openembedded-core.git/meta/recipes-devtools/dpkg, branch jethro Mirror of openembedded-core dpkg: Security fix CVE-2015-0860 2016-02-01T16:23:27+00:00 Armin Kuster akuster@mvista.com 2016-01-30T22:12:44+00:00 5aaec01acc9e5a19374a566307a425d43c887f4b CVE-2015-0860 dpkg: stack overflows and out of bounds read Signed-off-by: Armin Kuster <akuster@mvista.com> 
CVE-2015-0860 dpkg: stack overflows and out of bounds read

Signed-off-by: Armin Kuster <akuster@mvista.com>
dpkg: update to 1.18.2 2015-09-01T10:43:37+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2015-08-28T12:18:51+00:00 c11b2be13a6d5e34f2baed4b8ee8ccd66438c1de check_snprintf.patch has been dropped, because it seems to fix a problem that doesn't anymore exist, and doesn't have any description of what the problem was and how was it fixed. tarfix.patch has been merged upstream. The rest of the patches have been rebased to the new upstream release Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
check_snprintf.patch has been dropped, because it seems to fix a problem
that doesn't anymore exist, and doesn't have any description of what the
problem was and how was it fixed.

tarfix.patch has been merged upstream.

The rest of the patches have been rebased to the new upstream release

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: Fix for Fedora22 and new versions of tar 2015-07-13T12:46:45+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-07-13T11:04:52+00:00 6be698b7270f73f40d38713ecf13f12aec0ced61 They managed to 'break' tar. Again. Sorry, they fixed a regression which broke dpkg-deb. The addition of: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=163e96a0e619a900eab6de827c7c5749ecc9d3f2 ("Bugfix: entries read from the -T file did not get proper matching_flag.") means that the no-recursion option gets lost. This leads to many files getting included multiple times, along with files which shouldn't be there. The commit message is horrendous. The patch actually makes the option positional (as documnted since 2003) and therefore doesn't affect the input from the -T option. Moving the --no-reursion option to earlier in the command avoids the bug. The bug was not present in tar 1.28 however it has been backported in at least Fedora 22 and heading into Fedora 21. Redhat reports of issue: https://bugzilla.redhat.com/show_bug.cgi?id=1230762 [tar] https://bugzilla.redhat.com/show_bug.cgi?id=1241508 [dpkg] Discussion of bug in upstream tar: http://www.mail-archive.com/bug-tar@gnu.org/msg04799.html [YOCTO #7988] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
They managed to 'break' tar. Again. Sorry, they fixed a regression
which broke dpkg-deb.

The addition of:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=163e96a0e619a900eab6de827c7c5749ecc9d3f2
("Bugfix: entries read from the -T file did not get proper matching_flag.")
means that the no-recursion option gets lost. This leads to many files getting included
multiple times, along with files which shouldn't be there.

The commit message is horrendous. The patch actually makes the option positional
(as documnted since 2003) and therefore doesn't affect the input from the -T option.

Moving the --no-reursion option to earlier in the command avoids the bug.

The bug was not present in tar 1.28 however it has been backported in at least
Fedora 22 and heading into Fedora 21.

Redhat reports of issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1230762 [tar]
https://bugzilla.redhat.com/show_bug.cgi?id=1241508 [dpkg]

Discussion of bug in upstream tar:
http://www.mail-archive.com/bug-tar@gnu.org/msg04799.html

[YOCTO #7988]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: fix typo in tar-error-code.patch, Upsteam -> Upstream 2015-07-07T12:32:58+00:00 Andre McCurdy armccurdy@gmail.com 2015-07-06T20:49:59+00:00 10cbfe5194e56c9c7538c55f4f5bf5057489d169 Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: upgrade to 1.17.25 2015-04-30T22:01:28+00:00 Roy Li rongqing.li@windriver.com 2015-04-29T08:09:38+00:00 079445990f51f98c8d4f9397dec0ed91ca2490c3 upgrade to fix two CVE defects: CVE-2014-8625 and CVE-2015-0840 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8625 Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0840 The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc). Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
upgrade to fix two CVE defects: CVE-2014-8625 and CVE-2015-0840

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8625

Multiple format string vulnerabilities in the parse_error_msg
function in parsehelp.c in dpkg before 1.17.22 allow remote attackers
to cause a denial of service (crash) and possibly execute arbitrary
code via format string specifiers in the (1) package or (2)
architecture name.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0840

The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before
1.17.25 allows remote attackers to bypass signature verification
via a crafted Debian source control file (.dsc).

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: add triplet entry to fix build error for armeb 2015-04-09T18:48:01+00:00 Krishnanjanappa, Jagadeesh jagadeesh.krishnanjanappa@caviumnetworks.com 2015-04-08T13:59:09+00:00 63eb33bced1fc1e5451988fc5249ab362fb82615 Cross-compling dpkg application for armeb fails with below error during configure task, (snip) configure:23141: checking dpkg cpu type configure:23148: result: armeb configure:23150: WARNING: armeb not found in cputable configure:23162: checking dpkg operating system type configure:23169: result: linux-gnueabi configure:23171: WARNING: linux-gnueabi not found in ostable configure:23183: checking dpkg architecture name configure:23189: error: cannot determine host dpkg architecture -- CUT -- Add the required combination of "gnueabi-linux-armeb" entry in triplet list. Signed-off-by: Krishnanjanappa, Jagadeesh <jagadeesh.krishnanjanappa@caviumnetworks.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Cross-compling dpkg application for armeb fails with below error
during configure task,

(snip)
 configure:23141: checking dpkg cpu type
 configure:23148: result: armeb
 configure:23150: WARNING: armeb not found in cputable
 configure:23162: checking dpkg operating system type
 configure:23169: result: linux-gnueabi
 configure:23171: WARNING: linux-gnueabi not found in ostable
 configure:23183: checking dpkg architecture name
 configure:23189: error: cannot determine host dpkg architecture
-- CUT --

Add the required combination of "gnueabi-linux-armeb" entry in
triplet list.

Signed-off-by: Krishnanjanappa, Jagadeesh <jagadeesh.krishnanjanappa@caviumnetworks.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg-native: Avoid 'file changed' errors from tar 2015-03-31T15:28:24+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-03-28T08:50:27+00:00 8ee36a5f2f9367550d28bf271afc53bca6ff3d5f Hardlink count duing do_package_write_deb can change causing dpkg-deb failures. We don't care about this error case so avoid it by checking the tar exit code. [YOCTO #7529] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Hardlink count duing do_package_write_deb can change causing dpkg-deb
failures. We don't care about this error case so avoid it by checking
the tar exit code.

[YOCTO #7529]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg: Don't move update-alternatives to sbindir 2015-03-24T10:07:59+00:00 Andreas Oberritter obi@opendreambox.org 2015-03-23T19:09:25+00:00 5f6faeb24ba80cdb6c9f62b185e40adc15f0fd6e Debian, Ubuntu and opkg all have it in bindir. Signed-off-by: Andreas Oberritter <obi@opendreambox.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Debian, Ubuntu and opkg all have it in bindir.

Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
recipes: Delete superfluous assignments, S = ${WORKDIR}/${BP} 2015-02-23T18:00:12+00:00 Robert P. J. Day rpjday@crashcourse.ca 2015-02-21T21:28:42+00:00 ebe8578df3f162045086cd60a129eb7ac3eacf4c Given that bitbake.conf sets the default values: BP = "${BPN}-${PV}" S = "${WORKDIR}/${BP}" there are a number of recipes that set the variable S completely superfluously, so get rid of them. Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Given that bitbake.conf sets the default values:

BP = "${BPN}-${PV}"
S = "${WORKDIR}/${BP}"

there are a number of recipes that set the variable S completely
superfluously, so get rid of them.

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta: enable parallel build for several recipes 2015-02-14T22:26:10+00:00 Robert Yang liezhi.yang@windriver.com 2015-02-13T01:39:34+00:00 7957c5bc2771a763d26e50e716733c6335cef3c2 I used a for loop to build these packages more than 520 times, these recipes never failed. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 
I used a for loop to build these packages more than 520 times, these
recipes never failed.

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>