gnueabihf/13.3.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker
collect2: error: ld returned 1 exit status
The link succeeds if the missing linker flags are appended manually to
the command-line:
ulimit -n 4096 && /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-g++ --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot @/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/QtWebEngineCore_o.rsp -Wl,--start-group @/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/QtWebEngineCore_a.rsp -Wl,--end-group -Wl,--fatal-warnings -Wl,--build-id=sha1 -fPIC -Wl,-z,relro -Wl,-z,now -Wl,-z,defs -Wl,-O2 -Wl,--gc-sections --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -Wl,-O1 -Wl,--enable-new-dtags -Wl,-whole-archive -lqtwebenginecoreapi -Wl,-no-whole-archive -Wl,--no-undefined -Wl,--version-script,QtWebEngineCore.version -Wl,-O1 -Wl,--enable-new-dtags -shared -Wl,-soname,libQt5WebEngineCore.so.5 -o libQt5WebEngineCore.so.5.15.14 -latomic /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Quick.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Gui.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5QmlModels.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5WebChannel.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Qml.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Network.so /home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib/libQt5Core.so -lpthread -L/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot/usr/lib -latomic -lGLESv2 -lpthread -ldl -lrt -lnss3 -lnssutil3 -lsmime3 -lplds4 -lplc4 -lnspr4 -levent -lresolv -ljpeg -lopus -lvpx -lm -lpng16 -lwebp -lwebpmux -lwebpdemux -lfreetype -lexpat -lfontconfig -lharfbuzz-subset -lharfbuzz -lsnappy -lxml2 -lxslt -ldbus-1 -L/home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/api/release -lGLESv2 -lrt -lpthread -ldl -Wl,-z,noexecstack && echo completed
completed
Note: The configure flag is not forwarded to chromium in any manner; its
scope is limited to the Qt WebEngine module. That configure flag appears
to be a workaround if the does not assemble, compile and link the Elf
object correctly[4][5].
The linker flag -z noexecstack is responsible for marking the object as
not requiring an executable stack by adding the section .note.GNU-stack
in the Elf object.
The file SaveRegisters_arm.S is assembled from the command-line below;
there is no noexecstack flag set:
/home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-gcc -MMD -MF obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o.d -DARM=1 -DUSE_UDEV -DUSE_AURA=1 -DUSE_NSS_CERTS=1 -DUSE_OZONE=1 -DOFFICIAL_BUILD -DTOOLKIT_QT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DNO_UNWIND_TABLES -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -DCR_SYSROOT_HASH=c2e54f675b83a61301dcdb22e8e7a2b85c01d58c -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -Igen -I../../3rdparty/chromium -fPIC -fno-strict-aliasing --param=ssp-buffer-size=4 -fstack-protector -fno-unwind-tables -fno-asynchronous-unwind-tables -fPIC -pipe -pthread -std=gnu11 -march=armv7-a -mfloat-abi=hard -mtune=generic-armv7-a -mfpu=vfpv3-d16 -marm -g0 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -c ../../3rdparty/chromium/third_party/blink/renderer/platform/heap/asm/SaveRegisters_arm.S -o obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o
The GNU assembler supports the assembler flag -Wa,--{,no}execstack to
require, or not, an executable stack for the object to assemble.
The BUILD.gn does **NOT** set it for the assembler files of the blink
third-party; but it does it for boringssl[6] (see also the project file
CMakeLists.txt[7]).
See below what readelf says if the file is assembled manually with the
flag --noexecstack:
$ /home/gportay/src/buildroot/output/host/bin/arm-buildroot-linux-gnueabihf-gcc -MMD -MF obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o.d -DARM=1 -DUSE_UDEV -DUSE_AURA=1 -DUSE_NSS_CERTS=1 -DUSE_OZONE=1 -DOFFICIAL_BUILD -DTOOLKIT_QT -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DNO_UNWIND_TABLES -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -DCR_SYSROOT_HASH=c2e54f675b83a61301dcdb22e8e7a2b85c01d58c -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -Igen -I../../3rdparty/chromium -fPIC -fno-strict-aliasing --param=ssp-buffer-size=4 -fstack-protector -fno-unwind-tables -fno-asynchronous-unwind-tables -fPIC -pipe -pthread -std=gnu11 -march=armv7-a -mfloat-abi=hard -mtune=generic-armv7-a -mfpu=vfpv3-d16 -marm -g0 --sysroot=/home/gportay/src/buildroot/output/host/arm-buildroot-linux-gnueabihf/sysroot -c ../../3rdparty/chromium/third_party/blink/renderer/platform/heap/asm/SaveRegisters_arm.S -o obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o -Wa,--noexecstack
$ readelf -a /home/gportay/src/buildroot/output/build/qt5webengine-5.15.14/src/core/release/obj/third_party/blink/renderer/platform/heap/asm/asm/SaveRegisters_arm.o
(...)
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
(...)
[ 4] .note.GNU-stack PROGBITS 00000000 000058 000000 00 0 0 1
The section the linker claims for is now part of the Elf object; and
qmake is now able to link its Qt WebEngine module.
Note: Alternatively, the patching the file SaveRegisters_arm.S to set
explicitly the section in the source file works as well (this reduces
the impact to the very single file causing the link issue):
#if defined(__linux__) && defined(__ELF__)
.section .note.GNU-stack,"",%progbits
#endif
Instead of fixing directly the origin of the issue and setting the
missing assembler flag -Wa,--noexecstack to blink; this works around the
link issue by turning on the feature noexecstack to qtwebengine to force
qmake to link its module using the linker flag -Wl,-z,noexecstack.
[1]: https://github.com/qt/qtwebengine/blob/5.15.14/src/buildtools/configure.json#L353-L357
[2]: https://github.com/qt/qtwebengine/blob/5.15.14/src/buildtools/configure.json#L720-L724
[3]: https://github.com/qt/qtwebengine/blob/5.15.14/src/buildtools/config/linking.pri#L61-L62
[4]: 597359a16a
[5]: https://codereview.qt-project.org/c/qt/qtwebengine/+/263545
[6]: https://github.com/qt/qtwebengine-chromium/blob/87-based/chromium/third_party/boringssl/src/util/BUILD.toplevel#L64
[7]: https://github.com/qt/qtwebengine-chromium/blob/87-based/chromium/third_party/boringssl/src/crypto/CMakeLists.txt#L33
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit aa017484ea)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the code snippet below, which typically is used to check if
C++ support can be enabled.
If we manually set CMAKE_CXX_COMPILER to /bin/false, then cmake
will assume that it's fine, without having a real check. Otherwise,
it will do a test run but somehow it falls back to /bin/c++, even
when cross-compiling. Fix that by setting CXX to /bin/false.
```cmake
include(CheckLanguage)
check_language(CXX)
if(CMAKE_CXX_COMPILER)
enable_language(CXX)
endif()
```
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit b34e0d27ab)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This updates the VC4/V3D driver messages with the addition of the
current supported hardwares (VideoCore and Raspberry Pi).
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 15cfdf4915)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The Gallium VC4 driver does not require NEON[1]; Gallium V3D does. Also,
the Gallium VC4 driver supports the Raspberry Pi from 0 to 3[2].
Mesa’s VC4 graphics driver supports multiple implementations of
Broadcom’s VideoCore IV GPU. It is notably used in the Raspberry
Pi 0 through Raspberry Pi 3 hardware, and the driver is included
as an option as of the 2016-02-09 Raspbian release using
raspi-config. On most other distributions such as Debian or
Fedora, you need no configuration to enable the driver.
This reverts commit a5cdb54ed7.
That commit is superseded by 85c95e3614
that patches the sources to disable NEON via an option[3]; the sources
using NEON (tiling) are disabled if the CPU does not have that feature.
Thus, the VC4 driver compiles with toolchain without the NEON support
enabled as the one targetting the Raspberry Pi (ARMv6).
This removes the depends on BR2_ARM_CPU_HAS_NEON config since a meson
option disables NEON if the CPU does not support for it. It allows
building Gallium VC4 on Raspberry Pi, Raspberry Pi Zero and Compute
Module.
Note: kmscube with OpenGLES and Gallium/VC4 runs on Raspberry Pi B+ Rev
1.2.
# uname -a
Linux buildroot 6.12.20 #1 Fri Apr 25 02:54:03 CEST 2025 armv6l GNU/Linux
# cat /sys/firmware/devicetree/base/model
Raspberry Pi Model B Plus Rev 1.2#
# dmesg
(...)
[ 39.817806] rpi-gpiomem 20200000.gpiomem: window base 0x20200000 size 0x00001000
[ 39.837139] rpi-gpiomem 20200000.gpiomem: initialised 1 regions as /dev/gpiomem
[ 40.693845] Console: switching to colour dummy device 80x30
[ 40.717223] vc4-drm soc:gpu: bound 20400000.hvs (ops vc4_hvs_ops [vc4])
[ 40.793911] vc4-drm soc:gpu: bound 20400000.hvs (ops vc4_hvs_ops [vc4])
[ 40.824330] Registered IR keymap rc-cec
[ 40.828596] rc rc0: vc4-hdmi as /devices/platform/soc/20902000.hdmi/rc/rc0
[ 40.844139] input: vc4-hdmi as /devices/platform/soc/20902000.hdmi/rc/rc0/input0
[ 40.873434] input: vc4-hdmi HDMI Jack as /devices/platform/soc/20902000.hdmi/sound/card0/input1
[ 40.895848] vc4-drm soc:gpu: bound 20902000.hdmi (ops vc4_hdmi_ops [vc4])
[ 40.914034] vc4-drm soc:gpu: bound 20004000.txp (ops vc4_txp_ops [vc4])
[ 40.921843] vc4-drm soc:gpu: bound 20206000.pixelvalve (ops vc4_crtc_ops [vc4])
[ 40.943543] vc4-drm soc:gpu: bound 20207000.pixelvalve (ops vc4_crtc_ops [vc4])
[ 40.951969] vc4-drm soc:gpu: bound 20807000.pixelvalve (ops vc4_crtc_ops [vc4])
[ 40.983322] vc4-drm soc:gpu: bound 20c00000.v3d (ops vc4_v3d_ops [vc4])
[ 41.010210] [drm] Initialized vc4 0.0.0 for soc:gpu on minor 0
[ 41.151906] Console: switching to colour frame buffer device 240x67
[ 41.223414] vc4-drm soc:gpu: [drm] fb0: vc4drmfb frame buffer device
# kmscube
Using display 0x1f12530 with EGL version 1.4
===================================
EGL information:
version: "1.4"
vendor: "Mesa Project"
client extensions: "EGL_EXT_client_extensions EGL_EXT_device_base EGL_EXT_device_enumeration EGL_EXT_device_query EGL_EXT_platform_base EGL_KHR_client_get_all_proc_addresses EGL_KHR_debug EGL_EXT_platform_device EGL_EXT_explicit_device EGL_MESA_platform_gbm EGL_KHR_platform_gbm EGL_MESA_platform_surfaceless"
display extensions: "EGL_ANDROID_blob_cache EGL_ANDROID_native_fence_sync EGL_EXT_buffer_age EGL_EXT_image_dma_buf_import EGL_EXT_image_dma_buf_import_modifiers EGL_KHR_cl_event2 EGL_KHR_config_attribs EGL_KHR_context_flush_control EGL_KHR_create_context EGL_KHR_create_context_no_error EGL_KHR_fence_sync EGL_KHR_get_all_proc_addresses EGL_KHR_gl_colorspace EGL_KHR_gl_renderbuffer_image EGL_KHR_gl_texture_2D_image EGL_KHR_gl_texture_cubemap_image EGL_KHR_image EGL_KHR_image_base EGL_KHR_image_pixmap EGL_KHR_no_config_context EGL_KHR_reusable_sync EGL_KHR_surfaceless_context EGL_EXT_pixel_format_float EGL_KHR_wait_sync EGL_MESA_configless_context EGL_MESA_drm_image EGL_MESA_gl_interop EGL_MESA_image_dma_buf_export EGL_MESA_query_driver "
===================================
OpenGL ES 2.x information:
version: "OpenGL ES 2.0 Mesa 24.0.9"
shading language version: "OpenGL ES GLSL ES 1.0.16"
vendor: "Broadcom"
renderer: "VC4 V3D 2.1"
extensions: "GL_EXT_blend_minmax GL_EXT_multi_draw_arrays GL_EXT_texture_compression_s3tc GL_EXT_texture_compression_dxt1 GL_EXT_texture_format_BGRA8888 GL_OES_compressed_ETC1_RGB8_texture GL_OES_depth24 GL_OES_element_index_uint GL_OES_fbo_render_mipmap GL_OES_mapbuffer GL_OES_rgb8_rgba8 GL_OES_stencil8 GL_OES_texture_npot GL_OES_vertex_half_float GL_OES_EGL_image GL_OES_depth_texture GL_AMD_performance_monitor GL_OES_packed_depth_stencil GL_OES_get_program_binary GL_APPLE_texture_max_level GL_EXT_discard_framebuffer GL_EXT_read_format_bgra GL_NV_pack_subimage GL_NV_texture_barrier GL_EXT_frag_depth GL_NV_fbo_color_attachments GL_OES_EGL_image_external GL_OES_EGL_sync GL_OES_vertex_array_object GL_ANGLE_pack_reverse_row_order GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_EXT_unpack_subimage GL_NV_draw_buffers GL_NV_read_buffer GL_NV_read_depth GL_NV_read_depth_stencil GL_NV_read_stencil GL_APPLE_sync GL_EXT_draw_buffers GL_EXT_map_buffer_range GL_KHR_debug GL_KHR_texture_compression_astc_ldr GL_NV_generate_mipmap_sRGB GL_NV_pixel_buffer_object GL_OES_required_internalformat GL_OES_surfaceless_context GL_EXT_debug_label GL_EXT_separate_shader_objects GL_EXT_compressed_ETC1_RGB8_sub_texture GL_EXT_draw_elements_base_vertex GL_EXT_texture_border_clamp GL_KHR_context_flush_control GL_OES_draw_elements_base_vertex GL_OES_texture_border_clamp GL_KHR_no_error GL_KHR_texture_compression_astc_sliced_3d GL_EXT_texture_compression_s3tc_srgb GL_KHR_parallel_shader_compile GL_MESA_tile_raster_order GL_MESA_sampler_objects GL_MESA_bgra "
===================================
Rendered 120 frames in 2.000020 sec (59.999400 fps)
[1]: 932ed9c00b
[2]: https://docs.mesa3d.org/drivers/vc4.html
[3]: https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/4114
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3f1f404b5c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit [1] introduced the firmware-ele-imx package and was
using the "mx93a1-ahab-container.img" firmware image for i.MX91.
For i.MX91, it is in fact the firmware file "mx91a0-ahab-container.img"
which needs to be used.
This commit adds this special case.
[1] 69d127fe29
Signed-off-by: Juan Pablo MONTERO CASTRO <juanpablo.monterocastro@nxp.com>
[Julien: split original commit 2/3]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1ce2484a8b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit [1] "package/binutils: make 2.43 the default version",
the freescale_t1040d4rdb_defconfig fails to build the Linux
kernel, with the error:
arch/powerpc/boot/util.S: Assembler messages:
arch/powerpc/boot/util.S:49: Error: junk at end of line, first unrecognized character is `0'
arch/powerpc/boot/util.S:54: Error: syntax error; found `b', expected `,'
arch/powerpc/boot/util.S:54: Error: junk at end of line: `b'
This commit fixes the issue by updating the Linux kernel to the latest
LTS version.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/9967089767
[1] 360fd01de2
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6ad8090920)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The last usage of each_product() was removed in commit
52ae092046 ("support/scripts/cve.py: use
the JSON data in 1.1 schema").
Since it's now unused, remove it.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d0a7a46813)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the bump of rpm from 4.17.0 to 4.18.0 in Buildroot commit
4b4046e919, tools/rpmuncompress.c uses
basename() without including <libgen.h> which causes a build failure
with the musl C library:
tools/rpmuncompress.c: In function ‘doUntar’:
tools/rpmuncompress.c:100:30: error: implicit declaration of function ‘basename’ [-Wimplicit-function-declaration]
100 | const char *bn = basename(fn);
| ^~~~~~~~
tools/rpmuncompress.c:100:30: error: initialization of ‘const char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
make[4]: *** [Makefile:1082: tools/rpmuncompress.o] Error 1
This issue was not found by the autobuilders, but it can be reproduced
with:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_BLEEDING_EDGE=y
BR2_PACKAGE_LUA=y
BR2_PACKAGE_RPM=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 745aa4d060)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
GCC 14.x brought some more strict checks on pointer types, causing a
build issue in the rpm package when python support is enabled. These
issues have been fixed upstream, initially because Clang >= 16 also
added similar stricter checks.
The build issue goes like this:
header-py.c:744:9: error: initialization of 'Py_hash_t (*)(PyObject *)' {aka 'int (*)(struct _object *)'} from incompatible pointer type 'long int (*)(PyObject *)' {aka 'long int (*)(struct _object *)'} [-Wincompatible-pointer-types]
744 | hdr_hash, /* tp_hash */
| ^~~~~~~~
header-py.c:744:9: note: (near initialization for 'hdr_Type.tp_hash')
make[3]: *** [Makefile:664: header-py.lo] Error 1
make[3]: *** Waiting for unfinished jobs....
It never happened in the autobuilders, but it can be reproduced with
the following configuration:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LUA=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_RPM=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 67e10ac898)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
If an attempt is made to create a UBI volume and it already exists, the
operation fails. Therefore, before requesting the creation of a UBI
volume, we erase the entire NAND to ensure that no errors occur.
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 97ac89eb11)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The V4L2 code in the ffmpeg plugin uses V4L2_PIX_FMT_BGRA32 which was
only introduced in kernel headers 5.2, in upstream kernel commit
e25ec9141114c7124eeba09385e272dd76fbe617.
Fixes:
/home/thomas/buildroot/buildroot/outputs/qt/build/qt6multimedia-6.8.1/src/plugins/multimedia/ffmpeg/qv4l2camera.cpp:36:43: error: ‘V4L2_PIX_FMT_BGRA
32’ was not declared in this scope; did you mean ‘V4L2_PIX_FMT_BGR32’?
36 | { QVideoFrameFormat::Format_BGRA8888, V4L2_PIX_FMT_BGRA32 },
| ^~~~~~~~~~~~~~~~~~~
| V4L2_PIX_FMT_BGR32
when building:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_XCB=y
BR2_PACKAGE_QT6MULTIMEDIA=y
BR2_PACKAGE_QT6MULTIMEDIA_FFMPEG=y
BR2_PACKAGE_XORG7=y
at a time when the Bootlin stable toolchain was using Linux 4.19
headers.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit fe783b16b3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The following defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_XCB=y
BR2_PACKAGE_QT6MULTIMEDIA=y
BR2_PACKAGE_QT6MULTIMEDIA_FFMPEG=y
BR2_PACKAGE_XORG7=y
would fail to build, due to <X11/extensions/Xext.h> being not found,
and then <X11/extensions/Xrandr.h> being not found. Fix that up by
introducing the necessary dependencies.
There are no build failures reported for qt6multimedia in the
autobuilders, so there is no reference to a build failure.
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 04d1ee0105)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
ERROR: Feature "xcb": Forcing to "ON" breaks its condition:
QT_FEATURE_thread AND TARGET XCB::XCB AND TEST_xcb_syslibs AND QT_FEATURE_xkbcommon_x11
Condition values dump:
QT_FEATURE_thread = "ON"
TARGET XCB::XCB found
TEST_xcb_syslibs = "FALSE"
QT_FEATURE_xkbcommon_x11 not evaluated
The xcb feature is defined in [2].
According to [1] XCB::CURSOR is needed for xcb support.
[1] https://code.qt.io/cgit/qt/qtbase.git/tree/src/gui/configure.cmake?h=6.9.0#n522
[2] https://code.qt.io/cgit/qt/qtbase.git/tree/src/gui/configure.cmake?h=6.9.0#n1016
This bug was introduced in e634be8906,
and fixes the build with the following defconfig:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_ARMV7_EABIHF_MUSL_STABLE=y
BR2_PACKAGE_QT6=y
BR2_PACKAGE_QT6BASE_GUI=y
BR2_PACKAGE_QT6BASE_XCB=y
BR2_PACKAGE_XORG7=y
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit adff0d37ba)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot packaging pretty much assumes that the sources it downloads
are publicly available. In general, however, Buildroot is also used to
download sources from private repositories. Nowadays, that mostly means
from a github or gitlab instance.
Although git-over-ssh can be used for that, this poses a problem for CI,
because the CI runners integrated with github and gitlab only have
access to the repository itself, not to other private repositories. And
creating ssh key pairs for CI runners is tricky.
Therefore, document how standard tools can be used to make private
repositories available both to developers and to CI. There are quite a
few alternative approaches possible, but they're more complicated or
less generically applicable.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
[Peter: Fix insteadOf example, capitalize SSH/HTTPS]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1026abbcf9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixup S20audit to pass shellcheck -oall and check-package. The file now
closely resembles package/busybox/S01syslogd.
Tested with qemu_x86_64_defconfig. start, stop, restart, reload, and rotate
all work with busybox ash shell.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
[Arnout: remove it from .checkpackageignore]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit cbabeb5077)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The new version bundles an updated gnulib that includes support for
-std=c23 which is the default for gcc 15.
Signed-off-by: Vincent Fazio <vfazio@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit d9aabc1af3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 7dd56b6cd9 ("boot/grub2/readme.txt: don't specify /dev/loop0")
changed the description of the loopback mounting to use losetup -f <img>,
but forgot to add the --show option, causing losetup to not print the
loopback device name.
Fix that by adding the --show option.
Signed-off-by: Cherniaev Andrei <dungeonlords789@naver.com>
[Peter: Reword commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a480ae9ffe)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Currently, list-defconfigs only lists the defconfigs that live
live in the top-level configs/ directory. For the in-tree defconfigs
this is indeed the case, but it is possible to manage the configs in a
br2-external tree with sub-directories.
A few examples:
- for a given board, a first defconfig is the full system, and a
second is the rescue system;
- for a given board, two defconfigs implement an A/B feature set;
- a set of configurations targetting various famillies of systems each
running on different hardware, sorted per familly.
Extend list-defconfigs to look for and report defconfigs in
sub-directories of the top-level configs/.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 5009fd2436)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Note: this test was not working in Buildroot test infrastructure
before commit [1] was merged, because dieharder has the string "# "
in its output.
[1] 0cad947b96
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit e9498b4faa)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
PYTHON_FOO_BUILD_OPTS are passed to the build module call of the package
build, this allows passing options to the python build *backend* by
using the --config-setting= option. setup.py is no longer involved since
even the setuptools backend now used the pep517 build method.
The note about the options being passed to
support/scripts/pyinstaller.py seems to be no longer accurate.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Arnout: also mention -C (suggested by James)]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit b15cd1d8fe)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
While in theory, the fastapi tests finds problems with the pydantic
package, it's not obvious that this test should be run when the pydantic
package is updated.
Add a new test that just covers pydantic.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 45321879e1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
than the amount of remaining packet data in the current state of
parsing. As a result, values of stack memory locations may be sent
over the network in a response.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-32366
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a8cfe9986c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the board flashing by adding the bootloader, which I had mistakenly
forgotten to include in the script.
Fixes: 322e8d8451 ("configs/imx6ulz_bsh_smm_m2_defconfig: new defconfig")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a7ea1e658d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-32743
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
[Julien: add link to cve]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6c4da559cc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Release notes:
- ver 1.44:
* Fix issue with handling oFono context integration.
* Fix issue with handling web context for online detection.
* Fix issue with handling flags used when deleting routes.
* Fix issue with handling PAC proxy integration.
- ver 1.43:
* Fix issue with device creation when using LTE.
* Fix issue with regulatory domain when powering up.
* Fix issue with resolving ISO3166 code from timezone data.
* Fix issue with handling DNS proxy zero termination of buffers.
* Fix issue with handling DHCP packet length in L3 mode.
* Fix issue with handling DHCP upper length checks.
* Fix issue with handling IPv6 and URL parsing.
* Fix issue with handling online check updates.
* Fix issue with handling proxy method and WISPr.
* Fix issue with handling default gateway setup.
* Add support for low-priority default routes.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ce9a64b5d1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The commit [1] updated the version of libical to version 3.0.20 which
included a number of build fixes for newer CMake version.
This patch is not included in the 2025.02.x branch and libical remained
subject to a number of build error with CMake 4.
This patch backport the fix to remove the usage of the now deprecated
CMP0005 policy with CMake version 4 (see [2]).
[1] 8cdeeb536c package/libical: bump to version 3.0.20
[2] https://cmake.org/cmake/help/latest/policy/CMP0005.html
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issues:
CVE-2025-24223
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to rheza (@ginggilBesel) and an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to
memory corruption. Description: The issue was addressed with
improved memory handling.
WebKit Bugzilla: 287577
CVE-2025-31204
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Nan Wang (@eternalsakura13).
Impact: Processing maliciously crafted web content may lead to
memory corruption. Description: The issue was addressed with
improved memory handling.
WebKit Bugzilla: 291506
CVE-2025-31205
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Ivan Fratric of Google Project Zero.
Impact: A malicious website may exfiltrate data cross-origin.
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 290992
CVE-2025-31206
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash. Description: A type confusion issue was
addressed with improved state handling.
WebKit Bugzilla: 290834
CVE-2025-31215
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Jiming Wang and Jikai Ren.
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash. Description: The issue was addressed with
improved checks.
WebKit Bugzilla: 288814
CVE-2025-31257
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Juergen Schmied of Lynck GmbH.
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash. Description: This issue was addressed with
improved memory handling.
WebKit Bugzilla: 290985
https://webkitgtk.org/security/WSA-2025-0004.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7a09fcf7c6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
CVE-2025-4207: PostgreSQL GB18030 encoding validation can read one byte past
end of allocation for text that fails validation
A buffer over-read in PostgreSQL GB18030 encoding validation allows a
database input provider to achieve temporary denial of service on platforms
where a 1-byte over-read can elicit process termination. This affects the
database server and also libpq.
https://www.postgresql.org/about/news/postgresql-175-169-1513-1418-and-1321-released-3072/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a8f53a907b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit [1], the host-nodejs package was turned into a virtual
package. However, the target nodejs package was intentionally not
turned into a virtual package and became an empty package.
The reason for this is:
- No alternatives providers were introduced for the target nodejs
package.
- The Config.in remained unchaged for the target package.
As a result, running `make show-info` with a config that includes the
target nodejs package, outputs an entry for the empty package:
```
"nodejs": {
"type": "target",
"name": "nodejs",
"virtual": false,
"version": "",
...
"cpe-id": "cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*"
},
```
This can be an issue because the CPE ID of the empty nodejs package
is the following `cpe:2.3:a:nodejs:node.js::*:*:*:*:*:*:*`.
Reporting such a CPE ID can be an issue for certain software that consume
the SBOM and could be interpreted as CPE that matches with every versions
of the package.
This patch converts the target nodejs package into a virtual package to
prevents the empty package from being included in the SBOM.
[1] 4cbc2af604 package/nodejs: rename to nodejs-src and convert to virtual package
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Tested-by: johan.derycke@barco.com
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ccf3536fcb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Version 6.1.2 of ffmpeg fails to build with GCC 14.x due to the V4L2
ioctl code:
libavdevice/v4l2.c:137:17: error: assignment to ‘int (*)(int, long unsigned int, ...)’ from incompatible pointer type ‘int (*)(int, int, ...)’ [-W
incompatible-pointer-types]
137 | s->ioctl_f = prefix ## ioctl; \
| ^
libavdevice/v4l2.c:151:9: note: in expansion of macro ‘SET_WRAPPERS’
151 | SET_WRAPPERS();
| ^~~~~~~~~~~~
This has been fixed upstream in the release/6.1 branch, which has 27
fixes on top of 6.1.2. The commits necessary to fix our issue are:
f71076c009f84917e7a0f2f1ece86b718de2d8d3 configure: improve check for POSIX ioctl
60593d6c06c9b610359bd6af26a268feff1293eb configure: restore autodetection of v4l2 and fbdev
However, since all other commits are fixes, we believe bumping to the
latest commit in the release/6.1 branch is a better idea.
This allows to drop
0008-libavcodec-arm-mlpdsp_armv5te-fix-label-format-to-wo.patch, which
is upstream as of:
4c688845a50f7dce3af9afebe60f0f7a493c4f07 libavcodec/arm/mlpdsp_armv5te: fix label format to work with binutils 2.43
Note that we set FFMPEG_CPE_ID_VERSION to get proper CVE matching even
with FFMPEG_VERSION being set to n6.1.2-27-ge16ff06adb. One who have
ideally set FFMPEG_VERSION to n$(FFMPEG_CPE_ID_VERSION)-ge16ff06adb,
but that makes check-package unhappy with:
WARNING: package/ffmpeg/ffmpeg.mk:7: expecting package version to be set before CPE_ID_VERSION
Fixes:
https://autobuild.buildroot.net/results/fe1574443acd50ca7e576bb4beb24467be1713e3/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 32df543fa3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
Build with gcc-15 was fixed upstream in 10.11.11:
https://github.com/MariaDB/server/commit/1d6f857
Remove patch, since the problem was fixed upstream:
https://github.com/MariaDB/server/commit/4375245
After bumping the version to 10.11.11 the configuration step failed for target:
CMake Error: try_run() invoked in cross-compiling mode, please set the following cache variables appropriately:
HAVE_SYSTEM_LIBFMT_EXITCODE (advanced)
To fx this problem we set HAVE_SYSTEM_LIBFMT_EXITCODE=0.
Fix legal-info after changes to README.md.
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 6cd8f95346)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
dbus has a session socket directory configuration setting,
that, if not set, will be autodeducted based on env vars
like TMPDIR during configuration time.
Becuse of that, the builder's environment variables will
lead to an image with a broken session bus while
leaking builder's details to the image.
Add an explicit setting of session-socket-dir to /tmp dir.
Fixes: https://gitlab.com/buildroot.org/buildroot/-/issues/67
Signed-off-by: Nikita Kiryushin <kiryushin@ancud.ru>
Reviewed-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit f777c79912)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
A set of `unterminated-string-initialization` errors appeared when
building the micropython package with GCC15 on the host.
The autobuilder failed to build the package micropython with the
following error:
```
CC ../py/emitinlinethumb.c
../py/emitinlinethumb.c:153:9: error: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (4 chars into 3 available) [-Werror=unterminated-string-initialization]
153 | {0, "r0\0"},
| ^~~~~~
../py/emitinlinethumb.c:154:9: error: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (4 chars into 3 available) [-Werror=unterminated-string-initialization]
154 | {1, "r1\0"},
| ^~~~~~
...
```
This patch adds the set of upstream commits to fix the compatbility with
GCC15 (see [1]).
The patches were backported to micropython v1.22.2. The main difference
with the upstream version is that since the v1.23, the project removed the
use of the `STATIC` macro (see [2]).
Also, in the codebase of v1.22.2 the 'unterminated-string-initialization'
error occured in another file that was reworked in the patch [3] and
included in v1.25. This patch is included as well to remove the error in
v1.22.2.
[1] package/micropython/0003-Fixes-for-GCC-15-1-unterminated-string-literal-warning.patch
[2] decf8e6a8b
[3] package/micropython/0002-py-emitinlinextensa-Simplify-register-name-lookup.patch
Fixes: https://autobuild.buildroot.org/results/fdf/fdf1d7c3e3a51e6fc7fa5abea57de6c9ce792015
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0814b614c2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Inspired by
c250c61cc3
"GCC 15 defaults to C23. The last release of this package was over a
decade ago, and it is no longer maintained, therefore it should not be
expected to compile to the latest standards."
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c1d422edde)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit adds the same patch that was already added to GDB 14.x,
15.x and 16.x to fix a GCC 15.x build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit dc0691f038)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit backports an upstream patch fixing the bundled readline
library so that it builds with GCC 15.x.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 56c834400e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
bash uses K&R function declarations which have been removed in C23.
Since part of the build process (like the mkbuiltins helper) is written
in C, building bash now fails on hosts with GCC 15 (which defaults to
C23).
Since properly fixing this on the source code level is a larger
endeavor, just set the C standard to an old enough version for now.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6d09b25d08)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
On systems running GCC 15, host-cpio will fail to build with errors like
copyout.c:646:12: error: too many arguments to function 'xstat'; expected 0, have 2
and
main.c:407:13: error: assignment to 'int (*)(void)' from incompatible pointer type 'int (*)(const char * restrict, struct stat * restrict)' [-Wincompatible-pointer-types]
This was reported[1] and fixed upstream, but there is no new release
yet. Import the upstream patch for now.
Fixes:
https://autobuild.buildroot.org/results/a10c5f2b0f9cb05b2550fe97f1133deaaac97277/
(and many more)
[1] https://lists.gnu.org/archive/html/bug-cpio/2025-05/msg00000.html
Signed-off-by: Florian Larysch <fl@n621.de>
[Julien:
- add missing "Signed-off-by:" in patch to fix check-package error
- change "Upstream:" link to use the commitdiff in patch
- add "Fixes:" in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e3cae9e1ca)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When using host gcc 15, host-gmp fails at configure time with
error message:
configure: error: could not find a working compiler, see config.log for details
The error is due to the macro GMP_PROG_CC_WORKS in the file
acinclude.m4 containing C-code declaring functions without declaring
its parameters. This construct is now an error in C23, which is the
new default in gcc 15. See:
https://gcc.gnu.org/gcc-15/porting_to.html#c23
This commit fixes the issue by adding a package patch from
upstream changesets, not yet published in a release.
Even if gcc 15 is not yet included in Buildroot, this commit also
sets _AUTORECONF = YES for the target package in order to have this
package already fixed.
Fixes:
https://autobuild.buildroot.org/results/623634fa7bbeceeb6d90b15ce0abb1b9b4b24045/
Tested-by: Brigham Campbell <me@brighamcampbell.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 31569bcc1b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When compiling host-m4 1.4.19 with a host gcc 15 (which is the version
included in Fedora 42, released on 2025-04-15), compilation fails with
error:
In file included from gl_avltree_oset.h:21,
from gl_avltree_oset.c:21:
gl_oset.h:275:1: warning: 'nodiscard' attribute ignored [-Wattributes]
275 | GL_OSET_INLINE _GL_ATTRIBUTE_NODISCARD int
| ^~~~~~~~~~~~~~
gl_oset.h:275:40: error: expected identifier or '(' before 'int'
275 | GL_OSET_INLINE _GL_ATTRIBUTE_NODISCARD int
| ^~~
This error is due to the gnulib copy included in m4 1.4.19, which does
not detect properly the default C language standard of gcc 15 which
has been changed from "gnu17" to "gnu23". See [1]. Note that m4 1.4.19
is the latest version available at the time of this commit, and was
released in May 2021. The issue is tracked upstream in [2].
Upcoming m4 release is expected to fix this issue, by updating its
gnulib copy. See [3], which states: "Update to comply with newer C
standards, and inherit portability improvements from gnulib".
Until this new m4 version is released, this commit fixes the issue by
forcing the C langage standard to "-std=gnu17" (the previous gcc
default) when host-gcc 15 is detected.
Note that the "-std=gnu17" option was introduced in gcc 8. See [4].
This is the reason why this patch adds this option only when the
problematic gcc 15 version is detected.
See also the discussions around this patch at [5].
Fixes:
https://autobuild.buildroot.org/results/1c33ef0a710cfae13e496485787b351c8f951217/
(and many, many others)
[1] https://gcc.gnu.org/gcc-15/changes.html#c
[2] https://savannah.gnu.org/support/?111150
[3] https://git.savannah.gnu.org/cgit/m4.git/commit/?h=branch-1.4&id=a22c9802dd7e724eaefb21dc21d84ac2d3a49c89
[4] https://gcc.gnu.org/gcc-8/changes.html#c
[5] https://lore.kernel.org/buildroot/CAPWx8vsoJUt8YMJG1aUqFRK1=yizNbgjVjGL1Q1+9ygjJGnZLA@mail.gmail.com/
Signed-off-by: Joseph Zikusooka (ZIK) <zik@jambula.net>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
[Julien:
- change mail url to lore.kernel.org for stable link
- reword, reflow and add extra info in the commit log
- force -std=gnu17 only when host gcc-15 is detected
- add a comment in .mk to remove the workaround at next bump
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7a07a9d155)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
A basic Fedora 42 container does not have 'awk' installed, but it is
needed by Buildroot. First by check-host-python3.sh:
support/dependencies/check-host-python3.sh: line 6: awk: command not found
support/dependencies/check-host-python3.sh: line 19: awk: command not found
support/dependencies/check-host-python3.sh: line 19: awk: command not found
but then even building host-expat assumes awk is available:
config.status: creating Makefile
./config.status: line 1404: awk: command not found
config.status: creating expat.pc
./config.status: line 1404: awk: command not found
Since it's a pretty basic tool, make it part of the tools checked by
dependencies.sh. One minor annoyance is that check-host-python3.sh is
executed *before* dependencies.sh does its thing, so when 'awk' is not
available, we end up seeing:
support/dependencies/check-host-python3.sh: line 6: awk: command not found
support/dependencies/check-host-python3.sh: line 19: awk: command not found
support/dependencies/check-host-python3.sh: line 19: awk: command not found
which: no awk in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin)
You must install 'awk' on your build machine
make: *** [support/dependencies/dependencies.mk:27: dependencies] Error 1
It would be nice to have the awk check *before* it gets used in
check-host-python3.sh, but that's a topic for another patch.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 448ceefa78)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changes:
Set GDB version number to 15.2.
[gdb/python] Make sure python sys.exit makes gdb exit
[gdb/symtab] Revert "Change handling of DW_TAG_enumeration_type in DWARF scanner"
[gdb/testsuite] Add regression test for PR32158
[gdb/testsuite] Add gdb.dwarf2/enum-type-c++.exp, regression test for PR31900.
gdb-15-branch: Clear the X86_XSTATE_MPX bit in XCRO for x32
Recognize -2 as a tombstone value in .debug_line
[gdb] Handle ^C during disassembly
Mark unavailable bytes of limited-length arrays when allocating contents
gdb/solib-frv: move lm_info object to solib
Fix loading a saved recording
Bump GDB's version number to 15.1.90.DATE-git.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e40bf89e40)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changes:
Set GDB version number to 16.3.
gstack: [downstream regression] Output file names and line numbers
Fix build failure for gdbserver's raw_compare self test
Fix gdbserver crashes on SVE/SME-enabled systems
gdb: allow selecting default fg/bg colors in tui mode
gdb: Fix assertion failure when inline frame #0 is duplicated
[gdb/tdep] Rewrite i386_canonicalize_syscall
[gdb/record] Fix out-of-bounds write in aarch64_record_asimd_load_store
gdb/dwarf: save DWARF version in dwarf2_loclist_baton, remove it from dwarf2_per_cu
Fix segfault if target_fileio_read_alloc fails
gdb/tui: use wrefresh if output is not surpressed
[gdb/corefiles] Fix segfault in core_target_open
Bump GDB's version number to 16.2.90.DATE-git.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b793160964)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This patch was commited upstream, and released as part of sqlite 3.49.1
However, the configuration system changed between sqlite 3.48 and 3.49
from autotools to autosetup, and this has proven challenging to support
in Buildroot (see `git log package/sqlite`), hence why we are still on
sqlite 3.48.
Therefore, until the package build infrastructure correctly supports
building sqlite 3.49, let's simply import the upstream patch to address
the CVE.
Note: the upstream patch is on the orignal sqlite sources. Buildroot is
using the sqlite "amalgamation" source archive, which basically
concatenate all the source files in a single "sqlite3.c" file. So the
patch was reformated to apply correctly on the sqlite release archive.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-29087
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien:
- reformat patch to be applicable on amalgamated sqlite sources
- add comment in commit log about patch format
- add "Fixes:" in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 835b5659ea)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since its introduction in commit [1], the
friendlyarm_nanopi_r3s_defconfig is failing to build with error:
Incorrect selection of kernel headers: expected 6.12.x, got 6.13.x
The error happens because the defconfig has:
BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_12=y
and
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.13.4"
This commit fixes the issue by setting instead:
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.12.28"
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/9887216429
[1] 41734e00c0
Cc: Sergey Kuzminov <kuzminov.sergey81@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 74c4dd4150)
[Thomas:
Since this has been introduced in LTS branch I set the kernel
version to 6.12.x present in LTS instead of changing the linux header
version.
]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit adds BR2_DOWNLOAD_FORCE_CHECK_HASHES=y in the defconfig
and adds custom hash files. The exception entry in .checkpackageignore
is also removed.
Cc: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 683681261b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The 'bird' package with only the `BR2_PACKAGE_BIRD_BFD=y` protocol
enabled fails to build with the following error
```
bison -Dparse.lac=full -Dparse.error=verbose -dv -pcf_ -b obj/conf/cf-parse obj/conf/cf-parse.y
proto/bfd/config.Y:204.27-33: error: symbol 'ADDRESS' is used, but is not defined as a token and has no rules
204 | | bfd_show_sessions_args ADDRESS net_or_ipa { net_copy(&($$->address...
| ^~~~~~~
```
The `ADDRESS` token is defined only when certain protocols (e.g. OSPF,
RIP, RPKI, or BGP) are enabled. As a result, builds including any of
these protocols do not encounter the issue.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PACKAGE_BIRD=y
BR2_PACKAGE_BIRD_BFD=y
# BR2_PACKAGE_BIRD_BGP is not set
EOF
make olddefconfig
make bird
This patch backports upstream commits that define the `ADDRESS` token
for the BFD protocol.
Fixes:
https://autobuild.buildroot.org/results/68c5dd84585a7018ad57ea3e7134748c08858ef7/
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 80cfdcb86b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This patch fixes the `S_IFMT` undeclared error in `statx.c` when musl
is used.
Signed-off-by: José Luis Salvador Rufo <salvador.joseluis@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9a672635a1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes a potential NULL pointer dereference
As a side note, this package has many opened CVEs, but upstream doesn't seem
to really consider them as security issues, see their disclaimer here:
https://github.com/yasm/yasm/blob/master/SECURITY.md
We could speculate that this disclaimer has been written as a consequence of
the many small CVEs opened in a short time, that don't have a substantial
security impact (besides the command line tool crashing). All of these small
CVEs have been opened for bug reports issued by a third party who used a
fuzzy tester to manipulate the assembler input
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 875f5670aa)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This fixes the following CVE:
- CVE-2025-1492: The Bundle Protocol and CBOR dissectors could crash
It may be possible to make Wireshark crash by injecting a malformed
packet onto the wire or by convincing someone to read a malformed
packet trace file.
See https://www.wireshark.org/security/wnpa-sec-2025-01
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 032b268890)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Annoyingly, using "--disable warning" does not disable the warnings
checks.
It turns out that we look for "warnings" (i.e. with an 's') to know if
we should disable the warnings check, so update the help text
accordingly.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 92e7ab78d6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit fd562315, which updated waf to v2.1.1, Buildroot has
encountered issues building mpv, likely due to an outdated version of
the waf build system.
Starting with mpv v0.35, meson was introduced as an alternative to waf,
and in mpv v0.37, waf was completely removed.
This commit updates the mpv makefile to use meson, resolving the build
issues and simplifying future updates to newer versions of mpv.
All options previously used for Waf have been translated to the new
build system by replacing `--disable-feature` with `-Dfeature=disabled`
(and similarly for enabling features). Some features have special
handling:
- The `/usr` prefix is automatically passed to meson packages by
default.
- The Android feature "has been removed since meson can detect if a
machine is Android"[1].
- The `libmpv` parameter has been enabled in the makefile as `libmpv`
must be built by default with mpv.
- Meson packages automatically set whether the library should be built
statically using the `default_library` meson parameter.
- Meson automatically detects the presence of `libatomic` and passes the
correct argument to the linker. However, it is possible to set the
`stdatomic` meson parameter to specify whether `libatomic` must or
must not be used.
Fixes:
https://autobuild.buildroot.org/results/68d42441fc0da34e1bf2a4247726f5f4ec3b8e77/
[1]: 140ec21c89/DOCS/build-system-differences.md (L48)
Signed-off-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
Tested-by: J. Neuschäfer <j.ne@posteo.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8f69974c20)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changelog:
- afa57cc libubus: add support for using channels
- d996988 libubus: close file descriptor after sending it from a request
- 252a9b0 libubus: Make UBUS_* macros work cleanly in C++
- 65bb027 CMakeLists.txt: bump minimum cmake version
- f84eb59 libubus: fix initial subscribe with autosubscribe
- 2b39a27 libubus: fix reconnect with auto subscribe
- b3e8c4e Add auto subscribe support
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9af9b4b304)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changelog:
- 3868f47 blob: constify attr argument to blob_memdup
- eb9bcb6 ustream: prevent recursive calls to the read callback
- 12bda4b CI: add CodeQL workflow tests
- a2fce00 CI: add build test run
- c1be505 udebug: fix crash in udebug_entry_vprintf with longer strings
- 6339204 CMakeLists.txt: bump minimum cmake version
- ca3f6d0 udebug: fix file descriptor initialization for __udebug_buf_map
- df5b714 udebug: add mips specific quirk
- d27acfe udebug: add more checks for uninitialized buffers
- 40acbe3 udebug: wait for response after buffer add/remove
- e84c000 udebug: add inline helper function to test if a buffer is allocated
- 325fea5 udebug: add functions for manipulating entry length
- e80dc00 link librt if needed for shm_open
- 260ad5b udebug: add ulog support
- b77f2a4 uloop: fix build using C++ compilers
- d4c3066 udebug: add udebug library code
- b3fa3d9 uloop: reset flags after __uloop_fd_delete call
- 8a5a431 uloop: fix typo in signal handling rework
- f7d1569 uloop: properly initialize signal handler mask
- 13d9b04 uloop: add support for user defined signal handlers
- 82fa648 uloop: add support for interval timers
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 44c11a6862)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The package strongswan relies on the `wc_RsaKeyToDer` & `wc_MakeRsaKey`
functions of WolfSSL. Building this package with the WolfSSL backend
by selecting the variable `BR2_PACKAGE_STRONGSWAN_WOLFSSL` would give
the following error:
```
libtool: compile: /home/buildroot/instance-0/output-1/host/bin/sparc-linux-gcc -DHAVE_CONFIG_H -I. -I../../../.. -I../../../../src/libstrongswan -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DWC_NO_RNG -rdynamic -Wno-format -Wno-format-security -Wno-implicit-fallthrough -Wno-missing-field-initializers -Wno-pointer-sign -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Og -g0 -include /home/buildroot/instance-0/output-1/build/strongswan-5.9.14/config.h -c wolfssl_ed_public_key.c -o wolfssl_ed_public_key.o >/dev/null 2>&1
wolfssl_rsa_private_key.c: In function 'get_encoding':
wolfssl_rsa_private_key.c:366:31: error: implicit declaration of function 'wc_RsaKeyToDer'; did you mean 'wc_EccKeyToDer'? [-Wimplicit-function-declaration]
366 | len = wc_RsaKeyToDer(&this->rsa, encoding->ptr, len);
| ^~~~~~~~~~~~~~
| wc_EccKeyToDer
libtool: compile: /home/buildroot/instance-0/output-1/host/bin/sparc-linux-gcc -DHAVE_CONFIG_H -I. -I../../../.. -I../../../../src/libstrongswan -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DWC_NO_RNG -rdynamic -Wno-format -Wno-format-security -Wno-implicit-fallthrough -Wno-missing-field-initializers -Wno-pointer-sign -Wno-sign-compare -Wno-type-limits -Wno-unused-parameter -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Og -g0 -include /home/buildroot/instance-0/output-1/build/strongswan-5.9.14/config.h -c wolfssl_ec_private_key.c -o wolfssl_ec_private_key.o >/dev/null 2>&1
wolfssl_rsa_private_key.c: In function 'wolfssl_rsa_private_key_gen':
wolfssl_rsa_private_key.c:490:13: error: implicit declaration of function 'wc_MakeRsaKey'; did you mean 'wc_FreeRsaKey'? [-Wimplicit-function-declaration]
490 | if (wc_MakeRsaKey(&this->rsa, key_size, WC_RSA_EXPONENT, &this->rng) < 0)
| ^~~~~~~~~~~~~
| wc_FreeRsaKey
```
Those functions are only present when building the WolfSSL library with
the keygen supports (`--enable-keygen`).
This patch change the selected package to enable all the option of
WolfSSL, which include the keygen as well.
Fixes:
- https://autobuild.buildroot.org/results/d0e/d0e94f501ad1afd25ae4112443f9af101dfa5dea
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6c18375434)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This version bump removes CVE-2023-7152, which was incorrectly associated
with the micropython package in pkg-stats.
Although the CVE fix was already present in 1.22.0 the CVE only applied
to the preview version of 1.22.0. The CPE ID of the 1.22.0 matched with the
CPE ID of the 1.22.0 preview version as well.
This patch bumps to the latest patch-level version available in the 1.22.x
series to include additional fixes, rather than just adding the CVE to the
'MICROPYTHON_IGNORE_CVES' list.
The LICENSE hash has been updated, as the licenses used for the ports and
libraries have also been updated in the LICENSE file.
For more details on the version bump, see the release notes:
- https://github.com/micropython/micropython/releases/tag/v1.22.2
- https://github.com/micropython/micropython/releases/tag/v1.22.1
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 294e3a40bb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The Config.in comment in the dpdk package was wrong for a number of
reasons:
- It didn't mention the glibc dependency
- It didn't mention the gcc >= 4.9 dependency
- It mentioned a wchar dependency that isn't listed in the dpdk
dependencies
- It mentioned a dynamic library dependency that isn't listed in the
dpdk dependencies
- It used "kernel headers >= 4.19", while for brievity we use "headers
>= 4.19" everywhere in Buildroot
- Minor nit: DPDK was written allcaps, while we write package names
lower-case in Buildroot
Fixes: d17d1b6bde ("package/dpdk: add 24.07")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0e0b65781b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a runtime test for the 'dust' package to verify that the binary
executes correctly in a minimal buildroot rootfs. The test checks that:
- 'dust --version' runs without error
- 'dust' can analyze a directory structure with files
- The output includes the expected directory names
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5bca9d741d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a runtime test for the 'bat' package to verify that the binary executes
correctly in a minimal Buildroot rootfs.The test cheks that:
- 'bat --version' runs without error
- 'bat' can read and display a text file
- the displayed content matches the expected string
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit dacf8e3c39)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The v1 of the patch that is in Buildroot ended up being reworked and
merged from a v2, therefore let's update the patch by using the merged
commit instead.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0f2249a484)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libcamera migrated to use an ioctl for detecting frame sizes which is
only available in kernels 6.4 and later. If it doesn't exist, default
frame sizes are used. However the min and max resolutions supported by
the pipeline weren't initialized for kernels where that ioctl isn't
available and ended up creating invalid configuration that later
crashed.
The introducing commit was part of the v0.4.0 release.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d12d1a7f5e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Release:
https://github.com/bootandy/dust/releases/tag/v1.1.2
Note: version 0.9.0 of dust fails to build when running
the runtime test on the armv7 architecture due to an
unconditional import of Atomicu64.
error:
Compiling config-file v0.2.3
error[E0432]: unresolved import `std::sync::atomic::AtomicU64`
--> src/progress.rs:6:18
|
6 | atomic::{AtomicU64, AtomicU8, AtomicUsize, Ordering},
| ^^^^^^^^^
| |
| no `AtomicU64` in `sync::atomic`
| help: a similar name exists in the module: `AtomicU32`
For more information about this error, try `rustc --explain E0432`.
error: could not compile `du-dust` (bin "dust") due to 1 previous error
This issue was discovered while writing a runtime test
for dust. upgrading to version 1.1.2 resolves the issue.
More details available in the following issue:
https://github.com/bootandy/dust/issues/423
For now, we bump to the latest compatible version
which builds and runs correctly. We can't bump to the latest
version 1.2.0 since it requires a cargo version newer than
1.82.0.
error:
-- The package requires the Cargo feature called `edition2024`, but that feature is not stabilized in this version of Cargo (1.82.0 (8f40fc59f 2024-08-21)).
Consider trying a newer version of Cargo (this may require the nightly release).
The upgrade to 1.2.0 will be considered once the patch for
Rust 1.86.0 is accepted.
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3abc3b97ba)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
1.3.44 added the following security fixes:
* TIFF: Fixed multiple heap and stack buffer overflows (directed by
the source EXIF profile) while writing EXIF into the native TIFF
IFD.
* FITS: Fix problem that the FITS reader could return invalid image
frames with rows or columns set to zero. Other code in the library
crashes, or even asserts, if invalid image frames with rows or
columns set to zero are returned.
* Coverity fixes: Various fixes for Coverity issues raised after the
update to version 2023.12.2.
* Clang Analyzer (scan-build) fixes: Various fixes for new issues
discovered by Clang Analyzer.
7046c34427
In addition 1.3.45 fixes a off-by-one issue introduced in 1.3.44:
96f765a2e3
Update the Copyright.txt hash for a change in copyright years:
f0bba104ee26fce89276
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 055547ff12)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The version bump in [1] introduced the upstream commit [2] which made
builds using toolchain without thread support fail to build libcoap.
This patch adds an option check in the libcoap.mk file to verify
the toolchain has thread support and passes the correct configuration
options introduced in [2] as well.
The build can be tested with the following config.
```
BR2_armeb=y
BR2_cortex_a76_a55=y
BR2_ARM_EABI=y
BR2_ARM_SOFT_FLOAT=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_PACKAGE_LIBCOAP=y
```
Fixes:
https://autobuild.buildroot.org/results/9c0/9c0b675a64fb2576bc34457043f118cffe5fe555//
[1] 4df4d1d312 package/libcoap: bump version to 4.3.5
[2] c69c5d5af0
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 70ca62fb49)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Jugurtha's email address is bounding:
550 5.1.1 The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces.
Remove it from the DEVELOPERS file so that utils/get-developers
doesn't send emails to non-existent addresses.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cd6141ab15)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
linux-tools opportunistically set linux as only a patch dependency. This
unfortunately introduces a race condition in the shared linux scripts
when using PER_PACKAGE_DIRECTORIES and using top level parallelism. The
race manifests as the error "/bin/sh: 1: scripts/basic/fixdep:
Permission denied". This happens when the linux package and the
linux-tools package are being compiled in parallel.
The linux-tools currently using fixdep are perf and rtla. When the
timing is correct, perf, rtla, or the kernel Makefile will try to use
fixdep while one of the others is compiling fixed, resulting in fixdep
being briefly not available.
To fix this, set linux as a build dependency instead of a patch
dependency.
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b074f6b72b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Pixman defaults to building with the riscv vector extension. Instead,
only build with vector if the buildroot user has selected
BR2_RISCV_ISA_RVV.
This option exists since pixman 0.44.0, to which the Buildroot package
was updated as part of Buildroot commit
ba2fb599cd.
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 386e6bb479)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This will be part of 6.15.0 release.
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
[Julien: fix check-package error by adding "Upstream:" tag in patch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6bcefa73b1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The "modprobe brcmfmac" command is not necessary because this driver
is automatically loaded.
Remove the "iwconfig" line as it is considered deprecated:
warning: `iwconfig' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211
Remove the "-Dwext" parameter as it is not supported by the default kernel
configuration:
wlan0: Unsupported driver 'wext'
Tested Wifi by following the updated commands.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6240b75d0c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Restart would regularly fail because it did not wait for the old
process to be gone before starting the new one. Rewrite the script
according to current style to fix that, and add reload support (see
mosquitto docs for limitations of reload).
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 340a4bd4f8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Importing urllib3 already allows us to check that for example zlib can
be loaded at runtime.
For good measure, also create the PoolManager object mentioned in the
user guide ([1]), and check that we can normalize a URL like it is
done in urllib3's 'test/test_util.py'.
[1]: https://urllib3.readthedocs.io/en/stable/user-guide.html
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3e931caf84)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See release announce [1].
The src/mygetopt.h file license was updated from BSD-4-Clause to
BSD-2-Clause in upstream commit [2]. This change makes this file using
the same license as most other files. So this commit removes the
license entry for this file and update the _LICENSE accordingly.
This commit also replaces the mention "one file" on BSD-3-Clause, to
the actual file name using it, which is "vasprintf.c".
This commit also updates the Config.in package homepage URL,
to use https.
[1] https://mailman.astron.com/pipermail/file/2024-November/001435.html
[2] d605bb4047
Signed-off-by: Julien Olivain <ju.o@free.fr>
Reviewed-by: Vincent Jardin <vjardin@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 104449d0cb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit 675cbaf9aa (package/qt5/qt5webengine: bump to version 5.15.8)
moved the chromium submodule in a separate qt5webengine-chromium
package. It removed the inclusion of
"package/qt5/qt5webengine/chromium-latest.inc" but forgot to remove
the file.
A similar file was introduced in commit 577d886886
(package/qt5/qt5webengine-chromium: new package), included in its
own qt5webengine-chromium.mk package recipe.
This commit drops the chromium-latest.inc file in qt5webengine
which is no longer used.
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
[Julien: add extra explanation in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 272e56d1ce)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The upstream URL has changed to github.com/python-sdbus/python-sdbus.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[Julien: add link to release note in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e3ba797873)
[Thomas: do not include the bump only the repo address fix]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The bump of packages rpi-firmware and linux have to by synced, since the
linux package does not install yet its device-tree overlay blobs.
This adds a note to remind to keep in sync the versions of rpi-firmware
package and kernel (set in the defconfigs).
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
[Julien: rebase patch to resolve context conflict with commit 80ccb3e667]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5926b3b3ae)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
$ fluent-bit
fluent-bit: error while loading shared libraries: libminiz.so.3: cannot open shared object file: No such file or directory
Commit 527deef "package/fluent-bit: bump to 3.2.10",
dropped the BUILD_SHARED_LIBS=OFF off part, because miniz uses
static linking by default now, but runtime execution shows otherwise,
so revert to fix.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f2c15f00d4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] "support/testing: improve weston test reliability" moved
out the wait time from the emulator (to run on the test controller).
While doing so, the sleep time which was initially _after_ the
"killall weston" invocation to in stop_weston() was incorrectly
moved before the command invocation. In this state, the test can
succeed on fast host computer running the test. But it will most
likely fail on an average computer.
This commit fixes this issue by moving the sleep time after
the command invocation.
[1] 6561a5d773
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit bedc44c073)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch bumps the Linux kernel to version 6.1.133. The size of xipImage
has increased by only 22 bytes (1671804 bytes compared to 1671782 in
version 6.1.126).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cb6729d214)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
lmbench dependency discovery relies on implicit return types for
main(). This causes compiler errors when -Wimplicit-int is enabled,
which has become the default with recent gcc versions. The failure of
the dependcy discovery causes lmbench to redifine typedefs the
compiler already has in an incompatible manner. Add a patch to fix the
discovery.
Fixes:
bench.h:81:13: error: conflicting types for ‘socklen_t’; have ‘int’
81 | typedef int socklen_t;
bench.h:85:15: error: conflicting types for ‘off64_t’; have ‘int64’ {aka ‘long long int’}
85 | typedef int64 off64_t;
Fixes:
http://autobuild.buildroot.net/results/33cf97a79125c20f67f620eb6a7b5ad2206b2503/
Signed-off-by: Charlie Jenkins <charlie@rivosinc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fd914e9e4c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libcamera has some optional dependencies that automatically detected at
build time.
To improve reproducibility, we should add a dependency on those optional
dependencies if the symbols that build them are enabled so that the
order in which packages are built does not influence the libcamera
package.
Note that the optional libyuv dependency isn't added as:
1) it is only used for the virtual pipeline and the android feature,
both of which are disabled/not supported right now,
2) libcamera has it in a submodule if missing (though if that works with
Buildroot is to be determined),
3) adding the dependency isn't enough as meson somehow doesn't find the
dependency,
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 028bdac7ed)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
meson allows to force all features set to "auto" to default to disabled
except if explicitly enabled via the auto_features argument, c.f.
https://mesonbuild.com/Build-options.html#features
"""
If the value of a feature option is set to auto, that value is
overridden by the global auto_features option (which defaults to auto).
This is intended to be used by packagers who want to have full control
on which dependencies are required and which are disabled, and not rely
on build-deps being installed (at the right version) to get a feature
enabled.
"""
The only auto feature that we hadn't disabled explicitly is the
gstreamer plugin. It is however expected that this wasn't a mistake as
the dependencies for the gstreamer pluging wouldn't have been met
thanks to the explicit LIBCAMERA_DEPENDENCIES we have based on the
presence of the gstreamer symbols in the global config.
This should make it less likely for future releases of libcamera to
regress in terms of reproducibility because of "auto" features (though
changes from "auto" to "enabled" wouldn't be caught and would be
susceptible to race conditions with their dependencies in case they
aren't properly specified and built after libcamera is).
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ef3c3bc9b1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
We currently disable building the documentation via the "documentation"
feature, but it is enabled nonetheless by meson if sphinx-build-3 is
found on the host.
This makes sure it doesn't happen by making the sphinx-build-3 check
only happen when the "documentation" feature is "auto" or "enabled",
which isn't the case for Buildroot.
The bug seems to have been introduced in v0.0.1 release.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 569272be91)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit c1597f989654 ("ipa: raspberrypi: Use YamlParser to replace
dependency on boost"), part of the v0.0.1 release, removed the
dependency on boost, so let's remove it from the pipeline option and
dependency for Buildroot.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 65721c6e0a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Some EDK II configurations have complex dependencies on several packages
and additional build options; build tests help keeping track of those
more easily.
Factorize some code common to all the build tests into a new
TestEdk2BuildBase class, which defines a base configuration and a method
to assert that binaries do indeed exist after the build.
While at it, add myself in DEVELOPERS.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4f7e3f0bdd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The manual states that FOO_DL_OPTS are valid for all the different
download backends, but that is not the case: at least the git backend
does not use them (it does not fail, it just ignores them).
Accept FOO_DL_OPTS in the git backend, and pass them to 'git fetch'.
There is no way that we can pass such options to submodules or lfs,
though.
Update the manual accordingly.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a1012b363a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The dependencies for pulseview are not entirely clean:
- arch deps are not first;
- second-level inherited deps are listed;
- deps are not alphabetically ordered (for deps on packages);
- the comment is hidden even when the arch deps are met, because of an
incorrect dependency on Qt5;
- qt5 is a depends-on when it could be a select.
Update the dependencies to fix all the points above.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 70bcb7655b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Some protocol decoders in libsigrokdecode need the zlib module:
srd: ModuleNotFoundError: Failed to load decoder usb_power_delivery: import by name failed: No module named 'zlib'
srd: Traceback (most recent call last):
File "/usr/share/libsigrokdecode/decoders/usb_power_delivery/__init__.py", line 24, in <module>
from .pd import *
File "/usr/share/libsigrokdecode/decoders/usb_power_delivery/pd.py", line 24, in <module>
import zlib # for crc32
^^^^^^^^^^^
ModuleNotFoundError: No module named 'zlib'
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9d6ab1244a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since iptables v1.8.11, `iptables -C` commands return unexpected zero status
even for cases when the rules don't exist. This breaks e.g. standard Docker
operation, where checking for existing rules is used extensively when creating
networks.
The patch fixing the behavior is available upstream - apply it to v1.8.11
before a newer version is available.
Signed-off-by: Jan Čermák <sairon@sairon.cz>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f5e7cefe77)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The ARMV7-A toolchains are capable to compile binaries for ARMv8-A CPU
in AArch32 execution state.
This adds the BR2_ARM_CPU_ARMV8A option in the 'conditions' to allow
ARMV8-A CPU such as Cortex-A53 or Cortex-A72 to use ARMV7-A toolchains.
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8fd537ae05)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Without this, packages using libopenmpt are not able to find
the dependency.
Signed-off-by: J. Neuschäfer <j.neuschaefer@gmx.net>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 24a41c8fb5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The VideoCore blobs for the Raspberry Pi 1, 2, 3, Zero, Zero W and Zero
2 W are differents from the ones for the Raspberry Pi 4 and the Compute
Module 4.
The VideoCore blobs for the Raspberry Pi 4 are named with a 4[1] (i.e.
start4.elf, start4x.elf, start4db.elf and start4cd.elf).
This precises which VideoCore firmware blob files are present on the
Raspberry Pi 1, 2, 3, Zero W, Zero 2 W and which files are present on
the the Rapsberry Pi 4 and the Compute Module 4.
Note: The VideoCore blobs for the Raspberry Pi 5 are self-contained in
its bootloader EEPROM[1][2]; there is no additional files for pi5.
[1]: https://www.raspberrypi.com/documentation/computers/configuration.html#start-elf
[2]: https://www.raspberrypi.com/documentation/computers/config_txt.html#start_file-fixup_file
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7ebcfe3cb9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Any Raspberry Pi may use device-tree overlays; it is not restricted to
Raspberry Pi 3 and 4.
The defconfigs for the Raspberry Pi 3, 4, 400, Zero W, Zero 2 W, Compute
Module 4 and 4s use the miniuart-bt dtoverlay to switch the Bluetooth to
the mini-UART (ttyS0) and restore UART0 (ttyAMA0) over GPIOs 14 and 15
to enable the serial console (like the Raspberry Pi 1 and 2 that have no
Bluetooth)[1][2].
As a consequence, the Raspberry Pi Zero W, Zero 2 W, 400, Compute Module
4 and 4s install the device-tree overlays as well.
This rewords the note by adding the three missing hardwares installing
the images/rpi-firmware/overlays directory. It rewords the miniuart note
at the same time.
[1]: https://www.raspberrypi.com/documentation/computers/configuration.html#uarts-and-device-tree
[2]: https://github.com/raspberrypi/linux/blob/rpi-6.6.y/arch/arm/boot/dts/overlays/miniuart-bt-overlay.dts#L4-L6
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a642bed09a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Changelog:
* v2.4.3 - 02/28/2025
* Fix memory safety with some older `strerror_r()` implementations in error
formatters for all modules.
* Build
* Fix character device GPIO support tests in Makefile for alternate
shells and older versions of make.
* Fix cross-compilation in Makefile from Windows.
* Fix CMake minimum required version.
* Add CMake package generation.
* Contributors
* Ryan Barnett, @rjbarnet - ec31b39
* javalikescript, @javalikescript - 024a25d
* HopeCollector, @HopeCollector - aca6815, b5e53e6
The hash of the license file has changed due to a copyright year
change:
- Copyright (c) 2014-2023 vsergeev / Ivan (Vanya) A. Sergeev
+ Copyright (c) 2014-2025 vsergeev / Ivan (Vanya) A. Sergeev
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 638fe82e8b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Upstream changelog from
https://github.com/google/double-conversion/releases/tag/v3.3.1:
Hash pin Github workflows by @joycebrum in #198
Create dependabot.yml by @joycebrum in #199
Add _ITERATOR_DEBUG_LEVEL=2 and _DEBUG defines by @ffa-csturdy in #202
Add bzlmod MODULE.bazel file by @jsharpe in #205
Add CIFuzz Github Action by @DavidKorczynski in #203
Update MODULE.bazel and README.md. by @BYVoid in #234
Remove the explicit dependency on rules_cc. by @BYVoid in #235
Add missing headers by @BhavikaSharma in #239
Tested with the following configuration, which includes the only two
reverse dependencies of double-conversion.
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_INIT_NONE=y
BR2_SYSTEM_BIN_SH_NONE=y
# BR2_PACKAGE_BUSYBOX is not set
BR2_PACKAGE_QT6=y
BR2_PACKAGE_PYTHON3=y
BR2_PACKAGE_PYTHON_UJSON=y
# BR2_TARGET_ROOTFS_TAR is not set
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7ffdf75311)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building a firmware for the MACCHIATObin with edk2 and
arm-trusted-firmware, the build can randomly fail with the
following make error:
make[1]: Circular output/build/edk2-edk2-stable202411/.stamp_configured <- arm-trusted-firmware dependency dropped.
The message appears also when the build is not failing, depending on
the number of parallel jobs and the build order.
The issue can be observed with the following commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="a80x0_mcbin"
BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33=y
BR2_TARGET_BINARIES_MARVELL=y
BR2_TARGET_EDK2=y
BR2_TARGET_EDK2_PLATFORM_SOLIDRUN_ARMADA80X0MCBIN=y
BR2_TARGET_MV_DDR_MARVELL=y
EOF
make olddefconfig
utils/brmake
grep -FC5 'dependency dropped' br.log
The circular dependency happen due to [1] and [2].
In fact, only TF-A depends on EDK II (passed as BL33) for building and
not vice versa. See [3]. The EDK II "SolidRun MacchiatoBin" platform
build does not need any TF-A image, compared to some other platforms
such as "Socionext DeveloperBox" or "QEMU SBSA" which are referencing
TF-A images in a hook added in EDK2_PRE_BUILD_HOOKS.
Drop the false dependency on TF-A to fix the build.
This issue has been present since the EDK2 introduction in commit [4].
[1] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.02/boot/arm-trusted-firmware/arm-trusted-firmware.mk#L121
[2] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.02/boot/edk2/edk2.mk#L118
[3] https://github.com/Semihalf/edk2-platforms/wiki/Build_firmware
[4] 1074a37e78
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
[Julien: add extra info in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7361a155ef)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When Building arm-trusted-firmware for the Macchiatobin platform
(a80x0_mcbin), which depends on the mv-ddr-marvell package, the build fails
complaining that this package's folder "does not contain valid
mv-ddr-marvell git repository".
This is expected under Buildroot, where we use intermediate archives.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="a80x0_mcbin"
BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33=y
BR2_TARGET_BINARIES_MARVELL=y
BR2_TARGET_EDK2=y
BR2_TARGET_EDK2_PLATFORM_SOLIDRUN_ARMADA80X0MCBIN=y
BR2_TARGET_MV_DDR_MARVELL=y
EOF
make olddefconfig
make
The build is failing with the error message:
plat/marvell/armada/a8k/common/ble/ble.mk:34: *** "'MV_DDR_PATH=/buildroot/output/build/mv-ddr-marvell-d5acc10c287e40cc2feeb28710b92e45c93c702c' was specified, but '/buildroot/output/build/mv-ddr-marvell-d5acc10c287e40cc2feeb28710b92e45c93c702c' does not contain valid mv-ddr-marvell git repository". Stop.
Add patches to fix the build for this platform, for a few versions of TF-A
(v2.6, v2.7, v2.8, lts-v2.8.20, v2.9, v2.10, lts-v2.10.5, v2.11, v2.12 and
lts-v2.12.1).
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Dick Olsson <hi@senzilla.io>
Cc: Sergey Matyukevich <geomatsi@gmail.com>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fd02add21b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libv4l has some really special code that is built explicitly with
_FILE_OFFSET_BITS=32, which doesn't work with _TIME_BITS=64, causing
build failures when BR2_TIME_BITS_64=y. This build issue has been
fixed upstream. While how the upstream patch exactly works is unclear,
it's the patch that upstream has decided to implement to resolve the
build issue, so we simply backport it.
The issue exists since at least upstream commit
99f245f5e2826c7ae3ac8de530bc2fbd906eb62b, which was merged in
v4l-utils 1.26.0.
Fixes:
https://autobuild.buildroot.org/results/616608ef2a44efff67fa21b3263b341da82744c4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: add upstream commit url in patch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit bdb5809adf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
host-pahole build fails with recent host-cmake versions, producing the
following error:
CMake Deprecation Warning at CMakeLists.txt:1 (cmake_minimum_required):
Compatibility with CMake < 3.5 will be removed from a future version
of
CMake.
Update the VERSION argument <min> value or use a ...<max> suffix to
tell
CMake that the project does not need compatibility with older
versions.
The issue can be reproduced with a minimal defconfig:
BR2_arm=y
BR2_cortex_a7=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_DEFCONFIG="versatile"
BR2_LINUX_KERNEL_NEEDS_HOST_PAHOLE=y
And host-cmake >= 4.0.0
The issue has already been fixed in the upstream pahole project and is
included in versions >= 1.28.
Fix the issue on the current LTS branch by bringing the fixing commit
from upstream.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Fixes the following security issues:
- CVE-2025-27830: An issue was discovered in Artifex Ghostscript before
10.05.0. A buffer overflow occurs during serialization of DollarBlend in
a font, for base/write_t1.c and psi/zfapi.c.
- CVE-2025-27831: An issue was discovered in Artifex Ghostscript before
10.05.0. The DOCXWRITE TXTWRITE device has a text buffer overflow via
long characters to devices/vector/doc_common.c.
- CVE-2025-27832: An issue was discovered in Artifex Ghostscript before
10.05.0. The NPDL device has a Compression buffer overflow for
contrib/japanese/gdevnpdl.c.
- CVE-2025-27833: An issue was discovered in Artifex Ghostscript before
10.05.0. A buffer overflow occurs for a long TTF font name to
pdf/pdf_fmap.c.
- CVE-2025-27834: An issue was discovered in Artifex Ghostscript before
10.05.0. A buffer overflow occurs via an oversized Type 4 function in a
PDF document to pdf/pdf_func.c.
- CVE-2025-27835: An issue was discovered in Artifex Ghostscript before
10.05.0. A buffer overflow occurs when converting glyphs to Unicode in
psi/zbfont.c.
- CVE-2025-27836: An issue was discovered in Artifex Ghostscript before
10.05.0. The BJ10V device has a Print buffer overflow in
contrib/japanese/gdev10v.c.
- CVE-2025-27837: An issue was discovered in Artifex Ghostscript before
10.05.0. Access to arbitrary files can occur through a truncated path
with invalid UTF-8 characters, for base/gp_mswin.c and base/winrtsup.cpp.
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs10050
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9abf662cfd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Both openh264 2.6.0 and 2.5.1 contain the fix for this CVE (see the
release notes at [1]).
In other words the version we have is no longer vulnerable since
a7aeb5a46e ("package/libopenh264:
security bump to version 2.5.1") but pkg-stats still reports it.
An email was sent to the NVD to fix the CPE version number, but in the
meantime let's ignore it to reduce the noise in our CVE checker.
[1]: https://github.com/cisco/openh264/releases/tag/2.5.1
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 2488d97719)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Upstream did a change in sqlite3.pc.in that does work with their
default build system, but not with the autoconf-based amalgamation
that we use. This issue has been reported and fixed upstream, but the
fix is not yet in any new release.
For the time being, we just revert the upstream change. We don't do a
direct revert ("git revert") as multiple upstream commits touched this
very line, so we simply revert to what it was prior to the different
changes, and to what the upstream fix ends up doing.
This issue is causing build issue for all packages that use sqlite's
pkg-config file, in a static-linking configuration.
Fixes:
https://autobuild.buildroot.org/results/1824a76eee4a877a2f19c1fd19a710ef9f059168/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit db481210e9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
- Update syslogd -T documentation, it applies to messages originating
both locally and from remote syslog servers
- Fix hostname filtering support, introduced in v2.7.0, broken
- Fix parsing of userspace messages in /dev/kmsg, inserted an
extra space before the message payload
From https://github.com/troglobit/sysklogd/releases/tag/v2.7.1
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7a0725723b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Running pkg-stats is currently quite verbose, as it shows one line per
package when checking for the upstream URL, and another one line per
package when checking for the latest version on
release-monitoring.org.
This noisy output is a bit annoying when pkg-stats is run in a
cronjob, like we do to update https://autobuild.buildroot.net/stats/
every day. This commit adds a -v/--verbose option, off by default, to
have a less noisy output.
Suggested-by: Peter Korsgaard <peter@korsgaard.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 203e9def71)
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
This reverts commit 27ab880ebb.
With the (proposed) fix from the openssl developers added as
0004-Serialize-install-process-to-avoid-multiple-make-dep.patch, the
workaround can now be dropped so openssl can again be built and installed in
parallel, significantly speeding up builds.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 86f173a744)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The openssl developers have proposed a fix for the parallel installation
issue worked around by commit 27ab880ebb (package/libopenssl do not build
in parallel).
Add the fix here so the workaround can dropped again.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 36b0a3ef9c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] which introduced this defconfig using a
Kernel 6.6.x series, the build can fail with error:
certs/extract-cert.c:21:10: fatal error: openssl/bio.h: No such file or directory
The issue is generally masked by the build order, as
arm-trusted-firmware selects BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
which requires host-openssl.
The issue can be reproduced in the Buildroot Docker reference image,
using the commands:
utils/docker-run
make ls1043a-rdb_defconfig
make linux
This commit fixes the issue by explicitly adding
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y to the defconfig.
[1] 34b047a442
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 11315d4787)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] which introduced this defconfig using a
Kernel 6.6.x series, the build can fail with error:
certs/extract-cert.c:21:10: fatal error: openssl/bio.h: No such file or directory
The issue is generally masked by the build order, as
arm-trusted-firmware selects BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
which requires host-openssl.
The issue can be reproduced in the Buildroot Docker reference image,
using the commands:
utils/docker-run
make ls1046a-rdb_defconfig
make linux
This commit fixes the issue by explicitly adding
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y to the defconfig.
[1] 774035189f
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a83242f131)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] updating the defconfig to use Kernel 6.6.x
series, the build can fail with error:
certs/extract-cert.c:21:10: fatal error: openssl/bio.h: No such file or directory
The issue is generally masked by the build order, as
arm-trusted-firmware selects BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
which requires host-openssl.
The issue can be reproduced in the Buildroot Docker reference image,
using the commands:
utils/docker-run
make ls1046a-frwy_defconfig
make linux
This commit fixes the issue by explicitly adding
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y to the defconfig.
[1] 0344e5dae6
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 094f7a5b86)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] updating the defconfig to use Kernel 6.6.x
series, the build can fail with error:
certs/extract-cert.c:21:10: fatal error: openssl/bio.h: No such file or directory
The issue is generally masked by the build order, as
arm-trusted-firmware selects BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
which requires host-openssl.
The issue can be reproduced in the Buildroot Docker reference image,
using the commands:
utils/docker-run
make ls1028ardb_defconfig
make linux
This commit fixes the issue by explicitly adding
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y to the defconfig.
[1] 7cbc240ac2
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5d0ec3b6a4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issues:
- CVE-2024-57970: libarchive through 3.7.7 has a heap-based buffer
over-read in header_gnu_longlink in archive_read_support_format_tar.c
via a TAR archive because it mishandles truncation in the middle of a
GNU long linkname.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2024-57970
- 8291210321
- CVE-2025-1632: This affects the function list of the file bsdunzip.c.
The manipulation leads to null pointer dereference. It is possible
to launch the attack on the local host.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-1632
- c9bc934e7e
- CVE-2025-25724: list_item_verbose in tar/util.c in libarchive through 3.7.7
does not check an strftime return value, which can lead to a denial of
service or unspecified other impact via a crafted TAR archive that is read
with a verbose value of 2.
For example, the 100-byte buffer may not be sufficient for a custom locale.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-25724
- c9bc934e7e
The patch added in [1] are still needed for this version bump.
For more details on the version bump, see the release notes:
- https://github.com/libarchive/libarchive/releases/tag/v3.7.8
- https://github.com/libarchive/libarchive/releases/tag/v3.7.9
[1] 9ac63a3360 package/libarchive: fix uclibc build with libiconv (again)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fde0b3fe1c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
- CVE-2025-2588: This vulnerability affects the function
re_case_expand of the file src/fa.c. The manipulation of the
argument re leads to null pointer dereference
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-2588
- af2aa88ab3
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add patch name in comment near _IGNORE_CVES]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c497e5fcc7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch introduced in [1] that fixed the CVE-2024-0962 is now
available upstream in the 4.3.5 release [2].
This commit also updates the LICENSE file hash, after adding reference
to wolfSSL in [3].
For more details see the release note:
https://github.com/obgm/libcoap/blob/v4.3.5/ChangeLog
[1] 9002b818be package/libcoap: fix CVE-2024-0962
[2] 2b28d8b0e9
[3] e3a662a934
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: fix LICENSE file hash]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4df4d1d312)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
No functional change, but bump for consistency.
The patch that was applied by Buildroot has been applied to gstreamer.
The kate plugin has disappeared from gstreamer.
The webp plugin now requires webp_mux to compile.
The webrtc plugin now requires to be compile with plugins dtls, sctp and
srtp.
For more details, see the release notes:
https://gstreamer.freedesktop.org/releases/1.24/
Signed-off-by: Thomas Bonnefille <thomas.bonnefille@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 90b3cfedf4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Tested on QEMU using the qemu_m68k_q800_defconfig configuration, with a
switch of the toolchain to uclibc-ng and enabling rsyslog.
This patch addresses an issue where rsyslog’s pthread_cond_wait was
busy-looping due to futex_time64 repeatedly returning EINVAL. The
correction in NPTL alignment resolves the 100% CPU usage problem.
This patch is fixed upstream [1] so apply it until it is tagged.
[1]: 278ac6b30 ("m68k: fix alignment in NPTL code")
Signed-off-by: Jean-Michel Hautbois <jeanmichel.hautbois@yoseli.org>
[Julien:
- rename patch to 0002
- add "Upstream:" tag in patch to fix check-package error
- add "Signed-off-by:" in patch
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 53eae986a5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
uClibc-ng unconditionally exposes a reallocarray() prototype, but only
provides the implementation when the malloc-standard implementation is
selected in the configuration.
As noMMU configurations can't use malloc-standard, they use malloc or
malloc-simple that don't provide reallocarray().
As a result of reallocarray() being missing, some packages such as
util-linux provide their own replacement implementation... but its
prototype clashes with the one provided by uClibc, causing build
failures such as:
In file included from lib/color-names.c:7:
./include/c.h:586:21: error: static declaration of ‘reallocarray’ follows non-static declaration
586 | static inline void *reallocarray(void *ptr, size_t nmemb, size_t size)
| ^~~~~~~~~~~~
In file included from ./include/c.h:16:
/home/thomas/projets/buildroot/output/host/arm-buildroot-uclinux-uclibcgnueabi/sysroot/usr/include/stdlib.h:898:14: note: previous declaration of ‘reallocarray’ with type ‘void *(void *, size_t, size_t)’ {aka ‘void *(void *, unsigned int, unsigned int)’}
898 | extern void *reallocarray (void *__ptr, size_t __m, size_t __n);
| ^~~~~~~~~~~~
make[3]: *** [Makefile:12354: lib/libtcolors_la-color-names.lo] Error 1
This is addressed by a patch on uClibc, submitted upstream, which
makes sure the prototype is only exposed when the implementation is
provided.
The issue can be reproduced with commands:
cat <<EOF >.config
BR2_arm=y
BR2_cortex_m4=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PACKAGE_UTIL_LINUX=y
BR2_PACKAGE_UTIL_LINUX_KILL=y
EOF
make olddefconfig
make util-linux
Fixes:
https://autobuild.buildroot.net/results/157aa82aa4cd57eacc4defe6cace16e464261e9a/ (RISC-V noMMU)
https://autobuild.buildroot.net/results/ce1a24c1465b82686ae375ac688a553fb65df5ea/ (ARM noMMU)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[Julien: add commands to reproduce the issue in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 01895663d3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
glibc fails to build on RISC-V 32-bit with the ilp32f ABI and on
RISC-V 64-bit with the lp64f: both use single-point precision floating
point, which glibc doesn't support, failing during the configure step
with:
configure: error: glibc does not yet support the single floating-point ABI
Fix that by disabling glibc support on those configurations.
Fixes:
https://autobuild.buildroot.org/results/fe8d569cab507992978ef0da649278dd3a9e0b23/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8292b8fb89)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Use the 'C' locale when retrieving the date of the last change using
'svn info' since the svn download helper script expect
"Last Changed Date" string.
If another locale is used, the 'date' is empty so the generated
archive (by mk_tar_gz) will not match the expected hash since
the file timestamp is not set properly.
If LANG=fr_FR.UTF-8 is defined in the host system, svn print some
"French encrypted" text:
eval svn --non-interactive --config-option servers:global:http-timeout=10 info ''\''https://svn.code.sf.net/p/xmlrpc-c/code/advanced@r3176'\'''
...
Date de la dernière modification: 2023-09-02 19:13:35 +0200 (sam. 02 sept. 2023)
diffoscope confirm that the file timestamp is not set correctly
in the generated archive:
$ diffoscope NOK/libxmlrpc-r3176-svn5.tar.gz OK/libxmlrpc-r3176-svn5.tar.gz
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8d3b1781f6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security issue:
CVE-2025-27091: OpenH264 Decoding Functions Heap Overflow Vulnerability
A vulnerability in the decoding functions of OpenH264 codec library could
allow a remote, unauthenticated attacker to trigger a heap overflow.
This vulnerability is due to a race condition between a Sequence Parameter
Set (SPS) memory allocation and a subsequent non Instantaneous Decoder
Refresh (non-IDR) Network Abstraction Layer (NAL) unit memory usage. An
attacker could exploit this vulnerability by crafting a malicious bitstream
and tricking a victim user into processing an arbitrary video containing the
malicious bitstream. An exploit could allow the attacker to cause an
unexpected crash in the victim's user decoding client and, possibly, perform
arbitrary commands on the victim's host by abusing the heap overflow.
https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9xhttps://github.com/cisco/openh264/releases/tag/2.5.1
The upstream tag now has no 'v' prefix, so drop it from _SITE.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a7aeb5a46e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
23.2.5 fixes the following security issues:
1) CVE-2024-31080: Heap buffer overread/data leakage in ProcXIGetSelectedEvents
Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0
Found by: Alan Coopersmith of Oracle Solaris, while investigating
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
The ProcXIGetSelectedEvents() function uses the byte-swapped length of the
return data for the amount of data to return to the client, if the client
has a different endianness than the X server.
2) CVE-2024-31081: Heap buffer overread/data leakage in ProcXIPassiveGrabDevice
Introduced in: xorg-server-1.7.0 (2009)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645d
Found by: Alan Coopersmith of Oracle Solaris
The ProcXIPassiveGrabDevice() function uses the byte-swapped length of the
return data for the amount of data to return to the client, if the client
has a different endianness than the X server.
3) CVE-2024-31083: User-after-free in ProcRenderAddGlyphs
Introduced in: prior to X11R6.7 (2004)
Fixed in: xorg-server-21.1.12 and xwayland-23.2.5
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb3160
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The ProcRenderAddGlyphs() function calls the AllocateGlyph() function
to store new glyphs sent by the client to the X server. AllocateGlyph()
would return a new glyph with refcount=0 and a re-used glyph would end up
not changing the refcount at all. The resulting glyph_new array would thus
have multiple entries pointing to the same non-refcounted glyphs.
ProcRenderAddGlyphs() may free a glyph, resulting in a use-after-free when
the same glyph pointer is then later used.
https://lists.x.org/archives/xorg-announce/2024-April/003497.html
24.1.4 fixes the following security issues:
1) CVE-2024-9632: Heap-based buffer overflow privilege escalation in
_XkbSetCompatMap
Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.14 and xwayland-24.1.4
Fix:
85b7765714
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
xorg-server-21.1.14 and xwayland-24.1.4 have been patched to fix this issue.
https://lists.x.org/archives/xorg-announce/2024-October/003545.html
24.1.6 fixes the following security issues:
1) CVE-2025-26594: Use-after-free of the root cursor
Introduced in: Unknown - Prior to X11R6.6 Xorg baseline
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The root cursor is referenced in the xserver as a global variable. If
a client manages to free the root cursor, the internal reference points
to freed memory and causes a use-after-free.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
2) CVE-2025-26595: Buffer overflow in XkbVModMaskText()
Introduced in: Prior to X11R6.1
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the names of the virtual modifiers to that buffer.
The code however fails to check the bounds of the buffer correctly and
would copy the data regardless of the size, which may lead to a buffer
overflow.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
3) CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
Introduced in: initial version of xc/programs/Xserver/xkb/xkb.c in X11R6
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), which may lead to a heap based
buffer overflow.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
4) CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
Introduced in: X11R6.1
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
If XkbChangeTypesOfKey() is called with 0 group, it will resize the key
symbols table to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value of groups,
this will cause a buffer overflow because the key actions are of the wrong
size.
5) CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
Introduced in: xorg-server-1.14.0
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The function GetBarrierDevice() searches for the pointer device based on
its device id and returns the matching value, or supposedly NULL if no
match was found.
However the code will return the last element of the list if no matching
device id was found which can lead to out of bounds memory access.
6) CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
Introduced in: Xorg 6.8.0.
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84behttps://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The function compCheckRedirect() may fail if it cannot allocate the backing
pixmap. In that case, compRedirectWindow() will return a BadAlloc error
without the validation of the window tree marked just before, which leaves
the validate data partly initialized, and the use of an uninitialized pointer
later.
7) CVE-2025-26600: Use-after-free in PlayReleasedEvents()
Introduced in: X11R5
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed and replaying the events
will cause a use after free.
8) CVE-2025-26601: Use-after-free in SyncInitTrigger()
Introduced in: X11R6
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242dhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2fhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
When changing an alarm, the values of the change mask are evaluated one
after the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
If one of the changes triggers an error, the function will return early,
not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
https://lists.x.org/archives/xorg-announce/2025-February/003584.html
Drop now removed xwayland_eglstream option:
701284f057
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 57d2bdb123)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit f2a862fe60 (package/dillo: move to github) changed the source
site for the Dillo package. This change introduced a trailing slash at
the end of the URL.
This cause an error when running `make show-info` with `BR2_PACKAGE_DILLO=y`:
```
package/dillo/dillo.mk:46: *** DILLO_SITE (https://github.com/dillo-browser/dillo/releases/download/v3.0.5/) cannot have a trailing slash. Stop.
```
This commit removes the trailing slash.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a3b4ae2eac)
Fixes the following security issues:
- CVE-2024-24258: freeglut 3.4.0 was discovered to contain a memory leak
via the menuEntry variable in the glutAddSubMenu function.
- CVE-2024-24259: freeglut through 3.4.0 was discovered to contain a
memory leak via the menuEntry variable in the glutAddMenuEntry
function.
https://nvd.nist.gov/vuln/detail/CVE-2024-24258https://nvd.nist.gov/vuln/detail/CVE-2024-24259
The CVEs are not technically reported for the libfreeglut package
itself (which doesn't have a CPE identifier) but for mupdf.
Note that mudpf provides its own (old) version of freeglut, but our
mupdf package uses the Buildroot-provided freeglut (which now contains
the fix).
It also has to be noted that a more recent release of libfreeglut
exists upstream, and it fixes the same CVEs. Bumping our package
version however requires more work that can be done separately.
Including this patch first also has the advantage that it can easily
be backported wherever it's needed.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 0f4fef076f)
FreeRDP fails to build on newer gcc:
/freerdp-2.11.7/libfreerdp/core/info.c:88:39: error: initialization of 'const WCHAR *' {aka 'const short unsigned int *'} from incompatible pointer type 'BYTE *' {aka 'unsigned char *'} [-Wincompatible-pointer-types]
88 | const WCHAR* domain = Stream_Pointer(s);
| ^~~~~~~~~~~~~~
There is a patch upstream [0] to fix that one, but then another similar
build failure triggers, which is also fixed upstream, but then a third
failre triggers, again fixed upstream [2], but then...
FreeRDP 2.x has been kinda discontinued, and the new stable is 3.x.
However, bumping to 3.x looks like a huge leap.
So, rather than backport, just bump to the latest commit on the
stable-2.0 branch, which carries 12 non-merge commits with build fixes:
562ae3588 [winpr,pubsub] add NULL parameter checks
68c7c21b9 X11 client: ignore grab related LeaveNotify events
a9deecc99 fix [core]: 'invalid hHandle' errors
052c525e0 [core] eliminate rdpRdp::instance
be23ed4ba [server,proxy] deactivate capture module
5b2b53b15 [warnings] fix -Wincompatible-pointer-types
67818bddb [client,wayland] fix const correctness
d2b6771c7 X11: fix pointer/integer type mismatch
[2] 7894a7dfc redirection: Fix incompatible pointer type
[1] f3ed1f1ac redirection: Fix incompatible pointer type
[0] 4f411197d info: Fix incompatible pointer type
a383740a2 next-dev-2.11.8-dev
Fixes:
http://autobuild.buildroot.org/results/e1b/e1b95b4fb0005d4e933b027b508cec9ad510bd73/http://autobuild.buildroot.org/results/ba0/ba0beae13e1be2573878ee50b1566f4427b269a3/
...
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 15f15cfe01)
The libcap Makefile is hand-coded (i.e. not autotools), and hard-codes
calls to /sbin/ldconfig, unless it is installed out-of-tree. For target
packages, this is done, but for host package this is not done, as we
do set PREFIX instead, which causes libcap's Makefile to call ldconfig
and emits a spurious warning (twice):
install -m 0755 libcap.so.2.73 /home/ymorin/dev/buildroot/O/master/per-package/host-libcap/host/lib/libcap.so.2.73
ln -sf libcap.so.2.73 /home/ymorin/dev/buildroot/O/master/per-package/host-libcap/host/lib/libcap.so.2
ln -sf libcap.so.2 /home/ymorin/dev/buildroot/O/master/per-package/host-libcap/host/lib/libcap.so
/sbin/ldconfig
/sbin/ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
make[4]: [Makefile:200: install-shared-cap] Error 1 (ignored)
This is just a warning, but it is incorrect still.
Fake an out-of-tree install with a non-empy DESTDIR that is just '/',
and thus does in fact not install out-of-tree. This is enough to
actually silence the warning. Add a little comment to explain that.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd@kuhls.net>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e172bb48d3)
Since upstream commit [1] the original v4l2loopback-ctl bash script was
replaced by a C version, so add a proper compile step (and remove bash
runtime dependency) to fix '[help] v4l2loopback package build fails for
raspberrypi5' [2].
The issue can be reproduced with the commands:
cat <<EOF >.config
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_PACKAGE_V4L2LOOPBACK=y
BR2_PACKAGE_V4L2LOOPBACK_UTILS=y
EOF
make olddefconfig
make v4l2loopback
Note: upstream commit [1] was introduced in version v0.13.0.
Buildroot bumped v4l2loopback to v0.13.2 in [3].
Fixes:
/usr/bin/install: cannot stat
'.../build/v4l2loopback-0.13.2/utils/v4l2loopback-ctl':
No such file or directory
[1] 33922fa4e9
[2] https://lists.busybox.net/pipermail/buildroot/2025-March/775911.html
[3] 02540771bc
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Julien:
- add commands to reproduce the issue
- add reference to buildroot commit introducing the issue
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5d85d23e16)
This is a corrective release over GDB 16.1, fixing the following issues:
PR build/32578 (cannot build GDB 16.1 out of tree when calling the configure script with a relative path)
PR tui/32592 ([gdb/tui] internal error in tui-winsource.c:340:refresh_window)
PR remote/32593 (Incompatibilities between GDB's and LLDB's 'x' packet implementation)
PR build/32610 (Missing #include file in darwin_nat.c)
None of which is really super important for Buildroot, but at least
we're using the latest without wondering why we're not.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0a5a0772c2)
21.1.14 fixes the following security issues:
1) CVE-2024-9632: Heap-based buffer overflow privilege escalation in
_XkbSetCompatMap
Introduced in: xorg-server-1.1.1 (2006)
Fixed in: xorg-server-21.1.14 and xwayland-24.1.4
Fix:
85b7765714
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The _XkbSetCompatMap() function attempts to resize the `sym_interpret`
buffer.
However, It didn't update its size properly. It updated `num_si` only,
without updating `size_si`.
This may lead to local privilege escalation if the server is run as root
or remote code execution (e.g. x11 over ssh).
xorg-server-21.1.14 and xwayland-24.1.4 have been patched to fix this issue.
https://lists.x.org/archives/xorg-announce/2024-October/003545.htmlhttps://lists.x.org/archives/xorg-announce/2024-October/003546.html
21.1.16 fixes the following security issues:
1) CVE-2025-26594: Use-after-free of the root cursor
Introduced in: Unknown - Prior to X11R6.6 Xorg baseline
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The root cursor is referenced in the xserver as a global variable. If
a client manages to free the root cursor, the internal reference points
to freed memory and causes a use-after-free.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
2) CVE-2025-26595: Buffer overflow in XkbVModMaskText()
Introduced in: Prior to X11R6.1
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The code in XkbVModMaskText() allocates a fixed sized buffer on the
stack and copies the names of the virtual modifiers to that buffer.
The code however fails to check the bounds of the buffer correctly and
would copy the data regardless of the size, which may lead to a buffer
overflow.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
3) CVE-2025-26596: Heap overflow in XkbWriteKeySyms()
Introduced in: initial version of xc/programs/Xserver/xkb/xkb.c in X11R6
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The computation of the length in XkbSizeKeySyms() differs from what is
actually written in XkbWriteKeySyms(), which may lead to a heap based
buffer overflow.
xorg-server-21.1.16 and xwayland-24.1.6 have been patched to fix this issue.
4) CVE-2025-26597: Buffer overflow in XkbChangeTypesOfKey()
Introduced in: X11R6.1
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
If XkbChangeTypesOfKey() is called with 0 group, it will resize the key
symbols table to 0 but leave the key actions unchanged.
If later, the same function is called with a non-zero value of groups,
this will cause a buffer overflow because the key actions are of the wrong
size.
5) CVE-2025-26598: Out-of-bounds write in CreatePointerBarrierClient()
Introduced in: xorg-server-1.14.0
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The function GetBarrierDevice() searches for the pointer device based on
its device id and returns the matching value, or supposedly NULL if no
match was found.
However the code will return the last element of the list if no matching
device id was found which can lead to out of bounds memory access.
6) CVE-2025-26599: Use of uninitialized pointer in compRedirectWindow()
Introduced in: Xorg 6.8.0.
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84behttps://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
The function compCheckRedirect() may fail if it cannot allocate the backing
pixmap. In that case, compRedirectWindow() will return a BadAlloc error
without the validation of the window tree marked just before, which leaves
the validate data partly initialized, and the use of an uninitialized pointer
later.
7) CVE-2025-26600: Use-after-free in PlayReleasedEvents()
Introduced in: X11R5
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
When a device is removed while still frozen, the events queued for that
device remain while the device itself is freed and replaying the events
will cause a use after free.
8) CVE-2025-26601: Use-after-free in SyncInitTrigger()
Introduced in: X11R6
Fixed in: xorg-server-21.1.16 and xwayland-24.1.6
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242dhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2fhttps://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
When changing an alarm, the values of the change mask are evaluated one
after the other, changing the trigger values as requested and eventually,
SyncInitTrigger() is called.
If one of the changes triggers an error, the function will return early,
not adding the new sync object.
This can be used to cause a use after free when the alarm eventually
triggers.
https://lists.x.org/archives/xorg-announce/2025-February/003584.htmlhttps://lists.x.org/archives/xorg-announce/2025-February/003585.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 65be2c6ac0)
Since Buildroot commit [1], the test_gstreamer1 runtime test is
failing to build the tesseract-ocr package. The root cause is that
the test uses the default arm external toolchain, which is the Linaro
ARM 2018.05 based on gcc 7.3.1.
Since [1], tesseract-orc no longer compiles with gcc 7 (it requires at
least gcc 8).
This commit fixes the issue by switching the toolchain to the
bootlin versions (based on gcc 14 at the time of this commit).
Also, changing the compiler version slightly slowed down the video
encoding. This commit also increases the encoding command timeout.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/9407846232
[1] f32da8b984
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 356c70677c)
Since Buildroot commit [1] tesseract-ocr fails to build with gcc 7,
with error:
src/api/baseapi.cpp:67:10: fatal error: filesystem: No such file or directory
#include <filesystem> // for std::filesystem
^~~~~~~~~~~~
In Buildroot, tesseract-ocr has a C++17 requirement captured as
gcc >= 7. Gcc 7 has only a partial and experimental C++17 support,
which was sufficient, prior [1].
The tesseract-ocr upstream commit [2] introduced a usage of
std::filesystem. This commit is included in version 5.5.0,
bumped in [1].
The C++17 with std::filesystem support was introduced in gcc 8.1.
See [3].
This commit fixes the issue by raising the gcc version requirement to
8.x.
Fixes: f32da8b984
[1] f32da8b984
[2] 4e42f9de54
[3] https://gcc.gnu.org/gcc-8/changes.html#libstdcxx
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit 22ffdea9e6)
The busybox date applet accepts the following:
date @1234567
but this confuses the coreutils version which doesn't implicitly set
time. As some tests might need coreutils binaries we should ensure the
emulator login will work with both. Fix this by passing the -s (set)
option to the command.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit bfb490799e)
When time comes to check certificates, the date and time in the emulated
machine should be close enough to the actual values, so that certificate
validity can be checked.
Some Qemu machines have an RTC (e.g. arm vexpress-a9 has a pl031), and
the kernel needs a driver for those RTC. It is not guaranteed that the
machine used for a test meets those two conditions; in such a case, the
time in the machine starts way back in the past (1970-01-01T00:00:00Z on
sysv, or the release date of systemd). This is the case with the default
kernel, so such tests do not have the proper time.
Set the date to the date of the host system. This is going to be accurate
to the second, which is, by far, enough for our purpose.
To avoid having to consider what combination of emulated machine and kernel
configuration are being used, we always set the date, as this is a
generic step that should be done by the infra (like login in as root is).
The Emulator() class doesn't inherit from unittest.TestCase, so we can't
call any of the usual self.assertXXX() methods; instead, we just raise
a standard exception, like is done a few lines above to detect the login
prompt.
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Ricardo Martincoski <ricardo.martincoski@datacom.com.br>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cf8641b73e)
Add the LTS sponsors who engaged already for 2025: EVS, Open Home
Foundation, and Sense Labs. There is one more sponsor but they prefer to
remain anonymous.
For Open Home Foundation, we can reuse the existing logo. For the other
two, add their logo.
Add a new class panel-lts-sponsor for sizing the panels. It is different
from panel-sponsor because there doesn't need to be space for an
explanation of what type of sponsorship is done, we just need to have
space for the company name. So the minimum height is 200px instead of
350px.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b111e07fd5)
The Open Home Foundation logo is in a white area that is too large for
how we display it on the sponsors page. As a result, it ends up at the
bottom of the logo area and it looks very unbalanced.
Crop the logo to a tigher area. Since it is going to end up being
scaled, it's difficult to predict what the best size it is, but cropping
at a height of 300 pixels gives a visually pleasing layout at at least
some resolutions.
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e287bc7f44)
Patch has been on upstream main for close to 2 years.
The "uint" use was introduced with [1] and [2], released with
mesa3d-demos 9.0.0 from March 2023, and added to Buildroot with commit
80304d9911 "package/mesa3d-demos: bump version to 9.0.0". The affected
code is built only if Wayland and Vulkan support are enabled, that is:
BR2_PACKAGE_LIBDECOR=y
BR2_PACKAGE_VULKAN_LOADER=y
BR2_PACKAGE_WAYLAND=y
[1] 813ebef767
[2] 5aaa7faeb4
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cf4f2f858d)
Vulkan support in mesa3d-demos requires vulkan-loader. Without an
explicit config flag it is autodetected, and may or may not be enabled
depending on build order, leading to unpredictable results.
Fix this by explicitly enabling Vulkan support and depending on
vulkan-loader if BR2_PACKAGE_VULKAN_LOADER=y, and disabling Vulkan
support otherwise.
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7a55e82cb8)
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: rebase patch after merge of next branch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 76f9e5dede)
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
[Julien: rebase patch after merge of next branch]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 03cda9370f)
Enabling BR2_PACKAGE_LINUX_TOOLS_SELFTESTS (on rock5b_defconfig,
which uses kernel 6.12 at the time of writing), results in:
make[1]: Leaving directory '/br/output/build/linux-endpoint-test/tools/testing/selftests'
ERROR: architecture for "/usr/lib/kselftests/tc-testing/action-ebpf" is "Linux BPF", should be "AArch64"
make: *** [package/pkg-generic.mk:402: /br/output/build/linux-tools/.stamp_installed] Error 1
To solve this, add /usr/lib/kselftests/tc-testing/ to
LINUX_TOOLS_BIN_ARCH_EXCLUDE.
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3a03cb2ad6)
support/scripts/check-bin-arch has an option -i to exclude a path
(or many paths by using -i multiple times).
This was implemented in commit 01d90f0d09 ("spport/check-bin-arch:
accept arbitrary per-package ignore paths").
Looking at this feature (which hasn't changed since being added),
we can see that check-bin-arch automatically adds a trailing slash
to all entries specified using -i.
Thus, specifying a path to a file, e.g.
"/usr/libexec/perf-core/tests/pe-file.exe" will cause check-bin-arch
to add "/usr/libexec/perf-core/tests/pe-file.exe/" to the IGNORES array.
When running the main loop, the file
"/usr/libexec/perf-core/tests/pe-file.exe" will thus not be ignored,
since it will not trigger a match the pattern that was added to the
IGNORES array ("/usr/libexec/perf-core/tests/pe-file.exe/").
This means that the -i option in check-bin-arch only supports directories
and not files.
Fix the LINUX_TOOLS_BIN_ARCH_EXCLUDE in
package/linux-tools/linux-tool-perf.mk.in to specify a directory, as the
existing LINUX_TOOLS_BIN_ARCH_EXCLUDE can never have actually worked.
Fixes: a7ad781626 ("package/linux-tools: Exclude checking PE binaries from perf test")
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 4d7292675a)
Due to how menuconfig works, a 'comment' entry following a 'config' entry
prevents correct indentation of items depending on the 'config'
entry. xilinx-embeddedsw currently shows as:
[*] xilinx-embeddedsw
*** xilinx-embeddedsw needs a bare metal toolchain for tuple microblazeel-xilinx-elf ***
(xilinx_v2024.2) xilinx-embeddedsw version (NEW)
[ ] versal plm (NEW)
[ ] versal psmfw (NEW)
[ ] zynqmp pmufw (NEW)
[ ] xilinx-prebuilt
So the 'versal *' and 'zynqmp pmufw' items are not indented even though
they should be.
Do like most other Config.in files which have the 'comment' before the
'config' entry, makeing it render as expected:
*** xilinx-embeddedsw needs a bare metal toolchain for tuple microblazeel-xilinx-elf ***
[*] xilinx-embeddedsw
(xilinx_v2024.2) xilinx-embeddedsw version (NEW)
[ ] versal plm (NEW)
[ ] versal psmfw (NEW)
[ ] zynqmp pmufw (NEW)
[ ] xilinx-prebuilt
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Neal Frager <neal.frager@amd.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 088808ccc7)
This is in the mainline kernel since v5.1-rc3:
9c38f1f04408 ("kconfig/[mn]conf: handle backspace (^H) key")
Quoting the commit's log:
"
Backspace is not working on some terminal emulators which do not send the
key code defined by terminfo. Terminals either send '^H' (8) or '^?' (127).
But currently only '^?' is handled. Let's also handle '^H' for those
terminals.
"
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d65c10c20a)
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
