Buildroot commit e4749b826c disabled
parallel builds back in 2016. Nearly 10 years and a "Complete rewrite
[of] the BIND 9 build system" later
978c7b2e89
we enable parallel builds again, make -j1000 finished without problems.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 6a20a930fd)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commits 7b43e24818 and
8adeaec8af removed the possibility for
static builds but forgot to remove some related _CONF_OPTS.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 636b2a8503)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When run_cmd_on_host() runs a command that fails, we only get an
exception with no details to debug what happened. Let's improve that
by catching the exception, and printing the command output. This
requires redirecting stderr to stdout (instead of /dev/null) and
asking to get the output in text format.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 01dc13adfb)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
For more details on the version bump, see:
- https://github.com/ImageMagick/ImageMagick/compare/7.1.2-3...7.1.2-8
Fixes the following vulnerability:
- CVE-2025-62171
ImageMagick is an open source software suite for displaying,
converting, and editing raster image files. In ImageMagick versions
prior to 7.1.2-7 and 6.9.13-32, an integer overflow vulnerability
exists in the BMP decoder on 32-bit systems. The vulnerability
occurs in coders/bmp.c when calculating the extent value by
multiplying image columns by bits per pixel. On 32-bit systems with
size_t of 4 bytes, a malicious BMP file with specific dimensions can
cause this multiplication to overflow and wrap to zero. The overflow
check added to address CVE-2025-57803 is placed after the overflow
occurs, making it ineffective. A specially crafted 58-byte BMP file
with width set to 536,870,912 and 32 bits per pixel can trigger this
overflow, causing the bytes_per_line calculation to become zero.
This vulnerability only affects 32-bit builds of ImageMagick where
default resource limits for width, height, and area have been
manually increased beyond their defaults. 64-bit systems with size_t
of 8 bytes are not vulnerable, and systems using default ImageMagick
resource limits are not vulnerable. The vulnerability is fixed in
versions 7.1.2-7 and 6.9.13-32.
For more information, see:
- https://nvd.nist.gov/vuln/detail/CVE-2025-62171
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9pp9-cfwx-54rm
- cea1693e2d
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 3b3b2d1b72)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See https://jvn.jp/en/jp/JVN19358384/
This fixes the following vulnerability:
- CVE-2025-24912:
hostapd fails to process crafted RADIUS packets properly. When hostapd
authenticates wi-fi devices with RADIUS authentication, an attacker in
the position between the hostapd and the RADIUS server may inject
crafted RADIUS packets and force RADIUS authentications to fail.
https://www.cve.org/CVERecord?id=CVE-2025-24912
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 8282aaf094)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
iozone releases 3.507 and 3.508 seems to be only build fixes releases
for latest GCC compiler version but since there is no public vcs
it's not easy to review the history between releases and backport
any patches.
Based on the changelog from [1]:
Revision 3.507
Fix GCC compile warnings.
Revision 3.508
Put an end to the (&*% stupid GCC breaking builds for no valid reason.
So bump to the latest 508 release.
Rebase 0001-Add-new-targets-for-iozone.patch
Rebase 0002-fix-build-without-aio.patch and convert to git format
The TestIozone build issue is not yet fixed by the version bump [2].
[1] https://www.iozone.org/src/current/Changes.txt
[2] https://gitlab.com/buildroot.org/buildroot/-/jobs/11176774405
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 70cefcac9e)
[thomas: this with the next patch actually fixes build issue with GCC14 and not only GCC15]
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
In commit [1] the package netsnmp was bumped on master to version 5.9.4.
This version included fixes for CVE that were already patched in
buildroot and thus was not picked on the LTS branch.
As a consequence, the commit [2] was made on master which removed the
stale 'IGNORE_CVES' for the patches no longer presents. This commit was
wrongly picked on the LTS branch.
This reverts commit [3] which was included in 2025.02.x to set the
'IGNORE_CVES' back to the state of version 5.9.3.
[1] 1799cfebfd package/netsnmp: bump to version 5.9.4
[2] 4a3eab8341 package/netsnmp: drop stale ignore CVE entries
[3] 3ef8c1d0db package/netsnmp: drop stale ignore CVE entries
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
In commit [1], the only 'engicam' board config present on the 2025.02.x
branch was removed.
On the master branch the 'px30core' board is present because it was
added in commit [2] not picked on LTS branch.
So the DEVELOPERS entry for Jagan Teki that match every 'engicam' board
was not removed.
This patch removes this entry to remove the post commit hook warning.
[1] 13eb6c293e configs/engicam_imx6*: remove defconfigs, broken
[2] 6e6bd098c3 configs/engicam_px30_core_defconfig: new defconfig
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Arnout Vandecappelle <arnout@rnout.be>
The commit adds a backported upstream patch to fix the following build
failure:
ptp2/ptp-pack.c:3168:31: note: earlier argument should specify number of elements, later size of each element
ptp2/chdk.c: In function 'yuv_live_to_jpeg':
ptp2/chdk.c:1203:41: error: passing argument 3 of 'jpeg_mem_dest' from incompatible pointer type [-Wincompatible-pointer-types]
1203 | jpeg_mem_dest (&cinfo, &outbuf, &outlen);
| ^~~~~~~
| |
| uint64_t * {aka long long unsigned int *}
In file included from ptp2/chdk.c:31:
/home/autobuild/autobuild/instance-0/output-1/per-package/libgphoto2/host/armeb-buildroot-linux-gnueabi/sysroot/usr/include/jpeglib.h:989:43: note: expected 'long unsigned int *' but argument is of type 'uint64_t *' {aka 'long long unsigned int *'}
989 | unsigned long *outsize);
Fixes:
- https://autobuild.buildroot.org/results/db742e301a401c9f4bdf3c7e8cfde9f0ba1c4558
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ebd07998d0)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This contains many bug and security fixes since v22.12.0.
See the release notes: https://poppler.freedesktop.org/releases.html
In addition:
- Drop patch that has been applied upstream
- Update a few cmake configuration options that changed upstream
There is currently a build failure when enabling gpgme, so disable it
unconditionally for now.
Finally, this fixes the following vulnerabilities:
- CVE-2024-6239:
A flaw was found in the Poppler's Pdfinfo utility. This issue occurs
when using -dests parameter with pdfinfo utility. By using certain
malformed input files, an attacker could cause the utility to crash,
leading to a denial of service.
https://www.cve.org/CVERecord?id=CVE-2024-6239
- CVE-2024-56378:
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read
vulnerability within the JBIG2Bitmap::combine function in
JBIG2Stream.cc.
https://www.cve.org/CVERecord?id=CVE-2024-56378
- CVE-2025-32364:
A floating-point exception in the PSStack::roll function of Poppler
before 25.04.0 can cause an application to crash when handling
malformed inputs associated with INT_MIN.
https://www.cve.org/CVERecord?id=CVE-2025-32364
- CVE-2025-32365:
Poppler before 25.04.0 allows crafted input files to trigger out-of-
bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc
because of a misplaced isOk check.
https://www.cve.org/CVERecord?id=CVE-2025-32365
- CVE-2025-43903:
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the
adbe.pkcs7.sha1 signatures on documents, resulting in potential
signature forgeries.
https://www.cve.org/CVERecord?id=CVE-2025-43903
- CVE-2025-50420:
An issue in the pdfseparate utility of freedesktop poppler v25.04.0
allows attackers to cause an infinite recursion via supplying a
crafted PDF file. This can lead to a Denial of Service (DoS).
https://www.cve.org/CVERecord?id=CVE-2025-50420
- CVE-2025-52886:
Poppler is a PDF rendering library. Versions prior to 25.06.0 use
`std::atomic_int` for reference counting. Because `std::atomic_int` is
only 32 bits, it is possible to overflow the reference count and
trigger a use-after-free. Version 25.06.0 patches the issue.
https://www.cve.org/CVERecord?id=CVE-2025-52886
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: mark commit as "security" in commit log title]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit cdd1c5ca55)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Do not bump to a more recent version, as the build system has
fundamentally changed.
See the release notes:
- https://github.com/netdata/netdata/releases/tag/1.34.0
- https://github.com/netdata/netdata/releases/tag/v1.34.1
- https://github.com/netdata/netdata/releases/tag/v1.35.0
- https://github.com/netdata/netdata/releases/tag/v1.35.1
- https://github.com/netdata/netdata/releases/tag/v1.36.0
- https://github.com/netdata/netdata/releases/tag/v1.36.1
- https://github.com/netdata/netdata/releases/tag/v1.37.0
- https://github.com/netdata/netdata/releases/tag/v1.37.1
In addition, add upstream patch to fix cross-compilation.
This fixes the following vulnerabilities:
- CVE-2023-22496:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. An attacker with the ability to
establish a streaming connection can execute arbitrary commands on the
targeted Netdata agent. When an alert is triggered, the function
`health_alarm_execute` is called. This function performs different
checks and then enqueues a command by calling `spawn_enq_cmd`. This
command is populated with several arguments that are not sanitized.
One of them is the `registry_hostname` of the node for which the alert
is raised. By providing a specially crafted `registry_hostname` as
part of the health data that is streamed to a Netdata (parent) agent,
an attacker can execute arbitrary commands at the remote host as a
side-effect of the raised alert. Note that the commands are executed
as the user running the Netdata Agent. This user is usually named
`netdata`. The ability to run arbitrary commands may allow an attacker
to escalate privileges by escalating other vulnerabilities in the
system, as that user. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, streaming is not enabled by default. If you have
previously enabled this, it can be disabled. Limiting access to the
port on the recipient Agent to trusted child connections may mitigate
the impact of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22496
- CVE-2023-22497:
Netdata is an open source option for real-time infrastructure
monitoring and troubleshooting. Each Netdata Agent has an
automatically generated MACHINE GUID. It is generated when the agent
first starts and it is saved to disk, so that it will persist across
restarts and reboots. Anyone who has access to a Netdata Agent has
access to its MACHINE_GUID. Streaming is a feature that allows a
Netdata Agent to act as parent for other Netdata Agents (children),
offloading children from various functions (increased data retention,
ML, health monitoring, etc) that can now be handled by the parent
Agent. Configuration is done via `stream.conf`. On the parent side,
users configure in `stream.conf` an API key (any random UUID can do)
to provide common configuration for all children using this API key
and per MACHINE GUID configuration to customize the configuration for
each child. The way this was implemented, allowed an attacker to use a
valid MACHINE_GUID as an API key. This affects all users who expose
their Netdata Agents (children) to non-trusted users and they also
expose to the same users Netdata Agent parents that aggregate data
from all these children. The problem has been fixed in: Netdata agent
v1.37 (stable) and Netdata agent v1.36.0-409 (nightly). As a
workaround, do not enable streaming by default. If you have previously
enabled this, it can be disabled. Limiting access to the port on the
recipient Agent to trusted child connections may mitigate the impact
of this vulnerability.
https://www.cve.org/CVERecord?id=CVE-2023-22497
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: add comment before _AUTORECONF with patch name]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9cfcd906cf)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Backport upstream patch, that was released in GLib 2.84.4 [1],
such that we can apply it onto GLib 2.82 in Buildroot LTS
This fixes the following vulnerability:
- CVE-2025-7039:
A flaw was found in glib. An integer overflow during temporary file
creation leads to an out-of-bounds memory access, allowing an attacker
to potentially perform path traversal or access private temporary file
content by creating symbolic links. This vulnerability allows a local
attacker to manipulate file paths and access unauthorized data. The
core issue stems from insufficient validation of file path lengths
during temporary file operations.
https://www.cve.org/CVERecord?id=CVE-2025-7039
[1] https://gitlab.gnome.org/GNOME/glib/-/releases/2.84.4
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
(cherry picked from commit 3252f45279)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the release notes:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12352411&projectId=10510
Also update the download site to https
This fixes the following vulnerability:
- CVE-2024-23807:
The Apache Xerces C++ XML parser on versions 3.0.0 before 3.2.5
contains a use-after-free error triggered during the scanning of
external DTDs. Users are recommended to upgrade to version 3.2.5
which fixes the issue, or mitigate the issue by disabling DTD
processing. This can be accomplished via the DOM using a standard
parser feature, or via SAX using the XERCES_DISABLE_DTD environment
variable. This issue has been disclosed before as CVE-2018-1311, but
unfortunately that advisory incorrectly stated the issue would be
fixed in version 3.2.3 or 3.2.4.
https://www.cve.org/CVERecord?id=CVE-2024-23807
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 246f2eca20)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When building in parallel with per-package directories
(BR2_PER_PACKAGE_DIRECTORIES=y), brmake output is often garbled:
2025-10-08T18:39:10 >>> host-dtc 1.7.2 Building
2025-10-08T18:39:11 checking for stdint.h... >>> host-dtc 1.7.2 Installing to host directory
2025-10-08T18:39:12 checking for limits.h... >>> host-gmp 6.3.0 Installing to host directory
Remove the spurious string between the timestamp and the ">>>" marker to
fix this.
We need some extra care to preserve the preceding "term bold" special
characters sequence.
We also prevent grep and sed to buffer their output too much. This leads to
more frequent output even when we might not be connected to a terminal; for
example: when brmake's output is piped to another program or when running
in CI.
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit c9dca7f4c3)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
See the many release notes: https://github.com/libvips/libvips/releases
Along that version bump:
- Change source code archive compression from .gz to .xz as this the
new upstream delivery format
- Switch from autotools to meson build system (see upstream commit
538aa2a841)
- Update the LICENSE file (see upstream commit
057703938e)
This fixes the following vulnerabilities:
- CVE-2025-29769:
libvips is a demand-driven, horizontally threaded image processing
library. The heifsave operation could incorrectly determine the
presence of an alpha channel in an input when it was not possible to
determine the colour interpretation, known internally within libvips
as "multiband". There aren't many ways to create a "multiband" input,
but it is possible with a well-crafted TIFF image. If a "multiband"
TIFF input image had 4 channels and HEIF-based output was requested,
this led to libvips creating a 3 channel HEIF image without an alpha
channel but then attempting to write 4 channels of data. This caused a
heap buffer overflow, which could crash the process. This
vulnerability is fixed in 8.16.1.
https://www.cve.org/CVERecord?id=CVE-2025-29769
- CVE-2025-59933:
libvips is a demand-driven, horizontally threaded image processing
library. For versions 8.17.1 and below, when libvips is compiled with
support for PDF input via poppler, the pdfload operation is affected
by a buffer read overflow when parsing the header of a crafted PDF
with a page that defines a width but not a height. Those using libvips
compiled without support for PDF input are unaffected as well as
thosewith support for PDF input via PDFium. This issue is fixed in
version 8.17.2. A workaround for those affected is to block the
VipsForeignLoadPdf operation via vips_operation_block_set, which is
available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED
environment variable at runtime, which will block all untrusted
loaders including PDF input via poppler.
https://www.cve.org/CVERecord?id=CVE-2025-59933
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
[Julien: update _LICENSE_FILES to fix check-package error]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 72c7d99e22)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch bumps the Linux kernel to version 6.1.155. The size of
xipImage has increased by only 1126 bytes (1673444 bytes compared to
1672318 in version 6.1.143).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 675bb8337d)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
The patch bumps the Linux kernel to version 6.1.143. The size of xipImage
has increased by only 514 bytes (1672318 bytes compared to 1671804 in
version 6.1.133).
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 0c9a4b7995)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
When mjpg-streamer is built with gcc >= 14 using libjpeg (rather than
jpeg-turbo), and with SDL is enabled (to enable the output_viewer),
the compilation can fail with error:
output_viewer.c:125:32: error: assignment to ‘boolean (*)(struct jpeg_decompress_struct *)’ from incompatible pointer type ‘int (*)(struct jpeg_decompress_struct *)’ [-Wincompatible-pointer-types]
The issue can be reproduced with the commands:
cat >.config <<EOF
BR2_aarch64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
BR2_PACKAGE_LIBJPEG=y
BR2_PACKAGE_MJPG_STREAMER=y
BR2_PACKAGE_SDL=y
EOF
make olddefconfig
make mjpg-streamer
This commit adds a patch to fix this issue.
Fixes:
https://autobuild.buildroot.net/results/3a5/3a5674e4e7bb3f2894575191af24598e2a696912/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
[Julien: add commands to reproduce the issue]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit af4eef1e0f)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Buildroot commit 553c55e9bd added the
qt6multimedia package including an option to build examples which
contains a dependency to qt6svg without selecting the package in
Config.in.
Fixes:
https://autobuild.buildroot.org/results/c94670cf255a1a6975e99d7b22a159f7fdc6f850/
Makefile:578: *** qt6svg is in the dependency chain of qt6multimedia
that has added it to its _DEPENDENCIES variable without selecting it
or depending on it from Config.in. Stop.
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit f37c48faf6)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
