mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-24 12:32:11 +02:00
Code Issues Packages Projects Releases Wiki Activity
52,788 Commits 38 Branches 623 Tags
4e6a44598fe877ac4942fbdc8f0c576b234de6cc
Commit Graph

36749 Commits

Author SHA1 Message Date
Andrii Bordunov via Openembedded-core
4e6a44598f libcomps: fix CVE-2019-3817 
(From OE-Core rev: 2cebc7faa10c7ac6f60437658702f7adce3b3a89)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
9da2eb4bef glib-2.0: fix CVE-2019-13012 
(From OE-Core rev: 51f7ecf2259e1fb669cd84c5317cbd8810d731b7)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
fe27c50545 dbus: fix CVE-2019-12749 
(From OE-Core rev: 144363decc922ed03a584eb9b29cf9808a469d08)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
1b62838428 curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 
(From OE-Core rev: 75a4b4d8fb14414bbe2e38be8ccda0af94ef9b40)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:27 +01:00
Anuj Mittal
20ee17a579 python3: fix CVE-2019-9740 
CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See:

https://bugs.python.org/issue30458

(From OE-Core rev: ad90312adabbad951f62e3bd4ad95fcc763ad0c4)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:27 +01:00
Anuj Mittal
d581f111db patch: fix CVE-2019-13636 
(From OE-Core rev: bd367f58d9d6b5f0ce213e1be36763c5a9e425b6)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:27 +01:00
Alexander Kanavin
fa4683a484 buildhistory: call a dependency parser only on actual dependency lists 
Previously it was also called on filelists and possibly other items which
broke the parser.

(From OE-Core rev: f965ecbf558b6db1959e4ba8e599d65a5c8022b2)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-10-08 22:52:27 +01:00
Richard Purdie
cb26830f76 build-appliance-image: Update to thud head revision 
(From OE-Core rev: d3d3f443039b03f1200a14bfe99f985592632018)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-08-01 11:58:15 +01:00
Anuj Mittal
d49de3810a expat: fix CVE-2018-20843 
(From OE-Core rev: aad245ea1c55f8e778ae3420c5c31e94301e7cba)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Ross Burton
9e0a120c8e libcroco: fix CVE-2017-7961 
(From OE-Core rev: 480f15850820746cecdfe0b8450b2be484c1f8f9)

(From OE-Core rev: f5cf064b3c138c8a6591d34f40253e10a6f01a14)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Ovidiu Panait
e6058824bb ghostscript: Fix 3 CVEs 
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.

It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constrains imposed by -dSAFER.

It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constrains imposed by -dSAFER.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e

(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)

(From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677)

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fix for CVE-2019-6116 is already in thud, so that has been removed]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Anuj Mittal
885459d264 bzip2: fix CVE-2019-12900 
Also include a patch to fix regression caused by it. See:

https://gitlab.com/federicomenaquintero/bzip2/issues/24

(From OE-Core rev: 7c0b2d228f51aebb4415e63a07bdd645e85b09d8)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Ross Burton
d0e65410f4 libarchive: integrate security fixes 
Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880

(From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c)

(From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Anuj Mittal
acd46a34c4 gstreamer1.0-plugins-base: fix CVE-2019-9928 
(From OE-Core rev: 276567b6a8e4b21dc978b352b5c715d6381867b1)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Anuj Mittal
ecc1ac5b04 libsdl: CVE fixes 
Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576,
CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637,
CVE-2019-7638.

(From OE-Core rev: 2cfcb3b0fce7e1156eb52260df4330c95d87dc17)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Alejandro del Castillo
e8cd30ba6c OpkgPM: use --add-ignore-recommends to process BAD_RECOMMENDATIONS 
Currently, BAD_RECOMMENDATIONS on the opkg backed relies on editing the
opkg status file (it sets BAD_RECOMMENDATIONS pkg want state to
deinstalled and pinned). This is brittle, and not consistent across the
different solver backends. Use new --add-ignore-recommends flag instead.

(From OE-Core rev: 0d11e813ba9b4e8de9e6e5099ff85f5d914243bc)

(From OE-Core rev: bfb0acb6bc6bc11e4aa2c9527916359e1a763e85)

(From OE-Core rev: 13ba66338d16cc07cb0129de932f090d0edb7760)

Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Alejandro del Castillo
eecc4121ad opkg: add --ignore-recommends flag 
To be used for BAD_RECOMMENDATIONS feature.

(From OE-Core rev: 788d97b4f8e4452cef1ba6bb3e565e1b52dbb7de)

(From OE-Core rev: 85007cdb260bc77ac4ae5f914b0e3a4408606dfd)

(From OE-Core rev: c60f9c47380bb53bd2b54373b72f86006edf326e)

Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Backport from opkg_0.4.0.bb]
Signed-off-by: Quentin Schulz <quentin.schulz@streamunlimited.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-29 23:50:43 +01:00
Robert Yang
4d63da3fad uboot-sign.bbclass: Remove tab indentations in python code 
Use 4 spaces to replace a tab.

(From OE-Core rev: 2bf6098ac1cbbf7ed28522b7f7dce84c8341ce00)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
a51a3b1c82 glib: Security fix for CVE-2019-9633 
Source: gnome.org
MR: 98802
Type: Security Fix
Disposition: Backport from d553d92d6e
ChangeID: b73c332f27f47ddc1b1cfd7424f24778acc0c318
Description:

includes supporting patch.
Fixes CVE-2019-9633

(From OE-Core rev: 3ebf0fc043b6c9b6c2381dab893b54ebcb8ac13d)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
e2f3997a84 qemu: Security fixes CVE-2018-20815 CVE-2019-9824 
Source: qemu.org
MR: 98623
Type: Security Fix
Disposition: Backport from qemu.org
ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37
Description:

Fixes both CVE-2018-20815 and CVE-2019-9824

(From OE-Core rev: 5c45cd09fb29d4a1ebda6153a25f16e312049c44)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Ross Burton
45e662b445 glibc: backport CVE fixes 
Backport the fixes for several CVEs from the 2.28 stable branch:
- CVE-2016-10739
- CVE-2018-19591

(From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348)

Signed-off-by: Ross Burton <ross.burton@intel.com>
[Dropped CVE-2019-9169 as its in my contrib already]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Ross Burton
f749c69115 lighttpd: fix CVE-2019-11072 
(From OE-Core rev: 0dbd16a40a28bb75962f38c6ce450c909c22ee79)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Richard Purdie
573a935860 uninative: Update to 2.6 release 
The 2.6 release contains both libcrypt.so.1 and libcrypt.so.2 which fixes
compatibility with recent fedora/suse releases.

The difference is one is built with obsolete APIs enabled and one disabled.
We now ship both in uninative for compatibility regardless of which distro
a binary is built on.

(From OE-Core rev: 352ab80333096df92ef0f4cd331baea98e71aa21)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Richard Purdie
59400377bb uninative: Switch from bz2 to xz 
(From OE-Core rev: 29fc9210b973be68de474e75068e4c72371afe5a)

(From OE-Core rev: 16785ebdc50f38ef4bc30d477a6833bdd4b541d1)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Richard Purdie
594d5c20e2 yocto-uninative: Update to 2.5 release 
This includes libstdc++ changes from gcc 9.X.

It also switches uninative from bz2 to xz compression.

(From OE-Core rev: 0497623882da714cbe098a4281982b7f9ce6030f)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
8e6d657a9c qemu: Security fix for CVE-2019-12155 
Source: qemu.org
MR: 98382
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
ChangeID: e4e5983ec1fa489eb8a0db08d1afa0606e59dde3
Description:

Fixes CVE-2019-12155
Affects: <= 4.0.0
(From OE-Core rev: 6045c57895cad301c5e3a94de740427343a08065)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
a43499cf8e Curl: Securiyt fix CVE-2019-5435 CVE-2019-5436 
Source: CUrl.org
MR: 98455
Type: Security Fix
Disposition: Backport from https://curl.haxx.se/
ChangeID: 86b094a440ea473b114764e8d64df8142d561609
Description:

Fixes CVE-2019-5435 CVE-2019-5436

(From OE-Core rev: 9d5a7dd654a17b67f5cd8a73145e5f5299bfebcc)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
21188466bc wget: Security fix for CVE-2019-5953 
Source: http://git.savannah.gnu.org/cgit/wget.git
MR: 89341
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
ChangeID: 1c19a2fd7ead88cc4ee92d425179d60d4635864b
Description:

Fixes CVE-2019-5953
Affects: < 1.20.1
(From OE-Core rev: c897b862c6cfaa341cc6155b2c9d98ea7ad02884)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
f2d2148adb glib-2.0: Security fix for CVE-2019-12450 
Source: glib-2.0
MR: 98443
Type: Security Fix
Disposition: Backport from d8f8f4d637
ChangeID: 880b9b349cb8d82c7c1314a3657ec9094baba741
Description:

(From OE-Core rev: 71bfb9dfdc806e0e95f1302d0d6c3c751f03bb4b)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
abefff23cd Tar: Security fix CVE-2019-0023 
Source: tar.git
MR: 97928
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
ChangeID: 7aee4c0daf8ce813242fe7b872583560a32bc4e3
Description:

Affects tar < 1.32

fixes CVE-2019-9923

(From OE-Core rev: fc77edc8245ab90eee1f1e857f470b6842dc256f)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
e53f7d53f4 qemu: Security fix for CVE-2018-19489 
Source: Qemu.org
MR: 97453
Type: Security Fix
Disposition: Backport from git.qemu.org/gemu.git

ChangeID: a06fcb432d447cec2ed1caf112822dd1b4831ace
Description:

In the spirt of YP Compatible, sending change upstream.

fixes CVE CVE-2018-19489

Affect < = 4.0.0

(From OE-Core rev: 249447828cd1ed13f9faf19793208b503acf0d30)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Joshua DeWeese
f381b778ae wpa_supplicant: Changed systemd template units 
I goofed up the scissor line on the last attempt. Not sure how much it matters,
but here it is correct this time.

Here it is, updated to work with wpa-supplicant_2.6.bb.

-- >8 --
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy=

When building root filesystems with any of the wpa_supplicant systemd
template service files enabled (current default is to have them disabled) the
systemd-native-fake script would not process the line:

Alias=multi-user.target.wants/wpa_supplicant@%i.service

appropriately due the the use of "%i."

According to the systemd documentation "WantedBy=foo.service in a service
bar.service is mostly equivalent to Alias=foo.service.wants/bar.service in
the same file." However, this is not really the intended purpose of install
Aliases.

All lines of the form:

Alias=multi-user.target.wants/*%i.service

Were replaced with the following lines:

WantedBy=multi-user.target

(From OE-Core rev: d05e98cdccbe36be8906c31249adeb0f0bc13ac5)

Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
47d06b4c85 go: update to minor update 1.11.10 
Source: golang.org
MR: 97548,
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/issues?q=milestone%3AGo1.11.5
ChangeID: 54377c454f038a41bf35dd447a784e3e66db6268
Description:

Bug fix updates only
https://golang.org/doc/devel/release.html#go1.11

Fixes:
Affects <= 1.11.6
CVE-2019-6486
CVE-2019-9741

(From OE-Core rev: 4e40da53851c550f1a38eff5737d4b69c8cd0afb)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Khem Raj
d89c54ee99 go: Upgrade 1.11.1 -> 1.11.4 minor release 
Source: OpenEmbedded.org
MR: 98328, 98329, 98330
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/go?h=warrior&id=b964551a0d08aa921d4e0ceea2f1e28a5e83510e

ChangeID: 0b4cc69c357ba14c4e7a6c7ff926cfc6f09489b2
Description:
include:
CVE-2018-16873
CVE-2018-16874
CVE-2018-16875

Changes: https://golang.org/doc/devel/release.html#go1.11

(From OE-Core rev: 69964488112899371b7fd88b6e86e533d968b457)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Bug fix only update]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Richard Purdie
94bacd598d go-crosssdk: PN should use SDK_SYS, not TARGET_ARCH 
The crosssdk dependencies are handled using the virtual/ namespace so
this name doesn't matter in the general sense. We want to be able to provide
recipe maintainer information through overrides though, so this standardises it
with the behaviour from gcc-crosssdk and ensures the maintainer overrides work.

(From OE-Core rev: 025cd45d4129266d34a919573c02a8504f092c1b)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Hongxu Jia
3975d95822 go-target.inc: fix go not found while multilib enabled 
Go binaries were installed to ${libdir}/go/bin, and create symlink
in ${bindir}, while enabling multilib, libdir was extended (such as
/usr/lib64), but BASELIB was not (still /lib), so use
baselib (such as /lib64)) to replace

(From OE-Core rev: fca74928bf2002daf526ad8c1446c8d9ba891a78)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Ross Burton
fc06d9b06d cairo: fix CVE-2018-19876 CVE-2019-6461 CVE-2019-6462 
Source: OpenEmbedded.org
MR: 97538, 97543
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-graphics/cairo?h=warrior&id=078e4d5c2114d942806cd0d5ad501805a011e841
ChangeID: fa8bdd44ad8613bb0679a1f6d9d670c3b47a0677
Description:

CVE-2018-19876 is a backport from upstream.

CVE-2019-6461 and CVE-2019-6462 are patches taken from Clear Linux.

(From OE-Core rev: 8b5e68afc9767d8b6b966503e9353cadafae9bfb)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Dropped CVE-2018-19876, not affected]
Issue was introduced in 1.15.8 by:
commit 721b7ea0a785afaa04b6da63f970c3c57666fdfe

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Chen Qi
f24f361404 cups: upgrade to 2.2.10 
Source: OpenEmbedded.org
MR: 97351
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/cups?h=warrior&id=fbe7a0c9bab7c9be7fd2c0da8b2af61e66de1ebd
ChangeID: fbe7a0c9bab7c9be7fd2c0da8b2af61e66de1ebd
Description:

(From OE-Core rev: 85541b9ae8cff770e2c20a9132c0867a25d190c2)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

CUPS 2.2.10 is a bug fix release that addresses issues in the scheduler, IPP Everywhere support, CUPS library, and USB printer support. Changes include:

    CVE-2018-4300: Linux session cookies used a predictable random number seed.
    The lpoptions command now works with IPP Everywhere printers that have not yet been added as local queues (Issue #5045)
    Added USB quirk rules (Issue #5395, Issue #5443)
    The generated PPD files for IPP Everywhere printers did not contain the cupsManualCopies keyword (Issue #5433)
    Kerberos credentials might be truncated (Issue #5435)
    The handling of MaxJobTime 0 did not match the documentation (Issue #5438)
    Incorporated the page accounting changes from CUPS 2.3 (Issue #5439)
    Fixed a bug adding a queue with the -E option (Issue #5440)
    Fixed a crash bug when mapping PPD duplex options to IPP attributes (rdar://46183976)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Chen Qi
a6ffadd75f cups: upgrade to 2.2.9 
Source: OpenEmbedded.org
MR: 97351
Type: Integration
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/cups?h=warrior&id=ee57d79aec06e9b160cf2713636cda650ba68d5a
ChangeID: ee57d79aec06e9b160cf2713636cda650ba68d5a
Description:

The following patch is rebased.

  0001-don-t-try-to-run-generated-binaries.patch

(From OE-Core rev: 3c76b6660fc21a987e960dedb2631dcd27b87d07)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

CUPS 2.2.9 is a bug fix release that addresses issues in the scheduler,
IPP Everywhere support, CUPS library, and USB printer support. Changes include:

    Localization changes (Issue #5348, Issue #5362, Issue #5408)
    Documentation updates (Issue #5369)
    The lpadmin command would create a non-working printer in some error cases
    (Issue #5305)
    The scheduler would crash if an empty AccessLog directive was specified
    (Issue #5309)
    Fixed a regression in the changes to ippValidateAttribute (Issue #5322,
    Issue #5330)
    Fixed a crash bug in the Epson dot matrix driver (Issue #5323)
    Automatic debug logging of job errors did not work with systemd (Issue #5337)
    The web interface did not list the IPP Everywhere "driver" (Issue #5338)
    The IPP Everywhere "driver" now properly supports face-up printers
    (Issue #5345)
    Fixed some typos in the label printer drivers (Issue #5350)
    Multi-file jobs could get stuck if the backend failed (Issue #5359,
    Issue #5413)
    The IPP Everywhere "driver" no longer does local filtering when printing to
    a shared CUPS printer (Issue #5361)
    The lpadmin command now correctly reports IPP errors when configuring an
    IPP Everywhere printer (Issue #5370)
    Fixed some memory leaks discovered by Coverity (Issue #5375)
    The PPD compiler incorrectly terminated JCL options (Issue #5379)
    The cupstestppd utility did not generate errors for missing/mismatched
    CloseUI/JCLCloseUI keywords (Issue #5381)
    The scheduler now reports the actual location of the log file (Issue #5398)
    Added a USB quirk rule (Issue #5420)
    The scheduler was being backgrounded on macOS, causing applications to spin
    (rdar://40436080)
    The scheduler did not validate that required initial request attributes were
    in the operation group (rdar://41098178)
    Authentication in the web interface did not work on macOS (rdar://41444473)
    Fixed an issue with HTTP Digest authentication (rdar://41709086)
    The scheduler could crash when job history was purged (rdar://42198057)
    Dropped non-working RSS subscriptions UI from web interface templates.
    Fixed a memory leak for some IPP (extension) syntaxes.

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
4faf6e9e07 file: Multiple Secruity fixes 
Source: https://github.com/file
MR: 97573, 97578, 97583, 97588
Type: Security Fix
Disposition: Backport from https://github.com/file/file
ChangeID: 159e532d518623f19ba777c8edc24d2dc7e3a4e9
Description:

CVE-2019-8905 is the same fix as CVE-2019-8907

Affects < 5.36.0

Fixes:
CVE-2019-8904
CVE-2019-8906
CVE-2019-8906
CVE-2019-8907

(From OE-Core rev: 3d7375eb2e459b891b4ba16c1fc486afbfecef2c)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
015bfc5971 sqlite3: Security fixes for CVE-2018-20505 & 20506 
Source: sqlite.org
MR: 97484, 97490
Type: Security Fix
Disposition: Backport from sqilte.org
ChangeID: c6105b5d3ce4fb2c0f38c3cab745b769d2df38f5
Description:

Affects < 3.26.0
fixes:
CVE-2018-20505
CVE-2018-20506

(From OE-Core rev: e2f9efdc93068bce00b07021aa447f0b8786f69d)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
14d23c29a2 busybox: Security fixes for CVE-2018-20679 CVE-2019-5747 
Source: busybox.git
MR: 97332
Type: Security Fix
Disposition: Backport from busybox.git
ChangeID: ec203c79e7322de1ed5721d08b6f59b1eca67c7d
Description:

Affects < 1.30.0

Fixes:
CVE-2018-20679
CVE-2019-5747

(From OE-Core rev: 7db146abad6d2bbb7d7a549e7091412e0e494db2)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Martin Jansa
016a0b830e python: add a fix for CVE-2019-9948 and CVE-2019-9636 
Source: OpenEmbedded.org
MR: 98320, 98319
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/python/python_2.7.16.bb?id=9d23b982fa4e0290761b3d15f6959779fed72ad6
ChangeID: e79b6fe3b7b4253bf0d76b029070ae869d5234bd
Description:

Fixes:
CVE-2019-9948
CVE-2019-9636

CVE-2019-9940 is a dup of 9948 per python.org
CVE-2019-9947 appears to be a dup of 9940 per https://bugs.python.org/issue30458#msg295067

(From OE-Core rev: e7bdff05da6075efc21c5ac9492b06e481e5a239)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Minor clean up for thud]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
81439e7d18 python: Update to 2.7.16 
Source: Python.org
MR: 98220
Type: Security Fix & Integration
Disposition: Backport from python.org
ChangeID: 96fdd2dee9fe9317eb72584583ae0100c0be9eaa
Description:

Bug fix update per Python.org
https://www.python.org/downloads/release/python-2716/

drop backported patch

License-update: copyright years

Helps prepare Thud for 2.7 EOL support moving forward.

Update includes:
CVE-CVE-2019-5010
06b15424b0

(From OE-Core rev: 592e7de7f5208940fbcfcad3371f93f8ce2ca738)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
f2961d88af qemu: Several CVE fixes 
Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description:

These issues affect qemu < 3.1.0

Fixes:
CVE-2018-16867
CVE-2018-16872
CVE-2018-18849
CVE-2018-19364

(From OE-Core rev: e3dfe53a334cd952cc2194fd3baad6d082659b7e)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:18 +01:00
Armin Kuster
cd7f7bf385 elfutils: Security fixes CVE-2019-7146,7149,7150 
Source: http://sourceware.org/git/elfutils.git
MR: 97563, 97568, 97558
Type: Security Fix
Disposition: Backport from http://sourceware.org/git/elfutils.git
ChangeID: 6183c2a25d5e32eec1846a428dd165e1de659f24
Description:

Affects <= 0.175

Fixes:
CVE-2019-7146
CVE-2019-7149
CVE-2019-7150

(From OE-Core rev: ac5dca7dc68519b36aa976dfd25d8efa76af74ec)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:17 +01:00
Armin Kuster
2c225a199d glibc: Security fix CVE-2019-9169 
(From OE-Core rev: 3103f407ff0c579c7e5887fd925d52d5c92c83f9)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-07-27 18:05:17 +01:00
Richard Purdie
cdd4a52578 core-image-sato-sdk-ptest: Tweak size to stay within 4GB limit 
Adding the valgrind debug symbol information caused the genericx86-64 image to
overflow the 4GB boundary. Tweak the sizes to avoid autobuilder failures yet
leave enough space all the tests still run successfully.

(From OE-Core rev: f162d5bfe6eaeca24f441c83c87252c8d05744fc)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-05-22 00:31:49 +01:00
Richard Purdie
ef1b4d1310 core-image-sato-sdk-ptest: Try and keep image below 4GB limit 
(From OE-Core rev: 22f4d5218ad016442b8511e9ccae649faf79152c)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-05-22 00:31:49 +01:00
Hongxu Jia
87661cbe0c oeqa/targetcontrol.py: fix qemuparams not work in runqemu with launch_cmd 
As runqemu with launch_cmd means directly run the command, don't need set
rootfs or env vars.

Since commit [a847dd7202 runqemu: Let qemuparams override default settings]
applied in oe-core, if launch_cmd contains "qemuparams='***'", it does not
work, which is overridden by latter qemuparams="-serial tcp:127.0.0.1" in
QemuRunner.launch();

So we set qemuparams as a parameter in runqemu, the fix makes it work

(From OE-Core rev: 7d4450d373a297f246b8c3708fd7d2cafadd3ae9)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2019-05-22 00:31:49 +01:00