Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-2.5.3 2018-11-16T16:33:09+00:00 2018-11-16T16:33:09+00:00 Chen Qi Qi.Chen@windriver.com 2018-10-19T02:43:15+00:00 urn:sha1:24132c45bcefee4fa1d9de11da1c636ee7584832 Backport patch to fix the following CVE. CVE: CVE-2018-14647 (From OE-Core rev: 68e51756f67499081c3c53cff6c5c1efdf4b60f0) (From OE-Core rev: c566c8d6525a263a48035d4de5249780ab08e521) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-16T16:33:09+00:00 Chen Qi Qi.Chen@windriver.com 2018-10-19T02:43:14+00:00 urn:sha1:87f8184671afda5fb33cca2533bf969aa8b95c9b Backport a patch to fix the following CVE. CVE: CVE-2018-1000802 (From OE-Core rev: c0343f1035af98cb451eea0de94c16fe89ffdf48) (From OE-Core rev: 64d0cfb0f2291434f3ceacff99015f6a35942868) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-16T16:33:09+00:00 Ross Burton ross.burton@intel.com 2018-10-12T13:44:03+00:00 urn:sha1:1e88059649a043f9ba06c6eabf9a3a75b01bf768 Python uses AC_RUN_IFELSE to determine the byte order for floats and doubles, and falls back onto "I don't know" if it can't run code. This results in crippled floating point numbers in Python, and the regression tests fail. Instead of running code, take a macro from autoconf-archive which compiles C with a special double in which has an ASCII representation, and then greps the binary to identify the format. This is essentially a backport of the Python 3 patch in oe-core 1781b87. (From OE-Core rev: 94cea72a23a374eb616d5642977b45172537beac) (From OE-Core rev: ceae3eb0d8a0ee69182cf4f4cfa5a6a3814df1f8) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-16T16:33:09+00:00 Ross Burton ross.burton@intel.com 2018-10-12T11:55:02+00:00 urn:sha1:74408fe75017ea3ce42a9cdc46ab179320bb295f As the manifest handling is done differently now, just inherit ptest with the other inherits. test_shutil needs unzip so add to RDEPENDS. Instead of using a patched Makefile, call test.regrtest directly. (From OE-Core rev: 84f34ad223b1e3f36cab2ac12246eb90efc919bc) (From OE-Core rev: c4647674da480c5925178cd821ce2d485c7467b7) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-11-16T16:33:09+00:00 Derek Straka derek@asterius.io 2018-06-30T11:37:35+00:00 urn:sha1:62f52fdda08e2a8fad08b94ce326cae12e4b8757 Update to the latest stable version License-Update: Copyright year updated to include 2018 Remove the alignment patch that is included upstream (From OE-Core rev: 855020053906478cea164ed254c08bedce48479d) (From OE-Core rev: ab2dd15f72a94cce528276e6e3e38c56677e7ba4) Signed-off-by: Derek Straka <derek@asterius.io> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Bug fix update only, drop patches included in update] Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-10-18T10:08:53+00:00 Sinan Kaya okaya@kernel.org 2018-10-05T00:39:08+00:00 urn:sha1:97ee1f80870745bf6c542ee2f184c9e468672714 * CVE-2018-1060 Prevent low-grade poplib REDOS: The regex to test a mail server's timestamp is susceptible to catastrophic backtracking on long evil responses from the server. Happily, the maximum length of malicious inputs is 2K thanks to a limit introduced in the fix for CVE-2013-1752. * CVE-2018-1061 Prevent difflib REDOS The default regex for IS_LINE_JUNK is susceptible to catastrophic backtracking. This is a potential DOS vector. Replace it with an equivalent non-vulnerable regex. Affects < 3.5.6rc1 CVE: CVE-2018-1060 CVE: CVE-2018-1061 Ref: https://access.redhat.com/security/cve/cve-2018-1060 Ref: https://access.redhat.com/security/cve/cve-2018-1061 (From OE-Core rev: 1461bcc72e6649920ecf4226e006e5667c48a21c) Signed-off-by: Sinan Kaya <okaya@kernel.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-29T14:23:51+00:00 Jagadeesh Krishnanjanappa jkrishnanjanappa@mvista.com 2018-08-22T11:41:42+00:00 urn:sha1:46d4ce537d9525a9eda357525d0d78e7b73851c7 * CVE-2018-1000030-1 [2.7] bpo-31530: Stop crashes when iterating over a file on multiple threads * CVE-2018-1000030-2 Multiple threads iterating over a file can corrupt the file's internal readahead buffer resulting in crashes. To fix this, cache buffer state thread-locally for the duration of a file_iternext call and only update the file's internal state after reading completes. No attempt is made to define or provide "reasonable" semantics for iterating over a file on multiple threads. (Non-crashing) races are still present. Duplicated, corrupt, and missing data will happen. This was originally fixed by 6401e56, which raised an exception from seek() and next() when concurrent operations were detected. Alas, this simpler solution breaks legitimate use cases such as capturing the standard streams when multiple threads are logging. Affects python <= 2.7.14 (From OE-Core rev: 4b6c84e0f950f839bfb8c40f197197f838d8b733) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-08-04T06:42:20+00:00 Ross Burton ross.burton@intel.com 2018-07-30T21:59:06+00:00 urn:sha1:72d2148535ca515a3adf2200ae253c5f0507199c (From OE-Core rev: 910f68c9c8dc26e12d28ef29e956af63d100f121) (From OE-Core rev: 04c2d53ef48a09747d0577d9ec1ffa548d247615) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Martin Hundebøll <martin@geanix.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-07-02T10:41:25+00:00 Martin Kelly mkelly@xevo.com 2018-06-01T21:02:35+00:00 urn:sha1:28b0c96473f821bcf754fda59a6ef3ef1bb63d58 Currently, $HOME/.local is being added into sys.path in the Python SDK causing subtle host contamination. Suppress this by exporting PYTHONNOUSERSITE = "1" as documented in PEP 370. This issue occurred in the past for python*-native and was fixed similarly in OE-core commit 8fe9fb4d5a61dcbcb3fc5b9ee0234cc135af873f ("python*native.bbclass: suppress user site dirs"). (From OE-Core rev: 0dc36439cb9fe1cea50bed59da6302f78372a30b) (From OE-Core rev: 376827d359a3769ee6477eac6e6b349a2050a867) Signed-off-by: Martin Kelly <mkelly@xevo.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-06-15T16:56:57+00:00 Joe Slater joe.slater@windriver.com 2018-04-23T17:21:42+00:00 urn:sha1:3452141b0204f70896969d32602eadb4852fd731 Redefiine regen-all in Makefile to invoke regen-importlib after building other regen- targets. Change the recipe to not build it before regen-all. This avoids trying to build it multiple times, which can occasionally fail. (From OE-Core rev: 72d62c9af07bf34bb8fbb3958742eb592985acc2) (From OE-Core rev: 5b9af58be9194233a05a10c3e5b5efd053cc28d2) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>