[yocto-security] [OE-core CVE] branch warrior updated. f4ccdf2bc3fe4f00778629088baab840c868e36b

cve-notice at lists.openembedded.org cve-notice at lists.openembedded.org
Sat Oct 12 18:10:21 PDT 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".

The branch, warrior has been updated
       via  f4ccdf2bc3fe4f00778629088baab840c868e36b (commit)
       via  dc66a2a10c3bc0e1491ddd656eff10bac521d862 (commit)
       via  6f4dcd00ce677d9df3fed7e12d87a4588dc65661 (commit)
       via  0d053082ab13a2668ecc94adbc6d6dd862be1c41 (commit)
       via  73c59ca02131bf1332f059808423af49324a249f (commit)
       via  c38f20e428297104dfa6953a99201d0ca374c83b (commit)
       via  8bb6955cf8b3127ec519bc0796be06a8d473f0d8 (commit)
       via  b3a244153414fa627b247dd29f95197fdaae69e1 (commit)
       via  6a98afe854907a6263ab5f08ccbc155943470c59 (commit)
      from  3bdbf72e3a4bf18a4a2c7afbde4f7ab773aeded9 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f4ccdf2bc3fe4f00778629088baab840c868e36b
Author: Denys Dmytriyenko <denys at ti.com>
Date:   Fri Sep 27 20:56:39 2019 -0400

    mariadb: update SRC_URI to use archive.mariadb.org
    
    archive.mariadb.org does not go 404 on releases over time
    
    Signed-off-by: Denys Dmytriyenko <denys at ti.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit dc66a2a10c3bc0e1491ddd656eff10bac521d862
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
Date:   Thu Oct 3 14:58:51 2019 -0400

    gd: fix CVE-2019-6978
    
    CVE: CVE-2019-6978
    
    Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 6f4dcd00ce677d9df3fed7e12d87a4588dc65661
Author: Dan Tran <dantran at microsoft.com>
Date:   Wed Sep 25 17:12:49 2019 +0000

    polkit: Fix CVE-2018-19788
    
    Signed-off-by: Dan Tran <dantran at microsoft.com>
    [Fixup for warrior context]
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 0d053082ab13a2668ecc94adbc6d6dd862be1c41
Author: Khem Raj <raj.khem at gmail.com>
Date:   Wed Aug 28 18:27:42 2019 -0700

    bpftool.bb: Disable SECURITY_CFLAGS
    
    We do not pass CFLAGS to the build, and fortify source needs some
    optimization to be enabled; it's better to reset the additional flags and
    let the build system add them as it needs.
    
    Fixes build failures like
    tools/include/tools/libc_compat.h:11:21: error: static declaration of 'reallocarray' follows non-static declaration
    |    11 | static inline void *reallocarray(void *ptr, size_t nmemb, size_t size)
    |       |                     ^~~~~~~~~~~~
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit d46e1e767f6b91dc25935e0c48d9d362dd50d879)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 73c59ca02131bf1332f059808423af49324a249f
Author: Khem Raj <raj.khem at gmail.com>
Date:   Sat Aug 17 12:19:05 2019 -0700

    klibc: Disable bcmp builtin for clang on glibc as well
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit 806fbbf81788648e567dc79c2bea98de69f79cc0)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit c38f20e428297104dfa6953a99201d0ca374c83b
Author: Khem Raj <raj.khem at gmail.com>
Date:   Tue Aug 6 12:00:57 2019 -0700

    klibc: Pass -fno-builtin-bcmp with musl/clang combo
    
    clang would emit the bcmp built-in for a musl-based system,
    but here we do not link in the musl C library, so it's best
    to disable it.
    
    Fixes
    git/usr/klibc/memmem.c:38: undefined reference to `bcmp'
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    Cc: Andrea Adami <andrea.adami at gmail.com>
    (cherry picked from commit 11bc2775af3e47399ac268a2e6fbd63185e478ef)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 8bb6955cf8b3127ec519bc0796be06a8d473f0d8
Author: Kai Kang <kai.kang at windriver.com>
Date:   Fri Sep 6 06:38:38 2019 +0800

    apache2: fix multilib file conflicts
    
    There are apache2 errors about file conflicts when multilib is enabled:
    
    | Error: Transaction check error:
    |   file /etc/apache2/extra/httpd-ssl.conf conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
    |   file /etc/apache2/httpd.conf conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
    |   file /usr/sbin/envvars conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
    |   file /usr/sbin/envvars-std conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
    
    It makes libexecdir point to ${libdir}. Reset it to ${libexecdir}, which
    eliminates the file conflicts of the conf files. Also remove /usr/sbin/envvars and
    /usr/sbin/envvars-std, which are only used by apachectl. They only add the standard
    library path ${libdir} to LD_LIBRARY_PATH, so remove them to avoid multilib
    file conflicts.
    
    Signed-off-by: Kai Kang <kai.kang at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit 8d4d608b4e937bb3b8e3b260bd75338c3ff7e8fd)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit b3a244153414fa627b247dd29f95197fdaae69e1
Author: Khem Raj <raj.khem at gmail.com>
Date:   Tue Sep 10 20:40:10 2019 -0700

    redis: Fix build with clang/x86
    
    Need to link with libatomic for 64-bit atomics support.
    Fixes
    i686-yoe-linux/i686-yoe-linux-ld: networking.o: in function `createClient':
    | /usr/src/debug/redis/4.0.14-r0/redis-4.0.14/src/networking.c:103: undefined reference to `__atomic_fetch_add_8'
    
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit 2b49254d61ca817799a206cd022617854aa5bc0b)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

commit 6a98afe854907a6263ab5f08ccbc155943470c59
Author: Peiran Hong <peiran.hong at windriver.com>
Date:   Fri Sep 13 17:27:29 2019 -0400

    tcpdump: Fix CVE-2017-16808
    
    Backport selected parts of three upstream commits to fix
    CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read.
    
    Upstream-Status: Backport
    [ several ]
    
    Upstream commits fully backported:
    46aead6  [CVE-2017-16808/AoE: Add a missing bounds check]
    
    Upstream commits partially backported:
    7068209  [Use nd_ types in 802.x and FDDI headers.]
    84ef17a  [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using
    pointers (1/n)]
    
    46aead6 fixes the vulnerability and requires two macros defined in
    7068209 and 84ef17a, which were committed after the release of 4.9.2.
    Only the definitions of the macros are taken from the two commits,
    as they impact a wide range of code and are difficult to integrate.
    
    CVE: CVE-2017-16808
    
    Signed-off-by: Peiran Hong <peiran.hong at windriver.com>
    Signed-off-by: Khem Raj <raj.khem at gmail.com>
    (cherry picked from commit 62fc26075afc2d56a73777aad753a643fbdafbfa)
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>

-----------------------------------------------------------------------

Summary of changes:
 meta-initramfs/recipes-devtools/klibc/klibc.inc    |   5 +-
 ...2017-16808-AoE-Add-a-missing-bounds-check.patch |  61 +++++
 .../recipes-support/tcpdump/tcpdump_4.9.2.bb       |   1 +
 meta-oe/recipes-dbs/mysql/mariadb.inc              |   2 +-
 .../polkit/polkit/CVE-2018-19788_p1.patch          | 194 +++++++++++++
 .../polkit/polkit/CVE-2018-19788_p2.patch          | 153 +++++++++++
 .../polkit/polkit/CVE-2018-19788_p3.patch          |  53 ++++
 meta-oe/recipes-extended/polkit/polkit_0.115.bb    |  12 +-
 .../redis/0001-src-Do-not-reset-FINAL_LIBS.patch   |  32 +++
 meta-oe/recipes-extended/redis/redis_4.0.14.bb     |   5 +-
 meta-oe/recipes-kernel/bpftool/bpftool.bb          |   4 +-
 meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch  | 299 +++++++++++++++++++++
 meta-oe/recipes-support/gd/gd_2.2.5.bb             |   1 +
 .../recipes-httpd/apache2/apache2_2.4.41.bb        |   6 +-
 14 files changed, 817 insertions(+), 11 deletions(-)
 create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
 create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
 create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
 create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
 create mode 100644 meta-oe/recipes-extended/redis/redis/0001-src-Do-not-reset-FINAL_LIBS.patch
 create mode 100644 meta-oe/recipes-support/gd/gd/CVE-2019-6978.patch
