Since the introduction of CMake 4 in several distributions such as
Alpine [1] or Arch [2], build errors started occurring for cmake
packages that included calls to cmake_minimum_required() or
cmake_policy() with a version older than 3.5 (see [3]).
This patch enforce building host-cmake when the host system provides
CMake 4 or newer.
This patch is only meant for LTS maintenance branches in which
the host-cmake was kept to a version less than 4.x. This is to avoid
too many unnecessary package updates and patches.
If a package fail to build on the master branch because of this error
it should be fixed instead.
[1] 21fe3cb10d
[2] b634e8ded6
[3] https://cmake.org/cmake/help/latest/release/4.0.html#deprecated-and-removed-features
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix the following vulnerability:
- CVE-2025-53859:
NGINX Open Source and NGINX Plus have a vulnerability in the
ngx_mail_smtp_module that might allow an unauthenticated attacker to
over-read NGINX SMTP authentication process memory; as a result, the
server side may leak arbitrary bytes sent in a request to the
authentication server. This issue happens during the NGINX SMTP
authentication process and requires the attacker to make preparations
against the target system to extract the leaked data. The issue
affects NGINX only if (1) it is built with the ngx_mail_smtp_module,
(2) the smtp_auth directive is configured with method "none," and (3)
the authentication server returns the "Auth-Wait" response header.
Note: Software versions which have reached End of Technical Support
(EoTS) are not evaluated.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-53859
- https://nginx.org/download/patch.2025.smtp.txt
(cherry picked from commit a0081aa1f8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When using a specific git repo and version for at91bootstrap3,
BR2_TARGET_AT91BOOTSTRAP3_LICENSE_FILES defaults to "LICENSES/MIT.txt".
However the git version we use (namely v3.10.3) does not provide this
file. Actually, it does not provide a license file at all. This causes
‘make legal-info’ to fail with:
>>> at91bootstrap3 v3.10.3 Collecting legal info
sha256sum: /builds/buildroot.org/buildroot/output/build/at91bootstrap3-v3.10.3/LICENSES/MIT.txt: No such file or directory
ERROR: while checking hashes from boot/at91bootstrap3/at91bootstrap3.hash
ERROR: LICENSES/MIT.txt has wrong sha256 hash:
ERROR: expected: 5a3809b1c2ba13b7242572322951311c584419f1f8516f665d6c06f0668d78de
ERROR: got :
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
Let's be explicit that there is no license file to check.
Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/12992815386
- https://gitlab.com/buildroot.org/buildroot/-/jobs/12992815390
Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit df61ce39c1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit backports an upstream patch fixing CVE-2024-10963. See:
https://github.com/linux-pam/linux-pam/issues/834https://github.com/linux-pam/linux-pam/pull/854
Fixes:
- CVE-2024-10963:
Pam: improper hostname interpretation in pam_access leads to access
control bypass
A flaw was found in pam_access, where certain rules in its
configuration file are mistakenly treated as hostnames. This
vulnerability allows attackers to trick the system by pretending
to be a trusted hostname, gaining unauthorized access. This issue
poses a risk for systems that rely on this feature to control who
can access certain services or terminals.
https://www.cve.org/CVERecord?id=CVE-2024-10963
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Julien:
- fix check-package errors
- add info in commit log
- rebase patch on v1.6.1 to avoid patch offsets
- add "CVE:" tag in patch
- add comment with patch name near _IGNORE_CVES in .mk
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b95ffe208b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Please note that the fix for CVE-2024-52615 introduces CVE-2025-59529
which is not fixed yet (https://github.com/avahi/avahi/pull/808). You
can mitigate this vulnerability by setting the `enable-wide-area=no`
option.
Patch `0011-properly-randomize-query-id-of-DNS-packets.patch` modify
`configure.ac` and then `AVAHI_AUTORECONF` is set.
This commit fixes the following vulnerabilities:
- CVE-2021-3468:
A flaw was found in avahi in versions 0.6 up to 0.8. The event used to
signal the termination of the client connection on the avahi Unix
socket is not correctly handled in the client_work function, allowing
a local attacker to trigger an infinite loop. The highest threat from
this vulnerability is to the availability of the avahi service, which
becomes unresponsive after this flaw is triggered.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2021-3468
- 447affe299
- CVE-2023-38469:
A vulnerability was found in Avahi, where a reachable assertion exists
in avahi_dns_packet_append_record.
https://www.cve.org/CVERecord?id=CVE-2023-38469
- CVE-2023-38470:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_escape_label() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38470
- a337a1ba7d
- CVE-2023-38471:
A vulnerability was found in Avahi. A reachable assertion exists in
the dbus_set_host_name function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38471
- github.com/avahi/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
- CVE-2023-38472:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_rdata_parse() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38472
- b024ae5749
- CVE-2023-38473:
A vulnerability was found in Avahi. A reachable assertion exists in
the avahi_alternative_host_name() function.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2023-38473
- b448c9f771
- CVE-2024-52615:
A flaw was found in Avahi-daemon, which relies on fixed source ports
for wide-area DNS queries. This issue simplifies attacks where
malicious DNS responses are injected.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-52615
- 4e2e1ea090
- https://github.com/avahi/avahi/issues/810 (introduce regression CVE-2025-59529)
- CVE-2024-52616:
A flaw was found in the Avahi-daemon, where it initializes DNS
transaction IDs randomly only once at startup, incrementing them
sequentially after that. This predictable behavior facilitates DNS
spoofing attacks, allowing attackers to guess transaction IDs.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2024-52616
- f8710bdc8b
- CVE-2025-68276:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an
unprivileged local users can crash avahi-daemon (with wide-area
disabled) by creating record browsers with the
AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done by
either calling the RecordBrowserNew method directly or creating
hostname/address/service resolvers/browsers that create those browsers
internally themselves.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68276
- 2d48e42d44
- CVE-2025-68468:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
avahi-daemon can be crashed by sending unsolicited announcements
containing CNAME resource records pointing it to resource records with
short TTLs. As soon as they expire avahi-daemon crashes.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68468
- f66be13d7f
- CVE-2025-68471:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier,
avahi-daemon can be crashed by sending 2 unsolicited announcements
with CNAME resource records 2 seconds apart.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2025-68471
- 9c6eb53bf2
- CVE-2026-24401:
Avahi is a system which facilitates service discovery on a local
network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and
below, avahi-daemon can be crashed via a segmentation fault by sending
an unsolicited mDNS response containing a recursive CNAME record,
where the alias and canonical name point to the same domain (e.g.,
"h.local" as a CNAME for "h.local"). This causes unbounded recursion
in the lookup_handle_cname function, leading to stack exhaustion. The
vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST
is set explicitly, which includes record browsers created by resolvers
used by nss-mdns. This issue is patched in commit
78eab31128479f06e30beb8c1cbf99dd921e2524.
For more information, see:
- https://www.cve.org/CVERecord?id=CVE-2026-24401
- 78eab31128
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e728d3506b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CPIO filesystem generated by the test_firewalld test is too
large, and doesn't fit as an initramfs in the 256MB of RAM available
in the versatilepb machine. This causes a "Initramfs unpacking failed:
write error" when booting, and many files being missing from the root
filesystem, ultimately causing the test to fail.
The test_firewalld test initially started to fail following a systemd
update [1][3]:
[BRTEST# systemctl is-active firewalld
failed
But really started to crash at boot following a python 3.14 update
[2][4]:
Run /init as init process
/init: exec: line 15: /sbin/init: not found
Also, update TestFirewalldSysVInit to use ext2 instead of cpio.
[1] 926e0504d0
[2] a0a6abc8b1
Fixes:
[3] https://gitlab.com/buildroot.org/buildroot/-/jobs/12944797059
[4] https://gitlab.com/buildroot.org/buildroot/-/jobs/11856840940
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6a7fe6382a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes:
https://docs.djangoproject.com/en/5.2/releases/5.2.11/
This is a security release on Django's LTS branch,
fixing the following vulnerabilties:
- CVE-2025-13473:
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
4.2 before 4.2.28. The
`django.contrib.auth.handlers.modwsgi.check_password()` function for
authentication via `mod_wsgi` allows remote attackers to enumerate
users via a timing attack. Earlier, unsupported Django series (such as
5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.
Django would like to thank Stackered for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2025-13473
- CVE-2025-14550:
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a
potential denial-of-service via a crafted request with multiple
duplicate headers. Earlier, unsupported Django series (such as 5.0.x,
4.1.x, and 3.2.x) were not evaluated and may also be affected. Django
would like to thank Jiyong Yang for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2025-14550
- CVE-2026-1207:
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
4.2 before 4.2.28. Raster lookups on ``RasterField`` (only implemented
on PostGIS) allows remote attackers to inject SQL via the band index
parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x,
and 3.2.x) were not evaluated and may also be affected. Django would
like to thank Tarek Nakkouch for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-1207
- CVE-2026-1285:
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and
`Truncator.words()` methods (with `html=True`) and the
`truncatechars_html` and `truncatewords_html` template filters allow a
remote attacker to cause a potential denial-of-service via crafted
inputs containing a large number of unmatched HTML end tags. Earlier,
unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not
evaluated and may also be affected. Django would like to thank
Seokchan Yoon for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-1285
- CVE-2026-1287:
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in
column aliases via control characters, using a suitably crafted
dictionary, with dictionary expansion, as the `**kwargs` passed to
`QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`,
`values_list()`, and `alias()`. Earlier, unsupported Django series
(such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be
affected. Django would like to thank Solomon Kebede for reporting this
issue.
https://www.cve.org/CVERecord?id=CVE-2026-1287
- CVE-2026-1312:
An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and
4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection
in column aliases containing periods when the same alias is, using a
suitably crafted dictionary, with dictionary expansion, used in
`FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x,
4.1.x, and 3.2.x) were not evaluated and may also be affected. Django
would like to thank Solomon Kebede for reporting this issue.
https://www.cve.org/CVERecord?id=CVE-2026-1312
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[thomas: update hash for inlines.js]
(cherry picked from commit f8e89786f9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following security vulnerabilities:
CVE-2026-1584: libgnutls: Fix NULL pointer dereference in PSK binder
verification
A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello
could lead to a denial of service attack via crashing the server.
The updated code guards against the problematic dereference.
CVE-2025-14831: libgnutls: Fix name constraint processing performance issue
Verifying certificates with pathological amounts of name constraints
could lead to a denial of service attack via resource exhaustion.
Reworked processing algorithms exhibit better performance characteristics.
For more details, see the release notes:
https://lists.gnupg.org/pipermail/gnutls-help/2026-February/004914.html
Drop now upstreamed 0001-audit-crau-fix-compilation-with-gcc-11.patch:
f5666f8f1f
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e91cf0ae73)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following vulnerabilities:
CVE-2025-61732: cmd/cgo: remove user-content from doc strings in cgo ASTs
A discrepancy between how Go and C/C++ comments were parsed allowed for code
smuggling into the resulting cgo binary.
To prevent this behavior, the cgo compiler will no longer parse
user-provided doc comments.
CVE-2025-68121: crypto/tls: unexpected session resumption when using
Config.GetConfigForClient
Config.GetConfigForClient is documented to use the original Config's session
ticket keys unless explicitly overridden. This can cause unexpected
behavior if the returned Config modifies authentication parameters, like
ClientCAs: a connection initially established with the parent (or a sibling)
Config can be resumed, bypassing the modified authentication requirements.
If ClientAuth is VerifyClientCertIfGiven or RequireAndVerifyClientCert (on
the server) or InsecureSkipVerify is false (on the client), crypto/tls now
checks that the root of the previously-verified chain is still in
ClientCAs/RootCAs when resuming a connection.
Go 1.26 Release Candidate 2, Go 1.25.6, and Go 1.24.12 had fixed a similar
issue related to session ticket keys being implicitly shared by
Config.Clone. Since this fix is broader, the Config.Clone behavior change
has been reverted.
Note that VerifyPeerCertificate still behaves as documented: it does not
apply to resumed connections. Applications that use
Config.GetConfigForClient or Config.Clone and do not wish to blindly resume
connections established with the original Config must use VerifyConnection
instead (or SetSessionTicketKeys or SessionTicketsDisabled).
For more details, see the announcement:
https://groups.google.com/g/golang-announce/c/K09ubi9FQFk
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f56dc6b122)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This release fixes the following security related issues:
* gh-144125: BytesGenerator will now refuse to serialize (write) headers that
are unsafely folded or delimited; see verify_generated_headers.
* gh-143935: Fixed a bug in the folding of comments when flattening an
email message using a modern email policy. Comments consisting of a
very long sequence of non-foldable characters could trigger a forced
line wrap that omitted the required leading space on the continuation
line, causing the remainder of the comment to be interpreted as a new
header field. This enabled header injection with carefully crafted
inputs.
* gh-143925: Reject control characters in data: URL media types.
* gh-143919: Reject control characters in http.cookies.Morsel fields and values.
* gh-143916: Reject C0 control characters within wsgiref.headers.Headers
fields, values, and parameters.
Full release notes:
https://docs.python.org/release/3.13.12/whatsnew/changelog.html
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Use of threading requires a C++20 compiler, and the oneTBB
implementation. oneTBB is missing from Buildroot, but a system
one may be used if found.
Even if the default for threading is disabled, explicitly state so,
in case the default changes in the future.
Also disable examples, we don't and won't need them.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 830726905a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Ensure that the SHA_CRYPT option is enabled when the system configuration is
set to SHA256/512, as otherwise passwd complains when a password is changed:
passwd
...
Invalid ENCRYPT_METHOD value: 'SHA512'.
Defaulting to DES.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7e72901eef)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
As described in https://gitlab.com/buildroot.org/buildroot/-/issues/160, the
github mirror is getting shut down - So move to the sourceware.org git repo.
The github mirror was originally used because of performance and reliability
issues with sourceware, but that seems be resolved now after server/RAM
upgrades - E.G. from the sourceware news:
April 22, 2024
server2.sourceware.org now has 512GB RAM, thanks Red Hat.
https://sourceware.org/
So change back to fetch glibc (and localedef) from sourceware.org over git.
Notice: The git archiving leads to slightly different paths and permissions
in the tarball, but the file content is identical:
mkdir a && tar -C a -x --strip-components=1 -f \
path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125.tar.gz
mkdir b && tar -C b -x --strip-components=1 -f \
path/to/glibc-2.42-51-gcbf39c26b25801e9bc88499b4fd361ac172d4125-git4.tar.gz
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien:
- add missing SoB line
- fix command lines in commit log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 807b0bab37)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Swig has a compiled in absolute path to its data files, which can be
overridden using the SWIG_LIB environment variable:
https://github.com/swig/swig/blob/v4.1.1/Source/Modules/main.cxx#L931-L945
This unfortunately means that host-swig misbehaves when used in the SDK, as
this points to the ${HOST_DIR}/bin of the build, which may not be available
when the SDK is used.
The issue was reported upstream but rejected in
https://github.com/swig/swig/issues/253, so instead add a wrapper script
which calculates a sensible SWIG_LIB relative to the wrapper location unless
SWIG_LIB is set, similar to how we do it for E.G. gcc or pkgconf.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Peter: add quotes to make shellcheck happy]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 20d5e36fe8)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] introduced a patch to fix CVE-2025-62291. Since [2] the
security patches neeed to reference the vulnerability with the `CVE: `
trailer in the patch header.
[1] b009935e27 package/strongswan: add patch to fix CVE-2025-62291
[2] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
(cherry picked from commit 766a6e5c0b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
On Buildroot 2025.05.3, Meson's custom LLVM parser uses llvm-config
with a default search path of /usr/bin, causing it to detect the host
system's llvm-config (version 18.1.3) instead of the buildroot-compiled
one. This forces all LLVM-related packages to match version 18.1.3, but
since the host system lacks llvmspirvlib, the build fails. This patch
forces Meson to use the buildroot-compiled llvm-config.
On the master branch, the meson is somehow able to find the right
llvm-config, so reproduction only seems to be possible if the host
machine ships with a newer version as the one buildroot is using.
llvm-config found: YES
([...]/output/host/bin/llvm-config)
21.1.8
Run-time dependency LLVM (modules: bitwriter, core, coverage, engine,
executionengine, instcombine, irreader, libdriver, linker, lto,
mcdisassembler, mcjit, native, option, scalaropts, target,
transformutils, all-targets, coroutines, frontenddriver, frontendhlsl,
lto, windowsdriver) found: YES 21.1.8
Note that LLVM_CONFIG is a CMake option, not a Meson one. This is because
Meson has custom dependency resolution logic for LLVM (see
https://mesonbuild.com/Dependencies.html#llvm). The EXTRA_BINARIES mechanism
cannot be used here, as it only applies to cross-compilation scenarios, which
does not apply to host-mesa3d builds.
Reproduction (On BR2 tag: 2025.05.3):
BR2_x86_64=y
BR2_x86_atom=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_GLIBC_STABLE=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.24"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/pc/linux.config"
BR2_LINUX_KERNEL_INSTALL_TARGET=y
BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
BR2_LINUX_KERNEL_NEEDS_HOST_LIBELF=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_LLVM=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_I915=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_IRIS=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
Fixes:
llvm-config found: YES (/usr/bin/llvm-config-18) 18.1.3
Run-time dependency LLVM (modules: bitwriter, core, coverage, engine, executionengine, instcombine, irreader, libdriver, linker, lto, mcdisassembler, mcjit, native, option, scalaropts, target, transformutils, all-targets, coroutines, frontenddriver, frontendhlsl, lto, windowsdriver) found: YES 18.1.3
Dependency LLVMSPIRVLib found: NO. Found 15.0.0.0 but need: '>= 18.1' ; matched: '>= 15.0.0.0', '< 18.2'
Run-time dependency llvmspirvlib found: NO (tried cmake)
output/build/host-mesa3d-25.0.6/meson.build:1882:21: ERROR: Dependency lookup for LLVMSPIRVLib with method 'pkgconfig' failed: Invalid version, need 'LLVMSPIRVLib' ['>= 18.1'] found '15.0.0.0'.
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
[Romain:
- Update the commit title
- Update commit log about this issue on master branch
https://lore.kernel.org/buildroot/CACXRmJh1-5Cy92kF9TM5nDs_uB90WAe5iOGmNNL2E-cMhJE7GA@mail.gmail.com/
]
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit eb0e63888b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The old URL now leads to an HTTP 404 not found error.
Update it to the new one which contains the hashes for the current
release as well as older ones.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit 6fed872e08)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The current 'install' target comprises 'install-libs', 'install-apps'
and 'install-docs'.
In our case we don't want to install documentation to the target, so
just run the other two.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit ba48197d1f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When BR2_UCLIBC_INSTALL_UTILS is enabled, utils such as getconf, ldd,
locale get installed to TARGET_DIR. However, they do not get installed
to STAGING_DIR, which is annoying as it means that they are not part
of external toolchains built by Buildroot.
This commit adjusts the uclibc package to make sure those tools also
get installed to STAGING_DIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 272d281ba9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The UCLIBC_INSTALL_UTILS_STAGING is really badly named, as it doesn't
install anything to STAGING_DIR. Instead, it installs the host variant
of ldd and ldconfig into $(HOST_DIR)/bin. Therefore, rename it to
UCLIBC_INSTALL_HOST_UTILS.
This is important as a follow-up commit will re-introduce a
UCLIBC_INSTALL_UTILS_STAGING variable which really installs things
into STAGING_DIR.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 026c635508)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Upstream is dead, website unreachable, and the use case in 2026 is
dubious, so drop the package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 95519e0464)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Although it is possible to configure an AArch64 CPU without support
for EL2 in practice all the common AArch64 have supported
virtualisation from the start.
If we really wanted to be strict we could blacklist known non-EL2 CPUs
but AFAICT all the current ones in the config have EL2.
I should also note KVM on Arm is deprecated and was removed from the
kernel in v6.10.
Reviewed-by: Jesse Taube <jesse@rivosinc.com>
Reviewed-by: Thomas Huth <huth@tuxfamily.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 137d6e249d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The .mk file currently states:
If LWS_MAX_SMP=1, then there is no code related to pthreads
compiled in the library. If unset, LWS_MAX_SMP defaults to 32 and a
small amount of pthread mutex code is built into the library.
However, this is incorrect: when unset, LWS_MAX_SMP is actually set to
1, so mutexes aren't built in.
To fix, set it to 32 explicitly when threads are enabled. Why 32?
Because
https://libwebsockets.org/lws-api-doc-master/html/md_README.coding.html
states:
You can control the context basic data allocation for
multithreading from Cmake using -DLWS_MAX_SMP=, if not given it's
set to 32.
Signed-off-by: Bart Van Severen <bart.vanseveren@barco.com>
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b3abf16c8e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When given a certificate directory with --with-ca-path, curl doesn't
list the files in that directory. Instead, it uses the certificate hash
to directly open the requested CA certificate. Therefore, putting a
bundle in that directory and removing all the individual certificates is
not possible.
In order to support use of the bundle, a separate configuration option
--with-ca-bundle is needed. With this option, it is possible to remove
the individual certificates and include just the bundle, which reduces
the size of the root filesystem a bit.
Note that the bundle is generated by the ca-certificates package, which
also installs the individual certificates and the hash symlinks. It
keeps both individual certificates and the bundle in the target.
Signed-off-by: Lance Fredrickson <lancethepants@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 5a63ee3c09)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Unfortunately, parts of the library is not very no-MMU friendly atm.
The below check fails due to runbg.c requiring fork().
$ ./utils/test-pkg -c libite.config -p libite
bootlin-armv5-uclibc [1/6]: OK
bootlin-armv7-glibc [2/6]: OK
bootlin-armv7m-uclibc [3/6]: FAILED
bootlin-x86-64-musl [4/6]: OK
br-arm-full-static [5/6]: OK
arm-aarch64 [6/6]: OK
The dependency was introduced in libite v2.6.0, so this patch should
be backported to v2025.02.x.
Fixes:
https://autobuild.buildroot.net/results/6c6fd2ae410a82c44da54ee13a09a38a7ab220c1/
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e0b129e36e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit adds the -N/--needs-update option, disabled by default,
to list only packages with newer upstream versions. All other packages
will be excluded from the HTML or JSON output.
Signed-off-by: Kadambini Nema <kadambini.nema@gmail.com>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit ed9466e7f9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Currently, the relocate-sdk.sh script scans the whole extracted SDK tree
to find instances of paths it needs to replace, which can take a
significant amount of time when the SDK is large, particularly relative
to the number of files that actually need to change.
However, the resulting list only depends on the SDK tarball itself, so
we can calculate it at build time and ship it with the tarball so
relocate-sdk.sh can use it directly.
Testing this on my machine with somewhat IOPS-limited rotating media,
the time goes down from:
$ time ./relocate-sdk.sh
Relocating the buildroot SDK from [...] to [...] ...
./relocate-sdk.sh 5.19s user 26.21s system 9% cpu 5:34.40 total
To:
$ time ./relocate-sdk.sh
Relocating the buildroot SDK from [...] to [...] ...
./relocate-sdk.sh 0.49s user 0.29s system 103% cpu 0.749 total
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 63877f9e86)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] bumped glibc from 2.42-3-gbc13db739 to 2.42-51-gcbf39c26b
to fix some CVEs, but forgot to add those CVEs to GLIBC_IGNORE_CVES.
This was needed because the GLIBC_CPE_ID_VERSION used for CVE checks
remains to the same value "2.42" which is marked as vulnerable to
those CVEs.
This commit adds those _IGNORE_CVES with the corresponding upstream
commit references, to make sure they will not be reported by the
"make pkg-stats" command.
Fixes:
- [1]
[1] 18de297a5a
Cc: Waldemar Brodkorb <wbx@openadk.org>
Cc: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 574aa2cfee)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When running "make pkg-stats" on a host with Python 3.14 (e.g.
Fedora 43 for example), the execution fails with the error:
Checking URL status
Traceback (most recent call last):
File "/buildroot/support/scripts/pkg-stats", line 1387, in <module>
__main__()
~~~~~~~~^^
File "/buildroot/support/scripts/pkg-stats", line 1368, in __main__
loop = asyncio.get_event_loop()
File "/usr/lib64/python3.14/asyncio/events.py", line 715, in get_event_loop
raise RuntimeError('There is no current event loop in thread %r.'
% threading.current_thread().name)
RuntimeError: There is no current event loop in thread 'MainThread'.
This is due to a breaking change introduced in Python 3.14
asyncio.get_event_loop(). See [1]. Before Python 3.14, this call was
creating and setting an event loop if there was none. This situation
is now a runtime error.
In order to fix this issue with newer Python version, while keeping
backward compatibility, this commit replaces the code:
loop = asyncio.get_event_loop()
by an explicit event loop creation:
loop = asyncio.new_event_loop()
asyncio.set_event_loop(loop)
This commit was tested on a Fedora 43 host with Python-3.14.2, and
with the Buildroot Docker image plus the python3-aiohttp package
which is a Debian 12 with Python-3.11.2.
[1] https://docs.python.org/3.14/library/asyncio-eventloop.html#asyncio.get_event_loop
Signed-off-by: Julien Olivain <ju.o@free.fr>
Tested-by: Vincent Fazio <vfazio@xes-inc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e9f426aa52)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When the host system has asciidoctor and po4a/poman installed,
util-linux detect them and automatically enable manual pages and
their translations. This can significantly increase the package
build time (in my case, from 20s to 1m50s). See upstream
commit [1] and [2].
Since manual pages are not needed in Buildroot, this commit adds in
_CONF_OPTS for host host and target variants the options to always
disable the detection of those programs (--disable-asciidoc
--disable-poman). This will always disable the generation of manual
pages.
Note: Buildroot attempts to globally disable documentation for
autotools packages by passing various --disable-docs configure
options (see [3]), but those are not recognized by util-linux.
This commit also reorder the options for UTIL_LINUX_CONF_OPTS.
[1] 9acfc349e0
[2] 236421a491
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.11/package/pkg-autotools.mk#L184-186
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit dd81c1766e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
LLVM is already implicitly enabled for host-mesa3d when
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER is selected. This blind
option is automatically enabled when LLVM is required by drivers such
as intel-iris, panfrost, imagination, or intel-vulkan.
The BR2_PACKAGE_MESA3D_LLVM option also independently selects host-llvm,
but this change makes the dependency more explicit for host-mesa3d
builds.
Note that disabling LLVM is not possible for host-mesa3d, as the build
will fail with:
../../../br-test-pkg/bootlin-armv5-uclibc/build/host-mesa3d-25.3.2/meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
(cherry picked from commit db1a28435d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Backport two security fixes from upstream. They are in newer releases,
but to facilitate backporting to our LTS releases, this backports the
fixes.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d41ed2ea54)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit [1] added the "Upstream:" package patch tag, but forgot to
remove the corresponding .checkpackageignore entry.
This commit fixes that.
Fixes:
package/efl/0001-ecore_fb-fix-build-with-tslib.patch:0: lib_patch.Upstream was expected to fail, did you fix the file and forget to update .checkpackageignore?
[1] bac34296bf
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d30457efd0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Fix flake8 warning, use http.server instead of relying on
connectivity]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 425abcd025)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Patch 0001 has the upstream information, just not properly formatted,
so we fix this.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Thomas: extracted from a bigger patch from Bernd]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c15b507838)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
According to the official requirements, bindgen needs libclang to
parse C/C++ headers. libclang is loaded at runtime by bindgen, which
is why we didn't notice any build issue. However, using bindgen on a
simple header file blows up:
thread 'main' panicked at bindgen/lib.rs:616:27:
Unable to find libclang: "couldn't find any valid shared libraries matching: ['libclang.so', 'libclang-*.so', 'libclang.so.*', 'libclang-*.so.*'], s
et the `LIBCLANG_PATH` environment variable to a path where one of these files can be found (invalid: [])"
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
So far, bindgen was only used by mesa3d, and it turns out that mesa3d
also depends on clang, which pulls in host-clang, so the problem was
not visible. However, as we're about to use bindgen for other
things (namely Rust support in Linux), this issue needs to be fixed.
See:
https://rust-lang.github.io/rust-bindgen/requirements.html
Signed-off-by: El Mehdi YOUNES <elmehdi.younes@smile.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 34ed3bbf0a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The new target provides a convenient way to run utils/check-package on
any external trees, using .checkpackageignore files from the
respective trees if present.
While .checkpackageignore should be used as little as possible, in a
few cases adding overrides for false-positives to the affected files
is not feasible, a practical example of this is a Markdown file
misidentified as Python by libmagic (likely due to code blocks).
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Arnout: set ${ignore} explicitly to empty, in case it exists in the
environment.]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit fe48905080)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The test failed in the past, due to kbd build failure. See [1].
This specific issue was fixed by commit [2].
This commit was originally written to workaround this issue, which was
unrelated to the actual package being tested. Since systemd-vconsole
is not needed anyway, this commit removes it from the test config.
[1] https://gitlab.com/buildroot.org/buildroot/-/jobs/12363929666
[2] d98d9ba28f
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Julien: reword the commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 287d06f5d7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Testing with a really old toolchain is helpful to catch issues related
to kernel headers version issues, gcc version issues, etc. We chose a
glibc toolchain though as old musl or uClibc-ng versions tend to lack
a number of features that are needed by modern software.
This toolchain is placed near the top of toolchain-configs.csv, so
that it is used as part of the "base" set of toolchain that test-pkg
uses, even without the -a option.
test-pkg takes the 6 first toolchains of this CSV file for its base
test, and actually the comment in toolchain-configs.csv was wrong
since commit 53a8c5150e, which removed a
toolchain from the base set, but not realizing that test-pkg would
anyway continue to test the first 6 toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 85d47bbc40)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The prebuilt MIPS64 toolchains are very old, causing build issues (for
example recently with the systemd v258 update). Replace them both a
single toolchain configuration that uses one of the mips64el Bootlin
toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 573a113edd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
- br-i386-pentium4-full.config as an x86 32-bit toolchain test is
already reasonably covered by bootlin-x86-i686-musl.config
- br-microblazeel-full-internal.config as a Microblaze toolchain test is
already reasonably covered by bootlin-microblazeel-uclibc.config
- br-powerpc-internal-full.config and br-powerpc-603e-basic-cpp.config
as PowerPC 32-bit toolchain tests are already reasonably covered by
bootlin-powerpc-e500mc-uclibc.config
- br-powerpc64-power7-glibc.config as a PowerPC 64-bit toolchain test
is already reasonably covered by
bootlin-powerpc64le-power8-glibc.config
- br-riscv64-full-internal.config as a RISC-V 64-bit toolchain test is
already reasonably covered by bootlin-riscv64-glibc.config and
bootlin-riscv64-musl.config
- br-s390x-z13-internal-glibc.config as a s390 toolchain test is
already reasonably covered by bootlin-s390x-z13-glibc.config
- br-xtensa-full-internal.config as an Xtensa toolchain test is
already reasonably covered by bootlin-xtensa-uclibc.config
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 8bab0acff6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Building internal toolchains takes a long time, and since the
differences between the 3 internal ARM toolchains is just the libc,
and we're already testing uclibc/musl with external toolchains, it
doesn't make much sense to build 3 different ARM internal toolchains.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 61fe61af31)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
We're already testing the ARC architecture with one Bootlin toolchain,
it doesn't make sense to also test with two Buildroot internal
toolchains the ARC architecture, which is not a primary architecture
for Buildroot.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit ceaf0a2283)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The linux-headers package was not providing any license file for any
version other than the latest one.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
For the headers-as-kernel case, use LINUX_LICENSE_FILES and disable the
Kconfig option entirely.
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit d94762640e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The AT91Bootstrap3 package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Note that version 3.X of at91bootstrap didn't have an open source
license and no license file either. Keep that behavior.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit d9999aeec9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The ATF package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 77670c33d2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The Barebox package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 76dee8aadc)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The OpenSBI package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 399cc39621)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The OP-TEE OS package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 71e8ca62dd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The U-Boot package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit a4d5b20462)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The Linux package was not providing any license file when a custom
Linux version was selected.
Fix this by adding a Kconfig option to specify the license file,
with a default value set to the commonly used license paths.
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
[Arnout: use a single Kconfig option with conditional prompt]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
(cherry picked from commit 50958bcdac)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Building berkeleydb is broken with a non-threaded toolchain with gcc >=
14.x:
../src/rep/rep_method.c:1740:25: error: implicit declaration of function
'__repmgr_get_nsites'; did you mean '__rep_get_nsites'?
[-Wimplicit-function-declaration]
1740 | return (__repmgr_get_nsites(env, n));
According to src/repmgr/repmgr_util.c, line 503+, the function
'__repmgr_get_nsites' mentioned in the gcc error message "may only be
called after threads have been started".
This source file repmgr_util.c belongs to REPMGR_OBJS according to
dist/Makefile.in, line 249+, which is, according to dist/configure.ac,
line 956, only build if thread support is present.
In a non-threaded build '__repmgr_get_nsites' does not exist causing the
build error.
To fix the build error we disable replication for non-threaded
toolchains.
Using gcc 13.x the build error does not occur, tested with this
defconfig:
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_GCC_VERSION_13_X=y
BR2_PACKAGE_BERKELEYDB=y
Using this minimal gcc 14.x-based defconfig
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_PACKAGE_BERKELEYDB=y
the build error can be reproduced.
The oldest build error of this kind, afaics, dates back to 2024-06-13:
https://autobuild.buildroot.net/results/e0d/e0d6bdbef01bee277b0da83605b2906af876058a/
Fixes:
https://autobuild.buildroot.net/results/792/792ed942d17bb8d00cd321536a102f6dd63b6a8a/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9a1a71be21)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since its introduction in [1], by default the `generate-cyclonedx`
script doesn't include buildroot's virtual packages in its 'components'
list, unless using the `--virtual` argument.
References to virtual packages present in the 'show-info' output are
filtered out in the resulting dependencies.
This patch fix the default CycloneDX dependencies generation
without virtual packages to reference the packages that provide the
virtual package instead of just dropping the virtual package itself.
If we use the package `lbase64` that depends on the virtual package
`luainterpreter` as an example. The 'dependency' entry looks like the
following:
```
{
"ref": "lbase64",
"dependsOn": [
"host-skeleton",
"skeleton-init-common",
"skeleton-init-sysv",
"toolchain-external-bootlin"
]
}
```
The `luainterpreter` dependency is missing.
After applying this patch, package that provides the `luainterpreter` is
present:
```
{
"ref": "lbase64",
"dependsOn": [
"host-skeleton",
"lua",
"skeleton-custom",
"skeleton-init-sysv"
]
}
```
In the case of a virtual package provided by multiple packages all those
packages will be listed. This happens when generating an SBOM on the
entire Buildroot packages.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 67738a6e1d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the introduction of the `generate-cyclonedx` script in [1] the
dependencies were 'recursive'. This means that the dependencies of a
package dependency were included.
The CycloneDX spec [2] states that only direct dependencies needs to be
included.
This patch drop the recursive dependencies.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
[2] https://cyclonedx.org/docs/1.6/json/#dependencies
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit dc4af8bfa9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The definition of the project name & version is stored under the
`metadata:component` CycloneDX property.
Since the introduction of the `generate-cyclonedx` script [1] a
'buildroot' dependency entry that depends on every components has been
part of the generated SBOM.
Tools such as 'DependencyTrack' relies on such entry to create graph of
the entire project.
With the commit [2] that introduced the option to pass a custom project
name and version, this dependency reference was not updated to match the
custom 'bom-ref'.
This patch fixes the reference to match the custom project name.
[1] dbab39e2d9 support/scripts/generate-cyclonedx.py: add script to generate CycloneDX-style SBOM
[2] 9cbbc47762 utils/generate-cyclonedx: add project name and version options
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 189a983c7d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Brings additional optimizations and bugfixes:
Fix to heap buffer overflow in vp9_deblock, vp9_post_proc_frame, and
vp9_pack_bitstream.
Fix to integer overflow in vp9_highbd_post_proc, vp9_rc_regulate_q,
tiny_ssim, and vp9_calc_pframe_target_size_one_pass_cbr.
Fix to use-of-uninitialized-value in vp9_highbd_post_proc, mfqe, and
vp8_datarate_test.
Fix to out-of-bounds in log_tile_cols_from_picsize_level.
Fix to double free on initialization failure in vpx_codec_enc_init_multi.
Fix to division-by-zero crash in vpxenc with 0 FPS numerator input.
Fix to various build failures for Arm/SVE2, macOS cross-compilation, and
Xcode 16.
https://chromium.googlesource.com/webm/libvpx/+/refs/tags/v1.16.0
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7e5a961eb0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
https://github.com/nodejs/node/blob/v22.22.0/doc/changelogs/CHANGELOG_V22.md
List of security fixes:
22.22.0:
(CVE-2025-59465) add TLSSocket default error handler
(CVE-2025-55132) disable futimes when permission model is enabled lib,
permission:
(CVE-2025-55130) require full read and write to symlink APIs src:
(CVE-2025-59466) rethrow stack overflow exceptions in async_hooks src,
lib:
(CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill
toggle tls:
(CVE-2026-21637) route callback exceptions through error handlers
22.17.1:
(CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path
Traversal Protection in path.normalize()
Version 22.18.0 includes
a2d2d36bb1
which fixes build errors with python 3.14
"ImportError: cannot import name 'FancyURLopener' from 'urllib.request'"
introduced by buildroot commit a0a6abc8b1.
Updated license hash due to upstream commits:
ec60473ab10b5613f9fe0edf17198f
Switched _SITE to https.
Fixes:
https://autobuild.buildroot.net/results/da8/da82dc03cf0d42463fff1b5d9bf7a3c18cbf44dd/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 224abedb06)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following vulnerabilities:
CVE-2025-11187 - Improper validation of PBMAC1 parameters in PKCS#12 MAC verification.
CVE-2025-15467 - Stack buffer overflow in CMS AuthEnvelopedData parsing.
CVE-2025-15468 - NULL dereference in SSL_CIPHER_find() function on unknown cipher ID.
CVE-2025-15469 - ‘openssl dgst’ one-shot codepath silently truncates inputs >16MB.
CVE-2025-66199 - TLS 1.3 CompressedCertificate excessive memory allocation.
CVE-2025-68160 - Heap out-of-bounds write in BIO_f_linebuffer on short writes.
CVE-2025-69418 - Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
CVE-2025-69419 - Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion.
CVE-2025-69420 - Missing ASN1_TYPE validation in TS_RESP_verify_response() function.
CVE-2025-69421 - NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex function
CVE-2026-22795 - Missing ASN1_TYPE validation in PKCS#12 parsing
CVE-2026-22796 - ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() function
For more details, see the announcement:
https://openssl-library.org/post/2026-01-27-release-announcement/
Drop now upstreamed 0004-Scope-aes_cfb128_vaes_encdec_wrapper-to-x64.patch:
f529d26591
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fce7287656)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following vulnerabilities:
- CVE-2025-61728: archive/zip: denial of service when parsing arbitrary ZIP
archives
archive/zip used a super-linear file name indexing algorithm that is
invoked the first time a file in an archive is opened. This can lead to a
denial of service when consuming a maliciously constructed ZIP archive.
- CVE-2025-61726: net/http: memory exhaustion in Request.ParseForm
When parsing a URL-encoded form net/http may allocate an unexpected amount
of memory when provided a large number of key-value pairs. This can
result in a denial of service due to memory exhaustion.
- CVE-2025-68121: crypto/tls: Config.Clone copies automatically generated
session ticket keys, session resumption does not account for the
expiration of full certificate chain
The Config.Clone methods allows cloning a Config which has already been
passed to a TLS function, allowing it to be mutated and reused.
If Config.SessionTicketKey has not been set, and
Config.SetSessionTicketKeys has not been called, crypto/tls will generate
random session ticket keys and automatically rotate them. Config.Clone
would copy these automatically generated keys into the returned Config,
meaning that the two Configs would share session ticket keys, allowing
sessions created using one Config could be used to resume sessions with
the other Config. This can allow clients to resume sessions even though
the Config may be configured such that they should not be able to do so.
- CVE-2025-61731: cmd/go: unexpected code execution when invoking toolchain
The Go toolchain supports multiple VCS which are used retrieving modules
and embedding build information into binaries.
On systems with Mercurial installed (hg) downloading modules (e.g. via go
get or go mod download) from non-standard sources (e.g. custom domains)
can cause unexpected code execution due to how external VCS commands are
constructed.
On systems with Git installed, downloading and building modules with
malicious version strings could allow an attacker to write to arbitrary
files on the system the user has access to. This can only be triggered by
explicitly providing the malicious version strings to the toolchain, and
does not affect usage of @latest or bare module paths.
The toolchain now uses safer VCS options to prevent misinterpretation of
untrusted inputs. In addition, the toolchain now disallows module version
strings prefixed with a "-" or "/" character.
- CVE-2025-61730: crypto/tls: handshake messages may be processed at the
incorrect encryption level
During the TLS 1.3 handshake if multiple messages are sent in records that
span encryption level boundaries (for instance the Client Hello and
Encrypted Extensions messages), the subsequent messages may be processed
before the encryption level changes. This can cause some minor
information disclosure if a network-local attacker can inject messages
during the handshake.
For details, see the announcement:
https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 22137df16b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit bf3626002f ("system cfg: remove mkpasswd MD5 format option") dropped
the MD5 option, so stop referring to it from the sha256 one to limit
confusion.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fdeced6692)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 42411aa324)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit fb847e8379)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 374f5b66cb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 1a813ba4ee)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6b5c202856)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c22dc1b819)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3eec14e664)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Remove the '-x' option from the shebang, which was a leftover from the
debugging phase and not intended for the final submission.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d2dcd7547c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add 'set -eu' to ensure that command failures or unset variables are
properly reported to the 'make' process. This prevents silent failures
during the image generation phase.
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3c8ecc05c6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add a missing space in the "Creating SD card" section of the
documentation.
Fixes: 1a1239fd28 ("configs/stm32f769_disco_sd_defconfig: new defconfig")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7cedf74c17)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Python 3.14 (not yet in Buildroot) introduced colors, enabled by
default, when the output is a terminal. This behavior can make the
pexpect pattern matching more difficult in some cases. See:
https://docs.python.org/3.14/using/cmdline.html#controlling-color
This commit globally disables the Python interpreter colors in the base
runtime Python test, by setting the NO_COLOR=1 environment variable.
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3a6e2b4a03)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The --with-system-ffi was removed back in Python-3.12.0, in upstream
commit [1].
From the Python 3.12 release notes:
- gh-100540: Removed the ``--with-system-ffi`` ``configure`` option;
``libffi`` must now always be supplied by the system on all non-Windows
platforms. The option has had no effect on non-Darwin platforms for
several releases, and in 3.11 only had the non-obvious effect of invoking
``pkg-config`` to find ``libffi`` and never setting
``-DUSING_APPLE_OS_LIBFFI``. Now on Darwin platforms ``configure`` will
first check for the OS ``libffi`` and then fall back to the same
processing as other platforms if it is not found.
Buildroot includes such a Python 3.12.x version since commit [2].
When compiling python3 in Buildroot, the package configuration step
reports the warning:
configure: WARNING: unrecognized options: [...] --with-system-ffi
The commit drops the now defunct option.
[1] 25590eb5de
[2] 76cd14167f
Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
[Julien: add links in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit a7a3621c0b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Upstream added fork() to lib/canonicalize.c in version 2.34[1]
e101a9eb0f
but the resulting build errors on non-mmu archs were most likely masked
by previous build errors which are already fixed.
lib/canonicalize.c as part of libcommon is widely used so we need to add
the dependency to many Config.in options.
For an overview about its usage see
output/build/util-linux-2.41.2$ grep -r "LDADD = \$(LDADD) libcommon.la" * | grep Makemodule | cut -d ":" -f 2 | sort
Fixes:
https://autobuild.buildroot.net/results/34b/34b1f733fdfb5c5e30e631576f875398435ad115/
[1] Added to buildroot with commit bb216ed060
in 2019.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit faa62ce085)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
- i don't use grpc anymore and updates seem complicate to review,
so drop me from it and its dependency re2
- add packages i'm currently using
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 796dfc2c92)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CVS project is no longer maintained upstream. It no longer builds
with GCC 14.x, has been failing to build for months in our
autobuilders with nobody caring about it.
We managed to fix the GCC 14.x build issue, then there are GCC 15.x,
some of them fixed by Debian patches, but some not. Overall, this is
too much effort, while upstream is completely dead.
So let's get rid of cvs entirely.
Fixes:
https://autobuild.buildroot.net/results/59f6e77106ac98535688ff5b9392b0b3ad3041ae/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 700726db4b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The criu package was added in Nov 2023, and then bumped once in
December 2023. Since then, it has never been bumped again, and all
follow-up fixes were provided by other people than the original
package submitter listed in the DEVELOPERS file.
criu has seen several upstream releases since then, and most notably
is causing a number of build issues in our autobuilders:
https://autobuild.buildroot.net/?reason=criu-3.19
The package was never updated to those newer upstream releases, and
the autobuilder issues have not been addressed.
Therefore, let's drop this package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9cf28c6573)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
gconf has not seen any release since 2013, and the last commit in
https://gitlab.gnome.org/Archive/gconf is from 2015.
The package example application basic-gconf-app fails to build with a
recent compiler such as GCC 14.x:
basic-gconf-app.c:458:60: error: passing argument 1 of ‘gtk_dialog_get_content_area’ from incompatible pointer type [-Wincompatible-pointer-types]
It is not entirely clear since when this breakage takes place, but
most likely since GCC 14.x was introduced. This issue can be
reproduced including on 2025.02.x with the following defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_LIBGTK3=y
BR2_PACKAGE_GCONF=y
However, for the build issue to happen you need to run:
$ make libgtk3
$ make
So that libgtk3 gets built before gconf. Indeed, there's a hidden
dependency between the two, and the example programs of gconf only get
build if libgtk3 is built before. We've however encountered the
problem in a (real) bigger build where the dependency relationship of
packages have caused libgtk3 to get built before gconf.
Note that we could perhaps have fixed the problem by disabling the
examples, but gconf is anyway so old and deprecated that it isn't
worth the effort.
There are no known autobuilder issues.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3e4e261a16)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This package is no longer maintained, no release since 2005, and it
has build issues as it uses too old XML APIs:
/home/thomas/projets/buildroot/output/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/include/libxml2/libxml/SAX.h:18:4: warning: #warning "libxml/SAX.h is deprecated" [-Wcpp]
18 | #warning "libxml/SAX.h is deprecated"
| ^~~~~~~
svgint.h:42:9: error: unknown type name 'xmlParserCtxtPtr'
42 | typedef xmlParserCtxtPtr svg_xml_parser_context_t;
| ^~~~~~~~~~~~~~~~
Fixes:
https://autobuild.buildroot.net/results/895fdba2f3fcaa42aa93946f2532351d39b16647/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 81bc8bbd5b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This package is no longer maintained, no release since 2005, and its
dependency libsvg has build issues as it uses too old XML APIs:
/home/thomas/projets/buildroot/output/host/bin/../aarch64-buildroot-linux-gnu/sysroot/usr/include/libxml2/libxml/SAX.h:18:4: warning: #warning "libxml/SAX.h is deprecated" [-Wcpp]
18 | #warning "libxml/SAX.h is deprecated"
| ^~~~~~~
svgint.h:42:9: error: unknown type name 'xmlParserCtxtPtr'
42 | typedef xmlParserCtxtPtr svg_xml_parser_context_t;
| ^~~~~~~~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 8680db4582)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For more info on the release, see:
- https://github.com/obgm/libcoap/compare/v4.3.5...v4.3.5a
- https://github.com/obgm/libcoap/blob/release-4.3.5-patches/ChangeLog
Fixes the following vulnerabilities:
- CVE-2025-59391:
A memory disclosure vulnerability exists in libcoap's OSCORE
configuration parser in libcoap before release-4.3.5-patches. An out-
of-bounds read may occur when parsing certain configuration values,
allowing an attacker to infer or read memory beyond string boundaries
in the .rodata section. This could potentially lead to information
disclosure or denial of service.
https://www.cve.org/CVERecord?id=CVE-2025-59391
- CVE-2025-65493:
NULL pointer dereference in src/coap_openssl.c in OISM libcoap 4.3.5
allows remote attackers to cause a denial of service via a crafted
DTLS/TLS connection that triggers BIO_get_data() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65493
- CVE-2025-65494:
NULL pointer dereference in get_san_or_cn_from_cert() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted X.509 certificate that causes
sk_GENERAL_NAME_value() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65494
- CVE-2025-65495:
Integer signedness error in tls_verify_call_back() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted TLS certificate that causes
i2d_X509() to return -1 and be misused as a malloc() size parameter.
https://www.cve.org/CVERecord?id=CVE-2025-65495
- CVE-2025-65496:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65496
- CVE-2025-65497:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65497
- CVE-2025-65498:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65498
- CVE-2025-65499:
Array index error in tls_verify_call_back() in src/coap_openssl.c in
OISM libcoap 4.3.5 allows remote attackers to cause a denial of
service via a crafted DTLS handshake that triggers
SSL_get_ex_data_X509_STORE_CTX_idx() to return -1.
https://www.cve.org/CVERecord?id=CVE-2025-65499
- CVE-2025-65500:
NULL pointer dereference in coap_dtls_generate_cookie() in
src/coap_openssl.c in OISM libcoap 4.3.5 allows remote attackers to
cause a denial of service via a crafted DTLS handshake that triggers
SSL_get_SSL_CTX() to return NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65500
- CVE-2025-65501:
Null pointer dereference in coap_dtls_info_callback() in OISM libcoap
4.3.5 allows remote attackers to cause a denial of service via a DTLS
handshake where SSL_get_app_data() returns NULL.
https://www.cve.org/CVERecord?id=CVE-2025-65501
LICENSE Year updated see [1].
[1] c9135b6b26
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d3ebc63ce7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit a3a88ff1c8 bumped bitcoin
to version 26.0 which includes upstream commit
b8401c3281
causing an assertion on m68k:
/home/thomas/autobuild/instance-7/output-1/build/bitcoin-30.0/src/support/allocators/pool.h:92:36:
error: static assertion failed: Units of size ELEM_SIZE_ALIGN need to
be able to store a ListNode
92 | static_assert(sizeof(ListNode) <= ELEM_ALIGN_BYTES, "Units
| ~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
of size ELEM_SIZE_ALIGN need to be able to store a ListNode");
/home/thomas/autobuild/instance-7/output-1/build/bitcoin-30.0/src/support/allocators/pool.h:92:36:
note: the comparison reduces to '(4 <= 2)'
To fix the problem we disable bitcoin on m68k.
Fixes:
30.0: https://autobuild.buildroot.net/results/268/2688e4a2aa8dc34343f0218fd6727d0ae3adb132/
26.0: https://autobuild.buildroot.net/results/fb0/fb05401c7de289e0f87f5c9e3a7f92f5589b590b/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 555114a0ec)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Enhance the Xen python tests to exercise block devices: this boils down
to switching from ramdisks to disk partitions for the domains rootfs.
(Refer to the comments in the python script for block devices details.)
- Add support for PCI and Xen block to the Linux kernel configurations.
- Add a few commands to list the xvda block device for good measure.
- Generate two partitions with the rootfs in the disk images; we use the
same rootfs contents twice, once for each domain.
- Add a paravirtualized block device to the Xen dom1 configurations and
adjust both domains kernel command lines, to specify the rootfs
locations.
- Build host-qemu for Arm v7, to workaround an issue with 32b Arm and
old Qemu versions, which is what we have on CI currently.
- While at it, bump Linux kernel to 6.18.4 and U-Boot to 2026.01.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Julien Olivain <ju.o@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 09baeb4653)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Xen tools scripts need the stat program from coreutils to work
correctly, and not the one from busybox.
One such example is the /etc/xen/scripts/locking.sh script, which will
cause timeouts for operations such as "xl block-attach", or when
starting a DomU with a disk.
Add the dependency on coreutils to fix this.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Alistair Francis <alistair@alistair23.me>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ca23f860d1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
In addition, libglib2 already removes schemas from the target during
target finalization so the gvfs-specific cleanup can be dropped.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7b5735cc69)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2fb684fd68)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Dropping the need for this package to compile any schemas as the
libglib2 package (a dependency) already handles this during target
finalization.
Signed-off-by: James Knight <git@jdknight.me>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f9ce4dd52f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
- suppress S40iwd shellcheck warnings:
In package/iwd/S40iwd line 8:
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
^--------------------^ SC1090 (warning): ShellCheck can't follow non-constant source. Use a directive to specify location.
In package/iwd/S40iwd line 15:
-- $IWD_ARGS
^-------^ SC2086 (info): Double quote to prevent globbing and word splitting.
- remove package/iwd/S40iwd from .checkpackageignore
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f38453f00e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit 8708f3a23a ("package/mysql:
drop virtual package"), we no longer have mysql as a virtual package,
and therefore perl-dbd-mysql directly selects mariadb. However,
mariadb as stricter dependencies than what the mysql virtual package
had, and this commit forgot to properly propagate those dependencies,
causing a Config.in warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_MARIADB
Depends on [n]: BR2_INSTALL_LIBSTDCPP [=y] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y] && (BR2_TOOLCHAIN_HAS_ATOMIC [=y] || BR2_TOOLCHAIN_HAS_SYNC_8 [=n]) && BR2_USE_WCHAR [=n]
Selected by [y]:
- BR2_PACKAGE_PERL_DBD_MYSQL [=y] && BR2_PACKAGE_PERL [=y] && !BR2_STATIC_LIBS [=n] && BR2_INSTALL_LIBSTDCPP [=y] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_HAS_THREADS [=y]
Fixes: 8708f3a23a ("package/mysql: drop virtual package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 64a288e33c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since commit 8708f3a23a ("package/mysql:
drop virtual package"), we no longer have mysql as a virtual package,
and therefore perl-dbd-mysql directly selects mariadb. As part of
that, the comments related to the dependencies have not been updated
accordingly. Fix that up.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 65fcceed89)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Back when the libgtk4 package was introduced in commit
faf2a1d2ab, its
BR2_PACKAGE_LIBGTK4_GSTREAMER option did not properly propagate the
dependencies of BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL, causing the
following Config.in warning:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL
Depends on [n]: BR2_PACKAGE_GSTREAMER1 [=y] && BR2_PACKAGE_GST1_PLUGINS_BASE [=y] && (BR2_PACKAGE_HAS_LIBGL [=n] || BR2_PACKAGE_HAS_LIBGLES [=n])
Selected by [y]:
- BR2_PACKAGE_LIBGTK4_GSTREAMER [=y] && BR2_PACKAGE_LIBGTK4 [=y]
Fix that by properly propagating the dependency.
Fixes: faf2a1d2ab ("package/libgtk4: new package")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d0034ff965)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since this option was introduced in commit
a474642fdc ("package/mender-update-modules:
new package"), its dependencies have been incorrect. It selects
BR2_PACKAGE_PYTHON3 without replicating all its dependencies, so we
fix that.
Also, it did have the !BR2_STATIC_LIBS dependency propagated, but not
mentioned in the Config.in comment, so we fix that as well.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7571ee4a36)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Commit
75ab6cf93a ("package/{python-}protobuf:
bump to version 28.1") added a whole bunch of gcc >= 8 dependencies to
opencv4 options, but forgot to create or update appropriate Config.in
comments for several options:
BR2_PACKAGE_OPENCV4_LIB_OBJDETECT
BR2_PACKAGE_OPENCV4_LIB_STITCHING
BR2_PACKAGE_OPENCV4_WITH_PROTOBUF
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 73e9b996fb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The comments saying that dnn_objdetect and dnn_superres need a glibc
or musl toolchain should be shown when a uClibc toolchain is selected,
not when a toolchain NOT using uClibc is selected (as this is exactly
what's needed).
Fixes: a2e01b23fc ("package/opencv-contrib: propagate opencv4 dependencies")
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3b84ec3ee2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
fb5235239aad ("env: Rename DEFAULT_ENV_FILE to
ENV_DEFAULT_ENV_TEXT_FILE") renamed the Kconfig symbols and thus we need
to adapt the U-Boot package in Buildroot to support it.
Fixes: 128c26f287 ("boot/uboot: bump to version 2025.10")
Reported-by: Ozan Durgut <ozandurgut.2001@hotmail.com>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 088bec09fb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
CVE-2024-46948 only affects the device management and update server part
of Mender, and not the client running on the devices
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f16475f377)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building the arm-trusted-firmware, if the host environment has a value
configured in the BL31 variable such as the following:
export BL31=/tmp/bl31.elf
This will cause the build of the bl31.elf to be skipped leading to the
following build error:
make[1]: Nothing to be done for 'bl31'.
And then:
readelf: Error: './output/build/arm-trusted-firmware-custom/build/versal/release/bl31/bl31.elf': No such file
To fix this, clear the BL31 variable in the MAKE_OPTS, so that building the
arm-trusted-firmware will build regardless of the host environment.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6019df8f99)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Boost.System is a header only library since Boost 1.69.0 [0].
A Stub Library remained for backward compatibility. This
mainly affects CMake Packages that use FindPackage and
explicitly list 'system'.
For Boost internal modules this is not the case so remove this
dependency.
Buildroot packages should select BR2_PACKAGE_BOOST_SYSTEM explicitly
if needed and not rely on a proxy dependency from other boost packages.
[0] https://github.com/boostorg/system/blob/develop/doc/system/changes.adoc#changes-in-boost-169
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit fbb5c74058)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libcpprestsdk searches for the Boost.System module in its
CMakeLists. Hence it should be selected as a dependency.
This does not fix any build failure, as boost-system was implicitly
selected by one of the other boost-* options that this package
selects, but an upcoming commit is going to change how boost-system is
selected by other boost-* modules, making this preparation change
necessary.
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c659e0383d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit d6c3257e93 bumped the
package from 0.21 to 0.23. Upstream release 0.22 includes commit
d7c7c53c06
which uses CLOCK_MONOTONIC without including time.h.
Fixes:
https://autobuild.buildroot.net/results/41b/41b25ee8e66e34323eca011e4b5fe479ece9ed76/
Two minimal defconfigs to reproduce the build error:
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ATF=y
BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y
BR2_PTHREADS_NONE=y
BR2_GCC_VERSION_13_X=y
BR2_TOOLCHAIN_BUILDROOT_CXX=y
BR2_PACKAGE_ATF=y
All defconfigs of the build errors recorded by the buildroot autobuilders
contain BR2_PTHREADS_NONE=y.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cf383d3e13)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The Vulkan option was appended to QT6BASE_CONFIGURE_OPTS instead of
QT6BASE_CONF_OPTS, which is the variable actually used during CMake
configuration. This prevented the feature from being enabled/disabled
as expected.
Fixes: 1c27f3a12d ("package/qt6base: add vulkan option")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 451e735aa0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This patch add several upstream patches that fix build error we are
experiencing on the autobuilder related to host-gcc15 and gcc14.
- 0010-use-bool-from-stdbool.patch
Fix a host-gcc15 error with C23 bool reserved keyword when building
host-softether package. This appeared on the autobuilder.
```
from Cfg.c:116:
../../src/Mayaqua/MayaType.h:257:33: error: 'bool' cannot be defined via 'typedef'
257 | typedef unsigned int bool;
| ^~~~
../../src/Mayaqua/MayaType.h:257:33: note: 'bool' is a keyword with '-std=c23' onwards
../../src/Mayaqua/MayaType.h:257:1: warning: useless type name in empty declaration
257 | typedef unsigned int bool;
| ^~~~~~~
```
- 0011-fix-implicit-declaration-of-function-getch.patch
Fix an implicit function declaration.
- 0012-vlanunix-fix-implicit-declaration-of-function-freetap.patch
Fix an implicit function declaration.
- 0013-fix-build-on-freebsd-version-140091.patch
Incompatible pointer type which appeared on the autobuilder as well:
```
Unix.c: In function 'UnixIgnoreSignalForThread':
Unix.c:324:25: error: assignment to 'void (*)(int, siginfo_t *, void *)' from incompatible pointer type 'void * (*)(int, siginfo_t *, void *)' [-Wincompatible-pointer-types]
324 | sa.sa_sigaction = signal_received_for_ignore;
| ^
```
- 0014-cedar-hub-properly-set-value-for-hub-admin-options.patch
Fix an incompatible pointer type error.
- 0015-adjust-types-of-variables.patch
Fix an incompatible pointer type error which appeared on the autobuilder as
well.
```
Secure.c: In function 'OpenSec':
Secure.c:1829:56: error: passing argument 3 of 'sec->Api->C_GetSlotList' from incompatible pointer type [-Wincompatible-pointer-types]
1829 | if ((err = sec->Api->C_GetSlotList(true, NULL, &sec->NumSlot)) != CKR_OK || sec->NumSlot == 0)
| ^~~~~~~~~~~~~
| |
| UINT * {aka unsigned int *}
```
- 0016-Cedar-Proto_IKE-fix-too-many-arguments-to-function-N.patch
Fix a function call.
Fixes: https://autobuild.buildroot.org/results/c43/c43a9a221896d37ee8a9d34c5b8e2725351c6eb5
Fixes: https://autobuild.buildroot.org/results/751/7517bb4d32c38d475d901769b0b2fd2c2f3dd543
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Acked-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5b5aebc085)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
lttng-modules fails to build in master and in our LTS branch
2025.02.x. Indeed, our LTS branch uses the 6.12 kernel as the latest
LTS, and lttng-modules in version 2.13.10 don't build with the 6.12
kernel:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_USE_ARCH_DEFAULT_CONFIG=y
BR2_PACKAGE_LTTNG_MODULES=y
fails to build with 2025.02.x.
To fix this, let's bump to the latest point release in the 2.13.x
branch, which mostly contains fixes needed for the 2.13.x releases to
work with newer kernels. This is considered a reasonable bump for our
2025.02 LTS.
The hash of the license file is updated as the list of files under
each license has changed a bit, but that doesn't change the overall
list of licenses.
Fixes:
https://autobuild.buildroot.net/results/78d05ded97877f866d2bd7aa600a2dafa01bb364/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 63d0611b0c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit fixes the wrong patch folders which should have been fixed
in commit 475c79d ("package/openjdk{-bin}: bump versions to 17.0.12+7
and 21.0.4+7")
Signed-off-by: Thomas Devoogdt <thomas.devoogdt@barco.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f2992604a3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The `utils/brmake` tool runs `make all` with logs put into `br.log`.
That file is therefore the result of a build and committing it never
makes sense, neither upstream nor on any other remote/branch.
⟩ git status --short
⟩ make beaglebone_defconfig
⟩ ./utils/brmake
⟩ git status --short
?? br.log
Add a new `/br.log` entry in the root `.gitignore` file.
Append to the end because no ordering logic was found.
Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a5d29e752a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This brings the script in line with current standards, except the
expected PIDFILE value because changing the PID file path would
require changing build options.
The stop action now uses the PID file instead of "killall", and reload
is supported using SIGHUP (with limitations described in D-Bus
documentation). "--syslog" is added to the dbus-daemon arguments to
ensure log messages will be available, otherwise log messages after
fork may be lost.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f51a475280)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The "servicename" environment variable was never set, so the condition
in the "condrestart" case would always evaluate to false. Nobody seems
to have noticed since it was introduced with commit
ceb2859765 in 2007, so simply remove it.
Likewise, the comment in the stop function that mentions $servicename
is incorrect, there is no safety check to the "killall" call.
With those, remove the /var/lock/subsys/dbus-daemon file that was
created but never used.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3dd3944097)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
* Wait for process to stop before deleting PID file, instead of fixed
wait during restart
* Use long form options
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b91258e424)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
libxshmfence has multiple paths available for the shared memory
directory, as some distros [0] opt to mount their tmpfs in a
non-standard location such as /run/shm rather than /dev/shm.
The default value of 'auto' will set this path to whatever the host is
using, leaking host configuration into the target. See [1].
With X configurations that depend on shared memory files for futexes,
(muvm [2] is a notable example), this results in applications silently
breaking during presentation with a blank window, as the configured
path doesn't have the required tmpfs mount.
Set this path explicitly to avoid situations where the host context
leaks into the package build, causing feature breakage.
[0] https://wiki.ubuntu.com/OneiricOcelot/ReleaseNotes?action=show&redirect=OneiricOcelot%2FTechnicalOverview#Upgrades
[1] https://gitlab.freedesktop.org/xorg/lib/libxshmfence/-/blob/libxshmfence-1.3.3/configure.ac#L144
[2] https://github.com/AsahiLinux/muvm
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
[Julien:
- add link to shared memory dir detection code in commit log
- replace "+=" by "=" in _CONF_OPTS
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cb79eee7fe)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This tool has been removed from upstream rpi-firmware, so drop the
corresponding option and logic in rpi-firmware.mk.
The tool has been removed by upstream commit
d1fcc26038186aecc1501a0b749833300afba801 ("opt: Remove builds of
deprectated userland tools").
It is Buildorot commit
28e6953ba8 ("package/rpi-firmware: bump
version to 5476720") that did a bump to a version of rpi-firmware that
no longer provided vcdbg.
Cc: Köry Maincent <kory.maincent@bootlin.com>
Cc: Gaël PORTAY <gael.portay@rtone.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f53a1af56b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Due to issues in the installation of qt5webkit, building the
corresponding Python binding fails:
Project ERROR: Unknown module(s) in QT: webkit
Error: /home/thomas/buildroot/br/output-all/host/bin/qmake failed to create a
makefile from PyQt5.pro.
make[1]: *** [package/pkg-generic.mk:263: /home/thomas/buildroot/br/output-all/build/python-pyqt5-5.15.6/.stamp_configured] Error 1
make: *** [Makefile:83: _all] Error 2
https://lore.kernel.org/buildroot/20220929181350.1026033-1-thomas.ballasi@savoirfairelinux.com/
was an attempt at fixing it, but this patch doesn't work and looks
weird.
So for the time being, disable the Webkit module in python-pyqt5. This
issue has indeed been around for as far as 2022.
Fixes:
https://autobuild.buildroot.net/results/b9d69d21e734aa62a6e0b4d4124c2bcfc027ebe4/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b3e9dc303e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Add another patch from Fedora, also used in Arch Linux to fix a gcc >=
14.x build issue:
build/qt5webkit-5.212.0-alpha4/Source/WebCore/page/csp/ContentSecurityPolicy.cpp:235:56: required from here
235 | if ((policy.get()->*allowed)(std::make_pair(algorithm, digest)))
| ~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~
host/opt/ext-toolchain/aarch64-buildroot-linux-gnu/include/c++/14.3.0/type_traits:1246:52: error: non-constant
condition for static assertion
1246 | static_assert(std::__is_complete_or_unbounded(__type_identity<_Tp>{}),
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit b79eb5a28f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
It is not clear which change introduce this breakage, but we suspect
it is related to GCC 14.x. In any case, the fix does no harm and is
good to backport to 2025.02.x.
Fixes:
/home/thomas/buildroot/br/output-all/build/qt5webkit-5.212.0-alpha4/Source/ThirdParty/ANGLE/src/common/mathutil.h:575:8: error: ‘uint32_t’ does not name a type
575 | inline uint32_t RotL(uint32_t x, int8_t r)
| ^~~~~~~~
/home/thomas/buildroot/br/output-all/build/qt5webkit-5.212.0-alpha4/Source/ThirdParty/ANGLE/src/common/mathutil.h:19:1: note: ‘uint32_t’ is defined in header ‘<cstdint>’; this is probably fixable by adding ‘#include <cstdint>’
18 | #include <stdlib.h>
+++ |+#include <cstdint>
19 |
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit d10726a1a1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the bump of ICU from ICU 73 to ICU 77 in commit
dcee99507c, the build of qt5webkit fails
with:
/home/thomas/buildroot/br/output-all/host/aarch64-buildroot-linux-gnu/sysroot/usr/include/unicode/char16ptr.h:271:38: error: ‘enable_if_t’ in namespace ‘std’ does not name a template type
271 | template<typename T, typename = std::enable_if_t<std::is_same_v<T, UChar>>>
| ^~~~~~~~~~~
We taken two patches from Arch Linux, one which is a partial upstream
backport, and another which was submitted upstream, to address this
build issue.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0ad3afa191)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Suggested by Gerbera:
fcf3147223
CMake Warning at CMakeLists.txt:583 (message):
!! It is strongly recommended to build libupnp with --disable-blocking-tcp-connections !!
Without this option non-responsive control points can cause libupnp to hang.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 48c1e7cc6d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entry introduced in [2] is then no longer matched to
the cmake package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 5ce1e773b9 package/cmake: ignore CVE-2016-10642
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ac47f65186)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entry introduced in [2] is then no longer matched to
the dovecot package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 948e71689a package/dovecot: ignore CVE-2016-4983
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9dbd14df22)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The IGNORE_CVES entries introduced in [1] no longer match to the glibc
package following the bump to v2.42 in [2]. The version boundaries
specified on the NVD DB are specific to 2.40 & 2.41.
The CVE-2025-8058 though don't have any information available on the NVD
DB and will remain on the IGNORE_CVES then.
[1] feaf53585a package/glibc: security bump to version 2.41-70
[2] fb6256c0ef package/{glibc, localdef}: bump to version 2.42
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6fc37d7c6e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
These IGNORE_CVES entries introduced in [2] are then no longer matched to
the glibc package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] adaae82c58 package/glibc: ignore CVEs not considered as security issues by upstream
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9383a3a726)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The IGNORE_CVES entries introduced in [2][3][4] are then no longer
matched to the grub2 package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 2495630383 boot/grub2: ignore CVE-2024-1048
[3] e2f46ed03d boot/grub2: ignore CVE-2023-4001
[4] a490687571 boot/grub2: ignore the last 3 remaining CVEs
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2a2184f317)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2024-32928 introduced in [2] is then no longer matched to the
libcurl package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
[2] 7e739d49b2 package/libcurl: ignore CVE-2024-32928
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b155395a52)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The entry was added in commit [1]. But since then the NVD database
updated the version end specifier.
This IGNORE_CVES entry is then no longer needed.
[1] 51b1e1daf5 package/libssh: ignore CVE-2025-5318
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4aacd22a85)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2023-37769 is then no longer matched to the pixman package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5043af53ed)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2017-8806 is then no longer matched to the postgresql package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Reviewed-by: Maxim Kochetkov <fido_max@inbox.ru>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit b1ca8ca4ba)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the CVEs are no longer matched to CPEs with
versions using '-'.
The CVE-2015-3243 is then no longer matched to the rsyslog package.
For more information, see the explanation in commit [1].
[1] 35f376d88e support/scripts/cve.py: fix CPE matching
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1e48fde1cb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patches header as well
as the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 74b079d9e9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7c9166cd86)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7a8524a701)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For kernel patched with 440cf77625e3 ("perf: build: Setup
PKG_CONFIG_LIBDIR for cross compilation"), if neither PKG_CONFIG_LIBDIR,
PKG_CONFIG_PATH nor PKG_CONFIG_SYSROOT_DIR are provided, the perf
Makefile while try to set some default value for PKG_CONFIG_LIBDIR,
which will not point correctly to buildroot staging directory. This
issue will lead for example to a failure to find libtraceevent even
if it is correctly enabled and installed in the staging dir, and so it
will make perf fail to build.
Make sure to call the perf make command with PKG_CONFIG_LIBDIR variable
set and pointing to buildroot staging area to make sure to properly
detect perf dependencies.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f784c823ef)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When trying to perform a custom uprobe recording on a target with perf
built by buildroot, the recording step fails as perf can not record
uprobes without libtraceevent support:
$ perf probe -x linked_list insert_name index
Target program is compiled without optimization. Skipping prologue.
Probe on address 0x808 to force probing at the function entry.
Added new event:
probe_linked_list:insert_name (on insert_name in /root/gdb/linked_list with index)
perf is not linked with libtraceevent, to use the new probe you can use tracefs:
cd /sys/kernel/tracing/
echo 1 > events/probe_linked_list/insert_name/enable
echo 1 > tracing_on
cat trace_pipe
Before removing the probe, echo 0 > events/probe_linked_list/insert_name/enable
$ perf record -e probe_linked_list:insert_name ./linked_list
event syntax error: 'probe_linked_list:insert_name'
\___ unsupported tracepoint
libtraceevent is necessary for tracepoint support
Run 'perf list' for a list of valid events
Usage: perf record [<options>] [<command>]
or: perf record [<options>] -- <command> [<options>]
-e, --event <event> event selector. use 'perf list' to list available events
libtraceevent support for perf has been disabled with commit
b4ab45a5c1 ("package/linux-tools: disable libtracevent detection")
because there was no libtraceevent package in buildroot to replace the
former libtraceevent removed from the kernel sources. Since then, commit
1474f1b34b ("package/libtraceevent: new package") has introduced a
libtraceevent package. We can then expose again the possibility to build
perf with libtraceevent support.
Make buildroot perf makefile detect if libtraceevent package has been
enabled, and if so, allow to build perf with libtraceevent support.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Tested-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5396f730d7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ba51d53019)
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Buildroot commit [1] removed the IGNORE_CVES entries for
CVE-2024-24258 & CVE-2024-24259 because they referenced a patches no
longer existing.
Those IGNORE_CVES entries are still required because the CVEs reference
the exact mupdf version Buildroot is using.
Re-introduce those IGNORE_CVES entries with an updated comment instead.
[1] f2e442a14d package/mupdf: remove stale IGNORE_CVES
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a8e7e6c852)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the
`0001-Disable-tests.patch` patch reference
was removed in favour of a build argument that disable the tests.
This update the reference in IGNORE_CVES accordingly.
[1] ba2fb599cd package/pixman: bump to version 0.44.2
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f276648692)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the
`0003-SDL_x11yuv.c-fix-possible-use-after-free.patch` patch reference
was renamed.
This update the reference in IGNORE_CVES accordingly.
[1] 9fab7bb79d package/sdl: drop directfb support
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d372b654a4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit ee647574b7)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9265e69735)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c9b63b439c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit cef136b5f0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit eb0dde58b3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 848d7dc51f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0b76139aa9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 7b8c58ae03)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 6244163284)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patches header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 9d0e4db4c4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In commit 67e84345c1 ("package/vim: fix
reinstallation"), we fixed the reinstallation of vim for the target
package by removing symlinks before calling "make installlinks".
However, this didn't fix the same problem for the host-vim package.
So instead, this commit adds a patch, accepted upstream, that uses "ln
-sf" instead of "ln -s" to create the symlinks, allowing them to be
overwriten on reinstallation.
Fixes:
ln: failed to create symbolic link 'view': File exists
on reinstallation of host-vim.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ee656a4486)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit [1] "kvmtool: bump to f77d646ba0" removed the
definition of KVMTOOL_EXTRA_LDFLAGS but forgot to remove its usage
in KVMTOOL_MAKE_OPTS.
This commit removes it since it is no longer needed.
[1] f20615b53e
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 443307ef50)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The run log of this ltp-testsuite test shows:
INFO: runltp script is deprecated, try kirk
https://github.com/linux-test-project/kirk
This commit updates this test to replace this deprecated runltp
shell script with the newer kirk Python script.
The logic of this runtime test remains the same: it runs a small number
of 'read' system call tests, and checks there is no failures and at
least one test succeed.
Cc: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Acked-by: Petr Vorel <petr.vorel@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 43e254a646)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit [1] (package/tio: bump to 3.5) added the libglib2 in
the .mk file without selecting it in Config.in.
This commit fixes that.
[1] 3d85e9df43
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 5a40d54cc3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch fixes the information to the patch header to have a single
vulnerability per line.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 96ba06347b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c0921c6b38)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 3efa0091a4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 51a3cb5db4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 04d80d13ec)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d464e5e856)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0669124d77)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The fixes for the CVE-2024-24258 & CVE-2024-24259 were introduced in [1]
and targeted the package libfreeglut.
The patches that fixed CVE-2024-24258 & CVE-2024-24259 in libfreeglut
were removed in Buildroot commit [2]. With this bump the IGNORE_CVES
entries for mupdf were not removed.
[1] 0f4fef076f package/libfreeglut: add upstream security fix for CVE-2024-2425{8, 9}
[2] b1c77090ef package/libfreeglut: bump version to 3.6.0
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit f2e442a14d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit [1] the patches that fixes a security
vulnerability needs to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 1b656345ec)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit [1] removed the stale cpp-httplib patched but the
IGNORE_CVES entry wasn't removed.
[1] 8988278241 package/cpp-httplib: remove stale patch
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 77d1dcd2ea)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The ddresue runtime test is using the `dmsetup` command provided by the
dmraid package. This package is outdated and will be removed. This
command is also provided by the lvm2 package, which is still maintained.
This commit replaces the dmraid package by lvm2 in the test config.
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 4fc6e8637b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Backport upstream patch fixing:
hash.c:76:6: error: conflicting types for ‘hash_empty’; have ‘void(struct hash *)’
76 | void hash_empty(struct hash *h)
| ^~~~~~~~~~
In file included from hash.c:22:
hash.h:41:6: note: previous declaration of ‘hash_empty’ with type ‘void(void)’
41 | void hash_empty();
| ^~~~~~~~~~
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2bfdadab43)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes:
mb-applet-launcher.c: In function ‘get_launch_window’:
mb-applet-launcher.c:269:18: error: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
269 | time_t stime = time(NULL);
| ^~~~
No autobuilder failures, it was hidden by other failures.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d5bb2902ec)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Switched _SOURCE to .gz, upstream does not provide bz2 tarballs
anymore. This means in fact _SOURCE can be dropped, as it's now the
default value.
No autobuild errors recorded due to previous download error with
matchbox-lib.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 446fea34aa)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Switched _SOURCE to .gz, upstream does not provide bz2 tarballs anymore.
No autobuild errors recorded due to previous download error with
matchbox-lib.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit c687f2fcf5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Dependency was made optional in 4.6.0 release here:
6058ab9dfe
python-can has a lot of optional dependencies, most of which are not
represented in buildroot. As msgpack is used for the virtual multicast
udp can interface[1], which does seem like a bit of a niche usecase,
just drop the mandatory dependency without introducing a user-visible
config option to enable it.
[1] https://python-can.readthedocs.io/en/4.0.0/interfaces/udp_multicast.html
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit a4cdb412f1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Libiio python bindings use ctypes and specifically the find_library()
function from there to load the libiio.so shared library. This is not
working unless glibc utils (specifically ldconfig) is installed to the
target (alternatively the target would need gcc or binutils, for objdump
or ld).
The easy fix here is to just bypass the find_library() machinery
altogether as it's not needed on a buildroot system.
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Tested-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 193df1cbec)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In commit a68899d49e ("package/python3:
work around GCC bug 121567"), we introduced a work around for a gcc
bug, by reducing to -O1 the optimization level on SuperH.
However, it turns out that this is not sufficient, as the build will
only succeeded at -O0.
Fixes:
https://autobuild.buildroot.net/results/31f/31f34a983036b4135c12e5797b5c2258ab33e6c2/
Which is a config with BR2_OPTIMIZE_2=y, which means
BR2_TOOLCHAIN_HAS_GCC_BUG_121567=y, and therefore -O1 is passed, but
still the build fails. At -O0 the build doesn't fail.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0f938aed25)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The test to enable NEON on AArch64 is as following:
ifeq ($(BR2_aarch64)$(BR2_ARM_CPU_HAS_NEON),yy)
It cannot be to true as $(BR2_aarch64) and $(BR2_ARM_CPU_HAS_NEON) are
mutually exclusive. NEON is compulsory on AArch64 so remove
$(BR2_ARM_CPU_HAS_NEON) from the test.
Fixes: ba2fb599cd ("package/pixman: bump to version 0.44.2")
Signed-off-by: Sébastien Szymanski <sebastien.szymanski@armadeus.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit d297569eb4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since the bump of pip to version 25.3 in commit
285097051d, the build of the Python
bindings of libselinux is broken for both the host and target
variants.
For the host variant, because "pip install" no longer finds the
system-provided setuptools and tries to download setuptools by itself,
causing build issues because our host-python doesn't have SSL support:
Could not fetch URL https://pypi.org/simple/setuptools/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/setuptools/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
For the target variant, because "pip install" no longer finds the
sysconfigdata package:
ModuleNotFoundError: No module named '_sysconfigdata__linux_sparc64-linux-gnu'
[end of output]
We fix this by taking a patch from Debian, which is slightly tweaked
to also cover our host package (the original Debian patch was passing
--no-build-isolation only when DESTDIR was not empty, but in Buildroot
host packages are built with DESTDIR empty, and we do need
--no-build-isolation).
Fixes:
https://autobuild.buildroot.net/results/0e9de0c0d8b6ec57eea9f8834f02076b296ba4f1/ (host-libselinux)
https://autobuild.buildroot.org/results/1b87c659f1901b0bf33fa4a2ff0ed40b13114bba/ (libselinux)
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Co-Authored-By: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 0e5eef911c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CPE 'cpe:2.3:a:antirez:linenoise:1.0:*:*:*:*:*:*:*' is valid for the
package linenoise [1].
Since the latest version is '1.0' since 2015 the CPE_ID_VERSION is set
to that version.
The CVE that applies on version 1.0 were checked with the 'cve-check'
script:
```
echo '{"components": [{"bom-ref": "linenoise", "name": "linenoise", "version": "1.0", "cpe": "cpe:2.3:a:antirez:linenoise:1.0:-:*:*:*:*:*:*"}]}' | support/scripts/cve-check | jq -r '.vulnerabilities[].id'
```
Only the CVE-2025-9810 exists and that was fixed in [2].
[1] https://nvd.nist.gov/products/cpe/detail/10423C23-6AAA-439E-B723-1FCDEB3A769F
[2] 3c7cbf97d7 package/linenoise: security bump to version e26268de5e
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2668d121e5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
opencv3's code is not compatible with newer versions of ffmpeg, and
opencv3 is no longer maintained, so we have no choice but to disable
its ffmpeg support.
Fixes:
https://autobuild.buildroot.net/results/9ae3911583cccb6362f33cd82e5eaafb059fdc76/
It's not clear which ffmpeg version bump broken the build exactly, but
this issue is definitely present in 2025.02.x as the following
defconfig fails to build in a similar way on 2025.02.x:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_FFMPEG_NONFREE=y
# BR2_PACKAGE_FFMPEG_FFMPEG is not set
# BR2_PACKAGE_FFMPEG_INDEVS is not set
# BR2_PACKAGE_FFMPEG_OUTDEVS is not set
BR2_PACKAGE_OPENCV3=y
BR2_PACKAGE_OPENCV3_LIB_VIDEOIO=y
BR2_PACKAGE_OPENCV3_BUILD_PERF_TESTS=y
BR2_PACKAGE_OPENCV3_WITH_FFMPEG=y
BR2_PACKAGE_OPENCV3_INSTALL_DATA=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ef538cf4d9)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The protobuf support breaks the build, as protobuf includes
libabseil-cpp headers, which now require C++14. opencv3 doesn't have
any ENABLE_CXX14 option, so for the time being, disable protobuf
support until someone bothers enough to fix this up.
While we suspect a libabseil-cpp version bump to be responsible for
the issue, we are not 100% sure. However, the issue is definitely
present in Buildroot 2025.02.x, as it can be reproduced using the
following defconfig:
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_OPENCV3=y
BR2_PACKAGE_OPENCV3_LIB_SHAPE=y
BR2_PACKAGE_OPENCV3_LIB_STITCHING=y
BR2_PACKAGE_OPENCV3_LIB_SUPERRES=y
BR2_PACKAGE_OPENCV3_LIB_TS=y
BR2_PACKAGE_OPENCV3_LIB_VIDEOSTAB=y
BR2_PACKAGE_OPENCV3_WITH_PROTOBUF=y
Fixes:
https://autobuild.buildroot.net/results/39432e7746e6bc5224592a7d2f744ca992bd529a/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0865927da4)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
cppcms.com now points to a Github page at
https://github.com/artyom-beilis/cppcms which has a 2.0.1 version, so
let's use that. The number of differences to 2.0.0.beta2 is very
small:
$ git log --online v2.0.0.beta2..v2.0.1
b872972 (tag: v2.0.1, origin/master, origin/HEAD, master) Version to 2.0.1
a1914f7 (tag: v2.0.0) Replaced system category with one from predating C++11 (v1.2) because std::system_category does not translate WSAGetLastError results
c4febcc Merge pull request #104 from dreaming-augustin/upstream
922cd49 Python 3.12 compatibility: wrap regex in r''.
a11e9d4 Merge branch 'cpp11'
3000bc6 (origin/1.2_updates) Merge pull request #99 from dreaming-augustin/master
44e24c7 [#89] cppcms_error fix typo + consistent messages
a6d5575 (origin/cpp11) Added backtrace to system error
b3aef3b Fixed missing include for stripped down build
463a9a6 Removed IPV6 due to travis limitations
f8163c6 Merges from cpp11
31d4fe7 Added verbose log on failure
90bc996 Added Linux to build matrix - so I have fallback if normal build environment fails
f78ee39 Added Readme for github
a737d5d Merged python3 compatibility from master
0c67544 Support of python 2.7 and python 3
0d121a7 Python3 compatibility
2fc7e38 Python3 compatibility
d745869 python3 fix for tmp_cc
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 29641d1675)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Since Buildroot commit dcee99507c that
bumped package/icu to version 77-1, the build of cppcms with ICU
support enabled fails.
Indeed, ICU now requires C++17, and while cppcms.mk has some logic to
get C++ flags using icu-config, the -std=c++17 gets ultimately
overridden by the built-in -std=c++11 flag encoded in cppcms
CMakeLists.txt.
To fix this, we have submitted a patch upstream that ensures the
CMAKE_CXX_FLAGS passed on the command line take precedence over the
built-in flags defined in cppcms CMakeLists.txt.
Fixes:
https://autobuild.buildroot.net/results/9c34a08ea02499b28093ad3fa184cee10b2883ac/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 5a8811cade)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Switched _SITE to github, old project site is down.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: change _VERSION to use 'git describe --abbrev=40' format]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 652dbe71c3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The VIM_REMOVE_DOCS variable is currently a post install target hook,
but it can just as well be done inside VIM_INSTALL_TARGET_CMDS
directly.
The hook was registered conditionally based on BR2_PACKAGE_VIM_RUNTIME
because prior to commit f7a07f42f7, the
hook's logic was:
find $(TARGET_DIR)/usr/share/vim -type f -name "*.txt" -delete
which was failing if BR2_PACKAGE_VIM_RUNTIME was not enabled, as
$(TARGET_DIR)/usr/share/vim would not exist.
But since this commit, the hook logic is:
$(RM) -rf $(TARGET_DIR)/usr/share/vim/vim*/doc/
which obviously won't fail if $(TARGET_DIR)/usr/share/vim doesn't
exist.
So let's simplify the whole logic.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 7bcc99b57b)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Instead of calling $(MAKE) multiple times, let's call it once, with
all installation targets needed. We introduce a VIM_INSTALL_TARGETS
variable to collect the list of make install targets that need to be
invoked.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 525a234303)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In Buildroot, we more commonly do:
$(MAKE) -C $(@D)/src
than:
cd $(@D)/src; $(MAKE)
so let's adopt this more conventional style.
This coding style in vim.mk dates from when the package was introduced
by Peter Korsgaard back in 2010.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 21e613753e)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
While not very common, it is nice when package re-installation
works. Unfortunately the "installlinks" target of vim installs links
with "ln -s", causing a package reinstallation to fail with:
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim ex
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim view
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim rvim
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim rview
cd /home/thomas/buildroot/br/output-all/target/usr/bin; ln -s vim vimdiff
ln: failed to create symbolic link 'ex': File exists
ln: failed to create symbolic link 'view': File exists
make[2]: *** [Makefile:2749: /home/thomas/buildroot/br/output-all/target/usr/bin/ex] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: *** [Makefile:2752: /home/thomas/buildroot/br/output-all/target/usr/bin/view] Error 1
ln: failed to create symbolic link 'rvim': File exists
ln: failed to create symbolic link 'rview': File exists
To fix this, we remove the target links before proceeding with the
installation.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 67e84345c1)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fixes the following vulnerability:
- CVE-2025-68146
A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local
attackers to corrupt or truncate arbitrary user files through symlink
attacks.
For more informations, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-68146
- 18a9988008
(cherry picked from commit d9c1379d1f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The tests check if all supported hash algorithms are usable in
mkimage, for both host and target packages. Additionally, as a
necessary tool, it verifies the previous fix for FIT output from
dumpimage.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use builtin kernel for faster testing]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 2dbe71dba6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Some host commands need to call other host commands: For example,
"mkimage" from host-uboot-tools needs to run "dtc". This would fail or
call system commands without adding the host bin dir to PATH.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use python functions/constants to build path]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit befb6ae81d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Otherwise "dumpimage -l" produces only a newline when processing a FIT
image.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 39b925a0a6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The build of the following basic configuration enabling the
imagination Vulkan driver
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION=y
fails with:
meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Adding just LLVM as a dependency is not enough, as then libclc is
needed, then LLVMSPIRVLib, then clangBasic, then the pco_clc tool.
In fact, like the Panfrost driver, building the Imagination driver
requires building host tools using host-mesa3d. To fix this we:
- Make the BR2_PACKAGE_MESA3D_OPENCL option selectable
- Make sure that BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION depends
on BR2_PACKAGE_MESA3D_LLVM and select
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER (the latter being needed to
build host-mesa3d)
- Make sure the host-mesa3d builds imagination
tools (-Dtools=imagination) and install
pco_clc (HOST_MESA3D_INSTALL_PCO_CLC). This requires introducing
HOST_MESA3D_TOOLS as a list of tools to build, which then gets used
to construct the -Dtools argument, as we can now have both
"panfrost" and "imagination" in this list.
With all this, the defconfig above builds successfully.
This has been broken since Buildroot commit
5e818c16a3, which introduced the vulkan
driver support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e1d159c5d5)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
the CSharp Extension was removed in grcp 1.47.0 [0] and the option in
the CMakeLists was dropped in 1.58.0 [1], which means that it is no
longer relevant since Buildroot commit
91d1207de0, which bumped grpc from
1.51.1 to 1.66.1.
So remove this option for host-grpc as well.
Fixes:
CMake Warning:
Manually-specified variables were not used by the project:
gRPC_BUILD_CSHARP_EXT
[0] https://github.com/grpc/grpc/releases/tag/v1.47.0
[1] 3a2bd221ef
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e513d6a5fd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This version allows to build with Linux 6.18.
Fixes:
In file included from core/crypto/sha256.c:11:
core/crypto/sha256.h:16:5: error: conflicting types for 'hmac_sha256'; have 'int(const u8 *, size_t, const u8 *, size_t, u8 *)' {aka 'int(const unsigned char *, long unsigned int, const unsigned char *, long unsigned int, unsigned char *)'}
Build failure still not occured in autobuilders.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add details about the error being fixed]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9ec337489a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Adds documentation about adding a patch that address a vulnerability.
The patch-policy file now explain mention that patches that address a
vulnerability needs to include a `CVE:` trailer with the reference of
that vulnerability.
Until now only adding the reference to the `_IGNORE_CVES` variable was
necessary, so the documentation of this entry is modified as well to
point to the patch policy.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1167d0ff3d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CycloneDX specification for vulnerabilities defines four analysis
states ([1]) for cases where a vulnerability does not affect a component:
* resolved
* resolved_with_pedigree
* not_affected
* false_positive
Currently, the metadatas present in Buildroot does not allow an accurate
mapping of ignored CVEs to the appropriate CycloneDX vulnerability
categories. As a result, all ignored CVEs are currently marked as
'in_triage' by default.
This default analysis was established during the introduction of the
'generate-cyclonedx' script. The reasoning at the time was that SBOM
consumers might want to re-evaluate ignored vulnerabilities, as the
Buildroot infrastructure could not reliably determine their actual
state.
This patch adds support for automatically marking vulnerabilities as
'resolved_with_pedigree' when a Buildroot patch includes a 'CVE:''
tag in its header referencing the CVE identifier.
The 'CVE:' tag appears alongside the already required 'Upstream:', if
the patch address a security vulnerability and may be repeated if a
patch addresses multiple vulnerabilities.
If a vulnerability is addressed by multiple patches, each patch will need to
reference the vulnerability identifier.
For details on how CycloneDX handles 'resolved_with_pedigree', see
[1][2].
As an example, the CVE-2025-3198 from the binutils package will result
in the following pedigree for the binutils component:
```
{
"type": "unofficial",
"diff": {
"text": {
"content": "..."
}
},
"resolves": [
{
"type": "security",
"name": "CVE-2025-3198"
}
]
},
```
The `resolves` property is an array of issue the pedigree resolves. If
multiple are addressed by the same patch, then multiple identifier will be
present in this array.
In the listed vulnerabilities the entry for the CVE-2025-3198 looks like
this:
```
{
"id": "CVE-2025-3198",
"analysis": {
"state": "resolved_with_pedigree",
"detail": "The CVE 'CVE-2025-3198' has been marked as ignored by Buildroot"
},
"affects": [
{
"ref": "binutils"
}
]
}
```
[1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis_state
[2] https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches_items_resolves
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9415529923)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
https://github.com/google/brotli/blob/v1.2.0/CHANGELOG.md
Adds the following security hardening:
python: added Decompressor::can_accept_more_data method and optional
output_buffer_limit argument Decompressor::process; that allows mitigation
of unexpectedly large output
Which is needed to complete the security fixes in python-urllib3 2.6.0.
Added dependency to host-python-pkgconfig to fix build error which would
be introduced by this bump.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: mark as security bump, describe the relation with urllib3]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fe5dcf402c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
