[yocto-security] [OE-core CVE] branch master-next updated. uninative-2.7-131-g5cfaaed

cve-notice at lists.openembedded.org cve-notice at lists.openembedded.org
Fri Oct 18 06:31:48 PDT 2019


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".

The branch, master-next has been updated
       via  5cfaaed25cdde42949042e63abf180b570f9797e (commit)
       via  f8afc2e6333cdbfcc585d715a58dd0aa6de6217c (commit)
       via  f5f8e6eb1a22aacb109432970bb67e17cea36777 (commit)
       via  c41993053056f7adf14d31c02fe4f8b6387f02f2 (commit)
       via  17ddb884fd278b3b1200bda2bec149c2291353c7 (commit)
       via  53263b4d0632cfbc9377e7e2b14585e997d229a1 (commit)
       via  e2b9db317699de8b4977d6b9c2bdcf4ab5a62208 (commit)
       via  9122f9a68c827952fd66c765e5949120b6f5fc69 (commit)
       via  fa951dcba8ac6231063aa754de0bd2bdacc08db0 (commit)
       via  de66550650251f46478dd8a6e891d296fc3944af (commit)
       via  109b183c9a71ae08f6edd7a0d92a927c290436c7 (commit)
       via  5bed093ee9be11608c438410dc8042fe639cee23 (commit)
       via  164b2708c507edadfcd062fef6540806c07abc42 (commit)
       via  2cd2fbfe1af45af77254705cb799a029833c7a12 (commit)
       via  879baa838069747cf7f2bc2d5ad6547a1b0dac2b (commit)
       via  05c8e410ea0589f63663c3a5750634518176689a (commit)
       via  d4d90f4f5bb34792a533608003b80225393dbbe5 (commit)
       via  5a29bdb1d7d4a126a3cf888a20e00dcb04fdb769 (commit)
      from  9e783ed82a0d59ee184cc81e75b12de6cdede203 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5cfaaed25cdde42949042e63abf180b570f9797e
Author: Max Tomago <max.tomago at codethink.co.uk>
Date:   Tue Oct 15 17:37:44 2019 +0100

    python-native: Remove debug.patch
    
    It doesn't look like it should be there.
    
    Signed-off-by: Max Tomago <max.tomago at codethink.co.uk>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit f8afc2e6333cdbfcc585d715a58dd0aa6de6217c
Author: Trevor Gamblin <trevor.gamblin at windriver.com>
Date:   Wed Oct 16 06:23:21 2019 -0700

    aspell: upgrade from 0.60.7 to 0.60.8
    
    New version fixes CVE-2019-17544 as well as various other bugs.
    
    CVE: CVE-2019-17544
    
    Signed-off-by: Trevor Gamblin <trevor.gamblin at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit f5f8e6eb1a22aacb109432970bb67e17cea36777
Author: Mikko Rapeli <mikko.rapeli at bmw.de>
Date:   Thu Oct 17 10:31:58 2019 +0300

    systemd.bbclass: enable all services specified in ${SYSTEMD_SERVICE}
    
    This has been the traditional way of enabling systemd services.
    It may conflict with presets feature, but other layers, image classes
    and recipes add services to be enabled using SYSTEMD_SERVICE
    variable also with read-only rootfs, e.g. IMAGE_FEATURES has
    stateless-rootfs and systemd_preset_all task is not executed.
    
    Fixes startup of custom services from our recipes using custom
    image classes with various BSP layers. In the worst case even
    serial console getty service wasn't starting due to dependency
    on not enabled services.
    
    Signed-off-by: Mikko Rapeli <mikko.rapeli at bmw.de>
    Cc: Peter Kjellerstedt <peter.kjellerstedt at axis.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit c41993053056f7adf14d31c02fe4f8b6387f02f2
Author: Changqing Li <changqing.li at windriver.com>
Date:   Thu Oct 17 10:52:27 2019 +0800

    qemu: Fix CVE-2019-12068
    
    Signed-off-by: Changqing Li <changqing.li at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 17ddb884fd278b3b1200bda2bec149c2291353c7
Author: André Draszik <git at andred.net>
Date:   Thu Oct 17 10:28:02 2019 +0100

    oeqa/runtime/systemd: skip unit enable/disable on read-only-rootfs
    
    This doesn't work on read-only-rootfs:
        AssertionError: 1 != 0 : SYSTEMD_BUS_TIMEOUT=240s systemctl disable avahi-daemon.service
        Failed to disable unit: File /etc/systemd/system/multi-user.target.wants/avahi-daemon.service: Read-only file system
    
    This patch does two things:
    1) Decorate the existing test to be skipped if the rootfs is
       read-only
    2) add a new test to be executed only if the rootfs is
       read-only. This new test remounts the rootfs read-write
       before continuing to execute the existing test, making
       sure to clean up correctly after itself (remount r/o
       again).
    
    Signed-off-by: André Draszik <git at andred.net>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 53263b4d0632cfbc9377e7e2b14585e997d229a1
Author: André Draszik <git at andred.net>
Date:   Wed Oct 16 10:18:24 2019 +0100

    oeqa/runtime/opkg: skip install on read-only-rootfs
    
    Images can have package management enabled, but be
    generally running as read-only. In this case, the
    test fails at the moment with various errors due to
    that.
    
    Use the new @skipIfFeature decorator to also skip
    this test in that case.
    
    Signed-off-by: André Draszik <git at andred.net>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit e2b9db317699de8b4977d6b9c2bdcf4ab5a62208
Author: André Draszik <git at andred.net>
Date:   Wed Oct 16 10:18:23 2019 +0100

    oeqa/core/decorator: add skipIfFeature
    
    skipIfFeature will skip a test if a given DIST_FEATURE
    or IMAGE_FEATURE is enabled.
    
    Signed-off-by: André Draszik <git at andred.net>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 9122f9a68c827952fd66c765e5949120b6f5fc69
Author: André Draszik <git at andred.net>
Date:   Wed Oct 16 10:18:22 2019 +0100

    oeqa/runtime/df: don't fail on long device names
    
    When device names are long (more than 20 characters), the
    df test will fail with an exception:
        self.assertTrue(int(output)>5120, msg=msg)
        ValueError: invalid literal for int() with base 10: ''
    at least when busybox is in use.
    
    The reason is that busybox breaks the line in that case:
        Filesystem           1K-blocks      Used Available Use% Mounted on
        /dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02
                               1998672     87024   1790408   5% /
    and the code tries to extract the fourth field from the
    second line, which is empty of course.
    
    df can be told not to break lines, though, using the -P
    flag, which turns on the POSIX output format, and is
    supported by busybox df and coreutils df:
        Filesystem           1024-blocks    Used Available Capacity Mounted on
        /dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02   1998672     87024   1790408   5% /
    
    Signed-off-by: André Draszik <git at andred.net>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
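The df commit above fixes the test by asking df for POSIX output. As an added example that is not part of the original commit or of oeqa, the following Python shows the failure it describes and a parser that survives both forms: the two df outputs are the ones quoted in the commit message, the "fourth field of the second line" helper reproduces what the old test extracted, and parse_df() treats a line carrying a single token as a wrapped filesystem name whose numbers follow on the next line. The 5120 KiB threshold is the one quoted from the assertion in the commit message; the function names are assumed.

```python
# Constructed from the two outputs quoted in the commit message: busybox
# df wrapping a long device name, and the same filesystem printed with -P.
WRAPPED_DF = (
    "Filesystem           1K-blocks      Used Available Use% Mounted on\n"
    "/dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02\n"
    "                       1998672     87024   1790408   5% /\n"
)
POSIX_DF = (
    "Filesystem           1024-blocks    Used Available Capacity Mounted on\n"
    "/dev/disk/by-partuuid/8e991e5a-cebd-4f88-9494-c9db4f30cb02"
    "   1998672     87024   1790408   5% /\n"
)


def fourth_field_of_second_line(output):
    """What the old test effectively did (the equivalent of
    `df | sed -n 2p | awk '{print $4}'`). On wrapped output the second
    line is just the device name, so this returns '' and int('') raises."""
    lines = output.splitlines()
    fields = lines[1].split() if len(lines) > 1 else []
    return fields[3] if len(fields) > 3 else ""


def parse_df(output):
    """Parse df or df -P output into {mountpoint: row}.

    A data line with exactly one token is a filesystem name that busybox
    wrapped; its numeric columns are on the following line and are joined
    back before parsing. Mount points containing spaces are kept whole."""
    rows = {}
    pending = None
    for line in output.splitlines()[1:]:          # drop the header
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 1:                       # wrapped device name
            pending = fields[0]
            continue
        if pending is not None:
            fields = [pending] + fields
            pending = None
        if len(fields) < 6:
            raise ValueError("unparseable df line: %r" % line)
        blocks, used, avail = (int(x) for x in fields[1:4])
        rows[" ".join(fields[5:])] = {
            "filesystem": fields[0],
            "blocks": blocks,
            "used": used,
            "available": avail,
            "capacity": fields[4],
        }
    if pending is not None:
        raise ValueError("dangling filesystem name: %r" % pending)
    return rows


def rootfs_has_headroom(output, min_kib=5120):
    """The check the oeqa df test performs: more than min_kib free on /."""
    return parse_df(output)["/"]["available"] > min_kib


if __name__ == "__main__":
    print(repr(fourth_field_of_second_line(WRAPPED_DF)))   # ''
    print(parse_df(WRAPPED_DF)["/"]["available"])          # 1790408
    print(rootfs_has_headroom(POSIX_DF))                   # True
```

Passing -P is still the right fix for the recipe, since it makes coreutils and busybox agree on one line per filesystem; the parser above is for harnesses that cannot control the df invocation and must not turn a long partuuid path into a spurious test failure.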

commit fa951dcba8ac6231063aa754de0bd2bdacc08db0
Author: André Draszik <git at andred.net>
Date:   Wed Oct 16 10:18:21 2019 +0100

    testimage.bbclass: enable ssh agent forwarding
    
    Some targets might use ssh to do their power- or serial-
    control. In that case, ssh might need access to the
    ssh agent, or otherwise won't work.
    
    So export it into the environment.
    
    Note that the (old) oeqa/controllers/masterimage.py
    tries to do that as well by exporting all of BB_ORIGENV
    into the test environment. Here in testimage.bbclass we
    are a bit more strict and only pass the ssh related
    environment variables.
    
    Signed-off-by: André Draszik <git at andred.net>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit de66550650251f46478dd8a6e891d296fc3944af
Author: André Draszik <andre.draszik at jci.com>
Date:   Wed Oct 16 10:18:20 2019 +0100

    testimage.bbclass: support hardware-controlled targets
    
    Since the introduction of the new runtime framework for target
    testing in commit 2aa5a4954d76
    ("testimage.bbclass: Migrate class to use new runtime framework"),
    commit 3857e5c91da6 in poky.git, target controllers have no
    access to the global datastore 'd' anymore.
    
    This makes it impossible for a specific OEQA (hardware)
    controller to access documented properties like
    TEST_POWERCONTROL_CMD, TEST_SERIALCONTROL_CMD, etc,
    meaning it's impossible for those controllers to actually
    control the hardware.
    
    To solve this, simply add those documented variables into
    the target_kwargs[].
    
    Signed-off-by: André Draszik <andre.draszik at jci.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 109b183c9a71ae08f6edd7a0d92a927c290436c7
Author: Ross Burton <ross.burton at intel.com>
Date:   Thu Oct 17 12:29:45 2019 +0100

    gawk: add PACKAGECONFIG for readline
    
    Add a PACKAGECONFIG so that readline can be disabled if desired.
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 5bed093ee9be11608c438410dc8042fe639cee23
Author: Ross Burton <ross.burton at intel.com>
Date:   Thu Oct 17 12:29:44 2019 +0100

    python3: -dev should depend on distutils
    
    python3-config uses distutils:
    
    Traceback (most recent call last):
      File "/usr/bin/python3-config", line 9, in <module>
        from distutils import sysconfig
    ModuleNotFoundError: No module named 'distutils'
    
    Add the dependency so that distutils is always present.
    
    [ YOCTO #13592 ]
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 164b2708c507edadfcd062fef6540806c07abc42
Author: Ross Burton <ross.burton at intel.com>
Date:   Thu Oct 17 12:29:43 2019 +0100

    python3: ensure that all forms of python3-config are in python3-dev
    
    In multilib builds python3-config gets renamed to eg python3-config-lib64 but
    this ends up being packaged in python3-core not python3-dev.
    
    The manifest uses an extended glob to package all python* binaries that are not
    python-config into python3-core:
    
                "${bindir}/python*[!-config]",
    
    However, this doesn't do what was intended, as [] is a range match.
    
    Replace the globs with more verbose but precise matches, and clear out
    FILES_${PN} to ensure that new binaries don't end up in ${PN} (which shouldn't
    exist).
    
    [ YOCTO #13592 ]
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
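The manifest commit above turns on a glob pitfall worth seeing concretely: in fnmatch/glob syntax, `[!-config]` is not "not ending in -config" but a single character that is none of `-`, `c`, `o`, `n`, `f`, `i`, `g`. The following is an added example, not the manifest or the fix from the commit; the file list is constructed (python3-config-lib64 is the multilib rename the commit mentions, the other names are assumed), and the "precise" selector is an illustration of the intent, not the replacement actually committed to python3-manifest.json:

```python
import fnmatch

# Constructed sample of files a python3 build might put into ${bindir}.
# "python3-config-lib64" is the multilib rename from the commit message;
# the remaining names are assumed for illustration.
SAMPLE_BINDIR = [
    "python3",
    "python3.7",
    "python3.7m",
    "python3-config",
    "python3.7-config",
    "python3.7m-config",
    "python3-config-lib64",
]

OLD_CORE_GLOB = "python*[!-config]"   # the pattern quoted in the commit


def old_core_match(name):
    """What the old python3-core glob really selects: 'python', anything,
    then exactly one final character outside the class {-,c,o,n,f,i,g}.
    It is a character class, not a negated suffix."""
    return fnmatch.fnmatchcase(name, OLD_CORE_GLOB)


def is_config_script(name):
    """The intent the glob was trying to express: python*-config and any
    multilib-renamed python*-config-<suffix> (assumed predicate)."""
    return name.endswith("-config") or "-config-" in name


def split_core_dev(names, core_selector):
    """Return (core, dev): core is what the selector claims, dev the rest."""
    core = sorted(n for n in names if core_selector(n))
    dev = sorted(n for n in names if n not in core)
    return core, dev


def classify_with_old_glob(names):
    return split_core_dev(names, old_core_match)


def classify_precisely(names):
    return split_core_dev(
        names, lambda n: n.startswith("python") and not is_config_script(n))


def misfiled_by_old_glob(names):
    """Config scripts the old glob sweeps into python3-core."""
    core, _ = classify_with_old_glob(names)
    return [n for n in core if is_config_script(n)]


if __name__ == "__main__":
    print("old glob core/dev:", classify_with_old_glob(SAMPLE_BINDIR))
    print("precise core/dev:", classify_precisely(SAMPLE_BINDIR))
    print("misfiled:", misfiled_by_old_glob(SAMPLE_BINDIR))
```

The unrenamed python3-config is excluded only by accident, because its last character `g` happens to be in the class; python3-config-lib64 ends in `4`, so it matches and lands in python3-core, which is exactly the packaging error the commit reports. The general lesson for FILES globs is to enumerate the names you mean, or test the pattern with fnmatch against the real ${bindir} listing, rather than rely on a bracket expression to do suffix negation.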

commit 2cd2fbfe1af45af77254705cb799a029833c7a12
Author: Ross Burton <ross.burton at intel.com>
Date:   Thu Oct 17 12:29:42 2019 +0100

    python3: alternative name is python3-config not python-config
    
    With python3-config using the 'python-config' name, it's possible for
    python-config to point at python3-config, which is obviously wrong.
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 879baa838069747cf7f2bc2d5ad6547a1b0dac2b
Author: Ricardo Ribalda Delgado <ricardo at ribalda.com>
Date:   Thu Oct 17 16:16:19 2019 +0200

    i2c-tools: Add missing RDEPEND
    
    Fixes:
     # decode-dimms
    Can't locate Carp.pm in @INC (you may need to install the Carp module) (@INC contains: /usr/lib/perl5/site_perl/5.28.1/x86_64-linux /usr/lib/perl5/site_perl/5.28.1 /usr/lib/perl5/vendor_perl/5.28.1/x86_64-linux /usr/lib/perl5/vendor_perl/5.28.1 /usr/lib/perl5/5.28.1/x86_64-linux /usr/lib/perl5/5.28.1 .) at /usr/lib/perl5/5.28.1/Tie/Hash.pm line 190.
    BEGIN failed--compilation aborted at /usr/lib/perl5/5.28.1/Tie/Hash.pm line 190.
    Compilation failed in require at /usr/lib/perl5/5.28.1/x86_64-linux/POSIX.pm line 505.
    Compilation failed in require at /usr/bin/decode-dimms line 41.
    BEGIN failed--compilation aborted at /usr/bin/decode-dimms line 41.
    root at qt5222:~# apt-get install perl-module-carp
    
    Signed-off-by: Ricardo Ribalda Delgado <ricardo at ribalda.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 05c8e410ea0589f63663c3a5750634518176689a
Author: Ross Burton <ross.burton at intel.com>
Date:   Fri Oct 18 12:28:19 2019 +0100

    file: explicitly disable seccomp
    
    file will automatically enable seccomp if the seccomp headers are available, but
    the build will fail on Opensuse Tumbleweed because the include paths are wrong.
    
    Enabling seccomp is a bad idea because it interacts badly with pseudo (causing
    build failures), so explicitly and globally disable seccomp.
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit d4d90f4f5bb34792a533608003b80225393dbbe5
Author: Eugene Smirnov <eu.smirnoff at gmail.com>
Date:   Fri Oct 18 13:16:14 2019 +0200

    wic/rawcopy: Support files in sub-directories
    
    If the source file is located in a subdirectory of DEPLOY_DIR
    rawcopy will currently fail in sparse_copy function on
    open(dst_fname, 'wb'), as the parent directory for destination
    file does not exist.
    
    This patch helps to avoid that by recursively creating
    parent directories.
    
    Signed-off-by: Eugene Smirnov <evgenii.smirnov at here.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

commit 5a29bdb1d7d4a126a3cf888a20e00dcb04fdb769
Author: Hongxu Jia <hongxu.jia at windriver.com>
Date:   Fri Oct 18 15:10:01 2019 +0800

    openssh: fix CVE-2019-16905
    
    Backport a patch from upstream to fix CVE-2019-16905
    https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a
    
    Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>

-----------------------------------------------------------------------

Summary of changes:
 meta/classes/systemd.bbclass                       |   6 +-
 meta/classes/testimage.bbclass                     |  18 ++++
 meta/lib/oeqa/core/decorator/data.py               |  18 ++++
 meta/lib/oeqa/runtime/cases/df.py                  |   2 +-
 meta/lib/oeqa/runtime/cases/opkg.py                |   4 +-
 meta/lib/oeqa/runtime/cases/systemd.py             |  16 ++-
 ...x-integer-overflow-in-XMSS-private-key-pa.patch |  40 ++++++++
 meta/recipes-connectivity/openssh/openssh_8.0p1.bb |   1 +
 meta/recipes-devtools/file/file_5.37.bb            |   2 +
 meta/recipes-devtools/i2c-tools/i2c-tools_4.1.bb   |   1 +
 .../python/python-native/debug.patch               |  32 ------
 .../python/python-native_2.7.16.bb                 |   1 -
 .../python/python3/python3-manifest.json           |   9 +-
 meta/recipes-devtools/python/python3_3.7.4.bb      |  11 ++-
 meta/recipes-devtools/qemu/qemu.inc                |   1 +
 .../qemu/qemu/CVE-2019-12068.patch                 | 108 +++++++++++++++++++++
 meta/recipes-extended/gawk/gawk_5.0.1.bb           |   4 +-
 .../aspell/{aspell_0.60.7.bb => aspell_0.60.8.bb}  |   6 +-
 scripts/lib/wic/plugins/source/rawcopy.py          |   3 +
 19 files changed, 229 insertions(+), 54 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-fix-integer-overflow-in-XMSS-private-key-pa.patch
 delete mode 100644 meta/recipes-devtools/python/python-native/debug.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch
 rename meta/recipes-support/aspell/{aspell_0.60.7.bb => aspell_0.60.8.bb} (85%)


hooks/post-receive