| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The upstream fix for CVE-2016-2037 introduced a read from uninitialized memory
bug when appending to an existing archive, which is an operation we perform when
building an image.
(From OE-Core rev: 046e3e1fca925febf47b3fdd5d4e9ee2e1fad868)
(From OE-Core rev: 2ff6ab2e2944c6a53523b4b1611e1d22f6393500)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows
remote attackers to cause a denial of service (out-of-bounds write)
via a crafted cpio file."
https://nvd.nist.gov/vuln/detail/CVE-2016-2037
Note that there appear to be two versions of this fix. The original
patch posted to the bug-cpio mailing list [1] is used by Debian [2],
but apparently causes regression [3]. The patch accepted to the
upstream git repo [4] seems to be the most complete fix.
[1] https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html
[2] https://security-tracker.debian.org/tracker/CVE-2016-2037
[3] https://www.mail-archive.com/bug-cpio@gnu.org/msg00584.html
[4] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b
(From OE-Core rev: f170288ac706126e69a504a14d564b2e5c3513e4)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 7dad119dd0ee82b14a82b2a0b5a89f790e3bc007)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
| |
Merge contents of cpio_v2.inc into the only recipe which uses it.
(From OE-Core rev: 162ff3871779d646dadc7e7287f4667641d6e612)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the file is expected to exist, then we should always be using require
so that if it doesn't we get an error rather than some other more
obscure failure later on.
(From OE-Core rev: 603ae6eb487489e65da69c68e532cb767ccc1fc2)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop backported patches:
Fix-symlink-bad-length-test-for-64-bit-architectures.patch
fix-memory-overrun.patch
fix-testcase-symlink-bad-lengths.patch
0001-fix-testcase-of-symlink-bad-length.patch
statdef.patch is fixing code that doesn't exist anymore.
The problem handled by remove-gets.patch has been fixed differently.
The CVE-2015-1197 has been ignored by upstream and had to be rebased:
http://lists.gnu.org/archive/html/bug-cpio/2015-09/msg00007.html
(From OE-Core rev: feeaa86eb8b1071d56eb6d7ad7120aa389c736a0)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|