Age | Commit message (Collapse) | Author |
|
The installed unpigz is a hardlink to pigz.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
v2 changes:
* update format for commit log
* add Upstream-Status for patch
Multiple directory traversal vulnerabilities in pam_timestamp.c in the
pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to
create arbitrary files or possibly bypass authentication via a .. (dot
dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY
value to the check_tty function, which is used by the
format_timestamp_name function.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2583
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 69255c84ebd99629da8174e1e73fd8c715e49b52)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
Race condition in GNU screen 4.0.3 allows local users to create or
overwrite arbitrary files via a symlink attack on the
/tmp/screen-exchange temporary file.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
(cherry picked from commit be8693bf151987f59c9622b8fd8b659ee203cefc)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org> (merge fixes)
|
|
GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
world-readable permissions, which might allow local users to obtain
sensitive session information.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
(cherry picked from commit 25a212d0154906e7a05075d015dbc1cfdfabb73a)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org> (merge fixes)
|
|
Signed-off-by: Valentin Popa <valentin.popa@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
(cherry picked from commit cdbcadee68a47e985d25ba39359f3a3fa0049a8a)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
This ensures that the dependency on lzo is deterministic rather than floating.
The configure option to libarchive refers to this library as 'lzo2' but it is
just called 'lzo' in OpenEmbedded.
Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 09d729a21a2404095279c717c88ac494e2e716d6)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
CVE description:
Integer signedness error in the archive_write_zip_data function in
archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running
on 64-bit machines, allows context-dependent attackers to cause a denial of
service (crash) via unspecified vectors, which triggers an improper conversion
between unsigned and signed types, leading to a buffer overflow.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0211
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 355a8086637b859a469e1f2dc717b4ccec00b970)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ebaa5485abda86691b0eeadaf689d75072357178)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org> (merge fixes)
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3c234df240a11903ef3588a2c078dcbce4ca1719)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
The bash-4.2-patches is obsolete.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 31eb09a888729fcfd17d02f2a47375e10e87f79a)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
Extend default config file by a directive to include config file
fragments from /etc/lighttpd.d. This allows other web application
packages to put their configuration there.
Signed-off-by: Steffen Sledz <sledz@dresearch-fe.de>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
(cherry picked from commit 949ef58cf0684147b07745bd1199014ac57b437c)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
Catch some u-a-cworth references that slipped through the move of u-a
to opkg-utils and its rename to -opkg.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a9ff0bbac5ae0688525c71f0a358f0750a277269)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org> (merge fixes)
|
|
For FHS compliance, create symbolic links to write variable data
to standard paths
Signed-off-by: Yasir-Khan <yasir_khan@mentor.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
(cherry picked from commit cd97c2b77e32ec741aa5a51e1e1799b7665a184d)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
All patches against libarchive in oe-core appear to be merged into the latest
release. The license checksum has changed because a couple of referenced files
have been renamed but there is no change to the license terms themselves.
Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
(cherry picked from commit f3fd24badd189bbb083dba9397598e1566d1e4be)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org> (merge fixes)
|
|
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bd0a5a29bf6eeba78496e5d9143bd8806fd5cce1)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
Using the contains function results in more optimal sstate checksums
resulting in better cache reuse as well as more consistent code.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9c93526756e7cbbff027c88eb972f877bcb1f057)
|
|
Signed-off-by: Valentin Popa <valentin.popa@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1d376b40552e60b1fd18d95c6dd24d30aae849c8)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
Update pigz to latest release - 2.3.1
Drop ldflags.patch as it has been merged upstream
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8081dcb03f54efd551d1c8fe8a0484f8270053e0)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
In some cases, it's unfit to use "+=" in a conditional appending, we would
end up with the variable being set rather than being appended, which is not
what it is meant to do.
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
(cherry picked from commit 15ba35aebd7550e53e9f2f35de6b709937dbb55c)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7c4f4231dfeb5d7599f18e4b2fbb5a8a6427c01a)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
|
|
The Makefile checks for zip during installation
[YOCTO #6699]
(From OE-Core rev: a6e8ced3fa8e8e2aa3df0798b80eb26e5ebc4b15)
(Backport to older version 20130503)
Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch from OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc
by Khem Raj <raj.khem@gmail.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch based on the one from OE-Core master rev
798d833c9d4bd9ab287fa86b85b4d5f128170ed3 by Ross Burton
<ross.burton@intel.com>, with the content replaced from the
appropriate upstream patch.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
== is a bashism; use = instead.
(Based on OE-Core master rev: c90d1047c41148cbd57f26b5a34563346602a71b)
Signed-off-by: Stefan Stanacar <stefanx.stanacar@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core master rev: 1d6caef7222d0c1086a08a109ea4135a388c88e6)
Signed-off-by: Krzysztof Sywula <krzysztof.m.sywula@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
(From OE-Core master rev: fb9b12121f97f59d92ec2b8fdbe0e68f336f0576)
Signed-off-by: Christopher Larson <kergoth@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
xinetd does not enforce the user and group configuration directives
for TCPMUX services, which causes these services to be run as root
and makes it easier for remote attackers to gain privileges by
leveraging another vulnerability in a service.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342
The patch comes from:
https://bugzilla.redhat.com/attachment.cgi?id=799732&action=diff
(From OE-Core master rev: c6ccb09cee54a7b9d953f58fbb8849fd7d7de6a9)
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
* ltp installs 2 different runtests_noltp.sh files from different
directories into /opt/ltp/testcases/bin/runtests_noltp.sh
last one installed wins and causes unexpected changes in
buildhistory's files-in-image.txt report, rename them to have
unique name as other ltp scripts have.
* also define PREFERRED_PROVIDER to resolve note shown when
building with meta-oe layer:
NOTE: multiple providers are available for ltp (ltp, ltp-ddt)
NOTE: consider defining a PREFERRED_PROVIDER entry to match ltp
* use patch generated without -M
in my builds both versions worked, but Saul reported that it fails to
apply with:
Applying patch
0001-Rename-runtests_noltp.sh-script-so-have-unique-name.patch
patch: **** Only garbage was found in the patch input.
Now I've seen the same issue on a different builder (with Ubuntu 12.04).
(From OE-Core master rev: ec3bb2c2203b2e8bafc1a631f623f858779e20b7)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
buildtest-TESTS is a phony target and does nothing which results in a
do_install error since the tests aren't built. Since there isn't
a suitable make target but the number of tests are small, hardcode
the two to build to unbreak the build when ptest is enabled.
(From OE-Core master rev: 5dd8653fdcda5e0e8b4f3c37a46f357bc97ec66c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
* PPC64 uses long long for u64 in the kernel, but powerpc's asm/types.h
prevents 64-bit userland from seeing this definition, instead defaulting
to u64 == long in userspace.
* fix the below error
|super-ddf.c:4542:5: error: format '%llu' expects argument of type 'long long unsigned int',
|but argument 5 has type '__u64' [-Werror=format=]
|dprintf("BVD %u has %08x at %llu\n", 0,
(From OE-Core master rev: d3caab6eb03264b4f4d744f914598022299011ba)
Signed-off-by: Chunrong Guo <B40290@freescale.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
This check was looking for /run/mdadm on the host system, this check is optional so disable it.
[YOCTO #5447]
(From OE-Core master rev: d62882794890eeee8e8d5c9ba4837ec77a58d787)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
Allow the user to provide additional packages to this image.
This lets core-image-basic behave like all other core-image*
recipes (which do support CORE_IMAGE_EXTRA_INSTALL), as well
as match the documentation which suggests this as the mode to
extend any core-image* image.
v2 - drop redundant setting of CORE_IMAGE_EXTRA_INSTALL
(From OE-Core master rev: 5faabf398819d40b55c46bc83ae03942d115024b)
Signed-off-by: Gary Thomas <gary@mlbassoc.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
When using the tar executable in the buildtools, tar will execute
gzip. If this happens before zlib-native is built, then the gzip
on the host will be used and can fail if the libz in the buildtools
is not compatible. Adding pigz to the build tools avoids this host
contamination.
(From OE-Core master rev: af6424e8c2bf3a938fddabc669c0956d68964ed0)
Signed-off-by: Konrad Scherer <Konrad.Scherer@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
(From OE-Core master rev: 89d7d46947d9bb8c7bf568c65e52d5bbe159027f)
Signed-off-by: Konrad Scherer <Konrad.Scherer@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
This init script fails when the default shell is busybox sh. This
is because busybox sh doesn't set the UID. No other init scripts
in oecore feel the need to check the UID so just remove the check.
(From OE-Core master rev: dd6a45536043af34c05a699e468cef4845f7affd)
Signed-off-by: Jack Mitchell <jmitchell@cbnl.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Buffer used for copying a "%c" character was getting
out of scope when it was required by the sprintf operation.
[YOCTO #5272]
Signed-off-by: Marius Avram <marius.avram@intel.com>
Signed-off-by: Irina Patru <irina.patru@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is a second in a series of patches to enable
offline rootfs creation from a package repository.
Some postinstall cmds are Yocto specific and needed to create a
rootfs with pre and post install hooks successfully run,
using only the toolchain tarball + a package repo.
End goal is to create a sandbox where users of a Yocto
based distribution can customize a rootfs from a package feed
with their package manager of choice.
With this patch, I can successfully create packagegroup-core-boot
with only the toolchain tarball(OPKG). More fixes for a few postinstall
hooks outside of packagegroup-core-boot will come next.
Signed-off-by: David Nyström <david.nystrom@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The po.m4 file is deleted by the more recent autotools.bbclass
autotools_do_configure code which handles gettext. There is therefore
no point in patching the file anymore.
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The po.m4 file is deleted by the more recent autotools.bbclass
autotools_do_configure code which handles gettext. There is therefore
no point in patching the file anymore.
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|