| Age | Commit message (Collapse) | Author |
|---|
|
Built in command "read" with "-e" use Readline to obtain the line
in an interactive shell. In this process, a string "rlbuf" is
just allocated without free operation thus cause memory leak.
This patch had been submitted to upstream:
http://lists.gnu.org/archive/html/bug-bash/2017-02/msg00061.html
(From OE-Core rev: a2b278a6eaa9e9b48d858e3be6712267c0122598)
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fixup for 4.3
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust
CVE-2017-9835: bounds check the array allocations methods
CVE-2017-11714: prevent trying to reloc a freed object
(From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
CVE-2017-9611
CVE-2017-9612
CVE-2017-9739
CVE-2017-9726
(From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
CVE-2017-6508: CRLF injection vulnerability in the url_parse function in
url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary
HTTP headers via CRLF sequences in the host subcomponent of a URL.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2017-6508
Patch from:
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
(From OE-Core rev: 28404157e07a915d1445166df566c8838f2cce57)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Since LTP includes a set of test cases, we need to skip file dependency
generation, as there will be dependencies that can not be satisfied. In this
case a csh and ksh dependency come from two tests.
The alternative would be to depend on csh/ksh (a bad idea as they're not
available in oe-core) or remove the tests (but this eliminates the tests if
someone DOES have csh/ksh in their configurations.)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream lsof releases are hosted on an ftp server which times out
download attempts from hosts for which it can not perform a DNS
reverse-lookup. See:
https://people.freebsd.org/~abe/
http://www.mirrorservice.org seems to be the most commonly used
alternative (and using it for SRC_URI allows the custom
UPSTREAM_CHECK_URI to be removed).
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 4e718242c1554021689a7946add055b22b81ec42)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
- Add HOMEPAGE
- Remove ${S} from LIC_FILES_CHKSUM path
- Use tabs consistently to indent do_configure()
- Re-order LIC_FILES_CHKSUM definition to follow OE style guide
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 78701c5b873605240226c502de3b940097433596)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Having 'lsof' as a +s (setuid) binary could lead to security issues if
a compromise in the binary is found. It is better that it be -s by
default as a precaution.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 346c65dd6855106069d1861ca965d3121eb084d1)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
It is used in NVD for CVE's like:
https://nvd.nist.gov/vuln/detail/CVE-2012-3417
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 07be7cb9405e4a6289edad8afb3a50c1f8651620)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This patch is generic enough, That it can be applied universally
and makes maintainence easier
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit f769b8389091b4ffaff8f6f8fc7e53462ce176a5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
build fails else with
| + make -j 8 -l 6 cc=ccache gcc
| make: *** No rule to make target 'gcc'. Stop.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 5729c1563359e12ebb4451bb1ce7ba3fff4ed2d4)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
(From OE-Core rev: c391547e95b1854960b90d93fd9f80f02f761e61)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The modern version of zone.tab is required by tzselect e.g.
(From OE-Core rev: de467998ecfa5fa1d2e9dd43a4a3d828cf9ccade)
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER
mode protection mechanism and consequently read arbitrary files via the
use of the .libfile operator in a crafted postscript document.
Use-after-free vulnerability in Ghostscript 9.20 might allow remote
attackers to execute arbitrary code via vectors related to a reference
leak in .setdevice.
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER
mode protection mechanism and consequently execute arbitrary code by
leveraging type confusion in .initialize_dsc_parser.
libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript,
has a NULL pointer dereference in the jbig2_huffman_get function in
jbig2_huffman.c. For example, the jbig2dec utility will
crash (segmentation fault) when parsing an invalid file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2016-7977
https://nvd.nist.gov/vuln/detail/CVE-2016-7978
https://nvd.nist.gov/vuln/detail/CVE-2016-7979
https://nvd.nist.gov/vuln/detail/CVE-2017-9216
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=875a0095f37626a721c7ff57d606a0f95af03913
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ebffb1d96ba0cacec23016eccb4047dab365853
(From OE-Core rev: 584dfa2f780d5785aaff01f84fbabc18b3478d76)
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote
attackers to cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted Postscript document that calls .sethalftone5 with an
empty operand stack.
Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because
of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c
during operations on a crafted JBIG2 file, leading to a denial of service (application
crash) or possibly execution of arbitrary code.
References:
https://nvd.nist.gov/vuln/detail/CVE-2016-8602
https://nvd.nist.gov/vuln/detail/CVE-2017-7975
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f5c7555c303
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e57e483298
(From OE-Core rev: 8f919c2df47ca93132f21160d919b6ee2207d9a6)
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This vulnerability is also called "rpcbomb".
Backport upstream patch to fix this vulnerability.
CVE: CVE-2017-8779
(From OE-Core rev: 7936c9451eb4c376a78a0ac7461d1b2430c7f1f3)
Signed-off-by: Fan Xin<fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
A vulnerability was found in a way bash expands the $HOSTNAME.
Injecting the hostname with malicious code would cause it to run
each time bash expanded \h in the prompt string.
Porting patch from <https://ftp.gnu.org/gnu/bash/bash-4.3-patches/
bash43-047> to solve CVE-2016-0634
CVE: CVE-2016-0634
(From OE-Core rev: 7dd6aa1a4bf6e9fc8a1998cda6ac5397bb5cd5cb)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript
9.20 allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a crafted file.
The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file that is
mishandled in the PDF Transparency module.
The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f
http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8
http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
After change to the rpm4, the rpm packages in lsbtest, such as:
lsb-setup-4.1.0-1.noarch.rpm
lsb-dist-checker-5.0.0.1-1.x86_64.rpm
......
lsb-cmdchk-5.0.3-1.x86_64.rpm
When install above rpm packages, the error log appears:
package lsb-setup-4.1.0-1.noarch is intended for a different operating system
......
So we should add option "--ignoreos" to the rpm install command in LSB_Test.sh
in ./meta/recipes-extended/lsb/lsbtest directory. In this way we can make sure
the correct installation of those rpm packages.
The YOCTO bug #11224 didn't create logs, this is because the above test rpm
packages didn't install.
[YOCTO #11224]
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Sadly this breaks previous OE releases as it means the source mirror contains a
tarball with the same name but different checksums as was previously available.
This reverts commit 99c6e89db193d572e845f95eabbd9ec89c3508c7.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The previous patch added a check but incorrectly
change the elif to if, then it always return 0
for cpuid if the machine is not __i386__
getcpu01 1 TFAIL : getcpu01.c:140: getcpu() returned wrong value expected cpuid:7, returned value cpuid: 0
After this fix:
getcpu01 1 TPASS : getcpu() returned proper cpuid:7, node id:0
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Otherwise, the filename is r3-9-1.tar.gz which isn't straightforward.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fixed when len(TMPDIR) = 410:
aclocal: error: cannot open echo 'm4_define [snip]' configure.ac |: Argument list too long'
This is becuase it has a lot of m4 files, use relative path for them
can fix the problem.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream has removed the 1.14.1 release from ftp.gnu.org and
moved to the latest 1.14.2. Since we don't want to upgrade at
this point of time, temporarily move the SRC_URI to yoctoproject
mirror.
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Also, they were previously squashed into a single patch; restore
the original two-patch arrangement.
As requested here:
http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135460.html
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
fedorahosted.org was retired on March 1st, 2017. This is to
update the SRC_URI to point to github.com.
Update the ${PN} to ${BPN} in order to pass the autobuilder
mulitlib enable configuration.
[YOCTO #11226]
Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The shebang's max length is usually 128 as defined in
/usr/include/linux/binfmts.h:
#define BINPRM_BUF_SIZE 128
There would be errors when @PERL@ (hostools/perl) is longer than 128,
use '/usr/bin/env perl' can fix the problem, but '/usr/bin/env perl -w'
doesn't work:
/usr/bin/env: perl -w: No such file or directory
So replace "perl -w" with "use warnings" to make it work.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The shebang's max length is usually 128 as defined in
/usr/include/linux/binfmts.h:
#define BINPRM_BUF_SIZE 128
There would be errors when @PERL@ (hostools/perl) is longer than 128,
use '/usr/bin/env perl' can fix the problem, but '/usr/bin/env perl -w'
doesn't work:
/usr/bin/env: perl -w: No such file or directory
So replace "perl -w" with "use warnings" to make it work.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The mem_get_bits_rectangle function in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial
of service (NULL pointer dereference) via a crafted PostScript
document.
Reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207
Upstream patch:
http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The configuration change was already done for -native but
we really want it when USE_NLS is set.
Fixes [YOCTO #11285].
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The md5sum & sha256sum for ethtool-4.8.tar.gz have changed upstream :(
Signed-off-by: Paul Barker <pbarker@toganlabs.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
fedorahosted.org was retired on March 1st, 2017. This is to update
the SRC_URI to point to github.com.
[YOCTO #11226]
Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
fedorahosted.org was retired on March 1st, 2017. This is to
update the SRC_URI to point to github.com.
[YOCTO #11226]
Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
fedorahosted.org was retired on March 1st, 2017. This is to
update the SRC_URI to point to pagure.io. pagure.io is a
replacement for fedorahosted.
[YOCTO #11226]
Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
fedorahosted.org was retired on March 1st, 2017. This is to
update the SRC_URI to point to pagure.io. pagure.io is a
replacement for fedorahosted.
[YOCTO #11226]
Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
There were two remaining cases that could end up creating /lib64
rather than ${base_prefix}/lib64. The difference matters when building
with usrmerge.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Use ${D}${var} rather than ${D}/${var} for variables where ${var}
contains an absolute path.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
net-tools-native is needed by swtpm-wrappers (in meta-security)
because swtpm_setup.sh calls netstat, which cannot be assumed to be
present in all Linux installations (for example, it is not in OpenSUSE
minimal base).
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
mdadm only works with corosync 2.x which provides header file corosync/cmap.h.
If build mdadm with corosync 1.x, it fails with:
| member.c:12:27: fatal error: corosync/cmap.h: No such file or directory
| #include <corosync/cmap.h>
| ^
Build with corosync only header file corosync/cmap.h exists.
Ref:
https://github.com/neilbrown/mdadm/blob/master/mdadm.h#L63
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Briefly: Haiti has resumed DST.
Changes to past and future time stamps
Haiti resumed observance of DST in 2017. (Thanks to Steffen Thorsen.)
Changes to past time stamps
Liberia changed from -004430 to +00 on 1972-01-07, not 1972-05-01.
Use "MMT" to abbreviate Liberia's time zone before 1972, as "-004430"
is one byte over the POSIX limit. (Problem reported by Derick Rethans.)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Default CC is same as used here, there is no need to
duplicate it, as a plus it helps in compiling acpitests with
non-gcc cross compilers
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
mips definition of kernel_sigaction was added later
and the patch did not apply to mips part which ended
in ltp failing to compile on mips parts
In file included from rt_sigaction01.c:42:0:
../../../../include/lapi/rt_sigaction.h:39:2: error: unknown type name '__sighandler_t'
__sighandler_t k_sa_handler;
^~~~~~~~~~~~~~
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Using of bitbake environment variables in-place of hardcoded strings makes this
recipe portable to all environments.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Use appropriate bitbake variable inplace of hardcoded sbin path in Makefile
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
net-tools Makefile was hardcoded sbin, bin installation paths to /bin and /sbin
respectively. This change moves the installed files to appropriate location as
per configured bitbake environment.
This might be solved much better way by patching Makefile, but that causing
build issues, as net-tools recipe is using pre-generated config.{h/status}.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
|
|
Move binary(ies) only when ${base_bindir} != ${bindir}.
When usrmerge is enabled they both can point to same location.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
|
|
Both shadow and util-linux packages provides 'nologin' binary in ${base_sbindir}
and ${sbindir} respectively, this leads to conflict when 'usrmerge' feature is
enabled, where ${sbindir} == ${base_sbindir}. Hance, handle this to alternative
system to resolve the conflict.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
|
Zhang Xiao
Joe Slater
Yi Zhao
Mark Hatle
Andre McCurdy
Kai Kang
Mikko Rapeli
Khem Raj
Enrico Scholz
Peter Kjellerstedt
Jan Kiszka
Catalin Enache
Fan Xin
Zhixiong Chi
Alexander Kanavin
Dengke Du
Ross Burton
Jackie Huang
Robert Yang
Maxin B. John
Choong YinThong
Jussi Kukkonen
Paul Barker
Patrick Ohly
Armin Kuster
Amarnath Valluri