CVE-2022-48303.patch
removed since it's included in 1.35
License-Update: http changed to https
Changelog:
===========
* Fail when building GNU tar, if the platform supports 64-bit time_t
but the build uses only 32-bit time_t.
* Leave the devmajor and devminor fields empty (rather than zero) for
non-special files, as this is more compatible with traditional tar.
* Bug fixes
** Fix interaction of --update with --wildcards.
** When extracting archives into an empty directory, do not create
hard links to files outside that directory.
** Handle partial reads from regular files.
** Warn "file changed as we read it" less often.
** Fix --ignore-failed-read to ignore file-changed read errors
** Fix --remove-files to not remove a file that changed while we read it.
** Fix --atime-preserve=replace to not fail if there was no need to replace,
either because we did not read the file, or the atime did not change.
** Fix race when creating a parent directory while another process is
also doing so.
** Fix handling of prefix keywords not followed by "." in pax headers.
** Fix handling of out-of-range sparse entries in pax headers.
** Fix handling of --transform='s/s/@/2'.
** Fix treatment of options ending in / in files-from list.
** Fix crash on 'tar --checkpoint-action exec=\"'.
** Fix low-memory crash when reading incremental dumps.
** Fix --exclude-vcs-ignores memory allocation misuse.
(From OE-Core rev: 4910b1e46a67dcdc3f7ebbab648a2b365c1910da)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c63769de05ce08c0627d302d14316ced31816b4d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recently a number of CVEs have been logged against a nodejs project
called "node-tar". These appear as false positives against the GNU tar
being built by Yocto. Some of these have been manually excluded using
CVE_CHECK_WHITELIST.
To avoid this problem, use the vendor name (in addition to package name)
for filtering CVEs. The syntax for this is:
CVE_PRODUCT = "vendor:package"
When not specified, the vendor defaults to "%" which matches anything.
(From OE-Core rev: 45d1a0bea0c628f84a00d641a4d323491988106f)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These three CVEs are specific to the Node package node-tar.
exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713
(From OE-Core rev: 9f9317a02d73c1e5aea026683a037e52c996c7bb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These two CVEs are specific to the Node package node-tar.
(From OE-Core rev: bc7216e8148d0dee7b56e6851da6615e93647a0a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop musl fix as upstream fixed the issue.
(From OE-Core rev: 9ac95af964876752e7dae819f5b678ae4b510064)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rsh is insecure and obsolete but tar will enable support if the binary is
on the host system. Some systems point it at ssh. Lets explictly disable it
for now unless someone actually needs/uses this at which point it could
become a packageconfig.
(From OE-Core rev: d14a4b0db92a9a7d1ff72a2e0faca7f1a23a0b68)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When the original problem was fixed in gnulib the
patches were rebased on top of the upstream fix...
(From OE-Core rev: d93ad85d94ea99e3fad7e4c2f6be999088e2f9f9)
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The rmt in cpio-native and tar-native is clashing, since
tar-native has set var-NATIVE_PACKAGE_PATH_SUFFIX, we move rmt
to sbindir, and add suffix NATIVE_PACKAGE_PATH_SUFFIX to sbindir
could avoid the clashing.
And in Ubuntu, rmt is in sbindir
$ which rmt
/usr/sbin/rmt
(From OE-Core rev: e9ac5ac2f4d135734f549d17cce3ebc52132b7d0)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove the musl specific do_install, as it's not suitable for this
version.
(From OE-Core rev: 348a96a5b4016a7615f8d22c03ec1ced60367c3b)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There's only one user of tar.inc (meta-gplv2 has its own copy), so
merge the .inc file into the tar recipe.
(From OE-Core rev: cce7b627f9046c15dde49c001481003cee33fc9c)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1.Upgrade tar from 1.29 to 1.30.
2.Modify musl_dirent.patch, since the data has been changed.
3.Delete CVE-2016-6321.patch, since it is integrated upstream.
(From OE-Core rev: 9dc417ef8f94b51140fe2befcd492f6ea9726a4a)
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These are recipes where the upstream has moved to GPLv3 and these old
versions are the last ones under the GPLv2 license.
There are several reasons for making this move. There is a different
quality of service with these recipes in that they don't get security
fixes and upstream no longer care about them, in fact they're actively
hostile against people using old versions. The recipes tend to need a
different kind of maintenance to work with changes in the wider ecosystem
and there needs to be isolation between changes made in the v3 versions
and those in the v2 versions.
There are probably better ways to handle a "non-GPLv3" system but right
now having these in OE-Core makes them look like a first class citizen
when I believe they have potential for a variety of undesireable issues.
Moving them into a separate layer makes their different needs clearer, it
also makes it clear how many of these there are. Some are probably not
needed (e.g. mc), I also wonder whether some are useful (e.g. gmp)
since most things that use them are GPLv3 only already. Someone could
now more clearly see how to streamline the list of recipes here.
I'm proposing we mmove to this separate layer for 2.3 with its future
maintinership and testing to be determined in 2.4 and beyond.
(From OE-Core rev: 19b7e950346fb1dde6505c45236eba6cd9b33b4b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It only considered linux-gnu hosts when cross compiling
here we add linux-musl to the mix as well
Fixes errors e.g.
1.28-r0/tar-1.28/src/tar.c:1351:5: error: 'SAVEDIR_SORT_INODE'
undeclared here (not in a function)
| SAVEDIR_SORT_INODE
| ^
(From OE-Core rev: c17d9a8d7f89b8e855f87d61583075129e4aa72c)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The currnet patches in OE-core doesn't have the "CVE:"
tag, now part of the policy of the patches.
This is patch add this tag to several patches. There might
be patches that I miss; the tag can be added in the future.
(From OE-Core rev: 065ebeb3e15311d0d45385e15bf557b1c95b1669)
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Don't try to move binaries onto themselves if ${bindir} and
${base_bindir} are the same, as is the case on systems with a
merged /usr directory.
(From OE-Core rev: 2c7149633731272df5323dd0bd5165a67b0eb2f4)
Signed-off-by: Dominic Sacré <dominic.sacre@gmx.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Building tar-replacement-native as replacement of the host's tar in
the standard path was meant to be done manually by a user in
preparation for the regular bitbake run. Such a usage has been
superseeded by installing the pre-compiled buildutils and might have
been broken on hosts which need it by the sanity check for tar >=
1.26.
Therefore tar-replacement-native_1.28.bb can be removed in favor of
adapting the normal tar recipe such that it installs an opt-in binary
under a different path.
The special do_install logic is explicitly limited to class-target,
instead of making it the default and disabling it (which would be the
case for class-native and class-nativesdk).
(From OE-Core rev: e6fee3ddb5600fc564243a96d6232b4ae097df32)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dpkg-deb accesses tar via "gtar", add a symlink to ensure that nativesdk
for example correctly catches these accesses to tar (for buildtools-tarball).
This likely also fixes on target dpkg-deb usage.
[YOCTO #7988]
(From OE-Core rev: 18ccd233810869c84af28783a9fa1906c1b30232)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There would be an error when the TMPDIR is long/deep, for example when
len(TMPDIR) = 410 while our supported longest value is 410:
aclocal: error: cannot open xxx
autoreconf: aclocal failed with exit status: 1
ERROR: autoreconf execution failed.
Let aclocal use the relative path for the m4 file rather than the
absolute would fix the problem.
[YOCTO #6138]
(From OE-Core rev: 747333764231d0320bdefbcf192b2589e70c58a1)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
WARNING: QA Issue: tar: configure was passed unrecognised options: --without-posix-acls [unknown-configure-option]
tar 1.17 doesn't support --without-posix-acls, move it from tar.inc to
tar_1.28.bb to fix the problem.
(From OE-Core rev: faf469f9b5fbf794311d83db26cdf7f1042785c0)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The class itself currently does nothing. The idea is to mark all recipes that
make use of the texinfo utilities. In the future, this class could be used to
suppress the generation/formatting of documentation for performance,
explicitly track dependencies on these utilities, and eliminate Yocto's
current dependency on the host system's texinfo utilities.
(From OE-Core rev: e6fb2f9afe2ba6b676c46d1eb297ca9cc532d405)
Signed-off-by: Max Eliaser <max.eliaser@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Previously, it still was checked when there was no sys/acl.h in sysroots directory.
Add knob to decide whether acl.h are checked or not.
Fixed by using PACKAGECONFIG to check acl, with default disabled set.
(From OE-Core rev: ab0bbeeb0b0f6c3c5c7298929cfee757d7bbb111)
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This removed patch is a workaround for gcc-4.5 manifests buffer
overflow with app-arch/tar-1.{22,23}, according to the information
from https://bugs.gentoo.org/show_bug.cgi?id=317139.
The problem with that patch is that it's only setting the magic
field of the header while the original statement sets both the magic
and the version field of the header. Because of this, all tar balls
created by the tar package in OE will be treated as old V7 format
tar balls.
As a negative effect of this behaviour, the tar package in OE cannot
handle device files correctly. This in turn leads to the udev cache
failure in images like core-image-lsb-sdk.
[YOCTO #4815]
(From OE-Core rev: 32210f73c7e9f24951306f462b25e66e1d11a6b8)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We move tar into /bin for target but it can stay in /usr/bin for nativesdk
this will also mean the paths are correct for the buildtools-tarball environment
(From OE-Core rev: b4f208f418d18f2a4e78a56bebacef481061d917)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We need to be able to generate a standalone tarball containing tar/git so
add nativesdk versions of the appropriate recipes to allow this to be possible.
Tweak the git perl paths to avoid warnings when building the nativesdk version,
ensure the binaries are wrapped correctly and avoid update-alternatives in
nativesdk-tar.
(From OE-Core rev: c91bb8c76e3bd45690e66f3de79cd3adfe45f600)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
After the recent change of the libexecdir definition, the update-alternatives
for the libexec rmt broke. Fix this by moving rmt from libexec to /sbin. Also
split the rmt app from tar as it's likely not useful to many users.
(From OE-Core rev: cc5879ce75713506e76481f36d6e45dc3b31948c)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
automake 1.12.x automatically deletes empty directories, so
the additional rmdir from the do_install_append fails.
cleanup the do_install_append for automake 1.12.x
Avoid this error:
| rmdir: failed to remove `/srv/home/nitin/builds/build-gcc47/tmp/work/i586-poky-linux/tar-1.26-r1/image/usr/sbin/': No such file or directory
NOTE: package tar-1.26-r1: task do_install: Failed
no PR bump as no change in the output.
(From OE-Core rev: c3c103abb533cc9aae178d41b1bd216165f3bc9a)
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
WARNING: For recipe tar, the following files/directories were installed but not shipped in any package:
WARNING: /usr/sbin
WARNING: /usr/bin
(From OE-Core rev: bc63db7bc7dda759ee95ccef37f2ceb257c83777)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As discussed on the mailing list, this variable isn't useful and if wanted
would be better implemented by distros using pn-X overrides.
This patch executes:
find . -regex ".*\.\(bb\|inc\)$" | xargs sed -i '/^PRIORITY = ".*"$/d'
against the tree removing the referenced. Thanks to Phil Blundell for
the command.
(From OE-Core rev: d122343362669c683acc4af295971a62cbc823fc)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
grep-2.5.1a: update upstream status of patches
tar-1.17: update upstream-status of patches
at-3.1.12: update upstream-status for patches
cpio-2.8: update upstream-status for patches
(From OE-Core rev: fbc0fdbbb759b37d97de6f28daf04055531fbe0b)
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
tar < 1.24 has symlink issues where extracting a tar archive containing a symlink
to a directory where that symlink already exists will cause the symlink to be
dereferenced. If that target doesn't exist tar can fail with a permissions error.
Since we need to be able to do this for packages containing symlinks like
xorg-minimal-fonts and eglibc, we have to ensure a tar 1.25 is available early
in the build process.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
