Li Wang [Mon, 10 Aug 2020 08:15:25 +0000 (16:15 +0800)]
qemu : fix CVE-2020-15863
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Li Wang <Li.Wang@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Stefan Ghinea [Fri, 21 Aug 2020 19:47:47 +0000 (22:47 +0300)]
qemu: CVE-2020-10756
An out-of-bounds read vulnerability was found in the SLiRP networking
implementation of the QEMU emulator. This flaw occurs in the
icmp6_send_echoreply() routine while replying to an ICMP echo request,
also known as ping. This flaw allows a malicious guest to leak the
contents of the host memory, resulting in possible information disclosure.
This flaw affects versions of libslirp before 4.3.1.
This test keeps failing on the autobuilder and is proving extremely
annoying. It works much better in later releases but for zeus and
earlier, lets just stop running it as it doesn't really tell us
anything useful at this point, nobody has any plans to improve
the distro exclusions or otherwise fix it in the older releases.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Wed, 9 Sep 2020 09:15:32 +0000 (10:15 +0100)]
acl: Disable parallel make install
Similiarly to attr, do_install fails on newer versions of make with interesting
and hard to debug errors. Disablle parallle make install as a workaround.
Later verisons of acl in newer releases don't have the issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Mon, 7 Sep 2020 15:33:08 +0000 (16:33 +0100)]
attr: Disable parallel make install
do_install fails on newer versions of make with interesting and hard to
debug errors. Disablle parallle make install as a workaround. Later verisons
of attr in newer releases don't have the issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Tue, 10 Mar 2020 13:02:07 +0000 (13:02 +0000)]
oeqa/selftest: Ensure buildtools in environment variables isn't replaced
This avoids the seeing broken replacements like:
oe-selftest-centos/build/build-st-926tools/sysroots/x86_64-pokysdk-linux/etc/ssl/certs/ca-certificates.crt
which understandably break builds.
Richard Purdie [Sun, 8 Mar 2020 10:20:12 +0000 (10:20 +0000)]
oeqa/testsdk: Use original PATH
We want to test the SDK with PATH from the original host, not with our own
tools injected via HOSTTOOLS. It even uses some tools which aren't in
HOSTTOOLS.
This is necessary after changing the SDK to not reset PATH to the system
default which is bad for other reasons and brings the testing into sync
with that change.
virtual/crypt-native is assume provided in bitbake.conf, so
buildtools-extended-tarball shoud provide crypt since it doesn't
use the host's headers/libraries.
Richard Purdie [Mon, 9 Mar 2020 20:59:11 +0000 (20:59 +0000)]
glibc: Update nativesdk locale relocation patch
The locale binary reported incorrect locale lists in relocated toolchains
as some path references were not relocated by this patch. Fix this missing
relocations so the locale binary correctly reports the locales.
Steve Sakoman [Fri, 12 Jun 2020 15:55:01 +0000 (05:55 -1000)]
buildtools-tarball: export OPENSSL_CONF in environment setup
The autobuilder has been experiencing SSL: CERTIFICATE_VERIFY_FAILED
errors during error report uploads when using buildtools due to looking
for certs in /opt/poky
Jeremy Puhlman [Wed, 15 Apr 2020 02:32:05 +0000 (19:32 -0700)]
buildtools-extended-tarball: Add libstc++.a
Builds like native-openjdk, really wants a to link
some tools against the static version. Since when
using the extended tarball, its the only place to
get it, add the library.
Tim Orling [Mon, 23 Dec 2019 01:18:36 +0000 (17:18 -0800)]
nativesdk-buildtools-perl-dummy: add dependencies for autoconf and automake
* For buildtools-extended-tarball, where we are adding all of build-essentials
to the nativesdk, we need additional perl modules for autoconf and automake.
Richard Purdie [Mon, 9 Mar 2020 21:09:43 +0000 (21:09 +0000)]
buildtools-extended-tarball: Add locale command
The eSDK installation code checks installed locales with the locale command which is
from glibc-utils. Add this so that we find the correct locales from the buildtools.
Trying to create a clean PATH breaks cases where we install a buildtools tarball
on hosts to provide newer versions of gcc. Rework the fix for #8698 to clean up
directories in PATH which don't exist isntead. Do it with python as the shell
version was too fraught with corner cases.
Richard Purdie [Fri, 17 Jan 2020 17:21:39 +0000 (17:21 +0000)]
binutils: Fix relocation of ld.so.conf in nativesdk builds
We need binutils to look at our ld.so.conf file within the SDK to ensure
we search the SDK's libdirs as well as those from the host system.
There add a patch which passes in the directory to the code using a define,
then add it to a section we relocate in a similar way to the way we relocate
the gcc internal paths. This ensures that ld works correctly in our buildtools
tarball.
Standard sysroot relocation doesn't work since we're not in a sysroot,
we want to use both the host system and SDK libs.
Tim Orling [Mon, 23 Dec 2019 01:18:37 +0000 (17:18 -0800)]
buildtools-extended-tarball: add recipe with build-essentials
* For some aging distros, such as CentOS 7, the native version
of gcc is simply too ancient and is a constant source of
headaches for moving forward.
* Add an extended version of buildtools-tarball which adds all
of build-essential, so that the host is now modernized and
capable of compiling the latest versions of components.
This patch fixes below error:
PCRE could allow a remote attacker to execute arbitrary
code on the system, caused by an integer overflow in
libpcre via a large number after (?C substring.
By sending a request with a large number, an attacker
can execute arbitrary code on the system or
cause the application to crash.
Konrad Weihmann [Sat, 8 Aug 2020 14:51:49 +0000 (07:51 -0700)]
pypi.bbclass: mind package suffix on version check
Some pypi packages do have suffixes like dev, or a0 or b1.
When doing a version check on these, the version will get falsely
identified as major release versions.
Add a terminating slash to rule out those false positives
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 0603f6d9f2abfa67b99b1bc39228f6aa16a0370d)
[Yocto bug #13990] Signed-off-by: Armin Kuster <akuster808@gmail.com>
Ahmad Fatoum [Mon, 20 Jul 2020 10:30:11 +0000 (12:30 +0200)]
core: glib-2.0: fix requested libmount/mkostemp/selinux not being linked in
Since 010202076760 ("meson.bbclass: avoid unexpected operating-system
names"), meson is no longer used with a cross file that appends the used
libc to the operating system name, e.g. linux-gnueabi.
Prior to that commit, the host_system == 'linux' checks in glib's meson
failed, which led to glib being compiled without libmount, mkostemp and
selinux even if explicitly requested.
As the aforementioned commit affects all recipes built by glib, it might
not be a candidate for backporting to current stable branches. To fix
just the glib issue, instances of host_system == 'linux' are patched
locally.
The patch is marked as Upstream-Status: Inappropriate as it is rendered
unnecessary for OE releases newer than Dunfell.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Master (nss version 3.54) is not affected by this issue. This is a backport
from nss version 3.54.
NSS has shown timing differences when performing DSA signatures, which was
exploitable and could eventually leak private keys. This vulnerability affects
Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
Konrad Weihmann [Sun, 26 Jul 2020 14:10:06 +0000 (16:10 +0200)]
cve-update: handle baseMetricV2 as optional
Currently in NVD DB an item popped up, which hasn't set baseMetricV2.
Let the parser handle it as an optional item.
In case use baseMetricV2 before baseMetricV3
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fdcbf3f28289188c5a97664d1421d4a5c4991eda) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ without the CVE-2020-11656 fix that did not apply cleanly ] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
He Zhe [Sat, 22 Feb 2020 03:37:24 +0000 (11:37 +0800)]
perf: Correct the substitution of python shebangs
To make the native python3 always used,
- Use sed one-liner instead
- Add substitution for ${S}/scripts/bpf_helpers_doc.py to fix the
following warning.
File "/usr/lib/python3.6/sysconfig.py", line 421, in _init_posix
_temp = __import__(name, globals(), locals(), ['build_time_vars'], 0)
ModuleNotFoundError: No module named '_sysconfigdata'
This issue is first reported by Joel Stanley <joel@jms.id.au>
The sed one-liner is credited to Anuj Mittal <anuj.mittal@intel.com>
Bruce Ashfield [Mon, 13 Jan 2020 04:41:23 +0000 (23:41 -0500)]
perf: fix build for v5.5+
In kernel 5.5+ there are python3 scripts that explicitly use
/usr/bin/python3 as the interpreter. That will find the host
python and produce undefined results.
We add that interpreter path to our substitutions to ensure
that our sysroot variant is used.
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Richard Purdie [Wed, 8 Jul 2020 21:07:58 +0000 (00:07 +0300)]
perl: Fix host specific modules problems
We were seeing a ton of empty perl modules being created such as
"perl-module-x86-64-linux-encoding" where the name would include
${TARGET_ARCH}-linux. These files were already being filtered in an
earlier do_split_packages() expression so exclude them from the latter
one to remove the pointless empty modules in PACKAGES.
This doesn't explain why some were not deterministic but will recude
the do_package execution time and clean up the build directories
at the very least.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Otavio Salvador [Wed, 8 Jul 2020 21:07:55 +0000 (00:07 +0300)]
mtd-utils: Fix return value of ubiformat
This changeset fixes a feature regression in ubiformat. Older versions
of ubiformat, when invoked with a flash-image, would return 0 in the
case no error was encountered. Upon upgrading to latest, it was
discovered that ubiformat returned 255 even without encountering an
error condition.
This changeset corrects the above issue and causes ubiformat, when given an
image file, to return 0 when no errors are detected.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
(cherry picked from commit 7ebacd9cbaec98fbc406e8ae99c9805a24fdadc6) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
(cherry picked from commit 99ae6dbb7278dfd264453af852c108fa56a0d4e3) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Kai Kang [Wed, 8 Jul 2020 21:07:53 +0000 (00:07 +0300)]
wpa-supplicant: remove service templates from SYSTEMD_SERVICE
Remove service templates wpa_supplicant-nl80211@.service and
wpa_supplicant-wired@.service from SYSTEMD_SERVICE that they should NOT
be started/stopped by calling 'systemctl' in postinst and prerm scripts.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
(cherry picked from commit fe9b8e50461ab00ab3ad8b065ebd32f0eea2a255) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
(cherry picked from commit 18129cbaeddb3278efe9963718556e3765f06c1e) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Ralph Siemsen [Wed, 8 Jul 2020 21:07:50 +0000 (00:07 +0300)]
cve-check: include epoch in product version output
In the generated cve.log files, include the epoch in the product
version. This better matches how versions are displayed elsewhere,
in particular the bb.warn("Found unpatched CVE...") that appears
on the terminal when CVEs are found.
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
(cherry picked from commit e1c3c0b6e5b01304e2127f5058986697e82adf93) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Certain recipes e.g. bash readline ( from meta-gplv2 ) download patches instead of having them in
metadata, this could fail cve_check
ERROR: readline-5.2-r9 do_cve_check: File Not found: qemuarm/build/../downloads/readline52-001
This patch ensures that download is done before running CVE scan, even
though these will be external patches and may not contain CVE tags as it
expects, but it will fix the run failures as seen above
file: add bzip2-replacement-native to DEPENDS to fix sstate issue
file-native when built on a Debian 10 host will embed a dependency to
'libbz2.so.1.0' (instead of 'libbz2.so.1'). This can cause issues
when sharing the sstate between hosts e.g.:
recipe-sysroot-native/usr/lib/rpm/rpmdeps:
error while loading shared libraries: libbz2.so.1.0: \
cannot open shared object file: No such file or directory
To avoid this situation, let's add the bzip2-replacement-native to the
file recipe's DEPENDS_class-native .
Details in https://bugzilla.yoctoproject.org/show_bug.cgi?id=13915 .
Signed-off-by: Kai Kang <kai.kang@windriver.com>
(cherry picked from commit e4a6eda4c246b2bca059defed796bdab19a7ab5f) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
haiqing [Mon, 15 Jun 2020 03:05:57 +0000 (11:05 +0800)]
libpam: Remove option 'obscure' from common-password
libpam does not support 'obscure' checks to password,
there are the same checks in pam_cracklib module.
And this fix can remove the below error message while
updating password with 'passwd':
pam_unix(passwd:chauthtok):unrecognized option[obscure]
Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ea761dbac90be77797308666fe1586b05e3df824) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Lili Li [Fri, 26 Jun 2020 05:45:56 +0000 (13:45 +0800)]
kernel.bbclass: Fix Module.symvers support
Starting from v5.8-rc1 commit 269a535ca931 (modpost: generate
vmlinux.symvers and reuse it for the second modpost"), kernel will
generate new vmlinux.symvers instead of dumping all the vmlinux symbols
into Module.symvers in the first pass.
Error log:
'run.do_shared_workdir.16614' failed with exit code 1:
DEBUG: cp: cannot stat 'Module.symvers': No such file or directory
This change will check the file Module.symvers existence before copying it.
Signed-off-by: Lili Li <lili.li@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cd2d62a08a1dfcd890a03ee55132b6d6c65f5ab7) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Paul Barker [Sat, 23 May 2020 19:16:06 +0000 (20:16 +0100)]
avahi: Don't advertise example services by default
The example service files are placed into /etc/avahi/services when we
run `make install` for avahi. This results in ssh and sftp-ssh services
being announced by default even if no ssh server is installed in an
image.
These example files should be moved away to another location such as
/usr/share/doc/avahi (taking inspiration from Arch Linux).
Signed-off-by: Paul Barker <pbarker@konsulko.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
1. They need to be run under regular user.
2. Some tests genuinely need more time than 30 seconds
3. The Makefile patch erroneously introduced a test-breaking change.
Richard Purdie [Wed, 13 May 2020 15:24:50 +0000 (10:24 -0500)]
sstatesig: Optimise get_taskhash for hashequiv
With hashequiv the get_taskhash function is called much more regularly
and contains expensive operations. This these don't change based upon
hash in a given build, improve the caching within the function to
reduce overhead.
projects / thirdparty / openembedded / openembedded-core.git / log
