This repository was archived by the owner on Jun 28, 2021. It is now read-only.

Update buildroot fork to latest upstream master #8

Open
tmagik wants to merge 10000 commits into sifive:master from buildroot:master

Conversation


tmagik commented Feb 25, 2019

Update to buildroot in preparation to switch freedom-u-sdk over to replace riscv-gnu-toolchain with the toolchain supported in buildroot, which builds faster using upstream sources and takes less space.

tperale and others added 28 commits February 3, 2026 14:42
While `docker:docker` is not marked as deprecated by NVD, after a
scan through the CVEs the last entry for `docker:docker`
is CVE-2022-34883 [1]. Replacing this tuple with `mobyproject:moby`, which
is referenced in the upstream project GHSA [2]. The last entry for this
CPE is CVE-2025-54410 [3].

Note: Quoting [4], "Moby is an open framework created by Docker to
assemble specialized container systems without reinventing the wheel".
The old github URL [5] redirects to [6].

[1] https://nvd.nist.gov//vuln/detail/CVE-2023-5166
[2] https://github.com/moby/moby/security/advisories
[3] https://nvd.nist.gov//vuln/detail/CVE-2025-54410
[4] https://mobyproject.org/
[5] https://github.com/docker/docker
[6] https://github.com/moby/moby

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
[Julien: add the note about the Moby project]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add the `podman_project:podman` CPE referenced in the GHSA page [1].

The last entry with this CPE is CVE-2024-3056 [2].

Dropping the `v` prefix from the version to track the CPE version
correctly.

[1] https://github.com/containers/podman/security
[2] https://nvd.nist.gov//vuln/detail/CVE-2024-3056

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE `mp4v2:mp4v2` is valid for the package mp4v2. See the latest
CVE: CVE-2023-33719, which references the upstream repository.

[1] https://nvd.nist.gov//vuln/detail/CVE-2023-33719

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE `openvpn:easy-rsa` is valid for the EasyRsa package. The last
CVE is CVE-2024-13454 [1], which is referenced in the upstream bug tracker
[2].

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-13454
[2] OpenVPN/easy-rsa#1122

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE `pali:igmpproxy` is a valid CPE for the package igmpproxy.

See the latest CVE: CVE-2025-50681 [1], which references the upstream
repository.

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-50681

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The CPE `vstakhov:libucl` is a valid CPE for the package libucl.

See the latest CVE: CVE-2025-6499 [1], which references the upstream
repository.

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6499

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Peter: Fix flake8 warning, use http.server instead of relying on
        connectivity]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit [1] added the "Upstream:" package patch tag, but forgot to
remove the corresponding .checkpackageignore entry.

This commit fixes that.

Fixes:

    package/efl/0001-ecore_fb-fix-build-with-tslib.patch:0: lib_patch.Upstream was expected to fail, did you fix the file and forget to update .checkpackageignore?

[1] https://gitlab.com/buildroot.org/buildroot/-/commit/bac34296bfed5282df07496c845d74924beb5da6

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The dependencies on Boost.System, Boost.Filesystem were removed in
v23.0 [0][1] and Boost.Thread in v21.99 [2].

This was never reflected in the Buildroot package so do it now.

[0] bitcoin/bitcoin@0726932
[1] bitcoin/bitcoin@b87f9c5
[2] bitcoin/bitcoin@06e1d7d

Signed-off-by: Michael Nosthoff <buildroot@heine.tech>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The cpe:2.3:a:containers:aardvark-dns:*:*:*:*:*:*:*:* is
valid for this package.

See https://nvd.nist.gov/products/cpe/detail/5F79D5CD-D716-4190-BE08-31EB5EEB233F

The CPE version strips the 'v' prefix from the version.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Backport two security fixes from upstream. They are in newer releases,
but to facilitate backporting to our LTS releases, this backports the
fixes.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
https://gitlab.com/gpsd/gpsd/-/blob/release-3.27.2/NEWS

All patches can be dropped as they are in this upstream release.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes:

  https://autobuild.buildroot.net/results/572669fe1f9a77083a361fee7c8acdf38d7375ae/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
LLVM is already implicitly enabled for host-mesa3d when
BR2_PACKAGE_MESA3D_NEEDS_PRECOMP_COMPILER is selected. This blind
option is automatically enabled when LLVM is required by drivers such
as intel-iris, panfrost, imagination, or intel-vulkan.

The BR2_PACKAGE_MESA3D_LLVM option also independently selects host-llvm,
but this change makes the dependency more explicit for host-mesa3d
builds.

Note that disabling LLVM is not possible for host-mesa3d, as the build
will fail with:
../../../br-test-pkg/bootlin-armv5-uclibc/build/host-mesa3d-25.3.2/meson.build:847:3: ERROR: Feature llvm cannot be disabled: CLC requires LLVM

Signed-off-by: Thomas Devoogdt <thomas@devoogdt.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Removed patches which are included in this release.

License file was renamed upstream:
jasper-software/jasper@688601c

Added configure option to force builddir:
https://github.com/jasper-software/jasper/blob/version-4.2.8/build/cmake/modules/InSourceBuild.cmake

Added configure option for JAS_STDC_VERSION:
jasper-software/jasper@b8ecbfb

This new release also fixes compatibility with CMake 4.x, fixing build
issues encountered in the autobuilders.

Fixes:

  https://autobuild.buildroot.net/results/0b12e9428342e551e47e359598eecf18d81249b3/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Moved _SITE to https://git.madhouse-project.org/algernon/riemann-c-client
according to collectd/collectd#4021 (comment)
(collectd is the only package in buildroot using riemann-c-client)

Release notes:
https://git.madhouse-project.org/algernon/riemann-c-client/src/tag/riemann-c-client-2.2.2/NEWS.md

Updated licenses due to upstream commit
https://git.madhouse-project.org/algernon/riemann-c-client/commit/9bada2fabff9124245426baf7beb18e1e9480b17

Added optional dependencies to OpenSSL and wolfSSL.

Fixes:
https://autobuild.buildroot.net/results/29d/29d03e9ba24ae9d17ff7ad57e4906c30413d8a6e/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
There are multiple defconfig fragments we can select to modify the final
tiboot3.bin image to support different boot methods or enable features
supported by a board. Allow the ti-k3-r5-loader package to select
defconfig fragments during a build.

Signed-off-by: Bryan Brattlof <bb@ti.com>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
When the host system has asciidoctor and po4a/poman installed,
util-linux detects them and automatically enables manual pages and
their translations. This can significantly increase the package
build time (in my case, from 20s to 1m50s). See upstream
commits [1] and [2].

Since manual pages are not needed in Buildroot, this commit adds in
_CONF_OPTS for the host and target variants the options to always
disable the detection of those programs (--disable-asciidoc
--disable-poman). This will always disable the generation of manual
pages.

Note: Buildroot attempts to globally disable documentation for
autotools packages by passing various --disable-docs configure
options (see [3]), but those are not recognized by util-linux.

This commit also reorders the options for UTIL_LINUX_CONF_OPTS.

[1] util-linux/util-linux@9acfc34
[2] util-linux/util-linux@236421a
[3] https://gitlab.com/buildroot.org/buildroot/-/blob/2025.11/package/pkg-autotools.mk#L184-186

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Changelog
https://gitlab.com/git-scm/git/-/blob/HEAD/Documentation/RelNotes/2.53.0.adoc

Signed-off-by: Pierre-Yves Kerbrat <pyk@foss.peewhy.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_DRIVERS_LIST to control which DPDK applications are
built:
  - empty : use DPDK defaults
  - none  : disable all drivers (-Ddisable_drivers='*/*')
  - list  : pass to -Denable_drivers= (comma-separated)

Signed-off-by: Maxime Leroy <maxime@leroys.fr>
[Julien: slightly change the drivers Config.in help text:
 - rename net/ixgbe to net/intel/ixgbe
 - change find -maxdepth value to 3
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_LIBS_LIST to control which DPDK libraries are
built:
  - empty : use DPDK defaults
  - none  : disable all libs (-Ddisable_libs='*')
  - list  : pass to -Denable_libs= (comma-separated)

Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Add BR2_PACKAGE_DPDK_APPS_LIST to control which DPDK applications are
built:
  - empty : use DPDK defaults
  - none  : disable all apps (-Ddisable_apps='*')
  - list  : pass to -Denable_apps= (comma-separated)

Signed-off-by: Maxime Leroy <maxime@leroys.fr>
Signed-off-by: Julien Olivain <ju.o@free.fr>
The commit adding host-pico-sdk [1] introduced $(HOST_DIR)/usr/share
while it should be $(HOST_DIR)/share. Fix the error reported by
check-package.

[1] ceb800d3c63fe91628f42ce749c211ebef278628

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12973112667

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Added upstream patch to fix build error.
The build error does not occur with gcc-13.x.

The first build error of this kind was recorded 2024-08-23:
https://autobuild.buildroot.net/results/492/4927e93e40ec8bcda107f4bc3d8aa83024deb674/

Fixes:
https://autobuild.buildroot.net/results/48a/48af80bdda62ca70d73bc01e0939f548c3736c0d/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
The network-manager package currently pulls in either gnutls or libnss,
neither of which is very common, and it might be the only reason why
they are present on a system.

However, most of NetworkManager works just fine without any cryptography
support; it only seems to be used in test cases and 802.1X support code.

Remove the dependency but use a library if it is present.

Note that this changes the default behavior. If network-manager was the
only package pulling in gnutls, it won't do this anymore and use the
"null" backend. Add a note about this to the manual.

Signed-off-by: Florian Larysch <fl@n621.de>
Tested-by: Marcus Hoffmann <buildroot@bubu1.eu>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
[Marcus: Change buildroot version to 2026.02 in migrating.adoc]
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Currently, when both libnss and GnuTLS are present, NetworkManager will
get linked to libnss.

The NetworkManager project doesn't recommend one over the other
officially and has supported both from day one back in 2007.

Arguments which one to prefer can be made in either direction:

Points in favor of libnss:

 - It's the default value in the NM build system, so it would be the
   preferred backend if both are available and we didn't supply any
   options to the build process

 - It's probably the more mature of the two, given that it's being used
   in Mozilla products

Points in favor of GnuTLS:

 - While both backends seem feature-equivalent, the
   _nm_crypto_verify_pkcs8 function is stubbed out in the libnss
   code[1].

 - Both Debian and Fedora explicitly select GnuTLS in their packages. At
   least in the case of Fedora it seems to have been a conscious
   choice[2].

Given what it's actually used for in the code base, the choice does not
matter a lot. However, since it is marginally more feature-complete and
seems to be preferred by other distributions, let's switch to GnuTLS.

[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/36f8de25c487fe1570a19fe917c85ec065b0339e/src/libnm-crypto/nm-crypto-nss.c#L523-540
[2] https://src.fedoraproject.org/rpms/NetworkManager/c/29a9c41beafb5e549c10bfb50ee23ee47bdbc42f?branch=rawhide

Signed-off-by: Florian Larysch <fl@n621.de>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
…IR)/share"

This reverts commit 8381582 that
missed that the same issue was also in picotool package.

Signed-off-by: Romain Naour <romain.naour@smile.fr>
Commits [1] and [2] are installing host SDK files to
"$(HOST_DIR)/usr/share".

check-package (see [3]) reports the error:

    package/pico-sdk/pico-sdk.mk:23: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
    package/pico-sdk/pico-sdk.mk:24: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/
    package/picotool/picotool.mk:15: install files to $(HOST_DIR)/ instead of $(HOST_DIR)/usr/

This commit installs the host SDK files to "$(HOST_DIR)/share" to fix
this error.

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/12970341499

[1] https://gitlab.com/buildroot.org/buildroot/-/commit/ceb800d3c63fe91628f42ce749c211ebef278628
[2] https://gitlab.com/buildroot.org/buildroot/-/commit/926381d360082e926cb6be28cb1e97639d26ea0f
[3] https://gitlab.com/buildroot.org/buildroot/-/commit/29a0dd4a3006c06d4b8d82821bd74b8b9f26715a

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Romain Naour <romain.naour@smile.fr>
tperale and others added 30 commits February 25, 2026 21:36
For more information on the version bump, see:
  - https://www.wireshark.org/docs/relnotes/wireshark-4.4.13.html
  - https://www.wireshark.org/docs/relnotes/wireshark-4.4.12.html
  - https://www.wireshark.org/docs/relnotes/wireshark-4.4.11.html
  - https://www.wireshark.org/docs/relnotes/wireshark-4.4.10.html

Fixes the following vulnerabilities:

- CVE-2025-11626:
    MONGO dissector infinite loop in Wireshark 4.4.0 to 4.4.9 and 4.2.0 to
    4.2.13 allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2025-11626

- CVE-2025-13499:
    Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows
    denial of service

    https://www.cve.org/CVERecord?id=CVE-2025-13499

- CVE-2025-13946:
    MEGACO dissector infinite loop in Wireshark 4.6.0 to 4.6.1 and 4.4.0
    to 4.4.11 allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2025-13946

- CVE-2026-0959:
    IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and
    4.4.0 to 4.4.12 allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2026-0959

- CVE-2026-0960:
    HTTP3 protocol dissector infinite loop in Wireshark 4.6.0 to 4.6.2
    allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2026-0960

- CVE-2026-0961:
    BLF file parser crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12
    allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2026-0961

- CVE-2026-0962:
    SOME/IP-SD protocol dissector crash in Wireshark 4.6.0 to 4.6.2 and
    4.4.0 to 4.4.12 allows denial of service

    https://www.cve.org/CVERecord?id=CVE-2026-0962

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
For more information on the version bump, see:
  - https://github.com/ImageMagick/Website/blob/main/ChangeLog.md
  - ImageMagick/ImageMagick@7.1.2-12...7.1.2-15

Fixes the following vulnerabilities:

- CVE-2026-22770:
    The BilateralBlurImage method will allocate a set of double buffers
    inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the
    last element in the set is not properly initialized. This will
    result in a release of an invalid pointer inside DestroyBilateralTLS
    when the memory allocation fails.

    https://www.cve.org/CVERecord?id=CVE-2026-22770

- CVE-2026-23874:
    Versions prior to 7.1.2-13 have a stack overflow via infinite
    recursion in MSL (Magick Scripting Language) `<write>` command when
    writing to MSL format.

    https://www.cve.org/CVERecord?id=CVE-2026-23874

- CVE-2026-23876:
    Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow
    vulnerability in the XBM image decoder (ReadXBMImage) allows an
    attacker to write controlled data past the allocated heap buffer
    when processing a maliciously crafted image file. Any operation that
    reads or identifies an image can trigger the overflow, making it
    exploitable via common image upload and processing pipelines.

    https://www.cve.org/CVERecord?id=CVE-2026-23876

- CVE-2026-24481:
    Prior to versions 7.1.2-15 and 6.9.13-40, a heap information
    disclosure vulnerability exists in ImageMagick's PSD (Adobe
    Photoshop) format handler. When processing a maliciously crafted PSD
    file containing ZIP-compressed layer data that decompresses to less
    than the expected size, uninitialized heap memory is leaked into the
    output image.

    https://www.cve.org/CVERecord?id=CVE-2026-24481

- CVE-2026-25638:
    Prior to versions 7.1.2-15 and 6.9.13-40, memory leak exists in
    `coders/msl.c`. In the `WriteMSLImage` function of the `msl.c` file,
    resources are allocated. But the function returns early without
    releasing these allocated resources.

    https://www.cve.org/CVERecord?id=CVE-2026-25638

- CVE-2026-25794:
    `WriteUHDRImage` in `coders/uhdr.c` uses `int` arithmetic to compute
    the pixel buffer size. Prior to version 7.1.2-15, when image
    dimensions are large, the multiplication overflows 32-bit `int`,
    causing an undersized heap allocation followed by an out-of-bounds
    write. This can crash the process or potentially lead to an out of
    bounds heap write.

    https://www.cve.org/CVERecord?id=CVE-2026-25794

- CVE-2026-25795:
    Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSFWImage()`
    (`coders/sfw.c`), when temporary file creation fails, `read_info` is
    destroyed before its `filename` member is accessed, causing a NULL
    pointer dereference and crash.

    https://www.cve.org/CVERecord?id=CVE-2026-25795

- CVE-2026-25796:
    Prior to versions 7.1.2-15 and 6.9.13-40, in `ReadSTEGANOImage()`
    (`coders/stegano.c`), the `watermark` Image object is not freed on
    three early-return paths, resulting in a definite memory leak
    (~13.5KB+ per invocation) that can be exploited for denial of
    service.

    https://www.cve.org/CVERecord?id=CVE-2026-25796

- CVE-2026-25798:
    Prior to versions 7.1.2-15 and 6.9.13-40, a NULL pointer dereference
    in ClonePixelCacheRepository allows a remote attacker to crash any
    application linked against ImageMagick by supplying a crafted image
    file, resulting in denial of service.

    https://www.cve.org/CVERecord?id=CVE-2026-25798

- CVE-2026-25799:
    Prior to versions 7.1.2-15 and 6.9.13-40, a logic error in YUV
    sampling factor validation allows an invalid sampling factor to
    bypass checks and trigger a division-by-zero during image loading,
    resulting in a reliable denial-of-service.

    https://www.cve.org/CVERecord?id=CVE-2026-25799

- CVE-2026-25897:
    Prior to versions 7.1.2-15 and 6.9.13-40, an Integer Overflow
    vulnerability exists in the sun decoder. On 32-bit systems/builds, a
    carefully crafted image can lead to an out of bounds heap write.

    https://www.cve.org/CVERecord?id=CVE-2026-25897

- CVE-2026-25989:
    Prior to versions 7.1.2-15 and 6.9.13-40, a crafted SVG file can
    cause a denial of service. An off-by-one boundary check (`>` instead
    of `>=`) allows bypassing the guard and reaching an undefined
    `(size_t)` cast.

    https://www.cve.org/CVERecord?id=CVE-2026-25989

- CVE-2026-26066:
    Prior to versions 7.1.2-15 and 6.9.13-40, a crafted profile containing
    invalid IPTC data may cause an infinite loop when writing it with
    `IPTCTEXT`.

    https://www.cve.org/CVERecord?id=CVE-2026-26066

- CVE-2026-26283:
    Prior to versions 7.1.2-15 and 6.9.13-40, a `continue` statement in
    the JPEG extent binary search loop in the jpeg encoder causes an
    infinite loop when writing persistently fails. An attacker can
    trigger a 100% CPU consumption and process hang (Denial of Service)
    with a crafted image.

    https://www.cve.org/CVERecord?id=CVE-2026-26283

- CVE-2026-26284:
    Prior to versions 7.1.2-15 and 6.9.13-40, ImageMagick lacks proper
    boundary checking when processing Huffman-coded data from PCD
    (Photo CD) files. The decoder contains a function that has an
    incorrect initialization that could cause an out of bounds read.

    https://www.cve.org/CVERecord?id=CVE-2026-26284

- CVE-2026-26983:
    Prior to versions 7.1.2-15 and 6.9.13-40, the MSL interpreter
    crashes when processing an invalid `<map>` element that causes it to
    use an image after it has been freed.

    https://www.cve.org/CVERecord?id=CVE-2026-26983

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
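The integer-overflow pattern named above for CVE-2026-25794 and CVE-2026-25897 (an allocation size computed in 32-bit arithmetic, yielding an undersized heap block) as an added example. This is not ImageMagick's code or the project's fix; the function names, the uint32_t model of the wrap-around, the 1 GiB policy cap and the sample dimensions are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical model (not ImageMagick code) of the bug class behind
 * CVE-2026-25794 / CVE-2026-25897: an allocation size computed in
 * 32-bit arithmetic. Signed int overflow is undefined behaviour in C;
 * uint32_t is used here so the wrap-around is deterministic to observe. */
uint32_t naive_pixel_buffer_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;   /* silently wraps past 2^32 */
}

/* Hardened form: checks each multiplication against SIZE_MAX before
 * performing it. Returns 1 and stores the size in *out on success, 0 if
 * any dimension is zero or the product does not fit in size_t. */
int checked_pixel_buffer_size(size_t width, size_t height, size_t channels, size_t *out)
{
    if (width == 0 || height == 0 || channels == 0)
        return 0;
    if (width > SIZE_MAX / height)
        return 0;
    size_t wh = width * height;
    if (wh > SIZE_MAX / channels)
        return 0;
    *out = wh * channels;
    return 1;
}

/* Assumed policy limit on a single pixel buffer (1 GiB); a real decoder
 * would take this from its resource-limit configuration. */
#define MAX_PIXEL_BYTES ((size_t)1 << 30)

/* Allocate a pixel buffer only after the overflow check and the policy cap
 * pass; returns NULL otherwise so callers fail closed instead of writing
 * past an undersized block. */
unsigned char *allocate_pixels(size_t width, size_t height, size_t channels)
{
    size_t bytes;
    if (!checked_pixel_buffer_size(width, height, channels, &bytes))
        return NULL;
    if (bytes > MAX_PIXEL_BYTES)
        return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    /* Constructed sample: a 65536x65536 RGBA image needs 2^34 bytes. */
    uint32_t naive = naive_pixel_buffer_size(65536u, 65536u, 4u);
    size_t checked = 0;
    int ok = checked_pixel_buffer_size(65536, 65536, 4, &checked);

    printf("naive size:   %u bytes (wrapped)\n", (unsigned)naive);
    if (ok)
        printf("checked size: %zu bytes\n", checked);
    else
        printf("checked size: rejected (would not fit in size_t)\n");

    unsigned char *p = allocate_pixels(640, 480, 3);
    printf("640x480x3 allocation %s\n", p ? "succeeded" : "failed");
    free(p);
    return 0;
}
```

The naive computation for the 65536x65536x4 sample wraps to 0, which is exactly the undersized allocation the CVE text describes; the checked version either returns the true size (on a 64-bit size_t) or refuses, and the allocator additionally enforces an explicit cap so that even a correctly computed huge size is rejected rather than passed to calloc.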
For more information on the version bump, see:
  - https://github.com/containerd/containerd/releases/tag/v2.0.7
  - https://github.com/containerd/containerd/releases/tag/v2.0.6
  - https://github.com/containerd/containerd/releases/tag/v2.0.5
  - https://github.com/containerd/containerd/releases/tag/v2.0.4
  - https://github.com/containerd/containerd/releases/tag/v2.0.3

Fixes the following vulnerabilities:

- CVE-2024-25621:
    Versions 2.0.0-beta.0 through 2.0.6 have an overly broad default
    permission vulnerability. Directory paths `/var/lib/containerd`,
    `/run/containerd/io.containerd.grpc.v1.cri` and
    `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all
    created with incorrect permissions.

    https://www.cve.org/CVERecord?id=CVE-2024-25621

- CVE-2024-40635:
    A bug was found in containerd prior to version 2.0.4 where
    containers launched with a User set as a `UID:GID` larger than the
    maximum 32-bit signed integer can cause an overflow condition where
    the container ultimately runs as root (UID 0). This could cause
    unexpected behavior for environments that require containers to run
    as a non-root user.

    https://www.cve.org/CVERecord?id=CVE-2024-40635

- CVE-2025-47291:
    A bug was found in the containerd's CRI implementation where
    containerd, starting in version 2.0.1 and prior to version 2.0.5,
    doesn't put usernamespaced containers under the Kubernetes' cgroup
    hierarchy, therefore some Kubernetes limits are not honored. This
    may cause a denial of service of the Kubernetes node.

    https://www.cve.org/CVERecord?id=CVE-2025-47291

- CVE-2025-64329:
    Versions 2.0.0-beta.0 through 2.0.6 contain a bug in the CRI Attach
    implementation where a user can exhaust memory on the host due to
    goroutine leaks.

    https://www.cve.org/CVERecord?id=CVE-2025-64329

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities:

- CVE-2018-6952:
    A double free exists in the another_hunk function in pch.c in GNU
    patch through 2.7.6.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2018-6952
  - https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=9c986353e420ead6e706262bf204d6e03322c300

- CVE-2019-20633:
    GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Free
    vulnerability in the function another_hunk in pch.c that can cause a
    denial of service via a crafted patch file. NOTE: this issue exists
    because of an incomplete fix for CVE-2018-6952.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2019-20633
  - https://cgit.git.savannah.gnu.org/cgit/patch.git/commit/?id=15b158db3ae11cb835f2eb8d2eb48e09d1a4af48

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
This minor release contains a fix for building with host glibc 2.43,
which fails otherwise.

Signed-off-by: Paul Kocialkowski <paulk@sys-base.io>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For more information on the version bump, see:
  - https://github.com/OpenPrinting/cups/blob/v2.4.16/CHANGES.md
  - https://github.com/OpenPrinting/cups/releases/tag/v2.4.16
  - https://github.com/OpenPrinting/cups/releases/tag/v2.4.15

Fixes the following vulnerabilities:

- CVE-2025-58436:
    OpenPrinting CUPS is an open source printing system for Linux and
    other Unix-like operating systems. Prior to version 2.4.15, a client
    that connects to cupsd but sends slow messages, e.g. only one byte per
    second, delays cupsd as a whole, such that it becomes unusable by
    other clients.

For more information, see
  - https://www.cve.org/CVERecord?id=CVE-2025-58436
  - OpenPrinting/cups@40008d7

- CVE-2025-61915:
    OpenPrinting CUPS is an open source printing system for Linux and
    other Unix-like operating systems. Prior to version 2.4.15, a user in
    the lpadmin group can use the cups web ui to change the config and
    insert a malicious line. Then the cupsd process which runs as root
    will parse the new config and cause an out-of-bound write.

For more information, see
  - https://www.cve.org/CVERecord?id=CVE-2025-61915
  - OpenPrinting/cups@db8d560

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes the following vulnerability:

- CVE-2025-50681:
    igmpproxy 0.4 before commit 2b30c36 allows remote attackers to cause a
    denial of service (application crash) via a crafted IGMPv3 membership
    report packet with a malicious source address. Due to insufficient
    validation in the `recv_igmp()` function in src/igmpproxy.c, an
    invalid group record type can trigger a NULL pointer dereference when
    logging the address using `inet_fmtsrc()`. This vulnerability can be
    exploited by sending malformed multicast traffic to a host running
    igmpproxy, leading to a crash. igmpproxy is used in various embedded
    networking environments and consumer-grade IoT devices (such as home
    routers and media gateways) to handle multicast traffic for IPTV and
    other streaming services. Affected devices that rely on unpatched
    versions of igmpproxy may be vulnerable to remote denial-of-service
    attacks across a LAN.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-50681
  - younix/igmpproxy@2b30c36

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:

- CVE-2025-63938:
    Tinyproxy through 1.11.2 contains an integer overflow vulnerability in
    the strip_return_port() function within src/reqs.c.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-63938
  - tinyproxy/tinyproxy@3c0fde9

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerabilities:

- CVE-2024-50382:
    Botan before 3.6.0, when certain LLVM versions are used, has
    compiler-induced secret-dependent control flow in
    lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch
    instead of an XOR with carry. This was observed for Clang in LLVM 15
    on RISC-V.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2024-50382
  - randombit/botan@53b0cfd

- CVE-2024-50383:
    Botan before 3.6.0, when certain GCC versions are used, has a
    compiler-induced secret-dependent operation in lib/utils/donna128.h in
    donna128 (used in Chacha-Poly1305 and x25519). An addition can be
    skipped if a carry is not set. This was observed for GCC 11.3.0 with
    -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be
    affected.)

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2024-50383
  - randombit/botan@53b0cfd

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Various bugfixes:
https://gpsd.gitlab.io/gpsd/NEWS

Signed-off-by: Mattias Walström <lazzer@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Buildroot commit 0433c8d bumped
libinput to version 1.31.0 which causes a build error with wlroot:

../backend/libinput/switch.c: In function ‘handle_switch_toggle’:
../backend/libinput/switch.c:32:9: error: enumeration value
 ‘LIBINPUT_SWITCH_KEYPAD_SLIDE’ not handled in switch [-Werror=switch]
   32 |         switch (libinput_event_switch_get_switch(sevent)) {

The build error was not yet detected by the autobuilders but can be
reproduced using this defconfig:

BR2_x86_64=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_PER_PACKAGE_DIRECTORIES=y
BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_EUDEV=y
BR2_PACKAGE_MESA3D=y
BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SOFTPIPE=y
BR2_PACKAGE_MESA3D_OPENGL_GLX=y
BR2_PACKAGE_MESA3D_OPENGL_EGL=y
BR2_PACKAGE_MESA3D_OPENGL_ES=y
BR2_PACKAGE_XORG7=y
BR2_PACKAGE_WLROOTS=y

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://gitlab.freedesktop.org/wlroots/wlroots/-/releases/0.19.2

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This fixes these CVEs:
CVE-2026-26103:
GHSA-c75h-phf8-ccjm
CVE-2026-26104:
GHSA-fcvx-497g-6xmw

Release notes:
https://github.com/storaged-project/udisks/releases/tag/udisks-2.11.1

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes:
https://ftp.isc.org/isc/bind9/9.18.46/doc/arm/html/notes.html

Changelog:
https://ftp.isc.org/isc/bind9/9.18.46/doc/arm/html/changelog.html

Fixes bug:
GL #5751
https://gitlab.isc.org/isc-projects/bind9/-/issues/5751

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Change summary:
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.11.4

Fixes:
CVE-2025-14821: libssh loads configuration files from the C:\etc directory
on Windows
CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request()
CVE-2026-0965: Possible Denial of Service when parsing unexpected
configuration files
CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input
CVE-2026-0967: Specially crafted patterns could cause DoS
CVE-2026-0968: OOB Read in sftp_parse_longname()
libssh-2026-sftp-extensions: Read buffer overrun when handling SFTP
extensions

Signed-off-by: Mattias Walström <lazzer@gmail.com>
[Julien:
 - add link to upstream change summary
 - fix signature link in hash file
]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:

- CVE-2026-25556:
    MuPDF versions 1.23.0 through 1.27.0 contain a double-free
    vulnerability in fz_fill_pixmap_from_display_list() when an exception
    occurs during display list rendering. The function accepts a
    caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its
    error handling path before rethrowing the exception. Callers (including the
    barcode decoding path in fz_decode_barcode_from_display_list) also
    drop the same pixmap in cleanup, resulting in a double-free that can
    corrupt the heap and crash the process. This issue affects
    applications that enable and use MuPDF barcode decoding and can be
    triggered by processing crafted input that causes a rendering-time
    error while decoding barcodes.

For more information, see
  - https://www.cve.org/CVERecord?id=CVE-2026-25556
  - https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fixes the following vulnerability:

- CVE-2025-34450:
    merbanan/rtl_433 versions up to and including 25.02 and prior to
    commit 25e47f8 contain a stack-based buffer overflow vulnerability in
    the function parse_rfraw() located in src/rfraw.c. When processing
    crafted or excessively large raw RF input data, the application may
    write beyond the bounds of a stack buffer, resulting in memory
    corruption or a crash. This vulnerability can be exploited to cause a
    denial of service and, under certain conditions, may be leveraged for
    further exploitation depending on the execution environment and
    available mitigations.

For more information, see:
  - https://www.cve.org/CVERecord?id=CVE-2025-34450
  - merbanan/rtl_433@25e47f8

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Release notes of this bugfix release:
https://www.samba.org/samba/history/samba-4.23.6.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit 126162b disabled
parallel builds in Jan 2017 due to a bug which was fixed upstream in
Nov 2017:
pocoproject/poco@1724e8b#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52
pocoproject/poco@076dd96

Building with -j100 worked.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Change the mips32r6 into a blanket BR2_mips[el] check to disable the
JSC JIT. Upstream removed JIT support for all MIPS processors in
January 2024 [0], and the change trickled down to stable releases
starting on version 2.44.0 [1].

While at it, change the upstream bug links to point to a more
appropriate bug report.

[0] https://commits.webkit.org/272866@main
[1] https://lists.webkit.org/archives/list/webkit-wpe@lists.webkit.org/thread/JM7GLPPKGAB6DIQ2YDHPEIWNOYSUHBC7/

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Change the mips32r6 into a blanket BR2_mips[el] check to disable the
JSC JIT. Upstream removed JIT support for all MIPS processors in
January 2024 [0], and the change trickled down to stable releases
starting on version 2.44.0 [1].

While at it, change the upstream bug links to point to a more
appropriate bug report.

[0] https://commits.webkit.org/272866@main
[1] https://lists.webkit.org/archives/list/webkit-wpe@lists.webkit.org/thread/JM7GLPPKGAB6DIQ2YDHPEIWNOYSUHBC7/

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The original source is offline, switch to forked repo and use the same
tree as before to only fix the download error.

Fixes:
https://autobuild.buildroot.net/results/eec/eecf2cbaafd8a170b5f5c6c24df552280a530204/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
For release notes, see:
https://github.com/Kludex/python-multipart/releases/tag/0.0.22

Fixes:
https://www.cve.org/CVERecord?id=CVE-2026-24486

Signed-off-by: Martin Bachmann <martin.bachmann@designwerk.com>
[Julien: reword commit log to mark the commit as a security bump]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Buildroot commit ed12e2f in 2021 added
BR2_PACKAGE_LIBVIRT_LXC which selects BR2_PACKAGE_LXC but did not add
the dependency !BR2_TOOLCHAIN_USES_UCLIBC which was added to lxc in
2019 by buildroot commit 63aad8a
causing Kconfig warnings:

WARNING: unmet direct dependencies detected for BR2_PACKAGE_LXC
  Depends on [n]: BR2_TOOLCHAIN_HAS_THREADS [=y] && BR2_USE_MMU [=y]
    && !BR2_STATIC_LIBS [=n] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 [=y]
    && BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_0 [=y] && !BR2_TOOLCHAIN_USES_UCLIBC [=y]
  Selected by [y]:
  - BR2_PACKAGE_LIBVIRT_LXC [=y] && BR2_PACKAGE_LIBVIRT [=y]
      && BR2_PACKAGE_LIBVIRT_DAEMON [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 [=y]

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This defconfig can be built without problems:

BR2_x86_64=y
BR2_GCC_VERSION_15_X=y
BR2_PACKAGE_SAFECLIB=y

However adding rocketlake as architecture variant

BR2_x86_64=y
BR2_x86_rocketlake=y
BR2_GCC_VERSION_15_X=y
BR2_PACKAGE_SAFECLIB=y

causes a build error:

str/vsnprintf_s.c: In function 'safec_ftoa.isra':
str/vsnprintf_s.c:523:24: error: writing 32 bytes into a region of size
 31 [-Werror=stringop-overflow=]
  523 |             buf[len++] = '0';

with gcc 15.x only, gcc <= 14.x is not affected, reason unknown.

This commit adds two upstream commits which fix the problem.

No autobuilder error was recorded.

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a number of crashes. Release notes:

  https://webkitgtk.org/2026/02/09/webkitgtk2.50.5-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
When the toolchain involved in openscap build does not support C++, the
configure step fails with the following error:

  -- Detecting CXX compiler ABI info
  -- Detecting CXX compiler ABI info - failed
  -- Check for working CXX compiler: /bin/false
  -- Check for working CXX compiler: /bin/false - broken
  CMake Error at /usr/share/cmake/Modules/CMakeTestCXXCompiler.cmake:73 (message):
    The C++ compiler

      "/bin/false"

    is not able to compile a simple test program.

    It fails with the following output:

      Change Dir: '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'

      Run Build Command(s): /usr/bin/cmake -E env VERBOSE=1 /usr/bin/make -f Makefile cmTC_1834b/fast
      make[1]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
      /usr/bin/make  -f CMakeFiles/cmTC_1834b.dir/build.make CMakeFiles/cmTC_1834b.dir/build
      make[2]: Entering directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
      Building CXX object CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o /bin/false    -o CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o -c /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI/testCXXCompiler.cxx
      make[2]: *** [CMakeFiles/cmTC_1834b.dir/build.make:81: CMakeFiles/cmTC_1834b.dir/testCXXCompiler.cxx.o] Error 1
      make[2]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'
      make[1]: *** [Makefile:134: cmTC_1834b/fast] Error 2
      make[1]: Leaving directory '/home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/buildroot-build/CMakeFiles/CMakeScratch/TryCompile-tUydqI'

    CMake will not be able to correctly generate this project.
  Call Stack (most recent call first):
    CMakeLists.txt:11 (project)

  -- Configuring incomplete, errors occurred!
  make: *** [package/pkg-generic.mk:263: /home/autobuild/autobuild/instance-6/output-1/build/openscap-1.3.12/.stamp_configured] Error 1
  make: Leaving directory '/home/autobuild/autobuild/instance-6/buildroot'

The openscap project does not contain any C++ file, and so does not need
a C++ capable compiler. Bring the to-be-integrated-upstream patch
enforcing C language in CMakeLists.txt to prevent this build failure.

Fixes: https://autobuild.buildroot.org/results/1fe550ffa79f0a083a450ae03fe067a8ab7336be
Fixes: https://autobuild.buildroot.org/results/e9d52b52658544916022050c78dcb137ca6c97e0
Fixes: https://autobuild.buildroot.org/results/4a9c21763aaddb217ee5f8bb8947faad9767baa3
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Reviewed-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 3d2141b("support/testing/run-tests: specify multiprocessing
method") added a call to multiprocessing.set_start_method('fork') as a
workaround for python 3.14, which changed the default start method to
forkserver - Which is incompatible with the nose2 setup.

multiprocessing.set_start_method() is only supposed to be called a maximum
of 1 time per process and throws a RuntimeError if called more than that
(even with the same arguments):

>>> import multiprocessing
>>> multiprocessing.set_start_method('fork')
>>> multiprocessing.set_start_method('fork')
Traceback (most recent call last):
  File "<python-input-2>", line 1, in <module>
    multiprocessing.set_start_method('fork')
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "/usr/lib/python3.13/multiprocessing/context.py", line 247, in set_start_method
    raise RuntimeError('context has already been set')

Debian included a similar patch in python3-nose2 0.51.1-2 (currently in
testing/unstable) which adds its own call to set_start_method():

https://salsa.debian.org/python-team/packages/nose2/-/blob/debian/0.15.1-2/debian/patches/0004-plugins-mp-set-context-to-fork-for-Python-3.14-mp-AP.patch?ref_type=tags

Which comes from:
nose-devs/nose2#644

As discussed in the upstream PR, this is not a correct fix and
breaks various use cases.  An issue has been opened to get this fixed in the
Debian packaging at:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129350

But until that is done, rework the patch to:

- Only override set_start_method() if needed to limit impact
- Monkey patch set_start_method() so additional calls are ignored

To unbreak run-test on affected Debian systems and add some documentation to
make it clear why this is done.

[Peter: use allow_none / force optional arguments as pointed out by Julien]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
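As an added illustration of the workaround the commit message above describes (this is not Buildroot's run-tests code and not the Debian nose2 patch): fix the 'fork' start method once, then replace multiprocessing.set_start_method() with a wrapper that treats further calls as no-ops, so a second call such as the one made by the patched nose2 plugin no longer raises "context has already been set". The names ensure_start_method(), current_start_method() and demo() are my own, and the example assumes a POSIX Python where the 'fork' start method is available.

```python
"""Idempotent multiprocessing start-method selection.

Illustration only (not Buildroot's support/testing/run-tests): select a
start method once, then make later multiprocessing.set_start_method()
calls harmless instead of fatal.  Assumes a POSIX Python with 'fork'.
"""
import multiprocessing
import warnings

# Keep a reference to the real function before anything patches it.
_ORIGINAL_SET_START_METHOD = multiprocessing.set_start_method


def current_start_method():
    """Start method fixed for this process, or None if none is chosen yet.

    allow_none=True matters: the plain get_start_method() silently fixes
    the default context as a side effect, which is exactly what we want
    to avoid while probing.
    """
    return multiprocessing.get_start_method(allow_none=True)


def _tolerant_set_start_method(method, force=False):
    """Drop-in replacement for multiprocessing.set_start_method().

    - force=True behaves exactly like the original (explicit override).
    - If no method is fixed yet, delegate to the original.
    - A repeat request for the method already in effect is a no-op.
    - A request for a different method is ignored with a warning rather
      than raising, so library code (e.g. a nose2 plugin) cannot crash us.
    """
    current = current_start_method()
    if force or current is None:
        return _ORIGINAL_SET_START_METHOD(method, force=force)
    if current != method:
        warnings.warn(
            f"multiprocessing start method already fixed to {current!r}; "
            f"ignoring request for {method!r}",
            RuntimeWarning,
            stacklevel=2,
        )
    return None


def ensure_start_method(method="fork"):
    """Fix `method` once and install the tolerant wrapper if not yet done.

    Returns the start method in effect afterwards.
    """
    current = current_start_method()
    if current is None:
        _ORIGINAL_SET_START_METHOD(method)
    elif current != method:
        # Something else already picked another method; override it
        # explicitly because the test workers depend on fork semantics.
        _ORIGINAL_SET_START_METHOD(method, force=True)
    if multiprocessing.set_start_method is not _tolerant_set_start_method:
        multiprocessing.set_start_method = _tolerant_set_start_method
    return current_start_method()


def demo(method="fork"):
    """Replay the failing sequence from the commit log without the error:
    choose the method, then call set_start_method() twice more."""
    ensure_start_method(method)
    multiprocessing.set_start_method(method)  # raised RuntimeError unpatched
    multiprocessing.set_start_method(method)
    return current_start_method()


if __name__ == "__main__":
    print("start method in effect:", demo())
```

The wrapper deliberately still honours force=True, so a caller that genuinely needs a different start method keeps a way to get it; only the accidental repeat calls are swallowed.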