The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote
attackers to cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted Postscript document that calls .sethalftone5 with an
empty operand stack.
Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because
of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c
during operations on a crafted JBIG2 file, leading to a denial of service (application
crash) or possibly execution of arbitrary code.
References:
https://nvd.nist.gov/vuln/detail/CVE-2016-8602https://nvd.nist.gov/vuln/detail/CVE-2017-7975
Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f5c7555c303http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e57e483298
(From OE-Core rev: 8f919c2df47ca93132f21160d919b6ee2207d9a6)
(From OE-Core rev: 6040b8735b79397bf49a2154f81e9aab34c15413)
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This vulnerability is also called "rpcbomb".
Backport upstream patch to fix this vulnerability.
CVE: CVE-2017-8779
(From OE-Core rev: 7936c9451eb4c376a78a0ac7461d1b2430c7f1f3)
(From OE-Core rev: bab6667d44df185b4433bcd1c283105966383844)
Signed-off-by: Fan Xin<fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When warning users about unpatched CVE, we'd better put CVE IDs into
the warning message, so that it would be more straight forward for the
user to know which CVEs are not patched.
So instead of:
WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log.
We should have:
WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log.
(From OE-Core rev: ad46069e7b58f2fba373131716f28407816fa1a6)
(From OE-Core rev: e0e1414a4574d4165a8dc5d0d9d0d5b5a660355f)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE checking in OE didn't work as do_populate_cve_db failed with the following
error message.
[snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent
Backport a patch to fix this error.
(From OE-Core rev: ee55b5685aaa4be92d6d51f8641a559d4e34ce64)
(From OE-Core rev: e0f0a7283c597e783b69aac2c8e8a7663b70262d)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The test_recipetool_create_github test fetches HEAD of the repository so
upstream changes can (and do) break the test. Avoid these problems by passing
the rev= argument in the URL to lock the checkout to the same version that is
fetched in the github_tarball test.
Also pass the commands to runCmd() as a list instead of a string, the semicolon
in the URL needs more quotes if the shell is involved and passing a list
bypasses the shell entirely.
(From OE-Core rev: 5f02b4300fb2ed54270aede54d30317ba757f587)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since recipe-specific sysroots were implemented, devtool add and devtool
upgrade operations that fetch from a URL that requires native sysroot
dependencies will fail to work as there is no recipe-specific sysroot
set up for them during fetching. An example was any URL pointing to a
tarball compressed with xz, e.g. devtool upgrade on gnutls.
The most expedient way to fix this is to set up a dummy recipe-specific
sysroot to use for the fetch/unpack operations. We do this in the same
manner as bitbake -b does, so we're just taking all of the sysroot
components available and creating a sysroot from those rather than
ensuring the correct dependencies are there - this means that we're
still going to have problems if e.g. xz-native hasn't been built yet,
but that issue will be trickier to solve and is tracked separately.
Fixes [YOCTO #11474].
(From OE-Core master rev: 559151e783759af78b5cdd76cdbb9ce325a391e6)
(From OE-Core rev: 9e7905c7bada1bafda661fc4a6177afeef0f5015)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Gna! project announced that the download site from gna.org HTTP server
will soon be closing down. We have verified that the site is no longer
accessible without network proxy cache. We need to update SRC_URI to
point to new alternative (nwl.cc HTTP server) in order to avoid fetcher
issues in future.
[YOCTO #11575]
(From OE-Core rev: 3195f7e68eb5cfb2af3506fe4b0dcb2f8cd9ee10)
Signed-off-by: Chang Rebecca Swee Fun <rebecca.swee.fun.chang@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A vulnerability was found in a way bash expands the $HOSTNAME.
Injecting the hostname with malicious code would cause it to run
each time bash expanded \h in the prompt string.
Porting patch from <https://ftp.gnu.org/gnu/bash/bash-4.3-patches/
bash43-047> to solve CVE-2016-0634
CVE: CVE-2016-0634
(From OE-Core rev: 7dd6aa1a4bf6e9fc8a1998cda6ac5397bb5cd5cb)
(From OE-Core rev: a4b37b05140b549960baef49237ce3316e84a041)
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In the limited dependency case we don't use any of the data from
BB_TASKDEPDATA. Restructure the code so this variable doesn't have
to be set. This allows the function to be called from other contexts
without creating artificial constructs. There should be no functional
change, behaviour remains unchanged.
(From OE-Core rev: 71e5243e3ebadb90b45fe418dac3eaa2c1b896bd)
(From OE-Core rev: e962e257f4c124869953d1fbb3da7dbf564f818a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The previous change to relocate HOSTTOOLS wasn't complete as some files,
particularly in gcc stashed build directories were not being correctly
relocated. This patch addresses the issue.
(From OE-Core rev: 21dd36cc12a033b012544c5d15a6f8afd84dabc9)
(From OE-Core rev: 64c2f8acd02e0e5dca234b36a2a7097c0c16f7c2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Both native and target versions of this file reference mkdir and install
in hosttools paths. Use the version from PATH instead.
(From OE-Core rev: 080197bf3bdf612da8104c2ae7f0b2c8dea32a0b)
(From OE-Core rev: 8e3134953edfc88bf3d135b5dc00d361f84b5f37)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently the file encodes full paths to various host tools in the
HOSTTOOLS directory which is bad in native and target cases. We can
simply use the versions from PATH quite safely in OE.
(From OE-Core rev: be901200d94beaa35e1d05eb502b117b3b523609)
(From OE-Core rev: 2a12c159aae9877a05e0ba023de278cdca59ac45)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Based on the same reason behind DEBIAN's switch from ftp:
https://www.debian.org/News/2017/20170425
(From OE-Core rev: ba119d836c0f4b20a39c92fa2e64abb0d5a55ad4)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
All public-facing debian.org FTP services will be shut down on November 1, 2017
The mirrors should just be accessed using HTTP instead.
https://www.debian.org/News/2017/20170425
Fixes [YOCTO #11413]
(From OE-Core rev: c2cdc4d9155d7a3b9cba60fa9cbb448cf64c62bd)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove recipe-specific-sysroot details from the preinst scripts
generated by useradd.bbclass.
This was added to match the default from bitbake.conf. Unlike the default
case, the dependencies used by useradd mean that a default passwd/group
file is always present. This means we don't need the native sysroot fallback.
Fixes [YOCTO #11460]
(From OE-Core rev: dfc9323c1cd7814989766be5bd1861fbaa739d2d)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The export of PSEUDO in useradd_sysroot() contains references to
${COMPONENTS_DIR}. These need to be handled when restoring
postinst-useradd-${PN} from the sstate cache.
(From OE-Core rev: 097875bc9ab9d60a452b01ac6825775983684d68)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The path to where to install and find the sysroot components is used
in many places. This warrants it to get its own variable.
(From OE-Core rev: 70a84b525470f72339568409daf84845904e4cab)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This scheme has changed due to recipe-specific sysroots making it
obsolete. Removed the entire section.
(From yocto-docs rev: c52a896829212863402e5532dd8fb7fe4c247fca)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The BB_SETSCENE_VERIFY_FUNCTION2 variable no longer exists. I removed
a link to the BB manual to this variable description, which no
longer exists. Also, removed a paragraph in the discussion around
setscene that talked about the variable.
(From yocto-docs rev: 1f8e3d53ee72c369cb1211332e074976737fd76b)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This should be "gdbserver" when referred to generically.
(From yocto-docs rev: 83b2be50e34b0c07cce1f27b55e595752b80b3ea)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These depend on context. In general, "DNF" is the preferred
terminology unless directly referring to an application or such.
(From yocto-docs rev: 29012a8f8e21b964e1ea6d32841dffa8dae7df9f)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Needed to add cross-links into the glossary for various variables.
(From yocto-docs rev: 45acf78a2f99e8fda91042c2bee30094255e5a10)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Entry added for HOSTTOOLS and HOSTTOOLS_NONFATAL.
(From yocto-docs rev: c766920a13071c1bb46a195ea07be38962d2e12d)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paths to host tools that have been copied to ${HOSTTOOLS_DIR} may end
up in the sstate cache. They thus need to be corrected when restoring
from the sstate cache.
(From OE-Core rev: f8671aecf05a286dd2b34b07bb5fbbe0c31e26d0)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The path to where to install and find the tools copied from the host
environment is already used in a couple of places. This warrants it to
get its own variable.
(From OE-Core rev: 8164c466943ffedff399009bf5547dba4f06d6c8)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11411]
To help clear up the importance of the naming convention a user
must follow when creating a nativesdk-myrecipe.bb recipe that
inherits the nativesdk class, I placed a warning note at the end
of the section for the "nativesdk.bbclass" section.
(From yocto-docs rev: e6dc512aaeb0267c2c15c17a599c6950728b4547)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11310]
Added the "iputils-ping" package to the list of essential host
packages.
(From yocto-docs rev: c6478419940405091d59312d22c45e3f32f9c94d)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11310]
Added this package to Ubuntu/Debina, Fedora, and OpenSUSE.
(From yocto-docs rev: e010d1abc083ed064c5340146bcac213286d973c)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Avoids parser errors if PACKAGE_ADD_METADATA_DEB is set to an
empty value.
(From OE-Core rev: f0959c0908dfb386d29f13fcd3e57b2b004c6c14)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In deb control files, each line of a long description starts with
a single space. Empty lines are represented by a single space
followed by a single full stop character.
(From OE-Core rev: f66278f471c0bf9421ce2c55a56a144a0f9332bf)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add bash to /etc/shells if busybox is built with bash applet anabled
to fix login via dropbear.
(From OE-Core rev: 86a2db0b2997fd05882ae0119ef45b1ea5411d39)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Audio playback in gtk-play is broken with vaapi because the
visualizations do not work: disable visualizations as workaround.
This should be reverted as soon as [YOCTO #11410] is fixed.
(From OE-Core rev: 1092a8d4bc78a53f60ad0137aeb08b31853db9eb)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier
and other products, does not offer a flag directly indicating that
the current document may be read but other files may not be opened,
which makes it easier for remote attackers to conduct XML External
Entity (XXE) attacks via a crafted document.
Reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9318
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0
(From OE-Core rev: 0dd44c00e3b2fbc3befc3f361624a3a60161d979)
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-6170: ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and
9.11.x through 9.11.0b1 allows primary DNS servers to cause a denial of
service (secondary DNS server crash) via a large AXFR response, and
possibly allows IXFR servers to cause a denial of service (IXFR client
crash) via a large IXFR response and allows remote authenticated users
to cause a denial of service (primary DNS server crash) via a large
UPDATE message.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2016-6170
Patch from:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f
(From OE-Core rev: 14abd767349bc868ca59838f1af3aaf17dfe4350)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-8864: named in ISC BIND 9.x before 9.9.9-P4, 9.10.x before
9.10.4-P4, and 9.11.x before 9.11.0-P1 allows remote attackers to cause
a denial of service (assertion failure and daemon exit) via a DNAME
record in the answer section of a response to a recursive query,
related to db.c and resolver.c.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2016-8864
Patch from:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8
(From OE-Core rev: c06f3a5993c7d63d91840c2a4d5b621e946ef78f)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Something in the fetched webpage made the default regex matching really slow.
(From OE-Core rev: e4d1100a84e28cb97438c18df6d9f98996a7d578)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
