path: root/meta/recipes-extended
Age | Commit message | Author
2018-03-15 | libtirpc: Extend to native and nativesdk recipes | Khem Raj
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-03-15 | libtirpc: stop dropping in NIS headers | Ross Burton
libtirpc prior to 1.0.2 assumed that the system provided nis.h but this isn't always true. Until now we've been using a tarball of the missing files from Gentoo, but libtirpc 1.0.2 added a copy of nis.h to the sources so this isn't required anymore. Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-03-15 | libtirpc: upgrade to 1.0.2 | Maxin B. John
1.0.1 -> 1.0.2 Remove these Backported and upstreamed patches: 1. 0001-Fix-for-CVE-2017-8779.patch 2. libtirpc-0.2.1-fortify.patch 3. libtirpc-1.0.2-rc3.patc Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-03-15 | libtirpc: Fix CVE-2017-8779 | Fan Xin
This vulnerability is also called "rpcbomb". Backport upstream patch to fix this vulnerability. CVE: CVE-2017-8779 Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-03-15 | libtirpc: Fix build error due to missing stdint.h> include | Khem Raj
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-03-15 | libtirpc: Enable des APIs for musl | Khem Raj
Use memset() API instead of __bzero() Drop the patch removing des_* functions for musl Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-03-15 | libtirpc: Expose key_secretkey_is_set API | Khem Raj
libnsl needs this API Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-03-15 | libtirpc: Backport fixes from 1.0.2rc3 | Khem Raj
These fixes are needed for it to work with gcc7 Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-03-03 | tzdata: update to 2018c | Armin Kuster
The 2018c release of the tz code and data is available. It follows on the 2018a and 2018b releases, which were published but were not announced until now, due to problems discovered late in their release processes. 2018a had a build-failure typo, and 2018a and 2018b both had problems with ICU and Java, downstream packages which do not support a feature (negative DST offsets) used in 2018a and 2018b. The typo has been fixed, and data changes using negative DST offsets have been reverted pending development of a mechanism to export data to platforms lacking support for such data. Briefly: São Tomé and Príncipe switched from +00 to +01. Brazil's DST will now start on November's first Sunday. Use Debian-style installation locations, instead of 4.3BSD-style. New zic option -t. Changes to past and future time stamps São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at 01:00. (Thanks to Steffen Thorsen and Michael Deckers.) Changes to future time stamps Starting in 2018 southern Brazil will begin DST on November's first Sunday instead of October's third Sunday. (Thanks to Steffen Thorsen.) Changes to past time stamps Japanese DST transitions (1948-1951) were Sundays at 00:00, not Saturdays or Sundays at 02:00. (Thanks to Takayuki Nikai.) A discrepancy of 4 s in timestamps before 1931 in South Sudan has been corrected. The 'backzone' and 'zone.tab' files did not agree with the 'africa' and 'zone1970.tab' files. (Problem reported by Michael Deckers.) The abbreviation invented for Bolivia Summer Time (1931-2) is now BST instead of BOST, to be more consistent with the convention used for Latvian Summer Time (1918-9) and for British Summer Time. Changes to build procedure The default installation locations have been changed to mostly match Debian circa 2017, instead of being designed as an add-on to 4.3BSD circa 1986. This affects the Makefile macros TOPDIR, TZDIR, MANDIR, and LIBDIR. 
New Makefile macros TZDEFAULT, USRDIR, USRSHAREDIR, BINDIR, ZDUMPDIR, and ZICDIR let installers tailor locations more precisely. (This responds to suggestions from Brian Inglis and from Steve Summit.) The default installation procedure no longer creates the backward-compatibility link US/Pacific-New, which causes confusion during user setup (e.g., see Debian bug 815200). Use 'make BACKWARD="backward pacificnew"' to create the link anyway, for now. Eventually we plan to remove the link entirely. tzdata.zi now contains a version-number comment. (Suggested by Tom Lane.) The Makefile now quotes values like BACKWARD more carefully when passing them to the shell. (Problem reported by Zefram.) Builders no longer need to specify -DHAVE_SNPRINTF on platforms that have snprintf and use pre-C99 compilers. (Problem reported by Jon Skeet.) The build procedure now works around mawk 1.3.3's lack of support for character class expressions. (Problem reported by Ohyama.) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 97927956a6629381b54973d01e16c5f039f5e5bb) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit f266d17095441dd136c490578d7aae824ab16870)
2018-03-03 | tzcode: update to 2018c | Armin Kuster
removed patches now included in update. The 2018a through 2018c releases reflect the following changes, which were either circulated on the tz mailing list or are relatively minor technical or administrative changes. This announcement has merged the set of changes made by the three releases, to make it easier to see the difference between 2017c and 2018c; please see the 2018c NEWS file for more details about intermediate versions. Release 2018c - 2018-01-22 23:00:44 -0800 Release 2018b - 2018-01-17 23:24:48 -0800 Release 2018a - 2018-01-12 22:29:21 -0800 Changes to code zic has a new option -t FILE that specifies the location of the file that determines local time when TZ is unset. The default for this location can be configured via the new TZDEFAULT makefile macro, which defaults to /etc/localtime. Diagnostics and commentary now distinguish UT from UTC more carefully; see theory.html for more information about UT vs UTC. zic has been ported to GCC 8's -Wstringop-truncation option. (Problem reported by Martin Sebor.) Changes to documentation and commentary The zic man page now documents the longstanding behavior that times and years can be out of the usual range, with negative times counting backwards from midnight and with year 0 preceding year 1. (Problem reported by Michael Deckers.) The theory.html file now mentions the POSIX limit of six chars per abbreviation, and lists alphabetic abbreviations used. The files tz-art.htm and tz-link.htm have been renamed to tz-art.html and tz-link.html, respectively, for consistency with other file names and to simplify web server configuration. Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit aae1131225b92d2f984a2de35b2e21592ae8195d) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 017bbce4101e90388cf662e12157a788112e0727)
2018-03-03 | tzdata: update 2017c | Armin Kuster
LICENSE changed due to rewording https://github.com/eggert/tz/commit/7097a652778d35acf747d14f8bf7b3ced479bbc0#diff-9879d6db96fd29134fc802214163b95a Briefly: Northern Cyprus switches from +03 to +02/+03 on 2017-10-29. Fiji ends DST 2018-01-14, not 2018-01-21. Namibia switches from +01/+02 to +02 on 2018-04-01. Sudan switches from +03 to +02 on 2017-11-01. Tonga likely switches from +13/+14 to +13 on 2017-11-05. Turks & Caicos switches from -04 to -05/-04 on 2018-11-04. A new file tzdata.zi now holds a small text copy of all data. The zic input format has been regularized slightly. Changes to future time stamps Northern Cyprus has decided to resume EU rules starting 2017-10-29, thus reinstituting winter time. Fiji ends DST 2018-01-14 instead of the 2018-01-21 previously predicted. (Thanks to Dominic Fok.) Adjust future predictions accordingly. Namibia will switch from +01 with DST to +02 all year on 2017-09-03 at 02:00. This affects UT offsets starting 2018-04-01 at 02:00. (Thanks to Steffen Thorsen.) Sudan will switch from +03 to +02 on 2017-11-01. (Thanks to Ahmed Atyya and Yahia Abdalla.) South Sudan is not switching, so Africa/Juba is no longer a link to Africa/Khartoum. Tonga has likely ended its experiment with DST, and will not adjust its clocks on 2017-11-05. Although Tonga has not announced whether it will continue to observe DST, the IATA is assuming that it will not. (Thanks to David Wade.) Turks & Caicos will switch from -04 all year to -05 with US DST on 2018-03-11 at 03:00. This affects UT offsets starting 2018-11-04 at 02:00. (Thanks to Steffen Thorsen.) Changes to past time stamps Namibia switched from +02 to +01 on 1994-03-21, not 1994-04-03. (Thanks to Arthur David Olson.) Detroit did not observe DST in 1967. Use railway time for Asia/Kolkata before 1941, by switching to Madras local time (UT +052110) in 1870, then to IST (UT +0530) in 1906. Also, treat 1941-2's +0630 as DST, like 1942-5.
Europe/Dublin's 1946 and 1947 fallback transitions occurred at 02:00 standard time, not 02:00 DST. (Thanks to Michael Deckers.) Pacific/Apia and Pacific/Pago_Pago switched from Antipodean to American time in 1892, not 1879. (Thanks to Michael Deckers.) Adjust the 1867 transition in Alaska to better reflect the historical record, by changing it to occur on 1867-10-18 at 15:30 Sitka time rather than at the start of 1867-10-17 local time. Although strictly speaking this is accurate only for Sitka, the rest of Alaska's blanks need to be filled in somehow. Fix off-by-one errors in UT offsets for Adak and Nome before 1867. (Thanks to Michael Deckers.) Add 7 s to the UT offset in Asia/Yangon before 1920. Changes to zone names Remove Canada/East-Saskatchewan from the 'backward' file, as it exceeded the 14-character limit and was an unused misnomer anyway. Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 77a8256d9cbfe24d470aac9b4cc2910a41ca0ee8) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 2ea37fd4fad2e5ef21c119b03f09bcf2b0e7266e)
2018-03-03 | tzcode-native: update to 2017c | Armin Kuster
LICENSE changes due to rewording https://github.com/eggert/tz/commit/7097a652778d35acf747d14f8bf7b3ced479bbc0#diff-9879d6db96fd29134fc802214163b95a Backported to fixes from upstream too. Changes to code zic and the reference runtime now reject multiple leap seconds within 28 days of each other, or leap seconds before the Epoch. As a result, support for double leap seconds, which was obsolescent and undocumented, has been removed. Double leap seconds were an error in the C89 standard; they have never existed in civil timekeeping. (Thanks to Robert Elz and Bradley White for noticing glitches in the code that uncovered this problem.) zic now warns about use of the obsolescent and undocumented -y option, and about use of the obsolescent TYPE field of Rule lines. zic now allows unambiguous abbreviations like "Sa" and "Su" for weekdays; formerly it rejected them due to a bug. Conversely, zic no longer considers non-prefixes to be abbreviations; for example, it no longer accepts "lF" as an abbreviation for "lastFriday". Also, zic warns about the undocumented usage with a "last-" prefix, e.g., "last-Fri". Similarly, zic now accepts the unambiguous abbreviation "L" for "Link" in ordinary context and for "Leap" in leap-second context. Conversely, zic no longer accepts non-prefixes such as "La" as abbreviations for words like "Leap". zic no longer accepts leap second lines in ordinary input, or ordinary lines in leap second input. Formerly, zic sometimes warned about this undocumented usage and handled it incorrectly. The new macro HAVE_TZNAME governs whether the tzname external variable is exported, instead of USG_COMPAT. USG_COMPAT now governs only the external variables "timezone" and "daylight". This change is needed because the three variables are not in the same category: although POSIX requires tzname, it specifies the other two variables as optional. Also, USG_COMPAT is now 1 or 0: if not defined, the code attempts to guess it from other macros.
localtime.c and difftime.c no longer require stdio.h, and .c files other than zic.c no longer require sys/wait.h. zdump.c no longer assumes snprintf. (Reported by Jonathan Leffler.) Calculation of time_t extrema works around a bug in GCC 4.8.4 (Reported by Stan Shebs and Joseph Myers.) zic.c no longer mistranslates formats of line numbers in non-English locales. (Problem reported by Benno Schulenberg.) Several minor changes have been made to the code to make it a bit easier to port to MS-Windows and Solaris. (Thanks to Kees Dekker for reporting the problems.) Changes to documentation and commentary The two new files 'theory.html' and 'calendars' contain the contents of the removed file 'Theory'. The goal is to document tzdb theory more accessibly. The zic man page now documents abbreviation rules. tz-link.htm now covers how to apply tzdata changes to clients. (Thanks to Jorge Fábregas for the AIX link.) It also mentions MySQL. The leap-seconds.list URL has been updated to something that is more reliable for tzdb. (Thanks to Tim Parenti and Brian Inglis.) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 74af497f8d6b4e28d97c0f2cdb4ece90c2a6b8b5) Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit 12a538bbbc8d04e875f81bd65e9754d749273aac)
2017-09-11 | bash: memleak bug fix for builtin command read | Zhang Xiao
The builtin command "read" with "-e" uses Readline to obtain the line in an interactive shell. In this process, a string "rlbuf" is allocated without a free operation, thus causing a memory leak. This patch has been submitted upstream: http://lists.gnu.org/archive/html/bug-bash/2017-02/msg00061.html (From OE-Core rev: a2b278a6eaa9e9b48d858e3be6712267c0122598) Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> fixup for 4.3 Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-11 | ghostscript: CVE-2017-9727, -9835, -11714 | Joe Slater
CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust CVE-2017-9835: bounds check the array allocations methods CVE-2017-11714: prevent trying to reloc a freed object (From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-11 | ghostscript: fix several CVEs by adding bounds checking | Joe Slater
CVE-2017-9611 CVE-2017-9612 CVE-2017-9739 CVE-2017-9726 (From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-11 | wget: Security fix CVE-2017-6508 | Yi Zhao
CVE-2017-6508: CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL. External References: https://nvd.nist.gov/vuln/detail/CVE-2017-6508 Patch from: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4 (From OE-Core rev: 28404157e07a915d1445166df566c8838f2cce57) Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-08-30 | ltp: Skip the filedependency scan | Mark Hatle
Since LTP includes a set of test cases, we need to skip file dependency generation, as there will be dependencies that can not be satisfied. In this case a csh and ksh dependency come from two tests. The alternative would be to depend on csh/ksh (a bad idea as they're not available in oe-core) or remove the tests (but this eliminates the tests if someone DOES have csh/ksh in their configurations.) Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-29 | lsof: update SRC_URI | Andre McCurdy
Upstream lsof releases are hosted on an ftp server which times out download attempts from hosts for which it can not perform a DNS reverse-lookup. See: https://people.freebsd.org/~abe/ http://www.mirrorservice.org seems to be the most commonly used alternative (and using it for SRC_URI allows the custom UPSTREAM_CHECK_URI to be removed). Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 4e718242c1554021689a7946add055b22b81ec42) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-08-29 | lsof: minor recipe cleanup | Andre McCurdy
- Add HOMEPAGE - Remove ${S} from LIC_FILES_CHKSUM path - Use tabs consistently to indent do_configure() - Re-order LIC_FILES_CHKSUM definition to follow OE style guide Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 78701c5b873605240226c502de3b940097433596) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-08-29 | lsof: clear setuid | Kai Kang
Having 'lsof' as a +s (setuid) binary could lead to security issues if a compromise in the binary is found. It is better that it be -s by default as a precaution. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 346c65dd6855106069d1861ca965d3121eb084d1) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-08-29 | quota_4.03.bb: set CVE_PRODUCT to linux_diskquota | Mikko Rapeli
It is used in NVD for CVE's like: https://nvd.nist.gov/vuln/detail/CVE-2012-3417 Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 07be7cb9405e4a6289edad8afb3a50c1f8651620) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-07-27 | iptables: Apply 0001-fix-build-with-musl.patch unconditionally | Khem Raj
This patch is generic enough that it can be applied universally and makes maintenance easier Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit f769b8389091b4ffaff8f6f8fc7e53462ce176a5) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-07-27 | tzcode-native: quote ${CC} | Enrico Scholz
build fails else with | + make -j 8 -l 6 cc=ccache gcc | make: *** No rule to make target 'gcc'. Stop. Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 5729c1563359e12ebb4451bb1ce7ba3fff4ed2d4) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-07-27 | texi2html: Add a dependency on perl | Peter Kjellerstedt
(From OE-Core rev: c391547e95b1854960b90d93fd9f80f02f761e61) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-07-27 | tzdata: Install zone1970.tab | Jan Kiszka
The modern version of zone.tab is required by tzselect e.g. (From OE-Core rev: de467998ecfa5fa1d2e9dd43a4a3d828cf9ccade) Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-06-05 | ghostscript: CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2017-9216 | Catalin Enache
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently read arbitrary files via the use of the .libfile operator in a crafted postscript document. Use-after-free vulnerability in Ghostscript 9.20 might allow remote attackers to execute arbitrary code via vectors related to a reference leak in .setdevice. Ghostscript before 9.21 might allow remote attackers to bypass the SAFER mode protection mechanism and consequently execute arbitrary code by leveraging type confusion in .initialize_dsc_parser. libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript, has a NULL pointer dereference in the jbig2_huffman_get function in jbig2_huffman.c. For example, the jbig2dec utility will crash (segmentation fault) when parsing an invalid file. References: https://nvd.nist.gov/vuln/detail/CVE-2016-7977 https://nvd.nist.gov/vuln/detail/CVE-2016-7978 https://nvd.nist.gov/vuln/detail/CVE-2016-7979 https://nvd.nist.gov/vuln/detail/CVE-2017-9216 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=875a0095f37626a721c7ff57d606a0f95af03913 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ebffb1d96ba0cacec23016eccb4047dab365853 (From OE-Core rev: 584dfa2f780d5785aaff01f84fbabc18b3478d76) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-05 | ghostscript: CVE-2016-8602, CVE-2017-7975 | Catalin Enache
The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Postscript document that calls .sethalftone5 with an empty operand stack. Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c during operations on a crafted JBIG2 file, leading to a denial of service (application crash) or possibly execution of arbitrary code. References: https://nvd.nist.gov/vuln/detail/CVE-2016-8602 https://nvd.nist.gov/vuln/detail/CVE-2017-7975 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f5c7555c303 http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e57e483298 (From OE-Core rev: 8f919c2df47ca93132f21160d919b6ee2207d9a6) Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-05 | rpcbind: Fix CVE-2017-8779 | Fan Xin
This vulnerability is also called "rpcbomb". Backport upstream patch to fix this vulnerability. CVE: CVE-2017-8779 (From OE-Core rev: 7936c9451eb4c376a78a0ac7461d1b2430c7f1f3) Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-18 | bash: CVE-2016-0634 | Zhixiong Chi
A vulnerability was found in a way bash expands the $HOSTNAME. Injecting the hostname with malicious code would cause it to run each time bash expanded \h in the prompt string. Porting patch from <https://ftp.gnu.org/gnu/bash/bash-4.3-patches/ bash43-047> to solve CVE-2016-0634 CVE: CVE-2016-0634 (From OE-Core rev: 7dd6aa1a4bf6e9fc8a1998cda6ac5397bb5cd5cb) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-28 | ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951 | Catalin Enache
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-28 | acpica: fix upstream version check | Alexander Kanavin
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-28 | lsbtest: add option --ignoreos to rpm install command | Dengke Du
After the change to rpm4, when installing the rpm packages in lsbtest, such as: lsb-setup-4.1.0-1.noarch.rpm lsb-dist-checker-5.0.0.1-1.x86_64.rpm ...... lsb-cmdchk-5.0.3-1.x86_64.rpm the following error log appears: package lsb-setup-4.1.0-1.noarch is intended for a different operating system ...... So we should add the option "--ignoreos" to the rpm install command in LSB_Test.sh in the ./meta/recipes-extended/lsb/lsbtest directory. In this way we can make sure those rpm packages are installed correctly. YOCTO bug #11224 didn't create logs because the above test rpm packages didn't install. [YOCTO #11224] Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-21 | Revert "logrotate: set downloadfilename" | Ross Burton
Sadly this breaks previous OE releases as it means the source mirror contains a tarball with the same name but different checksums as was previously available. This reverts commit 99c6e89db193d572e845f95eabbd9ec89c3508c7. Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-19 | ltp: fix an incorrect macro checking | Jackie Huang
The previous patch added a check but incorrectly changed the elif to if, so it always returns 0 for cpuid if the machine is not __i386__: getcpu01 1 TFAIL : getcpu01.c:140: getcpu() returned wrong value expected cpuid:7, returned value cpuid: 0 After this fix: getcpu01 1 TPASS : getcpu() returned proper cpuid:7, node id:0 Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-19 | logrotate: set downloadfilename | Robert Yang
Otherwise, the filename is r3-9-1.tar.gz which isn't straightforward. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-13 | unzip: add missing CVE headers to patches | Ross Burton
Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-13 | grep: do_configure: fix "Argument list too long" | Robert Yang
Fixed when len(TMPDIR) = 410: aclocal: error: cannot open echo 'm4_define [snip]' configure.ac |: Argument list too long' This is because it has a lot of m4 files; using relative paths for them can fix the problem. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-12 | ed: update SRC_URI to yoctoproject mirror | Maxin B. John
Upstream has removed the 1.14.1 release from ftp.gnu.org and moved to the latest 1.14.2. Since we don't want to upgrade at this point of time, temporarily move the SRC_URI to yoctoproject mirror. Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-11 | libsolv: correctly attribute musl fixing patches | Alexander Kanavin
Also, they were previously squashed into a single patch; restore the original two-patch arrangement. As requested here: http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135460.html Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-11 | logrotate: replace fedorahosted.org SRC_URI with github.com source | Choong YinThong
fedorahosted.org was retired on March 1st, 2017. This is to update the SRC_URI to point to github.com. Update the ${PN} to ${BPN} in order to pass the autobuilder multilib enable configuration. [YOCTO #11226] Signed-off-by: Choong YinThong <yin.thong.choong@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-08 | mc: replace "perl -w" with "use warnings" | Robert Yang
The shebang's max length is usually 128 as defined in /usr/include/linux/binfmts.h: #define BINPRM_BUF_SIZE 128 There would be errors when @PERL@ (hostools/perl) is longer than 128; using '/usr/bin/env perl' can fix the problem, but '/usr/bin/env perl -w' doesn't work: /usr/bin/env: perl -w: No such file or directory So replace "perl -w" with "use warnings" to make it work. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-08 | groff: replace "perl -w" with "use warnings" | Robert Yang
The shebang's max length is usually 128 as defined in /usr/include/linux/binfmts.h: #define BINPRM_BUF_SIZE 128 There would be errors when @PERL@ (hostools/perl) is longer than 128; using '/usr/bin/env perl' can fix the problem, but '/usr/bin/env perl -w' doesn't work: /usr/bin/env: perl -w: No such file or directory So replace "perl -w" with "use warnings" to make it work. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-08 | ghostscript: CVE-2017-7207 | Catalin Enache
The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted PostScript document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207 Upstream patch: http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-05 | net-tools: Fix build with USE_NLS="no" | Jussi Kukkonen
The configuration change was already done for -native but we really want it when USE_NLS is set. Fixes [YOCTO #11285]. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-05 | ethtool: Switch to download mirror | Paul Barker
The md5sum & sha256sum for ethtool-4.8.tar.gz have changed upstream :( Signed-off-by: Paul Barker <pbarker@toganlabs.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-05 | chkconfig: replace fedorahosted.org SRC_URI with github.com source | Choong YinThong
fedorahosted.org was retired on March 1st, 2017. This is to update the SRC_URI to point to github.com. [YOCTO #11226] Signed-off-by: Choong YinThong <yin.thong.choong@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-05 | cronie: replace fedorahosted.org SRC_URI with github.com source | Choong YinThong
fedorahosted.org was retired on March 1st, 2017. This is to update the SRC_URI to point to github.com. [YOCTO #11226] Signed-off-by: Choong YinThong <yin.thong.choong@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-05 | libnewt: replace fedorahosted.org SRC_URI with pagure.io source | Choong YinThong
fedorahosted.org was retired on March 1st, 2017. This is to update the SRC_URI to point to pagure.io. pagure.io is a replacement for fedorahosted. [YOCTO #11226] Signed-off-by: Choong YinThong <yin.thong.choong@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-04-05 | libuser: replace fedorahosted.org SRC_URI with pagure.io source | Choong YinThong
fedorahosted.org was retired on March 1st, 2017. This is to update the SRC_URI to point to pagure.io. pagure.io is a replacement for fedorahosted. [YOCTO #11226] Signed-off-by: Choong YinThong <yin.thong.choong@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-03-31 | lsb: Create ${base_prefix}/lib64 correctly when needed | Peter Kjellerstedt
There were two remaining cases that could end up creating /lib64 rather than ${base_prefix}/lib64. The difference matters when building with usrmerge. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>