aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* openssl: set CVE vendor to opensslstable/warrior-nmutAnuj Mittal2019-11-171-0/+2
| | | | | | | | | Differentiate it from openssl gem for Ruby. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* flex: set CVE_PRODUCT to include vendorRoss Burton2019-11-171-0/+3
| | | | | | | | | | There are many projects called Flex and they have CVEs, so also set the vendor to remove these false positives. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* git: set CVE vendor to git-scmRoss Burton2019-11-171-0/+2
| | | | | | | | | There's a Jenkins plugin for Git. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* subversion: set CVE vendor to ApacheRoss Burton2019-11-171-0/+2
| | | | | | | | | There's a Jenkins plugin for Subversion. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ed: set CVE vendor to avoid false positivesRoss Burton2019-11-171-0/+2
| | | | | | | Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* boost: set CVE vendor to BoostRoss Burton2019-11-171-0/+2
| | | | | | | | | There's a Boost module for Drupal. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libpam: set CVE_PRODUCTRoss Burton2019-11-171-0/+2
| | | | | | | Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libxfont2: set CVE_PRODUCTChen Qi2019-11-171-0/+2
| | | | | | | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libsndfile1: whitelist CVE-2018-13419Ross Burton2019-11-171-0/+3
| | | | | | | | | | This is a memory leak that nobody else can replicate and has been rejected by upstream. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* webkitgtk: set CVE_PRODUCTChen Qi2019-11-171-0/+2
| | | | | | | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* procps: whitelist CVE-2018-1121Ross Burton2019-11-171-0/+3
| | | | | | | | | | | This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* file: fix CVE-2019-18218Ross Burton2019-11-112-1/+57
| | | | | | Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* patch: the CVE-2019-13638 fix also handles CVE-2018-20969Ross Burton2019-11-111-2/+2
| | | | | | Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* pseudo: Add statx support to fix fedora30 issuesRichard Purdie2019-11-112-0/+107
| | | | | | | | | | Modern distros (e.g. fedora30) are starting to use the new statx() syscall through the newly exposed glibc wrapper function in software like coreutils (e.g. the ls command). Add support to intercept this to pseudo. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Fixup for warrior context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* pseudo: Drop static linking to sqlite3Richard Purdie2019-11-112-19/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Back in 2010[1] we made pseudo statically link against sqlite3. Since then the world has changed, pseudo now has separate processes for the database in the server and the client and they have separate linking commands. Also, whilst there were concerns about needing specific versions of sqlite3, in the OE environment, this is always the case. [1] http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=ad0ac0ecd38fc77daf42485489fccc10a5e1e3e7 The static sqlite3-native is causing us problems, in particular: tmp/work/x86_64-linux/pseudo-native/1.9.0+gitAUTOINC+060058bb29-r0/recipe-sysroot-native/usr/lib/libsqlite3.a(sqlite3.o):(.data.rel+0xb0): undefined reference to `fcntl64' which occurs if sqlite3-native was built on a machine with glibc 2.28 or later and pseudo-native is being built on glibc before that. With dyanmical linking, libc is backwards compatible and works but with static linking it does not. There appears to be no easy way to avoid this other than adding a copy of sqlite3 into the pseudo recipe. Given the static linking doesn't seem to be required any longer due to the separate processes, drop that to fix those issues. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* pseudo: Fix openat() with a symlink pointing to a directoryJason Wessel2019-11-102-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While working with ostree disk generation in conjunction with wic, I found a problem with pseudo where it tried to resolve a symlink when it shouldn't, based on openat() flags. A C program has been constructed to test pseudo to show that it is working properly with the correct behavior around openat(). #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/stat.h> #include <dirent.h> #include <unistd.h> #include <fcntl.h> int main() { /* * Tested with: gcc -Wall -o app app.c ; echo "no pseudo" ; * ./app ; echo "pseudo"; pseudo ./app */ system("rm -rf tdir tlink"); system("mkdir tdir"); system("ln -s tdir tlink"); DIR *dir = opendir("."); int dfd = dirfd(dir); int target_dfd = openat (dfd, "tlink", O_RDONLY | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); if (target_dfd == -1) { printf("Test 1 good\n"); } else { printf("Test 1 failed\n"); close(target_dfd); } target_dfd = openat (dfd, "tlink", O_RDONLY | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC); if (target_dfd == -1) { printf("Test 2 failed\n"); } else { printf("Test 2 good\n"); close(target_dfd); } /* Test 3 make sure the owner of the link is root */ struct stat sbuf; if (!lstat("tlink", &sbuf) && sbuf.st_uid == 0) { printf("Test 3 good\n"); } else { printf("Test 3 failed\n"); } /* Test 4 tests open with the "rb" flag, owner should not change */ int ofd = openat(dfd,"./tlink", O_RDONLY|O_CLOEXEC); if (ofd >= 0) { if (fstat(ofd, &sbuf) != 0) printf("ERROR in fstat test 4\n"); else if (sbuf.st_uid == 0) printf("Test 4 good\n"); close(ofd); } else { printf("Test 4 failed with openat()\n"); } /* Test pseudo db to see the fstat() above did not delete the DB entry */ if (!lstat("tlink", &sbuf) && sbuf.st_uid == 0) printf("Test 5 good\n"); else printf("Test 5 failed... tlink is owned by %i and not 0\n", sbuf.st_uid); return 0; } int main() { /* Tested with: gcc -Wall -o app app.c ; echo "no pseudo" ; ./app ; echo "pseudo"; pseudo ./app */ system("rm -rf tdir tlink"); system("mkdir tdir"); system("ln -s tdir tlink"); DIR *dir = opendir("."); int dfd = dirfd(dir); int target_dfd = openat (dfd, "tlink", O_RDONLY | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); if (target_dfd == -1) { printf("This is right\n"); } else { printf("This is broken\n"); } return 0; } Many thanks to Peter Seebach for fixing the problem in the pseudo code to use the same logic which was already there for the AT_SYMLINK_NOFOLLOW. Also updated is the license MD5 checksum since the master branch of pseudo has had the SPDX data updated. Signed-off-by: Jason Wessel <jason.wessel@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: Upgrade 3.7.4 -> 3.7.5Adrian Bunk2019-11-104-137/+4
| | | | | | | | | | | Backported patch removed. 3.7.5 also includes the fix for CVE-2019-16935. Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: CVE-2019-16056Chen Qi2019-11-102-0/+133
| | | | | | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: fix the test_locale output formatMingli Yu2019-11-102-0/+47
| | | | | | | | | | | | | | | | | | | | | | | | | | Before this patch: # python3 -m test -v test_locale [snip] test_getsetlocale_issue1813 (test.test_locale.TestMiscellaneous) ... testing with ('tr_TR', 'ISO8859-9') ok [snip] After this patch: # python3 -m test -v test_locale [snip] test_getsetlocale_issue1813 (test.test_locale.TestMiscellaneous) ... testing with ('tr_TR', 'ISO8859-9')... ok [snip] Make the test ended with "... ok" is common in python unittest world, we should make it keep consistent with other test cases in case it may be ignored to record in the report if we use the common filter "... ok". [YOCTO #13298] Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: Fix .pyc file reproduciblilityJoshua Watt2019-11-102-0/+36
| | | | | | | | | Applies a patch to python that makes the pre-compiled .pyc files generated during the build reproducible. Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: Reformat sysconfigJoshua Watt2019-11-102-0/+28
| | | | | | | | | | | | | | | | | | | | | | Reformats the sysconfig file when packaging. This file is output by using the python pprint function. This function will wrap long lines at 80 characters by default, and will even split strings at whitespace boundaries to do so, e.g.: 'A': 'B is really' ' long' This causes a problem for reproducibility however because there might be lines of differing lengths depending on the build path. These non-reproducible paths are removed, but their effect on string wrapping from pprint remains. To correct this, reformat the entire sysconfig file by re-printing using pprint with an (effectively) unlimited line length. Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: python3: Fix build error x86->x86Ricardo Ribalda Delgado2019-11-102-0/+27
| | | | | | | | | | | | | | | | | | When building x86->x86 the system will try to execute .so and related items from the default PYTHONPATH. This will fail if the target CPU contains instructions that the host CPU does not have, add CROSSPYTHONPATH into PYTHONPATH so we can prepend the list to find correct libs. Fixes: Illegal instruction (core dumped) Makefile:625: recipe for target 'sharedmods' failed make: *** [sharedmods] Error 132 make: *** Waiting for unfinished jobs.... Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: fix build on softfloat mipsMatthias Schoepfer via Openembedded-core2019-11-102-0/+202
| | | | | | | | | | | | | This patch originally only meant to correct the python3 build for mips with softfloat, as the original test only checked for mips hardfloat. Replaced custom C Program for triplet detection with autotools triplet detection. Signed-off-by: Matthias Schoepfer <matthias.schoepfer@ithinx.io> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3: fix do_install fail for parallel buiildChangqing Li2019-11-102-0/+35
| | | | | | | | | | | | When using make -j with the 'install' target, it's possible for altbininstall (which normally creates BINDIR) and libainstall (which doesn't, though it installs python-config there) to race, resulting in a failure due to attempting to install python-config into a nonexistent BINDIR. Ensure it also exists in the libainstall target. Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libxslt: fix CVE-2019-18197Joe Slater2019-11-102-0/+34
| | | | | | | | | Use patch from upstream after 1.1.33 release. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libtiff: fix CVE-2019-17546Joe Slater2019-11-102-0/+104
| | | | | | | | | Apply unmodified patch from upstream. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tiff: fix CVE-2019-14973Trevor Gamblin2019-11-102-1/+417
| | | | | | | | | | CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-14973 Upstream merge: https://gitlab.com/libtiff/libtiff/commit/2218055c Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> [fixup for Warrior context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lib/oe/lsb: Make sure the distro ID is always lowercasedPeter Kjellerstedt2019-11-101-4/+4
| | | | | | | | | | | | | | | In commit 8689e561 (lib/oe/lsb: attempt to ensure consistent distro id regardless of source), the distro ID returned by oe.lsb.distro_identifier() was lowercased, but only if a release version is also present. This changes the code to always lowercase the distro ID, including the default distro ID "unknown", which is used if no other ID can be identified. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* devtool: finish: Add suppport for the --no-clean optionPeter Kjellerstedt2019-11-101-1/+2
| | | | | | | | | This works just like the already existing --no-clean option to the `devtool reset` command. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* devtool: finish: Keep patches ordered when updating bbappendNiclas Svensson2019-11-101-4/+4
| | | | | | | | | | | The _get_patchset_revs() function returns the patches in an OrderedDict to keep them ordered. However, this information was lost when the patches were added to the bbappend file. Signed-off-by: Niclas Svensson <niclas.svensson@axis.com> Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tzdata: Correct the packaging of /etc/localtime and /etc/timezonePeter Kjellerstedt2019-11-101-2/+3
| | | | | | | | | | | | | | | | During restructuring of the packaging in 2af4d6eb (tzdata: Install everything by default), these two files remained in the tzdata package, which is supposed to be empty. Move them to tzdata-core where they belong. Also simplify the definition of CONFFILES_tzdata-core. As its value only takes effect for files that actually exist, there is no need to complicate its definition by checking if a file is created before adding it to the list of configuration files. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* package_rpm.bbclass: Remove a misleading bb.note()Peter Kjellerstedt2019-11-101-3/+2
| | | | | | | | | | | | It should have been removed in 3db9d865 (classes/package_rpm.bbclass: Enhance diagnostic messages) when it was split in two new notes. Also change the casing of two other notes to align them with the other notes. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* devtool: Avoid failure for recipes with S == WORKDIR and no local filesPeter Kjellerstedt2019-11-101-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When extracting the sources for a recipe that has S == WORKDIR and no local files in the SRC_URI (which, e.g., can happen for a recipe with a URI that has the unpack=false attribute), the extraction fails with the following backtrace: Traceback (most recent call last): File ".../scripts/devtool", line 344, in <module> ret = main() File ".../scripts/devtool", line 331, in main ret = args.func(args, config, basepath, workspace) File ".../poky/scripts/lib/devtool/standard.py", line 762, in modify initial_rev, _ = _extract_source(srctree, args.keep_temp, args.branch, False, config, basepath, workspace, args.fixed_setup, rd, tinfoil, no_overrides=args.no_overrides) File ".../poky/scripts/lib/devtool/standard.py", line 647, in _extract_source bb.process.run('git %s commit -a -m "Committing local file symlinks\n\n%s"' % (' '.join(useroptions), oe.patch.GitApplyTree.ignore_commit_prefix), cwd=srctree) File ".../poky/bitbake/lib/bb/process.py", line 178, in run raise ExecutionError(cmd, pipe.returncode, stdout, stderr) bb.process.ExecutionError: Execution of 'git commit -a -m "Committing local file symlinks %% ignore"' failed with exit code 1: On branch devtool nothing to commit, working tree clean This is because no files were found in the oe-local-files directory and consequently no symbolic links were added using `git add`, but the `git commit` command was still executed. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nativesdk-meson: Remove some unused variablesPeter Kjellerstedt2019-11-101-5/+0
| | | | | | Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meson.bbclass: Remove the MESON_*_ARGS variablesPeter Kjellerstedt2019-11-101-10/+5
| | | | | | | | | | | | | | | | | | The options in ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} are already passed via ${CC}/${CXX} and there is no reason to pass them a second time. Thus we can remove MESON_TOOLCHAIN_ARGS. And when it is removed, the other MESON_*_ARGS variables revert to the standard CFLAGS, CXXFLAGS and LDFLAGS, so just use them directly instead. Apart from the obvious improvement with not passing a lot of options twice, this also solves a problem where -pie would be passed on the command line in a way that it would prevent building any dynamic libraries using meson if using a toolchain that is not built with --enable-default-pie and if security_flags.inc is used. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meson: Backport patch to handle strings in cross file argsPeter Kjellerstedt2019-11-102-0/+88
| | | | | | | | | This allows <language>_args and <language>_link_args properties, e.g., c_link_args, in meson.cross to be specified as either a string or a list. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* go-1.12: update to 1.12.9 minor releaseKhem Raj2019-11-071-3/+3
| | | | | Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: Upgrade 1.12.5 -> 1.12.6Adrian Bunk2019-11-071-3/+3
| | | | | Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: update 1.12.1->1.12.5Alexander Kanavin2019-11-071-3/+3
| | | | | Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* build-appliance-image: Update to warrior head revisionRichard Purdie2019-10-301-1/+1
| | | | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: update to 3.1.1.1Armin Kuster2019-10-3014-798/+2
| | | | | | | | | | | bug fix only update. Drop patches included in update. For full set of changes, see: https://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/tags/v3.1.1.1 Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix CVE-2019-16276Chen Qi2019-10-302-0/+164
| | | | | | | | | | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e31f87e289dfd3bbca961e927447a9c7ba816d3f) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit e02e8fa2e82cceaaa6a433466f52f97b0984762a) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sudo: fix CVE-2019-14287Changqing Li2019-10-303-0/+292
| | | | | | | | | | | | | | | | In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u \#$((0xffffffff))" command. Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 4e11cd561f2bdaa6807cf02ee7c9870881826308) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit b1e0149c41e3c344a0496e64ab3b0c9dd4685ea4) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libgcrypt: fix CVE-2019-12904Yi Zhao2019-10-304-0/+603
| | | | | | | | | | | | | | | | | | | | | | | In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-12904 Patches from: https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705 https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762 https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 37e390ff05b6a4509019db358ed496731d80cc51) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 4c207cb1ad46c0d2005ab3eae70d78c937e084b5) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: make OPENSSL_ENGINES match install pathGeorge McCollister2019-10-301-1/+1
| | | | | | | | | | | | Set OPENSSL_ENGINES to the path where engines are actually installed. Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 59565fec0b3f3e24eb01c03b671913599cd3134d) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 578f41124565a7cda738c7fe3d25702ee41b08ed) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python: Fix CVE-2019-10160Changqing Li2019-10-302-0/+82
| | | | | | | | | | Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit b4240b585d7fcac2fdbf33a8e72d48cb732eb696) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 10d87a3085665a959a5fda64ae3895cb27ddf343) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python: CVE-2019-16056Chen Qi2019-10-302-0/+91
| | | | | | | | | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 27be9cf71a6fe906a23e81b56f1cc18a6fc9ef97) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python: add tk-lib as runtime dependency for python-tkinterYi Zhao2019-10-302-2/+2
| | | | | | | | | | | | | | Fixes: ERROR: python-2.7.16-r0 do_package_qa: QA Issue: /usr/lib/python2.7/lib-dynload/_tkinter.so contained in package python-tkinter requires libtk8.6.so, but no providers found in RDEPENDS_python-tkinter? [file-rdeps] Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit f78248a2380bbbbf271b5bb02c762f5bc7a3a92e) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python: include CVE patches for python-native as wellAnuj Mittal2019-10-302-5/+5
| | | | | | | | | | Also avoids maintaining a different set of patches for both. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b3b1c00cc46b33ddbf7e008267032220e1e298af) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libcroco: Fix two CVEsMuminul Islam2019-10-302-0/+39
| | | | | | | | CVE: CVE-2017-8834 CVE-2017-8871 Signed-off-by: Muminul Islam <muislam@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>