openembedded-core.git/meta/recipes-devtools/patch, branch thud Mirror of openembedded-core patch: fix CVE-2018-6952 2018-08-23T06:45:32+00:00 Hongxu Jia hongxu.jia@windriver.com 2018-08-22T12:10:40+00:00 1314a6953aa647706107557faaba8574e307d2bd Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
patch: fix CVE-2018-1000156 2018-04-13T15:55:26+00:00 Jackie Huang jackie.huang@windriver.com 2018-04-11T06:56:10+00:00 6b6ae212837a07aaefd2b675b5b527fbce2a4270 * CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2018-1000156 * upstream tracking: https://savannah.gnu.org/bugs/index.php?53566 * Fix arbitrary command execution in ed-style patches: - src/pch.c (do_ed_script): Write ed script to a temporary file instead of piping it to ed: this will cause ed to abort on invalid commands instead of rejecting them and carrying on. - tests/ed-style: New test case. - tests/Makefile.am (TESTS): Add test case. Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
* CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2018-1000156

* upstream tracking: https://savannah.gnu.org/bugs/index.php?53566

* Fix arbitrary command execution in ed-style patches:
  - src/pch.c (do_ed_script): Write ed script to a temporary file instead
    of piping it to ed: this will cause ed to abort on invalid commands
    instead of rejecting them and carrying on.
  - tests/ed-style: New test case.
  - tests/Makefile.am (TESTS): Add test case.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
patch: fix CVE-2018-6951 2018-04-13T15:55:26+00:00 Jackie Huang jackie.huang@windriver.com 2018-04-11T06:56:09+00:00 cdf74e1c67698b2d44a7460ff7d365d6da7b7b96 * CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2018-6951 * upstream tracking: http://savannah.gnu.org/bugs/?53132 * Fix segfault with mangled rename patch - src/pch.c (intuit_diff_type): Ensure that two filenames are specified for renames and copies (fix the existing check). Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
* CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2018-6951

* upstream tracking: http://savannah.gnu.org/bugs/?53132

* Fix segfault with mangled rename patch
  - src/pch.c (intuit_diff_type): Ensure that two filenames are specified
    for renames and copies (fix the existing check).

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
patch:2.7.5 -> 2.7.6 2018-03-08T18:31:57+00:00 Huang Qiyu huangqy.fnst@cn.fujitsu.com 2018-03-07T03:10:10+00:00 e5dcd58e5b2ef0b8e2bbe90e9bb1cede4e76bf75 Upgrade patch from 2.7.5 to 2.7.6. Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Upgrade patch from 2.7.5 to 2.7.6.

Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
recipes: Move out stale GPLv2 versions to a seperate layer 2017-03-07T20:04:58+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2017-03-02T12:04:08+00:00 19b7e950346fb1dde6505c45236eba6cd9b33b4b These are recipes where the upstream has moved to GPLv3 and these old versions are the last ones under the GPLv2 license. There are several reasons for making this move. There is a different quality of service with these recipes in that they don't get security fixes and upstream no longer care about them, in fact they're actively hostile against people using old versions. The recipes tend to need a different kind of maintenance to work with changes in the wider ecosystem and there needs to be isolation between changes made in the v3 versions and those in the v2 versions. There are probably better ways to handle a "non-GPLv3" system but right now having these in OE-Core makes them look like a first class citizen when I believe they have potential for a variety of undesireable issues. Moving them into a separate layer makes their different needs clearer, it also makes it clear how many of these there are. Some are probably not needed (e.g. mc), I also wonder whether some are useful (e.g. gmp) since most things that use them are GPLv3 only already. Someone could now more clearly see how to streamline the list of recipes here. I'm proposing we mmove to this separate layer for 2.3 with its future maintinership and testing to be determined in 2.4 and beyond. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
These are recipes where the upstream has moved to GPLv3 and these old
versions are the last ones under the GPLv2 license.

There are several reasons for making this move. There is a different
quality of service with these recipes in that they don't get security
fixes and upstream no longer care about them, in fact they're actively
hostile against people using old versions. The recipes tend to need a
different kind of maintenance to work with changes in the wider ecosystem
and there needs to be isolation between changes made in the v3 versions
and those in the v2 versions.

There are probably better ways to handle a "non-GPLv3" system but right
now having these in OE-Core makes them look like a first class citizen
when I believe they have potential for a variety of undesireable issues.

Moving them into a separate layer makes their different needs clearer, it
also makes it clear how many of these there are. Some are probably not
needed (e.g. mc), I also wonder whether some are useful (e.g. gmp)
since most things that use them are GPLv3 only already. Someone could
now more clearly see how to streamline the list of recipes here.

I'm proposing we mmove to this separate layer for 2.3 with its future
maintinership and testing to be determined in 2.4 and beyond.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
recipes: Make use of the new bb.utils.filter() function 2017-03-01T11:17:22+00:00 Peter Kjellerstedt peter.kjellerstedt@axis.com 2017-02-27T13:02:50+00:00 0a1427bf9aeeda6bee2cc0af8da4ea5fd90aef6f Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta: Fix Upstream-Status statements 2015-09-12T21:59:01+00:00 Ross Burton ross.burton@intel.com 2015-09-10T18:59:47+00:00 bd220fe6ce8c3a0805f13a14706d3130ea872604 Fix a variety of problems such as typos, bad punctuations, or incorrect Upstream-Status values. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Fix a variety of problems such as typos, bad punctuations, or incorrect
Upstream-Status values.

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
recipes: Fix charset.alias for musl 2015-04-21T06:19:05+00:00 Khem Raj raj.khem@gmail.com 2015-04-16T02:00:25+00:00 fbe6d2c12aa9f7956bc87efeb68cb64b26b60c7a This is same gnulib fix replicated across needed recipes Change-Id: I756713407111a726eae98e26c9c1ff64981371c0 Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
This is same gnulib fix replicated across needed recipes

Change-Id: I756713407111a726eae98e26c9c1ff64981371c0
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
patch: 2.7.1 -> 2.7.5 2015-04-07T16:32:02+00:00 Robert Yang liezhi.yang@windriver.com 2015-04-07T11:24:24+00:00 c35135d5b99e852bc3ae718281c33925630a4cfb * Removed backport patch patch-CVE-2015-1196.patch * Add HOMEPAGE Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
* Removed backport patch patch-CVE-2015-1196.patch
* Add HOMEPAGE

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
patch: fix CVE-2015-1196 2015-03-29T22:07:14+00:00 Robert Yang liezhi.yang@windriver.com 2015-03-26T06:42:34+00:00 4c389880dc9c6221344f7aed221fe8356e8c2056 A directory traversal flaw was reported in patch: References: http://www.openwall.com/lists/oss-security/2015/01/18/6 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227 https://bugzilla.redhat.com/show_bug.cgi?id=1182154 [YOCTO #7182] Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
A directory traversal flaw was reported in patch:

References:
http://www.openwall.com/lists/oss-security/2015/01/18/6
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775227
https://bugzilla.redhat.com/show_bug.cgi?id=1182154

[YOCTO #7182]

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>