| Age | Commit message (Collapse) | Author | Files |
|---|
|
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment
Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
__gconv_translit_find: Disable function [BZ #17187]
This functionality has never worked correctly, and the implementation
contained a security vulnerability (CVE-2014-5119).
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Mozilla Network Security Services (NSS) before 3.15.2 does
not ensure that data structures are initialized before
read operations, which allows remote attackers to cause a
denial of service or possibly have unspecified other
impact via vectors that trigger a decryption failure.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1739
(From OE-Core rev: 9b43af77d112e75fa9827a9080b7e94f41f9a116)
Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-support/nss/nss.inc
|
|
the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606
https://bugzilla.mozilla.org/show_bug.cgi?id=910438
http://hg.mozilla.org/projects/nss/rev/d29898e0981c
The CERT_VerifyCert function in lib/certhigh/certvfy.c in
Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides
an unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted certificate.
(From OE-Core rev: 1e153b1b21276d56144add464d592cd7b96a4ede)
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-support/nss/nss.inc
|
|
When using the useradd-staticids.bbclass under meta/classes,
this error occurs:
"<username> - <username>: Username does not have a static uid defined."
There was a problem with the regular expression for parsing parameters,
it was sometimes returning an empty string.
I have fixed this by skipping empty strings.
(From OE-Core rev: f249ef32709069a2680b92dc5a5b4f6545d014b7)
Signed-off-by: Fabrice Coulon <fabrice@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Without this, things like arm* can make it into OVERRIDES when we're
building a compiler to build binaries for another architecture like
x86. This can can lead to build failures dependning on the
exact configuration and overrides.
For example:
MACHINE=imx53qsb bitbake gcc-crosssdk-initial-x86_64 -e | grep EXTRA_OECONF
was showing an armv7 configuration option to gcc.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In cases where we override variables e.g PACKAGE_ARCH
conditionally and use a MACHINEOVERRIDE to qualify the
override like
PACKAGE_ARCH_<MACHINE> = "some target PACKAGE_ARCH"
This would also be effective if this recipe is
BBEXTENDED to native or nativesdk which is undesired
This particular issue will cause wrong sysroot to be
used for nativesdk case since PACKAGE_ARCH would have
been modified and eventually changing value of
STAGING_DIR_TARGET which we use as --sysroot option
to cross and cross-canadian built SDK gcc
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
"man grep" on centos:
-R, -r, --recursive
Read all files under each directory, recursively; this is equivalent to the -d recurse option.
"man grep" on a more recent ubuntu system:
-r, --recursive
Read all files under each directory, recursively, following symbolic links only if they are on the command line. This
is equivalent to the -d recurse option.
So we have an issue when the SDK installer (even with
buildtools-tarball) is used on old hosts since it may try and
dereference paths which it should not. This is caused by differences in
the behaviour of grep -r on older systems.
The fix is to wrap this in find so that only real files are found (as
elsewhere in the script.
[YOCTO #6577]
(From OE-Core rev: 7986adeac16550b33f65fded39a55f668e0e543f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Qt 4.8.5 was moved from http://download.qt-project.org/official_releases/qt/4.8/ to
http://download.qt-project.org/archive/qt/4.8/
Thi fix must be applied for dora and daisy branches.
Signed-off-by: Diego Sueiro <diego.sueiro@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* cairo-native was failing to build in gentoo with gcc-4.9 and LTO
enabled, more details in upstream bug
https://bugs.freedesktop.org/show_bug.cgi?id=77060
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In 3.16+ x86-64 kernel builds produce a vdso64.so.dbg file. If this file is
copied into the kernel source install multiple QA failures are triggered.
Specifically, this file triggers a debug package split that results in
files installed but not shipped, and invalid .debug file errors.
By ensuring that .so files are not copied, we avoid this incorrect split
with no impact on future build phases.
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* it's not included in DEPENDS and it's detected from sysroot
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If building with SDKMACHINE=i686 and using the deb backend, populate_sdk
would fail. Its clear when looking at the options that the 32 bit values
were overwritten.
Replace this code with code similar to that used in package_deb itself.
[YOCTO #6458]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Make probing of "platform" bus conditional based on PROBE_PLATFORM_BUS
variable from /etc/default/udev-cache on subsequent boots when udev
cache is used. PROBE_PLATFORM_BUS has to be set to "yes" in order to
force probing on every boot, otherwise it uses the old default behaviour
of probing it just the first time.
This is helpful on modern SoCs where most of the low level peripheral
drivers are registered on the platform bus and need to be probed to load
the necessary modules and enable the connected buses and subsystems.
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
It is fixed by
commit 4199e3b8669d0a36448687850374fdc2ad7240b6
Author: Alan Modra <amodra@gmail.com>
Date: Wed Jan 15 21:50:55 2014 +1030
non-PIC references to __ehdr_start in pie and shared
Rather than hacking every backend to not discard dynamic relocations
against an undefined hidden __ehdr_start, make it appear to be defined
early. We want __ehdr_start hidden before size_dynamic_sections so
that it isn't put in .dynsym, but we do need the dynamic relocations
for a PIE or shared library with a non-PIC reference. Defining it
early is wrong if we don't actually define the symbol later to its
proper value. (In some cases we want to leave the symbol undefined,
for example, when the ELF header isn't loaded, and we don't have this
infomation available in before_allocation.)
So replace the existing patches with this one.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Force probing of "platform" bus by default.
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes [YOCTO 6550]
Images installing both trace-cmd and kernelshark would fail with:
error: file /usr/bin/trace-cmd conflicts between attempted installs of
kernelshark-1.2+git0+7055ffd37b-r3.core2_32 and
trace-cmd-1.2+git0+7055ffd37b-r3.core2_32
This patch removes ${bindir}/trace-cmd from the install prior to
packaging, as is already done with the ${datadir}.
Reported-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
(cherry picked from commit eb08ae8f729ef77329892d19b23ddfdaa7953de0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add Freescale lpuart tty's (ttyLPx) to securetty. Freescale Vybrid
devices running upstream kernel use this driver.
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The bootimg-efi plugin specifies the fstype internally, so remove it
from the partition definition.
Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The original move of the mkefidisk code to the bootimg-efi plugin
resulted in a bad hdddir - fix it.
Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* TUI/GUI support was added in 2.6.35 based on libnewt
* since 3.10 slang replaced libnewt completly
* changing TUI_DEFINES is not necessary, because NO_NEWT is
still respected with newer kernels
* add comment about the gui history to the recipe
The patch was sponsored by sysmocom
Signed-off-by: Henning Heinold <henning@itconsulting-heinold.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
* some fundamental perf commands can work
without the dependency on perl, python or bash
make them separate packages and RSUGGEST them
* bump PR
The patch was sponsored by sysmocom
Signed-off-by: Henning Heinold <henning@itconsulting-heinold.de>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The patch was sponsored by sysmocom
Signed-off-by: Henning Heinold <henning@itconsulting-heinold.de>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Enable SDL by default for nativesdk as we do with natve, this will
allow qemu with ADT to use graphics no vnc by default.
[YOCTO #6446]
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We apply this patch to the python recipe already. Without this patch
the zeroc-ice-native recipe will not build.
See: http://bugs.python.org/issue17547 for more details.
Signed-off-by: Philip Balister <philip@balister.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Previously, if we have 'package-management' and 'read-only-rootfs'
both in IMAGE_FEATRUES, we would meet the following error at system
start-up.
rm: can't remove '/etc/rcS.d/S99run-postinsts': Read-only file system
However, what's really expected is that when there's no postinstall
script at system start-up, the /etc/rcS.d/S99run-postinsts should not
even be there.
Whether or not to remove the init script symlinks to run-postinsts should
not depend on whether we have 'package-management' in IMAGE_FEATURES; rather,
it should only depend on whether we have any postinstall script left to run
at system start-up.
This patch changes the _uninstall_unneeded function based on the logic
stated above.
[YOCTO #6257]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Some classes of recipe disable ptest even though its in DISTRO_FEATURES
(e.g. nativesdk). We shouldn't attempt to build ptest packages when
its disabled. This replaces some DISTRO_FEATURE checks with PTEST_ENABLED
checks instead.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
The do_configure_prepend was duplicated in gcc-4.X.inc and
gcc-configure-common.inc leading to confusion when reading the resulting
do_configure task where the file was processed twice.
The only difference was the removal of the include line for gcc 4.8/4.9.
On mingw were were seeing two issues, firstly that the if statements meant
the values we wanted weren't being set, the second that the include
paths were still wrong as there was no header path set.
To fix the first issue, the #ifdef conditionals were removed, we want
to set these things unconditionally. The second issue is addressed by
setting the NATIVE_SYSTEM_HEADER_DIR variable here (it was already
set in t-oe).
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If image contains dbus and ptest is in DISTRO_FEATURES, dbus-ptest package
is installed, regardless of whether ptest-pkgs is in IMAGE_FEATURES. This
issue will increase size for most small images.
This patch fixes this problem.
[YOCTO #5702]
(From OE-Core rev: 0416583f014138656babdf78a574357ae5ff25bd)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When building on XFS filesystems, the resulting rpms can be corrupted
with the same inode number being used for multiple hardlinked files.
There are two fixes, one to stop rpm crashing when accessing a broken
binary rpm, the other to stop generating them in the first places. Full
descriptions in the patch headers.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fontconfig doesn't need to be passed large file flags through CPPFLAGS because
it's configure script uses AC_SYS_LARGEFILE.
This reverts commit 5a49a24d35794fcf9e3895469a67db992a52305e.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
http://www.openssl.org/news/secadv_20140605.txt
Anonymous ECDH denial of service (CVE-2014-3470)
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
http://www.openssl.org/news/secadv_20140605.txt
SSL/TLS MITM vulnerability (CVE-2014-0224)
An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
http://www.openssl.org/news/secadv_20140605.txt
DTLS recursion flaw (CVE-2014-0221)
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.
Only applications using OpenSSL as a DTLS client are affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora,
which is the same as the patch which was actually applied upstream for
the issue, i.e.:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
DTLS invalid fragment vulnerability (CVE-2014-0195)
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Only applications using OpenSSL as a DTLS client or server affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
make openssl-CVE-2010-5298.patch truely work
(From OE-Core rev: eab33442480cc27a5cd00b3f46984fea74b7c0f9)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-connectivity/openssl/openssl_1.0.1g.bb
|
|
These dependcies are needed to ensure that thier packages are created
correctly since these classes have runtime dependiences in their packages
but they are not actually created yet at rootfs time.
[YOCTO #6072]
(From OE-Core rev: bba835fed88c3bd5bb5bd58962034aef57c408d8)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The alloca() function allocates space in the stack frame of the caller,
so using alloca(new_size - old_size) would possibly crash the stack,
causing a segment fault error.
This patch fixes the above problem by avoiding using this function in
journal-file.c.
[YOCTO #6201]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
If the first command returns an error, it will not cause the image generation
step to fail. Simply split up the statement into multiple lines to avoid
this issue, they no longer need to be one line expressions.
[YOCTO #6391]
(From OE-Core rev: f8125a1e9b6893a12355d55d4df584a8d97f0bff)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
It seems that 585324fee380109acd9986388f857f413a60b896 is no
longer there in git and it has been rewritten to
ffc3ad4945da69f3caa2b40e4eed715a9a8d9526
Change-Id: I9ffe8bd9bcef0d2dc5e6f6d3a6e4317bada8f4be
(From OE-Core rev: b193c7f251542aa76cb5a4d6dcb71d15b27005eb)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch fixes a build warning which is promoted to an error via -Werror.
changes from v1:
* put "Upstream-Status" in patch itself, not in OE patch header
* fix commit wording
(From OE-Core rev: 4b41f4199d77144a629897173cff3d1efcfa85f9)
Signed-off-by: Trevor Woerner <trevor.woerner@linaro.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
If libsdl-native is in ASSUME_PROVIDED, check for it in the sanity tests.
This warns the user if they've said its being provided but it isn't and
prevents silent build issues.
(From OE-Core rev: d9d7b0515fcf47c4cf7533a12915ea92298ce834)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
configure.ac references the m4 directory so things like gtkdocize
will try and place m4 files there. We need to ensure the directory
exists or the builds can fail.
(From OE-Core rev: 0ced649c055dd25c500d0fd34e4ea94504d98580)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This fixes a compatibility issue between v86d
and SeaBIOS VGA BIOS where the leal instruction
is not decoded properly. Read the
http://thread.gmane.org/gmane.comp.emulators.qemu/271806
thread for more details.
Patch taken from upstream.
(From OE-Core rev: 3e890dd00ed27cc30800caefa85827cb16da5a3a)
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
