The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: 44e650f961888b75797da8ecc23654f672c5fae6)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
1.Upgrade ruby form 2.4.2 to 2.5.0.
2.Update the checksum of LIC_FILES_CHKSUM.
3.Delete ruby-CVE-2017-9224.patch, ruby-CVE-2017-9227.patch, ruby-CVE-2017-9229.patch, since it is integrated upstream.
4.Modify ruby-CVE-2017-9226.patch, since the data has been changed.
(From OE-Core rev: 67b9f407f7c40c63c7f9518b4ee3d4d1cc7c75ce)
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose
arbitrary memory during a JSON.generate call. The issues lies in using
strdup in ext/json/ext/generator/generator.c, which will stop after
encountering a '\0' byte, returning a pointer to a string of length zero,
which is not the length stored in space_len.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-14064
Upstream patch:
8f782fd8e1
(From OE-Core rev: 17dbfd967019f9b50a9f6aa3f48cd3658fcccc70)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2017-9226 : check too big code point value for single byte
CVE-2017-9227 : access to invalid address by reg->dmin value
CVE-2017-9228 : invalid state(CCS_VALUE) in parse_char_class()
CVE-2017-9229 : access to invalid address by reg->dmax value
(From OE-Core rev: f15f01edbaa431829a50053d07ed6d6b333584c7)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This adds or fixes the Upstream-Status for all remaining patches missing it
in OE-Core.
(From OE-Core rev: 563cab8e823c3fde8ae4785ceaf4d68a5d3e25df)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ruby is required to build webkit.
Use trim_version() to build the major release, and remove redundant S assignment
(RB).
(From OE-Core rev: 10fd3b41449d1af15ac9432bc1a7fe26c6f1dae1)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
