https://github.com/google/brotli/blob/v1.2.0/CHANGELOG.md
Adds the following security hardening:
python: added Decompressor::can_accept_more_data method and optional
output_buffer_limit argument to Decompressor::process; that allows mitigation
of unexpectedly large output.
This is needed to complete the security fixes in python-urllib3 2.6.0.
Added a dependency on host-python-pkgconfig to fix the build error which would
be introduced by this bump.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: mark as security bump, describe the relation with urllib3]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fe5dcf402c0075b6ab86a92733ec75135f9dd760)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix two vulnerabilities related to SSH support:
* The external SSH execution code lacked shell quoting on repository
names, resulting in arbitrary command execution.
* SSH public keys were zeroed by calling memset with the wrong length,
resulting in either buffer overflow or incomplete zeroing.
Release notes:
https://github.com/libgit2/libgit2/releases/tag/v1.9.2
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Prefer HTTPS for source downloads.
No functional change; hashes unchanged.
Align comment in .hash and Config.in.
Signed-off-by: Preyas <preyas17@zohomail.in>
[Julien: also update Config.in package home page]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes of this bugfix release:
https://sqlite.org/releaselog/3_51_1.html
"Changes in this specific patch release, version 3.51.1 (2025-11-28):
Fix incorrect results from nested EXISTS queries caused by the
optimization in item 6b in the 3.51.0 release.
Fix a latent bug in fts5vocab virtual table, exposed by new
optimizations in the 3.51.0 release"
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes 1.3.6..1.3.7:
f138e68e7ffefa3f4d71857ddb137fff877fd1d0 getnetconfig.c: free linep to avoid memory leakage
eea92ef0bf2f3f0e337cfd074ebc34d91945f19b Revert "getnetconfig.c: free linep to avoid memory leakage"
d473f1e1f6ba80bfaee4daa058da159305167323 Update declarations to allow compile with gcc-15
240ee6c774729c9c24812aa8912f1fcf8996b162 update signal and key_call declarations to allow compile with gcc-15
07e45147b877c63a1d3dd1f5ae6070543b1d93cf Convert old-style function definitions into modern-style definitions
2cfe608550dbe44ac8fc6c26216f529565713fc4 Convert old-style function definitions into modern-style definitions
581152976f093f31957c48567278535ef54f6b3c Convert old-style function definitions into modern-style definitions
2832da026b0812a23e65773b313b048c68147b09 Convert old-style function definitions into modern-style definitions
d3ff4c39bbcf22e3ff736261b66a9f6c6a6bf4ca Convert old-style function definitions into modern-style definitions
791063e55d9739fa8c7c1a0d4ac1c4f8023a2843 Convert old-style function definitions into modern-style definitions
23b0aa66a34fc6de16d285fbeb60b0fd68fa40d5 Convert old-style function definitions into modern-style definitions
2c9ed28d9c364c6e7c29d9b5b740893a8baea014 Convert old-style function definitions into modern-style definitions
41cb38e2dfdc7053ebcbd777cf868f8fcbcfcf23 Convert old-style function definitions into modern-style definitions
b73283a6982f83974b48d1858735649d6acf6398 Convert old-style function definitions into modern-style definitions
c717a52ed169701b2907ac8eb8678ca41b1533ba Convert old-style function definitions into modern-style definitions
4eeb59a8dbcc6b4d3db1b81a00615f6e7832a97c Convert old-style function definitions into modern-style definitions
7cea8ad66aecc21e6caae330b5d31075af399193 Add conditional version script support
5bd87617e4b3129e76e79847c95bdea4b1290d9f Release 1.3.7
Our two patches are upstream as of
d473f1e1f6ba80bfaee4daa058da159305167323 and
240ee6c774729c9c24812aa8912f1fcf8996b162 respectively.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 930660890b bumped kbd to
version 2.9.0 which includes optional support for various compression
libraries. This commit adds the corresponding configure options and a
fix for build errors caused by zlib.
The build error was happening when zlib was compiled before kbd.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_KBD=y
BR2_PACKAGE_ZLIB=y
EOF
make olddefconfig
make zlib
make kbd
The compilation fails with the error:
kbdfile-zlib.c: In function 'dlopen_note':
elf-note.h:27:30: error: 'sym_gzopen' undeclared (first use in this function); did you mean 'sym_gzopen64'?
27 | #define DLSYM_ARG(symbol__) &sym_##symbol__, STRINGIFY(symbol__),
| ^~~~
Fixes:
https://autobuild.buildroot.net/results/8ff/8ff6c3d940b68069f748f12646f7516ec86172c1/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add commands to reproduce the issue
- update patch "Upstream:" link to upstream commit
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://github.com/strace/strace/blob/v6.18/NEWS
Buildroot commit a06d79862a bumped the
linux kernel to version 6.18 which broke the build of strace.
The issue can be reproduced with commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_PACKAGE_STRACE=y
EOF
make olddefconfig
make strace
The build is failing with error:
listmount.c: In function 'print_mnt_id_req':
listmount.c:39:16: error: 'struct mnt_id_req' has no member named 'spare'
39 | if (req.spare) {
| ^
Fixes:
https://autobuild.buildroot.org/results/8e3de892a1c4aa176a8b3a5defba48aa9830bc89/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- update pgp key comment in hash file
- add commands to reproduce the issue and error log
- add autobuilder failure log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a06d79862a bumped the
linux kernel to version 6.18 which broke the build of cryptodev-linux.
Added upstream patch to fix the problem.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since we bumped to glibc 2.42, the build of Python 3 is failing on
Sparc64 due to the removal of the "struct termio" definition from
glibc. Since this only affects a small number of termio operations, we
simply drop support for them, since they basically can't be used
anymore (and we don't really care that much about those specific
operations that only exist on Sparc64).
Fixes:
https://autobuild.buildroot.net/results/28fee0f8368ae3dc1d607ebad4881b736e360f07/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The NVD database has CVE entries that are not present but may be
referenced in other security trackers.
For instance, CVE-2024-12455 is documented in the Debian security
tracker [1]. However, the NVD page is empty [2] and this entry is not
present in the NVD database mirror.
The following command would make the script fail:
```
echo '{
"vulnerabilities": [
{
"id": "CVE-2024-12455"
}
]
}' | support/scripts/cve-check --enrich-only
```
No CVEs present in Buildroot's ignored CVEs are affected. But when
enriching an SBOM with a legitimate CVE not present on NVD, the script
will fail.
This patch changes the behavior to just log unknown CVEs to stderr
instead of making the script fail.
[1] https://security-tracker.debian.org/tracker/CVE-2024-12455
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-12455
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: Tweak warning message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
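As an added illustration of the behaviour change described above (this is not Buildroot's cve-check script; it assumes a dict-based stand-in for the NVD mirror and a constructed SBOM with one known and one unknown CVE id):

```python
import json
import sys

# Constructed stand-in for the local NVD mirror. The id is a placeholder,
# not a real CVE; the data shape is assumed, not Buildroot's mirror format.
NVD_MIRROR = {
    "CVE-0000-0000": {"cvss": 7.5, "description": "constructed sample entry"},
}

# Constructed SBOM fragment: one id the mirror knows, one it does not
# (CVE-2024-12455 exists in the Debian tracker but has an empty NVD page).
SAMPLE_SBOM = '{"vulnerabilities": [{"id": "CVE-0000-0000"}, {"id": "CVE-2024-12455"}]}'


def enrich_vulnerabilities(sbom, nvd, strict=False):
    """Return (enriched_sbom, unknown_ids).

    strict=True mimics the old behaviour: an id missing from the mirror
    aborts the whole run.  strict=False mimics the fixed behaviour: the id
    is reported on stderr and the entry is kept, just left unenriched.
    """
    out = {"vulnerabilities": []}
    unknown = []
    for vuln in sbom.get("vulnerabilities", []):
        cve_id = vuln["id"]
        entry = nvd.get(cve_id)
        if entry is None:
            if strict:
                raise KeyError(f"{cve_id} not found in NVD mirror")
            print(f"warning: {cve_id} not found in NVD mirror, "
                  "left unenriched", file=sys.stderr)
            unknown.append(cve_id)
            out["vulnerabilities"].append(dict(vuln))
            continue
        enriched = dict(vuln)      # copy so the input SBOM is untouched
        enriched.update(entry)
        out["vulnerabilities"].append(enriched)
    return out, unknown


def enrich_json(text, nvd=NVD_MIRROR, strict=False):
    """Parse an SBOM JSON document and enrich it from the mirror."""
    return enrich_vulnerabilities(json.loads(text), nvd, strict)


if __name__ == "__main__":
    result, missing = enrich_json(SAMPLE_SBOM)
    print(json.dumps(result, indent=1))
    print("unknown:", missing, file=sys.stderr)
```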
Building a simple configuration such as:
BR2_aarch64=y
BR2_FORCE_HOST_BUILD=y
Under our reference Docker container, as an out-of-tree build:
./utils/docker-run make O=output-test
will fail during the glibc staging installation step with:
/usr/bin/install -c -m 644 /home/thomas/buildroot/br/output-glibc/build/glibc-2.42-3-gbc13db73937730401d592b33092db6df806d193e/build/libc.a /usr/lib64/libc.a
/usr/bin/install: cannot create regular file '/usr/lib64/libc.a': Permission denied
The problem being that the install_root variable is for some reason
lost along the way. We definitely pass it during the staging
installation step, but then glibc calls a sub-make and in that
submake, install_root is empty.
Observations:
- Building the same configuration inside the Docker container, but
in-tree, doesn't exhibit the problem.
- Building outside of the Docker container, but with the same make
version as the one we build due to BR2_FORCE_HOST_BUILD=y doesn't
exhibit the problem.
However, it turns out that glibc sets install_root to $(DESTDIR). And
passing DESTDIR just works. So we drop our custom
GLIBC_INSTALL_STAGING_OPTS to rely on the default one, and this fixes
the problem. It's not extremely satisfying to not fully understand
what's going on, but after spending quite some time on this, and
having a trivial and actually pretty nice workaround, we simply
propose to use this solution.
There is no autobuilder issue as we're not using our Docker container
to do autobuild builds.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When browsing the available Database packages, libdbi appears in the
menuconfig as "lidbi".
Fix the menuconfig entry by updating the relevant boolean name.
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The http link is broken:
Connecting to people.redhat.com (people.redhat.com)|209.132.178.26|:80...
failed: No route to host.
No autobuilder error recorded.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The http link is broken:
Connecting to people.redhat.com (people.redhat.com)|209.132.178.26|:80...
failed: No route to host.
No autobuilder error recorded.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Original site is down, unchanged tarball can be downloaded from github.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Prabhu's e-mail address at Collins is bouncing, so let's drop this stale
entry:
<prabhu.sannachi@collins.com>: host
mxb-00105402.gslb.gpphosted.com[67.231.147.145] said: 550 5.1.1 User
Unknown (in reply to RCPT TO command)
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
unzip currently fails to build with GCC 15.x. We're already fetching
from Debian, using patchlevel -27, and it turns out that Debian
patchlevel -29 has the GCC 15.x fix, and very few other fixes:
unzip (6.0-29) unstable; urgency=medium
* Ignore invalid "Total number of disks" field on Microsoft ZIP64 files.
Closes: #661956, #1064000.
* Drop conflicting declarations of gmtime() and localtime().
Should fix build with gcc-15. Closes: #1098043.
* Fix zipgrep handling of escapes. Closes: #1054628.
* Stop using update-mime. Closes: #1072396.
* Add debian/source/lintian-overrides for *.a files.
* Do not trim Debian changelog.
* Add debian/salsa-ci.yml.
* Add Vcs-Git and Vcs-Browser fields.
* Update Standards-Version.
unzip (6.0-28) unstable; urgency=medium
* Drop debian/source/lintian-overrides, obsolete since version 6.0-18.
* Update URI for Info-ZIP license in copyright file.
* Update standards version to 4.6.2.
* Run wrap-and-sort.
* Update Homepage.
So let's just bump to this patchlevel version.
Note that the .dsc file link in the .hash file was wrong, it was still
referring to patchlevel -26.
Fixes:
https://autobuild.buildroot.net/results/d81cb9d7c9e87dd233dde350d15cb03427ba2036/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Tested-by: Christian Stewart <christian@aperture.us>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Bernd:
Updated _SITE from /debian-debug/ to /debian/ (Baruch)
Updated comment of UNZIP_IGNORE_CVES to reflect bump.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The 5.4.x series is now EOL upstream, so drop the linux-headers
option and add legacy handling for it.
Bump kernel version in test_zfs.py.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following security issues:
1) CVE-2025-62229: Use-after-free in XPresentNotify structures creation
Using the X11 Present extension, when processing and adding the
notifications after presenting a pixmap, if an error occurs, a dangling
pointer may be left in the error code path of the function causing a
use-after-free when eventually destroying the notification structures
later.
Introduced in: Xorg 1.15
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
2) CVE-2025-62230: Use-after-free in Xkb client resource removal
When removing the Xkb resources for a client, the function
XkbRemoveResourceClient() will free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
triggers a use-after-free.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/99790a2c
https://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
3) CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()
The XkbCompatMap structure stores some of its values using an unsigned
short, but fails to check whether the sum of the input data might
overflow the maximum unsigned short value.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
https://lists.x.org/archives/xorg-announce/2025-October/003635.html
Changelog:
https://lists.x.org/archives/xorg/2025-October/062148.html
Also update the COPYING hash for a change of copyright year.
Signed-off-by: Raphael Pavlidis <raphael.pavlidis@gmail.com>
[Peter: Mark as security bump, extend commit message, fix COPYING hash]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 00230e7 "package/pkg-golang: catch use of legacy FOO_INSTALL_BINS"
introduced a small typo, fixing that.
Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>