Yue Tao [Sun, 27 Apr 2014 11:51:12 +0000 (19:51 +0800)]
gst-ffmpeg: fix for Security Advisory CVE-2013-0851
The decode_frame function in libavcodec/eamad.c in FFmpeg before 1.1
allows remote attackers to have an unspecified impact via crafted
Electronic Arts Madcow video data, which triggers an out-of-bounds array
access.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Sun, 27 Apr 2014 11:44:28 +0000 (19:44 +0800)]
gst-ffmpeg: fix for Security Advisory CVE-2013-0858
The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg before
1.0.4 allows remote attackers to have an unspecified impact via ATRAC3
data with the joint stereo coding mode set and fewer than two channels.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Sun, 27 Apr 2014 07:37:10 +0000 (15:37 +0800)]
gst-ffmpeg: fix for Security Advisory CVE-2013-0852
The parse_picture_segment function in libavcodec/pgssubdec.c in FFmpeg
before 1.1 allows remote attackers to have an unspecified impact via
crafted RLE data, which triggers an out-of-bounds array access.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Sun, 27 Apr 2014 07:10:15 +0000 (15:10 +0800)]
gst-ffmpeg: fix for Security Advisory CVE-2013-0845
libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote attackers to
have an unspecified impact via a crafted block length, which triggers an
out-of-bounds write.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Sun, 27 Apr 2014 03:56:19 +0000 (11:56 +0800)]
gst-ffmpeg: fix for Security Advisory CVE-2013-0868
libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers
to have an unspecified impact via crafted Huffyuv data, related to an
out-of-bounds write and (1) unchecked return codes from the init_vlc
function and (2) len==0 cases.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Fri, 25 Apr 2014 08:26:00 +0000 (16:26 +0800)]
gst-ffmpeg: fix for Security Advisory CVE-2014-2099
The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before
2.1.4 does not properly calculate line sizes, which allows remote
attackers to cause a denial of service (out-of-bounds array access) or
possibly have unspecified other impact via crafted Microsoft RLE video
data.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Mon, 14 Apr 2014 10:58:29 +0000 (18:58 +0800)]
gst-ffmpeg: fix for Security Advisory CVE-2013-0865
The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg before
1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an
unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood
Studios VQA Video file, which triggers an out-of-bounds write.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Mon, 14 Apr 2014 10:38:34 +0000 (18:38 +0800)]
gst-ffmpeg: fix for Security Advisory CVE-2014-2263
The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB)
muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier,
allows remote attackers to have unspecified impact and vectors, which
trigger an out-of-bounds write.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Mon, 19 May 2014 07:00:38 +0000 (15:00 +0800)]
openssl: fix for CVE-2010-5298
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Mon, 19 May 2014 06:32:13 +0000 (14:32 +0800)]
tiff: fix for Security Advisory CVE-2013-4231
Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers
to cause a denial of service (out-of-bounds write) via a crafted (1)
extension block in a GIF image or (2) GIF raster image to
tools/gif2tiff.c or (3) a long filename for a TIFF image to
tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which
states that the input cannot exceed the allocated buffer size.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4231Multiple
buffer overflows in libtiff before 4.0.3 allow remote attackers to cause
a denial of service (out-of-bounds write) via a crafted (1) extension
block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3)
a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1
and 3 are disputed by Red Hat, which states that the input cannot exceed
the allocated buffer size.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Li Wang [Mon, 19 May 2014 05:42:53 +0000 (13:42 +0800)]
nss: CVE-2013-1740
the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740
https://bugzilla.mozilla.org/show_bug.cgi?id=919877
https://bugzilla.mozilla.org/show_bug.cgi?id=713933
changeset: 10946:f28426e944ae
user: Wan-Teh Chang <wtc@google.com>
date: Tue Nov 26 16:44:39 2013 -0800
summary: Bug 713933: Handle the return value of both ssl3_HandleRecord calls
changeset: 10945:774c7dec7565
user: Wan-Teh Chang <wtc@google.com>
date: Mon Nov 25 19:16:23 2013 -0800
summary: Bug 713933: Declare the |falseStart| local variable in the smallest
changeset: 10848:141fae8fb2e8
user: Wan-Teh Chang <wtc@google.com>
date: Mon Sep 23 11:25:41 2013 -0700
summary: Bug 681839: Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished, r=brian@briansmith.org
changeset: 10898:1b9c43d28713
user: Brian Smith <brian@briansmith.org>
date: Thu Oct 31 15:40:42 2013 -0700
summary: Bug 713933: Make SSL False Start work with asynchronous certificate validation, r=wtc
Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Thu, 8 May 2014 10:16:24 +0000 (18:16 +0800)]
subversion: fix for Security Advisory CVE-2013-4277
Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through
1.8.1 allows local users to overwrite arbitrary files or kill arbitrary
processes via a symlink attack on the file specified by the --pid-file
option.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Tue, 15 Apr 2014 07:22:17 +0000 (15:22 +0800)]
subversion: fix for Security Advisory CVE-2013-1847 and CVE-2013-1846
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21
and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of
service (NULL pointer dereference and crash) via a LOCK on an activity URL.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1846
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20
and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service
(NULL pointer dereference and crash) via an anonymous LOCK for a URL that does
not exist.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1847
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Tue, 15 Apr 2014 05:21:25 +0000 (13:21 +0800)]
subversion: fix for Security Advisory CVE-2013-1845
The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before
1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to
cause a denial of service (memory consumption) by (1) setting or (2)
deleting a large number of properties for a file or directory.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Tue, 15 Apr 2014 07:57:31 +0000 (15:57 +0800)]
subversion: fix for Security Advisory CVE-2013-4131
The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through
1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause
a denial of service (assertion failure or out-of-bounds read) via a
certain (1) COPY, (2) DELETE, or (3) MOVE request against a revision
root.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Tue, 15 Apr 2014 02:49:03 +0000 (10:49 +0800)]
subversion: fix for Security Advisory CVE-2013-4505
The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0
through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass
intended access restrictions and possibly cause a denial of service
(resource consumption) via a relative URL in a REPORT request.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Mon, 14 Apr 2014 05:01:16 +0000 (13:01 +0800)]
screen: fix for Security Advisory CVE-2009-1215
Race condition in GNU screen 4.0.3 allows local users to create or
overwrite arbitrary files via a symlink attack on the
/tmp/screen-exchange temporary file.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-extended/screen/screen_4.0.3.bb
Yue Tao [Mon, 14 Apr 2014 04:41:17 +0000 (12:41 +0800)]
Screen: fix for Security Advisory CVE-2009-1214
GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with
world-readable permissions, which might allow local users to obtain
sensitive session information.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-extended/screen/screen_4.0.3.bb
Chen Qi [Tue, 13 May 2014 07:46:27 +0000 (15:46 +0800)]
openssh: fix for CVE-2014-2653
The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and
earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking
by presenting an unacceptable HostCertificate.
Chen Qi [Tue, 13 May 2014 07:46:26 +0000 (15:46 +0800)]
openssh: fix for CVE-2014-2532
sshd in OpenSSH before 6.6 does not properly support wildcards on
AcceptEnv lines in sshd_config, which allows remote attackers to
bypass intended environment restrictions by using a substring located
before a wildcard character.
Joe Slater [Mon, 12 May 2014 18:54:04 +0000 (11:54 -0700)]
qemu: define PACKAGECONFIG[] for ssh2
qemu configure will search for libssh2 if we do not enable or
disable it's use, resulting in non-deterministic builds. We
define PACKAGECONFIG[] to avoid this.
Chen Qi [Tue, 13 May 2014 02:54:26 +0000 (10:54 +0800)]
gdb: add PACKAGECONFIG for babeltrace
Add PACKAGECONFIG for 'babeltrace' so that we don't have the implicit
dependency which might lead to problems when building images.
As an example of showing what problem we might have without this patch,
see the following steps which would lead to a failure.
1. IMAGE_INSTALL_append = " gdb"
2. bitbake babeltrace
3. bitbake gdb
4. bitbake babeltrace -ccleansstate
5. bitbake core-image-minimal
The rootfs process would fail with the following error message.
error: Can't install gdb-7.7-r0@i586: no package provides babeltrace >= 1.2.1+git0+66c2a20b43
Richard Purdie [Mon, 12 May 2014 10:04:26 +0000 (11:04 +0100)]
git: Fix various makefile flags
We need to pass CFLAGS and LDFLAGS to the makefile correctly so we
need to list them as part of EXTRA_OEMAKE.
We also have a problem where git hardlinks binaries in bindir with
those in its libexecdir. If we change the RPATH in one of them, it
breaks the other. We therefore set the no cross dir hardlinking flag
git already has for this kind of issue. This ensures the RPATHS for
the git-core binaries works correctly. Its pure luck this has
sometimes worked so far.
Koen Kooi [Tue, 13 May 2014 10:16:29 +0000 (12:16 +0200)]
ca-certificates: generate CAfile for -native in do_install
Git-replacement-native needs the generated files in place for https:// URIs:
WARNING: Failed to fetch URL git://github.com/kernelslacker/trinity.git;protocol=https, attempting MIRRORS if available
ERROR: Fetcher failure: Fetch command failed with exit code 128, output:
Cloning into bare repository '/build/linaro/build/build/downloads/git2/github.com.kernelslacker.trinity.git'...
fatal: unable to access 'https://github.com/kernelslacker/trinity.git/': error setting certificate verify locations:
CAfile: /build/linaro/build/build/tmp-eglibc/sysroots/x86_64-linux/etc/ssl/certs/ca-certificates.crt
CApath: none
ERROR: Function failed: Fetcher failure for URL: 'git://github.com/kernelslacker/trinity.git;protocol=https'. Unable to fetch URL from any source.
ERROR: Logfile of failure stored in: /build/linaro/build/build/tmp-eglibc/work/aarch64-oe-linux/trinity/1.3-r0/temp/log.do_fetch.7843
ERROR: Task 1378 (/build/linaro/build/meta-linaro/meta-linaro/recipes-extra/trinity/trinity_1.3.bb, do_fetch) failed with exit code '1'
Tudor Florea [Mon, 5 May 2014 22:40:11 +0000 (00:40 +0200)]
curl: remove inapporpriate file from curl release
This is the adaptation for the a bugfix upstream
The inappropriate file src/tool_hugehelp.c presence in the curl 7.36 release
interfered with the upstream fix for
https://sourceforge.net/p/curl/bugs/1350/
Ross Burton [Wed, 14 May 2014 10:13:19 +0000 (11:13 +0100)]
freetype: disable harfbuzz
Freetype has an automatically detected dependency on Harfbuzz, which has a
dependency on Freetype.
To produce deterministic builds and avoid link failures when rebuilding freetype
with harfbuzz present add a PACKAGECONFIG for Harfbuzz and disable it by
default.
Chong Lu [Thu, 15 May 2014 08:54:32 +0000 (16:54 +0800)]
syslinux-native: fix parallel building issue
There might be an error when parallel build:
[snip]
cp: cannot create directory `tmp/sysroots/x86_64-linux/usr/share/
syslinux/com32/include/gplinclude': No such file or directory
make[4]: *** [install] Error 1
make[3]: *** [gpllib] Error 2
[snip]
This is a potential issue. In ${S}/com32/gpllib/Makefile file,
install target wants to copy $(SRC)/../gplinclude to
$(INSTALLROOT)$(COM32DIR)/include/ directory, but in ${S}/com32/lib/Makefile
file, the install target will remove $(INSTALLROOT)$(COM32DIR)/include
directory. We need to do com32/lib first.
The patch make com32/gpllib depends on com32/lib to fix this issue.
Chen Qi [Mon, 19 May 2014 08:03:28 +0000 (16:03 +0800)]
runqemu-internal: add "console=ttyS0" to ramfs image kernel parameters
We need this kernel command parameter so that when we start a ramfs
image, we can actually get some output. Although we can make this
happen by specifying the 'bootparams' for the 'runqemu' command, it's
better to make this the default behaviour.
Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Martin Jansa [Mon, 16 Dec 2013 13:14:51 +0000 (14:14 +0100)]
gtk+: Add PACKAGECONFIG for directfb
* building without x11 doesn't work, because it sets default
gdkbackend to x11 and then requires cairo-xlib to be available
* checking for CAIRO_BACKEND... no
configure: error: Package requirements (cairo-xlib >= 1.6) were not met:
No package 'cairo-xlib' found
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Conflicts:
meta/recipes-multimedia/gstreamer/gst-plugins-good_0.10.31.bb
Martin Jansa [Sun, 11 May 2014 06:48:10 +0000 (08:48 +0200)]
gstreamer1.0-plugins-good: add libxfixes and libxdamange to x11 depends
* fixes following issue in test-dependencies report:
gstreamer1.0-plugins-good/gstreamer1.0-plugins-good-ximagesrc/latest lost dependency on libxdamage
Richard Purdie [Tue, 6 May 2014 12:50:55 +0000 (12:50 +0000)]
attr: Fix uclibc builds
attr needs libintl headers and libs. Add in the missing dependency and
ensure the linker flag gets passed in multilib builds by replacing the
PN == BPN check with a class-target override instead.
Maxin B. John [Wed, 7 May 2014 12:24:15 +0000 (14:24 +0200)]
libxml2: fix CVE-2014-0191
It was discovered that libxml2, a library providing support to read,
modify and write XML files, incorrectly performs entity substituton in
the doctype prolog, even if the application using libxml2 disabled any
entity substitution. A remote attacker could provide a
specially-crafted XML file that, when processed, would lead to the
exhaustion of CPU and memory resources or file descriptors.
Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Function buildhistory_list_installed_image fails with error "Argument
list too long". This patch uses a temporal file to pass the package list
to opkg-query-helper.py
ERROR: Function failed: buildhistory_list_installed_image
ERROR: Logfile of failure stored in: /var/lib/jenkins/jobs/qt5022-cesium/workspace/build/tmp/work/qt5022-poky-linux/qimage-dev/1.0-r0/temp/log.do_rootfs.16747
NOTE: recipe qimage-dev-1.0-r0: task do_rootfs: Failed
ERROR: Task 7 (/var/lib/jenkins/jobs/qt5022-cesium/workspace/repo/yocto/../qtec/meta-qt5022/recipes-core/images/qimage-dev.bb, do_rootfs) failed with exit code '1'
NOTE: Tasks Summary: Attempted 4999 tasks of which 30 didn't need to be rerun and 1 failed.
NOTE: Writing buildhistory
Auto packing the repository for optimum performance.
Summary: 1 task failed:
/var/lib/jenkins/jobs/qt5022-cesium/workspace/repo/yocto/../qtec/meta-qt5022/recipes-core/images/qimage-dev.bb, do_rootfs
Summary: There were 74 WARNING messages shown.
Summary: There were 2 ERROR messages shown, returning a non-zero exit code.
Richard Purdie [Tue, 6 May 2014 13:49:50 +0000 (14:49 +0100)]
libiconv: Fix B != S with uclibc builds
Without this, uclibc builds fail with libtool version mismatches. The issue
is that we need to remove the files in ${S}, not ${B} which is now
the default after the B != S change.
Chen Qi [Tue, 6 May 2014 07:53:12 +0000 (15:53 +0800)]
mmc-utils: fix compilation failure for mips64 target.
This patch fixes mmc-utils compilation failure for qemumips64.
Remove the 'include <asm-generic/int-ll64.h>' line from mmc.h,
because this file is automatically included if _MIPS_SZLONG
is not 64, otherwise, <asm-generic/int-l64.h> is included.
Expicitly including <asm-generic/int-ll64.h> will cause the
compilation failure for mips64 target.
Maxin B. John [Tue, 6 May 2014 00:53:34 +0000 (02:53 +0200)]
openssl: fix CVE-2014-0198
A null pointer dereference bug was discovered in do_ssl3_write().
An attacker could possibly use this to cause OpenSSL to crash, resulting
in a denial of service.
Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Tyler Hall [Mon, 5 May 2014 00:06:43 +0000 (20:06 -0400)]
python3: Revert python-config to distutils.sysconfig
The newer sysconfig module shares some code with distutils.sysconfig,
but the same modifications as in
12-distutils-prefix-is-inside-staging-area.patch
makes distutils.sysconfig affect the native runtime as well as cross
building. Use the old, patched implementation which returns paths in
the staging directory and for the target, as appropriate.
This change reverts this upstream patch
http://hg.python.org/cpython/diff/712970b019f7/Misc/python-config.in
Tyler Hall [Sun, 4 May 2014 22:37:50 +0000 (18:37 -0400)]
python3: Substitute correct python version in shebang
If python2 and python3 are both available, scripts that are subject to
this substitution can possibly run with the wrong python version.
python3-config is one such script.
Radek Dostal [Mon, 5 May 2014 07:38:22 +0000 (09:38 +0200)]
distutils.bbclass: only modify *.py file if it contains path to be removed
Currently sed command touches every single *.py file. This modifies the
timestamp of the file. All *.pyo files will be recompiled during the first
boot, because timestamp will not match. This should be only necessary if
sed command changes the file.
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Tudor Florea [Fri, 2 May 2014 22:21:23 +0000 (00:21 +0200)]
curl: Backport a fix for a build issue
mkhelp: generate code for --disable-manual as well
This allows configure --disable-manual to run and build without having
to regenerate the src/tool_hugehelp.c file which otherwise is necessary
since we ship tarballs with that file present.
Irina Patru [Mon, 28 Apr 2014 11:08:46 +0000 (14:08 +0300)]
distrodata.bbclass: Fix checkpkg functionality
Currently it wasn't working because *COMMAND variables were removed
from fetcher.
Now checkpkg sets the command internally and sends it as a parameter
to _runwget() function from wget fetch.
Ming Liu [Tue, 1 Apr 2014 02:57:15 +0000 (02:57 +0000)]
kernel: don't populate source symbolic link
/usr/src/kernel/source deployed by kernel-dev package is symbolically
linking to a build-time kernel source folder, which make no sense when
cross-compiling.
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Chen Qi [Thu, 27 Mar 2014 02:34:41 +0000 (02:34 +0000)]
bind: add support for read-only rootfs
This patch adds support for read-only rootfs to the bind service.
Basically it just bind mounts several directories so that the bind
service could start correctly without reporting any error.
Mike Crowe [Wed, 16 Apr 2014 09:31:36 +0000 (10:31 +0100)]
native.bbclass: Override TARGET_ flags too
TARGET_LDFLAGS is currently defined in bitbake.conf to contain
${TARGET_LINK_HASH_STYLE} which differs between MIPS and other
targets. Since TARGET_LDFLAGS is an exported variable it affects the hash
of every shell task even if it is not used.
We don't want native recipe tasks to have different hashes purely because
they happen to have been built in order to satisfy dependencies for
different MACHINEs since this causes lots of churn in the native sysroot
when switching between MACHINEs.
Making native.bbclass override TARGET_LDFLAGS to use BUILD_LDFLAGS ensures
consistent hashes and is a sensible thing to be doing anyway.
Although they don't appear to have the same detrimental affect on task
hashes TARGET_CPPFLAGS, TARGET_CFLAGS and TARGET_CXXFLAGS should be
overridden too.
Adrian Calianu [Tue, 22 Apr 2014 08:04:14 +0000 (10:04 +0200)]
oprofileui-server_git: add avahi-daemon to RDEPENDS list
oprofileui-server recipe depends on avahi recipe. But avahi recipe
generates more packages and one of those packages(avahi-daemon) which
oprofileui-server expected to be available is not found into image.
A runtime dependency of oprofileui-server on avahi-daemon is required.
Joe Slater [Tue, 22 Apr 2014 18:00:41 +0000 (11:00 -0700)]
pixbufcache: add error exit in pixbufcache_sstate_postinst
In order to attempt recovery of a failed populate_sysroot_setscene,
we need to explicitly error exit an SSTATEPOSTINSTFUNC. So, we test
the return value of gdk-pixbuf-query-loaders.
Philip Tricca [Wed, 16 Apr 2014 01:16:48 +0000 (01:16 +0000)]
grub-efi: Use a variable to specify built-in grub modules.
The previous behavior defines a static set of modules that are built
into the grub efi executable. This works fine for a limited set of boot
environments namely the standard linux/initrd. This patch conditionally
assigns the same modules to a variable. This allows other meta layers
to add additional modules or completely override the defaults. The use
case driving this patch is the use of multiboot2 and related modules.
If you do a readelf -x .rodata /path/.../to/openssh/6.5p1-r0/packages-split/openssh-sshd/usr/sbin/sshd
You'll see two references to OE's sysroots/${BUILD_SYS} login and passwd binaries.
First one can be overridden with LOGIN_PROGRAM environment variable (see configure.ac),
second needs a cached variable definition.
Debugedit errors out on bare metal binaries. The first version of this patch limited it to 64 bit targets, but the problem now shows up on 32 bit targets (minnowboard) as well.
Andreas Müller [Thu, 17 Apr 2014 08:13:26 +0000 (10:13 +0200)]
make menuconfig work for recent xfce environment
xfce terminal was renamed 'Terminal' -> 'xfce4-teminal' mainline end of 2012,
so the distros supporting 'Terminal' will dissapear. The distros not
mentionied in __init__ do (e.g fedora 19 - tested) fail - or will fail
sooner or later.
Bruce Ashfield [Sat, 12 Apr 2014 04:10:11 +0000 (00:10 -0400)]
linux-yocto/3.14: aufs, edgerouter config and -rt
Updating the 3.14 SRCREVs to import the following changes:
- enable AUFS: a missing Kbuild patch was preventing aufs from compiling
- edgerouter: remove RTC configuration options
- preempt-rt recipe. The patch for 3.14 is availble, so we populate the recipe.
recipe_sanity.bbclass: avoid error when running 'bitbake -e'
Running 'bitbake -e' without further arguments causes a stack trace on stderr:
| ERROR: Command execution failed: Traceback (most recent call last):
| File "[...]/bitbake/lib/bb/command.py", line 99, in runAsyncCommand
| commandmethod(self.cmds_async, self, options)
| File "[...]/bitbake/lib/bb/command.py", line 405, in showEnvironment
| command.cooker.showEnvironment(bfile)
| File "[...]/bitbake/lib/bb/cooker.py", line 453, in showEnvironment
| logger.plain("\npython %s () {\n%s}\n", e, data.getVar(e, envdata, 1))
| File "[...]/bitbake/lib/bb/data.py", line 89, in getVar
| return d.getVar(var, exp)
| File "[...]/bitbake/lib/bb/data_smart.py", line 522, in getVar
| return self.getVarFlag(var, "_content", expand, noweakdefault)
| File "[...]/bitbake/lib/bb/data_smart.py", line 612, in getVarFlag
| value = self.expand(value, cachename)
| File "[...]/bitbake/lib/bb/data_smart.py", line 350, in expand
| return self.expandWithRefs(s, varname).value
| File "[...]/bitbake/lib/bb/data_smart.py", line 340, in expandWithRefs
| raise ExpansionError(varname, s, exc)
| ExpansionError: Failure expanding variable can_delete_FILESPATH, expression was def can_delete_FILESPATH(cfgdata, d):
| expected = cfgdata.get("FILESPATH")
| #expected = "${@':'.join([os.path.normpath(os.path.join(fp, p, o)) for fp in d.getVar('FILESPATHBASE', True).split(':') for p in d.getVar('FILESPATHPKG', True).split(':') for o in (d.getVar('OVERRIDES', True) + ':').split(':') if os.path.exists(os.path.join(fp, p, o))])}:${FILESDIR}"
| expectedpaths = d.expand(expected)
| unexpanded = d.getVar("FILESPATH", 0)
| filespath = d.getVar("FILESPATH", True).split(":")
| filespath = [os.path.normpath(f) for f in filespath if os.path.exists(f)]
| for fp in filespath:
| if not fp in expectedpaths:
| # __note("Path %s in FILESPATH not in the expected paths %s" %
| # (fp, expectedpaths), d)
| return False
| return expected != unexpanded
| which triggered exception AttributeError: 'NoneType' object has no attribute 'split'
Removing the commented second line in can_delete_FILESPATH() hides the error.
Stefan Stanacar [Fri, 11 Apr 2014 17:49:14 +0000 (20:49 +0300)]
scripts/send-error-report: simple hack to use proxy from the enviroment
People behind a proxy couldn't send an error report to an upstream server,
this should fix the issue if they use a proxy that doesn't require authentication,
or one that uses basic http authentication and it's correctly exported in the enviroment.
Martin Jansa [Fri, 11 Apr 2014 15:07:39 +0000 (17:07 +0200)]
icecc: don't create unnecessary 'ice' dirs in sysroots when disabled
* parsing ICE_PATH="${@icc_path(bb, d)}" causes "ice" directories
to be created in every sysroot, that could be a bit confusing for
people who inherit icecc.bbclass, but disabled it
* shorten ICECC_VERSION="${@icc_version(bb, d)}" path a bit
by returning sooner when disabled
* remove ICECC_PATH and ICECC_ENV_EXEC from signatures, we assume that
using icecc doesn't influence the output, so it shouldn't matter when
user supplies own version of icecc or env script
* always compare ICECC_DISABLED with "1", boolean typed_value isn't used
because documentation already mentions using empty value to keep icecc
enabled and that's not valid boolean value when oe.data.typed_value is
used:
ERROR: ICECC_DISABLED: Invalid boolean value ''
Andreas Müller [Thu, 10 Apr 2014 18:07:48 +0000 (20:07 +0200)]
shadow: fix building systemd with useradd-staticids.bbclass enabled
| groupadd: 'systemd-journal-gateway' is not a valid group name
Without useradd-staticids enabled, group 'systemd-journal-gateway' is created
by useradd and that seems not to care for GROUP_NAME_MAX_LENGTH which has 16 by
default.
libav: Add libsdl to DEPENDS only when x11 is enabled
When we have opengl in distro features but not x11 and try to
build libav then it calls out to build libsdl which inturn has depependency on libglu
and libglu fails to build
because gnome.bbclass was adding gconf->dbus-glib dependency
* it was also causing other recipes to fail when they were depending
on libnotify which has dbus-glib in pkg-config and dbus-glib was
missing, e.g. firefox:
| checking for libnotify >= 0.4... Package dbus-glib-1 was not found
in the pkg-config search path. Perhaps you should add the directory
containing `dbus-glib-1.pc' to the PKG_CONFIG_PATH environment
variable Package 'dbus-glib-1', required by 'libnotify', not found
| configure: error: Library requirements (libnotify >= 0.4) not met;
consider adjusting the PKG_CONFIG_PATH environment variable if your
libraries are in a nonstandard prefix so pkg-config can find them.
apr: remove the use of ${SHELL} to avoid bash/dash confliction
While multible hosts sharing a common sstate cache, the fist host using
bash as default shell and build apr, the second host using dash as
default shell and build apr-util, there was a failure in apr-util:
...
| /bin/sh: 0: Can't open i586-poky-linux-libtool
| make[1]: *** [dbm/apr_dbm_gdbm.lo] Error 127
| make[1]: *** Waiting for unfinished jobs....
| make[1]: Leaving directory
`tmp/work/i586-poky-linux/apr-util/1.5.2-r0/apr-util-1.5.2'
...
The quick way to reproduce the defect in Ubuntu 1204:
1. Create a new build
2. sudo dpkg-reconfigure dash <set bash as /bin/sh>
3. bitbake apr
4. sudo dpkg-reconfigure dash <set dash as /bin/sh>
5. bitbake apr-util
Remove the use of $(SHELL) in the apr could avoid this issue.
Alexandru DAMIAN [Fri, 11 Apr 2014 16:40:32 +0000 (17:40 +0100)]
toaster.bbclass: do not fail on non-existent files
Toaster may look up inexistent file paths in the build history
for packages that have been referenced but not built.
This triggers a failure, and this patch recovers by deleting
the reference to the non-built packages.
[YOCTO #6063]
Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
u-boot: fix beaglebone boot issue with large kernel images
Fix beaglebone boot issue with large kernel images overwriting Device Tree.
See very detailed comments inside the patch.
The original patch is being reviewed upstream and is targeting mainline U-boot
version 2014.07. This is the adaptation of the patch for 2013.07 version we use
Signed-off-by: Denys Dmytriyenko <denys@ti.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
