The kernel mounts /proc and /sys with the mode 555. Fedora explicitly
sets this value in its filesystem setup package. Debian doesn't seem
to set it explictly. Having them be 755 causes permission issues on
upgrades inside a container where the guest does not have the
permission to change the modes of the mount points.
So, just bite the bullet and force them to be 555.
(From OE-Core rev: 7e311b0c7222fa9127a96945c9ded7bee5e40eb3)
(From OE-Core rev: 26d5ceb33425fa85bc84b825609e1b45b13d3ddd)
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Even on multilib systems, /usr/lib is where systemd expects the
os-release file to live.
(From OE-Core rev: b7b476efee8c959a0227905e40bd9b5ef493632d)
(From OE-Core rev: 0362788144c3eff36099d8812c85cc70e8736859)
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Briefly:
Volgograd moves from +03 to +04 on 2018-10-28.
Fiji ends DST 2019-01-13, not 2019-01-20.
Most of Chile changes DST dates, effective 2019-04-06.
Changes to future timestamps
Volgograd moves from +03 to +04 on 2018-10-28 at 02:00.
(Thanks to Alexander Fetisov and Stepan Golosunov.)
Fiji ends DST 2019-01-13 instead of the 2019-01-20 previously
predicted. (Thanks to Raymond Kumar.) Adjust future predictions
accordingly.
Most of Chile will end DST on the first Saturday in April at 24:00 mainland
time, and resume DST on the first Saturday in September at 24:00 mainland
time. The changes are effective from 2019-04-06, and do not affect the
Magallanes region modeled by America/Punta_Arenas. (Thanks to Juan Correa
and Tim Parenti.) Adjust future predictions accordingly.
Changes to past timestamps
The 2018-05-05 North Korea 30-minute time zone change took place
at 23:30 the previous day, not at 00:00 that day.
China's 1988 spring-forward transition was on April 17, not
April 10. Its DST transitions in 1986/91 were at 02:00, not 00:00.
(Thanks to P Chan.)
Fix several issues for Macau before 1992. Macau's pre-1904 LMT
was off by 10 s. Macau switched to +08 in 1904 not 1912, and
temporarily switched to +09/+10 during World War II. Macau
observed DST in 1942/79, not 1961/80, and there were several
errors for transition times and dates. (Thanks to P Chan.)
The 1948-1951 fallback transitions in Japan were at 25:00 on
September's second Saturday, not at 24:00. (Thanks to Phake Nick.)
zic turns this into 01:00 on the day after September's second
Saturday, which is the best that POSIX or C platforms can do.
Incorporate 1940-1949 Asia/Shanghai DST transitions from a 2014
paper by Li Yu, replacing more-questionable data from Shanks.
Changes to time zone abbreviations
Use "PST" and "PDT" for Philippine time. (Thanks to Paul Goyette.)
Changes to documentation
New restrictions: A Rule name must start with a character that
is neither an ASCII digit nor "-" nor "+", and an unquoted name
should not use characters in the set "!$%&'()*,/:;<=>?@[\]^`{|}~".
The latter restriction makes room for future extensions (a
possibility noted by Tom Lane).
tzfile.5 now documents what time types apply before the first and
after the last transition, if any.
Documentation now uses the spelling "timezone" for a TZ setting
that determines timestamp history, and "time zone" for a
geographic region currently sharing the same standard time.
The name "TZif" is now used for the tz binary data format.
tz-link.htm now mentions the A0 TimeZone Migration utilities.
(Thanks to Aldrin Martoq for the link.)
Changes to build procedure
New 'make' target 'rearguard_tarballs' to build the rearguard
tarball only. This is a convenience on platforms that lack lzip
if you want to build the rearguard tarball. (Problem reported by
Deborah Goldsmith.)
tzdata.zi is now more stable from release to release. (Problem
noted by Tom Lane.) It is also a bit shorter.
tzdata.zi now can contain comment lines documenting configuration
information, such as which data format was selected, which input
files were used, and how leap seconds are treated. (Problems
noted by Lester Caine and Brian Inglis.) If the Makefile defaults
are used these comment lines are absent, for backward
compatibility. A redistributor intending to alter its copy of the
files should also append "-LABEL" to the 'version' file's first
line, where "LABEL" identifies the redistributor's change.
(From OE-Core rev: 9d786808fb9471eff46d95dd354f6254e468aa17)
(From OE-Core rev: 7ac4ecb04f02a7df943d1f9f0542e28e8f414cc5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes to code
zic now always generates TZif files where time type 0 is used for
timestamps before the first transition. This simplifies the
reading of TZif files and should not affect behavior of existing
TZif readers because the same set of time types is used; only
their internal indexes may have changed. This affects only the
legacy zones EST5EDT, CST6CDT, MST7MDT, PST8PDT, CET, MET, and
EET, which previously used nonzero types for these timestamps.
Because of the type 0 change, zic no longer outputs a dummy
transition at time -2**59 (before the Big Bang), as clients should
no longer need this to handle historical timestamps correctly.
This reverts a change introduced in 2013d and shrinks most TZif
files by a few bytes.
zic now supports negative time-of-day in Rule and Leap lines, e.g.,
"Rule X min max - Apr lastSun -6:00 1:00 -" means the transition
occurs at 18:00 on the Saturday before the last Sunday in April.
This behavior was documented in 2018a but the code did not
entirely match the documentation.
localtime.c no longer requires at least one time type in TZif
files that lack transitions or have a POSIX-style TZ string. This
future-proofs the code against possible future extensions to the
format that would allow TZif files with POSIX-style TZ strings and
without transitions or time types.
A read-access subscript error in localtime.c has been fixed.
It could occur only in TZif files with timecnt == 0, something that
does not happen in practice now but could happen in future versions.
localtime.c no longer ignores TZif POSIX-style TZ strings that
specify only standard time. Instead, these TZ strings now
override the default time type for timestamps after the last
transition (or for all time stamps if there are no transitions),
just as DST strings specifying DST have always done.
leapseconds.awk now outputs "#updated" and "#expires" comments,
and supports leap seconds at the ends of months other than June
and December. (Inspired by suggestions from Chris Woodbury.)
(From OE-Core rev: 4670dcdb6e2504469c30ebed828d4702d8c0003c)
(From OE-Core rev: 9702041a732ca062a9899543d05e585c930407f3)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Briefly:
North Korea switches back to +09 on 2018-05-05.
The main format uses negative DST again, for Ireland etc.
'make tarballs' now also builds a rearguard tarball.
New 's' and 'd' suffixes in SAVE columns of Rule and Zone lines.
Changes to past and future time stamps
North Korea switches back from +0830 to +09 on 2018-05-05.
(Thanks to Kang Seonghoon, Arthur David Olson, Seo Sanghyeon,
and Tim Parenti.)
Bring back the negative-DST changes of 2018a, except be more
compatible with data parsers that do not support negative DST.
Also, this now affects historical time stamps in Namibia and the
former Czechoslovakia, not just Ireland. The main format now uses
negative DST to model time stamps in Europe/Dublin (from 1971 on),
Europe/Prague (1946/7), and Africa/Windhoek (1994/2017). This
does not affect UT offsets, only time zone abbreviations and the
tm_isdst flag. Also, this does not affect rearguard or vanguard
formats; effectively the main format now uses vanguard instead of
rearguard format. Data parsers that do not support negative DST
can still use data from the rearguard tarball described below
(From OE-Core rev: f717eeff2d4823163cb72fb79101220cc48b3286)
(From OE-Core rev: 24227750484cca1c1fdf431751247960c19b926f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes to build procedure
The command 'make tarballs' now also builds the tarball
tzdataVERSION-rearguard.tar.gz, which is like tzdataVERSION.tar.gz
except that it uses rearguard format intended for trailing-edge
data parsers.
Changes to data format and to code
The SAVE column of Rule and Zone lines can now have an 's' or 'd'
suffix, which specifies whether the adjusted time is standard time
or daylight saving time. If no suffix is given, daylight saving
time is used if and only if the SAVE column is nonzero; this is
the longstanding behavior. Although this new feature is not used
in tzdata, it could be used to specify the legal time in Namibia
1994-2017, as opposed to the popular time (see below).
Changes to past time stamps
From 1994 through 2017 Namibia observed DST in winter, not summer.
That is, it used negative DST, as Ireland still does. This change
does not affect UTC offsets; it affects only the tm_isdst flag and
the abbreviation used during summer, which is now CAT, not WAST.
Although (as noted by Michael Deckers) summer and winter time were
both simply called "standard time" in Namibian law, in common
practice winter time was considered to be DST (as noted by Stephen
Colebourne). The full effect of this change is only in vanguard
format; in rearguard and main format, the tm_isdst flag is still
zero in winter and nonzero in summer.
In 1946/7 Czechoslovakia also observed negative DST in winter.
The full effect of this change is only in vanguard format; in
rearguard and main formats, it is modeled as plain GMT without
daylight saving. Also, the dates of some 1944/5 DST transitions
in Czechoslovakia have been changed.
(From OE-Core rev: aeb3d295581908ca9a9d8f1705f70b49b2de32e3)
(From OE-Core rev: a8f643726e991608d5595cd551a4c3e43a254d6a)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are both "curl" and "libcurl" CPEs in NVD.
All "curl" CVEs are now missed in the reports.
Hence, switch "CVE_PRODUCT" to a space separated list
of the items.
(From OE-Core rev: 69ff709c2450c42139fd9705e3a74464221ad754)
(From OE-Core rev: 5df0d75fe63a0e1ada396f5ecfa953ac63f65354)
Signed-off-by: Grygorii Tertychnyi <gtertych@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are both "curl" and "libcurl" CPEs in NVD.
All "curl" CVEs are currently missing in the reports.
Hence, switch "CVE_PRODUCT" to a space separated list.
It is useful for recipes generating several packages,
that have different product names in NVD.
(From OE-Core rev: 404f75e026393ddc55da87f6f04fb1201cff4e11)
(From OE-Core rev: 667d5e77e1ce0f0e531ed87f6fc30e1d65b16759)
Signed-off-by: Grygorii Tertychnyi <gtertych@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This allows us to handle distros which contain glibc 2.28 such as
Ubuntu 18.10.
(From OE-Core rev: 5c7d9abcd611d23d4340f9a0aee2564f72158a0b)
(From OE-Core rev: f01153e1782425756a40929ffb3fa72993b7a3b1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fixed up for sumo context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With recent kernels (i.e. 4.17+) the configuration phase of the kernel
will check for capabilities/options of the compiler for CVE and other
mitigation support.
For a general kernel, we want to ensure that CC is fully defined when
the config targets are invoked (so the proper compiler will be checked).
For linux-yocto, we also need to specify the compiler/tools dependencies
for the configme task since it executes before configure and hence the
main kernel build DEPENDS will not always be in the sysroot before it
executes. Without those dependencies the kernel will be incorrectly
configured (i.e. bison is missing) or the configuration will fail the
mitigation tests.
[YOCTO #12757]
(From OE-Core rev: ff1bdd75d50f0ebac3d599e461685ace29559a82)
(From OE-Core rev: ec5cc387ca6828c5dbb3d36c9a92e2d7654c616a)
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The fix is similar to what was done for PowerPC32.
It solves below error, while compiling for PowerPC64,
-- snip --
| ../../../../valgrind-3.13.0/none/tests/ppc64/test_isa_2_06_part2.c: In function 'usage':
| ../../../../valgrind-3.13.0/none/tests/ppc64/test_isa_2_06_part2.c:1778:3: warning: implicit declaration of function 'fprintf' [-Wimplicit-function-declaration]
| fprintf(stderr,
| ^~~~~~~
| ../../../../valgrind-3.13.0/none/tests/ppc64/test_isa_2_06_part2.c:1778:3: warning: incompatible implicit declaration of built-in function 'fprintf'
| ../../../../valgrind-3.13.0/none/tests/ppc64/test_isa_2_06_part2.c:1778:3: note: include '<stdio.h>' or provide a declaration of 'fprintf'
| ../../../../valgrind-3.13.0/none/tests/ppc64/test_isa_2_06_part2.c:1778:11: error: 'stderr' undeclared (first use in this function)
| fprintf(stderr,
| ^~~~~~
-- snip --
(From OE-Core rev: 9f82bb4bf3d0ded246eb252b3f9b4b618b22fc95)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some tests, like the one that compares the hashes for a list of files
against those stored in a .dat file, don't make sense for downstream
distros packaging perl.
Backport a patch from upstream that allows skipping of these tests at
runtime. Also remove the local patch trying to keep hashes up-to-date
for one of those tests.
Fixes [YOCTO #12787]
(From OE-Core rev: 557f4618b75b8739a647e46054ab587ae2bbdc25)
(From OE-Core rev: 7157e7804b21a84ecbd809b6e171106d7ddc86a6)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
BB_DONT_CACHE was not set for non-virtual recipes where PN != BPN, such
as quilt-native. Recipes that do not set BBCLASSEXTEND should always
have BB_DONT_CACHE set by externalsrc.
(From OE-Core rev: 4eff427a0ee629a1541a420a9591411648569a97)
(From OE-Core rev: 30b055d2296f060a4ca054d042f353a2153fdd4e)
Signed-off-by: Ola x Nilsson <olani@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The previous logic assumed that if $BUILD_IMAGES_FROM_FEEDS=1 then a
complete set of ipk feeds from which to build the image is already
present under $IPK_FEED_URIS at do_rootfs runtime.
$IPK_FEED_URIS usually contains "file://${DEPLOY_DIR_IPK}" which
renders the above assumption bad because some recipes in the current
build can contain code like do_install[nostamp] = "1" which will cause
rebuilds bumping $PR and invalidating the index.
Even when the index is manually re-created before an image build
("bitbake package-index"), the nostamp will cause failures because the
dependency gets rebuilt before do_rootfs in the "bitbake <image>" call.
So make the opkg rootfs index logic the same as for rpm/deb, to always
update the index in $DEPLOY_DIR_IPK to fix the above nostamp failure.
Feeds outside $DEPLOY_DIR_IPK added to $IPK_FEED_URIS continue to work
as usual, for eg. by using a http:// URI.
(From OE-Core rev: bce90f48d1cc136fdfdf98b3830f5d99e381271b)
(From OE-Core rev: 6e03d1d56587d93b9a9ec936ceb69350234c627a)
Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current handling of SIGTERM is incorrect as the process pid returned
by Popen call with shell setting to True is actualy the shell instead of
the qemu process. So use shlex to split cmd so that we can avoid using
shell=True. This ensures the child process is the actual qemu process.
Also, as we install a SIGTERM handler, we need handle the situation of
qemu terminated by SIGTERM, otherwise we will get ERROR message in such
case.
Besides, we have a problem that after running qemu, the terminal's behavior
is incorrect regarding long lines or long commands. Long commands or long
outputs should appear in multiple lines, but they appear in the same line,
overriding previous output. Use `tput smam' to fix this problem.
(From OE-Core rev: e8acef383767cfd1ef0c3d3c45d9d6eb1c83b3e7)
(From OE-Core rev: a2ee5c8a1ff449250e6f37fccf01b85a7361b24c)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add SIGTERM handler so that runqemu could clean things up correctly
when receving such signal.
This problem was originally observed when running testimage. On
some hosts, after running testimage task, the user has to manually
operate on the tap interface (e.g. `sudo ip link del tap0') in order
for the next runqemu command to launch successfully.
The problem is about runqemu, SIGTERM and network manager on the host.
In testimage task, the runqemu process will receive SIGTERM. In such
situation, its cleanup() function is not run, resulting in tap interface
not cleaned up. On some hosts, the network manager will bring down the
tap interface automatically, thus this problem. I saw this problem on
Fedora21.
I think we'd better just clean up the tap interface ourselves.
So this patch adds to runqemu a SIGTERM handler, in which the actual
qemu process is terminated and other things cleaned up.
(From OE-Core rev: 02709d4709c56f9b9095e3555da35b659b03a8a3)
(From OE-Core rev: 05c2a590980819e31acee29e1e7282d2ed3586b7)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* CVE-2018-1060
Prevent low-grade poplib REDOS:
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.
Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.
* CVE-2018-1061
Prevent difflib REDOS
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.
Affects < 3.5.6rc1
CVE: CVE-2018-1060
CVE: CVE-2018-1061
Ref: https://access.redhat.com/security/cve/cve-2018-1060
Ref: https://access.redhat.com/security/cve/cve-2018-1061
(From OE-Core rev: 1461bcc72e6649920ecf4226e006e5667c48a21c)
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* CVE-2018-14404
A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval()
function of libxml2 when parsing invalid XPath expression. Applications processing
untrusted XSL format inputs with the use of libxml2 library may be vulnerable to
denial of service attack due to crash of the application.
Affects libxml <= 2.9.8
CVE: CVE-2018-14404
Ref: https://access.redhat.com/security/cve/cve-2018-14404
(From OE-Core rev: 06d7f9039b005c2112e28336ac1c30e5120ec815)
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Before this fix it is assumed that the removal of the
remote can only fail because there is not remote to remove. This
is a false assumption. Example error which would be ignored:
git -c core.fsyncobjectfiles=0 remote rm origin failed with exit code 1, output:
Note: A branch outside the refs/remotes/ hierarchy was not removed;
to delete it, use:
git branch -d master
error: could not lock config file config
error: Could not remove config section 'remote.origin'
Due to the masking of this error a stranger error will be
presented to the user, because this time we do not mask the
exception:
git -c core.fsyncobjectfiles=0 remote add --mirror=fetch origin https://github.com/ptsneves/tl-wn722.git failed with exit code 128, output:
fatal: remote origin already exists.
The most likely reason that the remote cannot be removed nor
modified is that the DL_DIR/git2 does not have permissions
compatible with the user running bitbake.
This commit fixes:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=12728
(Bitbake rev: 67189588a68b9bcb39421ef12103507b4c8820c3)
Signed-off-by: Paulo Neves <ptsneves@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When mount command is executed in rootfs module of initrd, eudev creates
a loop0 device node, applies rules and adds a inotify watch to it. Right
after this step, we execute finish which first tries to kill any running
udevd daemon before doing a switch_root.
In some cases, it is possible that switch_root is executed before
inotify_add_watch was actually processed which would lead to errors like:
| inotify_add_watch(6, /dev/loop0, 10) failed: No such file or directory
Make sure that we process all the events in queue before actually trying
to kill udevd to prevent this race.
Fixes [YOCTO #12861]
(From OE-Core rev: a85c34d263fcf1542bbedcaf1634302466bb20cf)
(From OE-Core rev: 196659ca05623996e2b36f7b1e52195a81fd3bdd)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* CVE-2017-7961
The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco has an
"outside the range of representable values of type long" undefined
behavior issue, which might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other
impact via a crafted CSS file.
CVE: CVE-2017-7961
Ref: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7961
(From OE-Core rev: 9b321cf141c3fa18d5b85f17ffe1710f4555ca49)
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* CVE-2018-9234
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
certification requires an offline master Certify key, which results
in apparently valid certifications that occurred only with access to
a signing subkey.
Affects gnupg <= 2.2.5
CVE: CVE-2018-9234
Ref: https://access.redhat.com/security/cve/cve-2018-9234
(From OE-Core rev: af920831ed1ef607db195372f135cc56e9f53b41)
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove usage of a specific amount of memory and let it be controlled by
users. This was the default behaviour before it was changed by commit
3b79d9a78 that switched the wks file to be used for qemux86.
Also fixes the bitbake parsing issues seen because of memory starvation
using build appliance images.
Fixes [YOCTO #12894]
(From OE-Core rev: 18d6b668c52dc881cff7b107420e0de527eecce4)
(From OE-Core rev: a53026f03a1d07cef1d1590c689e036f3ee21026)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Previously cmake-dev held some files which should be in cmake.
- cmake.m4 should be in installed in cmake so it can be used out of the box
- nativesdk-specific OEToolchainConfig.cmake file used to be in cmake, but the
change of default packaging rules move it into cmake-dev. This recipe is the
exception and it should be moved back.
Add the extra paths to cmake, and clear FILES for cmake-dev to ensure nothing
else slips in.
(From OE-Core rev: a6ce79b87d3db57033a3d1710cb3292366a0a8f7)
(From OE-Core rev: 5f985f02a932ebce238a6b1c644d2e3179226aab)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Kernel image can be 'vmlinuz' for 'bzImage' but the script is written to
support 'vmlinuz' only. When building with meta-intel on sumo branch, the
kernel image is now bzImage and the installation will fail. Add option to
install bzImage as well.
(From OE-Core rev: a702a5efdaece4197ceefec2a3b4c1e872e82f11)
Signed-off-by: Chong Yi Chai <chong.yi.chai@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Static PIE doesn't work entirely right in GCC 7, for example ldconfig on ARM
with the flags enabled will something segfault during initialisation.
To mitigate this until we have GCC 8 integrated, don't enable static PIE.
(From OE-Core rev: 502de6f5db232a104eb269782a690f52fd665ef4)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The environment was being cleared before the UI imports occurred which
caused problems for graphical UIs like taskexp. The full environment was
intended to be available to UI clients and it was only meant to be cleared
for the server/cooker, so tweak the code order so this is the case.
This fixes problems reported for taskexp.
[YOCTO #12670]
(Bitbake rev: 66ac33b6888edb7077b6e94a4d3d1e1d1d53c0c5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Commit 15340edce23e63b060c75114d508e1f76757239c introduced a way which
allowed bitbake to be found from the PATH variable when directory
structures different from poky are used. This just drops a leftover
bitbake definition which made the earlier implementation meaningless
by reassigning the path relative to oe-core/meta.
[YOCTO #12942]
(Bitbake rev: 99321236c516277c9d423b1b355bbce1245d9923)
Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: David Reyna <David.Reyna@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* CVE-2018-8740
In SQLite through 3.22.0, databases whose schema is corrupted
using a CREATE TABLE AS statement could cause a NULL pointer dereference,
related to build.c and prepare.c.
Affects sqlite3 <= 3.22.0
CVE: CVE-2018-8740
Ref: https://access.redhat.com/security/cve/cve-2018-8740
(From OE-Core rev: 0469c075d904026ec37214fb39397bb1cb07ab43)
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* CVE-2018-13785
In libpng 1.6.34, a wrong calculation of row_factor in the
png_check_chunk_length function (pngrutil.c) may trigger an
integer overflow and resultant divide-by-zero while processing
a crafted PNG file, leading to a denial of service.
(cherry picked from 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2)
Affects libpng <= 1.6.34
CVE: CVE-2018-13785
Ref: https://access.redhat.com/security/cve/cve-2018-13785
(From OE-Core rev: 4cc1862695c6899b61e3900216376c1b2f338a19)
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Disable downloading of the vulnerability DB in do_check_cves() task.
When invoked in this task, cve-check-tool attempts re-download of the CVE DB
if the latter is older than certain threshold. While reasonable for a
stand-alone CVE checker, this behavior can cause errors in parallel builds
if the build time is longer than this threshold:
* Other tasks might be using the DB.
* Several packages can start the download of the same file at the same time.
This check is not really needed, as the DB has been downloaded by
cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build().
The DB will be at most (threshold + build_time) old.
(From OE-Core rev: 125789b6ee6d47ab84192230f63971c4e22418ba)
(From OE-Core rev: 2f84939b0e17dfba1fc43bf053871ea930d9a04c)
Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some backported patches fix multiple CVEs and list the corresponding
identifiers on multiple lines, rather than on a single line.
cve-check.bbclass yields false positive warnings when CVE IDs are
presented on multiple lines because re.search() returns only
the first match.
An example of this behavior may be found when running do_cve_check() on
the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077
is reported to be patched by commit de57fd8, despite the patch including
fixes for a total of 9 CVEs.
This is resolved by iterating over all regular expression matches,
rather than just the first.
(From OE-Core rev: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd)
(From OE-Core rev: 1c6ae927ca8acc1e5f362b1424b2c6a5da1e8be9)
Signed-off-by: Jon Szymaniak <jon.szymaniak.foss@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Test suite test_dbm failed after gdbm upgrtade to 13.1,
from 13.1, return value of some function are changed.
* gdbm_fetch, gdbm_firstkey, and gdbm_nextkey behavior
If the requested key was not found, these functions return datum with
dptr pointing to NULL and set gdbm_errno to GDBM_ITEM_NOT_FOUND (in
prior releases, gdbm_errno was set to GDBM_NO_ERROR),
(From OE-Core rev: 0952c190fc6aec333676ce3883e8232fa8595551)
(From OE-Core rev: a8cb9b68e91db42a17bfb54591e3ea91565f9241)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
"Integer overflow in src/zm.c:zsdata() causes crash in sz and can leak
information to receiver."
Take a patch from Fedora to resolve CVE-2018-10195.
(From OE-Core rev: a7b50fcee9a295de57f743fa3637905992da722e)
(From OE-Core rev: 0a1ff2a8df4a4033b23ce1513ec02711005d6883)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
