CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust
CVE-2017-9835: bounds check the array allocations methods
CVE-2017-11714: prevent trying to reloc a freed object
(From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* e.g. with gentoo gcc-7.1 they define _FORTIFY_SOURCE by default with:
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/src/patchsets/gcc/7.1.0/gentoo/10_all_default-fortify-source.patch?view=markup
which results in following error while building grub-efi-native:
./config-util.h:1504:48: error: this use of "defined" may not be portable [-Werror=expansion-to-defined]
|| (defined _FORTIFY_SOURCE && 0 < _FORTIFY_SOURCE \
^~~~~~~~~~~~~~~
this part comes from gnulib and it's used only for Apple and BSD,
so we can ignore it, but we cannot add -Wno-error=expansion-to-defined
because this warning was introduced only in gcc-7 and older gcc
will fail with:
cc1: error: -Werror=expansion-to-defined: no option -Wexpansion-to-defined
use #pragma to work around this
(From OE-Core rev: f5302b0ad2942f7705d46c33949ebc1c5ddf3f58)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With glibc upgrade to 2.26 release (commit d6a0bc57fa07
"glibc: Upgrade to 2.26 final release") it's not possible
to build x86/x86_64 SDK for kernels lower than 3.2.0
(see glibc commit 139ace95756a "Require Linux kernel 3.2
or later on x86 / x86_64.")
Thus drop SDK_OLDEST_KERNEL overrides from machine-specific
conf files, so default version 3.2.0 from conf/bitbake.conf
will be picked up.
(From OE-Core rev: 0724896f7a2092abf2f3bafa9fac96c5210d39a5)
Signed-off-by: Ruslan Bilovol <rbilovol@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Fixes:
ERROR: nativesdk-libcheck-0.10.0-r0 do_package_qa: QA Issue: /usr/local/oecore-x86_64/sysroots/x86_64-oesdk-linux/usr/bin/checkmk contained in package nativesdk-libcheck requires /usr/local/oecore-x86_64/sysroots/x86_64-oesdk-linux/usr/bin/gawk, but no providers found in RDEPENDS_nativesdk-libcheck? [file-rdeps]
(From OE-Core rev: 71c29b53f1a44430306eeda96dc43cf7d002afe5)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add new patches for enable builds on hosts that has GCC version
minor than 5 because doesn't support std::array and std::put_time,
those patches could be removed after get rid of Debian8 and Centos7
support.
- gcc_4.x_Revert-avoid-changing-the-global-LC_TIME-for-Release.patch
- gcc_4.x_Revert-use-de-localed-std-put_time-instead-rolling-o.patch
- gcc_4.x_apt-pkg-contrib-strutl.cc-Include-array-header.patch
The LIC_FILES_CHKSUM changed because the license file now has
style changes in the text remains GPLv2+.
The patch Revert-always-run-dpkg-configure-a-at-the-end-of-our
was updated because now the precision fields use floating
point numbers.
(From OE-Core rev: da99ae14c3a5719b317ff71b8f778a7c987f6158)
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Patches rebased due to don't apply, no major changes,
- 0002-Adapt-to-linux-wrs-kernel-version-which-has-characte.patch
- arch_pm.patch
- noman.patch
Patches related to move ostable/triplettable insida data/ostable and
data/tupletable instead also needs to comply the new format of the
tables for arch detection.
- 0006-add-musleabi-to-known-target-tripets.patch
- add_armeb_triplet_entry.patch
And finally a patch to avoid usage --clamp-mtime in tar needs to be
modified because the dpkg-deb internal API changed.
- 0007-dpkg-deb-build.c-Remove-usage-of-clamp-mtime-in-tar.patch
(From OE-Core rev: dc1ae641435999095e8759812b096fec1f28c90d)
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Updated update-gawk-paths.patch.
- Updated Makefile-ptest.patch
- Removed 0008-replace-struct-ucontext-with-ucontext_t.patch which is already in
the source.
- The LIC_FILES_CHKSUM is changed because the years have been updated,
the contents are the same.
(From OE-Core rev: 111e4a8642160c8441e447da32a4ef52995bbe99)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removed the following 2 patches which are already in the source:
- 0001-e2fsck-exit-with-exit-status-0-if-no-errors-were-fix.patch
- e2fsprogs-1.43-sysmacros.patch
(From OE-Core rev: ce0efa2e38611428aff6d39d52ce29f8a6571813)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Hard depending on the kernel makes it impossible to install kernel
modules without getting the kernel image installed too. This is
inconvenient in e.g. initramdisks, where the kernel is loaded from
outside the initramdisk.
Making the kernel modules rrecommend kernel-image-<version> instead of
rdepending on it, makes it possible to install kernel modules without
the kernel image by setting "kernel-image" in BAD_RECOMMENDATIONS.
(From OE-Core rev: 5dd7ddb66a6846d9bb59dc7833e8318992d0e645)
Signed-off-by: Martin Hundebøll <mnhu@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
pass the end of "name" variable in parse_response().
[YOCTO #11959]
(From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Don't hardcode the package name, it could be gdk-pixbuf or
lib32-gdk-pixbuf.
(From OE-Core rev: 92a299a550b5b9c68c0285fdeb3d4c9defa0dede)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We were being a bit prescriptive in setting LICENSE and
LIC_FILES_CHKSUM. We can't always trust what's in the metadata
accompanying some source which plugins will almost always be pulling
from, however we do want to allow plugins to set the LICENSE and
LIC_FILES_CHKSUM values. Merge what we find in our license file scan
with what the plugin sends back.
Additionally, plugins can now add a "license" item to the handled list
in order to inhibit the normal LICENSE / LIC_FILES_CHKSUM handling if
they have already taken care of it completely.
Thanks to Mark Horn <mark.d.horn@intel.com> for prompting, testing and
fixing this patch.
(From OE-Core rev: 1df60b09f7a60427795ec828c9c7180e4e52f98c)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Previously if we were able to auto-determine the name from the URL, that
took precedence over any name that might be set in extravalues by a
plugin. Some plugins might be able to get a better idea of the name and
thus we should move defaulting of the name further down after the
plugins have had a chance to set it.
(From OE-Core rev: 3bb979c13463705c4db6c59034661c4cd8100756)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By default, exports the whole workspace (all recipes) including the source code.
User can also limit what is exported with --included/--excluded flags. As
a result of this operation, a tar archive containing only workspace metadata
and its corresponding source code is created, which can be properly imported
with 'devtool import'.
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10510
[YOCTO #10510]
(From OE-Core rev: f9bc3b5101b554a72298266519dbdd1497f262a6)
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When devtool upgrade is run on a recipe with revision specified
that is not on master branch, and branch isn't set by --srcbranch or -B,
then we should get the correct branch and append the branch to the URL.
If the revision was found on multiple branches, we will display error
to inform user to provide a correct branch and exit.
[YOCTO #11484]
(From OE-Core rev: 29ced7387a92aed17b7fe93b1654790a981734c1)
Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
During recipe creation, it seems that the automation for replacing
${PV} at the SRCURI for tag, (e.g mbed-tls-${PV}) is causing some
issue due to PV assuming it's a git source. A fix is implemented in
this patch to resolve this issue.
(From OE-Core rev: 9d3ec76c1b7dd75d904f5ff47297de0fb65b21c2)
Signed-off-by: Stanley Phoong <stanley.cheong.kwan.phoong@intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This change is to improve the buildability of the recipe created by
recipetool and devtool.
When recipetool create is run on a git URL and a revision specified
that is not on master, and "branch=" isn't already in the URL, then
we should get the correct branch and append the branch to the URL.
If the revision was found on multiple branches and 'master' is not
in the list, we will display error to inform user to provide a
correct branch and exit.
[YOCTO #11389]
(From OE-Core rev: ecca596b75cfda2f798a0bdde75f4f774e23a95b)
Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When creating new recipes, we are almost certainly fetching a new
source rather that something that has already been fetched. I have
disable PREMIRRORS and MIRRORS settings in the recipe that created
by devtool while leaving an option for users to enable them manually
if needed. Since devtool already has this options, we need to ensure
that recipetool is able to handle the options passed from devtool.
(From OE-Core rev: 091cee2bdc2378a3425a4ef8558d03e6f9c021ff)
Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is an interesting bug in the current code where a sync command
is not seen until the current async command completes, by which time
the UI may have shut down.
The reason is that if there are idle commands, we may not end up sleeping
in the select call at all, partiularly under heavy load like parsing.
Fix this by calling select with a zero timeout so that we see active
fds and know to read from them. This fixes various problems toaster was
having with the recent server changes.
[YOCTO #11898]
(Bitbake rev: bbcce58e824b2793abf50efa52db158ae16e23e4)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The eSDK installation requires the meta-skeleton layer.
The build system might use the meta-skeleton recipes as layout
to create custom recipes. An example is the recipetool script
that uses the meta-skeleton kernel recipe when creating a custom
kernel recipe.
[YOCTO #11102]
(From OE-Core rev: 5c9ef0734d23909b5694ed43cdbb205c2ba9ca95)
Signed-off-by: Juan M Cruz Alcaraz <juan.m.cruz.alcaraz@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Our grub and syslinux bootloaders both define root=/dev/ram0 for live
images by default. Kernel docs show that root=/dev/ram0 is just a
sentinel value for the kernel to mount the initrd as root, which then
mounts and switches to the real root. This is exactly what our scripts
do, so just check for root=/dev/ram0 as well.
See: https://www.kernel.org/doc/html/v4.11/admin-guide/initrd.html#operation
This fixes the issue where the new initramfs-framework scripts would not
boot live images that use grub or syslinux bootloaders.
(From OE-Core rev: a30f8f60017d566d845ee5d3a8cfc338017211b0)
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
openssl 1.1 broke 3rd party layers a lot more than was expected; let's flip
the switch at the start of next development cycle.
Add a PROVIDES = "openssl10" to openssl 1.0 recipe; any dependency that is
not compatible with 1.1 should use that in its DEPENDS, as the 1.0
recipe will later be renamed back to openssl10. This does not always work:
http://lists.openembedded.org/pipermail/openembedded-core/2017-August/140957.html
but for many recipes it does.
(From OE-Core rev: 5585103c195104e85ed7ac1455bef91b2e88a04d)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The behavior before this change was to check USER_CLASSES and adjust
the install script to return either exit 0 (don't do anything) or
exit 1 (run on first boot). This enabled a user to include the prelink
package without enablign the image-prelink bbclass and get a first boot
prelink.
Checking USER_CLASSES is not desired, as an image should be able to simply
inherit the image-prelink and get the same type of behavior. Modifying
the recipe based on the inclusion of a class is a bad idea as it makes
this style work more difficult. So we move to a more defined strategy
based on exist uses. (That we know of...)
If we ae doing a cross install, we want to avoid prelinking.
Prelinking during a cross install should be handled by the image-prelink
bbclass. If the user desires this to run on the target at first boot
they will need to create a custom boot script.
[YOCTO #11169]
(From OE-Core rev: e31c9d32072b9cf62c0e9e55b4d421849d3d489b)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace the deprecated '-usbdevice' option with '-device usb-xx' option.
This would fix runqemu boot error like below.
'-usbdevice' is deprecated, please use '-device usb-...' instead
(From OE-Core rev: 2f1f3480d344f8521e01f456d2dcd6c4e989ec59)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport two patches to fix the following error when booting qemu.
Failed to unlock byte 100
(From OE-Core rev: 91eee8b08cd52f49bb1c8f8c680607b3f3a52d24)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2017-9226 : check too big code point value for single byte
CVE-2017-9227 : access to invalid address by reg->dmin value
CVE-2017-9228 : invalid state(CCS_VALUE) in parse_char_class()
CVE-2017-9229 : access to invalid address by reg->dmax value
(From OE-Core rev: f15f01edbaa431829a50053d07ed6d6b333584c7)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The release version was actually working correctly; it only makes
the warning work properly.
(From OE-Core rev: e7986a5493ccd222b82c2388ea8c3bb7004b48dd)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CURL_FORMAT_OFF_T does not seem to exist anymore, use
CURL_FORMAT_CURL_OFF_T instead. This works with old and new curl.
(From OE-Core rev: 5548f9c87c6a10cda2baf6f198762380e55f6ae2)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Optional installation of khrplatform.h was implemented upstream by a slightly
different approach -> 0001-mapi-Only-install-khrplatform.h-with-EGL-or-GLES.patch
can be removed.
(From OE-Core rev: 4473c9e846826bfb4f48cec9c6c7b1cad6666bb3)
Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* without this package installed any WebKitGTK+ based browser
will fail to correctly open html files (and other files)
from disk (file:// URIs). It will open them as plain txt files.
(From OE-Core rev: b708cb53b46d9d82a7853bcd0f25ef6bc417bd10)
Signed-off-by: Carlos Alberto Lopez Perez <clopez@igalia.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
do_configure() will no longer convert references to
/usr/include into /path/to/recipes-sysroot/usr/include
for the file "Porting/Glossary".
[YOCTO #11243]
(From OE-Core rev: cb2dfe5627df2ff235b37622260484841f39af17)
Signed-off-by: Ooi Cinly <cinly.ooi@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removed all instances of -fdebug-prefix-map in LTCFLAGS
declaration because they contain references to host system
and are not needed.
/absolute/path/to/host/dd was replaced with 'dd' in
lt_truncate_bin declaration.
Please take note that the location of regex is important
for DEBUG_PREFIX_MAP. Removal of DEBUG_PREFIX_MAP has to be
done before other regex command modify its option value.
Both are modified because they affect binary reproducibility.
[YOCTO #11656]
(From OE-Core rev: 04db02138e363898e040e33557f1296e8a43c3fd)
Signed-off-by: Ooi Cinly <cinly.ooi@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Disable build for muslx32.X32 isn't supported by valgrind at this
moment.
(From OE-Core rev: a945141062ac3d0736558be428f60af405b53a94)
Signed-off-by: sweeaun <swee.aun.khor@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In images built with pam in DISTRO_FEATURES, we end up with dangling symlinks
if su is not packaged into image
$ ls /mnt/a/oe/build/tmp/work/raspberrypi3-bec-linux-gnueabi/core-image-minimal/1.0-r0/rootfs/etc/pam.d/su-l -l
lrwxrwxrwx 1 kraj users 2 Aug 9 07:56 /mnt/a/oe/build/tmp/work/raspberrypi3-bec-linux-gnueabi/core-image-minimal/1.0-r0/rootfs/etc/pam.d/su-l -> su
This causes image do_rootfs to fail
| sed: can't read /mnt/a/oe/build/tmp/work/raspberrypi3-bec-linux-gnueabi/core-image-minimal/1.0-r0/rootfs/etc/pam.d/s
u-l: No such file or directory
| WARNING: /mnt/a/oe/build/tmp/work/raspberrypi3-bec-linux-gnueabi/core-image-minimal/1.0-r0/temp/run.ssh_allow_empty_
password.19238:1 exit 2 from 'sed -i 's/nullok_secure/nullok/' /mnt/a/oe/build/tmp/work/raspberrypi3-bec-linux-gnueabi
/core-image-minimal/1.0-r0/rootfs/etc/pam.d/*'
Therefore we need to filter out dangling symlinks before sed'ing
things out
(From OE-Core rev: b92105e5a085c8cd3c650579644922ed97163e73)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
