[yocto-security] [OE-core CVE] branch sumo updated. 2018-04-282-g30b055d
cve-notice at lists.openembedded.org
Thu Oct 18 03:10:10 PDT 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, sumo has been updated
via 30b055d2296f060a4ca054d042f353a2153fdd4e (commit)
via 6e03d1d56587d93b9a9ec936ceb69350234c627a (commit)
via a2ee5c8a1ff449250e6f37fccf01b85a7361b24c (commit)
via bc030c9f5af4af5a8bad48bc8beca9324a65d25b (commit)
via 05c2a590980819e31acee29e1e7282d2ed3586b7 (commit)
via 6681ba9759b2d09945e415daf251162ac9600df7 (commit)
via 221a02355c8c2128f086f71bcbe95085a6306dcc (commit)
via da7342a774ae9bcd876ceb7c260dfb49791949d5 (commit)
via 19138a21aabe60b67015e3383f4030db0d4d37a4 (commit)
via a6b6af83e344501057b0eb28dce1077992e5a7f3 (commit)
via d145f605c274386baf0dde023f15cddf37523f3b (commit)
via 1461bcc72e6649920ecf4226e006e5667c48a21c (commit)
via 06d7f9039b005c2112e28336ac1c30e5120ec815 (commit)
via 759290ed5fedc1ce10639b3584d4532d688ea714 (commit)
from 196659ca05623996e2b36f7b1e52195a81fd3bdd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 30b055d2296f060a4ca054d042f353a2153fdd4e
Author: Ola x Nilsson <ola.x.nilsson at axis.com>
Date: Thu Oct 4 12:43:28 2018 +0200
externalsrc.bbclass: Set BB_DONT_CACHE for non-target recipes
BB_DONT_CACHE was not set for non-virtual recipes where PN != BPN, such
as quilt-native. Recipes that do not set BBCLASSEXTEND should always
have BB_DONT_CACHE set by externalsrc.
(From OE-Core rev: 4eff427a0ee629a1541a420a9591411648569a97)
Signed-off-by: Ola x Nilsson <olani at axis.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 6e03d1d56587d93b9a9ec936ceb69350234c627a
Author: Ioan-Adrian Ratiu <adrian.ratiu at ni.com>
Date: Tue Sep 25 15:38:19 2018 +0300
rootfs: always update the opkg index
The previous logic assumed that if $BUILD_IMAGES_FROM_FEEDS=1 then a
complete set of ipk feeds from which to build the image is already
present under $IPK_FEED_URIS at do_rootfs runtime.
$IPK_FEED_URIS usually contains "file://${DEPLOY_DIR_IPK}" which
renders the above assumption bad because some recipes in the current
build can contain code like do_install[nostamp] = "1" which will cause
rebuilds bumping $PR and invalidating the index.
Even when the index is manually re-created before an image build
("bitbake package-index"), the nostamp will cause failures because the
dependency gets rebuilt before do_rootfs in the "bitbake <image>" call.
So make the opkg rootfs index logic the same as for rpm/deb, to always
update the index in $DEPLOY_DIR_IPK to fix the above nostamp failure.
Feeds outside $DEPLOY_DIR_IPK added to $IPK_FEED_URIS continue to work
as usual, e.g. by using an http:// URI.
(From OE-Core rev: bce90f48d1cc136fdfdf98b3830f5d99e381271b)
Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu at ni.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit a2ee5c8a1ff449250e6f37fccf01b85a7361b24c
Author: Chen Qi <Qi.Chen at windriver.com>
Date: Tue Sep 25 15:08:25 2018 +0800
runqemu: fix handling of SIGTERM and the problem of line wrapping
The current handling of SIGTERM is incorrect as the process pid returned
by the Popen call with shell set to True is actually the shell instead of
the qemu process. So use shlex to split cmd so that we can avoid using
shell=True. This ensures the child process is the actual qemu process.
Also, as we install a SIGTERM handler, we need to handle the situation of
qemu being terminated by SIGTERM, otherwise we will get an ERROR message in
such a case.
Besides, we have a problem that after running qemu, the terminal's behavior
is incorrect regarding long lines or long commands. Long commands or long
outputs should appear in multiple lines, but they appear in the same line,
overriding previous output. Use `tput smam' to fix this problem.
(From OE-Core rev: e8acef383767cfd1ef0c3d3c45d9d6eb1c83b3e7)
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit bc030c9f5af4af5a8bad48bc8beca9324a65d25b
Author: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
Date: Tue Aug 14 20:05:29 2018 +0530
runqemu: exit gracefully with an error message if qemu system is not evaluated
It solves the error below:
-- snip --
return 'qemu-system-%s' % qbsys
UnboundLocalError: local variable 'qbsys' referenced before assignment
-- snip --
[YOCTO #12846]
(From OE-Core rev: 519273f54c0b8a6fff36afeb7646d8e37717be22)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 05c2a590980819e31acee29e1e7282d2ed3586b7
Author: Chen Qi <Qi.Chen at windriver.com>
Date: Thu Jun 7 15:52:46 2018 +0800
runqemu: add SIGTERM handler to make sure things are cleaned up
Add a SIGTERM handler so that runqemu can clean things up correctly
when receiving such a signal.
This problem was originally observed when running testimage. On
some hosts, after running testimage task, the user has to manually
operate on the tap interface (e.g. `sudo ip link del tap0') in order
for the next runqemu command to launch successfully.
The problem is about runqemu, SIGTERM and network manager on the host.
In testimage task, the runqemu process will receive SIGTERM. In such
situation, its cleanup() function is not run, resulting in tap interface
not cleaned up. On some hosts, the network manager will bring down the
tap interface automatically, thus this problem. I saw this problem on
Fedora21.
I think we'd better just clean up the tap interface ourselves.
So this patch adds to runqemu a SIGTERM handler, in which the actual
qemu process is terminated and other things cleaned up.
(From OE-Core rev: 02709d4709c56f9b9095e3555da35b659b03a8a3)
Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 6681ba9759b2d09945e415daf251162ac9600df7
Author: Joe Slater <joe.slater at windriver.com>
Date: Wed Sep 26 15:51:25 2018 -0700
libtiff: fix CVE-2017-17095
Backport fix from gitlab.com/libtiff/libtiff.
nvd.nist.gov does not yet reference this patch.
(From OE-Core rev: f72c8af3f2c1ec9e4d9ffcf0cc6e7fdf572b21b9)
Signed-off-by: Joe Slater <joe.slater at windriver.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 221a02355c8c2128f086f71bcbe95085a6306dcc
Author: Khem Raj <raj.khem at gmail.com>
Date: Sat Oct 6 18:29:17 2018 -0700
x264: Disable asm on musl/x86
Fixes
WARNING: x264-r2854+gitAUTOINC+e9a5903edf-r0 do_package_qa: QA Issue: ELF binary '/mnt/a/yoe/build/tmp/work/i586-yoe-linux-musl/x264/r2854+gitAUTOINC+e9a5903edf-r0/packages-split/x264/usr/lib/libx264.so.152'
has relocations in .text [textrel]
WARNING: x264-r2854+gitAUTOINC+e9a5903edf-r0 do_package_qa: QA Issue: ELF binary '/mnt/a/yoe/build/tmp/work/i586-yoe-linux-musl/x264/r2854+gitAUTOINC+e9a5903edf-r0/packages-split/x264-bin/usr/bin/x264'
has relocations in .text [textrel]
(From OE-Core rev: ea1204c6d9a02f0e38cf616e89d46530908972bb)
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit da7342a774ae9bcd876ceb7c260dfb49791949d5
Author: Changqing Li <changqing.li at windriver.com>
Date: Wed Oct 10 09:15:53 2018 +0800
libsndfile1: CVE-2018-13139
A stack-based buffer overflow in psf_memset in common.c in libsndfile 1.0.28.
Fixed in https://github.com/erikd/libsndfile/issues/397
(From OE-Core rev: 6b5a9078a7c5035590ee4dc2e23582da94d4a104)
Signed-off-by: Changqing Li <changqing.li at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 19138a21aabe60b67015e3383f4030db0d4d37a4
Author: Hongxu Jia <hongxu.jia at windriver.com>
Date: Sun Oct 14 02:45:59 2018 -0700
nasm: fix CVE-2018-10016
The previous fix of CVE-2018-10016 caused an ovmf build failure;
I reported the failure to upstream and they replied with
this V2 fix.
Details at:
https://bugzilla.nasm.us/show_bug.cgi?id=3392473
(From OE-Core rev: e2fa6bc137faebba3c440cac93c88092421e8e82)
Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit a6b6af83e344501057b0eb28dce1077992e5a7f3
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Thu Aug 30 10:03:52 2018 +0100
recipes: Update git.gnome.org addresses after upstream changes
git.gnome.org is no more. It has ceased to be. It's an ex-git.
Please see here:
https://about.gitlab.com/2018/05/31/welcome-gnome-to-gitlab/
Note that gitlab does not support git://, only https:// (and ssh).
[Commit message from Alexander Kanavin]
(From OE-Core rev: 8382cdc0888ca645a44aacaac1155afb8dcde979)
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
[Fixup for sumo context]
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit d145f605c274386baf0dde023f15cddf37523f3b
Author: Sinan Kaya <okaya at kernel.org>
Date: Fri Oct 5 03:55:15 2018 +0000
git: CVE-2018-11233
* CVE-2018-11233
Code to sanity-check pathnames on NTFS can result in reading
out-of-bounds memory.
Affects < 2.17.1
CVE: CVE-2018-11233
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1583888
Signed-off-by: Sinan Kaya <okaya at kernel.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 1461bcc72e6649920ecf4226e006e5667c48a21c
Author: Sinan Kaya <okaya at kernel.org>
Date: Fri Oct 5 00:39:08 2018 +0000
python3: CVE-2018-1061
* CVE-2018-1060
Prevent low-grade poplib REDOS:
The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.
Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.
* CVE-2018-1061
Prevent difflib REDOS
The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.
Replace it with an equivalent non-vulnerable regex.
Affects < 3.5.6rc1
CVE: CVE-2018-1060
CVE: CVE-2018-1061
Ref: https://access.redhat.com/security/cve/cve-2018-1060
Ref: https://access.redhat.com/security/cve/cve-2018-1061
Signed-off-by: Sinan Kaya <okaya at kernel.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
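An added example (not the CPython patch shipped in this commit) contrasting a backtracking-prone "junk line" pattern with its hardened equivalent, the shape of the difflib IS_LINE_JUNK change described above. The two regexes are quoted from my recollection of the upstream fix and should be treated as an assumption; the inputs are constructed.

```python
"""Catastrophic backtracking in a difflib-style junk-line regex.

Added example, not the CPython patch itself. Both patterns accept exactly
the same lines ("blank" or "only a '#' comment marker"), but the first one
backtracks quadratically on a long run of whitespace that is NOT followed
by end-of-line, which is the denial-of-service vector named in the commit.
The patterns are quoted from memory of the upstream change (assumption).
"""
import re
import time

# Before: `\s*` then optional `#` then `\s*`. On "   ...   x" the two `\s*`
# runs can split the whitespace N different ways, and every split is tried
# before the match finally fails: O(N^2) steps.
VULNERABLE_JUNK = re.compile(r"\s*#?\s*$").match

# After: the second `\s*` only exists inside an optional group that must
# start with a literal `#`, so there is one way to consume the spaces: O(N).
HARDENED_JUNK = re.compile(r"\s*(?:#\s*)?$").match


def same_verdict(line):
    """True if both patterns agree on whether `line` is a junk line."""
    return bool(VULNERABLE_JUNK(line)) == bool(HARDENED_JUNK(line))


def evil_line(n):
    """Constructed worst-case input: n spaces then a non-space, non-'#'."""
    return " " * n + "x"


def time_match(matcher, line):
    """Seconds `matcher` needs to reject `line` (it never matches here)."""
    start = time.perf_counter()
    assert matcher(line) is None
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (1_000, 2_000, 4_000):
        line = evil_line(n)
        print(f"n={n:5d} vulnerable={time_match(VULNERABLE_JUNK, line):.3f}s "
              f"hardened={time_match(HARDENED_JUNK, line):.5f}s")
```

Doubling n roughly quadruples the vulnerable time while the hardened pattern stays flat, which is the observable signature of a REDOS-prone regex.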
commit 06d7f9039b005c2112e28336ac1c30e5120ec815
Author: Sinan Kaya <okaya at kernel.org>
Date: Fri Oct 5 00:39:07 2018 +0000
libxml2: CVE-2018-14404
* CVE-2018-14404
A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval()
function of libxml2 when parsing an invalid XPath expression. Applications processing
untrusted XSL format inputs with the libxml2 library may be vulnerable to a
denial of service attack due to a crash of the application.
Affects libxml <= 2.9.8
CVE: CVE-2018-14404
Ref: https://access.redhat.com/security/cve/cve-2018-14404
Signed-off-by: Sinan Kaya <okaya at kernel.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
commit 759290ed5fedc1ce10639b3584d4532d688ea714
Author: Nicolas Dechesne <nicolas.dechesne at linaro.org>
Date: Tue Oct 2 23:54:45 2018 +0200
checklayer: avoid recursive loop in add_layer_dependencies
When Layer A and Layer B depend on each other, we end up in a
recursive loop in the function recurse_dependencies(). To avoid this situation,
before making the recursive function call we check whether or not we have
already processed this layer.
E.g. without this patch, running this script on layers with dependency loops, we see:
$ yocto-check-layer -d /srv/work/oe/meta-openembedded/
INFO: Detected layers:
INFO: meta-python: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-python
INFO: meta-filesystems: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-filesystems
INFO: meta-gnome: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-gnome
INFO: meta-xfce: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-xfce
INFO: meta-networking: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-networking
INFO: meta-initramfs: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-initramfs
INFO: meta-oe: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-oe
INFO: meta-multimedia: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-multimedia
INFO: meta-perl: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-perl
INFO: meta-webserver: LayerType.SOFTWARE, /srv/work/oe/meta-openembedded/meta-webserver
INFO:
INFO: Setting up for meta-python(LayerType.SOFTWARE), /srv/work/oe/meta-openembedded/meta-python
DEBUG: Processing dependencies core openembedded-layer for layer meta-python.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
DEBUG: Processing dependencies core networking-layer for layer meta-oe.
DEBUG: Processing dependencies core openembedded-layer meta-python for layer meta-networking.
...
...
...
[keep repeating]
This patch fixes this situation.
Signed-off-by: Nicolas Dechesne <nicolas.dechesne at linaro.org>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
(cherry picked from commit 171900b4bcb06416685ce90b63114a10fefe0b94)
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
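An added example (not the yocto-check-layer code this commit changes) that models the mutual dependency described above with constructed layer data, applies the commit's fix of remembering already-processed layers before recursing, and goes one step further by reporting the chains that close the loop.

```python
"""Cycle-safe walk over layer dependencies.

Added example, not the yocto-check-layer code the commit above changes. It
models the case the commit describes (two layers that depend on each other)
with constructed sample data, applies the fix (never recurse into a layer
that has already been processed) and, going one step further than the
patch, reports the dependency chains that close the loop.
"""

# Constructed sample, keyed by layer collection name -> its LAYERDEPENDS.
# openembedded-layer and networking-layer depend on each other, the
# situation that made the original script print the same DEBUG lines forever.
SAMPLE_LAYERS = {
    "core": [],
    "openembedded-layer": ["core", "networking-layer"],
    "networking-layer": ["core", "openembedded-layer", "meta-python"],
    "meta-python": ["core", "openembedded-layer"],
}


def resolve_dependencies(layer, layers, processed=None, path=()):
    """Return (deps, cycles) for `layer`.

    deps:   every layer `layer` transitively depends on, each listed once in
            the order it was first reached (shared across recursive calls).
    cycles: dependency chains that lead back to a layer already on the
            current recursion path, e.g. [A, B, C, A].
    """
    if layer not in layers:
        raise ValueError(f"unknown layer: {layer}")
    if processed is None:
        processed = []
    cycles = []
    chain = path + (layer,)
    for dep in layers[layer]:
        if dep in chain:
            # Back-edge to an ancestor: record the loop instead of following it.
            cycles.append(list(chain) + [dep])
        elif dep not in processed:
            # The commit's fix: remember the layer before recursing into it,
            # so a second arrival at the same layer is a no-op.
            processed.append(dep)
            _, sub_cycles = resolve_dependencies(dep, layers, processed, chain)
            cycles.extend(sub_cycles)
    return processed, cycles


if __name__ == "__main__":
    deps, cycles = resolve_dependencies("meta-python", SAMPLE_LAYERS)
    print("dependencies:", deps)
    for loop in cycles:
        print("cycle:", " -> ".join(loop))
```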
-----------------------------------------------------------------------
Summary of changes:
meta/classes/clutter.bbclass | 2 +-
meta/classes/externalsrc.bbclass | 4 +-
meta/classes/mirrors.bbclass | 2 +-
meta/conf/bitbake.conf | 2 +-
meta/lib/oe/rootfs.py | 5 +-
.../mobile-broadband-provider-info_git.bb | 3 +-
.../glib-networking/glib-networking_2.54.1.bb | 2 +-
.../libxml/libxml2/CVE-2018-14404.patch | 58 ++++++++
meta/recipes-core/libxml/libxml2_2.9.7.bb | 1 +
.../git/files/CVE-2018-11233.patch | 44 ++++++
meta/recipes-devtools/git/git.inc | 3 +-
.../0001-eval-Eliminate-division-by-zero.patch | 40 +++++
meta/recipes-devtools/nasm/nasm_2.13.03.bb | 1 +
.../python/python3/CVE-2018-1061.patch | 165 +++++++++++++++++++++
meta/recipes-devtools/python/python3_3.5.5.bb | 1 +
.../cantarell-fonts/cantarell-fonts_git.bb | 4 +-
.../libsndfile/libsndfile1/CVE-2018-13139.patch | 35 +++++
.../libsndfile/libsndfile1_1.0.28.bb | 1 +
.../libtiff/files/CVE-2017-17095.patch | 46 ++++++
meta/recipes-multimedia/libtiff/tiff_4.0.9.bb | 1 +
meta/recipes-multimedia/x264/x264_git.bb | 1 +
.../update-output-syntax.patch | 2 +-
scripts/lib/checklayer/__init__.py | 4 +
scripts/runqemu | 42 +++++-
24 files changed, 451 insertions(+), 18 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
create mode 100644 meta/recipes-devtools/git/files/CVE-2018-11233.patch
create mode 100644 meta/recipes-devtools/nasm/nasm/0001-eval-Eliminate-division-by-zero.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2018-1061.patch
create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2018-13139.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2017-17095.patch
hooks/post-receive
--