This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment
This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.
Paul Eggleton [Thu, 2 Oct 2014 14:27:26 +0000 (15:27 +0100)]
bash: add missing patch for CVE-2014-6271 to 4.2 recipe
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.
Patch based on the one from OE-Core master rev 798d833c9d4bd9ab287fa86b85b4d5f128170ed3 by Ross Burton
<ross.burton@intel.com>, with the content replaced from the
appropriate upstream patch.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Ross Burton [Thu, 25 Sep 2014 23:05:18 +0000 (00:05 +0100)]
bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.
"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Martin Jansa [Sun, 3 Aug 2014 16:59:39 +0000 (18:59 +0200)]
cairo: explicitly disable LTO support by backporting patch which removes it
* cairo-native was failing to build in gentoo with gcc-4.9 and LTO
enabled, more details in upstream bug
https://bugs.freedesktop.org/show_bug.cgi?id=77060
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
populate-extfs.sh: fix to handle special file names correctly
`debugfs' treats spaces and "" specially. So when we are dealing with
file names, great care should be taken to make sure that `debugfs'
recognizes file names correctly.
The basic solution here is:
1. Use quotation marks to handle spaces correctly.
2. Replace "xxx" with ""xxx"" so that debugfs knows that the quotation
marks are parts of the file name.
[YOCTO #6503]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Henning Heinold [Tue, 24 Jun 2014 21:34:47 +0000 (23:34 +0200)]
perf: add slang to the dependencies
* TUI/GUI support was added in 2.6.35 based on libnewt
* since 3.10 slang replaced libnewt completely
* changing TUI_DEFINES is not necessary, because NO_NEWT is
still respected with newer kernels
* add comment about the gui history to the recipe
The patch was sponsored by sysmocom
Signed-off-by: Henning Heinold <henning@itconsulting-heinold.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Khem Raj [Mon, 19 May 2014 02:14:32 +0000 (19:14 -0700)]
prelink: Fix SRC_URI
The SHA we use is actually on cross_prelink branch
if you do not use yocto source mirrors then the fetch
for prelink on dora fails due to missing branch in SRC_URI
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
console-kit-log-system-start.service fails to start if the
/var/log/ConsoleKit directory does not exist. Normally it is created
automatically but as we mount a tmpfs at /var/log, we need to add
a tmpfiles.d entry to create it.
Signed-off-by: Jonathan Liu <net147@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Chen Qi [Thu, 19 Jun 2014 02:11:33 +0000 (10:11 +0800)]
populate-extfs.sh: error out if debugfs encounters some error
Previously, even if we encounter some error when populating the
ext filesystem, we don't error out and the rootfs process still
succeeds.
However, what's really expected is that the populate-extfs.sh script
should error out if something wrong happens when using `debugfs' to
generate the ext filesystem. For example, if there are not enough blocks
in the filesystem, and allocating a block for some file fails, the
failure should not be ignored. Otherwise, we will have a successful
build but a corrupted filesystem.
The debugfs returns 0 as long as the command is valid. That is, even
if the command fails, the debugfs still returns 0. That's really a
pain here. That's why this patch checks the error output to see whether
there's any error logged.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Patrick Doyle <wpdster@gmail.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Mon, 9 Jun 2014 15:53:48 +0000 (16:53 +0100)]
openssl: fix for CVE-2010-5298
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Mon, 9 Jun 2014 15:53:46 +0000 (16:53 +0100)]
openssl: fix CVE-2014-0224
http://www.openssl.org/news/secadv_20140605.txt
SSL/TLS MITM vulnerability (CVE-2014-0224)
An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.
The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Mon, 9 Jun 2014 15:53:44 +0000 (16:53 +0100)]
openssl: use upstream fix for CVE-2014-0198
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora,
which is the same as the patch which was actually applied upstream for
the issue, i.e.:
Paul Eggleton [Mon, 9 Jun 2014 15:53:43 +0000 (16:53 +0100)]
openssl: fix CVE-2014-0195
http://www.openssl.org/news/secadv_20140605.txt
DTLS invalid fragment vulnerability (CVE-2014-0195)
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.
Only applications using OpenSSL as a DTLS client or server are affected.
(Patch borrowed from Fedora.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Maxin B. John [Mon, 19 May 2014 15:13:04 +0000 (16:13 +0100)]
openssl: fix CVE-2014-0198
A null pointer dereference bug was discovered in do_ssl3_write().
An attacker could possibly use this to cause OpenSSL to crash, resulting
in a denial of service.
Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Matt Fleming <matt.fleming@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Even if 'egl' is in PACKAGECONFIG, mesa egl support
can be disabled explicitly (changing configure flags
using a .bbappend, for example).
On dora, meta-fsl-arm is an example of this kind.
On master there are no known cases, and we should
encourage package configuration through PACKAGECONFIG.
This patch adds another check for the existence
of eglplatform.h before 'sed' can alter it.
Signed-off-by: Valentin Popa <valentin.popa@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Fri, 11 Apr 2014 12:31:10 +0000 (13:31 +0100)]
openssl: bump PR
We don't normally do this, but with the recent CVE fixes (most
importantly the one for the serious CVE-2014-0160 vulnerability) I am
bumping PR explicitly to make it a bit more obvious that the patch has
been applied.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Fri, 4 Apr 2014 14:28:58 +0000 (15:28 +0100)]
sstatesig: Anchor inherits class tests
This avoids a nasty sstate hash corruption issue where the
fact the testimage bbclass was inherited meant that the checksum
changed due to testimage.bbclass being confused with image.bbclass.
This patch anchors the bbclass names to avoid this confusion.
Paul Eggleton [Fri, 21 Mar 2014 18:02:39 +0000 (18:02 +0000)]
classes/image: ignore modules.* changing during multilib image construction
Since we now run depmod when building images (as the postinst that does
this is now on kernel-base instead of kernel-image) it is possible to
have module file differences between the two halves of the multilib image,
and the code that checks for such differences detects this and fails.
Whitelist this file to avoid the failure.
Specifically, modules.alias, modules.dep and modules.symbol can differ
along with their .bin counterparts.
Paul Eggleton [Fri, 21 Mar 2014 18:02:38 +0000 (18:02 +0000)]
classes/kernel: move module postinst commands to kernel-base
Since kernel-base is the package that contains the files that depmod
needs to run, we should be running depmod from the kernel-base
postinstall rather than kernel-image.
Richard Purdie [Wed, 27 Nov 2013 15:32:13 +0000 (15:32 +0000)]
sstatesig.py: Fix image regeneration issue
With the "ABI safe" recipes, we've been excluding those from signatures. This
is fine in the general case but in the specific case of image recipes it breaks.
A good test case is the interfaces file. Editing this causes init-ifupdown
to rebuild but not an image containing it (e.g. core-image-minimal).
We need to ensure the checksums are added to the image recipes and this change
does that.
Patch borrowed from Debian; this is just a tweaked version of the
upstream commit (without patching the CHANGES file which otherwise
would fail to apply on top of this version).
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yue Tao [Tue, 8 Apr 2014 18:15:07 +0000 (19:15 +0100)]
Security Advisory - openssl - CVE-2013-6449
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2
obtains a certain version number from an incorrect data structure, which
allows remote attackers to cause a denial of service (daemon crash) via
crafted traffic from a TLS 1.2 client.
Yue Tao [Tue, 8 Apr 2014 18:15:06 +0000 (19:15 +0100)]
Security Advisory - openssl - CVE-2013-6450
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x
through 1.0.1e does not properly maintain data structures for digest and
encryption contexts, which might allow man-in-the-middle attackers to
trigger the use of a different context by interfering with packet delivery,
related to ssl/d1_both.c and ssl/t1_enc.c.
Yue Tao [Tue, 8 Apr 2014 18:15:05 +0000 (19:15 +0100)]
Security Advisory - openssl - CVE-2013-4353
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before
1.0.1f allows remote TLS servers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted Next Protocol
Negotiation record in a TLS handshake.
Concatenated fix of PowerPC time related system calls in eglibc 2.18 taken
from upstream glibc. See credits in patch header.
The effect is that some time related system calls return nothing or garbage.
Fix tested on PowerPC e300c3.
Eglibc 2.17 does not have this issue and the patches are already part of 2.19.
Signed-off-by: Mats Karrman <mats.karrman@tritech.se> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(*) add MESA_EGL_NO_X11_HEADERS to defines
(*) avoid altering eglplatform.h from {top_srcdir}/include
using an alternative to
0003-EGL-Mutate-NativeDisplayType-depending-on-config
patch.
[YOCTO #5882]
Signed-off-by: Valentin Popa <valentin.popa@intel.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Robert Yang [Wed, 26 Mar 2014 09:26:45 +0000 (05:26 -0400)]
image_types.bbclass: use 4096 instead of 8192 bytes-per-inode
The image is not correctly created if 'ptest-pkgs' is in IMAGE_FEATURES,
this is because there is no free inode left. We can use 4096 instead of
8192 bytes-per-inode to fix the problem, and most of the distributions
use 4096, such as Ubuntu, Suse, Fedora and CentOS.
There are other problems:
* There are error messages when there is no free inode left if we run the
mke2fs command manually, but they are not in log.do_rootfs.
* The image generation doesn't stop when error happens because mke2fs
doesn't return failed for this case.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For each recipe, it populated license files to ${LICENSE_DIRECTORY}/${PN},
such as kernel's license dir was ${LICENSE_DIRECTORY}/kernel-3.10.17-yocto-standard;
In do_rootfs task, it copied license directories from ${LICENSE_DIRECTORY}/
${pkg}, and ${pkg} was listed in ${INSTALLED_PKGS};
We got ${INSTALLED_PKGS} by rpm query, such as the kernel were 'kernel-*',
but the kernel's PN was linux-yocto, so searching ${LICENSE_DIRECTORY}/
kernel-* failed.
Copied license directories from ${LICENSE_DIRECTORY}/${PN} fixed this
issue.
[YOCTO #5572]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Stefan Stanacar <stefanx.stanacar@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Sébastien Mennetrier <s.mennetrier@innotis.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Tue, 11 Mar 2014 12:57:04 +0000 (12:57 +0000)]
avahi: handle SO_REUSEPORT not being available
Linux < 3.9 doesn't have the SO_REUSEPORT option so instead of failing to start
when built with >=3.9 kernel headers but booted on <3.9 kernels, continue as if
SO_REUSEPORT wasn't available.
For more info see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
https://www.gitorious.org/gnutls/gnutls/commit/467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
Signed-off-by: Karl Hiramoto <karl@hiramoto.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For more info see:
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b
Signed-off-by: Karl Hiramoto <karl@hiramoto.org> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diego Sueiro [Fri, 14 Feb 2014 02:40:58 +0000 (10:40 +0800)]
systemd: journald fix ignored disk space restrictions
The upstream bug report can be seen at:
[Systemd #68161] -- https://bugs.freedesktop.org/show_bug.cgi?id=68161
These backported patches come from 207 and are needed to address this in the 206 version for dora branch.
Signed-off-by: Diego Sueiro <diego.sueiro@gmail.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gcc: Include patch scheduled for GCC 4.8.3 to fix epilogue on ARM
GCC 4.8.0, 4.8.1 and 4.8.2 can generate broken epilogues for the
ABI used by the kernel. Apply the patch that is included for GCC
4.8.3 from http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58854.
The issue was found on Yocto/Dora and the patch should be backported
to this branch. A kernel built with Dora's GCC 4.8.1 misbehaved on:
while true;
do
(for i in `seq 1 100`;
do
echo "Log message... $RANDOM";
done) | logger;
done
busybox's syslogd would from time to time read a huge negative value and
then exit, strace would get stuck waiting on a syscall. After this
patch it appears to work better.
Signed-off-by: Holger Hans Peter Freyther <holger@moiji-mobile.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Martin Jansa [Wed, 4 Dec 2013 17:32:43 +0000 (18:32 +0100)]
cpan-base: Add vardepvalue to get_perl_version function
* without this bitbake -S perf shows following error:
ERROR: Bitbake's cached basehash does not match the one we just generated
(/OE/oe-core/meta/recipes-kernel/perf/perf.bb.do_package)!
if you run it twice, once without perl in sysroot and once with perl
already built
Ross Burton [Thu, 6 Feb 2014 23:17:18 +0000 (23:17 +0000)]
binconfig: mangle ${base_libdir}
Some recipes are installing libraries into ${base_libdir} (typically /lib) and
also use a foo-config binary to identify compile paths, for example
libusb-compat. Without mangling ${base_libdir} the ${base_libdir} path is
passed to the compiler, where it looks like a host path and results in
compile-host-path QA errors.
Laurentiu Palcu [Thu, 16 Jan 2014 14:25:08 +0000 (16:25 +0200)]
x11vnc: fix CAPS_LOCK issues
Currently, pressing CAPS_LOCK on the viewer changes the lock state on
the server and the key will not change the case.
To fix this, use -skip_lockkeys option to ignore all Caps_Lock,
Shift_Lock, Num_Lock, Scroll_Lock keysyms received from viewers, in
order to leave the lock state on the server side unchanged. However, the
keys will appear correctly on the remote side.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Exiting explicitly in pkg_postinst makes it impossible to use the
update-rc.d class in a .bbappend because the link creation is appended
to the pkg_postinst script.
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Richard Purdie [Tue, 14 Jan 2014 11:42:38 +0000 (11:42 +0000)]
eglibc-locale: Fix depends on binutils
The dependency here needs to apply for nativesdk as well as target packages
as the autobuilder just tripped over that. We'd never want a native version
so I'm not sure why the target class override was even present. The dependency
also applies to do_package so let's be explicit about that in case sstate
decides to get clever.
Anders Darander [Fri, 10 Jan 2014 14:59:01 +0000 (15:59 +0100)]
terminal.bbclass: do not export PS1
With a complex PS1 setup, PS1 might not have all characters correctly escaped
when terminal.bbclass writes the export. This caused the run.do_terminal.PID to
terminate, making it impossible to use the devshell.
As the spawned shell will parse e.g. .bashrc (or whatever rc-file is being
used), PS1 will be reset in the devshell.
Signed-off-by: Anders Darander <anders@chargestorm.se> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Phil Blundell [Fri, 10 Jan 2014 12:54:16 +0000 (12:54 +0000)]
binutils: Also add autoconf-native to DEPENDS
Commit 616354f13732d13c17434d5b60b166f691c25761 is insufficient because
gnu-config-native's gnu-configize script uses perl modules from autoconf
and hence doesn't work unless autoconf-native is staged (which it may
not be if building from sstate).
Ideally g-c-n would itself declare a dependency on autoconf-native but this
is difficult to arrange without creating a dependency loop. autoconf-native
already depends on gnu-config-native (because autoreconf invokes gnu-configize)
and has a build dependency on m4-native, which in turn build-depends on g-c-n
because it configizes itself by steam in do_configure and needs config.{guess,sub}
to be available. Adding some sort of gnu-config-initial-native recipe would
fix the latter problem, but this would be ugly because it would need special-casing
in (at least) autotools.bbclass, and in any case this still wouldn't solve
the problem of autoconf itself depending on g-c-n.
So, the easiest solution to the problem at hand is to arrange for those
few recipes that depend on g-c-n but not autoconf-native to gain that
latter dependency as well.
Signed-off-by: Phil Blundell <pb@pbcl.net> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Phil Blundell [Thu, 9 Jan 2014 11:16:10 +0000 (11:16 +0000)]
libsoup: Remove libproxy from DEPENDS
Although libsoup did use to support direct usage of libproxy, it hasn't
done so for some time. Worse, if libsoup depends on libproxy then it
is impossible to build libproxy against webkit since webkit itself
depends on libsoup in some configurations. Fix this by removing the
extraneous entry from DEPENDS.
Signed-off-by: Phil Blundell <pb@pbcl.net> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Jacob Kroon [Mon, 30 Dec 2013 18:17:58 +0000 (19:17 +0100)]
meta/lib/oe/terminal.py: Don't pass non-supported '--disable-factory' flag to gnome-terminal
By default, all GNOME terminals share a single process,
reducing memory usage. This can be disabled by starting gnome-terminal
with the --disable-factory option.
However, gnome-terminal in Fedora 20 no longer supports the
'--disable-factory' flag, so remove it. As the support for 'mate' terminals was
added as a copy of the gnome code in 8cc078a9c679845464c59028f584d7aba098cc1f,
remove the flag here as well.
Signed-off-by: Jacob Kroon <jacob.kroon@mikrodidakt.se> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Saul Wold [Fri, 20 Dec 2013 18:47:26 +0000 (10:47 -0800)]
openssl: use PACKAGECONFIG to disable perl bits
Adding perl to the RDEPENDS caused a performance hit to the overall build time since this was
the only package that depended on perl. The openssl-misc package is not installed by default
so use a PACKAGECONFIG which can be overridden to allow the perl scripts along with perl to
be installed.
Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Paul Eggleton [Fri, 20 Dec 2013 14:55:09 +0000 (14:55 +0000)]
libav: add libpostproc to PROVIDES (for 0.8.x version only)
There is a separate libpostproc recipe in meta-oe for use with 9.x and
later versions of libav for those few that need libpostproc; however if
you just add meta-oe and try to build libpostproc without selecting the
libav 9.x version recipe, you'll be building the libpostproc recipe
together with libav 0.8.x, which provides its own libpostproc; this
leads to confusing errors at packaging time. In order to flag up that
these conflict more appropriately, add libpostproc to PROVIDES
explicitly so that you at least get a multiple providers error at the
start of the build.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Tom Zanussi [Tue, 31 Dec 2013 19:59:24 +0000 (13:59 -0600)]
systemtap: Add --enable-prologues to configuration
In some cases, the debuginfo generated by the compiler is insufficient
for systemtap to figure out function param locations; using -P allows
it to use prologue searching to find the correct locations.
Enable prologue searching in the configuration so the user doesn't
have to specify it manually.
Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Scott Garman [Thu, 5 Dec 2013 21:57:31 +0000 (13:57 -0800)]
runqemu: remove core-image-* whitelist
Using a whitelist for image names to default to when none are
specified on the command line is no longer desired. Instead,
choose the most recently created image filename that conforms
to typical image naming conventions.
Signed-off-by: Scott Garman <scott.a.garman@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Krzysztof Sywula <krzysztof.m.sywula@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Ross Burton [Wed, 18 Dec 2013 16:20:02 +0000 (16:20 +0000)]
useradd.bbclass: add dependency on base-files
Packages that use useradd.bbclass should have a dependency on base-files so that
the /etc/skel directory is populated. Without this dependency base-files may or
may not be installed when the postinst runs, and the skel content may or may not
be copied.
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
mykhani [Tue, 17 Dec 2013 08:28:35 +0000 (13:28 +0500)]
openssl.inc: Install c_rehash utility with openssl
c_rehash utility is not being installed with openssl. It conveniently
generates hash and symbolic links based on it for CA certificates
stored locally for SSL based server authentication.
Signed-off-by: Yasir-Khan <yasir_khan@mentor.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Christopher Larson <kergoth@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Yue Tao [Thu, 5 Dec 2013 23:52:19 +0000 (17:52 -0600)]
icu: CVE-2013-2924
Use-after-free vulnerability in International Components for Unicode (ICU),
as used in Google Chrome before 30.0.1599.66 and other products, allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Yue Tao [Thu, 5 Dec 2013 23:52:18 +0000 (17:52 -0600)]
acpid: CVE-2011-1159
acpid.c in acpid before 2.0.9 does not properly handle a situation in which
a process has connected to acpid.socket but is not reading any data, which
allows local users to cause a denial of service (daemon hang) via a crafted
application that performs a connect system call but no read system calls.
Signed-off-by: Yue Tao <yue.tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Li Wang [Thu, 5 Dec 2013 23:52:17 +0000 (17:52 -0600)]
xinetd: CVE-2013-4342
xinetd does not enforce the user and group configuration directives
for TCPMUX services, which causes these services to be run as root
and makes it easier for remote attackers to gain privileges by
leveraging another vulnerability in a service.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4342
The patch comes from:
https://bugzilla.redhat.com/attachment.cgi?id=799732&action=diff
Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Roy Li [Tue, 10 Dec 2013 05:46:16 +0000 (13:46 +0800)]
multilib: Ensure we map the SYSTEMD_PACKAGES variable
If we don't do this, systemd.bbclass will complain about being unable to find multilib
packages since PACKAGES is expanded with mlprefix, but SYSTEMD_PACKAGES is not,
like in ntp.inc:
Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Hongxu Jia [Tue, 3 Dec 2013 06:03:50 +0000 (06:03 +0000)]
nativesdk.bbclass: support nativesdk to override with the PACKAGES_DYNAMIC statement
While compiling nativesdk-mtools, there was failure:
...
Nothing PROVIDES 'nativesdk-glibc-gconv-ibm850'. Close matches:
...
This patch supports nativesdk to override with the PACKAGES_DYNAMIC statement
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
For each recipe, it populated license files to ${LICENSE_DIRECTORY}/${PN},
such as kernel's license dir was ${LICENSE_DIRECTORY}/kernel-3.10.17-yocto-standard;
In do_rootfs task, it copied license directories from ${LICENSE_DIRECTORY}/
${pkg}, and ${pkg} was listed in ${INSTALLED_PKGS};
We got ${INSTALLED_PKGS} by rpm query, such as the kernel were 'kernel-*',
but the kernel's PN was linux-yocto, so searching ${LICENSE_DIRECTORY}/
kernel-* failed.
Copied license directories from ${LICENSE_DIRECTORY}/${PN} fixed this issue.