[yocto-security] [OE-core CVE] branch master updated. uninative-2.6-985-g402eef2
cve-notice at lists.openembedded.org
Wed Oct 2 02:10:13 PDT 2019
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, master has been updated
via 402eef252385b391d1b60fc77d758cc4c8de1b3c (commit)
via 6ff71dd308b1611df7a8ea811a79b7cb884c99e9 (commit)
via b1afaccdba31341cace4b8d84d118ca76098587e (commit)
via 90dbe9019c81e25923ed450df80b4401d16287b4 (commit)
via f5bb06129391b62f7dff400f10a0b4d2934625d2 (commit)
via 49c4febcbf66587b01559d208873ca1d563ed3e0 (commit)
via 3bde502f612f17b6ed928b04cf5c4ba9ad54d598 (commit)
via 6792307a41c71786841f8fa6224af81be201688e (commit)
via a37aafc691ea89e326352e360bfd97ad473f4287 (commit)
via 37eabe25d1e6dffee8e96675c42c25c64dd3bc70 (commit)
via 7472bdb6ed1039b7f38afc728c034a13d0bbee0e (commit)
via eba857d3e52f83d426e95fa8373799da058f9484 (commit)
via b57304c1afb73a698a1c40a017d433e4d81a8df2 (commit)
via ebc974be12c3e83e961c99c24fde267d6c8e8bfc (commit)
via f78248a2380bbbbf271b5bb02c762f5bc7a3a92e (commit)
via 8adf98e63fefeaf2c841a038a4497f9845bc7b04 (commit)
via 14cca8246423c3af8b8478e391daf49a908d696c (commit)
from 9973f89dafdf9d21f4021f59f1f4669f4ac13aff (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 402eef252385b391d1b60fc77d758cc4c8de1b3c
Author: Ross Burton <ross.burton at intel.com>
Date: Mon Sep 30 12:10:16 2019 +0100
lttng-ust: update patch Signed-off-by
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 6ff71dd308b1611df7a8ea811a79b7cb884c99e9
Author: André Draszik <andre.draszik at jci.com>
Date: Tue Oct 1 10:54:51 2019 +0100
ruby: fix non-IPv6 support
When IPv6 support is disabled, this recipe mis-configures
ruby so that it ends up non-working:
--enable-wide-getaddrinfo instructs ruby to re-implement
the standard getaddrinfo(), but IPv6 support is still
automatically detected via ext/socket/extconf.rb
independently of that flag.
To re-implement getaddrinfo(), ruby uses the obsolete
getipnodebyaddr() and getipnodebyname() functions - i.e.
according to the man-page, glibc provided those only in
glibc 2.1.91-95; and of course compilation fails. [1]
Switch to ruby's standard --enable-ipv6= configure
options to make the build work without warnings, and
ruby work at runtime as well.
[1] Compilation and linking actually succeed, albeit with
a warning regarding implicit declaration / unresolved
symbols. The error is only obvious at runtime due to the
unresolved symbols...
Signed-off-by: André Draszik <andre.draszik at jci.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit b1afaccdba31341cace4b8d84d118ca76098587e
Author: André Draszik <andre.draszik at jci.com>
Date: Tue Oct 1 10:54:50 2019 +0100
ruby: configure mis-detects isnan/isinf on musl
The configure script does not detect isnan/isinf as macros
as is the case in musl:
checking for isinf... no
checking for isnan... no
Backport an upstream patch from 2.7.0-preview1 to address this:
checking whether isinf is declared... yes
checking whether isnan is declared... yes
Signed-off-by: André Draszik <andre.draszik at jci.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 90dbe9019c81e25923ed450df80b4401d16287b4
Author: André Draszik <andre.draszik at jci.com>
Date: Tue Oct 1 10:54:49 2019 +0100
ruby: drop long-merged CVE patches
The CVE patches here address the original problem in
a different way to how upstream solved it, and are
superfluous.
Ruby updated to Onigmo v6.1.3+669ac999761 before its
v2.5.0 release, and both CVEs were fixed before Onigmo
v6.1.3:
https://github.com/k-takata/Onigmo/releases/tag/Onigmo-6.1.3
https://github.com/k-takata/Onigmo/commits/Onigmo-6.1.3
https://github.com/k-takata/Onigmo/commit/40945546578004bf40e6f884834bcad4054c70f7
https://github.com/k-takata/Onigmo/commit/783b7ef491e1422e4be7407ccc3e4305e5013507
Because the issues were fixed differently here and
in Ruby (Onigmo), patch never complained about
duplication during recipe updates.
Signed-off-by: André Draszik <andre.draszik at jci.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit f5bb06129391b62f7dff400f10a0b4d2934625d2
Author: Ross Burton <ross.burton at intel.com>
Date: Tue Sep 24 17:05:38 2019 +0100
opkg: remove redundant systemd inherit
The service file was removed in oe-core 23dcf7ea but the inherit was not.
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 49c4febcbf66587b01559d208873ca1d563ed3e0
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
Date: Mon Sep 30 15:02:32 2019 -0400
opkg: remove pathfinder PACKAGECONFIG option
pathfinder has no recipe and its last update was in 2013
(see http://freshmeat.sourceforge.net/projects/pathfinder),
so it should be removed from the list of PACKAGECONFIG options
for opkg. --disable-pathfinder is added to EXTRA_OECONF for
good measure.
Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 3bde502f612f17b6ed928b04cf5c4ba9ad54d598
Author: He Zhe <zhe.he at windriver.com>
Date: Mon Sep 30 10:38:01 2019 +0800
ltp: Fix hang of cve test cases
Backport a patch to fix the possible hang caused by the case of CVE-2017-17052.
CVE: CVE-2017-17052
Signed-off-by: He Zhe <zhe.he at windriver.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 6792307a41c71786841f8fa6224af81be201688e
Author: Khem Raj <raj.khem at gmail.com>
Date: Sat Sep 28 16:16:17 2019 -0700
musl: Fix __riscv_mc* containers to match glibc
Fixes packages like gdb compile
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit a37aafc691ea89e326352e360bfd97ad473f4287
Author: Otavio Salvador <otavio at ossystems.com.br>
Date: Sat Sep 28 19:41:50 2019 -0300
mesa: Add freedreno PACKAGECONFIG option
Signed-off-by: Otavio Salvador <otavio at ossystems.com.br>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 37eabe25d1e6dffee8e96675c42c25c64dd3bc70
Author: Lei Maohui <leimaohui at cn.fujitsu.com>
Date: Mon Sep 30 17:57:21 2019 +0800
bluez5: update patch to fix do_patch error when PATCHTOOL = "patch".
Signed-off-by: Lei Maohui <leimaohui at cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 7472bdb6ed1039b7f38afc728c034a13d0bbee0e
Author: Ross Burton <ross.burton at intel.com>
Date: Fri Sep 27 14:39:26 2019 +0100
pango: fix the failing testiter test case
The testiter test case fails if libthai support isn't enabled because it
exercises codepaths that need libthai to be correct. Backport a patch to skip
this test if libthai isn't enabled.
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit eba857d3e52f83d426e95fa8373799da058f9484
Author: Ross Burton <ross.burton at intel.com>
Date: Wed Sep 25 16:54:13 2019 +0100
python3: move runpy to core
The runpy module is used to implement 'python3 -m foo', so move it to
python3-core as it's an essential part of the CLI.
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit b57304c1afb73a698a1c40a017d433e4d81a8df2
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
Date: Fri Sep 20 14:25:11 2019 -0400
tiff: fix CVE-2019-14973
CVE reference: https://nvd.nist.gov/vuln/detail/CVE-2019-14973
Upstream merge: https://gitlab.com/libtiff/libtiff/commit/2218055c
Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit ebc974be12c3e83e961c99c24fde267d6c8e8bfc
Author: Diego Rondini <diego.rondini at kynetics.com>
Date: Thu Sep 19 09:45:09 2019 +0200
initramfs-framework: support PARTLABEL option
Since commit (kernel >= 4.20):
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f027c34d844013d9d6c902af8fa01a82d6e5073d
specifying rootfs by PARTLABEL is supported. This commit adds support to
specify root by GPT partition label.
Signed-off-by: Diego Rondini <diego.rondini at kynetics.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
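As an added example (not the initramfs-framework rootfs module from this commit, and not kernel code), the following POSIX shell shows how an initramfs script resolves the root= kernel parameter once the PARTLABEL= form is accepted alongside LABEL=, UUID= and PARTUUID=. It assumes udev- or mdev-style /dev/disk/by-* symlink directories on the target and treats the identifier as a single path component, rejecting anything that would escape the by-* directory. The sample command line is constructed for the example.

```sh
#!/bin/sh
# Added example, not the project's own code. Maps a root= value onto a device
# path the way an initramfs script has to. Assumption: /dev/disk/by-label,
# by-uuid, by-partuuid and by-partlabel symlink directories exist on the target.

# resolve_root VALUE -> prints the device path for a root= value, or fails.
resolve_root() {
    _v="$1"
    case "$_v" in
        "")
            return 1 ;;
        LABEL=*|UUID=*|PARTUUID=*|PARTLABEL=*)
            _kind="${_v%%=*}"
            _id="${_v#*=}"
            # The identifier becomes a path component; refuse values that
            # could leave the by-* directory (udev itself escapes '/' in names).
            case "$_id" in
                ""|*/*|.|..) return 1 ;;
            esac
            _dir=$(printf '%s' "$_kind" | tr 'A-Z' 'a-z')
            printf '/dev/disk/by-%s/%s\n' "$_dir" "$_id" ;;
        *=*)
            # Unknown KEY=VALUE form: do not guess.
            return 1 ;;
        */*)
            # Full device node such as /dev/mmcblk0p2: use it as given.
            printf '%s\n' "$_v" ;;
        *)
            # Bare device name such as sda1: assumed to live under /dev.
            printf '/dev/%s\n' "$_v" ;;
    esac
}

# root_from_cmdline CMDLINE -> prints the root= value from a kernel command
# line string; a later root= overrides an earlier one.
root_from_cmdline() {
    _root=""
    for _arg in $1; do
        case "$_arg" in
            root=*) _root="${_arg#root=}" ;;
        esac
    done
    [ -n "$_root" ] && printf '%s\n' "$_root"
}

# Constructed sample command line (not taken from any real board).
CMDLINE='console=ttyS0 root=PARTLABEL=rootfs rootwait'
resolve_root "$(root_from_cmdline "$CMDLINE")"
```

On a real system the script would read /proc/cmdline instead of the constructed CMDLINE string and then wait for the resolved path to appear (rootwait) before mounting it.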
commit f78248a2380bbbbf271b5bb02c762f5bc7a3a92e
Author: Yi Zhao <yi.zhao at windriver.com>
Date: Thu Sep 19 15:44:11 2019 +0800
python: add tk-lib as runtime dependency for python-tkinter
Fixes:
ERROR: python-2.7.16-r0 do_package_qa: QA Issue:
/usr/lib/python2.7/lib-dynload/_tkinter.so contained in package
python-tkinter requires libtk8.6.so, but no providers found in
RDEPENDS_python-tkinter? [file-rdeps]
Signed-off-by: Yi Zhao <yi.zhao at windriver.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 8adf98e63fefeaf2c841a038a4497f9845bc7b04
Author: Li Zhou <li.zhou at windriver.com>
Date: Thu Sep 19 14:15:20 2019 +0800
shadow: use relaxed usernames for all
The previous commit <shadow: use relaxed usernames> works only for
target. When testing with the configuration:
INHERIT += 'extrausers'
EXTRA_USERS_PARAMS += "useradd -p '' aBcD; "
and run "bitbake core-image-minimal", error occurs:
NOTE: core-image-minimal: Performing useradd with [
-R .../build/tmp-glibc/work/qemux86_64-wrs-linux/core-image-minimal/1.0-r0/rootfs -p '' aBcD]
useradd: invalid user name 'aBcD'
Here move the patch for using relaxed usernames from class_target to
the source code for all.
Signed-off-by: Li Zhou <li.zhou at windriver.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
commit 14cca8246423c3af8b8478e391daf49a908d696c
Author: Andre McCurdy <armccurdy at gmail.com>
Date: Mon Sep 16 12:24:26 2019 -0700
ffmpeg: enable more verbose build logs
Signed-off-by: Andre McCurdy <armccurdy at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
-----------------------------------------------------------------------
Summary of changes:
.../bluez5/bluez5/CVE-2018-10910.patch | 726 ++++++++-------------
.../initrdscripts/initramfs-framework/rootfs | 5 +
...ainer-for-riscv-floating-point-state-to-_.patch | 67 ++
meta/recipes-core/musl/musl_git.bb | 1 +
meta/recipes-devtools/opkg/opkg_0.4.1.bb | 4 +-
.../python/python3/python3-manifest.json | 16 +-
meta/recipes-devtools/python/python3_3.7.4.bb | 2 +-
meta/recipes-devtools/python/python_2.7.16.bb | 2 +-
...c-check-finite-isinf-isnan-as-macros-firs.patch | 101 +++
.../ruby/ruby/ruby-CVE-2017-9226.patch | 32 -
.../ruby/ruby/ruby-CVE-2017-9228.patch | 34 -
meta/recipes-devtools/ruby/ruby_2.5.5.bb | 10 +-
...-2017-17052-Avoid-unsafe-exits-in-threads.patch | 64 ++
meta/recipes-extended/ltp/ltp_20190517.bb | 1 +
meta/recipes-extended/shadow/shadow.inc | 2 +-
meta/recipes-graphics/mesa/mesa.inc | 2 +
...001-Skip-thai-break-tests-without-libthai.patch | 36 +
meta/recipes-graphics/pango/pango_1.44.6.bb | 3 +-
...gust-Makefile.am-Add-install-lib-to-setup.patch | 2 +-
meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.1.bb | 2 +
.../libtiff/tiff/CVE-2019-14973.patch | 415 ++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.0.10.bb | 4 +-
22 files changed, 972 insertions(+), 559 deletions(-)
create mode 100644 meta/recipes-core/musl/musl/0001-Change-container-for-riscv-floating-point-state-to-_.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/0001-configure.ac-check-finite-isinf-isnan-as-macros-firs.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
create mode 100644 meta/recipes-extended/ltp/ltp/0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch
create mode 100644 meta/recipes-graphics/pango/pango/0001-Skip-thai-break-tests-without-libthai.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2019-14973.patch
hooks/post-receive
--