Paul Eggleton [Mon, 9 Jun 2014 10:21:20 +0000 (11:21 +0100)]
openssl: fix CVE-2014-0195
From the OpenSSL Security Advisory [05 Jun 2014]
http://www.openssl.org/news/secadv_20140605.txt
DTLS invalid fragment vulnerability (CVE-2014-0195)
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Only applications using OpenSSL as a DTLS client or server affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Maxin B. John [Fri, 9 May 2014 21:20:01 +0000 (14:20 -0700)]
openssl: fix CVE-2014-0198
A null pointer dereference bug was discovered in do_ssl3_write().
An attacker could possibly use this to cause OpenSSL to crash, resulting
in a denial of service.
Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Fri, 11 Apr 2014 12:29:51 +0000 (13:29 +0100)]
openssl: bump PR
We don't normally do this, but with the recent CVE fixes (most
importantly the one for the serious CVE-2014-0160 vulnerability) I am
bumping PR explicitly to make it a bit more obvious that the patch has
been applied.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Patch borrowed from Debian; this is just a tweaked version of the
upstream commit (without patching the CHANGES file which otherwise
would fail to apply on top of this version).
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Tue, 8 Apr 2014 18:37:39 +0000 (19:37 +0100)]
Security Advisory - openssl - CVE-2013-6449
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2
obtains a certain version number from an incorrect data structure, which
allows remote attackers to cause a denial of service (daemon crash) via
crafted traffic from a TLS 1.2 client.
Yue Tao [Tue, 8 Apr 2014 18:37:38 +0000 (19:37 +0100)]
Security Advisory - openssl - CVE-2013-6450
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x
through 1.0.1e does not properly maintain data structures for digest and
encryption contexts, which might allow man-in-the-middle attackers to
trigger the use of a different context by interfering with packet delivery,
related to ssl/d1_both.c and ssl/t1_enc.c.
Yue Tao [Tue, 8 Apr 2014 18:37:37 +0000 (19:37 +0100)]
Security Advisory - openssl - CVE-2013-4353
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before
1.0.1f allows remote TLS servers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted Next Protocol
Negotiation record in a TLS handshake.
Richard Purdie [Mon, 17 Mar 2014 23:13:37 +0000 (23:13 +0000)]
sstate: Drop 'SafeDep' code from setscene validation function
I have a feeling this code exists from the time before we had proper
coverage of one sstate task by another task. At that time it was a
"poor" persons version of that idea, we now have much better
code internal to bitbake which handles this.
Worse, this code actually breaks certain rebuild scenarios,
e.g.:
Mark Hatle [Fri, 9 Aug 2013 22:51:30 +0000 (17:51 -0500)]
rpm: Enable compatibility with older RPM packages that have invalid platforms
Some LSB packages appear to have the platform set to '%{_target_platform}'
which is not a valid platform field. This causes a failure of the type:
warning: package lsb-test-core-4.1.15-1.x86_64 is intended for a %{_target_platform} platform
When we detect an invalid platform, fall back and try to construct a new
platform name that may be valid based on the arch and os contents of the
package. (This should only ever be needed by invalid or older RPM packages.)
Darren Hart [Mon, 23 Sep 2013 20:54:10 +0000 (20:54 +0000)]
init-install-efi.sh: Remove unnecessary udev rules file to avoid errors
Fixes [YOCTO #5233]
Modeled after Chen Qi's fix to [YOCTO #3924] from oe-core commit: 6b6db7b4fb7aa17b8e29076decc830149b9d35bc
init-install.sh: remove unnecessary udev rules file to avoid error messages
/etc/udev/scripts/mount.sh is removed by init-install-efi.sh, but the
udev rules file which specifies the invocation of this script is not
removed, thus causing the error message during a live install:
/etc/udev/scripts/mount.sh: No such file or directory
The /etc/udev/rules/automount.rules no longer works once the mount.sh
script is removed. Remove it to avoid the error message.
Richard Purdie [Wed, 25 Sep 2013 20:59:11 +0000 (21:59 +0100)]
runqemu: Use correct kvm CPU options for qemux86* with kvm
The existing -cpu host option caused kernel panics when people attempted to use
the kvm option. After research and discussion, the best options appear to
be the kvm32/kvm64 cpu types so lets use these instead. These resolve
the kernel issues for me.
For more info see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
https://www.gitorious.org/gnutls/gnutls/commit/467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
Signed-off-by: Karl Hiramoto <karl@hiramoto.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For more info see:
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b
Signed-off-by: Karl Hiramoto <karl@hiramoto.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Thu, 6 Feb 2014 22:05:41 +0000 (22:05 +0000)]
libx11: backport _XEatDataWords API
If you build libx11-native then that has to be ABI-compatible with the
libX11 on the host or you'll have problems running qemu-native. Most
current distros are using libX11 1.6+. Thus, we need to backport the
_XEatDataWords API present in 1.6.
This only affects the dylan branch as dora+ has libx11 1.6+.
Fixes [YOCTO #5040].
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Tue, 21 Jan 2014 17:30:04 +0000 (17:30 +0000)]
guile: fix build with Texinfo 5.0
Backport a patch from upstream which fixes failures building
guile-native on newer distros such as Ubuntu 13.10. (This does not
affect dora or master because we are using Guile 2.0.9 there, which
already contains this patch.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Saul Wold [Wed, 8 Jan 2014 17:23:00 +0000 (17:23 +0000)]
cmake.bbclass: ensure CMAKE_SYSTEM_NAME is correct
Using TARGET_OS can add the ABIEXTENSION so ensure that is is removed for the Linux
TARGET_OS, we might have other TARGET_OSes so don't hard code CMAKE_SYSTEM_NAME
Richard Purdie [Wed, 8 Jan 2014 17:22:59 +0000 (17:22 +0000)]
cmake: set system name correctly
For unknown reasons, the cmake class is using SDK_OS as the
target system OS. This makes no sense but only shows up as a problem
when you try a different SDK OS. Fix it to use TARGET_OS which is
the correct thing to do. For the vast majority of users this will
make no difference.
Baogen Shang [Mon, 21 Oct 2013 03:03:41 +0000 (11:03 +0800)]
libtiff: CVE-2013-4243
cve description:
Heap-based buffer overflow in the readgifimage function in the gif2tiff
tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via a crafted height
and width values in a GIF image.
Signed-off-by: Baogen Shang <baogen.shang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Baogen Shang [Mon, 21 Oct 2013 03:00:05 +0000 (11:00 +0800)]
libtiff: CVE-2013-4232
cve description:
Use-after-free vulnerability in the t2p_readwrite_pdf_image function
in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause
a denial of service (crash) or possible execute arbitrary code via a
crafted TIFF image.
Signed-off-by: Baogen Shang <baogen.shang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ming Liu [Thu, 21 Nov 2013 07:05:04 +0000 (01:05 -0600)]
libtiff: fix CVE-2013-1960
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ming Liu [Thu, 21 Nov 2013 07:05:05 +0000 (01:05 -0600)]
gst-ffmpeg: fix CVE-2013-3674
The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg before
1.2.1 does not validate the presence of non-header data in a buffer, which
allows remote attackers to cause a denial of service (out-of-bounds array
access and application crash) via crafted CD Graphics Video data.
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An excluded package left its files behind, which meant they could end up in
another package instead, meaning we could ship GPLv3 binaries even with GPLv3
in INCOMPATIBLE_LICENSE. Skip the files belonging to the excluded packages to
prevent this from occurring.
license.bbclass: include all licenses in the manifest
When we don't have a generic license file for the license in question, we can
warn, but we should still include it in the manifest, otherwise the manifest
doesn't reflect reality. Failing to include a license listed in the recipe in
the manifest can't be allowed.
Chen Qi [Mon, 18 Nov 2013 07:20:44 +0000 (15:20 +0800)]
license.bbclass: fix missing of license files on ubuntu build host
The license_create_manifest function contains bashism, this will lead
to unexpected results on ubuntu build host, as sh is linked to dash on
ubuntu. Even if COPY_LIC_MANIFEST and COPY_LIC_DIRS are enabled, the
license files will still be missing on target.
Richard Purdie [Fri, 22 Nov 2013 15:07:34 +0000 (15:07 +0000)]
metadata_scm: Avoid crashing on new svn version layouts
This avoids crashing on newer svn layouts where the entries files
don't contain three lines. If someone wants to fix this to
get the right version on newer subversion checkouts, patches
welcome but this at least stops things crashing.
Laurentiu Palcu [Mon, 28 Oct 2013 20:46:20 +0000 (22:46 +0200)]
nativesdk-qt4-tools: create qt.conf file
When installing the SDK to another location than the default one, qmake
will look for libraries, headers, etc. in the default location. That's
because the paths are hard-coded in the binary itself. Luckily, QT
allows to override this using a qt.conf file installed in the same
directory with the application executable. However, we already have a
patch that allows for the installation of qt.conf in another place and
read the location from QT_CONF_PATH environment variable.
Hence, install qt.conf in ${sysconfdir}. This will allow other apps, that
use QLibraryInfo class, to find it.
Roy Li [Thu, 26 Sep 2013 01:56:08 +0000 (09:56 +0800)]
dropbear: pass SFTPSERVER_PATH explicitly
The default value of SFTPSERVER_PATH is "/usr/libexec/sftp-server" defined in
dropbear-2013.58/option.h, but after commit 406bd38b423[bitbake.conf: change
libexecdir to ${libdir}/${BPN}], sftp-server is provided by openssh package,
and is installed into ${libdir}/openssh, so we pass it explicitly.
Paul Eggleton [Thu, 26 Sep 2013 16:00:33 +0000 (17:00 +0100)]
classes/package_rpm: fix bitbake package-index for RPM
The function that "bitbake package-index" relies upon when using the RPM
package backend (package_update_index_rpm()) uses MULTILIB_PREFIX_LIST
to get the list of package architectures to be indexed, but that
variable is only set when populate_sdk_rpm or rootfs_rpm are inherited,
which is not the case for the package-index recipe. Until we're able to
refactor this properly, for minimal impact just use the value of
ALL_MULTILIB_PACKAGE_ARCHS if MULTILIB_PREFIX_LIST does not give us any
architectures (the equivalent function in the ipk backend uses the
former variable).
Having "bitbake package-index" working is important because it's the
only practical way of indexing RPM packages for use as a feed; host
versions of createrepo won't work properly because they won't support
indexing recommends relationships.
elfutils-native: Fix build on distros with gcc 4.8
The patch redhat-portability.diff causes this issue
so lets revert the portion which was using %a instead of %m
thats recommended anyway, redhat patch seems to be targetting
old compilers.
Darren Hart [Fri, 9 Aug 2013 17:58:42 +0000 (10:58 -0700)]
kernel.bbclass: Correct post(inst|rm) package association
Fixes [YOCTO #4991]
The kernel image is installed as part of the kernel-image package, but
the symlink creation/removal via alternatives is being done in
pkg_post(inst|rm)_kernel-base.
Move the postinst alternatives logic into the kernel-image functions.
Ross Burton [Tue, 17 Sep 2013 09:22:17 +0000 (10:22 +0100)]
libxml2: remove patch for CVE-2012-2871
This CVE patch is actually against Chromium as they ship an internal fork of
libxml2 and breaks ABI. The real issue has been resolved in libxslt 1.1.27, and
we're shipping 1.1.28.
Paul Eggleton [Wed, 24 Apr 2013 14:33:18 +0000 (15:33 +0100)]
sysvinit-inittab: ensure unique label for SERIAL_CONSOLES entries
The label field in /etc/inittab entries needs to be unique, and the
numeric label being used for the SERIAL_CONSOLES getty entries was
clashing with the entries added for standard ttyX entries added via
SYSVINIT_ENABLED_GETTYS. Use the part after "tty" in the device name
(which is what the comment further down explicitly says should be done)
as the label rather than a simple incrementing number.
Jason Wessel [Tue, 23 Apr 2013 15:26:12 +0000 (15:26 +0000)]
ncurses: Fix problems expanding ncurses-libtinfo when in IMAGE_INSTALL
The ncurses package was generating the following error as a result
of not specifing the PACKAGES_DYNAMIC correctly. This error only
appear when using the IMAGE_INSTALL list that has been expanded by
the hob or from the pkgdata.
ERROR: Nothing RPROVIDES 'ncurses-libtinfo'
The dynamic packages are named using "${PN}-lib%s". So we check for
${PN}-lib*
Saul Wold [Wed, 26 Jun 2013 23:33:01 +0000 (16:33 -0700)]
mc: Don't remove libdir and split helpers into packages
It contains helper programs that are needed to make mc do the right actions
for the various file formats it understands.
The helpers are perl, python and shell scripts, split them out so the core
mc does not try to pull in perl and python, it will still run without these
helpers.
Martin Jansa [Tue, 23 Jul 2013 10:37:37 +0000 (12:37 +0200)]
weston: backport patch for libunwind configure option and disable it
* it's autodetected from sysroot and runtime dependency on libunwind isn't
deterministic
* master has weston 1.1.0 which already has this option and also explicitly
disables libunwind
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Martin Jansa [Mon, 22 Jul 2013 16:51:11 +0000 (18:51 +0200)]
gettext: disable nls when INHIBIT_DEFAULT_DEPS is set
* for example in gcc-runtime DEPENDS_GETTEXT from gettext.bbclass isn't
used because gcc-runtime recipes also set INHIBIT_DEFAULT_DEPS,
explicitly disable NLS when DEPENDS_GETTEXT is empty
* this is causing undeterministic build
if you compare i586-oe-linux/libstdc++-v3/config.log in WORKDIR when building
gcc-runtime before and after building gettext-native you'll see that msgfmt
isn't found in one of them and gcc-runtime-locale-{de,fr} packages
aren't created, there is only one file in them:
gcc-runtime-locale-de/usr/share/locale/de/LC_MESSAGES/libstdc++.mo
Martin Jansa [Sun, 21 Jul 2013 13:37:07 +0000 (15:37 +0200)]
ltp: add acl, openssl dependency
* when it's not detected in sysroot it uses bundled version
* add explicit dependency to make it deterministic
* PACKAGECONFIG wasn't used because configure doesn't have an
option to select which one should be used
Martin Jansa [Sun, 21 Jul 2013 12:43:44 +0000 (14:43 +0200)]
ccache: add zlib dependency
* when it's not detected in sysroot it uses bundled version
* add explicit dependency to make it deterministic
* PACKAGECONFIG wasn't used because configure doesn't have an
option to select which one should be used
Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Wed, 19 Jun 2013 15:20:50 +0000 (16:20 +0100)]
bdwgc-native: Add missing pkgconfig DEPENDS
This fixes configure errors like:
| configure.ac:70: error: possibly undefined macro: AC_MSG_ERROR
| If this token and others are legitimate, please use m4_pattern_allow.
| See the Autoconf documentation.
| configure.ac:358: error: possibly undefined macro: AS_IF
Reproduced with bitbake bdwgc-native pkgconfig-native -c clean; bitbake bdwgc-native
Mark Hatle [Fri, 24 May 2013 15:22:02 +0000 (15:22 +0000)]
libarchive: Fix build dependencies
Move to using the PACKAGECONFIG mechanism to select configure options and
dependencies. Without this the system will attempt to discover various
dependencies, and usually does so incorrectly.
We also ensure that the nativesdk version does not inherit any of the
DISTRO_FEATURES. We shouldn't need acl or xattr support for nativesdk.
Martin Jansa [Fri, 5 Jul 2013 01:05:22 +0000 (03:05 +0200)]
systemtap: inherit pkgconfig
* systemtap-native was failing with undefined AC_DEFINE
configure.ac:56: error: possibly undefined macro: AC_DEFINE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
Martin Jansa [Fri, 5 Jul 2013 00:49:54 +0000 (02:49 +0200)]
libpam: inherit pkgconfig
* missing dependency on pkgconfig-native was causing
that PKG_CHECK_MODULES(DBUS, dbus-1) stayed unexpanded in
configure script:
checking for dbm_store in -lndbm... no
libpam/1.1.6-r2/Linux-PAM-1.1.6/configure:
line 14217: syntax error near unexpected token `libtirpc,'
libpam/1.1.6-r2/Linux-PAM-1.1.6/configure:
line 14217: ` PKG_CHECK_MODULES(libtirpc, libtirpc,'
Configure failed. The contents of all config.log files follows to aid
debugging
Martin Jansa [Fri, 5 Jul 2013 00:43:17 +0000 (02:43 +0200)]
quota: inherit pkgconfig
* missing dependency on pkgconfig-native was causing
that PKG_CHECK_MODULES(DBUS, dbus-1) stayed unexpanded in
configure script:
checking for ext2fs_initialize in -lext2fs... yes
quota/4.01-r1/quota-tools/configure: line 3746: syntax error near unexpected token `DBUS,'
quota/4.01-r1/quota-tools/configure: line 3746: ` PKG_CHECK_MODULES(DBUS, dbus-1)'
Configure failed. The contents of all config.log files follows to aid debugging
Martin Jansa [Thu, 4 Jul 2013 08:14:48 +0000 (10:14 +0200)]
taglib: add missing dependency on zlib
* without target zlib it tries to use native one:
| /OE/sysroots/x86_64-linux/usr/lib/libz.so: could not read symbols: File in wrong format
| collect2: error: ld returned 1 exit status
| make[2]: *** [taglib/libtag.so.1.12.0] Error 1
Martin Jansa [Thu, 4 Jul 2013 08:01:24 +0000 (10:01 +0200)]
gst-plugins-bad: inherit gsettings
* do_configure fails without native glib-compile-schemas:
| checking for glib-compile-schemas... no
| configure: error: glib-compile-schemas not found.
Signed-off-by: Eric Nelson <eric.nelson@boundarydevices.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Kai Kang [Tue, 13 Aug 2013 09:57:49 +0000 (17:57 +0800)]
dpkg: fix include header caused compile error
Build dpkg-native on Fedora 19, it fails with:
/usr/include/c++/4.8.1/cstdlib: In function ‘long long int std::abs(long long int)’:
/usr/include/c++/4.8.1/cstdlib:174:20: error: declaration of C function ‘long long int std::abs(long long int)’ conflicts with
abs(long long __x) { return __builtin_llabs (__x); }
^
/usr/include/c++/4.8.1/cstdlib:166:3: error: previous declaration ‘long int std::abs(long int)’ here
abs(long __i) { return __builtin_labs(__i); }
^
That because header cstdlib is included in a 'extern "C"' block that gcc
4.8 doesn't support. Fix it by move the header file out of the 'extern "C"'
block.
Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
