| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* CVE-2018-1000030-1
[2.7] bpo-31530: Stop crashes when iterating over a file on multiple threads
* CVE-2018-1000030-2
Multiple threads iterating over a file can corrupt the file's internal readahead
buffer resulting in crashes. To fix this, cache buffer state thread-locally for
the duration of a file_iternext call and only update the file's internal state
after reading completes.
No attempt is made to define or provide "reasonable" semantics for iterating
over a file on multiple threads. (Non-crashing) races are still
present. Duplicated, corrupt, and missing data will happen.
This was originally fixed by 6401e56, which
raised an exception from seek() and next() when concurrent operations were
detected. Alas, this simpler solution breaks legitimate use cases such as
capturing the standard streams when multiple threads are logging.
Affects python <= 2.7.14
(From OE-Core rev: 4b6c84e0f950f839bfb8c40f197197f838d8b733)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
proc/readproc.c: Fix bugs and overflows in file2strvec().
Note: this is by far the most important and complex patch of the whole
series, please review it carefully; thank you very much!
For this patch, we decided to keep the original function's design and
skeleton, to avoid regressions and behavior changes, while fixing the
various bugs and overflows. And like the "Harden file2str()" patch, this
patch does not fail when about to overflow, but truncates instead: there
is information available about this process, so return it to the caller;
also, we used INT_MAX as a limit, but a lower limit could be used.
The easy changes:
- Replace sprintf() with snprintf() (and check for truncation).
- Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and
do break instead of return: it simplifies the code (only one place to
handle errors), and also guarantees that in the while loop either n or
tot is > 0 (or both), even if n is reset to 0 when about to overflow.
- Remove the "if (n < 0)" block in the while loop: it is (and was) dead
code, since we enter the while loop only if n >= 0.
- Rewrite the missing-null-terminator detection: in the original
function, if the size of the file is a multiple of 2047, a null-
terminator is appended even if the file is already null-terminated.
- Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)":
originally, it was equivalent to "if (n < 0)", but we added "tot <= 0"
to handle the first break of the while loop, and to guarantee that in
the rest of the function tot is > 0.
- Double-force ("belt and suspenders") the null-termination of rbuf:
this is (and was) essential to the correctness of the function.
- Replace the final "while" loop with a "for" loop that behaves just
like the preceding "for" loop: in the original function, this would
lead to unexpected results (for example, if rbuf is |\0|A|\0|, this
would return the array {"",NULL} but should return {"","A",NULL}; and
if rbuf is |A|\0|B| (should never happen because rbuf should be null-
terminated), this would make room for two pointers in ret, but would
write three pointers to ret).
The hard changes:
- Prevent the integer overflow of tot in the while loop, but unlike
file2str(), file2strvec() cannot let tot grow until it almost reaches
INT_MAX, because it needs more space for the pointers: this is why we
introduced ARG_LEN, which also guarantees that we can add "align" and
a few sizeof(char*)s to tot without overflowing.
- Prevent the integer overflow of "tot + c + align": when INT_MAX is
(almost) reached, we write the maximal safe amount of pointers to ret
(ARG_LEN guarantees that there is always space for *ret = rbuf and the
NULL terminator).
Affects procps-ng < 3.3.15
(From OE-Core rev: 82d873a1b73da25ae415afe0e6203693f78b88c9)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.
This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).
We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".
Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Affects shadow <= 4.5
(From OE-Core rev: a875522540372a4fa6658885692e564dfd729f54)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
gpg: Sanitize diagnostic with the original file name.
* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
(From OE-Core rev: f1c0da2bcb0587ac25176db11365d4a2a15b3d30)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
submodule-config: verify submodule names as paths
Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).
Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:
1. What should the allowed syntax be?
It's tempting to reuse verify_path(), since submodule
names typically come from in-repo paths. But there are
two reasons not to:
a. It's technically more strict than what we need, as
we really care only about breaking out of the
$GIT_DIR/modules/ hierarchy. E.g., having a
submodule named "foo/.git" isn't actually
dangerous, and it's possible that somebody has
manually given such a funny name.
b. Since we'll eventually use this checking logic in
fsck to prevent downstream repositories, it should
be consistent across platforms. Because
verify_path() relies on is_dir_sep(), it wouldn't
block "foo\..\bar" on a non-Windows machine.
2. Where should we enforce it? These days most of the
.gitmodules reads go through submodule-config.c, so
I've put it there in the reading step. That should
cover all of the C code.
We also construct the name for "git submodule add"
inside the git-submodule.sh script. This is probably
not a big deal for security since the name is coming
from the user anyway, but it would be polite to remind
them if the name they pick is invalid (and we need to
expose the name-checker to the shell anyway for our
test scripts).
This patch issues a warning when reading .gitmodules
and just ignores the related config entry completely.
This will generally end up producing a sensible error,
as it works the same as a .gitmodules file which is
missing a submodule entry (so "submodule update" will
barf, but "git clone --recurse-submodules" will print
an error but not abort the clone.
There is one minor oddity, which is that we print the
warning once per malformed config key (since that's how
the config subsystem gives us the entries). So in the
new test, for example, the user would see three
warnings. That's OK, since the intent is that this case
should never come up outside of malicious repositories
(and then it might even benefit the user to see the
message multiple times).
Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.
Affects: git < 2.13.7 and git < 2.14.4 and git < 2.15.2 and git < 2.16.4 and
git < 2.17.1
(From OE-Core rev: 229bb7cd70c79944d54696d50f4f34df85a5804a)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ecc: Add blinding for ECDSA.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
randomized nonce B.
(From OE-Core rev: e05c9b1be8e852293dfc7026f0e3178c3bc5444d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2017-18018-1:
doc: clarify chown/chgrp --dereference defaults
* doc/coreutils.texi: the documentation for the --dereference
flag of chown/chgrp states that it is the default mode of
operation. Document that this is only the case when operating
non-recursively.
CVE-2017-18018-2:
doc: warn about following symlinks recursively in chown/chgrp
In both chown and chgrp (which shares its code with chown), operating
on symlinks recursively has a window of vulnerability where the
destination user or group can change the target of the operation.
Warn about combining the --dereference, --recursive, and -L flags.
* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
(node chown invocation): Add it to --dereference and -L.
(node chgrp invocation): Likewise.
Affects coreutils <= 8.29
(From OE-Core rev: a523bc6a2ff7d5b5415a789de02fb055ccd2c077)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
double64_init: Check psf->sf.channels against upper bound
This prevents division by zero later in the code.
While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.
CVE-2017-14634
Closes: #318
Affects libsndfile1 = 1.0.28
(From OE-Core rev: 00da7bad24cf78c9dba091b9e480515f25886b48)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sfe_copy_data_fp: check value of "max" variable for being normal
and check elements of the data[] array for being finite.
Both checks use functions provided by the <math.h> header as declared
by the C99 standard.
Fixes #317
CVE-2017-14245
CVE-2017-14246
Affects libsndfile1 = 1.0.28
(From OE-Core rev: 39b1dc89ce2870d1a2630b2319783a6203cbcb08)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Reject LHA archive entries with negative size.
Affects libarchive = 3.3.2
(From OE-Core rev: 3e000591928cfc35df192c7eb00db65687930566)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
stream_decoder.c: Fix a memory leak
Leak reported by Secunia Research.
Affects flac = 1.3.2
(From OE-Core rev: bca64ae1b02717c04edfee6dcc9a89cfa91d0c73)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 10a52e436d2f9a40c04271bc8aeb04c75fb11383)
(From OE-Core rev: 058bdd077da005d412fbbcd98d70fbd80fa80555)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: f75289b9215580030540245cd0b5f945bfb05ffa)
(From OE-Core rev: 97a52df900519b0c7fbb9e92a3168a542d68aba6)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Large zip files can cause unzip to crash, take a patch from Fedora to fix it.
(From OE-Core rev: a001833b7c7a0a6eef88e053fe65e2a0c91ca7bc)
(From OE-Core rev: 61235238157b747d47728f6c3d9ad8241dde0102)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Please see this security advisory:
https://www.openssl.org/news/secadv/20180612.txt
Remove obsolete patch.
(From OE-Core rev: 0d19caefeeca14f44c80ccb716c30b17f14255a5)
(From OE-Core rev: 784059db22d763ca9f579a10a34fd90c68542e82)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Please see this security advisory:
https://www.openssl.org/news/secadv/20180612.txt
Refresh patches
(From OE-Core rev: ff3db93e53c4f9d56807d3755c799459944e9a87)
(From OE-Core rev: 84233553e963e26ca5f9f983662d4bd133176bb9)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Patch original c_rehash script with Debian patch instead
of overriding it with own version.
Error output from c_reshah without patching:
Unknown regexp modifier "/b" at ./c_rehash line 15, at end of line
Unknown regexp modifier "/W" at ./c_rehash line 28, at end of line
Unknown regexp modifier "/3" at ./c_rehash line 28, at end of line
Unknown regexp modifier "/2" at ./c_rehash line 28, at end of line
No such class installdir at ./c_rehash line 63, near "Prefix our
installdir"
(Might be a runaway multi-line // string starting on line 28)
syntax error at ./c_rehash line 63, near "Prefix our installdir"
Can't redeclare "my" in "my" at ./c_rehash line 68, near ""
Execution of ./c_rehash aborted due to compilation errors.
(From OE-Core rev: f8a826f497073533a3e4c390255ae197d65d6ef3)
(From OE-Core rev: 4524d1f916b55db6d280ff51a41933b8ec9046b0)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Marko Peter <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The perlpath.pl script is used to patch the #! lines in all perl
scripts in the utils directory. However, as these scripts are run via
e.g. "perl foo.pl", they don't actually rely on the #! path to be
correct (which can be confirmed by the observation that the path is
currently being set to ${STAGING_BINDIR_NATIVE}/perl, which doesn't
exist).
(From OE-Core rev: ba88fe46d47846042518a5a1017d782ba548202c)
(From OE-Core rev: 1b0dcca0f083081295f32f09b408ab6c6c10f66f)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The openssl Configure script will only select standalone makedepend
(vs running "$CC -M") when building with gcc < 3.x or with an Apple
Xcode version which predates the switch to clang (in approx 2010?).
Neither of these cases are possible when building under OE, therefore
the dependency on makedepend-native can be dropped (ie align the
openssl 1.0 recipe with the 1.1 recipe, which has dropped the
makedepend-native dependency already).
(From OE-Core rev: 4c5bd69e5cb203c8a4c2f3716c941661c0afc830)
(From OE-Core rev: 74524ec2a0f5a4210dd6680afb4b685a69f96a71)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Openssl 1.1 requires perl in order to build (just as openssl 1.0
does). The missing dependency has gone unnoticed up to now since
hostperl-runtime-native is included in ASSUME_PROVIDED.
(From OE-Core rev: ed5f8bb582453e7d8a1636ad1463380076209bd2)
(From OE-Core rev: 33a9519040b6e5cd9e83bb76589f75b00f1cd1c2)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Squash whitespace in CC_INFO to avoid recipe whitespace changes to
CFLAG affecting the final openssl binaries (the value of CC_INFO gets
embedded in libcrypto, via buildinf.h).
(From OE-Core rev: 2227c51896d4399daac9d85f40d7510b7c8ae03f)
(From OE-Core rev: 0bda7fda8ce11b9b8c4c69aee1afbda30c3eadd5)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Creating the openssl manpages, which happens as part of do_install(),
can take a significant amount of time (e.g. ~50 seconds on a quad
core laptop). Provide a PACKAGECONFIG option to allow creation of the
manpages to be skipped completely if not required and inherit the
manpages class to automatically control the PACKAGECONFIG option
(based on the "api-documentation" distro feature).
(From OE-Core rev: 1ddca1872f64c566fd812a6ec44f2d4e4d84f58f)
(From OE-Core rev: 061c17ff22f4df573bccbf4b66f2fdf5501c3617)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The fact that the darwin support only appears to consider x86 (and
not x86_64) suggests that it's not maintained or tested. In general
oe-core doesn't support building on darwin.
(From OE-Core rev: 9c7f37bb1345c38211acd137c00b9d07f92601a7)
(From OE-Core rev: ebe53ed0e34b88c7d7fef22e1a5ad4959517fdab)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously (when EXTRA_OEMAKE contained -e) exporting these variables
over-rode default values in the top-level openssl Makefile. However,
since -e was removed from EXTRA_OEMAKE as part of:
http://git.openembedded.org/openembedded-core/commit/?id=537a404cfbb811fcb526cdb5f2e059257de6ef13
exporting these variables does nothing. The comment from that commit
that only AR is affected by removing -e wasn't correct, but the
effects of letting the openssl Makefile also control AS, EX_LIBS and
DIRS seem to be either benign or beneficial.
Since without -e make ignores DIRS from the environment and always
runs for all subdirs (including "test"), adding "test" to DIRS and
calling "make depend" again from do_compile_ptest() can be dropped.
(From OE-Core rev: b3e81e3cf86dd8736b62a6b88d6a6dbe518c9e5e)
(From OE-Core rev: 8aa33c15b7c71cda8de3e3571879a5d39c915adb)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a second line to the -help output of the CA.pl script
(which lists almost the same command line options as the line above
it but in a slightly different order). Although it's tagged as a
Debian backport, there's no patch like it in recent Debian patch sets
for openssl 1.0.2.
(From OE-Core rev: 9b3af406747a3d565d12d948400d44fb12ab0d96)
(From OE-Core rev: 4a136f8b2cfb6cdd5ba16a2ebbe9b418fead1c76)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix inconsistent indent (and also make the openssl 1.1 recipe more
consistent and consistent with the openssl 1.0 recipe).
(From OE-Core rev: 69844643aa1b829c27f144db634c8223c18c783f)
(From OE-Core rev: 3e0290b51da404761ac6a7d2657fd10693bf21b9)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Align the openssl 1.1 recipe with changes made to openssl 1.0:
http://git.openembedded.org/openembedded-core/commit/?id=a072d4620db462c5d3459441d5684cfd99938400
(From OE-Core rev: 24e745aaa2354432a9112879450263cab742c85b)
(From OE-Core rev: ec24fcc63e33b9c808b81968bad94e497051d350)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Align the openssl 1.1 recipe with changes made to openssl 1.0:
http://git.openembedded.org/openembedded-core/commit/?id=e01e7c543a559c8926d72159b5cd55db0c661434
(From OE-Core rev: 35cf2c1266927b609e0022be2c7bd8e08410a456)
(From OE-Core rev: 7a5fd1ca7d4b3aa0060134e7ea2af57bb9f2fe07)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently target builds call make twice as part of do_compile(). It
appears to be an accidental side effect of needing to only pass
CC_INFO on the make command line for target builds, since CC_INFO is
only referenced by the reproducible build patches.
(From OE-Core rev: 6c4942b5c771876ad0e62e56923f59cc71776157)
(From OE-Core rev: 1aaca6b00c083eba25eb8502bbdffef4e45fafd8)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although passing -no-ssl3 works, comments in the openssl Configure
script suggest doing so isn't really correct:
s /^-no-/no-/; # some people just can't read the instructions
The documented way to pass no-<cipher> config options is without a
leading "-"
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/INSTALL
(From OE-Core rev: 369927de1d94a295671d3750c95b70a497b13425)
(From OE-Core rev: 3936fafb3bd85499361f32abef4919ad3c74d83f)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since openssl isn't an autotools recipe, defining cryptodev-linux
related config options via PACKAGECONFIG hasn't worked correctly
since PACKAGECONFIG_CONFARGS stopped being automatically appended to
EXTRA_OECONF in 2016:
http://git.openembedded.org/openembedded-core/commit/?id=c98fb5f5129e71829ffab4449b3d28082bc95ab4
The issue appears to have been hidden as the flags are also hardcoded
in CFLAG - and therefore always enabled, regardless of the state of
the PACKAGECONFIG option. Fix by passing both EXTRA_OECONF and
PACKAGECONFIG_CONFARGS when running the openssl Configure script.
Although the openssl 1.1 recipe doesn't contain any PACKAGECONFIG
options yet, pre-emptively make the same fix there too.
Also only enable cryptodev-linux by default for target builds (based
on the historical comments in the recipe, that seems to have been the
original intention).
(From OE-Core rev: 6fee11b04b979a5b3237902d947db7118cafca2b)
(From OE-Core rev: 201f4a889c0e4b3d13369e38662bf97ed8a9a8e1)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make clear distinction between local variables and bitbake variables.
(From OE-Core rev: d1e441db511faf9c170733c01ded8c56faac9ab6)
(From OE-Core rev: cf9f9657eefd65817094f220af92f2791a8cb68e)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop redundant setting of S to its default value, fix inconsistent
indent and re-order variables to align more closely to the OE
style-guide.
(From OE-Core rev: c36637a0304551bf2736bb15796947d9aaf00076)
(From OE-Core rev: 67cde33115798b298f7840cad34d8ef91b3b7fa2)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The openssl10.inc include file only has one user, so we can improve
maintainability by merging the include file into the recipe which
uses it.
(From OE-Core rev: f5568740d5ff72090c3ca894ddfdc3078169da25)
(From OE-Core rev: 5b4ffcbcdc28aec506a21f5abd76848c1de24011)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Drop redundant setting of S to its default value and re-order
variables to align more closely to the OE style-guide.
(From OE-Core rev: 4871481e66449dd2b054119b37d0baedb166b72c)
(From OE-Core rev: 5da668175ee7c56067c1272e7a701d5c38e94524)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using += with an over-ride can be a source of confusion so try to
avoid the construct in core recipes.
The current usage is incorrect and prevents the aarch64 and musl
specific config options from being active together.
(From OE-Core rev: 2a30a9ecab6465892698f7fc9d14a430d8a26f0c)
(From OE-Core rev: 000da57cc858f5432153be849faba3862e4e9ed5)
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When SDK is not installed in the default location, openssl will not be
able to find the the openssl.cnf config file:
"WARNING: can't open config file: XXXX/usr/lib/ssl/openssl.cnf"
To fix this, we need to provide the environment variable $OPENSSL_CONF
pointing to the correct config file location.
(From OE-Core rev: b3f148333515efdb746b78c57d62cfbf3321b21e)
(From OE-Core rev: fcea508efedeb36ca31fe8ad0cbc6d194fcfd1f7)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ccache and openssl don't get on:
| make[1]: Entering directory '/home/prj/yocto/build/tmp/work/core2-64-poky-linux/openssl/1.0.2o-r0/openssl-1.0.2o/crypto'
| ccache: invalid option -- 'D'
Disable the use of ccache in the openssl recipe until someone root-causes this.
[ YOCTO #12810 ]
(From OE-Core rev: 8f9ceebb197dba10f2d08449de2dd64584de06bb)
(From OE-Core rev: e90da34e5667acacd9ad0dd167846a6126fefad2)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(From OE-Core rev: 50dc3283e39e85912cdbeb9e885dcd22011d4a51)
(From OE-Core rev: a1a5b0f814063c1b95024aee763c71b3f069e12b)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Cleans up the packaging by moving libasound.so.2 back into the alsa-lib
package which was previously empty.
Previously, it was difficult to create an image that had libasound.so.2,
then create an SDK from that image that had the proper development
files, because the only way to get libasound.so.2 was to do:
IMAGE_INSTALL += "libasound"
This however caused a problem because all of the development files that
would be desired in the SDK were located in alsa-lib-dev, which wouldn't
be included because alsa-lib wasn't included, and it was impossible to
include alsa-lib because it was an empty package that was culled.
(From OE-Core rev: 6c3438a62d10f155cd6a391bdb2f1939fc4774ec)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 30352f3d84344bff8c06625f9674947417f6e8e1)
Change-Id: I2fb065b7e00569ba3a6aac631ac863999455bfb2
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We assume that LIC_FILES_CHKSUM is a file: URI but don't actually verify this,
which can lead to problems if you have a URI that resolves to a path of / as
Bitbake will then dutifully checksum / recursively.
[ YOCTO #12883 ]
(From OE-Core rev: e2b8a3d5a10868f9c0dec8d7b9f5f89fdd100fc8)
(From OE-Core rev: a5db618986746bf9082c4b3cbdac4e523328432e)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Sanity check number of channels in setup.
Fixes #2335.
Link: https://gitlab.xiph.org/xiph/vorbis/issues/2335
(From OE-Core rev: 10569dfa6da1f7f9f021852acf4f936b3aead16a)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
| |
CVE-2017-14160: fix bounds check on very low sample rates.
(From OE-Core rev: 0b0409ab6ef27599feeb2fc8a82150305b91f26b)
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The bzip.org domain expired and is now a holding site for adverts, so we can't
trust a tarball that appears on that site (luckily we have source checksums to
detect this).
For now, point SRC_URI at the tarball in the Yocto Project source mirror, but
set HOMEPAGE and UPSTREAM_CHECK_URI to the sourceware.org/bzip2/ page which
apparently will be resurrected as the new canonical home page.
(From OE-Core rev: 9e291d9923efc988abe8689c64bafbb29da06339)
(From OE-Core rev: 1bd48516cc3f65e860a2d8a8a3c6cee56c8332a1)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported by ChenQi, leaving bits/wordsize.h out of being
multilibbed introduced a problem in building the SDK for
arm64:
Error: Transaction check error:
file /usr/include/bits/wordsize.h conflicts between attempted installs of lib32-libc6-dev-2.27-r0.armv7vet2hf_vfp and libc6-dev-2.27-r0.aarch64
This effectively reverts commit a74c77d6.
(From OE-Core rev: 90ad502bf8faa233e25cf297c1eeefcb0367aea3)
(From OE-Core rev: 056ae940da49b38890c2960651f0fdb5331a5fac)
Signed-off-by: Daniel Díaz <daniel.diaz@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
| |
(From OE-Core rev: 2a4595f0c45a9c0ecdeb1d92613821321e48a1ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
Affects <= 2.30
(From OE-Core rev: d18dfef01fb7d37029e5a612f79201adf7ff5921)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
Affects <= 2.30
(From OE-Core rev: 1ff22881249591d64fe61353a4d97ab91dc8efa0)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
Affects <= 2.30
(From OE-Core rev: 832316491aab8b90719cefeba2bfd94cef04b80f)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
| |
|
|
|
|
|
|
|
| |
Affects <= 2.30
(From OE-Core rev: 3c83b9be884015e238249c0382299aedf4d81459)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
