| Age | Commit message (Collapse) | Author | Files |
|---|
|
The fix backported in commit aa9fc551 of oe-core does not completely fix the
issue (Yocto #4595) as intended. The modules symlink is still created in the
working directory instead of in the deploy directory. To fix this, we just need
to use an absolute path to ${DEPLOYDIR} when creating the symlink.
Signed-off-by: Paul Barker <paul.barker@commagility.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* backported from 2.23.2, fixes:
work/x86_64-linux/binutils-native/2.23.1-r3/binutils-2.23.1/gas/write.c:409:24:
error: 'dummy.fr_type' may be used uninitialized in this function [-Werror=maybe-uninitialized]
gas_assert (prev_frag->fr_type != 0);
^
work/x86_64-linux/binutils-native/2.23.1-r3/binutils-2.23.1/gas/write.c:392:9: note: 'dummy' was declared here
fragS dummy, *prev_frag = &dummy;
^
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Patches explain the issue in detail but this is exposed
with gcc 4.9 in binutils 2.23.2
(From OE-Core rev: fc5c467b680fc5aef4b0f689e6988e17a9322ae0)
(From OE-Core rev: 4dfb8847ebf8aab90ad8888933468e2899c96998)
(From OE-Core rev: af347d3298e15552d502d5b2ce497bbda9705bc7)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core rev: 131a17f014e6373dae526cc927588ccc0fedc38d)
Signed-off-by: Krzysztof Sywula <krzysztof.m.sywula@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The modules-${MACHINE}.tgz should link to ${MODULE_TARBALL_BASE_NAME}.
But now it links to an invalid file ${MODULE_TARBALL_BASE_NAME}.bin.
Remove the extra .bin suffix.
[YOCTO #4595]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
ant reported on irc that the sstate absolute to relative symlink creation
code wasn't working in klibc. He was correct although the level of breakage is
rather surprising since it only worked for one level of symlink (usr/include) with
everything else being broken.
The reason is probably that nothing really uses absolute paths, we use relative
paths where at all possible already. Nothing in the target sysroot should use
absolute paths for a start. In this regard, the klibc-dev package is broken and
needs fixing. It will currently break when building for one machine, then switching
to another of the same TUNE_PKGARCH and installing from sstate but that is a
separate issue.
This patch fixes the symlink creation code by firstly passing in the correct
value we need (where the symlink will end up) and seccondly, actually using it.
I've also tweaked the debug message to contain appropriate information and got
right of the double "//" value the existing code created in favour of the form
'./..' which looks neater.
(From OE-Core rev: 9b05c65450526522d7358d0c0901b594de546748)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)
Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
(From OE-Core master rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
Anonymous ECDH denial of service (CVE-2014-3470)
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
SSL/TLS MITM vulnerability (CVE-2014-0224)
An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
DTLS recursion flaw (CVE-2014-0221)
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.
Only applications using OpenSSL as a DTLS client are affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora,
which is the same as the patch which was actually applied upstream for
the issue, i.e.:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
DTLS invalid fragment vulnerability (CVE-2014-0195)
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Only applications using OpenSSL as a DTLS client or server affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Backported patch for CVE-2014-3466.
This patch is for dylan.
Signed-off-by: Valentin Popa <valentin.popa@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
A null pointer dereference bug was discovered in do_ssl3_write().
An attacker could possibly use this to cause OpenSSL to crash, resulting
in a denial of service.
https://access.redhat.com/security/cve/CVE-2014-0198
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We don't normally do this, but with the recent CVE fixes (most
importantly the one for the serious CVE-2014-0160 vulnerability) I am
bumping PR explicitly to make it a bit more obvious that the patch has
been applied.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes the "heartbleed" TLS vulnerability (CVE-2014-0160). More
information here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
Patch borrowed from Debian; this is just a tweaked version of the
upstream commit (without patching the CHANGES file which otherwise
would fail to apply on top of this version).
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2
obtains a certain version number from an incorrect data structure, which
allows remote attackers to cause a denial of service (daemon crash) via
crafted traffic from a TLS 1.2 client.
(From OE-Core master rev: 3e0ac7357a962e3ef6595d21ec4843b078a764dd)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x
through 1.0.1e does not properly maintain data structures for digest and
encryption contexts, which might allow man-in-the-middle attackers to
trigger the use of a different context by interfering with packet delivery,
related to ssl/d1_both.c and ssl/t1_enc.c.
(From OE-Core master rev: 94352e694cd828aa84abd846149712535f48ab0f)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before
1.0.1f allows remote TLS servers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted Next Protocol
Negotiation record in a TLS handshake.
(From OE-Core master rev: 35ccce7002188c8270d2fead35f9763b22776877)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These are in the Toolchain list, so they should also be installed on the build appliance
[YOCTO #5061]
Fixes [YOCTO #5941].
(Partial backport of OE-Core master rev: 82374feece5c576f9950bad6861b1e00c6b30d84)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
I have a feeling this code exists from the time before we had proper
coverage of one sstate task by another task. At that time it was a
"poor" persons version of that idea, we now have much better
code internal to bitbake which handles this.
Worse, this code actually breaks certain rebuild scenarios,
e.g.:
bitbake libtool-cross
bitbake libtool-cross -c cleansstate
rm tmp -rf
bitbake libtool-cross
would fail as binutils-cross wasn't installed from sstate.
The easiest fix is to remove the obsolete/broken code.
[YOCTO #5773]
(From OE-Core master rev: ccad07f35fb7f959e24fd50d04c7d10dd5cf20d0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Some LSB packages appear to have the platform set to '%{_target_platform}'
which is not a valid platform field. This causes a failure of the type:
warning: package lsb-test-core-4.1.15-1.x86_64 is intended for a %{_target_platform} platform
When we detect an invalid platform, fall back and try to construct a new
platform name that may be valid based on the arch and os contents of the
package. (This should only ever be needed by invalid or older RPM packages.)
(From OE-Core master rev: 6513fa327aeb7e9fdd313290c205917952eed226)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
== is a bashism use = instead.
(Based on OE-Core master rev: c90d1047c41148cbd57f26b5a34563346602a71b)
Signed-off-by: Stefan Stanacar <stefanx.stanacar@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
|
Fixes [YOCTO #5233]
Modeled after Chen Qi's fix to [YOCTO #3924] from oe-core commit:
6b6db7b4fb7aa17b8e29076decc830149b9d35bc
init-install.sh: remove unnecessary udev rules file to avoid error messages
/etc/udev/scripts/mount.sh is removed by init-install-efi.sh, but the
udev rules file which specifies the invocation of this script is not
removed, thus causing the error message during a live install:
/etc/udev/scripts/mount.sh: No such file or directory
The /etc/udev/rules/automount.rules no longer works once the mount.sh
script is removed. Remove it to avoid the error message.
(From OE-Core master rev: 1f5a2b616d902b1158e348bf8c33b6d36e21cadc)
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: mihaix.lindner@linux.intel.com
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The existing -cpu host option caused kernel panics when people attempted to use
the kvm option. After research and discussion, the best options appear to
be the kvm32/kvm64 cpu types so lets use these instead. These resolve
the kernel issues for me.
[YOCTO #3908]
(From OE-Core master rev: bdc6d3be6ffa4ed358153f9c9332b632324f5833)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
python-multiprocessing
(From OE-Core master rev: 5abf18a7f11ee9e88e0eec1b66cc63427d9097a8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add a Debian patch to fix a load of errors building the documentation
within do_compile e.g.:
| ./x509-api.texi:15: misplaced {
| ./x509-api.texi:15: misplaced }
(From OE-Core master rev: b09a9a5f298596795f17243e5ffcf7dab295a8e6)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
certificates.
This patch is for the OE-Core dylan branch - it comes from upstream:
>From 467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 12 Feb 2014 16:41:33 +0100
For more info see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
https://www.gitorious.org/gnutls/gnutls/commit/467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch is for the OE-Core dylan branch - it comes from upstream:
git://gitorious.org/gnutls/gnutls.git
branch: gnutls_2_12_x
commit: 6aa26f78150ccbdf0aec1878a41c17c41d358a3b
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Thu Feb 27 19:42:26 2014 +0100
For more info see:
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If sysroot contains '-D' or '-I' characters, the SVN_NEON_INCLUDES and
the corresponding CFLAGS will not get the correct value.
This will cause build failures.
This patch fixes the above problem.
[YOCTO #5458]
(From OE-Core master rev: 7078397ef39de43244fca7e24683b2a83913cbbf)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The depenency on guild-native and libatomics-ops is missing
in multilib build, fix the depends with class-target.
(From OE-Core master rev: 88f1913f7cea54f0e4e1024ea506b5ce9faea96b)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If you build libx11-native then that has to be ABI-compatible with the
libX11 on the host or you'll have problems running qemu-native. Most
current distros are using libX11 1.6+. Thus, we need to backport the
_XEatDataWords API present in 1.6.
This only affects the dylan branch as dora+ has libx11 1.6+.
Fixes [YOCTO #5040].
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport a patch from upstream which fixes failures building
guile-native on newer distros such as Ubuntu 13.10. (This does not
affect dora or master because we are using Guile 2.0.9 there, which
already contains this patch.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
(From OE-Core master rev: bc6258f88705b0e7989089a8666ac5e5d2355823)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Using TARGET_OS can add the ABIEXTENSION so ensure that is is removed for the Linux
TARGET_OS, we might have other TARGET_OSes so don't hard code CMAKE_SYSTEM_NAME
[YOCTO #5145]
(From OE-Core master rev: 7d8b700242b1b32c6b6d0735b497701800f54fc4)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
For unknown reasons, the cmake class is using SDK_OS as the
target system OS. This makes no sense but only shows up as a problem
when you try a different SDK OS. Fix it to use TARGET_OS which is
the correct thing to do. For the vast majority of users this will
make no difference.
(From OE-Core master rev: 57be84259f0885865c85d7bac350979430b956b5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The configure script looks for this; most of the time dependency chains
ensure this is present but we need to be explicit or failures can
occur.
Reported by Nicolas Dechesne <nicolas.dechesne@linaro.org>
(From OE-Core master rev: 22e45ed7d74ceb4a719e7b5889400c20ed4a0783)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
