Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

heap-based buffer overflow in Expand3To4Module::run (SimpleModule.h) #40

Open
asarubbo opened this issue Feb 20, 2017 · 5 comments
Open

Comments

@asarubbo
Copy link

http://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h/

@antlarr
Copy link

antlarr commented Mar 9, 2017

This is fixed by 7d65f89 (part of pr #42)

@carnil
Copy link

carnil commented Mar 13, 2017

This is CVE-2017-6836

buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Mar 31, 2017
…-2017-6836 / CVE-2017-6838

CVE-2017-6830: A heap-based buffer overflow in the alaw2linear_buf function
in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp
mpruett/audiofile#34

CVE-2017-6834: A heap-based buffer overflow in the ulaw2linear_buf function
in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp
mpruett/audiofile#38

CVE-2017-6836: A heap-based buffer overflow in the Expand3To4Module::run
function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka
audiofile) 0.3.6 allows remote attackers to cause a denial of service
(crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h
mpruett/audiofile#40

CVE-2017-6838: Integer overflow in sfcommands/sfconvert.c in Audio File
Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
mpruett/audiofile#41

Signed-off-by: Peter Korsgaard <[email protected]>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Apr 3, 2017
…-2017-6836 / CVE-2017-6838

CVE-2017-6830: A heap-based buffer overflow in the alaw2linear_buf function
in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp
mpruett/audiofile#34

CVE-2017-6834: A heap-based buffer overflow in the ulaw2linear_buf function
in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
attackers to cause a denial of service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp
mpruett/audiofile#38

CVE-2017-6836: A heap-based buffer overflow in the Expand3To4Module::run
function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka
audiofile) 0.3.6 allows remote attackers to cause a denial of service
(crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h
mpruett/audiofile#40

CVE-2017-6838: Integer overflow in sfcommands/sfconvert.c in Audio File
Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
service (crash) via a crafted file.

https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
mpruett/audiofile#41

Signed-off-by: Peter Korsgaard <[email protected]>
(cherry picked from commit 4a1a827)
Signed-off-by: Peter Korsgaard <[email protected]>
fschuett added a commit to fschuett/oss-linbo that referenced this issue Apr 8, 2017
commit b1ae86c7f7250249ad3faeb7c473e80a71f9fd74
Merge: ddaca9d5c 476067a78
Author: Frank Schütte <[email protected]>
Date:   Sat Apr 8 14:37:16 2017 +0200

    Add 'buildroot/' from commit '604f4058d2b57f9e764aac344f72e117c852c641'

    git-subtree-dir: buildroot
    git-subtree-mainline: ddaca9d5cc201ffb618e21e86a32ac980ed327c1
    git-subtree-split: 604f4058d2b57f9e764aac344f72e117c852c641

commit ddaca9d5cc201ffb618e21e86a32ac980ed327c1
Author: Frank Schütte <[email protected]>
Date:   Sat Apr 8 14:36:04 2017 +0200

    rm subtree buildroot 2016.11

commit 476067a78d4fd1ddb141a8cccc63cf3e75cbe7a3
Author: Peter Korsgaard <[email protected]>
Date:   Wed Apr 5 13:35:15 2017 +0200

    Update for 2017.02.1

    Signed-off-by: Peter Korsgaard <[email protected]>

commit c836666c7b89936dbed15e350f4edf7e895c524c
Author: Matt Weber <[email protected]>
Date:   Mon Apr 3 21:06:11 2017 -0500

    libselinux: query for python site-packages dir directly

    With the bump to version 2.6, the following commit needs
    to be taken into consideration for overloading paths.
    https://github.com/SELinuxProject/selinux/commit/8162f10e670da963eb65ccf1e7de69ea85aba30d

    The PYLIBVER is no longer used and the PYTHONLIBDIR is
    renamed to PYSITEDIR with slightly different pathing.

    More details can be found in the issue ticket which was
    marked as a non-issue after analysis that a Buildroot fix
    was the resolution.
    https://github.com/SELinuxProject/selinux/issues/51

    Signed-off-by: Matthew Weber <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 6a6ce10eba24d43412aada7df7de2ab78e8ffee2)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit f8d1e5f1ea26f7b125bfbb4338dc24ab97e76120
Author: Thomas Petazzoni <[email protected]>
Date:   Thu Mar 23 00:04:56 2017 +0100

    gst-ffmpeg: work-around bogus configure logic on SPARC

    The libav version built into the gst-ffmpeg code produces a bogus
    binary on SPARC, which causes the following error of the
    check-bin-arch script:

      ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstffmpeg.so is Sparc v8+, should be Sparc
      ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstpostproc.so is Sparc v8+, should be Sparc
      ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstffmpegscale.so is Sparc v8+, should be Sparc

    The problem is the following bit of code in
    gst-lib/ext/libav/configure:

    elif enabled sparc; then

        enabled vis && check_asm vis '"pdist %f0, %f0, %f0"' -mcpu=ultrasparc &&
            add_cflags -mcpu=ultrasparc -mtune=ultrasparc

    I.e, it checks if the architecture supports the pdist
    instruction... but forces -mcpu to ultrasparc while doing so. So it's
    like "let's see if this Ultrasparc instruction exists when I force the
    compiler to think I'm using Ultrasparc", which is non-sensical. This
    has been fixed later on in libav upstream:

      https://git.libav.org/?p=libav.git;a=commit;h=6aa93689abe8c095cec9fa828c2dee3131008995

    However, this commit cannot be backported as-is since the shell
    function check_inline_asm did not exist in the old libav version
    bundled in gst-ffmpeg.

    Therefore, we take the simpler route of disabling the VIS
    optimizations on SPARCv8 and Leon3.

    Fixes:

      http://autobuild.buildroot.net/results/e82d179c3d4f92ad7423693a4b1d42379a3f5411/

    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit d2b73875c3b8a6ec518c1424eaf92c1257fa40aa)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c61338a628879610671826f0aa766473023c8219
Author: Julien BOIBESSOT <[email protected]>
Date:   Mon Apr 3 14:25:43 2017 +0200

    package/tyrian: fixes compilation with static libs

    Has been tested with: "./support/scripts/test-pkg -c tyrian.cfg -p opentyrian"
    Fixes: http://autobuild.buildroot.net/results/0e2345db82b33f591958fc0f72ad914adafe0522
    and some similar previous build failure.

    Thanks Thomas for the tip ;-).

    Signed-off-by: Julien BOIBESSOT <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit dd99f2cb7d10f20568cab22c498a9e1831b5a351)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit eeec31f2a05b72c5616cbdd775b326a481ecdb39
Author: Yegor Yefremov <[email protected]>
Date:   Mon Apr 3 10:14:41 2017 +0200

    libsoc: add host-pkgconf dependency

    Without pkg-config PKG_CHECK_MODULES won't be expanded
    and ./configure script produces following error message:

    ./configure: line 12237: syntax error near unexpected token `PYTHON,'
    ./configure: line 12237: `	PKG_CHECK_MODULES(PYTHON, python-"$PYTHON_VERSION")'

    Fixes:

    http://autobuild.buildroot.net/results/86e/86e04bd2b10527130306451e56a7693ed4b4befd

    Signed-off-by: Yegor Yefremov <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 8975e9f2c77c6861964906e6b5ebd894cdccf45f)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 1a58c4c7b0dade55fae1fd325b5d2a129502467b
Author: Fabio Estevam <[email protected]>
Date:   Sun Apr 2 15:15:14 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: drop 4.10.x bump]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 69356afc81cee7a1b1c749274b26db507133b8d6)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 6338df7dea0dcca5c1ff2689008dd058bce677e8
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:35 2017 +0200

    audiofile: add security patch for CVE-2017-6839

    Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka
    audiofile) 0.3.6 allows remote attackers to cause a denial of service
    (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
    https://github.com/mpruett/audiofile/issues/41

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 844a7c6281eb442881330a5d36d5a0719f2870bf)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c9890cfa67a887bf24aea7043d912ee6e8e669c0
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:34 2017 +0200

    audiofile: add security patch for CVE-2017-6831

    Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in
    Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
    denial of service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp
    https://github.com/mpruett/audiofile/issues/35

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit bd5f84d301c4e74ca200a9336eca88468ec0e1f3)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 16daa3c10dbba15bc1e2bec590c1489c967a59e0
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:33 2017 +0200

    audiofile: add security patch for CVE-2017-6830 / CVE-2017-6834 / CVE-2017-6836 / CVE-2017-6838

    CVE-2017-6830: A heap-based buffer overflow in the alaw2linear_buf function
    in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
    attackers to cause a denial of service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp
    https://github.com/mpruett/audiofile/issues/34

    CVE-2017-6834: A heap-based buffer overflow in the ulaw2linear_buf function
    in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
    attackers to cause a denial of service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp
    https://github.com/mpruett/audiofile/issues/38

    CVE-2017-6836: A heap-based buffer overflow in the Expand3To4Module::run
    function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka
    audiofile) 0.3.6 allows remote attackers to cause a denial of service
    (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h
    https://github.com/mpruett/audiofile/issues/40

    CVE-2017-6838: Integer overflow in sfcommands/sfconvert.c in Audio File
    Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
    service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
    https://github.com/mpruett/audiofile/issues/41

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 4a1a8277bba490d227f413e218138e39f1fe1203)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 5e24ed52e4513ed49810455a91c70f496efbc9cc
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:32 2017 +0200

    audiofile: add security patch for CVE-2017-6829

    The decodeSample function in IMA.cpp in Audio File Library (aka audiofile)
    0.3.6 allows remote attackers to cause a denial of service (crash) via a
    crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp
    https://github.com/mpruett/audiofile/issues/33

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 434890df2a7c131b40fec1c49e6239972ab299d2)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 4f533d049ae78647431a9384206b8fe8733b61d9
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:31 2017 +0200

    audiofile: add security patch for CVE-2017-6827 / CVE-2017-6828 / CVE-2017-6832 / CVE-2017-6833 / CVE-2017-6835 / CVE-2017-6837

    CVE-2017-6827: A heap-based buffer overflow in the
    MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka
    libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have
    unspecified impact via a crafted audio file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp
    https://github.com/mpruett/audiofile/issues/32

    CVE-2017-6828: A Heap-based buffer overflow in the readValue function in
    FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6
    allows remote attackers to have unspecified impact via a crafted WAV file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp
    https://github.com/mpruett/audiofile/issues/31

    CVE-2017-6832: A Heap-based buffer overflow in the decodeBlock in
    MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
    attackers to cause a denial of service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp
    https://github.com/mpruett/audiofile/issues/36

    CVE-2017-6833: The runPull function in libaudiofile/modules/BlockCodec.cpp
    in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause
    a denial of service (divide-by-zero error and crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp
    https://github.com/mpruett/audiofile/issues/37

    CVE-2017-6835: The reset1 function in libaudiofile/modules/BlockCodec.cpp in
    Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
    denial of service (divide-by-zero error and crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp
    https://github.com/mpruett/audiofile/issues/39

    CVE-2017-6837: WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows
    remote attackers to cause a denial of service (crash) via vectors related to
    a large number of coefficients.

    http://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
    https://github.com/mpruett/audiofile/issues/41

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit cc00bde57fc20d11f8fa4e8ec5f193c091714c55)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 9eb481bbfea238ee6c0b9258ef039a9a20a3dac4
Author: Baruch Siach <[email protected]>
Date:   Fri Mar 31 14:09:36 2017 +0300

    pcre: add upstream security fixes

    Take Debian adapted patches of upstream.

    Fixes:

    CVE-2017-6004: crafted regular expression may cause denial of service

    CVE-2017-7186: invalid Unicode property lookup may cause denial of service

    Signed-off-by: Baruch Siach <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 3143910eec12a5b23e853b3177bf316ac186b87a)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 40192c1aa1339514ec166ef1ffbf1657f47d8c86
Author: Fabio Estevam <[email protected]>
Date:   Thu Mar 30 11:24:45 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: drop 4.10.x bump]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit c720701c4d3b23e35908319e6ade082c9e5a1433)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 1244b189543a11f1d712caf12efb7ee8703eba97
Author: Thomas Petazzoni <[email protected]>
Date:   Sun Mar 26 23:43:40 2017 +0200

    system: do not overwrite /bin/sh Busybox symlink

    The BR2_SYSTEM_BIN_SH hidden option defines to what binary the /bin/sh
    symlinks should point to. If busybox is chosen, then /bin/sh is created
    to point to /bin/busybox.

    This works fine with the default installation mode of Busybox, but it
    fails with the upcoming "individual binaries" mode, in which each applet
    is installed as its own binary, and /bin/busybox doesn't exist: we get
    /bin/sh as a broken symlink to /bin/busybox.

    Since Busybox already installs its own /bin/sh symlink, properly
    pointing to /bin/ash or /bin/hush depending on the selected shell, it
    doesn't make sense for the BR2_SYSTEM_BIN_SH logic to override
    this. Just let Busybox install its own /bin/sh by making
    BR2_SYSTEM_BIN_SH empty when Busybox shell is selected as /bin/sh.

    Signed-off-by: Thomas Petazzoni <[email protected]>
    Reviewed-by: Matthew Weber <[email protected]>
    Acked-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit fc91501e6b32ef1b015ac9b0fbf6d64aa1ce0162)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit d09c7e4d45261ef03277c9f46a07c81686f5e5bb
Author: Pawel Sikora <[email protected]>
Date:   Mon Mar 27 00:44:14 2017 +0200

    syslog-ng: Bump version header in conf file to 3.9

    Package version of syslog-ng is 3.9.1.
    Bumping version number in syslog-ng.conf to 3.9

    Fixing warning message about configuration file being too old.

    Signed-off-by: Pawel Sikora <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 3dad25466d2931eeecde23867bed79b1d7213887)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 119e94b830a14a2c82d11bf5dfc16b46ece06702
Author: Peter Korsgaard <[email protected]>
Date:   Tue Mar 28 17:18:08 2017 +0200

    samba4: security bump to version 4.5.7

    Fixes CVE-2017-2619:

       All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
       a malicious client using a symlink race to allow access to areas of
       the server file system not exported under the share definition.

       Samba uses the realpath() system call to ensure when a client requests
       access to a pathname that it is under the exported share path on the
       server file system.

       Clients that have write access to the exported part of the file system
       via SMB1 unix extensions or NFS to create symlinks can race the server
       by renaming a realpath() checked path and then creating a symlink. If
       the client wins the race it can cause the server to access the new
       symlink target after the exported share path check has been done. This
       new symlink target can point to anywhere on the server file system.

       This is a difficult race to win, but theoretically possible. Note that
       the proof of concept code supplied wins the race reliably only when
       the server is slowed down using the strace utility running on the
       server. Exploitation of this bug has not been seen in the wild.

    Signed-off-by: Peter Korsgaard <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 493cedf3af061b90a899826e0c184c2f484414f6)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit e29fa95b8368f9b85a1bfb2cef9741c6218c59b3
Author: Yann E. MORIN <[email protected]>
Date:   Sat Jan 28 11:41:32 2017 +0100

    core/br2-external: properly report unexpected errors

    Unextected error in the br2-external script are properly caught, but
    they are not reported properly, and we end up in either of two
    situations:

      - the .br2-external.mk file is not generated, in which case make will
        try to find a rule to generate it (because the 'include' directive
        tries to generate missing files);

      - the .br-external.mk file is generated but does not contain the error
        variable, and thus the build might not get interrupted.

    We fix that by using a trap on the pseudo ERR signal, to emit the error
    variable on unexpected errors.

    Signed-off-by: "Yann E. MORIN" <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit c5fa9308ea4e3810a7f7d9d0df75cbf090c414c4)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 74ed2a833da74b33e0ad8c4fd77e789885b3a9fd
Author: Rahul Bedarkar <[email protected]>
Date:   Wed Mar 22 23:18:52 2017 +0530

    taglib: fix legal info

    taglib is dual licensed under LGPLv2.1 or MPLv1.1. Almost all source
    files have license text mentioning LGPLv2.1 or alternatively MPLv1.1.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    [Thomas: use MPL-1.1 instead of MPLv1.1, since MPL-1.1 is the SPDX
    license code for this license.]
    Signed-off-by: Thomas Petazzoni <[email protected]>

    (cherry picked from commit f30a3940c8dc5fc9bbe3a0ace457201808142183)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c1be21ac128640dd600da2ad5840c74d72a799ee
Author: Rahul Bedarkar <[email protected]>
Date:   Wed Mar 22 23:18:51 2017 +0530

    dbus-triggerd: add license file

    In absence of license file, use source file as a license file since it
    has license header in comments.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 50284570fbefa37c8874b47cd5998bd890e54632)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 0b670f3879eaa1bc56b6eaeeed54f36aba831219
Author: Rahul Bedarkar <[email protected]>
Date:   Wed Mar 22 23:18:50 2017 +0530

    dbus-glib: fix legal info

    dbus glib bindings are dual licensed under AFLv2.1 or GPLv2+.
    Separate licenses using 'or' keyword.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit f70f0b497f8a072eb22aff0bd934467b706cffd8)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2d7d618f7c8d53da9fb828ced4b445635ddb44c0
Author: Fabio Estevam <[email protected]>
Date:   Sun Mar 26 10:49:43 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: drop 4.10.x update]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit b718c776ca1a5d204f2ae9a765331a32e87e9560)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 3400806b9d555cf2f30154feeecd19221b8b52a0
Author: Rodrigo Rebello <[email protected]>
Date:   Sun Mar 26 03:36:54 2017 -0300

    htop: use correct ncurses config script name

    The ncurses config script can have different names depending on the
    configuration (e.g. wchar support enabled/disabled). So, use
    $(NCURSES_CONFIG_SCRIPTS) from the ncurses package as it contains the
    proper name.

    Signed-off-by: Rodrigo Rebello <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 8cd1554ee162f6344dab078233f4f6c0d93e7c24)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 9d70c89b8029cef33a3abfa2ab98f1f68656c947
Author: Rodrigo Rebello <[email protected]>
Date:   Sun Mar 26 03:36:53 2017 -0300

    slang: use correct ncurses config script name

    The ncurses config script can have different names depending on the
    configuration (e.g. wchar support enabled/disabled). So, use
    $(NCURSES_CONFIG_SCRIPTS) from the ncurses package as it contains the
    proper name.

    Fixes:

      http://autobuild.buildroot.net/results/c97554c05e121c76407be53ba37924cfcb658e9d/
      http://autobuild.buildroot.net/results/b0a31a3491a30ee0d6e6e7dbba68a86f0e00943d/
      http://autobuild.buildroot.net/results/a77241141cf8710fa945523ef62327798e3c4824/
      [...]

    Signed-off-by: Rodrigo Rebello <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit b3e4ed92380080334d3d09bb4a53dc6102edd8aa)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit ccf0e0767d6c73dd23852fad5de2900c6f88fd56
Author: Bernd Kuhls <[email protected]>
Date:   Thu Mar 23 20:37:00 2017 +0100

    package/ntp: fix build for toolchains without ssp

    ntp defaults to use ssp support
    http://bk1.ntp.org/ntp-stable/sntp/harden/README

    by using these flags
    http://bk1.ntp.org/ntp-stable/sntp/harden/linux

    If the toolchain lacks SSP support this patch forces ntp to use an
    empty set of flags: http://bk1.ntp.org/ntp-stable/sntp/harden/default

    Fixes
    http://autobuild.buildroot.net/results/1d5/1d58bd8745b22c8eb71fea4c7255d3ace69f6f7a/

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 00968bcac0674250956e99b6fafbf9b373446488)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 30a9181448690d01d3aad51d0c2458b0c5ec1761
Author: Jörg Krause <[email protected]>
Date:   Fri Mar 24 08:53:21 2017 +0100

    busybox: fix mdev.conf

    mdev does not set "/dev/snd" and "/dev/input" group and permission
    propery, because with commit c3cf1e30a3022453311a7e9fe11d94c7a381640e
    (May 2013!) the behavior of mdev has changed.

    The device name is now taken directly from the uevent file and does no
    longer match the old rule.

    Fix the rules for "/dev/snd" and "/dev/input" according to the example
    given in [1].

    [1] http://lists.busybox.net/pipermail/busybox/2015-February/082297.html

    Signed-off-by: Jörg Krause <[email protected]>
    Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit afb585468b33c76d41686cb92e7f56565fe150e4)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 03316d1719645ea47aac6de3a29877345c5e0a67
Author: Jörg Krause <[email protected]>
Date:   Fri Mar 24 09:47:43 2017 +0100

    upmpdcli: add user to the audio group

    upmpdcli runs as user and group upmpdcli. In order to allow it to access
    the ALSA devices add it to the audio group.

    Signed-off-by: Jörg Krause <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit ab9842e360ae08954b07504a20cd053fe146f383)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 5bc876f43b1954e0494b5f360c8e0f9ddc5624e4
Author: Vicente Olivert Riera <[email protected]>
Date:   Wed Mar 22 13:19:27 2017 +0000

    linux-headers: bump 3.{2, 12}.x and 4.{1, 4, 9, 10}.x series

    [Peter: drop 4.10.x update]
    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 0d70d1dbf054f4a0609ba1076bc7e097305013d2)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 13eec966adfdc6c7659bff0cb7fd27056c248127
Author: Bernd Kuhls <[email protected]>
Date:   Wed Mar 22 22:03:13 2017 +0100

    package/ntp: security bump to 4.2.8p10

    Changed NTP_SITE to https to circumvent "URL transformed to HTTPS due
    to an HSTS policy" during download.

    For details about the bugs fixed see:
    http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
    http://www.kb.cert.org/vuls/id/633847

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit b47aec79d2e19ef7e3f04d2758c3a2930d47cebe)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 293f9d2f18d28e2f5f235ba4c94a6bb695ecf6c9
Author: Arnout Vandecappelle <[email protected]>
Date:   Tue Mar 21 01:07:01 2017 +0100

    squashfs: correct hash

    When squashfs was bumped to 3de1687d in commit ee90313c64, the hash
    file was not updated. This wasn't noticed before since hashes are not
    checked for git downloads.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Thomas De Schampheleire <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 85c832247e40f00f48ac328970bb39ab7851f042)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit a2c0793636adaf44df268dc9a406d12a8bd42e7f
Author: Arnout Vandecappelle <[email protected]>
Date:   Tue Mar 21 01:07:00 2017 +0100

    linux-firmware: correct hash

    When linux-firmware was bumped to 6d3bc8886 in commit 3ff5896ff, a hash
    file was added but the hash was wrong. This wasn't noticed before since
    hashes are not checked for git downloads.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Adam Duskett <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 0409b136985ff582d561076f03685da9890fa325)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2f426dadad24fa46909ed6504d19eb7ccbd55657
Author: Arnout Vandecappelle <[email protected]>
Date:   Tue Mar 21 01:06:59 2017 +0100

    fmc: correct hash file

    It had sha256sum instead of sha256. This wasn't noticed before since
    hashes for git downloads are not checked.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Matthew Weber <[email protected]>
    Reviewed-by: Matthew Weber <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit ba717fde72c862a283a035b3b44377bb48d08284)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit e6b2152cd15bd8a9ed8a72c2ef2c07959839d46d
Author: Arnout Vandecappelle <[email protected]>
Date:   Tue Mar 21 01:06:57 2017 +0100

    download/git: create GNU format tar files

    On most distros, the tar format defaults to GNU. However, at build time
    the default format may be changed to posix. Also, future versions of
    tar will default to posix.

    Since we want the tarballs created by the git download method to be
    reproducible (so their hash can be checked), we should explicitly
    specify the format. Since existing tarballs on sources.buildroot.org
    use the GNU format, and also the existing hashes in the *.hash files
    are based on GNU format tarballs, we use the GNU format.

    In addition, the Posix format encodes atime and ctime as well as mtime,
    but tar offers no option like --mtime to override them. In the GNU
    format, atime and ctime are only encoded if the --incremental option is
    given.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Peter Seiderer <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 0f369a9231b2c67748f4f0c2dbb33ebdc2890478)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit ac75d32ae79aed38e003361503a601edad384d23
Author: Yegor Yefremov <[email protected]>
Date:   Tue Mar 21 09:22:33 2017 +0100

    graph-depends: rename pkgutil.py to brpkgutil.py

    pkgutil.py is also part of Python itself. Placing pkgutil.py as is
    in a folder with other scripts that require original pkgutil will
    break them. This is the case with scanpypi. So rename pkgutil.py
    to brpkgutil.py to avoid naming collision.

    Fixes: https://bugs.busybox.net/show_bug.cgi?id=9766

    Signed-off-by: Yegor Yefremov <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 3b627c89dc8adf8c60efd773935bf66004e8433d)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit eaadfab8e8c77d9b66b0b9b1215a6ebd0ca6307c
Author: Thomas Petazzoni <[email protected]>
Date:   Tue Mar 21 22:21:20 2017 +0100

    ltp-testsuite: disable Open POSIX testsuite

    The Open POSIX testsuite builds and installs to the target directory a
    program called 't0' that isn't cross-compiled, which is bad.

    Since the LTP build system is autoconf but not automake based, and the
    Open POSIX testsuite is a sort of sub-project inside it, fixing the
    issue is not trivial.

    Therefore, we simply disable the Open POSIX testsuite entirely. Oddly
    enough, --without-open-posix-testsuite doesn't work due to another bug,
    so we simply have to remove --with-open-posix-testsuite.

    Open POSIX testsuite cross-compilation issue reported at
    https://github.com/linux-test-project/ltp/issues/144.

    Configure script bug reported at
    https://github.com/linux-test-project/ltp/issues/143.

    Fixes:

      http://autobuild.buildroot.net/results/8326ba9eb257dfc92c1ad282ba6d3565e8250def/

    Signed-off-by: Thomas Petazzoni <[email protected]>
    Reviewed-by: "Yann E. MORIN" <[email protected]>
    Tested-by: "Yann E. MORIN" <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit b57e1355a72da407c19315cb4187767d28e4d064)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 55a23407aff9ab0b3e3c72b7c5fd6c8873a910d2
Author: Yann E. MORIN <[email protected]>
Date:   Tue Mar 21 22:33:59 2017 +0100

    package/dbus-cpp: fix cross-compilation

    dbus-cpp has an ugly hack to not cross-build the tools when it detects
    cross-compilation.

    However, we already have a host variant that builds those tools (and we
    anyway don't seem to need them to begin with).

    Drop our patch that propagates the CXXFLAGS/LDFLAGS_FOR_BUILD. Replace
    with a patch to cross-compile the tools.

    Fixes:
        http://autobuild.buildroot.org/results/110/1100539caae6ef62c61a3b96bc54f7c0a215cc62/
        and many, many more.

    Signed-off-by: "Yann E. MORIN" <[email protected]>
    Cc: Gustavo Zacarias <[email protected]>
    Cc: Thomas Petazzoni <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit f5dbd0dea159393e779f6a1f5fa53b9fa07ff34a)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 3b9349e3cb8804bf3f1d2de3823f58371e735ab9
Author: Julien Beraud <[email protected]>
Date:   Tue Mar 21 14:23:56 2017 +0100

    apr: fix size of pid_t

    pid_t is a signed 32bits integer on both 32bits and 64bits
    architectures.
    This fixes an issue with apache server which causes bad pid
    to be written in PidFile

    Signed-off-by: Julien Beraud <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit ee8cbc5fca779ff054a50ed8e6271952367147c7)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 22dd05433e0e0309628489b983569d2d47c57341
Author: Vicente Olivert Riera <[email protected]>
Date:   Tue Mar 21 15:40:08 2017 +0000

    memcached: bump version to 1.4.36

    From the release notes
    (https://github.com/memcached/memcached/wiki/ReleaseNotes1436):

    Important bug fix that could lead to a hung slab mover.  Also improves
    memory efficiency of chunked items.

    [Peter: add release notes link / mention important bug fix]
    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>

    (cherry picked from commit adfe049d85b09a2ce780ce49f8e53d9cfaf90e2d)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2239406dc1820c1b9958f559737abc9d904d5142
Author: Vicente Olivert Riera <[email protected]>
Date:   Mon Mar 13 11:43:50 2017 +0000

    memcached: bump version to 1.4.35

    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 36cabc5a744d97090784a29a4001a994728e0539)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit df0c78d61e142781b6da3d0cf789b8b7b1ae3055
Author: Baruch Siach <[email protected]>
Date:   Tue Mar 21 15:11:22 2017 +0200

    openssh: security bump to version 7.5

    From the release notes (https://www.openssh.com/txt/release-7.5):

    Security
    --------

     * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
       that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
       Note that the OpenSSH client disables CBC ciphers by default, sshd
       offers them as lowest-preference options and will remove them by
       default entriely in the next release. Reported by Jean Paul
       Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
       Royal Holloway, University of London.

     * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
       a recursive file transfer could be maniuplated by a hostile server to
       perform a path-traversal attack. creating or modifying files outside
       of the intended target directory. Reported by Jann Horn of Google
       Project Zero.

    [Peter: mention security fixes]
    Signed-off-by: Baruch Siach <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>

    (cherry picked from commit 2204f4deb1c6c6ff4accd84b5aa2d42f5930b730)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit dc9ecb90c58908ffa0d896d4da5b1d4b917253c7
Author: Peter Seiderer <[email protected]>
Date:   Mon Mar 6 21:43:47 2017 +0100

    gst1-plugins-bad: waylandsink needs wayland-protocols

    Signed-off-by: Peter Seiderer <[email protected]>
    ----
    Changes v1 -> v2:
      - use select instead of depends for BR2_PACKAGE_WAYLAND_PROTOCOLS
       (suggested by Thomas Petazzoni)
      - add select BR2_PACKAGE_WAYLAND_PROTOCOLS to missing second
        place (BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_WAYLAND)
    Signed-off-by: Thomas Petazzoni <[email protected]>

    (cherry picked from commit 5a2d37ca125c1742864af0e9324234f8f3ecc071)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 1c1b702a466023f8826cfb6a386e9b4683880875
Author: Peter Seiderer <[email protected]>
Date:   Fri Mar 10 20:54:54 2017 +0100

    libxkbcommon: disable wayland support

    Disable wayland support (only needed for the interactive-wayland
    test program). This fixes a compile failure in case wayland
    support is autodetected:

        GEN      xdg-shell-unstable-v5-protocol.c
      /bin/sh: /usr/bin/wayland-scanner: No such file or directory
      Makefile:2426: recipe for target 'xdg-shell-unstable-v5-protocol.c' failed
      make[3]: *** [xdg-shell-unstable-v5-protocol.c] Error 127
      make[3]: *** Waiting for unfinished jobs....
        GEN      xdg-shell-unstable-v5-client-protocol.h
      /bin/sh: /usr/bin/wayland-scanner: No such file or directory
      Makefile:2428: recipe for target 'xdg-shell-unstable-v5-client-protocol.h' failed
      make[3]: *** [xdg-shell-unstable-v5-client-protocol.h] Error 127

    Signed-off-by: Peter Seiderer <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 7665b5870995ef059d1654c35557b53c04a71d1d)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 51038b08eebee72d89ec7871d1ffe5c84abb2b9f
Author: Romain Naour <[email protected]>
Date:   Sun Mar 19 21:51:53 2017 +0100

    package/mesa3d: add lm-sensors optional dependency

    radeon-pci-0008
    Adapter: PCI adapter
    temp1:        +56.0 C  (crit = +120.0 C, hyst = +90.0 C)

    Signed-off-by: Romain Naour <[email protected]>
    Cc: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 73401587e5984397bedddab61ad6c89712041267)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit b277a7f0db52b02f79a29a7816169abfefd51f91
Author: Rahul Bedarkar <[email protected]>
Date:   Mon Mar 20 20:41:18 2017 +0530

    filemq: correct license

    All source files, except src/filemq_client.c and src/filemq_server.c,
    has MPL Version 2.0 license text in file header.

    As confirmed with upstream [1] (L)GPLv3 license texts COPYING and
    COPYING.LESSER are leftover from previous implementation.

    [1] - https://github.com/zeromq/filemq/issues/74

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 205a0289d4a0aefc76b0c937c2f725517114c658)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit eb021f3547a721d77de73789bd23a44c6e3ea8f7
Author: Eric Le Bihan <[email protected]>
Date:   Mon Mar 20 21:11:22 2017 +0100

    skalibs: fix endianness detection on x86

    Update the patch for compile time endianness detection so it works on
    x86 platforms using GCC <= 4.4.

    Fixes:

      http://autobuild.buildroot.net/results/c2e8e1180571976b412cbba729c45a3698aea0b2
      http://autobuild.buildroot.net/results/2ee47107d8a67470f7bc3e10cf763202d5455d17

    Signed-off-by: Eric Le Bihan <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 8eecaf2d122f7da6f59964f5eb00139a32373d06)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 05bc9b0c339d3ed0830cff3e702cdccefcf2b068
Author: Baruch Siach <[email protected]>
Date:   Mon Mar 20 06:16:56 2017 +0200

    wget: add upstream security fix

    Fixes CVE-2017-6508: CRLF injection in the url_parse function in url.c

    http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html

    Signed-off-by: Baruch Siach <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 7132fc9c11573a460243895c85e66b514b71c041)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 55c742f83a563668caf4435526a780c80bdd6014
Author: Fabio Estevam <[email protected]>
Date:   Sat Mar 18 11:21:42 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: drop 4.10.x update]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit f4978bf018d4f03834f879f3dfc4e8237846742e)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 8c6080b06cee662b409e2256cee0570684170f19
Author: Jan Kundrát <[email protected]>
Date:   Fri Mar 17 17:02:54 2017 +0100

    skeleton: fix permissions on /dev/pts/ptmx

    Without this patch, it is not possible to allocate PTYs when a generated
    rootfs image with a recent glibc and systemd is launched as a container  on
    an RHEL7 system via machinectl/systemd-nspawn. The container boots, but
    `machinectl login mycontainer` fails. The culprit is /dev/pts/ptmx with
    0000 perms.

    On a typical system, there are two `ptmx` devices. One is provided by the
    devpts at /dev/pts/ptmx and it is typically not directly accessed from
    userspace. The other one which actually *is* opened by processes is
    /dev/ptmx. Kernel's documentation says these days that /dev/ptmx should be
    either a symlink, or a bind mount of the /dev/pts/ptmx from devpts.

    When a container is launched via machinectl/machined/systemd-nspawn, the
    container manager prepares a root filesystem so that the container can live
    in an appropriate namespace (this is similar to what initramfs is doing on
    x86 desktops). During these preparations, systemd-nspawn mounts a devpts
    instance using a correct ptmxmode=0666 within the container-to-be's
    /dev/pts, and it adds a compatibility symlink at /dev/ptmx. However, once
    systemd takes over as an init in the container,
    /lib/systemd/systemd-remount-fs applies mount options from /etc/fstab to
    all fileystems. Because the buildroot's template used to not include the
    ptmxmode=... option, a default value of 0000 was taking an effect which in
    turn led to not being able to allocate any pseudo-terminals.

    The relevant kernel option was introduced upstream in commit 1f8f1e29 back
    in 2009. The oldest linux-headers referenced from buildroot's config is
    3.0, and that version definitely has that commit. Mount options that are
    not understood by the system are anyway ignored, so backward
    compatibility is preserved.

    Signed-off-by: Jan Kundrát <[email protected]>
    Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    [Thomas: fix commit title, adjust commit log.]
    Signed-off-by: Thomas Petazzoni <[email protected]>

    (cherry picked from commit 8196b299ba12bd6741bf7f4462cad180dab77fb0)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 74293a15bdfda83bb83f15f9dc459a54a6ab99f0
Author: Arnout Vandecappelle <[email protected]>
Date:   Fri Mar 17 17:06:16 2017 +0100

    fakeroot: depend on acl

    Recent versions of fakeroot have grown support for acl. We don't really
    need this since we don't use acls in Buildroot. However, it turns out
    that "cp -a" does something funky with acls, with the result that
    fakeroot without acl support looses the ownership and permissions on
    the copied file. "cp -a" may be (is even likely to be) used in a
    BR2_ROOTFS_POST_FAKEROOT_SCRIPT, so we need to support this.

    Note that host-acl itself depends on host-attr, so this pulls in two
    extra packages in each build. The impact on build time is about 10s.

    Cc: Andreas Naumann <[email protected]>
    Cc: Maxime Hadjinlian <[email protected]>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 2a222446b4614a38b4042df54b68b69b96939708)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit f6ba4399324396d690d95a2b1a11d87a4ffe173f
Author: Arnout Vandecappelle <[email protected]>
Date:   Fri Mar 17 17:06:15 2017 +0100

    acl: add host variant

    We need host-acl to fix issues with fakeroot.

    Unfortunately, all the hacks (except the .la fixup) have to be repeated.

    Cc: Yegor Yefremov <[email protected]>
    Cc: Andreas Naumann <[email protected]>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit c83446fccace19694e20b1d0a730680244d724fe)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c7c5c7e5f6837bd47fb95d2df96726aeacbaf28f
Author: Arnout Vandecappelle <[email protected]>
Date:   Fri Mar 17 17:06:14 2017 +0100

    acl: make sure build picks up TARGET_CFLAGS

    The acl build system doesn't use automake, therefore it is broken. It
    doesn't use the CFLAGS passed by configure. Work around this by passing
    CFLAGS in the environment. The makefiles append to CFLAGS, so this
    works.

    This issue hasn't led to build failures, but it is visible e.g. when
    stack protector is enabled: the stack protector options are not applied
    to acl. Also debug and optimisation options aren't applied.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Yegor Yefremov <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 99c9b0affde4fcc3270425319b98a0e5e32f5964)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 3e386020722b85aaf89b9dccc0263905763c8d08
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 16 16:31:46 2017 +0100

    xlib_libXv: correct license info

    The license is actually closer to ISC than MIT, E.G.:

    https://opensource.org/licenses/ISC
    vs
    https://opensource.org/licenses/MIT

    >From COPYING:
    Permission to use, copy, modify, and distribute this software and its
    documentation for any purpose and without fee is hereby granted,
    provided that the above copyright notice appear in all copies and that
    both that copyright notice and this permission notice appear in
    supporting documentation, and that the names of Digital or MIT not be
    used in advertising or publicity pertaining to distribution of the
    software without specific, written prior permission.

    E.G.  this is very similar to the normal ISC text which has been extended
    with a BSD-3c style advertisinc clause.  Both are permissive licenses, but
    it is more correct to call it ISC-like.

    Notice: As pointed out by Rahul Bedarkar, this may actually be more closely
    related to the OpenBSD template license:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD

    But that is also based on the ISC license, so calling it ISC-like is still
    correct.

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit aad15918520391ea0952d742db9c52c3ac2b1f7e)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2a778d53fa6bf7c232ad57eedbd0fd9bf7328c84
Author: Romain Naour <[email protected]>
Date:   Fri Mar 17 00:02:06 2017 +0100

    package/cairo: update license information

    As noticed by Rahul Bedarkar, the cairo library is LGPLv2.1 only
    (not LGPLv2.1+) or MPLv1.1.

    Signed-off-by: Romain Naour <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 0768932a0229b2c201c292023f59a868ecdb1222)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit fd28c44ce87b7480a24e596f7a34e3d30e577333
Author: Baruch Siach <[email protected]>
Date:   Thu Mar 16 20:41:23 2017 +0200

    tcpreplay: patch security issue

    Add upstream patch for CVE-2017-6429: Buffer overflow when reading crafted
    pcap file with large packets.

    https://github.com/appneta/tcpreplay/issues/278

    Signed-off-by: Baruch Siach <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 62bf2bfd53885fbd62a8e9345c7f3d7a4d619342)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 8cd0e35189346419b4ca60f275f8663de21877c2
Author: Rahul Bedarkar <[email protected]>
Date:   Thu Mar 16 17:24:01 2017 +0530

    taglib: update homepage link

    Avoid redirect.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit a411212d22cb84b92201b5a02ef8b860b0a17280)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit bae94a6e65449729a1c73dc38698e11379b645d6
Author: Gustavo Zacarias <[email protected]>
Date:   Wed Mar 15 15:08:36 2017 -0300

    mbedtls: security bump to verison 2.4.2

    Fixes:
    CVE-2017-2784 - Freeing of memory allocated on stack when validating a
    public key with a secp224k1 curve.

    Signed-off-by: Gustavo Zacarias <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 465ce2ea73cc1d98972cde45114f7b0e35e32ff2)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit f2e01f9c189b3d04cae85c72263c88d49c171b8d
Author: Peter Korsgaard <[email protected]>
Date:   Wed Mar 15 11:48:32 2017 +0100

    mariadb: security bump to version 10.1.22

    Fixes:

    CVE-2017-3302 - C client library for MySQL (libmysqlclient.so) has
    use-after-free defect which can cause crash of applications using that MySQL
    client.

    CVE-2017-3313 - Difficult to exploit vulnerability allows low privileged
    attacker with logon to the infrastructure where MySQL Server executes to
    compromise MySQL Server.  Successful attacks of this vulnerability can
    result in unauthorized access to critical data or complete access to all
    MySQL Server accessible data.

    And a number of important, but non-security related fixes:

    MDEV-11842: Fix a 10.1.21 regression with failed INSERT, BEFORE INSERT
    triggers, and columns with no default value

    MDEV-12075: Fix a 10.1.21 regression in the InnoDB data file extension code

    For details, see the release notes:
    https://mariadb.com/kb/en/mariadb/mariadb-10122-release-notes/

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 467b38892aa23927ad1140119f0f17c23e896e7e)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 604b463d534943701024d7878dd2017c45ed5088
Author: Peter Korsgaard <[email protected]>
Date:   Tue Mar 14 23:58:22 2017 +0100

    jasper: add upstream security fix

    Fixes a NULL Pointer Dereference jp2_encode:

    https://github.com/mdadams/jasper/issues/120

    No CVE assigned yet.

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 76da579431a78875afeaeda76e459aca69e85d36)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 607c2635ca1f48f3aacb84404a4cd0ee49215827
Author: Peter Korsgaard <[email protected]>
Date:   Tue Mar 14 23:58:21 2017 +0100

    jasper: add upstream security fix for CVE-2017-6850

    Fixes a NULL pointer dereference in jp2_cdef_destroy:

    https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c/

    https://github.com/mdadams/jasper/issues/112

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit a105443b24f7c75b10dab44c2916fc9f2b58363a)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 1a1ec309d748d1d1cdb4f3b9dbcd7eb08c7b0e93
Author: Fabio Estevam <[email protected]>
Date:   Wed Mar 15 08:07:38 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: skip 4.10.x]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit b3d736b9b6b92b70a9020be470a4cf5f7f012b2e)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 840969ed617f772c866ea61e27cab97eaaf63eff
Author: Vicente Olivert Riera <[email protected]>
Date:   Mon Mar 13 12:31:20 2017 +0000

    rpm: bump version to 4.13.0.1 (security)

    Security fixes:
     - Fix several out of bounds reads in the OpenPGP parser
     - Fix handling of OpenPGP reserved tag (should be rejected)
     - Fix various crashes from malformed packages with invalid tags

    Release notes:
      http://rpm.org/wiki/Releases/4.13.0.1

    This patch also switches from GitHub to rpm.org since the last one seems
    to be more up-to-date.

    [Peter: use RPM_VERSION_MAJOR as suggested by Jerzy Grzegorek]
    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>

    (cherry picked from commit 7adbcd174a17ff1b74c4b20d94ca4a9e7f396d68)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit fb398d3a4d806399e52c1f970a415cd718133403
Author: Vicente Olivert Riera <[email protected]>
Date:   Mon Mar 13 11:41:44 2017 +0000

    linux-headers: bump 4.{4, 9, 10}.x and 3.12.x series

    [Peter: skip 4.10.x]
    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit d18cdcebc238706d1bf50460b85ea36eaed83b21)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 3bf15bfc84f646efbdeead006378265fa56855a9
Author: Matthew Fornero <[email protected]>
Date:   Mon Mar 13 15:35:02 2017 -0400

    libiio: explicitly disable matlab bindings

    If building on a machine with MATLAB installed, the MATLAB bindings will
    default to ON, which is not the desired behavior for a cross build.

    The bindings are designed to be called from within MATLAB, and we are
    not currently running MATLAB on buildroot-generated targets.

    This does not preclude the use of the bindings from a host connecting
    over the network backend (assuming libiio on the host has the bindings
    enabled).

    Signed-off-by: Matthew Fornero <[email protected]>
    Acked-By: Paul Cercueil <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit f358078b3374f3b316551660e89f5c463cb61608)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 14dc993718941fb0d1194fc2eedcab0b5fe33260
Author: Rahul Bedarkar <[email protected]>
Date:   Tue Mar 14 19:59:37 2017 +0530

    zmqpp: update license

    Since version 4.1.2, zmqpp is provided under MPLv2.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 87e9391e69cae06836723dcc5525e07d89c14acb)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 8ddd530004229e032dda14c64db629b862b27fa3
Author: Bernd Kuhls <[email protected]>
Date:   Sun Mar 12 12:44:57 2017 +0100

    package/mplayer: add optional support for pulseaudio

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit a085b7c3139b2c4543530fb0adf0047d8a4c1fd3)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 9739750396da0af7a449eed9e38e003e0dc2d159
Author: Bernd Kuhls <[email protected]>
Date:   Sun Mar 12 13:12:03 2017 +0100

    package/git: fix pcre support

    The current code contains some obvious typos.

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit d830807794245077e73ee1d3c78eecb8d224dc04)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 32a9eb6e5abbc1787e0a82756d35aa8fb5b411cb
Author: Bernd Kuhls <[email protected]>
Date:   Sun Mar 12 13:43:14 2017 +0100

    package/git: add optional support for gettext

    git links to libintl if available:

    $ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/bin/git | grep NEEDED
     0x00000001 (NEEDED)                     Shared library: [libz.so.1]
     0x00000001 (NEEDED)                     Shared library: [libintl.so.8]
     0x00000001 (NEEDED)                     Shared library: [libc.so.0]

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit aecab2f29c396a04d24e61479d7fc3f53149448f)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 894a37c031cce0715d28f5003ccc58db07b1cce9
Author: Bernd Kuhls <[email protected]>
Date:   Sun Mar 12 15:06:05 2017 +0100

    package/python: add optional support for libintl

    Python links to gettext when available:

    $ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/lib/python2.7/lib-dynload/_locale.so | grep NEEDED
     0x00000001 (NEEDED)                     Shared library: [libintl.so.8]
     0x00000001 (NEEDED)                     Shared library: [libpython2.7.so.1.0]
     0x00000001 (NEEDED)                     Shared library: [libc.so.0]

    In comparison the same library compiled without gettext:

    $ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/lib/python2.7/lib-dynload/_locale.so | grep NEEDED
     0x00000001 (NEEDED)                     Shared library: [libpython2.7.so.1.0]
     0x00000001 (NEEDED)                     Shared library: [libc.so.0]

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 70759f5359d6e5f7b868b74399e20d8ea7956769)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c365c42ef371d948570a2b41b4f87af193a0eab6
Author: Bernd Kuhls <[email protected]>
Date:   Sat Mar 11 17:32:59 2017 +0100

    package/tor: bump version to 0.2.9.10

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 660651491ea2ff8fc82d503a8e28bbd54e8d9131)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit b3442f2fe397bbd33f9ab745ff2601a8994a7153
Author: Yann E. MORIN <[email protected]>
Date:   Sun Mar 12 10:58:16 2017 +0100

    package/nbd: fix utilities locations

    Currently, the code expects both the client and server to be in
    /usr/bin, while the client is in /usr/sbin

    Fix that.

    Signed-off-by: "Yann E. MORIN" <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 4aabbeb245794862e8434317e885d6d028d23679)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit a3d83660c5352249d8da2bab8520442d13a06cec
Author: Peter Seiderer <[email protected]>
Date:   Fri Mar 10 23:15:47 2017 +0100

    qt5base: install libQt5EglFsKmsSupport

    According to src/plugins/platforms/eglfs/deviceintegration/deviceintegration.pro
    depends on eglfs_gbm which depends according to src/gui/configure.json
    on features.eglfs and features.gbm and features.kms, so dependency
    on BR2_PACKAGE_MESA3D_OPENGL_EGL which enables mesa3d gbm support
    should be sufficient.

    Signed-off-by: Peter Seiderer <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 5efe07f9af53c0cf0795d316cb84d58e530a9619)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 91bb73cb5a5a6764054a6f07eae1b6da12ed4086
Author: Peter Seiderer <[email protected]>
Date:   Fri Mar 10 23:15:46 2017 +0100

    qt5base: fix eglfs x11 header related compile failure

    Add egl config and QT_EGL_NO_X11 define (as all other eglfs project
    files do) to src/plugins/platforms/eglfs/eglfs-plugin.pro.

    Fixes ([1]):

      In file included from .../host/usr/arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/include/EGL/egl.h:39:0,
                       from ../../../../include/QtEglSupport/5.8.0/QtEglSupport/private/../../../../../src/platformsupport/eglconvenience/qt_egl_p.h:63,
                       from ../../../../include/QtEglSupport/5.8.0/QtEglSupport/private/qt_egl_p.h:1,
                       from api/qeglfsglobal_p.h:56,
                       from api/qeglfsintegration_p.h:54,
                       from qeglfsmain.cpp:41:
      .../host/usr/arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/include/EGL/eglplatform.h:119:22: fatal error: X11/Xlib.h: No such file or directory
      compilation terminated.
      Makefile.eglfs-plugin:1024: recipe for target '.obj/qeglfsmain.o' failed
      make[2]: *** [.obj/qeglfsmain.o] Error 1
      make[2]: Leaving directory '.../qt5base-5.8.0/src/plugins/platforms/eglfs'
      Makefile:71: recipe for target 'sub-eglfs-plugin-pro-make_first-ordered' failed
      make[1]: *** [sub-eglfs-plugin-pro-make_first-ordered] Error 2

    [1] http://lists.busybox.net/pipermail/buildroot/2017-March/186158.html

    Signed-off-by: Peter Seiderer <[email protected]>
    Acked-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 5840e8bd505cef8846ed4f8fc769f306165ee174)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2e1b15a6fba60f077fad070738801b592c794038
Author: Fabrice Fontaine <[email protected]>
Date:   Mon Feb 13 18:24:51 2017 +0100

    domoticz: fix build on powerpc64le

    There is an issue with powerpc64le and boost::uuids::random_generator on the
    following line of code (from include/boost/uuid/seed_rng.hpp):
    sha.process_bytes( (unsigned char const*)&std::rand, sizeof( void(*)() ) )
    This line "inspects the first couple bytes (here eight) of the std::rand
    function to seed some rng. Due to the implementation of process_bytes and
    inlining happening, it seems that one of the loops therein uses &rand-1 as
    some boundary, compiling with -O0 makes that reloc come out as 'rand + 0' and
    the link will succeed."
    See: https://bugzilla.suse.com/show_bug.cgi?id=955832#c7

    Fixes:
     - http://autobuild.buildroot.org/results/454c0ea393615bae2d1b44be9920f25b5c49fc33

    Signed-off-by: Fabrice Fontaine <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 00d2a3da72455213b87069af475173060750d50d)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit f63fab1bae878509a79219ebff634af208daab0b
Author: Vicente Olivert Riera <[email protected]>
Date:   Fri Mar 10 17:06:18 2017 +0000

    imagemagick: bump version to 7.0.5-0 (security)

    - Fixed memory leak when creating nested exceptions in Magick++
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634

    - Fixed fd leak for webp coder
      https://github.com/ImageMagick/ImageMagick/pull/382

    - Fixed Spurious memory allocation message
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31438

    Full changelog: http://imagemagick.org/script/changelog.php

    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit d6cc5462535acf954abccd585efc3a07623cc416)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 8d36b6d034ea07c9dbddd4f407f34f1d2d01ccd8
Author: Yann E. MORIN <[email protected]>
Date:   Tue Mar 7 22:16:28 2017 +0100

    package/rpi-userland: don't install file in random location

    Currently, rpi-userland installs files in $(@D)/../../bin/ which is
    entirely stupid, especially in cross-compilation.

    Get rid of the dubious, broken, custom install command.

    Signed-off-by: "Yann E. MORIN" <[email protected]>
    Tested-by: Peter Seiderer <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit ffa39b23f7ece3a3d9ea914c2e385ce222bdf921)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit de33cffb6631ec116679fbd6352aef5cf912df65
Author: Romain Naour <[email protected]>
Date:   Sat Mar 11 22:26:45 2017 +0100

    package/gdb: fix gnulib issue with musl and uClibc toolchains again

    The commit [1] doesn't fix this issue for all cases (it doesn't work
    when BR2_PACKAGE_GDB_DEBUGGER=y).
    So, leave the configure script alone and override
    gl_cv_func_gettimeofday_clobber from GDB_MAKE_ENV.

    [1] 560334bb2a46a77081a3944d092df7732dfca432

    Fixes:
    http://autobuild.buildroot.net/results/719/719a441421030b79c0aa1bbfb707130f3ac87338

    Signed-off-by: Romain Naour <[email protected]>
    Cc: Thomas Petazzoni <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit faf38b78aee613a732f96d5022a2894efd024a25)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 34345f1b033e338b1933381a992d9f92f4fe9ae5
Author: Julien BOIBESSOT <julien.boibesso…
fschuett added a commit to linuxmuster/linuxmuster-linbo that referenced this issue Apr 9, 2017
commit b1ae86c7f7250249ad3faeb7c473e80a71f9fd74
Merge: ddaca9d5c 476067a78
Author: Frank Schütte <[email protected]>
Date:   Sat Apr 8 14:37:16 2017 +0200

    Add 'buildroot/' from commit '604f4058d2b57f9e764aac344f72e117c852c641'

    git-subtree-dir: buildroot
    git-subtree-mainline: ddaca9d5cc201ffb618e21e86a32ac980ed327c1
    git-subtree-split: 604f4058d2b57f9e764aac344f72e117c852c641

commit ddaca9d5cc201ffb618e21e86a32ac980ed327c1
Author: Frank Schütte <[email protected]>
Date:   Sat Apr 8 14:36:04 2017 +0200

    rm subtree buildroot 2016.11

commit 476067a78d4fd1ddb141a8cccc63cf3e75cbe7a3
Author: Peter Korsgaard <[email protected]>
Date:   Wed Apr 5 13:35:15 2017 +0200

    Update for 2017.02.1

    Signed-off-by: Peter Korsgaard <[email protected]>

commit c836666c7b89936dbed15e350f4edf7e895c524c
Author: Matt Weber <[email protected]>
Date:   Mon Apr 3 21:06:11 2017 -0500

    libselinux: query for python site-packages dir directly

    With the bump to version 2.6, the following commit needs
    to be taken into consideration for overloading paths.
    https://github.com/SELinuxProject/selinux/commit/8162f10e670da963eb65ccf1e7de69ea85aba30d

    The PYLIBVER is no longer used and the PYTHONLIBDIR is
    renamed to PYSITEDIR with slightly different pathing.

    More details can be found in the issue ticket which was
    marked as a non-issue after analysis that a Buildroot fix
    was the resolution.
    https://github.com/SELinuxProject/selinux/issues/51

    Signed-off-by: Matthew Weber <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 6a6ce10eba24d43412aada7df7de2ab78e8ffee2)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit f8d1e5f1ea26f7b125bfbb4338dc24ab97e76120
Author: Thomas Petazzoni <[email protected]>
Date:   Thu Mar 23 00:04:56 2017 +0100

    gst-ffmpeg: work-around bogus configure logic on SPARC

    The libav version built into the gst-ffmpeg code produces a bogus
    binary on SPARC, which causes the following error of the
    check-bin-arch script:

      ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstffmpeg.so is Sparc v8+, should be Sparc
      ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstpostproc.so is Sparc v8+, should be Sparc
      ERROR: architecture for ./usr/lib/gstreamer-0.10/libgstffmpegscale.so is Sparc v8+, should be Sparc

    The problem is the following bit of code in
    gst-lib/ext/libav/configure:

    elif enabled sparc; then

        enabled vis && check_asm vis '"pdist %f0, %f0, %f0"' -mcpu=ultrasparc &&
            add_cflags -mcpu=ultrasparc -mtune=ultrasparc

    I.e, it checks if the architecture supports the pdist
    instruction... but forces -mcpu to ultrasparc while doing so. So it's
    like "let's see if this Ultrasparc instruction exists when I force the
    compiler to think I'm using Ultrasparc", which is non-sensical. This
    has been fixed later on in libav upstream:

      https://git.libav.org/?p=libav.git;a=commit;h=6aa93689abe8c095cec9fa828c2dee3131008995

    However, this commit cannot be backported as-is since the shell
    function check_inline_asm did not exist in the old libav version
    bundled in gst-ffmpeg.

    Therefore, we take the simpler route of disabling the VIS
    optimizations on SPARCv8 and Leon3.

    Fixes:

      http://autobuild.buildroot.net/results/e82d179c3d4f92ad7423693a4b1d42379a3f5411/

    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit d2b73875c3b8a6ec518c1424eaf92c1257fa40aa)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c61338a628879610671826f0aa766473023c8219
Author: Julien BOIBESSOT <[email protected]>
Date:   Mon Apr 3 14:25:43 2017 +0200

    package/tyrian: fixes compilation with static libs

    Has been tested with: "./support/scripts/test-pkg -c tyrian.cfg -p opentyrian"
    Fixes: http://autobuild.buildroot.net/results/0e2345db82b33f591958fc0f72ad914adafe0522
    and some similar previous build failure.

    Thanks Thomas for the tip ;-).

    Signed-off-by: Julien BOIBESSOT <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit dd99f2cb7d10f20568cab22c498a9e1831b5a351)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit eeec31f2a05b72c5616cbdd775b326a481ecdb39
Author: Yegor Yefremov <[email protected]>
Date:   Mon Apr 3 10:14:41 2017 +0200

    libsoc: add host-pkgconf dependency

    Without pkg-config PKG_CHECK_MODULES won't be expanded
    and ./configure script produces following error message:

    ./configure: line 12237: syntax error near unexpected token `PYTHON,'
    ./configure: line 12237: `	PKG_CHECK_MODULES(PYTHON, python-"$PYTHON_VERSION")'

    Fixes:

    http://autobuild.buildroot.net/results/86e/86e04bd2b10527130306451e56a7693ed4b4befd

    Signed-off-by: Yegor Yefremov <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 8975e9f2c77c6861964906e6b5ebd894cdccf45f)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 1a58c4c7b0dade55fae1fd325b5d2a129502467b
Author: Fabio Estevam <[email protected]>
Date:   Sun Apr 2 15:15:14 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: drop 4.10.x bump]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 69356afc81cee7a1b1c749274b26db507133b8d6)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 6338df7dea0dcca5c1ff2689008dd058bce677e8
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:35 2017 +0200

    audiofile: add security patch for CVE-2017-6839

    Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka
    audiofile) 0.3.6 allows remote attackers to cause a denial of service
    (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
    https://github.com/mpruett/audiofile/issues/41

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 844a7c6281eb442881330a5d36d5a0719f2870bf)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c9890cfa67a887bf24aea7043d912ee6e8e669c0
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:34 2017 +0200

    audiofile: add security patch for CVE-2017-6831

    Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp in
    Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
    denial of service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp
    https://github.com/mpruett/audiofile/issues/35

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit bd5f84d301c4e74ca200a9336eca88468ec0e1f3)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 16daa3c10dbba15bc1e2bec590c1489c967a59e0
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:33 2017 +0200

    audiofile: add security patch for CVE-2017-6830 / CVE-2017-6834 / CVE-2017-6836 / CVE-2017-6838

    CVE-2017-6830: A heap-based buffer overflow in the alaw2linear_buf function
    in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
    attackers to cause a denial of service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp
    https://github.com/mpruett/audiofile/issues/34

    CVE-2017-6834: A heap-based buffer overflow in the ulaw2linear_buf function
    in G711.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
    attackers to cause a denial of service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp
    https://github.com/mpruett/audiofile/issues/38

    CVE-2017-6836: A heap-based buffer overflow in the Expand3To4Module::run
    function in libaudiofile/modules/SimpleModule.h in Audio File Library (aka
    audiofile) 0.3.6 allows remote attackers to cause a denial of service
    (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h
    https://github.com/mpruett/audiofile/issues/40

    CVE-2017-6838: Integer overflow in sfcommands/sfconvert.c in Audio File
    Library (aka audiofile) 0.3.6 allows remote attackers to cause a denial of
    service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
    https://github.com/mpruett/audiofile/issues/41

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 4a1a8277bba490d227f413e218138e39f1fe1203)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 5e24ed52e4513ed49810455a91c70f496efbc9cc
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:32 2017 +0200

    audiofile: add security patch for CVE-2017-6829

    The decodeSample function in IMA.cpp in Audio File Library (aka audiofile)
    0.3.6 allows remote attackers to cause a denial of service (crash) via a
    crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp
    https://github.com/mpruett/audiofile/issues/33

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 434890df2a7c131b40fec1c49e6239972ab299d2)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 4f533d049ae78647431a9384206b8fe8733b61d9
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 30 23:03:31 2017 +0200

    audiofile: add security patch for CVE-2017-6827 / CVE-2017-6828 / CVE-2017-6832 / CVE-2017-6833 / CVE-2017-6835 / CVE-2017-6837

    CVE-2017-6827: A heap-based buffer overflow in the
    MSADPCM::initializeCoefficients function in MSADPCM.cpp in audiofile (aka
    libaudiofile and Audio File Library) 0.3.6 allows remote attackers to have
    unspecified impact via a crafted audio file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp
    https://github.com/mpruett/audiofile/issues/32

    CVE-2017-6828: A Heap-based buffer overflow in the readValue function in
    FileHandle.cpp in audiofile (aka libaudiofile and Audio File Library) 0.3.6
    allows remote attackers to have unspecified impact via a crafted WAV file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp
    https://github.com/mpruett/audiofile/issues/31

    CVE-2017-6832: A Heap-based buffer overflow in the decodeBlock in
    MSADPCM.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote
    attackers to cause a denial of service (crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp
    https://github.com/mpruett/audiofile/issues/36

    CVE-2017-6833: The runPull function in libaudiofile/modules/BlockCodec.cpp
    in Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause
    a denial of service (divide-by-zero error and crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp
    https://github.com/mpruett/audiofile/issues/37

    CVE-2017-6835: The reset1 function in libaudiofile/modules/BlockCodec.cpp in
    Audio File Library (aka audiofile) 0.3.6 allows remote attackers to cause a
    denial of service (divide-by-zero error and crash) via a crafted file.

    https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp
    https://github.com/mpruett/audiofile/issues/39

    CVE-2017-6837: WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows
    remote attackers to cause a denial of service (crash) via vectors related to
    a large number of coefficients.

    http://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/
    https://github.com/mpruett/audiofile/issues/41

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit cc00bde57fc20d11f8fa4e8ec5f193c091714c55)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 9eb481bbfea238ee6c0b9258ef039a9a20a3dac4
Author: Baruch Siach <[email protected]>
Date:   Fri Mar 31 14:09:36 2017 +0300

    pcre: add upstream security fixes

    Take Debian adapted patches of upstream.

    Fixes:

    CVE-2017-6004: crafted regular expression may cause denial of service

    CVE-2017-7186: invalid Unicode property lookup may cause denial of service

    Signed-off-by: Baruch Siach <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 3143910eec12a5b23e853b3177bf316ac186b87a)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 40192c1aa1339514ec166ef1ffbf1657f47d8c86
Author: Fabio Estevam <[email protected]>
Date:   Thu Mar 30 11:24:45 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: drop 4.10.x bump]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit c720701c4d3b23e35908319e6ade082c9e5a1433)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 1244b189543a11f1d712caf12efb7ee8703eba97
Author: Thomas Petazzoni <[email protected]>
Date:   Sun Mar 26 23:43:40 2017 +0200

    system: do not overwrite /bin/sh Busybox symlink

    The BR2_SYSTEM_BIN_SH hidden option defines to what binary the /bin/sh
    symlinks should point to. If busybox is chosen, then /bin/sh is created
    to point to /bin/busybox.

    This works fine with the default installation mode of Busybox, but it
    fails with the upcoming "individual binaries" mode, in which each applet
    is installed as its own binary, and /bin/busybox doesn't exist: we get
    /bin/sh as a broken symlink to /bin/busybox.

    Since Busybox already installs its own /bin/sh symlink, properly
    pointing to /bin/ash or /bin/hush depending on the selected shell, it
    doesn't make sense for the BR2_SYSTEM_BIN_SH logic to override
    this. Just let Busybox install its own /bin/sh by making
    BR2_SYSTEM_BIN_SH empty when Busybox shell is selected as /bin/sh.

    Signed-off-by: Thomas Petazzoni <[email protected]>
    Reviewed-by: Matthew Weber <[email protected]>
    Acked-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit fc91501e6b32ef1b015ac9b0fbf6d64aa1ce0162)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit d09c7e4d45261ef03277c9f46a07c81686f5e5bb
Author: Pawel Sikora <[email protected]>
Date:   Mon Mar 27 00:44:14 2017 +0200

    syslog-ng: Bump version header in conf file to 3.9

    Package version of syslog-ng is 3.9.1.
    Bumping version number in syslog-ng.conf to 3.9

    Fixing warning message about configuration file being too old.

    Signed-off-by: Pawel Sikora <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 3dad25466d2931eeecde23867bed79b1d7213887)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 119e94b830a14a2c82d11bf5dfc16b46ece06702
Author: Peter Korsgaard <[email protected]>
Date:   Tue Mar 28 17:18:08 2017 +0200

    samba4: security bump to version 4.5.7

    Fixes CVE-2017-2619:

       All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
       a malicious client using a symlink race to allow access to areas of
       the server file system not exported under the share definition.

       Samba uses the realpath() system call to ensure when a client requests
       access to a pathname that it is under the exported share path on the
       server file system.

       Clients that have write access to the exported part of the file system
       via SMB1 unix extensions or NFS to create symlinks can race the server
       by renaming a realpath() checked path and then creating a symlink. If
       the client wins the race it can cause the server to access the new
       symlink target after the exported share path check has been done. This
       new symlink target can point to anywhere on the server file system.

       This is a difficult race to win, but theoretically possible. Note that
       the proof of concept code supplied wins the race reliably only when
       the server is slowed down using the strace utility running on the
       server. Exploitation of this bug has not been seen in the wild.

    Signed-off-by: Peter Korsgaard <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 493cedf3af061b90a899826e0c184c2f484414f6)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit e29fa95b8368f9b85a1bfb2cef9741c6218c59b3
Author: Yann E. MORIN <[email protected]>
Date:   Sat Jan 28 11:41:32 2017 +0100

    core/br2-external: properly report unexpected errors

    Unextected error in the br2-external script are properly caught, but
    they are not reported properly, and we end up in either of two
    situations:

      - the .br2-external.mk file is not generated, in which case make will
        try to find a rule to generate it (because the 'include' directive
        tries to generate missing files);

      - the .br-external.mk file is generated but does not contain the error
        variable, and thus the build might not get interrupted.

    We fix that by using a trap on the pseudo ERR signal, to emit the error
    variable on unexpected errors.

    Signed-off-by: "Yann E. MORIN" <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit c5fa9308ea4e3810a7f7d9d0df75cbf090c414c4)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 74ed2a833da74b33e0ad8c4fd77e789885b3a9fd
Author: Rahul Bedarkar <[email protected]>
Date:   Wed Mar 22 23:18:52 2017 +0530

    taglib: fix legal info

    taglib is dual licensed under LGPLv2.1 or MPLv1.1. Almost all source
    files have license text mentioning LGPLv2.1 or alternatively MPLv1.1.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    [Thomas: use MPL-1.1 instead of MPLv1.1, since MPL-1.1 is the SPDX
    license code for this license.]
    Signed-off-by: Thomas Petazzoni <[email protected]>

    (cherry picked from commit f30a3940c8dc5fc9bbe3a0ace457201808142183)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c1be21ac128640dd600da2ad5840c74d72a799ee
Author: Rahul Bedarkar <[email protected]>
Date:   Wed Mar 22 23:18:51 2017 +0530

    dbus-triggerd: add license file

    In absence of license file, use source file as a license file since it
    has license header in comments.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 50284570fbefa37c8874b47cd5998bd890e54632)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 0b670f3879eaa1bc56b6eaeeed54f36aba831219
Author: Rahul Bedarkar <[email protected]>
Date:   Wed Mar 22 23:18:50 2017 +0530

    dbus-glib: fix legal info

    dbus glib bindings are dual licensed under AFLv2.1 or GPLv2+.
    Separate licenses using 'or' keyword.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit f70f0b497f8a072eb22aff0bd934467b706cffd8)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2d7d618f7c8d53da9fb828ced4b445635ddb44c0
Author: Fabio Estevam <[email protected]>
Date:   Sun Mar 26 10:49:43 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: drop 4.10.x update]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit b718c776ca1a5d204f2ae9a765331a32e87e9560)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 3400806b9d555cf2f30154feeecd19221b8b52a0
Author: Rodrigo Rebello <[email protected]>
Date:   Sun Mar 26 03:36:54 2017 -0300

    htop: use correct ncurses config script name

    The ncurses config script can have different names depending on the
    configuration (e.g. wchar support enabled/disabled). So, use
    $(NCURSES_CONFIG_SCRIPTS) from the ncurses package as it contains the
    proper name.

    Signed-off-by: Rodrigo Rebello <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 8cd1554ee162f6344dab078233f4f6c0d93e7c24)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 9d70c89b8029cef33a3abfa2ab98f1f68656c947
Author: Rodrigo Rebello <[email protected]>
Date:   Sun Mar 26 03:36:53 2017 -0300

    slang: use correct ncurses config script name

    The ncurses config script can have different names depending on the
    configuration (e.g. wchar support enabled/disabled). So, use
    $(NCURSES_CONFIG_SCRIPTS) from the ncurses package as it contains the
    proper name.

    Fixes:

      http://autobuild.buildroot.net/results/c97554c05e121c76407be53ba37924cfcb658e9d/
      http://autobuild.buildroot.net/results/b0a31a3491a30ee0d6e6e7dbba68a86f0e00943d/
      http://autobuild.buildroot.net/results/a77241141cf8710fa945523ef62327798e3c4824/
      [...]

    Signed-off-by: Rodrigo Rebello <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit b3e4ed92380080334d3d09bb4a53dc6102edd8aa)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit ccf0e0767d6c73dd23852fad5de2900c6f88fd56
Author: Bernd Kuhls <[email protected]>
Date:   Thu Mar 23 20:37:00 2017 +0100

    package/ntp: fix build for toolchains without ssp

    ntp defaults to use ssp support
    http://bk1.ntp.org/ntp-stable/sntp/harden/README

    by using these flags
    http://bk1.ntp.org/ntp-stable/sntp/harden/linux

    If the toolchain lacks SSP support this patch forces ntp to use an
    empty set of flags: http://bk1.ntp.org/ntp-stable/sntp/harden/default

    Fixes
    http://autobuild.buildroot.net/results/1d5/1d58bd8745b22c8eb71fea4c7255d3ace69f6f7a/

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 00968bcac0674250956e99b6fafbf9b373446488)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 30a9181448690d01d3aad51d0c2458b0c5ec1761
Author: Jörg Krause <[email protected]>
Date:   Fri Mar 24 08:53:21 2017 +0100

    busybox: fix mdev.conf

    mdev does not set "/dev/snd" and "/dev/input" group and permission
    propery, because with commit c3cf1e30a3022453311a7e9fe11d94c7a381640e
    (May 2013!) the behavior of mdev has changed.

    The device name is now taken directly from the uevent file and does no
    longer match the old rule.

    Fix the rules for "/dev/snd" and "/dev/input" according to the example
    given in [1].

    [1] http://lists.busybox.net/pipermail/busybox/2015-February/082297.html

    Signed-off-by: Jörg Krause <[email protected]>
    Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit afb585468b33c76d41686cb92e7f56565fe150e4)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 03316d1719645ea47aac6de3a29877345c5e0a67
Author: Jörg Krause <[email protected]>
Date:   Fri Mar 24 09:47:43 2017 +0100

    upmpdcli: add user to the audio group

    upmpdcli runs as user and group upmpdcli. In order to allow it to access
    the ALSA devices add it to the audio group.

    Signed-off-by: Jörg Krause <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit ab9842e360ae08954b07504a20cd053fe146f383)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 5bc876f43b1954e0494b5f360c8e0f9ddc5624e4
Author: Vicente Olivert Riera <[email protected]>
Date:   Wed Mar 22 13:19:27 2017 +0000

    linux-headers: bump 3.{2, 12}.x and 4.{1, 4, 9, 10}.x series

    [Peter: drop 4.10.x update]
    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 0d70d1dbf054f4a0609ba1076bc7e097305013d2)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 13eec966adfdc6c7659bff0cb7fd27056c248127
Author: Bernd Kuhls <[email protected]>
Date:   Wed Mar 22 22:03:13 2017 +0100

    package/ntp: security bump to 4.2.8p10

    Changed NTP_SITE to https to circumvent "URL transformed to HTTPS due
    to an HSTS policy" during download.

    For details about the bugs fixed see:
    http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
    http://www.kb.cert.org/vuls/id/633847

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit b47aec79d2e19ef7e3f04d2758c3a2930d47cebe)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 293f9d2f18d28e2f5f235ba4c94a6bb695ecf6c9
Author: Arnout Vandecappelle <[email protected]>
Date:   Tue Mar 21 01:07:01 2017 +0100

    squashfs: correct hash

    When squashfs was bumped to 3de1687d in commit ee90313c64, the hash
    file was not updated. This wasn't noticed before since hashes are not
    checked for git downloads.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Thomas De Schampheleire <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 85c832247e40f00f48ac328970bb39ab7851f042)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit a2c0793636adaf44df268dc9a406d12a8bd42e7f
Author: Arnout Vandecappelle <[email protected]>
Date:   Tue Mar 21 01:07:00 2017 +0100

    linux-firmware: correct hash

    When linux-firmware was bumped to 6d3bc8886 in commit 3ff5896ff, a hash
    file was added but the hash was wrong. This wasn't noticed before since
    hashes are not checked for git downloads.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Adam Duskett <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 0409b136985ff582d561076f03685da9890fa325)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2f426dadad24fa46909ed6504d19eb7ccbd55657
Author: Arnout Vandecappelle <[email protected]>
Date:   Tue Mar 21 01:06:59 2017 +0100

    fmc: correct hash file

    It had sha256sum instead of sha256. This wasn't noticed before since
    hashes for git downloads are not checked.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Matthew Weber <[email protected]>
    Reviewed-by: Matthew Weber <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit ba717fde72c862a283a035b3b44377bb48d08284)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit e6b2152cd15bd8a9ed8a72c2ef2c07959839d46d
Author: Arnout Vandecappelle <[email protected]>
Date:   Tue Mar 21 01:06:57 2017 +0100

    download/git: create GNU format tar files

    On most distros, the tar format defaults to GNU. However, at build time
    the default format may be changed to posix. Also, future versions of
    tar will default to posix.

    Since we want the tarballs created by the git download method to be
    reproducible (so their hash can be checked), we should explicitly
    specify the format. Since existing tarballs on sources.buildroot.org
    use the GNU format, and also the existing hashes in the *.hash files
    are based on GNU format tarballs, we use the GNU format.

    In addition, the Posix format encodes atime and ctime as well as mtime,
    but tar offers no option like --mtime to override them. In the GNU
    format, atime and ctime are only encoded if the --incremental option is
    given.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Peter Seiderer <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 0f369a9231b2c67748f4f0c2dbb33ebdc2890478)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit ac75d32ae79aed38e003361503a601edad384d23
Author: Yegor Yefremov <[email protected]>
Date:   Tue Mar 21 09:22:33 2017 +0100

    graph-depends: rename pkgutil.py to brpkgutil.py

    pkgutil.py is also part of Python itself. Placing pkgutil.py as is
    in a folder with other scripts that require original pkgutil will
    break them. This is the case with scanpypi. So rename pkgutil.py
    to brpkgutil.py to avoid naming collision.

    Fixes: https://bugs.busybox.net/show_bug.cgi?id=9766

    Signed-off-by: Yegor Yefremov <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 3b627c89dc8adf8c60efd773935bf66004e8433d)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit eaadfab8e8c77d9b66b0b9b1215a6ebd0ca6307c
Author: Thomas Petazzoni <[email protected]>
Date:   Tue Mar 21 22:21:20 2017 +0100

    ltp-testsuite: disable Open POSIX testsuite

    The Open POSIX testsuite builds and installs to the target directory a
    program called 't0' that isn't cross-compiled, which is bad.

    Since the LTP build system is autoconf but not automake based, and the
    Open POSIX testsuite is a sort of sub-project inside it, fixing the
    issue is not trivial.

    Therefore, we simply disable the Open POSIX testsuite entirely. Oddly
    enough, --without-open-posix-testsuite doesn't work due to another bug,
    so we simply have to remove --with-open-posix-testsuite.

    Open POSIX testsuite cross-compilation issue reported at
    https://github.com/linux-test-project/ltp/issues/144.

    Configure script bug reported at
    https://github.com/linux-test-project/ltp/issues/143.

    Fixes:

      http://autobuild.buildroot.net/results/8326ba9eb257dfc92c1ad282ba6d3565e8250def/

    Signed-off-by: Thomas Petazzoni <[email protected]>
    Reviewed-by: "Yann E. MORIN" <[email protected]>
    Tested-by: "Yann E. MORIN" <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit b57e1355a72da407c19315cb4187767d28e4d064)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 55a23407aff9ab0b3e3c72b7c5fd6c8873a910d2
Author: Yann E. MORIN <[email protected]>
Date:   Tue Mar 21 22:33:59 2017 +0100

    package/dbus-cpp: fix cross-compilation

    dbus-cpp has an ugly hack to not cross-build the tools when it detects
    cross-compilation.

    However, we already have a host variant that builds those tools (and we
    anyway don't seem to need them to begin with).

    Drop our patch that propagates the CXXFLAGS/LDFLAGS_FOR_BUILD. Replace
    with a patch to cross-compile the tools.

    Fixes:
        http://autobuild.buildroot.org/results/110/1100539caae6ef62c61a3b96bc54f7c0a215cc62/
        and many, many more.

    Signed-off-by: "Yann E. MORIN" <[email protected]>
    Cc: Gustavo Zacarias <[email protected]>
    Cc: Thomas Petazzoni <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit f5dbd0dea159393e779f6a1f5fa53b9fa07ff34a)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 3b9349e3cb8804bf3f1d2de3823f58371e735ab9
Author: Julien Beraud <[email protected]>
Date:   Tue Mar 21 14:23:56 2017 +0100

    apr: fix size of pid_t

    pid_t is a signed 32bits integer on both 32bits and 64bits
    architectures.
    This fixes an issue with apache server which causes bad pid
    to be written in PidFile

    Signed-off-by: Julien Beraud <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit ee8cbc5fca779ff054a50ed8e6271952367147c7)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 22dd05433e0e0309628489b983569d2d47c57341
Author: Vicente Olivert Riera <[email protected]>
Date:   Tue Mar 21 15:40:08 2017 +0000

    memcached: bump version to 1.4.36

    From the release notes
    (https://github.com/memcached/memcached/wiki/ReleaseNotes1436):

    Important bug fix that could lead to a hung slab mover.  Also improves
    memory efficiency of chunked items.

    [Peter: add release notes link / mention important bug fix]
    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>

    (cherry picked from commit adfe049d85b09a2ce780ce49f8e53d9cfaf90e2d)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2239406dc1820c1b9958f559737abc9d904d5142
Author: Vicente Olivert Riera <[email protected]>
Date:   Mon Mar 13 11:43:50 2017 +0000

    memcached: bump version to 1.4.35

    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 36cabc5a744d97090784a29a4001a994728e0539)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit df0c78d61e142781b6da3d0cf789b8b7b1ae3055
Author: Baruch Siach <[email protected]>
Date:   Tue Mar 21 15:11:22 2017 +0200

    openssh: security bump to version 7.5

    From the release notes (https://www.openssh.com/txt/release-7.5):

    Security
    --------

     * ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
       that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
       Note that the OpenSSH client disables CBC ciphers by default, sshd
       offers them as lowest-preference options and will remove them by
       default entriely in the next release. Reported by Jean Paul
       Degabriele, Kenny Paterson, Martin Albrecht and Torben Hansen of
       Royal Holloway, University of London.

     * sftp-client(1): [portable OpenSSH only] On Cygwin, a client making
       a recursive file transfer could be maniuplated by a hostile server to
       perform a path-traversal attack. creating or modifying files outside
       of the intended target directory. Reported by Jann Horn of Google
       Project Zero.

    [Peter: mention security fixes]
    Signed-off-by: Baruch Siach <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>

    (cherry picked from commit 2204f4deb1c6c6ff4accd84b5aa2d42f5930b730)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit dc9ecb90c58908ffa0d896d4da5b1d4b917253c7
Author: Peter Seiderer <[email protected]>
Date:   Mon Mar 6 21:43:47 2017 +0100

    gst1-plugins-bad: waylandsink needs wayland-protocols

    Signed-off-by: Peter Seiderer <[email protected]>
    ----
    Changes v1 -> v2:
      - use select instead of depends for BR2_PACKAGE_WAYLAND_PROTOCOLS
       (suggested by Thomas Petazzoni)
      - add select BR2_PACKAGE_WAYLAND_PROTOCOLS to missing second
        place (BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_WAYLAND)
    Signed-off-by: Thomas Petazzoni <[email protected]>

    (cherry picked from commit 5a2d37ca125c1742864af0e9324234f8f3ecc071)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 1c1b702a466023f8826cfb6a386e9b4683880875
Author: Peter Seiderer <[email protected]>
Date:   Fri Mar 10 20:54:54 2017 +0100

    libxkbcommon: disable wayland support

    Disable wayland support (only needed for the interactive-wayland
    test program). This fixes a compile failure in case wayland
    support is autodetected:

        GEN      xdg-shell-unstable-v5-protocol.c
      /bin/sh: /usr/bin/wayland-scanner: No such file or directory
      Makefile:2426: recipe for target 'xdg-shell-unstable-v5-protocol.c' failed
      make[3]: *** [xdg-shell-unstable-v5-protocol.c] Error 127
      make[3]: *** Waiting for unfinished jobs....
        GEN      xdg-shell-unstable-v5-client-protocol.h
      /bin/sh: /usr/bin/wayland-scanner: No such file or directory
      Makefile:2428: recipe for target 'xdg-shell-unstable-v5-client-protocol.h' failed
      make[3]: *** [xdg-shell-unstable-v5-client-protocol.h] Error 127

    Signed-off-by: Peter Seiderer <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 7665b5870995ef059d1654c35557b53c04a71d1d)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 51038b08eebee72d89ec7871d1ffe5c84abb2b9f
Author: Romain Naour <[email protected]>
Date:   Sun Mar 19 21:51:53 2017 +0100

    package/mesa3d: add lm-sensors optional dependency

    radeon-pci-0008
    Adapter: PCI adapter
    temp1:        +56.0 C  (crit = +120.0 C, hyst = +90.0 C)

    Signed-off-by: Romain Naour <[email protected]>
    Cc: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 73401587e5984397bedddab61ad6c89712041267)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit b277a7f0db52b02f79a29a7816169abfefd51f91
Author: Rahul Bedarkar <[email protected]>
Date:   Mon Mar 20 20:41:18 2017 +0530

    filemq: correct license

    All source files, except src/filemq_client.c and src/filemq_server.c,
    has MPL Version 2.0 license text in file header.

    As confirmed with upstream [1] (L)GPLv3 license texts COPYING and
    COPYING.LESSER are leftover from previous implementation.

    [1] - https://github.com/zeromq/filemq/issues/74

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 205a0289d4a0aefc76b0c937c2f725517114c658)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit eb021f3547a721d77de73789bd23a44c6e3ea8f7
Author: Eric Le Bihan <[email protected]>
Date:   Mon Mar 20 21:11:22 2017 +0100

    skalibs: fix endianness detection on x86

    Update the patch for compile time endianness detection so it works on
    x86 platforms using GCC <= 4.4.

    Fixes:

      http://autobuild.buildroot.net/results/c2e8e1180571976b412cbba729c45a3698aea0b2
      http://autobuild.buildroot.net/results/2ee47107d8a67470f7bc3e10cf763202d5455d17

    Signed-off-by: Eric Le Bihan <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 8eecaf2d122f7da6f59964f5eb00139a32373d06)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 05bc9b0c339d3ed0830cff3e702cdccefcf2b068
Author: Baruch Siach <[email protected]>
Date:   Mon Mar 20 06:16:56 2017 +0200

    wget: add upstream security fix

    Fixes CVE-2017-6508: CRLF injection in the url_parse function in url.c

    http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html

    Signed-off-by: Baruch Siach <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 7132fc9c11573a460243895c85e66b514b71c041)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 55c742f83a563668caf4435526a780c80bdd6014
Author: Fabio Estevam <[email protected]>
Date:   Sat Mar 18 11:21:42 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: drop 4.10.x update]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit f4978bf018d4f03834f879f3dfc4e8237846742e)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 8c6080b06cee662b409e2256cee0570684170f19
Author: Jan Kundrát <[email protected]>
Date:   Fri Mar 17 17:02:54 2017 +0100

    skeleton: fix permissions on /dev/pts/ptmx

    Without this patch, it is not possible to allocate PTYs when a generated
    rootfs image with a recent glibc and systemd is launched as a container  on
    an RHEL7 system via machinectl/systemd-nspawn. The container boots, but
    `machinectl login mycontainer` fails. The culprit is /dev/pts/ptmx with
    0000 perms.

    On a typical system, there are two `ptmx` devices. One is provided by the
    devpts at /dev/pts/ptmx and it is typically not directly accessed from
    userspace. The other one which actually *is* opened by processes is
    /dev/ptmx. Kernel's documentation says these days that /dev/ptmx should be
    either a symlink, or a bind mount of the /dev/pts/ptmx from devpts.

    When a container is launched via machinectl/machined/systemd-nspawn, the
    container manager prepares a root filesystem so that the container can live
    in an appropriate namespace (this is similar to what initramfs is doing on
    x86 desktops). During these preparations, systemd-nspawn mounts a devpts
    instance using a correct ptmxmode=0666 within the container-to-be's
    /dev/pts, and it adds a compatibility symlink at /dev/ptmx. However, once
    systemd takes over as an init in the container,
    /lib/systemd/systemd-remount-fs applies mount options from /etc/fstab to
    all fileystems. Because the buildroot's template used to not include the
    ptmxmode=... option, a default value of 0000 was taking an effect which in
    turn led to not being able to allocate any pseudo-terminals.

    The relevant kernel option was introduced upstream in commit 1f8f1e29 back
    in 2009. The oldest linux-headers referenced from buildroot's config is
    3.0, and that version definitely has that commit. Mount options that are
    not understood by the system are anyway ignored, so backward
    compatibility is preserved.

    Signed-off-by: Jan Kundrát <[email protected]>
    Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    [Thomas: fix commit title, adjust commit log.]
    Signed-off-by: Thomas Petazzoni <[email protected]>

    (cherry picked from commit 8196b299ba12bd6741bf7f4462cad180dab77fb0)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 74293a15bdfda83bb83f15f9dc459a54a6ab99f0
Author: Arnout Vandecappelle <[email protected]>
Date:   Fri Mar 17 17:06:16 2017 +0100

    fakeroot: depend on acl

    Recent versions of fakeroot have grown support for acl. We don't really
    need this since we don't use acls in Buildroot. However, it turns out
    that "cp -a" does something funky with acls, with the result that
    fakeroot without acl support looses the ownership and permissions on
    the copied file. "cp -a" may be (is even likely to be) used in a
    BR2_ROOTFS_POST_FAKEROOT_SCRIPT, so we need to support this.

    Note that host-acl itself depends on host-attr, so this pulls in two
    extra packages in each build. The impact on build time is about 10s.

    Cc: Andreas Naumann <[email protected]>
    Cc: Maxime Hadjinlian <[email protected]>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 2a222446b4614a38b4042df54b68b69b96939708)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit f6ba4399324396d690d95a2b1a11d87a4ffe173f
Author: Arnout Vandecappelle <[email protected]>
Date:   Fri Mar 17 17:06:15 2017 +0100

    acl: add host variant

    We need host-acl to fix issues with fakeroot.

    Unfortunately, all the hacks (except the .la fixup) have to be repeated.

    Cc: Yegor Yefremov <[email protected]>
    Cc: Andreas Naumann <[email protected]>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit c83446fccace19694e20b1d0a730680244d724fe)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c7c5c7e5f6837bd47fb95d2df96726aeacbaf28f
Author: Arnout Vandecappelle <[email protected]>
Date:   Fri Mar 17 17:06:14 2017 +0100

    acl: make sure build picks up TARGET_CFLAGS

    The acl build system doesn't use automake, therefore it is broken. It
    doesn't use the CFLAGS passed by configure. Work around this by passing
    CFLAGS in the environment. The makefiles append to CFLAGS, so this
    works.

    This issue hasn't led to build failures, but it is visible e.g. when
    stack protector is enabled: the stack protector options are not applied
    to acl. Also debug and optimisation options aren't applied.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Cc: Yegor Yefremov <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 99c9b0affde4fcc3270425319b98a0e5e32f5964)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 3e386020722b85aaf89b9dccc0263905763c8d08
Author: Peter Korsgaard <[email protected]>
Date:   Thu Mar 16 16:31:46 2017 +0100

    xlib_libXv: correct license info

    The license is actually closer to ISC than MIT, E.G.:

    https://opensource.org/licenses/ISC
    vs
    https://opensource.org/licenses/MIT

    >From COPYING:
    Permission to use, copy, modify, and distribute this software and its
    documentation for any purpose and without fee is hereby granted,
    provided that the above copyright notice appear in all copies and that
    both that copyright notice and this permission notice appear in
    supporting documentation, and that the names of Digital or MIT not be
    used in advertising or publicity pertaining to distribution of the
    software without specific, written prior permission.

    E.G.  this is very similar to the normal ISC text which has been extended
    with a BSD-3c style advertisinc clause.  Both are permissive licenses, but
    it is more correct to call it ISC-like.

    Notice: As pointed out by Rahul Bedarkar, this may actually be more closely
    related to the OpenBSD template license:

    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD

    But that is also based on the ISC license, so calling it ISC-like is still
    correct.

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit aad15918520391ea0952d742db9c52c3ac2b1f7e)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2a778d53fa6bf7c232ad57eedbd0fd9bf7328c84
Author: Romain Naour <[email protected]>
Date:   Fri Mar 17 00:02:06 2017 +0100

    package/cairo: update license information

    As noticed by Rahul Bedarkar, the cairo library is LGPLv2.1 only
    (not LGPLv2.1+) or MPLv1.1.

    Signed-off-by: Romain Naour <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 0768932a0229b2c201c292023f59a868ecdb1222)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit fd28c44ce87b7480a24e596f7a34e3d30e577333
Author: Baruch Siach <[email protected]>
Date:   Thu Mar 16 20:41:23 2017 +0200

    tcpreplay: patch security issue

    Add upstream patch for CVE-2017-6429: Buffer overflow when reading crafted
    pcap file with large packets.

    https://github.com/appneta/tcpreplay/issues/278

    Signed-off-by: Baruch Siach <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 62bf2bfd53885fbd62a8e9345c7f3d7a4d619342)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 8cd0e35189346419b4ca60f275f8663de21877c2
Author: Rahul Bedarkar <[email protected]>
Date:   Thu Mar 16 17:24:01 2017 +0530

    taglib: update homepage link

    Avoid redirect.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit a411212d22cb84b92201b5a02ef8b860b0a17280)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit bae94a6e65449729a1c73dc38698e11379b645d6
Author: Gustavo Zacarias <[email protected]>
Date:   Wed Mar 15 15:08:36 2017 -0300

    mbedtls: security bump to verison 2.4.2

    Fixes:
    CVE-2017-2784 - Freeing of memory allocated on stack when validating a
    public key with a secp224k1 curve.

    Signed-off-by: Gustavo Zacarias <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 465ce2ea73cc1d98972cde45114f7b0e35e32ff2)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit f2e01f9c189b3d04cae85c72263c88d49c171b8d
Author: Peter Korsgaard <[email protected]>
Date:   Wed Mar 15 11:48:32 2017 +0100

    mariadb: security bump to version 10.1.22

    Fixes:

    CVE-2017-3302 - C client library for MySQL (libmysqlclient.so) has
    use-after-free defect which can cause crash of applications using that MySQL
    client.

    CVE-2017-3313 - Difficult to exploit vulnerability allows low privileged
    attacker with logon to the infrastructure where MySQL Server executes to
    compromise MySQL Server.  Successful attacks of this vulnerability can
    result in unauthorized access to critical data or complete access to all
    MySQL Server accessible data.

    And a number of important, but non-security related fixes:

    MDEV-11842: Fix a 10.1.21 regression with failed INSERT, BEFORE INSERT
    triggers, and columns with no default value

    MDEV-12075: Fix a 10.1.21 regression in the InnoDB data file extension code

    For details, see the release notes:
    https://mariadb.com/kb/en/mariadb/mariadb-10122-release-notes/

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 467b38892aa23927ad1140119f0f17c23e896e7e)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 604b463d534943701024d7878dd2017c45ed5088
Author: Peter Korsgaard <[email protected]>
Date:   Tue Mar 14 23:58:22 2017 +0100

    jasper: add upstream security fix

    Fixes a NULL Pointer Dereference jp2_encode:

    https://github.com/mdadams/jasper/issues/120

    No CVE assigned yet.

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit 76da579431a78875afeaeda76e459aca69e85d36)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 607c2635ca1f48f3aacb84404a4cd0ee49215827
Author: Peter Korsgaard <[email protected]>
Date:   Tue Mar 14 23:58:21 2017 +0100

    jasper: add upstream security fix for CVE-2017-6850

    Fixes a NULL pointer dereference in jp2_cdef_destroy:

    https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-jp2_cdef_destroy-jp2_cod-c/

    https://github.com/mdadams/jasper/issues/112

    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit a105443b24f7c75b10dab44c2916fc9f2b58363a)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 1a1ec309d748d1d1cdb4f3b9dbcd7eb08c7b0e93
Author: Fabio Estevam <[email protected]>
Date:   Wed Mar 15 08:07:38 2017 -0300

    linux-headers: bump 4.{4, 9, 10}.x series

    [Peter: skip 4.10.x]
    Signed-off-by: Fabio Estevam <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit b3d736b9b6b92b70a9020be470a4cf5f7f012b2e)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 840969ed617f772c866ea61e27cab97eaaf63eff
Author: Vicente Olivert Riera <[email protected]>
Date:   Mon Mar 13 12:31:20 2017 +0000

    rpm: bump version to 4.13.0.1 (security)

    Security fixes:
     - Fix several out of bounds reads in the OpenPGP parser
     - Fix handling of OpenPGP reserved tag (should be rejected)
     - Fix various crashes from malformed packages with invalid tags

    Release notes:
      http://rpm.org/wiki/Releases/4.13.0.1

    This patch also switches from GitHub to rpm.org since the last one seems
    to be more up-to-date.

    [Peter: use RPM_VERSION_MAJOR as suggested by Jerzy Grzegorek]
    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>

    (cherry picked from commit 7adbcd174a17ff1b74c4b20d94ca4a9e7f396d68)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit fb398d3a4d806399e52c1f970a415cd718133403
Author: Vicente Olivert Riera <[email protected]>
Date:   Mon Mar 13 11:41:44 2017 +0000

    linux-headers: bump 4.{4, 9, 10}.x and 3.12.x series

    [Peter: skip 4.10.x]
    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Peter Korsgaard <[email protected]>
    (cherry picked from commit d18cdcebc238706d1bf50460b85ea36eaed83b21)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 3bf15bfc84f646efbdeead006378265fa56855a9
Author: Matthew Fornero <[email protected]>
Date:   Mon Mar 13 15:35:02 2017 -0400

    libiio: explicitly disable matlab bindings

    If building on a machine with MATLAB installed, the MATLAB bindings will
    default to ON, which is not the desired behavior for a cross build.

    The bindings are designed to be called from within MATLAB, and we are
    not currently running MATLAB on buildroot-generated targets.

    This does not preclude the use of the bindings from a host connecting
    over the network backend (assuming libiio on the host has the bindings
    enabled).

    Signed-off-by: Matthew Fornero <[email protected]>
    Acked-By: Paul Cercueil <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit f358078b3374f3b316551660e89f5c463cb61608)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 14dc993718941fb0d1194fc2eedcab0b5fe33260
Author: Rahul Bedarkar <[email protected]>
Date:   Tue Mar 14 19:59:37 2017 +0530

    zmqpp: update license

    Since version 4.1.2, zmqpp is provided under MPLv2.

    Signed-off-by: Rahul Bedarkar <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 87e9391e69cae06836723dcc5525e07d89c14acb)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 8ddd530004229e032dda14c64db629b862b27fa3
Author: Bernd Kuhls <[email protected]>
Date:   Sun Mar 12 12:44:57 2017 +0100

    package/mplayer: add optional support for pulseaudio

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit a085b7c3139b2c4543530fb0adf0047d8a4c1fd3)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 9739750396da0af7a449eed9e38e003e0dc2d159
Author: Bernd Kuhls <[email protected]>
Date:   Sun Mar 12 13:12:03 2017 +0100

    package/git: fix pcre support

    The current code contains some obvious typos.

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit d830807794245077e73ee1d3c78eecb8d224dc04)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 32a9eb6e5abbc1787e0a82756d35aa8fb5b411cb
Author: Bernd Kuhls <[email protected]>
Date:   Sun Mar 12 13:43:14 2017 +0100

    package/git: add optional support for gettext

    git links to libintl if available:

    $ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/bin/git | grep NEEDED
     0x00000001 (NEEDED)                     Shared library: [libz.so.1]
     0x00000001 (NEEDED)                     Shared library: [libintl.so.8]
     0x00000001 (NEEDED)                     Shared library: [libc.so.0]

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit aecab2f29c396a04d24e61479d7fc3f53149448f)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 894a37c031cce0715d28f5003ccc58db07b1cce9
Author: Bernd Kuhls <[email protected]>
Date:   Sun Mar 12 15:06:05 2017 +0100

    package/python: add optional support for libintl

    Python links to gettext when available:

    $ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/lib/python2.7/lib-dynload/_locale.so | grep NEEDED
     0x00000001 (NEEDED)                     Shared library: [libintl.so.8]
     0x00000001 (NEEDED)                     Shared library: [libpython2.7.so.1.0]
     0x00000001 (NEEDED)                     Shared library: [libc.so.0]

    In comparison the same library compiled without gettext:

    $ output/host/usr/bin/i586-buildroot-linux-uclibc-readelf -a output/target/usr/lib/python2.7/lib-dynload/_locale.so | grep NEEDED
     0x00000001 (NEEDED)                     Shared library: [libpython2.7.so.1.0]
     0x00000001 (NEEDED)                     Shared library: [libc.so.0]

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 70759f5359d6e5f7b868b74399e20d8ea7956769)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit c365c42ef371d948570a2b41b4f87af193a0eab6
Author: Bernd Kuhls <[email protected]>
Date:   Sat Mar 11 17:32:59 2017 +0100

    package/tor: bump version to 0.2.9.10

    Signed-off-by: Bernd Kuhls <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 660651491ea2ff8fc82d503a8e28bbd54e8d9131)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit b3442f2fe397bbd33f9ab745ff2601a8994a7153
Author: Yann E. MORIN <[email protected]>
Date:   Sun Mar 12 10:58:16 2017 +0100

    package/nbd: fix utilities locations

    Currently, the code expects both the client and server to be in
    /usr/bin, while the client is in /usr/sbin

    Fix that.

    Signed-off-by: "Yann E. MORIN" <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 4aabbeb245794862e8434317e885d6d028d23679)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit a3d83660c5352249d8da2bab8520442d13a06cec
Author: Peter Seiderer <[email protected]>
Date:   Fri Mar 10 23:15:47 2017 +0100

    qt5base: install libQt5EglFsKmsSupport

    According to src/plugins/platforms/eglfs/deviceintegration/deviceintegration.pro
    depends on eglfs_gbm which depends according to src/gui/configure.json
    on features.eglfs and features.gbm and features.kms, so dependency
    on BR2_PACKAGE_MESA3D_OPENGL_EGL which enables mesa3d gbm support
    should be sufficient.

    Signed-off-by: Peter Seiderer <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 5efe07f9af53c0cf0795d316cb84d58e530a9619)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 91bb73cb5a5a6764054a6f07eae1b6da12ed4086
Author: Peter Seiderer <[email protected]>
Date:   Fri Mar 10 23:15:46 2017 +0100

    qt5base: fix eglfs x11 header related compile failure

    Add egl config and QT_EGL_NO_X11 define (as all other eglfs project
    files do) to src/plugins/platforms/eglfs/eglfs-plugin.pro.

    Fixes ([1]):

      In file included from .../host/usr/arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/include/EGL/egl.h:39:0,
                       from ../../../../include/QtEglSupport/5.8.0/QtEglSupport/private/../../../../../src/platformsupport/eglconvenience/qt_egl_p.h:63,
                       from ../../../../include/QtEglSupport/5.8.0/QtEglSupport/private/qt_egl_p.h:1,
                       from api/qeglfsglobal_p.h:56,
                       from api/qeglfsintegration_p.h:54,
                       from qeglfsmain.cpp:41:
      .../host/usr/arm-buildroot-linux-uclibcgnueabihf/sysroot/usr/include/EGL/eglplatform.h:119:22: fatal error: X11/Xlib.h: No such file or directory
      compilation terminated.
      Makefile.eglfs-plugin:1024: recipe for target '.obj/qeglfsmain.o' failed
      make[2]: *** [.obj/qeglfsmain.o] Error 1
      make[2]: Leaving directory '.../qt5base-5.8.0/src/plugins/platforms/eglfs'
      Makefile:71: recipe for target 'sub-eglfs-plugin-pro-make_first-ordered' failed
      make[1]: *** [sub-eglfs-plugin-pro-make_first-ordered] Error 2

    [1] http://lists.busybox.net/pipermail/buildroot/2017-March/186158.html

    Signed-off-by: Peter Seiderer <[email protected]>
    Acked-by: Arnout Vandecappelle (Essensium/Mind) <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 5840e8bd505cef8846ed4f8fc769f306165ee174)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 2e1b15a6fba60f077fad070738801b592c794038
Author: Fabrice Fontaine <[email protected]>
Date:   Mon Feb 13 18:24:51 2017 +0100

    domoticz: fix build on powerpc64le

    There is an issue with powerpc64le and boost::uuids::random_generator on the
    following line of code (from include/boost/uuid/seed_rng.hpp):
    sha.process_bytes( (unsigned char const*)&std::rand, sizeof( void(*)() ) )
    This line "inspects the first couple bytes (here eight) of the std::rand
    function to seed some rng. Due to the implementation of process_bytes and
    inlining happening, it seems that one of the loops therein uses &rand-1 as
    some boundary, compiling with -O0 makes that reloc come out as 'rand + 0' and
    the link will succeed."
    See: https://bugzilla.suse.com/show_bug.cgi?id=955832#c7

    Fixes:
     - http://autobuild.buildroot.org/results/454c0ea393615bae2d1b44be9920f25b5c49fc33

    Signed-off-by: Fabrice Fontaine <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit 00d2a3da72455213b87069af475173060750d50d)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit f63fab1bae878509a79219ebff634af208daab0b
Author: Vicente Olivert Riera <[email protected]>
Date:   Fri Mar 10 17:06:18 2017 +0000

    imagemagick: bump version to 7.0.5-0 (security)

    - Fixed memory leak when creating nested exceptions in Magick++
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634

    - Fixed fd leak for webp coder
      https://github.com/ImageMagick/ImageMagick/pull/382

    - Fixed Spurious memory allocation message
      https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31438

    Full changelog: http://imagemagick.org/script/changelog.php

    Signed-off-by: Vicente Olivert Riera <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit d6cc5462535acf954abccd585efc3a07623cc416)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 8d36b6d034ea07c9dbddd4f407f34f1d2d01ccd8
Author: Yann E. MORIN <[email protected]>
Date:   Tue Mar 7 22:16:28 2017 +0100

    package/rpi-userland: don't install file in random location

    Currently, rpi-userland installs files in $(@D)/../../bin/ which is
    entirely stupid, especially in cross-compilation.

    Get rid of the dubious, broken, custom install command.

    Signed-off-by: "Yann E. MORIN" <[email protected]>
    Tested-by: Peter Seiderer <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit ffa39b23f7ece3a3d9ea914c2e385ce222bdf921)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit de33cffb6631ec116679fbd6352aef5cf912df65
Author: Romain Naour <[email protected]>
Date:   Sat Mar 11 22:26:45 2017 +0100

    package/gdb: fix gnulib issue with musl and uClibc toolchains again

    The commit [1] doesn't fix this issue for all cases (it doesn't work
    when BR2_PACKAGE_GDB_DEBUGGER=y).
    So, leave the configure script alone and override
    gl_cv_func_gettimeofday_clobber from GDB_MAKE_ENV.

    [1] 560334bb2a46a77081a3944d092df7732dfca432

    Fixes:
    http://autobuild.buildroot.net/results/719/719a441421030b79c0aa1bbfb707130f3ac87338

    Signed-off-by: Romain Naour <[email protected]>
    Cc: Thomas Petazzoni <[email protected]>
    Signed-off-by: Thomas Petazzoni <[email protected]>
    (cherry picked from commit faf38b78aee613a732f96d5022a2894efd024a25)
    Signed-off-by: Peter Korsgaard <[email protected]>

commit 34345f1b033e338b1933381a992d9f92f4fe9ae5
Author: Julien BOIBESSOT <julien.boibesso…
@insuyun
Copy link

insuyun commented Aug 19, 2017

This bug seems not patched.
My fuzzer triggers same bug even in commit ce536d7.
PoC is here https://github.com/jakkdu/poc/blob/master/000007-audiofile-heapovfl-Expand3To4Module-run

@asarubbo
Copy link
Author

Unless I'm missing something, the latest commit is on 30 August 2016, so there were no patches for all of issues reported by me.

@insuyun
Copy link

insuyun commented Aug 19, 2017

Correct me if I am wrong. I used the patch in the pull request. I though it's patch for this issue, but not applied to mainline yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants