[yocto-security] [OE-core CVE] branch master updated. uninative-2.6-985-g402eef2

cve-notice at lists.openembedded.org cve-notice at lists.openembedded.org
Wed Oct 2 02:10:13 PDT 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".

The branch, master has been updated
       via  402eef252385b391d1b60fc77d758cc4c8de1b3c (commit)
       via  6ff71dd308b1611df7a8ea811a79b7cb884c99e9 (commit)
       via  b1afaccdba31341cace4b8d84d118ca76098587e (commit)
       via  90dbe9019c81e25923ed450df80b4401d16287b4 (commit)
       via  f5bb06129391b62f7dff400f10a0b4d2934625d2 (commit)
       via  49c4febcbf66587b01559d208873ca1d563ed3e0 (commit)
       via  3bde502f612f17b6ed928b04cf5c4ba9ad54d598 (commit)
       via  6792307a41c71786841f8fa6224af81be201688e (commit)
       via  a37aafc691ea89e326352e360bfd97ad473f4287 (commit)
       via  37eabe25d1e6dffee8e96675c42c25c64dd3bc70 (commit)
       via  7472bdb6ed1039b7f38afc728c034a13d0bbee0e (commit)
       via  eba857d3e52f83d426e95fa8373799da058f9484 (commit)
       via  b57304c1afb73a698a1c40a017d433e4d81a8df2 (commit)
       via  ebc974be12c3e83e961c99c24fde267d6c8e8bfc (commit)
       via  f78248a2380bbbbf271b5bb02c762f5bc7a3a92e (commit)
       via  8adf98e63fefeaf2c841a038a4497f9845bc7b04 (commit)
       via  14cca8246423c3af8b8478e391daf49a908d696c (commit)
      from  9973f89dafdf9d21f4021f59f1f4669f4ac13aff (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 402eef252385b391d1b60fc77d758cc4c8de1b3c
Author: Ross Burton <ross.burton at intel.com>
Date:   Mon Sep 30 12:10:16 2019 +0100

    lttng-ust: update patch Signed-off-by
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 6ff71dd308b1611df7a8ea811a79b7cb884c99e9
Author: André Draszik <andre.draszik at jci.com>
Date:   Tue Oct 1 10:54:51 2019 +0100

    ruby: fix non-IPv6 support
    
    When IPv6 support is disabled, this recipe mis-configures
    ruby so that it ends up non-working:
    --enable-wide-getaddrinfo instructs ruby to re-implement
    the standard getaddrinfo(), but IPv6 support is still
    automatically detected via ext/socket/extconf.rb
    independently of that flag.
    
    To re-implement getaddrinfo(), ruby uses the obsolete
    getipnodebyaddr() and getipnodebyname() functions - i.e.
    according to the man-page, glibc provided those only in
    glibc 2.1.91-95; and of course compilation fails. [1]
    
    Switch to ruby's standard --enable-ipv6= configure
    options to make the build work without warnings, and
    ruby work at runtime as well.
    
    [1] Compilation and linking actually succeed, albeit with
    a warning regarding implicit declaration / unresolved
    symbols. The error is only obvious at runtime due to the
    unresolved symbols...
    
    Signed-off-by: André Draszik <andre.draszik at jci.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit b1afaccdba31341cace4b8d84d118ca76098587e
Author: André Draszik <andre.draszik at jci.com>
Date:   Tue Oct 1 10:54:50 2019 +0100

    ruby: configure mis-detects isnan/isinf on musl
    
    The configure script does not detect isnan/isinf as macros
    as is the case in musl:
        checking for isinf... no
        checking for isnan... no
    
    Backport an upstream patch from 2.7.0-preview1 to address this:
        checking whether isinf is declared... yes
        checking whether isnan is declared... yes
    
    Signed-off-by: André Draszik <andre.draszik at jci.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 90dbe9019c81e25923ed450df80b4401d16287b4
Author: André Draszik <andre.draszik at jci.com>
Date:   Tue Oct 1 10:54:49 2019 +0100

    ruby: drop long-merged CVE patches
    
    The CVE patches here address the original problem in
    a different way to how upstream solved it, and are
    superfluous.
    
    Ruby updated to Onigmo v6.1.3+669ac999761 before its
    v2.5.0 release, and both CVEs were fixed before Onigmo
    v6.1.3:
        https://github.com/k-takata/Onigmo/releases/tag/Onigmo-6.1.3
        https://github.com/k-takata/Onigmo/commits/Onigmo-6.1.3
            https://github.com/k-takata/Onigmo/commit/40945546578004bf40e6f884834bcad4054c70f7
            https://github.com/k-takata/Onigmo/commit/783b7ef491e1422e4be7407ccc3e4305e5013507
    
    Because the issues were fixed differently here and
    in Ruby (Onigmo), patch never complained about
    duplication during recipe updates.
    
    Signed-off-by: André Draszik <andre.draszik at jci.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit f5bb06129391b62f7dff400f10a0b4d2934625d2
Author: Ross Burton <ross.burton at intel.com>
Date:   Tue Sep 24 17:05:38 2019 +0100

    opkg: remove redundant systemd inherit
    
    The service file was removed in oe-core 23dcf7ea but the inherit was not.
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 49c4febcbf66587b01559d208873ca1d563ed3e0
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
Date:   Mon Sep 30 15:02:32 2019 -0400

    opkg: remove pathfinder PACKAGECONFIG option
    
    pathfinder has no recipe and its last update was in 2013
    (see http://freshmeat.sourceforge.net/projects/pathfinder),
    so it should be removed from the list of PACKAGECONFIG options
    for opkg. --disable-pathfinder is added to EXTRA_OECONF for
    good measure.
    
    Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 3bde502f612f17b6ed928b04cf5c4ba9ad54d598
Author: He Zhe <zhe.he at windriver.com>
Date:   Mon Sep 30 10:38:01 2019 +0800

    ltp: Fix hang of cve test cases
    
    Backport a patch to fix the possible hang caused by the test case for CVE-2017-17052.
    
    CVE: CVE-2017-17052
    
    Signed-off-by: He Zhe <zhe.he at windriver.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 6792307a41c71786841f8fa6224af81be201688e
Author: Khem Raj <raj.khem at gmail.com>
Date:   Sat Sep 28 16:16:17 2019 -0700

    musl: Fix __riscv_mc* containers to match glibc
    
    Fixes packages like gdb compile
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit a37aafc691ea89e326352e360bfd97ad473f4287
Author: Otavio Salvador <otavio at ossystems.com.br>
Date:   Sat Sep 28 19:41:50 2019 -0300

    mesa: Add freedreno PACKAGECONFIG option
    
    Signed-off-by: Otavio Salvador <otavio at ossystems.com.br>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 37eabe25d1e6dffee8e96675c42c25c64dd3bc70
Author: Lei Maohui <leimaohui at cn.fujitsu.com>
Date:   Mon Sep 30 17:57:21 2019 +0800

    bluez5: update patch to fix do_patch error when PATCHTOOL = "patch".
    
    Signed-off-by: Lei Maohui <leimaohui at cn.fujitsu.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 7472bdb6ed1039b7f38afc728c034a13d0bbee0e
Author: Ross Burton <ross.burton at intel.com>
Date:   Fri Sep 27 14:39:26 2019 +0100

    pango: fix the failing testiter test case
    
    The testiter test case fails if libthai support isn't enabled because it
    exercises codepaths that need libthai to be correct.  Backport a patch to skip
    this test if libthai isn't enabled.
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit eba857d3e52f83d426e95fa8373799da058f9484
Author: Ross Burton <ross.burton at intel.com>
Date:   Wed Sep 25 16:54:13 2019 +0100

    python3: move runpy to core
    
    The runpy module is used to implement 'python3 -m foo', so move it to
    python3-core as it's an essential part of the CLI.
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit b57304c1afb73a698a1c40a017d433e4d81a8df2
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
Date:   Fri Sep 20 14:25:11 2019 -0400

    tiff: fix CVE-2019-14973
    
    CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-14973
    Upstream merge: https://gitlab.com/libtiff/libtiff/commit/2218055c
    
    Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit ebc974be12c3e83e961c99c24fde267d6c8e8bfc
Author: Diego Rondini <diego.rondini at kynetics.com>
Date:   Thu Sep 19 09:45:09 2019 +0200

    initramfs-framework: support PARTLABEL option
    
    Since commit (kernel >= 4.20):
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f027c34d844013d9d6c902af8fa01a82d6e5073d
    specifying rootfs by PARTLABEL is supported. This commit adds support to
    specify root by GPT partition label.
    
    Signed-off-by: Diego Rondini <diego.rondini at kynetics.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit f78248a2380bbbbf271b5bb02c762f5bc7a3a92e
Author: Yi Zhao <yi.zhao at windriver.com>
Date:   Thu Sep 19 15:44:11 2019 +0800

    python: add tk-lib as runtime dependency for python-tkinter
    
    Fixes:
    ERROR: python-2.7.16-r0 do_package_qa: QA Issue:
    /usr/lib/python2.7/lib-dynload/_tkinter.so contained in package
    python-tkinter requires libtk8.6.so, but no providers found in
    RDEPENDS_python-tkinter? [file-rdeps]
    
    Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 8adf98e63fefeaf2c841a038a4497f9845bc7b04
Author: Li Zhou <li.zhou at windriver.com>
Date:   Thu Sep 19 14:15:20 2019 +0800

    shadow: use relaxed usernames for all
    
    The previous commit <shadow: use relaxed usernames> works only for
    target. When testing with the configuration:
    INHERIT += 'extrausers'
    EXTRA_USERS_PARAMS += "useradd -p '' aBcD; "
    and running "bitbake core-image-minimal", an error occurs:
    NOTE: core-image-minimal: Performing useradd with [
    -R .../build/tmp-glibc/work/qemux86_64-wrs-linux/core-image-minimal/1.0-r0/rootfs -p '' aBcD]
    useradd: invalid user name 'aBcD'
    
    Here move the patch for using relaxed usernames from class_target to
    the source code for all.
    
    Signed-off-by: Li Zhou <li.zhou at windriver.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

commit 14cca8246423c3af8b8478e391daf49a908d696c
Author: Andre McCurdy <armccurdy at gmail.com>
Date:   Mon Sep 16 12:24:26 2019 -0700

    ffmpeg: enable more verbose build logs
    
    Signed-off-by: Andre McCurdy <armccurdy at gmail.com>
    Signed-off-by: Ross Burton <ross.burton at intel.com>

-----------------------------------------------------------------------

Summary of changes:
 .../bluez5/bluez5/CVE-2018-10910.patch             | 726 ++++++++-------------
 .../initrdscripts/initramfs-framework/rootfs       |   5 +
 ...ainer-for-riscv-floating-point-state-to-_.patch |  67 ++
 meta/recipes-core/musl/musl_git.bb                 |   1 +
 meta/recipes-devtools/opkg/opkg_0.4.1.bb           |   4 +-
 .../python/python3/python3-manifest.json           |  16 +-
 meta/recipes-devtools/python/python3_3.7.4.bb      |   2 +-
 meta/recipes-devtools/python/python_2.7.16.bb      |   2 +-
 ...c-check-finite-isinf-isnan-as-macros-firs.patch | 101 +++
 .../ruby/ruby/ruby-CVE-2017-9226.patch             |  32 -
 .../ruby/ruby/ruby-CVE-2017-9228.patch             |  34 -
 meta/recipes-devtools/ruby/ruby_2.5.5.bb           |  10 +-
 ...-2017-17052-Avoid-unsafe-exits-in-threads.patch |  64 ++
 meta/recipes-extended/ltp/ltp_20190517.bb          |   1 +
 meta/recipes-extended/shadow/shadow.inc            |   2 +-
 meta/recipes-graphics/mesa/mesa.inc                |   2 +
 ...001-Skip-thai-break-tests-without-libthai.patch |  36 +
 meta/recipes-graphics/pango/pango_1.44.6.bb        |   3 +-
 ...gust-Makefile.am-Add-install-lib-to-setup.patch |   2 +-
 meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.1.bb     |   2 +
 .../libtiff/tiff/CVE-2019-14973.patch              | 415 ++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.10.bb     |   4 +-
 22 files changed, 972 insertions(+), 559 deletions(-)
 create mode 100644 meta/recipes-core/musl/musl/0001-Change-container-for-riscv-floating-point-state-to-_.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/0001-configure.ac-check-finite-isinf-isnan-as-macros-firs.patch
 delete mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
 delete mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
 create mode 100644 meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
 create mode 100644 meta/recipes-graphics/pango/pango/0001-Skip-thai-break-tests-without-libthai.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch


hooks/post-receive
-- 