openembedded-core.git/meta/recipes-devtools/dpkg, branch dizzy Mirror of openembedded-core dpkg: Fix tarfix.patch 2015-07-27T13:20:50+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-07-27T13:19:33+00:00 5f50f90ed824ea6a8d1d1b41a5345f51a15c443f Accidentally forgot to merge the backport changes into the commit. Fix so the patch applies correctly. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Accidentally forgot to merge the backport changes into the commit. Fix
so the patch applies correctly.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: Fix for Fedora22 and new versions of tar 2015-07-27T11:25:05+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-07-13T11:04:52+00:00 386898afde40971653af646d55e64aef65807e3b They managed to 'break' tar. Again. Sorry, they fixed a regression which broke dpkg-deb. The addition of: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=163e96a0e619a900eab6de827c7c5749ecc9d3f2 ("Bugfix: entries read from the -T file did not get proper matching_flag.") means that the no-recursion option gets lost. This leads to many files getting included multiple times, along with files which shouldn't be there. The commit message is horrendous. The patch actually makes the option positional (as documnted since 2003) and therefore doesn't affect the input from the -T option. Moving the --no-reursion option to earlier in the command avoids the bug. The bug was not present in tar 1.28 however it has been backported in at least Fedora 22 and heading into Fedora 21. Redhat reports of issue: https://bugzilla.redhat.com/show_bug.cgi?id=1230762 [tar] https://bugzilla.redhat.com/show_bug.cgi?id=1241508 [dpkg] Discussion of bug in upstream tar: http://www.mail-archive.com/bug-tar@gnu.org/msg04799.html [YOCTO #7988] (From OE-Core rev: 6be698b7270f73f40d38713ecf13f12aec0ced61) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Conflicts: meta/recipes-devtools/dpkg/dpkg_1.17.25.bb 
They managed to 'break' tar. Again. Sorry, they fixed a regression
which broke dpkg-deb.

The addition of:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=163e96a0e619a900eab6de827c7c5749ecc9d3f2
("Bugfix: entries read from the -T file did not get proper matching_flag.")
means that the no-recursion option gets lost. This leads to many files getting included
multiple times, along with files which shouldn't be there.

The commit message is horrendous. The patch actually makes the option positional
(as documnted since 2003) and therefore doesn't affect the input from the -T option.

Moving the --no-reursion option to earlier in the command avoids the bug.

The bug was not present in tar 1.28 however it has been backported in at least
Fedora 22 and heading into Fedora 21.

Redhat reports of issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1230762 [tar]
https://bugzilla.redhat.com/show_bug.cgi?id=1241508 [dpkg]

Discussion of bug in upstream tar:
http://www.mail-archive.com/bug-tar@gnu.org/msg04799.html

[YOCTO #7988]

(From OE-Core rev: 6be698b7270f73f40d38713ecf13f12aec0ced61)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Conflicts:
	meta/recipes-devtools/dpkg/dpkg_1.17.25.bb
dpkg: Fix patch to adjust for older code 2015-04-18T07:56:59+00:00 Saul Wold sgw@linux.intel.com 2015-04-18T03:06:05+00:00 3e5632a02ee8f07705d5c34a57f36c6932a2e6cb The older version of dpkg uses subproc_wait_check() instead of the newer subproc_reap() Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The older version of dpkg uses subproc_wait_check() instead of the newer subproc_reap()

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg-native: Avoid 'file changed' errors from tar 2015-04-17T21:38:35+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-03-28T08:50:27+00:00 bcb124931af57dc2f9d8fe9cbbabd5f8ee58e414 Hardlink count duing do_package_write_deb can change causing dpkg-deb failures. We don't care about this error case so avoid it by checking the tar exit code. [YOCTO #7529] (From OE-Core rev: 8ee36a5f2f9367550d28bf271afc53bca6ff3d5f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Hardlink count duing do_package_write_deb can change causing dpkg-deb
failures. We don't care about this error case so avoid it by checking
the tar exit code.

[YOCTO #7529]

(From OE-Core rev: 8ee36a5f2f9367550d28bf271afc53bca6ff3d5f)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: add perl to RDEPENDS 2015-04-17T21:38:33+00:00 Robert Yang liezhi.yang@windriver.com 2015-01-19T08:21:58+00:00 bddfec608b065c54ddf2cd3c8bb7668aba929927 perl scripts: packages-split/dpkg/usr/bin/dpkg-parsechangelog:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-mergechangelogs:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-architecture:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-vendor:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-shlibdeps:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-scanpackages:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-buildpackage:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-genchanges:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-gensymbols:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-distaddfile:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-buildflags:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-checkbuilddeps:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-gencontrol:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-scansources:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-source:#!/usr/bin/perl packages-split/dpkg/usr/bin/dpkg-name:#!/usr/bin/perl packages-split/dpkg/usr/lib/dpkg/parsechangelog/debian:#!/usr/bin/perl (From OE-Core rev: eb7179e3c182dc456956fd8ae7e0b512488ad0f2) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
perl scripts:
packages-split/dpkg/usr/bin/dpkg-parsechangelog:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-mergechangelogs:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-architecture:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-vendor:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-shlibdeps:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-scanpackages:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-buildpackage:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-genchanges:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-gensymbols:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-distaddfile:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-buildflags:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-checkbuilddeps:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-gencontrol:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-scansources:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-source:#!/usr/bin/perl
packages-split/dpkg/usr/bin/dpkg-name:#!/usr/bin/perl
packages-split/dpkg/usr/lib/dpkg/parsechangelog/debian:#!/usr/bin/perl

(From OE-Core rev: eb7179e3c182dc456956fd8ae7e0b512488ad0f2)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
dpkg: fix host contamination 2015-02-11T17:39:49+00:00 Dan McGregor dan.mcgregor@usask.ca 2015-01-15T15:41:14+00:00 781d7e7fdff9d41dc962b7d35809396051a47303 Force dpkg to use "tar" on the target. The dpkg configure script looks for gnutar, gtar, and tar in order. If it finds gnutar or gtar on the host it expects to use that as its tar program on the target. Without this, if gtar exists (as it does on my system) then dpkg will consistently fail on the target with an error about gtar not being found. (From OE-Core rev: 45bcb1ea92f244df4745aca6f9f9556c43e9b6ce) Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Force dpkg to use "tar" on the target.

The dpkg configure script looks for gnutar, gtar, and
tar in order. If it finds gnutar or gtar on the host
it expects to use that as its tar program on the target.
Without this, if gtar exists (as it does on my system) then
dpkg will consistently fail on the target with an error about
gtar not being found.

(From OE-Core rev: 45bcb1ea92f244df4745aca6f9f9556c43e9b6ce)

Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
dpkg: Security Advisory - CVE-2014-3127 2014-06-17T09:23:45+00:00 Guillem Jover guillem@debian.org 2014-06-17T08:25:52+00:00 2c3838443eacd3a86ea8917ea53a20248e7bdf03 v2 changes: * update format for commit log * add Upstream-Status for patch commit a12eb58959d0a10584a428f4a3103a49204c410f upstream Dpkg::Source::Patch: Outright reject C-style filenames in patches Because patch only started recognizing C-style filenames in diffs in version 2.7, it's not safe to assume one behaviour or the other, as the system might or might not have a recent enough version, or a GNU patch program at all. There's also no reason we should be supporting this kind of strange encoded filenames in patches, when we have not done so up to now. Let's just ban these types of diffs and be done with it. Fixes: CVE-2014-0471, CVE-2014-3127 Closes: #746306 [drop the text for debian/changelog,because it's not suitable for the veriosn] Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
v2 changes:
* update format for commit log
* add Upstream-Status for patch

commit a12eb58959d0a10584a428f4a3103a49204c410f upstream

Dpkg::Source::Patch: Outright reject C-style filenames in patches

Because patch only started recognizing C-style filenames in diffs
in version 2.7, it's not safe to assume one behaviour or the other,
as the system might or might not have a recent enough version, or
a GNU patch program at all. There's also no reason we should be
supporting this kind of strange encoded filenames in patches, when
we have not done so up to now.

Let's just ban these types of diffs and be done with it.

Fixes: CVE-2014-0471, CVE-2014-3127
Closes: #746306

[drop the text for debian/changelog,because it's not suitable
for the veriosn]
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: Security Advisory - CVE-2014-0471 2014-06-17T09:23:45+00:00 Guillem Jover guillem@debian.org 2014-06-17T08:25:51+00:00 81880b34a8261e824c5acafaa4cb321908e554a0 v2 changes: * update format for commit log * add Upstream-Status for patch commit a82651188476841d190c58693f95827d61959b51 upstream Dkpkg::Source::Patch: Correctly parse C-style diff filenames We need to strip the surrounding quotes, and unescape any escape sequence, so that we check the same files that the patch program will be using, otherwise a malicious package could overpass those checks, and perform directory traversal attacks on source package unpacking. Fixes: CVE-2014-0471 Reported-by: Jakub Wilk <jwilk@debian.org> [drop the text for debian/changelog,because it's not suitable for the veriosn] Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
v2 changes:
* update format for commit log
* add Upstream-Status for patch

commit a82651188476841d190c58693f95827d61959b51 upstream

Dkpkg::Source::Patch: Correctly parse C-style diff filenames

We need to strip the surrounding quotes, and unescape any escape
sequence, so that we check the same files that the patch program will
be using, otherwise a malicious package could overpass those checks,
and perform directory traversal attacks on source package unpacking.

Fixes: CVE-2014-0471

Reported-by: Jakub Wilk <jwilk@debian.org>
[drop the text for debian/changelog,because it's not suitable
 for the veriosn]

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Globally replace 'base_contains' calls with 'bb.utils.contains' 2014-04-25T16:10:58+00:00 Otavio Salvador otavio@ossystems.com.br 2014-04-24T18:59:20+00:00 d83b16dbf0862be387f84228710cb165c6d2b03b The base_contains is kept as a compatibility method and we ought to not use it in OE-Core so we can remove it from base metadata in future. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The base_contains is kept as a compatibility method and we ought to
not use it in OE-Core so we can remove it from base metadata in
future.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Globally replace oe.utils.contains to bb.utils.contains 2014-04-25T16:10:58+00:00 Otavio Salvador otavio@ossystems.com.br 2014-04-24T18:59:19+00:00 93499ebc46547f5bf6dcecd5a786ead9f726de28 BitBake has the exact same code as oe.utils.contains so there's no reason to duplicate it. We now rely on the bb.utils.contains code for metadata. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
BitBake has the exact same code as oe.utils.contains so there's no
reason to duplicate it. We now rely on the bb.utils.contains code for
metadata.

Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>