mirrors/poky - poky - zepto initiative

mirror of https://git.yoctoproject.org/poky synced 2026-03-04 22:39:39 +01:00

Author	SHA1	Message	Date
Peter Kjellerstedt	4fc93977e9	sanity.bbclass: Move sanity_info from conf to cache Since this file is written during recipe parsing, having it in the ${BUILDDIR}/conf directory, which is covered by an inotify watcher, will trigger a re-parse the next time bitbake is run and the resident bitbake server is enabled. This causes the sanity_info file to be updated again, which triggers a new parse the next time bitbake is run ad infinitum. Moving it to ${BUILDDIR}/cache should avoid this. (From OE-Core rev: a63d59f64a2d1f450a7639426cae8e0373a2d764) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f98103b548aa7dba6b1be6c8e02ef41858a8e85c) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Peter Kjellerstedt	deb8463938	populate_sdk_ext.bbclass: No longer needed to clean away conf/sanity_info Since the sanity_info file has moved from the conf directory to the cache directory, there is no longer any need to clean it away explicitly in clean_esdk_builddir() since the whole cache directory is already cleaned away anyway. (From OE-Core rev: 9b92d5fbfdcf48a17efdd8c1edda4ad26def017f) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 40c30990e1be72130819c040fe471e2bdc0c6e7d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Anuj Mittal	5b7b426cff	openssl: fix CVE-2019-1551 (From OE-Core rev: 392e0299fae170995229d30036ebe8e8a494f7dc) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Adrian Bunk	7a8ac5c1c9	openssl: Whitelist CVE-2019-0190 This is only a problem with older Apache versions. (From OE-Core rev: 8e76d2508da411a1a67f3226465c83fec85dfe97) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Khem Raj	cd1d971e25	openssl: Enable os option for with-rand-seed as well with openSSL 1.1.1d we start seeing errors like Error Generating Key 139979727451584:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:../openssl-1.1.1d/crypto/rand/drbg_lib.c:342: when using openssl from openssl-native on build hosts, this is due to limiting the random seed to devrandom, to support older hosts, since the option allows to have a comma separated list of methods to try, we can try the default first and if that fails then fallback to devrandom, this will ensure that it keeps working with build systems which dont support getrandom() (From OE-Core rev: b9fb2913c72ec771e4da2931528f6f5425c14913) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Adrian Bunk	f664bebdbc	openssl: Upgrade 1.1.1c -> 1.1.1d (From OE-Core rev: d9f1bfe681f51f4cb2ad9515454162480993aadf) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Adrian Bunk	d8b1898f8c	openssl: Upgrade 1.1.1b -> 1.1.1c Backported patch removed. (From OE-Core rev: 3402c001bc585bacb6e00495a7c3c66c75d16e7c) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Adrian Bunk	dc5fd540e7	systemd: Upgrade to a more recent snapshot from the 241 branch Bugfix-only changes on the 241 stable branch, including a fix for a breakage with OpenSSL >= 1.1.1c. (From OE-Core rev: 9160dc4dbee6fb13f1a46963ced7961505154213) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Adrian Bunk	907bd3188b	systemd: Whitelist CVE-2018-21029 CVE-2019-3843 CVE-2019-3844 One does not strictly apply to 241, for the other two a fix was already backported to the 241 branch. (From OE-Core rev: d328696acfd4967d19e32680033d9594dd00b92c) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Adrian Bunk	300234fd6a	iputils: Whitelist CVE-2000-1213 CVE-2000-1214 (From OE-Core rev: 7c51ca8538f228d98a4b3411a15fde83516c0419) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Adrian Bunk	a8df2dea8d	lz4: Whitelist CVE-2014-4715 (From OE-Core rev: ca4fc78584ec5a7bbeac188f4ed935b3128eb6eb) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:02 +00:00
Anuj Mittal	33bee3d59f	sysstat: fix CVE-2019-19725 (From OE-Core rev: 7f8f018ea5ef6ecb80c5b5250df90a8b690e6f47) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Mattias Hansson	ee75698371	base.bbclass: add dependency on pseudo from do_prepare_recipe_sysroot do_prepare_recipe_sysroot may perform groupadd, which requires pseudo. However, do_prepare_recipe_sysroot does not depend on pseudo explicitly, which sometimes causes a build error when building a recipe that adds groups. This issue only occurs when executing do_prepare_recipe_sysroot for a recipe that adds groups before finishing a task that depends on pseudo for a recipe that doesn't add groups. (From OE-Core rev: 86f196dc077de7f3f6664e69703a96245b42ddc0) Signed-off-by: Mattias Hansson <mattihn@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Hongxu Jia	47de27d734	go: fix CVE-2019-17596 `2017d88dbc` (From OE-Core rev: a8adb7d23172acb587c259a28aa0c9e2df83f228) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Anuj Mittal	d8da51bd3b	nasm: fix CVE-2019-14248 See: https://bugzilla.nasm.us/show_bug.cgi?id=3392576 (From OE-Core rev: 49dca79c6e5f631d1f55422864ee57c86cafe1a4) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Anuj Mittal	dbd22b6cd7	nasm: fix CVE-2018-19755 (From OE-Core rev: 021c8ae8e115ff6bab167146d97a340d4945118d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	707e2b9d7d	glib-2.0: Backport the CVE-2019-12450 fix (From OE-Core rev: 9c4d7a92f4f6e4070102b12de44d9bfe6f944735) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	057dcb3ee3	lighttpd: Backport the CVE-2019-11072 fix (From OE-Core rev: abc2d1fad91f1378be3946e35d8f8f450823599e) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Anuj Mittal	ef2bec784b	glibc: fix CVE-2019-19126 Backport from 2.30 stable branch and drop NEWS section. (From OE-Core rev: de04ec5dcf72d76f2e8274af4bcddf27cb02e544) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Anuj Mittal	a2335757ba	libarchive: fix CVE-2019-19221 Also see: https://github.com/libarchive/libarchive/issues/1276 (From OE-Core rev: b4628dd1ef9d50e8778cadae09e6d31886bd47d2) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Vinay Kumar	c2644c6afc	gdb: Fix CVE-2019-1010180 Source: git://sourceware.org/git/binutils-gdb.git Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=23657 Backported upstream commit 950b74950f6020eda38647f22e9077ac7f68ca49 to gdb-8.3.1 sources. Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49] (From OE-Core rev: 536a2656b44fbb98a3cdc60eed32f378184cce7c) Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	60ce01fec8	bind: Whitelist CVE-2019-6470 (From OE-Core rev: a45f9d2047d7d1156fafc44554c4908a0c7d2647) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Trevor Gamblin	271da31a92	binutils: fix CVE-2019-17451 Backport upstream fix. (From OE-Core rev: 02c54859c009be191958a19a5c3549a6635cc647) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Trevor Gamblin	f4c9970227	binutils: fix CVE-2019-17450 Backport upstream fix. (From OE-Core rev: dcd3406c79bdee46fabc2310c9e278918e26ce80) Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Ross Burton	eb25d2fc66	wpa-supplicant: fix CVE-2019-16275 (From OE-Core rev: 4b764c25d7396cba41c28c66a78a7a8f0ea3a5be) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Joshua Watt	441f31d02f	python3: RDEPEND on libgcc Python uses features of glibc that require it to dynamically load (i.e. dlopen()) libgcc_s at runtime. However, since this isn't a link time dependency, it doesn't get picked up automatically by bitbake so manually add it to RDEPENDS. There is an outstanding bug in Python to make it explicitly link against libgcc at link time which would remove the need for this. See: https://bugs.python.org/issue37395 (From OE-Core rev: 04297ee03f5f4e4edafaf332a6648465f52ba1eb) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> [ merged the fix to make it glibc only ] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	37e53c426b	python3: Upgrade 3.7.5 -> 3.7.6 (From OE-Core rev: 262ac0c4d534b1858b81c7d69b6ff57c5d3a4559) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	78c2ea1877	python/python3: Whitelist CVE-2019-18348 This is not exploitable when glibc has CVE-2016-10739 fixed, which is fixed in the upstream version since warrior. (From OE-Core rev: a2507600fecdf815ad80da569c5e8ad65286b812) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Adrian Bunk	57da5247c0	python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652 One Windows-only CVE that cannot be fixed, and two CVEs where upstream agreement is that they are not vulnerabilities. (From OE-Core rev: 1b69d141b73e46cc377f8566868da44dd5b1ea42) Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-28 11:15:01 +00:00
Armin Kuster	a19e3961a4	stress: update SRC_URI Fixes: WARNING: stress-1.0.4-r0 do_fetch: Failed to fetch URL http://people.seas.harvard.edu/~apw/stress/stress-1.0.4.tar.gz, attempting MIRRORS if available (From OE-Core rev: 279c4da2e5f46dccfeff0c898c2205940be9e174) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Ferry Toth	4c5f33c8fc	sudo: Fix fetching sources It looks like https://www.sudo.ws/download.html changed certificate and directory structure. This breaks fetching sources. (From OE-Core rev: adb6af60dcf098bfce64168e6443c26d124661c4) Signed-off-by: Ferry Toth <ftoth@exalondelft.nl> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> (cherry picked from commit f02e9f46ce54fed3c7ddfad7d1003a2fb7ba3a67) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Alexander Kanavin	025e005d29	sudo: correct SRC_URI The old URI returns 404, and has an invalid TLS certificate. (From OE-Core rev: abb42b83e1a96cdc7dac73e223a87cf078979c49) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 73ff6aba0a53ffc3ee0a5859a3ad4c8021be4de0) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Oleksandr Kravchuk	178c487ed2	popt: fix SRC_URI rpm5.org has been down for about a year now. Use linuxfromscratch.org as an alternative reliable source instead. (From OE-Core rev: 2e2fb4e9db2e328dcb771951feb7f7ab5c0c4dd6) Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d9224014da9a512b1b8837e4e7a736d465c97be3) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Niko Mauno	8c7e02c9d1	cve-check: Switch to NVD CVE JSON feed version 1.1 Switch to recently released version 1.1 of NVD CVE JSON feed, as in https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release it is mentioned that Due to changes required to support CVSS v3.1 scoring, the JSON vulnerability feeds must be modified. This will require the consumers of this data to update their internal processes. We will be providing the JSON 1.1 schema on the data feeds page and the information below to prepare for this transition. ... The JSON 1.1 data feeds will be available on September 9th, 2019. At that time the current JSON 1.0 data feeds will no longer available. This change was tested briefly by issuing 'bitbake core-image-minimal' with 'cve-check.bbclass' inherited via local.conf, and then comparing the content between the resulting two 'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not seem to contain any other change, except total of 167 entries like CVSS v3 BASE SCORE: 0.0 were replaced with similar 'CVSS v3 BASE SCORE:' entries which had scores that were greater than '0.0' (up to '9.8'). (From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323) (From OE-Core rev: 72c22b8791707480c380f49305c6d394578b2a4b) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c92b8804d6e59b2707332859957f0e6a46db0a73) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Ross Burton	c12415cc7c	cve-check: fetch CVE data once at a time instead of in a single call This code used to construct a single SQL statement that fetched the NVD data for every CVE requested. For recipes such as the kernel where there are over 2000 CVEs to report this can hit the variable count limit and the query fails with "sqlite3.OperationalError: too many SQL variables". The default limit is 999 variables, but some distributions such as Debian set the default to 250000. As the NVD table has an index on the ID column, whilst requesting the data CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time different is insignificant: 0.05s verses 0.01s on my machine. (From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99) (From OE-Core rev: 0f5b748a5b7fec41bac16bbc1346230e86bb99e3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:53 +00:00
Ross Burton	1ab16a1b7a	cve-check: neaten get_cve_info Remove obsolete Python 2 code, and use convenience methods for neatness. (From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff) (From OE-Core rev: 0ec6843bec3e817c3bc62d04adea5fd385307b32) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	2ea29b7c24	cve-check: rewrite look to fix false negatives A previous optimisation was premature and resulted in false-negatives in the report. Rewrite the checking algorithm to first get the list of potential CVEs by vendor:product, then iterate through every matching CPE for that CVE to determine if the bounds match or not. By doing this in two stages we can know if we've checked every CPE, instead of accidentally breaking out of the scan too early. (From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69) (From OE-Core rev: 9948dd86d100bec56e22e6c0bbf4759925a4b306) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	1fb115f221	cve-update-db-native: clean up proxy handling urllib handles adding proxy handlers if the proxies are set in the environment, so call bb.utils.export_proxies() to do that and remove the manual setup. (From OE-Core rev: 6b73004668b3b71c9c38814b79fbb58c893ed434) (From OE-Core rev: 2ddf1c0bc4267d38069f9dbb0f716fdac29a49a9) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	ee2c8e04b8	cve-update-db-native: add an index on the CVE ID column Create an index on the PRODUCTS table which contains a row for each CPE, drastically increasing the performance of lookups for a specific CVE. (From OE-Core rev: b4048b05b3a00d85c40d09961f846eadcebd812e) (From OE-Core rev: 9abd2b5c4ddfb98f3b8574954e1fd0e95a47ebcc) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	55bec749c0	cve-update-db-native: don't hardcode the database name Don't hardcode the database filename, there's a variable for this in cve-check.bbclass. (From OE-Core rev: 0d188a9dc4ae64c64cd661e9d9c3841e86f226ab) (From OE-Core rev: f774665ee4dcdc5a1fe1f51384d82fb8e1b219e1) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	933a0a255f	cve-update-db-native: don't refresh more than once an hour We already fetch the yearly CVE metadata and check that for updates before downloading the full data, but we can speed up CVE checking further by only checking the CVE metadata once an hour. (From OE-Core rev: 50d898fd360c58fe85460517d965f62b7654771a) (From OE-Core rev: fd16e1bb582d3135411e2e3dad46731114d2b955) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	df244d25f0	cve-check: we don't actually need to unpack to check The patch scanner works with patch files in the layer, not in the workdir, so it doesn't need to unpack. (From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17) (From OE-Core rev: 8bfe83d53c39e4a88f808af617db7db091694841) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	50b6a611ea	cve-check: failure to parse versions should be more visible (From OE-Core rev: d1a16e6f0edda5d9f03191d187788fc8b666bd7f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	0be3c68cf4	cve-check: ensure all known CVEs are in the report CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) (From OE-Core rev: 430e95cd819577d4d71fe6d579a175b8776aa467) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Khem Raj	665aea195a	sdk: Install nativesdk locales for all TCLIBC variants install_locales() here is actually operating on nativesdk and only glibc is the default library for nativesdk, since thats what most of desktop/server distros use, therefore bailing out based on TCLIBC is not needed here, since nativesdk-glibc would be required for all non-glibc targetting SDKs as well. Fixes SDK install time error ERROR: OE-core's config sanity checker detected a potential misconfiguration. Either fix the cause of this error or at your own risk disable the checker (see sanity.conf). Following is the list of potential problems / advisories: Your system needs to support the en_US.UTF-8 locale. ERROR: SDK preparation failed (From OE-Core rev: 7b8f6388e0a1e1eab35918a3764e98553a2452f4) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Zang Ruochen	366e5937f3	libpcap: upgrade 1.9.0 -> 1.9.1 -libpcap/0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch Removed since this is included in 1.9.1. (From OE-Core rev: d0e3d1f9437b2e2c6284d9fad51bb11ebe72a46c) Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [CVE-2018-16301 CVE-2019-15161 CVE-2019-15162 CVE-2019-15163 CVE-2019-15164 CVE-2019-15165] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	2969279a63	procps: whitelist CVE-2018-1121 This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE. (From OE-Core rev: afc529aa689daed18af29ecc64f3dae1fcbdc282) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Chen Qi	5982129110	webkitgtk: set CVE_PRODUCT (From OE-Core rev: 5fbf5eead50ab5a8cbacf277ddfff2eeca26f738) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Ross Burton	0931ac5431	libsndfile1: whitelist CVE-2018-13419 This is a memory leak that nobody else can replicate and has been rejected by upstream. (From OE-Core rev: 583990fc583a96dbf0655bff1630b2ebe199021d) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00
Chen Qi	33840314df	libxfont2: set CVE_PRODUCT (From OE-Core rev: ab5cc4a6119527e48299d7d6b7fac440c4b9bb6c) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>	2020-01-16 22:38:52 +00:00

1 2 3 4 5 ...

54309 Commits