Yi Zhao [Wed, 5 Jun 2013 09:20:50 +0000 (17:20 +0800)]
kernel.bbclass: Fix link for modules-${MACHINE}.tgz
The modules-${MACHINE}.tgz should link to ${MODULE_TARBALL_BASE_NAME}.
But now it links to an invalid file ${MODULE_TARBALL_BASE_NAME}.bin.
Remove the extra .bin suffix.
[YOCTO #4595]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
Richard Purdie [Fri, 23 Aug 2013 09:02:21 +0000 (10:02 +0100)]
sstate: Fix the relative symlink replacement code
ant reported on irc that the sstate absolute to relative symlink creation
code wasn't working in klibc. He was correct although the level of breakage is
rather surprising since it only worked for one level of symlink (usr/include) with
everything else being broken.
The reason is probably that nothing really uses absolute paths, we use relative
paths where at all possible already. Nothing in the target sysroot should use
absolute paths for a start. In this regard, the klibc-dev package is broken and
needs fixing. It will currently break when building for one machine, then switching
to another of the same TUNE_PKGARCH and installing from sstate but that is a
separate issue.
This patch fixes the symlink creation code by firstly passing in the correct
value we need (where the symlink will end up) and seccondly, actually using it.
I've also tweaked the debug message to contain appropriate information and got
right of the double "//" value the existing code created in favour of the form
'./..' which looks neater.
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Ross Burton [Thu, 2 Oct 2014 10:31:54 +0000 (11:31 +0100)]
bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Yue Tao [Mon, 19 May 2014 07:00:38 +0000 (15:00 +0800)]
openssl: fix for CVE-2010-5298
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Paul Eggleton [Mon, 9 Jun 2014 10:27:20 +0000 (11:27 +0100)]
openssl: fix CVE-2014-0224
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
SSL/TLS MITM vulnerability (CVE-2014-0224)
An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Paul Eggleton [Mon, 9 Jun 2014 10:23:28 +0000 (11:23 +0100)]
openssl: use upstream fix for CVE-2014-0198
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora,
which is the same as the patch which was actually applied upstream for
the issue, i.e.:
Paul Eggleton [Mon, 9 Jun 2014 10:21:20 +0000 (11:21 +0100)]
openssl: fix CVE-2014-0195
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
DTLS invalid fragment vulnerability (CVE-2014-0195)
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Only applications using OpenSSL as a DTLS client or server affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Maxin B. John [Fri, 9 May 2014 21:20:01 +0000 (14:20 -0700)]
openssl: fix CVE-2014-0198
A null pointer dereference bug was discovered in do_ssl3_write().
An attacker could possibly use this to cause OpenSSL to crash, resulting
in a denial of service.
Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Fri, 11 Apr 2014 12:29:51 +0000 (13:29 +0100)]
openssl: bump PR
We don't normally do this, but with the recent CVE fixes (most
importantly the one for the serious CVE-2014-0160 vulnerability) I am
bumping PR explicitly to make it a bit more obvious that the patch has
been applied.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Patch borrowed from Debian; this is just a tweaked version of the
upstream commit (without patching the CHANGES file which otherwise
would fail to apply on top of this version).
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Tue, 8 Apr 2014 18:37:39 +0000 (19:37 +0100)]
Security Advisory - openssl - CVE-2013-6449
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2
obtains a certain version number from an incorrect data structure, which
allows remote attackers to cause a denial of service (daemon crash) via
crafted traffic from a TLS 1.2 client.
Yue Tao [Tue, 8 Apr 2014 18:37:38 +0000 (19:37 +0100)]
Security Advisory - openssl - CVE-2013-6450
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x
through 1.0.1e does not properly maintain data structures for digest and
encryption contexts, which might allow man-in-the-middle attackers to
trigger the use of a different context by interfering with packet delivery,
related to ssl/d1_both.c and ssl/t1_enc.c.
Yue Tao [Tue, 8 Apr 2014 18:37:37 +0000 (19:37 +0100)]
Security Advisory - openssl - CVE-2013-4353
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before
1.0.1f allows remote TLS servers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted Next Protocol
Negotiation record in a TLS handshake.
Richard Purdie [Mon, 17 Mar 2014 23:13:37 +0000 (23:13 +0000)]
sstate: Drop 'SafeDep' code from setscene validation function
I have a feeling this code exists from the time before we had proper
coverage of one sstate task by another task. At that time it was a
"poor" persons version of that idea, we now have much better
code internal to bitbake which handles this.
Worse, this code actually breaks certain rebuild scenarios,
e.g.:
Mark Hatle [Fri, 9 Aug 2013 22:51:30 +0000 (17:51 -0500)]
rpm: Enable compatibility with older RPM packages that have invalid platforms
Some LSB packages appear to have the platform set to '%{_target_platform}'
which is not a valid platform field. This causes a failure of the type:
warning: package lsb-test-core-4.1.15-1.x86_64 is intended for a %{_target_platform} platform
When we detect an invalid platform, fall back and try to construct a new
platform name that may be valid based on the arch and os contents of the
package. (This should only ever be needed by invalid or older RPM packages.)
Darren Hart [Mon, 23 Sep 2013 20:54:10 +0000 (20:54 +0000)]
init-install-efi.sh: Remove unnecessary udev rules file to avoid errors
Fixes [YOCTO #5233]
Modeled after Chen Qi's fix to [YOCTO #3924] from oe-core commit: 6b6db7b4fb7aa17b8e29076decc830149b9d35bc
init-install.sh: remove unnecessary udev rules file to avoid error messages
/etc/udev/scripts/mount.sh is removed by init-install-efi.sh, but the
udev rules file which specifies the invocation of this script is not
removed, thus causing the error message during a live install:
/etc/udev/scripts/mount.sh: No such file or directory
The /etc/udev/rules/automount.rules no longer works once the mount.sh
script is removed. Remove it to avoid the error message.
Richard Purdie [Wed, 25 Sep 2013 20:59:11 +0000 (21:59 +0100)]
runqemu: Use correct kvm CPU options for qemux86* with kvm
The existing -cpu host option caused kernel panics when people attempted to use
the kvm option. After research and discussion, the best options appear to
be the kvm32/kvm64 cpu types so lets use these instead. These resolve
the kernel issues for me.
For more info see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
https://www.gitorious.org/gnutls/gnutls/commit/467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
Signed-off-by: Karl Hiramoto <karl@hiramoto.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For more info see:
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b
Signed-off-by: Karl Hiramoto <karl@hiramoto.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Thu, 6 Feb 2014 22:05:41 +0000 (22:05 +0000)]
libx11: backport _XEatDataWords API
If you build libx11-native then that has to be ABI-compatible with the
libX11 on the host or you'll have problems running qemu-native. Most
current distros are using libX11 1.6+. Thus, we need to backport the
_XEatDataWords API present in 1.6.
This only affects the dylan branch as dora+ has libx11 1.6+.
Fixes [YOCTO #5040].
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Tue, 21 Jan 2014 17:30:04 +0000 (17:30 +0000)]
guile: fix build with Texinfo 5.0
Backport a patch from upstream which fixes failures building
guile-native on newer distros such as Ubuntu 13.10. (This does not
affect dora or master because we are using Guile 2.0.9 there, which
already contains this patch.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Saul Wold [Wed, 8 Jan 2014 17:23:00 +0000 (17:23 +0000)]
cmake.bbclass: ensure CMAKE_SYSTEM_NAME is correct
Using TARGET_OS can add the ABIEXTENSION so ensure that is is removed for the Linux
TARGET_OS, we might have other TARGET_OSes so don't hard code CMAKE_SYSTEM_NAME
Richard Purdie [Wed, 8 Jan 2014 17:22:59 +0000 (17:22 +0000)]
cmake: set system name correctly
For unknown reasons, the cmake class is using SDK_OS as the
target system OS. This makes no sense but only shows up as a problem
when you try a different SDK OS. Fix it to use TARGET_OS which is
the correct thing to do. For the vast majority of users this will
make no difference.
Baogen Shang [Mon, 21 Oct 2013 03:03:41 +0000 (11:03 +0800)]
libtiff: CVE-2013-4243
cve description:
Heap-based buffer overflow in the readgifimage function in the gif2tiff
tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a crafted height
and width values in a GIF image.
Signed-off-by: Baogen Shang <baogen.shang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Baogen Shang [Mon, 21 Oct 2013 03:00:05 +0000 (11:00 +0800)]
libtiff: CVE-2013-4232
cve description:
Use-after-free vulnerability in the t2p_readwrite_pdf_image function
in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause
a denial of service (crash) or possible execute arbitrary code via a
crafted TIFF image.
Signed-off-by: Baogen Shang <baogen.shang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ming Liu [Thu, 21 Nov 2013 07:05:04 +0000 (01:05 -0600)]
libtiff: fix CVE-2013-1960
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ming Liu [Thu, 21 Nov 2013 07:05:05 +0000 (01:05 -0600)]
gst-ffmpeg: fix CVE-2013-3674
The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg before
1.2.1 does not validate the presence of non-header data in a buffer, which
allows remote attackers to cause a denial of service (out-of-bounds array
access and application crash) via crafted CD Graphics Video data.
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An excluded package left its files behind, which meant they could end up in
another package instead, meaning we could ship GPLv3 binaries even with GPLv3
in INCOMPATIBLE_LICENSE. Skip the files belonging to the excluded packages to
prevent this from occurring.
license.bbclass: include all licenses in the manifest
When we don't have a generic license file for the license in question, we can
warn, but we should still include it in the manifest, otherwise the manifest
doesn't reflect reality. Failing to include a license listed in the recipe in
the manifest can't be allowed.
Chen Qi [Mon, 18 Nov 2013 07:20:44 +0000 (15:20 +0800)]
license.bbclass: fix missing of license files on ubuntu build host
The license_create_manifest function contains bashism, this will lead
to unexpected results on ubuntu build host, as sh is linked to dash on
ubuntu. Even if COPY_LIC_MANIFEST and COPY_LIC_DIRS are enabled, the
license files will still be missing on target.
Richard Purdie [Fri, 22 Nov 2013 15:07:34 +0000 (15:07 +0000)]
metadata_scm: Avoid crashing on new svn version layouts
This avoids crashing on newer svn layouts where the entries files
don't contain three lines. If someone wants to fix this to
get the right version on newer subversion checkouts, patches
welcome but this at least stops things crashing.
Laurentiu Palcu [Mon, 28 Oct 2013 20:46:20 +0000 (22:46 +0200)]
nativesdk-qt4-tools: create qt.conf file
When installing the SDK to another location than the default one, qmake
will look for libraries, headers, etc. in the default location. That's
because the paths are hard-coded in the binary itself. Luckily, QT
allows to override this using a qt.conf file installed in the same
directory with the application executable. However, we already have a
patch that allows for the installation of qt.conf in another place and
read the location from QT_CONF_PATH environment variable.
Hence, install qt.conf in ${sysconfdir}. This will allow other apps, that
use QLibraryInfo class, to find it.
Roy Li [Thu, 26 Sep 2013 01:56:08 +0000 (09:56 +0800)]
dropbear: pass SFTPSERVER_PATH explicitly
The default value of SFTPSERVER_PATH is "/usr/libexec/sftp-server" defined in
dropbear-2013.58/option.h, but after commit 406bd38b423[bitbake.conf: change
libexecdir to ${libdir}/${BPN}], sftp-server is provided by openssh package,
and is installed into ${libdir}/openssh, so we pass it explicitly.
Paul Eggleton [Thu, 26 Sep 2013 16:00:33 +0000 (17:00 +0100)]
classes/package_rpm: fix bitbake package-index for RPM
The function that "bitbake package-index" relies upon when using the RPM
package backend (package_update_index_rpm()) uses MULTILIB_PREFIX_LIST
to get the list of package architectures to be indexed, but that
variable is only set when populate_sdk_rpm or rootfs_rpm are inherited,
which is not the case for the package-index recipe. Until we're able to
refactor this properly, for minimal impact just use the value of
ALL_MULTILIB_PACKAGE_ARCHS if MULTILIB_PREFIX_LIST does not give us any
architectures (the equivalent function in the ipk backend uses the
former variable).
Having "bitbake package-index" working is important because it's the
only practical way of indexing RPM packages for use as a feed; host
versions of createrepo won't work properly because they won't support
indexing recommends relationships.
elfutils-native: Fix build on distros with gcc 4.8
The patch redhat-portability.diff causes this issue
so lets revert the portion which was using %a instead of %m
thats recommended anyway, redhat patch seems to be targetting
old compilers.
Darren Hart [Fri, 9 Aug 2013 17:58:42 +0000 (10:58 -0700)]
kernel.bbclass: Correct post(inst|rm) package association
Fixes [YOCTO #4991]
The kernel image is installed as part of the kernel-image package, but
the symlink creation/removal via alternatives is being done in
pkg_post(inst|rm)_kernel-base.
Move the postinst alternatives logic into the kernel-image functions.
Ross Burton [Tue, 17 Sep 2013 09:22:17 +0000 (10:22 +0100)]
libxml2: remove patch for CVE-2012-2871
This CVE patch is actually against Chromium as they ship an internal fork of
libxml2 and breaks ABI. The real issue has been resolved in libxslt 1.1.27, and
we're shipping 1.1.28.
Paul Eggleton [Wed, 24 Apr 2013 14:33:18 +0000 (15:33 +0100)]
sysvinit-inittab: ensure unique label for SERIAL_CONSOLES entries
The label field in /etc/inittab entries needs to be unique, and the
numeric label being used for the SERIAL_CONSOLES getty entries was
clashing with the entries added for standard ttyX entries added via
SYSVINIT_ENABLED_GETTYS. Use the part after "tty" in the device name
(which is what the comment further down explicitly says should be done)
as the label rather than a simple incrementing number.
Jason Wessel [Tue, 23 Apr 2013 15:26:12 +0000 (15:26 +0000)]
ncurses: Fix problems expanding ncurses-libtinfo when in IMAGE_INSTALL
The ncurses package was generating the following error as a result
of not specifing the PACKAGES_DYNAMIC correctly. This error only
appear when using the IMAGE_INSTALL list that has been expanded by
the hob or from the pkgdata.
ERROR: Nothing RPROVIDES 'ncurses-libtinfo'
The dynamic packages are named using "${PN}-lib%s". So we check for
${PN}-lib*
Saul Wold [Wed, 26 Jun 2013 23:33:01 +0000 (16:33 -0700)]
mc: Don't remove libdir and split helpers into packages
It contains helper programs that are needed to make mc do the right actions
for the various file formats it understands.
The helpers are perl, python and shell scripts, split them out so the core
mc does not try to pull in perl and python, it will still run without these
helpers.
Martin Jansa [Tue, 23 Jul 2013 10:37:37 +0000 (12:37 +0200)]
weston: backport patch for libunwind configure option and disable it
* it's autodetected from sysroot and runtime dependency on libunwind isn't
deterministic
* master has weston 1.1.0 which already has this option and also explicitly
disables libunwind
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Martin Jansa [Mon, 22 Jul 2013 16:51:11 +0000 (18:51 +0200)]
gettext: disable nls when INHIBIT_DEFAULT_DEPS is set
* for example in gcc-runtime DEPENDS_GETTEXT from gettext.bbclass isn't
used because gcc-runtime recipes also set INHIBIT_DEFAULT_DEPS,
explicitly disable NLS when DEPENDS_GETTEXT is empty
* this is causing undeterministic build
if you compare i586-oe-linux/libstdc++-v3/config.log in WORKDIR when building
gcc-runtime before and after building gettext-native you'll see that msgfmt
isn't found in one of them and gcc-runtime-locale-{de,fr} packages
aren't created, there is only one file in them:
gcc-runtime-locale-de/usr/share/locale/de/LC_MESSAGES/libstdc++.mo
Martin Jansa [Sun, 21 Jul 2013 13:37:07 +0000 (15:37 +0200)]
ltp: add acl, openssl dependency
* when it's not detected in sysroot it uses bundled version
* add explicit dependency to make it deterministic
* PACKAGECONFIG wasn't used because configure doesn't have an
option to select which one should be used
Martin Jansa [Sun, 21 Jul 2013 12:43:44 +0000 (14:43 +0200)]
ccache: add zlib dependency
* when it's not detected in sysroot it uses bundled version
* add explicit dependency to make it deterministic
* PACKAGECONFIG wasn't used because configure doesn't have an
option to select which one should be used
Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Wed, 19 Jun 2013 15:20:50 +0000 (16:20 +0100)]
bdwgc-native: Add missing pkgconfig DEPENDS
This fixes configure errors like:
| configure.ac:70: error: possibly undefined macro: AC_MSG_ERROR
| If this token and others are legitimate, please use m4_pattern_allow.
| See the Autoconf documentation.
| configure.ac:358: error: possibly undefined macro: AS_IF
Reproduced with bitbake bdwgc-native pkgconfig-native -c clean; bitbake bdwgc-native
