Directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers
to write to arbitrary files to the root directory via a / (slash) in a
crafted archive, as demonstrated using the ar program.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9447
(From OE-Core rev: 4a65944b89a76f18c8ff6e148f17508882d387cf)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An alternative approach with NO_GENERIC_LICENSE has been added
in license.bbclass to allow copying non-generic license,
add it for all firmware licenses.
(From OE-Core rev: f2e92c741bde70753163afe3839ff8d35ae5380e)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some package like linux-firmware has many licenses that aren't in any
way common, and new ones will be added from time to time, in order to
avoid adding bunch of such common license files that are only applicable
to a specific package, NO_GENERIC_LICENSE is added to allow copying license
not in common licenses, it should be used in the recipe as:
NO_GENERIC_LICENSE[<license_name>] = "<license file in fetched source>"
e.g.
NO_GENERIC_LICENSE[Firmware-Abilis] = "LICENCE.Abilis.txt"
(From OE-Core rev: 56930227128d55dab22f79138152b29cf040ceff)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixed:
Compiling lex_config.c.
src/lex_config.l:34:25: fatal error: yacc_config.h: No such file or directory
There was a patch for fixing the paralle issue before, so modify the
patch again.
(From OE-Core rev: 055a5bbfc7686c8eec3aad2bcbcf90c40031cc34)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixed:
rm -f src/yacc src/yacc.tmp
echo '#! /bin/sh' >src/yacc.tmp
/bin/bash: src/yacc.tmp: No such file or directory
Makefile:6670: recipe for target 'src/yacc' failed
(From OE-Core rev: 2d51e2ff2f77fc6b14e50bd3a32998953d809a48)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Updated 0001-Avoid-use-of-glibc-sys-cdefs.h-header.patch
* Removed 0002-uclibc-rpcsvc-defines.patch since it is already in the
source.
(From OE-Core rev: 713ac3bfbc95e58ce3332409bae838053fdeced8)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The COPYING's md5sum is changed by this commit:
commit 945f9c69af665044448b0eb6816656acc84fca77
Author: Ken Dreyer <kdreyer@redhat.com>
Date: Mon Jan 26 14:02:46 2015 -0700
update GPLv2 text in COPYING
The FSF has issued a couple of tiny updates to the GPLv2. The main
change is a new mailing address for the FSF headquarters.
This license text was taken verbatim from
https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
The main content are the same.
(From OE-Core rev: b91909e15f817294e609cffcb71c123d44cf7b4b)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
upgrade to fix two CVE defects: CVE-2014-8625 and CVE-2015-0840
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8625
Multiple format string vulnerabilities in the parse_error_msg
function in parsehelp.c in dpkg before 1.17.22 allow remote attackers
to cause a denial of service (crash) and possibly execute arbitrary
code via format string specifiers in the (1) package or (2)
architecture name.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0840
The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before
1.17.25 allows remote attackers to bypass signature verification
via a crafted Debian source control file (.dsc).
(From OE-Core rev: 079445990f51f98c8d4f9397dec0ed91ca2490c3)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current grub2 fails on loading large initrd file (> 500M) since
the initrd size is added to the addr_min and causes the failure.
Fix it by picking a patch from grub2 upstream.
(From OE-Core rev: 156d8fecf31a7a9dc257e55e25645c561d5ba0b8)
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch fixes a warning seen with gcc 4.8 (especially on ubuntu 13.10)
(From OE-Core rev: c577a52b252ccbad9a8dde79c6a4a4f23376d9d8)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It is a backport patch, and verified that the patch is in the source.
(From OE-Core rev: a46976b9de5a2270f041a73661a6ed635bf4eb43)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removed:
- openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
- upgate-vegsion-script-for-1.0.2.patch
Since they are already in the source.
- make-targets.patch
It removed test dir from DIRS, which is not needed any more since we
need build it.
(From OE-Core rev: 5fa533c69f92f2dd46c795509b0830b36413b814)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It is a backport patch, and verified that the patch is in the source.
(From OE-Core rev: 370dc496c2d6f8fa97a18af49747d15a41fc7bcf)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It is a backport patch, and verified that the patch is in the source.
(From OE-Core rev: 9a3178b4d3c454e76a0af59afc7b326589c4c666)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It is a backport patch, and verified that the patch is in the source.
(From OE-Core rev: a7e723bd78e280ae48e6de725b2881b35ae21f5c)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removed:
- unbreak-assumptions.diff
This patch changs the dir to /non-existant-dir, the source code has
changed the dir to /deadir, so it is not needed any more.
- trycompile.diff
There is no try_compile or try_run in numpy/core/setup.py any more, so
assumed that it is not needed.
(From OE-Core rev: 56aac948ca9686d79a2c56f4f034f8de445ff37b)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove patches that are no longer needed
* git build depends on python module mako. Inherit pythonnative
for this
* source directory changed: default S is now correct in mesa recipe,
but still needs to be set in mesa-gl
(From OE-Core rev: b3035cac6f505fda2bea31da63ab381b104cfd2e)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are several entries here which are not needed with the
modern license handling code:
gcc-source - moved to direct handling in base.bbclass
(due to version appended to the name)
libgcc - Listed as GPLv3 exception for its packages
libgcc-initial - Listed as GPLv3 exception
gcc-runtime - Indivisual packages listed as GPLv3 exception where appropriate
(From OE-Core rev: 48c4922ab921a1bb2103cc331d0839febd36beb8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In an effort to clean up some of the license handling, correctly set the
LICENSE of libgcc-initial to be the same as libgcc which has a GPLv3
exception.
(From OE-Core rev: a3022665600bb3c08f8d4212ffa3516578e86d7c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This means you can have one gcc version for some gcc recipes
(e.g. crosssdk/nativesdk) and another gcc version for target code.
Also remove the preferred version entry from the default toolchains
list since the version issue is now handled automatically.
We also need to specifically handle gcc-source in the license handling
code since expanding ${PV} in the base class isn't possible. Since
gcc-source doesn't generate any packages directly this shouldn't be
an issue and whitelisting in this way is easiest (and matches the
rest of the toolchain handling).
(From OE-Core rev: 67db7182faf6742b0d971d61d8c5ba34f69d2e12)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream has already fixed the GCC 5 problem, so use the patch from upstream.
(From OE-Core rev: 15b39bfbb1a0263ac194a9833175b72ab7345ebd)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Introduced build mtime cache structure. Reset it before the build
to prevent bitbake from crashing when build/tmp/stamps hierarchy
is removed.
[YOCTO: #7562]
(Bitbake rev: f8590547a198a78334debdf14bf40acb50c22ecc)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Used sys.exit instead of assigning exit code to
variable. This way it's more clear when bitbake
exists and which exit code is used.
(Bitbake rev: 5ecb8817bd49223652ede4fe513f1a42f2196798)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bitbake program and core versions must match.
Moved __version__ from main.py back to bin/bitbake.
Implemented check for version match in bin/bitbake.
(Bitbake rev: 2fe7d8c574ddf6a30278cff1a5a5c4089dc56d6d)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
tbs
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some error messages were lost because BBMainException was
inherited from bb.BBHandledException. When bb.BBHandledException
is processed error messages are not printed as they suppose to
be printed before raising this exception.
Stopped to inherit BBMainException from bb.BBHandledException.
Handled BBMainException in bin/bitbake and printed error message
to the stderr.
(Bitbake rev: c8e2a40c4e9865ebef9936d23644f2602a5c90f5)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reverted 7c0fd561bad0250a00cef63e3d787573112a59cf
Created separate group of hardlinks for the files inside
the same package. This should prevent stripped files to be
populated outside of package directories.
This turns out not to be straightforward and has overlap with the
other hardlink handling code in this area. The code is condensed
into a more concise and documented form.
[Original patch from Ed with tweaks from RP]
[YOCTO #7586]
(From OE-Core rev: 82d00f7254b7d3bb6a167d675d798134884d1b19)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently if the strip process fails, we get a message but don't know why. This adds
code to show the return value and any error output.
(From OE-Core rev: 85e8fb1c7a3baac5633ecdfb36113aec7f4235cb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Enhance testing of the generated SDK tarballs by adding tests for
gcc/perl/python based on the existing runtime tests.
(From OE-Core rev: 18160403427b2aab4207c939312fb0981c3f2d1b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In a similar way to http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=aa1438b56f30515f9c31b306decef7f562dda81f
there are more find races in the autotools class.
For recipes with PACKAGES_remove = "${PN}", the find which removes
.la files can race against deletion of other directories in WORKDIR
e.g.:
find: '/home/autobuilder/yocto-autobuilder/yocto-worker/nightly-oe-selftest/build/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0-r7/sstate-build-populate_lic': No such file or directory
| WARNING: /home/autobuilder/yocto-autobuilder/yocto-worker/nightly-oe-selftest/build/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0-r7/temp/run.do_configure.6558:1 exit 1 from
| find /home/autobuilder/yocto-autobuilder/yocto-worker/nightly-oe-selftest/build/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0-r7 -name \*.la -delete
Fix the remaining races in the same way.
[YOCTO #7522]
(From OE-Core rev: 79770ca14a0cc2f4112fb4d8dc2d8832701b6d5d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently TEST_SUITES is used for both target image and sdk versions which
can be confusing. This introduces TEST_SUITES_SDK for the sdk version of
the code so that the different test sets can be specified independently.
(From OE-Core rev: ffd84177c68a6c86e654a9ba2512c299b40ec5e9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
pkg-config is less error prone than -config files so switch to
using it (we already do for most of the rest of the gpg stack).
(From OE-Core rev: 046c7fd45fcf0c9226f76d51425978264930653b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This isn't a test of wget so if the files we need are present in DL_DIR,
use them from there and save a bit of speed/bandwidth and skip the wget.
(From OE-Core rev: dc1d83d021afd77ca8fb948dc47bbd11e3844865)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
FILESPATH was only being overridden in one fetch location, it should be
equally handled in both.
Also use SSTATE_DIR as FILESPATH so that mirror urls which do remapping
can search the local SSTATE_DIR for other paths.
Also ensure that MIRRORS is removed in both locations, previously
it was only unset in one but both codepaths should be consistent.
(From OE-Core rev: ab6bebddbdefec323e284b6438d9c57b3d8a2cc3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix SDK_MANIFEST -> SDK_TARGET_MANIFEST and add support for host
version too which is useful in SDK QA tests.
(From OE-Core rev: df91dd8d064dc3e59c7f057d3f869500a233a76f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #7630]
I applied some feedback from Laszlo Papp suggesting that the user
can also use '-fpic' as well as '-fPIC' for a command-line option.
(From yocto-docs rev: ec79c9a39955b22cb2b8cec44ffcaab22aba479b)
Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #7386]
Apparently the "‐" ENTITY used throughout the YP manual set to
get literal "-" characters in example commands renders into a unicode
that is not a dash. This results in users getting errors if they
attempt to cut-and-paste a sample command that uses a "-" character
from the manual into a shell. I have universally replaced all the
"‐" strings in the YP manual set to "-" strings.
(From yocto-docs rev: ef6dbf591eee70866f163e3c98454b6145f4fa3a)
Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bdfReadCharacters: ensure metrics fit into xCharInfo struct
We use 32-bit ints to read from the bdf file, but then try to stick
into a 16-bit int in the xCharInfo struct, so make sure they won't
overflow that range.
(From OE-Core rev: 4dd4b96b6d60246338bb30ede9f3ab1b2e757be9)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bdfReadCharacters: bailout if a char's bitmap cannot be read
Previously would charge on ahead with a NULL pointer in ci->bits, and
then crash later in FontCharInkMetrics() trying to access the bits.
(From OE-Core rev: 2c7a15a074501beb6b8a4c7bdf30604b1a432a6b)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bdfReadProperties: property count needs range check
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
(From OE-Core rev: 0ff9f2bf0e44a7b47a98234a12714c780825e286)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It is possible that recipe specific tasks, or build processes drop
files into the kernel source directory. These files can cause problems
with the meta data detection in the kern-tools.
With this change, we have a single unified meta data detection routine,
that logs the result in a new file ".metadir", which subsequent scripts
can find, and use, thereby avoid repeating the same check many times.
We also enhance the check to look for a sentinel file in a proper meta
directory, to avoid false positives when an unexpected kernel process
leaves an uncommitted directory in the kernel dir.
[YOCTO: #7441]
(From OE-Core rev: 6b04ae2c0439b83c0445fd1b8cb9cba5cee6b9bc)
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libarchive: Updated libarchive packages fix security vulnerability
Alexander Cherepanov discovered that bsdcpio, an implementation of the "cpio"
program part of the libarchive project, is susceptible to a directory
traversal vulnerability via absolute paths.
(From OE-Core rev: e64a961e9c5e94e643896e4b68b85bd5b4c27470)
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An out of bounds read access in the UTF-8 decoding can be triggered with
a malformed file in the tool less. The access happens in the function
is_utf8_well_formed due to a truncated multibyte character in the sample
file.
The bug does not crash less, it can only be made visible by running less
with valgrind or compiling it with Address Sanitizer.
Version 475 of less contains a fix for this issue. The file version.c
contains some entry mentioning this issue (without any credit):
- v475 3/2/15 Fix possible buffer overrun with invalid UTF-8
The fix is in the file line.c. We derive this patch from:
https://blog.fuzzing-project.org/3-less-out-of-bounds-read-access-TFPA-0022014.html
Thank Claire Robinson for validating it on Mageia 4 i586. Refer to:
https://bugs.mageia.org/show_bug.cgi?id=15567
(From OE-Core rev: 68994284f3c059b737bfc5afc2600ebd09bdf47f)
Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
