An elevation of privilege vulnerability in libnl could enable a local
malicious application to execute arbitrary code within the context of
the Wi-Fi service. This issue is rated as Moderate because it first
requires compromising a privileged process and is mitigated by
current platform configurations. Product: Android. Versions: 5.0.2,
5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32342065. NOTE: this
issue also exists in the upstream libnl before 3.3.0 library.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0553
Backport fix from upstream libnl 3.3.0 release:
3e18948f17http://lists.infradead.org/pipermail/libnl/2017-May/002313.html
(From OE-Core rev: f452fbc5d2ffb9c1417079574bed0dfcdc44787a)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If a fr_FR locale is found, it is automatically tested. The test
will fail if the locale is UTF-8, as the test blindly assumes
(and expects) a non-UTF fr_FR locale.
The remedy is to skip the test.
[YOCTO #12215]
(From OE-Core rev: 4cedddb83623c79980b354642dfeaf78218ca4b7)
(From OE-Core rev: ebb6c4f6a2bb6a6be4b3c4f8b7095bad529c62ea)
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Debian anonscm service in Alioth is shutdown and thus
fetching ca-certificates sources fails.
https://wiki.debian.org/Alioth
"Alioth is broken, and there is nobody around to fix it. Don't ask the remaining people who give it life support to implement fixes and changes. It is being replaced by a cocktail of ?GitLab (see Salsa), read-only repos and keep-alive mechanisms. See below for more information."
(From OE-Core rev: fc20ff2003cee7ee3b78ba3bc236a60a8caabc35)
(From OE-Core rev: 127d1d68346bece34ccd8f6203976e2399c31a92)
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since v7.51.0, libidn2 is the only available option, libidn
support was dropped.
The configure option was renamed as of v7.53.0
Therefore, curl unconditionally tries to build against libidn2,
which in particular is a problem for curl-native, as that might
or might not build against the build-machine's libidn2 now,
which furthermore causes problems when trying to share sstate
between multiple build machines.
We therefore see the following in the config log:
...
checking whether to build with libidn2... (assumed) yes
...
checking for libidn2 options with pkg-config... no
configure: IDN_LIBS: "-lidn2"
configure: IDN_LDFLAGS: ""
configure: IDN_CPPFLAGS: ""
configure: IDN_DIR: ""
checking if idn2_lookup_ul can be linked... yes
checking idn2.h usability... yes
checking idn2.h presence... yes
checking for idn2.h... yes
...
IDN support: enabled (libidn2)
...
even though this recipe tries to disable that.
While libidn2 isn't available in OE, this change at least:
* prevents curl-native to silently build against libidn2 if
that is installed on build machine, even if not requested
* alerts people who use the PACKAGECONFIG option that it's
not actually doing what they intend to do
(From OE-Core rev: 705eaea991622bdbb2ee83eefa8df8e665e3efe4)
(From OE-Core rev: 6ec8cb59b2f58784a9f74afa6018791694f8a030)
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1.Upgrade curl from 7.54.1 to 7.57.0.
2.Delete CVE-2017-1000099.patch, CVE-2017-1000100.patch, CVE-2017-1000101.patch, CVE-2017-1000254.patch, reproducible-mkhelp.patch, since it is integrated upstream.
3.Remove "do_install_append()" from curl_7.57.0.bb, since curl/curlbuild.h has been removed.
this update include CVE fixes for:
CVE-2018-1000007 CWE-522: Insufficiently Protected Credentials
CVE-2018-1000005 CWE-126: Buffer Over-read
CVE-2017-8818 CWE-125: Out-of-bounds Read
CVE-2017-8817 CWE-126: Buffer Over-read
CVE-2017-8816 CWE-131: Incorrect Calculation of Buffer Size
CVE-2017-1000257 CWE-126: Buffer Over-read
Most of the changes are bug fixes.
https://curl.haxx.se/changes.html
(From OE-Core rev: 215d5677004537fc190b5381157ac8b94db6d7e8)
(From OE-Core rev: 7f1029aff8abaadb25730fef50c495dcd6fc1e30)
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Safer to upgrade than to backport CVE-2017-8818. Lots of depends patches]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Nativesdk package has a special arrangement where the same thing is done
in do_install(). It was assumed (in the comment) that postinsts don't run when
installing nativesdk packages, but this was incorrect: they are run, but
any failures were previously silently ignored. Now this missing failure reporting has
been fixed, and so we get to see the failures.
(From OE-Core rev: 8ebb695c1429f8d57d655072a362a4f176258699)
(From OE-Core rev: 31f69f8fd8a08fadee0ea288214aa33c33ad6912)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The previous tarball URI seems to be gone.
Also, adjust a few things to make it actually build;
handling autotools-based projects from git checkouts is always harder
than taking them from tarballs :-(
(From OE-Core rev: b4542e867d54c56e6ef088fac28ae3d5e6c0d7bc)
(From OE-Core rev: af250003bdda95eb8b4eebff059a654e52d2497f)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This recipe installs the test suite by copying the entire build tree into
/usr/share/ptest, which is both wasteful and breaks packaging as lz4-ptest then
gets renamed by debian.bbclass to liblz4.
(From OE-Core rev: 68a3f33027b9ee5ed53a47dd839fc407dcbbaee9)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We don't have latex2man in HOSTTOOLs so documentaion is never built but this
dependency does cause problems on older releases like morty, pre-HOSTTOOLS.
Document the configuration explicitly in master.
(From OE-Core rev: d91a064ddd0771aebb8d61016231e4b41ef7ddde)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* RDEPENDS are now all the python3 versions
* Upstream SRC_URI has moved to github.com/intel/bmap-tools
* Missing RDEPENDS on python3-setuptools added
- Provides import for pkg_resources
Fixes [YOCTO #12148]
(From OE-Core rev: 6cc7da6477c6995e936f241b0f6f6ec147814538)
Signed-off-by: Tim Orling <timothy.t.orling@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3d63452d8d8d8dc61cd26b7759b5c0d235d70451)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nss ignores CFLAGS so we suggest them via CC.
(From OE-Core rev: 7484c62f88311dbc1e9ade524af31d04e6035bf4)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 95b65eefe7eb001752a37d1015bbf9be63bfd6bb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For recipes that depend on native ca-certificates.crt, /etc should be
added to the list of directories that automatically populate the
sysroot, otherwise the file may not be there.
(From OE-Core rev: 704e0392809b8a062433f6a4e5c5980c34b47dce)
Signed-off-by: Patrick Vacek <patrick@advancedtelematic.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Improve reproducible build of curl-dev and curl-dbg packages.
curl-dev: Correctly remove build host references from curl-config
curl-dbg: Do not generate time stamps in files generated by mkhelp.pl
(From OE-Core rev: 4b5bfbf0f474d2657c1ed54a2ff00502d5f419d9)
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Triggered by looking at why Python doesn't find db.h (because it greps db.h for
a regex, and db.h is actually a oe_multilib_header wrapper) I realised that the
only reason we have to oe_multilib_header db.h is because one typedef is
different between 32-bit and 64-bit architectures.
However, the typedef is for a 64-bit integer so instead of using long (64-bit)
or long long (32-bit), just use int64_t. Some of the overly complicated
configure tests need to be deleted after this change but that is safe as we're
building in a controlled environment and can assume int64_t exists.
With this done the header doesn't change between architectures, and it doesn't
need to be wrapped by oe_multilib_header.
(From OE-Core rev: 6c9ffa50d00a55122ed861e1818186035fd89715)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch changes the result of the nettle dlopen-test
from FAIL to PASS. The test used to fail because the test could not
find and load libnettle.so.
This patch fixes this by using absolute path instead of relative.
This was the only test out of 88 that used to fail.
(From OE-Core rev: 511db7c256dbb3f8ba95eabd025d427384d4a1cb)
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit f12d493418417c8529a97c7a768e4af58ea5c91b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This build time option is needed to use the '--dns-interface' runtime
parameter to instruct 'curl' to use a specific interface for DNS
resolution.
Not enabled by default, as it depends on 'c-ares' package from
meta-openembedded (meta-networking).
(From OE-Core rev: 8f3d34217b5b95f1f159c362c6f5dad3ba4fb290)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 4fe0aa3791db0ee6c85e7a068f69def6e7c0da46)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Feeding the output of /dev/urandom into /dev/random is pretty much insane
and not something we should encourage.
I can't really imagine a scenario where this would be a sensible idea since
/dev/urandom if effectively derived from /dev/random.
This changes the tool to default to /dev/hwrng which makes much more sense,
feeding hardware entropy into the random pool. In the QEMU case, this will
feed entropy from the host into the guests which is also what we want.
Yes, this change will cause rngd not to start if /dev/hwrng isn't present,
but it isn't needed if that isn't so I don't see this as a bad thing.
(https://wiki.archlinux.org/index.php/Rng-tools has a section in red which
agrees with the above, "this is a really bad idea, since you are simple
filling the kernel entropy pool with entropy coming from the kernel itself!")
(From OE-Core rev: d177516d846ec4bed483d7e9d80775bb341c869e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f1dc9ac46710814c27cae2d22e79c84a9522993a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch is backported from the upstream git repository to fix building
libgcrypt on armv6 platforms such as raspberrypi.
(From OE-Core rev: c47ed9aa7a34ef62b3ffaea6ebd5cc9e7c052899)
Signed-off-by: Paul Barker <pbarker@toganlabs.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This ensures argp-standalone-staticdev package could be installed
correctly(without depending on the empty argp-standalone package) if
it's being required during SDK population.
(From OE-Core rev: 6d13c09fb57e13aa4aae590cd49cff7279c8685d)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recipes nspr_4.16.bb and nss_3.31.1.bb ignored BUILD_CC and it's
BUILD_CFLAGS and tried to compile with hardcoded "gcc" instead. As
result build for this recipes will fail if host use different name for
compiler or require any flags.
(From OE-Core rev: 79e3339ab9edacb9e34d3725305d5880a974364a)
Signed-off-by: Nikolay Merinov <n.merinov@inango-systems.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With default --without-nghttp2 flag set there was no way to get
http2 protocol support using nghttp2 library. Instead moved it to
PACKAGECONFIG options
(From OE-Core rev: bcc8560300c8b1218b1f3709f5a7732e17fbfa46)
Signed-off-by: baali <shantanu@senic.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ptest-runner would segfault with -t option:
root@qemux86-64:~# ptest-runner -d /usr/lib test_pkg -t 5
[ 237.234112] ptest-runner[810]: segfault at 0 ip 000000382e638060 sp
00007fff9130f400 error 4 in libc-2.26.so[382e600000+1a7000]
It is safe to bump SRCREV to latest upstream commit to fix this issue
because there is only one commit since the last update:
commit 8a93832dad621535e90aa8e1fb74ae5ba743fc3e
Author: Anders Wallin <wallinux@gmail.com>
Date: Sun May 28 11:47:00 2017 +0200
timeout option missing the argument option ":" to getopt
ptest-runner -t xx gives segfault
Signed-off-by: Anders Wallin <wallinux@gmail.com>
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
(From OE-Core rev: 503ce98bb89dfa019faff872121c8911e6465b05)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Packages which depends on attr headers fail due
to uint32_t not being defined, this needed header
to include sys/types.h
(From OE-Core rev: af7c8f8a9bfc3396dc729f3fc54c38d19f2aa3fc)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GitHub automatically-generated tarballs from tags can and do change over time,
so change libproxy to use the uploaded tarball.
(From OE-Core rev: 1a159da61a8a3d06918f838b1dcec45eed2815a7)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Both libfm and libfm-extra provide /usr/include/libfm, so remove it from libfm
to avoid sysroot conflicts.
(From OE-Core rev: 1ca7d8d89e35f55082d1708639e2146794730a0c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
bmap-tools is the only recipe in oe-core that still uses
Python 2. Switching it to Python 3 should help to get rid of
building native Python 2 and its dependencies.
[YOCTO #11891]
(From OE-Core rev: 0d6130b30a1219b2bc2c57578f291311f69c676e)
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Also remove the redundant DEPENDS_class-native, as the native class generates
this value automatically.
(From OE-Core rev: 7d2d73bf5e9fba30ae79e535adff256b94248e62)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Multi-threaded applications using libcurl crash
on DNS timeouts when built using OE.
The reason is as follows:
By default, libcurl implements DNS timeouts using a
timer (alarm()) and a pair of setjmp()/longjmp().
This approach is unsafe in multi-threaded applications
for various reasons, as e.g. explained in the relevant
man-pages.
To avoid this, libcurl can be compiled with a built-in
threaded resolver, or against the c-ares asynchronous
resolver library.
To keep extra dependencies to a minimum, and to mimic
other distributions (debian at least), and because
c-ares is not available in OE-core, add a PACKAGECONFIG
to be able to enable use of of the built-in threaded
resolver and enable it by default.
(From OE-Core rev: 41f1e44fce976c4140cda62a41349e91e69d04ef)
Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
