path: root/meta/recipes-extended/libarchive
Age | Commit message | Author
2019-03-05 | libarchive: integrate security fixes | Ross Burton
Fix the following CVEs by backporting patches from upstream: - CVE-2019-1000019 - CVE-2019-1000020 - CVE-2018-1000877 - CVE-2018-1000878 - CVE-2018-1000879 - CVE-2018-1000880 Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-10 | libarchive: fix bug1066 | Andrej Valek
Fix out of bounds read on empty string filename for gnutar, pax and v7tar Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-21 | libarchive: Update 3.3.2 -> 3.3.3 | Otavio Salvador
This upgrades to the 3.3.3 release and drops the backported patches when doing the recipe update. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-09-04 | libarchive: CVE-2017-14501 | Jagadeesh Krishnanjanappa
iso9660: validate directory record length Affects libarchive <= 3.3.2 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-23 | libarchive: CVE-2017-14503 | Jagadeesh Krishnanjanappa
Reject LHA archive entries with negative size. Affects libarchive = 3.3.2 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-01-17 | libarchive: Enable xz and lzo by default | Otavio Salvador
The XZ format is widely used and multiple recipes inside OE-Core already use it, so making the XZ enabled by default aligns with the expectation of users. The LZO, on the other side, is commonly used in embedded systems due to its performance so it makes sense to be available by default. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-10-06 | libarchive: re-add non-recursive extract and list support | Patrick Ohly
This patch is needed for meta-swupd. Without it, some bsdtar invocations fail with: bsdtar: Option -n is not permitted in mode -x The patch was removed in the update to 3.3.1 with the claim that it had been merged upstream, but that is not the case. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-10-06 | libarchive: CVE-2017-14502 | Zhixiong Chi
read_header in archive_read_support_format_rar.c suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header. Backport the patch from https://github.com/libarchive/libarchive/commit commit 5562545b5562f6d12a4ef991fae158bf4ccf92b6 CVE: CVE-2017-14502 Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-09-12 | libarchive: fix bug929 and CVE-2017-14166 | Andrej Valek
Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-16 | libarchive: Remove xz packageconfig --with-lzmadec option | Fabio Berton
--with-lzmadec option was removed in libarchive commit: 30e1b7efd472e0439bea14df6a2d19cd8b5ac15e See Github PR: https://github.com/libarchive/libarchive/pull/806 Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-17 | libarchive: Upgrade to 3.3.2 release | Otavio Salvador
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-05-16 | libarchive: 3.2.2 -> 3.3.1 | Huang Qiyu
1) Upgrade libarchive from 3.2.2 to 3.3.1. 2) Fix an unknown-configure-option "--without-lzmadec" when do_configure. 3) Delete three patches, since they are integrated upstream. 0001-archive_write_disk_posix.c-make-_fsobj-functions-mor.patch 0002-Fix-extracting-hardlinks-over-symlinks.patch non-recursive-extract-and-list.patch Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-03-07 | meta: start to ignore the largefile distro feature | Andre McCurdy
The largefile distro feature has been enabled by default in oe-core for a long time and, more recently, also in poky-tiny. Building without the largefile distro feature receives little or no testing. Many packages now enable LFS without exposing a configure option, so there should be very little expectation that disabling the distro feature will result in a distro which globally disables LFS. Respecting the distro feature adds a maintenance over-head and may be the source of configuration oddities (e.g. dbus-native currently builds with LFS disabled for no clear reason - fixed by this commit). Ignore the largefile distro feature more widely, as a first step towards deprecating and eventually removing it. Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-01 | recipes: Make use of the new bb.utils.filter() function | Peter Kjellerstedt
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-23 | libarchive: Backport upstream fixes. | Amarnath Valluri
This set of patches is backported from upstream, which fixes the issues in extracting hardlinks over softlinks while extracting packages by opkg. Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-02-23 | libarchive: fix bzip2 dependency for native build | Patrick Ohly
When DEPENDS=bzip2 becomes bzip2-native in libarchive-native, the dependency ends up getting ignored because bzip2-native is in ASSUME_PROVIDED. But we need the library and thus have to depend on bzip2-replacement-native, otherwise the build proceeds without it despite the explicit --with-bz2lib. (From OE-Core rev: 7ae1c93ab6df46dc88b0ffaa52778738849ff38d) Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-12-13 | libarchive: fix ALTERNATIVE_PRIORITY to avoid conflict | Chen Qi
'tar' utility from tar and bsdtar has the same alternative priority. 'cpio' utility from cpio and bsdcpio has the same alternative priority. Lower the ALTERNATIVE_PRIORITY to avoid conflict. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-07 | libarchive: enable non-recursive extract/list | Patrick Ohly
Required for meta-swupd performance enhancements: in meta-swupd, the so called "mega" image contains a rootfs with all files that can potentially be installed on a device. Other virtual image recipes need a subset of those files or directories, and a partial extraction from a single tar archive is faster than letting all virtual image recipes share access to a directory under a single pseudo instance. It may be necessary to extract a directory with all of its attributes without the content of the directory, hence this patch. Upstream agreed to consider merging such a patch (see https://groups.google.com/forum/#!topic/libarchive-discuss/JO3hqSaAVfs) but has been slow in actually commenting on it, so for now it has to be carried as a distro patch. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-06 | libarchive: update to 3.2.2 | Alexander Kanavin
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-07-10 | libarchive: update to 3.2.1 | Alexander Kanavin
Drop merged 0001-configure.ac-check-acl-libacl.h-and-sys-acl.h-based-.patch Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-06-05 | libarchive: respect disable-acl configuration option | Maxin B. John
Update configure.ac to properly handle --disable-acl option [YOCTO #9668] Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-06-04 | libarchive: Add PACKAGECONFIG for lz4 to ensure determinism | Richard Purdie
This avoids: WARNING: opkg-1_0.3.1-r0 do_package_qa: QA Issue: libopkg rdepends on lz4, but it isn't a build dependency, missing lz4 in DEPENDS or PACKAGECONFIG? [build-deps] and ERROR: build-appliance-image-15.0.0-r0 do_rootfs: Unable to install packages. Command '/home/pokybuild/yocto-autobuilder/yocto-worker/build-appliance/build/build/tmp/sysroots/x86_64-linux/usr/bin/smart --log-level=warning --data-dir=/home/pokybuild/yocto-autobuilder/yocto-worker/build-appliance/build/build/tmp/work/qemux86_64-poky-linux/build-appliance-image/15.0.0-r0/rootfs/var/lib/smart install -y packagegroup-core-boot@qemux86_64 packagegroup-core-ssh-openssh@all psplash@core2_64 kernel-dev@qemux86_64 packagegroup-core-x11-base@all kernel-devsrc@qemux86_64 smartpm@core2_64 packagegroup-self-hosted@all rpm@core2_64 locale-base-en-us@core2_64 locale-base-en-gb@core2_64' returned 1: Loading cache... Updating cache... ######################################## [100%] Computing transaction...error: Can't install libopkg1-1:0.3.1-r0.0@core2_64: no package provides lz4 >= 131+git0+d86dc9167 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-06-01 | libarchive: Upgrade to v3.2.0 | Paul Barker
All patches are removed as they are no longer needed. Most were merged into this release of libarchive. "0001-Set-xattrs-after-setting-times.patch" was dropped upstream after discussion, see https://github.com/libarchive/libarchive/pull/664. The COPYING file in libarchive had a couple of minor changes to clarify which files are under which copyrights but the overall license is unaffected. Signed-off-by: Paul Barker <paul@paulbarker.me.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-03-02 | libarchive: Set xattrs after setting times | Dmitry Rozhkov
With Integrity Measurement Architecture (IMA) enabled in Linux kernel the security.ima extended attribute gets overwritten when setting times on a file with a futimens() call. So it's safer to set xattrs after times. Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-01-31 | libarchive-native: Disable libxml2 support | Richard Purdie
For libarchive-native, we don't really need libxml2 support. Adding this means we need libxml2-native which means we need python-native and makes the dependency chains pretty heavy. The target case is unaffected. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-17 | libarchive: Add bsdtar and bsdcpio packages | Dmitry Rozhkov
Some products might need to use a tar replacement that 1. supports xattrs and 2. has more permissive license than GNU tar. And the bsdtar binary produced from libarchive meets these requirements. Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-11 | Add "CVE:" tag to current patches in OE-core | Mariano Lopez
The current patches in OE-core don't have the "CVE:" tag, now part of the policy of the patches. This patch adds this tag to several patches. There might be patches that I miss; the tag can be added in the future. Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2015-11-16 | libarchive: rename patch to reflect CVE | Ross Burton
This patch is a CVE fix, so rename it to help CVE detection tools identify it as such. Signed-off-by: Ross Burton <ross.burton@intel.com>
2015-05-07 | libarchive: fix out of tree builds | Ross Burton
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-04-28 | libarchive: Security Advisory - libarchive - CVE-2015-2304 | Li Zhou
libarchive: Updated libarchive packages fix security vulnerability Alexander Cherepanov discovered that bsdcpio, an implementation of the "cpio" program part of the libarchive project, is susceptible to a directory traversal vulnerability via absolute paths. Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-08-11 | libarchive: add PACKAGECONFIG for nettle | Martin Jansa
* fixes following floating dependencies: libarchive/libarchive/latest lost dependency on nettle libarchive/libarchive-bin/latest lost dependency on libxml2 nettle Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-06 | libarchive: avoid dependency on e2fsprogs | Paul Eggleton
libarchive's configure script looks for ext2fs/ext2_fs.h in order to use some defines for file attributes support if present (but doesn't link to any additional libraries.) There is no configure option to disable this, and if e2fsprogs is rebuilding between do_configure and do_compile you can currently get a failure. Because it doesn't need anything else from e2fsprogs, and e2fsprogs isn't currently buildable for nativesdk anyway, copy the headers in from e2fsprogs-native which we're likely to have built already (and add it to DEPENDS just to be sure we have.) Fixes [YOCTO #6268]. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-03 | recipes: Add missing pkgconfig class inherits | Richard Purdie
These recipes all use pkg-config in some way but were missing dependencies on the tool, this patch adds them. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-05-28 | libarchive: Use pkg-config for libxml2 dependency | Richard Purdie
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-25 | Globally replace 'base_contains' calls with 'bb.utils.contains' | Otavio Salvador
The base_contains is kept as a compatibility method and we ought to not use it in OE-Core so we can remove it from base metadata in future. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-04 | libarchive: Add PACKAGECONFIG for lzo | Paul Barker
This ensures that the dependency on lzo is deterministic rather than floating. The configure option to libarchive refers to this library as 'lzo2' but it is just called 'lzo' in OpenEmbedded. Signed-off-by: Paul Barker <paul@paulbarker.me.uk> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-03-28 | libarchive: fix CVE-2013-0211 | Baogen Shang
CVE description: Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0211 Signed-off-by: Baogen Shang <baogen.shang@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-02-28 | autotools-brokensep: Mark recipes with broken separate build dir support | Richard Purdie
This patch goes through the OE-Core recipes and marks those which use autotools but don't support a separate build directory (${S} != ${B}). A new class, autotools-brokensep is used for this purpose. This doesn't introduce any change in behaviour in its own right. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-01-08 | libarchive: Upgrade to v3.1.2 | Paul Barker
All patches against libarchive in oe-core appear to be merged into the latest release. The license checksum has changed because a couple of referenced files have been renamed but there is no change to the license terms themselves. Signed-off-by: Paul Barker <paul@paulbarker.me.uk> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-12-10 | meta/*: remove unnecessary patches | Chong Lu
The following patches are found, but not used by any recipe, so we should remove them.
meta/recipes-connectivity/avahi/files/fix_for_automake_1.11.2.patch
meta/recipes-connectivity/dhcp/dhcp/fix-client-path.patch
meta/recipes-connectivity/libnss-mdns/files/alignment-fix.patch
meta/recipes-core/dbus/dbus-1.6.10/test-run-path.patch
meta/recipes-core/gettext/gettext-0.16.1/fixchicken.patch
meta/recipes-core/gettext/gettext-0.16.1/getline.m4.patch
meta/recipes-core/systemd/systemd/use-rootlibdir.patch
meta/recipes-core/util-linux/util-linux/remove-lscpu.patch
meta/recipes-core/util-linux/util-linux/remove_sigsetmark.patch
meta/recipes-core/util-linux/util-linux/uclibc-compile.patch
meta/recipes-devtools/autoconf/autoconf/autoconf-x.patch
meta/recipes-devtools/btrfs-tools/btrfs-tools/btrfs-progs-fix-parallel-build.patch
meta/recipes-devtools/btrfs-tools/btrfs-tools/btrfs-progs-fix-parallel-build2.patch
meta/recipes-devtools/cdrtools/cdrtools-native/no_usr_src.patch
meta/recipes-devtools/elfutils/elfutils-0.155/elfutils-robustify.patch
meta/recipes-devtools/gdb/gdb/libiberty-cross.patch
meta/recipes-devtools/perl/perl-5.14.3/asm-pageh-fix.patch
meta/recipes-devtools/python/python-native/sys_platform_is_now_always_linux2.patch
meta/recipes-devtools/python/python-pygobject/generate-constants.patch
meta/recipes-devtools/qemu/files/3f08ffb4a4741d147634761dc053ed386243a0de.patch
meta/recipes-devtools/qemu/files/enable-i386-linux-user.patch
meta/recipes-devtools/qemu/files/init-info.patch
meta/recipes-devtools/rpm/rpm/rpm_fix_for_automake-1.12.patch
meta/recipes-devtools/tcf-agent/tcf-agent/fix_tcf-agent.init.patch
meta/recipes-extended/iputils/files/arping-break-libsysfs-dependency.patch
meta/recipes-extended/libarchive/libarchive/0003-Patch-from-upstream-rev-2516.patch
meta/recipes-extended/procps/procps-3.2.8/pagesz-not-constant.patch
meta/recipes-gnome/gtk+/gtk+-2.24.22/no-demos.patch
meta/recipes-gnome/libglade/libglade-2.6.4/no-deprecation.patch
meta/recipes-graphics/mesa/mesa/0005-llvmpipe-remove-the-power-of-two-sizeof-struct-cmd_b.patch
meta/recipes-graphics/xorg-lib/libxxf86dga/libxxf86dga-1.1.3_fix_for_x32.patch
meta/recipes-kernel/kmod/kmod/fix-undefined-O_CLOEXEC.patch
meta/recipes-kernel/linux-libc-headers/linux-libc-headers/connector-msg-size-fix.patch
meta/recipes-kernel/linux/linux-yocto/tools-perf-no-scripting.patch
meta/recipes-support/gnutls/gnutls/gnutls-texinfo-euro.patch
meta/recipes-support/nspr/nspr/fix-build-on-aarch64.patch
[YOCTO #5180] Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-12-05 | libarchive: add SUMMARY and fix HOMEPAGE | Paul Eggleton
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-10-30 | recipes: Remove PR = r0 from all recipes | Richard Purdie
Remove all PR = "r0" from all .bb files in oe-core. This was done with the command sed -e '/^PR.*=.*r0\"/d' recipes*/*/*.bb -i We're switching to the PR server, PR bumps are no longer needed and this saves people either accidentally bumping them or forgetting to remove the lines (r0 is the default anyway). Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-10-26 | libarchive: replace += with _append for appending to OVERRIDES variables | Ming Liu
In some cases, it's unfit to use "+=" in a conditional appending, we would end up with the variable being set rather than being appended, which is not what it is meant to do. Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-10-14 | libarchive: Add -native version needed for pixz | Richard Purdie
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-05-30 | libarchive: Fix build dependencies | Mark Hatle
Move to using the PACKAGECONFIG mechanism to select configure options and dependencies. Without this the system will attempt to discover various dependencies, and usually does so incorrectly. We also ensure that the nativesdk version does not inherit any of the DISTRO_FEATURES. We shouldn't need acl or xattr support for nativesdk. Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2011-11-10 | libarchive: Remove obsolete comment and empty line at the end | Paul Menzel
This is a fix up for commit fb19df5b21e551c5dfdfa340438952560c5fa528 Author: Xiaofeng Yan <xiaofeng.yan@windriver.com> Date: Mon Nov 7 20:03:53 2011 +0800 libarchive: update to 2.8.5 Remove patch "0003-Patch-from-upstream-rev-2516.patch" because it has been merged to source codes. Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com> removing a now obsolete comment because the undistributable content was removed [1] from upstream’s tarball. Also remove an empty line at the end introduced in the above commit. [1] http://code.google.com/p/libarchive/issues/detail?id=162 Signed-off-by: Paul Menzel <paulepanter@users.sourceforge.net>
2011-11-08 | libarchive: update to 2.8.5 | Xiaofeng Yan
Remove patch "0003-Patch-from-upstream-rev-2516.patch" because it has been merged to source codes. Signed-off-by: Xiaofeng Yan <xiaofeng.yan@windriver.com>
2011-07-12 | libarchive: remove undistributable copyright content from source | Otavio Salvador
The original tarball has two undistributable files that we have removed from the repacked tarball. The issue has been reported upstream at: http://code.google.com/p/libarchive/issues/detail?id=162 Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2011-07-08 | libarchive: add 2.8.4 version | Otavio Salvador
This recipe has been imported from OpenEmbedded (rev 6db4b9050e0e8b963e2a6b63790e48e3042ea99e). Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>