Yue Tao [Tue, 8 Apr 2014 18:37:37 +0000 (19:37 +0100)]
Security Advisory - openssl - CVE-2013-4353
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before
1.0.1f allows remote TLS servers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted Next Protocol
Negotiation record in a TLS handshake.
Richard Purdie [Mon, 17 Mar 2014 23:13:37 +0000 (23:13 +0000)]
sstate: Drop 'SafeDep' code from setscene validation function
I have a feeling this code exists from the time before we had proper
coverage of one sstate task by another task. At that time it was a
"poor person's" version of that idea; we now have much better
code internal to bitbake which handles this.
Worse, this code actually breaks certain rebuild scenarios,
e.g.:
Mark Hatle [Fri, 9 Aug 2013 22:51:30 +0000 (17:51 -0500)]
rpm: Enable compatibility with older RPM packages that have invalid platforms
Some LSB packages appear to have the platform set to '%{_target_platform}'
which is not a valid platform field. This causes a failure of the type:
warning: package lsb-test-core-4.1.15-1.x86_64 is intended for a %{_target_platform} platform
When we detect an invalid platform, fall back and try to construct a new
platform name that may be valid based on the arch and os contents of the
package. (This should only ever be needed by invalid or older RPM packages.)
Darren Hart [Mon, 23 Sep 2013 20:54:10 +0000 (20:54 +0000)]
init-install-efi.sh: Remove unnecessary udev rules file to avoid errors
Fixes [YOCTO #5233]
Modeled after Chen Qi's fix to [YOCTO #3924] from oe-core commit: 6b6db7b4fb7aa17b8e29076decc830149b9d35bc
init-install.sh: remove unnecessary udev rules file to avoid error messages
/etc/udev/scripts/mount.sh is removed by init-install-efi.sh, but the
udev rules file which specifies the invocation of this script is not
removed, thus causing the error message during a live install:
/etc/udev/scripts/mount.sh: No such file or directory
The /etc/udev/rules/automount.rules no longer works once the mount.sh
script is removed. Remove it to avoid the error message.
Richard Purdie [Wed, 25 Sep 2013 20:59:11 +0000 (21:59 +0100)]
runqemu: Use correct kvm CPU options for qemux86* with kvm
The existing -cpu host option caused kernel panics when people attempted to use
the kvm option. After research and discussion, the best options appear to
be the kvm32/kvm64 cpu types, so let's use these instead. These resolve
the kernel issues for me.
For more info see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://www.gnutls.org/security.html#GNUTLS-SA-2014-1
https://www.gitorious.org/gnutls/gnutls/commit/467478d8ff08a3cb4be3034ff04c9d08a0ceba3e
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For more info see:
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b
Signed-off-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Thu, 6 Feb 2014 22:05:41 +0000 (22:05 +0000)]
libx11: backport _XEatDataWords API
If you build libx11-native then that has to be ABI-compatible with the
libX11 on the host or you'll have problems running qemu-native. Most
current distros are using libX11 1.6+. Thus, we need to backport the
_XEatDataWords API present in 1.6.
This only affects the dylan branch as dora+ has libx11 1.6+.
Fixes [YOCTO #5040].
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Tue, 21 Jan 2014 17:30:04 +0000 (17:30 +0000)]
guile: fix build with Texinfo 5.0
Backport a patch from upstream which fixes failures building
guile-native on newer distros such as Ubuntu 13.10. (This does not
affect dora or master because we are using Guile 2.0.9 there, which
already contains this patch.)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Saul Wold [Wed, 8 Jan 2014 17:23:00 +0000 (17:23 +0000)]
cmake.bbclass: ensure CMAKE_SYSTEM_NAME is correct
Using TARGET_OS can add the ABIEXTENSION, so ensure that it is removed for the Linux
TARGET_OS. We might have other TARGET_OSes, so don't hard-code CMAKE_SYSTEM_NAME.
Richard Purdie [Wed, 8 Jan 2014 17:22:59 +0000 (17:22 +0000)]
cmake: set system name correctly
For unknown reasons, the cmake class is using SDK_OS as the
target system OS. This makes no sense but only shows up as a problem
when you try a different SDK OS. Fix it to use TARGET_OS which is
the correct thing to do. For the vast majority of users this will
make no difference.
Baogen Shang [Mon, 21 Oct 2013 03:03:41 +0000 (11:03 +0800)]
libtiff: CVE-2013-4243
cve description:
Heap-based buffer overflow in the readgifimage function in the gif2tiff
tool in libtiff 4.0.3 and earlier allows remote attackers to cause a denial
of service (crash) and possibly execute arbitrary code via crafted height
and width values in a GIF image.
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Baogen Shang [Mon, 21 Oct 2013 03:00:05 +0000 (11:00 +0800)]
libtiff: CVE-2013-4232
cve description:
Use-after-free vulnerability in the t2p_readwrite_pdf_image function
in tools/tiff2pdf.c in libtiff 4.0.3 allows remote attackers to cause
a denial of service (crash) or possibly execute arbitrary code via a
crafted TIFF image.
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ming Liu [Thu, 21 Nov 2013 07:05:04 +0000 (01:05 -0600)]
libtiff: fix CVE-2013-1960
Heap-based buffer overflow in the tp_process_jpeg_strip function in tiff2pdf
in libtiff 4.0.3 and earlier allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted TIFF image
file.
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ming Liu [Thu, 21 Nov 2013 07:05:05 +0000 (01:05 -0600)]
gst-ffmpeg: fix CVE-2013-3674
The cdg_decode_frame function in cdgraphics.c in libavcodec in FFmpeg before
1.2.1 does not validate the presence of non-header data in a buffer, which
allows remote attackers to cause a denial of service (out-of-bounds array
access and application crash) via crafted CD Graphics Video data.
Signed-off-by: Ming Liu <ming.liu@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An excluded package left its files behind, which meant they could end up in
another package instead, meaning we could ship GPLv3 binaries even with GPLv3
in INCOMPATIBLE_LICENSE. Skip the files belonging to the excluded packages to
prevent this from occurring.
license.bbclass: include all licenses in the manifest
When we don't have a generic license file for the license in question, we can
warn, but we should still include it in the manifest, otherwise the manifest
doesn't reflect reality. Failing to include a license listed in the recipe in
the manifest can't be allowed.
Chen Qi [Mon, 18 Nov 2013 07:20:44 +0000 (15:20 +0800)]
license.bbclass: fix missing of license files on ubuntu build host
The license_create_manifest function contains a bashism, which leads
to unexpected results on an Ubuntu build host, as sh is linked to dash on
Ubuntu. Even if COPY_LIC_MANIFEST and COPY_LIC_DIRS are enabled, the
license files will still be missing on target.
Richard Purdie [Fri, 22 Nov 2013 15:07:34 +0000 (15:07 +0000)]
metadata_scm: Avoid crashing on new svn version layouts
This avoids crashing on newer svn layouts where the entries files
don't contain three lines. If someone wants to fix this to
get the right version on newer subversion checkouts, patches
welcome but this at least stops things crashing.
Laurentiu Palcu [Mon, 28 Oct 2013 20:46:20 +0000 (22:46 +0200)]
nativesdk-qt4-tools: create qt.conf file
When installing the SDK to another location than the default one, qmake
will look for libraries, headers, etc. in the default location. That's
because the paths are hard-coded in the binary itself. Luckily, Qt
allows this to be overridden using a qt.conf file installed in the same
directory as the application executable. However, we already have a
patch that allows for the installation of qt.conf in another place and
reads the location from the QT_CONF_PATH environment variable.
Hence, install qt.conf in ${sysconfdir}. This will allow other apps that
use the QLibraryInfo class to find it.
Roy Li [Thu, 26 Sep 2013 01:56:08 +0000 (09:56 +0800)]
dropbear: pass SFTPSERVER_PATH explicitly
The default value of SFTPSERVER_PATH is "/usr/libexec/sftp-server" defined in
dropbear-2013.58/option.h, but after commit 406bd38b423[bitbake.conf: change
libexecdir to ${libdir}/${BPN}], sftp-server is provided by openssh package,
and is installed into ${libdir}/openssh, so we pass it explicitly.
Paul Eggleton [Thu, 26 Sep 2013 16:00:33 +0000 (17:00 +0100)]
classes/package_rpm: fix bitbake package-index for RPM
The function that "bitbake package-index" relies upon when using the RPM
package backend (package_update_index_rpm()) uses MULTILIB_PREFIX_LIST
to get the list of package architectures to be indexed, but that
variable is only set when populate_sdk_rpm or rootfs_rpm are inherited,
which is not the case for the package-index recipe. Until we're able to
refactor this properly, for minimal impact just use the value of
ALL_MULTILIB_PACKAGE_ARCHS if MULTILIB_PREFIX_LIST does not give us any
architectures (the equivalent function in the ipk backend uses the
former variable).
Having "bitbake package-index" working is important because it's the
only practical way of indexing RPM packages for use as a feed; host
versions of createrepo won't work properly because they won't support
indexing recommends relationships.
elfutils-native: Fix build on distros with gcc 4.8
The patch redhat-portability.diff causes this issue,
so let's revert the portion which was using %a instead of %m;
that's recommended anyway, as the Red Hat patch seems to be targeting
old compilers.
Darren Hart [Fri, 9 Aug 2013 17:58:42 +0000 (10:58 -0700)]
kernel.bbclass: Correct post(inst|rm) package association
Fixes [YOCTO #4991]
The kernel image is installed as part of the kernel-image package, but
the symlink creation/removal via alternatives is being done in
pkg_post(inst|rm)_kernel-base.
Move the postinst alternatives logic into the kernel-image functions.
Ross Burton [Tue, 17 Sep 2013 09:22:17 +0000 (10:22 +0100)]
libxml2: remove patch for CVE-2012-2871
This CVE patch is actually against Chromium as they ship an internal fork of
libxml2 and breaks ABI. The real issue has been resolved in libxslt 1.1.27, and
we're shipping 1.1.28.
Paul Eggleton [Wed, 24 Apr 2013 14:33:18 +0000 (15:33 +0100)]
sysvinit-inittab: ensure unique label for SERIAL_CONSOLES entries
The label field in /etc/inittab entries needs to be unique, and the
numeric label being used for the SERIAL_CONSOLES getty entries was
clashing with the entries added for standard ttyX entries added via
SYSVINIT_ENABLED_GETTYS. Use the part after "tty" in the device name
(which is what the comment further down explicitly says should be done)
as the label rather than a simple incrementing number.
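The label clash described above, and the fix of deriving the label from the device name, as an added example that is not part of the sysvinit-inittab recipe. The getty path, runlevels and inittab lines are constructed for illustration: a small POSIX sh helper that renders a SERIAL_CONSOLES entry with a unique label and a checker that reports duplicate labels in a rendered inittab.

```shell
# Added example (not the oe-core sysvinit-inittab recipe code).

# serial_getty_label DEVICE -> the part of the device name after "tty"
# (ttyS0 -> S0, ttyO2 -> O2), used as the inittab label.
serial_getty_label() {
    printf '%s\n' "${1#tty}"
}

# render_serial_console_entry SPEED DEVICE -> one inittab line for a serial
# console. Runlevels "12345" and /sbin/getty are assumptions for this example.
render_serial_console_entry() {
    speed=$1
    device=$2
    printf '%s:12345:respawn:/sbin/getty %s %s\n' \
        "$(serial_getty_label "$device")" "$speed" "$device"
}

# inittab_duplicate_labels < INITTAB -> prints every label (first colon-separated
# field) that occurs more than once, skipping comments and blank lines.
# Empty output means all labels are unique, which is what init requires.
inittab_duplicate_labels() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | cut -d: -f1 | sort | uniq -d
}

# Constructed sample: the old numeric label "1" clashes with the tty1 getty
# entry added by SYSVINIT_ENABLED_GETTYS; the device-derived label does not.
old_inittab='1:2345:respawn:/sbin/getty 38400 tty1
1:2345:respawn:/sbin/getty 115200 ttyS0'
new_inittab="1:2345:respawn:/sbin/getty 38400 tty1
$(render_serial_console_entry 115200 ttyS0)"

if [ "${0##*/}" != "sh" ] && [ -z "${INITTAB_EXAMPLE_NO_MAIN:-}" ]; then
    printf 'old inittab duplicate labels: %s\n' "$(printf '%s\n' "$old_inittab" | inittab_duplicate_labels)"
    printf 'new inittab duplicate labels: %s\n' "$(printf '%s\n' "$new_inittab" | inittab_duplicate_labels)"
fi
```

Running the script prints `1` as a duplicate for the old layout and nothing for the new one; the same checker can be run against a target's real /etc/inittab to confirm that no two entries share a label.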
Jason Wessel [Tue, 23 Apr 2013 15:26:12 +0000 (15:26 +0000)]
ncurses: Fix problems expanding ncurses-libtinfo when in IMAGE_INSTALL
The ncurses package was generating the following error as a result
of not specifying the PACKAGES_DYNAMIC correctly. This error only
appears when using the IMAGE_INSTALL list that has been expanded by
the hob or from the pkgdata.
ERROR: Nothing RPROVIDES 'ncurses-libtinfo'
The dynamic packages are named using "${PN}-lib%s". So we check for
${PN}-lib*
Saul Wold [Wed, 26 Jun 2013 23:33:01 +0000 (16:33 -0700)]
mc: Don't remove libdir and split helpers into packages
It contains helper programs that are needed to make mc do the right actions
for the various file formats it understands.
The helpers are perl, python and shell scripts; split them out so the core
mc does not try to pull in perl and python. It will still run without these
helpers.
Martin Jansa [Tue, 23 Jul 2013 10:37:37 +0000 (12:37 +0200)]
weston: backport patch for libunwind configure option and disable it
* it's autodetected from sysroot and runtime dependency on libunwind isn't
deterministic
* master has weston 1.1.0 which already has this option and also explicitly
disables libunwind
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Martin Jansa [Mon, 22 Jul 2013 16:51:11 +0000 (18:51 +0200)]
gettext: disable nls when INHIBIT_DEFAULT_DEPS is set
* for example in gcc-runtime DEPENDS_GETTEXT from gettext.bbclass isn't
used because gcc-runtime recipes also set INHIBIT_DEFAULT_DEPS, so
explicitly disable NLS when DEPENDS_GETTEXT is empty
* this is causing a nondeterministic build
if you compare i586-oe-linux/libstdc++-v3/config.log in WORKDIR when building
gcc-runtime before and after building gettext-native you'll see that msgfmt
isn't found in one of them and gcc-runtime-locale-{de,fr} packages
aren't created, there is only one file in them:
gcc-runtime-locale-de/usr/share/locale/de/LC_MESSAGES/libstdc++.mo
Martin Jansa [Sun, 21 Jul 2013 13:37:07 +0000 (15:37 +0200)]
ltp: add acl, openssl dependency
* when it's not detected in sysroot it uses bundled version
* add explicit dependency to make it deterministic
* PACKAGECONFIG wasn't used because configure doesn't have an
option to select which one should be used
Martin Jansa [Sun, 21 Jul 2013 12:43:44 +0000 (14:43 +0200)]
ccache: add zlib dependency
* when it's not detected in sysroot it uses bundled version
* add explicit dependency to make it deterministic
* PACKAGECONFIG wasn't used because configure doesn't have an
option to select which one should be used
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Wed, 19 Jun 2013 15:20:50 +0000 (16:20 +0100)]
bdwgc-native: Add missing pkgconfig DEPENDS
This fixes configure errors like:
| configure.ac:70: error: possibly undefined macro: AC_MSG_ERROR
| If this token and others are legitimate, please use m4_pattern_allow.
| See the Autoconf documentation.
| configure.ac:358: error: possibly undefined macro: AS_IF
Reproduced with bitbake bdwgc-native pkgconfig-native -c clean; bitbake bdwgc-native
Mark Hatle [Fri, 24 May 2013 15:22:02 +0000 (15:22 +0000)]
libarchive: Fix build dependencies
Move to using the PACKAGECONFIG mechanism to select configure options and
dependencies. Without this the system will attempt to discover various
dependencies, and usually does so incorrectly.
We also ensure that the nativesdk version does not inherit any of the
DISTRO_FEATURES. We shouldn't need acl or xattr support for nativesdk.
Martin Jansa [Fri, 5 Jul 2013 01:05:22 +0000 (03:05 +0200)]
systemtap: inherit pkgconfig
* systemtap-native was failing with undefined AC_DEFINE
configure.ac:56: error: possibly undefined macro: AC_DEFINE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
Martin Jansa [Fri, 5 Jul 2013 00:49:54 +0000 (02:49 +0200)]
libpam: inherit pkgconfig
* missing dependency on pkgconfig-native was causing
PKG_CHECK_MODULES(DBUS, dbus-1) to stay unexpanded in the
configure script:
checking for dbm_store in -lndbm... no
libpam/1.1.6-r2/Linux-PAM-1.1.6/configure:
line 14217: syntax error near unexpected token `libtirpc,'
libpam/1.1.6-r2/Linux-PAM-1.1.6/configure:
line 14217: ` PKG_CHECK_MODULES(libtirpc, libtirpc,'
Configure failed. The contents of all config.log files follows to aid
debugging
Martin Jansa [Fri, 5 Jul 2013 00:43:17 +0000 (02:43 +0200)]
quota: inherit pkgconfig
* missing dependency on pkgconfig-native was causing
PKG_CHECK_MODULES(DBUS, dbus-1) to stay unexpanded in the
configure script:
checking for ext2fs_initialize in -lext2fs... yes
quota/4.01-r1/quota-tools/configure: line 3746: syntax error near unexpected token `DBUS,'
quota/4.01-r1/quota-tools/configure: line 3746: ` PKG_CHECK_MODULES(DBUS, dbus-1)'
Configure failed. The contents of all config.log files follows to aid debugging
Martin Jansa [Thu, 4 Jul 2013 08:14:48 +0000 (10:14 +0200)]
taglib: add missing dependency on zlib
* without target zlib it tries to use native one:
| /OE/sysroots/x86_64-linux/usr/lib/libz.so: could not read symbols: File in wrong format
| collect2: error: ld returned 1 exit status
| make[2]: *** [taglib/libtag.so.1.12.0] Error 1
Martin Jansa [Thu, 4 Jul 2013 08:01:24 +0000 (10:01 +0200)]
gst-plugins-bad: inherit gsettings
* do_configure fails without native glib-compile-schemas:
| checking for glib-compile-schemas... no
| configure: error: glib-compile-schemas not found.
Signed-off-by: Eric Nelson <eric.nelson@boundarydevices.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Kai Kang [Tue, 13 Aug 2013 09:57:49 +0000 (17:57 +0800)]
dpkg: fix include header caused compile error
Build dpkg-native on Fedora 19, it fails with:
/usr/include/c++/4.8.1/cstdlib: In function ‘long long int std::abs(long long int)’:
/usr/include/c++/4.8.1/cstdlib:174:20: error: declaration of C function ‘long long int std::abs(long long int)’ conflicts with
abs(long long __x) { return __builtin_llabs (__x); }
^
/usr/include/c++/4.8.1/cstdlib:166:3: error: previous declaration ‘long int std::abs(long int)’ here
abs(long __i) { return __builtin_labs(__i); }
^
That's because the header cstdlib is included in an 'extern "C"' block, which gcc
4.8 doesn't support. Fix it by moving the header file out of the 'extern "C"'
block.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Chen Qi [Fri, 9 Aug 2013 07:12:32 +0000 (15:12 +0800)]
grub_0.97: Fix to correctly ship files under /usr/lib
The grub_fix_for_automake-1.12.patch replaced pkglib with pkgdata to
make grub_0.97 build with automake-1.12. However, it forgot to set up
the pkgdatadir, thus causing grub_0.97 not shipping files under /usr/lib.
This in turn resulted in an unworkable grub.
This patch fixes this problem by setting up the pkgdatadir correctly.
Paul Eggleton [Wed, 14 Aug 2013 15:18:33 +0000 (16:18 +0100)]
classes/terminal: fix pseudo exiting when launching devshell
In dylan, since the entire bitbake process is run under pseudo,
LD_PRELOAD is set when we collect BB_ORIGENV and thus when we construct
the devshell environment from the latter, LD_PRELOAD is included.
However, for a fakeroot task we explicitly run the devshell under pseudo
(e.g. "pseudo /bin/bash"), and if LD_PRELOAD is set to preload
libpseudo.so when pseudo is run, it seems to exit immediately without
error. Since LD_PRELOAD shouldn't be exported anyway, exclude this from
the environment so it doesn't prevent running the shell.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Paul Eggleton [Thu, 1 Aug 2013 17:17:59 +0000 (18:17 +0100)]
grub: disable floating ncurses dependency for GPLv2 version
A dependency was being added on ncurses conditionally upon whether it
had been built first. Explicitly disable this dependency to stop this
from happening.
Note that grub 2.x does not need this same fix because there ncurses is only
used when building grub-emu, which is only built when the specified
target platform is "emu" which we do not use.
Paul Eggleton [Thu, 1 Aug 2013 17:17:16 +0000 (18:17 +0100)]
classes/sanity: check for suid root command evility
Some users have been found to have an unnamed third-party piece of
software installed which sets chmod, chown and mknod as suid root as
part of its installation process. This interferes with the operation of
pseudo and can result in files really being owned by root within the
build output, and therefore breaks the build, apart from being a
security issue. Check for this and bail out if it is found.
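The check described above, as an added example that is not the code from classes/sanity.bbclass: a POSIX sh routine that inspects the chmod, chown and mknod binaries found on PATH and reports any that are setuid root. The mode is taken from `stat -c %a` (Linux coreutils); the split into a pure `is_suid_root` predicate is an assumption made here so the decision logic can be exercised on constructed values.

```shell
# Added example, not the oe-core sanity class code. Setuid-root chmod/chown/mknod
# defeat pseudo's fakeroot emulation (files end up really owned by root in the
# build output) and are a security issue on the host in their own right.

# is_suid_root MODE OWNER -> success when MODE (octal string as printed by
# `stat -c %a`, e.g. 4755) has the setuid bit set and OWNER is root.
is_suid_root() {
    mode=$1
    owner=$2
    [ "$owner" = "root" ] || return 1
    # a four-digit mode whose leading digit has the 4 bit set (4,5,6,7) is setuid
    case $mode in
        4???|5???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# check_suid_root_cmds -> warns for each setuid-root chmod/chown/mknod on PATH;
# returns 1 if any was found (the build should bail out), 0 if the host is clean.
check_suid_root_cmds() {
    bad=0
    for cmd in chmod chown mknod; do
        path=$(command -v "$cmd" 2>/dev/null) || continue
        # follow symlinks (e.g. a busybox multi-call binary) to inspect the real file
        mode=$(stat -L -c %a "$path" 2>/dev/null) || continue
        owner=$(stat -L -c %U "$path" 2>/dev/null) || continue
        if is_suid_root "$mode" "$owner"; then
            printf 'ERROR: %s is setuid root (mode %s); this breaks pseudo and is a security issue\n' \
                "$path" "$mode" >&2
            bad=1
        fi
    done
    return $bad
}

if [ -z "${SUID_CHECK_NO_MAIN:-}" ]; then
    if check_suid_root_cmds; then
        echo "no setuid-root chmod/chown/mknod found"
    fi
fi
```

The predicate is deliberately strict about ownership: a setuid binary owned by an unprivileged user does not grant root and is not what the sanity check is looking for, whereas a setgid-only mode (2755) is reported as clean because it does not change the effective user id.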
This patch groups x11 dependent tools in a separate variable,
and when DISTRO_FEATURES does not contain x11, this group is
not included in the package RDEPENDS.
Ross Burton [Thu, 1 Aug 2013 10:07:36 +0000 (11:07 +0100)]
u-boot: state the MACHINE when skipping u-boot
If the user accidentally tries building u-boot on a machine that doesn't use u-boot
(such as qemuarm), the error message doesn't make it clear why u-boot was
skipped. To help, state the machine that was being built for again.
csl-versions.inc: instruct user to check local.conf
In case the compiler version cannot be extracted instruct user to check
that the toolchain supports MACHINE's architecture and that the latter
is set correctly in local.conf.
Peter Seebach [Fri, 26 Jul 2013 12:49:36 +0000 (07:49 -0500)]
pseudo: Always try to build 32-bit libpseudo when NO32LIBS is set to 0
This is for Yocto bug #4920. The NO32LIBS variable is intended to allow
the user to force the creation of a 32-bit libpseudo, for use with things
like prebuilt binary toolchains. Unfortunately, the tests for likely
compilability (stubs-32.h) were still present, so you would get silent
failures. And if you did cause it to try to build, the failures were not
particularly clearly explained.
So, we:
1. Emit at least a message during configuration saying we're only
building 64-bit, if we are.
2. Warn the user for at least one common case where we know builds
are likely to fail.
3. If NO32LIBS is 0, we try the compile for sure, and if it fails,
we've emitted at least some sort of message up near the top of the
compile output that tells you what might be wrong.