da75a9aaf0
http://bugs.python.org/issue21529 Python 2 and 3 are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The sole prerequisites of this attack are that the attacker is able to control or influence the two parameters of the default scanstring function: the string to be decoded and the index. The bug is caused by allowing the user to supply a negative index value. The index value is then used directly as an index to an array in the C code; internally the address of the array and its index are added to each other in order to yield the address of the value that is desired. However, by supplying a negative index value and adding this to the address of the array, the processor's register value wraps around and the calculated value will point to a position in memory which isn't within the bounds of the supplied string, causing the function to access other parts of the process memory. (From OE-Core rev: 9ec213bf67afbdfdbe25802ec86487bb22aeb2e4) Signed-off-by: Benjamin Peterson <benjamin@python.org> Applied to python-native recipe in order to fix the above mentioned vulnerability. Upstream-Status: Submitted Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Poky
Poky is an integration of various components to form a complete prepackaged build system and development environment. It features support for building customised embedded device style images. There are reference demo images featuring a X11/Matchbox/GTK themed UI called Sato. The system supports cross-architecture application development using QEMU emulation and a standalone toolchain and SDK with IDE integration.
Additional information on the specifics of hardware that Poky supports is available in README.hardware. Further hardware support can easily be added in the form of layers which extend the systems capabilities in a modular way.
As an integration layer Poky consists of several upstream projects such as BitBake, OpenEmbedded-Core, Yocto documentation and various sources of information e.g. for the hardware support. Poky is in turn a component of the Yocto Project.
The Yocto Project has extensive documentation about the system including a reference manual which can be found at: http://yoctoproject.org/documentation
OpenEmbedded-Core is a layer containing the core metadata for current versions of OpenEmbedded. It is distro-less (can build a functional image with DISTRO = "nodistro") and contains only emulated machine support.
For information about OpenEmbedded, see the OpenEmbedded website: http://www.openembedded.org/
Where to Send Patches
As Poky is an integration repository, patches against the various components should be sent to their respective upstreams.
bitbake: bitbake-devel@lists.openembedded.org
meta-yocto: poky@yoctoproject.org
Most everything else should be sent to the OpenEmbedded Core mailing list. If in doubt, check the oe-core git repository for the content you intend to modify. Before sending, be sure the patches apply cleanly to the current oe-core git repository. openembedded-core@lists.openembedded.org
Note: The scripts directory should be treated with extra care as it is a mix of oe-core and poky-specific files.