[yocto-security] [OE-core CVE] branch sumo updated. 2018-04-268-g196659c
cve-notice at lists.openembedded.org
Wed Oct 10 05:27:19 PDT 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, sumo has been updated
via 196659ca05623996e2b36f7b1e52195a81fd3bdd (commit)
via 9b321cf141c3fa18d5b85f17ffe1710f4555ca49 (commit)
via af920831ed1ef607db195372f135cc56e9f53b41 (commit)
via a53026f03a1d07cef1d1590c689e036f3ee21026 (commit)
via 5f985f02a932ebce238a6b1c644d2e3179226aab (commit)
via a702a5efdaece4197ceefec2a3b4c1e872e82f11 (commit)
via 80b6a08f55e322bfc41f69476509dc5a62ada83f (commit)
via 502de6f5db232a104eb269782a690f52fd665ef4 (commit)
from 361c40d4bea101875747eac9c8cc46e92ced173f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 196659ca05623996e2b36f7b1e52195a81fd3bdd
Author: Anuj Mittal <anuj.mittal at intel.com>
Date: Wed Sep 19 16:08:46 2018 +0800
initramfs-framework/udev: call settle before kill
When mount command is executed in rootfs module of initrd, eudev creates
a loop0 device node, applies rules and adds an inotify watch to it. Right
after this step, we execute finish which first tries to kill any running
udevd daemon before doing a switch_root.
In some cases, it is possible that switch_root is executed before
inotify_add_watch was actually processed which would lead to errors like:
| inotify_add_watch(6, /dev/loop0, 10) failed: No such file or directory
Make sure that we process all the events in queue before actually trying
to kill udevd to prevent this race.
Fixes [YOCTO #12861]
(From OE-Core rev: a85c34d263fcf1542bbedcaf1634302466bb20cf)
Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 9b321cf141c3fa18d5b85f17ffe1710f4555ca49
Author: Armin Kuster <akuster808 at gmail.com>
Date: Wed Sep 26 18:23:20 2018 -0700
libcroco: CVE-2017-7961
* CVE-2017-7961
The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco has an
"outside the range of representable values of type long" undefined
behavior issue, which might allow remote attackers to cause a denial
of service (application crash) or possibly have unspecified other
impact via a crafted CSS file.
CVE: CVE-2017-7961
Ref: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7961
Signed-off-by: Sinan Kaya <okaya at kernel.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit af920831ed1ef607db195372f135cc56e9f53b41
Author: Sinan Kaya <okaya at kernel.org>
Date: Mon Sep 24 16:08:07 2018 +0000
gnupg: CVE-2018-9234
* CVE-2018-9234
GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key
certification requires an offline master Certify key, which results
in apparently valid certifications that occurred only with access to
a signing subkey.
Affects gnupg <= 2.2.5
CVE: CVE-2018-9234
Ref: https://access.redhat.com/security/cve/cve-2018-9234
Signed-off-by: Sinan Kaya <okaya at kernel.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit a53026f03a1d07cef1d1590c689e036f3ee21026
Author: Anuj Mittal <anuj.mittal at intel.com>
Date: Wed Oct 3 18:27:50 2018 +0800
qemux86-directdisk: remove mem= parameter
Remove usage of a specific amount of memory and let it be controlled by
users. This was the default behaviour before it was changed by commit
3b79d9a78 that switched the wks file to be used for qemux86.
Also fixes the bitbake parsing issues seen because of memory starvation
using build appliance images.
Fixes [YOCTO #12894]
(From OE-Core rev: 18d6b668c52dc881cff7b107420e0de527eecce4)
Signed-off-by: Anuj Mittal <anuj.mittal at intel.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 5f985f02a932ebce238a6b1c644d2e3179226aab
Author: Ross Burton <ross.burton at intel.com>
Date: Wed Jul 18 16:54:50 2018 +0100
cmake: put cmake.m4 and toolchain file in PN
Previously cmake-dev held some files which should be in cmake.
- cmake.m4 should be installed in cmake so it can be used out of the box
- nativesdk-specific OEToolchainConfig.cmake file used to be in cmake, but the
change of default packaging rules moved it into cmake-dev. This recipe is the
exception and it should be moved back.
Add the extra paths to cmake, and clear FILES for cmake-dev to ensure nothing
else slips in.
(From OE-Core rev: a6ce79b87d3db57033a3d1710cb3292366a0a8f7)
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit a702a5efdaece4197ceefec2a3b4c1e872e82f11
Author: Chong Yi Chai <chong.yi.chai at intel.com>
Date: Thu Sep 6 11:29:08 2018 +0800
mkefidisk: fix installation of kernel image
Kernel image can be 'vmlinuz' or 'bzImage' but the script is written to
support 'vmlinuz' only. When building with meta-intel on sumo branch, the
kernel image is now bzImage and the installation will fail. Add option to
install bzImage as well.
Signed-off-by: Chong Yi Chai <chong.yi.chai at intel.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 80b6a08f55e322bfc41f69476509dc5a62ada83f
Author: Andreas Müller <schnitzeltony at gmail.com>
Date: Thu Sep 27 21:06:48 2018 +0200
libsdl2: Fix left rotated display for RaspPi/VC4/GLES2
The patch should increase performance for libsdl2 on GLES2 too.
(From OE-Core rev: 52f9659f2bb44affec2f67935df01f13b6ff3e02)
Signed-off-by: Andreas Müller <schnitzeltony at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 502de6f5db232a104eb269782a690f52fd665ef4
Author: Ross Burton <ross.burton at intel.com>
Date: Thu Sep 27 06:53:55 2018 -0700
security_flags: disable static PIE in glibc
Static PIE doesn't work entirely right in GCC 7, for example ldconfig on ARM
with the flags enabled will sometimes segfault during initialisation.
To mitigate this until we have GCC 8 integrated, don't enable static PIE.
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
-----------------------------------------------------------------------
Summary of changes:
meta/conf/distro/include/security_flags.inc | 2 +-
.../initrdscripts/initramfs-framework/udev | 1 +
meta/recipes-devtools/cmake/cmake_3.10.3.bb | 3 +-
...01-GLES2-Get-sin-cos-out-of-vertex-shader.patch | 141 +++++++++++++++++++++
meta/recipes-graphics/libsdl2/libsdl2_2.0.8.bb | 1 +
.../gnupg/gnupg/CVE-2018-9234.patch | 28 ++++
meta/recipes-support/gnupg/gnupg_2.2.4.bb | 1 +
.../libcroco/libcroco/CVE-2017-7961.patch | 46 +++++++
meta/recipes-support/libcroco/libcroco_0.6.12.bb | 3 +-
scripts/contrib/mkefidisk.sh | 12 +-
scripts/lib/wic/canned-wks/qemux86-directdisk.wks | 2 +-
11 files changed, 234 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-graphics/libsdl2/libsdl2/0001-GLES2-Get-sin-cos-out-of-vertex-shader.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2018-9234.patch
create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2017-7961.patch
hooks/post-receive
--
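The libcroco entry above (CVE-2017-7961) is an instance of a general bug class: a CSS numeric token is parsed as a double and then assigned to a long with no range check, and converting a double outside the representable range of long is undefined behaviour in C. The following is an added, constructed illustration of that class and of the guard that closes it; it is not libcroco's cr_tknzr_parse_rgb() or any code from this changeset, and the function names, the minimal rgb() grammar and the sample inputs are hypothetical.

```c
/* Constructed example of the CVE-2017-7961 bug class (unchecked double -> long
 * conversion while parsing rgb() components). Not libcroco code; all names here
 * are hypothetical. Compile with: cc -std=c99 -Wall rgb_range.c */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { long r, g, b; } rgb_t;

/* Parse one CSS number (e.g. "255" or "1e30") as a double, like a tokenizer
 * would. Fails on no digits or on strtod overflow (ERANGE). */
static int parse_num(const char **p, double *out)
{
    char *end;
    errno = 0;
    double v = strtod(*p, &end);
    if (end == *p || errno == ERANGE)
        return -1;
    *p = end;
    *out = v;
    return 0;
}

/* Skip blanks, then require and consume the character c. */
static int expect(const char **p, char c)
{
    while (isspace((unsigned char)**p)) (*p)++;
    if (**p != c) return -1;
    (*p)++;
    return 0;
}

/* VULNERABLE pattern: the parsed double is cast straight to a long. For values
 * outside [LONG_MIN, LONG_MAX] this is undefined behaviour (C11 6.3.1.4), so a
 * crafted "rgb(1e30, 0, 0)" may yield garbage, trap, or be miscompiled. */
static long num_to_long_unchecked(double v)
{
    return (long) v;
}

/* HARDENED: reject anything that does not fit in a long before converting.
 * (double)LONG_MAX rounds up to 2^63 on 64-bit longs, so >= is used on that
 * bound; NaN is rejected explicitly because every comparison with it is false. */
static int num_to_long_checked(double v, long *out)
{
    if (isnan(v) || v >= (double) LONG_MAX || v <= (double) LONG_MIN)
        return -1;
    *out = (long) v;
    return 0;
}

/* Parse "rgb(R, G, B)" into three longs using the guarded conversion.
 * Returns 0 on success, -1 on any syntax or range error. */
int parse_rgb_checked(const char *s, rgb_t *out)
{
    const char *p = s;
    long comp[3];
    double v;

    if (strncmp(p, "rgb(", 4) != 0) return -1;
    p += 4;
    for (int i = 0; i < 3; i++) {
        while (isspace((unsigned char)*p)) p++;
        if (parse_num(&p, &v) != 0) return -1;
        if (num_to_long_checked(v, &comp[i]) != 0) return -1;  /* the range guard */
        if (expect(&p, i < 2 ? ',' : ')') != 0) return -1;
    }
    out->r = comp[0]; out->g = comp[1]; out->b = comp[2];
    return 0;
}

/* Helper for checks: component idx (0..2) of a parsed rgb() string, or -1 on
 * any error (in-range components are non-negative in the sample inputs). */
long rgb_component(const char *s, int idx)
{
    rgb_t c;
    if (idx < 0 || idx > 2 || parse_rgb_checked(s, &c) != 0) return -1;
    return idx == 0 ? c.r : idx == 1 ? c.g : c.b;
}

int main(void)
{
    rgb_t c;
    const char *ok = "rgb(255, 0, 128)";     /* constructed benign input  */
    const char *bad = "rgb(1e30, 0, 0)";     /* constructed crafted input */

    printf("%s -> %d\n", ok, parse_rgb_checked(ok, &c));
    printf("%s -> %d (rejected before conversion)\n", bad, parse_rgb_checked(bad, &c));
    /* Only call the unchecked variant on an in-range value; on 1e30 it is UB. */
    printf("unchecked 255.0 -> %ld\n", num_to_long_unchecked(255.0));
    return 0;
}
```

The guard compares in double, before the cast, because once the conversion has happened the program is already outside defined behaviour; a post-hoc check on the resulting long is not a fix. The same reasoning applies to any tokenizer that turns a floating-point literal into an integer type.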
More information about the yocto-security
mailing list