CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-04 16:10:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
33,935 Commits 38 Branches 615 Tags 255 MiB
f0ecaf46bb
Commit Graph

33935 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Wenzong Fan
f0ecaf46bb subversion: fix CVE-2015-3184 
mod_authz_svn in Apache Subversion 1.7.x before 1.7.21 and 1.8.x before
1.8.14, when using Apache httpd 2.4.x, does not properly restrict
anonymous access, which allows remote anonymous users to read hidden
files via the path name.

Patch is from:
http://subversion.apache.org/security/CVE-2015-3184-advisory.txt

(From OE-Core master rev: 29eb921ed074d86fa8d5b205a313eb3177473a63)

(From OE-Core rev: 7af7a3e692a6cd0d92768024efe32bfa7d83bc8f)

(From OE-Core rev: e4a1caecc5ae6b8488ec8ed7d303296af99146c0)

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
165fa6ce62 openssl: Security fix CVE-2016-0701 
CVE-2016-0701 OpenSSL: DH small subgroups

(From OE-Core rev: c5868a7cd0a28c5800dfa4be1c9d98d3de08cd12)

(From OE-Core rev: 5e73d0e88c28ca1e948f5c463b9d9d1001251a42)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
1098a7bc0c openssl: Security fix CVE-2015-3197 
CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers

(From OE-Core rev: b387d9b8dff8e2c572ca14f9628ab8298347fd4f)

(From OE-Core rev: c037cbdac6a0e871a60077703432c08be6d29677)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
e6d734904d glibc: CVE-2015-8776 
it was found that out-of-range time values passed to the strftime function may
cause it to crash, leading to a denial of service, or potentially disclosure
information.

(From OE-Core rev: b9bc001ee834e4f8f756a2eaf2671aac3324b0ee)

(From OE-Core rev: 3527ba3be7cfdfd813f5ca495bc74db559a648cd)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
b03994fe3b glibc: CVE-2015-9761 
A stack overflow vulnerability was found in nan* functions that could cause
applications which process long strings with the nan function to crash or,
potentially, execute arbitrary code.

(From OE-Core rev: fd3da8178c8c06b549dbc19ecec40e98ab934d49)

(From OE-Core rev: 6cb0465247195ec25ef1073e79997001380aa807)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:04 +00:00
Armin Kuster
ec05eebf8d glibc: CVE-2015-8779 
A stack overflow vulnerability in the catopen function was found, causing
applications which pass long strings to the catopen function to crash or,
potentially execute arbitrary code.

(From OE-Core rev: af20e323932caba8883c91dac610e1ba2b3d4ab5)

(From OE-Core rev: 2e1c8cab3bc7b70e2a05dca20cb5bcec4335f04d)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:03 +00:00
Armin Kuster
7ff74d177c glibc: CVE-2015-8777 
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or
libc6) before 2.23 allows local users to bypass a pointer-guarding protection
mechanism via a zero value of the LD_POINTER_GUARD environment variable.

(From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252)

(From OE-Core rev: 9cc998978bd67bc5569cc1478f4ddee40020b929)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-02-07 17:23:03 +00:00
Armin Kuster
9845a542a7 openssh: CVE-2016-077x 
this address two CVE's.
CVE-2016-0777 and CVE-2016-0778

(From OE-Core rev: 1c05115a906499989d2159683195ed6d2cda75ba)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:30 +00:00
Hongxu Jia
368da33ee7 logrotate: do not move binary logrotate to /usr/bin 
In oe-core commit a46d3646a3e1781be4423b508ea63996b3cfca8a
...
Author: Fahad Usman <fahad_usman@mentor.com>
Date:   Tue Aug 26 13:16:48 2014 +0500

    logrotate: obey our flags

    Needed to quiet GNU_HASH warnings, and some minor fixes.
...
it explicitly move logrotate to /usr/bin without any reason,
which is against the original Linux location /usr/sbin.

So partly revert the above commit which let logrotate be
kept in the original place /usr/sbin.

(From OE-Core rev: 88015d6d0a887969ae82b0888bf32659a6d225d3)

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:30 +00:00
Armin Kuster
48d9e00913 libxml2: security fix CVE-2015-5312 
(From OE-Core rev: 15d05f186fbe78774c933cf93f116af1a2a8e51a)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:30 +00:00
Armin Kuster
436e204445 libxml2: security fix CVE-2015-8242 
(From OE-Core rev: acbd71fe7d0571b78bbecb7464d99823411a7b22)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:29 +00:00
Armin Kuster
389549c0bb libxml2: security fix CVE-2015-7500 
includes a depend fix security issue CVE-2015-7500

(From OE-Core rev: 7d54f2f85dfcc3a56239abafd5eaefb9d7d25081)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:29 +00:00
Armin Kuster
88e28c86c5 libxml2: security fix CVE-2015-7499 
includes:
CVE-2015-7499-1
CVE-2015-7499-2

(From OE-Core rev: 3048fe24e4c5f83ad0971062a88592bcb6bf52bc)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:29 +00:00
Armin Kuster
6abe713244 libxml2: security fix CVE-2015-7497 
(From OE-Core rev: 5b72983d1a6d5ad5e9a21d2673d57d1da2333ac6)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:29 +00:00
Armin Kuster
66740c3314 libxml2: security fix CVE-2015-7498 
(From OE-Core rev: b3d6a714180199a5e0099e3d40b37c9bfa106eb1)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:29 +00:00
Armin Kuster
2390475894 libxml2: security fix CVE-2015-8035 
(From OE-Core rev: 495eaf5039596ac0fab7684cfc867569710eb0f4)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:29 +00:00
Armin Kuster
663943a802 libxml2: security fix CVE-2015-7942 
includes:
CVE-2015-7942
CVE-2015-7942-2

(From OE-Core rev: 4ca806d70cf65a66daab85898bcf5d682bef43d3)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:29 +00:00
Armin Kuster
7aaf773d32 libxml2: security fix CVE-2015-8317 
(From OE-Core rev: 34379b38919d535cd787bde4493fff61bd17f37a)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:29 +00:00
Armin Kuster
9d44210c74 libxml2: security fix CVE-2015-7941 
includes:
CVE-2015-7941-1
CVE-2015-7941-2

(From OE-Core rev: e06312c71209b2e1d19c7df1434e409ad96b58be)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:28 +00:00
Joshua Lock
d3ad918a71 libxml2: remove files for easier maintenance 
Drop a couple of CVE fixes for easy cherry-picking from jethro.
The same fixes will be pack-ported from jethro in a following
patch.

(From OE-Core rev: 02fb45bada58f03c5571baf700934154e9fc57c2)

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:28 +00:00
Armin Kuster
f9e5cc9e16 openssl: fix for CVE-2015-3195 
(From OE-Core rev: 55d09d4e2dad9d1f80e50348d44177e47e6e33e1)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:28 +00:00
Armin Kuster
0ed23c1a0a openssl: fix for CVE-2015-3194 
(From OE-Core rev: edff5fc629c8f70191bd33c731084e8217780a38)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:28 +00:00
Armin Kuster
5c12661f8c openssl: fix for CVE-2015-3193 
(From OE-Core rev: ee47f6ca78d15ec56556d5c078bf20315af457b8)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:28 +00:00
Martin Jansa
c7e2c072c2 texinfo: don't create dependency on INHERIT variable 
* we don't want the do_package signature depending on INHERIT variable
* e.g. just adding the own-mirrors causes texinfo to rebuild:
  # bitbake-diffsigs BUILD/sstate-diff/*/*/texinfo/*do_package.sig*
  basehash changed from 015df2fd8e396cc1e15622dbac843301 to 9f1d06c4f238c70a99ccb6d8da348b6a
  Variable INHERIT value changed from
  ' rm_work blacklist blacklist report-error ${PACKAGE_CLASSES} ${USER_CLASSES} ${INHERIT_DISTRO} ${INHERIT_BLACKLIST} sanity'
  to
  ' rm_work own-mirrors blacklist blacklist report-error ${PACKAGE_CLASSES} ${USER_CLASSES} ${INHERIT_DISTRO} ${INHERIT_BLACKLIST} sanity'

(From OE-Core rev: e6cae8ace890fc4322830731cb95bcc2680f4cfc)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-20 17:08:28 +00:00
Belal, Awais
c1162207c9 grub2: Fix CVE-2015-8370 
http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2

(From OE-Core rev: 3f2701c102e4e5b95fc79a8d967f9c48f8232fc6)

Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:35 +00:00
Thomas PERROT
a690c381ab openssl: fix SRC_URI 
Corrects the URI of the openssl's recipe from fido. The sources were moved
to a new subdirectory.

(From OE-Core rev: 685e861f085736a4b0bae09bab86c3d456ec84ae)

Signed-off-by: Thomas Perrot <thomas.perrot@tupi.fr>
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:35 +00:00
Sona Sarmadi
58f6a400d1 bind: CVE-2015-8000 
Fixes a denial of service in BIND.

An error in the parsing of incoming responses allows some
records with an incorrect class to be accepted by BIND
instead of being rejected as malformed. This can trigger
a REQUIRE assertion failure when those records are subsequently
cached.

[YOCTO #8838]

References:
http://www.openwall.com/lists/oss-security/2015/12/15/14
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000
https://bugzilla.redhat.com/attachment.cgi?id=1105581

(From OE-Core rev: 5e1c3942a02564904ee2b2e24004b9679d649b4e)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Stefan Müller-Klieser
152e4c11e6 gcc-4.9: backport from gcc trunk r212178 
When compiling meta-toolchain-qt5 on cortexa8, the compiler throws an
internal compiler error:

...
qttools-opensource-src-5.3.2/src/linguist/shared/po.cpp:
In function 'bool loadPO(Translator&, QIODevice&, ConversionData&)':
qttools-opensource-src-5.3.2/src/linguist/shared/po.cpp:717:1:
internal compiler error: in add_stores, at var-tracking.c:6000
...

Tracking this down led to https://bugs.linaro.org/show_bug.cgi?id=534
It seems the bug is well know and fixed upstream. So backporting from
trunk seems to be the right solution. This fixes the compiler problem
on cortexa8 and does not seem to be very invasive. The original commit
can be found at:

git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@212178 138bc75d-0d04-0410-961f-82ee72b054a4

(From OE-Core master rev: 6751ef78694783fb86e55c77afefae750ab1b610)

(From OE-Core rev: 91a001fc74dd13ea9e5249aa624ad360ce807349)

Signed-off-by: Stefan Müller-Klieser <s.mueller-klieser@phytec.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Martin Jansa
2924348da7 feature-arm-thumb.inc: Fix ARMPKGSFX_THUMB value 
* my previous thumb related commit:
  commit 3e760031f91fb87c3e2f62b77a117eb41164f259
  Author: Martin Jansa <martin.jansa@gmail.com>
  Date:   Wed Feb 18 15:40:35 2015 +0100

    feature-arm-thumb.inc: respect ARM_INSTRUCTION_SET when adding thumb
    suffix

  unfortunately removed conditional on "thumb" in TUNE_FEATURES, when
  setting ARMPKGSFX_THUMB

* in case we have MACHINE without "thumb" in TUNE_FEATURES and distro
  setting ARM_INSTRUCTION_SET to "thumb" we end with:
  ARM_INSTRUCTION_SET="thumb"
  ARM_THUMB_OPT="thumb"
  ARM_M_OPT="thumb"

  # TUNE_CCARGS correctly not adding -mthumb
  TUNE_CCARGS=" -march=armv7-a  -mthumb-interwork -mfloat-abi=softfp -mfpu=neon"

  # but ARMPKGSFX_THUMB and TUNE_PKGARCH including "t2":
  ARMPKGSFX_THUMB="t2"
  TUNE_PKGARCH="armv7at2-vfp-neon"

  # causing following error:
  Error, the PACKAGE_ARCHS variable does not contain TUNE_PKGARCH (armv7at2-vfp-neon).

(From OE-Core master rev: 951200673af27538beaef647a33308b4f15d1fb0)

(From OE-Core rev: 17b3112a3d6fc4c777429f8b5965206889c55cc3)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Mike Crowe
36ea7bd65f allarch: Force TARGET_*FLAGS variable values 
TARGET_CPPFLAGS, TARGET_CFLAGS, TARGET_CPPFLAGS and TARGET_LDFLAGS may
differ between MACHINEs. Since they are exported they affect task hashes
even if unused which leads to multiple variants of allarch packages
existing in sstate and bouncing in the sysroot when switching between
MACHINEs.

allarch packages shouldn't be using these variables anyway, so let's
ensure they have a fixed value in order to avoid this problem.

(Compare with 05a70ac30b37cab0952f1b9df501993a9dec70da and
14f4d016fef9d660da1e7e91aec4a0e807de59ab.)

(From OE-Core master rev: d08fda21bfb7d264c238af0232a22cdd751f5150)

(From OE-Core rev: 017b1992c7b9055f3a16e9c2e14535fe81dde6c8)

Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Richard Purdie
619b1c6b7d layer.conf: Add missing dependency for allarch package initramfs-framework 
Similiarly to the other previous changes, add a missing allarch package dependency
for initramfs-framework on udev.

(From OE-Core master rev: 00524d0c4449eb358dcf6c5a049a8f5371ddadee)

(From OE-Core rev: c195dfac6fd248f65f00b9d5419ab132dbc1e6c9)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Richard Purdie
61f5562730 layer.conf: Add several allarch dependency exclusions 
These are dependencies that our allarch packages have in OE-Core that cause
those allarch packages to rebuild every time MACHINE changes.

With these changes, OE-Core allarch packages all have a common sstate
signatures and no longer rebuild.

(From OE-Core rev: 63bff90fa4fb4a95e8c79f9f8e5dd90ae1dfc69d)

(From OE-Core master rev: 0b5e868d160faca041cda42b670066facd4db531)

(From OE-Core rev: 4e69cfb612520f3413be3e2a075d943a9e7c8df1)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Martin Jansa
7cbff59de8 linux-dtb.inc: drop unused DTB_NAME variable from do_install 
* this is causing do_install to depend on KERNEL_IMAGE_BASE_NAME which
  in some cases contains something like BUILD_NUMBER from CI, that
  caused do_install to be reexecuted every single time, which is very
  sad to be caused by unused variable.
* jethro and newer don't need this change, because it's also fixed in
  commit 86b3f29f93e3f87903668ea317c6bd97be4cdf62
  Author: Marek Vasut <marex@denx.de>
  Date:   Thu May 14 14:31:11 2015 +0200
  Subject: kernel: Build DTBs early

(From OE-Core rev: d17abc45f1e1ba0a08c6e7411eda52a5140faea7)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Bhuvanchandra DV
cfd74b00e5 linux-firmware: rtl8192cx: Add latest available firmware 
Add latest available firmware binaries for RTL8192CX chipsets.
These new firmwares have been released in 2012, have been used
by the mainline kernel as preferred firmware since 3.13 and
even backported to stable branches.

(From OE-Core master rev: 2dc67b53d1b7c056bbbff2f90ad16ed214b57609)

(From OE-Core rev: 89c6d043aa76c0e1eac694b92cdd95c6b02c9762)

Signed-off-by: Bhuvanchandra DV <bhuvanchandra.dv@toradex.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Armin Kuster
01b93fb33d libxml2: fix CVE-2015-7942 and CVE-2015-8035 
CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled

[YOCTO #8641]

(From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)

(From OE-Core rev: fdaf0f8f8b034f19639f66e1d30088bb9abfc68d)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2016-01-15 13:14:34 +00:00
Elliot Smith
6e3eefb997 bitbake: toaster: Rework mimetype guessing to fix artifact downloads 
Artifact download links were broken because the function to
get the mimetype for the artifact was incorrectly using the
underlying mimetype library. The function was also attached
to the build environment controller, which was unnecessary, as
we only support local controllers anyway.

Remove the mimetype getter on the build environment and
use the one in the view code instead. This prevents the download error
from occurring.

(Backport of dd957fe0f2 and
dd957fe0f2 from master to Yocto 1.8)

[YOCTO #8472]

(Bitbake rev: b09966906ef054834f0b465f0c5a2a937b4c4a4c)

Signed-off-by: Elliot Smith <elliot.smith@intel.com>
Signed-off-by: Ed Bartosh <ed.bartosh@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-18 13:52:00 +00:00
brian avery
aff2257e0b toasterconf: remove master as a branch option from fido release 
Toaster isn't designed to be forward compatible. As such,
    a release cannot build releases newer then it.

    Particularly, "fido" cannot build "master", so we remove
    "master" from the list of supported releases in "fido"

    [YOCTO #8154]

(From meta-yocto rev: e12c4cf27ccdf3f93035a8450b5ff62fe4fe9838)

Signed-off-by: brian avery <avery.brian@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:28:14 +00:00
Aníbal Limón
118acdcf67 bash: Disable custom memory allocator 
Bash is failing trying to allocate memory [1] using the custom
memory allocator if we disable it the issue is fixed.

The major distributions also disabled by default [2], so we
don't have a good reason to use it.

The underlying issue is due to bash’s malloc using brk() calls
to allocate memory, which fail when address randomization is
enabled in kernel. sbrk() based custom allocators are obsolete.
There may be some performance impact of this however correctness
is more important.

[YOCTO #8452]

[1] https://bugzilla.yoctoproject.org/show_bug.cgi?id=8452#c0
[2] https://bugzilla.yoctoproject.org/show_bug.cgi?id=8452#c5

(From OE-Core master rev: e42d8eff9eed7d1454b4f331d96dcee6dea232df)

(From OE-Core rev: 9f339f516ab03d598fae0e536b3a420ea4d8ee1a)

Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:40 +00:00
Paul Eggleton
72a8138908 tzdata: reinstate changes reverted in 2014c upgrade 
OE-Core commit 57af3fb9662106f0a65a1b4edf83e2398be0a8f1 upgraded tzdata
but also reverted a couple of changes to SUMMARY and LIC_FILES_CHKSUM.
Reinstate these (with an update to the README md5 value since that has
changed slightly, without any change to the licensing statements
within).

(From OE-Core master rev: cea4f6b86129f84a99700207777929bf7e811ed6)

(From OE-Core rev: ea1169efac715140cebf20fae67eae58b5f1caf2)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:38 +00:00
Armin Kuster
e3d6475b07 tzdata: update to 2015g 
Resend: typo in version in subject.

Changes affecting future time stamps

Turkey's 2015 fall-back transition is scheduled for Nov. 8, not Oct. 25.
(Thanks to Fatih.)

Norfolk moves from +1130 to +1100 on 2015-10-04 at 02:00 local time.
(Thanks to Alexander Krivenyshev.)

Fiji's 2016 fall-back transition is scheduled for January 17, not 24.
(Thanks to Ken Rylander.)

Fort Nelson, British Columbia will not fall back on 2015-11-01. It has
effectively been on MST (-0700) since it advanced its clocks on 2015-03-08.
New zone America/Fort_Nelson.  (Thanks to Matt Johnson.)

(From OE-Core master rev: fce47d3bd51ede32a392b53b046a4583ef1847c8)

(From OE-Core rev: a987c482584c3500c42d733f1d78b7662d46a3c1)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:37 +00:00
Armin Kuster
dd2b5c9653 tzcode: update to 2015g 
Changes affecting code

localtime no longer mishandles America/Anchorage after 2037.
(Thanks to Bradley White for reporting the bug.)

On hosts with signed 32-bit time_t, localtime no longer mishandles
Pacific/Fiji after 2038-01-16 14:00 UTC.

The localtime module allows the variables 'timezone', 'daylight',
and 'altzone' to be in common storage shared with other modules,
and declares them in case the system <time.h> does not.
(Problems reported by Kees Dekker.)

On platforms with tm_zone, strftime.c now assumes it is not NULL.
This simplifies the code and is consistent with zdump.c.
(Problem reported by Christos Zoulas.)

Changes affecting documentation
The tzfile man page now documents that transition times denote the
starts (not the ends) of the corresponding time periods.
(Ambiguity reported by Bill Seymour.)

(From OE-Core master rev: 7c9082ab1ae6f7810c7cffe137d7d232b03852f8)

(From OE-Core rev: 6c32103a8491fb0a0fa5dec905720a40877c6563)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:36 +00:00
Adrian Calianu
31aa514524 glibc: fix the big endian loader name on AArch64 
Apply a patch backported from glibc 2.22 (master) to fix
the loader name on AArch64.

(From OE-Core rev: 513e52670ea52e8143f46777accf441bb5c299fa)

Signed-off-by: Adrian Calianu <adrian.calianu@enea.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:35 +00:00
Martin Jansa
446295e866 fontcache: allow to pass extra parameters and environment to fc-cache 
* this can be useful for passing extra parameters, pass
  -v by default to see what's going on in do_rootfs
* we need to use this for extra parameter we implemented
  in fontconfig:
  --ignore-mtime always use cache file regardless of font directory mtime
  because the checksum of fontcache generated in do_rootfs
  doesn't match with /usr/share/fonts directory as seen on
  target device causing fontconfig to re-create the cache
  when fontconfig is used for first time or worse create
  new cache in every user's home directory when /usr/
  filesystem is read only and cache cannot be updated.

  Running FC_DEBUG=16 fc-cache -v on such device shows:
  FcCacheTimeValid dir "/usr/share/fonts" cache checksum 1441207803 dir checksum 1441206149
* my guess is that the checksum is different, because pseudo
  (which is unloaded when running qemuwrapper) or because some
  influence of running the rootfs under qemu.

(From OE-Core rev: 22bb7e11f9c75943efa07997a98304aa01d14699)

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:34 +00:00
Ross Burton
2761a2bd8b readline: actually apply readline63-003 (aka CVE-2014-2524) 
This file wasn't named as a patch, nor told to apply explicity, so it was just
unpacked to the work directory and not applied.  Rename the file so the patch is
applied correctly.

(thanks to Petter Mabäcker <petter@technux.se> for spotting this)

(From OE-Core master rev: 02be728762c77962f9c3034cd7995ad51afaee95)

(From OE-Core rev: 7f2e2d57c7496547b7970377547482ead2e152cf)

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:34 +00:00
Andre McCurdy
ddb058ca08 gettext_0.16.1: add -lrt and -lpthread to LDFLAGS for uclibc builds 
Fix linker errors due to posix_spawnp etc being in librt for uclibc.

 | sh4-rdk-linux-uclibc-libtool: link: sh4-rdk-linux-uclibc-gcc -ml -m4 --sysroot=/build-foo/tmp/sysroots/foo -O2 -pipe -g -feliminate-unused-debug-types -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -o .libs/test-names test-names.o  libuniname.a ../gnulib-lib/.libs/libgettextlib.so /build-foo/tmp/work/sh4-rdk-linux-uclibc/gettext/0.16.1-r6/build/gettext-tools/intl/.libs/libintl.so -lc /build-foo/tmp/sysroots/foo/usr/lib/libiconv.so
 | ../gnulib-lib/.libs/libgettextlib.so: undefined reference to `posix_spawnp'
 | ../gnulib-lib/.libs/libgettextlib.so: undefined reference to `posix_spawn_file_actions_adddup2'
 | ../gnulib-lib/.libs/libgettextlib.so: undefined reference to `posix_spawn_file_actions_addopen'
 | ../gnulib-lib/.libs/libgettextlib.so: undefined reference to `posix_spawn_file_actions_addclose'
 | collect2: error: ld returned 1 exit status

(From OE-Core rev: 28f4d6d6e926be2f5efc098eb599200301f1ab2c)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

(From OE-Core master rev: d46333d)

Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:33 +00:00
Andre McCurdy
dfe39ea187 gettext_0.16.1: remove obsolete uclibc specific patch 
gettext-error_print_progname.patch was originally created for gettext
v0.14.6 and does not apply cleanly to gettext v0.16.1.

Since the original issue addressed by the patch isn't documented and
because gettext v0.16.1 seems to be build OK for uclibc without the
patch, assume the patch is obsolete and no longer required.

(From OE-Core rev: 66e229474271a4ae6df8b5377bb2f9fe8175fb64)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

(From OE-Core master rev: d95d92a)

Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:32 +00:00
Andre McCurdy
4525e29979 libiconv_1.11.1: fix LICENSE declaration, LGPL -> LGPLv2.0 
(From OE-Core rev: dde08a4ba4a12a81b780b69c6ec395508b0a030f)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

(From OE-Core master rev: 7d2da0e)

Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:31 +00:00
Andre McCurdy
dbf6599fbe libiconv_1.11.1: merge build and packaging fixes from libiconv_1.14 
054151c libiconv: Fix B != S with uclibc builds
  273c437 libiconv: Remove RPATH from binaries
  fcb8d6f libiconv_1.14.bb: Fix build failure [partial-merge]

(From OE-Core rev: 3f5b2da748bbb0417a63c69393cdd024623074a2)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

(From OE-Core master rev: 898e9d7)

Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:30 +00:00
Andre McCurdy
442518efac uclibc: backport upstream fix for SH4 
Backport upstream fix for building uclibc for SH4 with recent gcc:

  http://git.uclibc.org/uClibc/commit/?id=2c8a7766681b704e710f51c0817534e3f9a952d1

(From OE-Core rev: 6077f09f76b05b002f21e14c62c7c986db5427a9)

Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

(From OE-Core master rev: aa20c3d)

Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:30 +00:00
Haris Okanovic
afff53db2a openssh: Backport CVE-2015-5600 fix 
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed

Source:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c?f=h#rev1.43
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/auth2-chall.c.diff?r2=1.43&r1=1.42&f=u

Bug report:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5600
https://bugzilla.redhat.com/show_bug.cgi?id=1245969

Testing:
Built in Fido and installed to x86_64 test system.
Verified both 'keyboard-interactive' and 'publickey' logon works with
root and a regular user from an openssh 7.1p1-1 client on Arch.

(From OE-Core rev: 433f66ba6c79cf49e29251af0985baf5c4b79e23)

Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Reviewed-by: Rich Tollerton <rich.tollerton@ni.com>
Reviewed-by: Ken Sharp <ken.sharp@ni.com>
Natinst-ReviewBoard-ID: 115602
Natinst-CAR-ID: 541263
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
 2015-12-08 13:27:29 +00:00