Backport selected parts of three upstream commits to fix
CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read.
Upstream-Status: Backport
[ several ]
Upstream commits fully backported:
46aead6 [CVE-2017-16808/AoE: Add a missing bounds check]
Upstream commits partially backported:
7068209 [Use nd_ types in 802.x and FDDI headers.]
84ef17a [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using
pointers (1/n)]
46aead6 fixes the vulnerability and requires two macros defined in
7068209 and 84ef17a, which are committed after the release of 4.9.2.
Only the definition of the macros are taken from the two commits
as they impact a wide range of code and are difficult to integrate.
CVE: CVE-2017-16808
Signed-off-by: Peiran Hong <peiran.hong@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Uses iruserok and ruserok which are GNU extensions available in glibc
but not in musl
Cc: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
License has been changed due to reformatting, no new stuff added.
Bug fix only update include security fixes:
CVE-2019-8936
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
ntpq is the standard query program for ntp,
but ntp-utils depends on perl.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Convert all other instances of explicit PACKAGECONFIG uses
to the PACKAGECONFIG_CONFARGS infrastructure.
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Damien Riegel <damien.riegel@gmail.com>
[Damien Riegel: backport from master]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The mosquitto systemd service file instructs systemd to wait
for mosquitto to notify systemd that mosquitto has started
correctly. This isn't working as mosquitto is not *compiled*
with systemd support enabled. As such, systemd restarts
mosquitto every few seconds.
For reference, this was introduced in commit a483d344d9
("mosquitto: Make enabling systemd also enable build dep on systemd")
Because we build mosquitto using the provided Makefile
infrastructure, the solution is to add PACKAGECONFIG_CONFARGS
to EXTRA_OEMAKE, so that the required make flags are added
to the make command line.
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Damien Riegel <damien.riegel@gmail.com>
[Damien Riegel: backport from master]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Got the following error when I activated both ppp and modemmanager
options:
ERROR: networkmanager-1.14.4-r0 do_package: QA Issue: networkmanager: Files/directories were installed but not shipped in any package:
/usr/lib/pppd/2.4.5/nm-pppd-plugin.so
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
Signed-off-by: Marc Ferland <ferlandm@amotus.ca>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
includes:
wnpa-sec-2019-01 The 6LoWPAN dissector could crash. Bug 15217. CVE-2019-5716.
wnpa-sec-2019-02 The P_MUL dissector could crash. Bug 15337. CVE-2019-5717.
wnpa-sec-2019-03 The RTSE dissector and other dissectors could crash. Bug 15373. CVE-2019-5718.
wnpa-sec-2019-04 The ISAKMP dissector could crash. Bug 15374. CVE-2019-5719.
For more info see: https://www.wireshark.org/docs/relnotes/wireshark-2.6.6.html
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There is the same issue as for libldb, the header has conflicting defs
for unitptr_t. Fix it as done for the other recipe.
Fix
/cmocka/cmocka.h:126:28: error: conflicting types for 'uintptr_t'
typedef unsigned int uintptr_t;
^~~~~~~~~
Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The ptpd2 daemon consumes 100% CPU (of a single core) after
some amount of stable runtime. This fix added minimum POSIX
timer interval to prevent from timers firing to quickly for
the process to handle, resulting in 100% CPU and endless signal queue.
Reference: https://github.com/ptpd/ptpd/blob/master/ChangeLog
Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Inherit ptest for net-snmp to create ${PN}-ptest. Update run-ptest as
well to avoid only could be run in the same directory.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
1.Upgrade wireshark from 2.6.4 to 2.6.5.
Signed-off-by: Hong Liu <hongl.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
previous database on maxmind website will be removed from January 2, 2019.
and also we met checksum weekly change problem, so update the SRC_URI to
http://sources.openembedded.org/
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Geolite database checksum changed today, so update it
to the lastest one.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
previous change of checksum don't trigger archive to re-downloaded,
, which will cause checksum mismatch. add downloadfilename to
trigger re-download.
1. for user with PREMIRROR, another benefit is it can still compile
success event upstream checksum change frequently.
2. but for user don't use PREMIRROR, if upstream checksum changed,
still might have checksum mismatch problem.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This fixes:
ERROR: networkmanager-1.14.4-r0 do_package: QA Issue: networkmanager: Files/directories were installed but not shipped in any package:
/usr/lib64/NetworkManager/1.14.4/libnm-settings-plugin-ifupdown.la
/usr/lib64/NetworkManager/1.14.4/libnm-device-plugin-adsl.la
/usr/lib64/NetworkManager/1.14.4/libnm-device-plugin-wifi.la
/usr/lib64/NetworkManager/1.14.4/libnm-device-plugin-ovs.la
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
networkmanager: 4 installed and not shipped files. [installed-vs-shipped]
As with similar changes in the past, if the distro makes use of
'remove-libtool' this issue is not seen but we should add .la files to
the -dev package when they do exist.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
At configure time, the ntp build goes looking on the build machine for a posix
shell, using `which` to find it. Under OE, it settles on hosttools/bash,
resulting in this build host path being written into several binaries.
This did not affect the Debian reproducibility project, presumably because it
consistently found bash at /bin/bash.
Don't go looking, just use a fixed path to /bin/sh instead.
Upstream-Status: Submitted http://bugs.ntp.org/show_bug.cgi?id=3551
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If a SOURCE_DATE_EPOCH is set in the environment, use that date in the build
version string, otherwise use the current build date.
See https://reproducible-builds.org/docs/source-date-epoch/
Should GNU date options fail, try BSD date options as a fall-back.
This patch can potentially be pushed upstream for use on Mac OSX or OpenBSD,
though it has not been tested on OSX or any BSD platform.
Upstream-Status: Submitted http://bugs.ntp.org/show_bug.cgi?id=3550
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Drop all the backports as they're upstream
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This patch fixes three issues:
1. The recipe used "libcurlpp" for its package base name. It defined
PACKAGES and corresponding package contents manually, but the
non-standard naming led to an error message when trying to depend on
it (nothing provides curlpp needed by curlpp-dev).
See also
https://lists.yoctoproject.org/pipermail/poky/2018-February/011236.html.
Fixed by removing PACKAGES and corresponding FILES_*, relying on
automatic packaging now.
2. Upstream ships a license file (MIT), which is referenced by the
recipe now (instead of the stock COPYING.MIT file).
3. There was a do_install_append() function which patched the
installed curlpp.pc file. Since it seemed to be of no use, it was
removed.
Signed-off-by: Robert Tiemann <rtie@gmx.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* License checksum: copyright year changed
* packageconfig glib: with this version (udev-)glib support hase to be enabled
explicitly. Split this out to meta-gnome where network-manager-applet lives.
* packageconfig netconfig: This was nonsense: netconfig is a SUSE tool [1]
which is not found in layer index. The error was detected now because
configuration checks for presence of netconfig.
* --disable-ifnet and --disable-ifcfg-suse are gone
* musl patches were aligned but have no resources to test them
[1] https://github.com/openSUSE/sysconfig
Signed-off-by: Andreas Müller <schnitzeltony@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
When build lib32-netkit-telnet that multilib is enabled, it shows qa
warnings of alternative target:
| WARNING: lib32-netkit-telnet-0.17-r0 do_package: netkit-telnet:
| alternative target (/usr/bin/telnet or /usr/bin/telnet.netkit-telnet)
| does not exist, skipping...
| WARNING: lib32-netkit-telnet-0.17-r0 do_package: netkit-telnet: NOT
| adding alternative provide /usr/bin/telnet:
| /usr/bin/telnet.netkit-telnet does not exist
| WARNING: lib32-netkit-telnet-0.17-r0 do_package: netkit-telnet: alt_link
| == alt_target: /usr/bin/telnet == /usr/bin/telnet
Set ALTERNATIVE_TARGET to fix the issue.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Tests try to download third party code and bypass the bitbake fetcher to
do that. This will not work in environments with no internet access.
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
They are the same as the default version.
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
update SRC_URI since previous is not valid now
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
update SRC_URI since previous is not valid now
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
tar on previous link checksum changed, so changed SRC_URI to
get previous tar
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Update SRC_URI for snort as the previous
one is invalid.
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
openipmi load swig/python/.libs/_OpenIPMI.so to create .pyc and .pyo
files. It fails when multilib is enable:
| ImportError: .../lib32-openipmi/2.0.25-r0/OpenIPMI-2.0.25/swig/python/.libs/_OpenIPMI.so:
| wrong ELF class: ELFCLASS32
Don't compile and install .pyc and .pyo files to fix the failure.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We don't offer /etc/radvd.conf but only radvd.conf.example which would
cause a startup error:
Starting radvd:
* /etc/radvd.conf does not exist or is empty.
Remove update-rc.d settings to make it doesn't start by default.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Update SRC_URI
In https://1.as.dl.wireshark.org/src/, it only keep the latest
release. Switch to https://1.as.dl.wireshark.org/src/all-versions/
to make sure the old release can be found.
* Drop patch fix-fatal-no-names-found-git-error.patch
Actually this piece of code should not be invoked when build from
tarball. But in previous releases the code will be performed when
building native package if host with rpmbuild and git installed, which
will cause a configure error. This issue has been fixed in 2.6.4:
commit 4fbc017e80d6d11f8c26cad12d883fd6da9d3504
CMake: Fix build from tarball under certain conditions
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The recipe wants to install a script under init.d but does not
want to it be started by default. It did so by inheriting update-rc.d
and setting INITSCRIPT_PARAMS to "remove". This is not correct.
We could just not inherit 'update-rc.d' to achieve such effect.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
it has a build dependancy on python-cython and python-pyparsing with are in
meta-python
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When building native package, the do_compile function tries to check
libnsl.so and libresolv.so on host machine and add -lnsl and -lresolv to
SYSLIBS if they exist. But finally it will link the libnsl.so from
${STAGING_LIBDIR_NATIVE}. Actually there is no need to check them since
the libnsl2 is specified in DEPENDS and libresolv.so is from c libarary.
So add -lnsl and -lresolv to SYSLIBS directly.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
during radiusd start up, it will check several CVEs of libssl,
if allow_vulnerable_openssl set to no and one of the CVEs is
matched, radiusd will not startup.
in tls.c, two CVEs's version number is wrong, and after upgrade openssl
to 1.1.1, one CVE matched, so startup failed. correct the version numner
to make radiusd startup successfully.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
When building grpc for nativesdk the project tries to execute the
nativesdk grpc_cpp_plugin instead of the host one. Apply the patch
fixing the cross-compilation for nativesdk build and modify its
contents to reflect its new purpose.
Also: add grpc-native to dependencies.
Signed-off-by: Hiram Lew <lew@avast.com>
Signed-off-by: Jan Kaisrlik <jan.kaisrlik@avast.com>
Signed-off-by: Lukas Karas <karas@avast.com>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
