52808 Commits

Author SHA1 Message Date
Chen Qi
70f57755d7 oeqa/selftest/context: ensure log directory exists
Ensure log directory exists to avoid the following error.

  FileNotFoundError: [Errno 2] No such file or directory: '/.../build-selftest/tmp/log/oe-selftest-results-20181207043431.log'

(From OE-Core rev: c54411d0e03fe1cea8b6bb0c80dea029dd264f36)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-10 16:52:30 +01:00
Bruce Ashfield
87d0be72e7 linux-yocto/4.14: update to v4.14.143
Updating to the latest 4.14 -stable. Lightly build and boot tested
on qemu*

(From OE-Core rev: f5be8c8309a932cde507ba24d042880a922df0b6)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Anuj Mittal
d8b63d9ad6 pango: fix CVE-2019-1010238
(From OE-Core rev: 20b23cb40917b1c83b862817b13f0eefc8fa7a64)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 65631a048f57965745dc8cc23cb80c4c3a71ba94)
[Fix up for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Anuj Mittal
65ba01d602 patch: backport fixes
The original fix for CVE-2018-1000156 was incomplete. Backport more
fixes done later for a complete fix.

Also see:
https://savannah.gnu.org/bugs/index.php?53820

(From OE-Core rev: e2869ff2f76adb2b1ba6f003d6d02d242afe49e8)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 12f9689cba740da6b8c7d9292c74c3992c2e18f2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Trevor Gamblin
6fc3dc1af5 patch: fix CVE-2019-13638
(From OE-Core rev: b59b1222b3f73f982286222a583de09c661dc781)

(From OE-Core rev: 308c44fd8f1d7d348c6c7cf9054f9c8403d8e8bd)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 555b0642579c00c41bc3daab9cef08452f9834d5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Anuj Mittal
d59f2b0a74 libxslt: fix CVE-2019-13117 CVE-2019-13118
(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5)

(From OE-Core rev: 07cd0d606fea63e683c7de7ebfaa6a55170b8318)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fixup for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Muminul Islam
94ac57739c libxslt: Cve fix CVE-2019-11068
(From OE-Core rev: c9c3fabddb4e1779ef330f2073f85dce83cb460b)

Signed-off-by: Muminul Islam <muislam@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Dan Tran
26ab554fd5 python3: Fix CVEs
Fixes CVE-2018-14647, CVE-2018-20406, CVE-2018-20852, CVE-2019-9636,
CVE-2019-9740, and CVE-2019-9747.

(From OE-Core rev: 5862716f22ca9f5745d3bca85c6ed0d8c35c437b)

Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Dan Tran
90e5385568 python: Fix 3 CVEs
Fixes CVE-2018-20852, CVE-2019-9740, and CVE-2019-9747

(From OE-Core rev: 3f1c02aa7b7d485e64503d601124c335d4b7299f)

Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Dan Tran
45cebeda6e binutils: Fix 4 CVEs
Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and
CVE-2018-1000876 for binutils 2.31.1.

(From OE-Core rev: 981eeec0f26f25db444782f40a86c558a2358215)

Signed-off-by: Dan Tran <dantran@microsoft.com>
[fixed up .inc for thud-next context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Adrian Bunk
36fa7fce02 dhcp: Replace OE specific patch for compatibility with latest bind with upstream patch
This also fixes a dhcp breakage noticed by Enrico Scholz.

(From OE-Core rev: 5deab12cdcf1d7372634324e1fd70145ff59f9f9)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Ruslan Bilovol
458009f31a dhcp: drop lost patch
Commit 7cb42ae87ef9 "dhcp: update 4.4.1" dropped
0008-tweak-to-support-external-bind.patch
from recipe, but left the patch itself in source tree.
Remove this patch since nobody uses it.

Cc: Armin Kuster <akuster808@gmail.com>
(From OE-Core rev: 109e8420c8a4e94dccb3c83e2b0b7fc6ceb66b04)

Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Armin Kuster
5f125a31e1 dhcp: fix issue with new bind changes
(From OE-Core rev: d0e2babdab1625e86d0abc7fa7dab25caa73ccb6)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Armin Kuster
6518c248e6 go: update to 1.11.13, minor updates
Source: golang.org
MR: 99376
Type: Security Fix
Disposition: Backport from golang.org
ChangeID: 41576ab4a0abdebbc44f1a35a83bf04e5f2fde06
Description:

https://golang.org/doc/devel/release.html

go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on our issue tracker for details.

go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details.

go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.11.13 milestone on our issue tracker for details.

Includes CVE: CVE-2019-14809

(From OE-Core rev: 6018e9755dce3eaa22a1fe691dc18546c43c9cbe)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Adrian Bunk
6eaf69d732 bind: upgrade 9.11.5 -> 9.11.5-P4
Source: OE.org
MR: 99751, 99752, 99753
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/bind?h=warrior&id=5d286da0fbe1a7ded2f84eec990e49d221bdeab4
ChangeID: ce3719ea11bd03af3baeca51a22115badf84be01
Description:

Bugfix-only compared to 9.11.5, mostly CVE fixes.

COPYRIGHT checksum changed due to 2018 -> 2019.

(From OE-Core rev: b24447b40e4988e337bdd4b5cf194df0827f9887)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Included cves:
CVE-2018-5744
CVE-2018-5745
CVE-2019-6465
]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Armin Kuster
3d3a165925 bind: update to latest LTS 9.11.5
Source: bind.org
MR: 99750
Type: Security Fix
Disposition: Backport from bind.org
ChangeID: bca5c436229f1b8c7e8eb3e45fc6188ffdb5e224
Description:

includes:
CVE-2018-5738

drop patch for CVE-2018-5740 now included in update

see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html

Add RECIPE_NO_UPDATE_REASON for lts

(From OE-Core rev: 25b2f2c6fc67eabb0e7f0b7c5ffe08c554613c10)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Also includes CVE-2018-5740]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Armin Kuster
176dc6eb01 binutils: Security fix for CVE-2019-12972
Source: git://sourceware.org / binutils-gdb.git
MR: 98770
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c
Description:

Fixes CVE-2019-12972

(From OE-Core rev: 16f4520f5cb581eb93bd3f0e3aa1feecc5c567ba)

Signed-off-by: Armin Kuster <akuster@mvista.com>

[v2]
forgot to refresh inc file before sending

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Armin Kuster
d39b67e491 binutils: Security fix for CVE-2019-14444
Source: git://sourceware.org / binutils-gdb.git
MR: 99255
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
ChangeID: 67ad4ab1ec34b941bdcfbb4f55d16176bbbd3d72
Description:

Affects: <= 2.32.0

Fixes CVE-2019-14444

(From OE-Core rev: a367928942411b36a0b0bbb95055d01548430e8e)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Armin Kuster
09d46e9131 gcc: Security fix for CVE-2019-14250
Source: gcc.org
MR: 99120
Type: Security Fix
Disposition: Backport from https://gcc.gnu.org/viewcvs?rev=273794&root=gcc&view=rev
ChangeID: 28ab763c18f1543607181cd9657f45f7752b6fcb
Description:

Affects < 9.2

(From OE-Core rev: 79205966072bb6179d96b3af5aabc521da83e841)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Bartosz Golaszewski
0f7e6681a8 qemu: add a patch fixing the native build on newer kernels
The build fails on qemu-native if we're using kernels after commit
0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream
patch that fixes the issue.

(From OE-Core rev: fac2d3846dadfda256e94500bdf33f546a8d1fb4)

Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Refactored for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
4e6a44598f libcomps: fix CVE-2019-3817
(From OE-Core rev: 2cebc7faa10c7ac6f60437658702f7adce3b3a89)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
9da2eb4bef glib-2.0: fix CVE-2019-13012
(From OE-Core rev: 51f7ecf2259e1fb669cd84c5317cbd8810d731b7)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
fe27c50545 dbus: fix CVE-2019-12749
(From OE-Core rev: 144363decc922ed03a584eb9b29cf9808a469d08)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:28 +01:00
Andrii Bordunov via Openembedded-core
1b62838428 curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823
(From OE-Core rev: 75a4b4d8fb14414bbe2e38be8ccda0af94ef9b40)

Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:27 +01:00
Anuj Mittal
20ee17a579 python3: fix CVE-2019-9740
CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See:

https://bugs.python.org/issue30458

(From OE-Core rev: ad90312adabbad951f62e3bd4ad95fcc763ad0c4)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:27 +01:00
Anuj Mittal
d581f111db patch: fix CVE-2019-13636
(From OE-Core rev: bd367f58d9d6b5f0ce213e1be36763c5a9e425b6)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:27 +01:00
Alexander Kanavin
fa4683a484 buildhistory: call a dependency parser only on actual dependency lists
Previously it was also called on filelists and possibly other items which
broke the parser.

(From OE-Core rev: f965ecbf558b6db1959e4ba8e599d65a5c8022b2)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-10-08 22:52:27 +01:00
Armin Kuster
e694933647 bitbake: tests/fetch: Resolve fetch error in bitbake-selftest
FAIL: test_wget_latest_versionstring (bb.tests.fetch.FetchLatestVersionTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pokybuild/yocto-worker/oe-selftest/build/bitbake/lib/bb/tests/fetch.py", line 1229, in test_wget_latest_versionstring
      self.assertTrue(verstring, msg="Could not find upstream version for %s" % k[0])
      AssertionError: '' is not true : Could not find upstream version for db

[YOCTO #13496]

The Oracle UPSTREAM_CHECK_URI used changed and does not work with logic in wget.

Update UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to match the ones used in the
recipe. Also change the version being checked.

(Bitbake rev: 8a58c3c64240c6ab14858d18e6b89febdb315311)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-09-09 09:58:09 +01:00
Scott Rifenbark
55e9d7c1e4 YP Docs: Set up the August 2019 date for 2.6.3 release.
(From yocto-docs rev: 49abb21ec1728a8794c69997316a95ed0251a1e2)

Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-09-06 11:59:53 +01:00
Martin Jansa
dab13e1c79 bitbake: fetch2: show warning when renaming the archive with bad checksum failed
* noticed on read-only sshfs premirror
* it was showing the warning about renaming the file:
  WARNING: laser-geometry-1.6.4-r0 do_fetch: Renaming /jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz to /jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz_bad-checksum_1ee7479b8c5914b4ffae996945121441

  and then failed because of movefile() issue with python3 (fixed in previous commit):
  ERROR: laser-geometry-1.6.4-r0 do_fetch: Error executing a python function in exec_python_func() autogenerated:

  with movefile() fixed, it let do_fetch continue and re-fetch locally with the right
  checksum, but still the renamed file didn't exist, because of movefile failure - add
  another warning when the movefile fails - for whatever reason - unfortunately movefile
  prints error messages with just print() so the real error is hidden only in log.do_fetch
  in this case:
  movefile: Failed to move /jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz to /jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz_bad-checksum_1ee7479b8c5914b4ffae996945121441 [Errno 30] Read-only file system: '/jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz' -> '/jenkins/mjansa/sshfs/webos-ose-thud/downloads/laser_geometry-1.6.4.tar.gz_bad-checksum_1ee7479b8c5914b4ffae996945121441'

(Bitbake rev: d36438759344caa447d9a0bf30749a0aa31d1fba)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-09-06 11:58:56 +01:00
Martin Jansa
3103c383b3 bitbake: utils: Fix movefile() exception handling with python3
* with python3 this fails with:
  File: 'bitbake/lib/bb/utils.py', lineno: 799, function: movefile
       0795:        try:
       0796:            os.rename(src, destpath)
       0797:            renamefailed = 0
       0798:        except Exception as e:
   *** 0799:            if e[0] != errno.EXDEV:
       0800:                # Some random error.
       0801:                print("movefile: Failed to move", src, "to", dest, e)
       0802:                return None
       0803:            # Invalid cross-device-link 'bind' mounted or actually Cross-Device
  Exception: TypeError: 'OSError' object is not subscriptable

(Bitbake rev: 9f92322fa8d6f1a68c0c3f4984afdf65126b51dc)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-09-06 11:58:56 +01:00
Richard Purdie
cb26830f76 build-appliance-image: Update to thud head revision
(From OE-Core rev: d3d3f443039b03f1200a14bfe99f985592632018)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
thud-20.0.3 yocto-2.6.3
2019-08-01 11:58:15 +01:00
Richard Purdie
d43a86de1a poky.conf: Bump version for 2.6.3 thud release
(From meta-yocto rev: 9a1d9fd77e2dd2d324654755633e143ef7730dc5)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-08-01 11:58:07 +01:00
Anuj Mittal
d49de3810a expat: fix CVE-2018-20843
(From OE-Core rev: aad245ea1c55f8e778ae3420c5c31e94301e7cba)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Ross Burton
9e0a120c8e libcroco: fix CVE-2017-7961
(From OE-Core rev: 480f15850820746cecdfe0b8450b2be484c1f8f9)

(From OE-Core rev: f5cf064b3c138c8a6591d34f40253e10a6f01a14)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Ovidiu Panait
e6058824bb ghostscript: Fix 3 CVEs
It was discovered that the ghostscript /invalidaccess checks fail under
certain conditions. An attacker could possibly exploit this to bypass
the -dSAFER protection and, for example, execute arbitrary shell commands
via a specially crafted PostScript document.

It was found that the superexec operator was available in the internal
dictionary in ghostscript before 9.27. A specially crafted PostScript
file could use this flaw in order to, for example, have access to the
file system outside of the constraints imposed by -dSAFER.

It was found that the forceput operator could be extracted from the
DefineResource method in ghostscript before 9.27. A specially crafted
PostScript file could use this flaw in order to, for example, have
access to the file system outside of the constraints imposed by -dSAFER.

References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6116
https://www.openwall.com/lists/oss-security/2019/01/23/5
https://nvd.nist.gov/vuln/detail/CVE-2019-3835
https://nvd.nist.gov/vuln/detail/CVE-2019-3838

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=13b0a36
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2db98f9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=99f1309
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=59d8f4d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2768d1a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=49c8092
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2ff600a
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=779664d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=e8acf6d
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2055917
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=ed9fcd9
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a82601e

(From OE-Core rev: 12e140dfdac8456772223c816e37bd869419bb18)

(From OE-Core rev: cf5d29dcac6247e8476f7af78b4e0bb129b94677)

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fix for CVE-2019-6116 is already in thud, so that has been removed]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Anuj Mittal
885459d264 bzip2: fix CVE-2019-12900
Also include a patch to fix regression caused by it. See:

https://gitlab.com/federicomenaquintero/bzip2/issues/24

(From OE-Core rev: 7c0b2d228f51aebb4415e63a07bdd645e85b09d8)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Ross Burton
d0e65410f4 libarchive: integrate security fixes
Fix the following CVEs by backporting patches from upstream:
- CVE-2019-1000019
- CVE-2019-1000020
- CVE-2018-1000877
- CVE-2018-1000878
- CVE-2018-1000879
- CVE-2018-1000880

(From OE-Core rev: ea251020304b9c18f31c39de867a47311b1bb46c)

(From OE-Core rev: 6cba048de29dfea44e926b00e5ea91359e7cbebd)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Anuj Mittal
acd46a34c4 gstreamer1.0-plugins-base: fix CVE-2019-9928
(From OE-Core rev: 276567b6a8e4b21dc978b352b5c715d6381867b1)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Anuj Mittal
ecc1ac5b04 libsdl: CVE fixes
Fixes CVE-2019-7572, CVE-2019-7574, CVE-2019-7575, CVE-2019-7576,
CVE-2019-7577, CVE-2019-7578, CVE-2019-7635, CVE-2019-7637,
CVE-2019-7638.

(From OE-Core rev: 2cfcb3b0fce7e1156eb52260df4330c95d87dc17)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Alejandro del Castillo
e8cd30ba6c OpkgPM: use --add-ignore-recommends to process BAD_RECOMMENDATIONS
Currently, BAD_RECOMMENDATIONS on the opkg backend relies on editing the
opkg status file (it sets BAD_RECOMMENDATIONS pkg want state to
deinstalled and pinned). This is brittle, and not consistent across the
different solver backends. Use new --add-ignore-recommends flag instead.

(From OE-Core rev: 0d11e813ba9b4e8de9e6e5099ff85f5d914243bc)

(From OE-Core rev: bfb0acb6bc6bc11e4aa2c9527916359e1a763e85)

(From OE-Core rev: 13ba66338d16cc07cb0129de932f090d0edb7760)

Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Alejandro del Castillo
eecc4121ad opkg: add --ignore-recommends flag
To be used for BAD_RECOMMENDATIONS feature.

(From OE-Core rev: 788d97b4f8e4452cef1ba6bb3e565e1b52dbb7de)

(From OE-Core rev: 85007cdb260bc77ac4ae5f914b0e3a4408606dfd)

(From OE-Core rev: c60f9c47380bb53bd2b54373b72f86006edf326e)

Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Backport from opkg_0.4.0.bb]
Signed-off-by: Quentin Schulz <quentin.schulz@streamunlimited.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Richard Purdie
a872c96192 scripts: Remove deprecated imp module usage
The imp module is deprecated, port the code over to use importlib
as recently done for bb.utils as well.

(From OE-Core rev: f3ba6cee5927c7475c3dc47658fa0548aec52115)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-29 23:50:43 +01:00
Robert Yang
4d63da3fad uboot-sign.bbclass: Remove tab indentations in python code
Use 4 spaces to replace a tab.

(From OE-Core rev: 2bf6098ac1cbbf7ed28522b7f7dce84c8341ce00)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-27 18:05:18 +01:00
Armin Kuster
a51a3b1c82 glib: Security fix for CVE-2019-9633
Source: gnome.org
MR: 98802
Type: Security Fix
Disposition: Backport from d553d92d6e
ChangeID: b73c332f27f47ddc1b1cfd7424f24778acc0c318
Description:

includes supporting patch.
Fixes CVE-2019-9633

(From OE-Core rev: 3ebf0fc043b6c9b6c2381dab893b54ebcb8ac13d)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-27 18:05:18 +01:00
Armin Kuster
e2f3997a84 qemu: Security fixes CVE-2018-20815 CVE-2019-9824
Source: qemu.org
MR: 98623
Type: Security Fix
Disposition: Backport from qemu.org
ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37
Description:

Fixes both CVE-2018-20815 and CVE-2019-9824

(From OE-Core rev: 5c45cd09fb29d4a1ebda6153a25f16e312049c44)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-27 18:05:18 +01:00
Ross Burton
45e662b445 glibc: backport CVE fixes
Backport the fixes for several CVEs from the 2.28 stable branch:
- CVE-2016-10739
- CVE-2018-19591

(From OE-Core rev: 950a60c0e4183037a807031ddc9167b1a81a5348)

Signed-off-by: Ross Burton <ross.burton@intel.com>
[Dropped CVE-2019-9169 as it's in my contrib already]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-27 18:05:18 +01:00
Ross Burton
f749c69115 lighttpd: fix CVE-2019-11072
(From OE-Core rev: 0dbd16a40a28bb75962f38c6ce450c909c22ee79)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-27 18:05:18 +01:00
Richard Purdie
573a935860 uninative: Update to 2.6 release
The 2.6 release contains both libcrypt.so.1 and libcrypt.so.2 which fixes
compatibility with recent fedora/suse releases.

The difference is one is built with obsolete APIs enabled and one disabled.
We now ship both in uninative for compatibility regardless of which distro
a binary is built on.

(From OE-Core rev: 352ab80333096df92ef0f4cd331baea98e71aa21)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-27 18:05:18 +01:00
Richard Purdie
59400377bb uninative: Switch from bz2 to xz
(From OE-Core rev: 29fc9210b973be68de474e75068e4c72371afe5a)

(From OE-Core rev: 16785ebdc50f38ef4bc30d477a6833bdd4b541d1)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-07-27 18:05:18 +01:00