Commit Graph

18952 Commits

Author SHA1 Message Date
Harald Welte f77a9570d6 Revert "python-argparse: build also for nativesdk"
This reverts commit e48e48af48.

We do this with a bbappend from meta-telephony now
2017-02-10 17:03:23 +01:00
Harald Welte e48e48af48 python-argparse: build also for nativesdk
... some build scripts (like recent libosmocore) require python
argparse, so we want that to be part of the SDK.
2017-02-10 16:08:35 +01:00
Holger Hans Peter Freyther ab705eff27 openssl: Apply latest set of security fixes for OpenSSL
Apply patches from the openssl-1.0.1e-51.el7_2.4.src.rpm package
downloaded from the Oracle server.

* Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
- fix CVE-2016-0702 - side channel attack on modular exponentiation
- fix CVE-2016-0705 - double-free in DSA private key parsing
- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn

* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.3
- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement
- disable SSLv2 in the generic TLS method
2016-03-02 09:53:27 +01:00
Holger Hans Peter Freyther ceac7bd7b9 openssl: Apply patches from RHEL to address open CVEs
The patches were taken from openssl-1.0.1e-51.el7_2.2.src.rpm and
apply all CVEs that were not applied yet. Document which patches
were not applied. There should be another openssl version soon as
the next round of fixes was announced for the 1st of March.

After the upgrade "opkg update with https feeds" and "openvpn against
netport" were tested. They seem to work.

Fixes: SYS#2448
2016-02-27 17:14:08 +01:00
Holger Hans Peter Freyther 106e8cb85f package: Add hack to allow/help with the libosmocore split
Right now we have one "libosmocore" package but if we split it up
the libosmocore package will be renamed to libosmocore6 and then
even a RREPLACE_libosmocore = "libosmocore" will be replaced to
RREPLACE_libosmocore6 = "libosmocore6". Add a HACK to have a
certain start of a dependency not being replaced. This will be
used by the libosmocore upgrade.

We only need this in dora as for other distributions we start
with a fresh slate.

Related: SYS#217
2016-02-27 09:25:28 +01:00
Catalin Popeanga 6d8a902fdd bash: Fix-for-CVE-2014-6278
This vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278

(From OE-Core daisy rev: de596b5f31e837dcd2ce991245eb5548f12d72ae)

(From OE-Core rev: 1e155330f6cf132997b91a7cfdfe7de319410566)

Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:33:26 +01:00
Catalin Popeanga 731c201426 bash: Fix for CVE-2014-6277
Follow up bash42-049 to parse properly function definitions in the
values of environment variables, to not allow remote attackers to
execute arbitrary code or to cause a denial of service.

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277

(From OE-Core daisy rev: 85961bcf81650992259cebb0ef1f1c6cdef3fefa)

(From OE-Core rev: 5a802295d1f40af6f21dd3ed7e4549fe033f03a0)

Signed-off-by: Catalin Popeanga <Catalin.Popeanga@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:33:16 +01:00
Catalin Popeanga 38c91c440f bash: Fix for CVE-2014-7186 and CVE-2014-7187
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

(From OE-Core daisy rev: 153d1125659df9e5c09e35a58bd51be184cb13c1)

(From OE-Core rev: bdfe1e3770aeee9a1a7c65d4834f1a99820d3140)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:33:08 +01:00
Catalin Popeanga ca6bbc3f99 bash: Fix for exported function namespace change
This is a followup patch to incomplete CVE-2014-6271 fix code execution via
specially-crafted environment

This patch changes the encoding bash uses for exported functions to avoid
clashes with shell variables and to avoid depending only on an environment
variable's contents to determine whether or not to interpret it as a shell
function.

(From OE-Core daisy rev: 6c51cc96d03df26d1c10867633e7a10dfbec7c45)

(From OE-Core rev: af1f65b57dbfcaf5fc7c254dce80ac55f3a632cb)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:32:58 +01:00
Paul Eggleton 7aab9b0784 bash: add missing patch for CVE-2014-7169 to 4.2 recipe
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.

Patch from OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc
by Khem Raj <raj.khem@gmail.com>

(From OE-Core rev: a71680ec6e12c17159336dc34d904cb70155d0d7)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:32:49 +01:00
Paul Eggleton 2c4b5d0e9d bash: add missing patch for CVE-2014-6271 to 4.2 recipe
The bash_4.2 recipe was missed when the fix was backported to the dora
branch.

Patch based on the one from OE-Core master rev
798d833c9d4bd9ab287fa86b85b4d5f128170ed3 by Ross Burton
<ross.burton@intel.com>, with the content replaced from the
appropriate upstream patch.

(From OE-Core rev: 74d45affd5cda2e388d42db3322b4a0d5aff07e8)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:32:39 +01:00
Khem Raj e46f9d389a bash: Fix CVE-2014-7169
This is a followup patch to incomplete CVE-2014-6271 fix
code execution via specially-crafted environment

Change-Id: Ibb0a587ee6e09b8174e92d005356e822ad40d4ed
(From OE-Core master rev: 76a2d6b83472995edbe967aed80f0fcbb784b3fc)

(From OE-Core rev: 1c8f43767c7d78872d38652ea808f30ea825bbef)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:32:31 +01:00
Ross Burton 86e38661a6 bash: fix CVE-2014-6271
CVE-2014-6271 aka ShellShock.

"GNU Bash through 4.3 processes trailing strings after function definitions in
the values of environment variables, which allows remote attackers to execute
arbitrary code via a crafted environment."

(From OE-Core master rev: 798d833c9d4bd9ab287fa86b85b4d5f128170ed3)

(From OE-Core rev: 05eecceb4d2a5821cd0ca0164610e9e6d68bb22c)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:32:20 +01:00
Sona Sarmadi f5a41d8a6f openssl: Fix for CVE-2014-3568
Fix for no-ssl3 configuration option

This patch is a backport from OpenSSL_1.0.1j.

(From OE-Core rev: 97e7b7a96178cf32411309f3e9e3e3b138d2050b)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:22:24 +01:00
Sona Sarmadi 8d139f9e3b openssl: Fix for CVE-2014-3567
Fix for session tickets memory leak.

This patch is a backport from OpenSSL_1.0.1j.

(From OE-Core rev: 420a8dc7b84b03a9c0a56280132e15b6c9a8b4df)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:22:11 +01:00
Sona Sarmadi c9caf7dfd7 openssl: Fix for CVE-2014-3513
Fix for SRTP Memory Leak

This patch is a backport from OpenSSL_1.0.1j.

(From OE-Core rev: 6c19ca0d5aa6094aa2cfede821d63c008951cfb7)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:22:00 +01:00
Sona Sarmadi d75c7e8ab7 openssl: Fix for CVE-2014-3566
OpenSSL_1.0.1 SSLV3 POODLE VULNERABILITY (CVE-2014-3566)

This patch is a backport from OpenSSL_1.0.1j.

(From OE-Core rev: 47633059a8556c03c0eaff2dd310af87d33e2b28)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-27 14:21:49 +01:00
Holger Hans Peter Freyther 588357482d initramfs: Do not attempt to put files in /etc/opkg.
The /etc/opkg directory does not exist in the initramfs. Do not
install the feeds.
2014-08-21 13:30:23 +02:00
Holger Hans Peter Freyther e12cf92023 Merge remote-tracking branch 'upstream/dora' into dora 2014-07-30 17:21:49 +02:00
Khem Raj e72727500d binutils: Fix building nativesdk binutils with gcc 4.9
Patches explain the issue in detail but this is exposed
with gcc 4.9 in binutils 2.23.2

(From OE-Core rev: fc5c467b680fc5aef4b0f689e6988e17a9322ae0)

(From OE-Core rev: 4dfb8847ebf8aab90ad8888933468e2899c96998)

(From OE-Core rev: af347d3298e15552d502d5b2ce497bbda9705bc7)

(From OE-Core rev: 07a7228392ec5157616888cee1eb119f4adb39a7)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-27 08:37:49 +01:00
Richard Purdie dc743744d8 build-appliance-image: Update to dora head revision
(From OE-Core rev: 026d26e3b6c2f608cc03aa00fe1fb1ace9e070d8)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-08 16:27:53 +01:00
Richard Purdie 5d1f0c0160 build-appliance-image: Update to dora head revision
(From OE-Core rev: 2bfb8cbe773f6e496ed6192c94a74db1293d72eb)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-08 16:23:43 +01:00
Roy Li acb65ef18e opkg: putting the service files into PN
(From OE-Core rev: f0ec7f81c1951211f049c342fd6bd1cad424564a)

[YOCTO #6392]

(From OE-Core rev: b76a5dd195000d157034f1f0a9a35d4ba4680e60)

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-08 16:16:10 +01:00
Chen Qi c4a539c8c8 populate-extfs.sh: fix to handle special file names correctly
`debugfs' treats spaces and "" specially. So when we are dealing with
file names, great care should be taken to make sure that `debugfs'
recognizes file names correctly.

The basic solution here is:
1. Use quotation marks to handle spaces correctly.
2. Replace "xxx" with ""xxx"" so that debugfs knows that the quotation
   marks are parts of the file name.

[YOCTO #6503]

(From OE-Core rev: 24f17607e996c499c8f86eda0588d02af1e960b9)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-08 16:09:58 +01:00
Richard Purdie 845df01345 libtool-cross/native: Force usage of bash due to sstate inconsistencies
Scenario:
a) libtool script is built on system with bash as /bin/sh
b) machine B installs sstate from build a)
c) machine B has dash as /bin/sh

In this scenario, the script fails to work properly since its expecting
/bin/sh to have bash like syntax and it no longer does have it.

This patch forces the configure process to use /bin/bash, not /bin/sh
and hence allows the scripts to work correctly when used from sstate.

(From OE-Core rev: 24d5b449e5f4d91119f0d8e13c457618811aadfc)

(From OE-Core rev: 330c3085317a0b0981163ff5c41c54596e0d127d)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-03 14:56:45 +01:00
Henning Heinold 2e2a6d0c4e perf: split packging
* some fundamental perf commands can work
  without the dependency on perl, python or bash
  make them separate packages and RSUGGEST them

* bump PR

The patch was sponsored by sysmocom

(From OE-Core rev: a6f79561f7a2f6bc354d5ea8d84b836ac5c9b08f)

Signed-off-by: Henning Heinold <henning@itconsulting-heinold.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-03 13:47:22 +01:00
Henning Heinold a63f07c4ce perf: add slang to the dependencies
* TUI/GUI support was added in 2.6.35 based on libnewt
* since 3.10 slang replaced libnewt completly
* changing TUI_DEFINES is not necessary, because NO_NEWT is
  still respected with newer kernels
* add comment about the gui history to the recipe

The patch was sponsored by sysmocom

(From OE-Core rev: 104e317f1fe68244d31c72897df2e5c997ff502a)

Signed-off-by: Henning Heinold <henning@itconsulting-heinold.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-03 13:47:22 +01:00
Henning Heinold 19f3e362b3 perf: fix broken shell comparsion in do_install
The patch was sponsored by sysmocom

(From OE-Core rev: 7e38d8ad6f7f4c289975acdac5c4d254ff3df7e6)

Signed-off-by: Henning Heinold <henning@itconsulting-heinold.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-03 13:47:22 +01:00
Stéphane Cerveau 4a18e162d8 e2fsprogs: Fix populate-extfs.sh
Fix the use of command dirname on ubuntu 12.04.
dirname does not accept space in file name.

(From OE-Core rev: ab6bd289d51c3c44862b43241a99d3e4f3ff13c0)

Signed-off-by: Stéphane Cerveau <scerveau@connected-labs.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-07-03 13:47:22 +01:00
Khem Raj 7c3f509c06 prelink: Fix SRC_URI
The SHA we use it actually on cross_prelink branch
if you do not use yocto source mirrors then the fetch
for prelink on dora fails due to missing branch in SRC_URI

(From OE-Core rev: 13b57cab7cdd2bf967622ec5015478dc56938b8b)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-24 11:06:32 +01:00
Chen Qi 05f172c745 populate-extfs.sh: keep file timestamps
Fix populate-extfs.sh to keep file timestamps while generating the
ext file systems.

[YOCTO #6348]

(From OE-Core rev: f8c0359edc2ce740e13e874ea189770ff99d1525)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-24 11:05:31 +01:00
Mark Hatle 47afe5bcfa rpm: Fix rpm -V usage
[YOCTO #6309]

It appears a logic issue has caused rpm -V to no longer
verify the files on the filesystem match what was installed.

(From OE-Core master rev: 117862cd0eebf6887c2ea6cc353432caee2653aa)

(From OE-Core rev: 9f9bcad51381887819d58ffdde2e41307d342473)

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-24 11:05:31 +01:00
Jonathan Liu c60886f9f5 consolekit: fix console-kit-log-system-start.service startup
console-kit-log-system-start.service fails to to start if the
/var/log/ConsoleKit directory does not exist. Normally it is created
automatically but as we mount a tmpfs at /var/log, we need to add
a tmpfiles.d entry to create it.

(From OE-Core master rev: 2a9a14bf400fe0c263c58aa85b02aba7311b1328)

(From OE-Core rev: 305da37a4dc0fba2b8f3219cfae47a1d4228f244)

Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-24 11:05:31 +01:00
Chen Qi 3ceb90eacd populate-extfs.sh: error out if debugfs encounters some error
Previously, even if we encounter some error when populating the
ext filesystem, we don't error out and the rootfs process still
succeeds.

However, what's really expected is that the populate-extfs.sh script
should error out if something wrong happens when using `debugfs' to
generate the ext filesystem. For example, if there's not enough block
in the filesystem, and allocating a block for some file fails, the
failure should not be ignored. Otherwise, we will have a successful
build but a corrupted filesystem.

The debugfs returns 0 as long as the command is valid. That is, even
if the command fails, the debugfs still returns 0. That's really a
pain here. That's why this patch checks the error output to see whether
there's any error logged.

(From OE-Core rev: 468d3e60ee10348578f78f846e87c02359fdb8bf)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-24 11:04:18 +01:00
Chen Qi 8c346a66b5 populate-extfs.sh: fix to handle /var/lib/opkg/alternatives/[[ correctly
There was a patch trying to fix this problem by using 'dirname', but it
caused some build failures, thus got reverted.

The problem is that $DIR might be empty and we should first do the check
before trying to use $(dirname $DIR).

[YOCTO #5712]

(From OE-Core rev: 8277c71747758e2ba0815a6f5cd11c9e0c9c90ce)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-24 11:04:18 +01:00
Khem Raj 527868fbfc x264: Update SRCREV to match commit in upstream git repo
It seems that 585324fee380109acd9986388f857f413a60b896 is no
longer there in git and it has been rewritten to
ffc3ad4945da69f3caa2b40e4eed715a9a8d9526

Change-Id: I9ffe8bd9bcef0d2dc5e6f6d3a6e4317bada8f4be
(master rev: b193c7f251542aa76cb5a4d6dcb71d15b27005eb)

(From OE-Core rev: b7371b49b4b83c2e864126480b65363fe9f2cfd2)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Patrick Doyle <wpdster@gmail.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-17 18:00:07 +01:00
Yue Tao 381c6b8957 openssl: fix for CVE-2010-5298
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote
attackers to inject data across sessions or cause a denial of service
(use-after-free and parsing error) via an SSL connection in a
multithreaded environment.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298

(From OE-Core master rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b)

(From OE-Core rev: 3cc799213e6528fc9fb4a0c40a01a1817484f499)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10 17:12:24 +01:00
Paul Eggleton 8ac53f3c2d openssl: fix CVE-2014-3470
http://www.openssl.org/news/secadv_20140605.txt

Anonymous ECDH denial of service (CVE-2014-3470)

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a
denial of service attack.

(Patch borrowed from Fedora.)

(From OE-Core rev: fe4e278f1794dda2e1aded56360556fe933614ca)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10 17:12:24 +01:00
Paul Eggleton 0ea0a14bd9 openssl: fix CVE-2014-0224
http://www.openssl.org/news/secadv_20140605.txt

SSL/TLS MITM vulnerability (CVE-2014-0224)

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

(Patch borrowed from Fedora.)

(From OE-Core rev: f19dbbc864b12b0f87248d3199296b41a0dcd5b0)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10 17:12:24 +01:00
Paul Eggleton bd1a6f3d56 openssl: fix CVE-2014-0221
http://www.openssl.org/news/secadv_20140605.txt

DTLS recursion flaw (CVE-2014-0221)

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code
can be made to recurse eventually crashing in a DoS attack.

Only applications using OpenSSL as a DTLS client are affected.

(Patch borrowed from Fedora.)

(From OE-Core rev: 6506f8993c84b966642ef857bb15cf96eada32e8)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10 17:12:24 +01:00
Paul Eggleton d6f29c0154 openssl: use upstream fix for CVE-2014-0198
This replaces the fix for CVE-2014-0198 with one borrowed from Fedora,
which is the same as the patch which was actually applied upstream for
the issue, i.e.:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b107586c0c3447ea22dba8698ebbcd81bb29d48c

(From OE-Core rev: 21fa437a37dad14145b6c8c8c16c95f1b074e09c)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10 17:12:24 +01:00
Paul Eggleton c5d81c3386 openssl: fix CVE-2014-0195
http://www.openssl.org/news/secadv_20140605.txt

DTLS invalid fragment vulnerability (CVE-2014-0195)

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Only applications using OpenSSL as a DTLS client or server affected.

(Patch borrowed from Fedora.)

(From OE-Core rev: c707b3ea9e1fbff2c6a82670e4b1af2b4f53d5e2)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-10 17:12:23 +01:00
Valentin Popa ad2c79b0fd gnutls: patch for CVE-2014-3466 backported
Backported patch for CVE-2014-3466.
This patch is for dora.

(From OE-Core rev: 68da848e0f7f026bf18707d8d59143177ff66f9b)

Signed-off-by: Valentin Popa <valentin.popa@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-06 10:27:51 +01:00
Maxin B. John 1974599046 openssl: fix CVE-2014-0198
A null pointer dereference bug was discovered in do_ssl3_write().
An attacker could possibly use this to cause OpenSSL to crash, resulting
in a denial of service.

https://access.redhat.com/security/cve/CVE-2014-0198

(From OE-Core rev: 4c58fe468790822fe48e0a570779979c831d0f10)

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-05-21 09:32:55 +01:00
Saul Wold b626e109e8 build-appliance: Update to Dora 1.5.2
Fix to be HEAD of Dora, not master

(From OE-Core rev: abc158bf873bb7c01414e437eea2b538eb73881c)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-29 22:46:16 +01:00
Richard Purdie e34b38b723 build-appliance-image: Update to head revision
(From OE-Core rev: d18553830ed3377b40878df1b0bef4e8e109bec3)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-29 18:01:09 +01:00
Hongxu Jia e07904836a make: fix invoking makeinfo failed at do_install time
Reproduce steps:
$ bitbake texinfo-native
$ bitbake make
$ bitbake make -cdevshell
In the devshell:
root:make-3.82# echo "" >> doc/make.texi
root:make-3.82# ../temp/run.do_install

Failed Log:
...
tmp/work/i586-poky-linux/make/3.81-r1/make-3.81/doc/make.texi:8165: @itemx must follow @item
...

Backport from make 4.0 to fix this issue.

[YOCTO #6219]

(From OE-Core rev: b191d869e86c7d4393716eee6ac27aa259d6521c)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-29 17:31:47 +01:00
Valentin Popa c65c136746 mesa: double check for eglplatform.h
Even if 'egl' is in PACKAGECONFIG, mesa egl support
can be disabled explicitly (changing configure flags
using a .bbappend, for example).
On dora, meta-fsl-arm is an example of this kind.
On master there are no known cases, and we should
encourge package configuration through PACKAGECONFIG.

This patch adds another check for the existence
of eglplatform.h before 'sed' can alter it.

(From OE-Core rev: 97bc1bce9a226cc02db8a5afc2c0d4f4f70034a6)

Signed-off-by: Valentin Popa <valentin.popa@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-19 11:04:48 +01:00
Paul Eggleton 99f46fd25c openssl: bump PR
We don't normally do this, but with the recent CVE fixes (most
importantly the one for the serious CVE-2014-0160 vulnerability) I am
bumping PR explicitly to make it a bit more obvious that the patch has
been applied.

(From OE-Core rev: 813fa9ed5e492e5dc08155d23d74127ca87304df)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-11 18:15:34 +01:00
Richard Purdie e5cb267922 sstatesig: Anchor inherits class tests
This avoids a nasty sstate hash corruption issue where the
fact the testimage bbclass was inherited meant that the checksum
changed due to testimage.bbclass being confused with image.bbclass.

This patch anchors the bbclass names to avoid this confusion.

(From OE-Core master rev: 943a75a4f3b6877e4092dae14b59b7afef8cad3d)

(From OE-Core rev: 71b15a41652e280aca2a451073a83a25fb4e6f50)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-04-11 12:02:50 +01:00