<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-devtools/perl, branch sumo</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=sumo</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=sumo'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2018-11-16T16:33:08+00:00</updated>
<entry>
<title>perl: skip tests that are not useful</title>
<updated>2018-11-16T16:33:08+00:00</updated>
<author>
<name>Anuj Mittal</name>
<email>anuj.mittal@intel.com</email>
</author>
<published>2018-10-16T02:47:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8cc8988943e4c91d72db83865acdf67880e3bbb7'/>
<id>urn:sha1:8cc8988943e4c91d72db83865acdf67880e3bbb7</id>
<content type='text'>
Some tests, like the one that compares the hashes for a list of files
against those stored in a .dat file, don't make sense for downstream
distros packaging perl.

Backport a patch from upstream that allows skipping of these tests at
runtime. Also remove the local patch trying to keep hashes up-to-date
for one of those tests.

Fixes [YOCTO #12787]

(From OE-Core rev: 557f4618b75b8739a647e46054ab587ae2bbdc25)

(From OE-Core rev: 7157e7804b21a84ecbd809b6e171106d7ddc86a6)

Signed-off-by: Anuj Mittal &lt;anuj.mittal@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>perl: CVE-2018-12015</title>
<updated>2018-08-29T14:23:51+00:00</updated>
<author>
<name>Jagadeesh Krishnanjanappa</name>
<email>jkrishnanjanappa@mvista.com</email>
</author>
<published>2018-08-22T11:41:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=90cb0ee1c217a8eeaeccb237541dcc6fda057efc'/>
<id>urn:sha1:90cb0ee1c217a8eeaeccb237541dcc6fda057efc</id>
<content type='text'>
Remove existing files before overwriting them

Archive should extract only the latest same-named entry.
Extracted regular file should not be writtent into existing block
device (or any other one).

https://rt.cpan.org/Ticket/Display.html?id=125523

Affects perl &lt;= 5.26.2

(From OE-Core rev: ca005cd857f8e79b135c43526d5b792478a07eb3)

Signed-off-by: Jagadeesh Krishnanjanappa &lt;jkrishnanjanappa@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>perl: CVE-2018-6913</title>
<updated>2018-08-29T14:23:51+00:00</updated>
<author>
<name>Jagadeesh Krishnanjanappa</name>
<email>jkrishnanjanappa@mvista.com</email>
</author>
<published>2018-08-22T11:41:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=4f6ff3e60c132a5bf3633b8222ba2a9e003f8ebe'/>
<id>urn:sha1:4f6ff3e60c132a5bf3633b8222ba2a9e003f8ebe</id>
<content type='text'>
(perl #131844) fix various space calculation issues in
 pp_pack.c

- for the originally reported case, if the start/cur pointer is in the
  top 75% of the address space the add (cur) + glen addition would
  overflow, resulting in the condition failing incorrectly.

- the addition of the existing space used to the space needed could
  overflow, resulting in too small an allocation and a buffer overflow.

- the scaling for UTF8 could overflow.

- the multiply to calculate the space needed for many items could
  overflow.

For the first case, do a space calculation without making new pointers.

For the other cases, detect the overflow and croak if there's an
overflow.

Originally this used Size_t_MAX as the maximum size of a memory
allocation, but for -DDEBUGGING builds realloc() throws a panic for
allocations over half the address space in size, changing the error
reported for the allocation.

For non-DEBUGGING builds the Size_t_MAX limit has the small chance
of finding a system that has 3GB of contiguous space available, and
allocating that space, which could be a denial of servce in some cases.

Unfortunately changing the limit to half the address space means that
the exact case with the original issue can no longer occur, so the
test is no longer testing against the address + length issue that
caused the original problem, since the allocation is failing earlier.

One option would be to change the test so the size request by pack is
just under 2GB, but this has a higher (but still low) probability that
the system has the address space available, and will actually try to
allocate the memory, so let's not do that.

Note: changed
plan tests =&gt; 14713;
to
plan tests =&gt; 14712;
in a/t/op/pack.t
to apply this patch on perl 5.24.1.

Affects perl &lt; 5.26.2

(From OE-Core rev: 0542779d2f1a8977a732800a8998fd88971c0c1d)

Signed-off-by: Jagadeesh Krishnanjanappa &lt;jkrishnanjanappa@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>perl: CVE-2018-6797</title>
<updated>2018-08-29T14:23:51+00:00</updated>
<author>
<name>Jagadeesh Krishnanjanappa</name>
<email>jkrishnanjanappa@mvista.com</email>
</author>
<published>2018-08-22T11:41:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=69728984e3946a4f23f7c1a9c7d14da1b985fc48'/>
<id>urn:sha1:69728984e3946a4f23f7c1a9c7d14da1b985fc48</id>
<content type='text'>
(perl #132227) restart a node if we change to uni rules within the node and encounter...
This could lead to a buffer overflow.

(cherry picked from commit a02c70e35d1313a5f4e245e8f863c810e991172d)

Affects perl &gt;= 5.18 &amp;&amp; perl &lt;= 5.26

(From OE-Core rev: 109ffd1b3d10753bfd711a14ad59b194ca3ce831)

Signed-off-by: Jagadeesh Krishnanjanappa &lt;jkrishnanjanappa@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>perl: CVE-2018-6798</title>
<updated>2018-08-29T14:23:51+00:00</updated>
<author>
<name>Jagadeesh Krishnanjanappa</name>
<email>jkrishnanjanappa@mvista.com</email>
</author>
<published>2018-08-22T11:41:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7273f1183faee42e2da82ecdb3056312043e01a0'/>
<id>urn:sha1:7273f1183faee42e2da82ecdb3056312043e01a0</id>
<content type='text'>
* CVE-2018-6798-1
 The proximal cause is several instances in regexec.c of the code
 assuming that the input was valid UTF-8, whereas the input was too short
 for what the start byte claimed it would be.

 I grepped through the core for any other similar uses, and did not find
 any.

 (cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84)

* CVE-2018-6798-2
 The first patch for 132063 prevented the buffer read overflow when
 dumping the warning but didn't fix the underlying problem.

 The next change treats the supplied buffer correctly, preventing the
 non-UTF-8 SV from being treated as UTF-8, preventing the warning.

 (cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f)

Affects perl &gt;= 5.22 &amp;&amp; perl &lt;= 5.26

(From OE-Core rev: 4aaf09b9d657b1c2df85bf509008beacd6a00342)

Signed-off-by: Jagadeesh Krishnanjanappa &lt;jkrishnanjanappa@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>perl: native modules will not trigger build perl for target.</title>
<updated>2018-06-15T16:56:57+00:00</updated>
<author>
<name>Krzysztof Taborski</name>
<email>taborskikrzysztof@gmail.com</email>
</author>
<published>2018-05-08T16:46:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5878d5d3f9bab146caa9d4a62861e613d438ff41'/>
<id>urn:sha1:5878d5d3f9bab146caa9d4a62861e613d438ff41</id>
<content type='text'>
Currently building perl-native modules triggers
build perl for target due to PACKAGES_DYNAMIC regex.

This commit will cause, that perl native modules will
trigger perl-native build.

(From OE-Core rev: 7dd9772eca6df52db09b65537fdf689f1aa3fd8f)

(From OE-Core rev: 3ad793c9ae1eb0b0599078298d55a37042f11239)

Signed-off-by: Krzysztof Taborski &lt;taborskikrzysztof@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>perl: fix CVE-2017-12837</title>
<updated>2018-06-15T16:56:57+00:00</updated>
<author>
<name>Hongxu Jia</name>
<email>hongxu.jia@windriver.com</email>
</author>
<published>2018-04-24T07:37:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=06b5932512251287a966eab9f43031f46dc296ec'/>
<id>urn:sha1:06b5932512251287a966eab9f43031f46dc296ec</id>
<content type='text'>
https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5

(From OE-Core rev: bd53256e165f5bb59a28d77a466d71fce39080fa)

(From OE-Core rev: 5f808ec161d1604ffd1744f5d488b0ca9fc8f50f)

Signed-off-by: Hongxu Jia &lt;hongxu.jia@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>perl: Security fix CVE-2017-12883</title>
<updated>2018-04-23T16:26:05+00:00</updated>
<author>
<name>Armin Kuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2018-04-22T01:00:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b90e69401730310daa2bb09378cda8a833bb2e01'/>
<id>urn:sha1:b90e69401730310daa2bb09378cda8a833bb2e01</id>
<content type='text'>
Affects: Perl  &lt; 5.24.3-rc1 and  5.26.x before 5.26.1-RC1

(From OE-Core rev: 60ebf7fcb7bfcef8a8e0cd52e737b082623ff109)

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>meta: add missing Signed-off-by and Upstream-Status tags</title>
<updated>2018-04-13T15:58:07+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2018-04-09T17:16:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b452ba687b0314191f6258a22799575710170e8d'/>
<id>urn:sha1:b452ba687b0314191f6258a22799575710170e8d</id>
<content type='text'>
(From OE-Core rev: 4612441b59fd8264fdd5bd4f3e5d195f6085c94c)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>nativesdk-glibc: Split glibc and libcrypt to use libxcrypt instead</title>
<updated>2018-04-07T21:34:45+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2018-04-06T12:53:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=29f65bda6d2c9fea4adb125c4857ee64f9312b9f'/>
<id>urn:sha1:29f65bda6d2c9fea4adb125c4857ee64f9312b9f</id>
<content type='text'>
Fedora28[1] has decided to go ahead and use libxcrypt to replace libcrypt from glibc
despite the change not having merged into glibc upstream yet. This breaks the use of
uninative in OE on fedora28 since binaries there are now using new symbols only found
in libxcrypt. libxcrypt is meant to be backwards compatible with libcrypt but not the
reverse.

Since this will impact OE in the next release cycle, this changes nativesdk only
to use this new model and adds libxcrypt to work in that case. This allows us to
build a uninative which is compatible with fedora28 and previous other OSes.

In order to work, recipes will now need to depend on virtual/crypt where they use
libcrypt since its now a separate library and we can't depend on it from glibc to
preseve backwards compatibility since glibc needs to build first. For now, only the
problematic nativesdk recipes have been fixed up. For target use, the default
provider remains glibc for now. Assuming this change is merged into upstream glibc,
we will need to roll this change out for the target but we will do this in the next
release cycle when we can better deal with the resulting bugs.

[1] https://fedoraproject.org/wiki/Changes/Replace_glibc_libcrypt_with_libxcrypt

Original patch from Charles-Antoine Couret &lt;charles-antoine.couret@essensium.com&gt;,
tweaked by RP to add virtual provides, SkipRecipe for libxcrypt and other minor
tweaks.

(From OE-Core rev: c1573cb7faeb296fe7077a60d02443d5ed5bded0)

Signed-off-by: Charles-Antoine Couret &lt;charles-antoine.couret@essensium.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
