Commit Graph

5630 Commits

Author SHA1 Message Date
Anuj Mittal
f504feabb8 e2fsprogs: backport upstream patch
Fixes a bug wherein a use after free could potentially be used to run
malicious code if a user can be tricked into running e2fsck on a
maliciously crafted file system.

Also see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948517

(From OE-Core rev: 23c1b157362609bd8d85c7d35e6c7f0f60c32c88)

(From OE-Core rev: bc3c82e82e6d2dce025e84b8f398379f4fc6f249)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-30 17:41:56 +01:00
Anuj Mittal
ad00b082d8 e2fsprogs: fix CVE-2019-5188
Also see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948508

(From OE-Core rev: 09bdcef183d885025da6aa87a7c2bf7e8268774e)

(From OE-Core rev: b3fcf13e332d8830e759ef4161161f0e54591700)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-30 17:41:56 +01:00
Adrian Bunk
acb0b159be python3: Upgrade 3.7.6 -> 3.7.7
THE LICENSE checksum changed in this update due to copyright notice
added for 2020.

(From OE-Core rev: 3c40cfe7433999272e1698e2c914d6d190f76b63)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-19 09:57:51 +00:00
Lee Chee Yang
70686ed9aa qemu: fix CVE-2019-20382
(From OE-Core rev: dac4545cdf0ab848086da96eac123d0c640cd8b2)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-19 09:57:50 +00:00
Rahul Chauhan
f4f272f72c ruby: fix CVE-2019-16254
(From OE-Core rev: b8e6eb473f3697ab76f30ca8a0abe584d3d10fa6)

Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-16 16:44:53 +00:00
Nathan Rossi
917d2fc42b gcc-target.inc: Prevent sysroot from leaking into configargs.h
Prevent the full recipe-sysroot path from leaking into configargs.h. The
configargs.h header is intended to be static and unchanged as the
content is used as a means of determining that a gcc plugin is built for
the same gcc. This also affects the output of 'gcc -v'. Due to per
recipe sysroots and staging, the sysroot path would be replaced with the
sysroot local to the recipe thus changing the content of configargs.h.
This change also improves gcc binary reproducibility. The sysroot path
is replaced with the base target root "/".

(From OE-Core rev: 0f418fccab3f67a2afaa28195263d6f24831dd56)

Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b8d6e2ab68ee5e341fe970b191bfd334e6d2c40b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-16 16:44:53 +00:00
Nathan Rossi
4dabdf2ff5 gcc-cross.inc: Prevent native sysroot from leaking into configargs.h
Prevent the native(sdk) sysroot path from leaking into configargs.h. The
configargs.h header is intended to be static and unchanged as the
content is used as a means of determining that a gcc plugin is built for
the same gcc. This also affects the output of 'gcc --version'. Due to
per recipe sysroots and staging, the sysroot path would be replaced with
the sysroot local to the recipe thus changing the content of
configargs.h.

The sysroot path is replaced with a generic "/host" prefix which
represents the host sysroot (e.g. native or nativesdk).

(From OE-Core rev: 9bb270b3f12ff94b1541649078741e683020ffe9)

Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 84a78f46d59447eeec3d69532a7506148f64c979)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-16 16:44:53 +00:00
Mark Hatle
7064f9c626 gcc-cross-canadian: A missing space in an append caused an invalid option
When configuring the cross-canadian toolchain for a non-linux target system,
the resulting gcc configuration included:

  --enable-initfini-array--without-headers

these should have been two separate options.

(From OE-Core rev: fdd3d65b690c9d460a5758cf1b83e7b2edfc9559)

Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7b52893632dae7bc9ac75dddc7ad625e19f41050)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-16 16:44:53 +00:00
Lee Chee Yang
89601107db qemu: Fix CVE-2020-1711
see https://git.qemu.org/?p=qemu.git;a=commit;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc

(From OE-Core rev: 3e65ad67995874c363863280e40457acc3f479e9)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Tim Orling
4495667b53 liberror-perl: upgrade 0.17028 -> 0.17029
Upstream release notes:
"
0.17029         2020-01-28
    - Rebuild for order of 'NAME' and 'VERSION' sections in the generated
    POD documentation (see 0.001004 in
    https://metacpan.org/changes/distribution/Pod-Weaver-PluginBundle-SHLOMIF
    ).
        - VERSION used to appear before NAME.
"

(From OE-Core rev: 8856aa960ff4c9c833e958082466d19259915d5f)

Signed-off-by: Tim Orling <timothy.t.orling@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f4a520cc827187d83f2997614d893bba7d74a152)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Richard Purdie
3752e41448 perl: Fix makefile race causing configuration differences
Add a missing makefile dependency which can cause differences in
configuration (submitted upstream).

[YOCTO #13800]

(From OE-Core rev: 1589115ff42e8c211bc0784bd8aca7d3a5b8f566)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fe97845a45434902c5a994e253a127a462d7d3b4)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Richard Purdie
4d11365f40 perl: Fix encode module reproducibility issues
The code is encoding host compiler parameters into target builds. Avoid
this for our target builds. This should resolve builds which aren't
reproducible between hosts with different compilers.

(From OE-Core rev: 4b41afeea632f33a490d75621e2c0d6bb2bb6aca)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 71cdbf426e46e3ca1b5038f40e9f7ba958abc537)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Alexander Kanavin
049494b87c perl: fix failing ptests
(From OE-Core rev: b84f3056591c16fa3e2bba2e4fa936390a76ee9a)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f1da6355f13e707b3ffa5025067e509e0120784d)
[Fixup for zeus context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Ross Burton
74bec4855b perl: improve reproducibility
Occasionally the reproducibility selftest fails because perl-pod differs,
specifically that the perltoc.pod file was sometimes missing modules.

Debugging revealed that there are missing dependencies so there is a build race:
building perltoc.pod from a clean build tree results in no modules being listed
at all.

A bug has been filed at https://github.com/arsv/perl-cross/issues/86 to solve
this properly, but for now we can just delete perltoc.pod after make has
finished and re-generate it.

[ YOCTO #13726 ]

(From OE-Core rev: 4ee9c60797e95674ae138245b3a4de063b2e95db)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7e0f6c9ea4f824f29dc30c6631fd8039ebe83a0b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Alexander Kanavin
5b84102650 libmodule-build-perl: fix ptests
Particularly remove a broken detection of skipped tests
(which was marking tests that actually passed), and install
additional artefacts needed for testing.

(From OE-Core rev: 559fd361440898479937c887a0e4f8cfb8c46891)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dbbce0918617c21d0e43e9727d38372c22dff3dc)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Alexander Kanavin
dd95222a3a perl: install typemap and other extutils metadata as part of perl-core
Modules actually make use of these files, so they belong in perl-core
rather than perl-doc (the immediate failure was ptests for
libmodule-build-perl failing).

(From OE-Core rev: c95832dbfe4f375dadbffc8ee678052dbf7b3913)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 829e8c49833e4cb8de5db869769eb492c827e8c9)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Alexander Kanavin
19e844dc2e perl: package Config.pm from arch directory into the main perl package
Otherwise, some modules such as libmodule-build-perl fail to work
properly.

(From OE-Core rev: 2d5fae94a889cd9558e3946ecec2362c94e1c1e9)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e4072d53a7fb4fbbdacce9a20968e71ef6cff307)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Alexander Kanavin
db2edbf58c perl: update to 5.30.1
Drop fix-setgroup.patch as the upstream has fixed the issue.

(From OE-Core rev: df86f5d32dc18f25c5c4788b65cceae8905a6ef3)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 45edc6d23e20f7634c50db71e419c7e3bb7f393e)
[Bug fix only update]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-03-07 10:56:45 +00:00
Richard Purdie
02cbb680a9 perl: Fix various reproducibile build issues
Add a patch which handles the following issues:

a) Remove the \n from configure_attr.sh since it gets quoted differently depending on
   whether the shell is bash or dash which can cause the test result to be incorrect.
   Reported upstream: https://github.com/arsv/perl-cross/issues/87

b) Sort the order of the module lists from configure_mods.sh since otherwise
   the result isn't the same leading to makefile differences.
   Reported upstream: https://github.com/arsv/perl-cross/issues/88

c) Sort the Encode::Byte byte_t.fnm file output (and the makefile depends whilst
   there for good measure)
   This needs to go to upstream perl (not done)

d) Use bash for perl-cross configure since otherwise trnl gets set to "\n" with bash
   and "" with dash
   Reported upstream: https://github.com/arsv/perl-cross/issues/87

(From OE-Core rev: 482fd0d99f989b5a72a25bdf402fb2f219420b5d)

(From OE-Core rev: def3a9d748564883d71c506726554df622701b00)

(From OE-Core rev: 1f630fe43ec3c3e78c25f93d6badc8a35ff782ad)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-11 23:05:12 +00:00
Alexander Kanavin
ed51e1231a perl: do not install files that contain build host specific data
This was breaking reproducibility, and the files aren't needed on
target.

[YOCTO #13772]

(From OE-Core rev: 2e0f30c4680221c693495e3a0327378d502a518b)

(From OE-Core rev: 208efc88fa3c57244b272bf7e7f7f8163f14630c)

(From OE-Core rev: e120848c6bba6ce2cf910e762d53193d85280a98)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-11 23:05:12 +00:00
Richard Purdie
5602cc200b patch: Extend to native/nativesdk and depend upon
There is a bug in patch 2.7.3 and earlier where index lines
in patches can change file modes when they shouldn't:
http://git.savannah.gnu.org/cgit/patch.git/patch/?id=82b800c9552a088a241457948219d25ce0a407a4

This leaks into debug sources in particular (e.g. tcp-wrappers where
source files are read-only). Add the dependency to target recipes
to avoid this problem until we can rely on 2.7.4 or later.

We could try and remove all index lines from patch files but it will be a
losing battle. We could try and identify all the recipes which change
modes on files in patches but again, it's a losing battle.

Instead, compromise and have patch-native as a dependency
for target recipes. We use patch-replacement-native since patch-native
is in ASSUME_PROVIDED.

Also add nativesdk-patch to buildtools-tarball.

[YOCTO #13777]

(From OE-Core rev: 5ed0840c93804488cd1c1aba6cb382b2434714a5)

(From OE-Core rev: fd3bd61a6fe5190c575dc968f3a0be9c1cbf21ed)

(From OE-Core rev: 148f1f8caf5d9a262c1f55e437326ce6139a743e)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-11 23:05:12 +00:00
Richard Purdie
00534e3e4c opkg-utils: Fix reproducibility issues in opkg-build
There is a sorting problem with opkg-build where the ipk generated is depending
upon the order of files on disk. The reason is the --sort option to tar only
influences the orders of files tar reads, not those passed by the -T option.

Add in a sort call to resolve this issue. To ensure consistent sorting we
also need to force to a specific locale (C) else the results are still not
deterministic.

(From OE-Core rev: a9b8287984c63420e10329a69f7ac5125f1687f8)

(From OE-Core rev: b577a6d923042cfc04e67d470e0987488ea61412)

(From OE-Core rev: ff31fa7ae18cffb1618c3859c5dff7eb3c587692)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-11 23:05:12 +00:00
Alejandro del Castillo
f17ff5f9ce opkg-utils: upgrade to version 0.4.2
- Drop 00001-Switch-all-scripts-to-use-Python-3.x.patch
- Drop 00001-opkg-build-clamp-mtimes-to-SOURCE_DATE_EPOCH.patch
- Drop pipefail.patch

(From OE-Core rev: bf51a4a1312562cc9b5944b7dfccba0b3d11dc3c)

(From OE-Core rev: 1b71c28e1ca4fddc0f3c340ea4bcd76854ef620c)

(From OE-Core rev: 428c8a3887c86ea882b264fdad606612b9d9eb8e)

Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-11 23:05:12 +00:00
Taras Kondratiuk via Openembedded-core
2b0ad2bcad gcc-9.2: fix bug #91102 'aarch64 ICE on Linux kernel with -Os'
Linux kernel compilation for aarch64 triggers ICE if
CONFIG_CC_OPTIMIZE_FOR_SIZE=y.

The root cause is GCC bug #91102 'aarch64 ICE on Linux kernel with -Os'.
Apply the fix to 9.2.

(From OE-Core rev: 14f34d32bfdaa752f5043e62750d2e7b92c4b419)

(From OE-Core rev: 8ebd3b4ed4995f27c1568cf873067ce24b1998bd)

Signed-off-by: Taras Kondratiuk <takondra@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-11 23:05:12 +00:00
Lee Chee Yang
5865fb9194 rsync: whitelist CVE-2017-16548
patch for this CVE applies to v3.1.3pre1 not for v3.1.3.
patch already in v3.1.3.
see
https://git.samba.org/rsync.git/?p=rsync.git;a=commitdiff;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1;hp=bc112b0e7feece62ce98708092306639a8a53cce

(From OE-Core rev: 1e2739c821312527010fb0afbde5a20cd3f03d24)

(From OE-Core rev: be8838387b5dd06abd81cc478d3c2ab9c95930bc)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-11 23:05:12 +00:00
Armin Kuster
c604115e9e python2: add ntpath
python3 has this but python is missing this.
[Yocto #13740]

(From OE-Core rev: af41a2238beec0c34c1c1e5f25eed55f2a214643)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-02-04 18:43:08 +00:00
Robert Yang
0d53c40c36 pseudo: Make realpath() remove trailing slashes
The Linux system's realpath() removes trailing slashes, but pseudo's doesn't; we need to
make them identical.

E.g., the following code (rel.c) prints '/tmp' with system's realpath, but
pseudo's realpath prints '/tmp/':

    #include <stdio.h>
    #include <limits.h>
    #include <stdlib.h>

    int main() {
        char out[PATH_MAX];
        printf("%s\n", realpath("/tmp/", out));
        return 0;
    }

$ bitbake base-passwd -cdevshell # For pseudo env
$ gcc rel.c
$ ./a.out
/tmp/ (but should be /tmp)

This patch fixes the problem.

(From OE-Core rev: c251e753486dae9b460df315a6d19d6c81098ecb)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 319bbf66e03377adf2db7efa93ef578e3460eb38)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-01-11 11:06:22 +00:00
Richard Purdie
5a9198f525 python3: Update to apply libgcc fix to libpython, glibc only
Update to account for review feedback on list.

(From OE-Core rev: 9a2748db44c4382bbba81a5a9b96c998f0fab983)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ec788594f3f6a47687c6eb321437f2d2b58b1518)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-01-11 11:06:22 +00:00
Joshua Watt
9f82054a2c python3: RDEPEND on libgcc
Python uses features of glibc that require it to dynamically load (i.e.
dlopen()) libgcc_s at runtime. However, since this isn't a link time
dependency, it doesn't get picked up automatically by bitbake so
manually add it to RDEPENDS.

There is an outstanding bug in Python to make it explicitly link against
libgcc at link time which would remove the need for this. See:
https://bugs.python.org/issue37395

(From OE-Core rev: e6c4017727008ac2f665e843d59d53b584f3f1b3)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit df107f3a149b1e88d9f869e7ff87950ccf5aaee0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-01-11 11:06:22 +00:00
Adrian Bunk
f7ef93bbb0 python3: Upgrade 3.7.5 -> 3.7.6
(From OE-Core rev: b8926f3898fbf6828b908d741ab3b450adb85643)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit aee9beb12226abf7a195b8ee801ea488920b2fdb)
[Bug fix only update]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-01-11 11:06:22 +00:00
Tim Orling
f5dc7d9f69 liberror-perl: update 0.17027 -> 0.17028
HOMEPAGE change from bitbucket to github

Upstream release notes:
  - Moved the VCS repo to https://github.com/shlomif/perl-error.pm
  - No other significant changes.

(From OE-Core rev: f15419842bfdf463d987ba708e6d5f9b6aabecdf)

Signed-off-by: Tim Orling <timothy.t.orling@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 488680f45fbe28e32391e2a1a66ab350706abe93)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-01-11 11:06:22 +00:00
Adrian Bunk
b67ede4d82 python/python3: Whitelist CVE-2019-18348
This is not exploitable when glibc has CVE-2016-10739 fixed,
which is fixed in the upstream version since warrior.

(From OE-Core rev: a26ac2921a1ad96959364223920402082ccd1d61)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-31 10:37:23 +00:00
Anuj Mittal
fd8720a47e git: upgrade 2.23.0 -> 2.23.1
Fixes a bunch of CVEs:
a7312d1a28

(From OE-Core rev: 743eb9a2f10c3796266e47d4b323b8fc20593ee7)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-31 10:37:23 +00:00
Stefan Müller-Klieser
8673e91f2d recipes: change SRC_URI to use https
Change all recipes to https where we get an http 301 permanent redirect.

(From OE-Core rev: e514acda9e12bccde6d3974e0fd1a37b3837191a)

(From OE-Core rev: e62c39670241136df7f17e5784b3de7b64d8f5d0)

Signed-off-by: Stefan Müller-Klieser <s.mueller-klieser@phytec.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-16 23:08:52 +00:00
Adrian Bunk
8f8a76d319 python: Whitelist CVE-2017-17522 CVE-2017-18207 CVE-2015-5652
One Windows-only CVE that cannot be fixed, and two CVEs
where upstream agreement is that they are not vulnerabilities.

(From OE-Core rev: 56d5b181f3b119f2bbd310dedd6d3b26e76f5944)

(From OE-Core rev: 13024049625c1705108066b38396ac379aacce84)

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-16 23:08:52 +00:00
Peter Kjellerstedt
dcffd983ac opkg: Trim the text part used for the license file checksum
This avoids including irrelevant information when calculating the
license checksum.

License-Update: Trim the text part used for the license file checksum
(From OE-Core rev: c6bb87e1e9f0ee33e8778da06a64ba9c8755efcc)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-16 23:08:51 +00:00
Christopher Larson
a34a5fb3eb dosfstools: fix CP437 error from dosfsck -l
Fix this error seen when using dosfsck -l to list fs contents:

    CP437: Invalid argument

(From OE-Core rev: 8a5fdac3c2d207b2cfac64ec2a2626c3ef154d84)

(From OE-Core rev: a6bd358a27a9346ab364734ca22f35b30f4eb590)

Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-06 14:49:33 +00:00
Anuj Mittal
e9e96e6e61 nasm: fix CVE-2019-14248
See:
https://bugzilla.nasm.us/show_bug.cgi?id=3392576

(From OE-Core rev: 5ac52e78775759d2d06514ac2ae4c98e94190875)

(From OE-Core rev: f1cc582fe1db4d0d4e87316646a7065c4051c906)

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-06 14:49:33 +00:00
Hongxu Jia
198870249e go: fix CVE-2019-17596
2017d88dbc

(From OE-Core rev: 581de91fcf73675f638e7b739dd99291baf36f50)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-06 14:49:33 +00:00
Vinay Kumar
473cb322c9 gdb: Fix CVE-2019-1010180
Source: git://sourceware.org/git/binutils-gdb.git
Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=23657

Backported upstream commit 950b74950f6020eda38647f22e9077ac7f68ca49 to gdb-8.3.1 sources.

Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=950b74950f6020eda38647f22e9077ac7f68ca49]

(From OE-Core rev: 82a227e54e704ef9237c1613b9d3350fa26fe9dd)

(From OE-Core rev: 0a20e92a02b3ba1687792b3607c0e30a6247b42b)

Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-12-06 14:49:33 +00:00
Alexander Kanavin
a629b6ca52 python: update to 2.7.17
Drop backports, rebase a couple of patches.

This is the second last release of py 2.x; upstream support ends on
1 January 2020, there will be one final 2.x afterwards.

Note that the only thing that still needs python 2.x in oe-core is
u-boot; when the next u-boot update arrives, we should find out
where the py3 migration is for that component before merging the
update.

(From OE-Core rev: 184b60eb905bb75ecc7a0c29a175e624d8555fac)

(From OE-Core rev: d8cd909e7c073eb6365732e5c906f52933fe2e66)

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-25 21:37:40 +00:00
Richard Purdie
1c0a93e1be opkg-utils: Fix silent empty/broken opkg package creation
opkg-build was failing on hosts where tar < 1.28 and reproducible builds
were enabled but it was doing this silently and generating corrupted
(empty) ipk files. Add a fix for this (submitted upstream).

The fix requires bash but if you're building ipk files this shouldn't be
a problem.

(From OE-Core rev: 5d774331226f967a2d00c9594c4811ee378cd572)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-25 21:34:50 +00:00
Richard Purdie
26f62a423d opkg: Add upstream fixes for empty packages
An ipk with a zero size data.tar file caused opkg to crash with a
double free abort. Add the upstream fixes for this.

(From OE-Core rev: ea1ded0b47e85d039dfad2b59580817bfb335739)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-25 21:34:50 +00:00
Chen Qi
e97c2d769f python: fix CVE-2019-16935
(From OE-Core rev: 1a7593bcdaf8a8cf15259aee8a0e2686247f2987)

(From OE-Core rev: c0fcbf327288ef61e30fdbe27453875916ca32ba)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-19 00:24:22 +00:00
Trevor Gamblin
85e3e6dfd6 binutils: fix CVE-2019-17451
Backport upstream fix. No upstream release version of
binutils has it yet, so backport the fix independently.

(From OE-Core rev: 3693a0a8b9461521b95613a76b7fd79c86a3bf8f)

(From OE-Core rev: 8e2a1cdd7572d051cc23350bf8838a984dfbd2bc)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-19 00:24:22 +00:00
Trevor Gamblin
724eb2e369 binutils: fix CVE-2019-17450
Backport upstream fix. No upstream release version of
binutils has it yet, so backport the fix independently.

(From OE-Core rev: a4ead72b958ded4941f96741029f4955930ba758)

(From OE-Core rev: 8b33aeb4122be31b2aed29e40dcac01ea4643b63)

Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-19 00:24:22 +00:00
Richard Purdie
1fc208bd48 pseudo: Add statx support to fix fedora30 issues
Modern distros (e.g. fedora30) are starting to use the new statx() syscall through
the newly exposed glibc wrapper function in software like coreutils (e.g. the ls
command). Add support to intercept this to pseudo.

(From OE-Core rev: f47017ff7f1ae1731412524768af372791068689)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-13 22:02:16 +00:00
Ross Burton
006b110cdb patch: the CVE-2019-13638 fix also handles CVE-2018-20969
(From OE-Core rev: 41b1d53cea0302f1c3954c6ab048366c908cf754)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-13 22:02:16 +00:00
Ross Burton
90769125ee qemu-helper-native: pass compiler flags
Pass all of the compiler and linker flags so the build is correctly configured.

(From OE-Core rev: b5f8274d75cb61beaf7dab3420bda206e45697ae)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-13 22:02:16 +00:00
Ross Burton
c1fbd56f01 qemu-helper-native: showing help shouldn't be an error
Displaying a help message if help was requested isn't an error.

(From OE-Core rev: a1d9cfef7f247d616cd6ca482916ad0469e4fc58)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-11-13 22:02:16 +00:00