summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* linux-yocto: Update SRCREV for genericx86* for 4.1, fixes CVE-2016-0728Alejandro Hernandez2016-02-041-2/+5
| | | | | | | | | This addresses CVE-2016-0728: KEYS: Fix keyring ref leak in join_session_keyring(), and upgrades to LINUX_VERSION 4.1.17 (From meta-yocto rev: 2aab8657999c2bcf6e7a54f1085664207ba3ac93) Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* linux-yocto: Update SRCREV for genericx86* for 3.19, fixes CVE-2016-0728Alejandro Hernandez2016-02-041-2/+2
| | | | | | | | | This addresses CVE-2016-0728: KEYS: Fix keyring ref leak in join_session_keyring() (From meta-yocto rev: 20c1e1e8ec2f18fbbb47b6dbc27dd7dfa15922fb) Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* linux-yocto: Update SRCREV for genericx86* for 3.14, fixes CVE-2016-0728Alejandro Hernandez2016-02-041-2/+5
| | | | | | | | | This addresses CVE-2016-0728: KEYS: Fix keyring ref leak in join_session_keyring(), and upgrades to LINUX_VERSION 3.14.39 (From meta-yocto rev: 47a81a47c5f1f2625365ab7a2f130b75fb5764fd) Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta-yocto-bsp: Remove uvesafb (v86d) from generic x86 featuresJianxun Zhang2016-02-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | When uvesafb is automatically loaded during boot and FW doesn't support legacy video bios and frame buffer, its user space helper will throw error messages in kernel log: [6.843790] uvesafb: Getting VBE info block failed (eax=0x4f00, err=1) [6.843864] uvesafb: vbe_init() failed with -22 [6.843916] uvesafb: probe of uvesafb.0 failed with error -22 Assuming most x86 boards today don't really rely on this module, this change simply removes it from the common feature list to get rid of these harmless messages. [YOCTO #6584] (From meta-yocto rev: d58fc630b1114dbafa8342de7dcaef8e7d798848) (From meta-yocto rev: 8b08977dc9f2d9ff4fd5ecf4ead24a36dcbda542) Signed-off-by: Jianxun Zhang <jianxun.zhang@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 6af89812e8a9931ffed63768ed85367519bf7aef) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* yocto-bsp: Set SRCREV meta/machine revisions to AUTOREVLeonardo Sandoval2016-02-0449-152/+152
| | | | | | | | | | | | | | | | By default, checkout to latest revision from the machine branch specified by the user. (From meta-yocto rev: f79a43406b5b323587415380ecffc87527c64653) (From meta-yocto rev: 311e084bb321701624785ce56a1ad23d7b20b396) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a35f79ddd8afe54835ad927b21b8f7cfbd86202a) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* yocto-bsp: Set KTYPE to user selected base branchLeonardo Sandoval2016-02-0421-21/+42
| | | | | | | | | | | | | | | | | | Fixes the hardcode branch name set to KTYPE, where its value is used as a base branch when user decides to create a new branch. Tested on x86_64 architecture. [YOCTO #8630] (From meta-yocto rev: ab895be90a0cae7dfa77a8aab3b19e5571e7e7bc) (From meta-yocto rev: bc5aec2348b2c314953806734a8fbabf798d142c) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9d585b5025187f059f75ffbdc01bda72d17e8a86) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* yocto-bsp: Avoid duplication of user patches ({{=machine}}-user-patches.scc)Leonardo Sandoval2016-02-0428-36/+8
| | | | | | | | | | | | | | | | | | | On linux-yocto-dev or linux-yocto_X.YY bbappend files, the SRC_URI includes {{=machine}}-standard.scc, which in turn includes {{=machine}}-user-parches.scc, thus there is no need to include it again on the corresponding bbappend file. [YOCTO #8486] (From meta-yocto rev: 11c93b5dd8c651df478d4810e1b6ff6ad9fa57e8) (From meta-yocto rev: c1105ff0e65a24f344e5fab17402b1b4fcb1d728) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f674ffa528b06e22d2c70c12f2e17cf308e26173) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* yocto-bsp: Default kernel version to 4.1 on x86_64Leonardo Sandoval2016-02-041-1/+1
| | | | | | | | | | | | | | | | | | On the 3.19 to 4.1 migration, the target x86_64 was not taken into account (no reason, just missing the correspoding update on the kernel-list.noinstall file), so moving it to 4.1 to be align with the rest. (From meta-yocto rev: 283665d9295c3c10f964496dc0110137e358daa6) (From meta-yocto rev: d58d3c5e65294bd6f4f3f780d746e1c3f8678c2b) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9cc221dcb6af71ae8a4faa3297269ae80c7e35dd) Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* piglit: don't use /tmp to write generated sources toRoss Burton2016-02-041-0/+6
| | | | | | | | | | | | If there are multiple builds on the same machine then piglit writing it's generated sources to /tmp will race. Instead, export TEMP to tell the tempfile module to use a temporary directory under ${B}. (From OE-Core rev: 226a26e51eb0789686509d3e22a3766e2e3e8666) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gen-lockedsig-cache: fix bad destination path joiningPaul Eggleton2016-02-041-1/+1
| | | | | | | | | | | | | | | | | When copying the sstate-cache into the extensible SDK, if the source path had a trailing / and the destination path did not, there would be a missing / between the path and the subdirectory name, and you'd end up with subdirectories like "sstate-cacheCentOS-6.7". There are functions in os.path for this sort of thing so let's just use them and avoid the problem. (From OE-Core rev: 2ed6adfea5ba16aeda7b5d908bea4303202d3774) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 5eb8f15c48b5f39a10eb2b63b026cf1ebfd05533) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* linux-yocto: Update SRCREV for qemux86* for 4.1, fixes CVE-2016-0728Alejandro Hernandez2016-02-041-2/+4
| | | | | | | | | | This addresses CVE-2016-0728: KEYS: Fix keyring ref leak in join_session_keyring(), and upgrades to LINUX_VERSION 4.1.17 (From OE-Core rev: f070d5fee56a4589a6abf422e6872373c5557c6d) Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* linux-yocto: Update SRCREV for qemux86* for 3.19, fixes CVE-2016-0728Alejandro Hernandez2016-02-041-2/+2
| | | | | | | | | | This addresses CVE-2016-0728: KEYS: Fix keyring ref leak in join_session_keyring() (From OE-Core rev: 8cb97ea8ed59ee77c0542b50d1af65bf9a3c3fef) Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* linux-yocto: Update SRCREV for qemux86* for 3.14, fixes CVE-2016-0728Alejandro Hernandez2016-02-041-2/+4
| | | | | | | | | | This addresses CVE-2016-0728: KEYS: Fix keyring ref leak in join_session_keyring(), and upgrades to LINUX_VERSION 3.14.39 (From OE-Core rev: ce53ebc001af87d169a2e0e98ca3d7d4729fdec4) Signed-off-by: Alejandro Hernandez <alejandro.hernandez@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpng12: update URL that no longer existsMaxin B. John2016-02-041-1/+1
| | | | | | | | | | | | | | | | Fix the following warning: WARNING: Failed to fetch URL http://downloads.sourceforge.net/project/ libpng/libpng12/1.2.53/libpng-1.2.53.tar.xz, attempting MIRRORS if available. [YOCTO #8739] (From OE-Core rev: 02363e50b4a3d124fa71edb2870deb820567482b) Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpng: update URL that no longer existsMaxin B. John2016-02-041-1/+1
| | | | | | | | | | | | | | | | Fix the following warning: WARNING: Failed to fetch URL http://downloads.sourceforge.net/ project/libpng/libpng16/1.6.17/libpng-1.6.17.tar.xz, attempting MIRRORS if available [YOCTO #8739] (From OE-Core rev: dbde0550ce0cc112947367eb89b914be5b3359a7) Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* busybox: fix build of last appletRoss Burton2016-02-042-0/+34
| | | | | | | | | | | | | If CONFIG_FEATURE_LAST_SMALL is enabled the build fails because of a broken __UT_NAMESIZE test. [ YOCTO #8869 ] (From OE-Core rev: 6348b2e8e0510b45f4afd2018e90796714863fc1) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: add dependency for pnglibconf.hJoe Slater2016-02-042-0/+22
| | | | | | | | | | | | | | When using parallel make jobs, we need to be sure that pnglibconf.h is created before we try to reference it, so add a rule to png.mak. (From OE-Core rev: 4b7bda9d1ac836de0c657cca28044b822e444bea) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit fad19750d23aad2d14a1726c4e3c2c0d05f6e13d) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcr: Require x11 DISTRO_FEATUREJussi Kukkonen2016-02-041-1/+3
| | | | | | | | | | | | | | | This enables a world build without x11. GTK3DISTROFEATURES is not enough because gtk+-x11.pc is still required. Fixes [YOCTO #8611]. (From OE-Core rev: b1175339287395a7ad4fe4639a73f3a1dda74358) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit dbdcd87144cc1cd6c5d50c800c7f266aaf25ca17) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* uClibc: enable utmp for shadow compatibilityBogdan-Alexandru Voiculescu2016-02-041-0/+2
| | | | | | | | | | | | | | | | | | | | with the enabling of utmpx in busybox and uClibc it was noted that shadow support for utmpx also needs utmp explicitly enabled in uclibc. this is a workaround that might be removed once shadow properly supports --enable-utmpx to check for utmpx configuration instead of utmp like it does now [YOCTO #8243] [YOCTO #8971] (From OE-Core rev: 05cab660ea956aabf6e6f971bdc5c9e2d94b9f2d) Signed-off-by: Bogdan-Alexandru Voiculescu <bogdanx.a.voiculescu@intel.com> Signed-off-by: Benjamin Esquivel <benjamin.esquivel@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 969158d63ba2c8e2e11af41c2a6d4f1aa5b0099f) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: Security fix CVE-2015-7545Armin Kuster2016-02-046-0/+897
| | | | | | | | | CVE-2015-7545 git: arbitrary code execution via crafted URLs (From OE-Core rev: 1e0780427bad448c5b3644134b581ecf1d53af84) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glibc-locale: fix QA warningArmin Kuster2016-02-041-1/+1
| | | | | | | | | | WARNING: QA Issue: glibc-locale: /glibc-binary-localedata-sd-in/usr/lib/locale/sd_IN/LC_CTYPE is owned by uid 1000, which is the same as the user running bitbake. This may be due to host contamination [host-user-contaminated] fix type (From OE-Core rev: 9d5cd7a353ec257c88d54dd9af2327b0d86d5662) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* grub: Security fix CVE-2015-8370Armin Kuster2016-02-042-0/+60
| | | | | | | | | CVE-2015-8370 grub2: buffer overflow when checking password entered during bootup (From OE-Core rev: b63e3b57b47e95003a1fb014f90333c327681d5b) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gdk-pixbuf: Security fix CVE-2015-7674Armin Kuster2016-02-042-0/+40
| | | | | | | | | CVE-2015-7674 Heap overflow with a gif file in gdk-pixbuf < 2.32.1 (From OE-Core rev: f2b16d0f9c3ad67fdf63e9e41f42a6d54f1043e4) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* librsvg: Security fix CVE-2015-7558Armin Kuster2016-02-044-1/+597
| | | | | | | | | | | CVE-2015-7558 librsvg2: Stack exhaustion causing DoS including two supporting patches. (From OE-Core rev: 4945643bab1ee6b844115cc747e5c67d874d5fe6) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: Security fix CVE-2015-8461Armin Kuster2016-02-042-0/+45
| | | | | | | | | CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c\ (From OE-Core rev: 1656eaa722952861ec73362776bd0c4826aec3da) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: Security fix CVE-2015-8000Armin Kuster2016-02-042-0/+279
| | | | | | | | | CVE-2015-8000 bind: responses with a malformed class attribute can trigger an assertion failure in db.c (From OE-Core rev: a159f9dcf3806f2c3677775d6fb131dab17a5a17) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxml2: Security fix CVE-2015-8710Armin Kuster2016-02-042-0/+72
| | | | | | | | | CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment (From OE-Core rev: 03d481070ebc6f9af799aec5d038871f9c73901c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxml2: Security fix CVE-2015-8241Armin Kuster2016-02-042-0/+41
| | | | | | | | | CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar (From OE-Core rev: f3c19a39cdec435f26a7f46a3432231ba4daa19c) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dpkg: Security fix CVE-2015-0860Armin Kuster2016-02-042-0/+53
| | | | | | | | | CVE-2015-0860 dpkg: stack overflows and out of bounds read (From OE-Core rev: 5aaec01acc9e5a19374a566307a425d43c887f4b) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: update to 2016aArmin Kuster2016-02-041-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changed LIC_CHKSUM_FILES to a new LICENSE file. Add BSD-3-clause to licenses Changes affecting future time stamps America/Cayman will not observe daylight saving this year after all. Revert our guess that it would. (Thanks to Matt Johnson.) Asia/Chita switches from +0800 to +0900 on 2016-03-27 at 02:00. (Thanks to Alexander Krivenyshev.) Asia/Tehran now has DST predictions for the year 2038 and later, to be March 21 00:00 to September 21 00:00. This is likely better than predicting no DST, albeit off by a day every now and then. Changes affecting past and future time stamps America/Metlakatla switched from PST all year to AKST/AKDT on 2015-11-01 at 02:00. (Thanks to Steffen Thorsen.) America/Santa_Isabel has been removed, and replaced with a backward compatibility link to America/Tijuana. Its contents were apparently based on a misreading of Mexican legislation. Changes affecting past time stamps Asia/Karachi's two transition times in 2002 were off by a minute. (Thanks to Matt Johnson.) (From OE-Core rev: 790315dbd2dcb5b2024948ef412f32d2788cb6b5) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit 39e231cfabda8d75906c935d2a01f37df6121b84) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzcode: update to 2016aArmin Kuster2016-02-042-25/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Change LIC_CHKSUM_FILES to License. Some files are BSD clause 3 Changes affecting build procedure An installer can now combine leap seconds with use of the backzone file, e.g., with 'make PACKRATDATA=backzone REDO=posix_right zones'. The old 'make posix_packrat' rule is now marked as obsolescent. (Thanks to Ian Abbott for an initial implementation.) Changes affecting documentation and commentary A new file LICENSE makes it easier to see that the code and data are mostly public-domain. (Thanks to James Knight.) The three non-public-domain files now use the current (3-clause) BSD license instead of older versions of that license. tz-link.htm mentions the BDE library (thanks to Andrew Paprocki), CCTZ (thanks to Tim Parenti), TimeJones.com, and has a new section on editing tz source files (with a mention of Sublime zoneinfo, thanks to Gilmore Davidson). The Theory and asia files now mention the 2015 book "The Global Transformation of Time, 1870-1950", and cite a couple of reviews. The America/Chicago entry now documents the informal use of US central time in Fort Pierre, South Dakota. (Thanks to Rick McDermid, Matt Johnson, and Steve Jones.) (From OE-Core rev: 1ee9072e16d96f95d07ec5a1f63888ce4730d60e) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit b7f292b84eea202fb13730c11452ac1957e41cf0) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* kernel-yocto: fix checkout bare-cloned kernel repositoriesJianxun Zhang2016-02-041-3/+10
| | | | | | | | | | | | | | | | | | | | | The existing code doesn't tell regular (with .git) and bare cases and just move the unpacked repo to the place of kernel source. But later steps will fail on a bare-cloned repo because we can not checkout directly in a bare cloned repo. This change performs another clone to fix the issue. Note: This change doesn't cover the case that S and WORKDIR are same and the repo is bare cloned. (From OE-Core rev: f3d0ae7b174f47170fef14a699aec22d02ea1745) Signed-off-by: Jianxun Zhang <jianxun.zhang@linux.intel.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit ccfa2ee5c4f509de4c18a7054b2a66fc874d5d69) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpcre: bug fixes include securityArmin Kuster2016-01-301-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [Yocto # 9008] This is the next patch release for pcre. The 8.xx series now only contains bug fixes. http://www.pcre.org/original/changelog.txt The following security fixes are included: CVE-2015-3210 pcre: heap buffer overflow in pcre_compile2() / compile_regex() CVE-2015-3217 pcre: stack overflow in match() CVE-2015-5073 CVE-2015-8388 pcre: Buffer overflow caused by certain patterns with an unmatched closing parenthesis CVE-2015-8380 pcre: Heap-based buffer overflow in pcre_exec CVE-2015-8381 pcre: Heap Overflow in compile_regex() CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group CVE-2015-8384 pcre: Buffer overflow caused by recursive back reference by name within certain group CVE-2015-8385 pcre: Buffer overflow caused by forward reference by name to certain group CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion CVE-2015-8387 pcre: Integer overflow in subroutine calls CVE-2015-8389 pcre: Infinite recursion in JIT compiler when processing certain patterns CVE-2015-8390 pcre: Reading from uninitialized memory when processing certain patterns CVE-2015-8392 pcre: Buffer overflow caused by certain patterns with duplicated named groups CVE-2015-8393 pcre: Information leak when running pcgrep -q on crafted binary CVE-2015-8394 pcre: Integer overflow caused by missing check for certain conditions CVE-2015-8395 pcre: Buffer overflow caused by certain references CVE-2016-1283 pcre: Heap buffer overflow in pcre_compile2 causes DoS (From OE-Core rev: 3e403cc1bdeefd4f39e54bae2269ca56307e8468) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Security fix CVE-2015-7295Armin Kuster2016-01-304-0/+176
| | | | | | | | | CVE-2015-7295 Qemu: net: virtio-net possible remote DoS (From OE-Core rev: 74771f8c41aaede0ddfb86983c6841bd1f1c1f0f) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Security fix CVE-2016-1568Armin Kuster2016-01-302-0/+47
| | | | | | | | | CVE-2016-1568 Qemu: ide: ahci use-after-free vulnerability in aio port commands (From OE-Core rev: 166c19df8be28da255cc68032e2d11afc59d4197) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Security fix CVE-2015-8345Armin Kuster2016-01-302-0/+74
| | | | | | | | | CVE-2015-8345 Qemu: net: eepro100: infinite loop in processing command block list (From OE-Core rev: 99ffcd66895e4ba064542a1797057e45ec4d3220) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Security fix CVE-2015-7512Armin Kuster2016-01-302-0/+45
| | | | | | | | | CVE-2015-7512 Qemu: net: pcnet: buffer overflow in non-loopback mod (From OE-Core rev: e6e9be51f77c9531f49cebe0ca6b495c23cf022d) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Security fix CVE-2015-7504Armin Kuster2016-01-302-0/+57
| | | | | | | | | CVE-2015-7504 Qemu: net: pcnet: heap overflow vulnerability in loopback mode (From OE-Core rev: b01b569d7d7e651a35fa38750462f13aeb64a2f3) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Security fix CVE-2015-8504Armin Kuster2016-01-302-0/+52
| | | | | | | | | CVE-2015-8504 Qemu: ui: vnc: avoid floating point exception (From OE-Core rev: c622bdd7133d31d7fbefe87fb38187f0aea4b592) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Security fix CVE-2016-0701Armin Kuster2016-01-303-0/+260
| | | | | | | | | CVE-2016-0701 OpenSSL: DH small subgroups (From OE-Core rev: c5868a7cd0a28c5800dfa4be1c9d98d3de08cd12) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Security fix CVE-2015-3197Armin Kuster2016-01-302-0/+64
| | | | | | | | | CVE-2015-3197 OpenSSL: SSLv2 doesn't block disabled ciphers (From OE-Core rev: b387d9b8dff8e2c572ca14f9628ab8298347fd4f) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2015-8784Armin Kuster2016-01-302-0/+74
| | | | | | | | | CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode() (From OE-Core rev: 3e89477c8ad980fabd13694fa72a0be2e354bbe2) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: Security fix CVE-2015-8781Armin Kuster2016-01-302-0/+197
| | | | | | | | | CVE-2015-8781 libtiff: out-of-bounds writes for invalid images (From OE-Core rev: 29c80024bdb67477dae47d8fb903feda2efe75d4) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bind: CVE-2015-8704 and CVE-2015-8705Derek Straka2016-01-303-0/+74
| | | | | | | | | | | | | | | | | | | | | CVE-2015-8704: Allows remote authenticated users to cause a denial of service via a malformed Address Prefix List record CVE-2015-8705: When debug logging is enabled, allows remote attackers to cause a denial of service or have possibly unspecified impact via OPT data or ECS option [YOCTO 8966] References: https://kb.isc.org/article/AA-01346/0/BIND-9.10.3-P3-Release-Notes.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8704 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8705 (From OE-Core rev: 78ceabeb2df55194f16324d21ba97e81121f996b) Signed-off-by: Derek Straka <derek@asterius.io> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* rpmresolve.c: Fix unfreed pointers that keep DB openedMariano Lopez2016-01-301-4/+6
| | | | | | | | | | | | | | | | | | | | | There are some unfreed rpmmi pointers in printDepList() function; this happens when the package have null as the requirement. This patch fixes these unfreed pointers and add small changes to keep consistency with some variables. [YOCTO #8028] (From OE-Core master rev: da7aa183f94adc1d0fff5bb81e827c584f9938ec) (From OE-Core rev: 409f19280983b8100a27a773cefbff187cca737a) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssh: CVE-2016-1907Armin Kuster2016-01-304-1/+431
| | | | | | | | | | | | | | | | This issue requires three commits: https://anongit.mindrot.org/openssh.git/commit/?id=ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c https://anongit.mindrot.org/openssh.git/commit/?id=f98a09cacff7baad8748c9aa217afd155a4d493f https://anongit.mindrot.org/openssh.git/commit/?id=2fecfd486bdba9f51b3a789277bb0733ca36e1c0 (From OE-Core master rev: a42229df424552955c0ac62da1063461f97f5938) (From OE-Core rev: 50f46e40fa2d1d126294874765f90ed5bdee0f15) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glibc: CVE-2015-8776Armin Kuster2016-01-302-0/+156
| | | | | | | | | | | | it was found that out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information. (From OE-Core rev: b9bc001ee834e4f8f756a2eaf2671aac3324b0ee) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glibc: CVE-2015-9761Armin Kuster2016-01-303-0/+1426
| | | | | | | | | | | | A stack overflow vulnerability was found in nan* functions that could cause applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (From OE-Core rev: fd3da8178c8c06b549dbc19ecec40e98ab934d49) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glibc: CVE-2015-8779Armin Kuster2016-01-302-0/+263
| | | | | | | | | | | | A stack overflow vulnerability in the catopen function was found, causing applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (From OE-Core rev: af20e323932caba8883c91dac610e1ba2b3d4ab5) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glibc: CVE-2015-8777.patchArmin Kuster2016-01-302-0/+124
| | | | | | | | | | | | The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>