Age | Commit message | Author |
|
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
* unlike DEPENDS/RDEPENDS the PACKAGE_WRITE_DEPS dependency isn't automatically
extended with MLPREFIX, causing lib32-cpio to depend on 64bit ptest-runner (and
all its deps)
* append it only for class-target to avoid nativesdk-cpio depending
on target ptest-runner (before this patch) and depending on non-existent
nativesdk-ptest-runner with this patch (as nativesdk.bbclass sets MLPREFIX to
"nativesdk-")
stdio: WARNING: Nothing PROVIDES 'nativesdk-ptest-runner'. Close matches:
stdio: WARNING: Nothing RPROVIDES 'nativesdk-cpio' (but virtual:nativesdk:/home/pokybuild/yocto-worker/a-full/build/meta/recipes-extended/cpio/cpio_2.14.bb RDEPENDS on or otherwise requires it)
stdio: WARNING: Nothing RPROVIDES 'nativesdk-cpio-dev' (but virtual:nativesdk:/home/pokybuild/yocto-worker/a-full/build/meta/recipes-extended/cpio/cpio_2.14.bb RDEPENDS on or otherwise requires it)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Specifically this includes the commit "Fix appending to archives bigger
than 2G".
Drop all submitted patches.
Apply a patch from git to fix the build with clang.
[ YOCTO #11674 ]
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
Running these tests under root user on musl works ok but it emits
additional diagnostic
cpio: dir: Cannot change ownership to uid 0, gid 0: Not supported
Ideally it's better to run this test suite under non-root user which
is often how these are run. Moreover, tests work on musl as well.
(From OE-Core rev: 22d19266269c28f596f031fcba8f2831c6465880)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
Due to signedness, the checksum is not computed when filesize is bigger
than 2GB. Pick a fix for this problem from CPIO ML, where the fix has been
posted for 5 years. Since CPIO upstream is effectively unresponsive and
any and all attempts to communicate with the maintainer and get the fix
applied upstream failed, add the fix here instead.
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix following ptest failure:
/usr/lib64/cpio/ptest/run-ptest: line 7: cd: /usr/lib/cpio/ptest/tests/: No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add ptest function for oss 'cpio'.
This test takes less than 1 second with kvm enabled, so it is a fast test.
autotest files would contain TMPDIR, they are removed from script files
atconfig and atlocal.
Signed-off-by: yanxk <yanxk.fnst@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
|
|
Backport needed patches
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport a gnulib patch
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
license identifiers
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Since commit [24b80d211f nativesdk.bbclass: set sbindir to bindir]
applied, sbindir = bindir in nativesdk, then routine `rmt' is
installed to bindir, which breaks `rmdir ${D}${bindir}/', failing with
`Directory not empty'
Don't rmdir if sbindir != bindir
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
It helps our stats tracking to use Backport consistently, it means the same
thing as Accepted in pretty much all cases.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
gcc 10 introduced "-fno-common" as default. Therefore backport the
according cpio patch to fix this issue.
Signed-off-by: Richard Leitner <richard.leitner@skidata.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
According to the home page, https://www.gnu.org/software/cpio/,
CVE-2015-1197 has been fixed in version 2.13, so removed
this patch, which was taken from SUSE
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop a couple of backports.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
native clashing
The rmt in cpio-native and tar-native is clashing, since
tar-native has set var-NATIVE_PACKAGE_PATH_SUFFIX, we move rmt
to sbindir, and add suffix NATIVE_PACKAGE_PATH_SUFFIX to sbindir
could avoid the clashing.
And in Ubuntu, rmt is in sbindir
$ which rmt
/usr/sbin/rmt
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This fixes:
Error: Transaction check error:
file /usr/share/man/man8/rmt.8 conflicts between attempted installs of
cpio-doc-2.12-r0.core2_64 and tar-doc-1.31-r0.core2_64
Prior to commit 348a96a5b401 [tar: upgrade to 1.31] the copies of
rmt.8 found in the tar(-doc) and cpio(-doc) packages were the same and
thus no conflict was seen. After the upgrade there were small changes
in the manpage header which results in the conflict quoted above. The
applications themselves make use of the 'update-alternatives'
mechanism to allow a user to select which version of 'rmt' to use but
since the man pages are essentially the same we disambiguate the
source of the man pages and make them both available should
cpio-doc and tar-doc both be installed. And as such we avoid the
conflict.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The segfault on append was fixed upstream with a different patch, so apply that
instead.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The upstream fix for CVE-2016-2037 introduced a read from uninitialized memory
bug when appending to an existing archive, which is an operation we perform when
building an image.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows
remote attackers to cause a denial of service (out-of-bounds write)
via a crafted cpio file."
https://nvd.nist.gov/vuln/detail/CVE-2016-2037
Note that there appear to be two versions of this fix. The original
patch posted to the bug-cpio mailing list [1] is used by Debian [2],
but apparently causes regression [3]. The patch accepted to the
upstream git repo [4] seems to be the most complete fix.
[1] https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
[2] https://security-tracker.debian.org/tracker/CVE-2016-2037
[3] https://www.mail-archive.com/bug-cpio@gnu.org/msg00584.html
[4] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Merge contents of cpio_v2.inc into the only recipe which uses it.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
These are recipes where the upstream has moved to GPLv3 and these old
versions are the last ones under the GPLv2 license.
There are several reasons for making this move. There is a different
quality of service with these recipes in that they don't get security
fixes and upstream no longer care about them, in fact they're actively
hostile against people using old versions. The recipes tend to need a
different kind of maintenance to work with changes in the wider ecosystem
and there needs to be isolation between changes made in the v3 versions
and those in the v2 versions.
There are probably better ways to handle a "non-GPLv3" system but right
now having these in OE-Core makes them look like a first class citizen
when I believe they have potential for a variety of undesirable issues.
Moving them into a separate layer makes their different needs clearer, it
also makes it clear how many of these there are. Some are probably not
needed (e.g. mc), I also wonder whether some are useful (e.g. gmp)
since most things that use them are GPLv3 only already. Someone could
now more clearly see how to streamline the list of recipes here.
I'm proposing we move to this separate layer for 2.3 with its future
maintainership and testing to be determined in 2.4 and beyond.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If the file is expected to exist, then we should always be using require
so that if it doesn't we get an error rather than some other more
obscure failure later on.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The current patches in OE-core don't have the "CVE:"
tag, now part of the policy of the patches.
This patch adds this tag to several patches. There might
be patches that I missed; the tag can be added in the future.
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Drop backported patches:
Fix-symlink-bad-length-test-for-64-bit-architectures.patch
fix-memory-overrun.patch
fix-testcase-symlink-bad-lengths.patch
0001-fix-testcase-of-symlink-bad-length.patch
statdef.patch is fixing code that doesn't exist anymore.
The problem handled by remove-gets.patch has been fixed differently.
The CVE-2015-1197 has been ignored by upstream and had to be rebased:
http://lists.gnu.org/archive/html/bug-cpio/2015-09/msg00007.html
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
* fix the output of stderr & stdout to meet latest cpio
Signed-off-by: Jun Zhang <jun.zhang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
* src/util.c: Return non-zero exit code if EOF is hit prematurely.
Backport commit:
http://git.savannah.gnu.org/cgit/cpio.git/commit/src/util.c?id=f6a8a2cbd2d5ca40ea94900b55b845dd5ca87328
Signed-off-by: Jun Zhang <jun.zhang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Don't try to move binaries onto themselves if ${bindir} and
${base_bindir} are the same, as is the case on systems with a
merged /usr directory.
Signed-off-by: Dominic Sacré <dominic.sacre@gmx.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix a variety of problems such as typos, bad punctuations, or incorrect
Upstream-Status values.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is same gnulib fix replicated across needed recipes
Change-Id: I756713407111a726eae98e26c9c1ff64981371c0
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Additional directory traversal vulnerability via symlinks
cpio CVE-2015-1197
Initial report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774669
Upstream report:
https://lists.gnu.org/archive/html/bug-cpio/2015-01/msg00000.html
And fix the indent in SRC_URI.
[YOCTO #7182]
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Obtain details from the following URLs.
http://lists.gnu.org/archive/html/bug-cpio/2014-12/msg00000.html
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Obtain details from the following URLs.
http://lists.gnu.org/archive/html/bug-cpio/2014-12/msg00000.html
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
The class itself currently does nothing. The idea is to mark all recipes that
make use of the texinfo utilities. In the future, this class could be used to
suppress the generation/formatting of documentation for performance,
explicitly track dependencies on these utilities, and eliminate Yocto's
current dependency on the host system's texinfo utilities.
Signed-off-by: Max Eliaser <max.eliaser@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
After the recent change of the libexecdir definition, the update-alternatives
for the libexec rmt broke. Fix this by moving rmt from libexec to /sbin. Also
split the rmt app from cpio as it's likely not useful to many users.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
eglibc 2.16 does not export gets anymore
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
WARNING: For recipe cpio, the following files/directories were installed but not shipped in any package:
WARNING: /usr/bin
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
grep-2.5.1a: update upstream status of patches
tar-1.17: update upstream-status of patches
at-3.1.12: update upstream-status for patches
cpio-2.8: update upstream-status for patches
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
Add Upstream-Status tag to patches for the following recipes:
openssh
dbus-glib
expat
opensp
sgml-common
at
cpio (GPLv3 version)
libpam
icu
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
|
|
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
This fixes bug [YOCTO #982]
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|