update minor version to 1.14.12
go1.14.8 includes security fixes to the net/http/cgi and net/http/fcgi packages.
go1.14.9 includes fixes to the compiler, linker, runtime, documentation, and the net/http and testing packages.
go1.14.10 includes fixes to the compiler, runtime, and the plugin and testing packages.
go1.14.11 includes fixes to the runtime, and the net/http and time packages.
go1.14.12 includes security fixes to the cmd/go and math/big packages.
Release notes:
https://golang.org/doc/devel/release.html#go1.14.minor
updates include fix for
CVE-2020-24553
CVE-2020-28362
CVE-2020-28366
CVE-2020-28367
Also backport patch to fix below CGO_LDFLAGS error
| Building std for target, linux/amd64.
| go build runtime/cgo: invalid flag in go:cgo_ldflag: -Wl,-O1
(From OE-Core rev: e216b2223cbe8c459348262f98b3cfbe79d12023)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When comparing builds built with different host umasks, this file jumped out.
The umask from do_compile was influencing ${D} and as cp was used to add the
file it wasn't deterministic. Fix the file mode to ensure determinism.
(From OE-Core rev: 071806feb195961e59069f778c9ae8f27a739d9a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 37f37f4a52de3711973b372160f23672b61ff6ad)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This issue describes expected behaviour, do not use tarfile with
untrusted data.
(From OE-Core rev: 267130c66dde462a0a1043ab5dffdb86781389a0)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f4c22e83f2e68ff157da5ea1303acc2931d63f5f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is issue on _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath.
Since it is .dll issue (on windows only), hence whitelist it.
https://bugs.python.org/issue29778
(From OE-Core rev: c216431d0704bd8be237e860bbdc32be34a82aee)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The ctypes module needs to use "ldconfig -p" to find the
library path and it simply has below logic if no ldconfig
installed.
except OSError:
pass
Before the patch:
>>> from ctypes.util import find_library
>>> lib_path = find_library('archive')
>>> print(lib_path)
None
After the patch:
>>> from ctypes.util import find_library
>>> lib_path = find_library('archive')
>>> print(lib_path)
libarchive.so.13
(From OE-Core rev: 84e1a32096db9deb98d282a652beec95dbfe80f1)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ddb96902a124a6e1f035f0fd868b0139989bc1bc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
powerpc 32bit Linux Kernel widely uses .stabs pseudo-op to
produce debugging information in stabs format. Faced an issue
that during Linux Kernel build with Yocto build system for 32bit
powerpc platform resulting vmlinux contains absolute path in
.stabstr section that cannot be remapped with -fdebug-prefix-map
option.
Yocto uses scripts/mkmakefile Linux Kernel build approach that
allows to store all generated files outside of kernel source
tree. With this approach each compilier invocation is performed
with an absolute path to a file that will be compiled and this
absolute path is recorded in init stab. There is no way to remap
this path.
Reuse remap_debug_filename api to make -fdebug-prefix-map flag
aplicable for init stab.
(From OE-Core rev: b90799fd0f38cd013bebadbe5b9c50b4f93e84af)
Signed-off-by: Denys Zagorui <dzagorui@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The diffstat tool is part of HOSTTOOLS. To support hosts that do not
have it installed with buildtools-tarball it must be enabled for
nativesdk.
(From OE-Core rev: 537847e60b2d0a04a1a15a857201be9f8c2aa9b4)
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0ed002422bc46539f1d71ed19ee17358b6691bf0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The license headers are clear that the code is "or later", fix LICENSE
to match.
(From OE-Core rev: f46aac0fb7c4f1777a19720b05cf0eb83f4dd988)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e565e0b908c71ad5106d1c6c73d269b819787e55)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The mkfs.vfat tool can also be provided by busybox via the CONFIG_MKFS_VFAT
configuration (not enabled by default in OE but can be enabled on
systems avoiding components based on GPLv3).
(From OE-Core rev: 4afa9f08123df819e53b5d9d586f7a34dcde1ef1)
Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1227a29974671fd52014deaca7ac859a037cdeb5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Version 3.5.0 is a security release
Reference:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
The primary purpose of the jquery recipe is to make the diffoscope
output from the autobuilder easier to navigate.
Master branch has been using 3.5.X for some time now so this should
be a safe upgrade.
(From OE-Core rev: 555cfcf53acf5e7ebe64874de33fa696670ce18c)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d0f883c4cbdcf722767b437a69002244be4cf8d9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace OE private qemu patch with one that got upstreamed
and solves the same problem: increase qemumips CI performance
by increasing number of TLBs in CPU model and reduce need to
run software TLB refill code.
(From OE-Core rev: 89e6fc44a378cb3489376d7193672cdf94c504b6)
Signed-off-by: Victor Kamensky <kamensky@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a99dace7463d310688f4098a51316dc0743651e2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When testing pseudo changes I realised these recipes have packaging tasks
but don't generate packages. Drop the packages tasks for cleanliness.
(From OE-Core rev: 275d504b2f979901278141a4ba217d02a099f980)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ef9c11797b5d626bdb40b4509d8b2b0d461ff9ea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
patche added in commit c271090385
failed ptest perl.t/re/pat. The patch updates incorrect test cases
count causes the ptest to fail.
864 test cases before apply the patch while the patch added only 4
test cases so it should be 868 instead of 873.
ptest-runner log :-
PASS: t/re/overload
# Looks like you planned 873 tests but ran 868.
FAIL: t/re/pat
PASS: t/re/pat_advanced
[YOCTO #14071]
(From OE-Core rev: 552739383321bd9b4780bd0026d6107ece530522)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com<mailto:chee.yang.lee@intel.com>>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is used by some of the results handling code and needed as part of
buildtools tarball on various autobuilder worker for testing.
ptest is disabled for OE-Core, at least for now since it depends on
python3-pytest which in turn has may other dependencies.
Acked-by: Tim Orling <ticotimo@gmail.com>
(From OE-Core rev: cc0f56a788c33ad3fd2bb5402dee497234fb06bb)
Signed-off-by: Tim Orling <ticotimo@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b5156e95e9e80e3e0f7eea181cd12f85e03a111d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Needed as a dependency of python3-jinja2. ptest is disabled for OE-Core, at
least for now since it depends on python3-pytest which in turn has may other
dependencies.
Acked-by: Tim Orling <ticotimo@gmail.com>
(From OE-Core rev: ec222f6af5f8629453ac8e71a1dd6c44ec9a88c8)
Signed-off-by: Tim Orling <ticotimo@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a6f2727fd309b8b46a7ac1b8d99ae1d77a6ee74c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is specific to the npm package that can install cmake, so isn't
relevant to our cmake recipe.
(From OE-Core rev: ad11e4a9afea5a4c9dd34a7fa37b82efd61952a4)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8e74ed809ec4c1f61264ecf5be4bc319e5e07766)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Depending on nativesdk- varients in a nativesdk build isn't correct, so
just collapse the DEPENDS down and let bitbake do the right thing (which
is leaving them as -native).
(From OE-Core rev: 32902a2763a7557d52bf27f3717b8f9b27275284)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4864167ad4ed4c57e49f2aa5e7c58383bddb052b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes security Fixes for CVE-2020-14039 and CVE-2020-15586
(cherry picked from commit 97d5c2d1f2dffe2518f46bbe57cb9348eb59c633)
(cherry picked from commit 6591d269792fe864d7af4e379035f1cebc4510f5)
(cherry picked from commit c9011d04eb624aeabf5d707e88de80137bcc2eb1)
(From OE-Core rev: e33d2ddaa6c8945227a5bbf4e96d63606d0fab38)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We do not have explicit patch to mark it and cve checker gets confused,
so help it out
(From OE-Core rev: 17c654c34d59b1491f41fc328222697f407c23b1)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For now, the nativesdk-rpm's %_var in /usr/lib/rpm/macros is
'/var'. This is causing error when running `rpm -qplv A.rpm'.
error: cannot open Packages index using db5 - Permission denied (13)
error: cannot open Packages database in /var/lib/rpm
The rpm in SDK should be using its own database. So we should remove
this configure option, letting the SDK's native sysroot prefix to be
there in %_var. In fact, '%_usr' in macros has already got the prefix.
After this change, we have in the macros file lines like below.
"""
%_usr /opt/windriver/wrlinux/20.29/sysroots/x86_64-wrlinuxsdk-linux/usr
%_usrsrc %{_usr}/src
%_var /opt/windriver/wrlinux/20.29/sysroots/x86_64-wrlinuxsdk-linux/var
"""
(From OE-Core rev: 4e0d1bdc6e896c7dedccf615d6d0da9eb91d9b1d)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13e17930062cb3f816516ba7dbeb70d6da7174dd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
cgo is still not available in go for riscv64, we will re-evaluate it
once we upgrade to 1.15
Fixes
| /usr/src/debug/go-runtime/1.14.4-r0/go/src/runtime/cgo/gcc_util.c:23: undefined reference to `_cgo_sys_thread_start'
[YOCTO #13966]
(From OE-Core rev: 987d29d0b0dfa19ef6564996198f22c2b08f6ff9)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f512b3308ed6ee878c77f72b9235ada83d107dba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For SDK environments where people still use subversion, let it easily being
added to buildtools-tarball to invite more developers relying on Yocto
based SDKs without much requirement to setup anything on the development
workplace.
(From OE-Core rev: 795781db8a82c9268fcabc93dd54cb6b07cbe9c8)
Signed-off-by: Jens Rehsack <sno@netbsd.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 586a15b76f879f49c5224116cbf506b7ccf96cd2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fix these CVE:
CVE-2020-10702
CVE-2020-10761
CVE-2020-13362
CVE-2020-13659
CVE-2020-13800
(From OE-Core rev: 98c4642c526259fc664723145a1d6026b491032d)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add the missing rdepends to fix below error:
# python3
[snip]
>>> import libarchive
[snip]
ModuleNotFoundError: No module named 'ctypes'
ModuleNotFoundError: No module named 'mmap'
(From OE-Core rev: 347e6fafea8bd9c715d87882159fc2d4bbde0cc7)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b3a2615878bc7515a7bdace525dc27be45f158e2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
On a tumbleweed system, "install X Y" was showing the error:
pseudo: ENOSYS for 'fsetxattr'.
which was being caused by dlsym() for that function returning NULL. This
appears to be due to it finding an unresolved symbol in libacl for this
symbol in libattr. It hasn't been resolved so its NULL. dlerror() returns
nothing since this is a valid symbol entry, its just not the one we want.
We can add the glibc version string for the symbol we actually want so we get
that version rather than the libattr/libacl one. The calls in libattr are just
wrappers around the libc version so our attaching to the libc versions should
intercept any accesses via these too.
[YOCTO #13952]
(From OE-Core rev: 60ae9e6d31dcfc06961fedf7622a204162d3f464)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 82655cb26ad01de9587ef41eaef155c61c361f67)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dep utility must not use 'go mod' support, so we explicitly disable it.
(From OE-Core rev: e953be6c159bfed4ac69f30fa2562d217d25c254)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b34000ae3dd6e0a1d7fc332efb35c5da84cf2275)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Glide utility must not use 'go mod' support, so we explicitly disable
it.
(From OE-Core rev: 229ee71cbc9db1dd24f14dabea7d9236b3819421)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b5a4369ba606677285b0a89a78c040b38f57767f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We were seeing a ton of empty perl modules being created such as
"perl-module-x86-64-linux-encoding" where the name would include
${TARGET_ARCH}-linux. These files were already being filtered in an
earlier do_split_packages() expression so exclude them from the latter
one to remove the pointless empty modules in PACKAGES.
This doesn't explain why some were not deterministic but will recude
the do_package execution time and clean up the build directories
at the very least.
(From OE-Core rev: 5aaf9d3a748cbad17a4a3e5d9715ac2f289b007d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f1a959d9831f43dda656e3b0c4d059db3363877)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
