Backport the patch to fix CVE-2017-8363:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (heap-based buffer
over-read and application crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8363
(From OE-Core rev: 9cc9956c5ed09f9016cb23bd763652e5ab55f3cd)
(From OE-Core rev: 201fa8f6a10469886db6d48c3a3e91712382e561)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the patch to fix CVE-2017-8362:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (invalid read and
application crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8362
(From OE-Core rev: 0c8da3f6f85962196f2ad54fffd839239f5c2274)
(From OE-Core rev: eec5e5ce04cfbd1e41e54be31afee72ecc9ec5dd)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
with minor changes
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the patch to fix two CVEs:
CVE-2017-8361:
The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows
remote attackers to cause a denial of service (buffer overflow and
application crash) or possibly have unspecified other impact via a
crafted audio file.
CVE-2017-8365:
The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote
attackers to cause a denial of service (buffer over-read and application
crash) via a crafted audio file.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-8361
https://nvd.nist.gov/vuln/detail/CVE-2017-8365
(From OE-Core rev: d92877ade8fd4dd9b548c6b664bf4357a1f9428a)
(From OE-Core rev: a23241c1e10c706754c19d7f69fe7c6cbac3732e)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2017-6508: CRLF injection vulnerability in the url_parse function in
url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary
HTTP headers via CRLF sequences in the host subcomponent of a URL.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2017-6508
Patch from:
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
(From OE-Core rev: 28404157e07a915d1445166df566c8838f2cce57)
(From OE-Core rev: 03fbdba18b767be95c5fa13d72b52c16f8a77b52)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
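An added example (not wget's code and not from the commit above) of the input check the CVE-2017-6508 fix describes: a URL's host subcomponent must not carry CR or LF, either raw or percent-encoded, before it is placed into an HTTP request. The helper names (`host_subcomponent`, `host_is_safe`) and the sample URLs are constructed for this illustration, and it assumes the host is percent-decoded before use, so the decoded form is checked as well.

```python
from urllib.parse import unquote

# Hypothetical helper, not wget's url_parse(). Assumption: the host is
# percent-decoded before it is written into a Host header, so the check
# runs on both the raw and the decoded value.


def host_subcomponent(url):
    """Return the raw host subcomponent of an absolute URL, or None."""
    sep = url.find("://")
    if sep == -1:
        return None
    start = sep + 3
    end = len(url)
    for i in range(start, len(url)):
        if url[i] in "/?#":  # end of the authority section
            end = i
            break
    authority = url[start:end]
    # Strip userinfo ("user:pw@").
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]
    # IPv6 literal: keep the bracketed form, drop any port.
    if authority.startswith("["):
        close = authority.find("]")
        return authority[:close + 1] if close != -1 else authority
    # Drop the port.
    return authority.split(":", 1)[0]


def host_is_safe(url):
    """True when the host contains no CR or LF, raw or percent-encoded."""
    host = host_subcomponent(url)
    if not host:
        return False
    for candidate in (host, unquote(host)):
        if "\r" in candidate or "\n" in candidate:
            return False
    return True


# Constructed sample URLs with the expected verdict (not from the advisory).
SAMPLES = [
    ("http://example.com/index.html", True),
    ("http://user:pw@[::1]:8080/", True),
    ("http://example.com%0d%0aX-Injected:%201/", False),
    ("http://example.com\r\nX-Injected: 1/", False),
    ("not a url", False),
]


def check_samples():
    """Return True when every sample gets its expected verdict."""
    return all(host_is_safe(url) == expected for url, expected in SAMPLES)


if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(repr(url), host_is_safe(url), "(expected", expected, ")")
```

The host is extracted from the raw string on purpose: `urllib.parse.urlsplit` in Python 3.9.5 and later silently removes ASCII tab, CR and LF from a URL before parsing, so a validator built on its output would never see the characters it is supposed to reject.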
Backport 3 patches to fix CVE-2017-10971:
In the X.Org X server before 2017-06-19, a user authenticated to an X
Session could crash or execute code in the context of the X Server by
exploiting a stack overflow in the endianness conversion of X Events.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-10971
(From OE-Core rev: 20428f660f2c046c63bbf63c4e4af95dac9f2b3d)
(From OE-Core rev: 8c42a9508bded870d1ac018e2cfa129772983c52)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2017-9226: check too big code point value for single byte
CVE-2017-9227: access to invalid address by reg->dmin value
CVE-2017-9228: invalid state (CCS_VALUE) in parse_char_class()
CVE-2017-9229: access to invalid address by reg->dmax value
(From OE-Core rev: f15f01edbaa431829a50053d07ed6d6b333584c7)
(From OE-Core rev: 4077e088b6e750c4143a59c5d89258ab682ed96b)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use DATA_ENSURE(1) before access.
(From OE-Core rev: 9db907a0bd331c47c4882b82f9f1d2a7ef1f6d1f)
(From OE-Core rev: 7ba25f0d8d95ece5f5d56ace5b1e9c8c797efbc0)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixed up to get it to apply
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getrandom() is only available in glibc 2.25+ and uninative may relocate
binaries onto systems that don't have this function. For now, force
the code to the older codepath until we can come up with a better solution
for this kind of issue.
(From OE-Core rev: da9ac8092497c3f2c246d3534f47e42cb2d9e4e8)
(From OE-Core rev: 450942db7f4638eba7ec262901fe1d7e1b1f6070)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This fixes compile failures of qemu-native with new versions of glibc. Patch
is taken from upstream.
(From OE-Core rev: 9c54510632d22c12850962572ce7276170ce5488)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getentropy/random() is only available in glibc 2.25+ and uninative may relocate
binaries onto systems that don't have this function. For now, force the code to
the older codepaths until we can come up with a better solution for this kind of
issue.
(From OE-Core rev: 92bda0024d85ae78345665cc2f9646c9881ed61b)
(From OE-Core rev: ee006aac0a52709cf5524aeb17a92b8c5c44be34)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Updated two instances of "sysroot-components" to
"sysroots-components".
(From yocto-docs rev: 8f95d9ccd958c46ce5f3f4c7eb95424bee958a9e)
Signed-off-by: Kristi Rifenbark <kristi.rifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I was cherry-picking in commits from master to pyro and had a
conflict that I did not go far enough to the bottom of the
file to see the true nature, which was duplication of the
"Yocto Project Terms" section. When I resolved the conflict
I just took out the top couple lines and actually left the
duplicated terms section in. Then I pushed everything. I should
have made the manuals first and I would have discovered the
error.
This commit fixes it.
(From yocto-docs rev: 0a9a7303fc048b59e5328a9855f8615a042ab411)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This section failed to mention the "yocto-layer create" script,
which is a simple way to create a layer. I have added this info
into the section by way of a "Tip" box.
(From yocto-docs rev: 0bda177090ef624890e94a13e622e05923185fa9)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replaced "recipe_work_directory" with "${WORKDIR}"
throughout the section.
(From yocto-docs rev: 79911f48d469f95ec026fe60585d1b4983e9c1c6)
Signed-off-by: Kristi Rifenbark <kristi.rifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Updated text for sysroot terminology, and clarity.
Fixed a capitalization error.
(From yocto-docs rev: 2ee92ccf677135ea47d621d3583a16649e5a9f13)
Signed-off-by: Kristi Rifenbark <kristi.rifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I did some rewriting for clarity in the "Using .bbappend Files
in Your Layer" section. The section needed to be retitled to
focus on the layer aspect of .bbappend files. Also, while I
was in there, I did more work on the prose in general.
Also had to fix some links in the bsp, kernel, and ref manuals
that linked into the section whose name I changed.
(From yocto-docs rev: 27003c525a05ffa2f810a038c7c8f96bb7535986)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I updated the wording to note that the steps are how to create
a layer without the aid of steps (i.e. by hand).
(From yocto-docs rev: 71956e7a2ef383c72baf3a12d2067ff04bb58ead)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
During the transition to dnf and rpm4, the functionality to
automatically make RPM determine dependencies was lost.
Before the transition, an OE specific tool called rpmdeps-oecore had
been added to the rpm suite. It was based on the rpmdeps tool that is
part of rpm. For each file specified on its command line, it would
output the provides and requires that RPM could determine.
During the transition to rpm4, rpmdeps-oecore was replaced with the
standard rpmdeps. However, what no one noticed was that unless rpmdeps
is given options, e.g., -P or -R, to tell it what it should output, it
will not output anything. Thus, it would do all the work to determine
the requirements, but would keep silent about it. And since no output
from rpmdeps is expected unless there are requirements, there were no
warnings indicating that everything was not working as expected.
Porting the old rpmdeps-oecore to work with rpm4 is not really
possible since it relied on being able to access internals of RPM that
are no longer available. However, it turned out that rpmdeps had a
debug option, --rpmfcdebug, that would output exactly the information
that we need, albeit in a different format and to stderr. To make this
usable, rpmdeps has now received a new option, --alldeps, which sends
the information we need to stdout.
Since enabling this may cause packages to break, it is required that
ENABLE_RPM_FILEDEPS_FOR_PYRO is set to "1" to activate it for Pyro.
The name of this variable has been chosen as to indicate that it only
affects Pyro (since releases before and after Pyro have it enabled by
default).
(From OE-Core rev: 1009498f23ad319825c00ba60a4693d15aada553)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Fixes:
ERROR: nativesdk-libcheck-0.10.0-r0 do_package_qa: QA Issue:
/usr/local/oecore-x86_64/sysroots/x86_64-oesdk-linux/usr/bin/checkmk
contained in package nativesdk-libcheck requires
/usr/local/oecore-x86_64/sysroots/x86_64-oesdk-linux/usr/bin/gawk,
but no providers found in RDEPENDS_nativesdk-libcheck? [file-rdeps]
(From OE-Core rev: 04e11808e6a22adfa367dd2565b20cb9ecdd6439)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When rpmdeps finds a perl script, it attempts to determine what it provides
and what it requires. Often the requires are incorrect, within the context
of Wind River Linux. This results in an error that DNF is unable to install
a package due to one or more unresolved dependencies.
In RPM5 we had disabled this behavior, the alternative is to require that all
perl scripts be 'complete', in that they only require things they absolutely
need and that OE provides. If we ever enforce that, this commit can be
reverted. Until then, fall back to prior behavior (which also matches ipkg
and deb style packages.)
(From OE-Core rev: bd8e5dc3ebabb3d88169e2f848219ca201fa5fdb)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since LTP includes a set of test cases, we need to skip file dependency
generation, as there will be dependencies that can not be satisfied. In this
case a csh and ksh dependency come from two tests.
The alternative would be to depend on csh/ksh (a bad idea as they're not
available in oe-core) or remove the tests (but this eliminates the tests if
someone DOES have csh/ksh in their configurations.)
(From OE-Core rev: 873ad32191816f89d085906635297eb17d9fc0f6)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The scripts currently reference "python33", fix this so they reference
python3. The move to python3 likely broke these.
(From OE-Core rev: 37a40fead443e211f0947d9d9bf2180d95630485)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Filter out any file dependencies on absolute paths and any
dependencies on Perl modules for nativesdk packages. It is assumed
that they will be provided by the native host if needed, and they mess
up the dependency handling if they are present.
(From OE-Core rev: 37f2d4df507c760ea4c12b67526db8277e5684eb)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These git commands require Perl modules that do not exist in OE-Core.
Add PACKAGECONFIGs to enable them. Be aware though that if you enable
them you must also provide the missing dependencies.
(From OE-Core rev: a803938407ee5a55fb40a6940bb6680ba21909b0)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Also modify a Python script (pythondistdeps.py) to use Python 3.
(From OE-Core rev: 18116c1490e6ef09ad5046db7f90dbcbe4caf595)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The perl-ptest package contains Perl internal modules and generating
file dependencies for it causes problems.
(From OE-Core rev: a36cf8e53122c32ef8a91759cd49d294483c6bde)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This will send the output from rpmfcPrint() to stdout. This is an
alternative to using the --rpmfcdebug option, which will send the same
output to stderr. The two options have totally different use cases
though. While --alldeps is used when the output from rpmfcPrint() is
what is wanted, --rpmfcdebug can be used together with the other
output options, e.g., --requires, without affecting their output.
(From OE-Core rev: 7a4794534bb2e67c61262361f907eced18ec69cc)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This avoids the following warning:
warning: Ignoring invalid regex %{_docdir}
when running `rpmdeps -R <file>`, since %{_docdir} is only defined when
parsing a spec file.
(From OE-Core rev: c128e19d25f2015ce1bed13b423ac0d6e619ef5e)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is nothing that requires, e.g., a DSO to be executable, but it
is still an ELF binary and should be identified as such.
(From OE-Core rev: 8d9cca4956ba1d8438e185af8baa2b64809d7c86)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rather than trying to call rpmdeps with the correct arguments to work
with the sysroot as was done in package.bbclass, create a wrapper for
it like all the other native tools already had.
(From OE-Core rev: 8279881fb0a65b238c6d484a45a71b6c4dd433e2)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use a loop rather than calling create_wrapper for each individual
tool.
(From OE-Core rev: d052c534c5099b9927ec84b23e01341f0aa3ce7d)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When using RPM, depends.dot may contain dependencies such as
"/bin/sh", which will confuse _toaster_load_pkgdatafile(). Ignore
them. While at it, also ignore dependencies that contain parentheses,
e.g., "libc.so.6(GLIBC_2.7)".
(From OE-Core rev: 80c117f46442ef442e34b7681ed3688789f505ac)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
By using a single regular expression, the parsing of the depends.dot
file can be simplified a lot. This should also make it less
susceptible to formatting changes in that file.
(From OE-Core rev: 20684149bb659b34d3bcac8f202cb95d607567c1)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Convert incorrectly formatted dependencies such as:
"bar -> "foo" ">=" "1.2.3"
into dependencies with edge labels:
"bar -> "foo" [label=">= 1.2.3"]
* Remove rpmlib() and config() dependencies such as:
"foo" -> "rpmlib(CompressedFileNames)" [label="<= 3.0.4-1"]
and:
"base-files" -> "config(base-files)" [label="= 3.0.14-r89.49"]
* Remove the trailing semicolon that was added to each line. It serves
no purpose.
(From OE-Core rev: 99ef2f26cf498e1693a947bb44e40c31c20ec525)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
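An added example (not OE-Core's code and not from any of the commits above) covering both of the depends.dot changes described in the last three commits: a single regular expression that recognises an edge line, rewrites the malformed `"bar" -> "foo" ">=" "1.2.3"` form into an edge label, drops rpmlib() and config() dependencies and the trailing semicolon, and a loader-side pass that ignores targets that are absolute paths such as "/bin/sh" or contain parentheses such as "libc.so.6(GLIBC_2.7)". The sample file contents and all function names are constructed for this illustration; the real depends.dot format may differ in details not quoted in the commit messages.

```python
import re

# Constructed sample, not a real depends.dot: the edge forms mimic those
# quoted in the commit messages (assumption about the exact layout).
SAMPLE_DEPENDS_DOT = """digraph depends {
"bar" -> "foo" ">=" "1.2.3";
"foo" -> "rpmlib(CompressedFileNames)" [label="<= 3.0.4-1"];
"base-files" -> "config(base-files)" [label="= 3.0.14-r89.49"];
"busybox" -> "/bin/sh";
"bash" -> "libc.so.6(GLIBC_2.7)";
"bash" -> "glibc";
}
"""

# One regular expression for an edge line: quoted source and target, then
# optionally either the malformed quoted operator/version pair or a proper
# [label="..."] attribute, then an optional trailing semicolon.
EDGE_RE = re.compile(
    r'^"(?P<src>[^"]+)"\s*->\s*"(?P<dst>[^"]+)"'
    r'(?:\s*"(?P<op>[<>=]+)"\s*"(?P<ver>[^"]+)"'
    r'|\s*\[label="(?P<label>[^"]*)"\])?'
    r'\s*;?\s*$'
)


def normalise_line(line):
    """Rewrite one depends.dot line.

    Returns the cleaned line, or None when the edge is an rpmlib()/config()
    dependency that should be dropped. Non-edge lines pass through as-is.
    """
    m = EDGE_RE.match(line.strip())
    if m is None:
        return line.rstrip()
    src, dst = m.group("src"), m.group("dst")
    if dst.startswith(("rpmlib(", "config(")):
        return None
    label = m.group("label")
    if m.group("op"):
        # "bar" -> "foo" ">=" "1.2.3"  becomes  "bar" -> "foo" [label=">= 1.2.3"]
        label = f'{m.group("op")} {m.group("ver")}'
    if label:
        return f'"{src}" -> "{dst}" [label="{label}"]'
    return f'"{src}" -> "{dst}"'


def normalise_depends_dot(text):
    """Apply normalise_line to every line; dropped edges are omitted."""
    cleaned = []
    for line in text.splitlines():
        out = normalise_line(line)
        if out is not None:
            cleaned.append(out)
    return cleaned


def runtime_dependencies(text):
    """Collect package -> [package] edges the way a pkgdata loader would,
    skipping targets that are file paths (start with "/") or that contain
    parentheses, e.g. "libc.so.6(GLIBC_2.7)"."""
    deps = {}
    for line in normalise_depends_dot(text):
        m = EDGE_RE.match(line)
        if m is None:
            continue
        dst = m.group("dst")
        if dst.startswith("/") or "(" in dst:
            continue
        deps.setdefault(m.group("src"), []).append(dst)
    return deps


if __name__ == "__main__":
    print("\n".join(normalise_depends_dot(SAMPLE_DEPENDS_DOT)))
    print(runtime_dependencies(SAMPLE_DEPENDS_DOT))
```

Because a single anchored pattern decides what counts as an edge, an unexpected line shape fails to match and is passed through unchanged rather than being half-parsed, which is the robustness argument the commit message makes for the single-regex approach.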