| Age | Commit message (Collapse) | Author |
|---|
|
Fixes CVE-2017-5932 - Shell code execution on tab completion of specially
crafted files. For details, see the report:
https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf
We unfortunately cannot easily download these because of the file names (not
ending in patch) and patch format (p0), so convert to p1 format and include
in package/bash with the following script:
for i in 06 07 08 09 10 11 12; do
cat > bash44-0$i.patch << EOF
>From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
EOF
curl https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-0$i | \
sed -e 's|^\*\*\* \.\./|*** |' -e 's|^--- |--- b/|' >> bash44-0$i.patch
done
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
We unfortunately cannot easily download these because of the file names (not
ending in patch) and patch format (p0), so convert to p1 format and include
in package/bash.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Having the BR2_PACKAGE_BUSYBOX_SHOW_OTHERS dependencies in
package/Config.in is not very practical: it makes this file not very
readable, and puts the dependency away from the package itself, which
can sometimes be confusing. Therefore, this commit moves the dependency
in each package Config.in file.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
They don't seem to be causing any issues after bumping to the 4.3.x
series and several tests.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
When Bash attempts to find the current working directory, it uses a C
library call `getcwd` to resolve it. When cross-compiling, the
configuration process cannot determine if the target system's C library
can support an "unfixed" path length. Therefore, Bash will fallback to a
size of `PATH_MAX` for determining the current working directory. When
using OverlayFS (and possible other file systems), this becomes an issue
since file paths can commonly exceed standard `PATH_MAX` length. This
typically results in the following error appearing:
error retrieving current directory: [...]
Common C library `getcwd` calls can default to a higher limit (usually
the system's page size). The current configurable C libraries (as of at
least 2015.08) support a zero (0) size buffer length. Most use the
system's page size; musl, being an exception, which defaults to
`PATH_MAX` (as Bash was doing). Since these C libraries support
allocating buffer space with a zero (0) provided size, the following
configuration change allows Bash to support getting a larger-length'ed
working directory on target's that support it.
Signed-off-by: James Knight <james.knight@rockwellcollins.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Misc fixes.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Since a while, the semantic of BR2_PREFER_STATIC_LIB has been changed
from "prefer static libraries when possible" to "use only static
libraries". The former semantic didn't make much sense, since the user
had absolutely no control/idea of which package would use static
libraries, and which packages would not. Therefore, for quite some
time, we have been starting to enforce that BR2_PREFER_STATIC_LIB
should really build everything with static libraries.
As a consequence, this patch renames BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS, and adjust the Config.in option accordingly.
This also helps preparing the addition of other options to select
shared, shared+static or just static.
Note that we have verified that this commit can be reproduced by
simply doing a global rename of BR2_PREFER_STATIC_LIB to
BR2_STATIC_LIBS plus adding BR2_PREFER_STATIC_LIB to Config.in.legacy.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
|
|
Yay!
The release tarball allows us to drop sizable in-tree patches, so switch
to it.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
bash fails to link for static builds with uClibc toolchains due to
getenv redefinitions. This is caused because bash is unable to check if
getenv is already defined when cross-compiling, so it defaults to 'yes':
configure:14438: WARNING: cannot check getenv redefinition if cross
compiling -- defaulting to yes
We can avoid this redefinition by passing bash_cv_getenv_redef=no to the
configure script.
Related:
http://lists.gnu.org/archive/html/bug-bash/2012-03/msg00052.html
Fixes:
http://autobuild.buildroot.net/results/a20/a2007e6dbcfe53e7cd837ae642869ee26376826a/
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Not all our shells do install a pointer to /bin/sh. Besides, between
those that do and multiple ones are enabled, the last one to install
wins the the symlink.
Add a new config choice in the system sub-menu that allows the user to
explicitly select the shell to provide /bin/sh. If busybox is not
enabled, default to using dash, a POSIX shell.
Remove the symlink creation from bash.mk at the same time.
Note: for every shell, we select them, except busybox, on which we
depend, on the assumption that we do not want to force busybox in case
the user decided not to enable it.
[Peter: remove redundant !BR2_PACKAGE_BUSYBOX dependency]
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Remove the old symlink backup since we don't do uninstalls now.
Make the busybox dependency conditional shorter.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
More security issues, sigh.
Also fix typo in pl29 patch.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Apply new patches for a buffer overflow fix (pl28) and an invalid memory
access (pl29).
Rename combined patchlevel patch to be more graphic about the range.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Patches 26 and 27 are refiniments/improved checks on the CVE.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Fixes CVE-2014-6271:
Under certain circumstances, bash will execute user code while
processing the environment for exported function definitions.
Also add hash file.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Always prefix the readline directory otherwise autodetection may pick up
the host readline when headers are available and target == host (or are
link-compatible). Fixes:
http://autobuild.buildroot.org/results/44a/44a962623be757143a3d6d37fc6cd14964094f79/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Switch to external readline support to potentially reduce target size.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
|
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
The static build needs some trickery, so make it happen. Fixes:
http://autobuild.buildroot.net/results/2b12868f8297a96d7abf7fcf526ca5eace73d66d/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
Fixes:
http://autobuild.buildroot.org/results/dfedb4377a95e36e590c9a5a5853e3ed0ecbc247/build-end.log
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
Bump bash to version 4.2 patchlevel 37.
Fixes CVE-2012-3410.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Fixes the build failure at
http://autobuild.buildroot.org/results/0434d99b51f535ac73bfcf1968b1c2b81b44ba61/build-end.log.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Also remove the redundant $(call ...).
This is a purely mechanical change, performed with
find package linux toolchain boot -name \*.mk | \
xargs sed -i -e 's/$(eval $(call GENTARGETS))/$(eval $(generic-package))/' \
-e 's/$(eval $(call AUTOTARGETS))/$(eval $(autotools-package))/' \
-e 's/$(eval $(call CMAKETARGETS))/$(eval $(cmake-package))/'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
cross-compiling
There are some bash features that can not be detected automatically during
configure stage while cross-compiling. This commit forces them on.
Signed-off-by: Arkady Gilinsky <arcadyg@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
Thanks to the pkgparentdir and pkgname functions, we can rewrite the
AUTOTARGETS macro in a way that avoids the need for each package to
repeat its name and the directory in which it is present.
[Peter: pkgdir->pkgparentdir]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
Make sure bash builds after busybox when it's enabled to override
busybox's /bin/sh symlink with bash.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
Closes #1993
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
The cleanup of $(TARGET_DIR)/usr/share/man, $(TARGET_DIR)/usr/man,
$(TARGET_DIR)/usr/share/info, $(TARGET_DIR)/usr/info,
$(TARGET_DIR)/usr/share/doc and $(TARGET_DIR)/usr/doc is already done
globally in the main Makefile. Therefore, there's no need to handle
that on a per-package basis.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
|
Patch bash32-011 modifies the configure.in script. Therefor we need to
run autoconf before launching the configure script. Otherwise, once
the configure script called, the makefile's dependencies over
configure.in will relaunch autoconf without options/environnement
variables we usually set when calling configure.
[Peter: use our own host-autoconf instead of what's on the host]
Signed-off-by: Lionel Landwerlin <llandwerlin@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
So "/opt/whatever_toolchain/gcc --sysroot $(STAGING_DIR)" isn't
stripped to "/opt/whatever_toolchain/gcc", making gcc to look at
$(ORIGINAL_TOOLCHAIN_DIRECTORY)/usr/include instead of
$(STAGING_DIR)/usr/include. For more CC is already filled when
running the configure script.
This problem should only be visible with an external toolchain.
Signed-off-by: Lionel Landwerlin <llandwerlin@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
We have been passing -q to ./configure when using 'make -s' for
packages using Makefile.autotools.in for some time. Do the same
for packages using autotools, but not using the
Makefile.autotools.in infrastructure, taking care to not do it
for packages with hand written configure scripts.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
A C library will have been built by the toolchain makefiles, so there is no
need for packages to explicitly depend on uclibc.
Signed-off-by: Will Newton <will.newton@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
|
|
|
|
|
|
-Force some autoconf options so that job control
is turned on.
(Otherwise these checks fail when cross compiling.
And when job control is disabled, bash can't be
the default shell)
|
|
'default n' is the default, so there's no need to say it explicitly.
|
|
|
|
|
|
broken GNU download paths. Also fix gnuchess, xboard and classpath
packages to use $(BR2_GNU_MIRROR) rather than hardcoded urls.
|
|
|
