openembedded-core.git/meta/recipes-extended, branch pyro Mirror of openembedded-core ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951 2017-04-28T10:26:07+00:00 Catalin Enache catalin.enache@windriver.com 2017-04-21T12:04:17+00:00 6679a4d4379f6f18554ed0042546cce94d5d0b19 The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted file. The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file that is mishandled in the PDF Transparency module. The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951 Upstream patches: http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8 http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript
9.20 allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a crafted file.

The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file that is
mishandled in the PDF Transparency module.

The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f
http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8
http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
acpica: fix upstream version check 2017-04-28T10:26:06+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2017-04-21T12:40:00+00:00 a5d5a244717259c15145c65e0f44e37544afe8ee Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
lsbtest: add option --ignoreos to rpm install command 2017-04-28T10:26:06+00:00 Dengke Du dengke.du@windriver.com 2017-04-21T04:15:53+00:00 db2798d967dbffed834070b52fe778efa18cb4ae After change to the rpm4, the rpm packages in lsbtest, such as: lsb-setup-4.1.0-1.noarch.rpm lsb-dist-checker-5.0.0.1-1.x86_64.rpm ...... lsb-cmdchk-5.0.3-1.x86_64.rpm When install above rpm packages, the error log appears: package lsb-setup-4.1.0-1.noarch is intended for a different operating system ...... So we should add option "--ignoreos" to the rpm install command in LSB_Test.sh in ./meta/recipes-extended/lsb/lsbtest directory. In this way we can make sure the correct installation of those rpm packages. The YOCTO bug #11224 didn't create logs, this is because the above test rpm packages didn't install. [YOCTO #11224] Signed-off-by: Dengke Du <dengke.du@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
After change to the rpm4, the rpm packages in lsbtest, such as:

    lsb-setup-4.1.0-1.noarch.rpm
    lsb-dist-checker-5.0.0.1-1.x86_64.rpm
    ......
    lsb-cmdchk-5.0.3-1.x86_64.rpm

When install above rpm packages, the error log appears:

    package lsb-setup-4.1.0-1.noarch is intended for a different operating system
    ......

So we should add option "--ignoreos" to the rpm install command in LSB_Test.sh
in ./meta/recipes-extended/lsb/lsbtest directory. In this way we can make sure
the correct installation of those rpm packages.

The YOCTO bug #11224 didn't create logs, this is because the above test rpm
packages didn't install.

[YOCTO #11224]

Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Revert "logrotate: set downloadfilename" 2017-04-21T07:22:02+00:00 Ross Burton ross.burton@intel.com 2017-04-20T16:06:54+00:00 eb4fee616287ae731f7af52e0fe5fc81f2eea2c0 Sadly this breaks previous OE releases as it means the source mirror contains a tarball with the same name but different checksums as was previously available. This reverts commit 99c6e89db193d572e845f95eabbd9ec89c3508c7. Signed-off-by: Ross Burton <ross.burton@intel.com> 
Sadly this breaks previous OE releases as it means the source mirror contains a
tarball with the same name but different checksums as was previously available.

This reverts commit 99c6e89db193d572e845f95eabbd9ec89c3508c7.

Signed-off-by: Ross Burton <ross.burton@intel.com>
ltp: fix an incorrect macro checking 2017-04-19T09:16:24+00:00 Jackie Huang jackie.huang@windriver.com 2016-11-19T02:11:00+00:00 ca798705b3b8fa9b2f6467970e9bda9d9433986c The previous patch added a check but incorrectly change the elif to if, then it always return 0 for cpuid if the machine is not __i386__ getcpu01 1 TFAIL : getcpu01.c:140: getcpu() returned wrong value expected cpuid:7, returned value cpuid: 0 After this fix: getcpu01 1 TPASS : getcpu() returned proper cpuid:7, node id:0 Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The previous patch added a check but incorrectly
change the elif to if, then it always return 0
for cpuid if the machine is not __i386__

getcpu01    1  TFAIL  :  getcpu01.c:140: getcpu() returned wrong value expected cpuid:7, returned value cpuid: 0

After this fix:
getcpu01    1  TPASS  :  getcpu() returned proper cpuid:7, node id:0

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
logrotate: set downloadfilename 2017-04-19T09:16:23+00:00 Robert Yang liezhi.yang@windriver.com 2017-04-17T09:49:27+00:00 b0e5c8f6a5041010347f6b70e39e41886829d928 Otherwise, the filename is r3-9-1.tar.gz which isn't straightforward. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Otherwise, the filename is r3-9-1.tar.gz which isn't straightforward.

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
unzip: add missing CVE headers to patches 2017-04-13T22:58:17+00:00 Ross Burton ross.burton@intel.com 2017-04-13T22:36:43+00:00 de7ff341d18f46d68abeabcb53ba07d012090c15 Signed-off-by: Ross Burton <ross.burton@intel.com> 
Signed-off-by: Ross Burton <ross.burton@intel.com>
grep: do_configure: fix "Argument list too long" 2017-04-13T22:57:38+00:00 Robert Yang liezhi.yang@windriver.com 2017-04-13T09:57:26+00:00 081974e75cc0cfa0a1a1bb01cd9f9cbc585b7692 Fixed when len(TMPDIR) = 410: aclocal: error: cannot open echo 'm4_define [snip]' configure.ac |: Argument list too long' This is becuase it has a lot of m4 files, use relative path for them can fix the problem. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Fixed when len(TMPDIR) = 410:
aclocal: error: cannot open echo 'm4_define [snip]' configure.ac |: Argument list too long'

This is becuase it has a lot of m4 files, use relative path for them
can fix the problem.

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ed: update SRC_URI to yoctoproject mirror 2017-04-12T14:02:13+00:00 Maxin B. John maxin.john@intel.com 2017-04-11T10:47:52+00:00 a2f1026b3d8c9f9810cb4389a8a93fabb04e15a4 Upstream has removed the 1.14.1 release from ftp.gnu.org and moved to the latest 1.14.2. Since we don't want to upgrade at this point of time, temporarily move the SRC_URI to yoctoproject mirror. Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Upstream has removed the 1.14.1 release from ftp.gnu.org and
moved to the latest 1.14.2. Since we don't want to upgrade at
this point of time, temporarily move the SRC_URI to yoctoproject
mirror.

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libsolv: correctly attribute musl fixing patches 2017-04-11T17:09:20+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2017-04-11T09:22:43+00:00 378b333fb09d106fb04901f5a4362fc0eb076e82 Also, they were previously squashed into a single patch; restore the original two-patch arrangement. As requested here: http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135460.html Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Also, they were previously squashed into a single patch; restore
the original two-patch arrangement.

As requested here:
http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135460.html

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>