Some host commands need to call other host commands: For example,
"mkimage" from host-uboot-tools needs to run "dtc". This would fail or
call system commands without adding the host bin dir to PATH.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: use python functions/constants to build path]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit befb6ae81d274342d316061a648c2f276e44db23)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Otherwise "dumpimage -l" produces only a newline when processing a FIT
image.
Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 39b925a0a6d80b2f347abad1fd75742c8d51a458)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The build of the following basic configuration enabling the
imagination Vulkan driver
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_GLIBC_STABLE=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION=y
fails with:
meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM
Adding just LLVM as a dependency is not enough, as then libclc is
needed, then LLVMSPIRVLib, then clangBasic, then the pco_clc tool.
In fact, like the Panfrost driver, building the Imagination driver
requires building host tools using host-mesa3d. To fix this we:
- Make the BR2_PACKAGE_MESA3D_OPENCL option selectable
- Make sure that BR2_PACKAGE_MESA3D_VULKAN_DRIVER_IMAGINATION depends
on BR2_PACKAGE_MESA3D_LLVM and select
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER (the latter being needed to
build host-mesa3d)
- Make sure the host-mesa3d builds imagination
tools (-Dtools=imagination) and install
pco_clc (HOST_MESA3D_INSTALL_PCO_CLC). This requires introducing
HOST_MESA3D_TOOLS as a list of tools to build, which then gets used
to construct the -Dtools argument, as we can now have both
"panfrost" and "imagination" in this list.
With all this, the defconfig above builds successfully.
This has been broken since Buildroot commit
5e818c16a3, which introduced the vulkan
driver support.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit e1d159c5d5dc00233c74a2bc24994bc194e4e177)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CSharp Extension was removed in grpc 1.47.0 [0] and the option in
the CMakeLists was dropped in 1.58.0 [1], which means that it is no
longer relevant since Buildroot commit
91d1207de0, which bumped grpc from
1.51.1 to 1.66.1.
So remove this option for host-grpc as well.
Fixes:
CMake Warning:
Manually-specified variables were not used by the project:
gRPC_BUILD_CSHARP_EXT
[0] https://github.com/grpc/grpc/releases/tag/v1.47.0
[1] 3a2bd221ef
Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit e513d6a5fdf6b87eff10f759535ccc7abcef7a73)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This version allows building with Linux 6.18.
Fixes:
In file included from core/crypto/sha256.c:11:
core/crypto/sha256.h:16:5: error: conflicting types for 'hmac_sha256'; have 'int(const u8 *, size_t, const u8 *, size_t, u8 *)' {aka 'int(const unsigned char *, long unsigned int, const unsigned char *, long unsigned int, unsigned char *)'}
Build failure has still not occurred in autobuilders.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
[Julien: add details about the error being fixed]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9ec337489a399f65df66dbad11317e35e44ef30d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Adds documentation about adding a patch that addresses a vulnerability.
The patch-policy file now mentions that patches that address a
vulnerability need to include a `CVE:` trailer with the reference of
that vulnerability.
Until now only adding the reference to the `_IGNORE_CVES` variable was
necessary, so the documentation of this entry is modified as well to
point to the patch policy.
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 1167d0ff3d225ca9ce2b6299da28a9307d370142)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The CycloneDX specification for vulnerabilities defines four analysis
states ([1]) for cases where a vulnerability does not affect a component:
* resolved
* resolved_with_pedigree
* not_affected
* false_positive
Currently, the metadata present in Buildroot does not allow an accurate
mapping of ignored CVEs to the appropriate CycloneDX vulnerability
categories. As a result, all ignored CVEs are currently marked as
'in_triage' by default.
This default analysis was established during the introduction of the
'generate-cyclonedx' script. The reasoning at the time was that SBOM
consumers might want to re-evaluate ignored vulnerabilities, as the
Buildroot infrastructure could not reliably determine their actual
state.
This patch adds support for automatically marking vulnerabilities as
'resolved_with_pedigree' when a Buildroot patch includes a 'CVE:'
tag in its header referencing the CVE identifier.
The 'CVE:' tag appears alongside the already required 'Upstream:', if
the patch addresses a security vulnerability, and may be repeated if a
patch addresses multiple vulnerabilities.
If a vulnerability is addressed by multiple patches, each patch will need to
reference the vulnerability identifier.
For details on how CycloneDX handles 'resolved_with_pedigree', see
[1][2].
As an example, the CVE-2025-3198 from the binutils package will result
in the following pedigree for the binutils component:
```
{
  "type": "unofficial",
  "diff": {
    "text": {
      "content": "..."
    }
  },
  "resolves": [
    {
      "type": "security",
      "name": "CVE-2025-3198"
    }
  ]
},
```
The `resolves` property is an array of issues the pedigree resolves. If
multiple are addressed by the same patch, then multiple identifiers will be
present in this array.
In the listed vulnerabilities the entry for the CVE-2025-3198 looks like
this:
```
{
  "id": "CVE-2025-3198",
  "analysis": {
    "state": "resolved_with_pedigree",
    "detail": "The CVE 'CVE-2025-3198' has been marked as ignored by Buildroot"
  },
  "affects": [
    {
      "ref": "binutils"
    }
  ]
}
```
[1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis_state
[2] https://cyclonedx.org/docs/1.6/json/#components_items_pedigree_patches_items_resolves
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 9415529923c9f7eaeec44c8fd3eecca79bf6b8d2)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
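
The mapping described in the commit above, sketched as an added example (not Buildroot's `generate-cyclonedx` code): read `CVE:` trailers from a patch header, build the pedigree entry, and pick the analysis state. The trailer regex, the function names and the sample patch are assumptions made for illustration; only the CVE id and the JSON shape come from the commit message.

```python
import re

# Assumption: one trailer per line in the patch header, "CVE: CVE-YYYY-NNNN".
CVE_TRAILER = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})\s*$", re.MULTILINE)

# Constructed sample patch; only the CVE id is taken from the commit message.
SAMPLE_PATCH = """\
From: Jane Doe <jane@example.org>
Subject: [PATCH] example fix (constructed)

Upstream: https://example.org/placeholder
CVE: CVE-2025-3198
Signed-off-by: Jane Doe <jane@example.org>
---
diff --git a/src/example.c b/src/example.c
@@ -1 +1 @@
-old line
+fixed line
"""


def patch_header(patch_text):
    """Return the text before the first '---' separator or diff header."""
    for marker in ("\n---\n", "\ndiff --git ", "\n--- a/"):
        idx = patch_text.find(marker)
        if idx != -1:
            patch_text = patch_text[:idx]
    return patch_text


def cves_resolved_by(patch_text):
    """CVE ids from 'CVE:' trailers in the header, de-duplicated, in order."""
    return list(dict.fromkeys(CVE_TRAILER.findall(patch_header(patch_text))))


def pedigree_patch(patch_text):
    """Pedigree patch entry in the shape shown in the commit message."""
    return {"type": "unofficial",
            "diff": {"text": {"content": patch_text}},
            "resolves": [{"type": "security", "name": cve}
                         for cve in cves_resolved_by(patch_text)]}


def analysis_states(ignored_cves, patches):
    """Ignored CVEs named by a patch trailer become resolved_with_pedigree."""
    patched = {cve for p in patches for cve in cves_resolved_by(p)}
    return {cve: "resolved_with_pedigree" if cve in patched else "in_triage"
            for cve in ignored_cves}
```

An ignored CVE that no patch names in a trailer keeps the `in_triage` default, so SBOM consumers can still re-evaluate it.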
https://github.com/google/brotli/blob/v1.2.0/CHANGELOG.md
Adds the following security hardening:
python: added Decompressor::can_accept_more_data method and optional
output_buffer_limit argument Decompressor::process; that allows mitigation
of unexpectedly large output
Which is needed to complete the security fixes in python-urllib3 2.6.0.
Added dependency to host-python-pkgconfig to fix build error which would
be introduced by this bump.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Peter: mark as security bump, describe the relation with urllib3]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit fe5dcf402c0075b6ab86a92733ec75135f9dd760)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Fix two vulnerabilities related to SSH support:
* The external SSH execution code lacked shell quoting on repository
names, resulting in arbitrary command execution.
* SSH public keys were zeroed by calling memset with the wrong length,
resulting in either buffer overflow or incomplete zeroing.
Release notes:
https://github.com/libgit2/libgit2/releases/tag/v1.9.2
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Prefer HTTPS for source downloads.
No functional change; hashes unchanged.
Align comment in .hash and Config.in.
Signed-off-by: Preyas <preyas17@zohomail.in>
[Julien: also update Config.in package home page]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes of this bugfix release:
https://sqlite.org/releaselog/3_51_1.html
"Changes in this specific patch release, version 3.51.1 (2025-11-28):
Fix incorrect results from nested EXISTS queries caused by the
optimization in item 6b in the 3.51.0 release.
Fix a latent bug in fts5vocab virtual table, exposed by new
optimizations in the 3.51.0 release"
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Changes 1.3.6..1.3.7:
f138e68e7ffefa3f4d71857ddb137fff877fd1d0 getnetconfig.c: free linep to avoid memory leakage
eea92ef0bf2f3f0e337cfd074ebc34d91945f19b Revert "getnetconfig.c: free linep to avoid memory leakage"
d473f1e1f6ba80bfaee4daa058da159305167323 Update declarations to allow compile with gcc-15
240ee6c774729c9c24812aa8912f1fcf8996b162 update signal and key_call declarations to allow compile with gcc-15
07e45147b877c63a1d3dd1f5ae6070543b1d93cf Convert old-style function definitions into modern-style definitions
2cfe608550dbe44ac8fc6c26216f529565713fc4 Convert old-style function definitions into modern-style definitions
581152976f093f31957c48567278535ef54f6b3c Convert old-style function definitions into modern-style definitions
2832da026b0812a23e65773b313b048c68147b09 Convert old-style function definitions into modern-style definitions
d3ff4c39bbcf22e3ff736261b66a9f6c6a6bf4ca Convert old-style function definitions into modern-style definitions
791063e55d9739fa8c7c1a0d4ac1c4f8023a2843 Convert old-style function definitions into modern-style definitions
23b0aa66a34fc6de16d285fbeb60b0fd68fa40d5 Convert old-style function definitions into modern-style definitions
2c9ed28d9c364c6e7c29d9b5b740893a8baea014 Convert old-style function definitions into modern-style definitions
41cb38e2dfdc7053ebcbd777cf868f8fcbcfcf23 Convert old-style function definitions into modern-style definitions
b73283a6982f83974b48d1858735649d6acf6398 Convert old-style function definitions into modern-style definitions
c717a52ed169701b2907ac8eb8678ca41b1533ba Convert old-style function definitions into modern-style definitions
4eeb59a8dbcc6b4d3db1b81a00615f6e7832a97c Convert old-style function definitions into modern-style definitions
7cea8ad66aecc21e6caae330b5d31075af399193 Add conditional version script support
5bd87617e4b3129e76e79847c95bdea4b1290d9f Release 1.3.7
Our two patches are upstream as of
d473f1e1f6ba80bfaee4daa058da159305167323 and
240ee6c774729c9c24812aa8912f1fcf8996b162 respectively.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 930660890b bumped kbd to
version 2.9.0 which includes optional support for various compression
libraries. This commit adds the corresponding configure options and a
fix for build errors caused by zlib.
The build error was happening when zlib was compiled before kbd.
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_KBD=y
BR2_PACKAGE_ZLIB=y
EOF
make olddefconfig
make zlib
make kbd
The compilation fails with the error:
kbdfile-zlib.c: In function 'dlopen_note':
elf-note.h:27:30: error: 'sym_gzopen' undeclared (first use in this function); did you mean 'sym_gzopen64'?
27 | #define DLSYM_ARG(symbol__) &sym_##symbol__, STRINGIFY(symbol__),
| ^~~~
Fixes:
https://autobuild.buildroot.net/results/8ff/8ff6c3d940b68069f748f12646f7516ec86172c1/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- add commands to reproduce the issue
- update patch "Upstream:" link to upstream commit
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes: https://github.com/strace/strace/blob/v6.18/NEWS
Buildroot commit a06d79862a bumped the
linux kernel to version 6.18 which broke the build of strace.
The issue can be reproduced with commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_PACKAGE_STRACE=y
EOF
make olddefconfig
make strace
The build is failing with error:
listmount.c: In function 'print_mnt_id_req':
listmount.c:39:16: error: 'struct mnt_id_req' has no member named 'spare'
39 | if (req.spare) {
| ^
Fixes:
https://autobuild.buildroot.org/results/8e3de892a1c4aa176a8b3a5defba48aa9830bc89/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien:
- update pgp key comment in hash file
- add commands to reproduce the issue and error log
- add autobuilder failure log
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit a06d79862a bumped the
linux kernel to version 6.18 which broke the build of cryptodev-linux.
Added upstream patch to fix the problem.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since we bumped to glibc 2.42, the build of Python 3 is failing on
Sparc64 due to the removal of the "struct termio" definition from
glibc. Since this only affects a small number of termio operations, we
simply drop support for them, since they basically can't be used
anymore (and we don't really care that much about those specific
operations that only exist on Sparc64).
Fixes:
https://autobuild.buildroot.net/results/28fee0f8368ae3dc1d607ebad4881b736e360f07/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The NVD database has CVE entries that are not present but may be
referenced in other security trackers.
For instance the CVE-2024-12455 is documented in the Debian security
tracker [1]. However, the NVD page is empty [2] and this entry is not
present in the NVD database mirror.
The following command would make the script fail:
```
echo '{
  "vulnerabilities": [
    {
      "id": "CVE-2024-12455"
    }
  ]
}' | support/scripts/cve-check --enrich-only
```
No CVEs present in Buildroot ignored CVEs are affected. But when
enriching an SBOM with a legitimate CVE not present on NVD, the script
will fail.
This patch changes the behavior to just log unknown CVEs to stderr
instead of making the script fail.
[1] https://security-tracker.debian.org/tracker/CVE-2024-12455
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-12455
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Peter: Tweak warning message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
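
The behaviour change in the commit above, modelled as an added example (not the code of `support/scripts/cve-check`): an enrichment pass that either aborts on a CVE id missing from the NVD data or warns on stderr and keeps the entry. The dict-based mirror, the `enrich` function, its `strict` flag and the warning wording are assumptions.

```python
import sys

# Constructed stand-in for a local NVD mirror, keyed by CVE id (assumption).
NVD_MIRROR = {"CVE-2025-3198": {"description": "constructed sample record"}}

# The input from the commit message plus one id the stand-in mirror knows.
SBOM = {"vulnerabilities": [{"id": "CVE-2024-12455"}, {"id": "CVE-2025-3198"}]}


def enrich(sbom, mirror, strict=False, log=sys.stderr):
    """Copy mirror data into each vulnerability entry.

    strict=True models the old behaviour (an unknown id aborts the run);
    strict=False models the patched one (warn on stderr, keep the entry).
    Returns the list of ids the mirror did not know.
    """
    unknown = []
    for vuln in sbom.get("vulnerabilities", []):
        cve_id = vuln.get("id")
        record = mirror.get(cve_id)
        if record is None:
            if strict:
                raise KeyError(f"{cve_id} is not in the NVD mirror")
            # Hypothetical wording; the script's real message is not shown.
            print(f"warning: {cve_id} not found in NVD mirror", file=log)
            unknown.append(cve_id)
            continue
        vuln.setdefault("description", record["description"])
    return unknown
```

Returning the unknown ids lets a caller report them as unenriched rather than silently treating them as unaffected.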