| Age | Commit message (Collapse) | Author |
|---|
|
Apply point release patches from upstream which includes a fix for
indefinitely spinning process and a zombie by a simple $() statement
in a long running script.
Signed-off-by: Jeroen Hofstee <jhofstee@victronenergy.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
enabled
with thumb and debug enabled bash gets stuck forever when building for qemuarm.
bash/4.4.18-r0/build/builtins$ arm-webos-linux-gnueabi-gcc -march=armv5te -mthumb -fstack-protector-strong --sysroot=bash/4.4.18-r0/recipe-sysroot -c -DHAVE_CONFIG_H -DSHELL -I. -I.. -I../../bash-4.4.18 -I../../bash-4.4.18/include -I../../bash-4.4.18/lib -I../../bash-4.4.18/builtins -O -fno-omit-frame-pointer -g -DNON_INTERACTIVE_LOGIN_SHELLS read.c
when -mthumb, -fstack-protector-strong, -fno-omit-frame-pointer appear
together, removing one of them is enough for successful build.
similar to:
http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150654.html
but in this case the build gets stuck instead of failure
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
In Linux,8 bits of the return code and 8 bits of the number of
the killing signal are mixed into a single value on the exit code,
so the exit status offset should be 8. But the autoconf checker
can not determine it while cross compiling, and then it is set to
the default value 0, which will cause generating the wrong exit
code if program exit with an error code.
Signed-off-by: Rui Wang <rui.wang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
- Drop bash-memleak-bug-fix-for-builtin-command-read.patch which has
been accepted since 4.4.17
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1.Upgrade bash from 4.4 to 4.4.12.
2.Delete bash44-001, bash44-002, bash44-003, bash44-004, bash44-005, bash44-006, bash44-007,bash44-008, bash44-009, bash44-0010, bash44-0011, bash44-0012, since it is integrated upstream.
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
meta/conf/distro/include/tclibc-glibc.inc weakly assigns PREFERRED_PROVIDER
for virtual/libc-locale to glibc-locale, but allows adjusting it if needed.
Hence, bash should not depend on glibc-locale directly, but instead use this
virtual/libc-locale variable.
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Under musl bash uses its own libintl clone but there are some missing
dependencies so it is possible for pathexp.o to be built whilst libintl.h is
being written, leading to compile errors.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Bash hand-maintains their aclocal.m4, so stop autoreconf from invoking aclocal
and overwriting it. This means we can remove the kludge to copy aclocal.m4 to
acinclude.m4.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
bash-ptest fails several tests. This patch fixes:
FAIL: run-intl
The test used to fail because of missing locales (fr_FR, de_DE)
[YOCTO #12145]
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Remove all host build references from the following bash packages:
bash-ptest, bash-bashbug, bash-dev, bash-loadable.
[YOCTO #11918]
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Built in command "read" with "-e" use Readline to obtain the line
in an interactive shell. In this process, a string "rlbuf" is
just allocated without free operation thus cause memory leak.
This patch had been submitted to upstream:
http://lists.gnu.org/archive/html/bug-bash/2017-02/msg00061.html
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
1. Rebase patches:
- fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch
- test-output.patch
2. Drop backported patches:
- CVE-2016-9401.patch
- fix-run-intl.patch
3. Add ${PN}-loadable for loadable builtins which is new features in Bash 4.4
4. The 4.4 fixed CVE-2017-5932 and CVE-2016-0634
- https://security-tracker.debian.org/tracker/CVE-2017-5932
- https://security-tracker.debian.org/tracker/CVE-2016-0634
5. The 4.4 installed include header files, fix bash-dev confilicts
with lib32-bash-dev
.....
$ bitbake lib32-core-image-sato-sdk
...
|Error: Transaction check error: file /usr/include/bash/config.h
conflicts between attempted installs
|of lib32-bash-dev-4.4-r0.x86 and bash-dev-4.4-r0.core2_64
......
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Most of shell scripts refer to '#!/bin/{sh,bash}' inside the script. But when
'usrmege' feature is enabled this path will be /usr/bin/{sh, bash}.
so to satisify build dependency add '/bin/{sh,bash}' to its providers list.
Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
A vulnerability was found in a way bash expands the $HOSTNAME.
Injecting the hostname with malicious code would cause it to run
each time bash expanded \h in the prompt string.
Porting patch from <https://ftp.gnu.org/gnu/bash/bash-4.3-patches/
bash43-047> to solve CVE-2016-0634
CVE: CVE-2016-0634
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
It's a machine-specific script, which is causing conflicts
when multiple versions of bash are installed in multilib setting,
and it also does not really make sense for embedded systems anyway.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These are recipes where the upstream has moved to GPLv3 and these old
versions are the last ones under the GPLv2 license.
There are several reasons for making this move. There is a different
quality of service with these recipes in that they don't get security
fixes and upstream no longer care about them, in fact they're actively
hostile against people using old versions. The recipes tend to need a
different kind of maintenance to work with changes in the wider ecosystem
and there needs to be isolation between changes made in the v3 versions
and those in the v2 versions.
There are probably better ways to handle a "non-GPLv3" system but right
now having these in OE-Core makes them look like a first class citizen
when I believe they have potential for a variety of undesireable issues.
Moving them into a separate layer makes their different needs clearer, it
also makes it clear how many of these there are. Some are probably not
needed (e.g. mc), I also wonder whether some are useful (e.g. gmp)
since most things that use them are GPLv3 only already. Someone could
now more clearly see how to streamline the list of recipes here.
I'm proposing we mmove to this separate layer for 2.3 with its future
maintinership and testing to be determined in 2.4 and beyond.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
popd in bash might allow local users to bypass the restricted shell
and cause a use-after-free via a crafted address.
Porting patch from <https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/
bash44-006> to solve CVE-2016-9401.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Busybox may offer a bash applet. If enabled, the alternatives mechanism
avoids breaking logins if bash gets deinstalled while /bin/bash is configured
as a login shell.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Make sure the recipe version matches what we're
actually shipping, so that tools like cve-check
can do the right thing.
Rather than fetching version 3.2.48 and applying all
patches up to and including version 3.2.57, we just
fetch the latter in the first place.
Signed-off-by: André Draszik <adraszik@tycoint.com>
Acked-by: Sylvain Lemieux <slemieux@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1. Filter the extra white space in intl.right
When the sub-test unicode2.sub of intl.tests executed, it produced
compact results without extra white space, compared to intl.right,
it failed.
So we need to filter the extra white space in intl.right.
Import this patch for intl.right from bash devel branch:
http://git.savannah.gnu.org/cgit/bash.git/log/?h=devel
Commit is:
85ec0778f9d778e1820fb8c0e3e996f2d1103b45
2. Change intl.right correspond to the unicode3.sub's output
In sub-test unicode3.sub of intl.tests have this:
printf %q "$payload"
The payload variable was assigned by ASCII characters, when using
'%q' format strings, it means print the associated argument shell-quoted.
When the strings contain the non-alpha && non-digit && non-punctuation &&
non-ISO 646 character(7-bit), it would output like this: " $'...', ANSI-C
style quoted string. We can check the bash source code at:
http://git.savannah.gnu.org/cgit/bash.git/tree/builtins/printf.def#n557
http://git.savannah.gnu.org/cgit/bash.git/tree/lib/sh/strtrans.c#n331
So we need to change the intl.right contain the correct output of unicode3.sub.
Import parts of this patch for intl.right from bash devel branch:
http://git.savannah.gnu.org/cgit/bash.git/log/?h=devel
Commit is:
74b8cbb41398b4453d8ba04d0cdd1b25f9dcb9e3
3. Add the sanity check for locales
When run the intl.tests, we need the following locales:
en_US & fr_FR & de_DE
So add the locales check for the intl.tests in run-ptest.
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
If security_flags.inc is included then bash 3.2.48 fails to build:
| ../bash-3.2.48/print_cmd.c:1152:3: error: format not a string literal and no format arguments [-Werror=format-security]
| cprintf (indentation_string);
Backport a patch from upstream to solve this.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix the following QA warning:
WARNING: bash-4.3.30-r0 do_package_qa: QA Issue: bash rdepends on libiconv,
but it isn't a build dependency, missing libiconv in DEPENDS
or PACKAGECONFIG? [build-deps]
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1. redirect the stderr output of the command exec with -l option to
/dev/null.
Because when we run command exec with -l option in builtins.tests,
it is a login shell, so it would read the file /etc/profile, that
file executes the /usr/bin/resize which added by commit:
cc6360f4c4d97e0000f9d3545f381224ee99ce7d
The /usr/bin/resize is produced by busybox that source code resize.c
contains:
fprintf(stderr, ESC"7" ESC"[r" ESC"[999;999H" ESC"[6n");
In the end, it outputs an escape sequence to the stderr, so when we
compare the test output file /tmp/xx with builtins.right, it failed.
we need to redirect the stderr output to the /dev/null to solve the
problem.
2. ensure the target system contains the locales "en_US.UTF-8".
Because when run the run-builtins, it executes the source5.sub file
that contain:
LC_ALL=en_US.UTF-8
such as add the following to the local.conf:
IMAGE_LINGUAS_append = " en-us"
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Script bashbug and Makefile for ptest contain build related paths
which cause fail to pass buldpaths QA check.
Remove such paths from these 2 files.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Add user 'test' to fix the failure of 'the test suite should not
be run as root'(run-execscript and run-test)
Backport test case from git://git.sv.gnu.org/bash.git to fix run-execscript
and run-heredoc
Still failed cases:
FAIL: run-intl
FAIL: run-lastpipe
FAIL: run-trap
YOCTO: 5698
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Bash is failing trying to allocate memory [1] using the custom
memory allocator if we disable it the issue is fixed.
The major distributions also disabled by default [2], so we
don't have a good reason to use it.
The underlying issue is due to bash’s malloc using brk() calls
to allocate memory, which fail when address randomization is
enabled in kernel. sbrk() based custom allocators are obsolete.
There may be some performance impact of this however correctness
is more important.
[YOCTO #8452]
[1] https://bugzilla.yoctoproject.org/show_bug.cgi?id=8452#c0
[2] https://bugzilla.yoctoproject.org/show_bug.cgi?id=8452#c5
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
If srcdir is not set, we get below error while running ptest for bash
on qemu target,
-- snip --
root@qemux86:/usr/lib/bash/ptest# ./run-ptest
/bin/sh: line 0: cd: /home/ajay/Downloads/poky-fido-13.0.0/build/tmp/work/i586-poky-linux/bash/4.3-r1/bash-4.3/tests: No such file or directory
Makefile:879: recipe for target 'runtest' failed
make: *** [runtest] Error 1
root@qemux86:/usr/lib/bash/ptest# vi run-ptest
root@qemux86:/usr/lib/bash/ptest#
-- CUT --
So, set srcdir to current directory, where tests binaries exist.
[YOCTO #8145]
Signed-off-by: Ajay M <ajay.gju@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Building the host tool 'mkbuiltins' will fail if the target CFLAGS
contains an option which isn't supported by the host's gcc. To prevent
the issue, define LDFLAGS_FOR_BUILD based on CFLAGS_FOR_BUILD instead
of CFLAGS.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Remove patch001 -> patch030 since they are already in source, add
patch031 -> patch039
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
If NON_INTERACTIVE_LOGIN_SHELLS is defined, all login shells read the
startup files, even if they are not interactive.
This is the behaviour of other major distros like Ubuntu and Fedora.
We also need to set it so that when executing `su -l xxx -c env' command,
/etc/profile is parsed.
[YOCTO #5359]
[YOCTO #7137]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
It's Makefile has the two rules:
$(BUILTINS_LIBRARY): $(BUILTIN_DEFS) $(BUILTIN_C_SRC) config.h ${BASHINCDIR}/memalloc.h version.h
@(cd $(DEFDIR) && $(MAKE) $(MFLAGS) DEBUG=${DEBUG} libbuiltins.a ) || exit 1
${DEFDIR}/builtext.h: $(BUILTIN_DEFS)
@(cd $(DEFDIR) && $(MAKE) $(MFLAGS) builtext.h ) || exit 1
which causes parallel issues:
mkbuiltins.o: file not recognized: File truncated
collect2: ld returned 1 exit status
I don't have any good ideas to fix the problem, so disable parallel
build for it.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
I used a for loop to build these packages more than 520 times, these
recipes never failed.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
It works well now, and bump the PR to avoid:
x86_64-poky-linux-ar: shmatch.o: No such file or directory
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
Disable autoheader by setting EXTRA_AUTORECONF to --exclude=autoheader instead
of setting AUTOHEADER to true.
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
* /usr/bin/bashbug
Signed-off-by: Shiqun Lin <Shiqun.Lin@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
|
Update both bash 3.2.48 (to 57), and bash 4.3 (to 30) to fix the remaining
'shellshock' security issues, CVE-2014-6278.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We upgrade bash_4.3 to patch revision 29, and bash_3.2.48 to 56.
There are numerous community bug fixes included with this set, but the key
items are:
bash32-052 CVE-2014-6271 9/24/2014
bash32-053 CVE-2014-7169 9/26/2014
bash32-054 exported function namespace change 9/27/2014
bash32-055 CVE-2014-7186/CVE-2014-7187 10/1/2014
bash32-056 CVE-2014-6277 10/2/2014
bash43-025 CVE-2014-6271 9/24/2014
bash43-026 CVE-2014-7169 9/26/2014
bash43-027 exported function namespace change 9/27/2014
bash43-028 CVE-2014-7186/CVE-2014-7187 10/1/2014
bash43-029 CVE-2014-6277 10/2/2014
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The class itself currently does nothing. The idea is to mark all recipes that
make use of the texinfo utilities. In the future, this class could be used to
suppress the generation/formatting of documentation for performance,
explicitly track dependencies on these utilities, and eliminate Yocto's
current dependency on the host system's texinfo utilities.
Signed-off-by: Max Eliaser <max.eliaser@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The bash-4.2-patches is obsolete.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch goes through the OE-Core recipes and marks those which use autotools
but don't support a separate build directory (${S} != ${B}). A new class,
autotools-brokensep is used for this purpose.
This doesn't introduce any change in behaviour in its own right.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
A lot of our recipes had short one-line DESCRIPTION values and no
SUMMARY value set. In this case it's much better to just set SUMMARY
since DESCRIPTION is defaulted from SUMMARY anyway and then the SUMMARY
is at least useful. I also took the opportunity to fix up a lot of the
new SUMMARY values, making them concisely explain the function of the
recipe / package where possible.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
Jeroen Hofstee
Martin Jansa
Rui Wang
Hongxu Jia
Ross Burton
Huang Qiyu
Denys Dmytriyenko
Juro Bystricky
Zhang Xiao
Amarnath Valluri
Zhixiong Chi
Alexander Kanavin
Richard Purdie
Li Zhou
Andreas Oberritter
André Draszik
Dengke Du
Maxin B. John
Kai Kang
Aníbal Limón
Ajay M
Andre McCurdy
Robert Yang
Chen Qi
Shiqun Lin
Mark Hatle
Khem Raj
Max Eliaser
Paul Eggleton