init-install-efi.sh: Avoid /mnt/mtab creation if already present
The base-files recipe installs /mnt/mtab (it is a softlink of /proc/mounts),
so if an image includes the latter, there is no new to created it again inside
the install-efi.sh script, otherwise an error may occur as indicated on the
bug's site.
Armin Kuster [Sun, 28 Feb 2016 18:53:35 +0000 (10:53 -0800)]
glibc: CVE-2015-8776
it was found that out-of-range time values passed to the strftime function may
cause it to crash, leading to a denial of service, or potentially disclosure
information.
Armin Kuster [Sun, 28 Feb 2016 18:53:34 +0000 (10:53 -0800)]
glibc: CVE-2015-9761
A stack overflow vulnerability was found in nan* functions that could cause
applications which process long strings with the nan function to crash or,
potentially, execute arbitrary code.
Armin Kuster [Sun, 28 Feb 2016 18:53:33 +0000 (10:53 -0800)]
glibc: CVE-2015-8779
A stack overflow vulnerability in the catopen function was found, causing
applications which pass long strings to the catopen function to crash or,
potentially execute arbitrary code.
Armin Kuster [Sun, 28 Feb 2016 18:53:32 +0000 (10:53 -0800)]
glibc: CVE-2015-8777
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or
libc6) before 2.23 allows local users to bypass a pointer-guarding protection
mechanism via a zero value of the LD_POINTER_GUARD environment variable.
Sona Sarmadi [Mon, 21 Dec 2015 11:35:20 +0000 (12:35 +0100)]
bind: CVE-2015-8000
Fixes a denial of service in BIND.
An error in the parsing of incoming responses allows some
records with an incorrect class to be accepted by BIND
instead of being rejected as malformed. This can trigger
a REQUIRE assertion failure when those records are subsequently
cached.
Tudor Florea [Mon, 14 Dec 2015 12:24:10 +0000 (13:24 +0100)]
unzip: CVE-2015-7696, CVE-2015-7697
CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with password
CVE-2015-7697: Fixes a denial of service with a file that never finishes unzipping
Martin Jansa [Thu, 26 Nov 2015 12:55:17 +0000 (13:55 +0100)]
linux-dtb.inc: drop unused DTB_NAME variable from do_install
* this is causing do_install to depend on KERNEL_IMAGE_BASE_NAME which
in some cases contains something like BUILD_NUMBER from CI, that
caused do_install to be reexecuted every single time, which is very
sad to be caused by unused variable.
* jethro and newer don't need this change, because it's also fixed in
commit 86b3f29f93e3f87903668ea317c6bd97be4cdf62
Author: Marek Vasut <marex@denx.de>
Date: Thu May 14 14:31:11 2015 +0200
Subject: kernel: Build DTBs early
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Martin Jansa [Fri, 4 Dec 2015 18:44:23 +0000 (19:44 +0100)]
texinfo: don't create dependency on INHERIT variable
* we don't want the do_package signature depending on INHERIT variable
* e.g. just adding the own-mirrors causes texinfo to rebuild:
# bitbake-diffsigs BUILD/sstate-diff/*/*/texinfo/*do_package.sig*
basehash changed from 015df2fd8e396cc1e15622dbac843301 to 9f1d06c4f238c70a99ccb6d8da348b6a
Variable INHERIT value changed from
' rm_work blacklist blacklist report-error ${PACKAGE_CLASSES} ${USER_CLASSES} ${INHERIT_DISTRO} ${INHERIT_BLACKLIST} sanity'
to
' rm_work own-mirrors blacklist blacklist report-error ${PACKAGE_CLASSES} ${USER_CLASSES} ${INHERIT_DISTRO} ${INHERIT_BLACKLIST} sanity'
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Mike Crowe [Thu, 29 Oct 2015 12:28:21 +0000 (12:28 +0000)]
allarch: Force TARGET_*FLAGS variable values
TARGET_CPPFLAGS, TARGET_CFLAGS, TARGET_CPPFLAGS and TARGET_LDFLAGS may
differ between MACHINEs. Since they are exported they affect task hashes
even if unused which leads to multiple variants of allarch packages
existing in sstate and bouncing in the sysroot when switching between
MACHINEs.
allarch packages shouldn't be using these variables anyway, so let's
ensure they have a fixed value in order to avoid this problem.
Chen Qi [Wed, 4 Feb 2015 07:11:32 +0000 (15:11 +0800)]
image.bbclass: don't let do_rootfs depend on BUILDNAME
BUILDNAME is set by cooker as a string of current time. Letting do_rootfs
task depend on this variable gets us no benefit. Besides, letting do_rootfs
task depend on this variable will cause us trouble when executing
`bitbake -S none core-image-minimal'. With current code, this command
gives us error complaining about the different bashhash of do_rootfs task.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Martin Jansa [Thu, 3 Sep 2015 20:21:53 +0000 (22:21 +0200)]
fontcache: allow to pass extra parameters and environment to fc-cache
* this can be useful for passing extra parameters, pass
-v by default to see what's going on in do_rootfs
* we need to use this for extra parameter we implemented
in fontconfig:
--ignore-mtime always use cache file regardless of font directory mtime
because the checksum of fontcache generated in do_rootfs
doesn't match with /usr/share/fonts directory as seen on
target device causing fontconfig to re-create the cache
when fontconfig is used for first time or worse create
new cache in every user's home directory when /usr/
filesystem is read only and cache cannot be updated.
Running FC_DEBUG=16 fc-cache -v on such device shows:
FcCacheTimeValid dir "/usr/share/fonts" cache checksum 1441207803 dir checksum 1441206149
* my guess is that the checksum is different, because pseudo
(which is unloaded when running qemuwrapper) or because some
influence of running the rootfs under qemu.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support
CVE-2015-6564 (medium) openssh: Use-after-free bug related to PAM support
CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable
Add check_libattr.patch to version 3.1.0 recipe, which checks
and includes libattr to linker, otherwise rsync may fail to build
with linker error below (as -lattr option gets omitted):
[..]
lib/sysxattrs.o: undefined reference to symbol 'llistxattr@@ATTR_1.0'
[..]/lib/libattr.so.1: error adding symbols: DSO missing from command line
Ross Burton [Tue, 29 Sep 2015 11:45:59 +0000 (13:45 +0200)]
sstate: run recipe-provided hooks outside of ${B}
To avoid races between the sstate tasks/hooks using ${B} as the cwd, and other
tasks such as cmake_do_configure which deletes and re-creates ${B}, ensure that
all sstate hooks are run in the right directory, and run the prefunc/postfunc in WORKDIR.
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oprofileui uses gettext during the configuration task so should be inherit
gettext. This issue appears when an older version of gettext is used do to
pinning to the older non-gplv3 version.
Martin Jansa [Fri, 4 Sep 2015 12:22:27 +0000 (14:22 +0200)]
postinst_intercept: allow to pass variables with spaces
* trying to pass foo="a b" through postinst_intercept ends
with the actual script header to containing:
b
foo=a
which fails because "b" command doesn't exist.
base.bbclass: Note when including pn with INCOMPATIBLE_LICENSES
We need to be able to tell people if we WHITELIST a recipe
that contains an incompatible licese.
Example: If we set WHITELIST_GPL-3.0 ?= "foo", foo will end
up on an image even if GPL-3.0 is incompatible. This is the
correct behaviour but there is nothing telling people that it
is even happening.
Robert Yang [Fri, 18 Sep 2015 12:15:20 +0000 (14:15 +0200)]
autotools.bbclass: mkdir ${B} -> mkdir -p ${B}
${B} is the default cwd of tasks, so there might be race issues such as:
| mkdir: cannot create directory `${B}': File exists
[snip]
NOTE: recipe perf-1.0-r9: task do_configure: Failed
Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Robert Yang [Fri, 18 Sep 2015 12:15:19 +0000 (14:15 +0200)]
perf: mkdir ${B} -> mkdir -p ${B}
${B} is the default cwd of tasks, so there might be race issues such as:
| mkdir: cannot create directory `/path/to/work/qemux86-poky-linux/perf/1.0-r9/perf-1.0/': File exists
[snip]
NOTE: recipe perf-1.0-r9: task do_configure: Failed
Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yi Zhao [Wed, 31 Dec 2014 02:59:42 +0000 (10:59 +0800)]
oeqa/selftest: fix test_incremental_image_generation for changes in log output
test_incremental_image_generation case failed because the log output
chanaged:
FAIL: test_incremental_image_generation (oeqa.selftest.buildoptions.ImageOptionsTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File
"/buildarea3/yzhao1/poky-build/meta/lib/oeqa/utils/decorators.py", line 90, in wrapped_f
return func(*args)
File
"/buildarea3/yzhao1/poky-build/meta/lib/oeqa/selftest/buildoptions.py", line 25, in test_incremental_image_generation
self.assertEqual(0, res.status, msg="No match for openssh-sshd in log.do_rootfs")
AssertionError: 0 != 1 : No match for openssh-sshd in log.do_rootfs
----------------------------------------------------------------------
1) it prevented logging to the task log from working within bitbake
-c testimage. This is due to the logger object being set up too early
which interferes with BitBake's own logging. If we prefix the name
with "BitBake." everything works (and we don't need to set the
logging level).
2) Additionally because it called the log functions on the logging
module and not the logger object it set up, this caused the
oe-selftest logging to start printing everything from that point
forward.
Fix these two issues and return us to the desired behaviour for
do_testimage.
Martin Jansa [Mon, 24 Aug 2015 17:12:18 +0000 (12:12 -0500)]
license.bbclass: fix unexpected operator for LICENSE values with space
* add quotes around pkged_lic so that it works correctly with spaces
* fixes following error:
run.license_create_manifest.50601: 193: [: GPLv2: unexpected operator
Otavio Salvador [Thu, 6 Aug 2015 15:26:40 +0000 (12:26 -0300)]
Merge remote-tracking branch 'oe/dizzy' into pending
* oe/dizzy: (36 commits)
dpkg: Fix tarfix.patch
dpkg: Fix for Fedora22 and new versions of tar
oeqa/bbtests: Fix to ensure DL_DIR is set
oeqa/bbtests: Fix race over DL_DIR and SSTATE_DIR
subversion: Fix subversion-native on Fedora22
subversion: Add -P to CPPFLAGS
cross-localedef-native: Use older C standards for older code
grub: Backport const qualifier fix for gcc-5
binutils: fix native builds when host has gcc5
ncurses: fix native builds when host has gcc5
libxml2: Security Advisory - libxml2 - CVE-2015-1819
rpm: Fix CVE-2013-6435
rpm: Fix CVE-2014-8118
unzip: drop 12-cve-2014-9636-test-compr-eb.patch
linux-firmware: Package Marvell pci8897 and usb8897 firmware
dbus: CVE-2015-0245: prevent forged ActivationFailure
unzip: fix four CVE defects
unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315
test-dependencies.sh: strip only .bb suffix
mesa: update --with-llvm-shared-libs configure option
...
Richard Purdie [Mon, 13 Jul 2015 11:04:52 +0000 (12:04 +0100)]
dpkg: Fix for Fedora22 and new versions of tar
They managed to 'break' tar. Again. Sorry, they fixed a regression
which broke dpkg-deb.
The addition of:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=163e96a0e619a900eab6de827c7c5749ecc9d3f2
("Bugfix: entries read from the -T file did not get proper matching_flag.")
means that the no-recursion option gets lost. This leads to many files getting included
multiple times, along with files which shouldn't be there.
The commit message is horrendous. The patch actually makes the option positional
(as documnted since 2003) and therefore doesn't affect the input from the -T option.
Moving the --no-reursion option to earlier in the command avoids the bug.
The bug was not present in tar 1.28 however it has been backported in at least
Fedora 22 and heading into Fedora 21.
Redhat reports of issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1230762 [tar]
https://bugzilla.redhat.com/show_bug.cgi?id=1241508 [dpkg]
Discussion of bug in upstream tar:
http://www.mail-archive.com/bug-tar@gnu.org/msg04799.html
Richard Purdie [Tue, 7 Jul 2015 12:22:15 +0000 (13:22 +0100)]
oeqa/bbtests: Fix race over DL_DIR and SSTATE_DIR
Running "-c cleanall" on shared DL_DIR and SSTATE_DIR is antisocial.
It leads to hard to debug races where we wonder why files disappear
and reappear from those directories.
Fix this by using a specific set of directories for these tests. This
avoids a long standing bug on the autobuilder where aspell and man
sources would disappear.
we need to stop the preprocessor from generating the #line directives
or we run into issues like
| checking for apr_int64_t Python/C API format string...
| configure: error: failed to recognize APR_INT64_T_FMT on this platform
| Configure failed. The contents of all config.log files follows to aid
debugging
| ERROR: oe_runconf failed
Rightly subversion should be fixed but lets leave that to subversion
folks
Richard Purdie [Sat, 25 Jul 2015 23:19:08 +0000 (23:19 +0000)]
cross-localedef-native: Use older C standards for older code
This older code needs specific compiler options to allow it to work
with gcc 5. These options are used in the 2.21 recipe in master/fido
so this simply backports them.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
unzip 6.0 allows remote attackers to cause a denial of service
(out-of-bounds read or write and crash) via an extra field with
an uncompressed size smaller than the compressed field size in a
zip archive that advertises STORED method compression.
Buffer overflow in the charset_to_intern function in unix/unix.c in
Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code
via a crafted string, as demonstrated by converting a string from CP866
to UTF-8.
Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Martin Jansa [Tue, 17 Feb 2015 13:41:06 +0000 (14:41 +0100)]
test-dependencies.sh: strip only .bb suffix
* we were stripping too much when stripping recipe name from line like this:
ERROR: Task 12016 (/some/patch/something.dot.bar.bb, do_fetch) failed with exit code '1'
where the recipe name contains dots and doesn't end with _<version>.bb
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Martin Jansa [Tue, 28 Apr 2015 22:46:18 +0000 (00:46 +0200)]
e2fsprogs: install populate-extfs.sh
* install populate-extfs.sh from contrib, be aware that in order
to use it you need to set DEBUGFS shell variable, otherwise it will
try to use debugfs from relative path which is almost always
incorrect:
CONTRIB_DIR=$(dirname $(readlink -f $0))
DEBUGFS="$CONTRIB_DIR/../debugfs/debugfs"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Conflicts:
meta/recipes-support/gpgme/gpgme_1.4.3.bb
A buffer overflow flaw was found in the way glibc's gethostbyname_r() and
other related functions computed the size of a buffer when passed a
misaligned buffer as input. An attacker able to make an application call
any of these functions with a misaligned buffer could use this flaw to
crash the application or, potentially, execute arbitrary code with the
permissions of the user running the application.
Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Conflicts:
meta/recipes-devtools/qemu/qemu_2.1.0.bb
Buffer overflow in the rc_mksid function in plugins/radius/util.c in
Paul's PPP Package (ppp) 2.4.6 and earlier, when the PID for pppd is
greater than 65535, allows remote attackers to cause a denial of
service (crash) via a start accounting message to the RADIUS server.
oe-core is using ppp 2.4.7, and this CVE say ppp 2.4.7 was not
effected, but I found this buggy codes are same between 2.4.6 and
2.4.7, and 2.4.7 should have this issue.
Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Jonathan Liu <net147@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Conflicts:
meta/recipes-qt/qt4/qt4-4.8.6.inc
Robert Yang [Thu, 4 Jun 2015 11:37:41 +0000 (13:37 +0200)]
license.bbclass: set dirs for do_populate_lic_setscene
Fixed:
ERROR: Build of do_populate_lic failed
ERROR: Traceback (most recent call last):
File "bitbake/lib/bb/build.py", line 497, in exec_task
return _exec_task(fn, task, d, quieterr)
File "bitbake/lib/bb/build.py", line 437, in _exec_task
exec_func(func, localdata)
File "bitbake/lib/bb/build.py", line 212, in exec_func
exec_func_python(func, d, runfile, cwd=adir)
File "/home/nxadm/nx/ala-blade44.1/builds-2015-03-09-163005/qemuppc_world_oe_bp/bitbake/lib/bb/build.py", line 237, in exec_func_python
os.chdir(cwd)
OSError: [Errno 2] No such file or directory: 'bitbake_build/tmp/work/ppc7400-wrs-linux/taglib/1.9.1-r0/build'
When running setscene, the cwd is $B which maybe removed by
autotools.bbclass or cmake.bbclass when rebuild.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster@smtp.gmail.com>
Egypt will not observe DST in 2015 and will consider canceling it
permanently. For now, assume no DST indefinitely.
(Thanks to Ahmed Nazmy and Tim Parenti.)
Changes affecting past time stamps
America/Whitehorse switched from UTC-9 to UTC-8 on 1967-05-28, not
1966-07-01. Also, Yukon's time zone history is documented better.
(Thanks to Brian Inglis and Dennis Ferguson.)
Change affecting past and future time zone abbreviations
The abbreviations for Hawaii-Aleutian standard and daylight times
have been changed from HAST/HADT to HST/HDT, as per US Government
Printing Office style. This affects only America/Adak since 1983,
as America/Honolulu was already using the new style.
Otavio Salvador [Fri, 15 May 2015 21:31:04 +0000 (18:31 -0300)]
Merge remote-tracking branch 'ossystems/dizzy' into pending
* ossystems/dizzy: (39 commits)
split_and_strip_files: regroup hardlinks to make build deterministic
meta/lib/oe/package.py: fix files ownership in packages
init-install-efi.sh: fix gummiboot entry installation
busybox: unbreak tar of uncompressed files
fontcache: allow to pass different fontconfig cache dir
postinst-intercepts/update_font_cache: fix ownership of fontconfig cache
pulseaudio: use stricter PACKAGES_DYNAMIC
valgrind: enable building on 4.x kernel
build-appliance-image: Update to dizzy head revision
dpkg: Fix patch to adjust for older code
build-appliance-image: Update to dizzy head revision
gcc-target: Don't install target gcc libdir files
initscripts: Remove /etc/volatile.cache on upgrade
base-files: Check for /run and /var/lock softlinks on upgrade
dpkg-native: Avoid 'file changed' errors from tar
files/toolchain-shar-template.sh: fix replace target_sdk_dir twice in environment setup file
gcc-runtime: Remove libgfortran data from receipe
fontcache.bbclass: prepend to PACKAGEFUNCS instead of appending
libunwind: backport patch to link against libgcc_s intead of libgcc
autotools: Avoid find race for S = "${WORKDIR}"
...
Created separate group of hardlinks for the files inside
the same package. This should prevent stripped files to be
populated outside of package directories.
This turns out not to be straightforward and has overlap with the
other hardlink handling code in this area. The code is condensed
into a more concise and documented form.
Fabrice Coulon [Thu, 14 May 2015 18:01:40 +0000 (19:01 +0100)]
meta/lib/oe/package.py: fix files ownership in packages
This fix solves the problem with the ownership of files in packages.
The do_install task was producing correct and expected output but when
the files were being put in, e.g. a rpm package, the ownership could
be different than that in the do_install task.
After selecting the "install" gummiboot option of a Live image we are
seeing boot failure resulting from the gummiboot entries not being
installed correctly. This seems to be a problem in this init-install-efi.sh
script where it incorrectly installs the gummiboot entries into the root
filesystem, not the boot partition. We fix it by installing the entries in
the boot partition.
Jonathan Liu [Tue, 21 Apr 2015 10:53:02 +0000 (12:53 +0200)]
postinst-intercepts/update_font_cache: fix ownership of fontconfig cache
The file ownership of the cache files in /var/cache/fontconfig needs to
be set to root:root otherwise it inherits the user and group id of the
build user.
[YOCTO #7411]
Signed-off-by: Jonathan Liu <net147@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
