openembedded-core.git/meta/recipes-extended, branch daisy Mirror of openembedded-core cpio: fix bug CVE-2014-9112 for cpio-2.8 2015-02-06T14:47:57+00:00 Bian Naimeng biannm@cn.fujitsu.com 2014-12-08T05:45:06+00:00 6f238c8293c3578eead15bf9f9ab5fdf95d1e9a5 Obtain detain from following URL. http://lists.gnu.org/archive/html/bug-cpio/2014-12/msg00000.html http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d (From OE-Core rev: 732fc8de55a9c7987608162879959c03423de907) Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Obtain detain from following URL.
http://lists.gnu.org/archive/html/bug-cpio/2014-12/msg00000.html
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d

(From OE-Core rev: 732fc8de55a9c7987608162879959c03423de907)

Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cpio: fix bug CVE-2014-9112 for cpio-2.11 2015-02-06T14:47:53+00:00 Bian Naimeng biannm@cn.fujitsu.com 2014-12-08T05:45:07+00:00 674e1b4d44c7b108a843d486178182b943607a55 Obtain detain from following URL. http://lists.gnu.org/archive/html/bug-cpio/2014-12/msg00000.html http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d (From OE-Core rev: 9a32da05f5a9bc62c592fd2d6057dc052e363261) Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Obtain detain from following URL.
  http://lists.gnu.org/archive/html/bug-cpio/2014-12/msg00000.html
  http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff670dcfcdd28fcc990e79cd6fccc7ae48d

(From OE-Core rev: 9a32da05f5a9bc62c592fd2d6057dc052e363261)

Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
wget: Fix for CVE-2014-4887 2014-11-06T11:39:41+00:00 Saul Wold sgw@linux.intel.com 2014-11-06T05:08:53+00:00 52f9eebe86e4b641229b524dd7701c01d9ed833c Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libarchive: avoid dependency on e2fsprogs 2014-11-06T11:38:50+00:00 Paul Eggleton paul.eggleton@linux.intel.com 2014-11-06T05:08:52+00:00 7504c2e715d675775e166a52ae83cf48504add19 libarchive's configure script looks for ext2fs/ext2_fs.h in order to use some defines for file attributes support if present (but doesn't link to any additional libraries.) There is no configure option to disable this, and if e2fsprogs is rebuilding between do_configure and do_compile you can currently get a failure. Because it doesn't need anything else from e2fsprogs, and e2fsprogs isn't currently buildable for nativesdk anyway, copy the headers in from e2fsprogs-native which we're likely to have built already (and add it to DEPENDS just to be sure we have.) Fixes [YOCTO #6268]. (From OE-Core master rev: ad754e46ad477acfbe7543187a5c38bc333b8612) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
libarchive's configure script looks for ext2fs/ext2_fs.h in order to use
some defines for file attributes support if present (but doesn't link to
any additional libraries.) There is no configure option to disable this,
and if e2fsprogs is rebuilding between do_configure and do_compile you
can currently get a failure. Because it doesn't need anything else from
e2fsprogs, and e2fsprogs isn't currently buildable for nativesdk anyway,
copy the headers in from e2fsprogs-native which we're likely to have
built already (and add it to DEPENDS just to be sure we have.)

Fixes [YOCTO #6268].

(From OE-Core master rev: ad754e46ad477acfbe7543187a5c38bc333b8612)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ltp: Added zip-native as a DEPENDS 2014-11-04T15:12:50+00:00 Alejandro Hernandez alejandro.hernandez@linux.intel.com 2014-10-31T21:54:48+00:00 00dc2ac9e0a7d4cec2d94f4d934dc1ab42d5b20b The Makefile checks for zip during installation [YOCTO #6699] (From OE-Core rev: a6e8ced3fa8e8e2aa3df0798b80eb26e5ebc4b15) Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Conflicts: meta/recipes-extended/ltp/ltp_20140115.bb 
The Makefile checks for zip during installation

[YOCTO #6699]

(From OE-Core rev: a6e8ced3fa8e8e2aa3df0798b80eb26e5ebc4b15)

Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Conflicts:
	meta/recipes-extended/ltp/ltp_20140115.bb
bash: Fix-for-CVE-2014-6278 2014-10-10T16:56:33+00:00 Catalin Popeanga Catalin.Popeanga@enea.com 2014-10-09T12:25:15+00:00 de596b5f31e837dcd2ce991245eb5548f12d72ae This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277 See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> 
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278

Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
bash: Fix for CVE-2014-6277 2014-10-10T16:56:33+00:00 Catalin Popeanga Catalin.Popeanga@enea.com 2014-10-09T12:24:53+00:00 85961bcf81650992259cebb0ef1f1c6cdef3fefa Follow up bash43-026 to parse properly function definitions in the values of environment variables, to not allow remote attackers to execute arbitrary code or to cause a denial of service. See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com> 
Follow up bash43-026 to parse properly function definitions in the values of environment variables, to not allow remote attackers to execute arbitrary code or to cause a denial of service.

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277

Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
bash: Fix for CVE-2014-7186 and CVE-2014-7187 2014-10-10T16:56:33+00:00 Catalin Popeanga Catalin.Popeanga@enea.com 2014-10-09T12:24:29+00:00 153d1125659df9e5c09e35a58bd51be184cb13c1 This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> 
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
bash: Fix for exported function namespace change 2014-10-10T16:56:32+00:00 Catalin Popeanga Catalin.Popeanga@enea.com 2014-10-09T12:23:24+00:00 6c51cc96d03df26d1c10867633e7a10dfbec7c45 This is a followup patch to incomplete CVE-2014-6271 fix code execution via specially-crafted environment This patch changes the encoding bash uses for exported functions to avoid clashes with shell variables and to avoid depending only on an environment variable's contents to determine whether or not to interpret it as a shell function. Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> 
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment

This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
libpam: Security Advisory - CVE-2014-2583 2014-10-10T14:05:52+00:00 Yue Tao Yue.Tao@windriver.com 2014-06-17T08:23:59+00:00 8b9164029153fa06520bd5b6349245c2ac1f605f v2 changes: * update format for commit log * add Upstream-Status for patch Multiple directory traversal vulnerabilities in pam_timestamp.c in the pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to create aribitrary files or possibly bypass authentication via a .. (dot dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY value to the check_tty funtion, which is used by the format_timestamp_name function. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2583 (From OE-Core rev: 69255c84ebd99629da8174e1e73fd8c715e49b52) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
v2 changes:
* update format for commit log
* add Upstream-Status for patch

Multiple directory traversal vulnerabilities in pam_timestamp.c in the
pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to
create aribitrary files or possibly bypass authentication via a .. (dot
dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY
value to the check_tty funtion, which is used by the
format_timestamp_name function.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2583

(From OE-Core rev: 69255c84ebd99629da8174e1e73fd8c715e49b52)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>