path: root/meta/recipes-core/ncurses/files
Age | Commit message | Author
2017-09-21 | ncurses: CVE-2017-13732, CVE-2017-13734, CVE-2017-13730, CVE-2017-13729, CVE-2017-13728, CVE-2017-13731 | Ovidiu Panait

There is an illegal address access in the function dump_uses() in progs/dump_entry.c in ncurses 6.0 that might lead to a remote denial of service attack.

There is an illegal address access in the _nc_safe_strcat function in strings.c in ncurses 6.0 that will lead to a remote denial of service attack.

There is an illegal address access in the function _nc_read_entry_source() in progs/tic.c in ncurses 6.0 that might lead to a remote denial of service attack.

There is an illegal address access in the _nc_save_str function in alloc_entry.c in ncurses 6.0. It will lead to a remote denial of service attack.

There is an infinite loop in the next_char function in comp_scan.c in ncurses 6.0, related to libtic. A crafted input will lead to a remote denial of service attack.

There is an illegal address access in the function postprocess_termcap() in parse_entry.c in ncurses 6.0 that will lead to a remote denial of service attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-13734
https://nvd.nist.gov/vuln/detail/CVE-2017-13732
https://nvd.nist.gov/vuln/detail/CVE-2017-13731
https://nvd.nist.gov/vuln/detail/CVE-2017-13730
https://nvd.nist.gov/vuln/detail/CVE-2017-13729
https://nvd.nist.gov/vuln/detail/CVE-2017-13728

Upstream patch:
https://anonscm.debian.org/cgit/collab-maint/ncurses.git/commit/?id=129aac80802d997b86ab0663836b7fdafb8e3926

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-08-18 | ncurses: 6.0+20161126 -> 6.0+20170715 | Hongxu Jia

Rebase patches:
- tic-hang.patch -> 0001
- configure-reproducible.patch -> 0002

Drop fix-cflags-mangle.patch, which was accepted by upstream
...
commit 1b74f120ab7be89011408a6ad0f1c748a314bae8
Author: Sven Joachim <svenjoac@gmx.de>
Date: Sun Feb 26 09:01:34 2017 +0100

Import upstream patch 20170225

20170225
+ fixes for CF_CC_ENV_FLAGS (report by Ross Burton).
...

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-01 | ncurses_6.0: Improve reproducibility | Juro Bystricky

Build static libraries without the binutils "ar" -U option. This option deliberately breaks deterministic mode. The option seems to be a relic from 2015, intended as a workaround for some unspecified build problems.

[YOCTO#11247]

Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-02-23 | ncurses: 6.0+20160625 -> 6.0+20161126 | Hongxu Jia

Add a patch to fix the CC/CFLAGS mangling that broke builds. [RB]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-03-20 | ncurses_6: Improve installation | Juro Bystricky

As "install.libs" also installs header files, it is redundant to also call "install.includes". In fact, doing so can lead to a race, as both targets could try to install the header files at the same time if running parallel make. Obviously, with only calling "install.libs", there is no race with "install.includes". If there is no race, then the patch fix-include-files-race.patch is no longer needed.

Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-03-12 | ncurses_6: Fix an install race condition | Juro Bystricky

Both targets install.libs and install.includes install the same files, resulting in a race condition when running parallel make. This race is addressed in a patch file, making sure only one of the targets (install.includes) installs the include files. This will work properly (i.e. ncurses will install as intended by the recipe) as long as we always install both targets.

Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-02-28 | ncurses: update to revision 20160213 | Alexander Kanavin

Also, put the revision into PV, so that a meaningful upstream version check can be performed.

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>