Yi Zhao [Wed, 26 Oct 2016 08:26:46 +0000 (16:26 +0800)]
tiff: Security fix CVE-2016-3991
CVE-2016-3991 libtiff: Heap-based buffer overflow in the loadImage
function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote
attackers to cause a denial of service (out-of-bounds write) or execute
arbitrary code via a crafted TIFF image with zero tiles.
Yi Zhao [Wed, 26 Oct 2016 08:26:45 +0000 (16:26 +0800)]
tiff: Security fix CVE-2016-3990
CVE-2016-3990 libtiff: Heap-based buffer overflow in the
horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and
earlier allows remote attackers to cause a denial of service (crash) or
execute arbitrary code via a crafted TIFF image to tiffcp.
Yi Zhao [Wed, 26 Oct 2016 08:26:44 +0000 (16:26 +0800)]
tiff: Security fix CVE-2016-3945
CVE-2016-3945 libtiff: Multiple integer overflows in the (1)
cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in
LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote
attackers to cause a denial of service (crash) or execute arbitrary code
via a crafted TIFF image, which triggers an out-of-bounds write.
Chen Qi [Wed, 26 Oct 2016 06:09:47 +0000 (14:09 +0800)]
systemd: CVE-2016-7795
The manager_invoke_notify_message function in systemd 231 and earlier allows
local users to cause a denial of service (assertion failure and PID 1 hang)
via a zero-length message received over a notify socket.
The patch is a backport from the latest git repo.
Please see the link below for more information.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7795
Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Robert Yang [Mon, 31 Oct 2016 15:48:58 +0000 (08:48 -0700)]
oe/copy_buildsystem.py: dereference symlink
When there is a relative symlink in the layer, for example:
symA -> ../out/of/layer/file
symA will be invalid after copied, it would be invalid from build time
if it points to a relative path, and would be invalid after extracted
the sdk if it points to an absolute path. Dereference symlink when copy
will fix the problem.
Use tar rather than shutil.copytree() to copy is because:
1) shutil.copytree(symlinks=False) has bugs when dereference symlinks:
https://bugs.python.org/issue21697
And Ubuntu 1404 doesn't upgrade python3 to fix the problem.
2) shutil.copytree(symlinks=False) raises errors when there is an invalid
symlink, and tar just prints a warning, tar is preferred here since
the real world is unpredictable
3) tar is faster than shutil.copytree() as said by oe.path.copytree()
So use tar to copy.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Dmitry Rozhkov [Fri, 28 Oct 2016 07:22:35 +0000 (10:22 +0300)]
openssl: rehash actual mozilla certificates inside rootfs
The c_rehash utility is supposed to be run in the folder /etc/ssl/certs
of a rootfs where the package ca-certificates puts symlinks to
various CA certificates stored in /usr/share/ca-certificates/mozilla/.
These symlinks are absolute. This means that when c_rehash is run
at rootfs creation time it can't hash the actual files since they
actually reside in the build host's directory
$SYSROOT/usr/share/ca-certificates/mozilla/.
This problem doesn't reproduce when building on Debian or Ubuntu
hosts though, because these OSs have the certificates installed
in the same /usr/share/ca-certificates/mozilla/ folder.
Images built in other distros, e.g. Fedora, have problems with
connecting to https servers when using e.g. python's http lib.
The patch fixes c_rehash to check if it runs on a build host
by testing $SYSROOT and to translate the paths to certificates
accordingly.
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Ross Burton [Mon, 31 Oct 2016 15:45:58 +0000 (15:45 +0000)]
slang: add PREMIRRORS to handle upstream moving tarballs
The slang maintainer only puts the current release at
jedsoft.org/releases/slang/slang-1.2.3.tar.bz2, all previous releases are moved
into /releases/slang/old/.
As this breaks the fetch the moment a new version is released, use PREMIRRORS to
also look in the /old/ directory.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Currently, this patch is forced on these external packages too
and fails to patch cleanly in some cases. Therefore it's
better to move this SRC_URI_append to the individual .bb files
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Nathan Rossi [Sat, 29 Oct 2016 13:50:19 +0000 (23:50 +1000)]
qemuboot.bbclass: Setup the vardeps for write_qemuboot_conf
Setting up the vardeps on write_qemuboot_conf forces the updating of
variables in qemuboot.conf when machine/deploy configuration changes.
This is particularly useful when developing or setting up the qemuboot
(e.g. changing QB_* variables) for new targets or when changing
deployment variables (e.g. KERNEL_IMAGETYPE).
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Paul Eggleton [Mon, 31 Oct 2016 04:02:23 +0000 (17:02 +1300)]
classes/npm: use npm install to do installation
Using "npm install" instead of "cp -a" is the more correct thing to be
doing here, and ensures that symlinks for executable scripts are put
into ${prefix}/bin. (I'd prefer ${bindir}, but npm does not allow
specifying paths at that level - only a prefix.)
Fixes [YOCTO #10460].
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Paul Eggleton [Mon, 31 Oct 2016 03:59:43 +0000 (16:59 +1300)]
classes/license: fix handling of symlinks pointed to in LIC_FILES_CHKSUM
If you set LIC_FILES_CHKSUM to point to a relative symlink then you'll
get "Could not copy license file" warnings in copy_license_files() since
the symlink won't be valid after it's copied. If the source is a symlink
then we need to dereference it first.
I encountered this when I used recipetool on the sources for capnproto,
where the c++ directory contains a LICENSE.txt symlink to the LICENSE
file in the parent directory, and this symlink ends up being pointed to
in LIC_FILES_CHKSUM.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
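The relative-symlink breakage that this commit and the oe/copy_buildsystem.py commit above describe, reproduced as an added example (not OE-core code). The directory layout and function names are constructed, and shutil.copytree() stands in for the tar-based copy the commits use so that the example is self-contained.

```python
import os
import shutil
import tempfile


def copy_layer(src, dst, dereference):
    """Copy a tree; with dereference=True each symlink is replaced by its target's content."""
    shutil.copytree(src, dst, symlinks=not dereference)


def broken_symlinks(root):
    """Return relative paths of symlinks under root whose target does not exist."""
    broken = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # os.path.exists() follows the link, so it is False for a dangling one
            if os.path.islink(path) and not os.path.exists(path):
                broken.append(os.path.relpath(path, root))
    return sorted(broken)


def demo():
    base = tempfile.mkdtemp()
    try:
        # Constructed layout: src/layer/symA -> ../out/of/layer/file
        target_dir = os.path.join(base, "src", "out", "of", "layer")
        os.makedirs(target_dir)
        with open(os.path.join(target_dir, "file"), "w") as f:
            f.write("LICENSE text\n")
        layer = os.path.join(base, "src", "layer")
        os.makedirs(layer)
        os.symlink("../out/of/layer/file", os.path.join(layer, "symA"))

        # Copy the layer somewhere the relative target no longer exists
        kept = os.path.join(base, "sdk-kept", "nested", "layer")
        deref = os.path.join(base, "sdk-deref", "nested", "layer")
        copy_layer(layer, kept, dereference=False)
        copy_layer(layer, deref, dereference=True)

        with open(os.path.join(deref, "symA")) as f:
            content = f.read()
        return broken_symlinks(kept), broken_symlinks(deref), content
    finally:
        shutil.rmtree(base)
```

Copying the link as a link leaves `symA` dangling in the destination, while the dereferenced copy carries the file content with it.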
Juro Bystricky [Fri, 28 Oct 2016 22:14:56 +0000 (15:14 -0700)]
build-appliance-image: Fix incorrect PATH
When modifying the PATH variable in .bashrc, double quote characters
were used, resulting in expanding the variable $PATH with the value of
PATH of the system building the Build Appliance.
The original intent was to enter an un-expanded (literal) $PATH.
In order to do that, one must use single quotes instead of double quotes.
[YOCTO#10434] [YOCTO#10504]
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
0 elf32_arm_count_additional_relocs (sec=0x79bf40) at /mnt/a/work/oe/binutils-gdb/bfd/elf32-arm.c:18210
1 0x000000000047635a in bfd_elf_final_link (abfd=abfd@entry=0x783250, info=info@entry=0x748400 <link_info>) at /mnt/a/work/oe/binutils-gdb/bfd/elflink.c:11224
2 0x000000000044df7b in elf32_arm_final_link (abfd=0x783250, info=0x748400 <link_info>) at /mnt/a/work/oe/binutils-gdb/bfd/elf32-arm.c:12131
3 0x0000000000418917 in ldwrite () at /mnt/a/work/oe/binutils-gdb/ld/ldwrite.c:577
4 0x000000000040365f in main (argc=<optimized out>, argv=<optimized out>) at /mnt/a/work/oe/binutils-gdb/ld/ldmain.c:433
gold works ok. The patch is already applied in master binutils
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Jussi Kukkonen [Mon, 31 Oct 2016 13:40:18 +0000 (15:40 +0200)]
distcc: Don't remove users/groups in postrm
There's no way to ensure that files owned by the users aren't left
on the system at postrm time: Removing the user would mean those
files are now owned by a non-existing user, and later may be owned
by a completely unrelated new user.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Jussi Kukkonen [Mon, 31 Oct 2016 13:40:17 +0000 (15:40 +0200)]
avahi: Don't remove users/groups in postrm
There's no way to ensure that files owned by the users aren't left
on the system at postrm time: Removing the user would mean those
files are now owned by a non-existing user, and later may be owned
by a completely unrelated new user.
[YOCTO #10442]
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
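A check for the condition the distcc and avahi commits above are avoiding, files whose owner UID no longer maps to an account (what `find -nouser` reports), as an added example that is not part of either recipe. The service directory, file name and function names are constructed, and account removal is simulated by dropping the UID from the set of known UIDs.

```python
import os
import pwd
import tempfile


def known_uids():
    """UIDs currently defined in the passwd database."""
    return {entry.pw_uid for entry in pwd.getpwall()}


def orphaned_files(root, valid_uids):
    """Return (relative path, uid) for every entry under root owned by a UID not in valid_uids."""
    orphans = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            uid = os.lstat(path).st_uid  # lstat: report the link's owner, not its target's
            if uid not in valid_uids:
                orphans.append((os.path.relpath(path, root), uid))
    return sorted(orphans)


def simulate_postrm_userdel():
    """Constructed scenario: a service user owns a state file, then the account is removed."""
    with tempfile.TemporaryDirectory() as root:
        state_dir = os.path.join(root, "var", "lib", "svc")
        os.makedirs(state_dir)
        state = os.path.join(state_dir, "state.db")
        with open(state, "w") as f:
            f.write("left behind\n")
        owner = os.lstat(state).st_uid

        accounts = known_uids() | {owner}          # account still exists
        before = orphaned_files(root, accounts)
        after = orphaned_files(root, accounts - {owner})  # account removed in postrm
        return owner, before, after
```

Any path this reports would be inherited by whichever account is next assigned the same numeric UID, which is the reuse the commits describe.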
Jussi Kukkonen [Mon, 31 Oct 2016 13:40:16 +0000 (15:40 +0200)]
e2fsprogs: Depend on attr
e2fsprogs builds fine with or without attr but it's possible to
end up with this sequence:
* e2fsprogs configure finds attr/xattr.h (coming from sstate)
* attr starts rebuild, attr/xattr.h is removed from sysroot
* e2fsprogs compile fails: "attr/xattr.h: No such file or directory"
Depend on attr to ensure reproducible build.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/kernel.py: Add new file destined for kernel related tests
[YP#7202]: Test for linux-dummy
The new kernel.py file is intended for kernel related test cases.
The test for linux-dummy will ensure it is in good shape and can
be used as a kernel replacement at build time. To do this, the
test will first clean sstate for linux-dummy target, ensuring no
file is present in the stamps directory. After, core-image-minimal
is built, ensuring linux-dummy can be used as a kernel substitute.
Signed-off-by: Costin Constantin <costin.c.constantin@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Jussi Kukkonen [Wed, 26 Oct 2016 08:37:39 +0000 (11:37 +0300)]
xserver-xf86-config: Remove legacy drivers from xorg.conf
Trying to configure evdev and mouse leads to errors in X startup
because xf86-input-libinput is now the default. No configuration
should be needed: xf86-input-libinput should just work out-of-the-box.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Jussi Kukkonen [Wed, 26 Oct 2016 08:37:38 +0000 (11:37 +0300)]
conf: Use xf86-input-libinput by default
Don't install legacy X input drivers for any machines by default,
RRECOMMEND xf86-input-libinput instead.
This is the setup suggested by upstream: install only libinput by
default, but let niche legacy drivers sort higher in configuration
so they get chosen if installed. So the order is:
evdev < libinput < (synaptics|vmmouse|...)
This also removes vmmouse X driver from the qemu config. If a VMware
virtual mouse device really needs to be supported, we should enable
CONFIG_MOUSE_PS2_VMMOUSE in kernel instead: that is directly supported
by the libinput X driver.
Fixes [YOCTO #10195].
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Andreas Müller [Thu, 27 Oct 2016 20:07:19 +0000 (22:07 +0200)]
libsdl2: update to 2.0.5
* 0001-src-video-make-it-compatible-with-wayland-1.10.patch is removed because
the problem has been resolved upstream
* Add 0001-prepend-our-sysroot-path-so-that-make-finds-our-wayl.patch
so that WAYLAND_PROTOCOLS_SYSROOT_DIR is substituted in a way similar to gtk3
Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Olaf Mandel [Fri, 21 Oct 2016 14:06:08 +0000 (14:06 +0000)]
Remove LIC_FILES_CHKSUM from recipes without SRC_URI
LICENSE and LIC_FILES_CHKSUM apply to the sources specified by SRC_URI,
not to the recipe itself. As such a license declaration for a source-less
recipe makes little sense. The LICENSE declaration is mandatory, but
LIC_FILES_CHKSUM can be removed in such cases.
Remove the LIC_FILES_CHKSUM declarations from all recipes that do not
need it.
CC: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Olaf Mandel <o.mandel@menlosystems.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The change to get rid of FuncFailed exceptions changed the behavior
of how missing uid/gid errors are handled. Instead of catching
the exception and handling that via bb.parse.SkipPackage(), a fatal
error was called.
This won't work with recipes that are unused and therefore do not have
UID/GIDs defined. The problem triggers when parsing all recipes (e.g.,
oe-selftest runs bitbake -p).
The right way to handle this is to raise bb.parse.SkipPackage(). This
will error correctly once the recipe is needed.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Yuanjie Huang [Fri, 21 Oct 2016 02:47:52 +0000 (19:47 -0700)]
binutils: enable warn system directories in cross-canadian ld
Warn system directories requires a configuration option to be enabled.
This patch enables the warning for cross-canadian ld, to align with the
cross version.
Signed-off-by: Yuanjie Huang <yuanjie.huang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
This class enables 'manpages' feature in packages if 'api-documentation'
is in distro features. This ensures that manpages are always built
and installed when API documentation feature is enabled.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Martin Jansa [Wed, 19 Oct 2016 15:31:56 +0000 (17:31 +0200)]
test-dependencies.sh: Strip also '\.bb: .*' before adding failed recipe to list of failed
* format of bitbake tasks changed in: 2c88afb taskdata/runqueue: Rewrite without use of ID indirection
-ERROR: Task 4 (/OE/build/oe-core/openembedded-core/meta/recipes-devtools/rpm/sftp.bb, do_fetch) failed with exit code '1'
+ERROR: Task /OE/build/oe-core/openembedded-core/meta/recipes-devtools/rpm/sftp.bb:do_fetch (/OE/build/oe-core/openembedded-core/meta/recipes-devtools/rpm/sftp.bb:do_fetch) failed with exit code '1'
so strip not only '\.bb, .*' used before, but also '\.bb:.*' to drop
the task name to get recipe name.
* for more details see:
http://lists.openembedded.org/pipermail/openembedded-core/2016-June/123132.html
* without this change you can see test-dependencies.sh trying to rebuild packages
like:
Building recipe: fbprogress (6/21)
Building recipe: fbprogress.bb:do (7/21)
where the latter of course doesn't exist as a recipe
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Marek Vasut [Tue, 18 Oct 2016 21:55:09 +0000 (23:55 +0200)]
u-boot: Factor out common bits
The u-boot recipes share a couple of common variables, which makes
updating of the recipes error prone and a toil. Factor those common
bits into u-boot-common_${PV}.inc so that they are in one place.
The u-boot_${PV}.bb now explicitly requires u-boot-common_${PV}.inc
before require u-boot.inc, as doing require u-boot-common_${PV}.inc
from u-boot.inc would fail due to ${PV} not being set. This is a
functional change.
Signed-off-by: Marek Vasut <marex@denx.de> Cc: Richard Purdie <richard.purdie@linuxfoundation.org> Cc: Denys Dmytriyenko <denis@denix.org> Signed-off-by: Ross Burton <ross.burton@intel.com>