[yocto-security] [OE-core CVE] branch morty-next updated. 2016-10-450-g7e4ac60
cve-notice at lists.openembedded.org
Sat Jan 13 10:12:38 PST 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, morty-next has been updated
discards 4f5082c00009227755a0a6707b25b52483d5dbda (commit)
via 7e4ac608a2ac077c68e178fd1519c8e98403cff3 (commit)
via 22f686cd6b818d27571bd42060246851cc2e093a (commit)
via 4734a4b41898e3df252b6234ed1270a915fd1f68 (commit)
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
 * -- * -- B -- O -- O -- O (4f5082c00009227755a0a6707b25b52483d5dbda)
            \
             N -- N -- N (7e4ac608a2ac077c68e178fd1519c8e98403cff3)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 7e4ac608a2ac077c68e178fd1519c8e98403cff3
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Sun Jan 7 16:59:40 2018 +0000
libunwind: Disable documentation explicitly
We don't have latex2man in HOSTTOOLs so documentation is never built but this
dependency does cause problems on older releases like morty, pre-HOSTTOOLS.
Document the configuration explicitly in master.
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 22f686cd6b818d27571bd42060246851cc2e093a
Author: Alexander Kanavin <alexander.kanavin at linux.intel.com>
Date: Fri Jan 12 18:20:02 2018 +0200
webkitgtk: update to 2.18.5 (includes Spectre mitigations; see commit description)
This is the only available stable version with mitigation fixes for Spectre.
Webkit upstream developers do not port CVE fixes to earlier stable series,
no exception was made in this case.
More information:
https://webkit.org/blog/8048/what-spectre-and-meltdown-mean-for-webkit/
https://webkitgtk.org/security/WSA-2018-0001.html
https://webkitgtk.org/2018/01/10/webkitgtk2.18.5-released.html
This commit also contains the following commits added in master branch after morty release:
webkitgtk: update to 2.14.1
Rebase 0001-WebKitMacros-Append-to-I-and-not-to-isystem.patch
(From OE-Core rev: a44d50c827b5180ff901d31c443ea02e100b10d5)
Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkit: Reduce duplication in MIPS variants.
Reduce duplication in MIPS variants now that the MACHINEOVERRIDES
variable is defined
(From OE-Core rev: f76d972aff47412a2cbd2d47134d66046cfe574a)
Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel at imgtec.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: drop patch 0001-WebKitMacros-Append-to-I-and-not-to-isystem.patch
* This patch is no longer needed. Upstream has fixed this issue in:
https://trac.webkit.org/changeset/205672 which is already included
in WebKitGTK+ >= 2.14.0
(From OE-Core rev: 812c52f654c1bccca033163100055e3a8b8cda6e)
Signed-off-by: Carlos Alberto Lopez Perez <clopez at igalia.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Add an option to disable opengl support
(From OE-Core rev: 04e17727a3d1b52f6f93078fd16c6c7c9ba2b0d4)
Signed-off-by: Carlos Alberto Lopez Perez <clopez at igalia.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Use MIPS MACHINE_OVERRIDES
The mipsarch* MACHINE_OVERRIDES can be used to pass the same
parameters to MIPS pre-R2 and R6 ISA variants.
Use them to reduce duplication in supporting MIPS R6 ISA.
(From OE-Core rev: 8369b3568828b1dcff0f3a061a18367f018ac447)
Signed-off-by: Zubair Lutfullah Kakakhel <Zubair.Kakakhel at imgtec.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: update to 2.14.2
(From OE-Core rev: ccce954f7f0b24390ce36460cf05499c8169ed10)
Signed-off-by: Carlos Alberto Lopez Perez <clopez at igalia.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
Revert "webkitgtk: drop patch 0001-WebKitMacros-Append-to-I-and-not-to-isystem.patch"
This reverts commit 812c52f654c1bccca033163100055e3a8b8cda6e.
Upstream fixed the issue with GCC. But the build still fails with Clang.
Therefore reintroduce this patch until a better solution is found.
Upstream bug: https://bugs.webkit.org/show_bug.cgi?id=161697
(From OE-Core rev: 39be43943e3de0eb0ab9b61b405f3b76f12a307d)
Signed-off-by: Carlos Alberto Lopez Perez <clopez at igalia.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Fix atomic detection on arm architecture
(From OE-Core rev: a77fc49defcf3a30a8f026cfdbd56565750f5a61)
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: patch & disable JIT for x32
It might not be speedy, but it does build now.
(From OE-Core rev: 79f7e215ee7c176f02efafe7359aaa77dbd9430c)
Signed-off-by: Christopher Larson <chris_larson at mentor.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: add missing python-native dep
Since we can't inherit pythonnative, we need this dep explicitly.
(From OE-Core rev: 63530f59e43738bac081aaf3c89ec57006038dce)
Signed-off-by: Christopher Larson <chris_larson at mentor.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: update to 2.14.5
Remove a reference to WebKit/LICENSE, as the directory is not there anymore
(and the LICENSE file in it hasn't been moved somewhere else) - it was
a relic of webkit 1.x era.
(From OE-Core rev: 10331f42acfa5dc429198b7c025cc2360511e534)
Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Fix build on aarch64
Do not try to do runtime tests during cross compile
Fixes
| CMake Error at Source/cmake/OptionsCommon.cmake:73 (math):
| math cannot parse the expression: "-1": syntax error, unexpected exp_MINUS,
| expecting exp_OPENPARENT or exp_NUMBER (1)
(From OE-Core rev: 528006009dddd876a830e0a8f248658182a37f37)
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Upgrade to 2.16.1
Fix build with gcc7
Move all patches to webkit folder
Drop patches that were backports or have been upstreamed
(From OE-Core rev: bfbdd1a2069f199be9ba0909dd512469ff17b65e)
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: remove native python dependency
Using host python seems to be fine.
(From OE-Core rev: 7cf80640f53bd8faa4874c2dad5f630a935475f6)
Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Fix build for armv5
Detect atomics during configure
(From OE-Core rev: 424ffbde2111130137e307eb9e598ad50451c865)
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Upgrade to 2.16.3
Use bfd linker on ppc, this is because gold fails to link
webkit libraries when PIE is enabled
(From OE-Core rev: 8808d4b13a946499bc6e84a1be15f53d8ab3f673)
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Upgrade to 2.16.5
Adjust some dependencies: libgcrypt is now required (instead of gnutls)
and the following build deps were missing: gettext-native, glib-2.0
and glib-2.0-native.
Also the CMake argument ENABLE_CREDENTIAL_STORAGE has been renamed to
USE_LIBSECRET.
This new upstream release (2.16.4 actually) includes security fixes for
CVE: CVE-2017-2538
(From OE-Core rev: ef68005a8c527e9b1d05b7769f0ec8ebe9ec3f91)
Signed-off-by: Carlos Alberto Lopez Perez <clopez at igalia.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: update to 2.16.6
(From OE-Core rev: 198ccdbefa481f725492b5d8834213fe26431be5)
Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Do not use -isystem forcibly
this causes include_next <stdlib.h> to not find
this header since -isystem <sysroot> is added via
cmake, we already are using --sysroot so rely on that
(From OE-Core rev: a0f2d1389a7e76b64003fea391a0cd485ff5fe77)
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: Add a recommends on shared-mime-info.
* without this package installed any WebKitGTK+ based browser
will fail to correctly open html files (and other files)
from disk (file:// URIs). It will open them as plain txt files.
(From OE-Core rev: b708cb53b46d9d82a7853bcd0f25ef6bc417bd10)
Signed-off-by: Carlos Alberto Lopez Perez <clopez at igalia.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: disable gobject-introspection on armv7a
Disable gobject-introspection on armv7a and armv7ve
to avoid do_compile failure:
| qemu: uncaught target signal 11 (Segmentation fault) - core dumped
| Segmentation fault
(From OE-Core rev: bdddd81c8b4eab6bbf7a8697992b48cb5a30ae4a)
Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
===
webkitgtk: update to 2.18.3
gcc7.patch, musl-fixes.patch, and ppc-musl-fix.patch all change code that is no
longer present in upstream tree. However, a patch with different musl fixes
has been added.
The rest of the patches are rebased to the new tree.
Libtasn is a new dependency.
Disable Gstreamer GL support on x86 due to clashing headers problem.
(From OE-Core rev: 3acae2dcd130122fe76504ec855af78db829d6ec)
===
webkitgtk: fix build with musl and x32
Make the x32 check generic to make it work with musl as well.
Fixes [YOCTO #12118]
(From OE-Core rev: dbd604ccf34e304769937b15051c047561de47f7)
===
Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 4734a4b41898e3df252b6234ed1270a915fd1f68
Author: Alexander Kanavin <alexander.kanavin at linux.intel.com>
Date: Fri Jan 12 18:20:01 2018 +0200
ruby: update to 2.4.0
Existing version of ruby-native (2.2.5) was crashing on my machine (and others' too),
yet a functional ruby is necessary to upgrade webkit to a version that is less vulnerable
to Spectre.
I've performed the update by copying the ruby recipe directory over from the current
pyro tree; if you want to see the list of specific commits, issue this command:
git log 99656fecf4fa6e24ba49ecb7f26f893e733818a0 meta/recipes-devtools/ruby
(up to commit e593d3aeb2ea5f08d6e0753133fe89e345b339e8)
Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
-----------------------------------------------------------------------
Summary of changes:
meta/recipes-devtools/ruby/ruby.inc | 5 +-
.../recipes-devtools/ruby/ruby/CVE-2016-7798.patch | 164 -----------
.../ruby/ruby/CVE-2017-14033.patch | 89 ------
.../ruby/ruby/CVE-2017-14064.patch | 312 +++++++++++++++++++--
.../recipes-devtools/ruby/ruby/CVE-2017-9226.patch | 33 ---
.../recipes-devtools/ruby/ruby/CVE-2017-9227.patch | 24 --
.../recipes-devtools/ruby/ruby/CVE-2017-9228.patch | 26 --
.../recipes-devtools/ruby/ruby/CVE-2017-9229.patch | 36 ---
meta/recipes-devtools/ruby/ruby/prevent-gc.patch | 32 ---
.../ruby/ruby/ruby-CVE-2017-9224.patch | 41 +++
.../ruby/ruby/ruby-CVE-2017-9226.patch | 41 +++
.../ruby/ruby/ruby-CVE-2017-9227.patch | 32 +++
.../ruby/ruby/ruby-CVE-2017-9228.patch | 34 +++
.../ruby/ruby/ruby-CVE-2017-9229.patch | 59 ++++
.../ruby/{ruby_2.2.5.bb => ruby_2.4.0.bb} | 25 +-
...bKitMacros-Append-to-I-and-not-to-isystem.patch | 223 ---------------
meta/recipes-sato/webkit/files/musl-fixes.patch | 48 ----
meta/recipes-sato/webkit/files/ppc-musl-fix.patch | 26 --
...Introspection.cmake-prefix-variables-obta.patch | 0
.../webkitgtk/0001-Fix-build-with-musl.patch | 77 +++++
...ix-racy-parallel-build-of-WebKit2-4.0.gir.patch | 23 +-
...cmake-drop-the-hardcoded-introspection-gt.patch | 0
...c-settings-so-that-gtkdoc-generation-work.patch | 25 +-
...bKitMacros-Append-to-I-and-not-to-isystem.patch | 126 +++++++++
...ng-introspection-files-add-CMAKE_C_FLAGS-.patch | 24 +-
.../webkit/webkitgtk/cross-compile.patch | 23 ++
.../detect-atomics-during-configure.patch | 46 +++
.../webkit/webkitgtk/x32_support.patch | 21 ++
.../{webkitgtk_2.12.5.bb => webkitgtk_2.18.5.bb} | 72 +++--
29 files changed, 893 insertions(+), 794 deletions(-)
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2016-7798.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2017-9226.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2017-9227.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2017-9228.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2017-9229.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/prevent-gc.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch
rename meta/recipes-devtools/ruby/{ruby_2.2.5.bb => ruby_2.4.0.bb} (71%)
delete mode 100644 meta/recipes-sato/webkit/files/0001-WebKitMacros-Append-to-I-and-not-to-isystem.patch
delete mode 100644 meta/recipes-sato/webkit/files/musl-fixes.patch
delete mode 100644 meta/recipes-sato/webkit/files/ppc-musl-fix.patch
rename meta/recipes-sato/webkit/{files => webkitgtk}/0001-FindGObjectIntrospection.cmake-prefix-variables-obta.patch (100%)
create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-Fix-build-with-musl.patch
rename meta/recipes-sato/webkit/{files => webkitgtk}/0001-Fix-racy-parallel-build-of-WebKit2-4.0.gir.patch (78%)
rename meta/recipes-sato/webkit/{files => webkitgtk}/0001-OptionsGTK.cmake-drop-the-hardcoded-introspection-gt.patch (100%)
rename meta/recipes-sato/webkit/{files => webkitgtk}/0001-Tweak-gtkdoc-settings-so-that-gtkdoc-generation-work.patch (60%)
create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-WebKitMacros-Append-to-I-and-not-to-isystem.patch
rename meta/recipes-sato/webkit/{files => webkitgtk}/0001-When-building-introspection-files-add-CMAKE_C_FLAGS-.patch (72%)
create mode 100644 meta/recipes-sato/webkit/webkitgtk/cross-compile.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/detect-atomics-during-configure.patch
create mode 100644 meta/recipes-sato/webkit/webkitgtk/x32_support.patch
rename meta/recipes-sato/webkit/{webkitgtk_2.12.5.bb => webkitgtk_2.18.5.bb} (62%)
hooks/post-receive
--