aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)Author
2017-10-16wpa_supplicant: fix WPA2 key replay security bugkrogoth-nextRoss Burton
WPA2 is vulnerable to replay attacks which result in unauthenticated users having access to the network. * CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake * CVE-2017-13078: reinstallation of the group key in the Four-way handshake * CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake * CVE-2017-13080: reinstallation of the group key in the Group Key handshake * CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake * CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it * CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake * CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame * CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame Backport patches from upstream to resolve these CVEs. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-19libgcrypt: fix CVE-2017-9526Ross Burton
In libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from side-channel observation during the signing process) can easily recover the long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this session key in secure memory, to ensure that constant-time point operations are used in the MPI library. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-19libgcrypt: fix CVE-2017-7526Ross Burton
Fixes CVE-2017-7526, 'flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster"'. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-27initrdscripts/init-install*: Add rootwait when installing to USB devicesCalifornia Sullivan
It can take a bit for USB devices to be detected, so if a USB device is your rootfs and you don't set rootwait you will most likely get a kernel panic. Fix this by adding rootwait to the kernel command line on installation. Fixes [YOCTO #9462]. Signed-off-by: California Sullivan <california.l.sullivan@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-06-16package_ipk: Clean up Source entry in ipk packagesRichard Purdie
There is the potential for sensitive information to leak through the urls there and removing it brings this into the behavior of the other package backends since filtering it is likely error prone. Since ipks don't appear to be generated at all if we don't set this, set the field to the recipe name used (basename only, no paths). This avoids information leaking. We may want to drop the field if opkg can allow that at a future point but the recipe name is a suitable identifier for now. Reported-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-07oeqa/selftest/recipetool: actually fix create_github testRoss Burton
The Meson revision was locked down but the license list change wasn't actually committed... Also specify the exact path for recipetool to write to, for clarity. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-07build-appliance-image: Update to krogoth head revisionRichard Purdie
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-07grub2: enforce -no-pie if supported by compilerAlexander Kanavin
Recent distros are enabling -pie by default; in case of grub we need to turn it off. (From OE-Core rev: aaff6c99dde3f1058bb3c4b320f27753c6c992ad) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-06build-appliance-image: Update to krogoth head revisionRichard Purdie
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-06rootfs_rpm: Increase rootfs sizeSaul Wold
This doubles the amount of extra space that is provided for SMART and RPM, as they consume more disk space during qa testing via testimage [YOCTO #9800] (From OE-Core rev: 2d636068d9d3a1ea2db3ace49462be13ba9ef125) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-06oeqa/selftest: lock down Meson git revision for reliabilityRoss Burton
The test_recipetool_create_github test fetches HEAD of the repository so upstream changes can (and do) break the test. Avoid these problems by passing the rev= argument in the URL to lock the checkout to the same version that is fetched in the github_tarball test. Also pass the commands to runCmd() as a list instead of a string, the semicolon in the URL needs more quotes if the shell is involved and passing a list bypasses the shell entirely. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-06oeqa/runtime/rpm: use su instead of sudoRoss Burton
This test works fine with su, which is more likely to be installed in images than sudo. (From OE-Core rev: 59d10be745a1f7d31c68e4d5da9e1c3461b7d390) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-05libunwind: Fix build race conflict with gcc and muslRichard Purdie
Building libunwind, then gcc-runtime causes build failures. This is hard to fix since gcc-runtime wants the internal gcc unwind.h header but libunwind wants to provide this. There are differences in include behaviour between gcc and glibc which are by design. This patch hacks around the issue by looking for a define used during gcc-runtime's build and skipping to the internal header in that case. The patch is only enabled on musl and is the best workaround I could come up with to unblock failing builds on our autobuilder. [YOCTO #10129] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-30selftest/recipetool: Fix test for krogothRichard Purdie
This test was backported and doesn't function quite the same way under krogoth since some of the extended python license checking wasn't yet added. This tweaks the output to match the expected result in krogoth. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-27webkitgtk: fix racy double build of WebKit2-4.0.girAlexander Kanavin
This occasionally triggered autobuilder errors where the .gir file appeared truncated to introspection tools. (From OE-Core rev: 2154c1c803b7bd36a1401fa657e7fd8cb1060a70) RP: backported from 2.12 to 2.10 Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-27cryptodev-linux: update SRC_URIChang Rebecca Swee Fun
Gna! project announced that the download site from gna.org HTTP server will soon be closing down. We have verified that the site is no longer accessible without network proxy cache. We need to update SRC_URI to point to new alternative (nwl.cc HTTP server) in order to avoid fetcher issues in future. [YOCTO #11575] Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-18pseudo: Work around issues with glibc 2.24Richard Purdie
There are issues with a change made to RTLD_NEXT behaviour in glibc 2.24 and that change was also backported to older glibc versions in some distros like Fedora 23. This adds a workaround whilst the pseudo maintainer fixes various issues properly. (From OE-Core rev: 21c38a091c4a1917f62a942c4751b0fd11dce340) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18pseudo: obey our LDFLAGSChristopher Larson
(From OE-Core rev: fc04eae73cb99d3783b09d062120a9b7dc95210a) Signed-off-by: Christopher Larson <chris_larson@mentor.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl.inc: avoid random ptest failuresPatrick Ohly
"make alltests" is sensitive to the timestamps of the installed files. Depending on the order in which cp copies files, .o and/or executables may end up with time stamps older than the source files. Running tests then triggers recompilation attempts, which typically will fail because dev tools and files are not installed. "cp -a" is not enough because the files also have to be newer than the installed header files. Setting the file time stamps to the current time explicitly after copying solves the problem because do_install_ptest_base is guaranteed to run after do_install. (From OE-Core rev: 101e2a5e0b7822ca3de3d3a73369405c05ab3c5b) Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: fix do_configure error when cwd is not in @INCRobert Yang
Fixed when building on Debian-testing: | Can't locate find.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at perlpath.pl line 7. (From OE-Core rev: c28065671b582c140d5971c73791d2ac8bdebe69) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> fixed merge conflict Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: Security fix CVE-2016-2177Armin Kuster
Affects openssl <= 1.0.2h CVSS v2 Base Score: 7.5 HIGH (From OE-Core rev: 2848c7d3e454cbc84cba9183f23ccdf3e9200ec9) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> fixed merge conflicts Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: prevent warnings from openssl-c_rehash.shJoshua Lock
The openssl-c_rehash.sh script reports duplicate files and files which don't contain a certificate or CRL by echoing a WARNING to stdout. This warning gets picked up by the log checker during rootfs and results in several warnings getting reported to the console during an image build. To prevent the log from being overrun by warnings related to certificates change these messages in openssl-c_rehash.sh to be prefixed with NOTE not WARNING. (From OE-Core rev: 88c25318db9f8091719b317bacd636b03d50a411) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: Ensure SSL certificates are stored on sysconfdirOtavio Salvador
Debian and other generic distributions has moved the certificates for sysconfdir (/etc/ssl) and made the libdir content to link for it. This provides several advantages specially for read-only rootfs. Another benefit is that it ensures foreign implementations (e.g: BoringSSL, from Chromium, when running with OpenSSL backend for the certificates) to find the content correctly. (From OE-Core rev: 50d63fa346bbb05dafffc0cb55e21e1092272d95) Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: Add Shell-Script based c_rehash utilityOtavio Salvador
The PLD Linux distribution has ported the c_rehash[1] utility from Perl to Shell-Script, allowing it to be shipped by default. 1. https://git.pld-linux.org/?p=packages/openssl.git;a=blob;f=openssl-c_rehash.sh;h=0ea22637ee6dbce845a9e2caf62540aaaf5d0761 The OpenSSL upstream intends[2] to convert the utility for C however did not yet finished the conversion. 2. https://rt.openssl.org/Ticket/Display.html?id=2324 This patch adds this script and thus removed the Perl requirement for it. (From OE-Core rev: cb6150f1a779e356f120d5e45c91fda75789970a) Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: fix add missing dependencies building for test directoryAndrej Valek
Regarding the last commit about missing dependencies, another issue was found. The problem was found, while ptest has been built with some set extra settings. It means, when ptest is going to be built, it is necessary to rebuild dependencies for test directory too. (From OE-Core rev: 030142d0410bec85aeacfff6be27d5fed41ce808) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: fix add missing `make depend` command before `make` libraryAndrej Valek
Settings from EXTRA_OECONF like en/disable no-ssl3, are transferred only into DEPFLAGS. It means that settings have no effect on output files. DEPFLAGS will be transferred into output files with make depend command. https://wiki.openssl.org/index.php/Compilation_and_Installation#Dependencies (From OE-Core rev: e3c251427a305780d3257a011260bd978de273d5) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: Fix MIPS64be and add MIPS64leZubair Lutfullah Kakakhel
MIPS64 target was being configured for linux-mips which defaults to MIPS32. Doesn't cause any issue as far as I can see but it would be wiser to use the correct target configuration. Also add MIPS64le configuration which is missing. (From OE-Core rev: 0afec72913bc31d315cba079da317e8b28755ded) Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18mesa: update SRC_URIArmin Kuster
ERROR: mesa-2_11.1.2-r0 do_checkuri: Function failed: Fetcher failure for URL: 'ftp://ftp.freedesktop.org/pub/mesa/11.1.2/mesa-11.1.2.tar.xz'. URL ftp://ftp.freedesktop.org/pub/mesa/11.1.2/mesa-11.1.2.tar.xz doesn't work ERROR: Logfile of failure stored in: /home/akuster/oss/maint/poky/build/tmp/work/i586-poky-linux/mesa/2_11.1.2-r0/temp/log.do_checkuri.30779 Log data follows: | DEBUG: Executing python function do_checkuri | DEBUG: Testing URL ftp://ftp.freedesktop.org/pub/mesa/11.1.2/mesa-11.1.2.tar.xz | DEBUG: checkstatus() urlopen failed: <urlopen error ftp error: 550 Failed to change directory.> | DEBUG: Python function do_checkuri finished | ERROR: Function failed: Fetcher failure for URL: 'ftp://ftp.freedesktop.org/pub/mesa/11.1.2/mesa-11.1.2.tar.xz'. URL ftp://ftp.freedesktop.org/pub/mesa/11.1.2/mesa-11.1.2.tar.xz doesn't work Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18libpng -lsb: update SRC_URIArmin Kuster
ERROR: libpng12-1.2.56-r0 do_checkuri: Function failed: Fetcher failure for URL: 'http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz'. URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz doesn't work ERROR: Logfile of failure stored in: /home/akuster/oss/maint/poky/build/tmp/work/i586-poky-linux/libpng12/1.2.56-r0/temp/log.do_checkuri.19750 Log data follows: | DEBUG: Executing python function do_checkuri | DEBUG: Testing URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz | DEBUG: checkstatus() urlopen failed: HTTP Error 404: Not Found | DEBUG: Python function do_checkuri finished | ERROR: Function failed: Fetcher failure for URL: 'http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz'. URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz doesn't work Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18libxslt: update SRC_URIArmin Kuster
| ERROR: Function failed: Fetcher failure for URL: 'ftp://xmlsoft.org/libxslt/libxslt-1.1.28.tar.gz'. URL ftp://xmlsoft.org/libxslt/libxslt-1.1.28.tar.gz doesn't work ERROR: Logfile of failure stored in: /home/akuster/oss/maint/poky/build/tmp/work/x86_64-linux/libxslt-native/1.1.28-r0/temp/log.do_checkuri.16102 Log data follows: | DEBUG: Executing python function do_checkuri | DEBUG: Testing URL ftp://xmlsoft.org/libxslt/libxslt-1.1.28.tar.gz | DEBUG: checkstatus() urlopen failed: <urlopen error ftp error: [Errno 110] Connection timed out> | DEBUG: Python function do_checkuri finished | ERROR: Function failed: Fetcher failure for URL: 'ftp://xmlsoft.org/libxslt/libxslt-1.1.28.tar.gz'. URL ftp://xmlsoft.org/libxslt/libxslt-1.1.28.tar.gz doesn't work Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18libpng: update SRC_URI back to SFArmin Kuster
ERROR: Task 944 (virtual:nativesdk:/home/akuster/oss/maint/poky/meta/recipes-multimedia/libpng/libpng_1.6.21.bb, do_checkuri) failed with exit code '1' ERROR: libpng12-1.2.56-r0 do_checkuri: Function failed: Fetcher failure for URL: 'http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz'. URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz doesn't work ERROR: Logfile of failure stored in: /home/akuster/oss/maint/poky/build/tmp/work/i586-poky-linux/libpng12/1.2.56-r0/temp/log.do_checkuri.14781 Log data follows: | DEBUG: Executing python function do_checkuri | DEBUG: Testing URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz | DEBUG: checkstatus() urlopen failed: HTTP Error 404: Not Found | DEBUG: Python function do_checkuri finished | ERROR: Function failed: Fetcher failure for URL: 'http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz'. URL http://distfiles.gentoo.org/distfiles/libpng-1.2.56.tar.xz doesn't work SF now has a old releases dir which contains this tarball. It got dropped from Gentoo Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18libpcre: update SRC_URIArmin Kuster
ERROR: Task 75 (/home/akuster/oss/maint/poky/meta/recipes-support/libpcre/libpcre_8.38.bb, do_checkuri) failed with exit code '1' ERROR: libpcre-native-8.38-r0 do_checkuri: Function failed: Fetcher failure for URL: 'ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.38.tar.bz2'. URL ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.38.tar.bz2 doesn't work Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18zlib: update SRC_URI to fix fetchingJoshua Lock
Upstream have removed the file from zlib.net as a new version has been released, switch to fetching from the official sourceforge mirror. [YOCTO #10879] (From OE-Core rev: bb99e4a620efd59556539c156cd98ea23aae74c8) (From OE-Core rev: b7599330f1d629384e16a5fbeffc1a65c1555667) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18populate_sdk_ext: whitelist do_package tasksEd Bartosh
With enabled SSTATE_MIRRORS sstate code expects mirrors to contain entries for all tasks, which is not the case for ext installer as it uses reduced sstate cache. Added do_package tasks to BB_SETSCENE_ENFORCE_WHITELIST to prevent installer failing with ERROR: Sstate artifact unavailable [YOCTO #10832] (From OE-Core rev: 2ed46ada4b8e496493835e84b36f7e9c367f59d2) (From OE-Core rev: eb2fc2cd9081a4533ed30fe81c9f491b06cc5ae1) Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18populate_sdk_ext: fix working with uninative sstateEd Bartosh
Mapped uninative sstate directories to make ext SDK installer to use them when it's run on systems with gcc version different from gcc version used to build installer. [YOCTO #10832] (From OE-Core rev: fb945c0fd2e66d70461e6cf2e602020eeabe32f7) Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tiff: Security fix CVE-2016-9538Mingli Yu
* tools/tiffcrop.c: fix read of undefined buffer in readContigStripsIntoBuffer() due to uint16 overflow. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9538 Patch from: https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f (From OE-Core rev: 9af5d5ea882c853e4cb15006f990d3814eeea9ae) (From OE-Core rev: 33cad1173f6d1b803b794a2ec57fe8a9ef19fb44) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tiff: Security fix CVE-2016-9535Mingli Yu
* libtiff/tif_predict.h, libtiff/tif_predict.c: Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. External References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9535 Patch from: https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1 https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33 (From OE-Core rev: 61d3feb9cad9f61f6551b43f4f19bfa33cadd275) (From OE-Core rev: d55b4470c20f4a4b73b1e6f148a45d94649dfdb5) Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tiff: Security fix CVE-2016-9539Zhixiong Chi
tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9539 Patch from: https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 (From OE-Core rev: 58bf0a237ca28459eb8c3afa030c0054f5bc1f16) (From OE-Core rev: 0933a11707a369c8eaefebd31e8eea634084d66e) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tiff: Security fix CVE-2016-9540Zhixiong Chi
tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow." External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9540 Patch from: https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 (From OE-Core rev: cc97dc66006c7892473e3b4790d05e12445bb927) (From OE-Core rev: ad2c4710ef15c35f6dd4e7642efbceb2cbf81736) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tiff: Security fix CVE-2016-3632Yi Zhao
CVE-2016-3632 libtiff: The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3632 http://bugzilla.maptools.org/show_bug.cgi?id=2549 https://bugzilla.redhat.com/show_bug.cgi?id=1325095 The patch is from RHEL7. (From OE-Core rev: 9206c86239717718be840a32724fd1c190929370) (From OE-Core rev: 0c6928f4129e5b1e24fa2d42279353e9d15d39f0) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tiff: Security fix CVE-2016-3658Zhixiong Chi
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3658 http://bugzilla.maptools.org/show_bug.cgi?id=2546 Patch from: https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d (From OE-Core rev: c060e91d2838f976774d074ef07c9e7cf709f70a) (From OE-Core rev: cc266584158c8dfc8583d21534665b6152a4f7ee) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18expat: CVE-2012-6702, CVE-2016-5300Sona Sarmadi
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 http://www.openwall.com/lists/oss-security/2016/06/04/5 Reference to upstream fix: https://bugzilla.redhat.com/attachment.cgi?id=1165210 Squashed backport against vanilla Expat 2.1.1, addressing: * CVE-2012-6702 -- unanticipated internal calls to srand * CVE-2016-5300 -- use of too little entropy Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18oeqa: fix hasPackage, add hasPackageMatchRoss Burton
hasPackage() was looking for the string provided as an RE substring in the manifest, which resulted in a large number of false positives (i.e. libgtkfoo would match "gtk+"). Rewrite the manifest loader to parse the files into a proper data structure, change hasPackage to do full string matches, and add hasPackageMatch which does RE substring matches. (From OE-Core rev: b9409863af71899e02275439949e3f4cdfaf2d0f) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tzdata: update to 2016iArmin Kuster
Briefly: Cyprus split into two time zones on 2016-10-30, and Tonga reintroduces DST on 2016-11-06. Changes to future time stamps Pacific/Tongatapu begins DST on 2016-11-06 at 02:00, ending on 2017-01-15 at 03:00. Assume future observances in Tonga will be from the first Sunday in November through the third Sunday in January, like Fiji. (Thanks to Pulu ʻAnau.) Switch to numeric time zone abbreviations for this zone. Changes to past and future time stamps Northern Cyprus is now +03 year round, causing a split in Cyprus time zones starting 2016-10-30 at 04:00. This creates a zone Asia/Famagusta. (Thanks to Even Scharning and Matt Johnson.) Antarctica/Casey switched from +08 to +11 on 2016-10-22. (Thanks to Steffen Thorsen.) Changes to past time stamps Several corrections were made for pre-1975 time stamps in Italy. These affect Europe/Malta, Europe/Rome, Europe/San_Marino, and Europe/Vatican. First, the 1893-11-01 00:00 transition in Italy used the new UT offset (+01), not the old (+00:49:56). (Thanks to Michael Deckers.) Second, rules for daylight saving in Italy were changed to agree with Italy's National Institute of Metrological Research (INRiM) except for 1944, as follows (thanks to Pierpaolo Bernardi, Brian Inglis, and Michael Deckers): The 1916-06-03 transition was at 24:00, not 00:00. The 1916-10-01, 1919-10-05, and 1920-09-19 transitions were at 00:00, not 01:00. The 1917-09-30 and 1918-10-06 transitions were at 24:00, not 01:00. The 1944-09-17 transition was at 03:00, not 01:00. This particular change is taken from Italian law as INRiM's table, (which says 02:00) appears to have a typo here. Also, keep the 1944-04-03 transition for Europe/Rome, as Rome was controlled by Germany then. The 1967-1970 and 1972-1974 fallback transitions were at 01:00, not 00:00. (From OE-Core rev: daf95f7fd9f7ab65685d7b764d8e50df8d00d308) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tzcode: update to 2016iArmin Kuster
Changes to code The code should now be buildable on AmigaOS merely by setting the appropriate Makefile variables. (From a patch by Carsten Larsen.) (From OE-Core rev: d2b8c4ee535684f5d874082a7f76efbda1907ea5) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18openssl: Security fix CVE-2016-8610Armin Kuster
affects openssl < 1.0.2i (From OE-Core rev: 0256b61cdafe540edb3cec2a34429e24b037cfae) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-05-18tiff: Security fix CVE-2016-3622Yi Zhao
CVE-2016-3622 libtiff: The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3622 http://www.openwall.com/lists/oss-security/2016/04/07/4 Patch from: https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286 (From OE-Core rev: 0af0466f0381a72b560f4f2852e1d19be7b6a7fb) (From OE-Core rev: 928eadf8442cf87fb2d4159602bd732336d74bb7) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-18tiff: Security fix CVE-2016-3623Yi Zhao
CVE-2016-3623 libtiff: The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623 http://bugzilla.maptools.org/show_bug.cgi?id=2569 Patch from: https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b (From OE-Core rev: d66824eee47b7513b919ea04bdf41dc48a9d85e9) (From OE-Core rev: f0e77ffa6bbc3adc61a2abd5dbc9228e830c055d) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-18tiff: Security fix CVE-2016-3991Yi Zhao
CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3991 http://bugzilla.maptools.org/show_bug.cgi?id=2543 Patch from: https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba (From OE-Core rev: d31267438a654ecb396aefced201f52164171055) (From OE-Core rev: cf58711f12425fc1c29ed1e3bf3919b3452aa2b2) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-18tiff: Security fix CVE-2016-3990Yi Zhao
CVE-2016-3990 libtiff: Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3990 http://bugzilla.maptools.org/show_bug.cgi?id=2544 Patch from: https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1 (From OE-Core rev: c6492563037bcdf7f9cc50c8639f7b6ace261e62) (From OE-Core rev: d7165cd738ac181fb29d2425e360f2734b0d1107) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>