Built in command "read" with "-e" use Readline to obtain the line
in an interactive shell. In this process, a string "rlbuf" is
just allocated without free operation thus cause memory leak.
This patch had been submitted to upstream:
http://lists.gnu.org/archive/html/bug-bash/2017-02/msg00061.html
(From OE-Core rev: a2b278a6eaa9e9b48d858e3be6712267c0122598)
(From OE-Core rev: 571e53024b4f924e50cf6a478ccc8d6f097816bb)
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fixup for 4.3
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The new flag doesn't work and the change even broke the XML_PARSE_NONET option.
(From OE-Core rev: 8b586f60778579ee2c9adae429128a07e8437553)
(From OE-Core rev: d2b1486bf8773d3eef36c5e77b82e70c88d9c682)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2017-12678: In TagLib 1.11.1, the rebuildAggregateFrames function in
id3v2framefactory.cpp has a pointer to cast vulnerability, which allows
remote attackers to cause a denial of service or possibly have
unspecified other impact via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-12678
Patch from:
eb9ded1206
(From OE-Core rev: 24ac12ecb19efc7c131c9711ba32e298ba860eb7)
(From OE-Core rev: bb90e08fbcbc7c60731aacdc4b82163507d9afdc)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Fix hardcoded path for ptest script which would cause failure on
mulitilib:
ls: cannot access '/usr/lib/e2fsprogs/ptest/test/[a-zA-Z]_*': No such file or directory
./test_script: line 54: /usr/lib/e2fsprogs/ptest/test/test_post: No such file or directory
* Add missing '$' for shell variable reference
(From OE-Core rev: 82d244a9225bd1fa512e696aae917febe051fcf9)
(From OE-Core rev: d2fc87e074ed41d265667383827c36ceb0302693)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The _asn1_check_identifier function in GNU Libtasn1 through 4.12 causes
a NULL pointer dereference and crash when reading crafted input that
triggers assignment of a NULL value within an asn1_node structure. It
may lead to a remote denial of service attack.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-10790http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;
h=d8d805e1f2e6799bb2dff4871a8598dc83088a39
(From OE-Core rev: 6176151625c971de031e14c97601ffd75a29772f)
(From OE-Core rev: 649f78102222ec156d490968c13d3222379a1956)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the patch to fix CVE-2017-8363:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8363
(From OE-Core rev: 9cc9956c5ed09f9016cb23bd763652e5ab55f3cd)
(From OE-Core rev: 201fa8f6a10469886db6d48c3a3e91712382e561)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the patch to fix CVE-2017-8362:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (invalid read and
application crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8362
(From OE-Core rev: 0c8da3f6f85962196f2ad54fffd839239f5c2274)
(From OE-Core rev: eec5e5ce04cfbd1e41e54be31afee72ecc9ec5dd)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
with minor changes
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the patch to fix two CVEs:
CVE-2017-8361:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a
crafted audio file.
CVE-2017-8365:
The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote
attackers to cause a denial of service (buffer over-read and application
crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8361https://nvd.nist.gov/vuln/detail/CVE-2017-8365
(From OE-Core rev: d92877ade8fd4dd9b548c6b664bf4357a1f9428a)
(From OE-Core rev: a23241c1e10c706754c19d7f69fe7c6cbac3732e)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2017-6508: CRLF injection vulnerability in the url_parse function in
url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary
HTTP headers via CRLF sequences in the host subcomponent of a URL.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2017-6508
Patch from:
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
(From OE-Core rev: 28404157e07a915d1445166df566c8838f2cce57)
(From OE-Core rev: 03fbdba18b767be95c5fa13d72b52c16f8a77b52)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport 3 patches to fix CVE-2017-10971:
In the X.Org X server before 2017-06-19, a user authenticated to an X
Session could crash or execute code in the context of the X Server by
exploiting a stack overflow in the endianness conversion of X Events.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-10971
(From OE-Core rev: 20428f660f2c046c63bbf63c4e4af95dac9f2b3d)
(From OE-Core rev: 8c42a9508bded870d1ac018e2cfa129772983c52)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2017-9226 : check too big code point value for single byte
CVE-2017-9227 : access to invalid address by reg->dmin value
CVE-2017-9228 : invalid state(CCS_VALUE) in parse_char_class()
CVE-2017-9229 : access to invalid address by reg->dmax value
(From OE-Core rev: f15f01edbaa431829a50053d07ed6d6b333584c7)
(From OE-Core rev: 4077e088b6e750c4143a59c5d89258ab682ed96b)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use DATA_ENSURE(1) before access.
(From OE-Core rev: 9db907a0bd331c47c4882b82f9f1d2a7ef1f6d1f)
(From OE-Core rev: 7ba25f0d8d95ece5f5d56ace5b1e9c8c797efbc0)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixed up to get to apply
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getrandom() is only available in glibc 2.25+ and uninative may relocate
binaries onto systems that don't have this function. For now, force
the code to the older codepath until we can come up with a better solution
for this kind of issue.
(From OE-Core rev: da9ac8092497c3f2c246d3534f47e42cb2d9e4e8)
(From OE-Core rev: 450942db7f4638eba7ec262901fe1d7e1b1f6070)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This fixes compile failures of qemu-native with new versions of glibc. Patch
is taken from upstream.
(From OE-Core rev: 9c54510632d22c12850962572ce7276170ce5488)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getentropy/random() is only available in glibc 2.25+ and uninative may relocate
binaries onto systems that don't have this function. For now, force the code to
the older codepaths until we can come up with a better solution for this kind of
issue.
(From OE-Core rev: 92bda0024d85ae78345665cc2f9646c9881ed61b)
(From OE-Core rev: ee006aac0a52709cf5524aeb17a92b8c5c44be34)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Updated two instances of "sysroot-components" to
"sysroots-components".
(From yocto-docs rev: 8f95d9ccd958c46ce5f3f4c7eb95424bee958a9e)
Signed-off-by: Kristi Rifenbark <kristi.rifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I was cherry-picking in commits from master to pyro and had a
conflict that I did not go far enough to the bottom of the
file to see the true nature, which was duplication of the
"Yocto Project Terms" section. When I resolved the conflit
I just took out the top couple lines and actually left the
duplicated terms section in. Then I pushed everthing. I should
have made the manuals first and I would have discovered the
error.
This commit fixes it.
(From yocto-docs rev: 0a9a7303fc048b59e5328a9855f8615a042ab411)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This section failed to mention the "yocto-layer create" script,
which is a simple way to create a layer. I have added this info
into the section by way of a "Tip" box.
(From yocto-docs rev: 0bda177090ef624890e94a13e622e05923185fa9)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replaced "recipe_work_directory" with "${WORKDIR}"
throughout the section.
(From yocto-docs rev: 79911f48d469f95ec026fe60585d1b4983e9c1c6)
Signed-off-by: Kristi Rifenbark <kristi.rifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Updated text for sysroot terminology, and clarity.
Fixed a capitalization error.
(From yocto-docs rev: 2ee92ccf677135ea47d621d3583a16649e5a9f13)
Signed-off-by: Kristi Rifenbark <kristi.rifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I did some rewriting for clarity in the "Using .bbappend Files
in Your Layer" section. The section needed to be retitled so
focus on the layer aspect of .bbappend files. Also, while I
was in there, I did more work on the prose in general.
Also had to fix some links in the bsp, kernel, and ref manuals
that linked into the section whose name I changes.
(From yocto-docs rev: 27003c525a05ffa2f810a038c7c8f96bb7535986)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I updated the wording to note that the steps are how to create
a layer without the aid of steps (i.e. by hand).
(From yocto-docs rev: 71956e7a2ef383c72baf3a12d2067ff04bb58ead)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
During the transition to dnf and rpm4, the functionality to
automatically make RPM determine dependencies was lost.
Before the transition, an OE specific tool called rpmdeps-oecore had
been added to the rpm suit. It was based on the rpmdeps tool that is
part of rpm. For each file specified on its command line, it would
output the provides and requires that RPM could determine.
During the transition to rpm4, rpmdeps-oecore was replaced with the
standard rpmdeps. However, what no one noticed was that unless rpmdeps
is given options, e.g., -P or -R, to tell it what it should output, it
will not output anything. Thus, it would do all the work to determine
the requirements, but would keep silent about it. And since no output
from rpmdeps is expected unless there are requirements, there were no
warnings indicating that everything was not working as expected.
Porting the old rpmdeps-oecore to work with rpm4 is not really
possible since it relied on being able to access internals of RPM that
are no longer available. However, it turned out that rpmdeps had a
debug option, --rpmfcdebug, that would output exactly the information
that we need, albeit in a different format and to stderr. To make this
usable, rpmdeps has now received a new option, --alldeps, which sends
the information we need to stdout.
Since enabling this may cause packages to break, it is required that
ENABLE_RPM_FILEDEPS_FOR_PYRO is set to "1" to activate it for Pyro.
The name of this variable has been chosen as to indicate that it only
affects Pyro (since releases before and after Pyro has it enabled by
default).
(From OE-Core rev: 1009498f23ad319825c00ba60a4693d15aada553)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Fixes:
ERROR: nativesdk-libcheck-0.10.0-r0 do_package_qa: QA Issue:
/usr/local/oecore-x86_64/sysroots/x86_64-oesdk-linux/usr/bin/checkmk
contained in package nativesdk-libcheck requires
/usr/local/oecore-x86_64/sysroots/x86_64-oesdk-linux/usr/bin/gawk,
but no providers found in RDEPENDS_nativesdk-libcheck? [file-rdeps]
(From OE-Core rev: 04e11808e6a22adfa367dd2565b20cb9ecdd6439)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When rpmdeps files a perl script, it attempts to determine what it provides
and what it requires. Often the requires are incorrect, within the context
of Wind River Linux. This results in an error that DNF is unable to install
a package due to one or more unresolved dependencies.
In RPM5 we had disabled this behavior, the alternative is to require that all
perl scripts be 'complete', in that they only require things they absolutely
need and that OE provides. If we ever enforce that, this commit can be
reverted. Until they fall back to prior behavior (which also matches ipkg
and deb style packages.)
(From OE-Core rev: bd8e5dc3ebabb3d88169e2f848219ca201fa5fdb)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since LTP includes a set of test cases, we need to skip file dependency
generation, as there will be dependencies that can not be satisfied. In this
case a csh and ksh dependency come from two tests.
The alternative would be to depend on csh/ksh (a bad idea as they're not
available in oe-core) or remove the tests (but this eliminates the tests if
someone DOES have csh/ksh in their configurations.)
(From OE-Core rev: 873ad32191816f89d085906635297eb17d9fc0f6)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The scripts currently reference "python33", fix this so they reference
python3. The move the python3 likely broke these.
(From OE-Core rev: 37a40fead443e211f0947d9d9bf2180d95630485)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Filter out any file dependencies on absolute paths and any
dependencies on Perl modules for nativesdk packages. It is assumed
that they will be provided by the native host if needed, and they mess
up the dependency handling if they are present.
(From OE-Core rev: 37f2d4df507c760ea4c12b67526db8277e5684eb)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These git commands require Perl modules that do not exist in OE-Core.
Add PACKAGECONFIGs to enable them. Be aware though that if you enable
them you must also provide the missing dependencies.
(From OE-Core rev: a803938407ee5a55fb40a6940bb6680ba21909b0)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Also modify a Python script (pythondistdeps.py) to use Python 3.
(From OE-Core rev: 18116c1490e6ef09ad5046db7f90dbcbe4caf595)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The perl-ptest package contains Perl internal modules and generating
file dependencies for it causes problems.
(From OE-Core rev: a36cf8e53122c32ef8a91759cd49d294483c6bde)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>