openembedded-core.git/meta/recipes-devtools/dpkg, branch daisy Mirror of openembedded-core dpkg: Security Advisory - CVE-2014-3127 2014-10-10T14:05:51+00:00 Guillem Jover guillem@debian.org 2014-06-17T08:25:52+00:00 14273b42542151357e3299736f2b730ca3257fc0 v2 changes: * update format for commit log * add Upstream-Status for patch commit a12eb58959d0a10584a428f4a3103a49204c410f upstream Dpkg::Source::Patch: Outright reject C-style filenames in patches Because patch only started recognizing C-style filenames in diffs in version 2.7, it's not safe to assume one behaviour or the other, as the system might or might not have a recent enough version, or a GNU patch program at all. There's also no reason we should be supporting this kind of strange encoded filenames in patches, when we have not done so up to now. Let's just ban these types of diffs and be done with it. Fixes: CVE-2014-0471, CVE-2014-3127 Closes: #746306 [drop the text for debian/changelog,because it's not suitable for the veriosn] (From OE-Core rev: 2c3838443eacd3a86ea8917ea53a20248e7bdf03) Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
v2 changes:
* update format for commit log
* add Upstream-Status for patch

commit a12eb58959d0a10584a428f4a3103a49204c410f upstream

Dpkg::Source::Patch: Outright reject C-style filenames in patches

Because patch only started recognizing C-style filenames in diffs
in version 2.7, it's not safe to assume one behaviour or the other,
as the system might or might not have a recent enough version, or
a GNU patch program at all. There's also no reason we should be
supporting this kind of strange encoded filenames in patches, when
we have not done so up to now.

Let's just ban these types of diffs and be done with it.

Fixes: CVE-2014-0471, CVE-2014-3127
Closes: #746306

[drop the text for debian/changelog,because it's not suitable
for the veriosn]
(From OE-Core rev: 2c3838443eacd3a86ea8917ea53a20248e7bdf03)

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: Security Advisory - CVE-2014-0471 2014-10-10T14:05:51+00:00 Guillem Jover guillem@debian.org 2014-06-17T08:25:51+00:00 c75316fc256d229cfad45cd57328920993d93d8d v2 changes: * update format for commit log * add Upstream-Status for patch commit a82651188476841d190c58693f95827d61959b51 upstream Dkpkg::Source::Patch: Correctly parse C-style diff filenames We need to strip the surrounding quotes, and unescape any escape sequence, so that we check the same files that the patch program will be using, otherwise a malicious package could overpass those checks, and perform directory traversal attacks on source package unpacking. Fixes: CVE-2014-0471 Reported-by: Jakub Wilk <jwilk@debian.org> [drop the text for debian/changelog,because it's not suitable for the veriosn] (From OE-Core rev: 81880b34a8261e824c5acafaa4cb321908e554a0) Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
v2 changes:
* update format for commit log
* add Upstream-Status for patch

commit a82651188476841d190c58693f95827d61959b51 upstream

Dkpkg::Source::Patch: Correctly parse C-style diff filenames

We need to strip the surrounding quotes, and unescape any escape
sequence, so that we check the same files that the patch program will
be using, otherwise a malicious package could overpass those checks,
and perform directory traversal attacks on source package unpacking.

Fixes: CVE-2014-0471

Reported-by: Jakub Wilk <jwilk@debian.org>
[drop the text for debian/changelog,because it's not suitable
 for the veriosn]

(From OE-Core rev: 81880b34a8261e824c5acafaa4cb321908e554a0)

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
opkg/dpkg: remove the postinstalls 2014-03-07T15:04:36+00:00 Laurentiu Palcu laurentiu.palcu@intel.com 2014-03-06T12:15:42+00:00 2dadf775f619571c273ea20eb8d3fdd7ba656052 Just use the run-postinsts recipe for running first boot postinstalls. [YOCTO #5666] Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Just use the run-postinsts recipe for running first boot postinstalls.

[YOCTO #5666]

Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: Use bzip2-replacement-native 2014-02-28T18:02:31+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2014-02-28T15:49:13+00:00 1a84333bcc73e6eba14217dd9704678a4da9ab4b bzip2-native is in ASSUME_PROVIDED so the dependency that dpkg has doesn't correctly trigger the build dependency. This shows up if you don't have bzip2 development headers on your build machine and you: bitbake dpkg-native bitbake dpkg-native -c cleansstate rm tmp -rf bitbake dpkg-native This patch uses the bzip2-replacement-native dependency as a handful of other recipes do to make sure libbz2 is available. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
bzip2-native is in ASSUME_PROVIDED so the dependency that dpkg has doesn't correctly
trigger the build dependency. This shows up if you don't have bzip2 development
headers on your build machine and you:

bitbake dpkg-native
bitbake dpkg-native -c cleansstate
rm tmp -rf
bitbake dpkg-native

This patch uses the bzip2-replacement-native dependency as a handful
of other recipes do to make sure libbz2 is available.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: Fix dpkg-native dependency on target xz 2014-02-28T13:52:44+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2014-02-27T23:59:52+00:00 1b972c56ce0fa98f4effb691f1c312ce8d19ebcd dpkg-native should not depend on the target xz. Fix this. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
dpkg-native should not depend on the target xz. Fix this.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
dpkg-compiler.m4: remove -Wvla (fix build on CentOS 5.8) 2014-02-25T17:53:55+00:00 Robert Yang liezhi.yang@windriver.com 2014-02-25T09:44:05+00:00 736ef878570ebe60845da88094907ad28f7b50ff Remove the -Wvla flag from the set of compiler warning flags, since gcc on old host systems such as CentOS 5.8 doesn't support it, and it causes a build error for dpkg-native. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Remove the -Wvla flag from the set of compiler warning flags, since gcc
on old host systems such as CentOS 5.8 doesn't support it, and it
causes a build error for dpkg-native.

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: fix a link problem for dpkg-native on CentOS 5.8 2014-02-25T17:53:55+00:00 Donn Seeley donn.seeley@windriver.com 2014-02-25T09:44:04+00:00 197dfda0d971e5e423f1b04a13fbe7ab22d2e874 [ CQID: WIND00392830 ] CentOS 5.8 provides the kernel support and headers for the sync_file_range() syscall, but glibc 2.5 doesn't implement the sync_file_range() syscall stub, so we can't link dpkg-native. Add a patch that makes dpkg require a glibc version >= 2.6 in order to use sync_file_range(). Signed-off-by: Donn Seeley <donn.seeley@windriver.com> Signed-off-by: Lei Liu <lei.liu2@windriver.com> Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
[ CQID: WIND00392830 ]

CentOS 5.8 provides the kernel support and headers for the
sync_file_range() syscall, but glibc 2.5 doesn't implement the
sync_file_range() syscall stub, so we can't link dpkg-native. Add a
patch that makes dpkg require a glibc version >= 2.6 in order to use
sync_file_range().

Signed-off-by: Donn Seeley <donn.seeley@windriver.com>
Signed-off-by: Lei Liu <lei.liu2@windriver.com>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: use systemd service for first boot configuration 2014-01-28T00:48:27+00:00 Chen Qi Qi.Chen@windriver.com 2014-01-24T09:47:37+00:00 56490921d267b784118df43cbd107925c8b94200 Use a systemd service file for first boot configuration for dpkg based images which has 'package-management' in its IMAGE_FEATURES. [YOCTO #5719] Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
Use a systemd service file for first boot configuration for dpkg
based images which has 'package-management' in its IMAGE_FEATURES.

[YOCTO #5719]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Replace one-line DESCRIPTION with SUMMARY 2014-01-02T12:47:33+00:00 Paul Eggleton paul.eggleton@linux.intel.com 2013-12-19T15:13:01+00:00 b8feee3cf21f70ba4ec3b822d2f596d4fc02a292 A lot of our recipes had short one-line DESCRIPTION values and no SUMMARY value set. In this case it's much better to just set SUMMARY since DESCRIPTION is defaulted from SUMMARY anyway and then the SUMMARY is at least useful. I also took the opportunity to fix up a lot of the new SUMMARY values, making them concisely explain the function of the recipe / package where possible. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> 
A lot of our recipes had short one-line DESCRIPTION values and no
SUMMARY value set. In this case it's much better to just set SUMMARY
since DESCRIPTION is defaulted from SUMMARY anyway and then the SUMMARY
is at least useful. I also took the opportunity to fix up a lot of the
new SUMMARY values, making them concisely explain the function of the
recipe / package where possible.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
dpkg: fix/remove unrecognised options 2014-01-02T10:41:58+00:00 Robert Yang liezhi.yang@windriver.com 2013-12-28T03:58:17+00:00 8d30a464cdb8c6bf0b9d2757ff7f8fc3445f51ba Fix/remove the following unrecognised options: * --without-static-progs: can't find anything about this in the history, so remove it. * --without-dselect -> --disable-dselect * --with-start-stop-daemon -> --enable-start-stop-daemon * --with-bz2lib, typo, should be --with-bz2 * --without-sgml-doc: the sgml doc had been removed from dpkg, so remove it. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 
Fix/remove the following unrecognised options:
* --without-static-progs: can't find anything about this in the history,
  so remove it.
* --without-dselect -> --disable-dselect
* --with-start-stop-daemon -> --enable-start-stop-daemon
* --with-bz2lib, typo, should be --with-bz2
* --without-sgml-doc: the sgml doc had been removed from dpkg, so
  remove it.

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>