[Buildroot] [PATCH v2 1/3] package/kodi: Fix build with curl 8.16.0

[Buildroot] [PATCH v2 1/3] package/kodi: Fix build with curl 8.16.0

[Bernd Kuhls]

curl 8.16.0 bumped the enums to long, see
https://github.com/curl/curl/pull/18054

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
v2: added note in patch about patch origin (Baruch)

 package/kodi/0002-curl-8.16.0.patch | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 package/kodi/0002-curl-8.16.0.patch

diff --git a/package/kodi/0002-curl-8.16.0.patch b/package/kodi/0002-curl-8.16.0.patch
new file mode 100644
index 0000000000..31ffa7b964
--- /dev/null
+++ b/package/kodi/0002-curl-8.16.0.patch
@@ -0,0 +1,24 @@
+Fix build with curl 8.16.0
+
+Downloaded from
+https://gitlab.alpinelinux.org/alpine/aports/-/commit/106a02411488e3f71b9f2085a4a857e4be27b9ea
+
+Upstream: https://github.com/xbmc/xbmc/pull/27224
+
+The upstream patch is aimed at the upcoming release of Kodi 22.0 which
+saw many changes to CurlFile.cpp so we use the fix from Alpine.
+
+Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
+
+--- a/xbmc/filesystem/CurlFile.cpp
++++ b/xbmc/filesystem/CurlFile.cpp
+@@ -44,7 +44,7 @@ using namespace std::chrono_literals;
+ 
+ #define FITS_INT(a) (((a) <= INT_MAX) && ((a) >= INT_MIN))
+ 
+-curl_proxytype proxyType2CUrlProxyType[] = {
++long proxyType2CUrlProxyType[] = {
+     CURLPROXY_HTTP,   CURLPROXY_SOCKS4,          CURLPROXY_SOCKS4A,
+     CURLPROXY_SOCKS5, CURLPROXY_SOCKS5_HOSTNAME, CURLPROXY_HTTPS,
+ };
+
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/3] package/cmake: bump version to 4.0.4

[Bernd Kuhls]

License file was renamed upstream
https://gitlab.kitware.com/cmake/cmake/-/commit/2d42a5444f859891b6598c76ea5d51510013565e
and updated:
https://gitlab.kitware.com/cmake/cmake/-/commits/v4.0.3/LICENSE.rst?ref_type=tags

This release fixes the build with libcurl >= 8.16.0

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
 package/cmake/Config.in.host | 5 +++++
 package/cmake/cmake.hash     | 6 +++---
 package/cmake/cmake.mk       | 6 +++---
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/package/cmake/Config.in.host b/package/cmake/Config.in.host
index b30ce03a1c..c1ebbeb4be 100644
--- a/package/cmake/Config.in.host
+++ b/package/cmake/Config.in.host
@@ -63,10 +63,15 @@ config BR2_HOST_CMAKE_AT_LEAST_3_31
 	bool
 	select BR2_HOST_CMAKE_AT_LEAST_3_30
 
+config BR2_HOST_CMAKE_AT_LEAST_4_0
+	bool
+	select BR2_HOST_CMAKE_AT_LEAST_3_31
+
 # This order guarantees that the highest version is set, as kconfig
 # stops affecting a value on the first matching default.
 config BR2_HOST_CMAKE_AT_LEAST
 	string
+	default "4.0"	if BR2_HOST_CMAKE_AT_LEAST_4_0
 	default "3.31"	if BR2_HOST_CMAKE_AT_LEAST_3_31
 	default "3.30"	if BR2_HOST_CMAKE_AT_LEAST_3_30
 	default "3.29"	if BR2_HOST_CMAKE_AT_LEAST_3_29
diff --git a/package/cmake/cmake.hash b/package/cmake/cmake.hash
index 6101fe16f0..5a986319b4 100644
--- a/package/cmake/cmake.hash
+++ b/package/cmake/cmake.hash
@@ -1,5 +1,5 @@
-# From https://cmake.org/files/v3.31/cmake-3.31.8-SHA-256.txt
-sha256  e3cde3ca83dc2d3212105326b8f1b565116be808394384007e7ef1c253af6caa  cmake-3.31.8.tar.gz
+# From https://cmake.org/files/v4.0/cmake-4.0.4-SHA-256.txt
+sha256  629be82af0b76e029b675a4a37569e2ddc1769d42a768957c00ec0e98407737e  cmake-4.0.4.tar.gz
 
 # Locally calculated
-sha256  0676e30827684487aa0ea8f72f01e9460a6320fa34a2888df0ad1dd3e8a06eb8  Copyright.txt
+sha256  1e0d48f16c60f400838a96989684ae12cec35cb96688db11e8cb0204058cf4b8  LICENSE.rst
diff --git a/package/cmake/cmake.mk b/package/cmake/cmake.mk
index 1eb4da90ad..13c131f596 100644
--- a/package/cmake/cmake.mk
+++ b/package/cmake/cmake.mk
@@ -5,11 +5,11 @@
 ################################################################################
 
 # When updating the version, please also update BR2_HOST_CMAKE_AT_LEAST_X_Y
-CMAKE_VERSION_MAJOR = 3.31
-CMAKE_VERSION = $(CMAKE_VERSION_MAJOR).8
+CMAKE_VERSION_MAJOR = 4.0
+CMAKE_VERSION = $(CMAKE_VERSION_MAJOR).4
 CMAKE_SITE = https://cmake.org/files/v$(CMAKE_VERSION_MAJOR)
 CMAKE_LICENSE = BSD-3-Clause
-CMAKE_LICENSE_FILES = Copyright.txt
+CMAKE_LICENSE_FILES = LICENSE.rst
 CMAKE_CPE_ID_VALID = YES
 # Tool download MITM attack warning if using npm package to install cmake
 CMAKE_IGNORE_CVES = CVE-2016-10642
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 3/3] package/libcurl: security bump version to 8.16.0

[Bernd Kuhls]

Changelog: https://curl.se/ch/8.16.0.html

Fixed CVEs:
CVE-2025-9086: https://curl.se/docs/CVE-2025-9086.html
CVE-2025-10148: https://curl.se/docs/CVE-2025-10148.html

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
 package/libcurl/libcurl.hash | 4 ++--
 package/libcurl/libcurl.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
index 2e36917382..4cc4da4f26 100644
--- a/package/libcurl/libcurl.hash
+++ b/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://curl.se/download/curl-8.15.0.tar.xz.asc
+# https://curl.se/download/curl-8.16.0.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256  6cd0a8a5b126ddfda61c94dc2c3fc53481ba7a35461cf7c5ab66aa9d6775b609  curl-8.15.0.tar.xz
+sha256  40c8cddbcb6cc6251c03dea423a472a6cea4037be654ba5cf5dec6eb2d22ff1d  curl-8.16.0.tar.xz
 sha256  e18f1989333b70044b2adfb7dc2f905d0119dbdcac3bc9f4bc9d540e3a29de5b  COPYING
diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
index 1cfdda27d2..0aa88044bd 100644
--- a/package/libcurl/libcurl.mk
+++ b/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 8.15.0
+LIBCURL_VERSION = 8.16.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/3] package/kodi: Fix build with curl 8.16.0

[Peter Korsgaard]

>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:

 > curl 8.16.0 bumped the enums to long, see
 > https://github.com/curl/curl/pull/18054

 > Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
 > ---
 > v2: added note in patch about patch origin (Baruch)

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/3] package/cmake: bump version to 4.0.4

[Peter Korsgaard]

>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:

 > License file was renamed upstream
 > https://gitlab.kitware.com/cmake/cmake/-/commit/2d42a5444f859891b6598c76ea5d51510013565e
 > and updated:
 > https://gitlab.kitware.com/cmake/cmake/-/commits/v4.0.3/LICENSE.rst?ref_type=tags

 > This release fixes the build with libcurl >= 8.16.0

 > Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Given that libcurl 8.16.0 is a security fix we would like to backport it
to stable/lts. Could we do some simpler fix and only later move to cmake
4?

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/3] package/libcurl: security bump version to 8.16.0

[Peter Korsgaard]

>>>>> "Bernd" == Bernd Kuhls <bernd@kuhls.net> writes:

 > Changelog: https://curl.se/ch/8.16.0.html
 > Fixed CVEs:
 > CVE-2025-9086: https://curl.se/docs/CVE-2025-9086.html
 > CVE-2025-10148: https://curl.se/docs/CVE-2025-10148.html

 > Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Committed, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/3] package/cmake: bump version to 4.0.4

[Thomas Petazzoni via buildroot]

On Fri, 12 Sep 2025 17:29:37 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:

> Given that libcurl 8.16.0 is a security fix we would like to backport it
> to stable/lts. Could we do some simpler fix and only later move to cmake
> 4?

Also worth mentioning that CMake is broken in 2025.02.x:

  https://autobuild.buildroot.net/results/bda/bdac2534f79e0def3185138f00efb189d68c7cad/build-end.log

/workdir/instance-0/output-1/build/cmake-3.31.5/Source/cmCurl.cxx: In function 'std::string cmCurlSetNETRCOption(CURL*, const std::string&, const std::string&)':
/workdir/instance-0/output-1/build/cmake-3.31.5/Source/cmCurl.cxx:178:26: error: invalid conversion from 'long int' to 'CURL_NETRC_OPTION' [-fpermissive]
  178 |       curl_netrc_level = CURL_NETRC_OPTIONAL;
      |                          ^~~~~~~~~~~~~~~~~~~
      |                          |
      |                          long int

I suspect upstream CMake commit
1b0c92a3a1b782ff3e1c4499b6ab8db614d45bcd might help, but I'm not sure.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/3] package/kodi: Fix build with curl 8.16.0

[Thomas Perale via buildroot]

In reply of:
> curl 8.16.0 bumped the enums to long, see
> https://github.com/curl/curl/pull/18054
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks

> ---
> v2: added note in patch about patch origin (Baruch)
> 
>  package/kodi/0002-curl-8.16.0.patch | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>  create mode 100644 package/kodi/0002-curl-8.16.0.patch
> 
> diff --git a/package/kodi/0002-curl-8.16.0.patch b/package/kodi/0002-curl-8.16.0.patch
> new file mode 100644
> index 0000000000..31ffa7b964
> --- /dev/null
> +++ b/package/kodi/0002-curl-8.16.0.patch
> @@ -0,0 +1,24 @@
> +Fix build with curl 8.16.0
> +
> +Downloaded from
> +https://gitlab.alpinelinux.org/alpine/aports/-/commit/106a02411488e3f71b9f2085a4a857e4be27b9ea
> +
> +Upstream: https://github.com/xbmc/xbmc/pull/27224
> +
> +The upstream patch is aimed at the upcoming release of Kodi 22.0 which
> +saw many changes to CurlFile.cpp so we use the fix from Alpine.
> +
> +Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
> +
> +--- a/xbmc/filesystem/CurlFile.cpp
> ++++ b/xbmc/filesystem/CurlFile.cpp
> +@@ -44,7 +44,7 @@ using namespace std::chrono_literals;
> + 
> + #define FITS_INT(a) (((a) <= INT_MAX) && ((a) >= INT_MIN))
> + 
> +-curl_proxytype proxyType2CUrlProxyType[] = {
> ++long proxyType2CUrlProxyType[] = {
> +     CURLPROXY_HTTP,   CURLPROXY_SOCKS4,          CURLPROXY_SOCKS4A,
> +     CURLPROXY_SOCKS5, CURLPROXY_SOCKS5_HOSTNAME, CURLPROXY_HTTPS,
> + };
> +
> -- 
> 2.47.3
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/3] package/libcurl: security bump version to 8.16.0

[Thomas Perale via buildroot]

In reply of:
> Changelog: https://curl.se/ch/8.16.0.html
> 
> Fixed CVEs:
> CVE-2025-9086: https://curl.se/docs/CVE-2025-9086.html
> CVE-2025-10148: https://curl.se/docs/CVE-2025-10148.html
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

Applied to 2025.02.x, 2025.05.x & 2025.08.x. Thanks

> ---
>  package/libcurl/libcurl.hash | 4 ++--
>  package/libcurl/libcurl.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/libcurl/libcurl.hash b/package/libcurl/libcurl.hash
> index 2e36917382..4cc4da4f26 100644
> --- a/package/libcurl/libcurl.hash
> +++ b/package/libcurl/libcurl.hash
> @@ -1,5 +1,5 @@
>  # Locally calculated after checking pgp signature
> -# https://curl.se/download/curl-8.15.0.tar.xz.asc
> +# https://curl.se/download/curl-8.16.0.tar.xz.asc
>  # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
> -sha256  6cd0a8a5b126ddfda61c94dc2c3fc53481ba7a35461cf7c5ab66aa9d6775b609  curl-8.15.0.tar.xz
> +sha256  40c8cddbcb6cc6251c03dea423a472a6cea4037be654ba5cf5dec6eb2d22ff1d  curl-8.16.0.tar.xz
>  sha256  e18f1989333b70044b2adfb7dc2f905d0119dbdcac3bc9f4bc9d540e3a29de5b  COPYING
> diff --git a/package/libcurl/libcurl.mk b/package/libcurl/libcurl.mk
> index 1cfdda27d2..0aa88044bd 100644
> --- a/package/libcurl/libcurl.mk
> +++ b/package/libcurl/libcurl.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -LIBCURL_VERSION = 8.15.0
> +LIBCURL_VERSION = 8.16.0
>  LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
>  LIBCURL_SITE = https://curl.se/download
>  LIBCURL_DEPENDENCIES = host-pkgconf \
> -- 
> 2.47.3
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot