mirror of
https://git.yoctoproject.org/poky
Compare commits
33 Commits
yocto-1.5.
...
yocto-1.5.
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
dc743744d8 | ||
|
|
4278b11da9 | ||
|
|
5d1f0c0160 | ||
|
|
acb65ef18e | ||
|
|
c4a539c8c8 | ||
|
|
845df01345 | ||
|
|
2e2a6d0c4e | ||
|
|
a63f07c4ce | ||
|
|
19f3e362b3 | ||
|
|
4a18e162d8 | ||
|
|
7c3f509c06 | ||
|
|
05f172c745 | ||
|
|
47afe5bcfa | ||
|
|
c60886f9f5 | ||
|
|
3ceb90eacd | ||
|
|
8c346a66b5 | ||
|
|
09d260e3e5 | ||
|
|
8cc8941821 | ||
|
|
afec960d87 | ||
|
|
3a980abd28 | ||
|
|
780d5d0b91 | ||
|
|
3fb2ce03a2 | ||
|
|
527868fbfc | ||
|
|
381c6b8957 | ||
|
|
8ac53f3c2d | ||
|
|
0ea0a14bd9 | ||
|
|
bd1a6f3d56 | ||
|
|
d6f29c0154 | ||
|
|
c5d81c3386 | ||
|
|
ad2c79b0fd | ||
|
|
c7432a006e | ||
|
|
e6aafde7d2 | ||
|
|
1974599046 |
@@ -76,6 +76,11 @@
|
||||
<date>May 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.2 Release.</revremark>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>1.5.3</revnumber>
|
||||
<date>July 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.3 Release.</revremark>
|
||||
</revision>
|
||||
</revhistory>
|
||||
|
||||
<copyright>
|
||||
|
||||
@@ -88,6 +88,11 @@
|
||||
<date>May 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.2 Release.</revremark>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>1.5.3</revnumber>
|
||||
<date>July 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.3 Release.</revremark>
|
||||
</revision>
|
||||
</revhistory>
|
||||
|
||||
<copyright>
|
||||
|
||||
@@ -18,8 +18,7 @@
|
||||
"<ulink url='&YOCTO_DOCS_BSP_URL;#creating-a-new-bsp-layer-using-the-yocto-bsp-script'>Creating a New BSP Layer Using the yocto-bsp Script</ulink>"
|
||||
section in the Yocto Project Board Support Package (BSP) Developer's Guide.
|
||||
For more complete information on how to work with the kernel, see the
|
||||
<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;'>Yocto Project Linux Kernel
|
||||
Development Manual</ulink>.
|
||||
<ulink url='&YOCTO_DOCS_KERNEL_DEV_URL;'>Yocto Project Linux Kernel Development Manual</ulink>.
|
||||
</para></listitem>
|
||||
<listitem><para><emphasis>User Application Development:</emphasis>
|
||||
User Application Development covers development of applications that you intend
|
||||
|
||||
@@ -66,6 +66,11 @@
|
||||
<date>May 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.2 Release.</revremark>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>1.5.3</revnumber>
|
||||
<date>July 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.3 Release.</revremark>
|
||||
</revision>
|
||||
</revhistory>
|
||||
|
||||
<copyright>
|
||||
|
||||
@@ -51,6 +51,11 @@
|
||||
<date>May 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.2 Release.</revremark>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>1.5.3</revnumber>
|
||||
<date>July 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.3 Release.</revremark>
|
||||
</revision>
|
||||
</revhistory>
|
||||
|
||||
<copyright>
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
<!ENTITY DISTRO "1.5.2">
|
||||
<!ENTITY DISTRO_COMPRESSED "152">
|
||||
<!ENTITY DISTRO "1.5.3">
|
||||
<!ENTITY DISTRO_COMPRESSED "153">
|
||||
<!ENTITY DISTRO_NAME "dora">
|
||||
<!ENTITY YOCTO_DOC_VERSION "1.5.2">
|
||||
<!ENTITY POKYVERSION "10.0.2">
|
||||
<!ENTITY POKYVERSION_COMPRESSED "1002">
|
||||
<!ENTITY YOCTO_DOC_VERSION "1.5.3">
|
||||
<!ENTITY POKYVERSION "10.0.3">
|
||||
<!ENTITY POKYVERSION_COMPRESSED "1003">
|
||||
<!ENTITY YOCTO_POKY "poky-&DISTRO_NAME;-&POKYVERSION;">
|
||||
<!ENTITY COPYRIGHT_YEAR "2010-2014">
|
||||
<!ENTITY YOCTO_DL_URL "http://downloads.yoctoproject.org">
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|
||||
<chapter id='profile-manual-intro'>
|
||||
|
||||
<title>Yocto Project Tracing and Profiling Manual</title>
|
||||
<title>Yocto Project Profiling and Tracing Manual</title>
|
||||
<section id='intro'>
|
||||
<title>Introduction</title>
|
||||
|
||||
|
||||
@@ -51,6 +51,11 @@
|
||||
<date>May 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.2 Release.</revremark>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>1.5.3</revnumber>
|
||||
<date>July 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.3 Release.</revremark>
|
||||
</revision>
|
||||
</revhistory>
|
||||
|
||||
<copyright>
|
||||
|
||||
@@ -82,6 +82,11 @@
|
||||
<date>May 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.2 Release.</revremark>
|
||||
</revision>
|
||||
<revision>
|
||||
<revnumber>1.5.3</revnumber>
|
||||
<date>July 2014</date>
|
||||
<revremark>Released with the Yocto Project 1.5.3 Release.</revremark>
|
||||
</revision>
|
||||
</revhistory>
|
||||
|
||||
<copyright>
|
||||
|
||||
@@ -1,13 +1,14 @@
|
||||
# Processes ref-manual and yocto-project-qs manual (<word>-<word>-<word> style)
|
||||
s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.2\/[a-z]*-[a-z]*-[a-z]*\/[a-z]*-[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
|
||||
s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/[a-z]*-[a-z]*-[a-z]*\/[a-z]*-[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
|
||||
|
||||
# Processes all other manuals (<word>-<word> style)
|
||||
s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.2\/[a-z]*-[a-z]*\/[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
|
||||
s/\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/[a-z]*-[a-z]*\/[a-z]*-[a-z]*.html#/\"link\" href=\"#/g
|
||||
|
||||
# Process cases where just an external manual is referenced without an id anchor
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.2\/yocto-project-qs\/yocto-project-qs.html\" target=\"_top\">Yocto Project Quick Start<\/a>/Yocto Project Quick Start/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.2\/dev-manual\/dev-manual.html\" target=\"_top\">Yocto Project Development Manual<\/a>/Yocto Project Development Manual/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.2\/adt-manual\/adt-manual.html\" target=\"_top\">Yocto Project Application Developer's Guide<\/a>/Yocto Project Application Developer's Guide/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.2\/bsp-guide\/bsp-guide.html\" target=\"_top\">Yocto Project Board Support Package (BSP) Developer's Guide<\/a>/Yocto Project Board Support Package (BSP) Developer's Guide/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.2\/kernel-dev\/kernel-dev.html\" target=\"_top\">Yocto Project Linux Kernel Development Manual<\/a>/Yocto Project Linux Kernel Development Manual/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.2\/ref-manual\/ref-manual.html\" target=\"_top\">Yocto Project Reference Manual<\/a>/Yocto Project Reference Manual/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/yocto-project-qs\/yocto-project-qs.html\" target=\"_top\">Yocto Project Quick Start<\/a>/Yocto Project Quick Start/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/dev-manual\/dev-manual.html\" target=\"_top\">Yocto Project Development Manual<\/a>/Yocto Project Development Manual/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/adt-manual\/adt-manual.html\" target=\"_top\">Yocto Project Application Developer's Guide<\/a>/Yocto Project Application Developer's Guide/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/bsp-guide\/bsp-guide.html\" target=\"_top\">Yocto Project Board Support Package (BSP) Developer's Guide<\/a>/Yocto Project Board Support Package (BSP) Developer's Guide/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/profile-manual\/profile-manual.html\" target=\"_top\">Yocto Project Profiling and Tracing Manual<\/a>/Yocto Project Profiling and Tracing Manual/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/kernel-dev\/kernel-dev.html\" target=\"_top\">Yocto Project Linux Kernel Development Manual<\/a>/Yocto Project Linux Kernel Development Manual/g
|
||||
s/<a class=\"ulink\" href=\"http:\/\/www.yoctoproject.org\/docs\/1.5.3\/ref-manual\/ref-manual.html\" target=\"_top\">Yocto Project Reference Manual<\/a>/Yocto Project Reference Manual/g
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
DISTRO = "poky"
|
||||
DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
|
||||
DISTRO_VERSION = "1.5.1"
|
||||
DISTRO_CODENAME = "next"
|
||||
DISTRO_VERSION = "1.5.3"
|
||||
DISTRO_CODENAME = "dora"
|
||||
SDK_VENDOR = "-pokysdk"
|
||||
SDK_VERSION := "${@'${DISTRO_VERSION}'.replace('snapshot-${DATE}','snapshot')}"
|
||||
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
FILESEXTRAPATHS_prepend_poky := "${THISDIR}/${P}:"
|
||||
FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:"
|
||||
|
||||
|
||||
@@ -0,0 +1,40 @@
|
||||
commit 208d54db20d58c9a5e45e856a0650caadd7d9612
|
||||
Author: Dr. Stephen Henson <steve@openssl.org>
|
||||
Date: Tue May 13 18:48:31 2014 +0100
|
||||
|
||||
Fix for CVE-2014-0195
|
||||
|
||||
A buffer overrun attack can be triggered by sending invalid DTLS fragments
|
||||
to an OpenSSL DTLS client or server. This is potentially exploitable to
|
||||
run arbitrary code on a vulnerable client or server.
|
||||
|
||||
Fixed by adding consistency check for DTLS fragments.
|
||||
|
||||
Thanks to Jüri Aedla for reporting this issue.
|
||||
|
||||
Patch borrowed from Fedora
|
||||
Upstream-Status: Backport
|
||||
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
||||
|
||||
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
|
||||
index 2e8cf68..07f67f8 100644
|
||||
--- a/ssl/d1_both.c
|
||||
+++ b/ssl/d1_both.c
|
||||
@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
|
||||
frag->msg_header.frag_off = 0;
|
||||
}
|
||||
else
|
||||
+ {
|
||||
frag = (hm_fragment*) item->data;
|
||||
+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
|
||||
+ {
|
||||
+ item = NULL;
|
||||
+ frag = NULL;
|
||||
+ goto err;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
|
||||
/* If message is already reassembled, this must be a
|
||||
* retransmit and can be dropped.
|
||||
|
||||
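Review bot: The added `msg_len` comparison in `dtls1_reassemble_fragment` carries no comment, although it is the whole fix for CVE-2014-0195 according to the patch description. A short comment above the `if` would keep the intent visible once the patch header is out of sight, e.g. `/* a fragment that disagrees with the buffered message's total length is inconsistent: reject it */`. It would also help to say why both `item` and `frag` are cleared before `goto err`; presumably the `err` path, which is outside this hunk, must not free a fragment that is still queued, but that needs confirming against the full function.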
@@ -0,0 +1,38 @@
|
||||
From: Matt Caswell <matt@openssl.org>
|
||||
Date: Sun, 11 May 2014 23:38:37 +0000 (+0100)
|
||||
Subject: Fixed NULL pointer dereference. See PR#3321
|
||||
X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=b107586
|
||||
|
||||
Fixed NULL pointer dereference. See PR#3321
|
||||
|
||||
Patch borrowed from Fedora
|
||||
Upstream-Status: Backport
|
||||
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
|
||||
index 40eb0dd..d961d12 100644
|
||||
--- a/ssl/s3_pkt.c
|
||||
+++ b/ssl/s3_pkt.c
|
||||
@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
|
||||
SSL3_BUFFER *wb=&(s->s3->wbuf);
|
||||
SSL_SESSION *sess;
|
||||
|
||||
- if (wb->buf == NULL)
|
||||
- if (!ssl3_setup_write_buffer(s))
|
||||
- return -1;
|
||||
|
||||
/* first check if there is a SSL3_BUFFER still being written
|
||||
* out. This will happen with non blocking IO */
|
||||
@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
|
||||
/* if it went, fall through and send more stuff */
|
||||
}
|
||||
|
||||
+ if (wb->buf == NULL)
|
||||
+ if (!ssl3_setup_write_buffer(s))
|
||||
+ return -1;
|
||||
+
|
||||
if (len == 0 && !create_empty_fragment)
|
||||
return 0;
|
||||
|
||||
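Review bot: The header of this patch never names the CVE it addresses; its subject only reads `Fixed NULL pointer dereference. See PR#3321`, while the other OpenSSL patches added alongside it state their CVE id in the description. Judging by the SRC_URI additions in the recipe, this is presumably `openssl-1.0.1e-cve-2014-0198.patch`. A line such as `Fix for CVE-2014-0198` above `Patch borrowed from Fedora` would let someone auditing the recipe match the patch to the advisory without relying on the file name alone.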
@@ -0,0 +1,38 @@
|
||||
commit d30e582446b027868cdabd0994681643682045a4
|
||||
Author: Dr. Stephen Henson <steve@openssl.org>
|
||||
Date: Fri May 16 13:00:45 2014 +0100
|
||||
|
||||
Fix CVE-2014-0221
|
||||
|
||||
Unnecessary recursion when receiving a DTLS hello request can be used to
|
||||
crash a DTLS client. Fixed by handling DTLS hello request without recursion.
|
||||
|
||||
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
|
||||
|
||||
Patch borrowed from Fedora
|
||||
Upstream-Status: Backport
|
||||
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
||||
|
||||
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
|
||||
index 07f67f8..4c2fd03 100644
|
||||
--- a/ssl/d1_both.c
|
||||
+++ b/ssl/d1_both.c
|
||||
@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
|
||||
int i,al;
|
||||
struct hm_header_st msg_hdr;
|
||||
|
||||
+ redo:
|
||||
/* see if we have the required fragment already */
|
||||
if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
|
||||
{
|
||||
@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
|
||||
s->msg_callback_arg);
|
||||
|
||||
s->init_num = 0;
|
||||
- return dtls1_get_message_fragment(s, st1, stn,
|
||||
- max, ok);
|
||||
+ goto redo;
|
||||
}
|
||||
else /* Incorrectly formated Hello request */
|
||||
{
|
||||
|
||||
@@ -0,0 +1,103 @@
|
||||
Fix for CVE-2014-0224
|
||||
|
||||
Only accept change cipher spec when it is expected instead of at any
|
||||
time. This prevents premature setting of session keys before the master
|
||||
secret is determined which an attacker could use as a MITM attack.
|
||||
|
||||
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
|
||||
and providing the initial fix this patch is based on.
|
||||
|
||||
|
||||
Patch borrowed from Fedora
|
||||
Upstream-Status: Backport
|
||||
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
||||
|
||||
|
||||
diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h
|
||||
--- openssl-1.0.1e/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200
|
||||
+++ openssl-1.0.1e/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200
|
||||
@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
|
||||
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
|
||||
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
|
||||
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
|
||||
+#define SSL3_FLAGS_CCS_OK 0x0080
|
||||
|
||||
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
|
||||
* restart a handshake because of MS SGC and so prevents us
|
||||
diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c
|
||||
--- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100
|
||||
+++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200
|
||||
@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
|
||||
case SSL3_ST_CR_FINISHED_A:
|
||||
case SSL3_ST_CR_FINISHED_B:
|
||||
|
||||
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
|
||||
ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
|
||||
SSL3_ST_CR_FINISHED_B);
|
||||
if (ret <= 0) goto end;
|
||||
@@ -916,6 +917,7 @@ int ssl3_get_server_hello(SSL *s)
|
||||
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
|
||||
goto f_err;
|
||||
}
|
||||
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
|
||||
s->hit=1;
|
||||
}
|
||||
else /* a miss or crap from the other end */
|
||||
diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c
|
||||
--- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200
|
||||
+++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200
|
||||
@@ -1298,6 +1298,15 @@ start:
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
|
||||
+ {
|
||||
+ al=SSL_AD_UNEXPECTED_MESSAGE;
|
||||
+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
|
||||
+ goto f_err;
|
||||
+ }
|
||||
+
|
||||
+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
|
||||
+
|
||||
rr->length=0;
|
||||
|
||||
if (s->msg_callback)
|
||||
@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
|
||||
|
||||
if (s->s3->tmp.key_block == NULL)
|
||||
{
|
||||
- if (s->session == NULL)
|
||||
+ if (s->session == NULL || s->session->master_key_length == 0)
|
||||
{
|
||||
/* might happen if dtls1_read_bytes() calls this */
|
||||
SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
|
||||
diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c
|
||||
--- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200
|
||||
+++ openssl-1.0.1e/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200
|
||||
@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
|
||||
case SSL3_ST_SR_CERT_VRFY_A:
|
||||
case SSL3_ST_SR_CERT_VRFY_B:
|
||||
|
||||
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
|
||||
/* we should decide if we expected this one */
|
||||
ret=ssl3_get_cert_verify(s);
|
||||
if (ret <= 0) goto end;
|
||||
@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
|
||||
|
||||
case SSL3_ST_SR_FINISHED_A:
|
||||
case SSL3_ST_SR_FINISHED_B:
|
||||
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
|
||||
ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
|
||||
SSL3_ST_SR_FINISHED_B);
|
||||
if (ret <= 0) goto end;
|
||||
@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
|
||||
s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
|
||||
#else
|
||||
if (s->s3->next_proto_neg_seen)
|
||||
+ {
|
||||
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
|
||||
s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
|
||||
+ }
|
||||
else
|
||||
s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
|
||||
#endif
|
||||
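Review bot: No upstream commit id or author is recorded in this patch header, so `Upstream-Status: Backport` cannot be checked against the OpenSSL tree. The CVE-2014-0195, CVE-2014-0221 and CVE-2014-3470 patches in the same change open with a `commit <sha>` line, and the PR#3321 patch keeps its `X-Git-Url`. The same gap appears in the CVE-2010-5298 patch, which has only an NVD link, and in the gnutls CVE-2014-3466 patch, whose `From <sha>` line looks like the submitter's own commit rather than an upstream one (to be confirmed). I would add a line such as `Upstream commit: <upstream commit id>` to each of the three headers, so a later audit can diff the backport against the original fix.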
@@ -0,0 +1,31 @@
|
||||
commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86
|
||||
Author: Dr. Stephen Henson <steve@openssl.org>
|
||||
Date: Thu May 29 15:00:05 2014 +0100
|
||||
|
||||
Fix CVE-2014-3470
|
||||
|
||||
Check session_cert is not NULL before dereferencing it.
|
||||
|
||||
Patch borrowed from Fedora
|
||||
Upstream-Status: Backport
|
||||
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
|
||||
|
||||
|
||||
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
|
||||
index d35376d..4324f8d 100644
|
||||
--- a/ssl/s3_clnt.c
|
||||
+++ b/ssl/s3_clnt.c
|
||||
@@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s)
|
||||
int ecdh_clnt_cert = 0;
|
||||
int field_size = 0;
|
||||
|
||||
+ if (s->session->sess_cert == NULL)
|
||||
+ {
|
||||
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
|
||||
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
/* Did we send out the client's
|
||||
* ECDH share for use in premaster
|
||||
* computation as part of client certificate?
|
||||
@@ -0,0 +1,24 @@
|
||||
openssl fix for CVE-2010-5298
|
||||
|
||||
Upstream-Status: Backport
|
||||
|
||||
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
|
||||
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
|
||||
attackers to inject data across sessions or cause a denial of service
|
||||
(use-after-free and parsing error) via an SSL connection in a
|
||||
multithreaded environment.
|
||||
|
||||
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
|
||||
|
||||
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
|
||||
--- a/ssl/s3_pkt.c
|
||||
+++ b/ssl/s3_pkt.c
|
||||
@@ -1013,7 +1013,7 @@ start:
|
||||
{
|
||||
s->rstate=SSL_ST_READ_HEADER;
|
||||
rr->off=0;
|
||||
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
|
||||
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0)
|
||||
ssl3_release_read_buffer(s);
|
||||
}
|
||||
}
|
||||
@@ -6,7 +6,7 @@ DEPENDS += "ocf-linux"
|
||||
|
||||
CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
|
||||
|
||||
PR = "${INC_PR}.1"
|
||||
PR = "${INC_PR}.2"
|
||||
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=f9a8f968107345e0b75aa8c2ecaa7ec8"
|
||||
|
||||
@@ -38,6 +38,12 @@ SRC_URI += "file://configure-targets.patch \
|
||||
file://0001-Fix-DTLS-retransmission-from-previous-session.patch \
|
||||
file://0001-Use-version-in-SSL_METHOD-not-SSL-structure.patch \
|
||||
file://CVE-2014-0160.patch \
|
||||
file://openssl-1.0.1e-cve-2014-0195.patch \
|
||||
file://openssl-1.0.1e-cve-2014-0198.patch \
|
||||
file://openssl-1.0.1e-cve-2014-0221.patch \
|
||||
file://openssl-1.0.1e-cve-2014-0224.patch \
|
||||
file://openssl-1.0.1e-cve-2014-3470.patch \
|
||||
file://openssl-CVE-2010-5298.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c"
|
||||
|
||||
@@ -21,7 +21,7 @@ IMAGE_FSTYPES = "vmdk"
|
||||
|
||||
inherit core-image
|
||||
|
||||
SRCREV ?= "e07904836a5dc71bb68577eeb4963bc7ecde0224"
|
||||
SRCREV ?= "4278b11da97f6fbb5da16dffe46e797923063da9"
|
||||
SRC_URI = "git://git.yoctoproject.org/poky \
|
||||
file://Yocto_Build_Appliance.vmx \
|
||||
file://Yocto_Build_Appliance.vmxf \
|
||||
|
||||
@@ -23,40 +23,75 @@ DEBUGFS="debugfs"
|
||||
find $SRCDIR | while read FILE; do
|
||||
TGT="${FILE##*/}"
|
||||
DIR="${FILE#$SRCDIR}"
|
||||
DIR="${DIR%$TGT}"
|
||||
|
||||
# Skip the root dir
|
||||
[ ! -z "$DIR" ] || continue
|
||||
[ ! -z "$TGT" ] || continue
|
||||
|
||||
DIR="$(dirname "$DIR")"
|
||||
|
||||
# debugfs handles the quotation mark differently from other special marks like {
|
||||
# If FILE contains quotation marks in its name, then we have to replace " with ""
|
||||
# so that debugfs could correclty recognize them. In this script, we use the prefix
|
||||
# of D_ to denote the file names that should be used by debugfs.
|
||||
#
|
||||
# The usage of case statements here is to avoid performace impact.
|
||||
case $FILE in
|
||||
*\"*)
|
||||
D_FILE="$(echo $FILE | sed -e 's#\"#\"\"#g')"
|
||||
;;
|
||||
*)
|
||||
D_FILE="$FILE"
|
||||
;;
|
||||
esac
|
||||
|
||||
case $DIR in
|
||||
*\"*)
|
||||
D_DIR="$(echo $DIR | sed -e 's#\"#\"\"#g')"
|
||||
;;
|
||||
*)
|
||||
D_DIR="$DIR"
|
||||
;;
|
||||
esac
|
||||
|
||||
case $TGT in
|
||||
*\"*)
|
||||
D_TGT="$(echo $TGT | sed -e 's#\"#\"\"#g')"
|
||||
;;
|
||||
*)
|
||||
D_TGT="$TGT"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ "$DIR" != "$CWD" ]; then
|
||||
echo "cd $DIR"
|
||||
echo "cd \"$D_DIR\""
|
||||
CWD="$DIR"
|
||||
fi
|
||||
|
||||
# Only stat once since stat is a time consuming command
|
||||
STAT=$(stat -c "TYPE=\"%F\";DEVNO=\"0x%t 0x%T\";MODE=\"%f\";U=\"%u\";G=\"%g\"" "$FILE")
|
||||
STAT=$(stat -c "TYPE=\"%F\";DEVNO=\"0x%t 0x%T\";MODE=\"%f\";U=\"%u\";G=\"%g\";AT=\"%x\";MT=\"%y\";CT=\"%z\"" "$FILE")
|
||||
eval $STAT
|
||||
|
||||
case $TYPE in
|
||||
"directory")
|
||||
echo "mkdir $TGT"
|
||||
echo "mkdir \"$D_TGT\""
|
||||
;;
|
||||
"regular file" | "regular empty file")
|
||||
echo "write \"$FILE\" \"$TGT\""
|
||||
echo "write \"$D_FILE\" \"$D_TGT\""
|
||||
;;
|
||||
"symbolic link")
|
||||
LINK_TGT=$(readlink "$FILE")
|
||||
echo "symlink \"$TGT\" \"$LINK_TGT\""
|
||||
D_LINK_TGT="$(echo $LINK_TGT | sed -e 's#\"#\"\"#g')"
|
||||
echo "symlink \"$D_TGT\" \"$D_LINK_TGT\""
|
||||
;;
|
||||
"block special file")
|
||||
echo "mknod \"$TGT\" b $DEVNO"
|
||||
echo "mknod \"$D_TGT\" b $DEVNO"
|
||||
;;
|
||||
"character special file")
|
||||
echo "mknod \"$TGT\" c $DEVNO"
|
||||
echo "mknod \"$D_TGT\" c $DEVNO"
|
||||
;;
|
||||
"fifo")
|
||||
echo "mknod \"$TGT\" p"
|
||||
echo "mknod \"$D_TGT\" p"
|
||||
;;
|
||||
*)
|
||||
echo "Unknown/unhandled file type '$TYPE' file: $FILE" 1>&2
|
||||
@@ -64,11 +99,19 @@ DEBUGFS="debugfs"
|
||||
esac
|
||||
|
||||
# Set the file mode
|
||||
echo "sif \"$TGT\" mode 0x$MODE"
|
||||
echo "sif \"$D_TGT\" mode 0x$MODE"
|
||||
|
||||
# Set uid and gid
|
||||
echo "sif \"$TGT\" uid $U"
|
||||
echo "sif \"$TGT\" gid $G"
|
||||
echo "sif \"$D_TGT\" uid $U"
|
||||
echo "sif \"$D_TGT\" gid $G"
|
||||
|
||||
# Set atime, mtime and ctime
|
||||
AT=`echo $AT | cut -d'.' -f1 | sed -e 's#[- :]##g'`
|
||||
MT=`echo $MT | cut -d'.' -f1 | sed -e 's#[- :]##g'`
|
||||
CT=`echo $CT | cut -d'.' -f1 | sed -e 's#[- :]##g'`
|
||||
echo "sif \"$D_TGT\" atime $AT"
|
||||
echo "sif \"$D_TGT\" mtime $MT"
|
||||
echo "sif \"$D_TGT\" ctime $CT"
|
||||
done
|
||||
|
||||
# Handle the hard links.
|
||||
@@ -82,15 +125,22 @@ DEBUGFS="debugfs"
|
||||
# Use the debugfs' ln and "sif links_count" to handle them.
|
||||
for i in `ls $INODE_DIR`; do
|
||||
# The link source
|
||||
SRC=`head -1 $INODE_DIR/$i`
|
||||
SRC="$(head -1 $INODE_DIR/$i)"
|
||||
D_SRC="$(echo $SRC | sed -e 's#\"#\"\"#g')"
|
||||
# Remove the files and link them again except the first one
|
||||
for TGT in `sed -n -e '1!p' $INODE_DIR/$i`; do
|
||||
echo "rm $TGT"
|
||||
echo "ln $SRC $TGT"
|
||||
sed -n -e '1!p' $INODE_DIR/$i | while read TGT; do
|
||||
D_TGT="$(echo $TGT | sed -e 's#\"#\"\"#g')"
|
||||
echo "rm \"$D_TGT\""
|
||||
echo "ln \"$D_SRC\" \"$D_TGT\""
|
||||
done
|
||||
LN_CNT=`cat $INODE_DIR/$i | wc -l`
|
||||
# Set the links count
|
||||
echo "sif $SRC links_count $LN_CNT"
|
||||
echo "sif \"$D_SRC\" links_count $LN_CNT"
|
||||
done
|
||||
rm -fr $INODE_DIR
|
||||
} | $DEBUGFS -w -f - $DEVICE
|
||||
} | $DEBUGFS -w -f - $DEVICE 2>&1 1>/dev/null | grep '.*: .*'
|
||||
|
||||
if [ $? = 0 ]; then
|
||||
echo "Some error occured while executing [$DEBUGFS -w -f - $DEVICE]"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
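Review bot: The quote-doubling added for debugfs runs on an unquoted expansion, `echo $FILE | sed -e 's#\"#\"\"#g'`, so the shell word-splits and glob-expands the name before sed sees it. A name with consecutive spaces, a tab or a `*` then yields a `D_FILE` that no longer matches the file on disk. The same form is used for `D_DIR`, `D_TGT`, `D_LINK_TGT` and, in the hard-link loop, `D_SRC`. Quoting the input keeps the name intact, e.g. `D_FILE="$(printf '%s\n' "$FILE" | sed -e 's#\"#\"\"#g')"`. Separately, the new `grep '.*: .*'` check only looks at the text debugfs prints on stderr, so its exit status is still never inspected.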
@@ -39,3 +39,5 @@ libtoolcross_sysroot_preprocess () {
|
||||
}
|
||||
|
||||
SSTATE_SCAN_FILES += "libtoolize *-libtool"
|
||||
|
||||
export CONFIG_SHELL="/bin/bash"
|
||||
|
||||
@@ -22,3 +22,4 @@ do_install () {
|
||||
install -m 0755 ${HOST_SYS}-libtool ${D}${bindir}/${HOST_SYS}-libtool
|
||||
}
|
||||
|
||||
export CONFIG_SHELL="/bin/bash"
|
||||
|
||||
@@ -51,6 +51,7 @@ FILES_update-alternatives-cworth = "${bindir}/update-alternatives"
|
||||
FILES_libopkg-dev = "${libdir}/*.la ${libdir}/*.so ${includedir}/libopkg"
|
||||
FILES_libopkg-staticdev = "${libdir}/*.a"
|
||||
FILES_libopkg = "${libdir}/*.so.* ${OPKGLIBDIR}/opkg/"
|
||||
FILES_${PN} += "${systemd_unitdir}/system/"
|
||||
|
||||
do_install_append() {
|
||||
# We need to create the lock directory
|
||||
|
||||
@@ -26,7 +26,7 @@ FILES_${PN}-cron = "${sysconfdir}/cron.daily ${sysconfdir}/default"
|
||||
|
||||
PACKAGES =+ "${PN}-cron"
|
||||
|
||||
SRC_URI = "git://git.yoctoproject.org/prelink-cross.git \
|
||||
SRC_URI = "git://git.yoctoproject.org/prelink-cross.git;branch=cross_prelink \
|
||||
file://prelink.conf \
|
||||
file://prelink.cron.daily \
|
||||
file://prelink.default \
|
||||
|
||||
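--- a/meta/recipes-devtools/rpm/rpm/rpm-verify-files.patch
+++ b/meta/recipes-devtools/rpm/rpm/rpm-verify-files.patch
@@ -0,0 +1,22 @@
+lib/verify.c: Fix rpm -V file processing
+
+rpm -V should verify the md5sum and other values on individual files.
+A logic error in the query for GHOST files prevented this from working.
+
+[ Upstream-Status: Submitted ]
+
+Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
+
+Index: rpm-5.4.9/lib/verify.c
+===================================================================
+--- rpm-5.4.9.orig/lib/verify.c
++++ rpm-5.4.9/lib/verify.c
+@@ -587,7 +587,7 @@ uint32_t fc = rpmfiFC(fi);
+
+/* If not verifying %ghost, skip ghost files. */
+/* XXX the broken!!! logic disables %ghost queries always. */
+- if (!(FF_ISSET(qva->qva_fflags, GHOST) && FF_ISSET(fflags, GHOST)))
++ if (!(FF_ISSET(qva->qva_fflags, GHOST)) && FF_ISSET(fflags, GHOST))
+continue;
+
+/* Gather per-file data into a carrier. */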
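Review bot: The context line `/* XXX the broken!!! logic disables %ghost queries always. */` stays directly above the corrected condition and now describes the bug this patch removes. Since the embedded hunk already touches that block, I would delete that line in the same patch and leave only `/* If not verifying %ghost, skip ghost files. */`, which matches the new test. Otherwise the next reader of lib/verify.c may assume per-file verification is still being skipped. The enclosing loop begins and ends outside the hunk.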
|
||||
@@ -89,6 +89,7 @@ SRC_URI = "http://www.rpm5.org/files/rpm/rpm-5.4/rpm-5.4.9-0.20120508.src.rpm;ex
|
||||
file://debugedit-valid-file-to-fix-segment-fault.patch \
|
||||
file://rpm-platform-file-fix.patch \
|
||||
file://rpm-lsb-compatibility.patch \
|
||||
file://rpm-verify-files.patch \
|
||||
"
|
||||
|
||||
# Uncomment the following line to enable platform score debugging
|
||||
|
||||
@@ -9,13 +9,16 @@ as well."
|
||||
LICENSE = "GPLv2"
|
||||
LIC_FILES_CHKSUM = "file://COPYING;md5=d7810fab7487fb0aad327b76f1be7cd7"
|
||||
|
||||
PR = "r8"
|
||||
PR = "r9"
|
||||
|
||||
require perf-features.inc
|
||||
|
||||
BUILDPERF_libc-uclibc = "no"
|
||||
|
||||
TUI_DEPENDS = "${@perf_feature_enabled('perf-tui', 'libnewt', '',d)}"
|
||||
# gui support was added with kernel 3.6.35
|
||||
# since 3.10 libnewt was replaced by slang
|
||||
# to cover a wide range of kernel we add both dependencies
|
||||
TUI_DEPENDS = "${@perf_feature_enabled('perf-tui', 'libnewt slang', '',d)}"
|
||||
SCRIPTING_DEPENDS = "${@perf_feature_enabled('perf-scripting', 'perl python', '',d)}"
|
||||
|
||||
DEPENDS = "virtual/kernel \
|
||||
@@ -27,9 +30,6 @@ DEPENDS = "virtual/kernel \
|
||||
bison flex \
|
||||
"
|
||||
|
||||
SCRIPTING_RDEPENDS = "${@perf_feature_enabled('perf-scripting', 'perl perl-modules python', '',d)}"
|
||||
RDEPENDS_${PN} += "elfutils bash ${SCRIPTING_RDEPENDS}"
|
||||
|
||||
PROVIDES = "virtual/perf"
|
||||
|
||||
inherit linux-kernel-base kernel-arch pythonnative
|
||||
@@ -109,7 +109,7 @@ do_install() {
|
||||
unset CFLAGS
|
||||
oe_runmake DESTDIR=${D} install
|
||||
# we are checking for this make target to be compatible with older perf versions
|
||||
if [ "${@perf_feature_enabled('perf-scripting', 1, 0, d)}" = "1" -a $(grep install-python_ext ${S}/tools/perf/Makefile) = "0"]; then
|
||||
if [ "${@perf_feature_enabled('perf-scripting', 1, 0, d)}" = "1" -a $(grep install-python_ext ${S}/tools/perf/Makefile) = "0" ]; then
|
||||
oe_runmake DESTDIR=${D} install-python_ext
|
||||
fi
|
||||
}
|
||||
@@ -124,6 +124,18 @@ python do_package_prepend() {
|
||||
|
||||
PACKAGE_ARCH = "${MACHINE_ARCH}"
|
||||
|
||||
FILES_${PN} += "${libexecdir}/perf-core"
|
||||
PACKAGES =+ "${PN}-archive ${PN}-tests ${PN}-perl ${PN}-python"
|
||||
|
||||
RDEPENDS_${PN} += "elfutils"
|
||||
RDEPENDS_${PN}-archive =+ "bash"
|
||||
RDEPENDS_${PN}-python =+ "bash python"
|
||||
RDEPENDS_${PN}-perl =+ "bash perl perl-modules"
|
||||
|
||||
RSUGGESTS_SCRIPTING = "${@perf_feature_enabled('perf-scripting', '${PN}-perl ${PN}-python', '',d)}"
|
||||
RSUGGESTS_${PN} += "${PN}-archive ${PN}-tests ${RSUGGESTS_SCRIPTING}"
|
||||
|
||||
FILES_${PN}-dbg += "${libdir}/python*/site-packages/.debug"
|
||||
FILES_${PN} += "${libdir}/python*/site-packages"
|
||||
FILES_${PN}-archive = "${libdir}/perf/perf-core/perf-archive"
|
||||
FILES_${PN}-tests = "${libdir}/perf/perf-core/tests"
|
||||
FILES_${PN}-python = "${libdir}/python*/site-packages ${libdir}/perf/perf-core/scripts/python"
|
||||
FILES_${PN}-perl = "${libdir}/perf/perf-core/scripts/perl"
|
||||
|
||||
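Review bot: The `install-python_ext` test in `do_install` still cannot evaluate as intended after the missing space before `]` is fixed. `$(grep install-python_ext ${S}/tools/perf/Makefile)` expands to the matching Makefile lines, or to nothing, not to a status, so comparing it with `"0"` either gives `[` a malformed expression or is never true. Testing grep's exit status matches what the comment above the line describes: `if [ "${@perf_feature_enabled('perf-scripting', 1, 0, d)}" = "1" ] && grep -q install-python_ext ${S}/tools/perf/Makefile; then`. As written, the failing test just skips `install-python_ext` without any message, which may leave the new `${PN}-python` package without its site-packages content.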
@@ -11,7 +11,7 @@ SRC_URI = "git://git.videolan.org/x264.git \
|
||||
file://don-t-default-to-cortex-a9-with-neon.patch \
|
||||
"
|
||||
|
||||
SRCREV = "585324fee380109acd9986388f857f413a60b896"
|
||||
SRCREV = "ffc3ad4945da69f3caa2b40e4eed715a9a8d9526"
|
||||
|
||||
PV = "r2265+git${SRCPV}"
|
||||
|
||||
|
||||
@@ -37,6 +37,12 @@ FILES_pam-plugin-ck-connector += "${base_libdir}/security/*.so"
|
||||
RDEPENDS_pam-plugin-ck-connector += "${PN}"
|
||||
|
||||
do_install_append() {
|
||||
if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
|
||||
install -d ${D}${sysconfdir}/tmpfiles.d
|
||||
echo "d ${localstatedir}/log/ConsoleKit - - - -" \
|
||||
> ${D}${sysconfdir}/tmpfiles.d/consolekit.conf
|
||||
fi
|
||||
|
||||
# Remove /var/run from package as console-kit-daemon will populate it on startup
|
||||
rm -fr "${D}${localstatedir}/run"
|
||||
}
|
||||
|
||||
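--- a/meta/recipes-support/gnutls/gnutls/CVE-2014-3466.patch
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2014-3466.patch
@@ -0,0 +1,30 @@
+From fcf3745f1d03c4a97e87ef4341269c645fdda787 Mon Sep 17 00:00:00 2001
+From: Valentin Popa <valentin.popa@intel.com>
+Date: Thu, 5 Jun 2014 11:50:11 +0300
+Subject: [PATCH] CVE-2014-3466
+
+Prevent memory corruption due to server hello parsing.
+
+Upstream-Status: Backport
+
+Signed-off-by: Valentin Popa <valentin.popa@intel.com>
+---
+lib/gnutls_handshake.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
+index e4a63e4..e652528 100644
+--- a/lib/gnutls_handshake.c
++++ b/lib/gnutls_handshake.c
+@@ -1797,7 +1797,7 @@ _gnutls_read_server_hello (gnutls_session_t session,
+DECR_LEN (len, 1);
+session_id_len = data[pos++];
+
+- if (len < session_id_len)
++ if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE)
+{
+gnutls_assert ();
+return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
+--
+1.9.1
+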
@@ -8,6 +8,7 @@ SRC_URI += "file://gnutls-openssl.patch \
|
||||
file://avoid_AM_PROG_MKDIR_P_warning_error_with_automake_1.12.patch \
|
||||
file://CVE-2014-1959-rejection-of-v1-intermediate-cert.patch \
|
||||
file://CVE-2014-0092-corrected-return-codes.patch \
|
||||
file://CVE-2014-3466.patch \
|
||||
file://25_updatedgdocfrommaster.diff \
|
||||
${@['', 'file://fix-gettext-version.patch'][bb.data.inherits_class('native', d) or (not ((d.getVar("INCOMPATIBLE_LICENSE", True) or "").find("GPLv3") != -1))]} \
|
||||
"
|
||||
|
||||