[yocto-security] [OE-core CVE] branch master-next updated. uninative-2.2-221-g3195cea
cve-notice at lists.openembedded.org
Sat Aug 11 14:51:09 PDT 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, master-next has been updated
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
 * -- * -- B -- O -- O -- O (21212c910cdb35b878a8348ed569c16853e1b7c5)
            \
             N -- N -- N (3195cea56ccd814e253ff5cd92b5bc9ddc88a008)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3195cea56ccd814e253ff5cd92b5bc9ddc88a008
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Sat Aug 11 16:07:18 2018 +0000
xf86-video-intel: Fix for glibc
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 35e73c18a481979bc1fd2b0da8440304bb150a8d
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Sat Aug 11 16:06:54 2018 +0000
screen: Add virtual/crypt dependency
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 99bf899448c765b5153cb023bd74e46d16fd8872
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Sat Aug 11 11:30:28 2018 +0100
glibc: Add make-native depends
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 45b2683fe7c273a25c9e2d7fb6b89031d091663c
Author: Jaewon Lee <jaewon.lee at xilinx.com>
Date: Mon Jul 30 14:21:53 2018 -0700
kernel-yocto.bbclass: Adds oe-local-files path (devtool) to include directives
The devtool-source class moves all local files specified in SRC_URI to
an oe-local-files directory. When using devtool and a recipe space kernel-meta,
devtool modify throws an error because the paths the kernel-yocto class
is looking for feature directories in, don't include the oe-local-files
directory which devtool is using.
This patch checks for feature directories in oe-local-files,
and if present, adds that path to include directives.
[YOCTO #12855]
Signed-off-by: Jaewon Lee <jaewon.lee at xilinx.com>
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandr at xilinx.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 41e1d5d9574ccd2012df87acb0df18b5062bd987
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Aug 8 10:04:25 2018 -0700
sysvinit: Fix build with glibc 2.28 + libxcrypt
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit e206035db35c664101f74ef04905c4d60f4ebdc6
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Aug 8 10:04:24 2018 -0700
ppp, libpam: Add missing dep on virtual/crypt
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 148fcd1365ece758d863cd90a21916498eef61f1
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Aug 8 10:04:22 2018 -0700
glibc: Disable crypt support in glibc
Drop packaging libcrypt from 2.28+ onwards
We have independent crypt implementation coming from libxcrypt
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 2c29d635f820cb87973a7792a32331edbe246dc5
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Aug 8 10:04:21 2018 -0700
libxcrypt: Upgrade to 4.1.1
license update: Remove CDDL code with Public Domain pieces
https://github.com/besser82/libxcrypt/commit/c76847e3be40c4ac0d78bc8518502418c6207144#diff-fdcb2380ff1eeea2e5795ec115ba1c0d
inherit pkgconfig as it uses pkg-config during build
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit f02f6b8409780c940fdb309514ae4129d4ebf747
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Aug 8 10:04:20 2018 -0700
libxcrypt: Provide virtual/crypt for target and native as well
virtual/crypt for musl will come from libc itself
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit ac1a05de6e0ccaed7c2701522d5dcdf8bdeee5cd
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Aug 8 10:04:19 2018 -0700
cross-localedef-native: Update to build with glibc 2.28
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 784e39794f2b5867b35bc873711bdc8b70f589e6
Author: Khem Raj <raj.khem at gmail.com>
Date: Wed Aug 8 10:04:18 2018 -0700
glibc: Upgrade to 2.28
License-Update: libidn is dropped from glibc and a testcase that was a particular contributor copyrighted
see
https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=LICENSES;h=0e3a9fe39b26e97038d92f904508a4c3aa1bb43b;hp=b29efe01084af28cc40953d7317f22927c0ee3b7;hb=5a357506659f9a00fcf5bc9c5d8fc676175c89a7;hpb=7279af007c420a9d5f88a6909d11e7cb712c16a4
https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=LICENSES;h=b29efe01084af28cc40953d7317f22927c0ee3b7;hp=80f7f1487947f57815b9fe076fadc8c7f94eeb8e;hb=7f9f1ecb710eac4d65bb02785ddf288cac098323;hpb=5f7b841d3aebdccc2baed27cb4b22ddb08cd7c0c
Drop upstreamed and backported patches
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit cbeeecf552fd70cd555acbd1b46ff6d6d5d90512
Author: Chen Qi <Qi.Chen at windriver.com>
Date: Wed Aug 1 13:25:35 2018 +0800
base-files: fix handling of resize
The current handling of resize is incorrect. Using `resize > /dev/null
2>&1 && resize > /dev/null' will cause the second resize command to not
execute because 'resize > /dev/null 2>&1' will fail for resize utility
from busybox.
What we really should do is just to check whether ${bindir}/resize
is executable and execute it if so. Using '-x' is sufficient.
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit ecf8470fbb18163efaa44ea7f10afed53c4dda47
Author: Chen Qi <Qi.Chen at windriver.com>
Date: Mon Jul 30 17:41:57 2018 +0800
busybox: move init related configs to init.cfg
Move init related configs to init.cfg.
These config items do not make much sense unless busybox is selected
as the init manager. They should belong to init.cfg.
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit b4a1cc1d265bcec2b87f22206a5508f40a67cf26
Author: Andrej Valek <andrej.valek at siemens.com>
Date: Thu Aug 9 10:06:37 2018 +0200
libxml2: Fix CVE-2018-14404
Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
CVE: CVE-2018-14404
Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 80f3dd34c854e2c8f229e2fb998ab827b1accabe
Author: Changqing Li <changqing.li at windriver.com>
Date: Fri Aug 10 17:35:55 2018 +0800
curl: support multilib installation of curl-config
Signed-off-by: Changqing Li <changqing.li at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 65690f8cd03e5e86bb12350071ffc397606f320c
Author: Mikko Rapeli <mikko.rapeli at bmw.de>
Date: Fri Aug 10 17:27:56 2018 +0300
perf: fail if src path does not exist
A missing src directory from a broken kernel recipe resulted
only in a warning:
WARNING: copyfile: stat of /home/builder/src/tmp-glibc/work-shared/target/kernel-source/tools/arch failed ([Errno 2] No such file or directory: '/home/builder/src/tmp-glibc/work-shared/target/kernel-source/tools/arch')
With this change it's an error which can not be missed:
ERROR: perf-1.0-r9 do_configure: Path does not exist: /home/builder/src/tmp-glibc/work-shared/target/kernel-source/tools/arch
ERROR: perf-1.0-r9 do_configure: Function failed: copy_perf_source_from_kernel
ERROR: Logfile of failure stored in: /home/builder/src/tmp-glibc/work/target-linux/perf/1.0-r9/temp/log.do_configure.21083
NOTE: recipe perf-1.0-r9: task do_configure: Failed
ERROR: Task (/home/builder/src/poky/meta/recipes-kernel/perf/perf.bb:do_configure) failed with exit code '1'
Signed-off-by: Mikko Rapeli <mikko.rapeli at bmw.de>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 653bf10847b42b3f06130fac8d4b3dabd7bcf63f
Author: Zhixiong Chi <zhixiong.chi at windriver.com>
Date: Fri Aug 10 00:31:34 2018 -0700
multilib-script: Fix ALTERNATIVE_${PN} overwrite issue
If multilib scripts handle more than one file per package, the variable
ALTERNATIVE_${PN} will be overwritten and there will be only one symbol
link file. Append to the variable to avoid this.
Signed-off-by: Zhixiong Chi <zhixiong.chi at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 327807134d1a039ee99acf75a54b76c27a74c195
Author: Christopher Clark <christopher.w.clark at gmail.com>
Date: Thu Aug 9 18:32:01 2018 -0700
libjpeg-turbo: fix timezone of reproducible build timestamp
Avoids producing different build results in different timezones.
Uses UTC with SOURCE_DATE_EPOCH.
Signed-off-by: Christopher Clark <christopher.clark6 at baesystems.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 342f1c3e53c541ff13483891409b4f2e0a9256c4
Author: Jaewon Lee <jaewon.lee at xilinx.com>
Date: Thu Aug 9 16:41:29 2018 -0700
devtool-source.bbclass: Support kernel-fragments/patch not in SRC_URI
When using a recipe space kernel-meta, scc files are added through
SRC_URI, but they may include corresponding kernel fragments or patches
that are not necessarily in SRC_URI.
For bitbake, this is not a problem because the kernel-yocto class adds
the path where the .scc file was found to includes which consequentially
makes the .cfg, .patch file available to the kernel build.
However, when using devtool, only files specified in SRC_URI are copied
to oe-local-files in devtool's workspace. So if the cfg/patch file is not in
SRC_URI, it won't be copied, causing a kernel build failure when trying
to find it.
This fix parses local .scc files in SRC_URI, copies the corresponding
.cfg/.patch file to devtool's workdir, and also adds it to local_files
so it is available when doing a devtool build for the kernel.
[YOCTO #12858]
v2: also supporting patch not in SRC_URI
v3: fix spacing issues
Signed-off-by: Jaewon Lee <jaewon.lee at xilinx.com>
Signed-off-by: Alejandro Enedino Hernandez Samaniego <alejandr at xilinx.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
-----------------------------------------------------------------------
Summary of changes:
meta/classes/testimage.bbclass | 54 +++++-----
meta/lib/oeqa/controllers/masterimage.py | 113 +++++++++++++++------
meta/lib/oeqa/controllers/simpleremote.py | 33 ------
meta/lib/oeqa/core/target/__init__.py | 4 -
.../qemutarget.py => core/target/qemu.py} | 30 ++----
.../sshtarget.py => core/target/ssh.py} | 9 +-
meta/lib/oeqa/runtime/context.py | 32 +++++-
meta/lib/oeqa/targetcontrol.py | 97 ++++++++++++------
8 files changed, 213 insertions(+), 159 deletions(-)
delete mode 100644 meta/lib/oeqa/controllers/simpleremote.py
rename meta/lib/oeqa/{controllers/qemutarget.py => core/target/qemu.py} (58%)
rename meta/lib/oeqa/{controllers/sshtarget.py => core/target/ssh.py} (98%)
hooks/post-receive