openembedded-core.git/meta/recipes-extended, branch danny Mirror of openembedded-core tcp-wrappers: add socklen_t.patch 2013-03-01T14:44:51+00:00 farrah rashid farrah.rashid@windriver.com 2013-02-20T21:09:48+00:00 f8d44580e7caf29f1b532c89041469847c36f45f Replace incorrect size_t data type with socket length data type Signed-off-by: farrah rashid <farrah.rashid@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Replace incorrect size_t data type with socket length data type

Signed-off-by: farrah rashid <farrah.rashid@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
tcp-wrappers: remove size_t.patch 2013-03-01T14:44:40+00:00 Roy.Li rongqing.li@windriver.com 2013-02-02T08:18:22+00:00 c98fd6606f0e253453bf5478636f6b57fc641377 1. it introduces bug in 64bit big endian process with __GLIBC__, At that condition, size_t is 8byte, and the third parameter of getpeername is socklen_t which is 4 byte. As a result, getpeername sees third parameter is always 0, and can not return right value. The similar program is below, the output is 0, not 9 on PPC64 cpu main() { long aa=9; printf("%d \n", *((int *)&aa)); } 2. The correct fix is to change getpeername/getsockopt/recvfrom.. last parameter type from int to socklen_t, but to simplify, we can remove size_t.patch, since the size of int is same as socklen_t in 32bit/64bit cpu. and size_t.patch only change three places, there are other places which uses int, and work well. 2. Fedora, redhat el4 do not use this patch, but Debian uses it, does not find why this patch is written, maybe it is gcc legency issue which does not exist. Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
1. it introduces bug in 64bit big endian process with __GLIBC__, At that
condition, size_t is 8byte, and the third parameter of getpeername is
socklen_t which is 4 byte. As a result, getpeername sees third parameter
is always 0, and can not return right value.

The similar program is below, the output is 0, not 9 on PPC64 cpu
	main()
	{
		long aa=9;
		printf("%d \n", *((int *)&aa));
	}

2. The correct fix is to change getpeername/getsockopt/recvfrom.. last
parameter type from int to socklen_t, but to simplify, we can remove
size_t.patch, since the size of int is same as socklen_t in 32bit/64bit
cpu. and size_t.patch only change three places, there are other places
which uses int, and work well.

2. Fedora, redhat el4 do not use this patch, but Debian uses it, does not
find why this patch is written, maybe it is gcc legency issue which does
not exist.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
tzdata: Simplify code removing not used cases 2013-02-27T13:48:44+00:00 Otavio Salvador otavio@ossystems.com.br 2013-02-08T14:52:20+00:00 77fed2c773d7d98f88d6e8a2f4a8617b9e8b8a62 We shouldn't have an use-case where we'd use 'FUBAR' timezone so instead of adding postinst handling for this use case we handle it at install time and keep the Universal as fallback if user did something wrong. This also ensure the /etc/localtime file is kept as a symbolic link. This will make timezone not available when /usr is in separated partition (and not mounted) however the applications ought to fallback to GMT timezone in this case and when /usr is made availble timezone will work fine. Change-Id: I9a4f05db7a0bdc06511deb5693d1d16569d2fc63 Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
We shouldn't have an use-case where we'd use 'FUBAR' timezone so
instead of adding postinst handling for this use case we handle it at
install time and keep the Universal as fallback if user did something
wrong.

This also ensure the /etc/localtime file is kept as a symbolic link.
This will make timezone not available when /usr is in separated
partition (and not mounted) however the applications ought to fallback
to GMT timezone in this case and when /usr is made availble timezone
will work fine.

Change-Id: I9a4f05db7a0bdc06511deb5693d1d16569d2fc63
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
tzdata: We shouldn't override the localtime if it is valid 2013-02-27T13:48:18+00:00 Otavio Salvador otavio@ossystems.com.br 2013-02-08T14:52:19+00:00 9e7980a88e1604b21138d1999a04e471e07edfe3 The code where mistakenly replacing the localtime file setting so we end with a copy of file instead of a symbolic link. This fixes it so now, we'll only do that in case the link is pointing to invalid data. Change-Id: I16dfa5ea4f293c48bb396f4e23a2ea53e6c9e745 Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The code where mistakenly replacing the localtime file setting so we
end with a copy of file instead of a symbolic link. This fixes it so
now, we'll only do that in case the link is pointing to invalid data.

Change-Id: I16dfa5ea4f293c48bb396f4e23a2ea53e6c9e745
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cups CVE-2011-3170 2013-01-07T11:31:48+00:00 Li Wang li.wang@windriver.com 2013-01-07T11:10:01+00:00 1f555a6a45eb68011cbe759acf486ac507a6599c the patch come from: http://cups.org/strfiles/3914/str3914.patch The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170 [YOCTO #3583] [ CQID: WIND00299594 ] Upstream-Status: Backport (From OE-Core rev: c82517bb667484854eaa05b6e9efd9ee0f164fec) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
the patch come from:
http://cups.org/strfiles/3914/str3914.patch

The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and
earlier does not properly handle the first code word in an LZW stream,
which allows remote attackers to trigger a heap-based buffer overflow,
and possibly execute arbitrary code, via a crafted stream, a different
vulnerability than CVE-2011-2896.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3170

[YOCTO #3583]
[ CQID: WIND00299594 ]
Upstream-Status: Backport

(From OE-Core rev: c82517bb667484854eaa05b6e9efd9ee0f164fec)

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cups - CVE-2011-2896 2013-01-07T11:31:41+00:00 Li Wang li.wang@windriver.com 2013-01-07T11:10:00+00:00 1518fc8febbe99fc7ce9b86e087f8bb1c02552d8 the patch come from: http://cups.org/strfiles/3867/str3867.patch The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2896 [YOCTO #3582] [ CQID: WIND00299595 ] Upstream-Status: Backport (From OE-Core rev: 0742b7aecaada435f90f39f26914906a5eb1fd4f) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
the patch come from:
http://cups.org/strfiles/3867/str3867.patch

The LZW decompressor in the LWZReadByte function in giftoppm.c
in the David Koblas GIF decoder in PBMPLUS, as used in the
gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7,
the LZWReadByte function in plug-ins/common/file-gif-load.c
in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c
in XPCE in SWI-Prolog 5.10.4 and earlier, and other products,
does not properly handle code words that are absent from the
decompression table when encountered, which allows remote attackers to
trigger an infinite loop or a heap-based buffer overflow, and possibly
execute arbitrary code, via a crafted compressed stream, a related
issue to CVE-2006-1168 and CVE-2011-2895.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2896

[YOCTO #3582]
[ CQID: WIND00299595 ]
Upstream-Status: Backport

(From OE-Core rev: 0742b7aecaada435f90f39f26914906a5eb1fd4f)

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cups: CVE-2012-5519 2013-01-07T11:31:34+00:00 Li Wang li.wang@windriver.com 2013-01-07T11:09:59+00:00 5031fedc6f8d7232fd934c66237c6dd1d84af05f lpadmin to (limited) root privilege escalation http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5519 http://www.cups.org/strfiles/4223/str4223v2-1.4.4-debian.patch [YOCTO #3579] [ CQID: WIND00392016 ] Upstream-Status: Backport (From OE-Core rev: 9f6964b489ef3e0f175bf33a94ab819408875da8) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
lpadmin to (limited) root privilege escalation
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5519
http://www.cups.org/strfiles/4223/str4223v2-1.4.4-debian.patch

[YOCTO #3579]
[ CQID: WIND00392016 ]
Upstream-Status: Backport

(From OE-Core rev: 9f6964b489ef3e0f175bf33a94ab819408875da8)

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bzip2 and busybox: Incorrect LICENSE 2012-10-03T09:04:03+00:00 Elizabeth Flanagan elizabeth.flanagan@intel.com 2012-10-02T23:01:42+00:00 a0b132798d2c1adf79414787b8317327a554f852 The license for bzip2 is not quite BSD. I have an email out to the maintainer to see if we can utilize a common BSD license (or something else) however, for now, we should revert bzip2 back to a special license. As busybox also utilizes a lightly modified bzip2, this also effects busybox. Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The license for bzip2 is not quite BSD. I have an email out to the
maintainer to see if we can utilize a common BSD license (or something
else) however, for now, we should revert bzip2 back to a special
license.

As busybox also utilizes a lightly modified bzip2, this also
effects busybox.

Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gzip: The native version should provide gzip-replacement-native 2012-10-02T16:07:11+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2012-10-02T13:13:00+00:00 9c2e5b04e40102fc7276fd3a6467725617dc33ce Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Cleanup: fix PN == BPN cases 2012-10-02T10:15:35+00:00 Mark Hatle mark.hatle@windriver.com 2012-09-30T00:19:13+00:00 acc988272b4e74a9ad1e6da5af5b2d208584197b When building target packages, it used to be enought to check for PN == BPN, however with the multilib configurations, this can lead to subtle errors. Change instances of PN == BPN, to ${CLASSOVERRIDE} == 'class-target'. Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
When building target packages, it used to be enought to check for PN == BPN, however
with the multilib configurations, this can lead to subtle errors.  Change instances
of PN == BPN, to ${CLASSOVERRIDE} == 'class-target'.

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>