path: root/meta/recipes-extended/cpio/cpio_2.12.bb
Age | Commit message | Author
2018-06-15 | cpio: fix CVE-2016-2037 | Andre McCurdy

"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file."

https://nvd.nist.gov/vuln/detail/CVE-2016-2037

Note that there appear to be two versions of this fix. The original patch posted to the bug-cpio mailing list [1] is used by Debian [2], but apparently causes regression [3]. The patch accepted to the upstream git repo [4] seems to be the most complete fix.

[1] https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
[2] https://security-tracker.debian.org/tracker/CVE-2016-2037
[3] https://www.mail-archive.com/bug-cpio@gnu.org/msg00584.html
[4] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>

2018-06-15 | cpio: rely on texinfo.bbclass for texinfo-native dependency | Andre McCurdy

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>

2018-06-15 | cpio: move contents of cpio_v2.inc into the cpio recipe | Andre McCurdy

Merge contents of cpio_v2.inc into the only recipe which uses it.

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>

2017-01-09 | meta: use require instead of include when file should exist | Paul Eggleton

If the file is expected to exist, then we should always be using require so that if it doesn't we get an error rather than some other more obscure failure later on.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>

2015-12-16 | cpio: update to 2.12 | Alexander Kanavin

Drop backported patches:
Fix-symlink-bad-length-test-for-64-bit-architectures.patch
fix-memory-overrun.patch
fix-testcase-symlink-bad-lengths.patch
0001-fix-testcase-of-symlink-bad-length.patch

statdef.patch is fixing code that doesn't exist anymore.

The problem handled by remove-gets.patch has been fixed differently.

The CVE-2015-1197 has been ignored by upstream and had to be rebased:
http://lists.gnu.org/archive/html/bug-cpio/2015-09/msg00007.html

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>