Re: [oe-core][PATCH] libexif: upgrade to 0.6.22, change source to GitHub
What are your thoughts on applying this version bump to older supported releases?

https://libexif.github.io/ states:

stability / bugfix / security release
fixes CVE-2018-20030, CVE-2020-13114, CVE-2020-13113, CVE-2020-13112, CVE-2020-0093, CVE-2019-9278, CVE-2020-12767, CVE-2016-6328, CVE-2017-7544,

I say go for it.

-George

On Wed, May 27, 2020 at 8:05 AM Trevor Gamblin wrote:
>
>
> On 5/27/20 3:59 AM, Alexander Kanavin wrote:
>
> Hardcoding the split version components isn't great (and breaks automated
> updates), I have a patch queued that does this better:
>
> Works for me.
>
> Thanks!
>
>
> http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?h=akanavin/package-version-updates=314af89080317673cf91e24537b2e0d9b36747c2
>
> Specifically:
> def version_underscore(v):
>     return "_".join(v.split("."))
>
> SRC_URI =
> "https://github.com/libexif/libexif/releases/download/libexif-${@version_underscore("${PV}")}-release/libexif-${PV}.tar.xz
> \
> "
>
> Alex
>
> On Tue, 26 May 2020 at 23:13, Trevor Gamblin
> wrote:
>>
>> Updated libexif to 0.6.22, but needed to change to GitHub as a source,
>> since SourceForge does not yet have 0.6.22 version. The new version
>> includes the fixes for the three patch files that have been removed,
>> as well as other severe CVEs.
>>
>> CVE: CVE-2018-20030
>> CVE: CVE-2020-13114
>> CVE: CVE-2020-13113
>> CVE: CVE-2020-13112
>> CVE: CVE-2020-0093
>> CVE: CVE-2019-9278
>> CVE: CVE-2020-12767
>> CVE: CVE-2016-6328
>> CVE: CVE-2017-7544
>> >> Signed-off-by: Trevor Gamblin >> --- >> .../libexif/libexif/CVE-2016-6328.patch | 64 -- >> .../libexif/libexif/CVE-2017-7544.patch | 40 -- >> .../libexif/libexif/CVE-2018-20030.patch | 115 -- >> .../recipes-support/libexif/libexif_0.6.21.bb | 17 --- >> .../recipes-support/libexif/libexif_0.6.22.bb | 21 >> 5 files changed, 21 insertions(+), 236 deletions(-) >> delete mode 100644 meta/recipes-support/libexif/libexif/CVE-2016-6328.patch >> delete mode 100644 meta/recipes-support/libexif/libexif/CVE-2017-7544.patch >> delete mode 100644 meta/recipes-support/libexif/libexif/CVE-2018-20030.patch >> delete mode 100644 meta/recipes-support/libexif/libexif_0.6.21.bb >> create mode 100644 meta/recipes-support/libexif/libexif_0.6.22.bb >> >> diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch >> b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch >> deleted file mode 100644 >> index a6f307439b..00 >> --- a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch >> +++ /dev/null 
>> @@ -1,64 +0,0 @@ >> -CVE: CVE-2016-6328 >> -Upstream-Status: Backport >> -Signed-off-by: Ross Burton >> - >> -From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001 >> -From: Marcus Meissner >> -Date: Tue, 25 Jul 2017 23:44:44 +0200 >> -Subject: [PATCH] fixes some (not all) buffer overreads during decoding >> pentax >> - makernote entries. >> - >> -This should fix: >> -https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328 >> >> - libexif/pentax/mnote-pentax-entry.c | 16 +--- >> - 1 file changed, 13 insertions(+), 3 deletions(-) >> - >> -diff --git a/libexif/pentax/mnote-pentax-entry.c >> b/libexif/pentax/mnote-pentax-entry.c >> -index d03d159..ea0429a 100644 >> a/libexif/pentax/mnote-pentax-entry.c >> -+++ b/libexif/pentax/mnote-pentax-entry.c >> -@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry, >> - case EXIF_FORMAT_SHORT: >> - { >> - const unsigned char *data = entry->data; >> -- size_t k, len = strlen(val); >> -+ size_t k, len = strlen(val), sizeleft; >> -+ >> -+ sizeleft = entry->size; >> - for(k=0; kcomponents; k++) { >> -+ if (sizeleft < 2) >> -+ break; >> - vs = exif_get_short (data, entry->order); >> - snprintf (val+len, maxlen-len, "%i ", vs); >> - len = strlen(val); >> - data += 2; >> -+ sizeleft -= 2; >> - } >> - } >> - break; >> - case EXIF_FORMAT_LONG: >> - { >> - const unsigned char *data = entry->data; >> -- size_t k, len = strlen(val); >> -+ size_t k, len = strlen(val), sizeleft; >> -+ >> -+ sizeleft = entry->size; >> - for(k=0; kcomponents; k++) { >> -+ if (sizeleft < 4) >> -+ break; >> - vl = exif_get_long (data, entry->order); >> - snprintf (val+len, maxlen-len, "%li", (long >> int) vl); >> -
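Review bot: the backport being deleted here describes itself as fixing "some (not all) buffer overreads" in the Pentax makernote decoder, so dropping CVE-2016-6328.patch is only safe if the 0.6.22 tarball carries both commit 41bd04234b104312f54d25822f68738ba8d7133d and the follow-up fixes; please state in the commit message that the unpacked GitHub tarball was checked for this (for example that the sizeleft guards in mnote_pentax_entry_get_value are present) rather than relying on the release notes alone. The new libexif_0.6.22.bb is not shown in this copy, so the SRC_URI[sha256sum] for the GitHub tarball and the recipe's handling of the deleted CVE-2017-7544.patch and CVE-2018-20030.patch could not be reviewed here.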
Re: [OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path
Can we get 59565fec0b3f3e24eb01c03b671913599cd3134d cherry-picked to warrior now that this has landed in master?

Thanks,
George
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path
On Wed, Sep 25, 2019 at 1:34 PM Khem Raj wrote: > > On 9/25/19 11:13 AM, George McCollister wrote: > > On Wed, Sep 25, 2019 at 11:08 AM Mark Hatle > > wrote: > >> > >> On 9/25/19 6:52 AM, George McCollister wrote: > >>> Set OPENSSL_ENGINES to the path where engines are actually installed. > >>> > >>> Signed-off-by: George McCollister > >>> --- > >>> meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +- > >>> 1 file changed, 1 insertion(+), 1 deletion(-) > >>> > >>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > >>> b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > >>> index 072f727e0b..8819e19ec4 100644 > >>> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > >>> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb 
> >>> @@ -148,7 +148,7 @@ do_install_append_class-native () {
> >>>OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
> >>>SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
> >>>SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
> >>> - OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> >>> + OPENSSL_ENGINES=${libdir}/engines-1.1
> >>
> >> Is this a bug in the openssl recipe (it's placing engines in the wrong
> >> place),
> >> or a bug in the recipes providing acceleration engines and THEY are going
> >> into
> >> the wrong place?
> >
> > This recipe installs:
> > packages-split/openssl-engines/usr/lib/engines-1.1/afalg.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/padlock.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/capi.so
> >
> > libp11 in meta-oe installs these:
> > packages-split/libp11/usr/lib/engines-1.1
> > packages-split/libp11/usr/lib/engines-1.1/pkcs11.so
> > packages-split/libp11-dev/usr/lib/engines-1.1
> > packages-split/libp11-dev/usr/lib/engines-1.1/libpkcs11.so
> >
> >>
> >> The ssl-1.1/engines makes more sense to me.. as /usr/lib/engines-1.1
> >> obscures
> >> that they are OpenSSL related.
> >
> > I don't have a strong opinion either way but ssl-1.1/engines does make
> > a bit more sense.
> > Debian appears to install them in engines-1.1 though:
> > https://packages.debian.org/buster/amd64/libssl1.1/filelist
> >
> > I do need this fixed in warrior though and wonder if anyone would
> > gripe about changing where they are installed post release.
> >
> > How shall we proceed? Does anyone else want to chime in?
> >
>
> Using /usr/lib/ is known jargon and let's use it. I think doing
> it the way other distros are doing it and how upstream defaults are is
> also helpful. It reduces one more thing to worry about. Release branches
> should not be an issue as long as we have the packages in same output
> package.
It looks like Fedora is also using engines-1.1:
https://apps.fedoraproject.org/packages/openssl-libs/

I've found there is no Configure switch to set the engines directory. I believe it will require a patch that changes 3 - 4 lines in Configurations/unix-Makefile.tmpl. meta-oe/recipes-support/libp11/libp11_0.4.10.bb would also need to be changed to use the new path.

Is carrying a custom patch to deviate from the upstream package and major distribution behavior really wise? If there is somewhat of a consensus to go that way knowing it requires a custom patch I'll send a patch for openssl and then one to fix libp11 (which the first patch will break).

>
> >>
> >> --Mark
> >>
> >>> }
> >>>
> >>> do_install_append_class-nativesdk () {
> >>>
> >>
> >
> > -George
> >
>
Re: [OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path
On Wed, Sep 25, 2019 at 1:37 PM Andre McCurdy wrote: > > On Wed, Sep 25, 2019 at 11:13 AM George McCollister > wrote: > > On Wed, Sep 25, 2019 at 11:08 AM Mark Hatle > > wrote: > > > On 9/25/19 6:52 AM, George McCollister wrote: > > > > Set OPENSSL_ENGINES to the path where engines are actually installed. > > > > > > > > Signed-off-by: George McCollister > > > > --- > > > > meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > > > > b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > > > > index 072f727e0b..8819e19ec4 100644 > > > > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > > > > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb 
> > > > @@ -148,7 +148,7 @@ do_install_append_class-native () {
> > > > OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
> > > > SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
> > > > SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
> > > > - OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> > > > + OPENSSL_ENGINES=${libdir}/engines-1.1
> > >
> > > Is this a bug in the openssl recipe (it's placing engines in the wrong
> > > place),
> > > or a bug in the recipes providing acceleration engines and THEY are going
> > > into
> > > the wrong place?
> >
> > This recipe installs:
> > packages-split/openssl-engines/usr/lib/engines-1.1/afalg.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/padlock.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/capi.so
> >
> > libp11 in meta-oe installs these:
> > packages-split/libp11/usr/lib/engines-1.1
> > packages-split/libp11/usr/lib/engines-1.1/pkcs11.so
> > packages-split/libp11-dev/usr/lib/engines-1.1
> > packages-split/libp11-dev/usr/lib/engines-1.1/libpkcs11.so
> >
> > >
> > > The ssl-1.1/engines makes more sense to me.. as /usr/lib/engines-1.1
> > > obscures
> > > that they are OpenSSL related.
> >
> > I don't have a strong opinion either way but ssl-1.1/engines does make
> > a bit more sense.
> > Debian appears to install them in engines-1.1 though:
> > https://packages.debian.org/buster/amd64/libssl1.1/filelist
>
> It would be interesting to know when the path in the -native wrapper
> script stopped matching the path where the engines plugins are
> installed. ie was the wrapper script always wrong? Did the default
> install path used by openssl change at some point?

It's been wrong on and off with openssl 1.0 and I believe always wrong with openssl 1.1.

>
> > I do need this fixed in warrior though and wonder if anyone would
> > gripe about changing where they are installed post release.
> >
> > How shall we proceed? Does anyone else want to chime in?
>
> The change being proposed is for the openssl-native wrapper script, so
> won't affect anything on the target.
>
> I'm curious why openssl-native needs engines plugins at all?

I need the pkcs11 engine for pkcs11 signing with an HSM. Unfortunately for me most people won't notice if the wrapper doesn't match the installed plugin path.
Re: [OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path
On Wed, Sep 25, 2019 at 11:08 AM Mark Hatle wrote: > > On 9/25/19 6:52 AM, George McCollister wrote: > > Set OPENSSL_ENGINES to the path where engines are actually installed. > > > > Signed-off-by: George McCollister > > --- > > meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > > b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > > index 072f727e0b..8819e19ec4 100644 > > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb > > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb 
> > @@ -148,7 +148,7 @@ do_install_append_class-native () {
> > OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
> > SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
> > SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
> > - OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> > + OPENSSL_ENGINES=${libdir}/engines-1.1
>
> Is this a bug in the openssl recipe (it's placing engines in the wrong place),
> or a bug in the recipes providing acceleration engines and THEY are going into
> the wrong place?

This recipe installs:
packages-split/openssl-engines/usr/lib/engines-1.1/afalg.so
packages-split/openssl-engines/usr/lib/engines-1.1/padlock.so
packages-split/openssl-engines/usr/lib/engines-1.1/capi.so

libp11 in meta-oe installs these:
packages-split/libp11/usr/lib/engines-1.1
packages-split/libp11/usr/lib/engines-1.1/pkcs11.so
packages-split/libp11-dev/usr/lib/engines-1.1
packages-split/libp11-dev/usr/lib/engines-1.1/libpkcs11.so

>
> The ssl-1.1/engines makes more sense to me.. as /usr/lib/engines-1.1 obscures
> that they are OpenSSL related.

I don't have a strong opinion either way but ssl-1.1/engines does make a bit more sense.
Debian appears to install them in engines-1.1 though:
https://packages.debian.org/buster/amd64/libssl1.1/filelist

I do need this fixed in warrior though and wonder if anyone would gripe about changing where they are installed post release.

How shall we proceed? Does anyone else want to chime in?

>
> --Mark
>
> > }
> >
> > do_install_append_class-nativesdk () {
> >
>

-George
[OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path
Set OPENSSL_ENGINES to the path where engines are actually installed. Signed-off-by: George McCollister --- meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb index 072f727e0b..8819e19ec4 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb @@ -148,7 +148,7 @@ do_install_append_class-native () { OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \ SSL_CERT_DIR=${libdir}/ssl-1.1/certs \ SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \ - OPENSSL_ENGINES=${libdir}/ssl-1.1/engines + OPENSSL_ENGINES=${libdir}/engines-1.1 } do_install_append_class-nativesdk () { -- 2.22.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
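Review bot: the hunk only touches do_install_append_class-native, yet its trailing context shows do_install_append_class-nativesdk starting right below it; if that function exports the same OPENSSL_ENGINES=${libdir}/ssl-1.1/engines line, the nativesdk wrapper keeps pointing at a directory that does not exist and needs the identical one-line change in this same patch. Consider also setting the engines path once in a recipe variable shared by the wrapper and the openssl-engines packaging (which, per the thread, ships afalg.so, padlock.so and capi.so under ${libdir}/engines-1.1), so the wrapper and the install location cannot drift apart again, and mention in the commit message which engine failed to load (the thread names the pkcs11 engine used for HSM signing) so the warrior cherry-pick has a concrete test case.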
[OE-core] [PATCH 0/1] make OPENSSL_ENGINES match install path
Set OPENSSL_ENGINES in the openssl 1.1 recipe to the path where engines are actually installed.

This should be cherry-picked to warrior and probably anything older with an openssl 1.1 recipe. I've not tested it with anything older than warrior so someone else can make that call.

George McCollister (1):
  openssl: make OPENSSL_ENGINES match install path

 meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
2.22.0
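The mismatch this series fixes is easy to miss, as the thread notes, because the openssl binary keeps working and only engine loading fails. The script below is an added example, not code from the OE-core patch or from the openssl recipe: it pulls the OPENSSL_ENGINES value out of a wrapper script of the shape do_install_append_class-native generates and checks that the directory exists and actually contains engine .so files. The temporary install tree, the wrapper text and every function name in it are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the OE-core patch or from the openssl recipe.
# It checks that the OPENSSL_ENGINES value written into an openssl-native
# style wrapper script names a directory that exists and actually holds
# engine .so files. The install tree, the wrapper text and all function
# names below are constructed for this demonstration.

set -eu

# Print the OPENSSL_ENGINES value found in a wrapper script (first match only).
engines_dir_from_wrapper() {
    sed -n 's/^[[:space:]]*OPENSSL_ENGINES=\([^[:space:]\\]*\).*$/\1/p' "$1" | head -n 1
}

# Succeed only if the directory exists and contains at least one *.so engine.
check_engines_dir() {
    dir=$1
    [ -d "$dir" ] || return 1
    for so in "$dir"/*.so; do
        if [ -e "$so" ]; then
            return 0
        fi
    done
    return 1
}

# A wrapper passes when its OPENSSL_ENGINES directory passes check_engines_dir.
verify_wrapper() {
    dir=$(engines_dir_from_wrapper "$1")
    [ -n "$dir" ] || return 1
    check_engines_dir "$dir"
}

# Throwaway tree shaped like the recipe's packages-split output in the thread:
# engines are installed under usr/lib/engines-1.1, not usr/lib/ssl-1.1/engines.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/engines-1.1" "$root/usr/lib/ssl-1.1"
    : > "$root/usr/lib/engines-1.1/padlock.so"
    printf '%s\n' "$root"
}

# Write a wrapper in the shape do_install_append_class-native produces,
# with OPENSSL_ENGINES set to the path given as $2.
make_wrapper() {
    w=$(mktemp)
    cat > "$w" <<EOF
#!/bin/sh
exec env \\
    OPENSSL_CONF=$1/usr/lib/ssl-1.1/openssl.cnf \\
    OPENSSL_ENGINES=$2 \\
    $1/usr/bin/openssl.real "\$@"
EOF
    printf '%s\n' "$w"
}

# Stand-alone run: the pre-patch ssl-1.1/engines path fails, engines-1.1 passes.
demo() {
    root=$(make_demo_tree)
    old=$(make_wrapper "$root" "$root/usr/lib/ssl-1.1/engines")
    new=$(make_wrapper "$root" "$root/usr/lib/engines-1.1")
    for wrapper in "$old" "$new"; do
        if verify_wrapper "$wrapper"; then
            echo "$(engines_dir_from_wrapper "$wrapper"): engines found"
        else
            echo "$(engines_dir_from_wrapper "$wrapper"): OPENSSL_ENGINES does not match install path"
        fi
    done
    rm -rf "$root" "$old" "$new"
}

demo
```

Running verify_wrapper against the generated wrapper under ${D} at the end of do_install, for the native and nativesdk variants alike, would flag the ssl-1.1/engines versus engines-1.1 drift at build time instead of when someone tries to load an engine through the wrapper.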
[OE-core] [sumo][PATCH 8/8] systemd: fix CVE-2019-6454
Apply patches from systemd_237-3ubuntu10.13 to fix CVE-2019-6454. CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a specially formed D-Bus message. For information see: https://usn.ubuntu.com/3891-1/ https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates=d7584b894afcaa8a4a1abb69db2a9c81a6276e80 Signed-off-by: George McCollister --- .../systemd/systemd/CVE-2019-6454.patch| 210 + ...e-receive-an-invalid-dbus-message-ignore-.patch | 61 ++ meta/recipes-core/systemd/systemd_237.bb | 2 + 3 files changed, 273 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch create mode 100644 meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch new file mode 100644 index 00..e3c67c166c --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch 
@@ -0,0 +1,210 @@ +Description: sd-bus: enforce a size limit for dbus paths, and don't allocate + them on the stacka +Forwarded: no + +Patch from: systemd_237-3ubuntu10.13 + +For information see: +https://usn.ubuntu.com/3891-1/ +https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates=d7584b894afcaa8a4a1abb69db2a9c81a6276e80 + +CVE: CVE-2019-6454 +Upstream-Status: Backport + +Signed-off-by: George McCollister + +--- a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c +@@ -61,7 +61,7 @@ + if (slash) + return false; + +-return true; ++return (q - p) <= BUS_PATH_SIZE_MAX; + } + + char* object_path_startswith(const char *a, const char *b) { +--- a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h +@@ -339,6 +339,10 @@ + + #define BUS_MESSAGE_SIZE_MAX (64*1024*1024) + #define BUS_AUTH_SIZE_MAX (64*1024) ++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one ++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, ++ * to not clash unnecessarily with real-life applications. 
*/ ++#define BUS_PATH_SIZE_MAX (64*1024) + + #define BUS_CONTAINER_DEPTH 128 + +--- a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c +@@ -1150,7 +1150,8 @@ + const char *path, + sd_bus_error *error) { + +-char *prefix; ++_cleanup_free_ char *prefix = NULL; ++size_t pl; + int r; + + assert(bus); +@@ -1166,7 +1167,12 @@ + return 0; + + /* Second, add fallback vtables registered for any of the prefixes */ +-prefix = alloca(strlen(path) + 1); ++pl = strlen(path); ++assert(pl <= BUS_PATH_SIZE_MAX); ++prefix = new(char, pl + 1); ++if (!prefix) ++return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_manager_serialize_path(bus, reply, prefix, path, true, error); + if (r < 0) +@@ -1362,6 +1368,7 @@ + } + + int bus_process_object(sd_bus *bus, sd_bus_message *m) { ++_cleanup_free_ char *prefix = NULL; + int r; + size_t pl; + bool found_object = false; +@@ -1386,9 +1393,12 @@ + assert(m->member); + + pl = strlen(m->path); +-do { +-char prefix[pl+1]; ++assert(pl <= BUS_PATH_SIZE_MAX); ++prefix = new(char, pl + 1); ++if (!prefix) ++return -ENOMEM; + ++do { + bus->nodes_modified = false; + + r = object_find_and_run(bus, m, m->path, false, _object); +@@ -1516,9 +1526,15 @@ + + n = hashmap_get(bus->nodes, path); + if (!n) { +-char *prefix; ++_cleanup_free_ char *prefix = NULL; ++size_t pl; ++ ++pl = strlen(path); ++assert(pl <= BUS_PATH_SIZE_MAX); ++prefix = new(char, pl + 1); ++if (!prefix) ++return -ENOMEM; + +-prefix = alloca(strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + n = hashmap_get(bus->nodes, prefix); + if (n) +@@ -2108,8 +2124,9 @@ + char **names) { + + BUS_DONT_DESTROY(bus); ++_cleanup_free_ char *prefix = NULL; + bool found_interface = false; +-char *prefix; ++size_t pl; + int r; + + assert_return(bus, -EINVAL); +@@ -2128,6 +2145,12 @@ + if (names && names[0] == NULL) + return 0; + ++pl = strlen(path); ++assert(pl <= BUS_PATH_SI
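Review bot: the patch header marks this Upstream-Status: Backport but cites only the Ubuntu launchpad commit and says "Forwarded: no"; please add the systemd upstream commit the fix comes from so the backport can be checked against it, and fix the "stacka" typo in the Description line. In the bus-objects.c hunks, each new assert(pl <= BUS_PATH_SIZE_MAX) is only sound if the path was already rejected by object_path_is_valid() (the bus-internal.c hunk, which now returns (q - p) <= BUS_PATH_SIZE_MAX); that holds for paths parsed out of incoming messages, but the functions at lines 1516 and 2108 take a path argument from their caller, so please confirm those callers validate it too, because an assert on an unvalidated length would still take down PID1, just with an abort instead of stack exhaustion.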
[OE-core] [sumo][PATCH 7/8] systemd: fix CVE-2018-6954
Apply patches to fix CVE-2018-6954 NVD description from https://nvd.nist.gov/vuln/detail/CVE-2018-6954 systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on. Patches from systemd_237-3ubuntu10.13.debian. These patches shouldn't be required on newer OE releases since they use systemd v239 or higher. Signed-off-by: George McCollister --- ...n-t-resolve-pathnames-when-traversing-rec.patch | 643 +++ .../systemd/systemd/0002-Make-tmpfiles-safe.patch | 1828 meta/recipes-core/systemd/systemd_237.bb |2 + 3 files changed, 2473 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch create mode 100644 meta/recipes-core/systemd/systemd/0002-Make-tmpfiles-safe.patch diff --git a/meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch b/meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch new file mode 100644 index 00..108e4ad8b8 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch 
@@ -0,0 +1,643 @@ +From 33dc9a280f952f503e5493ee29f6815bef29d551 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 2 Mar 2018 17:19:32 +0100 +Subject: [PATCH] tmpfiles: don't resolve pathnames when traversing recursively + through directory trees + +Otherwise we can be fooled if one path component is replaced underneath us. + +The patch achieves that by always operating at file descriptor level (by using +*at() helpers) and by making sure we do not any path resolution when traversing +direcotry trees. + +However this is not always possible, for instance when listing the content of a +directory or some operations don't provide the *at() helpers or others (such as +fchmodat()) don't have the AT_EMPTY_PATH flag. In such cases we operate on +/proc/self/fd/%i pseudo-symlink instead, which works the same for all kinds of +objects and requires no checking of type beforehand. + +Also O_PATH flag is used when opening file objects in order to prevent +undesired behaviors: device nodes from reacting, automounts from +triggering, etc... + +Fixes: CVE-2018-6954 + +Origin: upstream, https://github.com/systemd/systemd/commit/936f6bdb803c432578e2cdcc5f93f3bfff93aff0 +Bug: https://github.com/systemd/systemd/issues/7986 + +Patch from: +systemd_237-3ubuntu10.13.debian CVE-2018-6954.patch + +https://usn.ubuntu.com/3816-1/ states that CVE-2018-6954 doesn't +affect Ubuntu 18.10 which uses the same version of systemd as thud +(239). 
+ +CVE: CVE-2018-6954 +Upstream-Status: Backport + +Signed-off-by: George McCollister +--- + src/tmpfiles/tmpfiles.c | 363 +++- + 1 file changed, 239 insertions(+), 124 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 88cc543f09..613d418eb3 100644 +--- a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +@@ -792,94 +792,105 @@ static bool hardlink_vulnerable(struct stat *st) { + return !S_ISDIR(st->st_mode) && st->st_nlink > 1 && dangerous_hardlinks(); + } + +-static int path_set_perms(Item *i, const char *path) { +-char fn[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; +-_cleanup_close_ int fd = -1; +-struct stat st; ++static int fd_set_perms(Item *i, int fd, const struct stat *st) { ++_cleanup_free_ char *path = NULL; ++int r; + + assert(i); +-assert(path); +- +-if (!i->mode_set && !i->uid_set && !i->gid_set) +-goto shortcut; +- +-/* We open the file with O_PATH here, to make the operation +- * somewhat atomic. Also there's unfortunately no fchmodat() +- * with AT_SYMLINK_NOFOLLOW, hence we emulate it here via +- * O_PATH. */ +- +-fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH); +-if (fd < 0) { +-int level = LOG_ERR, r = -errno; ++assert(fd); + +-/* Option "e" operates only on existing objects. Do not +- * print errors about non-existent files or directories */ +-if (i->type == EMPTY_DIRECTORY && errno == ENOENT) { +-level = LOG_DEBUG; +-r = 0; +-} +- +-log_full_errno(level, errno, "Adjusting owner and mode for %s failed: %m", path); ++r = fd_get_path(fd, ); ++if (r < 0) + return r; +-} + +-if (fstatat(fd, "&q
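Review bot: in the fd_set_perms() hunk, assert(fd) only catches descriptor 0, which is a valid file descriptor, while the invalid value -1 passes; the check should be assert(fd >= 0). Replacing the path-based open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH) with work on a descriptor the caller already holds, and using fd_get_path() only to build the log message, is the right direction, but please say in the commit message how this 237 backport was exercised (at least a systemd-tmpfiles --create run on a test image), since the diffstat shows 239 insertions and 124 deletions in tmpfiles.c and the rest of the hunk is cut off in this copy. Minor: "direcotry" in the imported commit message.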
[OE-core] [sumo][PATCH 5/8] systemd: Security fix CVE-2018-16865
Affects < v240 Based on thud commit d5d2b821fc85b8cf39f683061ac2a45bddd2139f The second patch in the thud commit doesn't apply against 237. Use the version of the second patch CVE-2018-16865_2.patch from systemd_237-3ubuntu10.13.debian. Signed-off-by: George McCollister --- ...ld-set-a-limit-on-the-number-of-fields-1k.patch | 60 ...ote-set-a-limit-on-the-number-of-fields-i.patch | 79 ++ meta/recipes-core/systemd/systemd_237.bb | 2 + 3 files changed, 141 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch create mode 100644 meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch diff --git a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch new file mode 100644 index 00..e8a6f2b986 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch 
@@ -0,0 +1,60 @@ +From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 5 Dec 2018 22:45:02 +0100 +Subject: [PATCH] journald: set a limit on the number of fields (1k) + +We allocate a iovec entry for each field, so with many short entries, +our memory usage and processing time can be large, even with a relatively +small message size. Let's refuse overly long entries. + +CVE-2018-16865 +https://bugzilla.redhat.com/show_bug.cgi?id=1653861 + +What from I can see, the problem is not from an alloca, despite what the CVE +description says, but from the attack multiplication that comes from creating +many very small iovecs: (void* + size_t) for each three bytes of input message. + +Patch backported from systemd master at +052c57f132f04a3cf4148f87561618da1a6908b4. + +CVE: CVE-2018-16865 +Upstream-Status: Backport + +--- + src/basic/journal-importer.h | 3 +++ + src/journal/journald-native.c | 5 + + 2 files changed, 8 insertions(+) + +diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h +index f49ce734a1..c4ae45d32d 100644 +--- a/src/basic/journal-importer.h b/src/basic/journal-importer.h +@@ -16,6 +16,9 @@ + #define DATA_SIZE_MAX (1024*1024*768u) + #define LINE_CHUNK 8*1024u + ++/* The maximum number of fields in an entry */ ++#define ENTRY_FIELD_COUNT_MAX 1024 ++ + struct iovec_wrapper { + struct iovec *iovec; + size_t size_bytes; +diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c +index 5ff22a10af..951d092053 100644 +--- a/src/journal/journald-native.c b/src/journal/journald-native.c +@@ -140,6 +140,11 @@ static int server_process_entry( + } + + /* A property follows */ ++if (n > ENTRY_FIELD_COUNT_MAX) { ++log_debug("Received an entry that has more than " STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry."); ++r = 1; ++goto finish; ++} + + /* n existing properties, 1 new, +1 for _TRANSPORT */ + if (!GREEDY_REALLOC(iovec, m, +-- +2.11.0 + 
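Review bot: in the server_process_entry() hunk the guard is if (n > ENTRY_FIELD_COUNT_MAX), evaluated when n fields are already stored and the next one is about to be added, so an entry can end up with ENTRY_FIELD_COUNT_MAX + 1 fields; if a hard cap of 1024 is intended use >=, otherwise please note the off-by-one in the commit message so a later "fix" does not diverge from the backported upstream commit 052c57f132f04a3cf4148f87561618da1a6908b4. The header also lacks the Signed-off-by of whoever did the backport, which the other patches in this series carry.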
diff --git a/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch new file mode 100644 index 00..f297333e72 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch @@ -0,0 +1,79 @@ +From ce1475b4f69f0a4382c6190f55e080d91de84611 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Fri, 7 Dec 2018 10:48:10 +0100 +Subject: [PATCH] journal-remote: set a limit on the number of fields in a + message + +Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is +reused for the new error condition (too many fields). + +This matches the change done for systemd-journald, hence forming the second +part of the fix for CVE-2018-16865 +(https://bugzilla.redhat.com/show_bug.cgi?id=1653861). + +Patch backported from systemd master at +ef4d6abe7c7fab6cbff975b32e76b09feee56074. + +Patch for 237 from: +systemd_237-3ubuntu10.13.debian CVE-2018-16865_2.patch + +CVE: CVE-2018-16865 +Upstream-Status: Backport + +--- + src/journal-remote/journal-remote-main.c | 7 +-- + src/journal-remote/journal-remote.c | 3 +++ + src/shared/journal-importer.c| 5 - + 3 files changed, 12 insertions(+), 3 deletions(-) + +--- a/src/basic/journal-importer.c b/src/basic/journal-importer.c +@@ -38,6 +38,9 @@ + }; + + static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) { ++if (iovw->count >= ENTRY_FIELD_COUNT_MAX)
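Review bot: the diffstat in this patch header lists src/shared/journal-importer.c, but the hunk that follows modifies src/basic/journal-importer.c; the stat block looks copied from the master commit ef4d6abe7c7fab6cbff975b32e76b09feee56074 rather than regenerated for the 237 tree, and should be updated so header and body agree (the journal-remote-main.c and journal-remote.c hunks it lists are cut off in this copy and could not be checked). The iovw_put() hunk compares against ENTRY_FIELD_COUNT_MAX, which is only defined by the companion 0025 journald patch in this series, so the two must be applied in that order; please state the dependency in the header.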
[OE-core] [sumo][PATCH 3/8] systemd: fix CVE-2018-15688
From: Chen Qi Backport patch to fix the following CVE. CVE: CVE-2018-15688 Signed-off-by: Chen Qi Signed-off-by: Richard Purdie Cherry-picked from thud 13591d7224393dc0ae529a03cdf74aceb3540ce9 Signed-off-by: George McCollister --- ...sure-we-have-enough-space-for-the-DHCP6-o.patch | 39 ++ meta/recipes-core/systemd/systemd_237.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch diff --git a/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch b/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch new file mode 100644 index 00..0c912f25df --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch @@ -0,0 +1,39 @@ +From a2622b8398ba026faf481f5eddeb53231d9de4a7 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 19 Oct 2018 12:12:33 +0200 +Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option + header + +Fixes a vulnerability originally discovered by Felix Wilhelm from +Google. + +CVE-2018-15688 +LP: #1795921 +https://bugzilla.redhat.com/show_bug.cgi?id=1639067 + +(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892) + +CVE: CVE-2018-15688 +Upstream-Status: Backport + +Signed-off-by: Chen Qi +--- + src/libsystemd-network/dhcp6-option.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c +index c4b402b..dcbaad0 100644 +--- a/src/libsystemd-network/dhcp6-option.c b/src/libsystemd-network/dhcp6-option.c +@@ -103,7 +103,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) { + return -EINVAL; + } + +-if (*buflen < len) ++if (*buflen < offsetof(DHCP6Option, data) + len) + return -ENOBUFS; + + ia_hdr = *buf; +-- +2.7.4 + 
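Review bot: the corrected bound in dhcp6_option_append_ia() now requires offsetof(DHCP6Option, data) + len bytes of remaining buffer, but neither how len is computed nor the writes that follow are in the hunk; please confirm in the commit message that the subsequent header-plus-payload writes total exactly that many bytes, so the check is tight rather than merely larger than before. The CVE and Upstream-Status tags and the upstream reference 4dac5eaba4e419b29c97da38a8b1f82336c2c892 are in place.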
diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb index cae9bccc60..87793dd3af 100644 --- a/meta/recipes-core/systemd/systemd_237.bb +++ b/meta/recipes-core/systemd/systemd_237.bb @@ -56,6 +56,7 @@ SRC_URI += "file://touchscreen.rules \ file://0035-Define-glibc-compatible-basename-for-non-glibc-syste.patch \ file://0001-core-when-deserializing-state-always-use-read_line-L.patch \ file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \ + file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \ " SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch" -- 2.11.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [sumo][PATCH 6/8] systemd: Security fix CVE-2018-16866
From: Marcus Cooper Affects < v240 Signed-off-by: Marcus Cooper From v2 patch on openembedded-core@lists.openembedded.org Increased file name number from 0026 to 0027. Signed-off-by: George McCollister --- ...nal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 ++ meta/recipes-core/systemd/systemd_237.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch diff --git a/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch new file mode 100644 index 00..3925a4abbb --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch 
@@ -0,0 +1,49 @@ +From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001 +From: Filipe Brandenburger +Date: Thu, 10 Jan 2019 14:53:33 -0800 +Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866 + +The original code didn't account for the fact that strchr() would match on the +'\0' character, making it read past the end of the buffer if no non-whitespace +character was present. + +This bug was introduced in commit ec5ff4445cca6a which was first released in +systemd v221 and later fixed in commit 8595102d3ddde6 which was released in +v240, so versions in the range [v221, v240) are affected. + +Patch backported from systemd-stable at f005e73d3723d62a39be661931fcb6347119b52b +also includes a change from systemd master which removes a heap buffer overflow +a6aadf4ae0bae185dc4c414d492a4a781c80ffe5. + +CVE: CVE-2018-16866 +Upstream-Status: Backport +Signed-off-by: Marcus Cooper +--- + src/journal/journald-syslog.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c +index 9dea116722..809b318c06 100644 +--- a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c +@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) + e = l; + l--; + +-if (p[l-1] == ']') { ++if (l > 0 && p[l-1] == ']') { + size_t k = l-1; + + for (;;) { +@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) + if (t) + *identifier = t; + +-if (strchr(WHITESPACE, p[e])) ++if (p[e] != '\0' && strchr(WHITESPACE, p[e])) + e++; + *buf = p + e; + return e; +-- +2.11.0 + diff --git a/meta/recipes-core/systemd/systemd_237.bb b/meta/recipes-core/systemd/systemd_237.bb index e6ef385f52..b53221896f 100644 --- a/meta/recipes-core/systemd/systemd_237.bb +++ b/meta/recipes-core/systemd/systemd_237.bb 
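Review bot: both journald-syslog.c hunks are the minimal correct fix: the added `l > 0 &&` guards the `p[l-1]` read when the identifier is empty, and the added `p[e] != '\0' &&` stops `strchr(WHITESPACE, p[e])` from matching the NUL terminator (strchr treats the terminator as part of the searched set) and advancing `e` one past the end of the buffer. For the 237 backport, confirm that every caller of syslog_parse_identifier() still passes a NUL-terminated buffer, since the second check relies on the terminator being present.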
@@ -60,6 +60,7 @@ SRC_URI += "file://touchscreen.rules \ file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \ file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \ file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \ + file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \ " SRC_URI_append_qemuall = " file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch" -- 2.11.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [sumo][PATCH 4/8] systemd: Security fix CVE-2018-16864
Affects < v240 Based on thud commit 403e74b07b6f3c4a2444e68c74a8434fb17aee49 The patch in the thud commit doesn't compile against 237. Use the version of this patch, CVE-2018-16864.patch from systemd_237-3ubuntu10.13.debian. Signed-off-by: George McCollister --- ...-not-store-the-iovec-entry-for-process-co.patch | 193 + meta/recipes-core/systemd/systemd_237.bb | 1 + 2 files changed, 194 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch diff --git a/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch new file mode 100644 index 00..c0b0667d85 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch 
@@ -0,0 +1,193 @@ +From c29b44cb90e2cc521533e6169cf847553ebefd81 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 5 Dec 2018 18:38:39 +0100 +Subject: [PATCH] journald: do not store the iovec entry for process + commandline on stack + +This fixes a crash where we would read the commandline, whose length is under +control of the sending program, and then crash when trying to create a stack +allocation for it. + +CVE-2018-16864 +https://bugzilla.redhat.com/show_bug.cgi?id=1653855 + +The message actually doesn't get written to disk, because +journal_file_append_entry() returns -E2BIG. + +Patch for 237 from: +systemd_237-3ubuntu10.13.debian CVE-2018-16864.patch + +CVE: CVE-2018-16864 +Upstream-Status: Backport + +--- + src/basic/io-util.c | 10 ++ + src/basic/io-util.h | 2 ++ + src/coredump/coredump.c | 31 +++ + src/journal/journald-server.c | 25 +++-- + 4 files changed, 38 insertions(+), 30 deletions(-) + +--- a/src/basic/io-util.c b/src/basic/io-util.c +@@ -26,6 +26,7 @@ + #include + + #include "io-util.h" ++#include "string-util.h" + #include "time-util.h" + + int flush_fd(int fd) { +@@ -270,3 +271,12 @@ + + return q - (const uint8_t*) p; + } ++ ++char* set_iovec_string_field(struct iovec *iovec, size_t *n_iovec, const char *field, const char *value) { ++char *x; ++ ++x = strappend(field, value); ++if (x) ++iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(x); ++return x; ++} +--- a/src/basic/io-util.h b/src/basic/io-util.h +@@ -91,3 +91,5 @@ + #define IOVEC_MAKE(base, len) (struct iovec) IOVEC_INIT(base, len) + #define IOVEC_INIT_STRING(string) IOVEC_INIT((char*) string, strlen(string)) + #define IOVEC_MAKE_STRING(string) (struct iovec) IOVEC_INIT_STRING(string) ++ ++char* set_iovec_string_field(struct iovec *iovec, size_t *n_iovec, const char *field, const char *value); +--- a/src/coredump/coredump.c b/src/coredump/coredump.c +@@ -1067,19 +1067,10 @@ + return 0; + } + +-static char* set_iovec_field(struct iovec iovec[27], size_t 
*n_iovec, const char *field, const char *value) { +-char *x; +- +-x = strappend(field, value); +-if (x) +-iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(x); +-return x; +-} +- + static char* set_iovec_field_free(struct iovec iovec[27], size_t *n_iovec, const char *field, char *value) { + char *x; + +-x = set_iovec_field(iovec, n_iovec, field, value); ++x = set_iovec_string_field(iovec, n_iovec, field, value); + free(value); + return x; + } +@@ -1129,33 +1120,33 @@ + disable_coredumps(); + } + +-set_iovec_field(iovec, n_iovec, "COREDUMP_UNIT=", context[CONTEXT_UNIT]); ++set_iovec_string_field(iovec, n_iovec, "COREDUMP_UNIT=", context[CONTEXT_UNIT]); + } + + if (cg_pid_get_user_unit(pid, ) >= 0) + set_iovec_field_free(iovec, n_iovec, "COREDUMP_USER_UNIT=", t); + + /* The next few are mandatory */ +-if (!set_iovec_field(iovec, n_iovec, "COREDUMP_PID=", context[CONTEXT_PID])) ++if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_PID=", context[CONTEXT_PID])) + return log_oom(); + +-if (!set_iovec_field(iovec, n_iovec, "COREDUMP_UID=", context[CONTEXT_UID])) ++if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_UID=", context[CONTEXT_UID])) + return log_oom(); + +-if (!set_iovec_field(iovec, n_iovec, "COREDUMP_GID=", context[CONTEXT_GID])) ++if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_GID=", context[CONTEXT_GID])) + return log_oom(); + +-if (!set_iovec_field(iovec, n_iovec, "COREDUMP_SIG
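Review bot: in the io-util.c hunk, the new shared `set_iovec_string_field()` writes `iovec[(*n_iovec)++]` without any capacity parameter, while the coredump.c helper it replaces was declared against `struct iovec iovec[27]`; now that it is an exported helper, either pass the array size or document that callers must guarantee a free slot. Also, `cg_pid_get_user_unit(pid, )` in the unchanged context has an empty second argument as rendered and will not compile that way; the address-of expression appears to have been dropped by the archive, so verify the patch file itself before applying. The quoted patch ends mid-hunk at `COREDUMP_SIG`, so the journald-server.c change that actually removes the stack allocation is not visible here for review.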
[OE-core] [sumo][PATCH 2/8] systemd: fix CVE-2018-15687
Backport patch to fix the following CVE. CVE: CVE-2018-15687 Based on thud commit eeb621aa19f690971caf862290a172a115578ba1 The patch in the thud commit doesn't compile against 237. Use the version of this patch, CVE-2018-15687.patch from systemd_237-3ubuntu10.13.debian. Signed-off-by: George McCollister --- ...sive-let-s-rework-the-recursive-logic-to-.patch | 252 + meta/recipes-core/systemd/systemd_237.bb | 1 + 2 files changed, 253 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch diff --git a/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch b/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch new file mode 100644 index 00..9a0b55f97d --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch 
@@ -0,0 +1,252 @@ +From 2da8ba3f507345d0401ea9d7191fa16ffa560ebc Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 19 Oct 2018 11:26:59 +0200 +Subject: [PATCH] chown-recursive: let's rework the recursive logic to use + O_PATH + +That way we can pin a specific inode and analyze it and manipulate it +without it being swapped out beneath our hands. + +Fixes a vulnerability originally found by Jann Horn from Google. + +CVE-2018-15687 +LP: #1796692 +https://bugzilla.redhat.com/show_bug.cgi?id=1639076 + +Origin: upstream, https://github.com/poettering/systemd/commit/5de6cce58b3e8b79239b6e83653459d91af6e57c +Bug-Ubuntu: https://launchpad.net/bugs/1796692 + +Patch for 237 from: +systemd_237-3ubuntu10.13.debian CVE-2018-15687.patch + +CVE: CVE-2018-15687 +Upstream-Status: Backport + +--- + src/core/chown-recursive.c | 146 ++--- + 1 file changed, 70 insertions(+), 76 deletions(-) + +diff --git a/src/core/chown-recursive.c b/src/core/chown-recursive.c +index c479450..27c6448 100644 +--- a/src/core/chown-recursive.c b/src/core/chown-recursive.c +@@ -18,18 +18,20 @@ + along with systemd; If not, see <http://www.gnu.org/licenses/>. 
+ ***/ + +-#include +-#include + #include ++#include ++#include + +-#include "user-util.h" +-#include "macro.h" +-#include "fd-util.h" +-#include "dirent-util.h" + #include "chown-recursive.h" ++#include "dirent-util.h" ++#include "fd-util.h" ++#include "macro.h" ++#include "stdio-util.h" ++#include "strv.h" ++#include "user-util.h" + +-static int chown_one(int fd, const char *name, const struct stat *st, uid_t uid, gid_t gid) { +-int r; ++static int chown_one(int fd, const struct stat *st, uid_t uid, gid_t gid) { ++char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1]; + + assert(fd >= 0); + assert(st); +@@ -38,90 +40,82 @@ + (!gid_is_valid(gid) || st->st_gid == gid)) + return 0; + +-if (name) +-r = fchownat(fd, name, uid, gid, AT_SYMLINK_NOFOLLOW); +-else +-r = fchown(fd, uid, gid); +-if (r < 0) +-return -errno; ++/* We change ownership through the /proc/self/fd/%i path, so that we have a stable reference that works with ++ * O_PATH. (Note: fchown() and fchmod() do not work with O_PATH, the kernel refuses that. */ ++xsprintf(procfs_path, "/proc/self/fd/%i", fd); + +-/* The linux kernel alters the mode in some cases of chown(). Let's undo this. */ +-if (name) { +-if (!S_ISLNK(st->st_mode)) +-r = fchmodat(fd, name, st->st_mode, 0); +-else /* There's currently no AT_SYMLINK_NOFOLLOW for fchmodat() */ +-r = 0; +-} else +-r = fchmod(fd, st->st_mode); +-if (r < 0) ++if (chown(procfs_path, uid, gid) < 0) + return -errno; + ++/* The linux kernel alters the mode in some cases of chown(). Let's undo this. We do this only for non-symlinks ++ * however. That's because for symlinks the access mode is ignored anyway and because on some kernels/file ++ * systems trying to change the access mode will succeed but has no effect while on others it actively ++ * fails. 
*/ ++if (!S_ISLNK(st->st_mode)) ++if (chmod(procfs_path, st->st_mode & 0) < 0) ++return -errno; ++ + return 1; + } + + static int chown_recursive_internal(int fd, const struct stat *st, uid_t uid, gid_t gid) { ++_cleanup_closedir_ DIR *d = NULL; + bool changed = false; ++struct dirent *de; + int r; + + assert(fd >= 0); + assert(st); + +-if (S
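Review bot: in the chown_one() hunk, `chmod(procfs_path, st->st_mode & 0)` masks the mode to zero, so as written it would strip every permission bit rather than restore the mode the preceding comment says it is undoing; the mask constant looks like it was lost in transit (the intent is clearly `st->st_mode` reduced to its permission bits), so check the patch file before applying. Minor: the comment `(Note: fchown() and fchmod() do not work with O_PATH, the kernel refuses that.` is missing its closing parenthesis. The quoted patch also stops mid-hunk at `if (S`, so the directory walk in chown_recursive_internal(), where the O_PATH pinning this CVE fix depends on happens, cannot be reviewed from this excerpt.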
[OE-core] [sumo][PATCH 1/8] systemd: fix CVE-2018-15686
From: Chen Qi Backport patch to fix the following CVE. CVE: CVE-2018-15686 Signed-off-by: Chen Qi Signed-off-by: Richard Purdie Cherry-picked from thud 0ef70603bc983315eb0e8a97958d995a31198c35 Signed-off-by: George McCollister --- ...eserializing-state-always-use-read_line-L.patch | 250 + meta/recipes-core/systemd/systemd_237.bb | 1 + 2 files changed, 251 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch diff --git a/meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch b/meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch new file mode 100644 index 00..405300148a --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch 
@@ -0,0 +1,250 @@ +From 56f77f7fcceea2fbb3b4efb8e307dd7784c63115 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 17 Oct 2018 18:36:24 +0200 +Subject: [PATCH] =?UTF-8?q?=3D=3FUTF-8=3Fq=3Fcore:=3D20when=3D20deserializ?= + =?UTF-8?q?ing=3D20state=3D20always=3F=3D?= + + =?UTF-8?q?=20use=20read=5Fline(=E2=80=A6,=20LONG=5FLINE=5FMAX,=20?= + =?UTF-8?q?=E2=80=A6)?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This should be much better than fgets(), as we can read substantially +longer lines and overly long lines result in proper errors. + +Fixes a vulnerability discovered by Jann Horn at Google. + +CVE-2018-15686 +LP: #1796402 +https://bugzilla.redhat.com/show_bug.cgi?id=1639071 + +(cherry picked from commit 8948b3415d762245ebf5e19d80b97d4d8cc208c1) + +CVE: CVE-2018-15686 +Upstream-Status: Backport + +Signed-off-by: Chen Qi + +--- + src/core/job.c | 19 +++ + src/core/manager.c | 44 + src/core/unit.c| 34 ++ + src/core/unit.h| 2 +- + 4 files changed, 50 insertions(+), 49 deletions(-) + +diff --git a/src/core/job.c b/src/core/job.c +index c6de8d27e..e0f9cee2f 100644 +--- a/src/core/job.c b/src/core/job.c +@@ -28,6 +28,7 @@ + #include "dbus-job.h" + #include "dbus.h" + #include "escape.h" ++#include "fileio.h" + #include "job.h" + #include "log.h" + #include "macro.h" +@@ -1067,24 +1068,26 @@ int job_serialize(Job *j, FILE *f) { + } + + int job_deserialize(Job *j, FILE *f) { ++int r; ++ + assert(j); + assert(f); + + for (;;) { +-char line[LINE_MAX], *l, *v; ++_cleanup_free_ char *line = NULL; ++char *l, *v; + size_t k; + +-if (!fgets(line, sizeof(line), f)) { +-if (feof(f)) +-return 0; +-return -errno; +-} ++r = read_line(f, LONG_LINE_MAX, ); ++if (r < 0) ++return log_error_errno(r, "Failed to read serialization line: %m"); ++if (r == 0) ++return 0; + +-char_array_0(line); + l = strstrip(line); + + /* End marker */ +-if (l[0] == 0) ++if (isempty(l)) + return 0; + + k = strcspn(l, "="); +diff --git 
a/src/core/manager.c b/src/core/manager.c +index e837a46f5..423f82c94 100644 +--- a/src/core/manager.c b/src/core/manager.c +@@ -2841,22 +2841,19 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { + m->n_reloading++; + + for (;;) { +-char line[LINE_MAX]; ++_cleanup_free_ char *line = NULL; + const char *val, *l; + +-if (!fgets(line, sizeof(line), f)) { +-if (feof(f)) +-r = 0; +-else +-r = -errno; +- ++r = read_line(f, LONG_LINE_MAX, ); ++if (r < 0) { ++log_error_errno(r, "Failed to read serialization line: %m"); + goto finish; + } ++if (r == 0) ++break; + +-char_array_0(line); + l = strstrip(line); +- +-if (l[0] == 0) ++if (isempty(l)) /* end marker */ + break; + + if ((val = startswith(l, "current-job-id="))) { +@@ -3003,29 +3000,31 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) { + } + + for (;;) { +-Unit *u; +-char name[UNIT_NAME_MAX+2]; ++_cleanup_free_ char
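Review bot: the Subject header of the backported patch is MIME-encoded twice (`=?UTF-8?q?=3D=3FUTF-8=3Fq=3Fcore:=3D20when...`); decoding the visible text once yields `=?UTF-8?q?core:=20when=20deserializing=20state=20always...?=`, i.e. the real title `core: when deserializing state always use read_line(…, LONG_LINE_MAX, …)`, so the file should carry the decoded subject or `git am` will record the garbled one. In the job.c and manager.c hunks, `read_line(f, LONG_LINE_MAX, )` has an empty third argument as rendered; the output pointer (`&line`) was evidently dropped by the archive, so confirm the actual patch file compiles. The substitution of fgets() by read_line() is otherwise sound: an overlong line now surfaces as an error through `log_error_errno()` instead of being silently truncated, and `isempty(l)` preserves the end-marker semantics of the old `l[0] == 0`.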
[OE-core] [sumo][PATCH 0/8] systemd: fix CVEs
Apply CVE patches to systemd. Backport changes from thud when possible otherwise use patches from: https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.13 The following changes since commit 31f0c5e59c7fb0ae0915de584fbfcf3d95bbb061: testsdk: Improvements to the json logging (2018-12-07 10:56:32 +) are available in the git repository at: git://github.com/gmccollister/openembedded-core sumo-cve-fixes https://github.com/gmccollister/openembedded-core/tree/sumo-cve-fixes Chen Qi (2): systemd: fix CVE-2018-15686 systemd: fix CVE-2018-15688 George McCollister (5): systemd: fix CVE-2018-15687 systemd: Security fix CVE-2018-16864 systemd: Security fix CVE-2018-16865 systemd: fix CVE-2018-6954 systemd: fix CVE-2019-6454 Marcus Cooper (1): systemd: Security fix CVE-2018-16866 ...sive-let-s-rework-the-recursive-logic-to-.patch | 252 +++ ...eserializing-state-always-use-read_line-L.patch | 250 +++ ...sure-we-have-enough-space-for-the-DHCP6-o.patch | 39 + ...n-t-resolve-pathnames-when-traversing-rec.patch | 643 +++ .../systemd/systemd/0002-Make-tmpfiles-safe.patch | 1828 ...-not-store-the-iovec-entry-for-process-co.patch | 193 +++ ...ld-set-a-limit-on-the-number-of-fields-1k.patch | 60 + ...ote-set-a-limit-on-the-number-of-fields-i.patch | 79 + ...nal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 + .../systemd/systemd/CVE-2019-6454.patch| 210 +++ ...e-receive-an-invalid-dbus-message-ignore-.patch | 61 + meta/recipes-core/systemd/systemd_237.bb | 11 + 12 files changed, 3675 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch create mode 100644 meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch create mode 100644 meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch create mode 100644 meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch create mode 100644 
meta/recipes-core/systemd/systemd/0002-Make-tmpfiles-safe.patch create mode 100644 meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch create mode 100644 meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch create mode 100644 meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch create mode 100644 meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch create mode 100644 meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch -- 2.11.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] systemd: fix CVE-2019-6454
I missed that somehow. Thanks for correcting me. -George On Fri, Feb 22, 2019 at 11:18 AM Alexander Kanavin wrote: > > On Fri, 22 Feb 2019 at 18:13, George McCollister > wrote: > > > > I believe this was discussed before and the recommendation was to wait > > until 241 to be released. In any case I currently have no interest in > > upgrading it. My main motivation is to patch this CVE in sumo but > > maintainers seem to want it in master first (even though different > > versions of the patches are required). > > 241 has been released: > https://github.com/systemd/systemd/releases > > It's fine if you don't want to do the upgrade, just wanted to correct > that point. > > Alex
Re: [OE-core] [PATCH] systemd: fix CVE-2019-6454
I believe this was discussed before and the recommendation was to wait until 241 to be released. In any case I currently have no interest in upgrading it. My main motivation is to patch this CVE in sumo but maintainers seem to want it in master first (even though different versions of the patches are required). -George On Fri, Feb 22, 2019 at 11:04 AM Alexander Kanavin wrote: > > On Fri, 22 Feb 2019 at 17:55, George McCollister > wrote: > > Apply patches from systemd_239-7ubuntu10.8 to fix CVE-2019-6454. > > CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a > > specially formed D-Bus message. > > + > > +For information see: > > +https://usn.ubuntu.com/3891-1/ > > +https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb > > + > > +CVE: CVE-2019-6454 > > +Upstream-Status: Backport > > It would be better to update systemd to latest upstream release, are > you able to do this? > > Alex
[OE-core] [PATCH] systemd: fix CVE-2019-6454
Apply patches from systemd_239-7ubuntu10.8 to fix CVE-2019-6454. CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a specially formed D-Bus message. For information see: https://usn.ubuntu.com/3891-1/ https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb Signed-off-by: George McCollister --- .../systemd/systemd/CVE-2019-6454.patch | 210 ++ ...eive-an-invalid-dbus-message-ignore-.patch | 61 + meta/recipes-core/systemd/systemd_239.bb | 2 + 3 files changed, 273 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch create mode 100644 meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch new file mode 100644 index 00..80170dac0f --- /dev/null +++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch 
@@ -0,0 +1,210 @@ +Description: sd-bus: enforce a size limit for dbus paths, and don't allocate + them on the stacka +Forwarded: no + +Patch from: systemd_239-7ubuntu10.8 + +For information see: +https://usn.ubuntu.com/3891-1/ +https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb + +CVE: CVE-2019-6454 +Upstream-Status: Backport + +Signed-off-by: George McCollister + +--- a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c +@@ -45,7 +45,7 @@ + if (slash) + return false; + +-return true; ++return (q - p) <= BUS_PATH_SIZE_MAX; + } + + char* object_path_startswith(const char *a, const char *b) { +--- a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h +@@ -333,6 +333,10 @@ + + #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) + #define BUS_AUTH_SIZE_MAX (64*1024) ++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one ++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, ++ * to not clash unnecessarily with real-life applications. 
*/ ++#define BUS_PATH_SIZE_MAX (64*1024) + + #define BUS_CONTAINER_DEPTH 128 + +--- a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c +@@ -1134,7 +1134,8 @@ + const char *path, + sd_bus_error *error) { + +-char *prefix; ++_cleanup_free_ char *prefix = NULL; ++size_t pl; + int r; + + assert(bus); +@@ -1150,7 +1151,12 @@ + return 0; + + /* Second, add fallback vtables registered for any of the prefixes */ +-prefix = alloca(strlen(path) + 1); ++pl = strlen(path); ++assert(pl <= BUS_PATH_SIZE_MAX); ++prefix = new(char, pl + 1); ++if (!prefix) ++return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_manager_serialize_path(bus, reply, prefix, path, true, error); + if (r < 0) +@@ -1346,6 +1352,7 @@ + } + + int bus_process_object(sd_bus *bus, sd_bus_message *m) { ++_cleanup_free_ char *prefix = NULL; + int r; + size_t pl; + bool found_object = false; +@@ -1370,9 +1377,12 @@ + assert(m->member); + + pl = strlen(m->path); +-do { +-char prefix[pl+1]; ++assert(pl <= BUS_PATH_SIZE_MAX); ++prefix = new(char, pl + 1); ++if (!prefix) ++return -ENOMEM; + ++do { + bus->nodes_modified = false; + + r = object_find_and_run(bus, m, m->path, false, _object); +@@ -1499,9 +1509,15 @@ + + n = hashmap_get(bus->nodes, path); + if (!n) { +-char *prefix; ++_cleanup_free_ char *prefix = NULL; ++size_t pl; ++ ++pl = strlen(path); ++assert(pl <= BUS_PATH_SIZE_MAX); ++prefix = new(char, pl + 1); ++if (!prefix) ++return -ENOMEM; + +-prefix = alloca(strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + n = hashmap_get(bus->nodes, prefix); + if (n) +@@ -2091,8 +2107,9 @@ + char **names) { + + BUS_DONT_DESTROY(bus); ++_cleanup_free_ char *prefix = NULL; + bool found_interface = false; +-char *prefix; ++size_t pl; + int r; + + assert_return(bus, -EINVAL); +@@ -2111,6 +2128,12 @@ + if (names && names[0] == NULL) + return 0; + ++pl = strlen(path); ++assert(pl <= BUS_PATH_SIZE_MAX); ++prefix = new(char, pl + 1); ++if (!prefix) ++return -ENO
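Review bot: the `assert(pl <= BUS_PATH_SIZE_MAX)` added in each bus-objects.c hunk turns an over-long path into an abort unless every path reaching these functions has already passed the updated `object_path_is_valid()` (which now returns `(q - p) <= BUS_PATH_SIZE_MAX`); in PID1 that abort would be the same crash this CVE describes, so this file must be applied together with the companion `sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch` listed in the diffstat but not quoted here, and the SRC_URI ordering should reflect that. Minor: the Description line reads `on the stacka`. The quoted patch also ends mid-hunk at `return -ENO`, so the last `prefix = new(char, pl + 1)` site cannot be reviewed from this excerpt.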
[OE-core] [morty][PATCH] apr: fix off_t size can't match when configure and in target glibc
From: Dengke Du When subversion runs on x86 and lib32 on x86-64, it uses the APR's apr.h header file. But when configuring the APR, APR meets the cross compiling case, and it was hardcoded in configure.in in the apr source code, as the following: APR_CHECK_SIZEOF_EXTENDED([#include ], off_t, 8) It passes 8 bytes to off_t when it meets cross compiling, but on x86 or lib32 the off_t in glibc was 4 bytes, so it lets applications that use apr.h go wrong. Such as subversion: svnadmin create test So we should let the APR detect the correct off_t when cross compiling; change it to the following: AC_CHECK_SIZEOF(off_t) The same for the following hardcoded types for cross compiling: pid_t 8 size_t 8 ssize_t 8 Change the above correspondingly. Signed-off-by: Dengke Du Signed-off-by: Ross Burton Cherry-picked from master e18820ca9202c07e2406d702c46f45415182b7a6 I spent 4 hours tracking down a problem where apache was responding to a request with corrupt Content-Range data. This patch fixes the problem. Signed-off-by: George McCollister --- ...ze-doesn-t-match-in-glibc-when-cross.patch | 76 +++ meta/recipes-support/apr/apr_1.5.2.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-support/apr/apr/0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch diff --git a/meta/recipes-support/apr/apr/0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch b/meta/recipes-support/apr/apr/0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch new file mode 100644 index 00..12371428f0 --- /dev/null +++ b/meta/recipes-support/apr/apr/0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch 
@@ -0,0 +1,76 @@ +From f26e8b88d2c90ed7eb9d4e276412b0923c23d10f Mon Sep 17 00:00:00 2001 +From: Dengke Du +Date: Wed, 14 Dec 2016 18:13:08 +0800 +Subject: [PATCH] apr: fix off_t size doesn't match in glibc when cross + compiling + +In configure.in, it contains the following: + + APR_CHECK_SIZEOF_EXTENDED([#include ], off_t, 8) + +the macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4, +it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross +compiling enable. + +So it was hardcoded for cross compiling, we should detect it dynamic based on +the sysroot's glibc. We change it to the following: + + AC_CHECK_SIZEOF(off_t) + +The same for the following hardcoded types for cross compiling: + + pid_t 8 + ssize_t 8 + size_t 8 + off_t 8 + +Change the above correspondingly. + +Signed-off-by: Dengke Du +--- + configure.in | 8 + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/configure.in b/configure.in +index 9d57ae6..5b19940 100644 +--- a/configure.in b/configure.in +@@ -1681,7 +1681,7 @@ else + socklen_t_value="int" + fi + +-APR_CHECK_SIZEOF_EXTENDED([#include ], pid_t, 8) ++AC_CHECK_SIZEOF(pid_t) + + if test "$ac_cv_sizeof_pid_t" = "$ac_cv_sizeof_short"; then + pid_t_fmt='#define APR_PID_T_FMT "hd"' +@@ -1750,7 +1750,7 @@ APR_CHECK_TYPES_COMPATIBLE(ssize_t, long, [ssize_t_fmt="ld"]) + APR_CHECK_TYPES_COMPATIBLE(size_t, unsigned int, [size_t_fmt="u"]) + APR_CHECK_TYPES_COMPATIBLE(size_t, unsigned long, [size_t_fmt="lu"]) + +-APR_CHECK_SIZEOF_EXTENDED([#include ], ssize_t, 8) ++AC_CHECK_SIZEOF(ssize_t) + + AC_MSG_CHECKING([which format to use for apr_ssize_t]) + if test -n "$ssize_t_fmt"; then +@@ -1767,7 +1767,7 @@ fi + + ssize_t_fmt="#define APR_SSIZE_T_FMT \"$ssize_t_fmt\"" + +-APR_CHECK_SIZEOF_EXTENDED([#include ], size_t, 8) ++AC_CHECK_SIZEOF(size_t) + + AC_MSG_CHECKING([which format to use for apr_size_t]) + if test -n "$size_t_fmt"; then +@@ -1784,7 +1784,7 @@ fi + + size_t_fmt="#define APR_SIZE_T_FMT \"$size_t_fmt\"" 
+ +-APR_CHECK_SIZEOF_EXTENDED([#include ], off_t, 8) ++AC_CHECK_SIZEOF(off_t) + + if test "${ac_cv_sizeof_off_t}${apr_cv_use_lfs64}" = "4yes"; then + # Enable LFS +-- +2.7.4 + diff --git a/meta/recipes-support/apr/apr_1.5.2.bb b/meta/recipes-support/apr/apr_1.5.2.bb index 302c93504b..f560c8b9c4 100644 --- a/meta/recipes-support/apr/apr_1.5.2.bb +++ b/meta/recipes-support/apr/apr_1.5.2.bb @@ -17,6 +17,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ file://upgrade-and-fix-1.5.1.patch \ file://Fix-packet-discards-HTTP-redirect.patch \ file://configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \ + file://0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch \ " SRC_URI[md5sum] = "4e9769f3349fe11fc0a5e1b224c236aa" -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
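Review bot: replacing APR_CHECK_SIZEOF_EXTENDED with AC_CHECK_SIZEOF in the four configure.in hunks is the right fix for cross builds, since AC_CHECK_SIZEOF determines the size at compile time instead of falling back to the hardcoded 8 that a run-time probe cannot measure when cross compiling. One thing to verify: the value of `AC_CHECK_SIZEOF(off_t)` depends on whatever CPPFLAGS are in effect when the probe is compiled, and the `"${ac_cv_sizeof_off_t}${apr_cv_use_lfs64}" = "4yes"` check immediately after it expects the pre-LFS size, so the `# Enable LFS` branch must keep adding its flags only after this point or the 4-byte case will never be detected.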
Re: [OE-core] [meta-oe][rocko][PATCH] protobuf: fix SRC_URI by removing branch
On Wed, May 30, 2018 at 8:27 AM, Martin Jansa wrote: > The change itself is OK, but you should update the commit message so that > other people won't get bad idea about how the fetcher works. Sounds good, I agree. > > Also please don't send meta-oe patches to both lists, it should go just to > openembedded-devel (to prevent both patchwork instances picking this > change). I specifically sent it to both lists because the original discussion was on openembedded-core while I knew the correct place to send the patch is openembedded-devel. Next time I won't send it to the wrong list, I'll just send a separate reply to the thread stating I have sent a patch to the correct list. > > On Wed, May 30, 2018 at 3:19 PM George McCollister > wrote: >> >> On Wed, May 30, 2018 at 8:08 AM, Martin Jansa >> wrote: >> > This doesn't just rely on SRCREV (bitbake fetcher would be complaining >> > if >> > the SRCREV isn't found in the branch used in SRC_URI), it relies on this >> > SRCREV to be in master branch (which is the default branch for git >> > fetcher): >> >> Okay, point taken. >> >> > >> > docker-shr @ ~/projects/protobuf $ git branch -a --contains >> > b04e5cba356212e4e8c66c61bbe0c3a20537c5b9 >> > * master >> >> Since it's in master the patch should work fine anyway. Should I >> update the commit message and add branch=master or just leave it as >> is? >> >> > remotes/origin/3.5.1.1 >> > remotes/origin/3.5.x >> > remotes/origin/3.6.x >> > remotes/origin/HEAD -> origin/master >> > remotes/origin/cython_protobuf >> > remotes/origin/master >> > remotes/origin/php-generated-dev >> > remotes/origin/python-wheel >> > remotes/origin/python_deps >> > >> > >> > On Wed, May 30, 2018 at 3:01 PM George McCollister >> > wrote: >> >> >> >> The 3.4.x branch was removed upstream but the commit referenced in >> >> SRCREV is the 3.4.1 release and is still available: >> >> https://github.com/google/protobuf/releases/tag/v3.4.1 >> >> >> >> Drop branch=3.4.x from SRC_URI and just rely on SRCREV. 
>> >> >> >> Signed-off-by: George McCollister >> >> --- >> >> meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb | 2 +- >> >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> >> >> diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb >> >> b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb >> >> index fae7c18a1..fe28f475a 100644 >> >> --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb >> >> +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb >> >> @@ -18,7 +18,7 @@ SRCREV = "b04e5cba356212e4e8c66c61bbe0c3a20537c5b9" >> >> >> >> PV = "3.4.1+git${SRCPV}" >> >> >> >> -SRC_URI = "git://github.com/google/protobuf.git;branch=3.4.x" >> >> +SRC_URI = "git://github.com/google/protobuf.git" >> >> >> >> EXTRA_OECONF += " --with-protoc=echo" >> >> >> >> -- >> >> 2.11.0 >> >> >> >> -- >> >> ___ >> >> Openembedded-core mailing list >> >> Openembedded-core@lists.openembedded.org >> >> http://lists.openembedded.org/mailman/listinfo/openembedded-core >> >> Regards, >> George -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [meta-oe][rocko][PATCH] protobuf: fix SRC_URI by removing branch
On Wed, May 30, 2018 at 8:08 AM, Martin Jansa wrote: > This doesn't just rely on SRCREV (bitbake fetcher would be complaining if > the SRCREV isn't found in the branch used in SRC_URI), it relies on this > SRCREV to be in master branch (which is the default branch for git fetcher): Okay, point taken. > > docker-shr @ ~/projects/protobuf $ git branch -a --contains > b04e5cba356212e4e8c66c61bbe0c3a20537c5b9 > * master Since it's in master the patch should work fine anyway. Should I update the commit message and add branch=master or just leave it as is? > remotes/origin/3.5.1.1 > remotes/origin/3.5.x > remotes/origin/3.6.x > remotes/origin/HEAD -> origin/master > remotes/origin/cython_protobuf > remotes/origin/master > remotes/origin/php-generated-dev > remotes/origin/python-wheel > remotes/origin/python_deps > > > On Wed, May 30, 2018 at 3:01 PM George McCollister > wrote: >> >> The 3.4.x branch was removed upstream but the commit referenced in >> SRCREV is the 3.4.1 release and is still available: >> https://github.com/google/protobuf/releases/tag/v3.4.1 >> >> Drop branch=3.4.x from SRC_URI and just rely on SRCREV. >> >> Signed-off-by: George McCollister >> --- >> meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb >> b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb >> index fae7c18a1..fe28f475a 100644 >> --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb >> +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb 
>> @@ -18,7 +18,7 @@ SRCREV = "b04e5cba356212e4e8c66c61bbe0c3a20537c5b9" >> >> PV = "3.4.1+git${SRCPV}" >> >> -SRC_URI = "git://github.com/google/protobuf.git;branch=3.4.x" >> +SRC_URI = "git://github.com/google/protobuf.git" >> >> EXTRA_OECONF += " --with-protoc=echo" >> >> -- >> 2.11.0 >> >> -- >> ___ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core Regards, George -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
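One way to perform the check Martin describes, as an added example that is not part of this thread or of BitBake itself: parse the git SRC_URI, fall back to master when no branch= parameter is given (the fetcher default the reply refers to), and test whether that branch appears in the output of `git branch -a --contains <SRCREV>`. The sample output is constructed from the listing quoted in the thread; `branches_containing` is a hypothetical helper that shells out to git for a real clone.

```python
"""Recipe sanity check: is SRCREV reachable from the branch SRC_URI names?

Added example, not BitBake code. It mirrors the point made in the thread:
the git fetcher only verifies that SRCREV exists on the fetched branch,
and without a branch= parameter that branch is master (the fetcher
default at the time of this thread).
"""
import re
import subprocess

FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def parse_git_src_uri(src_uri):
    """Split 'git://host/path.git;k=v;k2=v2' into (url, {k: v}).

    Parameters without '=' are kept with an empty value, matching how
    BitBake treats bare URI parameters.
    """
    url, *raw_params = src_uri.strip().split(";")
    params = {}
    for item in raw_params:
        key, _, value = item.partition("=")
        if key:
            params[key] = value
    return url, params


def fetch_branch(params):
    """Branch the fetcher will look SRCREV up on (default: master)."""
    return params.get("branch", "master")


def parse_containing_branches(git_output):
    """Turn `git branch -a --contains <rev>` output into a set of names.

    Strips the '* ' current-branch marker and skips symbolic refs such as
    'remotes/origin/HEAD -> origin/master', which are aliases, not branches.
    """
    names = set()
    for line in git_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("* "):
            line = line[2:]
        if " -> " in line:
            continue
        names.add(line)
    return names


def branch_contains(branches, branch, remote="origin"):
    """True if the branch (local or on the remote) contains the revision."""
    return branch in branches or f"remotes/{remote}/{branch}" in branches


def branches_containing(repo_dir, srcrev):
    """Hypothetical helper: run git in a local clone and return the names.

    A revision that does not exist makes git exit non-zero; treat that as
    'no branch contains it' rather than raising.
    """
    result = subprocess.run(
        ["git", "branch", "-a", "--contains", srcrev],
        cwd=repo_dir, capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        return set()
    return parse_containing_branches(result.stdout)


def check_srcrev(src_uri, srcrev, git_output):
    """Return (ok, reason) for a recipe's SRC_URI/SRCREV pair.

    git_output is the text of `git branch -a --contains <srcrev>`, so the
    check can run offline against captured output.
    """
    if not FULL_SHA1.match(srcrev):
        return False, f"SRCREV {srcrev!r} is not a full 40-hex commit id"
    _url, params = parse_git_src_uri(src_uri)
    branch = fetch_branch(params)
    if branch_contains(parse_containing_branches(git_output), branch):
        return True, f"{srcrev[:12]} is reachable from {branch}"
    return False, f"{srcrev[:12]} is not on branch {branch}; the fetcher would fail"


# Constructed from the `git branch -a --contains` listing quoted in the thread.
SAMPLE_GIT_OUTPUT = """\
* master
  remotes/origin/3.5.1.1
  remotes/origin/3.5.x
  remotes/origin/3.6.x
  remotes/origin/HEAD -> origin/master
  remotes/origin/cython_protobuf
  remotes/origin/master
  remotes/origin/php-generated-dev
  remotes/origin/python-wheel
  remotes/origin/python_deps
"""
SRCREV = "b04e5cba356212e4e8c66c61bbe0c3a20537c5b9"
OLD_SRC_URI = "git://github.com/google/protobuf.git;branch=3.4.x"
NEW_SRC_URI = "git://github.com/google/protobuf.git"

if __name__ == "__main__":
    for uri in (OLD_SRC_URI, NEW_SRC_URI):
        ok, reason = check_srcrev(uri, SRCREV, SAMPLE_GIT_OUTPUT)
        print(f"{'OK ' if ok else 'BAD'} {uri}: {reason}")
```

Current BitBake releases require branch= to be set explicitly on git URIs, which removes the silent fallback to master that this check exists to catch.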
[OE-core] [meta-oe][rocko][PATCH] protobuf: fix SRC_URI by removing branch
The 3.4.x branch was removed upstream but the commit referenced in SRCREV is the 3.4.1 release and is still available: https://github.com/google/protobuf/releases/tag/v3.4.1 Drop branch=3.4.x from SRC_URI and just rely on SRCREV. Signed-off-by: George McCollister --- meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb index fae7c18a1..fe28f475a 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb @@ -18,7 +18,7 @@ SRCREV = "b04e5cba356212e4e8c66c61bbe0c3a20537c5b9" PV = "3.4.1+git${SRCPV}" -SRC_URI = "git://github.com/google/protobuf.git;branch=3.4.x" +SRC_URI = "git://github.com/google/protobuf.git" EXTRA_OECONF += " --with-protoc=echo" -- 2.11.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
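Review bot: the SRC_URI hunk drops `branch=3.4.x` without naming a replacement, so the git fetcher falls back to its default branch (master) and the recipe now depends on b04e5cba being reachable from master rather than "just relying on SRCREV" as the commit message says; the fetcher still rejects a SRCREV that is not on the fetched branch, as noted in the thread. Make the dependency explicit with `SRC_URI = "git://github.com/google/protobuf.git;branch=master"` and reword the commit message to say the commit is on master, so nobody reading the log concludes that SRCREV alone is enough.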
Re: [OE-core] [pyro][PATCH] glibc: Fix CVE-2017-1000366
On Thu, Nov 30, 2017 at 9:16 AM, akuster808 <akuster...@gmail.com> wrote:
>
> On 11/21/2017 12:03 PM, George McCollister wrote:
>> Add backported patches from the upstream release/2.25/master branch to
>> fix CVE-2017-1000366. Also add a backported patch that resolves SSE
>> related build problems introduced by these patches.
>
> Thanks for the patch. This series causes an error when: bitbake
> core-image-sato -c populate_sdk, so it's on hold.
>

Sorry for the delay, this got buried in my inbox and I didn't see it until today (updated email filters so it shouldn't happen again).

The problem here is that 0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch is applied first and also touches elf/rtld.c. This causes the patches in this series to be applied incorrectly against nativesdk-glibc.

The fact that the nativesdk patches are applied before the base patches is a bit concerning as it could cause other problems as well. It seems like it would be much safer to apply the base patches then apply the nativesdk patches to avoid conflicts. Your thoughts?

[OE-core] [pyro][PATCH] glibc: Fix CVE-2017-1000366
Add backported patches from the upstream release/2.25/master branch to fix CVE-2017-1000366. Also add a backported patch that resolves SSE related build problems introduced by these patches. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch | 70 +++ ...ject-overly-long-LD_PRELOAD-path-elements.patch | 144 + ...Reject-overly-long-LD_AUDIT-path-elements.patch | 230 + ...ssing-IS_IN-libc-guards-to-vectorized-str.patch | 62 ++ meta/recipes-core/glibc/glibc_2.25.bb | 4 + 5 files changed, 510 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch create mode 100644 meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch create mode 100644 meta/recipes-core/glibc/glibc/0030-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch create mode 100644 meta/recipes-core/glibc/glibc/0031-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch diff --git a/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch new file mode 100644 index 00..0178d50ff0 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch 
@@ -0,0 +1,70 @@ +From 4002021818bc31aec9b353c6e13ce9f82e84cd38 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Mon, 19 Jun 2017 18:31:27 +0200 +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 + programs [BZ #21624] + +LD_LIBRARY_PATH can only be used to reorder system search paths, which +is not useful functionality. + +This makes an exploitable unbounded alloca in _dl_init_paths unreachable +for AT_SECURE=1 programs. + +(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d + +CVE: CVE-2017-1000366 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 7 +++ + NEWS | 1 + + elf/rtld.c | 3 ++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index f140ee67de..7bfdf45bb5 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,10 @@ ++2017-06-19 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #21624] ++ CVE-2017-1000366 ++ * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for ++ __libc_enable_secure. ++ + 2017-02-05 Siddhesh Poyarekar <siddh...@sourceware.org> + + * version.h (RELEASE): Set to "stable" +diff --git a/NEWS b/NEWS +index ec15dde761..f7d38536d6 100644 +--- a/NEWS b/NEWS +@@ -5,6 +5,7 @@ See the end for copying conditions. + Please send GNU C library bug reports via <http://sourceware.org/bugzilla/> + using `glibc' in the "product" field. + ++ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366) + Version 2.25 + + * The feature test macro __STDC_WANT_LIB_EXT2__, from ISO/IEC TR +diff --git a/elf/rtld.c b/elf/rtld.c +index a036ece956..2fc33a6178 100644 +--- a/elf/rtld.c b/elf/rtld.c +@@ -2418,7 +2418,8 @@ process_envvars (enum mode *modep) + + case 12: + /* The library search path. 
*/ +-if (memcmp (envline, "LIBRARY_PATH", 12) == 0) ++if (!__libc_enable_secure ++&& memcmp (envline, "LIBRARY_PATH", 12) == 0) + { + library_path = [13]; + break; +-- +2.15.0 + diff --git a/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch b/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch new file mode 100644 index 00..142bd86d2f --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch @@ -0,0 +1,144 @@ +From d4fe2023bb908b85d577ac3843acd44bada330ce Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Mon, 19 Jun 2017 22:31:04 +0200 +Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements + +(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=commit;h=46703a3995aa3ca2b816814aa4ad05ed524194dd + +CVE: CVE-2017-1000366 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 7 ++ + elf/rtld.c | 82 ++ + 2 files changed, 73 insertions(+), 16 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 7bfdf45bb5..0aff2bd347 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,10 @@ ++2017-06-19 Florian Wei
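Review bot: the elf/rtld.c hunk in 0028 (process_envvars, case 12) edits the same file as the recipe's existing 0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch, and the follow-up in this thread reports that the nativesdk patch is applied first, so the series applies incorrectly for nativesdk-glibc and `bitbake core-image-sato -c populate_sdk` fails. Either regenerate 0028-0030 so they apply cleanly with the nativesdk patches already in place, or reorder glibc_2.25.bb so the base patches go in before the nativesdk ones, and state in the commit message that populate_sdk was built.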
[OE-core] [morty][PATCH v3 1/2] glibc: Fix CVE-2015-5180
Add backported patch to fix CVE-2015-5180 from the upstream release/2.24/master branch. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- Changes in v2: - Fix commit message Changes in v3: - None. Resending with other patch in the series. ...80-resolv-Fix-crash-with-internal-QTYPE-B.patch | 357 + meta/recipes-core/glibc/glibc_2.24.bb | 1 + 2 files changed, 358 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch new file mode 100644 index 00..ba0bebe488 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch 
@@ -0,0 +1,357 @@ +From ff9b7c4fb73295cd2de2d2ccfbbf4f6d50883d47 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Sat, 31 Dec 2016 20:22:09 +0100 +Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ + #18784] + +Also rename T_UNSPEC because an upcoming public header file +update will use that name. + +(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=patch;h=b3b37f1a5559a7620e31c8053ed1b44f798f2b6d + +CVE: CVE-2015-5180 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 14 + NEWS | 6 ++ + include/arpa/nameser_compat.h | 6 +- + resolv/Makefile | 5 ++ + resolv/nss_dns/dns-host.c | 2 +- + resolv/res_mkquery.c | 4 + + resolv/res_query.c| 6 +- + resolv/tst-resolv-qtypes.c| 185 ++ + 8 files changed, 221 insertions(+), 7 deletions(-) + create mode 100644 resolv/tst-resolv-qtypes.c + +diff --git a/ChangeLog b/ChangeLog +index 893262de11..2bdaf69e43 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,17 @@ ++2016-12-31 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #18784] ++ CVE-2015-5180 ++ * include/arpa/nameser_compat.h (T_QUERY_A_AND_): Rename from ++ T_UNSPEC. Adjust value. ++ * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it. ++ * resolv/res_query.c (__libc_res_nquery): Likewise. ++ * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range ++ QTYPEs. ++ * resolv/tst-resolv-qtypes.c: New file. ++ * resolv/Makefile (xtests): Add tst-resolv-qtypes. ++ (tst-resolv-qtypes): Link against libresolv and libpthread. ++ + 2016-10-26 Carlos O'Donell <car...@redhat.com> + + * include/atomic.h +diff --git a/NEWS b/NEWS +index 3002773c16..4b1ca3cb65 100644 +--- a/NEWS b/NEWS +@@ -11,6 +11,12 @@ using `glibc' in the "product" field. + printers show various pthread variables in human-readable form when read + using the 'print' or 'display' commands in gdb. 
+ ++* The DNS stub resolver functions would crash due to a NULL pointer ++ dereference when processing a query with a valid DNS question type which ++ was used internally in the implementation. The stub resolver now uses a ++ question type which is outside the range of valid question type values. ++ (CVE-2015-5180) ++ + Version 2.24 + + * The minimum Linux kernel version that this version of the GNU C Library +diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h +index 2e735ede4c..7c0deed9ae 100644 +--- a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h +@@ -1,8 +1,8 @@ + #ifndef _ARPA_NAMESER_COMPAT_ + #include + +-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e., +- T_A and T_). */ +-#define T_UNSPEC 62321 ++/* The number is outside the 16-bit RR type range and is used ++ internally by the implementation. */ ++#define T_QUERY_A_AND_ 439963904 + + #endif +diff --git a/resolv/Makefile b/resolv/Makefile +index 8be41d3ae1..a4c86b9762 100644 +--- a/resolv/Makefile b/resolv/Makefile +@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes) + extra-libs += libanl + routines += gai_sigqueue + tests += tst-res_hconf_reorder ++ ++# This test sends millions of packets and is rather slow. ++xtests += tst-resolv-qtypes + endif + extra-libs-others = $(extra-libs) + libresolv-routines := gethnamaddr res_comp res_debug \ +@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace + $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \ + $(evaluate-test) ++ ++$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 5f9e35701b..d16fa4b8ed 100644 +--
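Review bot: the new file is numbered 0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch, and the companion 2/2 in this series starts its files at 0001-CVE-2017-1000366-... as well; with both dropped into meta/recipes-core/glibc/glibc/ the prefixes no longer say anything about application order, unlike the pyro series, which continues the recipe's existing sequence at 0028. SRC_URI order in glibc_2.24.bb is what actually decides the order, but numbering the files after the last patch already in the directory keeps that order reviewable from the tree alone.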
[OE-core] [morty][PATCH v3 2/2] glibc: Fix CVE-2017-1000366
Add backported patches from the upstream release/2.24/master branch to fix CVE-2017-1000366. Also add a backported patch that resolves SSE related build problems introduced by these patches. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- Changes in v2: - Fix commit message Changes in v3: - Added upstream patch to fix SSE issue introduced by this patch series. ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch | 71 +++ ...ject-overly-long-LD_PRELOAD-path-elements.patch | 145 + ...Reject-overly-long-LD_AUDIT-path-elements.patch | 231 + ...ssing-IS_IN-libc-guards-to-vectorized-str.patch | 62 ++ meta/recipes-core/glibc/glibc_2.24.bb | 4 + 5 files changed, 513 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch create mode 100644 meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch create mode 100644 meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch create mode 100644 meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch new file mode 100644 index 00..78e9ea9e65 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch 
@@ -0,0 +1,71 @@ +From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Mon, 19 Jun 2017 18:33:26 +0200 +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 + programs [BZ #21624] + +LD_LIBRARY_PATH can only be used to reorder system search paths, which +is not useful functionality. + +This makes an exploitable unbounded alloca in _dl_init_paths unreachable +for AT_SECURE=1 programs. + +(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac +https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb + +CVE: CVE-2017-1000366 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 7 +++ + NEWS | 1 + + elf/rtld.c | 3 ++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index 2bdaf69e43..7a999802dd 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,10 @@ ++2017-06-19 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #21624] ++ CVE-2017-1000366 ++ * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for ++ __libc_enable_secure. ++ + 2016-12-31 Florian Weimer <fwei...@redhat.com> + + [BZ #18784] +diff --git a/NEWS b/NEWS +index 4b1ca3cb65..66b49dbbc0 100644 +--- a/NEWS b/NEWS +@@ -17,6 +17,7 @@ using `glibc' in the "product" field. + question type which is outside the range of valid question type values. + (CVE-2015-5180) + ++ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366) + Version 2.24 + + * The minimum Linux kernel version that this version of the GNU C Library +diff --git a/elf/rtld.c b/elf/rtld.c +index 647661ca45..215a9aec8f 100644 +--- a/elf/rtld.c b/elf/rtld.c +@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep) + + case 12: + /* The library search path. 
*/ +-if (memcmp (envline, "LIBRARY_PATH", 12) == 0) ++if (!__libc_enable_secure ++&& memcmp (envline, "LIBRARY_PATH", 12) == 0) + { + library_path = [13]; + break; +-- +2.15.0 + diff --git a/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch new file mode 100644 index 00..7f81ed1566 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch @@ -0,0 +1,145 @@ +From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Mon, 19 Jun 2017 22:31:04 +0200 +Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements + +(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467 +https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb + +CVE: CVE-2017-1000366 + +Signed-off-by: George McCollister <
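Review bot: the commit message says a fourth backport, 0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch, is added to resolve SSE-related build problems introduced by the other three, but it appears only in the diffstat; since it is not a CVE fix itself, its header should carry its own Upstream-Status: Backport with the upstream commit URL and a sentence naming which of 0001-0003 breaks the i686 build, so a later reader of glibc_2.24.bb can tell that the four patches must stay together. Given the nativesdk ordering failure reported against the pyro version of this series (the 0001 rtld.c hunk touches the same file), the commit message should also say whether populate_sdk was built for morty.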
Re: [OE-core] [morty][PATCH v2 1/2] glibc: Fix CVE-2015-5180
On Thu, Nov 16, 2017 at 12:45 PM, akuster808 <akuster...@gmail.com> wrote:
>
> On 11/15/2017 12:36 PM, George McCollister wrote:
>> Add backported patch to fix CVE-2015-5180 from the upstream
>> release/2.24/master branch.
>>
>> Signed-off-by: George McCollister <george.mccollis...@gmail.com>
>
> Thanks for this series. I will have to wait until I address this in Pyro.

CVE-2015-5180 should not be an issue in glibc 2.25. The CVE-2017-1000366 commits backported to glibc 2.25 are here:
https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d
https://sourceware.org/git/?p=glibc.git;a=commit;h=46703a3995aa3ca2b816814aa4ad05ed524194dd
https://sourceware.org/git/?p=glibc.git;a=commit;h=c69d4a0f680a24fdbe323764a50382ad324041e9

Would it help if I sent Pyro patches for these?

> - armin
[OE-core] [morty][PATCH v2 2/2] glibc: Fix CVE-2017-1000366
Add backported patches from the upstream release/2.24/master branch to fix CVE-2017-1000366 Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- Changes in v2: - Fix commit message ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch | 71 +++ ...ject-overly-long-LD_PRELOAD-path-elements.patch | 145 + ...Reject-overly-long-LD_AUDIT-path-elements.patch | 231 + meta/recipes-core/glibc/glibc_2.24.bb | 3 + 4 files changed, 450 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch create mode 100644 meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch create mode 100644 meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch new file mode 100644 index 00..78e9ea9e65 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch 
@@ -0,0 +1,71 @@ +From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Mon, 19 Jun 2017 18:33:26 +0200 +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 + programs [BZ #21624] + +LD_LIBRARY_PATH can only be used to reorder system search paths, which +is not useful functionality. + +This makes an exploitable unbounded alloca in _dl_init_paths unreachable +for AT_SECURE=1 programs. + +(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac +https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb + +CVE: CVE-2017-1000366 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 7 +++ + NEWS | 1 + + elf/rtld.c | 3 ++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index 2bdaf69e43..7a999802dd 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,10 @@ ++2017-06-19 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #21624] ++ CVE-2017-1000366 ++ * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for ++ __libc_enable_secure. ++ + 2016-12-31 Florian Weimer <fwei...@redhat.com> + + [BZ #18784] +diff --git a/NEWS b/NEWS +index 4b1ca3cb65..66b49dbbc0 100644 +--- a/NEWS b/NEWS +@@ -17,6 +17,7 @@ using `glibc' in the "product" field. + question type which is outside the range of valid question type values. + (CVE-2015-5180) + ++ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366) + Version 2.24 + + * The minimum Linux kernel version that this version of the GNU C Library +diff --git a/elf/rtld.c b/elf/rtld.c +index 647661ca45..215a9aec8f 100644 +--- a/elf/rtld.c b/elf/rtld.c +@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep) + + case 12: + /* The library search path. 
*/ +-if (memcmp (envline, "LIBRARY_PATH", 12) == 0) ++if (!__libc_enable_secure ++&& memcmp (envline, "LIBRARY_PATH", 12) == 0) + { + library_path = [13]; + break; +-- +2.15.0 + diff --git a/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch new file mode 100644 index 00..7f81ed1566 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch @@ -0,0 +1,145 @@ +From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Mon, 19 Jun 2017 22:31:04 +0200 +Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements + +(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467 +https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb + +CVE: CVE-2017-1000366 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 7 ++ + elf/rtld.c | 82 ++ + 2 files changed, 73 insertions(+), 16 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 7a999802dd..ea5ecd4a1e 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,10 @@ ++2017-06-19 Florian Weimer <fwei...@redhat.com> ++ ++ * elf/rtld.c (SECURE_N
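Review bot: this revision carries only the three ld.so backports; the v3 resend of the same patch adds 0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch because, per its changelog, these three patches introduce an SSE-related build problem, so v2 should be treated as superseded rather than merged. The 0001 and 0002 headers do carry the CVE: CVE-2017-1000366 and Upstream-Status: Backport tags that cve-check and the patch-upstream-status checks look for, which is right and should be kept in the resend.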
[OE-core] [morty][PATCH v2 1/2] glibc: Fix CVE-2015-5180
Add backported patch to fix CVE-2015-5180 from the upstream release/2.24/master branch. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- Changes in v2: - Fix commit message ...80-resolv-Fix-crash-with-internal-QTYPE-B.patch | 357 + meta/recipes-core/glibc/glibc_2.24.bb | 1 + 2 files changed, 358 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch new file mode 100644 index 00..ba0bebe488 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch 
@@ -0,0 +1,357 @@ +From ff9b7c4fb73295cd2de2d2ccfbbf4f6d50883d47 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Sat, 31 Dec 2016 20:22:09 +0100 +Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ + #18784] + +Also rename T_UNSPEC because an upcoming public header file +update will use that name. + +(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=patch;h=b3b37f1a5559a7620e31c8053ed1b44f798f2b6d + +CVE: CVE-2015-5180 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 14 + NEWS | 6 ++ + include/arpa/nameser_compat.h | 6 +- + resolv/Makefile | 5 ++ + resolv/nss_dns/dns-host.c | 2 +- + resolv/res_mkquery.c | 4 + + resolv/res_query.c| 6 +- + resolv/tst-resolv-qtypes.c| 185 ++ + 8 files changed, 221 insertions(+), 7 deletions(-) + create mode 100644 resolv/tst-resolv-qtypes.c + +diff --git a/ChangeLog b/ChangeLog +index 893262de11..2bdaf69e43 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,17 @@ ++2016-12-31 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #18784] ++ CVE-2015-5180 ++ * include/arpa/nameser_compat.h (T_QUERY_A_AND_): Rename from ++ T_UNSPEC. Adjust value. ++ * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it. ++ * resolv/res_query.c (__libc_res_nquery): Likewise. ++ * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range ++ QTYPEs. ++ * resolv/tst-resolv-qtypes.c: New file. ++ * resolv/Makefile (xtests): Add tst-resolv-qtypes. ++ (tst-resolv-qtypes): Link against libresolv and libpthread. ++ + 2016-10-26 Carlos O'Donell <car...@redhat.com> + + * include/atomic.h +diff --git a/NEWS b/NEWS +index 3002773c16..4b1ca3cb65 100644 +--- a/NEWS b/NEWS +@@ -11,6 +11,12 @@ using `glibc' in the "product" field. + printers show various pthread variables in human-readable form when read + using the 'print' or 'display' commands in gdb. 
+ ++* The DNS stub resolver functions would crash due to a NULL pointer ++ dereference when processing a query with a valid DNS question type which ++ was used internally in the implementation. The stub resolver now uses a ++ question type which is outside the range of valid question type values. ++ (CVE-2015-5180) ++ + Version 2.24 + + * The minimum Linux kernel version that this version of the GNU C Library +diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h +index 2e735ede4c..7c0deed9ae 100644 +--- a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h +@@ -1,8 +1,8 @@ + #ifndef _ARPA_NAMESER_COMPAT_ + #include + +-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e., +- T_A and T_). */ +-#define T_UNSPEC 62321 ++/* The number is outside the 16-bit RR type range and is used ++ internally by the implementation. */ ++#define T_QUERY_A_AND_ 439963904 + + #endif +diff --git a/resolv/Makefile b/resolv/Makefile +index 8be41d3ae1..a4c86b9762 100644 +--- a/resolv/Makefile b/resolv/Makefile +@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes) + extra-libs += libanl + routines += gai_sigqueue + tests += tst-res_hconf_reorder ++ ++# This test sends millions of packets and is rather slow. ++xtests += tst-resolv-qtypes + endif + extra-libs-others = $(extra-libs) + libresolv-routines := gethnamaddr res_comp res_debug \ +@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace + $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \ + $(evaluate-test) ++ ++$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 5f9e35701b..d16fa4b8ed 100644 +--- a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +@@
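Review bot: the resolv/Makefile hunk registers tst-resolv-qtypes under xtests rather than tests (the comment explains it sends millions of packets), so the regression test for the new out-of-range QTYPE check in res_nmkquery is not run by glibc's normal `make check`. When validating this backport, run it explicitly with `make xcheck`, or at least confirm that resolv/tst-resolv-qtypes builds, since the include/arpa/nameser_compat.h hunk renames T_UNSPEC and changes its value and anything in the 2.24 tree still using the old name would fail to compile.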
[OE-core] [morty][PATCH 2/2] Fix CVE-2017-1000366
Add backported patches from the upstream release/2.24/master branch to fix CVE-2017-1000366 Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch | 71 +++ ...ject-overly-long-LD_PRELOAD-path-elements.patch | 145 + ...Reject-overly-long-LD_AUDIT-path-elements.patch | 231 + meta/recipes-core/glibc/glibc_2.24.bb | 3 + 4 files changed, 450 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch create mode 100644 meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch create mode 100644 meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch new file mode 100644 index 00..78e9ea9e65 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch 
@@ -0,0 +1,71 @@ +From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Mon, 19 Jun 2017 18:33:26 +0200 +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1 + programs [BZ #21624] + +LD_LIBRARY_PATH can only be used to reorder system search paths, which +is not useful functionality. + +This makes an exploitable unbounded alloca in _dl_init_paths unreachable +for AT_SECURE=1 programs. + +(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac +https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb + +CVE: CVE-2017-1000366 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 7 +++ + NEWS | 1 + + elf/rtld.c | 3 ++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index 2bdaf69e43..7a999802dd 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,10 @@ ++2017-06-19 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #21624] ++ CVE-2017-1000366 ++ * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for ++ __libc_enable_secure. ++ + 2016-12-31 Florian Weimer <fwei...@redhat.com> + + [BZ #18784] +diff --git a/NEWS b/NEWS +index 4b1ca3cb65..66b49dbbc0 100644 +--- a/NEWS b/NEWS +@@ -17,6 +17,7 @@ using `glibc' in the "product" field. + question type which is outside the range of valid question type values. + (CVE-2015-5180) + ++ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366) + Version 2.24 + + * The minimum Linux kernel version that this version of the GNU C Library +diff --git a/elf/rtld.c b/elf/rtld.c +index 647661ca45..215a9aec8f 100644 +--- a/elf/rtld.c b/elf/rtld.c +@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep) + + case 12: + /* The library search path. 
*/ +-if (memcmp (envline, "LIBRARY_PATH", 12) == 0) ++if (!__libc_enable_secure ++&& memcmp (envline, "LIBRARY_PATH", 12) == 0) + { + library_path = [13]; + break; +-- +2.15.0 + diff --git a/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch new file mode 100644 index 00..7f81ed1566 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch @@ -0,0 +1,145 @@ +From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Mon, 19 Jun 2017 22:31:04 +0200 +Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements + +(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467 +https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb + +CVE: CVE-2017-1000366 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 7 ++ + elf/rtld.c | 82 ++ + 2 files changed, 73 insertions(+), 16 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 7a999802dd..ea5ecd4a1e 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,10 @@ ++2017-06-19 Florian Weimer <fwei...@redhat.com> ++ ++ * elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.
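Review bot: In the elf/rtld.c hunk of 0001 the new `case 12:` guard `!__libc_enable_secure && memcmp (envline, "LIBRARY_PATH", 12) == 0` drops LD_LIBRARY_PATH for AT_SECURE=1 programs before `_dl_init_paths` (where the unbounded alloca lives) ever sees it, which is the whole of the upstream fix and needs no further change; the only thing to verify is that the context line rendered here as `library_path = [13];` still reads `&envline[13]` in the patch file, since this rendering has dropped the operand. The 0002 patch is cut off after its ChangeLog hunk, and neither the 0003 LD_AUDIT patch nor the 3-line glibc_2.24.bb change listed in the diffstat appears in the message as shown, so the SECURE_NAME_LIMIT/SECURE_PATH_LIMIT rtld.c change (82 lines per its own diffstat) cannot be reviewed from this posting.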
[OE-core] [morty][PATCH 1/2] Fix CVE-2015-5180
Add backported patch to fix CVE-2015-5180 from the upstream release/2.24/master branch. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- ...80-resolv-Fix-crash-with-internal-QTYPE-B.patch | 357 + meta/recipes-core/glibc/glibc_2.24.bb | 1 + 2 files changed, 358 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch new file mode 100644 index 00..ba0bebe488 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch 
@@ -0,0 +1,357 @@ +From ff9b7c4fb73295cd2de2d2ccfbbf4f6d50883d47 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fwei...@redhat.com> +Date: Sat, 31 Dec 2016 20:22:09 +0100 +Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ + #18784] + +Also rename T_UNSPEC because an upcoming public header file +update will use that name. + +(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5) + +Upstream-Status: Backport +https://sourceware.org/git/?p=glibc.git;a=patch;h=b3b37f1a5559a7620e31c8053ed1b44f798f2b6d + +CVE: CVE-2015-5180 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + ChangeLog | 14 + NEWS | 6 ++ + include/arpa/nameser_compat.h | 6 +- + resolv/Makefile | 5 ++ + resolv/nss_dns/dns-host.c | 2 +- + resolv/res_mkquery.c | 4 + + resolv/res_query.c| 6 +- + resolv/tst-resolv-qtypes.c| 185 ++ + 8 files changed, 221 insertions(+), 7 deletions(-) + create mode 100644 resolv/tst-resolv-qtypes.c + +diff --git a/ChangeLog b/ChangeLog +index 893262de11..2bdaf69e43 100644 +--- a/ChangeLog b/ChangeLog +@@ -1,3 +1,17 @@ ++2016-12-31 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #18784] ++ CVE-2015-5180 ++ * include/arpa/nameser_compat.h (T_QUERY_A_AND_): Rename from ++ T_UNSPEC. Adjust value. ++ * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it. ++ * resolv/res_query.c (__libc_res_nquery): Likewise. ++ * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range ++ QTYPEs. ++ * resolv/tst-resolv-qtypes.c: New file. ++ * resolv/Makefile (xtests): Add tst-resolv-qtypes. ++ (tst-resolv-qtypes): Link against libresolv and libpthread. ++ + 2016-10-26 Carlos O'Donell <car...@redhat.com> + + * include/atomic.h +diff --git a/NEWS b/NEWS +index 3002773c16..4b1ca3cb65 100644 +--- a/NEWS b/NEWS +@@ -11,6 +11,12 @@ using `glibc' in the "product" field. + printers show various pthread variables in human-readable form when read + using the 'print' or 'display' commands in gdb. 
+ ++* The DNS stub resolver functions would crash due to a NULL pointer ++ dereference when processing a query with a valid DNS question type which ++ was used internally in the implementation. The stub resolver now uses a ++ question type which is outside the range of valid question type values. ++ (CVE-2015-5180) ++ + Version 2.24 + + * The minimum Linux kernel version that this version of the GNU C Library +diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h +index 2e735ede4c..7c0deed9ae 100644 +--- a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h +@@ -1,8 +1,8 @@ + #ifndef _ARPA_NAMESER_COMPAT_ + #include + +-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e., +- T_A and T_). */ +-#define T_UNSPEC 62321 ++/* The number is outside the 16-bit RR type range and is used ++ internally by the implementation. */ ++#define T_QUERY_A_AND_ 439963904 + + #endif +diff --git a/resolv/Makefile b/resolv/Makefile +index 8be41d3ae1..a4c86b9762 100644 +--- a/resolv/Makefile b/resolv/Makefile +@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes) + extra-libs += libanl + routines += gai_sigqueue + tests += tst-res_hconf_reorder ++ ++# This test sends millions of packets and is rather slow. ++xtests += tst-resolv-qtypes + endif + extra-libs-others = $(extra-libs) + libresolv-routines := gethnamaddr res_comp res_debug \ +@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace + $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \ + $(evaluate-test) ++ ++$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 5f9e35701b..d16fa4b8ed 100644 +--- a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_
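Review bot: In the include/arpa/nameser_compat.h hunk the new macro reads `T_QUERY_A_AND_` and the removed comment `T_A and T_`, which looks like a suffix was lost in this rendering rather than in the patch; confirm the patch file carries the full identifier, because the dns-host.c and res_query.c hunks reference it by name. The replacement value 439963904 is well above the 16-bit RR type range, which is the point of the fix: the internal marker for a combined IPv4/IPv6 lookup can no longer collide with a QTYPE that arrives on the wire, and the res_mkquery.c change (described in the ChangeLog entry as checking for out-of-range QTYPEs) is what stops the marker itself from being sent. The resolv/Makefile hunk adds tst-resolv-qtypes to `xtests`, not `tests`, with the comment that it sends millions of packets, so it only runs under `make xcheck` and will not slow down a normal build. The message is cut off inside the dns-host.c hunk, so the remaining hunks cannot be checked here.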
[OE-core] [morty][PATCH 3/4] zlib: Fix CVE-2016-9842
Add backported patch to fix CVE-2016-9842 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9842 Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- .../zlib/zlib-1.2.8/CVE-2016-9842.patch| 35 ++ meta/recipes-core/zlib/zlib_1.2.8.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9842.patch diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9842.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9842.patch new file mode 100644 index 00..41b8d2a30a --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9842.patch @@ -0,0 +1,35 @@ +commit e54e1299404101a5a9d0cf5e45512b543967f958 +Author: Mark Adler <mad...@alumni.caltech.edu> +Date: Sat Sep 5 17:45:55 2015 -0700 + +Avoid shifts of negative values inflateMark(). + +The C standard says that bit shifts of negative integers is +undefined. This casts to unsigned values to assure a known +result. + +Upstream-Status: Backport +http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz +https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958 + +CVE: CVE-2016-9842 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> + +diff --git a/inflate.c b/inflate.c +index 2889e3a..a718416 100644 +--- a/inflate.c b/inflate.c +@@ -1506,9 +1506,10 @@ z_streamp strm; + { + struct inflate_state FAR *state; + +-if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16; ++if (strm == Z_NULL || strm->state == Z_NULL) ++return (long)(((unsigned long)0 - 1) << 16); + state = (struct inflate_state FAR *)strm->state; +-return ((long)(state->back) << 16) + ++return (long)(((unsigned long)((long)state->back)) << 16) + + (state->mode == COPY ? state->length : + (state->mode == MATCH ? state->was - state->length : 0)); + } diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb index 88f60611d9..eb38589b6a 100644 --- a/meta/recipes-core/zlib/zlib_1.2.8.bb 
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb @@ -12,6 +12,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \ file://ldflags-tests.patch \ file://CVE-2016-9840.patch \ file://CVE-2016-9841.patch \ + file://CVE-2016-9842.patch \ file://run-ptest \ " -- 2.15.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
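Review bot: The zlib_1.2.8.bb hunk carries `file://CVE-2016-9840.patch` and `file://CVE-2016-9841.patch` as context, so 3/4 applies only after 1/4 and 2/4 are in; fine for the series, but it cannot be cherry-picked alone into a tree that lacks those two lines. In the inflate.c hunk the rewrite of `-1L << 16` to `(long)(((unsigned long)0 - 1) << 16)` and of `(long)(state->back) << 16` to a shift of the value converted to unsigned first produces the same bit pattern as before on the usual two's-complement ABIs while removing the left shift of a negative value that the C standard leaves undefined, so callers of `inflateMark()` see no behavioural change.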
[OE-core] [morty][PATCH 2/4] zlib: Fix CVE-2016-9841
Add backported patch to fix CVE-2016-9841 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9841 Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- .../zlib/zlib-1.2.8/CVE-2016-9841.patch| 230 + meta/recipes-core/zlib/zlib_1.2.8.bb | 1 + 2 files changed, 231 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch new file mode 100644 index 00..9cf7a77786 --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch 
@@ -0,0 +1,230 @@ +commit 9aaec95e82117c1cb0f9624264c3618fc380cecb +Author: Mark Adler <mad...@alumni.caltech.edu> +Date: Wed Sep 21 22:25:21 2016 -0700 + +Use post-increment only in inffast.c. + +An old inffast.c optimization turns out to not be optimal anymore +with modern compilers, and furthermore was not compliant with the +C standard, for which decrementing a pointer before its allocated +memory is undefined. Per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this "optimization" was removed, in order to +avoid the possibility of undefined behavior. + +Upstream-Status: Backport +http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz +https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb + +CVE: CVE-2016-9841 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> + +diff --git a/inffast.c b/inffast.c +index bda59ce..f0d163d 100644 +--- a/inffast.c b/inffast.c +@@ -10,25 +10,6 @@ + + #ifndef ASMINF + +-/* Allow machine dependent optimization for post-increment or pre-increment. 
+- Based on testing to date, +- Pre-increment preferred for: +- - PowerPC G3 (Adler) +- - MIPS R5000 (Randers-Pehrson) +- Post-increment preferred for: +- - none +- No measurable difference: +- - Pentium III (Anderson) +- - M68060 (Nikl) +- */ +-#ifdef POSTINC +-# define OFF 0 +-# define PUP(a) *(a)++ +-#else +-# define OFF 1 +-# define PUP(a) *++(a) +-#endif +- + /* +Decode literal, length, and distance codes and write out the resulting +literal and match bytes until either not enough input or output is +@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + + /* copy state to local variables */ + state = (struct inflate_state FAR *)strm->state; +-in = strm->next_in - OFF; ++in = strm->next_in; + last = in + (strm->avail_in - 5); +-out = strm->next_out - OFF; ++out = strm->next_out; + beg = out - (start - strm->avail_out); + end = out + (strm->avail_out - 257); + #ifdef INFLATE_STRICT +@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ +input data or output space */ + do { + if (bits < 15) { +-hold += (unsigned long)(PUP(in)) << bits; ++hold += (unsigned long)(*in++) << bits; + bits += 8; +-hold += (unsigned long)(PUP(in)) << bits; ++hold += (unsigned long)(*in++) << bits; + bits += 8; + } + here = lcode[hold & lmask]; +@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ? 
+ "inflate: literal '%c'\n" : + "inflate: literal 0x%02x\n", here.val)); +-PUP(out) = (unsigned char)(here.val); ++*out++ = (unsigned char)(here.val); + } + else if (op & 16) { /* length base */ + len = (unsigned)(here.val); + op &= 15; /* number of extra bits */ + if (op) { + if (bits < op) { +-hold += (unsigned long)(PUP(in)) << bits; ++hold += (unsigned long)(*in++) << bits; + bits += 8; + } + len += (unsigned)hold & ((1U << op) - 1); +@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + } + Tracevv((stderr, "inflate: length %u\n", len)); + if (bits < 15) { +-hold += (unsigned long)(PUP(in)) << bits; ++hold += (unsigned long)(*in++) << bits; + bits += 8; +-hold += (unsigned long)(PUP(in)) << bits; ++hold += (unsigned long)(*in++) << bits; + bits += 8; +
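Review bot: The inffast.c hunks shown are internally consistent: with `OFF`/`PUP` gone, `in` and `out` start at `strm->next_in`/`strm->next_out` rather than one byte before, and every `PUP(in)`/`PUP(out)` becomes `*in++`/`*out++`, so no pointer is ever formed before the start of the buffer. The message is cut off in the length-decode block and the diffstat says the patch file is 230 lines, so the remainder of the conversion, in particular the write-back of `in` and `out` into `strm->next_in`/`strm->next_out` and the recomputation of `avail_in`/`avail_out` at the end of `inflate_fast`, must also lose its `OFF` adjustment; please confirm the patch file includes those hunks, because a half-converted file would silently read and write one byte off.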
[OE-core] [morty][PATCH 4/4] zlib: Fix CVE-2016-9843
Add backported patch to fix CVE-2016-9843 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9843 Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- .../zlib/zlib-1.2.8/CVE-2016-9843.patch| 55 ++ meta/recipes-core/zlib/zlib_1.2.8.bb | 1 + 2 files changed, 56 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch new file mode 100644 index 00..1ff8acf265 --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch 
@@ -0,0 +1,55 @@ +commit d1d577490c15a0c6862473d7576352a9f18ef811 +Author: Mark Adler <mad...@alumni.caltech.edu> +Date: Wed Sep 28 20:20:25 2016 -0700 + +Avoid pre-decrement of pointer in big-endian CRC calculation. + +There was a small optimization for PowerPCs to pre-increment a +pointer when accessing a word, instead of post-incrementing. This +required prefacing the loop with a decrement of the pointer, +possibly pointing before the object passed. This is not compliant +with the C standard, for which decrementing a pointer before its +allocated memory is undefined. When tested on a modern PowerPC +with a modern compiler, the optimization no longer has any effect. +Due to all that, and per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this "optimization" was removed, in order to +avoid the possibility of undefined behavior. + +Upstream-Status: Backport +http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz +https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811 + +CVE: CVE-2016-9843 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> + +diff --git a/crc32.c b/crc32.c +index 979a719..05733f4 100644 +--- a/crc32.c b/crc32.c +@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) + } + + /* = */ +-#define DOBIG4 c ^= *++buf4; \ ++#define DOBIG4 c ^= *buf4++; \ + c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ + crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] + #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 +@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) + } + + buf4 = (const z_crc_t FAR *)(const void FAR *)buf; +-buf4--; + while (len >= 32) { + DOBIG32; + len -= 32; +@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) + DOBIG4; + len -= 4; + } +-buf4++; + buf = (const unsigned char FAR *)buf4; + + if (len) do { 
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb index eb38589b6a..338d0f9573 100644 --- a/meta/recipes-core/zlib/zlib_1.2.8.bb +++ b/meta/recipes-core/zlib/zlib_1.2.8.bb @@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \ file://CVE-2016-9840.patch \ file://CVE-2016-9841.patch \ file://CVE-2016-9842.patch \ + file://CVE-2016-9843.patch \ file://run-ptest \ " -- 2.15.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
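Review bot: In crc32.c the three changes are a matched set and should not be applied separately: `DOBIG4` switches from `*++buf4` to `*buf4++`, so the `buf4--` before the loop (which formed a pointer one word before `buf`) and the `buf4++` after it are both removed, and `buf` is then derived from a `buf4` that already points just past the last consumed word, leaving the number of words consumed unchanged. The little-endian path (`crc32_little`, `DOLIT4`) is not touched, which is correct only if it already uses post-increment; worth a glance at that function in the 1.2.8 source when applying.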
[OE-core] [morty][PATCH 1/4] zlib: Fix CVE-2016-9840
Add backported patch to fix CVE-2016-9840 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9840 Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- .../zlib/zlib-1.2.8/CVE-2016-9840.patch| 77 ++ meta/recipes-core/zlib/zlib_1.2.8.bb | 1 + 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch new file mode 100644 index 00..4f0d2c6975 --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch 
@@ -0,0 +1,77 @@ +commit 6a043145ca6e9c55184013841a67b2fef87e44c0 +Author: Mark Adler <mad...@alumni.caltech.edu> +Date: Wed Sep 21 23:35:50 2016 -0700 + +Remove offset pointer optimization in inftrees.c. + +inftrees.c was subtracting an offset from a pointer to an array, +in order to provide a pointer that allowed indexing starting at +the offset. This is not compliant with the C standard, for which +the behavior of a pointer decremented before its allocated memory +is undefined. Per the recommendation of a security audit of the +zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this tiny optimization was removed, in order +to avoid the possibility of undefined behavior. + +Upstream-Status: Backport +http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz +https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0 + +CVE: CVE-2016-9840 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> + +diff --git a/inftrees.c b/inftrees.c +index 22fcd66..0d2670d 100644 +--- a/inftrees.c b/inftrees.c +@@ -54,7 +54,7 @@ unsigned short FAR *work; + code FAR *next; /* next available space in table */ + const unsigned short FAR *base; /* base value table to use */ + const unsigned short FAR *extra;/* extra bits table to use */ +-int end;/* use base and extra for symbol > end */ ++unsigned match; /* use base and extra for symbol >= match */ + unsigned short count[MAXBITS+1];/* number of codes of each length */ + unsigned short offs[MAXBITS+1]; /* offsets in table for each length */ + static const unsigned short lbase[31] = { /* Length codes 257..285 base */ +@@ -181,19 +181,17 @@ unsigned short FAR *work; + switch (type) { + case CODES: + base = extra = work;/* dummy value--not used */ +-end = 19; ++match = 20; + break; + case LENS: + base = lbase; +-base -= 257; + extra = lext; +-extra -= 257; +-end = 256; ++match = 257; + break; + default:/* DISTS */ + base = dbase; + extra = dext; +-end = 
-1; ++match = 0; + } + + /* initialize state for loop */ +@@ -216,13 +214,13 @@ unsigned short FAR *work; + for (;;) { + /* create table entry */ + here.bits = (unsigned char)(len - drop); +-if ((int)(work[sym]) < end) { ++if (work[sym] + 1 < match) { + here.op = (unsigned char)0; + here.val = work[sym]; + } +-else if ((int)(work[sym]) > end) { +-here.op = (unsigned char)(extra[work[sym]]); +-here.val = base[work[sym]]; ++else if (work[sym] >= match) { ++here.op = (unsigned char)(extra[work[sym] - match]); ++here.val = base[work[sym] - match]; + } + else { + here.op = (unsigned char)(32 + 64); /* end of block */ diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb index 913c7033d4..b6a4c687ca 100644 --- a/meta/recipes-core/zlib/zlib_1.2.8.bb +++ b/meta/recipes-core/zlib/zlib_1.2.8.bb @@ -10,6 +10,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \ file://remove.ldconfig.call.patch \ file://Makefile-runtests.patch \ file://ldflags-tests.patch \ + file://CVE-2016-9840.patch \ file://run-ptest \ " -- 2.15.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
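Review bot: In the inftrees.c hunk at @@ -216 the new `match` comparisons must reproduce the old `end` semantics exactly, and they do for all three tables: for CODES (`match = 20`, was `end = 19`) symbols below 19 are literals and 19 would fall to the end-of-block branch, as before; for LENS (`match = 257`, was `end = 256`) symbols 0..255 are literals, 256 hits the end-of-block branch, and 257 and up index `base`/`extra` via `work[sym] - match`, which is what the removed `base -= 257; extra -= 257;` used to achieve by pointing before the arrays; for DISTS (`match = 0`, was `end = -1`) `work[sym] + 1 < 0` is never true for an unsigned value and `work[sym] >= 0` always is, so every symbol goes through `base`/`extra` exactly as before. The type change from `int end` to `unsigned match` is what lets the `(int)` casts on `work[sym]` go away, so the comparisons are now all unsigned and no sign-conversion warning should appear.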
[OE-core] [PATCH v2 1/2] shadow: fix CVE-2017-2616
Apply backported patch that fixes CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- Changes in v2: - Add SOB to patch file. .../files/0001-su-properly-clear-child-PID.patch | 72 ++ meta/recipes-extended/shadow/shadow.inc| 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch diff --git a/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch new file mode 100644 index 00..9fefd9e599 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch 
@@ -0,0 +1,72 @@ +From 3ed6ba2105c7a35d6dc7e8b805202d0235df1fb1 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Thu, 23 Feb 2017 09:47:29 -0600 +Subject: [PATCH] su: properly clear child PID + +If su is compiled with PAM support, it is possible for any local user +to send SIGKILL to other processes with root privileges. There are +only two conditions. First, the user must be able to perform su with +a successful login. This does NOT have to be the root user, even using +su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL +can only be sent to processes which were executed after the su process. +It is not possible to send SIGKILL to processes which were already +running. I consider this as a security vulnerability, because I was +able to write a proof of concept which unlocked a screen saver of +another user this way. + +Upstream-Status: Backport +https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch?h=jessie +https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686 + +CVE: CVE-2017-2616 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + src/su.c | 19 +-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/src/su.c b/src/su.c +index 3704217..1efcd61 100644 +--- a/src/su.c b/src/su.c +@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void) + /* wake child when resumed */ + kill (pid, SIGCONT); + stop = false; ++ } else { ++ pid_child = 0; + } + } while (!stop); + } + +- if (0 != caught) { ++ if (0 != caught && 0 != pid_child) { + (void) fputs ("\n", stderr); + (void) fputs (_("Session terminated, terminating shell..."), + stderr); + (void) kill (-pid_child, caught); + + (void) signal (SIGALRM, kill_child); ++ (void) signal (SIGCHLD, catch_signals); + (void) alarm (2); + +- (void) wait (); ++ sigemptyset (); ++ if ((sigaddset (, SIGALRM) != 0) ++ || (sigprocmask 
(SIG_BLOCK, , NULL) != 0)) { ++ fprintf (stderr, _("%s: signal masking malfunction\n"), Prog); ++ kill_child (0); ++ } else { ++ while (0 == waitpid (pid_child, , WNOHANG)) { ++ sigsuspend (); ++ } ++ pid_child = 0; ++ (void) sigprocmask (SIG_UNBLOCK, , NULL); ++ } ++ + (void) fputs (_(" ...terminated.\n"), stderr); + } + +-- +2.15.0 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index cc189649b2..031e880630 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -17,6 +17,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ file://0001-useradd-copy-extended-attributes-of-home.patch \ file://0001-shadow-CVE-2017-12424 \ + file://0001-su-properly-clear-child-PID.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ " -- 2.15.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
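Review bot: In the src/su.c hunk the added `0 != pid_child` guard on the `if (0 != caught ...)` block is the actual fix: `pid_child` is now cleared once the child has been reaped, so the later `kill (-pid_child, caught)` can no longer degrade into `kill (0, caught)` and signal every process in the caller's process group with root privileges. The second hunk replaces the bare `wait ()` with a `waitpid (pid_child, ..., WNOHANG)`/`sigsuspend` loop run with SIGALRM blocked, so the alarm-driven `kill_child` cannot race the reap and the same stale-PID window is closed on that path too. Several argument expressions in this rendering have lost their `&` operands (`sigemptyset ()`, `sigaddset (, SIGALRM)`, `waitpid (pid_child, , WNOHANG)`), which looks like transport damage rather than patch content; confirm the patch file applies cleanly. Relative to the v1 posting further down, this v2 only adds the Signed-off-by line to the patch header.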
[OE-core] [PATCH v2 2/2] shadow: fix CVE-2016-6252
Apply backported patch that fixes CVE-2016-6252 Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- Changes in v2: - Add SOB to patch file. .../shadow/files/0001-Simplify-getulong.patch | 54 ++ meta/recipes-extended/shadow/shadow.inc| 1 + 2 files changed, 55 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch diff --git a/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch new file mode 100644 index 00..8a41fb1dd6 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch 
@@ -0,0 +1,54 @@ +From 70723e568159f3130b6076463f0bf978763e3369 Mon Sep 17 00:00:00 2001 +From: Sebastian Krahmer <krah...@suse.com> +Date: Wed, 3 Aug 2016 11:51:07 -0500 +Subject: [PATCH] Simplify getulong + +Use strtoul to read an unsigned long, rather than reading +a signed long long and casting it. + +https://bugzilla.suse.com/show_bug.cgi?id=979282 + +Upstream-Status: Backport +https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch?h=jessie +https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1 + +CVE: CVE-2016-6252 + +Signed-off-by: George McCollister <george.mccollis...@gmail.com> +--- + lib/getulong.c | 9 +++-- + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/lib/getulong.c b/lib/getulong.c +index 61579ca..08d2c1a 100644 +--- a/lib/getulong.c b/lib/getulong.c +@@ -44,22 +44,19 @@ + */ + int getulong (const char *numstr, /*@out@*/unsigned long int *result) + { +- long long int val; ++ unsigned long int val; + char *endptr; + + errno = 0; +- val = strtoll (numstr, , 0); ++ val = strtoul (numstr, , 0); + if (('\0' == *numstr) +|| ('\0' != *endptr) +|| (ERANGE == errno) +- /*@+ignoresigns@*/ +- || (val != (unsigned long int)val) +- /*@=ignoresigns@*/ + ) { + return 0; + } + +- *result = (unsigned long int)val; ++ *result = val; + return 1; + } + +-- +2.15.0 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 031e880630..9fb1cd3d17 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
@@ -18,6 +18,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ file://0001-useradd-copy-extended-attributes-of-home.patch \ file://0001-shadow-CVE-2017-12424 \ file://0001-su-properly-clear-child-PID.patch \ + file://0001-Simplify-getulong.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ " -- 2.15.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
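Review bot: In the lib/getulong.c hunk the switch from `strtoll` plus cast to `strtoul` closes the overflow the CVE describes: the removed `val != (unsigned long int)val` comparison is subject to the usual arithmetic conversions and on LP64 targets does not reject a negative `val`, whereas `strtoul` now reports `ERANGE` for anything above `ULONG_MAX`. One property of `strtoul` that callers such as newuidmap must still handle: it accepts a leading `-` and negates the result without setting `errno`, so `"-1"` parses as `ULONG_MAX` and `getulong` returns 1; the caller's own range check on the resulting UID/GID has to reject that, because this function does not.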
[OE-core] [PATCH 2/2] shadow: fix CVE-2016-6252
Apply backported patch that fixes CVE-2016-6252 Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- .../shadow/files/0001-Simplify-getulong.patch | 52 ++ meta/recipes-extended/shadow/shadow.inc| 1 + 2 files changed, 53 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch diff --git a/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch new file mode 100644 index 00..1d69e2fee4 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch 
@@ -0,0 +1,52 @@ +From 1ea1133aa22c691684dc9921c53313ff1b3b825b Mon Sep 17 00:00:00 2001 +From: Sebastian Krahmer <krah...@suse.com> +Date: Wed, 3 Aug 2016 11:51:07 -0500 +Subject: [PATCH] Simplify getulong + +Use strtoul to read an unsigned long, rather than reading +a signed long long and casting it. + +https://bugzilla.suse.com/show_bug.cgi?id=979282 + +Upstream-Status: Backport +https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch?h=jessie +https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1 + +CVE: CVE-2016-6252 +--- + lib/getulong.c | 9 +++-- + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/lib/getulong.c b/lib/getulong.c +index 61579ca..08d2c1a 100644 +--- a/lib/getulong.c b/lib/getulong.c +@@ -44,22 +44,19 @@ + */ + int getulong (const char *numstr, /*@out@*/unsigned long int *result) + { +- long long int val; ++ unsigned long int val; + char *endptr; + + errno = 0; +- val = strtoll (numstr, , 0); ++ val = strtoul (numstr, , 0); + if (('\0' == *numstr) +|| ('\0' != *endptr) +|| (ERANGE == errno) +- /*@+ignoresigns@*/ +- || (val != (unsigned long int)val) +- /*@=ignoresigns@*/ + ) { + return 0; + } + +- *result = (unsigned long int)val; ++ *result = val; + return 1; + } + +-- +2.15.0 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 031e880630..9fb1cd3d17 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
@@ -18,6 +18,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ file://0001-useradd-copy-extended-attributes-of-home.patch \ file://0001-shadow-CVE-2017-12424 \ file://0001-su-properly-clear-child-PID.patch \ + file://0001-Simplify-getulong.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ " -- 2.15.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
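Review bot: This v1 posting's embedded patch header ends at `CVE: CVE-2016-6252` with no Signed-off-by line for the backporter, which the v2 posting above adds; the getulong.c hunk itself is identical in both, so the diffstat difference (52 versus 54 lines) is just that header addition.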
[OE-core] [PATCH 1/2] shadow: fix CVE-2017-2616
Apply backported patch that fixes CVE-2017-2616 Sending SIGKILL to other processes with root privileges via su Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- .../files/0001-su-properly-clear-child-PID.patch | 70 ++ meta/recipes-extended/shadow/shadow.inc| 1 + 2 files changed, 71 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch diff --git a/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch new file mode 100644 index 00..205a7af054 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch 
@@ -0,0 +1,70 @@ +From 26d94ff403df048fe4438a97959793610d6e7ea8 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann <tob...@stoeckmann.org> +Date: Thu, 23 Feb 2017 09:47:29 -0600 +Subject: [PATCH] su: properly clear child PID + +If su is compiled with PAM support, it is possible for any local user +to send SIGKILL to other processes with root privileges. There are +only two conditions. First, the user must be able to perform su with +a successful login. This does NOT have to be the root user, even using +su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL +can only be sent to processes which were executed after the su process. +It is not possible to send SIGKILL to processes which were already +running. I consider this as a security vulnerability, because I was +able to write a proof of concept which unlocked a screen saver of +another user this way. + +Upstream-Status: Backport +https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch?h=jessie +https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686 + +CVE: CVE-2017-2616 +--- + src/su.c | 19 +-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/src/su.c b/src/su.c +index 3704217..1efcd61 100644 +--- a/src/su.c b/src/su.c +@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void) + /* wake child when resumed */ + kill (pid, SIGCONT); + stop = false; ++ } else { ++ pid_child = 0; + } + } while (!stop); + } + +- if (0 != caught) { ++ if (0 != caught && 0 != pid_child) { + (void) fputs ("\n", stderr); + (void) fputs (_("Session terminated, terminating shell..."), + stderr); + (void) kill (-pid_child, caught); + + (void) signal (SIGALRM, kill_child); ++ (void) signal (SIGCHLD, catch_signals); + (void) alarm (2); + +- (void) wait (); ++ sigemptyset (); ++ if ((sigaddset (, SIGALRM) != 0) ++ || (sigprocmask (SIG_BLOCK, , NULL) != 0)) { ++ fprintf (stderr, _("%s: signal masking 
malfunction\n"), Prog); ++ kill_child (0); ++ } else { ++ while (0 == waitpid (pid_child, , WNOHANG)) { ++ sigsuspend (); ++ } ++ pid_child = 0; ++ (void) sigprocmask (SIG_UNBLOCK, , NULL); ++ } ++ + (void) fputs (_(" ...terminated.\n"), stderr); + } + +-- +2.15.0 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index cc189649b2..031e880630 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -17,6 +17,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \ file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \ file://0001-useradd-copy-extended-attributes-of-home.patch \ file://0001-shadow-CVE-2017-12424 \ + file://0001-su-properly-clear-child-PID.patch \ ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \ " -- 2.15.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
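Review bot: the su.c hunk as shown in this mail has lost the variable names passed to sigemptyset, sigaddset, sigprocmask, sigsuspend and waitpid (they appear as empty arguments, e.g. `sigaddset (, SIGALRM)` and `waitpid (pid_child, , WNOHANG)`, and the "signal masking malfunction" string is split across two lines), so the patch file cannot be reviewed byte-for-byte from the archive; confirm the file in the tree matches the referenced upstream commit 08fd4b69e84364677a10e519ccb25b71710ee686 before applying. The visible logic is the right fix: `pid_child = 0` is now set once the child has been reaped, and both `kill (-pid_child, caught)` and the final wait are gated on `0 != pid_child`, so su no longer signals a PID that the kernel may already have reused for another user's process (and never calls kill with pid 0, which would target su's own process group); installing `catch_signals` for SIGCHLD and waiting in a sigsuspend loop with SIGALRM blocked also closes the window in which the 2-second alarm could be missed by the old plain wait.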
[OE-core] [morty][PATCH v2 1/3] python-3.5-manifest: Add imp to importlib
The imp python module is the forerunner of importlib. Include imp in the importlib subpackage instead of the misc subpackage so that it can be depended on without bringing in a bunch of unrelated, unused modules. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/python/python-3.5-manifest.inc b/meta/recipes-devtools/python/python-3.5-manifest.inc index 3046114..6c690db 100644 --- a/meta/recipes-devtools/python/python-3.5-manifest.inc +++ b/meta/recipes-devtools/python/python-3.5-manifest.inc @@ -115,7 +115,7 @@ FILES_${PN}-image="${libdir}/python3.5/colorsys.* ${libdir}/python3.5/imghdr.* $ SUMMARY_${PN}-importlib="Python import implementation library" RDEPENDS_${PN}-importlib="${PN}-core ${PN}-lang" -FILES_${PN}-importlib="${libdir}/python3.5/importlib " +FILES_${PN}-importlib="${libdir}/python3.5/importlib ${libdir}/python3.5/imp.* " SUMMARY_${PN}-io="Python low-level I/O" RDEPENDS_${PN}-io="${PN}-core ${PN}-math" -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
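Review bot: python-3.5-manifest.inc is generated by scripts/contrib/python/generate-manifest-3.5.py, so this hand edit is lost the next time the generator runs; patch 3/3 of this series changes the generator, so either squash the two or order the generator change first and regenerate this file from it, and compare the regenerated output against the `${libdir}/python3.5/imp.* ` entry added here to confirm they agree.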
[OE-core] [morty][PATCH v2 2/3] gdb-cross-canadian: Depend on nativesdk-python3-importlib
Add missing dependency on nativesdk-python3-importlib so the imp Python module is installed. Before this patch, running gdb from the sdk would give the following error: Python Exception No module named 'imp': Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc index e53081d..3ff1989 100644 --- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc +++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc @@ -14,7 +14,8 @@ GDBPROPREFIX = "--program-prefix='${TARGET_PREFIX}'" PACKAGECONFIG ??= "python readline" PACKAGECONFIG[python] = "--with-python=${WORKDIR}/python,--without-python,nativesdk-python3, \ nativesdk-python3-core nativesdk-python3-lang nativesdk-python3-re \ - nativesdk-python3-codecs nativesdk-python3-netclient" + nativesdk-python3-codecs nativesdk-python3-netclient \ + nativesdk-python3-importlib" PACKAGECONFIG[readline] = "--with-system-readline,--without-system-readline,nativesdk-readline" SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb" -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
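Review bot: this runtime dependency is only correct once nativesdk-python3-importlib actually ships imp (patch 1/3), so the two patches must be applied together and this one should not be cherry-picked on its own; the new item is in the fourth (RDEPENDS) field of PACKAGECONFIG[python], so it only takes effect when 'python' is in PACKAGECONFIG, which matches what the cover letter describes.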
[OE-core] [morty][PATCH v2 3/3] python-3-manifest: fix adding imp to importlib
From: Anders DaranderCommit: 512334f102a33833d39af53467894315f0715d07 "python-3.5-manifest: Add imp to importlib" added imp to importlib in the generated manifest, but not in the generator script. Signed-off-by: Anders Darander Signed-off-by: Ross Burton --- scripts/contrib/python/generate-manifest-3.5.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/contrib/python/generate-manifest-3.5.py b/scripts/contrib/python/generate-manifest-3.5.py index 2906cc6..71a71f7 100755 --- a/scripts/contrib/python/generate-manifest-3.5.py +++ b/scripts/contrib/python/generate-manifest-3.5.py @@ -269,7 +269,7 @@ if __name__ == "__main__": "formatter.* htmlentitydefs.* htmllib.* markupbase.* sgmllib.* HTMLParser.* " ) m.addPackage( "${PN}-importlib", "Python import implementation library", "${PN}-core ${PN}-lang", -"importlib" ) +"importlib imp.*" ) m.addPackage( "${PN}-gdbm", "Python GNU database support", "${PN}-core", "lib-dynload/_gdbm.*.so" ) -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
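Review bot: the generator now lists `importlib imp.*` for ${PN}-importlib, which matches the manual manifest edit in 1/3; running the script and checking that the regenerated python-3.5-manifest.inc is identical to the tree after 1/3 would confirm the two are in sync. The commit message's `From:` and `Commit:` lines have run together in this mail and need to be separate lines when the patch is applied.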
[OE-core] [morty][PATCH v2 0/3] Resolve gdb-cross-canadian dependency on imp
Add imp to python3-importlib. Make gdb-cross-canadian depend on nativesdk-python3-importlib when python is enabled. Changed since v1: Cherry picked patch that changes generate-manifest-3.5.py to add imp to importlib The following changes since commit 55c835c73cc41b6fc809c941c295d62a612e49e0: build-appliance-image: Update to morty head revision (2017-02-08 12:00:29 +) are available in the git repository at: git://github.com/gmccollister/openembedded-core morty-gdb-cross-canadian https://github.com/gmccollister/openembedded-core/tree/morty-gdb-cross-canadian Anders Darander (1): python-3-manifest: fix adding imp to importlib George McCollister (2): python-3.5-manifest: Add imp to importlib gdb-cross-canadian: Depend on nativesdk-python3-importlib meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++- meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +- scripts/contrib/python/generate-manifest-3.5.py | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [morty][PATCH 0/2] Resolve gdb-cross-canadian dependency on imp
On Thu, Feb 9, 2017 at 2:46 AM, Jussi Kukkonen <jussi.kukko...@intel.com> wrote:
> On 8 February 2017 at 22:06, George McCollister
> <george.mccollis...@gmail.com> wrote:
>>
>> Any chance we can get this applied to morty?
>
>
> You should add [morty] tag to subject and CC the maintainer
> (akuster...@gmail.com) to improve chances of this happening. I'm sure Armin
> would also appreciate explicit confirmation that the patches apply to morty
> branch.

[morty] was in the subject but I didn't CC the maintainer. Now I know who the maintainer is.

>
> Before that some review though (sorry I missed this in Dec) ... it looks
> like the "Add imp to importlib" commit only modified manifest.inc: this is a
> generated file and your changes will be overwritten next time someone runs
> the generator. You should modify
> scripts/contrib/python/generate-manifest-3.5.py and run that to generate the
> new manifest.inc file.

Yes, I messed that up. Someone else fixed it in master here:
http://git.openembedded.org/openembedded-core/commit/scripts/contrib/python/generate-manifest-3.5.py?id=bfe1d948ab034017622110c8365be7026e139fbf

>
> It would be nice if we did not store both the source and the generated files
> in git but that's how it's currently setup...

I'll resend my two patches with the patch that fixes generate-manifest-3.5.py for morty.

>
> Jussi
Re: [OE-core] [morty][PATCH 0/2] Resolve gdb-cross-canadian dependency on imp
Any chance we can get this applied to morty?
[OE-core] [master][PATCH 0/2] Resolve gdb-cross-canadian dependency on imp
Add imp to python3-importlib. Make gdb-cross-canadian depend on nativesdk-python3-importlib when python is enabled. The following changes since commit 11063a01d4511b2688ea7ba2d7359e4e07328c66: ruby: upgrade to 2.3.1 (2016-11-30 15:47:17 +) are available in the git repository at: git://github.com/gmccollister/openembedded-core master-gdb-cross-canadian https://github.com/gmccollister/openembedded-core/tree/master-gdb-cross-canadian George McCollister (2): python-3.5-manifest: Add imp to importlib gdb-cross-canadian: Depend on nativesdk-python3-importlib meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++- meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) -- 2.9.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [master][PATCH 2/2] gdb-cross-canadian: Depend on nativesdk-python3-importlib
Add missing dependency on nativesdk-python3-importlib so the imp Python module is installed. Before this patch, running gdb from the sdk would give the following error: Python Exception No module named 'imp': Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc index e53081d..3ff1989 100644 --- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc +++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc @@ -14,7 +14,8 @@ GDBPROPREFIX = "--program-prefix='${TARGET_PREFIX}'" PACKAGECONFIG ??= "python readline" PACKAGECONFIG[python] = "--with-python=${WORKDIR}/python,--without-python,nativesdk-python3, \ nativesdk-python3-core nativesdk-python3-lang nativesdk-python3-re \ - nativesdk-python3-codecs nativesdk-python3-netclient" + nativesdk-python3-codecs nativesdk-python3-netclient \ + nativesdk-python3-importlib" PACKAGECONFIG[readline] = "--with-system-readline,--without-system-readline,nativesdk-readline" SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb" -- 2.9.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [master][PATCH 1/2] python-3.5-manifest: Add imp to importlib
The imp python module is the forerunner of importlib. Include imp in the importlib subpackage instead of the misc subpackage so that it can be depended on without bringing in a bunch of unrelated, unused modules. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/python/python-3.5-manifest.inc b/meta/recipes-devtools/python/python-3.5-manifest.inc index 851f12e..7fcd871 100644 --- a/meta/recipes-devtools/python/python-3.5-manifest.inc +++ b/meta/recipes-devtools/python/python-3.5-manifest.inc @@ -115,7 +115,7 @@ FILES_${PN}-image="${libdir}/python3.5/colorsys.* ${libdir}/python3.5/__pycache_ SUMMARY_${PN}-importlib="Python import implementation library" RDEPENDS_${PN}-importlib="${PN}-core ${PN}-lang" -FILES_${PN}-importlib="${libdir}/python3.5/importlib ${libdir}/python3.5/importlib/__pycache__ " +FILES_${PN}-importlib="${libdir}/python3.5/importlib ${libdir}/python3.5/importlib/__pycache__ ${libdir}/python3.5/imp.* ${libdir}/python3.5/__pycache__/imp.* " SUMMARY_${PN}-io="Python low-level I/O" RDEPENDS_${PN}-io="${PN}-core ${PN}-math" -- 2.9.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
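Review bot: as with the morty version, python-3.5-manifest.inc is generated from scripts/contrib/python/generate-manifest-3.5.py and this edit will be overwritten on the next regeneration; change the generator instead and regenerate, which also settles whether the `${libdir}/python3.5/__pycache__/imp.*` entry added here is what the generator emits for master.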
[OE-core] [morty][PATCH 2/2] gdb-cross-canadian: Depend on nativesdk-python3-importlib
Add missing dependency on nativesdk-python3-importlib so the imp Python module is installed. Before this patch, running gdb from the sdk would give the following error: Python Exception No module named 'imp': Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc index e53081d..3ff1989 100644 --- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc +++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc @@ -14,7 +14,8 @@ GDBPROPREFIX = "--program-prefix='${TARGET_PREFIX}'" PACKAGECONFIG ??= "python readline" PACKAGECONFIG[python] = "--with-python=${WORKDIR}/python,--without-python,nativesdk-python3, \ nativesdk-python3-core nativesdk-python3-lang nativesdk-python3-re \ - nativesdk-python3-codecs nativesdk-python3-netclient" + nativesdk-python3-codecs nativesdk-python3-netclient \ + nativesdk-python3-importlib" PACKAGECONFIG[readline] = "--with-system-readline,--without-system-readline,nativesdk-readline" SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb" -- 2.9.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [morty][PATCH 1/2] python-3.5-manifest: Add imp to importlib
The imp python module is the forerunner of importlib. Include imp in the importlib subpackage instead of the misc subpackage so that it can be depended on without bringing in a bunch of unrelated, unused modules. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/python/python-3.5-manifest.inc b/meta/recipes-devtools/python/python-3.5-manifest.inc index 3046114..6c690db 100644 --- a/meta/recipes-devtools/python/python-3.5-manifest.inc +++ b/meta/recipes-devtools/python/python-3.5-manifest.inc @@ -115,7 +115,7 @@ FILES_${PN}-image="${libdir}/python3.5/colorsys.* ${libdir}/python3.5/imghdr.* $ SUMMARY_${PN}-importlib="Python import implementation library" RDEPENDS_${PN}-importlib="${PN}-core ${PN}-lang" -FILES_${PN}-importlib="${libdir}/python3.5/importlib " +FILES_${PN}-importlib="${libdir}/python3.5/importlib ${libdir}/python3.5/imp.* " SUMMARY_${PN}-io="Python low-level I/O" RDEPENDS_${PN}-io="${PN}-core ${PN}-math" -- 2.9.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [morty][PATCH 0/2] Resolve gdb-cross-canadian dependency on imp
Add imp to python3-importlib. Make gdb-cross-canadian depend on nativesdk-python3-importlib when python is enabled. The following changes since commit c8d96b10ee3bc2eae0fd269d2564286fd0bc82ed: rm_work: Ensure we don't remove sigbasedata files (2016-11-16 10:34:34 +) are available in the git repository at: git://github.com/gmccollister/openembedded-core morty-gdb-cross-canadian https://github.com/gmccollister/openembedded-core/tree/morty-gdb-cross-canadian George McCollister (2): python-3.5-manifest: Add imp to importlib gdb-cross-canadian: Depend on nativesdk-python3-importlib meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++- meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) -- 2.9.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] gdb-cross-canadian: Depend on nativesdk-python3-misc
On Mon, Dec 5, 2016 at 3:21 PM, Burton, Ross <ross.bur...@intel.com> wrote:
>
> On 5 December 2016 at 16:38, George McCollister
> <george.mccollis...@gmail.com> wrote:
>>
>> Add missing dependency on nativesdk-python3-misc so the imp Python
>> module is installed.
>
>
> So imp is the Python-facing API for 'import', and python-misc is a grab-bag
> of random stuff. Should imp be moved to be in python3-importlib (where its
> replacement already lives) or moved into python3-core?

importlib is the replacement for imp (it's deprecated since version 3.4) so this sounds reasonable to me. Shall I send a patch to add imp.py to python3-importlib and another to add python3-importlib to PACKAGECONFIG[python] in gdb-cross-canadian.inc?

-George
[OE-core] [PATCH] gdb-cross-canadian: Depend on nativesdk-python3-misc
Add missing dependency on nativesdk-python3-misc so the imp Python module is installed. Before this patch, running gdb from the sdk would give the following error: Python Exception No module named 'imp': Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc index e53081d..844daf2 100644 --- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc +++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc @@ -14,7 +14,8 @@ GDBPROPREFIX = "--program-prefix='${TARGET_PREFIX}'" PACKAGECONFIG ??= "python readline" PACKAGECONFIG[python] = "--with-python=${WORKDIR}/python,--without-python,nativesdk-python3, \ nativesdk-python3-core nativesdk-python3-lang nativesdk-python3-re \ - nativesdk-python3-codecs nativesdk-python3-netclient" + nativesdk-python3-codecs nativesdk-python3-netclient \ + nativesdk-python3-misc" PACKAGECONFIG[readline] = "--with-system-readline,--without-system-readline,nativesdk-readline" SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb" -- 2.9.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
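Review bot: nativesdk-python3-misc is the catch-all package for every module not assigned to a named subpackage, so depending on it for a single module (imp) pulls a large amount of unrelated code into the SDK; the narrower fix is to move imp.* into the importlib subpackage, where its documented replacement already lives, and depend on nativesdk-python3-importlib here, which is what the follow-up series does.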
Re: [OE-core] [PATCH v2 0/5] kernel-fitimage: Add initramfs, x86 support
On Mon, Aug 8, 2016 at 1:05 PM, Denys Dmytriyenko <de...@denix.org> wrote:
> On Mon, Aug 08, 2016 at 11:37:52AM -0500, George McCollister wrote:
>> Add support for building fitImages that include an initramfs and booting
>> on x86.
>
> I'm in the process of testing this version now.
>
>
> I'm wondering, if bundling everything in a single patchset will delay
> acceptance even further? Case in point - I'm mostly interested in initramfs
> support and it's been in limbo state for several months now. It was a single
> patch back then and there were no major comments or issues with it. Few months
> later, 2 extra patches were added with x86 support. Now recent $B change broke
> few things and we need 2 more patches just to get everything working again...

I'm surprised it wasn't accepted when it was a single patch. At this point I don't know what's keeping it from being accepted since I haven't received any feedback. I suspect whoever is maintaining OE core doesn't have time to look at it.

>
> The reason I'm bringing this up is because I've been working on this area
> recently and would like to contribute back some code (fixes, customizations).
> Since it depends on this patchset, I'm not sure if I should wait for it to get
> accepted or we'll just end up growing the patchset for another iteration...

Your fixes, customizations are welcome however I've had this concern as it has grown. Hopefully we can get some feedback soon as to what's holding up the acceptance.

>
> --
> Denys
>
>
>> * V2
>> - Include Andrew Bradford's cd to $B patch since it is now required for
>>do_assemble_fitimage to work
>> - Fix initramfs support patch to cd to $B in do_assemble_fitimage_initramfs
>> - Remove ${B} in call to fitimage_emit_section_ramdisk per
>>Denys Dmytriyenko's suggestion
>> - Add patch to cd to $B in do_concat_dtb()
>>
>> The following changes since commit c4dda05cb9755cb865c1d1bd142196f8a9f45d3d:
>>
>> Revert "packagegroup-core-x11-base.bb: replace pointercal with
>> pointercal-xinput" (2016-08-04 20:54:57 +0100)
>>
>> are available in the git repository at:
>>
>> git://github.com/gmccollister/openembedded-core master-fit
>> https://github.com/gmccollister/openembedded-core/tree/master-fit
>>
>> Andrew Bradford (1):
>> kernel-fitimage.bbclass: do_assemble_fitimage(): cd to $B
>>
>> George McCollister (4):
>> kernel-fitimage: add initramfs support
>> kernel-fitimage: Add x86 support
>> uboot-sign: Handle .rom signing the same as .img
>> uboot-sign: do_concat_dtb(): cd to $B
>>
>> meta/classes/kernel-fitimage.bbclass | 346 +--
>> meta/classes/uboot-sign.bbclass | 4 +-
>> 2 files changed, 249 insertions(+), 101 deletions(-)
>>
>> --
>> 2.8.0
[OE-core] [PATCH v2 4/5] uboot-sign: Handle .rom signing the same as .img
Handle u-boot.rom signing (U-Boot as x86 BIOS replacement) the same way that u-boot.img signing is handled. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/uboot-sign.bbclass | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index 57d4903..d56ad8e 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass @@ -64,7 +64,8 @@ do_concat_dtb () { # Concatenate U-Boot w/o DTB & DTB with public key # (cf. kernel-fitimage.bbclass for more details) if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then - if [ "x${UBOOT_SUFFIX}" = "ximg" -a -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then + if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \ + [ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then oe_runmake EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE} install ${S}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE} install ${S}/${UBOOT_BINARY} ${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE} -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
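Review bot: the rewritten condition still falls through silently when UBOOT_SIGN_ENABLE is 1 but ${DEPLOYDIR}/${UBOOT_DTB_IMAGE} is absent, so a build with signing enabled can deploy a U-Boot image that never received the public-key DTB and nothing fails; since this hunk already restructures the test, add an `else` branch that calls bbfatal so a missing DTB breaks the build rather than quietly producing a U-Boot with no verification key. The `[ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && [ -e ... ]` form itself is valid POSIX sh.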
[OE-core] [PATCH v3 2/5] kernel-fitimage: add initramfs support
If INITRAMFS_IMAGE is set, build an additional fitImage containing the initramfs. Copy the additional fitImage and the source (*.its) file, used to create it to DEPLOYDIR. The fitImage containing the initramfs must be built before do_deploy and after do_install to avoid circular dependencies. UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the initramfs. UBOOT_RD_ENTRYPOINT - Specifies the entry point used by u-boot for the initramfs. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/kernel-fitimage.bbclass | 285 +++ 1 file changed, 189 insertions(+), 96 deletions(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 7cca180..f05d8a5 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -16,7 +16,7 @@ python __anonymous () { image = d.getVar('INITRAMFS_IMAGE', True) if image: -d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') +d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') # Verified boot will sign the fitImage and append the public key to # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling @@ -32,8 +32,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= "" # # Emit the fitImage ITS header # +# $1 ... .its filename fitimage_emit_fit_header() { - cat << EOF >> fit-image.its + cat << EOF >> ${1} /dts-v1/; / { 
@@ -45,32 +46,33 @@ EOF # # Emit the fitImage section bits # -# $1 ... Section bit type: imagestart - image section start +# $1 ... .its filename +# $2 ... Section bit type: imagestart - image section start # confstart - configuration section start # sectend- section end # fitend - fitimage end # fitimage_emit_section_maint() { - case $1 in + case $2 in imagestart) - cat << EOF >> fit-image.its + cat << EOF >> ${1} images { EOF ;; confstart) - cat << EOF >> fit-image.its + cat << EOF >> ${1} configurations { EOF ;; sectend) - cat << EOF >> fit-image.its + cat << EOF >> ${1} }; EOF ;; fitend) - cat << EOF >> fit-image.its + cat << EOF >> ${1} }; EOF ;; @@ -80,9 +82,10 @@ EOF # # Emit the fitImage ITS kernel section # -# $1 ... Image counter -# $2 ... Path to kernel image -# $3 ... Compression type +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to kernel image +# $4 ... Compression type fitimage_emit_section_kernel() { kernel_csum="sha1" @@ -90,17 +93,17 @@ fitimage_emit_section_kernel() { ENTRYPOINT=${UBOOT_ENTRYPOINT} if test -n "${UBOOT_ENTRYSYMBOL}"; then ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \ - awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'` + awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'` fi - cat << EOF >> fit-image.its -kernel@${1} { + cat << EOF >> ${1} +kernel@${2} { description = "Linux kernel"; -data = /incbin/("${2}"); +data = /incbin/("${3}"); type = "kernel"; arch = "${UBOOT_ARCH}"; os = "linux"; -compression = "${3}"; +compression = "${4}"; load = <${UBOOT_LOADADDRESS}>; entry = <${ENTRYPOINT}>; hash@1 { 
@@ -113,16 +116,17 @@ EOF # # Emit the fitImage ITS DTB section # -# $1 ... Image counter -# $2 ... Path to DTB image +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to DTB image fitimage_emit_section_dtb() { dtb_csum="sha1" - cat << EOF >> fit-image.its -fdt@${1} { + cat << EOF >> ${1} +fdt@${2} { description = "Flattened Device Tree blob"; -data = /incbin/("${2}"); +data = /incbin/("${3}"); type = "flat_dt"; arch = "${UBOOT_ARCH}"; compression = "none";
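Review bot: the awk renumbering in fitimage_emit_section_kernel is a bug: in `awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'` the $3 and $1 are awk field numbers for the columns of `nm` output (address, type, symbol), not the shell function's positional parameters, so shifting them to `$4 ... {print $2}` to make room for the new `$1 ... .its filename` argument means the symbol never matches and ENTRYPOINT is empty whenever UBOOT_ENTRYSYMBOL is set; restore that line to `awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'`. The rest of the renumbering (section type in $2 for fitimage_emit_section_maint, counter/path/compression in $2..$4 for the kernel and DTB emitters) is consistent with the new first parameter.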
[OE-core] [PATCH v2 0/5] kernel-fitimage: Add initramfs, x86 support
Add support for building fitImages that include an initramfs and booting on x86. * V2 - Include Andrew Bradford's cd to $B patch since it is now required for do_assemble_fitimage to work - Fix initramfs support patch to cd to $B in do_assemble_fitimage_initramfs - Remove ${B} in call to fitimage_emit_section_ramdisk per Denys Dmytriyenko's suggestion - Add patch to cd to $B in do_concat_dtb() The following changes since commit c4dda05cb9755cb865c1d1bd142196f8a9f45d3d: Revert "packagegroup-core-x11-base.bb: replace pointercal with pointercal-xinput" (2016-08-04 20:54:57 +0100) are available in the git repository at: git://github.com/gmccollister/openembedded-core master-fit https://github.com/gmccollister/openembedded-core/tree/master-fit Andrew Bradford (1): kernel-fitimage.bbclass: do_assemble_fitimage(): cd to $B George McCollister (4): kernel-fitimage: add initramfs support kernel-fitimage: Add x86 support uboot-sign: Handle .rom signing the same as .img uboot-sign: do_concat_dtb(): cd to $B meta/classes/kernel-fitimage.bbclass | 346 +-- meta/classes/uboot-sign.bbclass | 4 +- 2 files changed, 249 insertions(+), 101 deletions(-) -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 5/5] uboot-sign: do_concat_dtb(): cd to $B
Prior to running oe_runmake make sure $B is the cwd. This is required due to bitbake commit 67a7b8b021badc17d8fdf447c250e79d291e75f7 "build: don't use $B as the default cwd for functions". Without this change, do_concat_dtb fails with: | ERROR: oe_runmake failed | make: *** No targets specified and no makefile found. Stop. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/uboot-sign.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index d56ad8e..3c56db8 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass @@ -66,6 +66,7 @@ do_concat_dtb () { if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \ [ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then + cd ${B} oe_runmake EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE} install ${S}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE} install ${S}/${UBOOT_BINARY} ${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE} -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2 3/5] kernel-fitimage: Add x86 support
For x86, bzImage must be built instead of zImage. Include setup.bin (which is required to boot the kernel) in the fitimage and always use a load/boot address of 0x0009. For details see: http://git.denx.de/?p=u-boot.git;a=blob;f=doc/uImage.FIT/x86-fit-boot.txt Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/kernel-fitimage.bbclass | 112 +-- 1 file changed, 82 insertions(+), 30 deletions(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index f05d8a5..8580247 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -7,12 +7,17 @@ python __anonymous () { depends = "%s u-boot-mkimage-native dtc-native" % depends d.setVar("DEPENDS", depends) +if d.getVar("UBOOT_ARCH", True) == "x86": +replacementtype = "bzImage" +else: +replacementtype = "zImage" + # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal # to kernel.bbclass . We have to override it, since we pack zImage # (at least for now) into the fitImage . typeformake = d.getVar("KERNEL_IMAGETYPE_FOR_MAKE", True) or "" if 'fitImage' in typeformake.split(): -d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', typeformake.replace('fitImage', 'zImage')) +d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', typeformake.replace('fitImage', replacementtype)) image = d.getVar('INITRAMFS_IMAGE', True) if image: @@ -138,6 +143,33 @@ EOF } # +# Emit the fitImage ITS setup section +# +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to setup image +fitimage_emit_section_setup() { + + setup_csum="sha1" + + cat << EOF >> ${1} +setup@${2} { +description = "Linux setup.bin"; +data = /incbin/("${3}"); +type = "x86_setup"; +arch = "${UBOOT_ARCH}"; +os = "linux"; +compression = "none"; +load = <0x0009>; +entry = <0x0009>; +hash@1 { +algo = "${setup_csum}"; +}; +}; +EOF +} + +# # Emit the fitImage ITS ramdisk section # # $1 ... .its filename 
@@ -171,6 +203,7 @@ EOF # $2 ... Linux kernel ID # $3 ... DTB image ID # $4 ... ramdisk ID +# $5 ... config ID fitimage_emit_section_config() { conf_csum="sha1" @@ -179,24 +212,25 @@ fitimage_emit_section_config() { fi # Test if we have any DTBs at all - if [ -z "${3}" -a -z "${4}" ] ; then - conf_desc="Boot Linux kernel" - fdt_line="" - ramdisk_line="" - elif [ -z "${4}" ]; then - conf_desc="Boot Linux kernel with FDT blob" - fdt_line="fdt = \"fdt@${3}\";" - ramdisk_line="" - elif [ -z "${3}" ]; then - conf_desc="Boot Linux kernel with ramdisk" - fdt_line="" - ramdisk_line="ramdisk = \"ramdisk@${4}\";" - else - conf_desc="Boot Linux kernel with FDT blob, ramdisk" + conf_desc="Linux kernel" + kernel_line="kernel = \"kernel@${2}\";" + fdt_line="" + ramdisk_line="" + + if [ -n "${3}" ]; then + conf_desc="${conf_desc}, FDT blob" fdt_line="fdt = \"fdt@${3}\";" + fi + + if [ -n "${4}" ]; then + conf_desc="${conf_desc}, ramdisk" ramdisk_line="ramdisk = \"ramdisk@${4}\";" fi - kernel_line="kernel = \"kernel@${2}\";" + + if [ -n "${5}" ]; then + conf_desc="${conf_desc}, setup" + setup_line="setup = \"setup@${5}\";" + fi cat << EOF >> ${1} default = "conf@1"; @@ -205,6 +239,7 @@ fitimage_emit_section_config() { ${kernel_line} ${fdt_line} ${ramdisk_line} + ${setup_line} hash@1 { algo = "${conf_csum}"; }; @@ -212,16 +247,22 @@ EOF if [ ! -z "${conf_sign_keyname}" ] ; then -
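Review bot: the new setup@ node hard-codes `load = <0x0009>` and `entry = <0x0009>`, which as displayed is not a plausible load address for setup.bin and looks truncated by the list archive; check the value in the actual patch against the U-Boot x86-fit-boot.txt document linked in the commit message before merging. This hunk also adds a fourth `sha1` literal (setup_csum, next to kernel_csum, dtb_csum and conf_csum); for image nodes without a signature the hash@ node is the only integrity check U-Boot performs at boot, so it would be better to introduce one variable for the hash algorithm with a sha256 default than to spread another sha1 constant through the class.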
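Review bot: `setup_line` is never initialised in fitimage_emit_section_config: fdt_line and ramdisk_line are reset to "" at the top of the function, but setup_line is only assigned inside `if [ -n "${5}" ]`, while the heredoc emits `${setup_line}` unconditionally, so a call without a setup ID that follows one with it would carry a stale `setup = "setup@N";` into the configuration; add `setup_line=""` beside the other two. The comment `# Test if we have any DTBs at all` no longer describes the code below it and should be updated with this change.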
[OE-core] [PATCH 1/5] kernel-fitimage.bbclass: do_assemble_fitimage(): cd to $B
From: Andrew BradfordPrior to assembling the fitimage, ensure that $B is the cwd due to bitbake commit 67a7b8b021badc17d8fdf447c250e79d291e75f7 "build: don't use $B as the default cwd for functions". Without this change, do_assemble_fitimage() fails like: Log data follows: | DEBUG: Executing shell function do_assemble_fitimage | arm-ka-linux-gnueabi-objcopy: 'vmlinux': No such file | WARNING: exit code 1 from a shell command. | ERROR: Function failed: do_assemble_fitimage Signed-off-by: Andrew Bradford --- meta/classes/kernel-fitimage.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 9a3caf5..7cca180 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -189,6 +189,7 @@ EOF } do_assemble_fitimage() { + cd ${B} if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then kernelcount=1 dtbcount="" -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH v2 1/3] kernel-fitimage: add initramfs support
On Fri, Aug 5, 2016 at 4:25 PM, Denys Dmytriyenko <de...@denix.org> wrote: > On Mon, Jul 18, 2016 at 12:57:55PM -0500, George McCollister wrote: >> If INITRAMFS_IMAGE is set, build an additional fitImage containing the >> initramfs. Copy the additional fitImage and the source (*.its) file, used >> to create it to DEPLOYDIR. The fitImage containing the initramfs must be >> built before do_deploy and after do_install to avoid circular dependencies. >> >> UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the >>initramfs. >> UBOOT_RD_ENTRYPOINT - Specifies the entry point used by u-boot for the >> initramfs. >> >> Signed-off-by: George McCollister <george.mccollis...@gmail.com> >> --- >> meta/classes/kernel-fitimage.bbclass | 282 >> +++ >> 1 file changed, 187 insertions(+), 95 deletions(-) >> >> diff --git a/meta/classes/kernel-fitimage.bbclass >> b/meta/classes/kernel-fitimage.bbclass >> index 9a3caf5..ede69e7 100644 >> --- a/meta/classes/kernel-fitimage.bbclass >> +++ b/meta/classes/kernel-fitimage.bbclass >> @@ -16,7 +16,7 @@ python __anonymous () { >> > > > > >> + # >> + # Step 3: Prepare a ramdisk section. >> + # >> + if [ "x${ramdiskcount}" = "x1" ] ; then >> + copy_initramfs >> + fitimage_emit_section_ramdisk ${1} "${ramdiskcount}" >> ${B}/usr/${INITRAMFS_IMAGE}-${MACHINE}.cpio > > May I suggest dropping ${B} here to get the ramdisk path shorter and easier to > read? It's relative to ${B} anyway - same as all the DTBs... > > + fitimage_emit_section_ramdisk ${1} "${ramdiskcount}" > usr/${INITRAMFS_IMAGE}-${MACHINE}.cpio Change made, will be included in the new pull request. Thanks > >> + fi >> > > > > -- > Denys -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
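Review bot: dropping ${B} from the ramdisk path, as suggested above, makes `fitimage_emit_section_ramdisk` depend on the task running with ${B} as its working directory, which bitbake no longer guarantees (the separate "do_assemble_fitimage(): cd to $B" patch in this archive exists for exactly that reason). Either keep the explicit `cd ${B}` at the top of the task or keep the absolute path, so the `/incbin/` reference written into the generated .its resolves regardless of where the task starts.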
[OE-core] [PATCH 2/3] kernel-fitimage: Add x86 support
For x86, bzImage must be built instead of zImage. Include setup.bin (which is required to boot the kernel) in the fitimage and always use a load/boot address of 0x0009. For details see: http://git.denx.de/?p=u-boot.git;a=blob;f=doc/uImage.FIT/x86-fit-boot.txt Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/kernel-fitimage.bbclass | 112 +-- 1 file changed, 82 insertions(+), 30 deletions(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index ede69e7..d4e3ed8 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -7,12 +7,17 @@ python __anonymous () { depends = "%s u-boot-mkimage-native dtc-native" % depends d.setVar("DEPENDS", depends) +if d.getVar("UBOOT_ARCH", True) == "x86": +replacementtype = "bzImage" +else: +replacementtype = "zImage" + # Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal # to kernel.bbclass . We have to override it, since we pack zImage # (at least for now) into the fitImage . typeformake = d.getVar("KERNEL_IMAGETYPE_FOR_MAKE", True) or "" if 'fitImage' in typeformake.split(): -d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', typeformake.replace('fitImage', 'zImage')) +d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', typeformake.replace('fitImage', replacementtype)) image = d.getVar('INITRAMFS_IMAGE', True) if image: @@ -138,6 +143,33 @@ EOF } # +# Emit the fitImage ITS setup section +# +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to setup image +fitimage_emit_section_setup() { + + setup_csum="sha1" + + cat << EOF >> ${1} +setup@${2} { +description = "Linux setup.bin"; +data = /incbin/("${3}"); +type = "x86_setup"; +arch = "${UBOOT_ARCH}"; +os = "linux"; +compression = "none"; +load = <0x0009>; +entry = <0x0009>; +hash@1 { +algo = "${setup_csum}"; +}; +}; +EOF +} + +# # Emit the fitImage ITS ramdisk section # # $1 ... .its filename 
@@ -171,6 +203,7 @@ EOF # $2 ... Linux kernel ID # $3 ... DTB image ID # $4 ... ramdisk ID +# $5 ... config ID fitimage_emit_section_config() { conf_csum="sha1" @@ -179,24 +212,25 @@ fitimage_emit_section_config() { fi # Test if we have any DTBs at all - if [ -z "${3}" -a -z "${4}" ] ; then - conf_desc="Boot Linux kernel" - fdt_line="" - ramdisk_line="" - elif [ -z "${4}" ]; then - conf_desc="Boot Linux kernel with FDT blob" - fdt_line="fdt = \"fdt@${3}\";" - ramdisk_line="" - elif [ -z "${3}" ]; then - conf_desc="Boot Linux kernel with ramdisk" - fdt_line="" - ramdisk_line="ramdisk = \"ramdisk@${4}\";" - else - conf_desc="Boot Linux kernel with FDT blob, ramdisk" + conf_desc="Linux kernel" + kernel_line="kernel = \"kernel@${2}\";" + fdt_line="" + ramdisk_line="" + + if [ -n "${3}" ]; then + conf_desc="${conf_desc}, FDT blob" fdt_line="fdt = \"fdt@${3}\";" + fi + + if [ -n "${4}" ]; then + conf_desc="${conf_desc}, ramdisk" ramdisk_line="ramdisk = \"ramdisk@${4}\";" fi - kernel_line="kernel = \"kernel@${2}\";" + + if [ -n "${5}" ]; then + conf_desc="${conf_desc}, setup" + setup_line="setup = \"setup@${5}\";" + fi cat << EOF >> ${1} default = "conf@1"; @@ -205,6 +239,7 @@ fitimage_emit_section_config() { ${kernel_line} ${fdt_line} ${ramdisk_line} + ${setup_line} hash@1 { algo = "${conf_csum}"; }; @@ -212,16 +247,22 @@ EOF if [ ! -z "${conf_sign_keyname}" ] ; then -
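Review bot: in the `python __anonymous` hunk the comment above the override still reads "We have to override it, since we pack zImage (at least for now)", which is no longer accurate once `replacementtype` can be bzImage; update it to say that x86 packs bzImage and every other arch zImage, since that comment is the only explanation of why KERNEL_IMAGETYPE_FOR_MAKE is rewritten at all.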
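Review bot: `fitimage_emit_section_setup` emits only a `hash@1` node for setup.bin, so under verified boot its authenticity rests entirely on the configuration signature covering it, and the `@@ -212,16 +247,22 @@` configuration hunk is cut off right at `if [ ! -z "${conf_sign_keyname}" ]`. Please confirm the signature node's `sign-images` list gains `"setup"` next to the kernel and fdt entries; U-Boot's default only covers kernel and fdt, and without the addition U-Boot would verify the kernel yet load an unauthenticated setup.bin. The hard-coded `load`/`entry` values also deserve a one-line comment pointing at the x86-fit-boot.txt reference from the commit message, so the next reader knows they are not arbitrary.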
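Review bot: in the `fitimage_emit_section_config` hunk `setup_line` is never reset before the `if [ -n "${5}" ]` test, unlike `fdt_line=""` and `ramdisk_line=""` just above it; these are plain (non-local) shell variables, so a call without a setup ID that follows a call with one re-emits the previous `setup = "setup@N";` line into the wrong configuration. Add `setup_line=""` beside the other two. The new parameter comment `# $5 ... config ID` is also misleading, since $5 is used as the setup image ID (`setup@${5}`).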
[OE-core] [PATCH v2 1/3] kernel-fitimage: add initramfs support
If INITRAMFS_IMAGE is set, build an additional fitImage containing the initramfs. Copy the additional fitImage and the source (*.its) file, used to create it to DEPLOYDIR. The fitImage containing the initramfs must be built before do_deploy and after do_install to avoid circular dependencies. UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the initramfs. UBOOT_RD_ENTRYPOINT - Specifies the entry point used by u-boot for the initramfs. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/kernel-fitimage.bbclass | 282 +++ 1 file changed, 187 insertions(+), 95 deletions(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 9a3caf5..ede69e7 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -16,7 +16,7 @@ python __anonymous () { image = d.getVar('INITRAMFS_IMAGE', True) if image: -d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') +d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') # Verified boot will sign the fitImage and append the public key to # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling @@ -32,8 +32,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= "" # # Emit the fitImage ITS header # +# $1 ... .its filename fitimage_emit_fit_header() { - cat << EOF >> fit-image.its + cat << EOF >> ${1} /dts-v1/; / { 
@@ -45,32 +46,33 @@ EOF # # Emit the fitImage section bits # -# $1 ... Section bit type: imagestart - image section start +# $1 ... .its filename +# $2 ... Section bit type: imagestart - image section start # confstart - configuration section start # sectend- section end # fitend - fitimage end # fitimage_emit_section_maint() { - case $1 in + case $2 in imagestart) - cat << EOF >> fit-image.its + cat << EOF >> ${1} images { EOF ;; confstart) - cat << EOF >> fit-image.its + cat << EOF >> ${1} configurations { EOF ;; sectend) - cat << EOF >> fit-image.its + cat << EOF >> ${1} }; EOF ;; fitend) - cat << EOF >> fit-image.its + cat << EOF >> ${1} }; EOF ;; @@ -80,9 +82,10 @@ EOF # # Emit the fitImage ITS kernel section # -# $1 ... Image counter -# $2 ... Path to kernel image -# $3 ... Compression type +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to kernel image +# $4 ... Compression type fitimage_emit_section_kernel() { kernel_csum="sha1" @@ -90,17 +93,17 @@ fitimage_emit_section_kernel() { ENTRYPOINT=${UBOOT_ENTRYPOINT} if test -n "${UBOOT_ENTRYSYMBOL}"; then ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \ - awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'` + awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'` fi - cat << EOF >> fit-image.its -kernel@${1} { + cat << EOF >> ${1} +kernel@${2} { description = "Linux kernel"; -data = /incbin/("${2}"); +data = /incbin/("${3}"); type = "kernel"; arch = "${UBOOT_ARCH}"; os = "linux"; -compression = "${3}"; +compression = "${4}"; load = <${UBOOT_LOADADDRESS}>; entry = <${ENTRYPOINT}>; hash@1 { 
@@ -113,16 +116,17 @@ EOF # # Emit the fitImage ITS DTB section # -# $1 ... Image counter -# $2 ... Path to DTB image +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to DTB image fitimage_emit_section_dtb() { dtb_csum="sha1" - cat << EOF >> fit-image.its -fdt@${1} { + cat << EOF >> ${1} +fdt@${2} { description = "Flattened Device Tree blob"; -data = /incbin/("${2}"); +data = /incbin/("${3}"); type = "flat_dt"; arch = "${UBOOT_ARCH}"; compression = "none";
[OE-core] [PATCH 3/3] uboot-sign: Handle .rom signing the same as .img
Handle u-boot.rom signing (U-Boot as x86 BIOS replacement) the same way that u-boot.img signing is handled. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/uboot-sign.bbclass | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index 57d4903..d56ad8e 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass @@ -64,7 +64,8 @@ do_concat_dtb () { # Concatenate U-Boot w/o DTB & DTB with public key # (cf. kernel-fitimage.bbclass for more details) if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then - if [ "x${UBOOT_SUFFIX}" = "ximg" -a -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then + if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" ] && \ + [ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then oe_runmake EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE} install ${S}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE} install ${S}/${UBOOT_BINARY} ${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE} -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
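Review bot: the new condition uses `-o` inside a single `[ ... ]`; POSIX marks `-a`/`-o` in test as obsolescent and ambiguous, and the very next line already uses `&&` between separate tests, so the consistent form is `{ [ "x${UBOOT_SUFFIX}" = "ximg" ] || [ "x${UBOOT_SUFFIX}" = "xrom" ]; } && [ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]`. If more suffixes are expected to share this rebuild path, a `case "${UBOOT_SUFFIX}" in img|rom)` would read better still.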
[OE-core] [PATCH 0/3] kernel-fitimage: Add initramfs, x86 support
Add support for building fitImages that include an initramfs and booting on x86. The following changes since commit da7a2c7b00b40a8759dbe9f4ab6df3e337e3d6b6: useradd-staticids: use map() instead of imap() (2016-07-12 23:11:57 +0100) are available in the git repository at: git://github.com/gmccollister/openembedded-core master-fit https://github.com/gmccollister/openembedded-core/tree/master-fit George McCollister (3): kernel-fitimage: add initramfs support kernel-fitimage: Add x86 support uboot-sign: Handle .rom signing the same as .img meta/classes/kernel-fitimage.bbclass | 344 +-- meta/classes/uboot-sign.bbclass | 3 +- 2 files changed, 246 insertions(+), 101 deletions(-) -- 2.8.0
[OE-core] [PATCH] useradd-staticids: use map() instead of imap()
In Python3 the itertools module's imap function has been migrated to the globalname space as map(). Calling itertools.imap() will fail because it no longer exists. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/useradd-staticids.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/useradd-staticids.bbclass b/meta/classes/useradd-staticids.bbclass index b6e498c..149245b 100644 --- a/meta/classes/useradd-staticids.bbclass +++ b/meta/classes/useradd-staticids.bbclass @@ -43,7 +43,7 @@ def update_useradd_static_config(d): if fields[0] not in id_table: id_table[fields[0]] = fields else: -id_table[fields[0]] = list(itertools.imap(lambda x, y: x or y, fields, id_table[fields[0]])) +id_table[fields[0]] = list(map(lambda x, y: x or y, fields, id_table[fields[0]])) except IOError as e: if e.errno == errno.ENOENT: pass -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
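Review bot: with `itertools.imap` replaced by the builtin `map`, check whether anything else in update_useradd_static_config() still uses itertools; the `import itertools` visible at the top of this function in Peter Kjellerstedt's patch elsewhere in this archive would then be dead and belongs in the same change. Semantics are preserved: `map` with a two-argument lambda stops at the shorter iterable exactly as imap did, and the `list_extend(..., exp_fields)` padding above keeps both field lists the same length, so the field-by-field merge is unchanged.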
Re: [OE-core] [PATCH 1/1] useradd-staticids.bbclass: Make sure opened files are closed
On Thu, Jun 9, 2016 at 6:07 PM, Peter Kjellerstedt wrote: > This avoids warnings about unclosed files with Python 3. > > Signed-off-by: Peter Kjellerstedt > --- > meta/classes/useradd-staticids.bbclass | 30 +- > 1 file changed, 17 insertions(+), 13 deletions(-) > > diff --git a/meta/classes/useradd-staticids.bbclass > b/meta/classes/useradd-staticids.bbclass > index a9b506d..440c0e3 100644 > --- a/meta/classes/useradd-staticids.bbclass > +++ b/meta/classes/useradd-staticids.bbclass > @@ -4,6 +4,7 @@ def update_useradd_static_config(d): > import argparse > import itertools > import re > +import errno > > class myArgumentParser( argparse.ArgumentParser ): > def _print_message(self, message, file=None):
> @@ -30,19 +31,22 @@ def update_useradd_static_config(d): > are set).""" > id_table = dict() > for conf in file_list.split(): > -if os.path.exists(conf): > -f = open(conf, "r") > -for line in f: > -if line.startswith('#'): > -continue > -# Make sure there always are at least exp_fields > elements in > -# the field list. This allows for leaving out trailing > -# colons in the files. > -fields = list_extend(line.rstrip().split(":"), > exp_fields) > -if fields[0] not in id_table: > -id_table[fields[0]] = fields > -else: > -id_table[fields[0]] = list(itertools.imap(lambda x, > y: x or y, fields, id_table[fields[0]])) > +try: > +with open(conf, "r") as f: > +for line in f: > +if line.startswith('#'): > +continue > +# Make sure there always are at least exp_fields > +# elements in the field list. This allows for leaving > +# out trailing colons in the files. > +fields = list_extend(line.rstrip().split(":"), > exp_fields) > +if fields[0] not in id_table: > +id_table[fields[0]] = fields > +else: > +id_table[fields[0]] = list(itertools.imap(lambda > x, y: x or y, fields, id_table[fields[0]])) This is still broken for me. As far as I can tell itertools.imap doesn't exist in Python 3. > +except IOError as e: > +if e.errno == errno.ENOENT: > +pass > > return id_table > > -- > 2.8.3 > > -- > ___ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
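Review bot: in the second hunk the new `except IOError as e: if e.errno == errno.ENOENT: pass` block has no `else: raise`, so every IOError is swallowed, not just a missing file; an unreadable passwd or group table (EACCES) is now ignored silently and the static UID/GID assignment quietly differs from the one the file was meant to pin, whereas the old `os.path.exists()` guard let such errors propagate. Re-raise anything other than ENOENT so only the missing-file case is tolerated. As George notes, `itertools.imap` on the merge line also still needs to become `map` for Python 3.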
Re: [OE-core] [PATCH] linux-yocto/4.1: fix musb compilation error
Yes, I found the issue on krogoth. -George On Fri, May 27, 2016 at 11:25 AM, akuster808wrote: > does this affect krogoth? > > - armin > > On 05/27/2016 09:18 AM, Bruce Ashfield wrote: >> We had a partial musb change merged into the 4.1 tree, which resulted in: >> >> | kernel-source/drivers/usb/musb/musb_dsps.c: >> In function 'dsps_create_musb_pdev': >> | kernel-source/drivers/usb/musb/musb_dsps.c:750:8: >> error: 'struct musb_hdrc_config' has no member named 'maximum_speed' >> | config->maximum_speed = usb_get_maximum_speed(>dev); >> | ^~ >> >> By backporting commit: >> >> 9b7537642cb6a [usb: musb: set the controller speed based on the config >> setting] >> >> We get our missing structure field, and we can once again build musb. >> >> [YOCTO: #9680] >> >> Signed-off-by: Bruce Ashfield >> --- >> meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb | 2 +- >> meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb | 2 +- >> meta/recipes-kernel/linux/linux-yocto_4.1.bb | 16 >> 3 files changed, 10 insertions(+), 10 deletions(-) >> >> diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb >> b/meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb >> index 1d4c404ef0ca..24cc0ac07703 100644 >> --- a/meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb >> +++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb >> @@ -11,7 +11,7 @@ python () { >> raise bb.parse.SkipPackage("Set PREFERRED_PROVIDER_virtual/kernel >> to linux-yocto-rt to enable it") >> } >> >> -SRCREV_machine ?= "320892013ad33ab41f530ad321939aec07d09d22" >> +SRCREV_machine ?= "e22280e8c2905d96c7cc5917df202b6ed904d042" >> SRCREV_meta ?= "4b4199bd24f206d459061bb0a920d009429d5ed3" >> >> SRC_URI = >> "git://git.yoctoproject.org/linux-yocto-4.1.git;branch=${KBRANCH};name=machine >> \ >> diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb >> b/meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb >> index 9757c4d02067..bf7d6c5959e1 100644 >> --- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb 
>> +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb >> @@ -9,7 +9,7 @@ LINUX_VERSION ?= "4.1.24" >> KMETA = "kernel-meta" >> KCONF_BSP_AUDIT_LEVEL = "2" >> >> -SRCREV_machine ?= "ecc983477682203619da0e456fa4a8689ac41097" >> +SRCREV_machine ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a" >> SRCREV_meta ?= "4b4199bd24f206d459061bb0a920d009429d5ed3" >> >> PV = "${LINUX_VERSION}+git${SRCPV}" >> diff --git a/meta/recipes-kernel/linux/linux-yocto_4.1.bb >> b/meta/recipes-kernel/linux/linux-yocto_4.1.bb >> index e0d288b6e93c..c325bc59c6c8 100644 >> --- a/meta/recipes-kernel/linux/linux-yocto_4.1.bb >> +++ b/meta/recipes-kernel/linux/linux-yocto_4.1.bb 
>> @@ -11,14 +11,14 @@ KBRANCH_qemux86 ?= "standard/base" >> KBRANCH_qemux86-64 ?= "standard/base" >> KBRANCH_qemumips64 ?= "standard/mti-malta64" >> >> -SRCREV_machine_qemuarm ?= "d11c336b38ab0d4e55eb683aca5ca9c6b6cd8b42" >> -SRCREV_machine_qemuarm64 ?= "ecc983477682203619da0e456fa4a8689ac41097" >> -SRCREV_machine_qemumips ?= "f8e363f638b283738369155b4a9990b5d0f902a7" >> -SRCREV_machine_qemuppc ?= "ecc983477682203619da0e456fa4a8689ac41097" >> -SRCREV_machine_qemux86 ?= "ecc983477682203619da0e456fa4a8689ac41097" >> -SRCREV_machine_qemux86-64 ?= "ecc983477682203619da0e456fa4a8689ac41097" >> -SRCREV_machine_qemumips64 ?= "1db47ec6c39071b29f82a040b9b9a81584f50461" >> -SRCREV_machine ?= "ecc983477682203619da0e456fa4a8689ac41097" >> +SRCREV_machine_qemuarm ?= "cadb80aa4bcee282f1b0798ef35ad8b96ec44931" >> +SRCREV_machine_qemuarm64 ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a" >> +SRCREV_machine_qemumips ?= "737eda6388a529d0937e9d91daa3644b11f322dc" >> +SRCREV_machine_qemuppc ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a" >> +SRCREV_machine_qemux86 ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a" >> +SRCREV_machine_qemux86-64 ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a" >> +SRCREV_machine_qemumips64 ?= "f276d128428b031521d766bfbfe84f9f9f992930" >> +SRCREV_machine ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a" >> SRCREV_meta ?= "4b4199bd24f206d459061bb0a920d009429d5ed3" >> >> SRC_URI = >> "git://git.yoctoproject.org/linux-yocto-4.1.git;name=machine;branch=${KBRANCH}; >> \ >> > -- > ___ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] uboot-sign: rebuild u-boot.img with signed dtb
u-boot-nodtb.img doesn't exist so if UBOOT_SUFFIX = "img" is used u-boot.img must be rebuilt by running make with EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE} then the resulting .img file must be install to the deploy directories. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/uboot-sign.bbclass | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass index 82cec9e..57d4903 100644 --- a/meta/classes/uboot-sign.bbclass +++ b/meta/classes/uboot-sign.bbclass @@ -63,9 +63,13 @@ do_deploy_dtb () { do_concat_dtb () { # Concatenate U-Boot w/o DTB & DTB with public key # (cf. kernel-fitimage.bbclass for more details) - cd ${DEPLOYDIR} if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then - if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; then + if [ "x${UBOOT_SUFFIX}" = "ximg" -a -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then + oe_runmake EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE} + install ${S}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE} + install ${S}/${UBOOT_BINARY} ${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE} + elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then + cd ${DEPLOYDIR} cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} | tee ${B}/${UBOOT_BINARY} > ${UBOOT_IMAGE} else bbwarn "Failure while adding public key to u-boot binary. Verified boot won't be available." -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
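Review bot: the new `img` branch runs `oe_runmake EXT_DTB=...` from whatever directory the task starts in, now that the unconditional `cd ${DEPLOYDIR}` has moved into the `elif` branch; since bitbake no longer guarantees ${B} as the cwd for shell functions (see the "do_assemble_fitimage(): cd to $B" patch in this archive), add an explicit `cd ${B}` before `oe_runmake` so the rebuild with the signed DTB does not depend on the caller's directory. This branch also has no counterpart to the `bbwarn` in the `else` branch: if the EXT_DTB rebuild fails, `oe_runmake` dies and the task errors out, which is the right outcome for a verified-boot image, but worth stating in the commit message so nobody "fixes" it into a warning later.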
[OE-core] [PATCH v2] kernel-fitimage: add initramfs support
If INITRAMFS_IMAGE is set, build an additional fitImage containing the initramfs. Copy the additional fitImage and the source .its file used to create it to DEPLOYDIR. The fitImage containing the initramfs must be built before do_deploy and after do_install to avoid circular dependencies. UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the initramfs. UBOOT_RD_ENTRYPOINT - Specifies the entry point used by u-boot for the initramfs. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/kernel-fitimage.bbclass | 280 +++ 1 file changed, 185 insertions(+), 95 deletions(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 298eda2..65e0ee3 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -14,7 +14,7 @@ python __anonymous () { image = d.getVar('INITRAMFS_IMAGE', True) if image: -d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') +d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') # Verified boot will sign the fitImage and append the public key to # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling @@ -30,8 +30,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= "" # # Emit the fitImage ITS header # +# $1 ... .its filename fitimage_emit_fit_header() { - cat << EOF >> fit-image.its + cat << EOF >> ${1} /dts-v1/; / { 
@@ -43,32 +44,33 @@ EOF # # Emit the fitImage section bits # -# $1 ... Section bit type: imagestart - image section start +# $1 ... .its filename +# $2 ... Section bit type: imagestart - image section start # confstart - configuration section start # sectend- section end # fitend - fitimage end # fitimage_emit_section_maint() { - case $1 in + case $2 in imagestart) - cat << EOF >> fit-image.its + cat << EOF >> ${1} images { EOF ;; confstart) - cat << EOF >> fit-image.its + cat << EOF >> ${1} configurations { EOF ;; sectend) - cat << EOF >> fit-image.its + cat << EOF >> ${1} }; EOF ;; fitend) - cat << EOF >> fit-image.its + cat << EOF >> ${1} }; EOF ;; @@ -78,9 +80,10 @@ EOF # # Emit the fitImage ITS kernel section # -# $1 ... Image counter -# $2 ... Path to kernel image -# $3 ... Compression type +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to kernel image +# $4 ... Compression type fitimage_emit_section_kernel() { kernel_csum="sha1" @@ -88,17 +91,17 @@ fitimage_emit_section_kernel() { ENTRYPOINT=${UBOOT_ENTRYPOINT} if test -n "${UBOOT_ENTRYSYMBOL}"; then ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \ - awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'` + awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'` fi - cat << EOF >> fit-image.its -kernel@${1} { + cat << EOF >> ${1} +kernel@${2} { description = "Linux kernel"; -data = /incbin/("${2}"); +data = /incbin/("${3}"); type = "kernel"; arch = "${UBOOT_ARCH}"; os = "linux"; -compression = "${3}"; +compression = "${4}"; load = <${UBOOT_LOADADDRESS}>; entry = <${ENTRYPOINT}>; hash@1 { 
@@ -111,16 +114,17 @@ EOF # # Emit the fitImage ITS DTB section # -# $1 ... Image counter -# $2 ... Path to DTB image +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to DTB image fitimage_emit_section_dtb() { dtb_csum="sha1" - cat << EOF >> fit-image.its -fdt@${1} { + cat << EOF >> ${1} +fdt@${2} { description = "Flattened Device Tree blob"; -data = /incbin/("${2}"); +data = /incbin/("${3}"); type = "flat_dt"; arch = "${UBOOT_ARCH}"; compression = "none";
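Review bot: `fitimage_emit_fit_header` now writes to a caller-supplied file but still appends (`>> ${1}`) rather than creating it, so if the .its file survives from an earlier run of the task the new header lands after stale content and dtc/mkimage will reject the second `/dts-v1/;`; either emit the header with `>` (it is by definition the first thing in the file) or have each caller remove the file before the first emit.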
Re: [OE-core] [PATCH] kernel-fitimage: add initramfs support
On Wed, May 25, 2016 at 5:33 PM, Marek Vasut <ma...@denx.de> wrote: > On 05/25/2016 01:25 AM, George McCollister wrote: >> If INITRAMFS_IMAGE is set, build an additional fitImage containing the >> initramfs. Copy the additional fitImage and the source .its file used to >> create it to DEPLOYDIR. The fitImage containing the initramfs must be >> built before do_deploy and after do_install to avoid circular dependencies. > > Yes, the circular dep is quite nasty. > >> UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the >>initramfs. >> UBOOT_RD_ENTRYPOINT - Specifies the entry point used by u-boot for the >>initramfs. >> >> Signed-off-by: George McCollister <george.mccollis...@gmail.com> >> --- >> meta/classes/kernel-fitimage.bbclass | 275 >> +++ >> 1 file changed, 180 insertions(+), 95 deletions(-) >> >> diff --git a/meta/classes/kernel-fitimage.bbclass >> b/meta/classes/kernel-fitimage.bbclass >> index 298eda2..2c2a642 100644 >> --- a/meta/classes/kernel-fitimage.bbclass >> +++ b/meta/classes/kernel-fitimage.bbclass >> @@ -14,7 +14,7 @@ python __anonymous () { >> >> image = d.getVar('INITRAMFS_IMAGE', True) >> if image: >> -d.appendVarFlag('do_assemble_fitimage', 'depends', ' >> ${INITRAMFS_IMAGE}:do_image_complete') >> +d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' >> ${INITRAMFS_IMAGE}:do_image_complete') >> >> # Verified boot will sign the fitImage and append the public key to >> # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling >> @@ -30,8 +30,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= "" >> # >> # Emit the fitImage ITS header >> # >> +# $1 ... .its filename >> fitimage_emit_fit_header() { >> - cat << EOF >> fit-image.its >> + cat << EOF >> ${1} >> /dts-v1/; >> >> / { 
>> @@ -43,32 +44,33 @@ EOF >> # >> # Emit the fitImage section bits >> # >> -# $1 ... Section bit type: imagestart - image section start >> +# $1 ... .its filename >> +# $2 ... Section bit type: imagestart - image section start >> # confstart - configuration section start >> # sectend- section end >> # fitend - fitimage end >> # >> fitimage_emit_section_maint() { >> - case $1 in >> + case $2 in >> imagestart) >> - cat << EOF >> fit-image.its >> + cat << EOF >> ${1} >> >> images { >> EOF >> ;; >> confstart) >> - cat << EOF >> fit-image.its >> + cat << EOF >> ${1} >> >> configurations { >> EOF >> ;; >> sectend) >> - cat << EOF >> fit-image.its >> + cat << EOF >> ${1} >> }; >> EOF >> ;; >> fitend) >> - cat << EOF >> fit-image.its >> + cat << EOF >> ${1} >> }; >> EOF >> ;; > > OK > >> @@ -78,9 +80,10 @@ EOF >> # >> # Emit the fitImage ITS kernel section >> # >> -# $1 ... Image counter >> -# $2 ... Path to kernel image >> -# $3 ... Compression type >> +# $1 ... .its filename >> +# $2 ... Image counter >> +# $3 ... Path to kernel image >> +# $4 ... Compression type >> fitimage_emit_section_kernel() { >> >> kernel_csum="sha1" >> @@ -88,17 +91,17 @@ fitimage_emit_section_kernel() { >> ENTRYPOINT=${UBOOT_ENTRYPOINT} >> if test -n "${UBOOT_ENTRYSYMBOL}"; then >> ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \ >> - awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'` >> + awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'` >> fi >> >> - cat << EOF >> fit-image.its >> -kernel@${1} { >> + cat << EOF >> ${1} >> +kernel@${2} { >> description = "Linux kernel"; >> -data = /incbin/("${2}"); >> +data = /incbin/("${3}"); >> type = "kernel"; &g
[OE-core] [PATCH] kernel-fitimage: add initramfs support
If INITRAMFS_IMAGE is set, build an additional fitImage containing the initramfs. Copy the additional fitImage and the source .its file used to create it to DEPLOYDIR. The fitImage containing the initramfs must be built before do_deploy and after do_install to avoid circular dependencies. UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the initramfs. UBOOT_RD_ENTRYPOINT - Specifies the entry point used by u-boot for the initramfs. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/kernel-fitimage.bbclass | 275 +++ 1 file changed, 180 insertions(+), 95 deletions(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 298eda2..2c2a642 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -14,7 +14,7 @@ python __anonymous () { image = d.getVar('INITRAMFS_IMAGE', True) if image: -d.appendVarFlag('do_assemble_fitimage', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') +d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' ${INITRAMFS_IMAGE}:do_image_complete') # Verified boot will sign the fitImage and append the public key to # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling @@ -30,8 +30,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= "" # # Emit the fitImage ITS header # +# $1 ... .its filename fitimage_emit_fit_header() { - cat << EOF >> fit-image.its + cat << EOF >> ${1} /dts-v1/; / { 
@@ -43,32 +44,33 @@ EOF # # Emit the fitImage section bits # -# $1 ... Section bit type: imagestart - image section start +# $1 ... .its filename +# $2 ... Section bit type: imagestart - image section start # confstart - configuration section start # sectend- section end # fitend - fitimage end # fitimage_emit_section_maint() { - case $1 in + case $2 in imagestart) - cat << EOF >> fit-image.its + cat << EOF >> ${1} images { EOF ;; confstart) - cat << EOF >> fit-image.its + cat << EOF >> ${1} configurations { EOF ;; sectend) - cat << EOF >> fit-image.its + cat << EOF >> ${1} }; EOF ;; fitend) - cat << EOF >> fit-image.its + cat << EOF >> ${1} }; EOF ;; @@ -78,9 +80,10 @@ EOF # # Emit the fitImage ITS kernel section # -# $1 ... Image counter -# $2 ... Path to kernel image -# $3 ... Compression type +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to kernel image +# $4 ... Compression type fitimage_emit_section_kernel() { kernel_csum="sha1" @@ -88,17 +91,17 @@ fitimage_emit_section_kernel() { ENTRYPOINT=${UBOOT_ENTRYPOINT} if test -n "${UBOOT_ENTRYSYMBOL}"; then ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \ - awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'` + awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'` fi - cat << EOF >> fit-image.its -kernel@${1} { + cat << EOF >> ${1} +kernel@${2} { description = "Linux kernel"; -data = /incbin/("${2}"); +data = /incbin/("${3}"); type = "kernel"; arch = "${UBOOT_ARCH}"; os = "linux"; -compression = "${3}"; +compression = "${4}"; load = <${UBOOT_LOADADDRESS}>; entry = <${ENTRYPOINT}>; hash@1 { 
@@ -111,16 +114,17 @@ EOF # # Emit the fitImage ITS DTB section # -# $1 ... Image counter -# $2 ... Path to DTB image +# $1 ... .its filename +# $2 ... Image counter +# $3 ... Path to DTB image fitimage_emit_section_dtb() { dtb_csum="sha1" - cat << EOF >> fit-image.its -fdt@${1} { + cat << EOF >> ${1} +fdt@${2} { description = "Flattened Device Tree blob"; -data = /incbin/("${2}"); +data = /incbin/("${3}"); type = "flat_dt"; arch = "${UBOOT_ARCH}"; compression = "none";
[OE-core] [master][krogoth][jethro][PATCH 1/1] wic: fix path parsing, use last occurrence
If the path contains 'scripts' more than once the first occurrence will be incorrectly used. Use rfind instead of find to find the last occurrence. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- scripts/lib/wic/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lib/wic/plugin.py b/scripts/lib/wic/plugin.py index ccfdfcb..151ff31 100644 --- a/scripts/lib/wic/plugin.py +++ b/scripts/lib/wic/plugin.py @@ -42,7 +42,7 @@ class PluginMgr(object): def __init__(self): wic_path = os.path.dirname(__file__) -eos = wic_path.find('scripts') + len('scripts') +eos = wic_path.rfind('scripts') + len('scripts') scripts_path = wic_path[:eos] self.scripts_path = scripts_path self.plugin_dir = scripts_path + PLUGIN_DIR -- 2.8.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
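Review bot: `rfind` fixes the duplicated-`scripts` case from the commit message, but both the old and the new line compute `eos = -1 + len('scripts')` when `'scripts'` does not occur in the path at all, silently yielding a bogus `scripts_path` and plugin directory; check for `-1` and fail loudly instead. Matching the bare substring also hits directory names that merely contain it (a parent called `myscripts`, for instance), so anchoring on `os.sep + 'scripts' + os.sep` is more robust than the unanchored search.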
[OE-core] [master][krogoth][jethro][PATCH 0/1] wic: fix path parsing, use last occurrence
This patch was pushed to fido (35ecb0b8557aae85f377c9d99f1a72cbb76fb6d8) but was never brought forward.
Re: [OE-core] [RFC][PATCH 2/9] bash-completion: build nativesdk variant
> >> On 14 Jan 2016, at 21:56, George McCollister >> <george.mccollis...@gmail.com> wrote: >> >> The nativesdk variant is required for some recipes like git to use the class. > > Squash this into 1/9 to avoid mid-series breakage. Will do. Thanks, George
[OE-core] [RFC][PATCH 2/9] bash-completion: build nativesdk variant
The nativesdk variant is required for some recipes like git to use the class. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-support/bash-completion/bash-completion_2.1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-support/bash-completion/bash-completion_2.1.bb b/meta/recipes-support/bash-completion/bash-completion_2.1.bb index fbe4278..5c39863 100644 --- a/meta/recipes-support/bash-completion/bash-completion_2.1.bb +++ b/meta/recipes-support/bash-completion/bash-completion_2.1.bb @@ -37,3 +37,5 @@ RDEPENDS_${PN} = "bash" PACKAGES =+ "${PN}-extra" FILES_${PN}-extra = "${datadir}/${BPN}/completions/ \ ${datadir}/${BPN}/helpers/" + +BBCLASSEXTEND = "nativesdk" -- 2.4.5
[OE-core] [RFC][PATCH 0/9] cleanup packaging of bash completions
Recipes in OE core and meta-oe (possibly others too) package bash completion files in a similar but inconsistent manner. This patch series adds a class bash-completion.bbclass that creates a subpackage containing files installed to the common bash-completion paths. Prior to this series some recipes created bash-completion subpackages which had no RDEPENDS, others with bash-completion and yet others with bash. I decided to have the class add an RDEPENDS for bash-completion and move bash-completion to OE-core for this reason. If someone has a different view on what should be done, please speak up. I'll be posting an accompanying series to openembedded-devel for meta-oe.
[OE-core] [RFC][PATCH 8/9] kmod: use bash-completion.bbclass
Use bash-completion.bbclass to package bash completions. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-kernel/kmod/kmod_git.bb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/meta/recipes-kernel/kmod/kmod_git.bb b/meta/recipes-kernel/kmod/kmod_git.bb index e0bb95c..69185b2 100644 --- a/meta/recipes-kernel/kmod/kmod_git.bb +++ b/meta/recipes-kernel/kmod/kmod_git.bb @@ -39,7 +39,7 @@ do_compile_prepend() { sed -i 's/ac_pwd=/#ac_pwd=/' config.status ; sed -i "/#ac_pwd=/a\ac_pwd='.'" config.status } -inherit update-alternatives +inherit update-alternatives bash-completion ALTERNATIVE_PRIORITY = "60" @@ -56,8 +56,7 @@ ALTERNATIVE_TARGET[lsmod] = "${base_bindir}/lsmod.${BPN}" ALTERNATIVE_LINK_NAME[depmod] = "${base_sbindir}/depmod" -PACKAGES =+ "libkmod ${PN}-bash-completion" +PACKAGES =+ "libkmod" FILES_libkmod = "${base_libdir}/libkmod*${SOLIBS} ${libdir}/libkmod*${SOLIBS}" FILES_${PN} += "${base_libdir}/depmod.d ${base_libdir}/modprobe.d" -FILES_${PN}-bash-completion = "${datadir}/bash-completion" -- 2.4.5 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [RFC][PATCH 7/9] git: use bash-completion.bbclass
Use bash-completion.bbclass to package bash completions. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-devtools/git/git.inc | 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index d9770e6..c19e0d4 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc @@ -17,7 +17,7 @@ EXTRA_OECONF = "--with-perl=${STAGING_BINDIR_NATIVE}/perl-native/perl \ --without-tcltk \ " -inherit autotools-brokensep perlnative +inherit autotools-brokensep perlnative bash-completion EXTRA_OEMAKE = "NO_PYTHON=1 CFLAGS='${CFLAGS}' LDFLAGS='${LDFLAGS}'" EXTRA_OEMAKE += "'PERL_PATH=/usr/bin/env perl'" @@ -96,10 +96,6 @@ PERLTOOLS = " \ ${datadir}/git-core/templates/hooks/pre-rebase.sample \ " -# Basic tab completion support -PACKAGES =+ "${PN}-bash-completion" -FILES_${PN}-bash-completion = "${datadir}/bash-completion/completions/*" - # Git tools requiring perl PACKAGES =+ "${PN}-perltools" FILES_${PN}-perltools += " \ -- 2.4.5 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
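Review bot: git.inc is shared with the nativesdk-git variant, and the class added to the inherit line brings in `RDEPENDS_${PN}-bash-completion = "bash-completion"`, so this patch only works once a nativesdk bash-completion package exists (patch 2/9). Order the series, or squash 2/9 into 1/9 as already suggested in the thread, so that no intermediate commit leaves nativesdk-git-bash-completion with an unsatisfiable runtime dependency.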
[OE-core] [RFC][PATCH 9/9] gstreamer1.0: use bash-completion.bbclass
Use bash-completion.bbclass to package bash completions. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-multimedia/gstreamer/gstreamer1.0.inc | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0.inc b/meta/recipes-multimedia/gstreamer/gstreamer1.0.inc index c10f66f..5688b5e 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0.inc +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0.inc @@ -7,7 +7,7 @@ SECTION = "multimedia" LICENSE = "LGPLv2+" DEPENDS = "glib-2.0 libxml2 bison-native flex-native libcap" -inherit autotools pkgconfig gettext upstream-version-is-even +inherit autotools pkgconfig gettext upstream-version-is-even bash-completion PACKAGECONFIG[debug] = "--enable-debug,--disable-debug" PACKAGECONFIG[check] = "--enable-check,--disable-check" @@ -26,6 +26,3 @@ CACHED_CONFIGUREVARS += "ac_cv_header_valgrind_valgrind_h=no" FILES_${PN} += " ${libdir}/gstreamer-1.0/*.so" FILES_${PN}-dev += " ${libdir}/gstreamer-1.0/*.la ${libdir}/gstreamer-1.0/*.a ${libdir}/gstreamer-1.0/include" -FILES_${PN}-bash-completion += " ${datadir}/bash-completion/completions/ ${datadir}/bash-completion/helpers/gst*" - -PACKAGES += " ${PN}-bash-completion" -- 2.4.5 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [RFC][PATCH 3/9] bash-completion.bbclass: add class
Add bash-completion.bbclass which will package bash completion files in a subpackage ${PN}-bash-completion. Use of this class will ensure consistent handling of bash completions across recipes. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/classes/bash-completion.bbclass | 5 + 1 file changed, 5 insertions(+) create mode 100644 meta/classes/bash-completion.bbclass diff --git a/meta/classes/bash-completion.bbclass b/meta/classes/bash-completion.bbclass new file mode 100644 index 000..74a878e --- /dev/null +++ b/meta/classes/bash-completion.bbclass @@ -0,0 +1,5 @@ +PACKAGES += "${PN}-bash-completion" + +FILES_${PN}-bash-completion = "${datadir}/bash-completion ${sysconfdir}/bash_completion.d" + +RDEPENDS_${PN}-bash-completion = "bash-completion" -- 2.4.5
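Review bot: `PACKAGES += "${PN}-bash-completion"` appends the subpackage after ${PN}, whereas the recipes being converted in this series (kmod, glib, util-linux) prepended it with `PACKAGES =+`. Package splitting walks PACKAGES in order, so any recipe whose FILES_${PN} globs ${datadir} or ${sysconfdir} will swallow the completion files before the subpackage gets a chance at them and the class silently packages nothing. Use `PACKAGES =+ "${PN}-bash-completion"` in the class so the subpackage is always split out first.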
[OE-core] [RFC][PATCH 4/9] dbus-glib: use bash-completion.bbclass
Use bash-completion.bbclass to package bash completions. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-core/dbus/dbus-glib.inc | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/meta/recipes-core/dbus/dbus-glib.inc b/meta/recipes-core/dbus/dbus-glib.inc index f8c0ebe..4661e3a 100644 --- a/meta/recipes-core/dbus/dbus-glib.inc +++ b/meta/recipes-core/dbus/dbus-glib.inc @@ -15,7 +15,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-${PV}.tar.gz file://test-install-makefile.patch \ " -inherit autotools pkgconfig gettext +inherit autotools pkgconfig gettext bash-completion #default disable regression tests, some unit test code in non testing code #PACKAGECONFIG_pn-${PN} = "tests" enable regression tests local.conf @@ -26,11 +26,10 @@ EXTRA_OECONF = "--with-introspect-xml=${STAGING_DATADIR_NATIVE}/dbus/dbus-bus-in --with-dbus-binding-tool=${STAGING_BINDIR_NATIVE}/dbus-binding-tool" EXTRA_OECONF_class-native = "--with-introspect-xml=${STAGING_DATADIR_NATIVE}/dbus/dbus-bus-introspect.xml" -PACKAGES += "${PN}-bash-completion ${PN}-tests" +PACKAGES += "${PN}-tests" FILES_${PN} = "${libdir}/lib*${SOLIBS}" -FILES_${PN}-bash-completion = "${sysconfdir}/bash_completion.d/dbus-bash-completion.sh \ - ${libexecdir}/dbus-bash-completion-helper" +FILES_${PN}-bash-completion += "${libexecdir}/dbus-bash-completion-helper" FILES_${PN}-dev += "${libdir}/dbus-1.0/include ${bindir}/dbus-glib-tool" FILES_${PN}-dev += "${bindir}/dbus-binding-tool" -- 2.4.5 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [RFC][PATCH 5/9] glib: use bash-completion.bbclass
Use bash-completion.bbclass to package bash completions. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-core/glib-2.0/glib.inc | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index 86f7e0e..079b214 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc @@ -22,12 +22,12 @@ DEPENDS_append = " ${@bb.utils.contains('PTEST_ENABLED', '1', ' glib-2.0-native DEPENDS_class-native = "pkgconfig-native gettext-native libffi-native zlib-native" DEPENDS_class-nativesdk = "nativesdk-libtool nativesdk-gettext nativesdk-libffi nativesdk-zlib" -PACKAGES =+ "${PN}-utils ${PN}-bash-completion ${PN}-codegen" +PACKAGES =+ "${PN}-utils ${PN}-codegen" LEAD_SONAME = "libglib-2.0.*" FILES_${PN}-utils = "${bindir}/* ${datadir}/glib-2.0/gettext" -inherit autotools gettext gtk-doc pkgconfig ptest-gnome upstream-version-is-even +inherit autotools gettext gtk-doc pkgconfig ptest-gnome upstream-version-is-even bash-completion S = "${WORKDIR}/glib-${PV}" @@ -51,8 +51,6 @@ FILES_${PN}-dev += "${libdir}/glib-2.0/include \ ${libdir}/gio/modules/*.la" FILES_${PN}-dbg += "${datadir}/glib-2.0/gdb ${datadir}/gdb" FILES_${PN}-codegen = "${datadir}/glib-2.0/codegen/*.py" -FILES_${PN}-bash-completion = "${sysconfdir}/bash_completion.d \ - ${datadir}/bash-completion" ARM_INSTRUCTION_SET = "arm" USE_NLS = "yes" -- 2.4.5 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [RFC][PATCH 6/9] util-linux: use bash-completion.bbclass
Use bash-completion.bbclass to package bash completions. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- meta/recipes-core/util-linux/util-linux.inc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc index 7ef7a54..b9961f7 100644 --- a/meta/recipes-core/util-linux/util-linux.inc +++ b/meta/recipes-core/util-linux/util-linux.inc @@ -17,7 +17,7 @@ LIC_FILES_CHKSUM = "file://README.licensing;md5=1715f5ee3e01203ca1e1e0b9ee65918c file://libmount/COPYING;md5=fb93f01d4361069c5616327705373b16 \ file://libblkid/COPYING;md5=fb93f01d4361069c5616327705373b16" -inherit autotools gettext pkgconfig systemd update-alternatives python-dir ptest +inherit autotools gettext pkgconfig systemd update-alternatives python-dir ptest bash-completion DEPENDS = "zlib ncurses" DEPENDS_append_class-native = " lzo-native" DEPENDS_append_class-nativesdk = " lzo-native" @@ -31,7 +31,7 @@ PACKAGES =+ "util-linux-agetty util-linux-fdisk util-linux-cfdisk util-linux-sfd util-linux-uuidgen util-linux-lscpu util-linux-fsck util-linux-blkid \ util-linux-mkfs util-linux-mcookie util-linux-reset util-linux-runuser \ util-linux-mkfs.cramfs util-linux-fsck.cramfs util-linux-fstrim \ - util-linux-partx ${PN}-bash-completion util-linux-hwclock \ + util-linux-partx util-linux-hwclock \ util-linux-findfs util-linux-getopt util-linux-sulogin" PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'pylibmount', 'util-linux-pylibmount', '', d)}" 
@@ -64,7 +64,6 @@ PACKAGECONFIG[pylibmount] = "--with-python --enable-pylibmount,--without-python # Readline support PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline" -FILES_${PN}-bash-completion += "${datadir}/bash-completion" FILES_${PN}-doc += "${datadir}/getopt/getopt-*.*" FILES_${PN}-dev += "${libdir}/${PYTHON_DIR}/dist-packages/libmount/pylibmount.la" -- 2.4.5 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH][fido] wic: fix path parsing, use last occurrence
If the path contains 'scripts' more than once the first occurrence will be incorrectly used. Use rfind instead of find to find the last occurrence. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- scripts/lib/wic/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lib/wic/plugin.py b/scripts/lib/wic/plugin.py index 41a8017..3acd5b4 100644 --- a/scripts/lib/wic/plugin.py +++ b/scripts/lib/wic/plugin.py @@ -42,7 +42,7 @@ class PluginMgr(object): def __init__(self): wic_path = os.path.dirname(__file__) -eos = wic_path.find('scripts') + len('scripts') +eos = wic_path.rfind('scripts') + len('scripts') scripts_path = wic_path[:eos] self.scripts_path = scripts_path self.plugin_dir = scripts_path + PLUGIN_DIR -- 2.4.5
[OE-core] [PATCH] wic: fix path parsing, use last occurrence
If the path contains 'scripts' more than once the first occurrence will be incorrectly used. Use rfind instead of find to find the last occurrence. Signed-off-by: George McCollister <george.mccollis...@gmail.com> --- scripts/lib/wic/plugin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lib/wic/plugin.py b/scripts/lib/wic/plugin.py index ccfdfcb..151ff31 100644 --- a/scripts/lib/wic/plugin.py +++ b/scripts/lib/wic/plugin.py @@ -42,7 +42,7 @@ class PluginMgr(object): def __init__(self): wic_path = os.path.dirname(__file__) -eos = wic_path.find('scripts') + len('scripts') +eos = wic_path.rfind('scripts') + len('scripts') scripts_path = wic_path[:eos] self.scripts_path = scripts_path self.plugin_dir = scripts_path + PLUGIN_DIR -- 2.4.5
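The three copies of this wic patch on this page (master/krogoth/jethro, fido and the original posting) all describe the same failure: scripts_path, and from it plugin_dir, the directory wic loads its plugins from, is cut out of wic_path by a substring search for 'scripts'. The following is an added example, not wic's own code, that reproduces the pre-patch find() behaviour, the patched rfind() behaviour, and a layout-based derivation that refuses unexpected paths instead of guessing. The sample checkout paths and the PLUGIN_DIR value are constructed for illustration; wic defines its own constant.

```python
import posixpath

# Constructed stand-in for wic's PLUGIN_DIR constant (the real value lives in
# scripts/lib/wic and is not reproduced here); it is appended to scripts_path.
PLUGIN_DIR = "/lib/wic/plugins"


def scripts_path_find(wic_path):
    """Behaviour before the patch: cut at the FIRST 'scripts' substring."""
    eos = wic_path.find("scripts") + len("scripts")
    return wic_path[:eos]


def scripts_path_rfind(wic_path):
    """Behaviour after the patch: cut at the LAST 'scripts' substring.

    Still a substring search: nothing checks that 'scripts' is a path
    component, and if it is absent rfind() returns -1, so eos becomes 6 and
    the first six characters of wic_path are returned without any error.
    """
    eos = wic_path.rfind("scripts") + len("scripts")
    return wic_path[:eos]


def scripts_path_layout(wic_path):
    """Derive the scripts directory from the known layout scripts/lib/wic.

    wic_path is os.path.dirname(__file__) of scripts/lib/wic/plugin.py, so
    walking up two components must land on a directory literally named
    'scripts'; anything else is refused rather than turned into a guess.
    """
    wic_path = posixpath.normpath(wic_path)
    lib_dir, wic = posixpath.split(wic_path)
    scripts_dir, lib = posixpath.split(lib_dir)
    if (wic, lib, posixpath.basename(scripts_dir)) != ("wic", "lib", "scripts"):
        raise ValueError("unexpected wic location: %s" % wic_path)
    return scripts_dir


def plugin_dir(scripts_path):
    """Mirror of `self.plugin_dir = scripts_path + PLUGIN_DIR` from the hunk."""
    return scripts_path + PLUGIN_DIR


if __name__ == "__main__":
    # Constructed sample checkouts covering three cases:
    #  1. 'scripts' occurs twice              (the bug the patch fixes)
    #  2. 'scripts' once, plus as a substring (find() still wrong, rfind() ok)
    #  3. no 'scripts' component at all       (find() and rfind() both silently wrong)
    for path in ("/home/scripts/poky/scripts/lib/wic",
                 "/home/myscripts-dev/poky/scripts/lib/wic",
                 "/opt/wic-standalone/lib/wic"):
        print(path)
        print("  find  :", plugin_dir(scripts_path_find(path)))
        print("  rfind :", plugin_dir(scripts_path_rfind(path)))
        try:
            print("  layout:", plugin_dir(scripts_path_layout(path)))
        except ValueError as err:
            print("  layout: refused (%s)" % err)
```

Running the block prints, for each constructed path, where each variant would look for plugins; the third case is the one worth noticing, because both string searches return "/opt/w" as the scripts directory and wic would then carry on with a plugin directory that cannot exist, whereas the layout check raises.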
[OE-core] [PATCH][fido] binutils: fix native builds when host has gcc5
Cherry pick upstream commit to fix -Werror=logical-not-parentheses error when building with native gcc5. Signed-off-by: George McCollister george.mccollis...@gmail.com --- meta/recipes-devtools/binutils/binutils-2.24.inc | 1 + ...86.c-Werror-logical-not-parentheses-error.patch | 76 ++ 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.24.inc b/meta/recipes-devtools/binutils/binutils-2.24.inc index 63c9287..2fb56eb 100644 --- a/meta/recipes-devtools/binutils/binutils-2.24.inc +++ b/meta/recipes-devtools/binutils/binutils-2.24.inc @@ -40,6 +40,7 @@ SRC_URI = \ file://binutils_CVE-2014-8503.patch \ file://binutils_CVE-2014-8504.patch \ file://binutils_CVE-2014-8737.patch \ + file://Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch \ SRC_URI[md5sum] = e0f71a7b2ddab0f8612336ac81d9636b diff --git a/meta/recipes-devtools/binutils/binutils/Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch b/meta/recipes-devtools/binutils/binutils/Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch new file mode 100644 index 000..0511c39 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch 
@@ -0,0 +1,76 @@ +From 360ddc990a941bc506576f45a3858d38f508410b Mon Sep 17 00:00:00 2001 +From: Alan Modra amo...@gmail.com +Date: Fri, 12 Sep 2014 09:46:30 +0930 +Subject: [PATCH] Fix tc-i386.c -Werror=logical-not-parentheses error + + * config/tc-i386.c (match_template): Remove redundant !! testing + single-bit bitfields. + (build_modrm_byte): Don't compare single-bit bitfields to 1. + +Upstream commit: +https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ac4eb736520174305bf6e691827f7473b858cff1 + +Manually resolved gas/ChangeLog conflict by placing the change at the +top of the file. +gas/config/tc-i386.c patched with offset + +Signed-off-by: George McCollister george.mccollis...@gmail.com +--- + gas/ChangeLog| 6 ++ + gas/config/tc-i386.c | 12 ++-- + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/gas/ChangeLog b/gas/ChangeLog +index 7fafa26..c6e60c9 100644 +--- a/gas/ChangeLog b/gas/ChangeLog +@@ -1,3 +1,9 @@ ++2014-09-12 Alan Modra amo...@gmail.com ++ ++ * config/tc-i386.c (match_template): Remove redundant !! testing ++ single-bit bitfields. ++ (build_modrm_byte): Don't compare single-bit bitfields to 1. ++ + 2013-11-18 H.J. 
Lu hongjiu...@intel.com + + * config/tc-i386.c (lex_got): Add a dummy int bnd_prefix +diff --git a/gas/config/tc-i386.c b/gas/config/tc-i386.c +index 3c423da..4464091 100644 +--- a/gas/config/tc-i386.c b/gas/config/tc-i386.c +@@ -4672,9 +4672,9 @@ match_template (void) + !operand_types[0].bitfield.regymm + !operand_types[0].bitfield.regzmm) + || (!operand_types[t-operands 1].bitfield.regmmx +- !!operand_types[t-operands 1].bitfield.regxmm +- !!operand_types[t-operands 1].bitfield.regymm +- !!operand_types[t-operands 1].bitfield.regzmm)) ++ operand_types[t-operands 1].bitfield.regxmm ++ operand_types[t-operands 1].bitfield.regymm ++ operand_types[t-operands 1].bitfield.regzmm)) + (t-base_opcode != 0x0fc7 + || t-extension_opcode != 1 /* cmpxchg8b */)) + continue; +@@ -4689,7 +4689,7 @@ match_template (void) + ((!operand_types[0].bitfield.regmmx +!operand_types[0].bitfield.regxmm) + || (!operand_types[t-operands 1].bitfield.regmmx +- !!operand_types[t-operands 1].bitfield.regxmm))) ++ operand_types[t-operands 1].bitfield.regxmm))) + continue; + + /* Do not verify operands when there are none. */ +@@ -6139,8 +6139,8 @@ build_modrm_byte (void) + op = i.tm.operand_types[]; + op.bitfield.regmem = 0; + if ((dest + 1) = i.operands +-|| (op.bitfield.reg32 != 1 +- !op.bitfield.reg64 != 1 ++|| (!op.bitfield.reg32 ++ op.bitfield.reg64 + !operand_type_equal (op, regxmm) + !operand_type_equal (op, regymm) + !operand_type_equal (op, regzmm) +-- +2.4.3 + -- 2.4.3 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
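Review bot: the backported patch file is missing an `Upstream-Status: Backport` line, which OE-core requires in every patch header; add it next to the "Upstream commit:" reference. Also, the `From 360ddc990a941bc506576f45a3858d38f508410b` line is the hash of the local cherry-pick while the header points at upstream commit ac4eb736520174305bf6e691827f7473b858cff1; since the two differ, say explicitly in the header which one is upstream so the next person to rebase this is not sent looking for a commit that does not exist in binutils-gdb.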