summaryrefslogtreecommitdiffstats
path: root/meta
Commit message (Collapse)AuthorAgeFilesLines
* pseudo: handle fchmodat better, mask out unwanted write bitsPeter Seebach2014-05-272-1/+109
| | | | | | | | | | | | | | | | | | | | | | | It turns out that pseudo's decision not to report errors from the host system's fchmodat() can break GNU tar in a very strange way, resulting in directories being mode 0700 instead of whatever they should have been. Additionally, it turns out that if you make directories in your rootfs mode 777, that results in the local copies being mode 777, which could allow a hypothetical attacker with access to the machine to add files to your rootfs image. We should mask out the 022 bits when making actual mode changes in the rootfs. This patch represents a backport to the 1.5.1 branch of three patches from the 1.6 branch, because it took a couple of tries to get this quite right. (From OE-Core rev: 45371858129bbad8f4cfb874e237374a5ba8db4c) Signed-off-by: Peter Seebach <peter.seebach@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python-native : Add patch to fix configure error with gcc 4.8.Philip Balister2014-05-271-0/+1
| | | | | | | | | | | | | We apply this patch to the python recipe already. Without this patch the zeroc-ice-native recipe will not build. See: http://bugs.python.org/issue17547 for more details. (From OE-Core rev: 2335a8ed3748e687e7f34f21f27f8e4029d1e26b) Signed-off-by: Philip Balister <philip@balister.org> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bitbake.conf: add default ${CPAN_MIRROR}Tim Orling2014-05-271-0/+1
| | | | | | | | | | * Set default to http://search.cpan.org/CPAN/, as it should be (From OE-Core rev: 7cf349c3f1f195d529fbd73ce4bf63a439ffa4e6) Signed-off-by: Tim Orling <TicoTimo@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* mirrors.bbclass: add ${CPAN_MIRROR} optionTim Orling2014-05-271-0/+2
| | | | | | | | | | | * Perl modules fail to fetch because default CPAN site has been flaky lately. * Create option to use metacpan.org as a mirror. (From OE-Core rev: ffca381d9ad5de3e593c93274cfdb3d2ff4a447f) Signed-off-by: Tim Orling <TicoTimo@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* initramfs-live-install: avoid using grub.d/40_customRobert Yang2014-05-271-8/+7
| | | | | | | | | | | | | | | | | | | | | | | | | We have this in recipes-bsp/grub/grub/40_custom: [snip] menuentry "Linux" { set root=(hd0,1) linux /vmlinuz root=__ROOTFS__ rw __CONSOLE__ __VIDEO_MODE__ __VGA_MODE__ quiet } [snip] These lines are only for initrdscripts/files/init-install.sh, the side effect is that it would make the target's grub-mkconfig doesn't work well since the 40_custom will be installed to /etc/grub.d/40_custom, the grub-mkconfig will run the 40_custom, and there will always be a 'menuentry "Linux"' menu in grub.cfg no matter it is valid or not, we can do this in init-install.sh rather than grub to fix the problem, which is also much simpler. (From OE-Core rev: 8ae89d08454c11035eb2826a06e2243c9f2568b4) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* taglib: Force a disable of the floating dependency on boostRichard Purdie2014-05-271-0/+2
| | | | | | | | | | | | taglib appears to depend on boost if it finds it in the sysroot. Force it not to do this. Someone with better cmake skills may be able to do this in a neater way. (From OE-Core rev: 2c6c6c98416e5a458a02106524b5aa10a4b71d60) (From OE-Core rev: 87fd1d7331f6f64a9037d97672dbe66d93f276de) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* guile: Update to 2.0.11 versionChong Lu2014-05-212-68/+2
| | | | | | | | | | | Upgrade guile to 2.0.11 version and remove unneeded patch since it's included in new version. (From OE-Core rev: f1727bb18f35ff01e53d3d442a6ff3c613639fa6) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* byacc: Update to 20140422 versionChong Lu2014-05-211-2/+2
| | | | | | | | | | Upgrade byacc to 20140422 version. (From OE-Core rev: d58ab8819724cf460360458ac6e59a9c0ca7966c) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* flex: Update to 2.5.39 versionChong Lu2014-05-211-2/+2
| | | | | | | | | | Upgrade flex to 2.5.39 version. (From OE-Core rev: 701f1ae89926306dfbd19786fe0ddabc36fb485c) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0849Yue Tao2014-05-212-0/+37
| | | | | | | | | | | | | | | | The roq_decode_init function in libavcodec/roqvideodec.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted (1) width or (2) height dimension that is not a multiple of sixteen in id RoQ video data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0849 (From OE-Core rev: 1a43a8054f51fbd542f3f037dc35f8b501e455bf) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0850Yue Tao2014-05-212-0/+30
| | | | | | | | | | | | | | | The decode_slice_header function in libavcodec/h264.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted H.264 data, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0850 (From OE-Core rev: 69f3f0f94f4fd224e5a6b275207adf0539d085c3) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0856Yue Tao2014-05-212-0/+31
| | | | | | | | | | | | | | | The lpc_prediction function in libavcodec/alac.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted Apple Lossless Audio Codec (ALAC) data, related to a large nb_samples value. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0856 (From OE-Core rev: 571ccce77859435ff8010785e11627b20d8b31f4) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0854Yue Tao2014-05-212-0/+33
| | | | | | | | | | | | | | | The mjpeg_decode_scan_progressive_ac function in libavcodec/mjpegdec.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted MJPEG data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0854 (From OE-Core rev: b3d9c8f603ebdbc21cb2ba7e62f8b5ebb57c40c1) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0851Yue Tao2014-05-212-0/+30
| | | | | | | | | | | | | | | | The decode_frame function in libavcodec/eamad.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted Electronic Arts Madcow video data, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0851 (From OE-Core rev: 8c9868d074f5d09022efc9419ee09eb805f68394) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0858Yue Tao2014-05-212-0/+38
| | | | | | | | | | | | | | | The atrac3_decode_init function in libavcodec/atrac3.c in FFmpeg before 1.0.4 allows remote attackers to have an unspecified impact via ATRAC3 data with the joint stereo coding mode set and fewer than two channels. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0858 (From OE-Core rev: 0ee8754c973f5eff3ba4d00319a5308888c12b17) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0852Yue Tao2014-05-212-0/+35
| | | | | | | | | | | | | | | The parse_picture_segment function in libavcodec/pgssubdec.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted RLE data, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0852 (From OE-Core rev: 37f9371b44bd914fdd64e4c4e4448a2908512203) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0845Yue Tao2014-05-212-0/+62
| | | | | | | | | | | | | | | libavcodec/alsdec.c in FFmpeg before 1.0.4 allows remote attackers to have an unspecified impact via a crafted block length, which triggers an out-of-bounds write. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0845 (From OE-Core rev: cc6e2ee53c49206aa3377c512c3bd1de2e14a7b7) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0868Yue Tao2014-05-213-0/+150
| | | | | | | | | | | | | | | | libavcodec/huffyuvdec.c in FFmpeg before 1.1.2 allows remote attackers to have an unspecified impact via crafted Huffyuv data, related to an out-of-bounds write and (1) unchecked return codes from the init_vlc function and (2) len==0 cases. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0868 (From OE-Core rev: 29dcc2c8e834cf43e415eedefb8fce9667b3aa40) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2014-2099Yue Tao2014-05-212-0/+51
| | | | | | | | | | | | | | | | | The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.1.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2099 (From OE-Core rev: 3e27099f9aad1eb48412b07a18dcea398c18245b) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2013-0865Yue Tao2014-05-212-0/+52
| | | | | | | | | | | | | | | | The vqa_decode_chunk function in libavcodec/vqavideo.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an unspecified impact via a large (1) cbp0 or (2) cbpz chunk in Westwood Studios VQA Video file, which triggers an out-of-bounds write. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0865 (From OE-Core rev: 4a93fc0a63cedbebfdc9577e2f1deb3598fb5851) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gst-ffmpeg: fix for Security Advisory CVE-2014-2263Yue Tao2014-05-212-0/+70
| | | | | | | | | | | | | | | | The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier, allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2263 (From OE-Core rev: 70bf8c8dea82e914a6dcf67aefb6386dbc7706cd) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* distro_features_check.bbclass: fix wrong indentationSebastian Wiegand2014-05-211-2/+2
| | | | | | | | | | | To fix check of REQUIRED_DISTRO_FEATURES fix indentation in python code. [YOCTO #6349] Reported and written by: Sebastian Wiegand <sebastian.wiegand@gersys.de> (From OE-Core rev: 986db87a3931edce8be79f309d07497e4179a810) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cups: fix for cups not building without avahiSaul Wold2014-05-211-0/+190
| | | | | | | | | | | Backport upstream patch for CUPS issue: STR #4402 [YOCTO #6325] (From OE-Core rev: 7decf9dce56868e39902dac5957eb72f6e1e9acd) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* harfbuzz: upgrade to 0.9.28Cristian Iorga2014-05-211-5/+3
| | | | | | | | (From OE-Core rev: 8462728aef78debaa15e33121b3ae733049a96ab) Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libav: upgrade 9.x version to 9.13Paul Eggleton2014-05-211-2/+2
| | | | | | | | (From OE-Core rev: 937a0da0861abb7656762b2a3fb69eb275dd4a9a) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libav: upgrade 0.8.x version to 0.8.11Paul Eggleton2014-05-211-2/+2
| | | | | | | | (From OE-Core rev: 206f34ac0c0b65768ec2b553a0cb8b93fe7e5ae3) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* quilt: Update to 0.63 versionChong Lu2014-05-213-2/+3
| | | | | | | | | | | Upgrade quilt to 0.63 version and add perl-module-text-parsewords to RDEPENDS of ptest. (From OE-Core rev: 48c09163db18634e3071009b94645812ade285f4) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libpcre: Update to 8.35 versionChong Lu2014-05-211-3/+3
| | | | | | | | | | Upgrade libpcre to 8.35 version. (From OE-Core rev: 32c007bfc4fe7a0ba75644584bb80f8bdff09a01) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: fix for CVE-2010-5298Yue Tao2014-05-211-0/+24
| | | | | | | | | | | | | | | | | Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298 (From OE-Core rev: 751f81ed8dc488c500837aeb3eb41ebf3237e10b) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tiff: fix for Security Advisory CVE-2013-4231Yue Tao2014-05-212-1/+46
| | | | | | | | | | | | | | | | | | | | | | | | | | Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4231Multiple buffer overflows in libtiff before 4.0.3 allow remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) extension block in a GIF image or (2) GIF raster image to tools/gif2tiff.c or (3) a long filename for a TIFF image to tools/rgb2ycbcr.c. NOTE: vectors 1 and 3 are disputed by Red Hat, which states that the input cannot exceed the allocated buffer size. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4231 (From OE-Core rev: 19e6d05161ef9f4e5f7277f6eb35eb5d94ecf629) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: CVE-2013-1740Li Wang2014-05-212-0/+917
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the patch comes from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740 https://bugzilla.mozilla.org/show_bug.cgi?id=919877 https://bugzilla.mozilla.org/show_bug.cgi?id=713933 changeset: 10946:f28426e944ae user: Wan-Teh Chang <wtc@google.com> date: Tue Nov 26 16:44:39 2013 -0800 summary: Bug 713933: Handle the return value of both ssl3_HandleRecord calls changeset: 10945:774c7dec7565 user: Wan-Teh Chang <wtc@google.com> date: Mon Nov 25 19:16:23 2013 -0800 summary: Bug 713933: Declare the |falseStart| local variable in the smallest changeset: 10848:141fae8fb2e8 user: Wan-Teh Chang <wtc@google.com> date: Mon Sep 23 11:25:41 2013 -0700 summary: Bug 681839: Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished, r=brian@briansmith.org changeset: 10898:1b9c43d28713 user: Brian Smith <brian@briansmith.org> date: Thu Oct 31 15:40:42 2013 -0700 summary: Bug 713933: Make SSL False Start work with asynchronous certificate validation, r=wtc (From OE-Core rev: 11e728e64e37eec72ed0cb3fb4d5a49ddeb88666) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nss: CVE-2014-1492Li Wang2014-05-212-0/+69
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | the patch comes from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492 https://bugzilla.mozilla.org/show_bug.cgi?id=903885 changeset: 11063:709d4e597979 user: Kai Engert <kaie@kuix.de> date: Wed Mar 05 18:38:55 2014 +0100 summary: Bug 903885, address requests to clarify comments from wtc changeset: 11046:2ffa40a3ff55 tag: tip user: Wan-Teh Chang <wtc@google.com> date: Tue Feb 25 18:17:08 2014 +0100 summary: Bug 903885, fix IDNA wildcard handling v4, r=kaie changeset: 11045:15ea62260c21 user: Christian Heimes <sites@cheimes.de> date: Mon Feb 24 17:50:25 2014 +0100 summary: Bug 903885, fix IDNA wildcard handling, r=kaie (From OE-Core rev: a83a1b26704f1f3aadaa235bf38094f03b3610fd) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: fix for Security Advisory CVE-2013-4277Yue Tao2014-05-214-1/+33
| | | | | | | | | | | | | | | | Svnserve in Apache Subversion 1.4.0 through 1.7.12 and 1.8.0 through 1.8.1 allows local users to overwrite arbitrary files or kill arbitrary processes via a symlink attack on the file specified by the --pid-file option. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4277 (From OE-Core rev: e0e483c5b2f481240e590ebb7d6189a211450a7e) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: fix for Security Advisory CVE-2013-1847 and CVE-2013-1846Yue Tao2014-05-212-1/+55
| | | | | | | | | | | | | | | | | | | | The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via a LOCK on an activity URL. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1846 The mod_dav_svn Apache HTTPD server module in Subversion 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an anonymous LOCK for a URL that does not exist. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1847 (From OE-Core rev: 3962b76185194fa56be7f1689204a1188ea44737) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: fix for Security Advisory CVE-2013-1845Yue Tao2014-05-212-1/+173
| | | | | | | | | | | | | | | | The mod_dav_svn Apache HTTPD server module in Subversion 1.6.x before 1.6.21 and 1.7.0 through 1.7.8 allows remote authenticated users to cause a denial of service (memory consumption) by (1) setting or (2) deleting a large number of properties for a file or directory. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1845 (From OE-Core rev: 432666b84b80f8b0d13672aa94855369f577c56d) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: fix for Security Advisory CVE-2013-4131Yue Tao2014-05-212-0/+43
| | | | | | | | | | | | | | | | | The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds read) via a certain (1) COPY, (2) DELETE, or (3) MOVE request against a revision root. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4131 (From OE-Core rev: ce41ed3ca5b6ef06c02c5ca65f285e5ee8c04e7f) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: fix for Security Advisory CVE-2013-4505Yue Tao2014-05-214-1/+259
| | | | | | | | | | | | | | | | The is_this_legal function in mod_dontdothat for Apache Subversion 1.4.0 through 1.7.13 and 1.8.0 through 1.8.4 allows remote attackers to bypass intended access restrictions and possibly cause a denial of service (resource consumption) via a relative URL in a REPORT request. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4505 (From OE-Core rev: 02314673619f44e5838ddb65bbe22f9342ee6167) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: fix for Security Advisory CVE-2013-1849Yue Tao2014-05-212-0/+26
| | | | | | | | | | | | Reject operations on getcontentlength and getcontenttype properties if the resource is an activity. (From OE-Core rev: 94e8b503e8a5ae476037d4aa86f8e27d4a8c23ea) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* screen: fix for Security Advisory CVE-2009-1215Yue Tao2014-05-212-0/+28
| | | | | | | | | | | | | Race condition in GNU screen 4.0.3 allows local users to create or overwrite arbitrary files via a symlink attack on the /tmp/screen-exchange temporary file. (From OE-Core rev: be8693bf151987f59c9622b8fd8b659ee203cefc) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Screen: fix for Security Advisory CVE-2009-1214Yue Tao2014-05-212-0/+87
| | | | | | | | | | | | | GNU screen 4.0.3 creates the /tmp/screen-exchange temporary file with world-readable permissions, which might allow local users to obtain sensitive session information. (From OE-Core rev: 25a212d0154906e7a05075d015dbc1cfdfabb73a) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lttng-modules: Fix build with older kernels for 2.3.3 as 2.4.0Martin Jansa2014-05-213-123/+157
| | | | | | | | | | | Apply the change "lttng-modules: Fix 3.14 bio tracepoints" to 2.3.3 as well as 2.4.0. (From OE-Core rev: a419ad43a5b3aa5bc3aa095af4d79abe4c24b0d7) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* initrdscripts: fix for /run/mediaChen Qi2014-05-205-27/+27
| | | | | | | | | | | | | | mount.sh in udev-extraconf was modified to use /run/media instead of /media. Unfortunately, our scripts in initrdscripts have some dependency on the auto-mounting mechanism proviced by udev-extraconf. So these scripts should also be fixed to use /run/media instead /media, otherwise, our live image cannot work correctly. (From OE-Core rev: be0327b6a900be5434b6b1f08277faf2f65d5da8) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* init-live.sh: list block devices correctlyChen Qi2014-05-201-1/+1
| | | | | | | | | | | Instead of using 'ls /dev/sd*' command to list block devices, we should rather use 'cat /proc/partitions'. (From OE-Core rev: fc5dfad6490d0b3f2529f84ae9dfbd6b00b5c380) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* udev-extraconf: fix the misuse of /run/mediaChen Qi2014-05-201-1/+1
| | | | | | | | | | | | | | | | | | | The error was introduced by the following commit. acfe3014d41de5e87cdbc58d0396349c6b9c3ffd udev-extraconf: update mount.sh to use /run/media instead of /media It accidently replaced 'device/media' by 'device/run/media' which causes error for live images to be unable to boot up correctly, complaining "Cannot find rootfs.img in /media/*". This patch fixes the above problem. (From OE-Core rev: 62ae16c40252f39ba28e072218d67f47b26b3535) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* packagegroup-core-lsb: fix warning textCristiana Voicu2014-05-201-3/+3
| | | | | | | | | | There should be just one warning thrown, instead of 3. (From OE-Core rev: 7c4fefcd7836c4f94836b96a07ad414f5ac1ca11) Signed-off-by: Cristiana Voicu <cristiana.voicu@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pango: enable ptestRoss Burton2014-05-204-18/+23
| | | | | | | | | | | Install the test suite for ptest. The test suite needs some fonts to be present to depend on liberation-fonts. (From OE-Core rev: af387e788ed73130331536c7b22c6237e7c23c71) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* syslinux-native: fix parallel building issueChong Lu2014-05-202-1/+40
| | | | | | | | | | | | | | | | | | | | | | | | | There might be an error when parallel build: [snip] cp: cannot create directory `tmp/sysroots/x86_64-linux/usr/share/ syslinux/com32/include/gplinclude': No such file or directory make[4]: *** [install] Error 1 make[3]: *** [gpllib] Error 2 [snip] This is a potential issue. In ${S}/com32/gpllib/Makefile file, install target wants to copy $(SRC)/../gplinclude to $(INSTALLROOT)$(COM32DIR)/include/ directory, but in ${S}/com32/lib/Makefile file, the install target will remove $(INSTALLROOT)$(COM32DIR)/include directory. We need to do com32/lib first. The patch make com32/gpllib depends on com32/lib to fix this issue. (From OE-Core rev: cae1a039658cfb47390650ad5b56536ff19e1217) Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libusb1: disable floating dependency on udevSaul Wold2014-05-202-16/+3
| | | | | | | | | | | | libusb added support for udev, but this causes a circular dependecny between udev and libusb, so hardcode the disable here. Also remove the patch that is no longer used. (From OE-Core rev: 5c0f8111f9ec5a2c3b2826946af5132aaa13a9b9) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gstreamer/lame: Better gcc 4.9 fixRichard Purdie2014-05-153-0/+5
| | | | | | | | | | | | | | gstreamer/lame does runtime detection to enable/disable things like SSE code. Unfortunately it is broken and will try and use this even with i586 compiler flags. This change forces it back to the approach with gcc 4.8 by disabling the problematic headers. Its suboptimal but less so that the proposed previous forced enabling of SSE on x86 everywhere. (From OE-Core rev: e273301efa0037a13c3a60b4414140364d9c9873) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* rt-tests: restore erroneously deleted patch filesGary S. Robertson2014-05-154-0/+156
| | | | | | | | | | | | | | | | | | Commit "rt-tests: bump version 0.87 => 0.89" (SHA1 ID: 7996ca) erroneously deleted several patch files which were still required for proper function of the rt-tests recipe. These missing patches adversely affected builds of the hwlatdetect and hackbench utilities as well as other components. This commit restores the missing patches and allows the recipe to properly generate all the components once more. hwlatdetect and hackbench are built properly and the /usr/src/backfire directory is properly populated on the target system. (From OE-Core rev: 66daa92582a5a5643fd2e45aace1f5c009b2ded3) Signed-off-by: Gary S. Robertson <gary.robertson@linaro.org> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>