Age | Commit message (Collapse) | Author |
|
* strip tmpdir prefix, so that we have shorter paths which aren't
builder specific
* use '#' for regexp delimiter so that we don't need to prefix
forward slashes in paths
* extend default whitelist to cover typical cases
* add parameter for external whitelist file
* use number of found paths as return code, so that CI can easily
report error when new untracked files are found
* use .txt suffix for all output files, so that they can be easily
viewed in browser
* add populate_sysroot task, because somewhere between dora and daisy
the populate-sysroot files in sstate-control were renamed to have
underscore instead of dash
* only few entries not covered by this default whitelist were found
in world build (but I'll leave these for people to whitelist, because
they are not generated in most builds)
* [^/]*/home/builder
home directory from meta/recipes-graphics/builder/builder_0.1.bb
* [^/]*/usr/src/kernel/patches
* [^/]*/usr/lib/gdk-pixbuf-2.0/.*/loaders.cache
3 places are using this, not sure which one creates it
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb:
GDK_PIXBUF_MODULE_FILE=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/${LIBV}/loaders.cache
meta/recipes-gnome/gtk+/gtk-update-icon-cache-native_3.4.4.bb:
GDK_PIXBUF_MODULE_FILE=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/2.10.0/loaders.cache
scripts/postinst-intercepts/update_pixbuf_cache:
>$GDK_PIXBUF_MODULEDIR/../loaders.cache && \
sed -i -e "s:$D::g" $GDK_PIXBUF_MODULEDIR/../loaders.cache
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
failure detected
* this is useful when using from jenkins job where you don't want to read
output just to dectect how bad it was
* add .log suffix to all files, so they can be easily downloaded from
http servers without default mimetype set to something useful
* add recipes failed in step 1 to steps 2 and 3 to generate standalone
logs for them
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
failure detected
* add --analyze option, which is useful when using from jenkins job
where you don't want to read output just to dectect how bad it was
* I was always using something like this inside jenkins job, but better
to share it in original script
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
The previous fix for this same issue (OE-Core rev
f31f6a70ec24e8c9515d69c5092e15effc5e7d4d) was not sufficient - we are
setting the PERLVERSION variable from the get_perl_version function, but
we're setting it using immediate expansion; thus the value is going into
the signature and is still different between the time the recipe is
cached on an empty TMPDIR and after perl is in the sysroot and we run
bitbake -S perf. We could remove the immediate expansion, but that would
mean the get_perl_version function would be called more often, so just set
vardepvalue on the PERLVERSION variable to fix the problem instead.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
* without this bitbake -S perf shows following error:
ERROR: Bitbake's cached basehash does not match the one we just generated
(/OE/oe-core/meta/recipes-kernel/perf/perf.bb.do_package)!
if you run it twice, once without perl in sysroot and once with perl
already built
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* bluetooth.h is autodetected from sysroot and influences 2 python files:
/usr/include/python2.7/pyconfig-32.h
/usr/lib/python2.7/lib-dynload/_socket.so
* it doesn't link with bluez, so it wasn't detected by
test-dependencies.sh, but still causes undeterministic builds and
should be fixed
* we can use PACKAGECONFIG, but I don't expect many people to use bt
support in python-socket
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* ltp installs 2 different runtests_noltp.sh files from different
directories into /opt/ltp/testcases/bin/runtests_noltp.sh
last one installed wins and causes unexpected changes in
buildhistory's files-in-image.txt report, rename them to have
unique name as other ltp scripts have.
* also define PREFERRED_PROVIDER to resolve note shown when
building with meta-oe layer:
NOTE: multiple providers are available for ltp (ltp, ltp-ddt)
NOTE: consider defining a PREFERRED_PROVIDER entry to match ltp
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* has runtime dependency on TUNE_PKGARCH bash
Hash for dependent task bash_4.2.bb.do_packagedata changed from d6eafb155c37bc2da7327492afa449fb to 0ae080aaa92025af690cf16ef0cd2b7e
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* depends on TUNE_PKGARCH busybox and udev
Hash for dependent task busybox_1.20.2.bb.do_packagedata changed from b814437371de0c3253bdd3610c051f30 to 7dd9c851d5f7c675dd65cc7872c30743
Hash for dependent task udev_182.bb.do_packagedata changed from 1034300ce0e27d444e0e7d9e2a239605 to c13031b26b2a86dcf9bcce33b7823477
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* depends on some TUNE_PKGARCH recipes:
base-passwd, ppp_, shadow-sysroot, shadow
Hash for dependent task base-passwd_3.5.26.bb.do_populate_sysroot changed from ff08f0198f5424a21ccb61957325ffdf to d9d962e2d8c0d591b916ed68aa826efe
Hash for dependent task ppp_2.4.5.bb.do_populate_sysroot changed from 515251fb9d5196733f9b6ca0f6cc041b to 5cfb0b7b71f4440c3147da52c22234cc
Hash for dependent task shadow-sysroot_4.1.4.3.bb.do_populate_sysroot changed from 3e5bddc578887636c1809e4cdf28c1c2 to 8f03231a1d4bb1aea6c4adce1febc1b4
Hash for dependent task shadow_4.1.4.3.bb.do_populate_sysroot changed from 518f7edcba3545e5c60c3a13cef23169 to 7dbf1646de02a117bf0d573276b878c0
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* the recipe itself is allarch, but update-alternatives adds dependency on
virtual/${MLPREFIX}update-alternatives which can be TUNE_PKGARCH opkg
causing linux-firmware signature to be different for different TUNE_PKGARCHs
Hash for dependent task opkg_svn.bb.do_populate_sysroot changed from 8d215059308161841a84542dd1dcbf3a to 80b280c741c392cf5b30dd67b61dd56e
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* it's autodetecting keyutils from meta-ivi
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* fails without it
| xrestop.c:50:20: fatal error: curses.h: No such file or directory
| #include <curses.h>
| ^
| compilation terminated.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* fails without:
| configure:10604: error: Package requirements (xrender >= 0.4) were not met:
| No package 'xrender' found
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* fails without:
| ./gstglshader.h:30:21: fatal error: GL/glew.h: No such file or directory
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
* backported from 2.23.2, fixes:
work/x86_64-linux/binutils-native/2.23.1-r3/binutils-2.23.1/gas/write.c:409:24:
error: 'dummy.fr_type' may be used uninitialized in this function [-Werror=maybe-uninitialized]
gas_assert (prev_frag->fr_type != 0);
^
work/x86_64-linux/binutils-native/2.23.1-r3/binutils-2.23.1/gas/write.c:392:9: note: 'dummy' was declared here
fragS dummy, *prev_frag = &dummy;
^
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Patches explain the issue in detail but this is exposed
with gcc 4.9 in binutils 2.23.2
(From OE-Core rev: fc5c467b680fc5aef4b0f689e6988e17a9322ae0)
(From OE-Core rev: 4dfb8847ebf8aab90ad8888933468e2899c96998)
(From OE-Core rev: af347d3298e15552d502d5b2ce497bbda9705bc7)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 131a17f014e6373dae526cc927588ccc0fedc38d)
Signed-off-by: Krzysztof Sywula <krzysztof.m.sywula@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The modules-${MACHINE}.tgz should link to ${MODULE_TARBALL_BASE_NAME}.
But now it links to an invalid file ${MODULE_TARBALL_BASE_NAME}.bin.
Remove the extra .bin suffix.
[YOCTO #4595]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
ant reported on irc that the sstate absolute to relative symlink creation
code wasn't working in klibc. He was correct although the level of breakage is
rather surprising since it only worked for one level of symlink (usr/include) with
everything else being broken.
The reason is probably that nothing really uses absolute paths, we use relative
paths where at all possible already. Nothing in the target sysroot should use
absolute paths for a start. In this regard, the klibc-dev package is broken and
needs fixing. It will currently break when building for one machine, then switching
to another of the same TUNE_PKGARCH and installing from sstate but that is a
separate issue.
This patch fixes the symlink creation code by firstly passing in the correct
value we need (where the symlink will end up) and seccondly, actually using it.
I've also tweaked the debug message to contain appropriate information and got
right of the double "//" value the existing code created in favour of the form
'./..' which looks neater.
(From OE-Core rev: 9b05c65450526522d7358d0c0901b594de546748)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
(From OE-Core master rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
Anonymous ECDH denial of service (CVE-2014-3470)
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
SSL/TLS MITM vulnerability (CVE-2014-0224)
An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
DTLS recursion flaw (CVE-2014-0221)
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.
Only applications using OpenSSL as a DTLS client are affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora,
which is the same as the patch which was actually applied upstream for
the issue, i.e.:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
DTLS invalid fragment vulnerability (CVE-2014-0195)
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Only applications using OpenSSL as a DTLS client or server affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Backported patch for CVE-2014-3466.
This patch is for dylan.
Signed-off-by: Valentin Popa <valentin.popa@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
A null pointer dereference bug was discovered in do_ssl3_write().
An attacker could possibly use this to cause OpenSSL to crash, resulting
in a denial of service.
https://access.redhat.com/security/cve/CVE-2014-0198
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We don't normally do this, but with the recent CVE fixes (most
importantly the one for the serious CVE-2014-0160 vulnerability) I am
bumping PR explicitly to make it a bit more obvious that the patch has
been applied.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes the "heartbleed" TLS vulnerability (CVE-2014-0160). More
information here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Patch borrowed from Debian; this is just a tweaked version of the
upstream commit (without patching the CHANGES file which otherwise
would fail to apply on top of this version).
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2
obtains a certain version number from an incorrect data structure, which
allows remote attackers to cause a denial of service (daemon crash) via
crafted traffic from a TLS 1.2 client.
(From OE-Core master rev: 3e0ac7357a962e3ef6595d21ec4843b078a764dd)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x
through 1.0.1e does not properly maintain data structures for digest and
encryption contexts, which might allow man-in-the-middle attackers to
trigger the use of a different context by interfering with packet delivery,
related to ssl/d1_both.c and ssl/t1_enc.c.
(From OE-Core master rev: 94352e694cd828aa84abd846149712535f48ab0f)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before
1.0.1f allows remote TLS servers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted Next Protocol
Negotiation record in a TLS handshake.
(From OE-Core master rev: 35ccce7002188c8270d2fead35f9763b22776877)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These are in the Toolchain list, so they should also be installed on the build appliance
[YOCTO #5061]
Fixes [YOCTO #5941].
(Partial backport of OE-Core master rev: 82374feece5c576f9950bad6861b1e00c6b30d84)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
I have a feeling this code exists from the time before we had proper
coverage of one sstate task by another task. At that time it was a
"poor" persons version of that idea, we now have much better
code internal to bitbake which handles this.
Worse, this code actually breaks certain rebuild scenarios,
e.g.:
bitbake libtool-cross
bitbake libtool-cross -c cleansstate
rm tmp -rf
bitbake libtool-cross
would fail as binutils-cross wasn't installed from sstate.
The easiest fix is to remove the obsolete/broken code.
[YOCTO #5773]
(From OE-Core master rev: ccad07f35fb7f959e24fd50d04c7d10dd5cf20d0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Some LSB packages appear to have the platform set to '%{_target_platform}'
which is not a valid platform field. This causes a failure of the type:
warning: package lsb-test-core-4.1.15-1.x86_64 is intended for a %{_target_platform} platform
When we detect an invalid platform, fall back and try to construct a new
platform name that may be valid based on the arch and os contents of the
package. (This should only ever be needed by invalid or older RPM packages.)
(From OE-Core master rev: 6513fa327aeb7e9fdd313290c205917952eed226)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
== is a bashism use = instead.
(Based on OE-Core master rev: c90d1047c41148cbd57f26b5a34563346602a71b)
Signed-off-by: Stefan Stanacar <stefanx.stanacar@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Fixes [YOCTO #5233]
Modeled after Chen Qi's fix to [YOCTO #3924] from oe-core commit:
6b6db7b4fb7aa17b8e29076decc830149b9d35bc
init-install.sh: remove unnecessary udev rules file to avoid error messages
/etc/udev/scripts/mount.sh is removed by init-install-efi.sh, but the
udev rules file which specifies the invocation of this script is not
removed, thus causing the error message during a live install:
/etc/udev/scripts/mount.sh: No such file or directory
The /etc/udev/rules/automount.rules no longer works once the mount.sh
script is removed. Remove it to avoid the error message.
(From OE-Core master rev: 1f5a2b616d902b1158e348bf8c33b6d36e21cadc)
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: mihaix.lindner@linux.intel.com
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The existing -cpu host option caused kernel panics when people attempted to use
the kvm option. After research and discussion, the best options appear to
be the kvm32/kvm64 cpu types so lets use these instead. These resolve
the kernel issues for me.
[YOCTO #3908]
(From OE-Core master rev: bdc6d3be6ffa4ed358153f9c9332b632324f5833)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|