openembedded-core.git/meta/recipes-support, branch dizzy Mirror of openembedded-core libtasn1: CVE-2015-3622 2016-01-30T12:01:40+00:00 Sona Sarmadi sona.sarmadi@enea.com 2015-09-14T10:04:32+00:00 61bee3f813127c91d75a2af5197bdc874483a1fd _asn1_extract_der_octet: prevent past of boundary access References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3622 http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=patch; h=f979435823a02f842c41d49cd41cc81f25b5d677 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster@mvista.com> 
_asn1_extract_der_octet: prevent past of boundary access

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3622
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=patch;
h=f979435823a02f842c41d49cd41cc81f25b5d677

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
icu: CVE-2014-8146-CVE-2014-8147 2015-09-19T10:52:55+00:00 Sona Sarmadi sona.sarmadi@enea.com 2015-09-04T10:51:00+00:00 1bc6391f65dec41ff0360b625b7a85a161e43955 CVE-2014-8146 icu: heap overflow via incorrect isolateCount CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function References: [1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z [2] https://www.kb.cert.org/vuls/id/602540 [3] http://bugs.icu-project.org/trac/changeset/37080 [4] http://bugs.icu-project.org/trac/changeset/37162 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
CVE-2014-8146 icu: heap overflow via incorrect isolateCount
CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function

References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z
[2] https://www.kb.cert.org/vuls/id/602540
[3] http://bugs.icu-project.org/trac/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
gnutls: CVE-2015-3308 2015-09-19T10:52:50+00:00 Sona Sarmadi sona.sarmadi@enea.com 2015-09-03T11:53:34+00:00 75b25e7d463ed1af0fd9b3dd56e407e6e72b0f6a Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
gpgme: fix CVE-2014-3564 2015-07-20T19:53:07+00:00 Kai Kang kai.kang@windriver.com 2015-05-28T01:26:14+00:00 7643fe96bbce57995580162b5339674cc4a9c81f Backport patch to fix CVE-2014-3564. http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f (From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Conflicts: meta/recipes-support/gpgme/gpgme_1.4.3.bb 
Backport patch to fix CVE-2014-3564.

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f

(From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

Conflicts:
	meta/recipes-support/gpgme/gpgme_1.4.3.bb
curl: add a few missing security fixes 2015-07-20T19:53:05+00:00 Armin Kuster akuster808@gmail.com 2015-05-10T20:20:21+00:00 cfcda9db45350d03158569c8c01e448cb426de5a CVE-2014-3707 CVE-2014-8150 CVE-2015-3153 not affected by: CVE-2014-8151 Signed-off-by: Armin Kuster <akuster808@gmail.com> 
CVE-2014-3707
CVE-2014-8150
CVE-2015-3153

not affected by:  CVE-2014-8151

Signed-off-by: Armin Kuster <akuster808@gmail.com>
curl: several security fixes 2015-07-20T19:53:05+00:00 Maxin B. John maxin.john@enea.com 2015-04-23T13:11:00+00:00 e525ef63ed2b4f3a250caf0748637b7f16b34d90 Fixes below listed bugs: 1. CVE-2015-3143 2. CVE-2015-3144 3. CVE-2015-3145 Dropped: 4. CVE-2015-3148 SPNEGO was introduced in 7.39 so this version not affected Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Fixes below listed bugs:
1. CVE-2015-3143
2. CVE-2015-3144
3. CVE-2015-3145

Dropped: 4. CVE-2015-3148
SPNEGO was introduced in 7.39 so this version not affected

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
libunwind: backport patch to link against libgcc_s intead of libgcc 2015-04-17T21:38:34+00:00 Jonathan Liu net147@gmail.com 2015-03-11T02:33:05+00:00 986b46517ed9cd0821821371faab68e92c2d6dab Signed-off-by: Jonathan Liu <net147@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
serf: fix 'ccache' builds 2015-04-17T21:38:33+00:00 Enrico Scholz enrico.scholz@sigma-chemnitz.de 2015-03-05T23:03:28+00:00 24c35c63b85621b263e7a211dc39b2257154cd28 'scons' cleans the environment which breaks ccache builds because CCACHEDIR can point to an unexpected location: | ccache arm-linux-gnueabi-gcc ... context.c | ccache: failed to create .../serf/1.3.8-r0/.home/.ccache (No such file or directory) Issue is described in http://www.scons.org/wiki/ImportingEnvironmentSettings and because 'bitbake' cleans environment we can pass it completely instead of trying to enumerate needed env. With the 'env.patch' the FULLCC variable is not needed anymore (which would break when CC is 'ccache arm-...-gcc' and host ccache is used) because the correct $PATH is available during scons build: | sh: .../sysroots/x86_64-oe-linux/usr/bin/arm-linux-gnueabi/ccache: No such file or directory | scons: *** [context.o] Error 127 Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
'scons' cleans the environment which breaks ccache builds because
CCACHEDIR can point to an unexpected location:

| ccache arm-linux-gnueabi-gcc ... context.c
| ccache: failed to create .../serf/1.3.8-r0/.home/.ccache (No such file or directory)

Issue is described in

  http://www.scons.org/wiki/ImportingEnvironmentSettings

and because 'bitbake' cleans environment we can pass it completely
instead of trying to enumerate needed env.

With the 'env.patch' the FULLCC variable is not needed anymore (which
would break when CC is 'ccache arm-...-gcc' and host ccache is used)
because the correct $PATH is available during scons build:

| sh: .../sysroots/x86_64-oe-linux/usr/bin/arm-linux-gnueabi/ccache: No such file or directory
| scons: *** [context.o] Error 127

Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
liburcu: revert ARM GCC blacklist commit 2015-03-27T17:59:25+00:00 Jonathan Liu net147@gmail.com 2015-03-16T11:29:48+00:00 aaf5ae09f14578ff1961ad3b199aacbc77a1f8ff This fixes the following error when building liburcu: "Your gcc version produces clobbered frame accesses" OE-Core is using a patched GCC 4.8.2 which is able to compile liburcu properly. Signed-off-by: Jonathan Liu <net147@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
This fixes the following error when building liburcu:
"Your gcc version produces clobbered frame accesses"

OE-Core is using a patched GCC 4.8.2 which is able to compile liburcu
properly.

Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
boost: Avoid to use local host configuration 2015-02-11T17:39:50+00:00 Fabien Proriol fabien.proriol@jdsu.com 2015-01-22T14:07:48+00:00 028400fb47e6462d702c8822b9a98b4310f9ed6f (From OE-Core rev: 6586aeb3e26d58322c169dfef0228a425fe5d3fa) Signed-off-by: Fabien Proriol <fabien.proriol@jdsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
(From OE-Core rev: 6586aeb3e26d58322c169dfef0228a425fe5d3fa)

Signed-off-by: Fabien Proriol <fabien.proriol@jdsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>