Richard Purdie [Thu, 29 Aug 2019 11:10:16 +0000 (12:10 +0100)]
ca-certificates: Fix reproducibilty and multilib issue
This command was dependent on the order of files on the disk and for multilib builds
could result in:
Error: Transaction check error:
file /etc/ca-certificates.conf conflicts between attempted installs of ca-certificates-20190110-r0.core2_32 and lib64-ca-certificates-20190110-r0.x86_64
Sorting the file makes things deterministic.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c8f329fc562c9eecdcc1cb10d2c7661f44110fb4) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 73ebdcaedde460108f98971f037e50e9b15c9f0c) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
License-Update: URI fix Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 87acc51a7892524a22640bf9eba46c11701365d6) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
André Draszik [Thu, 29 Mar 2018 15:43:19 +0000 (16:43 +0100)]
ca-certificates: use relative symlinks from $ETCCERTSDIR
update-ca-certificates symlinks (trusted) certificates
from $CERTSDIR or $LOCALCERTSDIR into $ETCCERTSDIR.
update-ca-certificates can call hook scripts installed
into /etc/ca-certificates/update.d. Those scripts are
passed the pem file in /etc/ssl/certs/ that was added or
removed in this run and those pem files are absolute
symlinks into $CERTSDIR or $LOCALCERTSDIR at the moment.
When running update-ca-certificates during image build
time, they thusly all point into the host's file system,
not into the $SYSROOT. This means:
* the host's file system layout must match the one
produced by OE, and
* it also means that the host must have installed the same
(or more) certificates as the target in $CERTSDIR and
$LOCALCERTSDIR
This is a problem when wanting to execute hook scripts,
because they all need to be taught about $SYSROOT, and
behave differently depending on whether they're called
at image build time, or on the target, as otherwise they
will be trying to actually read the host's certificates
from $CERTSDIR or $LOCALCERTSDIR.
This also is a problem when running anything else during
image build time that depends on the trusted CA
certificates.
Changing the symlink to be relative solves all of these
problems. At the same time, we have to make sure to add
$CERTSDIR to SYSROOT_DIRS, so that the symlinks are still
valid when somebody DEPENDS on ca-certificates-native. As
a side-effect, this also fixes a problem in meta-java,
where some recipes (e.g. openjdk-8-native) try to access
certificates from $CERTSDIR to generate the java trustStore
at build time.
Do so.
Upstream-Status: Inappropriate [OE-specific] Signed-off-by: André Draszik <andre.draszik@jci.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 09bb7718d74573be9a5db4d0737fb14126f6489c) Signed-off-by: Andreas Oberritter <obi@opendreambox.org> [edited]
Mikko Rapeli [Mon, 26 Mar 2018 11:57:58 +0000 (14:57 +0300)]
ca-certificates: change SRC_URI from Debian anonscm to salsa
Debian anonscm service in Alioth is shutdown and thus
fetching ca-certificates sources fails.
https://wiki.debian.org/Alioth
"Alioth is broken, and there is nobody around to fix it. Don't ask the remaining people who give it life support to implement fixes and changes. It is being replaced by a cocktail of ?GitLab (see Salsa), read-only repos and keep-alive mechanisms. See below for more information."
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit fc20ff2003cee7ee3b78ba3bc236a60a8caabc35) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
ca-certificates: run postinst script only for -target package
Nativesdk package has a special arrangement where the same thing is done
in do_install(). It was assumed (in the comment) that postinsts don't run when
installing nativesdk packages, but this was incorrect: they are run, but
any failures were previously silently ignored. Now this missing failure reporting has
been fixed, and so we get to see the failures.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 8ebb695c1429f8d57d655072a362a4f176258699) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
This is actually the same version as previously; upstream didn't have
a tag for it before and now it does, so we can reduce confusion. The SRCREV
change is due to a few added commits which modify upstream's debian
packaging (not used by us).
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 8359730165908025b0762eaa25569e2fdcd9d086) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Upstream lacks a tag for this release, so make it a PR bump.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 0b0a716b243491f026cb7b15e8f546325d6fa760) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
package_deb, ipk: improve subprocess output on package manager command
Redirecting stderr to stdout helps debugging issues, i.e instead of just
getting the return code, get also the error log from the pkg manger
This commit is in the way to figure out the root cause of [YOCTO #12012],
where dpkg-deb fails with a 2 return code and according to the man page,
there are multiple issues leading to the same code.
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 9ff023fb26f5f0ce19e757beda00ccc32c009b21) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Martin Jansa [Mon, 20 Nov 2017 19:27:43 +0000 (19:27 +0000)]
kernel.bbclass: move variables for kernel artifacts names to separate bbclass
* this makes it easier to access these variables from some other bbclass
e.g. sdcard_image-rpi.bbclass in meta-raspberry where we need to know
how some files in deploy are named, but we cannot inherit kernel.bbclass
as it's used in image recipe not kernel recipe
* alternatively we can move these to bitbake.conf like similar image variables are:
meta/conf/bitbake.conf:IMAGE_BASENAME = "${PN}"
meta/conf/bitbake.conf:IMAGE_NAME = "${IMAGE_BASENAME}-${MACHINE}-${DATETIME}"
meta/conf/bitbake.conf:IMAGE_LINK_NAME = "${IMAGE_BASENAME}-${MACHINE}"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
(cherry picked from commit cb576ccb10793329b3e245a64a8b0698a7904607) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Martin Jansa [Mon, 20 Nov 2017 18:04:58 +0000 (18:04 +0000)]
kernel.bbclass: use the consistent naming schema for initramfs
* use INITRAMFS_BASE_NAME and INITRAMFS_SYMLINK_NAME variables, like
other kernel artifacts are using
* use "${PKGE}-${PKGV}-${PKGR}-${MACHINE}-${DATETIME}" instead of
"${PV}-${PR}-${MACHINE}-${DATETIME}" to be consistent with other files
* allow to modify default symlink name with INITRAMFS_SYMLINK_NAME
instead of currently used:
initramfs_symlink_name=${type}-initramfs-${MACHINE}
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
(cherry picked from commit f3a28cfdc3ba6a0d9bff0ade86571b6df9d042b0) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Martin Jansa [Mon, 20 Nov 2017 12:09:25 +0000 (12:09 +0000)]
kernel-devicetree.bbclass: Fix and simplify instalation of DTB files
* add 2 new variables:
KERNEL_DTB_BASE_NAME
KERNEL_DTB_SYMLINK_NAME
instead of reusing KERNEL_IMAGE_SYMLINK_NAME and than expecting that
default value ${MACHINE} was being used in e.g.:
DTB_SYMLINK_NAME=`echo ${symlink_name} | sed "s/${MACHINE}/${DTB_BASE_NAME}/g"`
* install normal DTB files only once even if there is multiple entries
in KERNEL_IMAGETYPE_FOR_MAKE and don't prefix them with the type of
the kernel image, use the KERNEL_IMAGETYPE_FOR_MAKE as a prefix only
when installing them bundled with kernel or initramfs image.
* deploy the files from ${D}/${KERNEL_IMAGEDEST}/ instead of kernel
build directory, so that we don't need to call
DTB_PATH=`get_real_dtb_path_in_kernel "${DTB}"`
again in do_deploy
* create all links in do_deploy task, because default KERNEL_DTB_BASE_NAME
like KERNEL_IMAGE_BASE_NAME contains PKGR and PKGR is different in
do_install and do_deploy, because kernel.bbclass calls
meta/classes/kernel.bbclass:do_install[prefuncs] += "package_get_auto_pr"
meta/classes/kernel.bbclass:do_deploy[prefuncs] += "package_get_auto_pr"
* the filenames are a bit different, but with separate variable it
should be easier for other bbclasses which use these DTB files to
find them correctly, just use either the cannonical name
$dtb_base_name.$dtb_ext or $dtb_base_name-${KERNEL_DTB_SYMLINK_NAME}.$dtb_ext
because PKGR (and other PKG* variables) might be different in your
task and kernel.do_deploy task.
* fix DTB files being deployed with incorrect filenames when
KERNEL_IMAGE_SYMLINK_NAME isn't set to ${MACHINE}, e.g. instead of
the default:
-rw-r--r-- 2 bitbake bitbake 1.4K Nov 20 07:41 deploy/images/raspberrypi3-64/Image-1-4.9.59+git0+e7976b2aff-r0.2-lirc-rpi-20171120043031.dtbo
lrwxrwxrwx 2 bitbake bitbake 64 Nov 20 07:41 deploy/images/raspberrypi3-64/Image-lirc-rpi.dtbo -> Image-1-4.9.59+git0+e7976b2aff-r0.2-lirc-rpi-20171120043031.dtbo
lrwxrwxrwx 2 bitbake bitbake 64 Nov 20 07:41 deploy/images/raspberrypi3-64/lirc-rpi.dtbo -> Image-1-4.9.59+git0+e7976b2aff-r0.2-lirc-rpi-20171120043031.dtbo
I was getting:
-rw-r--r-- 2 bitbake bitbake 1348 Nov 20 10:28 deploy/images/raspberrypi3-64/Image-linux-raspberrypi-lirc-rpi.dtbo
lrwxrwxrwx 2 bitbake bitbake 37 Nov 20 10:28 deploy/images/raspberrypi3-64/Image-linux-raspberrypi-lirc-rpi-master-20171120102653.dtbo -> Image-linux-raspberrypi-lirc-rpi.dtbo
lrwxrwxrwx 2 bitbake bitbake 37 Nov 20 10:28 deploy/images/raspberrypi3-64/lirc-rpi.dtbo -> Image-linux-raspberrypi-lirc-rpi.dtbo
and e.g. sdcard_image-rpi.bbclass from meta-raspberrypi:
https://github.com/agherzan/meta-raspberrypi/blob/37e4e18f4a745ce8dc11f7e40a29da0859ff13c6/classes/sdcard_image-rpi.bbclass
was failing in:
mcopy -i ${WORKDIR}/boot.img -s ${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE}-${DTB_BASE_NAME}.dtb ::${DTB_BASE_NAME}.dtb
because ${KERNEL_IMAGETYPE}-${DTB_BASE_NAME}.dtb doesn't exist in my
build, due to
DTB_SYMLINK_NAME=`echo ${symlink_name} | sed "s/${MACHINE}/${DTB_BASE_NAME}/g"`
not replacing whole "${KERNEL_IMAGE_SYMLINK_NAME}" (read ${MACHINE})
with just ${DTB_BASE_NAME}
* with this change applied the deploy dir looks like this:
-rw-r--r-- 2 bitbake bitbake 1.4K Nov 20 15:49 deploy/images/raspberrypi3-64/lirc-rpi-1-4.9.59+git0+e7976b2aff-r0.8-raspberrypi3-64-20171120154716.dtbo
lrwxrwxrwx 2 bitbake bitbake 74 Nov 20 15:49 deploy/images/raspberrypi3-64/lirc-rpi.dtbo -> lirc-rpi-1-4.9.59+git0+e7976b2aff-r0.8-raspberrypi3-64-20171120154716.dtbo
lrwxrwxrwx 2 bitbake bitbake 74 Nov 20 15:49 deploy/images/raspberrypi3-64/lirc-rpi-raspberrypi3-64.dtbo -> lirc-rpi-1-4.9.59+git0+e7976b2aff-r0.8-raspberrypi3-64-20171120154716.dtbo
and works correctly even with DISTRO using different naming scheme
* the sdcard_image-rpi.bbclass still needs to be modified, I've provided
updated version here:
https://github.com/agherzan/meta-raspberrypi/pull/159
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
(cherry picked from commit 7e0e6c976396c1bc46ef3382d1d272c0ff2c765a) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Martin Jansa [Mon, 20 Nov 2017 15:43:07 +0000 (15:43 +0000)]
kernel-devicetree.bbclass: Use lowercase names for shell variables
* just to make it more clear what is local shell variable and what is
replaced by bitbake from the metadata and also to prevent the variable
to be incorrectly expanded by bitbake if someone happens to define
e.g. DTB_BASE_NAME
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
(cherry picked from commit 47dc3bd11b0fac9b50b6784aab3f3828d4ea957b) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Otavio Salvador [Thu, 21 Sep 2017 13:58:33 +0000 (10:58 -0300)]
kernel-devicetree.bbclass: Add support to generate append to kernel
The are use cases where the Device Tree appended to the kernel is
convinient, so we generate the bundle concatenating the kernel (and
potentionally the initramfs) and the Device Tree binaries.
To enable it, set KERNEL_DEVICETREE_BUNDLE variable to '1'
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit f044567326988e84e5d72040e9387c3240836ddb) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Otavio Salvador [Tue, 12 Sep 2017 20:36:06 +0000 (17:36 -0300)]
kernel: Move Device Tree support to kernel.bbclass
The Device Tree is commonly used but it is still kept as a .inc file
instead of a proper class. Instead now we move the Device Tree code to
a kernel-devicetree class and automatically enable it when the
KERNEL_DEVICETREE variable is set.
To avoid breakage in existing layers, we kept a linux-dtb.inc file
which raises a warning telling the user about the change so in next
release this can be removed.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 03a00be7f2062aefef0e51ef20a4c9737f6685e7) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Otavio Salvador [Tue, 5 Sep 2017 06:04:44 +0000 (03:04 -0300)]
kernel: Stop using update-alternatives
The update-alternatives where using relative links so not being really
in use since December 2016 (see OE-Core:c7bc46b9 "kernel: Fix
symlinks") so instead we now generate the relative symlinks during the
do_install task and drop the update-alternatives use at all.
Acked-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit 10a1b293191268e6792ac8e27bd6427f1974c7ce) Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
It is a small version of gpg which can only verify signatures. It
should be installable on its own. This matches the behaviour of
the gnupg 1.4 recipe, which was removed recently.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
package_manager/deb: let apt-get handle postinst scripts
With all required environment variables and configuration options in
apt.conf in place, apt-get is able to install packages offline, i.e.
when creating the rootfs, including the execution of postinst scripts
and updating the package database. This is new behaviour.
At the time the deleted code would have executed, its work was already
done by apt-get.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
connman: Simplify and fix packaging of VPN plug-ins
- Use simple static packaging.
- Move VPN runtime dependencies from connman to the individual plug-ins.
- Create a connmann-ppp package containing libppp-plugin.so, which is
a shared library needed by l2tp and pptp plug-ins.
- Let connman suggest VPN packages instead of recommending them, so they
don't get installed by default.
- Remove unknown configure options (--with-pptp --with-l2tp)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Armin Kuster [Thu, 3 May 2018 16:00:59 +0000 (09:00 -0700)]
ruby: Update to 2.4.4
The dot releases are maint only.
2.4.4 included:
CVE-2017-17742: HTTP response splitting in WEBrick
CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
CVE-2018-8777: DoS by large request in WEBrick
CVE-2018-8778: Buffer under-read in String#unpack
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
2.4.3 includes:
CVE-2017-17405: Command injection vulnerability in Net::FTP
Martin Jansa [Wed, 25 Apr 2018 14:07:05 +0000 (14:07 +0000)]
scripts/test-dependencies.sh: remove
* with RSS used in pyro this script isn't very useful anymore
* RSS makes sure that the dependencies are almost always deterministic
the only case known to me where dependencies are different based on
what was already built in TMPDIR are runtime dependencies resolved
by shlibs code in package.bbclass (which is using global pkgdata, not
specific to given recipe and its RSS) as described here:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=9217#c4
but for this case it's not worth running complete test-dependencies.sh
runs
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Martin Jansa [Wed, 25 Apr 2018 14:07:04 +0000 (14:07 +0000)]
sstate-diff-machines.sh: Replace MACHINE_ARCH only at the beginning and separated with dash
* I had some components where the MACHINE name was also included in PV of allarch recipe
which was tripping the script into saying that they have different signatures (because
for one MACHINE was the string in PV replaced with 'MACHINE' and not for other MACHINEs
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Ross Burton [Mon, 24 Jul 2017 20:34:49 +0000 (21:34 +0100)]
libpng: use SourceForge mirror
The Gentoo mirror also deletes old versions when they're not used, so revert
back to the canonical SourceForge site, adding /older-releases/ to MIRRORS to
handle new releases moving the version we want.
Original idea by Maxin B. John <maxin.john@intel.com>.
Daniel Díaz [Thu, 12 Apr 2018 22:55:08 +0000 (17:55 -0500)]
gdb: fix header ordering for TRAP_HWBKPT
This error can appear in gdb/nat/linux-ptrace.c because of
the order in which some headers are processed:
| In file included from ../../gdb-7.11.1/gdb/nat/linux-ptrace.c:20:0:
| ../../gdb-7.11.1/gdb/nat/linux-ptrace.h:175:22: error: expected identifier before numeric constant
| # define TRAP_HWBKPT 4
| ^
| Makefile:2357: recipe for target 'linux-ptrace.o' failed
| make[2]: *** [linux-ptrace.o] Error 1
| make[2]: *** Waiting for unfinished jobs....
| make[2]: Leaving directory '/oe/build/tmp-rpb-glibc/work/aarch64-linaro-linux/gdb/7.11.1-r0/build-aarch64-linaro-linux/gdb'
| Makefile:8822: recipe for target 'all-gdb' failed
| make[1]: *** [all-gdb] Error 2
| make[1]: Leaving directory '/oe/build/tmp-rpb-glibc/work/aarch64-linaro-linux/gdb/7.11.1-r0/build-aarch64-linaro-linux'
| Makefile:846: recipe for target 'all' failed
| make: *** [all] Error 2
A patch from GDB's current master solves the issue.
Armin Kuster [Fri, 23 Mar 2018 04:57:20 +0000 (21:57 -0700)]
distcc: Change SRC_URI
ERROR: distcc-3.2-r0 do_fetch: Fetcher failure: Unable to find revision d8b18df3e9dcbe4f092bed565835d3975e99432c in branch 3.2 even from upstream
ERROR: distcc-3.2-r0 do_fetch: Fetcher failure for URL: 'git://github.com/distcc/distcc.git;branch=3.2'. Unable to fetch URL from any source.
ERROR: distcc-3.2-r0 do_fetch: Function failed: base_do_fetch
[v2]
upstream deleted the branch and the hash no longer exists.
Took the git snapshot from yocto and created a copy on my github.
There was no offical 3.2 release, only rc versions.
Tanu Kaskinen [Wed, 21 Mar 2018 17:08:38 +0000 (19:08 +0200)]
e2fsprogs: fix compatibility with glibc 2.27
glibc 2.27 added function copy_file_range(), and e2fsprogs happens to
have a different function with the same name. The conflict made
e2fsprogs-native build fail.
Here's a backport of a fix from upstream, the fix was released in
e2fsprogs 1.43.8.
The master branch doesn't need this fix, since it has new enough
e2fsprogs version. At least rocko, pyro and morty need this, I haven't
checked older stable branches. Apparently the problematic function was
introduced in e2fsprogs version 1.43.
Niko Mauno [Fri, 16 Mar 2018 09:01:53 +0000 (11:01 +0200)]
package_manager.py: Explicit complementary fail
When running bitbake -c populate_sdk <image_name>, it is expected that
packages matching SDKIMAGE_INSTALL_COMPLEMENTARY name mask (unless
declared in PACKAGE_EXCLUDE_COMPLEMENTARY) are installed to resulting
SDK. Underlying mechanism issues a package manager install call for set
of complementary packages. However the mechanism doesn't seem to inform
the user all too obviously in case the package manager command behind
install_complementary() method fails -- and since it is combined with
attempt_only=True option, user might end up wondering why several *-dev,
*-dbg packages are missing from resulting SDK.
Improve associated install() method behaviour in affected OpkgPM and
DpkgPM classes so that a problematic state of affairs becomes directly
obvious for bitbake user, resulting in shell output like:
WARNING: someimage-1.0-r0 do_populate_sdk: Unable to install packages.
Command '...' returned 1:
Collected errors:
* Solver encountered 1 problem(s):
* Problem 1/1:
* - package somepkg-dev-1.0-r0.x86 requires somepkg = 1.0-r0, but
none of the providers can be installed
*
* Solution 1:
* - allow deinstallation of someotherpkg-1.1-r1.x86
* - do not ask to install a package providing somepkg-dev
* Solution 2:
* - do not ask to install a package providing somepkg-dev
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0d4459e7086fced5e9e0b4ad10378c9eddec56a8) Signed-off-by: Armin Kuster <akuster808@gmail.com>
Tanu Kaskinen [Sat, 31 Mar 2018 05:21:31 +0000 (08:21 +0300)]
libvorbis: CVE-2017-14632
Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing
uninitialized memory in the function vorbis_analysis_headerout() in
info.c when vi->channels<=0, a similar issue to Mozilla bug 550184.
projects / thirdparty / openembedded / openembedded-core-contrib.git / log
