Sometimes you do not want certain packages to be installed when
installing complementary packages, e.g. when using dev-pkgs in
IMAGE_FEATURES you may not want to install all packages from a
particular multilib. This introduces a new PACKAGE_EXCLUDE_COMPLEMENTARY
variable to allow specifying regexes to match packages to exclude.
(From OE-Core master rev: d4fe8f639d87d5ff35e50d07d41d0c1e9f12c4e3)
(From OE-Core rev: 5e92eb11cdf1dd06a3e2ca015f1aebaace321acd)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Brendan Le Foll <brendan.le.foll@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The newer btrfs-utils needs an empty file to build the filesystem in, so
create an empty file and use it for the mkfs to build the fs in.
[YOCTO #6804]
(From OE-Core rev: afc44fad44261677c799558ffd35f4908556bce0)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* until now all recipes were respecting VIRTUAL-RUNTIME_initscripts
variable but commit bba835fed88c3bd5bb5bd58962034aef57c408d8
hardcoded "initscripts" runtime dependency
(From OE-Core rev: 1cda75706d63c988a0fa9945bd320b71c8e8488a)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Using the export LD in the recipe does not allow for secodnary toolchain
overriding LD later, by setting it in the do_configure_append the export
is used by autotools setting LD based on the env, but would allow for
override later.
[YOCTO #6997]
(From OE-Core rev: 9b37e630f5f6e37e928f825c4f67481cf58c98a1)
(From OE-Core rev: b38f33c96b31c807306dd8b2d7b25cf8fad21026)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-connectivity/openssh/openssh_6.5p1.bb
resolvconf was missing a script and needed readlink which was in
/usr/bin. Also the /etc/resolv.conf was not being correctly linked
to /etc/resolvconf/run/resolv.conf, which is fixed by the volaties
change which is now a file as opposed to created in do_install.
Ensure that the correct scripts for ifup/ifdown get installed and that
resolvconf is correctly enabled at startup
[YOCTO #5361]
(From OE-Core rev: 853e8d2c7aff6dddc1d555af22f54c4ecef13df1)
(From OE-Core rev: cb3c7cfe00e96580db5aedc7f7c0970378ab3c6e)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-connectivity/resolvconf/resolvconf_1.74.bb
Bumping the meta SRCREV for the following fix:
[
The default watchdog behaviour is to stop the timer if the process
managing it closes the file /dev/watchdog. The system would not reboot
if watchdog daemon crashes due to a bug in it or get killed by other
malicious code. So we prefer to enable nowayout option for the
watchdong. With this enabled, there is no way of disabling the watchdog
once it has been started. This option is also enabled in the predecessor
of this BSP (beagleboard)
]
[YOCTO: 3937]
(From OE-Core rev: 7006412c285a4a6c75d5349f60dc71b0b735ff90)
(From OE-Core rev: f34de2175f1d6a443f219b8ceaaf796cfbc6efd5)
Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport commit 69a3ab3 to 'daisy' which uses a different version of
file package.
Author of the original patch: Hongxu Jia <hongxu.jia@windriver.com>
(From OE-Core rev: 4bd4da1e1433ae64720f59d48188ecd1960dac28)
Signed-off-by: Javier Viguera <javier.viguera@digi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libarchive's configure script looks for ext2fs/ext2_fs.h in order to use
some defines for file attributes support if present (but doesn't link to
any additional libraries.) There is no configure option to disable this,
and if e2fsprogs is rebuilding between do_configure and do_compile you
can currently get a failure. Because it doesn't need anything else from
e2fsprogs, and e2fsprogs isn't currently buildable for nativesdk anyway,
copy the headers in from e2fsprogs-native which we're likely to have
built already (and add it to DEPENDS just to be sure we have.)
Fixes [YOCTO #6268].
(From OE-Core master rev: ad754e46ad477acfbe7543187a5c38bc333b8612)
(From OE-Core rev: 7504c2e715d675775e166a52ae83cf48504add19)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If DISTRO_FEATURES contains "largefile", force the size of off_t to 8 as
a workaround for having ac_cv_sizeof_off_t=4 on 32-bit systems. In
future we will likely drop the value from the site file, but for now
this is a slightly safer fix.
Fixes [YOCTO #6813].
(From OE-Core master rev: a8216030ee6c65531de8fbf3eed878a345a94edc)
(From OE-Core rev: 94483eff5d0858ef1b5a8850268aa6a7bc6e6463)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Tell systemd just to kill the sshd process when the ssh connection drops
instead of the entire cgroup for sshd, so that any screen sessions (and
more to the point, processes within them) do not get killed.
(This is what the Fedora sshd service file does, and what we're already
doing in the dropbear service file).
(From OE-Core master rev: 3c238dff41fbd3687457989c7b17d22b2cc844be)
(From OE-Core rev: 6e6aeb7cca52b92a0c8013473e2b8bb18738a119)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus
making them apply broader than cookies are allowed. This can allow arbitrary
sites to set cookies that then would get sent to a different and unrelated site
or domain.
(From OE-Core rev: ddbaade8afbc9767583728bfdc220639203d6853)
(From OE-Core rev: 13bb2ee98cfd159455e459501dda280a78cb5a3b)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By not detecting and rejecting domain names for partial literal IP addresses
properly when parsing received HTTP cookies, libcurl can be fooled to both
sending cookies to wrong sites and into allowing arbitrary sites to set cookies
for others.
(From OE-Core rev: 985ef933208da1dd1f17645613ce08e6ad27e2c1)
(From OE-Core rev: dbbda31ca0a29c930f3078635ae7c5a41d933b58)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-support/curl/curl_7.35.0.bb
This uprevs pseudo to 1.6. This merges in all of the existing
fixes, and also adds partial support for extended attributes,
including storing arbitrary extended attributes in the database,
and also interpreting the posix permissions ACLs as chmod
requests.
The extended attribute support means we need xattr.h, the simplest
way to be sure of this is to build attr before pseudo, which doesn't
take long.
(From OE-Core rev: 606793e7b5c129654f317e5bec9ed7f083d3383d)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
pseudo 1.6.2 fixes problems with 64-bit inodes and some underlying issues
involving file renames that could occasionally cause very strange behaviors
files being deleted, linked, or renamed, mostly observed as strange
recovery if an inode got reused.
(From OE-Core rev: b2c6a032d6e5deb07e76ed75fcd0931fad6a748c)
(From OE-Core rev: c2e56d7da8c7df330869babac198678b33eb3802)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-devtools/pseudo/pseudo_1.6.2.bb
meta/recipes-devtools/pseudo/pseudo_git.bb
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x
and possibly other products, allows local users to obtain private RSA
keys via a cache side-channel attack involving the L3 cache, aka
Flush+Reload.
Patch from commit e2202ff2b704623efc6277fb5256e4e15bac5676 in
git://git.gnupg.org/libgcrypt.git
(From OE-Core rev: 0692743b51f7daa0154fd4d8982236b4702ea2da)
Signed-off-by: Yong Zhang <yong.zhang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This address the latest set of CVE issues
(From OE-Core rev: 461e598815f8749bb26e97369e3b877f7ce749cf)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The field_end function in libavcodec/h264.c in FFmpeg before 1.1.2
allows remote attackers to have an unspecified impact via crafted H.264
data, related to an SPS and slice mismatch and an out-of-bounds array
access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0869
(From OE-Core rev: 9d0fe8f47e360ad09d4a20144da96576dd4bf82f)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Conflicts:
meta/recipes-multimedia/gstreamer/gst-ffmpeg_0.10.13.bb
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
lttng-modules breaks when building with kernel 3.10.43.
This updates lttng-modules for 2.4.2 and it will also
fixes the build failure with kernel 3.10.43.
Fixes for [YOCTO #6788]
(From OE-Core rev: 29ef1c738050e536d7824bdca6f7a0b8b1528011)
Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
(From OE-Core rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0,
5.14.0, and other versions, when running with debugging enabled,
allows context-dependent attackers to cause a denial of service
(assertion failure and application exit) via crafted input that
is not properly handled when using certain regular expressions,
as demonstrated by causing SpamAssassin and OCSInventory to
crash.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4777
(From OE-Core rev: 368df9f13ddf124e6aaaec06c02ab698c9e0b6c3)
(From OE-Core rev: 73aff6efb3374427234a3615ffca07874f22f3fa)
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
v2 changes:
* update format for commit log
* add Upstream-Status for patch
Multiple directory traversal vulnerabilities in pam_timestamp.c in the
pam_timestamp module for Linux-PAM (aka pam) 1.1.8 allow local users to
create aribitrary files or possibly bypass authentication via a .. (dot
dot) in the (1) PAM_RUSER value to the get_ruser function or (2) PAM_TTY
value to the check_tty funtion, which is used by the
format_timestamp_name function.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2583
(From OE-Core rev: 69255c84ebd99629da8174e1e73fd8c715e49b52)
(From OE-Core rev: 8b9164029153fa06520bd5b6349245c2ac1f605f)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
v2 changes:
* update format for commit log
* add Upstream-Status for patch
ppm2tiff does not check the return value of the TIFFScanlineSize
function, which allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a crafted PPM image that
triggers an integer overflow, a zero-memory allocation, and a heap-based
buffer overflow.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4564
(From OE-Core rev: 9f02922d44de483ef4d02ce95b55efe79a8b09a2)
(From OE-Core rev: ff60c490c4fdb9f89d2b8e8fe7f2e7c4f2ff631f)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
v2 changes:
* update format for commit log
* add Upstream-Status for patch
commit a12eb58959d0a10584a428f4a3103a49204c410f upstream
Dpkg::Source::Patch: Outright reject C-style filenames in patches
Because patch only started recognizing C-style filenames in diffs
in version 2.7, it's not safe to assume one behaviour or the other,
as the system might or might not have a recent enough version, or
a GNU patch program at all. There's also no reason we should be
supporting this kind of strange encoded filenames in patches, when
we have not done so up to now.
Let's just ban these types of diffs and be done with it.
Fixes: CVE-2014-0471, CVE-2014-3127
Closes: #746306
[drop the text for debian/changelog,because it's not suitable
for the veriosn]
(From OE-Core rev: 2c3838443eacd3a86ea8917ea53a20248e7bdf03)
(From OE-Core rev: 14273b42542151357e3299736f2b730ca3257fc0)
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
v2 changes:
* update format for commit log
* add Upstream-Status for patch
commit a82651188476841d190c58693f95827d61959b51 upstream
Dkpkg::Source::Patch: Correctly parse C-style diff filenames
We need to strip the surrounding quotes, and unescape any escape
sequence, so that we check the same files that the patch program will
be using, otherwise a malicious package could overpass those checks,
and perform directory traversal attacks on source package unpacking.
Fixes: CVE-2014-0471
Reported-by: Jakub Wilk <jwilk@debian.org>
[drop the text for debian/changelog,because it's not suitable
for the veriosn]
(From OE-Core rev: 81880b34a8261e824c5acafaa4cb321908e554a0)
(From OE-Core rev: c75316fc256d229cfad45cd57328920993d93d8d)
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Security Advisory - ffmpeg - CVE-2013-0866
The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large number of channels in an AAC file, which
triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0866
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875
The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in
FFmpeg before 1.1.3 allows remote attackers to have an unspecified
impact via a crafted PNG image, related to an out-of-bounds array
access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0875
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860
The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg
before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a
frame is fully initialized, which allows remote attackers to trigger a
NULL pointer dereference via crafted picture data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0860
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934
Double free vulnerability in the vp3_update_thread_context function in
libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have
an unspecified impact via crafted vp3 data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3934
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946
The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg
before 0.10 allows remote attackers to have an unspecified impact via
crafted Supplemental enhancement information (SEI) data, which triggers
an infinite loop.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023
The ff_combine_frame function in libavcodec/parser.c in FFmpeg before
2.1 does not properly handle certain memory-allocation errors, which
allows remote attackers to cause a denial of service (out-of-bounds
array access) or possibly have unspecified other impact via crafted
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7023
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009
The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before
2.1 does not properly maintain a pointer to pixel data, which allows
remote attackers to cause a denial of service (out-of-bounds array
access) or possibly have unspecified other impact via crafted Apple RPZA
data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
Integer overflow in the alac_decode_close function in libavcodec/alac.c
in FFmpeg before 1.1 allows remote attackers to have an unspecified
impact via a large number of samples per frame in Apple Lossless Audio
Codec (ALAC) data, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0855
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351
Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before
0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute
arbitrary code via unspecified vectors.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4351
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848
The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via a crafted
width in huffyuv data with the predictor set to median and the
colorspace set to YUV422P, which triggers an out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0848
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944
The smacker_decode_header_tree function in libavcodec/smacker.c in
FFmpeg before 0.10 allows remote attackers to have an unspecified impact
via crafted Smacker data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3944
file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010
Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg
before 2.1 allow remote attackers to cause a denial of service
(out-of-bounds array access) or possibly have unspecified other impact
via crafted data.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7010
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941
The decode_mb function in libavcodec/error_resilience.c in FFmpeg before
0.10 allows remote attackers to have an unspecified impact via vectors
related to an uninitialized block index, which triggers an out-of-bound
write.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3941
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846
Array index error in the qdm2_decode_super_block function in
libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have
an unspecified impact via crafted QDM2 data, which triggers an
out-of-bounds array access.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0846
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618
The av_probe_input_buffer function in libavformat/utils.c in FFmpeg
before 1.0.2, when running with certain -probesize values, allows remote
attackers to cause a denial of service (crash) via a crafted MP3 file,
possibly related to frame size or lack of sufficient frames to estimate
rate.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6618
gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617
The prepare_sdp_description function in ffserver.c in FFmpeg before
1.0.2 allows remote attackers to cause a denial of service (crash) via
vectors related to the rtp format.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6617
(From OE-Core rev: 58f08a96764094189b5aaf3cc8b4cc0c95e23409)
(From OE-Core rev: 9b3a2d0716540dae72376a8c2e418b244a85c0cb)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote
attackers to execute arbitrary code or cause a denial of service
(out-of-bounds write) via vectors involving the sprintf and console
functions.Per: http://cwe.mitre.org/data/definitions/787.html
(From OE-Core rev: 191cab2f679491c2b6ddba49c5cf4886dcd22f57)
(From OE-Core rev: bebfeb6d4deac18601edda8dcac0f32c3382cb06)
Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module
in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of
service (assertion failure and abort) via an empty UDP packet.
Fix it by picking a patch from pulseaudio upstream code.
(From OE-Core rev: f9d7407e54f1fa3d3a316a5bbb8b80665e6f03fd)
(From OE-Core rev: cf008bce23e897d1c3a51805af839af9241271df)
Signed-off-by: Shan Hai <shan.hai@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integrate community fix for the issue CVE-2013-1961
and migrated to version 4.0.3.
Stack-based buffer overflow in the t2p_write_pdf_page function
in tiff2pdf in libtiff before 4.0.3 allows remote attackers to
cause a denial of service (application crash) via a crafted
image length and resolution in a TIFF image file.
(From OE-Core rev: f24e3456c60951d2985d7c23bdcc1f8c15d6c167)
(From OE-Core rev: 9b8ca9d9b0b12dff8a3908da00020d253685958f)
Signed-off-by: Priyanka Shobhan <priyanka_shobhan@mentor.com>
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
Signed-off-by: Muzaffar Mahmood <muzaffar_mahmood@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When use default install directory, we can't get the environment setup
script path. The reason is that opkg-cl list incorrect files paths.
This patch sets env_script variable to make us get correct environment
setup script path.
[YOCTO #6443]
(From OE-Core rev: b0ac1ea1f7eaca92b613f874ee2cbf6830743a71)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
