From 2345af9b4829ed3eed5abf60f2483055649f8af7 Mon Sep 17 00:00:00 2001 From: Richard Purdie Date: Thu, 2 Mar 2017 12:04:08 +0000 Subject: recipes: Move out stale GPLv2 versions to a seperate layer These are recipes where the upstream has moved to GPLv3 and these old versions are the last ones under the GPLv2 license. There are several reasons for making this move. There is a different quality of service with these recipes in that they don't get security fixes and upstream no longer care about them, in fact they're actively hostile against people using old versions. The recipes tend to need a different kind of maintenance to work with changes in the wider ecosystem and there needs to be isolation between changes made in the v3 versions and those in the v2 versions. There are probably better ways to handle a "non-GPLv3" system but right now having these in OE-Core makes them look like a first class citizen when I believe they have potential for a variety of undesireable issues. Moving them into a separate layer makes their different needs clearer, it also makes it clear how many of these there are. Some are probably not needed (e.g. mc), I also wonder whether some are useful (e.g. gmp) since most things that use them are GPLv3 only already. Someone could now more clearly see how to streamline the list of recipes here. I'm proposing we mmove to this separate layer for 2.3 with its future maintinership and testing to be determined in 2.4 and beyond. (From OE-Core rev: 19b7e950346fb1dde6505c45236eba6cd9b33b4b) Signed-off-by: Richard Purdie --- .../grep/grep-2.5.1a/grep-CVE-2012-5667.patch | 33 ---------------------- 1 file changed, 33 deletions(-) delete mode 100644 meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch (limited to 'meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch') diff --git a/meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch b/meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch deleted file mode 100644 index a40a9f30bc..0000000000 --- a/meta/recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch +++ /dev/null @@ -1,33 +0,0 @@ -The patch to fix CVE-2012-5667 -Reference: https://bugzilla.redhat.com/attachment.cgi?id=686605&action=diff - -Multiple integer overflows in GNU Grep before 2.11 might allow -context-dependent attackers to execute arbitrary code via vectors -involving a long input line that triggers a heap-based buffer overflow. - -http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5667 - -Upstream-Status: Inappropriate [other] -This version of GNU Grep has been abandoned upstream and they are no longer -accepting patches. This is not a backport. -CVE: CVE-2012-5667 - -Signed-off-by: Ming Liu ---- - grep.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - ---- a/src/grep.c 2013-05-15 13:39:33.359191769 +0800 -+++ a/src/grep.c 2013-05-15 13:50:22.609191882 +0800 -@@ -306,6 +306,11 @@ fillbuf (size_t save, struct stats const - int cc = 1; - char *readbuf; - size_t readsize; -+ const size_t max_save = INT_MAX / 2; -+ -+ /* Limit the amount of saved data to INT_MAX to fix CVE-2012-5667 */ -+ if (save > max_save) -+ error (2, 0, _("line too long")); - - /* Offset from start of buffer to start of old stuff - that we want to save. */ -- cgit v1.2.3-54-g00ecf