buildroot: bump to 2025.02.5

fhunleth · fhunleth · commit 70bc995526ae · 2025-08-18T15:25:08.000-04:00
This bumps Buildroot from 2025.02.3 to 2025.02.5. From the [2025.02.4 announcement](https://lore.kernel.org/buildroot/b8864d40-6037-4d7e-878a-6674b266c74c@rnout.be/T/): ``` Buildroot 2025.02.4 is a bugfix release, fixing a number of important / security related issues discovered since the 2025.02.3 release. Important / security related fixes: - assimp: CVE-2025-3015, CVE-2025-3016 - binutils: CVE-2025-3198 - connman: CVE-2025-32366, CVE-2025-32743 - go: CVE-2025-0913, CVE-2025-4673, CVE-2025-22874 - iputils: CVE-2025-47268, CVE-2025-48964 - jq: CVE-2024-23337, CVE-2025-48060, CVE-2024-53427 - libcurl: CVE-2025-4947, CVE-2025-5025, CVE-2025-5399 - net-tools: CVE-2025-46836 - nodejs: CVE-2025-23165, CVE-2025-23166 - openvmtools: CVE-2025-22247 - python-django: CVE-2025-48432 - python-requests: CVE-2024-47081 - python-tornado: CVE-2025-47287 - redis: CVE-2025-21605, CVE-2025-27151 - samba4: CVE-2025-0620 - sox: CVE-2021-23159, CVE-2021-23172, CVE-2021-23210, CVE-2021-3643, CVE-2021-40426, CVE-2022-31650, CVE-2022-31651, CVE-2023-26590, CVE-2023-32627, CVE-2023-34318 - webkitgtk: CVE-2025-24223, CVE-2025-31204, CVE-2025-31205, CVE-2025-31206, CVE-2025-31215, CVE-2025-31257 Updated / fixed packages: alsa-utils, atkmm, atmm2_28, audit, bluez5_utils, busybox, catch2, connman, dbus-glib, dlib, dovecot, esp-hosted, execline, firmware-ele-imx, flex, fluent-bit, freescale-imx, ghostscript, gmrender-resurrect, grub2, gst1-plugins-bad, gtkmm3, iputils, kmsxx, libcamera, libcurl, libglade, libical, libuv, llvm-project, lm-sensors, m4, mesa3d, mongoose, openvmtools, php, protobuf-c, python-django, python-fastapi, python-flit-core, python-jc, python-requests, python-uvicorn, qt5 (declarative, webengine, webengine-chromium), qt6 (base, multimedia, tools), rpm, samba4, spdlog, systemd, uacme, uboot-tools, yasm Removed package: libebur128 Infrastructure updates / fixes: - pkg-cmake now forces CMake>=3.5 - pkg-meson now uses a dedicated buildroot build directory see https://gitlab.com/buildroot.org/buildroot/-/issues/64 - include defconfigs in sub-directories in make list-defconfigs - new manual section about private repositories - pkg-autotools: handle libtool 2.5.x - pkg-cmake: force check_language(CXX) to be false when building w/o C++ - pkg-stats: add support for reporting stale CVE entries - add basic support for package file download over smb - toolchain/wrapper: check unsafe paths earlier - test_flutter: drop unneeded vga/vnc stanzas from QEMU invocation Test improvements - new python-pydantic runtime tests - new dieharder runtime test - test_xen: fix runtime test - test_timezone: fix test by setting a fixed time - new tree runtime test Boards fixes - imx6ulz-bsh-smm-m2: fix missing U-Boot - freescale: fix cpu name in i.MX9 boards - imx8mn-bsh-smm-s2: erase the entire NAND chip - freescale_t1040d4rdb: fix kernel build In addition, thanks to the new stale CVE reporting, reported vulnerabilities have been fixed for the following packages: busybox, dnsmasq, dovecot, exim, exim, freeradius-server, grub2, libopenh264, libssh, netsnmp, ninja, qt5base, ripgrep, sox, tinyxml ``` From the [2025.02.5 announcement](https://lore.kernel.org/buildroot/b8864d40-6037-4d7e-878a-6674b266c74c@rnout.be/T/): ``` Buildroot 2025.02.5 is a bugfix release, fixing a number of important / security related issues discovered since the 2025.02.4 release. Changes that are likely to affect users. - mbedtls is updated to 3.6.x, which is not API compatible with 2.28.x. Custom packages that depend on mbedtls may need to be updated. - The system CMake version must be smaller than 4.0. If the system on which you build has CMake 4.0 or later, host-cmake will be built. Important / security related fixes: - Bump mbedtls to version 3.6.4, this affect many packages depending on it. Also fixes CVE-2025-47917, CVE-2025-48965, CVE-2025-49087, CVE-2025-49600, CVE-2025-49601, CVE-2025-52496, CVE-2025-52497 - samba4: support Windows security hardening - apache: CVE-2025-53020, CVE-2025-49812, CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394, CVE-2024-43204, CVE-2024-42516, CVE-2025-54090 - assimp: CVE-2025-2750, CVE-2025-2751, CVE-2025-2757, CVE-2025-3158 - clamav: CVE-2025-20260 - edk2: CVE-2024-38805 - git: CVE-2025-27613, CVE-2025-27614, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, CVE-2025-48386 - jose: CVE-2023-50967 - libarchive: CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918 - libavif: CVE-2025-48174, CVE-2025-48175 - libblockdev: CVE-2025-6019 - libbpf: CVE-2025-29481 - libheif: CVE-2025-43966, CVE-2025-43967 - libhtp: CVE-2024-45797 - libsoup: CVE-2024-52530, CVE-2024-52531, CVE-2024-52532, CVE-2025-2784, CVE-2025-4476, CVE-2025-4948, CVE-2025-4969, CVE-2025-32050, CVE-2025-32052, CVE-2025-32053, CVE-2025-32906, CVE-2025-32910, CVE-2025-32911, CVE-2025-32912, CVE-2025-32913, CVE-2025-32914, CVE-2025-46420, CVE-2025-46421 - libxml2: CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49796, CVE-2025-49795 - micropython: CVE-2024-8947 - modsecurity2: CVE-2025-47947, CVE-2025-48866 - orc: CVE-2024-40897 - php: CVE-2025-1735, CVE-2025-6491, CVE-2025-1220 - python-aiohttp: CVE-2025-53643 - python-starlette: CVE-2025-54121 - python-urllib3: CVE-2025-50181, CVE-2025-50182 - python3: CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517 - redis: CVE-2025-32023, CVE-2025-48367 - shim: CVE-2024-2312 - sngrep: CVE-2024-3119, CVE-2024-3120 - sudo: CVE-2025-32462, CVE-2025-32463 - tcpreplay: CVE-2023-4256, CVE-2023-43279, CVE-2024-22654 - tinyxml: CVE-2023-34194 - wpewebkit: CVE-2024-27856, CVE-2024-40866, CVE-2024-44185, CVE-2024-44187, CVE-2024-44192, CVE-2024-44244, CVE-2024-44296, CVE-2024-44308, CVE-2024-44309, CVE-2024-54467, CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54534, CVE-2024-54543, CVE-2024-54551, CVE-2024-54658, CVE-2025-24143, CVE-2025-24150, CVE-2025-24158, CVE-2025-24162, CVE-2025-24201, CVE-2025-24208, CVE-2025-24209, CVE-2025-24213, CVE-2025-24216, CVE-2025-24223, CVE-2025-24264, CVE-2025-30427, CVE-2025-31204, CVE-2025-31205, CVE-2025-31206, CVE-2025-31215, CVE-2025-31257 - xorg-server / xwayland: CVE-2025-49175, CVE-2025-49176, CVE-2025-49177, CVE-2025-49178, CVE-2025-49179, CVE-2025-49180 Updated / fixed packages: avrdude, berkeleydb, binutils, bmx7, boot/shim, boot/syslinux, ca-certificates, chartjs, cifs-utils, cpp-httplib, cpulimit, daq, elfutils, eudev, fwupd, gcc, gnuplot, gstreamer1-editing-services, gumbo-parser, gvfs, haproxy, hddtemp, kvmtool, libargtable, libcddb, libconfuse, libcrossguid, libcurl, libesmtp, libgcrypt, libiec61850, libmanette, libmicrohttpd, libmpeg2, libndp, libopenssl, libp11, libssh2, libuhttpd, libva, linux, linux-tools (rtla), lrzsz, ltp-testsuite, lua, modem-manager, modsecurity2, mosquitto, mpv, mupdf, ncmpc, net-tools, network-manager, nginx-modsecurity, ntp, oniguruma, openblas, orc, parted, python-asgiref, python-cython, python-dbus-fast, python-fastapi, python-future, python-msgpack, python-multipart, python-remi, python-setuptools, qpid-proton, rauc-hawkbit-updater, rtl8188eu, rtl8723bu, rtl8723ds, rtl8821au, rust, shadowsock-libev, shairport-sync, sox, sqlite, squashfs, systemd, tailscale, tor, uclibc, ustream-ssl, watchdog, webkitgtk, xen Removed package: libolm, libwebsock Infrastructure updates / fixes: - python-glslang is now a host package only - Makefile unexports are now fixed and sorted - Hide GCC versions for unsupported CPUs - check-package: handle missing files - test-pkg: stop on sigint - check-host-cmake.mk: set host-cmake max version - toolchain/toolchain-wrapper.c: - correct CCACHE_BASEDIR comment - slightly simplify cmdline copying - get rid of EXCLUSIVE_ARGS Test improvements: - nginx-modsecurity: new test - gumbo-parser: new runtime test - add a crun-based runtime test for docker-compose - test_xen: add a base class - test_xen: test on 32-bit Arm v7 - test_xen: rename TestXen to TestXenAarch64 Boards updated / fixed: - globalscale_espressobin: update linux - freescale/mxs: fix linux booting - ti_am62x_sk: bump Linux version - raspberrypi5: fix failing build because of missing in-kernel dts ```
diff --git a/create-build.sh b/create-build.sh
@@ -20,7 +20,7 @@
 
 set -e
 
-NERVES_BR_VERSION=2025.02.3
+NERVES_BR_VERSION=2025.02.5
 
 DEFCONFIG=$1
 BUILD_DIR=$2
diff --git a/patches/buildroot/0010-Revert-package-libp11-bump-to-version-0.4.12.patch b/patches/buildroot/0010-Revert-package-libp11-bump-to-version-0.4.12.patch
@@ -1,17 +1,19 @@
-From 2a7391dd5b9d50cf7c071bdc342cb04ebdea1c11 Mon Sep 17 00:00:00 2001
+From c9172581a635293b49319eaf7ab26edfe5fe2798 Mon Sep 17 00:00:00 2001
 From: Frank Hunleth <fhunleth@troodon-software.com>
 Date: Sun, 11 Sep 2022 08:18:28 -0400
 Subject: [PATCH] Revert "package/libp11: bump to version 0.4.12"
 
 This reverts commit ecf8efb292fb410ab8080891fb017d4a01ef3cd5.
 ---
- package/libp11/0001-Update-wp11_rsa.c.patch   | 26 ++++++++++++
- ...rc-p11_attr.c-fix-build-with-gcc-4.8.patch | 42 -------------------
+ package/libp11/0001-Update-wp11_rsa.c.patch   | 26 +++++++
+ ...rc-p11_attr.c-fix-build-with-gcc-4.8.patch | 42 ------------
+ ...ange-bool-attribute-true-false-names.patch | 67 -------------------
  package/libp11/libp11.hash                    |  2 +-
  package/libp11/libp11.mk                      |  2 +-
- 4 files changed, 28 insertions(+), 44 deletions(-)
+ 5 files changed, 28 insertions(+), 111 deletions(-)
  create mode 100644 package/libp11/0001-Update-wp11_rsa.c.patch
  delete mode 100644 package/libp11/0001-src-p11_attr.c-fix-build-with-gcc-4.8.patch
+ delete mode 100644 package/libp11/0002-change-bool-attribute-true-false-names.patch
 
 diff --git a/package/libp11/0001-Update-wp11_rsa.c.patch b/package/libp11/0001-Update-wp11_rsa.c.patch
 new file mode 100644
@@ -93,6 +95,79 @@ index 60fc16d9d0..0000000000
 - 		if (tmpl->allocated & (1<<i))
 - 			OPENSSL_free(tmpl->attrs[i].pValue);
 - 	}
+diff --git a/package/libp11/0002-change-bool-attribute-true-false-names.patch b/package/libp11/0002-change-bool-attribute-true-false-names.patch
+deleted file mode 100644
+index d63ec74590..0000000000
+--- a/package/libp11/0002-change-bool-attribute-true-false-names.patch
++++ /dev/null
+@@ -1,67 +0,0 @@
+-From 89ccb1f097f56a0933f881af051422b8d67e457f Mon Sep 17 00:00:00 2001
+-From: dlegault <dlegault@blackberry.com>
+-Date: Fri, 2 Sep 2022 12:01:23 -0400
+-Subject: [PATCH] Change bool attribute true/false names to _true/_false
+-
+-This prevents conflicts with true/false defined in stdbool.h
+-
+-fixes #472
+-
+-Upstream: https://github.com/OpenSC/libp11/commit/89ccb1f097f56a0933f881af051422b8d67e457f
+-Signed-off-by: Thomas Perale <thomas.perale@mind.be>
+----
+- src/p11_attr.c |  6 +++---
+- src/p11_ec.c   | 14 +++++++-------
+- 2 files changed, 10 insertions(+), 10 deletions(-)
+-
+-diff --git a/src/p11_attr.c b/src/p11_attr.c
+-index d425241a..a420efad 100644
+---- a/src/p11_attr.c
+-+++ b/src/p11_attr.c
+-@@ -123,9 +123,9 @@ unsigned int pkcs11_addattr(PKCS11_TEMPLATE *tmpl, int type, void *data, size_t
+- 
+- void pkcs11_addattr_bool(PKCS11_TEMPLATE *tmpl, int type, int value)
+- {
+--	static CK_BBOOL true = CK_TRUE;
+--	static CK_BBOOL false = CK_FALSE;
+--	pkcs11_addattr(tmpl, type, value ? &true : &false, sizeof(CK_BBOOL));
+-+	static CK_BBOOL _true = CK_TRUE;
+-+	static CK_BBOOL _false = CK_FALSE;
+-+	pkcs11_addattr(tmpl, type, value ? &_true : &_false, sizeof(CK_BBOOL));
+- }
+- 
+- void pkcs11_addattr_s(PKCS11_TEMPLATE *tmpl, int type, const char *s)
+-diff --git a/src/p11_ec.c b/src/p11_ec.c
+-index 4fb4efc3..16e3b3af 100644
+---- a/src/p11_ec.c
+-+++ b/src/p11_ec.c
+-@@ -590,22 +590,22 @@ static int pkcs11_ecdh_derive(unsigned char **out, size_t *outlen,
+- 	CK_MECHANISM mechanism;
+- 	int rv;
+- 
+--	CK_BBOOL true = TRUE;
+--	CK_BBOOL false = FALSE;
+-+	CK_BBOOL _true = TRUE;
+-+	CK_BBOOL _false = FALSE;
+- 	CK_OBJECT_HANDLE newkey = CK_INVALID_HANDLE;
+- 	CK_OBJECT_CLASS newkey_class= CKO_SECRET_KEY;
+- 	CK_KEY_TYPE newkey_type = CKK_GENERIC_SECRET;
+- 	CK_ULONG newkey_len = key_len;
+- 	CK_OBJECT_HANDLE *tmpnewkey = (CK_OBJECT_HANDLE *)outnewkey;
+- 	CK_ATTRIBUTE newkey_template[] = {
+--		{CKA_TOKEN, &false, sizeof(false)}, /* session only object */
+-+		{CKA_TOKEN, &_false, sizeof(_false)}, /* session only object */
+- 		{CKA_CLASS, &newkey_class, sizeof(newkey_class)},
+- 		{CKA_KEY_TYPE, &newkey_type, sizeof(newkey_type)},
+- 		{CKA_VALUE_LEN, &newkey_len, sizeof(newkey_len)},
+--		{CKA_SENSITIVE, &false, sizeof(false) },
+--		{CKA_EXTRACTABLE, &true, sizeof(true) },
+--		{CKA_ENCRYPT, &true, sizeof(true)},
+--		{CKA_DECRYPT, &true, sizeof(true)}
+-+		{CKA_SENSITIVE, &_false, sizeof(_false) },
+-+		{CKA_EXTRACTABLE, &_true, sizeof(_true) },
+-+		{CKA_ENCRYPT, &_true, sizeof(_true)},
+-+		{CKA_DECRYPT, &_true, sizeof(_true)}
+- 	};
+- 
+- 	memset(&mechanism, 0, sizeof(mechanism));
 diff --git a/package/libp11/libp11.hash b/package/libp11/libp11.hash
 index 0e42bdd4cf..52d73d4206 100644
 --- a/package/libp11/libp11.hash
diff --git a/patches/buildroot/0016-package-mesa3d-mesa3d-headers-bump-version-to-25.0.2.patch b/patches/buildroot/0016-package-mesa3d-mesa3d-headers-bump-version-to-25.0.2.patch
@@ -1,4 +1,4 @@
-From 34f323efae57e74f745d631b06490bc43a5d0c0f Mon Sep 17 00:00:00 2001
+From 47548f9f23f3f0c3ade840bfb294fa606a699c7a Mon Sep 17 00:00:00 2001
 From: Bernd Kuhls <bernd@kuhls.net>
 Date: Fri, 21 Mar 2025 18:34:47 +0100
 Subject: [PATCH] package/{mesa3d, mesa3d-headers}: bump version to 25.0.2
@@ -102,7 +102,7 @@ https://gitlab.freedesktop.org/mesa/mesa/-/commit/5ddeea9a62f720e9fd3a6e5c76f74e
 
 Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
 ---
- Config.in.legacy                              | 16 ++++-
+ Config.in.legacy                              | 15 ++++
  package/mesa3d-headers/mesa3d-headers.mk      |  2 +-
  ...t-proper-value-for-LIBCLC_INCLUDEDIR.patch |  8 +--
  ...tion-to-disable-optional-neon-suppor.patch | 18 ++---
@@ -115,17 +115,16 @@ Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
  support/testing/tests/package/test_kmscube.py |  2 +-
  .../tests/package/test_python_pyqt5.py        |  2 +-
  support/testing/tests/package/test_weston.py  |  2 +-
- 13 files changed, 117 insertions(+), 56 deletions(-)
+ 13 files changed, 117 insertions(+), 55 deletions(-)
 
 diff --git a/Config.in.legacy b/Config.in.legacy
-index 44ee749329..467dcc9bd1 100644
+index 1ac87b3dc6..f0c55c4aa8 100644
 --- a/Config.in.legacy
 +++ b/Config.in.legacy
-@@ -144,7 +144,21 @@ endif
+@@ -182,6 +182,21 @@ config BR2_PACKAGE_LIBEBUR128
+ 	  The libebur128 package has been removed from Buildroot.
  
- ###############################################################################
- 
--comment "Legacy options removed in 2025.02"
+ comment "Legacy options removed in 2025.02"
 +config BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_SWRAST
 +	bool "mesa Gallium swrast driver was replaced by softpipe"
 +	select BR2_LEGACY
@@ -240,7 +239,7 @@ index f3919478a6..3b9bca0693 100644
  -  vc4_c_args += '-DUSE_ARM_ASM'
  +  vc4_c_args += '-DVC4_TILING_LT_NEON'
 diff --git a/package/mesa3d/Config.in b/package/mesa3d/Config.in
-index 0412998214..ef2c2c3258 100644
+index 37d2221946..1bd0cf60c2 100644
 --- a/package/mesa3d/Config.in
 +++ b/package/mesa3d/Config.in
 @@ -50,7 +50,8 @@ config BR2_PACKAGE_MESA3D_OPENCL
@@ -309,7 +308,7 @@ index 0412998214..ef2c2c3258 100644
  	select BR2_PACKAGE_MESA3D_GALLIUM_DRIVER
  	help
  	  This is a software opengl implementation using the Gallium3D
-@@ -307,7 +315,7 @@ comment "Vulkan drivers"
+@@ -308,7 +316,7 @@ comment "Vulkan drivers"
  config BR2_PACKAGE_MESA3D_VULKAN_DRIVER_BROADCOM
  	bool "Vulkan broadcom driver"
  	depends on BR2_arm || BR2_aarch64
@@ -318,7 +317,7 @@ index 0412998214..ef2c2c3258 100644
  	select BR2_PACKAGE_MESA3D_VULKAN_DRIVER
  	help
  	  Vulkan broadcom driver.
-@@ -331,7 +339,7 @@ comment "intel vulkan needs a glibc toolchain w/ headers >= 3.17"
+@@ -332,7 +340,7 @@ comment "intel vulkan needs a glibc toolchain w/ headers >= 3.17"
  config BR2_PACKAGE_MESA3D_VULKAN_DRIVER_SWRAST
  	bool "Vulkan swrast driver"
  	depends on BR2_PACKAGE_MESA3D_LLVM
@@ -327,7 +326,7 @@ index 0412998214..ef2c2c3258 100644
  	select BR2_PACKAGE_MESA3D_VULKAN_DRIVER
  	help
  	  Vulkan swrast driver.
-@@ -346,7 +354,7 @@ comment "Off-screen Rendering"
+@@ -347,7 +355,7 @@ comment "Off-screen Rendering"
  
  config BR2_PACKAGE_MESA3D_OSMESA_GALLIUM
  	bool "OSMesa (Gallium) library"
@@ -492,7 +491,7 @@ index 202fc5cc74..692846bae7 100644
  $(eval $(meson-package))
 +$(eval $(host-meson-package))
 diff --git a/support/testing/tests/package/test_flutter.py b/support/testing/tests/package/test_flutter.py
-index 08aa497417..e4040ca7dc 100644
+index e359a472ef..19406b7cb1 100644
 --- a/support/testing/tests/package/test_flutter.py
 +++ b/support/testing/tests/package/test_flutter.py
 @@ -22,7 +22,7 @@ class TestFlutter(infra.basetest.BRTest, GraphicsBase):
@@ -557,7 +556,7 @@ index 5f1952b559..65130f9c03 100644
          BR2_PACKAGE_MESA3D_OPENGL_EGL=y
          BR2_PACKAGE_MESA3D_OPENGL_ES=y
 diff --git a/support/testing/tests/package/test_weston.py b/support/testing/tests/package/test_weston.py
-index 2ed59a7f15..461ae50544 100644
+index 43b5240b2d..c4a522c95b 100644
 --- a/support/testing/tests/package/test_weston.py
 +++ b/support/testing/tests/package/test_weston.py
 @@ -22,7 +22,7 @@ class TestWeston(infra.basetest.BRTest, GraphicsBase):
