Commit Graph

2284 Commits

Author SHA1 Message Date
Zhang Xiao 08f8bf817b bash: memleak bug fix for builtin command read
Built-in command "read" with "-e" uses Readline to obtain the line
in an interactive shell. In this process, a string "rlbuf" is
just allocated without a free operation, thus causing a memory leak.

This patch had been submitted to upstream:
http://lists.gnu.org/archive/html/bug-bash/2017-02/msg00061.html

(From OE-Core rev: a2b278a6eaa9e9b48d858e3be6712267c0122598)

(From OE-Core rev: 571e53024b4f924e50cf6a478ccc8d6f097816bb)

Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
fixup for 4.3
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-09-11 22:15:59 +01:00
Joe Slater e6533d1d9e ghostscript: CVE-2017-9727, -9835, -11714
CVE-2017-9727: make bounds check in gx_ttfReader__Read more robust
CVE-2017-9835: bounds check the array allocations methods
CVE-2017-11714: prevent trying to reloc a freed object

(From OE-Core rev: 2eae91f9fa1cfdd3f0e6111956c8f193fd0db69f)

(From OE-Core rev: 1c9e3318791e36d6bc851192a7640ee639f61f23)

Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-09-11 22:15:58 +01:00
Joe Slater bbb081544c ghostscript: fix several CVEs by adding bounds checking
CVE-2017-9611
CVE-2017-9612
CVE-2017-9739
CVE-2017-9726

(From OE-Core rev: 3e5d80c84f4c141bc3f3193d1db899b0e56993cf)

(From OE-Core rev: 7fe1e9d46954f082af4debfa63cd982558dbf965)

Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-09-11 22:15:58 +01:00
Yi Zhao 108f9a2666 wget: Security fix CVE-2017-6508
CVE-2017-6508: CRLF injection vulnerability in the url_parse function in
url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary
HTTP headers via CRLF sequences in the host subcomponent of a URL.

External References:
https://nvd.nist.gov/vuln/detail/CVE-2017-6508

Patch from:
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4

(From OE-Core rev: 28404157e07a915d1445166df566c8838f2cce57)

(From OE-Core rev: 03fbdba18b767be95c5fa13d72b52c16f8a77b52)

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-09-11 22:15:58 +01:00
Mark Hatle 371f480aeb ltp: Skip the filedependency scan
Since LTP includes a set of test cases, we need to skip file dependency
generation, as there will be dependencies that can not be satisfied.  In this
case a csh and ksh dependency come from two tests.

The alternative would be to depend on csh/ksh (a bad idea as they're not
available in oe-core) or remove the tests (but this eliminates the tests if
someone DOES have csh/ksh in their configurations.)

(From OE-Core rev: 873ad32191816f89d085906635297eb17d9fc0f6)

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-31 17:57:12 +01:00
Andre McCurdy ddb3a2f485 lsof: update SRC_URI
Upstream lsof releases are hosted on an ftp server which times out
download attempts from hosts for which it can not perform a DNS
reverse-lookup. See:

  https://people.freebsd.org/~abe/

http://www.mirrorservice.org seems to be the most commonly used
alternative (and using it for SRC_URI allows the custom
UPSTREAM_CHECK_URI to be removed).

(From OE-Core rev: bb14b19f2c63f88f5da372a6ad4a153da1fc0232)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 4e718242c1554021689a7946add055b22b81ec42)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-29 11:57:28 +01:00
Andre McCurdy 01429e2a64 lsof: minor recipe cleanup
- Add HOMEPAGE
- Remove ${S} from LIC_FILES_CHKSUM path
- Use tabs consistently to indent do_configure()
- Re-order LIC_FILES_CHKSUM definition to follow OE style guide

(From OE-Core rev: 29f02bca78d7ded464e10d414a111c074d3de242)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 78701c5b873605240226c502de3b940097433596)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-29 11:57:28 +01:00
Kai Kang a58b021b75 lsof: clear setuid
Having 'lsof' as a +s (setuid) binary could lead to security issues if
a compromise in the binary is found.  It is better that it be -s by
default as a precaution.

(From OE-Core rev: 6cf2891fe1526570c4e3eb8d78dc4d914d2d2079)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 346c65dd6855106069d1861ca965d3121eb084d1)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-29 11:57:28 +01:00
Mikko Rapeli be8fbfb22e quota_4.03.bb: set CVE_PRODUCT to linux_diskquota
It is used in NVD for CVE's like:

https://nvd.nist.gov/vuln/detail/CVE-2012-3417

(From OE-Core rev: cc9cca186fd1d4a7f2cb02484303ebb9f889c130)

Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 07be7cb9405e4a6289edad8afb3a50c1f8651620)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-08-29 11:57:28 +01:00
Khem Raj 8a08f866fc iptables: Apply 0001-fix-build-with-musl.patch unconditionally
This patch is generic enough that it can be applied universally
and makes maintenance easier

(From OE-Core rev: 2df99a0cddf60944ee9e5065d693cea03f5e93b3)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit f769b8389091b4ffaff8f6f8fc7e53462ce176a5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-27 22:36:44 +01:00
Enrico Scholz 0ee0a238fd tzcode-native: quote ${CC}
build fails else with

| + make -j 8 -l 6 cc=ccache gcc
| make: *** No rule to make target 'gcc'.  Stop.

(From OE-Core rev: fdd3479879f83fcb0e706b3b5b1abf0e9cb789a3)

Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 5729c1563359e12ebb4451bb1ce7ba3fff4ed2d4)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-27 22:36:44 +01:00
Peter Kjellerstedt e099cb6c35 texi2html: Add a dependency on perl
(From OE-Core rev: c391547e95b1854960b90d93fd9f80f02f761e61)

(From OE-Core rev: dedba20c149798a6b45957b5abd29d18164581b2)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-27 22:36:44 +01:00
Jan Kiszka bed0997f11 tzdata: Install zone1970.tab
The modern version of zone.tab is required by tzselect e.g.

(From OE-Core rev: de467998ecfa5fa1d2e9dd43a4a3d828cf9ccade)

(From OE-Core rev: c92a783a2d42a6248fc0b982889a9cdc53e6ccd3)

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-07-27 22:36:44 +01:00
Catalin Enache 30a1a8e448 ghostscript: CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2017-9216
Ghostscript before 9.21 might allow remote attackers to bypass the SAFER
mode protection mechanism and consequently read arbitrary files via the
use of the .libfile operator in a crafted postscript document.

Use-after-free vulnerability in Ghostscript 9.20 might allow remote
attackers to execute arbitrary code via vectors related to a reference
leak in .setdevice.

Ghostscript before 9.21 might allow remote attackers to bypass the SAFER
mode protection mechanism and consequently execute arbitrary code by
leveraging type confusion in .initialize_dsc_parser.

libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscript,
has a NULL pointer dereference in the jbig2_huffman_get function in
jbig2_huffman.c. For example, the jbig2dec utility will
crash (segmentation fault) when parsing an invalid file.

References:
https://nvd.nist.gov/vuln/detail/CVE-2016-7977
https://nvd.nist.gov/vuln/detail/CVE-2016-7978
https://nvd.nist.gov/vuln/detail/CVE-2016-7979
https://nvd.nist.gov/vuln/detail/CVE-2017-9216

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=8abd22010eb4db0fb1b10e430d5f5d83e015ef70
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=6f749c0c44e7b9e09737b9f29edf29925a34f0cf
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=875a0095f37626a721c7ff57d606a0f95af03913
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3ebffb1d96ba0cacec23016eccb4047dab365853

(From OE-Core rev: 584dfa2f780d5785aaff01f84fbabc18b3478d76)

(From OE-Core rev: 6fed7cd6077c46ad2213226d4675fad9b10ab024)

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-05 23:30:22 +01:00
Catalin Enache 31e9be1981 ghostscript: CVE-2016-8602, CVE-2017-7975
The .sethalftone5 function in psi/zht2.c in Ghostscript before 9.21 allows remote
attackers to cause a denial of service (application crash) or possibly execute
arbitrary code via a crafted Postscript document that calls .sethalftone5 with an
empty operand stack.

Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds writes because
of an integer overflow in the jbig2_build_huffman_table function in jbig2_huffman.c
during operations on a crafted JBIG2 file, leading to a denial of service (application
crash) or possibly execution of arbitrary code.

References:
https://nvd.nist.gov/vuln/detail/CVE-2016-8602
https://nvd.nist.gov/vuln/detail/CVE-2017-7975

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=f5c7555c303
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e57e483298

(From OE-Core rev: 8f919c2df47ca93132f21160d919b6ee2207d9a6)

(From OE-Core rev: 6040b8735b79397bf49a2154f81e9aab34c15413)

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-05 23:30:21 +01:00
Fan Xin c2c48f2645 rpcbind: Fix CVE-2017-8779
This vulnerability is also called "rpcbomb".
Backport upstream patch to fix this vulnerability.

CVE: CVE-2017-8779

(From OE-Core rev: 7936c9451eb4c376a78a0ac7461d1b2430c7f1f3)

(From OE-Core rev: bab6667d44df185b4433bcd1c283105966383844)

Signed-off-by: Fan Xin<fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-05 23:30:21 +01:00
Zhixiong Chi e5aa1ac236 bash: CVE-2016-0634
A vulnerability was found in the way bash expands the $HOSTNAME.
Injecting the hostname with malicious code would cause it to run
each time bash expanded \h in the prompt string.

Porting patch from <https://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-047>
to solve CVE-2016-0634

CVE: CVE-2016-0634

(From OE-Core rev: 7dd6aa1a4bf6e9fc8a1998cda6ac5397bb5cd5cb)

(From OE-Core rev: a4b37b05140b549960baef49237ce3316e84a041)

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-05-18 13:17:44 +01:00
Catalin Enache 5970acb3fe ghostscript : CVE-2016-10219, CVE-2016-10220, CVE-2017-5951
The intersect function in base/gxfill.c in Artifex Software, Inc. Ghostscript
9.20 allows remote attackers to cause a denial of service (divide-by-zero
error and application crash) via a crafted file.

The gs_makewordimagedevice function in base/gsdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file that is
mishandled in the PDF Transparency module.

The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via a crafted file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10219
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5951

Upstream patches:
http://git.ghostscript.com/?p=ghostpdl.git;h=4bef1a1d32e29b68855616020dbff574b9cda08f
http://git.ghostscript.com/?p=ghostpdl.git;h=daf85701dab05f17e924a48a81edc9195b4a04e8
http://git.ghostscript.com/?p=ghostpdl.git;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8

(From OE-Core rev: 6679a4d4379f6f18554ed0042546cce94d5d0b19)

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-29 11:17:23 +01:00
Alexander Kanavin 913adc49bd acpica: fix upstream version check
(From OE-Core rev: a5d5a244717259c15145c65e0f44e37544afe8ee)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-29 11:17:23 +01:00
Dengke Du 495c395bb4 lsbtest: add option --ignoreos to rpm install command
After change to the rpm4, the rpm packages in lsbtest, such as:

    lsb-setup-4.1.0-1.noarch.rpm
    lsb-dist-checker-5.0.0.1-1.x86_64.rpm
    ......
    lsb-cmdchk-5.0.3-1.x86_64.rpm

When installing the above rpm packages, the error log appears:

    package lsb-setup-4.1.0-1.noarch is intended for a different operating system
    ......

So we should add option "--ignoreos" to the rpm install command in LSB_Test.sh
in ./meta/recipes-extended/lsb/lsbtest directory. In this way we can make sure
the correct installation of those rpm packages.

The YOCTO bug #11224 didn't create logs, this is because the above test rpm
packages didn't install.

[YOCTO #11224]

(From OE-Core rev: db2798d967dbffed834070b52fe778efa18cb4ae)

Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-29 11:17:23 +01:00
Ross Burton 4f462ee588 Revert "logrotate: set downloadfilename"
Sadly this breaks previous OE releases as it means the source mirror contains a
tarball with the same name but different checksums as was previously available.

This reverts commit 99c6e89db1.

(From OE-Core rev: eb4fee616287ae731f7af52e0fe5fc81f2eea2c0)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-21 08:22:08 +01:00
Jackie Huang d31eead2af ltp: fix an incorrect macro checking
The previous patch added a check but incorrectly
changed the elif to if, then it always returns 0
for cpuid if the machine is not __i386__

getcpu01    1  TFAIL  :  getcpu01.c:140: getcpu() returned wrong value expected cpuid:7, returned value cpuid: 0

After this fix:
getcpu01    1  TPASS  :  getcpu() returned proper cpuid:7, node id:0

(From OE-Core rev: ca798705b3b8fa9b2f6467970e9bda9d9433986c)

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-19 10:18:43 +01:00
Robert Yang 99c6e89db1 logrotate: set downloadfilename
Otherwise, the filename is r3-9-1.tar.gz which isn't straightforward.

(From OE-Core rev: b0e5c8f6a5041010347f6b70e39e41886829d928)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-19 10:18:43 +01:00
Ross Burton b6353f5c43 unzip: add missing CVE headers to patches
(From OE-Core rev: de7ff341d18f46d68abeabcb53ba07d012090c15)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-14 09:47:08 +01:00
Robert Yang 1593f5de8a grep: do_configure: fix "Argument list too long"
Fixed when len(TMPDIR) = 410:
aclocal: error: cannot open echo 'm4_define [snip]' configure.ac |: Argument list too long'

This is because it has a lot of m4 files; using relative paths for them
can fix the problem.

(From OE-Core rev: 081974e75cc0cfa0a1a1bb01cd9f9cbc585b7692)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-14 09:47:08 +01:00
Maxin B. John a9f119382b ed: update SRC_URI to yoctoproject mirror
Upstream has removed the 1.14.1 release from ftp.gnu.org and
moved to the latest 1.14.2. Since we don't want to upgrade at
this point of time, temporarily move the SRC_URI to yoctoproject
mirror.

(From OE-Core rev: a2f1026b3d8c9f9810cb4389a8a93fabb04e15a4)

Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-12 15:09:58 +01:00
Alexander Kanavin 40bf913a72 libsolv: correctly attribute musl fixing patches
Also, they were previously squashed into a single patch; restore
the original two-patch arrangement.

As requested here:
http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135460.html

(From OE-Core rev: 378b333fb09d106fb04901f5a4362fc0eb076e82)

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-11 18:10:18 +01:00
Choong YinThong e1eea200b8 logrotate: replace fedorahosted.org SRC_URI with github.com source
fedorahosted.org was retired on March 1st, 2017. This is to
update the SRC_URI to point to github.com.
Update the ${PN} to ${BPN} in order to pass the autobuilder
multilib enable configuration.

[YOCTO #11226]

(From OE-Core rev: 73a358bdef99771b493fefb5114a936138cb78ce)

Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-11 18:10:17 +01:00
Robert Yang 7b0a757413 mc: replace "perl -w" with "use warnings"
The shebang's max length is usually 128 as defined in
/usr/include/linux/binfmts.h:
  #define BINPRM_BUF_SIZE 128

There would be errors when @PERL@ (hostools/perl) is longer than 128;
using '/usr/bin/env perl' can fix the problem, but '/usr/bin/env perl -w'
doesn't work:

/usr/bin/env: perl -w: No such file or directory

So replace "perl -w" with "use warnings" to make it work.

(From OE-Core rev: 85decf26fe580acdf072baf561418bf73b7bfca4)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-10 23:00:43 +01:00
Robert Yang 9356d02da0 groff: replace "perl -w" with "use warnings"
The shebang's max length is usually 128 as defined in
/usr/include/linux/binfmts.h:
  #define BINPRM_BUF_SIZE 128

There would be errors when @PERL@ (hostools/perl) is longer than 128;
using '/usr/bin/env perl' can fix the problem, but '/usr/bin/env perl -w'
doesn't work:

/usr/bin/env: perl -w: No such file or directory

So replace "perl -w" with "use warnings" to make it work.

(From OE-Core rev: f3408bcf9d2710b07f5825683931e28571de130c)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-10 23:00:43 +01:00
Catalin Enache 6df3fde8e9 ghostscript: CVE-2017-7207
The mem_get_bits_rectangle function in Artifex Software, Inc.
Ghostscript 9.20 allows remote attackers to cause a denial
of service (NULL pointer dereference) via a crafted PostScript
document.

Reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7207

Upstream patch:
http://git.ghostscript.com/?p=ghostpdl.git;h=309eca4e0a31ea70dcc844812691439312dad091

(From OE-Core rev: 0f22a27c2abd2f2dd9119681f139dd85dcb6479d)

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-10 23:00:42 +01:00
Jussi Kukkonen a99bb57bba net-tools: Fix build with USE_NLS="no"
The configuration change was already done for -native but
we really want it when USE_NLS is set.

Fixes [YOCTO #11285].

(From OE-Core rev: 95d6910bb5d9331adb7a693fcb4f7b1271c68cc6)

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-05 23:22:13 +01:00
Paul Barker 6e5176cf90 ethtool: Switch to download mirror
The md5sum & sha256sum for ethtool-4.8.tar.gz have changed upstream :(

(From OE-Core rev: bb3a0bef3b7e012ba7ce6d31d0470d43e7a21077)

Signed-off-by: Paul Barker <pbarker@toganlabs.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-05 23:22:13 +01:00
Choong YinThong 934dc65f06 chkconfig: replace fedorahosted.org SRC_URI with github.com source
fedorahosted.org was retired on March 1st, 2017. This is to update
the SRC_URI to point to github.com.

[YOCTO #11226]

(From OE-Core rev: 0fb5427937576fe46d463b9c9953d0bcdc1f256a)

Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-05 23:22:12 +01:00
Choong YinThong 2ca7644603 cronie: replace fedorahosted.org SRC_URI with github.com source
fedorahosted.org was retired on March 1st, 2017. This is to
update the SRC_URI to point to github.com.

[YOCTO #11226]

(From OE-Core rev: b0703175ed650d89870309e4065cda917199ac93)

Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-05 23:22:12 +01:00
Choong YinThong b0cf9311c2 libnewt: replace fedorahosted.org SRC_URI with pagure.io source
fedorahosted.org was retired on March 1st, 2017. This is to
update the SRC_URI to point to pagure.io. pagure.io is a
replacement for fedorahosted.

[YOCTO #11226]

(From OE-Core rev: b85905bc8b845c9da7d2a086ea239ec00d5142e3)

Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-05 23:22:12 +01:00
Choong YinThong f8a538c533 libuser: replace fedorahosted.org SRC_URI with pagure.io source
fedorahosted.org was retired on March 1st, 2017. This is to
update the SRC_URI to point to pagure.io. pagure.io is a
replacement for fedorahosted.

[YOCTO #11226]

(From OE-Core rev: bbe3cde5fc2102fd84ba065ed14f2732bcd0d420)

Signed-off-by: Choong YinThong <yin.thong.choong@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-05 23:22:12 +01:00
Peter Kjellerstedt 0324617782 lsb: Create ${base_prefix}/lib64 correctly when needed
There were two remaining cases that could end up creating /lib64
rather than ${base_prefix}/lib64. The difference matters when building
with usrmerge.

(From OE-Core rev: b791f13286c8c58ce1f3fa3745ffdd5bd5ff1d02)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-01 08:14:58 +01:00
Peter Kjellerstedt 3041659c43 lsb: Avoid using double slashes in paths
Use ${D}${var} rather than ${D}/${var} for variables where ${var}
contains an absolute path.

(From OE-Core rev: 2799eda9f373b430ad64c8b61f8047abce7f1e22)

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-01 08:14:58 +01:00
Patrick Ohly 271b06d8b9 net-tools: enable native and nativesdk variant
net-tools-native is needed by swtpm-wrappers (in meta-security)
because swtpm_setup.sh calls netstat, which cannot be assumed to be
present in all Linux installations (for example, it is not in OpenSUSE
minimal base).

(From OE-Core rev: 508163bef169cf0d9aa97e73c02d1ecc68480e91)

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-31 10:10:29 +01:00
Kai Kang 794f9c9777 mdadm: update criteria to build with corosync
mdadm only works with corosync 2.x which provides header file corosync/cmap.h.
If mdadm is built with corosync 1.x, it fails with:

| member.c:12:27: fatal error: corosync/cmap.h: No such file or directory
|  #include <corosync/cmap.h>
|                            ^

Build with corosync only when the header file corosync/cmap.h exists.

Ref:
https://github.com/neilbrown/mdadm/blob/master/mdadm.h#L63

(From OE-Core rev: b2a785f19fe25d244179b8672c846925da6d455a)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-27 08:15:07 +01:00
Armin Kuster d51913264f tzdata: update to 2017b
(From OE-Core rev: 07aee884efee75568b4a7b7d6bbfe3255ed65ef5)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-27 08:15:06 +01:00
Armin Kuster 33f311b00a tzcode: update to 2017b
Briefly: Haiti has resumed DST.

  Changes to past and future time stamps

    Haiti resumed observance of DST in 2017.  (Thanks to Steffen Thorsen.)

  Changes to past time stamps

    Liberia changed from -004430 to +00 on 1972-01-07, not 1972-05-01.

    Use "MMT" to abbreviate Liberia's time zone before 1972, as "-004430"
    is one byte over the POSIX limit.  (Problem reported by Derick Rethans.)

(From OE-Core rev: 70ff7cfa8a7ffb537da19aeca026032bab55a00d)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-27 08:15:06 +01:00
Khem Raj 63bdd90acc acpitests: Point Makefile CC to use OE synthesized CC
Default CC is same as used here, there is no need to
duplicate it, as a plus it helps in compiling acpitests with
non-gcc cross compilers

(From OE-Core rev: e23601390833fe93d58ca61a7158458dfdbd6fac)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-22 11:35:21 +00:00
Khem Raj 938d077ca5 ltp: Fix __sighandler_t for mips
mips definition of kernel_sigaction was added later
and the patch did not apply to mips part which ended
in ltp failing to compile on mips parts

In file included from rt_sigaction01.c:42:0:
../../../../include/lapi/rt_sigaction.h:39:2: error: unknown type name '__sighandler_t'
  __sighandler_t k_sa_handler;
  ^~~~~~~~~~~~~~

(From OE-Core rev: 74f4dcfd447fb528ab230e67e3f7ab37e8f93898)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-22 11:35:20 +00:00
Amarnath Valluri 87c2bef1b9 lsb: Make use of appropriate bitbake variables.
Using bitbake environment variables in place of hardcoded strings makes this
recipe portable to all environments.

(From OE-Core rev: 61135e4134b7e0b42b57a87a9a30c32002cb1067)

Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-22 11:35:20 +00:00
Amarnath Valluri 63b62e5d80 mdadm: Avoid using hardcoded sbin path
Use appropriate bitbake variable in place of hardcoded sbin path in Makefile

(From OE-Core rev: 9e01148176341916b1fcfebe46d70b75b42777d5)

Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-22 11:35:20 +00:00
Amarnath Valluri 89c41301f0 net-tools: Place package content as per bitbake environment.
net-tools Makefile was hardcoded sbin, bin installation paths to /bin and /sbin
respectively.  This change moves the installed files to appropriate location as
per configured bitbake environment.

This might be solved in a much better way by patching the Makefile, but that causes
build issues, as the net-tools recipe is using pre-generated config.{h/status}.

(From OE-Core rev: 8be0740f8cc8d909a8983b499f200b99261124c4)

Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-22 11:35:20 +00:00
Amarnath Valluri d582e406ba mktemp: Move installed files only when needed
Move binary(ies) only when ${base_bindir} != ${bindir}.

When usrmerge is enabled they both can point to same location.

(From OE-Core rev: 3a571f24b183ba0bb0795b9df2b2c9bad331d715)

Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-22 11:35:20 +00:00
Amarnath Valluri 6a2e06e5d4 util-linux,shadow: Make 'nologin' alternative command
Both shadow and util-linux packages provide a 'nologin' binary in ${base_sbindir}
and ${sbindir} respectively; this leads to a conflict when the 'usrmerge' feature is
enabled, where ${sbindir} == ${base_sbindir}. Hence, handle this with the alternative
system to resolve the conflict.

(From OE-Core rev: 07d6d0fb4dc689008bb0022d7d2ecc890c9159e5)

Signed-off-by: Amarnath Valluri <amarnath.valluri@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-03-22 11:35:20 +00:00