Fixes the following CVEs:
- CVE-2025-3015: A vulnerability classified as critical has been found in
Open Asset Import Library Assimp 5.4.3. This affects the
function Assimp::ASEImporter::BuildUniqueRepresentation of
the file code/AssetLib/ASE/ASELoader.cpp of the component
ASE File Handler. The manipulation of the argument mIndices
leads to out-of-bounds read. It is possible to initiate the
attack remotely. The exploit has been disclosed to the
public and may be used.
See: https://www.cve.org/CVERecord?id=CVE-2025-3015
- CVE-2025-3016: A vulnerability classified as problematic was found in
Open Asset Import Library Assimp 5.4.3. This vulnerability
affects the function Assimp::MDLImporter::ParseTextureColorData
of the file code/AssetLib/MDL/MDLMaterialLoader.cpp of the
component MDL File Handler. The manipulation of the argument
mWidth/mHeight leads to resource consumption.
The attack can be initiated remotely.
See: https://www.cve.org/CVERecord?id=CVE-2025-3016
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Django includes code from a couple of other projects; add their
respective license files and licenses to the django package.
./utils/scanpypi finds most of these. Additionally this was
cross-checked against Debian's license list [1], not including some
things that no longer exist or no longer indicate separate licensing
upstream:
* django/contrib/admin/static/admin/fonts/
* django/utils/baseconv.py
* django/utils/ipv6.py
* django/utils/autoreload.py
Also not included are separate licensing for docs, which buildroot
doesn't package:
* docs/_theme/djangodocs/static/reset-fonts-grids.css
* docs/_theme/djangodocs/static/fontawesome/LICENSE.txt
[1] https://metadata.ftp-master.debian.org/changelogs//main/p/python-django/python-django_5.2-1_copyright
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Indent with single tab]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This reverts commit 0586ee6cba.
The dependency is not needed any more with package/python3 providing
3.13 (since commit d63e207eb8).
Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
[Julien: reword commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes the following CVE:
- CVE-2025-47287: When Tornado's ``multipart/form-data`` parser encounters
certain errors, it logs a warning but continues trying to
parse the remainder of the data. This allows remote
attackers to generate an extremely high volume of logs,
constituting a DoS attack.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-47287
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: reword commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
This fixes a memory leak that affects both binutils 2.43 and 2.44,
see https://www.cve.org/CVERecord?id=CVE-2025-3198
Fixes the following CVE:
- CVE-2025-3198: A vulnerability has been found in GNU Binutils 2.43/2.44
and classified as problematic. Affected by this
vulnerability is the function display_info of the file
binutils/bucomm.c of the component objdump.
The manipulation leads to memory leak.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The test_xen.py runtime test, introduced in [1] and improved in [2],
is calling a "stty raw" command, just after the emulated machine
login, to avoid double-cooking the consoles. This double-cooking
prevents the test controller from correctly getting the command error codes.
Buildroot commit [3] "support/testing: set date in emulated machine"
introduced an invocation of the date command to set time on the
emulated machine, just after the login. The returned error code is also
checked. Since this commit [3], the test_xen runtime test is failing
while attempting to set the date. This is because it is invoked before
the test script executes this "stty raw" command.
The need to execute a command just after the login, and just
before we set the emulated machine date, is very limited. It is almost
specific to this test. So, rather than changing the test
infrastructure, this commit simply moves this "stty raw" invocation
from the runtime test script to a custom /etc/profile.d/stty-raw.sh
file in the target rootfs overlay, so that the call is made right at login.
Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/10000011350
[1] 055f82ebbd
[2] cd0ffd598c
[3] cf8641b73e
Cc: Vincent Stehlé <vincent.stehle@laposte.net>
Tested-by: Vincent Stehlé <vincent.stehle@laposte.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add a new initscript to save the date and time to the hardware clock
on shutdown.
Signed-off-by: Michael Walle <michael@walle.cc>
[Arnout:
- package as hwclock-initscript instead of buildroot-initscripts;
- mention in help text that it isn't needed at boot;
- rewrite initscript according to our usual pattern;
- fix shellcheck errors.
]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
Back when the imx-gpu-viv package was enabled on AArch64 in commit
84afda9ca6, the fb output option was not
enabled.
However, according to meta-freescale [0] the framebuffer output can be
enabled on IMX8 by using the wayland libraries together with egl.pc.
[0] https://git.yoctoproject.org/meta-freescale/tree/recipes-graphics/imx-gpu-viv/imx-gpu-viv-6.inc
This commit does enable fb output on AArch64, which requires a few
precautions as the imx-gpu-viv logic is a bit convoluted:
- FB on ARM is supported using "pure" framebuffer libraries. However,
a specific egl.pc is needed: egl_linuxfb.pc. The supporting
libraries are found in the fb/ subdirectory in imx-gpu-viv "code".
- FB on AArch64 is supported using libraries that are linked with
wayland and libdrm, even though wayland/libdrm is obviously not used
for framebuffer output. pkg-config wise, this configuration can use
the default egl.pc. The supporting libraries are found in the
wayland/ subdirectory in imx-gpu-viv "code", as odd as it seems.
- Wayland on ARM and AArch64 is supported using libraries that are
obviously linked against wayland and libdrm. pkg-config wise, egl.pc
needs to be symlinked to egl_wayland.pc.
This patch solves this situation by introducing a hidden boolean
option BR2_PACKAGE_IMX_GPU_VIV_USES_WAYLAND that indicates whether
wayland/libdrm is used by the currently selected output. This is of
course true when BR2_PACKAGE_IMX_GPU_VIV_OUTPUT_WL, but also when
BR2_PACKAGE_IMX_GPU_VIV_OUTPUT_FB on AArch64.
Signed-off-by: Daniel Lang <d.lang@abatec.at>
[Thomas: quite significant rework compared to the submission from
Daniel Lang, so we didn't keep the Reviewed-by from Gary Bisson]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
In preparation for some rework of the package, let's rename the
IMX_GPU_VIV_LIB_TARGET variable to IMX_GPU_VIV_OUTPUT to make it match
the BR2_PACKAGE_IMX_GPU_VIV_OUTPUT config option it corresponds to.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- CVE-2025-23166: Improper error handling in async cryptographic operations
crashes process
- CVE-2025-23165: Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases
Update the license hash for the addition of zstd 1.5.6 (BSD-3-Clause):
f9f611fb58
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issues:
CVE-2025-24223
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to rheza (@ginggilBesel) and an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to
memory corruption. Description: The issue was addressed with
improved memory handling.
WebKit Bugzilla: 287577
CVE-2025-31204
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Nan Wang (@eternalsakura13).
Impact: Processing maliciously crafted web content may lead to
memory corruption. Description: The issue was addressed with
improved memory handling.
WebKit Bugzilla: 291506
CVE-2025-31205
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Ivan Fratric of Google Project Zero.
Impact: A malicious website may exfiltrate data cross-origin.
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 290992
CVE-2025-31206
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash. Description: A type confusion issue was
addressed with improved state handling.
WebKit Bugzilla: 290834
CVE-2025-31215
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Jiming Wang and Jikai Ren.
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash. Description: The issue was addressed with
improved checks.
WebKit Bugzilla: 288814
CVE-2025-31257
Versions affected: WebKitGTK and WPE WebKit before 2.48.2.
Credit to Juergen Schmied of Lynck GmbH.
Impact: Processing maliciously crafted web content may lead to an
unexpected Safari crash. Description: This issue was addressed with
improved memory handling.
WebKit Bugzilla: 290985
https://webkitgtk.org/security/WSA-2025-0004.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The current version was more than 3 years old and had known CVEs (see
CVE-2023-36328). Since this is a host only package, we don't consider
this as a security bump.
This upgrade allows the removal of the two patches currently applied:
- The commit 1b57b62, which fixes the build with autoconf 2.72, is
already included upstream.
- We no longer need to use the JSON-PP module, as it is now
optional (commit 13d3bcf).
Also, since the latest version of Heimdal no longer depends on
e2fsprogs, the host-e2fsprogs dependency has been removed.
Signed-off-by: Guillaume Chaye <guillaume.chaye@zeetim.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Since the bump of Samba to version 4.21.4 in commit
716461af94, <crypt.h> is needed, due to
upstream commit 0dccda38f27b3bbda5d2a4de588a333ff554651a. Since
<crypt.h> is no longer provided by glibc, a dependency on libxcrypt is
needed, to avoid the following build failure:
../../lib/util/util_crypt.c:5:10: fatal error: crypt.h: No such file or directory
5 | #include <crypt.h>
| ^~~~~~~~~
compilation terminated.
This has not been detected by the autobuilders, presumably because a
lot of glibc configurations end up having libxcrypt selected by other
packages, but the issue is reproducible by building:
BR2_arm=y
BR2_cortex_a9=y
BR2_ARM_ENABLE_VFP=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_SAMBA4=y
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
HEIMDAL_INSTALL_STAGING = YES has made no sense since the package was
introduced in 56258f491b ("heimdal: new
package"), as it's a host only package.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
[Arnout: give a bit more explanation, simplify the example]
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
casync-nano is an implementation of a subset of the features of casync,
optimized for performing OTA updates on embedded systems.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The python-pyproj package was introduced in
7c65b4484e, and it selects
BR2_PACKAGE_PROJ, but forgot to propagate its dependencies, so let's
do that.
Fixes:
WARNING: unmet direct dependencies detected for BR2_PACKAGE_PROJ
Depends on [n]: BR2_INSTALL_LIBSTDCPP [=n] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 [=y] && BR2_TOOLCHAIN_HAS_THREADS_NPTL [=y] && BR2_USE_WCHAR [=y]
Selected by [y]:
- BR2_PACKAGE_PYTHON_PYPROJ [=y] && BR2_PACKAGE_PYTHON3 [=y]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Releases have been made to several skarnet.org packages [1]. The biggest
change is that static libraries are installed to /usr/lib by default.
[1] https://skarnet.org/lists/skaware/2098.html
Some COPYRIGHT hashes changed because the copyright years were updated.
Signed-off-by: J. Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The prefix already defaults to /, so --prefix=/ is unnecessary. An
alternative course of action would be to start setting --prefix=/usr.
Signed-off-by: J. Neuschäfer <j.neuschaefer@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issue:
CVE-2025-22247: open-vm-tools contains an insecure file handling
vulnerability.
https://github.com/vmware/open-vm-tools/tree/CVE-2025-22247.patch
The upstream patch needs to be applied with -p2, so drop the open-vm-tools
prefix (sed -i 's|open-vm-tools/||g') and include it here.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
We currently check for unsafe paths right between adding our arguments
and adding the ones passed from the command line. This is not very
consistent.
Unsafe paths can only come from the command line, as we are not adding
any of our own (hopefully, we know better!), so we can run the check as
early as possible.
Move the check very early, but not before we handle --help.
Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
Cc: Romain Naour <romain.naour@gmail.com>
Cc: Giulio Benetti <giulio.benetti@benettiengineering.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
With the recent addition in pkg-stats to detect stale ignore CVE
entries, the CVE-2021-42260 ignore CVE entry is reported as
stale. This is because TINYXML_VERSION is 2.6.2_2, and the CVE is
annotated as affecting versions up to and including 2.6.2.
But in fact, 2.6.2_2 is a special version from the Kodi community, but
it's close to the 2.6.2 release, and CVE-2021-42260 is not fixed in
it. To get meaningful results, let's tell our CVE checking logic that
the tinyxml version is 2.6.2 by setting TINYXML_CPE_ID_VERSION (we're
splitting on the _ and keeping the part before).
Because we're now setting TINYXML_CPE_ID_VERSION, we must drop
TINYXML_CPE_ID_VALID to avoid a check-package warning.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>