Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
unzip 6.0 allows remote attackers to cause a denial of service
(out-of-bounds read or write and crash) via an extra field with
an uncompressed size smaller than the compressed field size in a
zip archive that advertises STORED method compression.
Buffer overflow in the charset_to_intern function in unix/unix.c in
Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code
via a crafted string, as demonstrated by converting a string from CP866
to UTF-8.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bruce Ashfield [Fri, 8 May 2015 03:36:15 +0000 (23:36 -0400)]
kernel-yocto: propagate in tree defconfigs to WORKDIR
As reported by Steffen Pankratz <Steffen.Pankratz@elektrobit.com>, the
previous logic of KBUILD_DEFCONFIG processing would not propagate an in
tree defconfig to WORKDIR if one was not already present.
We fix the propagation by copying the in tree config if a defconfig is
not already in WORKDIR.
Additionally we only warn (versus copying) if an in tree configuration
is specified, is different than the WORKDIR version and isn't copied.
Bruce Ashfield [Fri, 8 May 2015 03:36:14 +0000 (23:36 -0400)]
linux-yocto: fix race between checkout and meta data generation
There are two tasks that must run before a linux-yocto kernel is built.
- Kernel checkout and relocation to work-shared (kernel_checkout)
- Meta data gathering and configuration prep (kernel_metadata)
The current task definitions for both are simply "before do_patch",
which is correct, but kernel_checkout must run before and not race with
kernel_metadata.
So we set the definition of kernel_checkout to be more specific and
enforce the proper ordering.
Ed Bartosh [Wed, 6 May 2015 20:28:39 +0000 (23:28 +0300)]
kernel.bbclass: Fix race condition
Race condition between do_compile_kernelmodules and do_shared_workdir
tasks occurs when do_compile_kernelmodules changes files in
include/generated/* while do_shared_workdir tries to copy them to
shared working directory.
Fixed race by moving do_shared_workdir after do_compile but before
do_compile_kernelmodules.
Mike Crowe [Thu, 30 Apr 2015 15:51:13 +0000 (16:51 +0100)]
libcap: Avoid passing "-e" to make
oe-core 51540b64f62234c145fc32cfa3fbbaaebbeece08 altered libcap.inc (at the
time) to append to EXTRA_OEMAKE rather than assign to it. The default value
for EXTRA_OEMAKE contains "-e". This means that the change caused "-e" to
be passed to make for the first time.
Unfortunately passing "-e" subtly changes the behaviour of libcap's
Make.Rules under recursive make when prefix="" (which it is for us since
we're using meta-micro.)
Without "-e" the prefix comes from the command line in both the parent and
submakes. This takes precedence over any attempt to reassign it with a
simple "=" operation so the headers are correctly installed in (empty
string)/include.
With "-e" the prefix still comes from the command line in the parent make
but from the environment in the submake. The attempt to assign it fails in
the parent make as before, but not in the submake so the headers are
installed incorrectly in /usr/include.
In all four cases the "ifdef prefix" else clause is executed.
So, let's assign EXTRA_OEMAKE in order to avoid using "-e" at all.
Roy Li [Tue, 28 Apr 2015 06:22:54 +0000 (14:22 +0800)]
elfutils: Security Advisory - CVE-2015-0255
Directory traversal vulnerability in the read_long_names function in
libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers
to write to arbitrary files to the root directory via a / (slash) in a
crafted archive, as demonstrated using the ar program.
Robert Yang [Tue, 28 Apr 2015 03:43:27 +0000 (20:43 -0700)]
openssl: remove 3 patches
Removed:
- openssl-avoid-NULL-pointer-dereference-in-dh_pub_encode.patch
- upgate-vegsion-script-for-1.0.2.patch
Since they are already in the source.
- make-targets.patch
It removed test dir from DIRS, which is not needed any more since we
need to build it.
Robert Yang [Wed, 29 Apr 2015 09:09:18 +0000 (02:09 -0700)]
python-numpy: remove 2 dangling patches
Removed:
- unbreak-assumptions.diff
This patch changes the dir to /non-existant-dir, the source code has
changed the dir to /deadir, so it is not needed any more.
- trycompile.diff
There is no try_compile or try_run in numpy/core/setup.py any more, so
assumed that it is not needed.
Patrick Ohly [Wed, 20 May 2015 11:48:20 +0000 (13:48 +0200)]
combo-layer: handle unset dest_dir in sanity_check()
The previous "clean up dest_dir checking" patch (f8cdbe7497) improved
handling of empty dest_dir but made handling of unset dest_dir worse:
instead of showing the "Option dest_dir is not defined for component ..."
error, it fails with a Python exception.
Avoid that by providing a sane fallback for the unset case. With that
change, dest_dir is no longer strictly required, but the check for it
is kept to ensure that a combo-layer.conf also works with older
combo-layer versions.
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Patrick Ohly [Fri, 8 May 2015 12:37:30 +0000 (14:37 +0200)]
combo-layer: improve merge commit handling
When the head of a branch is a merge commit, combo-layer did not
record that commit as last_revision because it only considers applied
patches, and the merge commit never gets applied.
This causes problems when the merge commit leads to multiple patches
and the commit id that gets recorded only reaches some of these
patches. The next run then will try to re-apply the other patches.
This special case is now detected and dealt with by bumping
last_revision to the branch commit. The behavior where the head is a
normal commit is intentionally not changed, because some users might
prefer the traditional behavior.
Created separate group of hardlinks for the files inside
the same package. This should prevent stripped files from being
populated outside of package directories.
This turns out not to be straightforward and has overlap with the
other hardlink handling code in this area. The code is condensed
into a more concise and documented form.
There is no reason to build sed for the host, however now:
ERROR: Nothing RPROVIDES 'sed-native' (but virtual:native:/OE/sources/openembedded-core/meta/recipes-extended/groff/groff_1.22.2.bb RDEPENDS on or otherwise requires it)
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If shadow is installed, sulogin from busybox cannot work correctly because
it still assumes that /etc/shadow is not there. This leads to the problem
when booting into rescue mode in an image with shadow installed but not
sulogin from util-linux.
To fix this problem, we add 'util-linux-sulogin' to RDEPENDS of shadow.
This runtime dependency is specific to OE, because we have to ensure
that sulogin can work correctly and sulogin from busybox cannot because
FEATURE_SHADOWPASSWORDS is not enabled by default. And we cannot enable
it by default for busybox, because that would lead to utilities in busybox
to assume the existence of /etc/shadow which is not always true in OE.
Richard Purdie [Tue, 28 Apr 2015 10:51:12 +0000 (11:51 +0100)]
autotools: Fix find races on source directory
In a similar way to http://git.yoctoproject.org/cgit.cgi/poky/commit/?id=aa1438b56f30515f9c31b306decef7f562dda81f
there are more find races in the autotools class.
For recipes with PACKAGES_remove = "${PN}", the find which removes
.la files can race against deletion of other directories in WORKDIR
e.g.:
find: '/home/autobuilder/yocto-autobuilder/yocto-worker/nightly-oe-selftest/build/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0-r7/sstate-build-populate_lic': No such file or directory
| WARNING: /home/autobuilder/yocto-autobuilder/yocto-worker/nightly-oe-selftest/build/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0-r7/temp/run.do_configure.6558:1 exit 1 from
| find /home/autobuilder/yocto-autobuilder/yocto-worker/nightly-oe-selftest/build/build/tmp/work/qemux86_64-poky-linux/init-ifupdown/1.0-r7 -name \*.la -delete
bdfReadCharacters: ensure metrics fit into xCharInfo struct
We use 32-bit ints to read from the bdf file, but then try to stick
into a 16-bit int in the xCharInfo struct, so make sure they won't
overflow that range.
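The range check described in this commit message, written out as an added example; it is not the libXfont patch. The struct is a simplified stand-in for xCharInfo, the function names are hypothetical, and the mapping from the BDF DWIDTH/BBX values to bearings, ascent and descent is the conventional one, assumed here. It goes slightly further than the message by also rejecting derived values that leave the 16-bit range.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for xCharInfo (assumption): each metric is 16 bits. */
struct char_metrics {
    int16_t left_side_bearing, right_side_bearing, character_width;
    int16_t ascent, descent;
};

enum { BDF_OK = 0, BDF_SYNTAX = -1, BDF_RANGE = -2 };

/* Read exactly n decimal integers that follow `keyword` on `line`. */
static int read_ints(const char *line, const char *keyword, long *out, int n)
{
    size_t klen = strlen(keyword);
    const char *p;
    char *end;
    if (strncmp(line, keyword, klen) != 0 || line[klen] != ' ')
        return BDF_SYNTAX;
    p = line + klen;
    for (int i = 0; i < n; i++) {
        errno = 0;
        out[i] = strtol(p, &end, 10);
        if (end == p)
            return BDF_SYNTAX;   /* fewer than n numbers on the line */
        if (errno == ERANGE)
            return BDF_RANGE;    /* does not even fit in a long */
        p = end;
    }
    return BDF_OK;
}

static int fits_int16(long v) { return v >= INT16_MIN && v <= INT16_MAX; }

/* Turn one glyph's DWIDTH and BBX lines into 16-bit metrics, or refuse. */
int bdf_char_metrics(const char *dwidth_line, const char *bbx_line,
                     struct char_metrics *out)
{
    long dw[2], bbx[4];
    int rc;
    if ((rc = read_ints(dwidth_line, "DWIDTH", dw, 2)) != BDF_OK)
        return rc;
    if ((rc = read_ints(bbx_line, "BBX", bbx, 4)) != BDF_OK)
        return rc;
    long bw = bbx[0], bh = bbx[1], bl = bbx[2], bb = bbx[3];
    if (bw < 0 || bh < 0)
        return BDF_SYNTAX;
    /* Check the raw values first so the sums below cannot overflow. */
    if (!fits_int16(dw[0]) || !fits_int16(bw) || !fits_int16(bh) ||
        !fits_int16(bl) || !fits_int16(bb))
        return BDF_RANGE;
    /* Derived metrics can leave the range even when every input fits. */
    long rsb = bl + bw, ascent = bh + bb, descent = -bb;
    if (!fits_int16(rsb) || !fits_int16(ascent) || !fits_int16(descent))
        return BDF_RANGE;
    out->left_side_bearing = (int16_t)bl;
    out->right_side_bearing = (int16_t)rsb;
    out->character_width = (int16_t)dw[0];
    out->ascent = (int16_t)ascent;
    out->descent = (int16_t)descent;
    return BDF_OK;
}

int main(void)
{
    struct char_metrics m;
    /* Constructed input: 70000 does not fit in 16 bits, so this prints -2. */
    printf("%d\n", bdf_char_metrics("DWIDTH 70000 0", "BBX 8 16 0 -4", &m));
    return 0;
}
```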
Alexander Cherepanov discovered that bsdcpio, an implementation of the "cpio"
program part of the libarchive project, is susceptible to a directory
traversal vulnerability via absolute paths.
An out of bounds read access in the UTF-8 decoding can be triggered with
a malformed file in the tool less. The access happens in the function
is_utf8_well_formed due to a truncated multibyte character in the sample
file.
The bug does not crash less, it can only be made visible by running less
with valgrind or compiling it with Address Sanitizer.
Version 475 of less contains a fix for this issue. The file version.c
contains some entry mentioning this issue (without any credit):
- v475 3/2/15 Fix possible buffer overrun with invalid UTF-8
The fix is in the file line.c. We derive this patch from:
Robert Yang [Thu, 23 Apr 2015 09:15:20 +0000 (02:15 -0700)]
kernel-devsrc: depends on virtual/kernel:do_install
The linux-yocto.inc may remove the meta dir:
    do_install_append(){
        if [ -n "${KMETA}" ]; then
            rm -rf ${STAGING_KERNEL_DIR}/${KMETA}
        fi
    }
Which may cause the error:
[snip]
find: `./meta/cfg/kernel-cache/bsp/altera-socfpga/0073-FogBugz-116676-Align-clk.c-with-kernel.org.patch': No such file or directory
find: `./meta/cfg/kernel-cache/bsp/altera-socfpga/0047-FogBugz-90657-Fix-SD-MMC-driver-for-VT.patch': No such file or directory
find: `./meta/cfg/kernel-cache/bsp/altera-socfpga/0006-spi-qspi-cadence-Add-spi-and-qspi-driver.patch': No such file or directory
[snip]
cpio: ./meta/scripts/kgit-config-cleaner: Cannot stat: No such file or directory
cpio: ./meta/scripts/kgit-s2q: Cannot stat: No such file or directory
cpio: ./meta/scripts/kgit-clean: Cannot stat: No such file or directory
[snip]
Robert Yang [Thu, 23 Apr 2015 09:15:19 +0000 (02:15 -0700)]
gnu-efi: fix parallel issue
Fixed:
Assembler messages:
Fatal error: can't create runtime/rtlock.o: No such file or directory
Assembler messages:
Fatal error: can't create runtime/rtdata.o: No such file or directory
Assembler messages:
Fatal error: can't create runtime/vm.o: No such file or directory
Assembler messages:
Fatal error: can't create runtime/efirtlib.o: No such file or directory
Ken Sharp [Tue, 21 Apr 2015 15:35:45 +0000 (10:35 -0500)]
udev-cache: improve error handling
If an error occurs while the udev cache is being populated, the system
is left in a state where udev is stopped. Remedy this with a clean up
function to restart udev and remove any intermediate files.
Signed-off-by: Ken Sharp <ken.sharp@ni.com>
Reviewed-by: Ben Shelton <ben.shelton@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Tue, 21 Apr 2015 13:01:55 +0000 (14:01 +0100)]
mkefidisk.sh: fix hanging on non-writeable device
If cleanup() is called early on, as happens when the device isn't
writeable, then none of the mount point variables are set; thus the
script was calling grep with only one argument and appeared to hang
since it was waiting for input on stdin.
Bruno Bottazzini [Wed, 22 Apr 2015 17:01:10 +0000 (14:01 -0300)]
systemd 219 -> systemd 219-stable
The upstream systemd git repo only contains the main systemd branch that
progresses at a quick pace, continuously bringing both bugfixes and new features.
Distributions usually prefer basing their releases on stabilized versions
that receive the bugfixes but not the features.
This task is meaningless for uninative-tarball as the package task
has been deleted. Besides, sometimes it would cause problems. To
reproduce, use the following command.
0001-su.c-fix-to-exec-command-correctly.patch is removed. Below is the reason.
This patch is introduced to solve the 'su: applet not found' problem when
executing `su -l xxx -c env'. The patch references codes of previous release
of shadow. However, this patch introduces bug#5359. So it's not correct.
Let's first look at the root cause of 'su: applet not found' problem.
This problem appears when /bin/sh is provided by busybox.
When executing `su -l xxx -c env' command, the following function is invoked.
execve("/bin/sh", ["-su", "-c", "env"], [/* 6 vars */])
Note that the argv[0] provided to new executable file (/bin/sh) is "-su".
As /bin/sh is a symlink to /bin/busybox, it's /bin/busybox that is executed.
In busybox's appletlib.c, it would examine argv[0], try to find an applet
that has the same name, and then try to execute the main function of the
applet. This logic results in `su' applet from busybox to be executed.
However, we default to set 'BUSYBOX_SPLIT_SUID' to "1", so 'su' is not found.
Furthermore, even if we set 'BUSYBOX_SPLIT_SUID' to "0" so that the 'su' applet
is found, the whole behaviour is still not correct. Because 'su' from shadow
takes higher priority than that from busybox, so 'su' from busybox should never
be executed on such system unless it's specified clearly by the end user.
The logic of busybox's appletlib.c is totally correct from the point of busybox
itself. It's an integration problem.
To solve the above problem, this patch comments out SU_NAME in /etc/login.defs
so that the final function executed in shadow's su is as below.
execve("/bin/sh", ["-sh", "-c", "env"], [/* 6 vars */])
ghostscript application fails to fetch objarch.h file while building for armeb.
The fetch failure is due to absence of this file in the default set of
directories that the OpenEmbedded build system searches (i.e. FILESPATH)
for patches and files. This patch adds the required objarch.h file for
armeb in one of the default locations where OpenEmbedded build system searches.
Most of the time we shouldn't be downloading anything within the
extensible SDK (since it's all pre-built and we have the sstate
artifacts) therefore there's really no need for a connectivity
check, in fact it may just get in the way.
Paul Eggleton [Mon, 20 Apr 2015 16:47:05 +0000 (17:47 +0100)]
devtool: force use of bash when running build within extensible SDK
Ubuntu's default dash shell causes oe-init-build-env to behave a bit
differently - (a) it can't pick up the OE root directory and (b) it
can't see any build directory specified as a command-line argument
(since dash doesn't pass through any arguments specified to sourced
scripts). We could work around these but doing so requires some internal
knowledge of the script; a much simpler fix is just to force running the
command under bash since it's expected to be installed on every distro.
Thanks to Chen Qi <Qi.Chen@windriver.com> for this fix.
u-boot.inc: make sure all counter variables are properly unset
The script does "i == j" checks to retrieve the config <-> type pairs from
the UBOOT_MACHINE and UBOOT_CONFIG lists. This check however requires both
j and i to be initially unset. Ensure this by explicitly unsetting i.
This fixes broken u-boot SPL installations with SolidRun machines
(the SPL wasn't being installed and deployed.)
After selecting the "install" gummiboot option of a Live image we are
seeing boot failure resulting from the gummiboot entries not being
installed correctly. This seems to be a problem in this init-install-efi.sh
script where it incorrectly installs the gummiboot entries into the root
filesystem, not the boot partition. We fix it by installing the entries in
the boot partition.
Andre McCurdy [Wed, 15 Apr 2015 02:53:53 +0000 (19:53 -0700)]
busybox: remove CVE-2014-9645 patch (already upstream in 1.23.x)
The CVE-2014-9645 fix was merged in Busybox prior to the 1.23.0
release [1]. The fix was then reworked in Busybox 1.23.1, in such
a way that the original change was no longer required [2].
Although oe-core's CVE-2014-9645 patch still applies cleanly to
Busybox 1.23.1 and 1.23.2, applying it partially reverts the second
version of the upstream fix.
Some lsb packages depend on correct lsb-core-ARCH package being
installed (or rather provided) on the target file system. Provide this
package name by main lsb package.
Jukka Rissanen [Wed, 8 Apr 2015 11:36:19 +0000 (14:36 +0300)]
connman: Create connman.service at proper moment
ConnMan commit ac332c5d01b0737c18cb58c8ccc67cf6b0427e1d changes
how the connman.service file is created from .in file. After
that commit, the file is created by Makefile instead of configure.
This means that we need to tweak the service file in compile
time instead of configure time because the generated file will not
be there after the configuration.
This commit can be used even with older ConnMan version as the
connman.service file is there when the compilation happens.
Martin Jansa [Wed, 8 Apr 2015 12:40:44 +0000 (14:40 +0200)]
tzdata: fix postinst
* add quotes around possibly empty tz variable
* use exit instead of return, because we're not in function and postinst
fails:
line 9: return: can only `return' from a function or sourced script"
Martin Jansa [Wed, 8 Apr 2015 12:40:45 +0000 (14:40 +0200)]
pango: fix postinst
* merge postinst_prologue with the append in the do_split_packages call
Now we can call correct pango-querymodules binary and respect D
variable, otherwise we're trying to regenerate it on host which fails:
pango-module-basic-fc.postinst: line 17: /usr/bin/pango-querymodules:
No such file or directory
dpkg: add triplet entry to fix build error for armeb
Cross-compiling dpkg application for armeb fails with below error
during configure task,
(snip)
configure:23141: checking dpkg cpu type
configure:23148: result: armeb
configure:23150: WARNING: armeb not found in cputable
configure:23162: checking dpkg operating system type
configure:23169: result: linux-gnueabi
configure:23171: WARNING: linux-gnueabi not found in ostable
configure:23183: checking dpkg architecture name
configure:23189: error: cannot determine host dpkg architecture
-- CUT --
Add the required combination of "gnueabi-linux-armeb" entry in
triplet list.
gst-ffmpeg: remove bogus patch that leads to build failures
'0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch'
patches the internal copy of ffmpeg with a hunk that generates a compile
failure because AV_PIX_FMT_YUV422P is undefined.
Andre McCurdy [Mon, 6 Apr 2015 18:13:20 +0000 (11:13 -0700)]
libpcap.inc: remove obsolete libnl1 PACKAGECONFIG
There's no libnl1 recipe in oe-core (or any other layer in the layer
index).
Keeping the libnl1 PACKAGECONFIG is likely to cause problems for the
libnl PACKAGECONFIG since libnl and libnl1 both use --with-libnl and
--without-libnl.
Olivier Fourdan from Red Hat has discovered a protocol handling issue in
the way the X server code base handles the XkbSetGeometry request, where
the server trusts the client to send valid string lengths. A malicious
client with string lengths exceeding the request length can cause the server
to copy adjacent memory data into the XKB structs. This data is then
available to the client via the XkbGetGeometry request. This can lead to
information disclosure issues, as well as possibly a denial of service if a
similar request can cause the server to crash (CVE-2015-0255).
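A simplified sketch of the length check this advisory is about, added here as an example and not taken from the X server source. The wire layout (16-bit little-endian length prefix, padding to a multiple of 4), the function names and the sample buffers are assumptions of the sketch; the "trusting" reader is the behaviour the advisory describes, the "checked" reader is the corrected form.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CS_OK = 0, CS_BAD_LENGTH = -1, CS_NOMEM = -2 };

/* Length prefix: 16-bit little-endian (byte order assumed for the sketch). */
static size_t wire_len(const uint8_t *p) { return (size_t)p[0] | ((size_t)p[1] << 8); }

/* Prefix plus string bytes, rounded up to a multiple of 4. */
static size_t padded_size(size_t len) { return (2 + len + 3) & ~(size_t)3; }

static int copy_out(const uint8_t *p, size_t len, char **out)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return CS_NOMEM;
    memcpy(s, p + 2, len);
    s[len] = '\0';
    *out = s;
    return CS_OK;
}

/* Before: believes the client's length and copies whatever follows. */
int get_string_trusting(const uint8_t **cursor, char **out)
{
    size_t len = wire_len(*cursor);
    int rc = copy_out(*cursor, len, out);
    if (rc == CS_OK)
        *cursor += padded_size(len);
    return rc;
}

/* After: the whole padded string must lie inside the request [cursor, end). */
int get_string_checked(const uint8_t **cursor, const uint8_t *end, char **out)
{
    size_t remaining = (size_t)(end - *cursor);
    if (remaining < 2)
        return CS_BAD_LENGTH;
    size_t len = wire_len(*cursor);
    if (padded_size(len) > remaining)
        return CS_BAD_LENGTH;
    int rc = copy_out(*cursor, len, out);
    if (rc == CS_OK)
        *cursor += padded_size(len);
    return rc;
}

/* Constructed sample: an 8-byte request that claims a 10-byte string. The
 * bytes after it stand in for unrelated memory next to the request. */
#define SAMPLE_REQUEST_LEN 8
const uint8_t sample_bad[16] = { 10, 0, 'n', 'a', 'm', 'e', 'x', 'y',
                                 'S', 'E', 'C', 'R', 'E', 'T', 0, 0 };
/* Constructed sample: a well-formed 8-byte request holding "namexy". */
const uint8_t sample_ok[8] = { 6, 0, 'n', 'a', 'm', 'e', 'x', 'y' };

int main(void)
{
    const uint8_t *cur = sample_bad;
    char *s = NULL;
    int rc = get_string_checked(&cur, sample_bad + SAMPLE_REQUEST_LEN, &s);
    printf("checked reader on oversized length: %d\n", rc);
    return 0;
}
```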
| Makefile:3352: recipe for target 'test/l2test.o' failed
| make[1]: *** [test/l2test.o] Error 1
| make[1]: *** Waiting for unfinished jobs....
| test/rctest.c:82:12: error: 'encrypt' redeclared as different kind of
symbol
| static int encrypt = 0;
| ^
| In file included from test/rctest.c:33:0:
Matt Madison [Sat, 4 Apr 2015 18:04:58 +0000 (11:04 -0700)]
shadow: split files needed for PAM use into separate package
The rootfs creator automatically removes shadow for read-only
root filesystems, which breaks use of PAM plugins for login and
other process identity management utilities. Package those programs
and config files separately, so they don't get removed.
python: Change python 2.7.9 to use libffi from the system
Changes in python 2.7.9 from 2.7.3 cause issues when building the in
tree libffi for ctypes. These issues primarily affect less common
platforms (e.g. MicroBlaze) that are supported by libffi but the python
overrides for the in tree libffi are not able to detect correctly.
This patch changes the python 2.7.9 recipe to match how the python 3
recipe handles libffi by configuring the build to use the system
libffi. This brings consistency between the libffi used for different
python versions as well as with the system.
oe.sstatesig: align swspec handling with sstate.bbclass
The logic tries to remove the -native suffix from pn to handle this (though it
doesn't succeed, as it doesn't assign the new pn to the variable), but we need
to do more for the swspec tasks than just not set the extrapath, we also need
to change from SSTATE_PKGSPEC to SSTATE_SWSPEC. Alter to correct the spec for
these cases, and also add preconfigure to align with the current logic in
sstate.bbclass, which includes that task as well in the list of tasks to
adjust to use swspec.
uclibc: fix undefinition of '_dl_strchr' in libdl.a
The orign_path.patch introduced '_dl_strchr' in ldso/ldso/dl-elf.c, and
caused the following undefined referencing compiling error:
| .../libdl.a(libdl.os): In function `search_for_named_library':
| .../dl-elf.c:156: undefined reference to `_dl_strchr'
| collect2: error: ld returned 1 exit status
I found this problem when compiling gdb in static mode using uclibc.
So, add the definition of '_dl_strchr' to fix it. The '_dl_strstr' is
added as well.
And I regenerated a patch to replace the original one.
Joe Slater [Thu, 2 Apr 2015 18:41:54 +0000 (11:41 -0700)]
nss: generate debug info
Because the build of nss seems to ignore CFLAGS, we never
have put source code in the -dbg package. We do not address
the CFLAGS issue, but we do add -g to the definition of CC
so that we will generate debug info.
We also let package.bbclass populate the -dbg package instead
of forcing the contents locally.
Jun Zhu [Fri, 3 Apr 2015 14:34:09 +0000 (22:34 +0800)]
meta/lib/oe/utils.py: Corrected the return value of both_contain()
oe.utils.both_contain() should return the result as "checkvalue" or "",
but the latest implementation returns "set(['checkvalue'])" or "";
It causes that bitbake.conf generates the wrong result of COMBINED_FEATURES,
which contains the common components in both DISTRO_FEATURE and MACHINE_FEATURES.
For example, build in Dizzy branch, COMBINED_FEATURES is "alsa usbhost ...",
but recently, COMBINED_FEATURES is like "set(['alsa']) set(['usbhost']) ...".
Martin Jansa [Tue, 21 Apr 2015 10:53:39 +0000 (12:53 +0200)]
image.bbclass: Allow to remove do_rootfs -> virtual/kernel:do_packagedata dependency
* this is causing dependency loops in some cases
e.g. linux-hp-tenderloin depends on initramfs-android-image, but
commit 41f0f86ec0a3e0b6f6c9bb4ef71a4215c00bf66c
Author: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Tue Jan 27 15:24:52 2015 +0000
Subject: image: Add missing depends on virtual/kernel for depmod data
adds also dependency between <image>.do_rootfs and virtual/kernel:do_packagedata
causing this dependency loop: