Re: [oe-core][PATCH] libexif: upgrade to 0.6.22, change source to GitHub

2020-05-27 Thread George McCollister
What are thoughts on applying this version bump to older supported
releases? https://libexif.github.io/ states:
stability / bugfix / security release fixes CVE-2018-20030,
CVE-2020-13114, CVE-2020-13113, CVE-2020-13112, CVE-2020-0093,
CVE-2019-9278, CVE-2020-12767, CVE-2016-6328, CVE-2017-7544,

I say go for it.

-George

On Wed, May 27, 2020 at 8:05 AM Trevor Gamblin
 wrote:
>
>
> On 5/27/20 3:59 AM, Alexander Kanavin wrote:
>
> Hardcoding the split version components isn't great (and breaks automated 
> updates), I have a patch queued that does this better:
>
> Works for me.
>
> Thanks!
>
>
> http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/commit/?h=akanavin/package-version-updates=314af89080317673cf91e24537b2e0d9b36747c2
>
> Specifically:
> def version_underscore(v):
>     return "_".join(v.split("."))
>
> SRC_URI = "https://github.com/libexif/libexif/releases/download/libexif-${@version_underscore("${PV}")}-release/libexif-${PV}.tar.xz \
>            "
>
> Alex
>
> On Tue, 26 May 2020 at 23:13, Trevor Gamblin  
> wrote:
>>
>> Updated libexif to 0.6.22, but needed to change to GitHub as a source,
>> since SourceForge does not yet have 0.6.22 version. The new version
>> includes the fixes for the three patch files that have been removed,
>> as well as other severe CVEs.
>>
>> CVE: CVE-2018-20030
>> CVE: CVE-2020-13114
>> CVE: CVE-2020-13113
>> CVE: CVE-2020-13112
>> CVE: CVE-2020-0093
>> CVE: CVE-2019-9278
>> CVE: CVE-2020-12767
>> CVE: CVE-2016-6328
>> CVE: CVE-2017-7544
>>
>> Signed-off-by: Trevor Gamblin 
>> ---
>>  .../libexif/libexif/CVE-2016-6328.patch   |  64 --
>>  .../libexif/libexif/CVE-2017-7544.patch   |  40 --
>>  .../libexif/libexif/CVE-2018-20030.patch  | 115 --
>>  .../recipes-support/libexif/libexif_0.6.21.bb |  17 ---
>>  .../recipes-support/libexif/libexif_0.6.22.bb |  21 
>>  5 files changed, 21 insertions(+), 236 deletions(-)
>>  delete mode 100644 meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
>>  delete mode 100644 meta/recipes-support/libexif/libexif/CVE-2017-7544.patch
>>  delete mode 100644 meta/recipes-support/libexif/libexif/CVE-2018-20030.patch
>>  delete mode 100644 meta/recipes-support/libexif/libexif_0.6.21.bb
>>  create mode 100644 meta/recipes-support/libexif/libexif_0.6.22.bb
>>
>> diff --git a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch 
>> b/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
>> deleted file mode 100644
>> index a6f307439b..00
>> --- a/meta/recipes-support/libexif/libexif/CVE-2016-6328.patch
>> +++ /dev/null
>> @@ -1,64 +0,0 @@
>> -CVE: CVE-2016-6328
>> -Upstream-Status: Backport
>> -Signed-off-by: Ross Burton 
>> -
>> -From 41bd04234b104312f54d25822f68738ba8d7133d Mon Sep 17 00:00:00 2001
>> -From: Marcus Meissner 
>> -Date: Tue, 25 Jul 2017 23:44:44 +0200
>> -Subject: [PATCH] fixes some (not all) buffer overreads during decoding 
>> pentax
>> - makernote entries.
>> -
>> -This should fix:
>> -https://sourceforge.net/p/libexif/bugs/125/ CVE-2016-6328
>> 
>> - libexif/pentax/mnote-pentax-entry.c | 16 +---
>> - 1 file changed, 13 insertions(+), 3 deletions(-)
>> -
>> -diff --git a/libexif/pentax/mnote-pentax-entry.c 
>> b/libexif/pentax/mnote-pentax-entry.c
>> -index d03d159..ea0429a 100644
>>  a/libexif/pentax/mnote-pentax-entry.c
>> -+++ b/libexif/pentax/mnote-pentax-entry.c
>> -@@ -425,24 +425,34 @@ mnote_pentax_entry_get_value (MnotePentaxEntry *entry,
>> -   case EXIF_FORMAT_SHORT:
>> - {
>> -   const unsigned char *data = entry->data;
>> --  size_t k, len = strlen(val);
>> -+  size_t k, len = strlen(val), sizeleft;
>> -+
>> -+  sizeleft = entry->size;
>> -   for(k=0; kcomponents; k++) {
>> -+  if (sizeleft < 2)
>> -+  break;
>> -   vs = exif_get_short (data, entry->order);
>> -   snprintf (val+len, maxlen-len, "%i ", vs);
>> -   len = strlen(val);
>> -   data += 2;
>> -+  sizeleft -= 2;
>> -   }
>> - }
>> - break;
>> -   case EXIF_FORMAT_LONG:
>> - {
>> -   const unsigned char *data = entry->data;
>> --  size_t k, len = strlen(val);
>> -+  size_t k, len = strlen(val), sizeleft;
>> -+
>> -+  sizeleft = entry->size;
>> -   for(k=0; kcomponents; k++) {
>> -+  if (sizeleft < 4)
>> -+  break;
>> -   vl = exif_get_long (data, entry->order);
>> -   snprintf (val+len, maxlen-len, "%li", (long 
>> int) vl);
>> -  
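
Review bot: the patch deleted here describes itself as fixing "some (not all) buffer overreads" in the Pentax makernote decoder, so dropping it is only safe if 0.6.22 carries at least the same sizeleft checks in the EXIF_FORMAT_SHORT and EXIF_FORMAT_LONG loops of mnote_pentax_entry_get_value(). The commit message says the new version includes the fixes for the three removed patches; naming the upstream commit there (41bd04234b104312f54d25822f68738ba8d7133d for this one) would let anyone applying the bump to an older release confirm that without diffing the tarball.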

Re: [OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path

2019-10-25 Thread George McCollister
Can we get 59565fec0b3f3e24eb01c03b671913599cd3134d cherry-picked to
warrior now that this has landed in master?

Thanks,
George
-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


Re: [OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path

2019-09-25 Thread George McCollister
On Wed, Sep 25, 2019 at 1:34 PM Khem Raj  wrote:
>
> On 9/25/19 11:13 AM, George McCollister wrote:
> > On Wed, Sep 25, 2019 at 11:08 AM Mark Hatle
> >  wrote:
> >>
> >> On 9/25/19 6:52 AM, George McCollister wrote:
> >>> Set OPENSSL_ENGINES to the path where engines are actually installed.
> >>>
> >>> Signed-off-by: George McCollister 
> >>> ---
> >>>   meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +-
> >>>   1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb 
> >>> b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> >>> index 072f727e0b..8819e19ec4 100644
> >>> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> >>> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> >>> @@ -148,7 +148,7 @@ do_install_append_class-native () {
> >>>OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
> >>>SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
> >>>SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
> >>> - OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> >>> + OPENSSL_ENGINES=${libdir}/engines-1.1
> >>
> >> Is this a bug in the openssl recipe (it's placing engines in the wrong 
> >> place),
> >> or a bug in the recipes providing acceleration engines and THEY are going 
> >> into
> >> the wrong place?
> >
> > This recipe installs:
> > packages-split/openssl-engines/usr/lib/engines-1.1/afalg.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/padlock.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/capi.so
> >
> > libp11 in meta-oe installs these:
> > packages-split/libp11/usr/lib/engines-1.1
> > packages-split/libp11/usr/lib/engines-1.1/pkcs11.so
> > packages-split/libp11-dev/usr/lib/engines-1.1
> > packages-split/libp11-dev/usr/lib/engines-1.1/libpkcs11.so
> >
> >>
> >> The ssl-1.1/engines makes more sense to me..  as /usr/lib/engines-1.1 
> >> obscures
> >> that they are OpenSSL related.
> >
> > I don't have a strong opinion either way but ssl-1.1/engines does make
> > a bit more sense.
> > Debian appears to install them in engines-1.1 though:
> >   https://packages.debian.org/buster/amd64/libssl1.1/filelist
> >
> > I do need this fixed in warrior though and wonder if anyone would
> > gripe about changing where they are installed post release.
> >
> > How shall we proceed? Does anyone else want to chime in?
> >
>
> Using /usr/lib/ is known jargon and let's use it. I think doing
> it the way other distros are doing it and how upstream defaults are is
> also helpful. It reduced one more thing to worry about. Release branches
> should not be an issue as long as we have them packages in same output
> package.

It looks like Fedora is also using engines-1.1:
https://apps.fedoraproject.org/packages/openssl-libs/

I've found there is no Configure switch to set the engines directory.
I believe it will require a patch to change 3 - 4 lines in
Configurations/unix-Makefile.tmpl.
meta-oe/recipes-support/libp11/libp11_0.4.10.bb would also need to be
changed to use the new path.

Is carrying a custom patch to deviate from the upstream package and
major distribution behavior really wise?

If there is somewhat of a consensus to go that way knowing it requires
a custom patch I'll send a patch for openssl and then one to fix
libp11 (which the first patch will break).

>
> >>
> >> --Mark
> >>
> >>>   }
> >>>
> >>>   do_install_append_class-nativesdk () {
> >>>
> >>
> >
> > -George
> >
>


Re: [OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path

2019-09-25 Thread George McCollister
On Wed, Sep 25, 2019 at 1:37 PM Andre McCurdy  wrote:
>
> On Wed, Sep 25, 2019 at 11:13 AM George McCollister
>  wrote:
> > On Wed, Sep 25, 2019 at 11:08 AM Mark Hatle
> >  wrote:
> > > On 9/25/19 6:52 AM, George McCollister wrote:
> > > > Set OPENSSL_ENGINES to the path where engines are actually installed.
> > > >
> > > > Signed-off-by: George McCollister 
> > > > ---
> > > >  meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb 
> > > > b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > > > index 072f727e0b..8819e19ec4 100644
> > > > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > > > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > > > @@ -148,7 +148,7 @@ do_install_append_class-native () {
> > > >   OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
> > > >   SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
> > > >   SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
> > > > - OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> > > > + OPENSSL_ENGINES=${libdir}/engines-1.1
> > >
> > > Is this a bug in the openssl recipe (it's placing engines in the wrong 
> > > place),
> > > or a bug in the recipes providing acceleration engines and THEY are going 
> > > into
> > > the wrong place?
> >
> > This recipe installs:
> > packages-split/openssl-engines/usr/lib/engines-1.1/afalg.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/padlock.so
> > packages-split/openssl-engines/usr/lib/engines-1.1/capi.so
> >
> > libp11 in meta-oe installs these:
> > packages-split/libp11/usr/lib/engines-1.1
> > packages-split/libp11/usr/lib/engines-1.1/pkcs11.so
> > packages-split/libp11-dev/usr/lib/engines-1.1
> > packages-split/libp11-dev/usr/lib/engines-1.1/libpkcs11.so
> >
> > >
> > > The ssl-1.1/engines makes more sense to me..  as /usr/lib/engines-1.1 
> > > obscures
> > > that they are OpenSSL related.
> >
> > I don't have a strong opinion either way but ssl-1.1/engines does make
> > a bit more sense.
> > Debian appears to install them in engines-1.1 though:
> >  https://packages.debian.org/buster/amd64/libssl1.1/filelist
>
> It would be interesting to know when the path in the -native wrapper
> script stopped matching the path where the engines plugins are
> installed. ie was the wrapper script always wrong? Did the default
> install path used by openssl change at some point?

It's been wrong on and off with openssl 1.0 and I believe always wrong
with openssl 1.1.

>
> > I do need this fixed in warrior though and wonder if anyone would
> > gripe about changing where they are installed post release.
> >
> > How shall we proceed? Does anyone else want to chime in?
>
> The change being proposed is for the openssl-native wrapper script, so
> won't affect anything on the target.
>
> I'm curious why openssl-native needs engines plugins at all?

I need the pkcs11 engine for pkcs11 signing with an HSM. Unfortunately
for me most people won't notice if the wrapper doesn't match the
installed plugin path.
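
A build-side check for the mismatch discussed in this thread, as an added example that is not part of the original messages or of the OE-core recipe. The wrapper file contents (plain "export VAR=value" lines), the "sysroot" directory layout and all function names are assumptions constructed for illustration; only the two engine paths and pkcs11.so come from the thread.

```sh
#!/bin/sh
# Added example: check that the OPENSSL_ENGINES path a wrapper script exports
# is a directory that really contains engine modules. The wrapper text and the
# directory tree below are constructed samples, not files from OE-core.

# Print the OPENSSL_ENGINES value assigned in wrapper file $1 (empty if none).
engines_dir_from_wrapper() {
    sed -n 's/^.*OPENSSL_ENGINES=\([^[:space:]]*\).*$/\1/p' "$1" \
        | tr -d "\"'" | head -n 1
}

# check_engines ROOT WRAPPER
#   0: the directory named in WRAPPER exists under ROOT and holds a *.so
#   1: OPENSSL_ENGINES is set but no engine module is found there
#   2: WRAPPER does not set OPENSSL_ENGINES
check_engines() {
    ce_dir=$(engines_dir_from_wrapper "$2")
    [ -n "$ce_dir" ] || return 2
    for ce_so in "$1$ce_dir"/*.so; do
        # An unmatched glob stays literal, so test each candidate.
        if [ -f "$ce_so" ]; then
            return 0
        fi
    done
    return 1
}

# Build a constructed sysroot plus two wrappers under directory $1:
# wrapper.before uses the old path, wrapper.after the path from the patch.
build_sample() {
    mkdir -p "$1/sysroot/usr/lib/engines-1.1" "$1/sysroot/usr/lib/ssl-1.1"
    : > "$1/sysroot/usr/lib/engines-1.1/pkcs11.so"
    printf '%s\n' '#!/bin/sh' \
        'export OPENSSL_CONF=/usr/lib/ssl-1.1/openssl.cnf' \
        'export OPENSSL_ENGINES=/usr/lib/ssl-1.1/engines' \
        'exec openssl.real "$@"' > "$1/wrapper.before"
    printf '%s\n' '#!/bin/sh' \
        'export OPENSSL_CONF=/usr/lib/ssl-1.1/openssl.cnf' \
        'export OPENSSL_ENGINES=/usr/lib/engines-1.1' \
        'exec openssl.real "$@"' > "$1/wrapper.after"
}

# Run the check against both constructed wrappers and report the result.
demo() {
    demo_tmp=$(mktemp -d) || return 1
    build_sample "$demo_tmp"
    for demo_w in wrapper.before wrapper.after; do
        if check_engines "$demo_tmp/sysroot" "$demo_tmp/$demo_w"; then
            echo "$demo_w: engines found"
        else
            echo "$demo_w: OPENSSL_ENGINES does not match the install path"
        fi
    done
    rm -rf "$demo_tmp"
}

demo
```

Run as a QA step, a non-zero return from check_engines flags the stale path even when nothing in the build loads an engine.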


Re: [OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path

2019-09-25 Thread George McCollister
On Wed, Sep 25, 2019 at 11:08 AM Mark Hatle
 wrote:
>
> On 9/25/19 6:52 AM, George McCollister wrote:
> > Set OPENSSL_ENGINES to the path where engines are actually installed.
> >
> > Signed-off-by: George McCollister 
> > ---
> >  meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb 
> > b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > index 072f727e0b..8819e19ec4 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
> > @@ -148,7 +148,7 @@ do_install_append_class-native () {
> >   OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
> >   SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
> >   SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
> > - OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
> > + OPENSSL_ENGINES=${libdir}/engines-1.1
>
> Is this a bug in the openssl recipe (it's placing engines in the wrong place),
> or a bug in the recipes providing acceleration engines and THEY are going into
> the wrong place?

This recipe installs:
packages-split/openssl-engines/usr/lib/engines-1.1/afalg.so
packages-split/openssl-engines/usr/lib/engines-1.1/padlock.so
packages-split/openssl-engines/usr/lib/engines-1.1/capi.so

libp11 in meta-oe installs these:
packages-split/libp11/usr/lib/engines-1.1
packages-split/libp11/usr/lib/engines-1.1/pkcs11.so
packages-split/libp11-dev/usr/lib/engines-1.1
packages-split/libp11-dev/usr/lib/engines-1.1/libpkcs11.so

>
> The ssl-1.1/engines makes more sense to me..  as /usr/lib/engines-1.1 obscures
> that they are OpenSSL related.

I don't have a strong opinion either way but ssl-1.1/engines does make
a bit more sense.
Debian appears to install them in engines-1.1 though:
 https://packages.debian.org/buster/amd64/libssl1.1/filelist

I do need this fixed in warrior though and wonder if anyone would
gripe about changing where they are installed post release.

How shall we proceed? Does anyone else want to chime in?

>
> --Mark
>
> >  }
> >
> >  do_install_append_class-nativesdk () {
> >
>

-George


[OE-core] [PATCH 1/1] openssl: make OPENSSL_ENGINES match install path

2019-09-25 Thread George McCollister
Set OPENSSL_ENGINES to the path where engines are actually installed.

Signed-off-by: George McCollister 
---
 meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb 
b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
index 072f727e0b..8819e19ec4 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1d.bb
@@ -148,7 +148,7 @@ do_install_append_class-native () {
OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
-   OPENSSL_ENGINES=${libdir}/ssl-1.1/engines
+   OPENSSL_ENGINES=${libdir}/engines-1.1
 }
 
 do_install_append_class-nativesdk () {
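
Review bot: only the class-native wrapper is changed, while the context directly below opens do_install_append_class-nativesdk; if that function also exports OPENSSL_ENGINES as ${libdir}/ssl-1.1/engines it needs the same one-line change, otherwise SDK users who load an engine hit the same mismatch. The commit message would also be easier to evaluate for stable branches if it named the directory the engines are installed to (${libdir}/engines-1.1) and how the mismatch shows up.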
-- 
2.22.0



[OE-core] [PATCH 0/1] make OPENSSL_ENGINES match install path

2019-09-25 Thread George McCollister
Set OPENSSL_ENGINES in the openssl 1.1 recipe to the path where engines
are actually installed. This should be cherry-picked to warrior and
probably anything older with an openssl 1.1 recipe. I've not tested it
with anything older than warrior so someone else can make that call.

George McCollister (1):
  openssl: make OPENSSL_ENGINES match install path

 meta/recipes-connectivity/openssl/openssl_1.1.1d.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.22.0



[OE-core] [sumo][PATCH 8/8] systemd: fix CVE-2019-6454

2019-02-25 Thread George McCollister
Apply patches from systemd_237-3ubuntu10.13 to fix CVE-2019-6454.
CVE-2019-6454 is an issue in which systemd (PID1) can be crashed
with a specially formed D-Bus message.

For information see:
https://usn.ubuntu.com/3891-1/
https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates=d7584b894afcaa8a4a1abb69db2a9c81a6276e80

Signed-off-by: George McCollister 
---
 .../systemd/systemd/CVE-2019-6454.patch| 210 +
 ...e-receive-an-invalid-dbus-message-ignore-.patch |  61 ++
 meta/recipes-core/systemd/systemd_237.bb   |   2 +
 3 files changed, 273 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch 
b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
new file mode 100644
index 00..e3c67c166c
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,210 @@
+Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
+ them on the stacka
+Forwarded: no
+
+Patch from: systemd_237-3ubuntu10.13
+
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?h=applied/ubuntu/bionic-updates=d7584b894afcaa8a4a1abb69db2a9c81a6276e80
+
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+
+Signed-off-by: George McCollister 
+
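
Review bot: the header of the embedded patch is inconsistent: it carries the Debian-style "Forwarded: no" next to "Upstream-Status: Backport", and the Description line ends in "stacka". Since the fix is taken from systemd_237-3ubuntu10.13, stating which upstream systemd commit it corresponds to (or that it is an Ubuntu-specific port) would make the Backport status verifiable, and "Forwarded: no" can then be dropped.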
+--- a/src/libsystemd/sd-bus/bus-internal.c
 b/src/libsystemd/sd-bus/bus-internal.c
+@@ -61,7 +61,7 @@
+ if (slash)
+ return false;
+ 
+-return true;
++return (q - p) <= BUS_PATH_SIZE_MAX;
+ }
+ 
+ char* object_path_startswith(const char *a, const char *b) {
+--- a/src/libsystemd/sd-bus/bus-internal.h
 b/src/libsystemd/sd-bus/bus-internal.h
+@@ -339,6 +339,10 @@
+ 
+ #define BUS_MESSAGE_SIZE_MAX (64*1024*1024)
+ #define BUS_AUTH_SIZE_MAX (64*1024)
++/* Note that the D-Bus specification states that bus paths shall have no size 
limit. We enforce here one
++ * anyway, since truly unbounded strings are a security problem. The limit we 
pick is relatively large however,
++ * to not clash unnecessarily with real-life applications. */
++#define BUS_PATH_SIZE_MAX (64*1024)
+ 
+ #define BUS_CONTAINER_DEPTH 128
+ 
+--- a/src/libsystemd/sd-bus/bus-objects.c
 b/src/libsystemd/sd-bus/bus-objects.c
+@@ -1150,7 +1150,8 @@
+ const char *path,
+ sd_bus_error *error) {
+ 
+-char *prefix;
++_cleanup_free_ char *prefix = NULL;
++size_t pl;
+ int r;
+ 
+ assert(bus);
+@@ -1166,7 +1167,12 @@
+ return 0;
+ 
+ /* Second, add fallback vtables registered for any of the prefixes */
+-prefix = alloca(strlen(path) + 1);
++pl = strlen(path);
++assert(pl <= BUS_PATH_SIZE_MAX);
++prefix = new(char, pl + 1);
++if (!prefix)
++return -ENOMEM;
++
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+ r = object_manager_serialize_path(bus, reply, prefix, path, 
true, error);
+ if (r < 0)
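
Review bot: "assert(pl <= BUS_PATH_SIZE_MAX);" in this bus-objects.c hunk turns an over-long path into an abort of the process, and the commit message describes CVE-2019-6454 as a way to crash PID 1, so the assert is only acceptable if every path reaching this point has already passed the length check added in bus-internal.c ("return (q - p) <= BUS_PATH_SIZE_MAX;"). A short comment saying so, or returning -EINVAL instead of asserting, would make that dependency explicit; the same applies to the identical asserts in the later hunks.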
+@@ -1362,6 +1368,7 @@
+ }
+ 
+ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
++_cleanup_free_ char *prefix = NULL;
+ int r;
+ size_t pl;
+ bool found_object = false;
+@@ -1386,9 +1393,12 @@
+ assert(m->member);
+ 
+ pl = strlen(m->path);
+-do {
+-char prefix[pl+1];
++assert(pl <= BUS_PATH_SIZE_MAX);
++prefix = new(char, pl + 1);
++if (!prefix)
++return -ENOMEM;
+ 
++do {
+ bus->nodes_modified = false;
+ 
+ r = object_find_and_run(bus, m, m->path, false, 
_object);
+@@ -1516,9 +1526,15 @@
+ 
+ n = hashmap_get(bus->nodes, path);
+ if (!n) {
+-char *prefix;
++_cleanup_free_ char *prefix = NULL;
++size_t pl;
++
++pl = strlen(path);
++assert(pl <= BUS_PATH_SIZE_MAX);
++prefix = new(char, pl + 1);
++if (!prefix)
++return -ENOMEM;
+ 
+-prefix = alloca(strlen(path) + 1);
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+ n = hashmap_get(bus->nodes, prefix);
+ if (n)
+@@ -2108,8 +2124,9 @@
+ char **names) {
+ 
+ BUS_DONT_DESTROY(bus);
++_cleanup_free_ char *prefix = NULL;
+ bool found_interface = false;
+-char *prefix;
++size_t pl;
+ int r;
+ 
+ assert_return(bus, -EINVAL);
+@@ -2128,6 +2145,12 @@
+ if (names && names[0] == NULL)
+ return 0;
+ 
++pl = strlen(path);
++assert(pl <= BUS_PATH_SI

[OE-core] [sumo][PATCH 7/8] systemd: fix CVE-2018-6954

2019-02-25 Thread George McCollister
Apply patches to fix CVE-2018-6954

NVD description from https://nvd.nist.gov/vuln/detail/CVE-2018-6954

systemd-tmpfiles in systemd through 237 mishandles symlinks present in
non-terminal path components, which allows local users to obtain
ownership of arbitrary files via vectors involving creation of a
directory and a file under that directory, and later replacing that
directory with a symlink. This occurs even if the fs.protected_symlinks
sysctl is turned on.

Patches from systemd_237-3ubuntu10.13.debian.

These patches shouldn't be required on newer OE releases since they use
systemd v239 or higher.

Signed-off-by: George McCollister 
---
 ...n-t-resolve-pathnames-when-traversing-rec.patch |  643 +++
 .../systemd/systemd/0002-Make-tmpfiles-safe.patch  | 1828 
 meta/recipes-core/systemd/systemd_237.bb   |2 +
 3 files changed, 2473 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0002-Make-tmpfiles-safe.patch

diff --git 
a/meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch
 
b/meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch
new file mode 100644
index 00..108e4ad8b8
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch
@@ -0,0 +1,643 @@
+From 33dc9a280f952f503e5493ee29f6815bef29d551 Mon Sep 17 00:00:00 2001
+From: Franck Bui 
+Date: Fri, 2 Mar 2018 17:19:32 +0100
+Subject: [PATCH] tmpfiles: don't resolve pathnames when traversing recursively
+ through directory trees
+
+Otherwise we can be fooled if one path component is replaced underneath us.
+
+The patch achieves that by always operating at file descriptor level (by using
+*at() helpers) and by making sure we do not any path resolution when traversing
+direcotry trees.
+
+However this is not always possible, for instance when listing the content of a
+directory or some operations don't provide the *at() helpers or others (such as
+fchmodat()) don't have the AT_EMPTY_PATH flag. In such cases we operate on
+/proc/self/fd/%i pseudo-symlink instead, which works the same for all kinds of
+objects and requires no checking of type beforehand.
+
+Also O_PATH flag is used when opening file objects in order to prevent
+undesired behaviors: device nodes from reacting, automounts from
+triggering, etc...
+
+Fixes: CVE-2018-6954
+
+Origin: upstream, 
https://github.com/systemd/systemd/commit/936f6bdb803c432578e2cdcc5f93f3bfff93aff0
+Bug: https://github.com/systemd/systemd/issues/7986
+
+Patch from:
+systemd_237-3ubuntu10.13.debian CVE-2018-6954.patch
+
+https://usn.ubuntu.com/3816-1/ states that CVE-2018-6954 doesn't
+affect Ubuntu 18.10 which uses the same version of systemd as thud
+(239).
+
+CVE: CVE-2018-6954
+Upstream-Status: Backport
+
+Signed-off-by: George McCollister 
+---
+ src/tmpfiles/tmpfiles.c | 363 +++-
+ 1 file changed, 239 insertions(+), 124 deletions(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 88cc543f09..613d418eb3 100644
+--- a/src/tmpfiles/tmpfiles.c
 b/src/tmpfiles/tmpfiles.c
+@@ -792,94 +792,105 @@ static bool hardlink_vulnerable(struct stat *st) {
+ return !S_ISDIR(st->st_mode) && st->st_nlink > 1 && 
dangerous_hardlinks();
+ }
+ 
+-static int path_set_perms(Item *i, const char *path) {
+-char fn[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
+-_cleanup_close_ int fd = -1;
+-struct stat st;
++static int fd_set_perms(Item *i, int fd, const struct stat *st) {
++_cleanup_free_ char *path = NULL;
++int r;
+ 
+ assert(i);
+-assert(path);
+-
+-if (!i->mode_set && !i->uid_set && !i->gid_set)
+-goto shortcut;
+-
+-/* We open the file with O_PATH here, to make the operation
+- * somewhat atomic. Also there's unfortunately no fchmodat()
+- * with AT_SYMLINK_NOFOLLOW, hence we emulate it here via
+- * O_PATH. */
+-
+-fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+-if (fd < 0) {
+-int level = LOG_ERR, r = -errno;
++assert(fd);
+ 
+-/* Option "e" operates only on existing objects. Do not
+- * print errors about non-existent files or directories */
+-if (i->type == EMPTY_DIRECTORY && errno == ENOENT) {
+-level = LOG_DEBUG;
+-r = 0;
+-}
+-
+-log_full_errno(level, errno, "Adjusting owner and mode for %s 
failed: %m", path);
++r = fd_get_path(fd, );
++if (r < 0)
+ return r;
+-}
+ 
+-if (fstatat(fd, "&q

[OE-core] [sumo][PATCH 5/8] systemd: Security fix CVE-2018-16865

2019-02-25 Thread George McCollister
Affects < v240

Based on thud commit d5d2b821fc85b8cf39f683061ac2a45bddd2139f
The second patch in the thud commit doesn't apply against 237. Use the
version of the second patch CVE-2018-16865_2.patch from
systemd_237-3ubuntu10.13.debian.

Signed-off-by: George McCollister 
---
 ...ld-set-a-limit-on-the-number-of-fields-1k.patch | 60 
 ...ote-set-a-limit-on-the-number-of-fields-i.patch | 79 ++
 meta/recipes-core/systemd/systemd_237.bb   |  2 +
 3 files changed, 141 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch

diff --git 
a/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch
 
b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch
new file mode 100644
index 00..e8a6f2b986
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch
@@ -0,0 +1,60 @@
+From 4566aaf97f5b4143b930d75628f3abc905249dcd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= 
+Date: Wed, 5 Dec 2018 22:45:02 +0100
+Subject: [PATCH] journald: set a limit on the number of fields (1k)
+
+We allocate a iovec entry for each field, so with many short entries,
+our memory usage and processing time can be large, even with a relatively
+small message size. Let's refuse overly long entries.
+
+CVE-2018-16865
+https://bugzilla.redhat.com/show_bug.cgi?id=1653861
+
+What from I can see, the problem is not from an alloca, despite what the CVE
+description says, but from the attack multiplication that comes from creating
+many very small iovecs: (void* + size_t) for each three bytes of input message.
+
+Patch backported from systemd master at
+052c57f132f04a3cf4148f87561618da1a6908b4.
+
+CVE: CVE-2018-16865
+Upstream-Status: Backport
+
+---
+ src/basic/journal-importer.h  | 3 +++
+ src/journal/journald-native.c | 5 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/basic/journal-importer.h b/src/basic/journal-importer.h
+index f49ce734a1..c4ae45d32d 100644
+--- a/src/basic/journal-importer.h
 b/src/basic/journal-importer.h
+@@ -16,6 +16,9 @@
+ #define DATA_SIZE_MAX (1024*1024*768u)
+ #define LINE_CHUNK 8*1024u
+ 
++/* The maximum number of fields in an entry */
++#define ENTRY_FIELD_COUNT_MAX 1024
++
+ struct iovec_wrapper {
+ struct iovec *iovec;
+ size_t size_bytes;
+diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
+index 5ff22a10af..951d092053 100644
+--- a/src/journal/journald-native.c
 b/src/journal/journald-native.c
+@@ -140,6 +140,11 @@ static int server_process_entry(
+ }
+ 
+ /* A property follows */
++if (n > ENTRY_FIELD_COUNT_MAX) {
++log_debug("Received an entry that has more than " 
STRINGIFY(ENTRY_FIELD_COUNT_MAX) " fields, ignoring entry.");
++r = 1;
++goto finish;
++}
+ 
+ /* n existing properties, 1 new, +1 for _TRANSPORT */
+ if (!GREEDY_REALLOC(iovec, m,
+-- 
+2.11.0
+
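
Review bot: the new check in server_process_entry() uses "n > ENTRY_FIELD_COUNT_MAX", whereas the journal-remote half of the fix (iovw_put() in patch 0026) uses "iovw->count >= ENTRY_FIELD_COUNT_MAX", so journald accepts one more field than the importer before refusing the entry. If that difference is inherited from the upstream commits it should stay as is for a backport, but it is worth confirming against 052c57f132f04a3cf4148f87561618da1a6908b4 rather than assuming. The embedded header also has no Signed-off-by line, unlike the embedded patches in 3/8, 7/8 and 8/8.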
diff --git 
a/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch
 
b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch
new file mode 100644
index 00..f297333e72
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch
@@ -0,0 +1,79 @@
+From ce1475b4f69f0a4382c6190f55e080d91de84611 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= 
+Date: Fri, 7 Dec 2018 10:48:10 +0100
+Subject: [PATCH] journal-remote: set a limit on the number of fields in a
+ message
+
+Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
+reused for the new error condition (too many fields).
+
+This matches the change done for systemd-journald, hence forming the second
+part of the fix for CVE-2018-16865
+(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).
+
+Patch backported from systemd master at
+ef4d6abe7c7fab6cbff975b32e76b09feee56074.
+
+Patch for 237 from:
+systemd_237-3ubuntu10.13.debian CVE-2018-16865_2.patch
+
+CVE: CVE-2018-16865
+Upstream-Status: Backport
+
+---
+ src/journal-remote/journal-remote-main.c | 7 +--
+ src/journal-remote/journal-remote.c  | 3 +++
+ src/shared/journal-importer.c| 5 -
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+--- a/src/basic/journal-importer.c
 b/src/basic/journal-importer.c
+@@ -38,6 +38,9 @@
+ };
+ 
+ static int iovw_put(struct iovec_wrapper *iovw, void* data, size_t len) {
++if (iovw->count >= ENTRY_FIELD_COUNT_MAX)

[OE-core] [sumo][PATCH 3/8] systemd: fix CVE-2018-15688

2019-02-25 Thread George McCollister
From: Chen Qi 

Backport patch to fix the following CVE.

CVE: CVE-2018-15688

Signed-off-by: Chen Qi 
Signed-off-by: Richard Purdie 

Cherry-picked from thud 13591d7224393dc0ae529a03cdf74aceb3540ce9

Signed-off-by: George McCollister 
---
 ...sure-we-have-enough-space-for-the-DHCP6-o.patch | 39 ++
 meta/recipes-core/systemd/systemd_237.bb   |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch

diff --git 
a/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch
 
b/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch
new file mode 100644
index 00..0c912f25df
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch
@@ -0,0 +1,39 @@
+From a2622b8398ba026faf481f5eddeb53231d9de4a7 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering 
+Date: Fri, 19 Oct 2018 12:12:33 +0200
+Subject: [PATCH] dhcp6: make sure we have enough space for the DHCP6 option
+ header
+
+Fixes a vulnerability originally discovered by Felix Wilhelm from
+Google.
+
+CVE-2018-15688
+LP: #1795921
+https://bugzilla.redhat.com/show_bug.cgi?id=1639067
+
+(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)
+
+CVE: CVE-2018-15688
+Upstream-Status: Backport
+
+Signed-off-by: Chen Qi 
+---
+ src/libsystemd-network/dhcp6-option.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/dhcp6-option.c 
b/src/libsystemd-network/dhcp6-option.c
+index c4b402b..dcbaad0 100644
+--- a/src/libsystemd-network/dhcp6-option.c
 b/src/libsystemd-network/dhcp6-option.c
+@@ -103,7 +103,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, 
DHCP6IA *ia) {
+ return -EINVAL;
+ }
+ 
+-if (*buflen < len)
++if (*buflen < offsetof(DHCP6Option, data) + len)
+ return -ENOBUFS;
+ 
+ ia_hdr = *buf;
+-- 
+2.7.4
+
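
Review bot: the commit message says only "Backport patch to fix the following CVE", and the embedded patch says only that it fixes a vulnerability. One sentence stating what the hunk shows, that dhcp6_option_append_ia() compared *buflen against len without adding offsetof(DHCP6Option, data) for the option header, would let someone triaging sumo judge the impact without opening the upstream commit.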
diff --git a/meta/recipes-core/systemd/systemd_237.bb 
b/meta/recipes-core/systemd/systemd_237.bb
index cae9bccc60..87793dd3af 100644
--- a/meta/recipes-core/systemd/systemd_237.bb
+++ b/meta/recipes-core/systemd/systemd_237.bb
@@ -56,6 +56,7 @@ SRC_URI += "file://touchscreen.rules \

file://0035-Define-glibc-compatible-basename-for-non-glibc-syste.patch \

file://0001-core-when-deserializing-state-always-use-read_line-L.patch \

file://0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch \
+   
file://0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch \
"
 SRC_URI_append_qemuall = " 
file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
 
-- 
2.11.0

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [sumo][PATCH 6/8] systemd: Security fix CVE-2018-16866

2019-02-25 Thread George McCollister
From: Marcus Cooper 

Affects < v240

Signed-off-by: Marcus Cooper 

From v2 patch on openembedded-core@lists.openembedded.org
Increased file name number from 0026 to 0027.

Signed-off-by: George McCollister 
---
 ...nal-fix-out-of-bounds-read-CVE-2018-16866.patch | 49 ++
 meta/recipes-core/systemd/systemd_237.bb   |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch

diff --git 
a/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
 
b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
new file mode 100644
index 00..3925a4abbb
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
@@ -0,0 +1,49 @@
+From ebd06c37d4311db9851f4d3fdd023de3dd590de0 Mon Sep 17 00:00:00 2001
+From: Filipe Brandenburger 
+Date: Thu, 10 Jan 2019 14:53:33 -0800
+Subject: [PATCH] journal: fix out-of-bounds read CVE-2018-16866
+
+The original code didn't account for the fact that strchr() would match on the
+'\0' character, making it read past the end of the buffer if no non-whitespace
+character was present.
+
+This bug was introduced in commit ec5ff4445cca6a which was first released in
+systemd v221 and later fixed in commit 8595102d3ddde6 which was released in
+v240, so versions in the range [v221, v240) are affected.
+
+Patch backported from systemd-stable at 
f005e73d3723d62a39be661931fcb6347119b52b
+also includes a change from systemd master which removes a heap buffer overflow
+a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
+
+CVE: CVE-2018-16866
+Upstream-Status: Backport
+Signed-off-by: Marcus Cooper 
+---
+ src/journal/journald-syslog.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
+index 9dea116722..809b318c06 100644
+--- a/src/journal/journald-syslog.c
 b/src/journal/journald-syslog.c
+@@ -194,7 +194,7 @@ size_t syslog_parse_identifier(const char **buf, char 
**identifier, char **pid)
+ e = l;
+ l--;
+ 
+-if (p[l-1] == ']') {
++if (l > 0 && p[l-1] == ']') {
+ size_t k = l-1;
+ 
+ for (;;) {
+@@ -219,7 +219,7 @@ size_t syslog_parse_identifier(const char **buf, char 
**identifier, char **pid)
+ if (t)
+ *identifier = t;
+ 
+-if (strchr(WHITESPACE, p[e]))
++if (p[e] != '\0' && strchr(WHITESPACE, p[e]))
+ e++;
+ *buf = p + e;
+ return e;
+-- 
+2.11.0
+
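
Review bot: The `l > 0 &&` guard added before `p[l-1]` in the first inner hunk looks like the separate heap-overflow change from a6aadf4 that the embedded message mentions, not the strchr() fix the CVE text describes, yet the file name, subject and outer commit message name only CVE-2018-16866. Say so in the outer commit message so that a later upgrade or CVE audit does not treat the file as a single-issue backport. The outer "Affects < v240" is also looser than the embedded "[v221, v240)"; quoting the range would be more accurate.
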
diff --git a/meta/recipes-core/systemd/systemd_237.bb 
b/meta/recipes-core/systemd/systemd_237.bb
index e6ef385f52..b53221896f 100644
--- a/meta/recipes-core/systemd/systemd_237.bb
+++ b/meta/recipes-core/systemd/systemd_237.bb
@@ -60,6 +60,7 @@ SRC_URI += "file://touchscreen.rules \

file://0024-journald-do-not-store-the-iovec-entry-for-process-co.patch \
file://0025-journald-set-a-limit-on-the-number-of-fields-1k.patch \

file://0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch \
+   file://0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch \
"
 SRC_URI_append_qemuall = " 
file://0001-core-device.c-Change-the-default-device-timeout-to-2.patch"
 
-- 
2.11.0



[OE-core] [sumo][PATCH 4/8] systemd: Security fix CVE-2018-16864

2019-02-25 Thread George McCollister
Affects < v240

Based on thud commit 403e74b07b6f3c4a2444e68c74a8434fb17aee49
The patch in the thud commit doesn't compile against 237. Use the
version of this patch, CVE-2018-16864.patch from
systemd_237-3ubuntu10.13.debian.

Signed-off-by: George McCollister 
---
 ...-not-store-the-iovec-entry-for-process-co.patch | 193 +
 meta/recipes-core/systemd/systemd_237.bb   |   1 +
 2 files changed, 194 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch

diff --git 
a/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch
 
b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch
new file mode 100644
index 00..c0b0667d85
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch
@@ -0,0 +1,193 @@
+From c29b44cb90e2cc521533e6169cf847553ebefd81 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= 
+Date: Wed, 5 Dec 2018 18:38:39 +0100
+Subject: [PATCH] journald: do not store the iovec entry for process
+ commandline on stack
+
+This fixes a crash where we would read the commandline, whose length is under
+control of the sending program, and then crash when trying to create a stack
+allocation for it.
+
+CVE-2018-16864
+https://bugzilla.redhat.com/show_bug.cgi?id=1653855
+
+The message actually doesn't get written to disk, because
+journal_file_append_entry() returns -E2BIG.
+
+Patch for 237 from:
+systemd_237-3ubuntu10.13.debian CVE-2018-16864.patch
+
+CVE: CVE-2018-16864
+Upstream-Status: Backport
+
+---
+ src/basic/io-util.c   | 10 ++
+ src/basic/io-util.h   |  2 ++
+ src/coredump/coredump.c   | 31 +++
+ src/journal/journald-server.c | 25 +++--
+ 4 files changed, 38 insertions(+), 30 deletions(-)
+
+--- a/src/basic/io-util.c
 b/src/basic/io-util.c
+@@ -26,6 +26,7 @@
+ #include 
+ 
+ #include "io-util.h"
++#include "string-util.h"
+ #include "time-util.h"
+ 
+ int flush_fd(int fd) {
+@@ -270,3 +271,12 @@
+ 
+ return q - (const uint8_t*) p;
+ }
++
++char* set_iovec_string_field(struct iovec *iovec, size_t *n_iovec, const char 
*field, const char *value) {
++char *x;
++
++x = strappend(field, value);
++if (x)
++iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(x);
++return x;
++}
+--- a/src/basic/io-util.h
 b/src/basic/io-util.h
+@@ -91,3 +91,5 @@
+ #define IOVEC_MAKE(base, len) (struct iovec) IOVEC_INIT(base, len)
+ #define IOVEC_INIT_STRING(string) IOVEC_INIT((char*) string, strlen(string))
+ #define IOVEC_MAKE_STRING(string) (struct iovec) IOVEC_INIT_STRING(string)
++
++char* set_iovec_string_field(struct iovec *iovec, size_t *n_iovec, const char 
*field, const char *value);
+--- a/src/coredump/coredump.c
 b/src/coredump/coredump.c
+@@ -1067,19 +1067,10 @@
+ return 0;
+ }
+ 
+-static char* set_iovec_field(struct iovec iovec[27], size_t *n_iovec, const 
char *field, const char *value) {
+-char *x;
+-
+-x = strappend(field, value);
+-if (x)
+-iovec[(*n_iovec)++] = IOVEC_MAKE_STRING(x);
+-return x;
+-}
+-
+ static char* set_iovec_field_free(struct iovec iovec[27], size_t *n_iovec, 
const char *field, char *value) {
+ char *x;
+ 
+-x = set_iovec_field(iovec, n_iovec, field, value);
++x = set_iovec_string_field(iovec, n_iovec, field, value);
+ free(value);
+ return x;
+ }
+@@ -1129,33 +1120,33 @@
+ disable_coredumps();
+ }
+ 
+-set_iovec_field(iovec, n_iovec, "COREDUMP_UNIT=", 
context[CONTEXT_UNIT]);
++set_iovec_string_field(iovec, n_iovec, "COREDUMP_UNIT=", 
context[CONTEXT_UNIT]);
+ }
+ 
+ if (cg_pid_get_user_unit(pid, ) >= 0)
+ set_iovec_field_free(iovec, n_iovec, "COREDUMP_USER_UNIT=", 
t);
+ 
+ /* The next few are mandatory */
+-if (!set_iovec_field(iovec, n_iovec, "COREDUMP_PID=", 
context[CONTEXT_PID]))
++if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_PID=", 
context[CONTEXT_PID]))
+ return log_oom();
+ 
+-if (!set_iovec_field(iovec, n_iovec, "COREDUMP_UID=", 
context[CONTEXT_UID]))
++if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_UID=", 
context[CONTEXT_UID]))
+ return log_oom();
+ 
+-if (!set_iovec_field(iovec, n_iovec, "COREDUMP_GID=", 
context[CONTEXT_GID]))
++if (!set_iovec_string_field(iovec, n_iovec, "COREDUMP_GID=", 
context[CONTEXT_GID]))
+ return log_oom();
+ 
+-if (!set_iovec_field(iovec, n_iovec, "COREDUMP_SIG
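
Review bot: set_iovec_string_field(), as added to src/basic/io-util.c, stores at `iovec[(*n_iovec)++]` with no capacity argument, and moving it out of coredump.c drops the `struct iovec iovec[27]` hint that the static version carried in its signature. Now that it is a shared helper, the declaration in io-util.h should carry a comment that the caller must guarantee room for one more entry, or the function should take the array size and refuse to write past it. Separately, the embedded patch header has CVE and Upstream-Status tags but no Signed-off-by line.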

[OE-core] [sumo][PATCH 2/8] systemd: fix CVE-2018-15687

2019-02-25 Thread George McCollister
Backport patch to fix the following CVE.

CVE: CVE-2018-15687

Based on thud commit eeb621aa19f690971caf862290a172a115578ba1
The patch in the thud commit doesn't compile against 237. Use the
version of this patch, CVE-2018-15687.patch from
systemd_237-3ubuntu10.13.debian.

Signed-off-by: George McCollister 
---
 ...sive-let-s-rework-the-recursive-logic-to-.patch | 252 +
 meta/recipes-core/systemd/systemd_237.bb   |   1 +
 2 files changed, 253 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch

diff --git 
a/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
 
b/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
new file mode 100644
index 00..9a0b55f97d
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
@@ -0,0 +1,252 @@
+From 2da8ba3f507345d0401ea9d7191fa16ffa560ebc Mon Sep 17 00:00:00 2001
+From: Lennart Poettering 
+Date: Fri, 19 Oct 2018 11:26:59 +0200
+Subject: [PATCH] chown-recursive: let's rework the recursive logic to use
+ O_PATH
+
+That way we can pin a specific inode and analyze it and manipulate it
+without it being swapped out beneath our hands.
+
+Fixes a vulnerability originally found by Jann Horn from Google.
+
+CVE-2018-15687
+LP: #1796692
+https://bugzilla.redhat.com/show_bug.cgi?id=1639076
+
+Origin: upstream, 
https://github.com/poettering/systemd/commit/5de6cce58b3e8b79239b6e83653459d91af6e57c
+Bug-Ubuntu: https://launchpad.net/bugs/1796692
+
+Patch for 237 from:
+systemd_237-3ubuntu10.13.debian CVE-2018-15687.patch
+
+CVE: CVE-2018-15687
+Upstream-Status: Backport
+
+---
+ src/core/chown-recursive.c | 146 ++---
+ 1 file changed, 70 insertions(+), 76 deletions(-)
+
+diff --git a/src/core/chown-recursive.c b/src/core/chown-recursive.c
+index c479450..27c6448 100644
+--- a/src/core/chown-recursive.c
 b/src/core/chown-recursive.c
+@@ -18,18 +18,20 @@
+   along with systemd; If not, see <http://www.gnu.org/licenses/>.
+ ***/
+
+-#include 
+-#include 
+ #include 
++#include 
++#include 
+
+-#include "user-util.h"
+-#include "macro.h"
+-#include "fd-util.h"
+-#include "dirent-util.h"
+ #include "chown-recursive.h"
++#include "dirent-util.h"
++#include "fd-util.h"
++#include "macro.h"
++#include "stdio-util.h"
++#include "strv.h"
++#include "user-util.h"
+
+-static int chown_one(int fd, const char *name, const struct stat *st, uid_t 
uid, gid_t gid) {
+-int r;
++static int chown_one(int fd, const struct stat *st, uid_t uid, gid_t gid) {
++char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
+
+ assert(fd >= 0);
+ assert(st);
+@@ -38,90 +40,82 @@
+ (!gid_is_valid(gid) || st->st_gid == gid))
+ return 0;
+
+-if (name)
+-r = fchownat(fd, name, uid, gid, AT_SYMLINK_NOFOLLOW);
+-else
+-r = fchown(fd, uid, gid);
+-if (r < 0)
+-return -errno;
++/* We change ownership through the /proc/self/fd/%i path, so that we 
have a stable reference that works with
++ * O_PATH. (Note: fchown() and fchmod() do not work with O_PATH, the 
kernel refuses that. */
++xsprintf(procfs_path, "/proc/self/fd/%i", fd);
+
+-/* The linux kernel alters the mode in some cases of chown(). Let's 
undo this. */
+-if (name) {
+-if (!S_ISLNK(st->st_mode))
+-r = fchmodat(fd, name, st->st_mode, 0);
+-else /* There's currently no AT_SYMLINK_NOFOLLOW for 
fchmodat() */
+-r = 0;
+-} else
+-r = fchmod(fd, st->st_mode);
+-if (r < 0)
++if (chown(procfs_path, uid, gid) < 0)
+ return -errno;
+
++/* The linux kernel alters the mode in some cases of chown(). Let's 
undo this. We do this only for non-symlinks
++ * however. That's because for symlinks the access mode is ignored 
anyway and because on some kernels/file
++ * systems trying to change the access mode will succeed but has no 
effect while on others it actively
++ * fails. */
++if (!S_ISLNK(st->st_mode))
++if (chmod(procfs_path, st->st_mode & 0) < 0)
++return -errno;
++
+ return 1;
+ }
+
+ static int chown_recursive_internal(int fd, const struct stat *st, uid_t uid, 
gid_t gid) {
++_cleanup_closedir_ DIR *d = NULL;
+ bool changed = false;
++struct dirent *de;
+ int r;
+
+ assert(fd >= 0);
+ assert(st);
+
+-if (S
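
Review bot: In the new chown_one(), the mode restore reads `chmod(procfs_path, st->st_mode & 0)`, and a mask of 0 would set every non-symlink to mode 0 instead of undoing the kernel's change to the mode. The mask has to keep the permission bits of st->st_mode, so check this line against CVE-2018-15687.patch in systemd_237-3ubuntu10.13.debian, which the header names as the origin, before the file goes in. The embedded header also lacks a Signed-off-by line.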

[OE-core] [sumo][PATCH 1/8] systemd: fix CVE-2018-15686

2019-02-25 Thread George McCollister
From: Chen Qi 

Backport patch to fix the following CVE.

CVE: CVE-2018-15686

Signed-off-by: Chen Qi 
Signed-off-by: Richard Purdie 

Cherry-picked from thud 0ef70603bc983315eb0e8a97958d995a31198c35

Signed-off-by: George McCollister 
---
 ...eserializing-state-always-use-read_line-L.patch | 250 +
 meta/recipes-core/systemd/systemd_237.bb   |   1 +
 2 files changed, 251 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch

diff --git 
a/meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch
 
b/meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch
new file mode 100644
index 00..405300148a
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch
@@ -0,0 +1,250 @@
+From 56f77f7fcceea2fbb3b4efb8e307dd7784c63115 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering 
+Date: Wed, 17 Oct 2018 18:36:24 +0200
+Subject: [PATCH] =?UTF-8?q?=3D=3FUTF-8=3Fq=3Fcore:=3D20when=3D20deserializ?=
+ =?UTF-8?q?ing=3D20state=3D20always=3F=3D?=
+
+ =?UTF-8?q?=20use=20read=5Fline(=E2=80=A6,=20LONG=5FLINE=5FMAX,=20?=
+ =?UTF-8?q?=E2=80=A6)?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This should be much better than fgets(), as we can read substantially
+longer lines and overly long lines result in proper errors.
+
+Fixes a vulnerability discovered by Jann Horn at Google.
+
+CVE-2018-15686
+LP: #1796402
+https://bugzilla.redhat.com/show_bug.cgi?id=1639071
+
+(cherry picked from commit 8948b3415d762245ebf5e19d80b97d4d8cc208c1)
+
+CVE: CVE-2018-15686
+Upstream-Status: Backport
+
+Signed-off-by: Chen Qi 
+
+---
+ src/core/job.c | 19 +++
+ src/core/manager.c | 44 
+ src/core/unit.c| 34 ++
+ src/core/unit.h|  2 +-
+ 4 files changed, 50 insertions(+), 49 deletions(-)
+
+diff --git a/src/core/job.c b/src/core/job.c
+index c6de8d27e..e0f9cee2f 100644
+--- a/src/core/job.c
 b/src/core/job.c
+@@ -28,6 +28,7 @@
+ #include "dbus-job.h"
+ #include "dbus.h"
+ #include "escape.h"
++#include "fileio.h"
+ #include "job.h"
+ #include "log.h"
+ #include "macro.h"
+@@ -1067,24 +1068,26 @@ int job_serialize(Job *j, FILE *f) {
+ }
+ 
+ int job_deserialize(Job *j, FILE *f) {
++int r;
++
+ assert(j);
+ assert(f);
+ 
+ for (;;) {
+-char line[LINE_MAX], *l, *v;
++_cleanup_free_ char *line = NULL;
++char *l, *v;
+ size_t k;
+ 
+-if (!fgets(line, sizeof(line), f)) {
+-if (feof(f))
+-return 0;
+-return -errno;
+-}
++r = read_line(f, LONG_LINE_MAX, );
++if (r < 0)
++return log_error_errno(r, "Failed to read 
serialization line: %m");
++if (r == 0)
++return 0;
+ 
+-char_array_0(line);
+ l = strstrip(line);
+ 
+ /* End marker */
+-if (l[0] == 0)
++if (isempty(l))
+ return 0;
+ 
+ k = strcspn(l, "=");
+diff --git a/src/core/manager.c b/src/core/manager.c
+index e837a46f5..423f82c94 100644
+--- a/src/core/manager.c
 b/src/core/manager.c
+@@ -2841,22 +2841,19 @@ int manager_deserialize(Manager *m, FILE *f, FDSet 
*fds) {
+ m->n_reloading++;
+ 
+ for (;;) {
+-char line[LINE_MAX];
++_cleanup_free_ char *line = NULL;
+ const char *val, *l;
+ 
+-if (!fgets(line, sizeof(line), f)) {
+-if (feof(f))
+-r = 0;
+-else
+-r = -errno;
+-
++r = read_line(f, LONG_LINE_MAX, );
++if (r < 0) {
++log_error_errno(r, "Failed to read serialization 
line: %m");
+ goto finish;
+ }
++if (r == 0)
++break;
+ 
+-char_array_0(line);
+ l = strstrip(line);
+-
+-if (l[0] == 0)
++if (isempty(l)) /* end marker */
+ break;
+ 
+ if ((val = startswith(l, "current-job-id="))) {
+@@ -3003,29 +3000,31 @@ int manager_deserialize(Manager *m, FILE *f, FDSet 
*fds) {
+ }
+ 
+ for (;;) {
+-Unit *u;
+-char name[UNIT_NAME_MAX+2];
++_cleanup_free_ char
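
Review bot: The Subject in the embedded patch header is RFC 2047 encoded twice (`=?UTF-8?q?=3D=3FUTF-8=3Fq=3F...`) and is followed by stray MIME-Version and Content-Type lines, so the purpose of the patch cannot be read without decoding it by hand; replace it with the plain subject before committing the file. In the hunks themselves, job_deserialize() and manager_deserialize() now log through log_error_errno() on a read failure where the fgets() code returned -errno silently, which is a behaviour change worth a word in the commit message.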

[OE-core] [sumo][PATCH 0/8] systemd: fix CVEs

2019-02-25 Thread George McCollister
Apply CVE patches to systemd. Backport changes from thud when possible
otherwise use patches from:
https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.13

The following changes since commit 31f0c5e59c7fb0ae0915de584fbfcf3d95bbb061:

  testsdk: Improvements to the json logging (2018-12-07 10:56:32 +)

are available in the git repository at:

  git://github.com/gmccollister/openembedded-core sumo-cve-fixes
  https://github.com/gmccollister/openembedded-core/tree/sumo-cve-fixes

Chen Qi (2):
  systemd: fix CVE-2018-15686
  systemd: fix CVE-2018-15688

George McCollister (5):
  systemd: fix CVE-2018-15687
  systemd: Security fix CVE-2018-16864
  systemd: Security fix CVE-2018-16865
  systemd: fix CVE-2018-6954
  systemd: fix CVE-2019-6454

Marcus Cooper (1):
  systemd: Security fix CVE-2018-16866

 ...sive-let-s-rework-the-recursive-logic-to-.patch |  252 +++
 ...eserializing-state-always-use-read_line-L.patch |  250 +++
 ...sure-we-have-enough-space-for-the-DHCP6-o.patch |   39 +
 ...n-t-resolve-pathnames-when-traversing-rec.patch |  643 +++
 .../systemd/systemd/0002-Make-tmpfiles-safe.patch  | 1828 
 ...-not-store-the-iovec-entry-for-process-co.patch |  193 +++
 ...ld-set-a-limit-on-the-number-of-fields-1k.patch |   60 +
 ...ote-set-a-limit-on-the-number-of-fields-i.patch |   79 +
 ...nal-fix-out-of-bounds-read-CVE-2018-16866.patch |   49 +
 .../systemd/systemd/CVE-2019-6454.patch|  210 +++
 ...e-receive-an-invalid-dbus-message-ignore-.patch |   61 +
 meta/recipes-core/systemd/systemd_237.bb   |   11 +
 12 files changed, 3675 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-tmpfiles-don-t-resolve-pathnames-when-traversing-rec.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0002-Make-tmpfiles-safe.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0024-journald-do-not-store-the-iovec-entry-for-process-co.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0025-journald-set-a-limit-on-the-number-of-fields-1k.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0026-journal-remote-set-a-limit-on-the-number-of-fields-i.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/0027-journal-fix-out-of-bounds-read-CVE-2018-16866.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch

-- 
2.11.0



Re: [OE-core] [PATCH] systemd: fix CVE-2019-6454

2019-02-22 Thread George McCollister
I missed that somehow.

Thanks for correcting me.
-George

On Fri, Feb 22, 2019 at 11:18 AM Alexander Kanavin
 wrote:
>
> On Fri, 22 Feb 2019 at 18:13, George McCollister
>  wrote:
> >
> > I believe this was discussed before and the recommendation was to wait
> > until 241 to be released. In any case I currently have no interest in
> > upgrading it. My main motivation is to patch this CVE in sumo but
> > maintainers seem to want it in master first (even though different
> > versions of the patches are required).
>
> 241 has been released:
> https://github.com/systemd/systemd/releases
>
> It's fine if you don't want to do the upgrade, just wanted to correct
> that point.
>
> Alex


Re: [OE-core] [PATCH] systemd: fix CVE-2019-6454

2019-02-22 Thread George McCollister
I believe this was discussed before and the recommendation was to wait
until 241 to be released. In any case I currently have no interest in
upgrading it. My main motivation is to patch this CVE in sumo but
maintainers seem to want it in master first (even though different
versions of the patches are required).

-George

On Fri, Feb 22, 2019 at 11:04 AM Alexander Kanavin
 wrote:
>
> On Fri, 22 Feb 2019 at 17:55, George McCollister
>  wrote:
> > Apply patches from systemd_239-7ubuntu10.8 to fix CVE-2019-6454.
> > CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a
> > specially formed D-Bus message.
> > +
> > +For information see:
> > +https://usn.ubuntu.com/3891-1/
> > +https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
> > +
> > +CVE: CVE-2019-6454
> > +Upstream-Status: Backport
>
> It would be better to update systemd to latest upstream release, are
> you able to do this?
>
> Alex


[OE-core] [PATCH] systemd: fix CVE-2019-6454

2019-02-22 Thread George McCollister
Apply patches from systemd_239-7ubuntu10.8 to fix CVE-2019-6454.
CVE-2019-6454 is an issue in which systemd (PID1) can be crashed with a
specially formed D-Bus message.

For information see:
https://usn.ubuntu.com/3891-1/
https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb

Signed-off-by: George McCollister 
---
 .../systemd/systemd/CVE-2019-6454.patch   | 210 ++
 ...eive-an-invalid-dbus-message-ignore-.patch |  61 +
 meta/recipes-core/systemd/systemd_239.bb  |   2 +
 3 files changed, 273 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
 create mode 100644 
meta/recipes-core/systemd/systemd/sd-bus-if-we-receive-an-invalid-dbus-message-ignore-.patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch 
b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
new file mode 100644
index 00..80170dac0f
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2019-6454.patch
@@ -0,0 +1,210 @@
+Description: sd-bus: enforce a size limit for dbus paths, and don't allocate
+ them on the stacka
+Forwarded: no
+
+Patch from: systemd_239-7ubuntu10.8
+
+For information see:
+https://usn.ubuntu.com/3891-1/
+https://git.launchpad.net/ubuntu/+source/systemd/commit/?id=f8e75d5634904c8e672658856508c3a02f349adb
+
+CVE: CVE-2019-6454
+Upstream-Status: Backport
+
+Signed-off-by: George McCollister 
+
+--- a/src/libsystemd/sd-bus/bus-internal.c
 b/src/libsystemd/sd-bus/bus-internal.c
+@@ -45,7 +45,7 @@
+ if (slash)
+ return false;
+
+-return true;
++return (q - p) <= BUS_PATH_SIZE_MAX;
+ }
+
+ char* object_path_startswith(const char *a, const char *b) {
+--- a/src/libsystemd/sd-bus/bus-internal.h
 b/src/libsystemd/sd-bus/bus-internal.h
+@@ -333,6 +333,10 @@
+
+ #define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
+ #define BUS_AUTH_SIZE_MAX (64*1024)
++/* Note that the D-Bus specification states that bus paths shall have no size 
limit. We enforce here one
++ * anyway, since truly unbounded strings are a security problem. The limit we 
pick is relatively large however,
++ * to not clash unnecessarily with real-life applications. */
++#define BUS_PATH_SIZE_MAX (64*1024)
+
+ #define BUS_CONTAINER_DEPTH 128
+
+--- a/src/libsystemd/sd-bus/bus-objects.c
 b/src/libsystemd/sd-bus/bus-objects.c
+@@ -1134,7 +1134,8 @@
+ const char *path,
+ sd_bus_error *error) {
+
+-char *prefix;
++_cleanup_free_ char *prefix = NULL;
++size_t pl;
+ int r;
+
+ assert(bus);
+@@ -1150,7 +1151,12 @@
+ return 0;
+
+ /* Second, add fallback vtables registered for any of the prefixes */
+-prefix = alloca(strlen(path) + 1);
++pl = strlen(path);
++assert(pl <= BUS_PATH_SIZE_MAX);
++prefix = new(char, pl + 1);
++if (!prefix)
++return -ENOMEM;
++
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+ r = object_manager_serialize_path(bus, reply, prefix, path, 
true, error);
+ if (r < 0)
+@@ -1346,6 +1352,7 @@
+ }
+
+ int bus_process_object(sd_bus *bus, sd_bus_message *m) {
++_cleanup_free_ char *prefix = NULL;
+ int r;
+ size_t pl;
+ bool found_object = false;
+@@ -1370,9 +1377,12 @@
+ assert(m->member);
+
+ pl = strlen(m->path);
+-do {
+-char prefix[pl+1];
++assert(pl <= BUS_PATH_SIZE_MAX);
++prefix = new(char, pl + 1);
++if (!prefix)
++return -ENOMEM;
+
++do {
+ bus->nodes_modified = false;
+
+ r = object_find_and_run(bus, m, m->path, false, 
_object);
+@@ -1499,9 +1509,15 @@
+
+ n = hashmap_get(bus->nodes, path);
+ if (!n) {
+-char *prefix;
++_cleanup_free_ char *prefix = NULL;
++size_t pl;
++
++pl = strlen(path);
++assert(pl <= BUS_PATH_SIZE_MAX);
++prefix = new(char, pl + 1);
++if (!prefix)
++return -ENOMEM;
+
+-prefix = alloca(strlen(path) + 1);
+ OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
+ n = hashmap_get(bus->nodes, prefix);
+ if (n)
+@@ -2091,8 +2107,9 @@
+ char **names) {
+
+ BUS_DONT_DESTROY(bus);
++_cleanup_free_ char *prefix = NULL;
+ bool found_interface = false;
+-char *prefix;
++size_t pl;
+ int r;
+
+ assert_return(bus, -EINVAL);
+@@ -2111,6 +2128,12 @@
+ if (names && names[0] == NULL)
+ return 0;
+
++pl = strlen(path);
++assert(pl <= BUS_PATH_SIZE_MAX);
++prefix = new(char, pl + 1);
++if (!prefix)
++return -ENO
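
Review bot: The `assert(pl <= BUS_PATH_SIZE_MAX)` lines added ahead of each `new(char, pl + 1)` in bus-objects.c turn an over-long path into an abort, which for PID 1 is the same outcome this CVE is about, so they are only safe if every path reaching these functions has already passed the length limit added to the path validity check in bus-internal.c. Confirm on 239 that m->path and the path arguments are validated before these calls, or return an error in place of the assert. Minor: "stacka" in the Description line is a typo for "stack".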

[OE-core] [morty][PATCH] apr: fix off_t size can't match when configure and in target glibc

2018-06-29 Thread George McCollister
From: Dengke Du 

When subversion runs on x86 and lib32 on x86-64, it uses APR's
apr.h header file. But when APR is configured for cross compiling,
the size is hardcoded in configure.in in the apr source code, as
follows:

APR_CHECK_SIZEOF_EXTENDED([#include ], off_t, 8)

It passes 8 bytes for off_t when cross compiling, but on x86 or lib32
the off_t in glibc is 4 bytes, so applications that use apr.h go
wrong.

Such as subversion:

svnadmin create test

So we should let the APR detect the correct off_t when cross compiling,
change it to the following:

AC_CHECK_SIZEOF(off_t)

The same for the following hardcoded types for cross compiling:

pid_t   8
size_t  8
ssize_t 8

Change the above correspondingly.

Signed-off-by: Dengke Du 
Signed-off-by: Ross Burton 

Cherry-picked from master e18820ca9202c07e2406d702c46f45415182b7a6
I spent 4 hours tracking down a problem where apache was responding
to a request with corrupt Content-Range data. This patch fixes the
problem.

Signed-off-by: George McCollister 
---
 ...ze-doesn-t-match-in-glibc-when-cross.patch | 76 +++
 meta/recipes-support/apr/apr_1.5.2.bb |  1 +
 2 files changed, 77 insertions(+)
 create mode 100644 
meta/recipes-support/apr/apr/0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch

diff --git 
a/meta/recipes-support/apr/apr/0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch
 
b/meta/recipes-support/apr/apr/0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch
new file mode 100644
index 00..12371428f0
--- /dev/null
+++ 
b/meta/recipes-support/apr/apr/0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch
@@ -0,0 +1,76 @@
+From f26e8b88d2c90ed7eb9d4e276412b0923c23d10f Mon Sep 17 00:00:00 2001
+From: Dengke Du 
+Date: Wed, 14 Dec 2016 18:13:08 +0800
+Subject: [PATCH] apr: fix off_t size doesn't match in glibc when cross
+ compiling
+
+In configure.in, it contains the following:
+
+   APR_CHECK_SIZEOF_EXTENDED([#include ], off_t, 8)
+
+the macro "APR_CHECK_SIZEOF_EXTENDED" was defined in build/apr_common.m4,
+it use the "AC_TRY_RUN" macro, this macro let the off_t to 8, when cross
+compiling enable.
+
+So it was hardcoded for cross compiling, we should detect it dynamic based on
+the sysroot's glibc. We change it to the following:
+
+   AC_CHECK_SIZEOF(off_t)
+
+The same for the following hardcoded types for cross compiling:
+
+   pid_t   8
+   ssize_t 8
+   size_t  8
+   off_t   8
+
+Change the above correspondingly.
+
+Signed-off-by: Dengke Du 
+---
+ configure.in | 8 
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/configure.in b/configure.in
+index 9d57ae6..5b19940 100644
+--- a/configure.in
 b/configure.in
+@@ -1681,7 +1681,7 @@ else
+ socklen_t_value="int"
+ fi
+ 
+-APR_CHECK_SIZEOF_EXTENDED([#include ], pid_t, 8)
++AC_CHECK_SIZEOF(pid_t)
+ 
+ if test "$ac_cv_sizeof_pid_t" = "$ac_cv_sizeof_short"; then
+ pid_t_fmt='#define APR_PID_T_FMT "hd"'
+@@ -1750,7 +1750,7 @@ APR_CHECK_TYPES_COMPATIBLE(ssize_t, long, 
[ssize_t_fmt="ld"])
+ APR_CHECK_TYPES_COMPATIBLE(size_t, unsigned int, [size_t_fmt="u"])
+ APR_CHECK_TYPES_COMPATIBLE(size_t, unsigned long, [size_t_fmt="lu"])
+ 
+-APR_CHECK_SIZEOF_EXTENDED([#include ], ssize_t, 8)
++AC_CHECK_SIZEOF(ssize_t)
+ 
+ AC_MSG_CHECKING([which format to use for apr_ssize_t])
+ if test -n "$ssize_t_fmt"; then
+@@ -1767,7 +1767,7 @@ fi
+ 
+ ssize_t_fmt="#define APR_SSIZE_T_FMT \"$ssize_t_fmt\""
+ 
+-APR_CHECK_SIZEOF_EXTENDED([#include ], size_t, 8)
++AC_CHECK_SIZEOF(size_t)
+ 
+ AC_MSG_CHECKING([which format to use for apr_size_t])
+ if test -n "$size_t_fmt"; then
+@@ -1784,7 +1784,7 @@ fi
+ 
+ size_t_fmt="#define APR_SIZE_T_FMT \"$size_t_fmt\""
+ 
+-APR_CHECK_SIZEOF_EXTENDED([#include ], off_t, 8)
++AC_CHECK_SIZEOF(off_t)
+ 
+ if test "${ac_cv_sizeof_off_t}${apr_cv_use_lfs64}" = "4yes"; then
+ # Enable LFS
+-- 
+2.7.4
+
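
Review bot: The embedded patch header ends at the Signed-off-by line with no Upstream-Status tag, so nothing records whether the configure.in change was sent to APR upstream; add the tag to the header before the `---`. On the change itself, AC_CHECK_SIZEOF() is used for pid_t, ssize_t, size_t and off_t without the includes argument that the APR_CHECK_SIZEOF_EXTENDED() calls passed, so confirm that autoconf's default includes declare all four types for the target sysroot.
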
diff --git a/meta/recipes-support/apr/apr_1.5.2.bb 
b/meta/recipes-support/apr/apr_1.5.2.bb
index 302c93504b..f560c8b9c4 100644
--- a/meta/recipes-support/apr/apr_1.5.2.bb
+++ b/meta/recipes-support/apr/apr_1.5.2.bb
@@ -17,6 +17,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
file://upgrade-and-fix-1.5.1.patch \
file://Fix-packet-discards-HTTP-redirect.patch \
file://configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \
+   
file://0001-apr-fix-off_t-size-doesn-t-match-in-glibc-when-cross.patch \
 "
 
 SRC_URI[md5sum] = "4e9769f3349fe11fc0a5e1b224c236aa"
-- 
2.17.1



Re: [OE-core] [meta-oe][rocko][PATCH] protobuf: fix SRC_URI by removing branch

2018-05-30 Thread George McCollister
On Wed, May 30, 2018 at 8:27 AM, Martin Jansa  wrote:
> The change itself is OK, but you should update the commit message so that
> other people won't get a bad idea about how the fetcher works.

Sounds good, I agree.

>
> Also please don't send meta-oe patches to both lists, it should go just to
> openembedded-devel (to prevent both patchwork instances picking this
> change).

I specifically sent it to both lists because the original discussion
was on openembedded-core while I knew the correct place to send the
patch is openembedded-devel. Next time I won't send it to the wrong
list, I'll just send a separate reply to the thread stating I have
sent a patch to the correct list.

>
> On Wed, May 30, 2018 at 3:19 PM George McCollister
>  wrote:
>>
>> On Wed, May 30, 2018 at 8:08 AM, Martin Jansa 
>> wrote:
>> > This doesn't just rely on SRCREV (bitbake fetcher would be complaining
>> > if
>> > the SRCREV isn't found in the branch used in SRC_URI), it relies on this
>> > SRCREV to be in master branch (which is the default branch for git
>> > fetcher):
>>
>> Okay, point taken.
>>
>> >
>> > docker-shr @ ~/projects/protobuf $ git branch -a --contains
>> > b04e5cba356212e4e8c66c61bbe0c3a20537c5b9
>> > * master
>>
>> Since it's in master the patch should work fine anyway. Should I
>> update the commit message and add branch=master or just leave it as
>> is?
>>
>> >   remotes/origin/3.5.1.1
>> >   remotes/origin/3.5.x
>> >   remotes/origin/3.6.x
>> >   remotes/origin/HEAD -> origin/master
>> >   remotes/origin/cython_protobuf
>> >   remotes/origin/master
>> >   remotes/origin/php-generated-dev
>> >   remotes/origin/python-wheel
>> >   remotes/origin/python_deps
>> >
>> >
>> > On Wed, May 30, 2018 at 3:01 PM George McCollister
>> >  wrote:
>> >>
>> >> The 3.4.x branch was removed upstream but the commit referenced in
>> >> SRCREV is the 3.4.1 release and is still available:
>> >> https://github.com/google/protobuf/releases/tag/v3.4.1
>> >>
>> >> Drop branch=3.4.x from SRC_URI and just rely on SRCREV.
>> >>
>> >> Signed-off-by: George McCollister 
>> >> ---
>> >>  meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb | 2 +-
>> >>  1 file changed, 1 insertion(+), 1 deletion(-)
>> >>
>> >> diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
>> >> b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
>> >> index fae7c18a1..fe28f475a 100644
>> >> --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
>> >> +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
>> >> @@ -18,7 +18,7 @@ SRCREV = "b04e5cba356212e4e8c66c61bbe0c3a20537c5b9"
>> >>
>> >>  PV = "3.4.1+git${SRCPV}"
>> >>
>> >> -SRC_URI = "git://github.com/google/protobuf.git;branch=3.4.x"
>> >> +SRC_URI = "git://github.com/google/protobuf.git"
>> >>
>> >>  EXTRA_OECONF += " --with-protoc=echo"
>> >>
>> >> --
>> >> 2.11.0
>> >>
>> >> --
>> >> ___
>> >> Openembedded-core mailing list
>> >> Openembedded-core@lists.openembedded.org
>> >> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>>
>> Regards,
>> George


Re: [OE-core] [meta-oe][rocko][PATCH] protobuf: fix SRC_URI by removing branch

2018-05-30 Thread George McCollister
On Wed, May 30, 2018 at 8:08 AM, Martin Jansa  wrote:
> This doesn't just rely on SRCREV (bitbake fetcher would be complaining if
> the SRCREV isn't found in the branch used in SRC_URI), it relies on this
> SRCREV to be in master branch (which is the default branch for git fetcher):

Okay, point taken.

>
> docker-shr @ ~/projects/protobuf $ git branch -a --contains
> b04e5cba356212e4e8c66c61bbe0c3a20537c5b9
> * master

Since it's in master the patch should work fine anyway. Should I
update the commit message and add branch=master or just leave it as
is?

>   remotes/origin/3.5.1.1
>   remotes/origin/3.5.x
>   remotes/origin/3.6.x
>   remotes/origin/HEAD -> origin/master
>   remotes/origin/cython_protobuf
>   remotes/origin/master
>   remotes/origin/php-generated-dev
>   remotes/origin/python-wheel
>   remotes/origin/python_deps
>
>
> On Wed, May 30, 2018 at 3:01 PM George McCollister
>  wrote:
>>
>> The 3.4.x branch was removed upstream but the commit referenced in
>> SRCREV is the 3.4.1 release and is still available:
>> https://github.com/google/protobuf/releases/tag/v3.4.1
>>
>> Drop branch=3.4.x from SRC_URI and just rely on SRCREV.
>>
>> Signed-off-by: George McCollister 
>> ---
>>  meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
>> b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
>> index fae7c18a1..fe28f475a 100644
>> --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
>> +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
>> @@ -18,7 +18,7 @@ SRCREV = "b04e5cba356212e4e8c66c61bbe0c3a20537c5b9"
>>
>>  PV = "3.4.1+git${SRCPV}"
>>
>> -SRC_URI = "git://github.com/google/protobuf.git;branch=3.4.x"
>> +SRC_URI = "git://github.com/google/protobuf.git"
>>
>>  EXTRA_OECONF += " --with-protoc=echo"
>>
>> --
>> 2.11.0
>>
>> --
>> ___
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Regards,
George
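
The containment question raised in this thread (is the pinned SRCREV reachable from the branch the fetcher will use?), as an added example that is not part of the original messages. It uses a throwaway local repository; the branch and tag names (1.0.x, v1.0, v1.0.1) and the helper names are constructed for illustration, and local branches stand in for the upstream remote's.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a pinned revision is
# reachable from the branch a fetch would use. Repository layout, branch and
# tag names are constructed for illustration.

# Print "contained", "not-contained" or "branch-missing" for
# repository $1, revision $2 and branch name $3.
classify_pin() {
    if ! git -C "$1" rev-parse -q --verify "refs/heads/$3" >/dev/null; then
        # The branch named in the recipe no longer exists.
        echo "branch-missing"
    elif git -C "$1" merge-base --is-ancestor "$2" "refs/heads/$3" 2>/dev/null; then
        # The revision is part of the branch history, so the pin is consistent.
        echo "contained"
    else
        # The revision exists elsewhere (or not at all) but not on this branch.
        echo "not-contained"
    fi
}

# Build a throwaway repository and print its path:
#   master: A - B (v1.0) - C
#   1.0.x:      B - D (v1.0.1)   release-only fix, never merged to master
make_demo_repo() {
    _repo=$(mktemp -d) || return 1
    _git() {
        git -C "$_repo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false "$@"
    }
    _git init -q
    _git symbolic-ref HEAD refs/heads/master
    _git commit -q --allow-empty -m A
    _git commit -q --allow-empty -m B
    _git tag v1.0
    _git branch 1.0.x
    _git commit -q --allow-empty -m C
    _git checkout -q 1.0.x
    _git commit -q --allow-empty -m D
    _git tag v1.0.1
    _git checkout -q master
    echo "$_repo"
}

# Walk through the situation from the thread: the release branch is removed
# upstream, and the recipe is changed to use the default branch instead.
run_demo() {
    demo_repo=$(make_demo_repo) || return 1
    echo "before removal, v1.0   on 1.0.x : $(classify_pin "$demo_repo" v1.0 1.0.x)"
    git -C "$demo_repo" branch -q -D 1.0.x
    echo "after removal,  v1.0   on 1.0.x : $(classify_pin "$demo_repo" v1.0 1.0.x)"
    echo "after removal,  v1.0   on master: $(classify_pin "$demo_repo" v1.0 master)"
    echo "after removal,  v1.0.1 on master: $(classify_pin "$demo_repo" v1.0.1 master)"
    rm -rf "$demo_repo"
}

# Run the walkthrough only when asked to: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    run_demo
fi
```

A release commit that is also an ancestor of master (v1.0 here) survives the switch to the default branch; one that lived only on the removed branch (v1.0.1 here) does not, and dropping the branch parameter would not make it fetchable.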


[OE-core] [meta-oe][rocko][PATCH] protobuf: fix SRC_URI by removing branch

2018-05-30 Thread George McCollister
The 3.4.x branch was removed upstream but the commit referenced in
SRCREV is the 3.4.1 release and is still available:
https://github.com/google/protobuf/releases/tag/v3.4.1

Drop branch=3.4.x from SRC_URI and just rely on SRCREV.

Signed-off-by: George McCollister 
---
 meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb 
b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
index fae7c18a1..fe28f475a 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.4.1.bb
@@ -18,7 +18,7 @@ SRCREV = "b04e5cba356212e4e8c66c61bbe0c3a20537c5b9"
 
 PV = "3.4.1+git${SRCPV}"
 
-SRC_URI = "git://github.com/google/protobuf.git;branch=3.4.x"
+SRC_URI = "git://github.com/google/protobuf.git"
 
 EXTRA_OECONF += " --with-protoc=echo"
 
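Review bot: the new SRC_URI line carries no branch parameter, so the fetcher falls back to its default branch, master, and still checks that SRCREV is contained in it, as Martin Jansa points out in the replies. The commit message's "just rely on SRCREV" should say that instead, and writing ;branch=master explicitly would keep the dependency on master visible in the recipe.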
-- 
2.11.0



Re: [OE-core] [pyro][PATCH] glibc: Fix CVE-2017-1000366

2017-12-12 Thread George McCollister
On Thu, Nov 30, 2017 at 9:16 AM, akuster808 <akuster...@gmail.com> wrote:
>
>
> On 11/21/2017 12:03 PM, George McCollister wrote:
>> Add backported patches from the upstream release/2.25/master branch to
>> fix CVE-2017-1000366. Also add a backported patch that resolves SSE
>> related build problems introduced by these patches.
>
> Thanks for the patch. This series causes an error when: bitbake
> core-image-sato -c populate_sdk, so it's on hold.
>

Sorry for the delay, this got buried in my inbox and I didn't see it
until today (updated email filters so it shouldn't happen again).

The problem here is that
0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch is
applied first and also touches elf/rtld.c. This causes the patches in
this series to be applied incorrectly against nativesdk-glibc. The
fact that the nativesdk patches are applied before the base patches is
a bit concerning as it could cause other problems as well. It seems
like it would be much safer to apply the base patches then apply the
nativesdk patches to avoid conflicts. Your thoughts?


[OE-core] [pyro][PATCH] glibc: Fix CVE-2017-1000366

2017-11-21 Thread George McCollister
Add backported patches from the upstream release/2.25/master branch to
fix CVE-2017-1000366. Also add a backported patch that resolves SSE
related build problems introduced by these patches.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch |  70 +++
 ...ject-overly-long-LD_PRELOAD-path-elements.patch | 144 +
 ...Reject-overly-long-LD_AUDIT-path-elements.patch | 230 +
 ...ssing-IS_IN-libc-guards-to-vectorized-str.patch |  62 ++
 meta/recipes-core/glibc/glibc_2.25.bb  |   4 +
 5 files changed, 510 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0030-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0031-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch

diff --git 
a/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 
b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
new file mode 100644
index 00..0178d50ff0
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
@@ -0,0 +1,70 @@
+From 4002021818bc31aec9b353c6e13ce9f82e84cd38 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 19 Jun 2017 18:31:27 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog  | 7 +++
+ NEWS   | 1 +
+ elf/rtld.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index f140ee67de..7bfdf45bb5 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Weimer  <fwei...@redhat.com>
++
++  [BZ #21624]
++  CVE-2017-1000366
++  * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
++  __libc_enable_secure.
++
+ 2017-02-05  Siddhesh Poyarekar  <siddh...@sourceware.org>
+ 
+   * version.h (RELEASE): Set to "stable"
+diff --git a/NEWS b/NEWS
+index ec15dde761..f7d38536d6 100644
+--- a/NEWS
 b/NEWS
+@@ -5,6 +5,7 @@ See the end for copying conditions.
+ Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
+ using `glibc' in the "product" field.
+ 
++  [21624] Unsafe alloca allows local attackers to alias stack and heap 
(CVE-2017-1000366)
+ Version 2.25
+ 
+ * The feature test macro __STDC_WANT_LIB_EXT2__, from ISO/IEC TR
+diff --git a/elf/rtld.c b/elf/rtld.c
+index a036ece956..2fc33a6178 100644
+--- a/elf/rtld.c
 b/elf/rtld.c
+@@ -2418,7 +2418,8 @@ process_envvars (enum mode *modep)
+ 
+   case 12:
+ /* The library search path.  */
+-if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++if (!__libc_enable_secure
++&& memcmp (envline, "LIBRARY_PATH", 12) == 0)
+   {
+ library_path = [13];
+ break;
+-- 
+2.15.0
+
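Review bot: this elf/rtld.c hunk in process_envvars has to apply on top of 0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch as well, which, per the follow-up in this thread, touches the same file and is applied first for nativesdk-glibc, where the series applied incorrectly. Please verify the result with bitbake core-image-sato -c populate_sdk before this goes in, and adjust the hunk for the nativesdk case if it lands in the wrong place.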
diff --git 
a/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 
b/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
new file mode 100644
index 00..142bd86d2f
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
@@ -0,0 +1,144 @@
+From d4fe2023bb908b85d577ac3843acd44bada330ce Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=46703a3995aa3ca2b816814aa4ad05ed524194dd
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog  |  7 ++
+ elf/rtld.c | 82 ++
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 7bfdf45bb5..0aff2bd347 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Wei

[OE-core] [morty][PATCH v3 1/2] glibc: Fix CVE-2015-5180

2017-11-21 Thread George McCollister
Add backported patch to fix CVE-2015-5180 from the upstream
release/2.24/master branch.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---

Changes in v2:
 - Fix commit message

Changes in v3:
 - None. Resending with other patch in the series.

 ...80-resolv-Fix-crash-with-internal-QTYPE-B.patch | 357 +
 meta/recipes-core/glibc/glibc_2.24.bb  |   1 +
 2 files changed, 358 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch

diff --git 
a/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
 
b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
new file mode 100644
index 00..ba0bebe488
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
@@ -0,0 +1,357 @@
+From ff9b7c4fb73295cd2de2d2ccfbbf4f6d50883d47 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Sat, 31 Dec 2016 20:22:09 +0100
+Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ
+ #18784]
+
+Also rename T_UNSPEC because an upcoming public header file
+update will use that name.
+
+(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=patch;h=b3b37f1a5559a7620e31c8053ed1b44f798f2b6d
+
+CVE: CVE-2015-5180
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog |  14 
+ NEWS  |   6 ++
+ include/arpa/nameser_compat.h |   6 +-
+ resolv/Makefile   |   5 ++
+ resolv/nss_dns/dns-host.c |   2 +-
+ resolv/res_mkquery.c  |   4 +
+ resolv/res_query.c|   6 +-
+ resolv/tst-resolv-qtypes.c| 185 ++
+ 8 files changed, 221 insertions(+), 7 deletions(-)
+ create mode 100644 resolv/tst-resolv-qtypes.c
+
+diff --git a/ChangeLog b/ChangeLog
+index 893262de11..2bdaf69e43 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,17 @@
++2016-12-31  Florian Weimer  <fwei...@redhat.com>
++
++  [BZ #18784]
++  CVE-2015-5180
++  * include/arpa/nameser_compat.h (T_QUERY_A_AND_): Rename from
++  T_UNSPEC.  Adjust value.
++  * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
++  * resolv/res_query.c (__libc_res_nquery): Likewise.
++  * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
++  QTYPEs.
++  * resolv/tst-resolv-qtypes.c: New file.
++  * resolv/Makefile (xtests): Add tst-resolv-qtypes.
++  (tst-resolv-qtypes): Link against libresolv and libpthread.
++
+ 2016-10-26  Carlos O'Donell  <car...@redhat.com>
+ 
+   * include/atomic.h
+diff --git a/NEWS b/NEWS
+index 3002773c16..4b1ca3cb65 100644
+--- a/NEWS
 b/NEWS
+@@ -11,6 +11,12 @@ using `glibc' in the "product" field.
+   printers show various pthread variables in human-readable form when read
+   using the 'print' or 'display' commands in gdb.
+ 
++* The DNS stub resolver functions would crash due to a NULL pointer
++  dereference when processing a query with a valid DNS question type which
++  was used internally in the implementation.  The stub resolver now uses a
++  question type which is outside the range of valid question type values.
++  (CVE-2015-5180)
++
+ Version 2.24
+ 
+ * The minimum Linux kernel version that this version of the GNU C Library
+diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
+index 2e735ede4c..7c0deed9ae 100644
+--- a/include/arpa/nameser_compat.h
 b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include 
+ 
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+-   T_A and T_).  */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++   internally by the implementation.  */
++#define T_QUERY_A_AND_ 439963904
+ 
+ #endif
+diff --git a/resolv/Makefile b/resolv/Makefile
+index 8be41d3ae1..a4c86b9762 100644
+--- a/resolv/Makefile
 b/resolv/Makefile
+@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
+ extra-libs += libanl
+ routines += gai_sigqueue
+ tests += tst-res_hconf_reorder
++
++# This test sends millions of packets and is rather slow.
++xtests += tst-resolv-qtypes
+ endif
+ extra-libs-others = $(extra-libs)
+ libresolv-routines := gethnamaddr res_comp res_debug  \
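Review bot: tst-resolv-qtypes is added to xtests here, not tests, so the regression test for CVE-2015-5180 does not run in a normal test pass and the backport is only exercised when the extended tests are run explicitly. That matches the comment about the test being slow, but the commit message should say how the fix was verified on morty.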
+@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
+ $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
+   $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
+   $(evaluate-test)
++
++$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 5f9e35701b..d16fa4b8ed 100644
+--

[OE-core] [morty][PATCH v3 2/2] glibc: Fix CVE-2017-1000366

2017-11-21 Thread George McCollister
Add backported patches from the upstream release/2.24/master branch to
fix CVE-2017-1000366. Also add a backported patch that resolves SSE
related build problems introduced by these patches.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---

Changes in v2:
 - Fix commit message

Changes in v3:
 - Added upstream patch to fix SSE issue introduced by this patch
   series.

 ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch |  71 +++
 ...ject-overly-long-LD_PRELOAD-path-elements.patch | 145 +
 ...Reject-overly-long-LD_AUDIT-path-elements.patch | 231 +
 ...ssing-IS_IN-libc-guards-to-vectorized-str.patch |  62 ++
 meta/recipes-core/glibc/glibc_2.24.bb  |   4 +
 5 files changed, 513 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch

diff --git 
a/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 
b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
new file mode 100644
index 00..78e9ea9e65
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
@@ -0,0 +1,71 @@
+From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 19 Jun 2017 18:33:26 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog  | 7 +++
+ NEWS   | 1 +
+ elf/rtld.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 2bdaf69e43..7a999802dd 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Weimer  <fwei...@redhat.com>
++
++  [BZ #21624]
++  CVE-2017-1000366
++  * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
++  __libc_enable_secure.
++
+ 2016-12-31  Florian Weimer  <fwei...@redhat.com>
+ 
+   [BZ #18784]
+diff --git a/NEWS b/NEWS
+index 4b1ca3cb65..66b49dbbc0 100644
+--- a/NEWS
 b/NEWS
+@@ -17,6 +17,7 @@ using `glibc' in the "product" field.
+   question type which is outside the range of valid question type values.
+   (CVE-2015-5180)
+ 
++  [21624] Unsafe alloca allows local attackers to alias stack and heap 
(CVE-2017-1000366)
+ Version 2.24
+ 
+ * The minimum Linux kernel version that this version of the GNU C Library
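Review bot: the context lines of this NEWS hunk include the (CVE-2015-5180) entry that patch 1/2 adds, and the ChangeLog hunk above starts from blob 2bdaf69e43, which is the result of 1/2, so this patch only applies after the CVE-2015-5180 backport. Both patch files are named 0001-..., so the order is carried only by SRC_URI in glibc_2.24.bb; either state the dependency in the commit message or drop the ChangeLog and NEWS hunks from the backports so the two fixes can be applied independently.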
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 647661ca45..215a9aec8f 100644
+--- a/elf/rtld.c
 b/elf/rtld.c
+@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep)
+ 
+   case 12:
+ /* The library search path.  */
+-if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++if (!__libc_enable_secure
++&& memcmp (envline, "LIBRARY_PATH", 12) == 0)
+   {
+ library_path = [13];
+ break;
+-- 
+2.15.0
+
diff --git 
a/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 
b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
new file mode 100644
index 00..7f81ed1566
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
@@ -0,0 +1,145 @@
+From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <

Re: [OE-core] [morty][PATCH v2 1/2] glibc: Fix CVE-2015-5180

2017-11-16 Thread George McCollister
On Thu, Nov 16, 2017 at 12:45 PM, akuster808 <akuster...@gmail.com> wrote:
>
>
> On 11/15/2017 12:36 PM, George McCollister wrote:
>> Add backported patch to fix CVE-2015-5180 from the upstream
>> release/2.24/master branch.
>>
>> Signed-off-by: George McCollister <george.mccollis...@gmail.com>
>
> Thanks for this series. I will have to wait until I address this in Pyro.

CVE-2015-5180 should not be an issue in glibc 2.25.

The CVE-2017-1000366 commits backported to glibc 2.25 are here:
https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d
https://sourceware.org/git/?p=glibc.git;a=commit;h=46703a3995aa3ca2b816814aa4ad05ed524194dd
https://sourceware.org/git/?p=glibc.git;a=commit;h=c69d4a0f680a24fdbe323764a50382ad324041e9

Would it help if I sent Pyro patches for these?

>
> - armin


[OE-core] [morty][PATCH v2 2/2] glibc: Fix CVE-2017-1000366

2017-11-15 Thread George McCollister
Add backported patches from the upstream release/2.24/master branch to
fix CVE-2017-1000366

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---

Changes in v2:
 - Fix commit message

 ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch |  71 +++
 ...ject-overly-long-LD_PRELOAD-path-elements.patch | 145 +
 ...Reject-overly-long-LD_AUDIT-path-elements.patch | 231 +
 meta/recipes-core/glibc/glibc_2.24.bb  |   3 +
 4 files changed, 450 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch

diff --git 
a/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 
b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
new file mode 100644
index 00..78e9ea9e65
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
@@ -0,0 +1,71 @@
+From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 19 Jun 2017 18:33:26 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog  | 7 +++
+ NEWS   | 1 +
+ elf/rtld.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 2bdaf69e43..7a999802dd 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Weimer  <fwei...@redhat.com>
++
++  [BZ #21624]
++  CVE-2017-1000366
++  * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
++  __libc_enable_secure.
++
+ 2016-12-31  Florian Weimer  <fwei...@redhat.com>
+ 
+   [BZ #18784]
+diff --git a/NEWS b/NEWS
+index 4b1ca3cb65..66b49dbbc0 100644
+--- a/NEWS
 b/NEWS
+@@ -17,6 +17,7 @@ using `glibc' in the "product" field.
+   question type which is outside the range of valid question type values.
+   (CVE-2015-5180)
+ 
++  [21624] Unsafe alloca allows local attackers to alias stack and heap 
(CVE-2017-1000366)
+ Version 2.24
+ 
+ * The minimum Linux kernel version that this version of the GNU C Library
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 647661ca45..215a9aec8f 100644
+--- a/elf/rtld.c
 b/elf/rtld.c
+@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep)
+ 
+   case 12:
+ /* The library search path.  */
+-if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++if (!__libc_enable_secure
++&& memcmp (envline, "LIBRARY_PATH", 12) == 0)
+   {
+ library_path = [13];
+ break;
+-- 
+2.15.0
+
diff --git 
a/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 
b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
new file mode 100644
index 00..7f81ed1566
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
@@ -0,0 +1,145 @@
+From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog  |  7 ++
+ elf/rtld.c | 82 ++
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+
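Review bot: the Upstream-Status block in this header cites the same Debian commit, 2755c57269f24e9d59c22c49788f92515346c1bb, as the header of patch 0001 does, although the two patches backport different upstream changes. Please confirm that one Debian commit really covers both, or replace the second reference with the commit that carries the LD_PRELOAD change, so each patch file can be traced to its own source.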
+diff --git a/ChangeLog b/ChangeLog
+index 7a999802dd..ea5ecd4a1e 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Weimer  <fwei...@redhat.com>
++
++  * elf/rtld.c (SECURE_N

[OE-core] [morty][PATCH v2 1/2] glibc: Fix CVE-2015-5180

2017-11-15 Thread George McCollister
Add backported patch to fix CVE-2015-5180 from the upstream
release/2.24/master branch.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---

Changes in v2:
 - Fix commit message

 ...80-resolv-Fix-crash-with-internal-QTYPE-B.patch | 357 +
 meta/recipes-core/glibc/glibc_2.24.bb  |   1 +
 2 files changed, 358 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch

diff --git 
a/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
 
b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
new file mode 100644
index 00..ba0bebe488
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
@@ -0,0 +1,357 @@
+From ff9b7c4fb73295cd2de2d2ccfbbf4f6d50883d47 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Sat, 31 Dec 2016 20:22:09 +0100
+Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ
+ #18784]
+
+Also rename T_UNSPEC because an upcoming public header file
+update will use that name.
+
+(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=patch;h=b3b37f1a5559a7620e31c8053ed1b44f798f2b6d
+
+CVE: CVE-2015-5180
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog |  14 
+ NEWS  |   6 ++
+ include/arpa/nameser_compat.h |   6 +-
+ resolv/Makefile   |   5 ++
+ resolv/nss_dns/dns-host.c |   2 +-
+ resolv/res_mkquery.c  |   4 +
+ resolv/res_query.c|   6 +-
+ resolv/tst-resolv-qtypes.c| 185 ++
+ 8 files changed, 221 insertions(+), 7 deletions(-)
+ create mode 100644 resolv/tst-resolv-qtypes.c
+
+diff --git a/ChangeLog b/ChangeLog
+index 893262de11..2bdaf69e43 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,17 @@
++2016-12-31  Florian Weimer  <fwei...@redhat.com>
++
++  [BZ #18784]
++  CVE-2015-5180
++  * include/arpa/nameser_compat.h (T_QUERY_A_AND_): Rename from
++  T_UNSPEC.  Adjust value.
++  * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
++  * resolv/res_query.c (__libc_res_nquery): Likewise.
++  * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
++  QTYPEs.
++  * resolv/tst-resolv-qtypes.c: New file.
++  * resolv/Makefile (xtests): Add tst-resolv-qtypes.
++  (tst-resolv-qtypes): Link against libresolv and libpthread.
++
+ 2016-10-26  Carlos O'Donell  <car...@redhat.com>
+ 
+   * include/atomic.h
+diff --git a/NEWS b/NEWS
+index 3002773c16..4b1ca3cb65 100644
+--- a/NEWS
 b/NEWS
+@@ -11,6 +11,12 @@ using `glibc' in the "product" field.
+   printers show various pthread variables in human-readable form when read
+   using the 'print' or 'display' commands in gdb.
+ 
++* The DNS stub resolver functions would crash due to a NULL pointer
++  dereference when processing a query with a valid DNS question type which
++  was used internally in the implementation.  The stub resolver now uses a
++  question type which is outside the range of valid question type values.
++  (CVE-2015-5180)
++
+ Version 2.24
+ 
+ * The minimum Linux kernel version that this version of the GNU C Library
+diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
+index 2e735ede4c..7c0deed9ae 100644
+--- a/include/arpa/nameser_compat.h
 b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include 
+ 
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+-   T_A and T_).  */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++   internally by the implementation.  */
++#define T_QUERY_A_AND_ 439963904
+ 
+ #endif
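Review bot: the rename in include/arpa/nameser_compat.h removes T_UNSPEC outright, and the ChangeLog entry lists only dns-host.c and res_query.c as updated users, so any other glibc patch in the morty SRC_URI that still refers to T_UNSPEC will stop building. A grep of the recipe's patch directory for T_UNSPEC before merging would settle it.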
+diff --git a/resolv/Makefile b/resolv/Makefile
+index 8be41d3ae1..a4c86b9762 100644
+--- a/resolv/Makefile
 b/resolv/Makefile
+@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
+ extra-libs += libanl
+ routines += gai_sigqueue
+ tests += tst-res_hconf_reorder
++
++# This test sends millions of packets and is rather slow.
++xtests += tst-resolv-qtypes
+ endif
+ extra-libs-others = $(extra-libs)
+ libresolv-routines := gethnamaddr res_comp res_debug  \
+@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
+ $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
+   $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
+   $(evaluate-test)
++
++$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 5f9e35701b..d16fa4b8ed 100644
+--- a/resolv/nss_dns/dns-host.c
 b/resolv/nss_dns/dns-host.c
+@@

[OE-core] [morty][PATCH 2/2] Fix CVE-2017-1000366

2017-11-15 Thread George McCollister
Add backported patches from the upstream release/2.24/master branch to
fix CVE-2017-1000366

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch |  71 +++
 ...ject-overly-long-LD_PRELOAD-path-elements.patch | 145 +
 ...Reject-overly-long-LD_AUDIT-path-elements.patch | 231 +
 meta/recipes-core/glibc/glibc_2.24.bb  |   3 +
 4 files changed, 450 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch

diff --git 
a/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 
b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
new file mode 100644
index 00..78e9ea9e65
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
@@ -0,0 +1,71 @@
+From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 19 Jun 2017 18:33:26 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog  | 7 +++
+ NEWS   | 1 +
+ elf/rtld.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 2bdaf69e43..7a999802dd 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Weimer  <fwei...@redhat.com>
++
++  [BZ #21624]
++  CVE-2017-1000366
++  * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
++  __libc_enable_secure.
++
+ 2016-12-31  Florian Weimer  <fwei...@redhat.com>
+ 
+   [BZ #18784]
+diff --git a/NEWS b/NEWS
+index 4b1ca3cb65..66b49dbbc0 100644
+--- a/NEWS
 b/NEWS
+@@ -17,6 +17,7 @@ using `glibc' in the "product" field.
+   question type which is outside the range of valid question type values.
+   (CVE-2015-5180)
+ 
++  [21624] Unsafe alloca allows local attackers to alias stack and heap 
(CVE-2017-1000366)
+ Version 2.24
+ 
+ * The minimum Linux kernel version that this version of the GNU C Library
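Review bot: the added NEWS line `[21624] Unsafe alloca allows local attackers to alias stack and heap` is wrapped in this mail, so its tail `(CVE-2017-1000366)` sits on a line with no `+` prefix, which breaks both the embedded NEWS hunk (header `-17,6 +17,7`) and the enclosing new-file hunk. Please resend with line wrapping disabled. The entry is also placed directly against `Version 2.24` with no blank line after it, unlike the bulleted CVE-2015-5180 entry just above; a blank line after the new entry would keep the section break readable.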
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 647661ca45..215a9aec8f 100644
+--- a/elf/rtld.c
 b/elf/rtld.c
+@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep)
+ 
+   case 12:
+ /* The library search path.  */
+-if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++if (!__libc_enable_secure
++&& memcmp (envline, "LIBRARY_PATH", 12) == 0)
+   {
+ library_path = [13];
+ break;
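Review bot: the new `!__libc_enable_secure` condition in `case 12` of process_envvars has no comment, and the existing one still reads just `/* The library search path.  */`. Suggest extending that comment to say LD_LIBRARY_PATH is ignored for AT_SECURE=1 programs, since the reason (keeping the unbounded alloca in _dl_init_paths unreachable) is otherwise only in the commit message. This hunk covers LD_LIBRARY_PATH only; the LD_PRELOAD and LD_AUDIT limits are in the 0002 and 0003 patches listed in the diffstat, so the three should be merged together.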
+-- 
+2.15.0
+
diff --git 
a/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 
b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
new file mode 100644
index 00..7f81ed1566
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
@@ -0,0 +1,145 @@
+From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch=2755c57269f24e9d59c22c49788f92515346c1bb
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog  |  7 ++
+ elf/rtld.c | 82 ++
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 7a999802dd..ea5ecd4a1e 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Weimer  <fwei...@redhat.com>
++
++  * elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.

[OE-core] [morty][PATCH 1/2] Fix CVE-2015-5180

2017-11-15 Thread George McCollister
Add backported patch to fix CVE-2015-5180 from the upstream
release/2.24/master branch.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 ...80-resolv-Fix-crash-with-internal-QTYPE-B.patch | 357 +
 meta/recipes-core/glibc/glibc_2.24.bb  |   1 +
 2 files changed, 358 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch

diff --git 
a/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
 
b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
new file mode 100644
index 00..ba0bebe488
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
@@ -0,0 +1,357 @@
+From ff9b7c4fb73295cd2de2d2ccfbbf4f6d50883d47 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fwei...@redhat.com>
+Date: Sat, 31 Dec 2016 20:22:09 +0100
+Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ
+ #18784]
+
+Also rename T_UNSPEC because an upcoming public header file
+update will use that name.
+
+(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=patch;h=b3b37f1a5559a7620e31c8053ed1b44f798f2b6d
+
+CVE: CVE-2015-5180
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ ChangeLog |  14 
+ NEWS  |   6 ++
+ include/arpa/nameser_compat.h |   6 +-
+ resolv/Makefile   |   5 ++
+ resolv/nss_dns/dns-host.c |   2 +-
+ resolv/res_mkquery.c  |   4 +
+ resolv/res_query.c|   6 +-
+ resolv/tst-resolv-qtypes.c| 185 ++
+ 8 files changed, 221 insertions(+), 7 deletions(-)
+ create mode 100644 resolv/tst-resolv-qtypes.c
+
+diff --git a/ChangeLog b/ChangeLog
+index 893262de11..2bdaf69e43 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,17 @@
++2016-12-31  Florian Weimer  <fwei...@redhat.com>
++
++  [BZ #18784]
++  CVE-2015-5180
++  * include/arpa/nameser_compat.h (T_QUERY_A_AND_): Rename from
++  T_UNSPEC.  Adjust value.
++  * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
++  * resolv/res_query.c (__libc_res_nquery): Likewise.
++  * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
++  QTYPEs.
++  * resolv/tst-resolv-qtypes.c: New file.
++  * resolv/Makefile (xtests): Add tst-resolv-qtypes.
++  (tst-resolv-qtypes): Link against libresolv and libpthread.
++
+ 2016-10-26  Carlos O'Donell  <car...@redhat.com>
+ 
+   * include/atomic.h
+diff --git a/NEWS b/NEWS
+index 3002773c16..4b1ca3cb65 100644
+--- a/NEWS
 b/NEWS
+@@ -11,6 +11,12 @@ using `glibc' in the "product" field.
+   printers show various pthread variables in human-readable form when read
+   using the 'print' or 'display' commands in gdb.
+ 
++* The DNS stub resolver functions would crash due to a NULL pointer
++  dereference when processing a query with a valid DNS question type which
++  was used internally in the implementation.  The stub resolver now uses a
++  question type which is outside the range of valid question type values.
++  (CVE-2015-5180)
++
+ Version 2.24
+ 
+ * The minimum Linux kernel version that this version of the GNU C Library
+diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
+index 2e735ede4c..7c0deed9ae 100644
+--- a/include/arpa/nameser_compat.h
 b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include 
+ 
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+-   T_A and T_).  */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++   internally by the implementation.  */
++#define T_QUERY_A_AND_ 439963904
+ 
+ #endif
+diff --git a/resolv/Makefile b/resolv/Makefile
+index 8be41d3ae1..a4c86b9762 100644
+--- a/resolv/Makefile
 b/resolv/Makefile
+@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
+ extra-libs += libanl
+ routines += gai_sigqueue
+ tests += tst-res_hconf_reorder
++
++# This test sends millions of packets and is rather slow.
++xtests += tst-resolv-qtypes
+ endif
+ extra-libs-others = $(extra-libs)
+ libresolv-routines := gethnamaddr res_comp res_debug  \
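Review bot: `xtests += tst-resolv-qtypes` puts the only regression test for this CVE in the xtests set, which glibc runs with `make xcheck` rather than the default `make check`, so a normal test run will not exercise the fix. That is understandable given the comment that the test sends millions of packets, but the commit message should say how the backport was verified, for example that this test was run by hand against the patched 2.24 build.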
+@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
+ $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
+   $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
+   $(evaluate-test)
++
++$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 5f9e35701b..d16fa4b8ed 100644
+--- a/resolv/nss_dns/dns-host.c
 b/resolv/nss_dns/dns-host.c
+@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_

[OE-core] [morty][PATCH 3/4] zlib: Fix CVE-2016-9842

2017-11-14 Thread George McCollister
Add backported patch to fix CVE-2016-9842 which was fixed in zlib 1.2.9

https://nvd.nist.gov/vuln/detail/CVE-2016-9842

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 .../zlib/zlib-1.2.8/CVE-2016-9842.patch| 35 ++
 meta/recipes-core/zlib/zlib_1.2.8.bb   |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9842.patch

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9842.patch 
b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9842.patch
new file mode 100644
index 00..41b8d2a30a
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9842.patch
@@ -0,0 +1,35 @@
+commit e54e1299404101a5a9d0cf5e45512b543967f958
+Author: Mark Adler <mad...@alumni.caltech.edu>
+Date:   Sat Sep 5 17:45:55 2015 -0700
+
+Avoid shifts of negative values inflateMark().
+
+The C standard says that bit shifts of negative integers is
+undefined.  This casts to unsigned values to assure a known
+result.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958
+
+CVE: CVE-2016-9842
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+
+diff --git a/inflate.c b/inflate.c
+index 2889e3a..a718416 100644
+--- a/inflate.c
 b/inflate.c
+@@ -1506,9 +1506,10 @@ z_streamp strm;
+ {
+ struct inflate_state FAR *state;
+ 
+-if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
++if (strm == Z_NULL || strm->state == Z_NULL)
++return (long)(((unsigned long)0 - 1) << 16);
+ state = (struct inflate_state FAR *)strm->state;
+-return ((long)(state->back) << 16) +
++return (long)(((unsigned long)((long)state->back)) << 16) +
+ (state->mode == COPY ? state->length :
+ (state->mode == MATCH ? state->was - state->length : 0));
+ }
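Review bot: both new return expressions in inflateMark() shift as `unsigned long` and then cast the result back with `(long)`; on the error path, `(long)(((unsigned long)0 - 1) << 16)` yields a value above LONG_MAX before the cast, and converting that to `long` is implementation-defined in C rather than undefined. That is a real improvement over `-1L << 16`, but a short comment stating that the result relies on the usual two's-complement conversion would document what callers should expect back.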
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb 
b/meta/recipes-core/zlib/zlib_1.2.8.bb
index 88f60611d9..eb38589b6a 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -12,6 +12,7 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://ldflags-tests.patch \
file://CVE-2016-9840.patch \
file://CVE-2016-9841.patch \
+   file://CVE-2016-9842.patch \
file://run-ptest \
"
 
-- 
2.15.0

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [morty][PATCH 2/4] zlib: Fix CVE-2016-9841

2017-11-14 Thread George McCollister
Add backported patch to fix CVE-2016-9841 which was fixed in zlib 1.2.9

https://nvd.nist.gov/vuln/detail/CVE-2016-9841

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 .../zlib/zlib-1.2.8/CVE-2016-9841.patch| 230 +
 meta/recipes-core/zlib/zlib_1.2.8.bb   |   1 +
 2 files changed, 231 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch 
b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch
new file mode 100644
index 00..9cf7a77786
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch
@@ -0,0 +1,230 @@
+commit 9aaec95e82117c1cb0f9624264c3618fc380cecb
+Author: Mark Adler <mad...@alumni.caltech.edu>
+Date:   Wed Sep 21 22:25:21 2016 -0700
+
+Use post-increment only in inffast.c.
+
+An old inffast.c optimization turns out to not be optimal anymore
+with modern compilers, and furthermore was not compliant with the
+C standard, for which decrementing a pointer before its allocated
+memory is undefined. Per the recommendation of a security audit of
+the zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this "optimization" was removed, in order to
+avoid the possibility of undefined behavior.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
+
+CVE: CVE-2016-9841
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+
+diff --git a/inffast.c b/inffast.c
+index bda59ce..f0d163d 100644
+--- a/inffast.c
 b/inffast.c
+@@ -10,25 +10,6 @@
+ 
+ #ifndef ASMINF
+ 
+-/* Allow machine dependent optimization for post-increment or pre-increment.
+-   Based on testing to date,
+-   Pre-increment preferred for:
+-   - PowerPC G3 (Adler)
+-   - MIPS R5000 (Randers-Pehrson)
+-   Post-increment preferred for:
+-   - none
+-   No measurable difference:
+-   - Pentium III (Anderson)
+-   - M68060 (Nikl)
+- */
+-#ifdef POSTINC
+-#  define OFF 0
+-#  define PUP(a) *(a)++
+-#else
+-#  define OFF 1
+-#  define PUP(a) *++(a)
+-#endif
+-
+ /*
+Decode literal, length, and distance codes and write out the resulting
+literal and match bytes until either not enough input or output is
+@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for 
strm->avail_out */
+ 
+ /* copy state to local variables */
+ state = (struct inflate_state FAR *)strm->state;
+-in = strm->next_in - OFF;
++in = strm->next_in;
+ last = in + (strm->avail_in - 5);
+-out = strm->next_out - OFF;
++out = strm->next_out;
+ beg = out - (start - strm->avail_out);
+ end = out + (strm->avail_out - 257);
+ #ifdef INFLATE_STRICT
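Review bot: the write-back of `in` and `out` to `strm->next_in` and `strm->next_out` at the end of the function has to lose its `OFF` adjustment as well, and that part is not visible here because the patch is cut off in this mail. Within this hunk the change is consistent, since `last`, `beg` and `end` are all derived from `in` and `out` and shift with them. Please confirm the full 230-line patch contains the write-back change and that no use of `OFF` or `PUP` remains, given that the first hunk removes both macros.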
+@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for 
strm->avail_out */
+input data or output space */
+ do {
+ if (bits < 15) {
+-hold += (unsigned long)(PUP(in)) << bits;
++hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+-hold += (unsigned long)(PUP(in)) << bits;
++hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = lcode[hold & lmask];
+@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value 
for strm->avail_out */
+ Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
+ "inflate: literal '%c'\n" :
+ "inflate: literal 0x%02x\n", here.val));
+-PUP(out) = (unsigned char)(here.val);
++*out++ = (unsigned char)(here.val);
+ }
+ else if (op & 16) { /* length base */
+ len = (unsigned)(here.val);
+ op &= 15;   /* number of extra bits */
+ if (op) {
+ if (bits < op) {
+-hold += (unsigned long)(PUP(in)) << bits;
++hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ len += (unsigned)hold & ((1U << op) - 1);
+@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for 
strm->avail_out */
+ }
+ Tracevv((stderr, "inflate: length %u\n", len));
+ if (bits < 15) {
+-hold += (unsigned long)(PUP(in)) << bits;
++hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+-hold += (unsigned long)(PUP(in)) << bits;
++hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+   

[OE-core] [morty][PATCH 4/4] zlib: Fix CVE-2016-9843

2017-11-14 Thread George McCollister
Add backported patch to fix CVE-2016-9843 which was fixed in zlib 1.2.9

https://nvd.nist.gov/vuln/detail/CVE-2016-9843

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 .../zlib/zlib-1.2.8/CVE-2016-9843.patch| 55 ++
 meta/recipes-core/zlib/zlib_1.2.8.bb   |  1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch 
b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch
new file mode 100644
index 00..1ff8acf265
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch
@@ -0,0 +1,55 @@
+commit d1d577490c15a0c6862473d7576352a9f18ef811
+Author: Mark Adler <mad...@alumni.caltech.edu>
+Date:   Wed Sep 28 20:20:25 2016 -0700
+
+Avoid pre-decrement of pointer in big-endian CRC calculation.
+
+There was a small optimization for PowerPCs to pre-increment a
+pointer when accessing a word, instead of post-incrementing. This
+required prefacing the loop with a decrement of the pointer,
+possibly pointing before the object passed. This is not compliant
+with the C standard, for which decrementing a pointer before its
+allocated memory is undefined. When tested on a modern PowerPC
+with a modern compiler, the optimization no longer has any effect.
+Due to all that, and per the recommendation of a security audit of
+the zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this "optimization" was removed, in order to
+avoid the possibility of undefined behavior.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
+
+CVE: CVE-2016-9843
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+
+diff --git a/crc32.c b/crc32.c
+index 979a719..05733f4 100644
+--- a/crc32.c
 b/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+ 
+ /* = 
*/
+-#define DOBIG4 c ^= *++buf4; \
++#define DOBIG4 c ^= *buf4++; \
+ c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+ crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+ }
+ 
+ buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
+-buf4--;
+ while (len >= 32) {
+ DOBIG32;
+ len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+ DOBIG4;
+ len -= 4;
+ }
+-buf4++;
+ buf = (const unsigned char FAR *)buf4;
+ 
+ if (len) do {
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb 
b/meta/recipes-core/zlib/zlib_1.2.8.bb
index eb38589b6a..338d0f9573 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -13,6 +13,7 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://CVE-2016-9840.patch \
file://CVE-2016-9841.patch \
file://CVE-2016-9842.patch \
+   file://CVE-2016-9843.patch \
file://run-ptest \
"
 
-- 
2.15.0



[OE-core] [morty][PATCH 1/4] zlib: Fix CVE-2016-9840

2017-11-14 Thread George McCollister
Add backported patch to fix CVE-2016-9840 which was fixed in zlib 1.2.9

https://nvd.nist.gov/vuln/detail/CVE-2016-9840

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 .../zlib/zlib-1.2.8/CVE-2016-9840.patch| 77 ++
 meta/recipes-core/zlib/zlib_1.2.8.bb   |  1 +
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch 
b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
new file mode 100644
index 00..4f0d2c6975
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
@@ -0,0 +1,77 @@
+commit 6a043145ca6e9c55184013841a67b2fef87e44c0
+Author: Mark Adler <mad...@alumni.caltech.edu>
+Date:   Wed Sep 21 23:35:50 2016 -0700
+
+Remove offset pointer optimization in inftrees.c.
+
+inftrees.c was subtracting an offset from a pointer to an array,
+in order to provide a pointer that allowed indexing starting at
+the offset. This is not compliant with the C standard, for which
+the behavior of a pointer decremented before its allocated memory
+is undefined. Per the recommendation of a security audit of the
+zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this tiny optimization was removed, in order
+to avoid the possibility of undefined behavior.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
+
+CVE: CVE-2016-9840
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+
+diff --git a/inftrees.c b/inftrees.c
+index 22fcd66..0d2670d 100644
+--- a/inftrees.c
 b/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+ code FAR *next; /* next available space in table */
+ const unsigned short FAR *base; /* base value table to use */
+ const unsigned short FAR *extra;/* extra bits table to use */
+-int end;/* use base and extra for symbol > end */
++unsigned match; /* use base and extra for symbol >= match */
+ unsigned short count[MAXBITS+1];/* number of codes of each length */
+ unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
+ static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+ switch (type) {
+ case CODES:
+ base = extra = work;/* dummy value--not used */
+-end = 19;
++match = 20;
+ break;
+ case LENS:
+ base = lbase;
+-base -= 257;
+ extra = lext;
+-extra -= 257;
+-end = 256;
++match = 257;
+ break;
+ default:/* DISTS */
+ base = dbase;
+ extra = dext;
+-end = -1;
++match = 0;
+ }
+ 
+ /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+ for (;;) {
+ /* create table entry */
+ here.bits = (unsigned char)(len - drop);
+-if ((int)(work[sym]) < end) {
++if (work[sym] + 1 < match) {
+ here.op = (unsigned char)0;
+ here.val = work[sym];
+ }
+-else if ((int)(work[sym]) > end) {
+-here.op = (unsigned char)(extra[work[sym]]);
+-here.val = base[work[sym]];
++else if (work[sym] >= match) {
++here.op = (unsigned char)(extra[work[sym] - match]);
++here.val = base[work[sym] - match];
+ }
+ else {
+ here.op = (unsigned char)(32 + 64); /* end of block */
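Review bot: `if (work[sym] + 1 < match)` compares an `int` (the promoted `unsigned short` plus 1) with the new `unsigned match`, and the `+ 1` is what singles out symbol `match - 1` as the end-of-block code; neither is explained. For the DISTS case `match = 0`, so the first test is never true and `work[sym] >= match` is always true, which reproduces the old `end = -1` behaviour, but a reader has to work that out. Suggest a comment on the comparison, or on the `match` declaration, spelling out the three ranges.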
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb 
b/meta/recipes-core/zlib/zlib_1.2.8.bb
index 913c7033d4..b6a4c687ca 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -10,6 +10,7 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://remove.ldconfig.call.patch \
file://Makefile-runtests.patch \
file://ldflags-tests.patch \
+   file://CVE-2016-9840.patch \
file://run-ptest \
"
 
-- 
2.15.0



[OE-core] [PATCH v2 1/2] shadow: fix CVE-2017-2616

2017-11-14 Thread George McCollister
Apply backported patch that fixes CVE-2017-2616
Sending SIGKILL to other processes with root privileges via su

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---

Changes in v2:
 - Add SOB to patch file.

 .../files/0001-su-properly-clear-child-PID.patch   | 72 ++
 meta/recipes-extended/shadow/shadow.inc|  1 +
 2 files changed, 73 insertions(+)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch

diff --git 
a/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch 
b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch
new file mode 100644
index 00..9fefd9e599
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch
@@ -0,0 +1,72 @@
+From 3ed6ba2105c7a35d6dc7e8b805202d0235df1fb1 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+
+Upstream-Status: Backport
+https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch?h=jessie
+https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
+
+CVE: CVE-2017-2616
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ src/su.c | 19 +--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..1efcd61 100644
+--- a/src/su.c
 b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
+   /* wake child when resumed */
+   kill (pid, SIGCONT);
+   stop = false;
++  } else {
++  pid_child = 0;
+   }
+   } while (!stop);
+   }
+ 
+-  if (0 != caught) {
++  if (0 != caught && 0 != pid_child) {
+   (void) fputs ("\n", stderr);
+   (void) fputs (_("Session terminated, terminating shell..."),
+ stderr);
+   (void) kill (-pid_child, caught);
+ 
+   (void) signal (SIGALRM, kill_child);
++  (void) signal (SIGCHLD, catch_signals);
+   (void) alarm (2);
+ 
+-  (void) wait ();
++  sigemptyset ();
++  if ((sigaddset (, SIGALRM) != 0)
++  || (sigprocmask (SIG_BLOCK, , NULL) != 0)) {
++  fprintf (stderr, _("%s: signal masking malfunction\n"), 
Prog);
++  kill_child (0);
++  } else {
++  while (0 == waitpid (pid_child, , WNOHANG)) {
++  sigsuspend ();
++  }
++  pid_child = 0;
++  (void) sigprocmask (SIG_UNBLOCK, , NULL);
++  }
++
+   (void) fputs (_(" ...terminated.\n"), stderr);
+   }
+ 
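Review bot: the added `} else { pid_child = 0; }` branch is the heart of the fix, together with the new `0 != pid_child` guard on `kill (-pid_child, caught)`, yet neither carries a comment. Suggest a one-line comment saying the child has exited at that point, so its PID must not be signalled again. Also, as the hunk appears in this mail, `sigemptyset ()`, `sigaddset (, SIGALRM)` and `waitpid (pid_child, , WNOHANG)` have no pointer arguments; please check that the patch file added to the tree is intact.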
+-- 
+2.15.0
+
diff --git a/meta/recipes-extended/shadow/shadow.inc 
b/meta/recipes-extended/shadow/shadow.inc
index cc189649b2..031e880630 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -17,6 +17,7 @@ SRC_URI = 
"http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
+   file://0001-su-properly-clear-child-PID.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', 
d)} \
"
 
-- 
2.15.0



[OE-core] [PATCH v2 2/2] shadow: fix CVE-2016-6252

2017-11-14 Thread George McCollister
Apply backported patch that fixes CVE-2016-6252
Integer overflow in shadow 4.2.1 allows local users to gain privileges
via crafted input to newuidmap.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---

Changes in v2:
 - Add SOB to patch file.

 .../shadow/files/0001-Simplify-getulong.patch  | 54 ++
 meta/recipes-extended/shadow/shadow.inc|  1 +
 2 files changed, 55 insertions(+)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch

diff --git a/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch 
b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
new file mode 100644
index 00..8a41fb1dd6
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
@@ -0,0 +1,54 @@
+From 70723e568159f3130b6076463f0bf978763e3369 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krah...@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+
+Upstream-Status: Backport
+https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch?h=jessie
+https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1
+
+CVE: CVE-2016-6252
+
+Signed-off-by: George McCollister <george.mccollis...@gmail.com>
+---
+ lib/getulong.c | 9 +++--
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
 b/lib/getulong.c
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-  long long int val;
++  unsigned long int val;
+   char *endptr;
+ 
+   errno = 0;
+-  val = strtoll (numstr, , 0);
++  val = strtoul (numstr, , 0);
+   if (('\0' == *numstr)
+|| ('\0' != *endptr)
+|| (ERANGE == errno)
+-   /*@+ignoresigns@*/
+-   || (val != (unsigned long int)val)
+-   /*@=ignoresigns@*/
+  ) {
+   return 0;
+   }
+ 
+-  *result = (unsigned long int)val;
++  *result = val;
+   return 1;
+ }
+ 
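Review bot: `strtoul` accepts a leading minus sign and returns the negated value as an `unsigned long` without setting `ERANGE`, so with this change `getulong ("-1", ...)` succeeds and stores ULONG_MAX. The three checks kept in the `if` (`'\0' == *numstr`, `'\0' != *endptr`, `ERANGE == errno`) do not catch that. If callers such as newuidmap are meant to reject negative input, add an explicit test for a `-` in `numstr` before the conversion.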
+-- 
+2.15.0
+
diff --git a/meta/recipes-extended/shadow/shadow.inc 
b/meta/recipes-extended/shadow/shadow.inc
index 031e880630..9fb1cd3d17 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -18,6 +18,7 @@ SRC_URI = 
"http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
file://0001-su-properly-clear-child-PID.patch \
+   file://0001-Simplify-getulong.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', 
d)} \
"
 
-- 
2.15.0



[OE-core] [PATCH 2/2] shadow: fix CVE-2016-6252

2017-11-13 Thread George McCollister
Apply backported patch that fixes CVE-2016-6252
Integer overflow in shadow 4.2.1 allows local users to gain privileges
via crafted input to newuidmap.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 .../shadow/files/0001-Simplify-getulong.patch  | 52 ++
 meta/recipes-extended/shadow/shadow.inc|  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch

diff --git a/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch 
b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
new file mode 100644
index 00..1d69e2fee4
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Simplify-getulong.patch
@@ -0,0 +1,52 @@
+From 1ea1133aa22c691684dc9921c53313ff1b3b825b Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krah...@suse.com>
+Date: Wed, 3 Aug 2016 11:51:07 -0500
+Subject: [PATCH] Simplify getulong
+
+Use strtoul to read an unsigned long, rather than reading
+a signed long long and casting it.
+
+https://bugzilla.suse.com/show_bug.cgi?id=979282
+
+Upstream-Status: Backport
+https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/302-CVE-2016-6252-fix-integer-overflow.patch?h=jessie
+https://github.com/shadow-maint/shadow/commit/1d5a926cc2d6078d23a96222b1ef3e558724dad1
+
+CVE: CVE-2016-6252
+---
+ lib/getulong.c | 9 +++--
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/lib/getulong.c b/lib/getulong.c
+index 61579ca..08d2c1a 100644
+--- a/lib/getulong.c
 b/lib/getulong.c
+@@ -44,22 +44,19 @@
+  */
+ int getulong (const char *numstr, /*@out@*/unsigned long int *result)
+ {
+-  long long int val;
++  unsigned long int val;
+   char *endptr;
+ 
+   errno = 0;
+-  val = strtoll (numstr, , 0);
++  val = strtoul (numstr, , 0);
+   if (('\0' == *numstr)
+|| ('\0' != *endptr)
+|| (ERANGE == errno)
+-   /*@+ignoresigns@*/
+-   || (val != (unsigned long int)val)
+-   /*@=ignoresigns@*/
+  ) {
+   return 0;
+   }
+ 
+-  *result = (unsigned long int)val;
++  *result = val;
+   return 1;
+ }
+ 
+-- 
+2.15.0
+
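Review bot: `strtoul` in the new `getulong` accepts a leading minus sign and returns the negated value as an unsigned long without setting `ERANGE`, so an input such as "-1" gets past all three remaining checks and stores `ULONG_MAX` in `*result`. Since the CVE description names crafted input to newuidmap, either reject a leading `-` (and leading whitespace) before the call or confirm that every caller range-checks the result. As rendered here the call reads `strtoul (numstr, , 0)` and the `b/lib/getulong.c` header line has lost its `+++`; check the committed file against the upstream commit it cites.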
diff --git a/meta/recipes-extended/shadow/shadow.inc 
b/meta/recipes-extended/shadow/shadow.inc
index 031e880630..9fb1cd3d17 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -18,6 +18,7 @@ SRC_URI = 
"http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
file://0001-su-properly-clear-child-PID.patch \
+   file://0001-Simplify-getulong.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', 
d)} \
"
 
-- 
2.15.0



[OE-core] [PATCH 1/2] shadow: fix CVE-2017-2616

2017-11-13 Thread George McCollister
Apply backported patch that fixes CVE-2017-2616
Sending SIGKILL to other processes with root privileges via su

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 .../files/0001-su-properly-clear-child-PID.patch   | 70 ++
 meta/recipes-extended/shadow/shadow.inc|  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch

diff --git 
a/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch 
b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch
new file mode 100644
index 00..205a7af054
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-su-properly-clear-child-PID.patch
@@ -0,0 +1,70 @@
+From 26d94ff403df048fe4438a97959793610d6e7ea8 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tob...@stoeckmann.org>
+Date: Thu, 23 Feb 2017 09:47:29 -0600
+Subject: [PATCH] su: properly clear child PID
+
+If su is compiled with PAM support, it is possible for any local user
+to send SIGKILL to other processes with root privileges. There are
+only two conditions. First, the user must be able to perform su with
+a successful login. This does NOT have to be the root user, even using
+su with the same id is enough, e.g. "su $(whoami)". Second, SIGKILL
+can only be sent to processes which were executed after the su process.
+It is not possible to send SIGKILL to processes which were already
+running. I consider this as a security vulnerability, because I was
+able to write a proof of concept which unlocked a screen saver of
+another user this way.
+
+Upstream-Status: Backport
+https://anonscm.debian.org/cgit/pkg-shadow/shadow.git/plain/debian/patches/301-CVE-2017-2616-su-properly-clear-child-PID.patch?h=jessie
+https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686
+
+CVE: CVE-2017-2616
+---
+ src/su.c | 19 +--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/su.c b/src/su.c
+index 3704217..1efcd61 100644
+--- a/src/su.c
 b/src/su.c
+@@ -363,20 +363,35 @@ static void prepare_pam_close_session (void)
+   /* wake child when resumed */
+   kill (pid, SIGCONT);
+   stop = false;
++  } else {
++  pid_child = 0;
+   }
+   } while (!stop);
+   }
+ 
+-  if (0 != caught) {
++  if (0 != caught && 0 != pid_child) {
+   (void) fputs ("\n", stderr);
+   (void) fputs (_("Session terminated, terminating shell..."),
+ stderr);
+   (void) kill (-pid_child, caught);
+ 
+   (void) signal (SIGALRM, kill_child);
++  (void) signal (SIGCHLD, catch_signals);
+   (void) alarm (2);
+ 
+-  (void) wait ();
++  sigemptyset ();
++  if ((sigaddset (, SIGALRM) != 0)
++  || (sigprocmask (SIG_BLOCK, , NULL) != 0)) {
++  fprintf (stderr, _("%s: signal masking malfunction\n"), 
Prog);
++  kill_child (0);
++  } else {
++  while (0 == waitpid (pid_child, , WNOHANG)) {
++  sigsuspend ();
++  }
++  pid_child = 0;
++  (void) sigprocmask (SIG_UNBLOCK, , NULL);
++  }
++
+   (void) fputs (_(" ...terminated.\n"), stderr);
+   }
+ 
+-- 
+2.15.0
+
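Review bot: the patch header at the top of this new file says the issue exists only when su is compiled with PAM support, but the OE commit message does not say so. State it there, and mention whether builds without `pam` in `PACKAGECONFIG` are affected, so people triaging CVE-2017-2616 on older branches can tell. As rendered here `sigemptyset ()`, `sigaddset (, SIGALRM)` and `waitpid (pid_child, , WNOHANG)` have empty arguments and the `b/src/su.c` header line has lost its `+++`; check the committed file against the upstream commit it cites.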
diff --git a/meta/recipes-extended/shadow/shadow.inc 
b/meta/recipes-extended/shadow/shadow.inc
index cc189649b2..031e880630 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -17,6 +17,7 @@ SRC_URI = 
"http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
+   file://0001-su-properly-clear-child-PID.patch \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', 
d)} \
"
 
-- 
2.15.0



[OE-core] [morty][PATCH v2 1/3] python-3.5-manifest: Add imp to importlib

2017-02-13 Thread George McCollister
The imp python module is the forerunner of importlib. Include imp in
the importlib subpackage instead of the misc subpackage so that it can
be depended on without bringing in a bunch of unrelated, unused modules.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python-3.5-manifest.inc 
b/meta/recipes-devtools/python/python-3.5-manifest.inc
index 3046114..6c690db 100644
--- a/meta/recipes-devtools/python/python-3.5-manifest.inc
+++ b/meta/recipes-devtools/python/python-3.5-manifest.inc
@@ -115,7 +115,7 @@ FILES_${PN}-image="${libdir}/python3.5/colorsys.* 
${libdir}/python3.5/imghdr.* $
 
 SUMMARY_${PN}-importlib="Python import implementation library"
 RDEPENDS_${PN}-importlib="${PN}-core ${PN}-lang"
-FILES_${PN}-importlib="${libdir}/python3.5/importlib "
+FILES_${PN}-importlib="${libdir}/python3.5/importlib ${libdir}/python3.5/imp.* 
"
 
 SUMMARY_${PN}-io="Python low-level I/O"
 RDEPENDS_${PN}-io="${PN}-core ${PN}-math"
-- 
2.8.0



[OE-core] [morty][PATCH v2 2/3] gdb-cross-canadian: Depend on nativesdk-python3-importlib

2017-02-13 Thread George McCollister
Add missing dependency on nativesdk-python3-importlib so the imp Python
module is installed.

Before this patch, running gdb from the sdk would give the following
error:

Python Exception  No module named 'imp':

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc 
b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
index e53081d..3ff1989 100644
--- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
+++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
@@ -14,7 +14,8 @@ GDBPROPREFIX = "--program-prefix='${TARGET_PREFIX}'"
 PACKAGECONFIG ??= "python readline"
 PACKAGECONFIG[python] = 
"--with-python=${WORKDIR}/python,--without-python,nativesdk-python3, \
  nativesdk-python3-core nativesdk-python3-lang 
nativesdk-python3-re \
- nativesdk-python3-codecs nativesdk-python3-netclient"
+ nativesdk-python3-codecs nativesdk-python3-netclient \
+ nativesdk-python3-importlib"
 PACKAGECONFIG[readline] = 
"--with-system-readline,--without-system-readline,nativesdk-readline"
 
 SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb"
-- 
2.8.0



[OE-core] [morty][PATCH v2 3/3] python-3-manifest: fix adding imp to importlib

2017-02-13 Thread George McCollister
From: Anders Darander 

Commit: 512334f102a33833d39af53467894315f0715d07
"python-3.5-manifest: Add imp to importlib"

added imp to importlib in the generated manifest, but not in the generator 
script.

Signed-off-by: Anders Darander 
Signed-off-by: Ross Burton 
---
 scripts/contrib/python/generate-manifest-3.5.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/contrib/python/generate-manifest-3.5.py 
b/scripts/contrib/python/generate-manifest-3.5.py
index 2906cc6..71a71f7 100755
--- a/scripts/contrib/python/generate-manifest-3.5.py
+++ b/scripts/contrib/python/generate-manifest-3.5.py
@@ -269,7 +269,7 @@ if __name__ == "__main__":
 "formatter.* htmlentitydefs.* htmllib.* markupbase.* sgmllib.* 
HTMLParser.* " )
 
 m.addPackage( "${PN}-importlib", "Python import implementation library", 
"${PN}-core ${PN}-lang",
-"importlib" )
+"importlib imp.*" )
 
 m.addPackage( "${PN}-gdbm", "Python GNU database support", "${PN}-core",
 "lib-dynload/_gdbm.*.so" )
-- 
2.8.0



[OE-core] [morty][PATCH v2 0/3] Resolve gdb-cross-canadian dependency on imp

2017-02-13 Thread George McCollister
Add imp to python3-importlib. Make gdb-cross-canadian depend on
nativesdk-python3-importlib when python is enabled.

Changed since v1:
Cherry picked patch that changes generate-manifest-3.5.py to add imp to 
importlib

The following changes since commit 55c835c73cc41b6fc809c941c295d62a612e49e0:

  build-appliance-image: Update to morty head revision (2017-02-08 12:00:29 
+)

are available in the git repository at:

  git://github.com/gmccollister/openembedded-core morty-gdb-cross-canadian
  
https://github.com/gmccollister/openembedded-core/tree/morty-gdb-cross-canadian

Anders Darander (1):
  python-3-manifest: fix adding imp to importlib

George McCollister (2):
  python-3.5-manifest: Add imp to importlib
  gdb-cross-canadian: Depend on nativesdk-python3-importlib

 meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++-
 meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +-
 scripts/contrib/python/generate-manifest-3.5.py  | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

-- 
2.8.0



Re: [OE-core] [morty][PATCH 0/2] Resolve gdb-cross-canadian dependency on imp

2017-02-13 Thread George McCollister
On Thu, Feb 9, 2017 at 2:46 AM, Jussi Kukkonen <jussi.kukko...@intel.com> wrote:
> On 8 February 2017 at 22:06, George McCollister
> <george.mccollis...@gmail.com> wrote:
>>
>> Any chance we can get this applied to morty?
>
>
> You should add [morty] tag to subject and CC the maintainer
> (akuster...@gmail.com) to improve chances of this happening. I'm sure Armin
> would also appreciate explicit confirmation that the patches apply to morty
> branch.

[morty] was in the subject but I didn't CC the maintainer. Now I know
who the maintainer is.

>
> Before that some review though (sorry I missed this in Dec) ... it looks
> like the "Add imp to importlib" commit only modified manifest.inc: this is a
> generated file and your changes will be overwritten next time someone runs
> the generator. You should modify
> scripts/contrib/python/generate-manifest-3.5.py and run that to generate the
> new manifest.inc file.

Yes, I messed that up. Someone else fixed it in master here:
http://git.openembedded.org/openembedded-core/commit/scripts/contrib/python/generate-manifest-3.5.py?id=bfe1d948ab034017622110c8365be7026e139fbf

>
> It would be nice if we did not store both the source and the generated files
> in git but that's how it's currently set up...

I'll resend my two patches with the patch that fixes
generate-manifest-3.5.py for morty.

>
> Jussi


Re: [OE-core] [morty][PATCH 0/2] Resolve gdb-cross-canadian dependency on imp

2017-02-08 Thread George McCollister
Any chance we can get this applied to morty?


[OE-core] [master][PATCH 0/2] Resolve gdb-cross-canadian dependency on imp

2016-12-06 Thread George McCollister
Add imp to python3-importlib. Make gdb-cross-canadian depend on
nativesdk-python3-importlib when python is enabled.

The following changes since commit 11063a01d4511b2688ea7ba2d7359e4e07328c66:

  ruby: upgrade to 2.3.1 (2016-11-30 15:47:17 +)

are available in the git repository at:

  git://github.com/gmccollister/openembedded-core master-gdb-cross-canadian
  
https://github.com/gmccollister/openembedded-core/tree/master-gdb-cross-canadian

George McCollister (2):
  python-3.5-manifest: Add imp to importlib
  gdb-cross-canadian: Depend on nativesdk-python3-importlib

 meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++-
 meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

-- 
2.9.3



[OE-core] [master][PATCH 2/2] gdb-cross-canadian: Depend on nativesdk-python3-importlib

2016-12-06 Thread George McCollister
Add missing dependency on nativesdk-python3-importlib so the imp Python
module is installed.

Before this patch, running gdb from the sdk would give the following
error:

Python Exception  No module named 'imp':

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc 
b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
index e53081d..3ff1989 100644
--- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
+++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
@@ -14,7 +14,8 @@ GDBPROPREFIX = "--program-prefix='${TARGET_PREFIX}'"
 PACKAGECONFIG ??= "python readline"
 PACKAGECONFIG[python] = 
"--with-python=${WORKDIR}/python,--without-python,nativesdk-python3, \
  nativesdk-python3-core nativesdk-python3-lang 
nativesdk-python3-re \
- nativesdk-python3-codecs nativesdk-python3-netclient"
+ nativesdk-python3-codecs nativesdk-python3-netclient \
+ nativesdk-python3-importlib"
 PACKAGECONFIG[readline] = 
"--with-system-readline,--without-system-readline,nativesdk-readline"
 
 SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb"
-- 
2.9.3



[OE-core] [master][PATCH 1/2] python-3.5-manifest: Add imp to importlib

2016-12-06 Thread George McCollister
The imp python module is the forerunner of importlib. Include imp in
the importlib subpackage instead of the misc subpackage so that it can
be depended on without bringing in a bunch of unrelated, unused modules.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python-3.5-manifest.inc 
b/meta/recipes-devtools/python/python-3.5-manifest.inc
index 851f12e..7fcd871 100644
--- a/meta/recipes-devtools/python/python-3.5-manifest.inc
+++ b/meta/recipes-devtools/python/python-3.5-manifest.inc
@@ -115,7 +115,7 @@ FILES_${PN}-image="${libdir}/python3.5/colorsys.* 
${libdir}/python3.5/__pycache_
 
 SUMMARY_${PN}-importlib="Python import implementation library"
 RDEPENDS_${PN}-importlib="${PN}-core ${PN}-lang"
-FILES_${PN}-importlib="${libdir}/python3.5/importlib 
${libdir}/python3.5/importlib/__pycache__ "
+FILES_${PN}-importlib="${libdir}/python3.5/importlib 
${libdir}/python3.5/importlib/__pycache__ ${libdir}/python3.5/imp.* 
${libdir}/python3.5/__pycache__/imp.* "
 
 SUMMARY_${PN}-io="Python low-level I/O"
 RDEPENDS_${PN}-io="${PN}-core ${PN}-math"
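Review bot: the commit message says imp moves from the misc subpackage to importlib, but this hunk only adds `${libdir}/python3.5/imp.*` and `${libdir}/python3.5/__pycache__/imp.*` to `FILES_${PN}-importlib` and removes nothing from misc. Please confirm that misc is a catch-all that is packaged after importlib, so imp is not claimed by both, and say so in the commit message.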
-- 
2.9.3



[OE-core] [morty][PATCH 2/2] gdb-cross-canadian: Depend on nativesdk-python3-importlib

2016-12-06 Thread George McCollister
Add missing dependency on nativesdk-python3-importlib so the imp Python
module is installed.

Before this patch, running gdb from the sdk would give the following
error:

Python Exception  No module named 'imp':

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc 
b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
index e53081d..3ff1989 100644
--- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
+++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
@@ -14,7 +14,8 @@ GDBPROPREFIX = "--program-prefix='${TARGET_PREFIX}'"
 PACKAGECONFIG ??= "python readline"
 PACKAGECONFIG[python] = 
"--with-python=${WORKDIR}/python,--without-python,nativesdk-python3, \
  nativesdk-python3-core nativesdk-python3-lang 
nativesdk-python3-re \
- nativesdk-python3-codecs nativesdk-python3-netclient"
+ nativesdk-python3-codecs nativesdk-python3-netclient \
+ nativesdk-python3-importlib"
 PACKAGECONFIG[readline] = 
"--with-system-readline,--without-system-readline,nativesdk-readline"
 
 SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb"
-- 
2.9.3



[OE-core] [morty][PATCH 1/2] python-3.5-manifest: Add imp to importlib

2016-12-06 Thread George McCollister
The imp python module is the forerunner of importlib. Include imp in
the importlib subpackage instead of the misc subpackage so that it can
be depended on without bringing in a bunch of unrelated, unused modules.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python-3.5-manifest.inc 
b/meta/recipes-devtools/python/python-3.5-manifest.inc
index 3046114..6c690db 100644
--- a/meta/recipes-devtools/python/python-3.5-manifest.inc
+++ b/meta/recipes-devtools/python/python-3.5-manifest.inc
@@ -115,7 +115,7 @@ FILES_${PN}-image="${libdir}/python3.5/colorsys.* 
${libdir}/python3.5/imghdr.* $
 
 SUMMARY_${PN}-importlib="Python import implementation library"
 RDEPENDS_${PN}-importlib="${PN}-core ${PN}-lang"
-FILES_${PN}-importlib="${libdir}/python3.5/importlib "
+FILES_${PN}-importlib="${libdir}/python3.5/importlib ${libdir}/python3.5/imp.* 
"
 
 SUMMARY_${PN}-io="Python low-level I/O"
 RDEPENDS_${PN}-io="${PN}-core ${PN}-math"
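Review bot: python-3.5-manifest.inc is generated output, so the `${libdir}/python3.5/imp.*` entry added to `FILES_${PN}-importlib` here will be lost the next time scripts/contrib/python/generate-manifest-3.5.py is run. Make the same change in the generator, either in this patch or in one that lands together with it.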
-- 
2.9.3



[OE-core] [morty][PATCH 0/2] Resolve gdb-cross-canadian dependency on imp

2016-12-06 Thread George McCollister
Add imp to python3-importlib. Make gdb-cross-canadian depend on
nativesdk-python3-importlib when python is enabled.

The following changes since commit c8d96b10ee3bc2eae0fd269d2564286fd0bc82ed:

  rm_work: Ensure we don't remove sigbasedata files (2016-11-16 10:34:34 +)

are available in the git repository at:

  git://github.com/gmccollister/openembedded-core morty-gdb-cross-canadian
  
https://github.com/gmccollister/openembedded-core/tree/morty-gdb-cross-canadian

George McCollister (2):
  python-3.5-manifest: Add imp to importlib
  gdb-cross-canadian: Depend on nativesdk-python3-importlib

 meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++-
 meta/recipes-devtools/python/python-3.5-manifest.inc | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

-- 
2.9.3



Re: [OE-core] [PATCH] gdb-cross-canadian: Depend on nativesdk-python3-misc

2016-12-05 Thread George McCollister
On Mon, Dec 5, 2016 at 3:21 PM, Burton, Ross <ross.bur...@intel.com> wrote:
>
> On 5 December 2016 at 16:38, George McCollister
> <george.mccollis...@gmail.com> wrote:
>>
>> Add missing dependency on nativesdk-python3-misc so the imp Python
>> module is installed.
>
>
> So imp is the Python-facing API for 'import', and python-misc is a grab-bag
> of random stuff.  Should imp be moved to be in python3-importlib (where its
> replacement already lives) or moved into python3-core?

importlib is the replacement for imp (it's deprecated since version
3.4) so this sounds reasonable to me. Shall I send a patch to add
imp.py to python3-importlib and another to add python3-importlib to
PACKAGECONFIG[python] in gdb-cross-canadian.inc?

-George


[OE-core] [PATCH] gdb-cross-canadian: Depend on nativesdk-python3-misc

2016-12-05 Thread George McCollister
Add missing dependency on nativesdk-python3-misc so the imp Python
module is installed.

Before this patch, running gdb from the sdk would give the following
error:

Python Exception  No module named 'imp':

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-devtools/gdb/gdb-cross-canadian.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc 
b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
index e53081d..844daf2 100644
--- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
+++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
@@ -14,7 +14,8 @@ GDBPROPREFIX = "--program-prefix='${TARGET_PREFIX}'"
 PACKAGECONFIG ??= "python readline"
 PACKAGECONFIG[python] = 
"--with-python=${WORKDIR}/python,--without-python,nativesdk-python3, \
  nativesdk-python3-core nativesdk-python3-lang 
nativesdk-python3-re \
- nativesdk-python3-codecs nativesdk-python3-netclient"
+ nativesdk-python3-codecs nativesdk-python3-netclient \
+ nativesdk-python3-misc"
 PACKAGECONFIG[readline] = 
"--with-system-readline,--without-system-readline,nativesdk-readline"
 
 SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb"
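Review bot: `nativesdk-python3-misc` on the added line pulls a broad set of unrelated modules into the SDK just to provide `imp`. A narrower runtime dependency would be better: package `imp` with python3-importlib (or core) and depend on that package here instead.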
-- 
2.9.3



Re: [OE-core] [PATCH v2 0/5] kernel-fitimage: Add initramfs, x86 support

2016-08-08 Thread George McCollister
On Mon, Aug 8, 2016 at 1:05 PM, Denys Dmytriyenko <de...@denix.org> wrote:
> On Mon, Aug 08, 2016 at 11:37:52AM -0500, George McCollister wrote:
>> Add support for building fitImages that include an initramfs and booting
>> on x86.
>
> I'm in the process of testing this version now.
>
>
> I'm wondering, if bundling everything in a single patchset will delay
> acceptance even further? Case in point - I'm mostly interested in initramfs
> support and it's been in limbo state for several months now. It was a single
> patch back then and there were no major comments or issues with it. Few months
> later, 2 extra patches were added with x86 support. Now recent $B change broke
> few things and we need 2 more patches just to get everything working again...

I'm surprised it wasn't accepted when it was a single patch. At this
point I don't know what's keeping it from being accepted since I
haven't received any feedback. I suspect whoever is maintaining OE
core doesn't have time to look at it.

>
> The reason I'm bringing this up is because I've been working on this area
> recently and would like to contribute back some code (fixes, customizations).
> Since it depends on this patchset, I'm not sure if I should wait for it to get
> accepted or we'll just end up growing the patchset for another iteration...

Your fixes, customizations are welcome; however, I've had this concern
as it has grown. Hopefully we can get some feedback soon as to what's
holding up the acceptance.

>
> --
> Denys
>
>
>> * V2
>>  - Include Andrew Bradford's cd to $B patch since it is now required for
>>do_assemble_fitimage to work
>>  - Fix initramfs support patch to cd to $B in do_assemble_fitimage_initramfs
>>  - Remove ${B} in call to fitimage_emit_section_ramdisk per
>>Denys Dmytriyenko's suggestion
>>  - Add patch to cd to $B in do_concat_dtb()
>>
>> The following changes since commit c4dda05cb9755cb865c1d1bd142196f8a9f45d3d:
>>
>>   Revert "packagegroup-core-x11-base.bb: replace pointercal with 
>> pointercal-xinput" (2016-08-04 20:54:57 +0100)
>>
>> are available in the git repository at:
>>
>>   git://github.com/gmccollister/openembedded-core master-fit
>>   https://github.com/gmccollister/openembedded-core/tree/master-fit
>>
>> Andrew Bradford (1):
>>   kernel-fitimage.bbclass: do_assemble_fitimage(): cd to $B
>>
>> George McCollister (4):
>>   kernel-fitimage: add initramfs support
>>   kernel-fitimage: Add x86 support
>>   uboot-sign: Handle .rom signing the same as .img
>>   uboot-sign: do_concat_dtb(): cd to $B
>>
>>  meta/classes/kernel-fitimage.bbclass | 346 
>> +--
>>  meta/classes/uboot-sign.bbclass  |   4 +-
>>  2 files changed, 249 insertions(+), 101 deletions(-)
>>
>> --
>> 2.8.0
>>
>> --
>> ___
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH v2 4/5] uboot-sign: Handle .rom signing the same as .img

2016-08-08 Thread George McCollister
Handle u-boot.rom signing (U-Boot as x86 BIOS replacement) the same way
that u-boot.img signing is handled.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/uboot-sign.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index 57d4903..d56ad8e 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -64,7 +64,8 @@ do_concat_dtb () {
# Concatenate U-Boot w/o DTB & DTB with public key
# (cf. kernel-fitimage.bbclass for more details)
if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
-   if [ "x${UBOOT_SUFFIX}" = "ximg" -a -e 
"${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
+   if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" 
] && \
+   [ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
oe_runmake EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE}
install ${S}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
install ${S}/${UBOOT_BINARY} 
${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE}
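Review bot: the new condition relies on `-o` inside a single `[ ]`, which POSIX marks obsolescent; a `case "${UBOOT_SUFFIX}" in img|rom)` or two `[ ]` tests joined with `||` inside braces is easier to read and extend. Because this branch decides whether the DTB carrying the public key is built into the image, and if there is no `else` below the lines shown, add one that warns or fails when `UBOOT_SIGN_ENABLE` is 1 but the suffix or DTB test does not match, so a build cannot quietly ship an image without the key.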
-- 
2.8.0



[OE-core] [PATCH v3 2/5] kernel-fitimage: add initramfs support

2016-08-08 Thread George McCollister
If INITRAMFS_IMAGE is set, build an additional fitImage containing the
initramfs. Copy the additional fitImage and the source (*.its) file, used
to create it to DEPLOYDIR. The fitImage containing the initramfs must be
built before do_deploy and after do_install to avoid circular dependencies.

UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the
   initramfs.
UBOOT_RD_ENTRYPOINT  - Specifies the entry point used by u-boot for the
   initramfs.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/kernel-fitimage.bbclass | 285 +++
 1 file changed, 189 insertions(+), 96 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass 
b/meta/classes/kernel-fitimage.bbclass
index 7cca180..f05d8a5 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -16,7 +16,7 @@ python __anonymous () {
 
 image = d.getVar('INITRAMFS_IMAGE', True)
 if image:
-d.appendVarFlag('do_assemble_fitimage', 'depends', ' 
${INITRAMFS_IMAGE}:do_image_complete')
+d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' 
${INITRAMFS_IMAGE}:do_image_complete')
 
 # Verified boot will sign the fitImage and append the public key to
 # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling
@@ -32,8 +32,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= ""
 #
 # Emit the fitImage ITS header
 #
+# $1 ... .its filename
 fitimage_emit_fit_header() {
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 /dts-v1/;
 
 / {
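Review bot: `cat << EOF >> ${1}` appends to an unquoted path. Quote it as `"${1}"` here and in the other emit helpers, and make sure the caller removes any existing .its file before the first call, since every helper appends with `>>` and a file left over from an earlier run would yield a duplicated tree.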
@@ -45,32 +46,33 @@ EOF
 #
 # Emit the fitImage section bits
 #
-# $1 ... Section bit type: imagestart - image section start
+# $1 ... .its filename
+# $2 ... Section bit type: imagestart - image section start
 #  confstart  - configuration section start
 #  sectend- section end
 #  fitend - fitimage end
 #
 fitimage_emit_section_maint() {
-   case $1 in
+   case $2 in
imagestart)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 
 images {
 EOF
;;
confstart)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 
 configurations {
 EOF
;;
sectend)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
};
 EOF
;;
fitend)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 };
 EOF
;;
@@ -80,9 +82,10 @@ EOF
 #
 # Emit the fitImage ITS kernel section
 #
-# $1 ... Image counter
-# $2 ... Path to kernel image
-# $3 ... Compression type
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to kernel image
+# $4 ... Compression type
 fitimage_emit_section_kernel() {
 
kernel_csum="sha1"
@@ -90,17 +93,17 @@ fitimage_emit_section_kernel() {
ENTRYPOINT=${UBOOT_ENTRYPOINT}
if test -n "${UBOOT_ENTRYSYMBOL}"; then
ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \
-   awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'`
+   awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'`
fi
 
-   cat << EOF >> fit-image.its
-kernel@${1} {
+   cat << EOF >> ${1}
+kernel@${2} {
 description = "Linux kernel";
-data = /incbin/("${2}");
+data = /incbin/("${3}");
 type = "kernel";
 arch = "${UBOOT_ARCH}";
 os = "linux";
-compression = "${3}";
+compression = "${4}";
 load = <${UBOOT_LOADADDRESS}>;
 entry = <${ENTRYPOINT}>;
 hash@1 {
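Review bot: the awk program on the `ENTRYPOINT=` line was renumbered along with the shell positional parameters, but `$3` and `$1` inside the single quotes are awk fields of the `nm` output, not function arguments. With `awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'` the comparison is made against a fourth column that `nm` does not print in its default address/type/name format, so `ENTRYPOINT` ends up empty whenever `UBOOT_ENTRYSYMBOL` is set. Keep the original `$3` and `$1` there.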
@@ -113,16 +116,17 @@ EOF
 #
 # Emit the fitImage ITS DTB section
 #
-# $1 ... Image counter
-# $2 ... Path to DTB image
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to DTB image
 fitimage_emit_section_dtb() {
 
dtb_csum="sha1"
 
-   cat << EOF >> fit-image.its
-fdt@${1} {
+   cat << EOF >> ${1}
+fdt@${2} {
 description = "Flattened Device Tree blob";
-data = /incbin/("${2}");
+data = /incbin/("${3}");
 type = "flat_dt";
 arch = "${UBOOT_ARCH}";
 compression = "none";

[OE-core] [PATCH v2 0/5] kernel-fitimage: Add initramfs, x86 support

2016-08-08 Thread George McCollister
Add support for building fitImages that include an initramfs and booting
on x86.

* V2
 - Include Andrew Bradford's cd to $B patch since it is now required for
   do_assemble_fitimage to work
 - Fix initramfs support patch to cd to $B in do_assemble_fitimage_initramfs
 - Remove ${B} in call to fitimage_emit_section_ramdisk per
   Denys Dmytriyenko's suggestion
 - Add patch to cd to $B in do_concat_dtb()

The following changes since commit c4dda05cb9755cb865c1d1bd142196f8a9f45d3d:

  Revert "packagegroup-core-x11-base.bb: replace pointercal with 
pointercal-xinput" (2016-08-04 20:54:57 +0100)

are available in the git repository at:

  git://github.com/gmccollister/openembedded-core master-fit
  https://github.com/gmccollister/openembedded-core/tree/master-fit

Andrew Bradford (1):
  kernel-fitimage.bbclass: do_assemble_fitimage(): cd to $B

George McCollister (4):
  kernel-fitimage: add initramfs support
  kernel-fitimage: Add x86 support
  uboot-sign: Handle .rom signing the same as .img
  uboot-sign: do_concat_dtb(): cd to $B

 meta/classes/kernel-fitimage.bbclass | 346 +--
 meta/classes/uboot-sign.bbclass  |   4 +-
 2 files changed, 249 insertions(+), 101 deletions(-)

-- 
2.8.0



[OE-core] [PATCH 5/5] uboot-sign: do_concat_dtb(): cd to $B

2016-08-08 Thread George McCollister
Prior to running oe_runmake make sure $B is the cwd. This is required
due to bitbake commit 67a7b8b021badc17d8fdf447c250e79d291e75f7
"build: don't use $B as the default cwd for functions".

Without this change, do_concat_dtb fails with:
| ERROR: oe_runmake failed
| make: *** No targets specified and no makefile found.  Stop.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/uboot-sign.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index d56ad8e..3c56db8 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -66,6 +66,7 @@ do_concat_dtb () {
if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" 
] && \
[ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
+   cd ${B}
oe_runmake EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE}
install ${S}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
install ${S}/${UBOOT_BINARY} 
${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE}
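Review bot: the added `cd ${B}` covers only the .img/.rom branch of do_concat_dtb and is unquoted. Since the commit message ties the failure to bitbake no longer defaulting to $B, declaring the directory once with `do_concat_dtb[dirs] = "${B}"` would make the working directory explicit for the whole function; if the inline form stays, write it as `cd "${B}"`.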
-- 
2.8.0



[OE-core] [PATCH v2 3/5] kernel-fitimage: Add x86 support

2016-08-08 Thread George McCollister
For x86, bzImage must be built instead of zImage.

Include setup.bin (which is required to boot the kernel) in the fitimage
and always use a load/boot address of 0x0009.

For details see:
http://git.denx.de/?p=u-boot.git;a=blob;f=doc/uImage.FIT/x86-fit-boot.txt

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/kernel-fitimage.bbclass | 112 +--
 1 file changed, 82 insertions(+), 30 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass 
b/meta/classes/kernel-fitimage.bbclass
index f05d8a5..8580247 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -7,12 +7,17 @@ python __anonymous () {
 depends = "%s u-boot-mkimage-native dtc-native" % depends
 d.setVar("DEPENDS", depends)
 
+if d.getVar("UBOOT_ARCH", True) == "x86":
+replacementtype = "bzImage"
+else:
+replacementtype = "zImage"
+
# Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
# to kernel.bbclass . We have to override it, since we pack zImage
# (at least for now) into the fitImage .
 typeformake = d.getVar("KERNEL_IMAGETYPE_FOR_MAKE", True) or ""
 if 'fitImage' in typeformake.split():
-d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', 
typeformake.replace('fitImage', 'zImage'))
+d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', 
typeformake.replace('fitImage', replacementtype))
 
 image = d.getVar('INITRAMFS_IMAGE', True)
 if image:
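Review bot: the context comment above the changed `d.setVar` call still says "we pack zImage (at least for now) into the fitImage", which is no longer true once `replacementtype` can be "bzImage". Update the comment to say the packed image type depends on UBOOT_ARCH.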
@@ -138,6 +143,33 @@ EOF
 }
 
 #
+# Emit the fitImage ITS setup section
+#
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to setup image
+fitimage_emit_section_setup() {
+
+   setup_csum="sha1"
+
+   cat << EOF >> ${1}
+setup@${2} {
+description = "Linux setup.bin";
+data = /incbin/("${3}");
+type = "x86_setup";
+arch = "${UBOOT_ARCH}";
+os = "linux";
+compression = "none";
+load = <0x0009>;
+entry = <0x0009>;
+hash@1 {
+algo = "${setup_csum}";
+};
+};
+EOF
+}
+
+#
 # Emit the fitImage ITS ramdisk section
 #
 # $1 ... .its filename
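Review bot: `setup_csum="sha1"` in the new fitimage_emit_section_setup() hard-codes SHA-1 as the hash over setup.bin, copying the per-section pattern of the existing helpers. Since this class also feeds verified boot, consider taking the algorithm from one variable shared by all sections so it can be raised to sha256 in a single place.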
@@ -171,6 +203,7 @@ EOF
 # $2 ... Linux kernel ID
 # $3 ... DTB image ID
 # $4 ... ramdisk ID
+# $5 ... config ID
 fitimage_emit_section_config() {
 
conf_csum="sha1"
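Review bot: the added parameter comment `# $5 ... config ID` does not match how the argument is used; the next hunk emits it as `setup = "setup@${5}";`, so it is the setup image ID. Change the comment to `# $5 ... setup ID`.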
@@ -179,24 +212,25 @@ fitimage_emit_section_config() {
fi
 
# Test if we have any DTBs at all
-   if [ -z "${3}" -a -z "${4}" ] ; then
-   conf_desc="Boot Linux kernel"
-   fdt_line=""
-   ramdisk_line=""
-   elif [ -z "${4}" ]; then
-   conf_desc="Boot Linux kernel with FDT blob"
-   fdt_line="fdt = \"fdt@${3}\";"
-   ramdisk_line=""
-   elif [ -z "${3}" ]; then
-   conf_desc="Boot Linux kernel with ramdisk"
-   fdt_line=""
-   ramdisk_line="ramdisk = \"ramdisk@${4}\";"
-   else
-   conf_desc="Boot Linux kernel with FDT blob, ramdisk"
+   conf_desc="Linux kernel"
+   kernel_line="kernel = \"kernel@${2}\";"
+   fdt_line=""
+   ramdisk_line=""
+
+   if [ -n "${3}" ]; then
+   conf_desc="${conf_desc}, FDT blob"
fdt_line="fdt = \"fdt@${3}\";"
+   fi
+
+   if [ -n "${4}" ]; then
+   conf_desc="${conf_desc}, ramdisk"
ramdisk_line="ramdisk = \"ramdisk@${4}\";"
fi
-   kernel_line="kernel = \"kernel@${2}\";"
+
+   if [ -n "${5}" ]; then
+   conf_desc="${conf_desc}, setup"
+   setup_line="setup = \"setup@${5}\";"
+   fi
 
cat << EOF >> ${1}
 default = "conf@1";
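Review bot: `setup_line` is only assigned inside `if [ -n "${5}" ]`, while `fdt_line` and `ramdisk_line` are reset to "" at the top of the rewritten block. Shell variables are global to the task, so a value left over from an earlier call would be emitted into a configuration that has no setup image; add `setup_line=""` next to the other two initialisations.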
@@ -205,6 +239,7 @@ fitimage_emit_section_config() {
${kernel_line}
${fdt_line}
${ramdisk_line}
+   ${setup_line}
 hash@1 {
 algo = "${conf_csum}";
 };
@@ -212,16 +247,22 @@ EOF
 
if [ ! -z "${conf_sign_keyname}" ] ; then
 
-

[OE-core] [PATCH 1/5] kernel-fitimage.bbclass: do_assemble_fitimage(): cd to $B

2016-08-08 Thread George McCollister
From: Andrew Bradford 

Prior to assembling the fitimage, ensure that $B is the cwd due to
bitbake commit 67a7b8b021badc17d8fdf447c250e79d291e75f7 "build: don't
use $B as the default cwd for functions".

Without this change, do_assemble_fitimage() fails like:

Log data follows:
| DEBUG: Executing shell function do_assemble_fitimage
| arm-ka-linux-gnueabi-objcopy: 'vmlinux': No such file
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_assemble_fitimage

Signed-off-by: Andrew Bradford 
---
 meta/classes/kernel-fitimage.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/kernel-fitimage.bbclass 
b/meta/classes/kernel-fitimage.bbclass
index 9a3caf5..7cca180 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -189,6 +189,7 @@ EOF
 }
 
 do_assemble_fitimage() {
+   cd ${B}
if echo ${KERNEL_IMAGETYPES} | grep -wq "fitImage"; then
kernelcount=1
dtbcount=""
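Review bot: `cd ${B}` at the top of do_assemble_fitimage() is unquoted, so a build directory containing whitespace would be split into several arguments; write `cd "${B}"`. A one-line comment naming the reason (the objcopy on `vmlinux` shown in the commit message log expects to run in the build directory) would keep the line from being dropped later as redundant.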
-- 
2.8.0



Re: [OE-core] [PATCH v2 1/3] kernel-fitimage: add initramfs support

2016-08-08 Thread George McCollister
On Fri, Aug 5, 2016 at 4:25 PM, Denys Dmytriyenko <de...@denix.org> wrote:
> On Mon, Jul 18, 2016 at 12:57:55PM -0500, George McCollister wrote:
>> If INITRAMFS_IMAGE is set, build an additional fitImage containing the
>> initramfs. Copy the additional fitImage and the source (*.its) file, used
>> to create it to DEPLOYDIR. The fitImage containing the initramfs must be
>> built before do_deploy and after do_install to avoid circular dependencies.
>>
>> UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the
>>initramfs.
>> UBOOT_RD_ENTRYPOINT  - Specifies the entry point used by u-boot for the
>>    initramfs.
>>
>> Signed-off-by: George McCollister <george.mccollis...@gmail.com>
>> ---
>>  meta/classes/kernel-fitimage.bbclass | 282 
>> +++
>>  1 file changed, 187 insertions(+), 95 deletions(-)
>>
>> diff --git a/meta/classes/kernel-fitimage.bbclass 
>> b/meta/classes/kernel-fitimage.bbclass
>> index 9a3caf5..ede69e7 100644
>> --- a/meta/classes/kernel-fitimage.bbclass
>> +++ b/meta/classes/kernel-fitimage.bbclass
>> @@ -16,7 +16,7 @@ python __anonymous () {
>>
>
> 
>
>
>> + #
>> + # Step 3: Prepare a ramdisk section.
>> + #
>> + if [ "x${ramdiskcount}" = "x1" ] ; then
>> + copy_initramfs
>> + fitimage_emit_section_ramdisk ${1} "${ramdiskcount}" 
>> ${B}/usr/${INITRAMFS_IMAGE}-${MACHINE}.cpio
>
> May I suggest dropping ${B} here to get the ramdisk path shorter and easier to
> read? It's relative to ${B} anyway - same as all the DTBs...
>
> + fitimage_emit_section_ramdisk ${1} "${ramdiskcount}" 
> usr/${INITRAMFS_IMAGE}-${MACHINE}.cpio

Change made, will be included in the new pull request.
Thanks

>
>> + fi
>>
>
> 
>
> --
> Denys


[OE-core] [PATCH 2/3] kernel-fitimage: Add x86 support

2016-07-18 Thread George McCollister
For x86, bzImage must be built instead of zImage.

Include setup.bin (which is required to boot the kernel) in the fitimage
and always use a load/boot address of 0x0009.

For details see:
http://git.denx.de/?p=u-boot.git;a=blob;f=doc/uImage.FIT/x86-fit-boot.txt

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/kernel-fitimage.bbclass | 112 +--
 1 file changed, 82 insertions(+), 30 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass 
b/meta/classes/kernel-fitimage.bbclass
index ede69e7..d4e3ed8 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -7,12 +7,17 @@ python __anonymous () {
 depends = "%s u-boot-mkimage-native dtc-native" % depends
 d.setVar("DEPENDS", depends)
 
+if d.getVar("UBOOT_ARCH", True) == "x86":
+replacementtype = "bzImage"
+else:
+replacementtype = "zImage"
+
# Override KERNEL_IMAGETYPE_FOR_MAKE variable, which is internal
# to kernel.bbclass . We have to override it, since we pack zImage
# (at least for now) into the fitImage .
 typeformake = d.getVar("KERNEL_IMAGETYPE_FOR_MAKE", True) or ""
 if 'fitImage' in typeformake.split():
-d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', 
typeformake.replace('fitImage', 'zImage'))
+d.setVar('KERNEL_IMAGETYPE_FOR_MAKE', 
typeformake.replace('fitImage', replacementtype))
 
 image = d.getVar('INITRAMFS_IMAGE', True)
 if image:
@@ -138,6 +143,33 @@ EOF
 }
 
 #
+# Emit the fitImage ITS setup section
+#
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to setup image
+fitimage_emit_section_setup() {
+
+   setup_csum="sha1"
+
+   cat << EOF >> ${1}
+setup@${2} {
+description = "Linux setup.bin";
+data = /incbin/("${3}");
+type = "x86_setup";
+arch = "${UBOOT_ARCH}";
+os = "linux";
+compression = "none";
+load = <0x0009>;
+entry = <0x0009>;
+hash@1 {
+algo = "${setup_csum}";
+};
+};
+EOF
+}
+
+#
 # Emit the fitImage ITS ramdisk section
 #
 # $1 ... .its filename
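Review bot: the load and entry addresses in fitimage_emit_section_setup() are written twice as a literal inside the heredoc (`load = <0x0009>;` and `entry = <0x0009>;`). Put the value in one named variable set next to `setup_csum`, with a comment pointing at x86-fit-boot.txt, so the two fields cannot drift apart and the origin of the constant is visible in the class itself.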
@@ -171,6 +203,7 @@ EOF
 # $2 ... Linux kernel ID
 # $3 ... DTB image ID
 # $4 ... ramdisk ID
+# $5 ... config ID
 fitimage_emit_section_config() {
 
conf_csum="sha1"
@@ -179,24 +212,25 @@ fitimage_emit_section_config() {
fi
 
# Test if we have any DTBs at all
-   if [ -z "${3}" -a -z "${4}" ] ; then
-   conf_desc="Boot Linux kernel"
-   fdt_line=""
-   ramdisk_line=""
-   elif [ -z "${4}" ]; then
-   conf_desc="Boot Linux kernel with FDT blob"
-   fdt_line="fdt = \"fdt@${3}\";"
-   ramdisk_line=""
-   elif [ -z "${3}" ]; then
-   conf_desc="Boot Linux kernel with ramdisk"
-   fdt_line=""
-   ramdisk_line="ramdisk = \"ramdisk@${4}\";"
-   else
-   conf_desc="Boot Linux kernel with FDT blob, ramdisk"
+   conf_desc="Linux kernel"
+   kernel_line="kernel = \"kernel@${2}\";"
+   fdt_line=""
+   ramdisk_line=""
+
+   if [ -n "${3}" ]; then
+   conf_desc="${conf_desc}, FDT blob"
fdt_line="fdt = \"fdt@${3}\";"
+   fi
+
+   if [ -n "${4}" ]; then
+   conf_desc="${conf_desc}, ramdisk"
ramdisk_line="ramdisk = \"ramdisk@${4}\";"
fi
-   kernel_line="kernel = \"kernel@${2}\";"
+
+   if [ -n "${5}" ]; then
+   conf_desc="${conf_desc}, setup"
+   setup_line="setup = \"setup@${5}\";"
+   fi
 
cat << EOF >> ${1}
 default = "conf@1";
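Review bot: the context comment `# Test if we have any DTBs at all` left above the rewritten block no longer describes it, since the block now builds the FDT, ramdisk and setup lines independently; update or drop the comment. The description text also changes, for example from "Boot Linux kernel with FDT blob" to "Linux kernel, FDT blob"; mention that in the commit message if it is intended.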
@@ -205,6 +239,7 @@ fitimage_emit_section_config() {
${kernel_line}
${fdt_line}
${ramdisk_line}
+   ${setup_line}
 hash@1 {
 algo = "${conf_csum}";
 };
@@ -212,16 +247,22 @@ EOF
 
if [ ! -z "${conf_sign_keyname}" ] ; then
 
-

[OE-core] [PATCH v2 1/3] kernel-fitimage: add initramfs support

2016-07-18 Thread George McCollister
If INITRAMFS_IMAGE is set, build an additional fitImage containing the
initramfs. Copy the additional fitImage and the source (*.its) file, used
to create it to DEPLOYDIR. The fitImage containing the initramfs must be
built before do_deploy and after do_install to avoid circular dependencies.

UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the
   initramfs.
UBOOT_RD_ENTRYPOINT  - Specifies the entry point used by u-boot for the
   initramfs.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/kernel-fitimage.bbclass | 282 +++
 1 file changed, 187 insertions(+), 95 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass 
b/meta/classes/kernel-fitimage.bbclass
index 9a3caf5..ede69e7 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -16,7 +16,7 @@ python __anonymous () {
 
 image = d.getVar('INITRAMFS_IMAGE', True)
 if image:
-d.appendVarFlag('do_assemble_fitimage', 'depends', ' 
${INITRAMFS_IMAGE}:do_image_complete')
+d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' 
${INITRAMFS_IMAGE}:do_image_complete')
 
 # Verified boot will sign the fitImage and append the public key to
 # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling
@@ -32,8 +32,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= ""
 #
 # Emit the fitImage ITS header
 #
+# $1 ... .its filename
 fitimage_emit_fit_header() {
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 /dts-v1/;
 
 / {
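Review bot: the redirect target in `cat << EOF >> ${1}` is unquoted, here and in the other emit helpers converted by this patch; quote it as `>> "${1}"` so a path containing whitespace is handled the same way by every shell. Because each helper appends, the caller has to remove a stale .its of the same name before the first call, which is worth stating in the `# $1 ... .its filename` comment.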
@@ -45,32 +46,33 @@ EOF
 #
 # Emit the fitImage section bits
 #
-# $1 ... Section bit type: imagestart - image section start
+# $1 ... .its filename
+# $2 ... Section bit type: imagestart - image section start
 #  confstart  - configuration section start
 #  sectend- section end
 #  fitend - fitimage end
 #
 fitimage_emit_section_maint() {
-   case $1 in
+   case $2 in
imagestart)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 
 images {
 EOF
;;
confstart)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 
 configurations {
 EOF
;;
sectend)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
};
 EOF
;;
fitend)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 };
 EOF
;;
@@ -80,9 +82,10 @@ EOF
 #
 # Emit the fitImage ITS kernel section
 #
-# $1 ... Image counter
-# $2 ... Path to kernel image
-# $3 ... Compression type
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to kernel image
+# $4 ... Compression type
 fitimage_emit_section_kernel() {
 
kernel_csum="sha1"
@@ -90,17 +93,17 @@ fitimage_emit_section_kernel() {
ENTRYPOINT=${UBOOT_ENTRYPOINT}
if test -n "${UBOOT_ENTRYSYMBOL}"; then
ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \
-   awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'`
+   awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'`
fi
 
-   cat << EOF >> fit-image.its
-kernel@${1} {
+   cat << EOF >> ${1}
+kernel@${2} {
 description = "Linux kernel";
-data = /incbin/("${2}");
+data = /incbin/("${3}");
 type = "kernel";
 arch = "${UBOOT_ARCH}";
 os = "linux";
-compression = "${3}";
+compression = "${4}";
 load = <${UBOOT_LOADADDRESS}>;
 entry = <${ENTRYPOINT}>;
 hash@1 {
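Review bot: in the UBOOT_ENTRYSYMBOL lookup the awk field numbers were shifted along with the shell parameters (`$3` to `$4`, `$1` to `$2`), but they index columns of the `nm` output, which has only address, type and name. With `$4` the comparison never matches, so ENTRYPOINT is empty whenever UBOOT_ENTRYSYMBOL is set; leave this awk line as it was.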
@@ -113,16 +116,17 @@ EOF
 #
 # Emit the fitImage ITS DTB section
 #
-# $1 ... Image counter
-# $2 ... Path to DTB image
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to DTB image
 fitimage_emit_section_dtb() {
 
dtb_csum="sha1"
 
-   cat << EOF >> fit-image.its
-fdt@${1} {
+   cat << EOF >> ${1}
+fdt@${2} {
 description = "Flattened Device Tree blob";
-data = /incbin/("${2}");
+data = /incbin/("${3}");
 type = "flat_dt";
 arch = "${UBOOT_ARCH}";
 compression = "none";

[OE-core] [PATCH 3/3] uboot-sign: Handle .rom signing the same as .img

2016-07-18 Thread George McCollister
Handle u-boot.rom signing (U-Boot as x86 BIOS replacement) the same way
that u-boot.img signing is handled.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/uboot-sign.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index 57d4903..d56ad8e 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -64,7 +64,8 @@ do_concat_dtb () {
# Concatenate U-Boot w/o DTB & DTB with public key
# (cf. kernel-fitimage.bbclass for more details)
if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
-   if [ "x${UBOOT_SUFFIX}" = "ximg" -a -e 
"${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
+   if [ "x${UBOOT_SUFFIX}" = "ximg" -o "x${UBOOT_SUFFIX}" = "xrom" 
] && \
+   [ -e "${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
oe_runmake EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE}
install ${S}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
install ${S}/${UBOOT_BINARY} 
${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE}
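Review bot: the new condition combines two string tests with `-o` inside a single `[ ]` and then chains a second `[ -e ... ]` with `&&`. The `-a` and `-o` operators of `test` are marked obsolescent by POSIX and their grouping is easy to misread; a `case "${UBOOT_SUFFIX}" in img|rom)` around the `-e` check states the same condition without them.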
-- 
2.8.0



[OE-core] [PATCH 0/3] kernel-fitimage: Add initramfs, x86 support

2016-07-18 Thread George McCollister
Add support for building fitImages that include an initramfs and booting
on x86.

The following changes since commit da7a2c7b00b40a8759dbe9f4ab6df3e337e3d6b6:

  useradd-staticids: use map() instead of imap() (2016-07-12 23:11:57 +0100)

are available in the git repository at:

  git://github.com/gmccollister/openembedded-core master-fit
  https://github.com/gmccollister/openembedded-core/tree/master-fit

George McCollister (3):
  kernel-fitimage: add initramfs support
  kernel-fitimage: Add x86 support
  uboot-sign: Handle .rom signing the same as .img

 meta/classes/kernel-fitimage.bbclass | 344 +--
 meta/classes/uboot-sign.bbclass  |   3 +-
 2 files changed, 246 insertions(+), 101 deletions(-)

-- 
2.8.0



[OE-core] [PATCH] useradd-staticids: use map() instead of imap()

2016-07-12 Thread George McCollister
In Python3 the itertools module's imap function has been migrated to the
global namespace as map(). Calling itertools.imap() will fail because it
no longer exists.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/useradd-staticids.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/useradd-staticids.bbclass 
b/meta/classes/useradd-staticids.bbclass
index b6e498c..149245b 100644
--- a/meta/classes/useradd-staticids.bbclass
+++ b/meta/classes/useradd-staticids.bbclass
@@ -43,7 +43,7 @@ def update_useradd_static_config(d):
 if fields[0] not in id_table:
 id_table[fields[0]] = fields
 else:
-id_table[fields[0]] = list(itertools.imap(lambda 
x, y: x or y, fields, id_table[fields[0]]))
+id_table[fields[0]] = list(map(lambda x, y: x or 
y, fields, id_table[fields[0]]))
 except IOError as e:
 if e.errno == errno.ENOENT:
 pass
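Review bot: with `itertools.imap` gone from the changed line, check whether `import itertools` at the top of update_useradd_static_config() is still used anywhere, and drop it in this patch if not. A comprehension such as `[x or y for x, y in zip(fields, id_table[fields[0]])]` would also read more directly than `list(map(lambda x, y: ...))`.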
-- 
2.8.0



Re: [OE-core] [PATCH 1/1] useradd-staticids.bbclass: Make sure opened files are closed

2016-06-16 Thread George McCollister
On Thu, Jun 9, 2016 at 6:07 PM, Peter Kjellerstedt
 wrote:
> This avoids warnings about unclosed files with Python 3.
>
> Signed-off-by: Peter Kjellerstedt 
> ---
>  meta/classes/useradd-staticids.bbclass | 30 +-
>  1 file changed, 17 insertions(+), 13 deletions(-)
>
> diff --git a/meta/classes/useradd-staticids.bbclass 
> b/meta/classes/useradd-staticids.bbclass
> index a9b506d..440c0e3 100644
> --- a/meta/classes/useradd-staticids.bbclass
> +++ b/meta/classes/useradd-staticids.bbclass
> @@ -4,6 +4,7 @@ def update_useradd_static_config(d):
>  import argparse
>  import itertools
>  import re
> +import errno
>
>  class myArgumentParser( argparse.ArgumentParser ):
>  def _print_message(self, message, file=None):
> @@ -30,19 +31,22 @@ def update_useradd_static_config(d):
>  are set)."""
>  id_table = dict()
>  for conf in file_list.split():
> -if os.path.exists(conf):
> -f = open(conf, "r")
> -for line in f:
> -if line.startswith('#'):
> -continue
> -# Make sure there always are at least exp_fields 
> elements in
> -# the field list. This allows for leaving out trailing
> -# colons in the files.
> -fields = list_extend(line.rstrip().split(":"), 
> exp_fields)
> -if fields[0] not in id_table:
> -id_table[fields[0]] = fields
> -else:
> -id_table[fields[0]] = list(itertools.imap(lambda x, 
> y: x or y, fields, id_table[fields[0]]))
> +try:
> +with open(conf, "r") as f:
> +for line in f:
> +if line.startswith('#'):
> +continue
> +# Make sure there always are at least exp_fields
> +# elements in the field list. This allows for leaving
> +# out trailing colons in the files.
> +fields = list_extend(line.rstrip().split(":"), 
> exp_fields)
> +if fields[0] not in id_table:
> +id_table[fields[0]] = fields
> +else:
> +id_table[fields[0]] = list(itertools.imap(lambda 
> x, y: x or y, fields, id_table[fields[0]]))
This is still broken for me. As far as I can tell itertools.imap
doesn't exist in Python 3.

> +except IOError as e:
> +if e.errno == errno.ENOENT:
> +pass
>
>  return id_table
>
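Review bot: in the new `except IOError as e:` handler, an error other than ENOENT falls through the `if e.errno == errno.ENOENT:` test and is swallowed as well, so an unreadable file (for example EACCES) is skipped silently. Add an `else: raise` so that only the missing-file case is ignored, which is what the removed `os.path.exists(conf)` check did.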
> --
> 2.8.3
>


Re: [OE-core] [PATCH] linux-yocto/4.1: fix musb compilation error

2016-05-27 Thread George McCollister
Yes, I found the issue on krogoth.

-George

On Fri, May 27, 2016 at 11:25 AM, akuster808  wrote:
> does this affect krogoth?
>
> - armin
>
> On 05/27/2016 09:18 AM, Bruce Ashfield wrote:
>> We had a partial musb change merged into the 4.1 tree, which resulted in:
>>
>>   | kernel-source/drivers/usb/musb/musb_dsps.c:
>>   In function 'dsps_create_musb_pdev':
>>   | kernel-source/drivers/usb/musb/musb_dsps.c:750:8:
>>   error: 'struct musb_hdrc_config' has no member named 'maximum_speed'
>>   |   config->maximum_speed = usb_get_maximum_speed(>dev);
>>   | ^~
>>
>> By backporting commit:
>>
>>   9b7537642cb6a [usb: musb: set the controller speed based on the config 
>> setting]
>>
>> We get our missing structure field, and we can once again build musb.
>>
>> [YOCTO: #9680]
>>
>> Signed-off-by: Bruce Ashfield 
>> ---
>>  meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb   |  2 +-
>>  meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb |  2 +-
>>  meta/recipes-kernel/linux/linux-yocto_4.1.bb  | 16 
>>  3 files changed, 10 insertions(+), 10 deletions(-)
>>
>> diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb 
>> b/meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb
>> index 1d4c404ef0ca..24cc0ac07703 100644
>> --- a/meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb
>> +++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.1.bb
>> @@ -11,7 +11,7 @@ python () {
>>  raise bb.parse.SkipPackage("Set PREFERRED_PROVIDER_virtual/kernel 
>> to linux-yocto-rt to enable it")
>>  }
>>
>> -SRCREV_machine ?= "320892013ad33ab41f530ad321939aec07d09d22"
>> +SRCREV_machine ?= "e22280e8c2905d96c7cc5917df202b6ed904d042"
>>  SRCREV_meta ?= "4b4199bd24f206d459061bb0a920d009429d5ed3"
>>
>>  SRC_URI = 
>> "git://git.yoctoproject.org/linux-yocto-4.1.git;branch=${KBRANCH};name=machine
>>  \
>> diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb 
>> b/meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb
>> index 9757c4d02067..bf7d6c5959e1 100644
>> --- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb
>> +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.1.bb
>> @@ -9,7 +9,7 @@ LINUX_VERSION ?= "4.1.24"
>>  KMETA = "kernel-meta"
>>  KCONF_BSP_AUDIT_LEVEL = "2"
>>
>> -SRCREV_machine ?= "ecc983477682203619da0e456fa4a8689ac41097"
>> +SRCREV_machine ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a"
>>  SRCREV_meta ?= "4b4199bd24f206d459061bb0a920d009429d5ed3"
>>
>>  PV = "${LINUX_VERSION}+git${SRCPV}"
>> diff --git a/meta/recipes-kernel/linux/linux-yocto_4.1.bb 
>> b/meta/recipes-kernel/linux/linux-yocto_4.1.bb
>> index e0d288b6e93c..c325bc59c6c8 100644
>> --- a/meta/recipes-kernel/linux/linux-yocto_4.1.bb
>> +++ b/meta/recipes-kernel/linux/linux-yocto_4.1.bb
>> @@ -11,14 +11,14 @@ KBRANCH_qemux86  ?= "standard/base"
>>  KBRANCH_qemux86-64 ?= "standard/base"
>>  KBRANCH_qemumips64 ?= "standard/mti-malta64"
>>
>> -SRCREV_machine_qemuarm ?= "d11c336b38ab0d4e55eb683aca5ca9c6b6cd8b42"
>> -SRCREV_machine_qemuarm64 ?= "ecc983477682203619da0e456fa4a8689ac41097"
>> -SRCREV_machine_qemumips ?= "f8e363f638b283738369155b4a9990b5d0f902a7"
>> -SRCREV_machine_qemuppc ?= "ecc983477682203619da0e456fa4a8689ac41097"
>> -SRCREV_machine_qemux86 ?= "ecc983477682203619da0e456fa4a8689ac41097"
>> -SRCREV_machine_qemux86-64 ?= "ecc983477682203619da0e456fa4a8689ac41097"
>> -SRCREV_machine_qemumips64 ?= "1db47ec6c39071b29f82a040b9b9a81584f50461"
>> -SRCREV_machine ?= "ecc983477682203619da0e456fa4a8689ac41097"
>> +SRCREV_machine_qemuarm ?= "cadb80aa4bcee282f1b0798ef35ad8b96ec44931"
>> +SRCREV_machine_qemuarm64 ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a"
>> +SRCREV_machine_qemumips ?= "737eda6388a529d0937e9d91daa3644b11f322dc"
>> +SRCREV_machine_qemuppc ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a"
>> +SRCREV_machine_qemux86 ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a"
>> +SRCREV_machine_qemux86-64 ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a"
>> +SRCREV_machine_qemumips64 ?= "f276d128428b031521d766bfbfe84f9f9f992930"
>> +SRCREV_machine ?= "403eda4633e9037fb715d0d1e8ae847b2bd0651a"
>>  SRCREV_meta ?= "4b4199bd24f206d459061bb0a920d009429d5ed3"
>>
>>  SRC_URI = 
>> "git://git.yoctoproject.org/linux-yocto-4.1.git;name=machine;branch=${KBRANCH};
>>  \
>>


[OE-core] [PATCH] uboot-sign: rebuild u-boot.img with signed dtb

2016-05-26 Thread George McCollister
u-boot-nodtb.img doesn't exist so if UBOOT_SUFFIX = "img" is used
u-boot.img must be rebuilt by running make with
EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE} then the resulting .img file must
be installed to the deploy directories.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/uboot-sign.bbclass | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/meta/classes/uboot-sign.bbclass b/meta/classes/uboot-sign.bbclass
index 82cec9e..57d4903 100644
--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -63,9 +63,13 @@ do_deploy_dtb () {
 do_concat_dtb () {
# Concatenate U-Boot w/o DTB & DTB with public key
# (cf. kernel-fitimage.bbclass for more details)
-   cd ${DEPLOYDIR}
if [ "x${UBOOT_SIGN_ENABLE}" = "x1" ]; then
-   if [ -e "${UBOOT_NODTB_IMAGE}" -a -e "${UBOOT_DTB_IMAGE}" ]; 
then
+   if [ "x${UBOOT_SUFFIX}" = "ximg" -a -e 
"${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
+   oe_runmake EXT_DTB=${DEPLOYDIR}/${UBOOT_DTB_IMAGE}
+   install ${S}/${UBOOT_BINARY} ${DEPLOYDIR}/${UBOOT_IMAGE}
+   install ${S}/${UBOOT_BINARY} 
${DEPLOY_DIR_IMAGE}/${UBOOT_IMAGE}
+   elif [ -e "${DEPLOYDIR}/${UBOOT_NODTB_IMAGE}" -a -e 
"${DEPLOYDIR}/${UBOOT_DTB_IMAGE}" ]; then
+   cd ${DEPLOYDIR}
cat ${UBOOT_NODTB_IMAGE} ${UBOOT_DTB_IMAGE} | tee 
${B}/${UBOOT_BINARY} > ${UBOOT_IMAGE}
else
bbwarn "Failure while adding public key to u-boot 
binary. Verified boot won't be available."
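Review bot: the new .img branch calls `oe_runmake` after the `cd ${DEPLOYDIR}` at the top of do_concat_dtb was removed, so it depends on the function happening to start in the build directory; set the directory explicitly before the make call. The second added `install` also writes `${UBOOT_BINARY}` straight into `${DEPLOY_DIR_IMAGE}` in addition to `${DEPLOYDIR}`; say in the commit message why the copy outside the task's own deploy directory is needed, or drop it.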
-- 
2.8.0



[OE-core] [PATCH v2] kernel-fitimage: add initramfs support

2016-05-26 Thread George McCollister
If INITRAMFS_IMAGE is set, build an additional fitImage containing the
initramfs. Copy the additional fitImage and the source .its file used to
create it to DEPLOYDIR. The fitImage containing the initramfs must be
built before do_deploy and after do_install to avoid circular dependencies.

UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the
   initramfs.
UBOOT_RD_ENTRYPOINT  - Specifies the entry point used by u-boot for the
   initramfs.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/kernel-fitimage.bbclass | 280 +++
 1 file changed, 185 insertions(+), 95 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass 
b/meta/classes/kernel-fitimage.bbclass
index 298eda2..65e0ee3 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -14,7 +14,7 @@ python __anonymous () {
 
 image = d.getVar('INITRAMFS_IMAGE', True)
 if image:
-d.appendVarFlag('do_assemble_fitimage', 'depends', ' 
${INITRAMFS_IMAGE}:do_image_complete')
+d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' 
${INITRAMFS_IMAGE}:do_image_complete')
 
 # Verified boot will sign the fitImage and append the public key to
 # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling
@@ -30,8 +30,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= ""
 #
 # Emit the fitImage ITS header
 #
+# $1 ... .its filename
 fitimage_emit_fit_header() {
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 /dts-v1/;
 
 / {
@@ -43,32 +44,33 @@ EOF
 #
 # Emit the fitImage section bits
 #
-# $1 ... Section bit type: imagestart - image section start
+# $1 ... .its filename
+# $2 ... Section bit type: imagestart - image section start
 #  confstart  - configuration section start
 #  sectend- section end
 #  fitend - fitimage end
 #
 fitimage_emit_section_maint() {
-   case $1 in
+   case $2 in
imagestart)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 
 images {
 EOF
;;
confstart)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 
 configurations {
 EOF
;;
sectend)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
};
 EOF
;;
fitend)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 };
 EOF
;;
@@ -78,9 +80,10 @@ EOF
 #
 # Emit the fitImage ITS kernel section
 #
-# $1 ... Image counter
-# $2 ... Path to kernel image
-# $3 ... Compression type
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to kernel image
+# $4 ... Compression type
 fitimage_emit_section_kernel() {
 
kernel_csum="sha1"
@@ -88,17 +91,17 @@ fitimage_emit_section_kernel() {
ENTRYPOINT=${UBOOT_ENTRYPOINT}
if test -n "${UBOOT_ENTRYSYMBOL}"; then
ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \
-   awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'`
+   awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'`
fi
 
-   cat << EOF >> fit-image.its
-kernel@${1} {
+   cat << EOF >> ${1}
+kernel@${2} {
 description = "Linux kernel";
-data = /incbin/("${2}");
+data = /incbin/("${3}");
 type = "kernel";
 arch = "${UBOOT_ARCH}";
 os = "linux";
-compression = "${3}";
+compression = "${4}";
 load = <${UBOOT_LOADADDRESS}>;
 entry = <${ENTRYPOINT}>;
 hash@1 {
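Review bot: the change from `awk '$3==... {print $1}'` to `awk '$4==... {print $2}'` looks like a side effect of renumbering the function arguments. Inside the single-quoted awk program these are columns of the `nm` listing (address, type, name), so field 4 does not exist and the lookup returns nothing; revert this one line to `$3` and `$1`.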
@@ -111,16 +114,17 @@ EOF
 #
 # Emit the fitImage ITS DTB section
 #
-# $1 ... Image counter
-# $2 ... Path to DTB image
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to DTB image
 fitimage_emit_section_dtb() {
 
dtb_csum="sha1"
 
-   cat << EOF >> fit-image.its
-fdt@${1} {
+   cat << EOF >> ${1}
+fdt@${2} {
 description = "Flattened Device Tree blob";
-data = /incbin/("${2}");
+data = /incbin/("${3}");
 type = "flat_dt";
 arch = "${UBOOT_ARCH}";
 compression = "none";

Re: [OE-core] [PATCH] kernel-fitimage: add initramfs support

2016-05-26 Thread George McCollister
On Wed, May 25, 2016 at 5:33 PM, Marek Vasut <ma...@denx.de> wrote:
> On 05/25/2016 01:25 AM, George McCollister wrote:
>> If INITRAMFS_IMAGE is set, build an additional fitImage containing the
>> initramfs. Copy the additional fitImage and the source .its file used to
>> create it to DEPLOYDIR. The fitImage containing the initramfs must be
>> built before do_deploy and after do_install to avoid circular dependencies.
>
> Yes, the circular dep is quite nasty.
>
>> UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the
>>initramfs.
>> UBOOT_RD_ENTRYPOINT  - Specifies the entry point used by u-boot for the
>>initramfs.
>>
>> Signed-off-by: George McCollister <george.mccollis...@gmail.com>
>> ---
>>  meta/classes/kernel-fitimage.bbclass | 275 
>> +++
>>  1 file changed, 180 insertions(+), 95 deletions(-)
>>
>> diff --git a/meta/classes/kernel-fitimage.bbclass 
>> b/meta/classes/kernel-fitimage.bbclass
>> index 298eda2..2c2a642 100644
>> --- a/meta/classes/kernel-fitimage.bbclass
>> +++ b/meta/classes/kernel-fitimage.bbclass
>> @@ -14,7 +14,7 @@ python __anonymous () {
>>
>>  image = d.getVar('INITRAMFS_IMAGE', True)
>>  if image:
>> -d.appendVarFlag('do_assemble_fitimage', 'depends', ' 
>> ${INITRAMFS_IMAGE}:do_image_complete')
>> +d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' 
>> ${INITRAMFS_IMAGE}:do_image_complete')
>>
>>  # Verified boot will sign the fitImage and append the public key to
>>  # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling
>> @@ -30,8 +30,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= ""
>>  #
>>  # Emit the fitImage ITS header
>>  #
>> +# $1 ... .its filename
>>  fitimage_emit_fit_header() {
>> - cat << EOF >> fit-image.its
>> + cat << EOF >> ${1}
>>  /dts-v1/;
>>
>>  / {
>> @@ -43,32 +44,33 @@ EOF
>>  #
>>  # Emit the fitImage section bits
>>  #
>> -# $1 ... Section bit type: imagestart - image section start
>> +# $1 ... .its filename
>> +# $2 ... Section bit type: imagestart - image section start
>>  #  confstart  - configuration section start
>>  #  sectend- section end
>>  #  fitend - fitimage end
>>  #
>>  fitimage_emit_section_maint() {
>> - case $1 in
>> + case $2 in
>>   imagestart)
>> - cat << EOF >> fit-image.its
>> + cat << EOF >> ${1}
>>
>>  images {
>>  EOF
>>   ;;
>>   confstart)
>> - cat << EOF >> fit-image.its
>> + cat << EOF >> ${1}
>>
>>  configurations {
>>  EOF
>>   ;;
>>   sectend)
>> - cat << EOF >> fit-image.its
>> + cat << EOF >> ${1}
>>   };
>>  EOF
>>   ;;
>>   fitend)
>> - cat << EOF >> fit-image.its
>> + cat << EOF >> ${1}
>>  };
>>  EOF
>>   ;;
>
> OK
>
>> @@ -78,9 +80,10 @@ EOF
>>  #
>>  # Emit the fitImage ITS kernel section
>>  #
>> -# $1 ... Image counter
>> -# $2 ... Path to kernel image
>> -# $3 ... Compression type
>> +# $1 ... .its filename
>> +# $2 ... Image counter
>> +# $3 ... Path to kernel image
>> +# $4 ... Compression type
>>  fitimage_emit_section_kernel() {
>>
>>   kernel_csum="sha1"
>> @@ -88,17 +91,17 @@ fitimage_emit_section_kernel() {
>>   ENTRYPOINT=${UBOOT_ENTRYPOINT}
>>   if test -n "${UBOOT_ENTRYSYMBOL}"; then
>>   ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \
>> - awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'`
>> + awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'`
>>   fi
>>
>> - cat << EOF >> fit-image.its
>> -kernel@${1} {
>> + cat << EOF >> ${1}
>> +kernel@${2} {
>>  description = "Linux kernel";
>> -data = /incbin/("${2}");
>> +data = /incbin/("${3}");
>>  type = "kernel";

[OE-core] [PATCH] kernel-fitimage: add initramfs support

2016-05-24 Thread George McCollister
If INITRAMFS_IMAGE is set, build an additional fitImage containing the
initramfs. Copy the additional fitImage and the source .its file used to
create it to DEPLOYDIR. The fitImage containing the initramfs must be
built before do_deploy and after do_install to avoid circular dependencies.

UBOOT_RD_LOADADDRESS - Specifies the load address used by u-boot for the
   initramfs.
UBOOT_RD_ENTRYPOINT  - Specifies the entry point used by u-boot for the
   initramfs.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/kernel-fitimage.bbclass | 275 +++
 1 file changed, 180 insertions(+), 95 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass 
b/meta/classes/kernel-fitimage.bbclass
index 298eda2..2c2a642 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -14,7 +14,7 @@ python __anonymous () {
 
 image = d.getVar('INITRAMFS_IMAGE', True)
 if image:
-d.appendVarFlag('do_assemble_fitimage', 'depends', ' 
${INITRAMFS_IMAGE}:do_image_complete')
+d.appendVarFlag('do_assemble_fitimage_initramfs', 'depends', ' 
${INITRAMFS_IMAGE}:do_image_complete')
 
 # Verified boot will sign the fitImage and append the public key to
 # U-boot dtb. We ensure the U-Boot dtb is deployed before assembling
@@ -30,8 +30,9 @@ UBOOT_MKIMAGE_DTCOPTS ??= ""
 #
 # Emit the fitImage ITS header
 #
+# $1 ... .its filename
 fitimage_emit_fit_header() {
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 /dts-v1/;
 
 / {
@@ -43,32 +44,33 @@ EOF
 #
 # Emit the fitImage section bits
 #
-# $1 ... Section bit type: imagestart - image section start
+# $1 ... .its filename
+# $2 ... Section bit type: imagestart - image section start
 #  confstart  - configuration section start
 #  sectend- section end
 #  fitend - fitimage end
 #
 fitimage_emit_section_maint() {
-   case $1 in
+   case $2 in
imagestart)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 
 images {
 EOF
;;
confstart)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 
 configurations {
 EOF
;;
sectend)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
};
 EOF
;;
fitend)
-   cat << EOF >> fit-image.its
+   cat << EOF >> ${1}
 };
 EOF
;;
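Review bot: Because the .its filename is now the first argument, a caller that still uses the old form (fitimage_emit_section_maint imagestart) matches none of the branches of "case $2 in" shown here and emits nothing, without any error. Consider failing early when ${1} or ${2} is empty so a stale call site breaks the task instead of producing an incomplete .its. The redirect target would also be safer quoted, as >> "${1}", so a path containing whitespace is handled.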
@@ -78,9 +80,10 @@ EOF
 #
 # Emit the fitImage ITS kernel section
 #
-# $1 ... Image counter
-# $2 ... Path to kernel image
-# $3 ... Compression type
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to kernel image
+# $4 ... Compression type
 fitimage_emit_section_kernel() {
 
kernel_csum="sha1"
@@ -88,17 +91,17 @@ fitimage_emit_section_kernel() {
ENTRYPOINT=${UBOOT_ENTRYPOINT}
if test -n "${UBOOT_ENTRYSYMBOL}"; then
ENTRYPOINT=`${HOST_PREFIX}nm ${S}/vmlinux | \
-   awk '$3=="${UBOOT_ENTRYSYMBOL}" {print $1}'`
+   awk '$4=="${UBOOT_ENTRYSYMBOL}" {print $2}'`
fi
 
-   cat << EOF >> fit-image.its
-kernel@${1} {
+   cat << EOF >> ${1}
+kernel@${2} {
 description = "Linux kernel";
-data = /incbin/("${2}");
+data = /incbin/("${3}");
 type = "kernel";
 arch = "${UBOOT_ARCH}";
 os = "linux";
-compression = "${3}";
+compression = "${4}";
 load = <${UBOOT_LOADADDRESS}>;
 entry = <${ENTRYPOINT}>;
 hash@1 {
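Review bot: In fitimage_emit_section_kernel the change from awk '$3==... {print $1}' to awk '$4==... {print $2}' is a logic error: inside the single-quoted awk program these are columns of the nm ${S}/vmlinux output, and that output has only three (value, type, name). With $4 the comparison can never be true, so ENTRYPOINT becomes empty for every build that sets UBOOT_ENTRYSYMBOL. Please revert just that line, and consider aborting when the symbol lookup returns nothing rather than writing an empty entry = <> into the .its.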
@@ -111,16 +114,17 @@ EOF
 #
 # Emit the fitImage ITS DTB section
 #
-# $1 ... Image counter
-# $2 ... Path to DTB image
+# $1 ... .its filename
+# $2 ... Image counter
+# $3 ... Path to DTB image
 fitimage_emit_section_dtb() {
 
dtb_csum="sha1"
 
-   cat << EOF >> fit-image.its
-fdt@${1} {
+   cat << EOF >> ${1}
+fdt@${2} {
 description = "Flattened Device Tree blob";
-data = /incbin/("${2}");
+data = /incbin/("${3}");
 type = "flat_dt";
 arch = "${UBOOT_ARCH}";
 compression = "none";
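Review bot: dtb_csum="sha1" in the context of this hunk stays hardcoded while the helper is being generalised to write more than one .its file. Since the surrounding class also handles verified boot, it would be worth making the hash algorithm a variable in a follow-up, with a default stronger than SHA-1 (U-Boot FIT images accept sha256), so every image node emitted by these helpers picks it up in one place.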

[OE-core] [master][krogoth][jethro][PATCH 1/1] wic: fix path parsing, use last occurrence

2016-05-13 Thread George McCollister
If the path contains 'scripts' more than once the first occurrence will be
incorrectly used. Use rfind instead of find to find the last occurrence.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 scripts/lib/wic/plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/wic/plugin.py b/scripts/lib/wic/plugin.py
index ccfdfcb..151ff31 100644
--- a/scripts/lib/wic/plugin.py
+++ b/scripts/lib/wic/plugin.py
@@ -42,7 +42,7 @@ class PluginMgr(object):
 
 def __init__(self):
 wic_path = os.path.dirname(__file__)
-eos = wic_path.find('scripts') + len('scripts')
+eos = wic_path.rfind('scripts') + len('scripts')
 scripts_path = wic_path[:eos]
 self.scripts_path = scripts_path
 self.plugin_dir = scripts_path + PLUGIN_DIR
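Review bot: rfind returns -1 when 'scripts' does not occur in wic_path, so eos becomes 6 and scripts_path silently turns into the first six characters of the path, which then feeds self.plugin_dir. find had the same behaviour, but as this line is being touched it would be good to check the result and raise a clear error when the directory name is not found.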
-- 
2.8.0

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [master][krogoth][jethro][PATCH 0/1] wic: fix path parsing, use last occurrence

2016-05-13 Thread George McCollister
This patch was pushed to fido (35ecb0b8557aae85f377c9d99f1a72cbb76fb6d8)
but was never brought forward.


Re: [OE-core] [RFC][PATCH 2/9] bash-completion: build nativesdk variant

2016-01-22 Thread George McCollister
>
>> On 14 Jan 2016, at 21:56, George McCollister
>> <george.mccollis...@gmail.com> wrote:
>>
>> The nativesdk variant is required for some recipes like git to use the class.
>
> Squash this into 1/9 to avoid mid-series breakage.

Will do.

Thanks,
George


[OE-core] [RFC][PATCH 2/9] bash-completion: build nativesdk variant

2016-01-14 Thread George McCollister
The nativesdk variant is required for some recipes like git to use the class.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-support/bash-completion/bash-completion_2.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/bash-completion/bash-completion_2.1.bb 
b/meta/recipes-support/bash-completion/bash-completion_2.1.bb
index fbe4278..5c39863 100644
--- a/meta/recipes-support/bash-completion/bash-completion_2.1.bb
+++ b/meta/recipes-support/bash-completion/bash-completion_2.1.bb
@@ -37,3 +37,5 @@ RDEPENDS_${PN} = "bash"
 PACKAGES =+ "${PN}-extra"
 FILES_${PN}-extra = "${datadir}/${BPN}/completions/ \
 ${datadir}/${BPN}/helpers/"
+
+BBCLASSEXTEND = "nativesdk"
-- 
2.4.5



[OE-core] [RFC][PATCH 0/9] cleanup packaging of bash completions

2016-01-14 Thread George McCollister
Recipes in OE core and meta-oe (possibly others too) package bash completion
files in a similar but inconsistent manner. This patch series adds a class
bash-completion.bbclass that creates a subpackage containing files installed to
the common bash-completion paths.

Prior to this series some recipes created bash-completion subpackages which had
no RDEPENDS, others with bash-completion and yet others with bash. I decided to
have the class add an RDEPENDS for bash-completion and move bash-completion to
OE-core for this reason. If someone has a different view on what should be done,
please speak up.

I'll be posting an accompanying series to openembedded-devel for meta-oe.



[OE-core] [RFC][PATCH 8/9] kmod: use bash-completion.bbclass

2016-01-14 Thread George McCollister
Use bash-completion.bbclass to package bash completions.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-kernel/kmod/kmod_git.bb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-kernel/kmod/kmod_git.bb 
b/meta/recipes-kernel/kmod/kmod_git.bb
index e0bb95c..69185b2 100644
--- a/meta/recipes-kernel/kmod/kmod_git.bb
+++ b/meta/recipes-kernel/kmod/kmod_git.bb
@@ -39,7 +39,7 @@ do_compile_prepend() {
 sed -i 's/ac_pwd=/#ac_pwd=/' config.status ; sed -i 
"/#ac_pwd=/a\ac_pwd='.'" config.status
 }
 
-inherit update-alternatives
+inherit update-alternatives bash-completion
 
 ALTERNATIVE_PRIORITY = "60"
 
@@ -56,8 +56,7 @@ ALTERNATIVE_TARGET[lsmod] = "${base_bindir}/lsmod.${BPN}"
 
 ALTERNATIVE_LINK_NAME[depmod] = "${base_sbindir}/depmod"
 
-PACKAGES =+ "libkmod ${PN}-bash-completion"
+PACKAGES =+ "libkmod"
 
 FILES_libkmod = "${base_libdir}/libkmod*${SOLIBS} ${libdir}/libkmod*${SOLIBS}"
 FILES_${PN} += "${base_libdir}/depmod.d ${base_libdir}/modprobe.d"
-FILES_${PN}-bash-completion = "${datadir}/bash-completion"
-- 
2.4.5



[OE-core] [RFC][PATCH 7/9] git: use bash-completion.bbclass

2016-01-14 Thread George McCollister
Use bash-completion.bbclass to package bash completions.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-devtools/git/git.inc | 6 +-
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/meta/recipes-devtools/git/git.inc 
b/meta/recipes-devtools/git/git.inc
index d9770e6..c19e0d4 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -17,7 +17,7 @@ EXTRA_OECONF = 
"--with-perl=${STAGING_BINDIR_NATIVE}/perl-native/perl \
--without-tcltk \
 "
 
-inherit autotools-brokensep perlnative
+inherit autotools-brokensep perlnative bash-completion
 
 EXTRA_OEMAKE = "NO_PYTHON=1 CFLAGS='${CFLAGS}' LDFLAGS='${LDFLAGS}'"
 EXTRA_OEMAKE += "'PERL_PATH=/usr/bin/env perl'"
@@ -96,10 +96,6 @@ PERLTOOLS = " \
 ${datadir}/git-core/templates/hooks/pre-rebase.sample \
 "
 
-# Basic tab completion support
-PACKAGES =+ "${PN}-bash-completion"
-FILES_${PN}-bash-completion = "${datadir}/bash-completion/completions/*"
-
 # Git tools requiring perl
 PACKAGES =+ "${PN}-perltools"
 FILES_${PN}-perltools += " \
-- 
2.4.5



[OE-core] [RFC][PATCH 9/9] gstreamer1.0: use bash-completion.bbclass

2016-01-14 Thread George McCollister
Use bash-completion.bbclass to package bash completions.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-multimedia/gstreamer/gstreamer1.0.inc | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0.inc 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0.inc
index c10f66f..5688b5e 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0.inc
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0.inc
@@ -7,7 +7,7 @@ SECTION = "multimedia"
 LICENSE = "LGPLv2+"
 DEPENDS = "glib-2.0 libxml2 bison-native flex-native libcap"
 
-inherit autotools pkgconfig gettext upstream-version-is-even
+inherit autotools pkgconfig gettext upstream-version-is-even bash-completion
 
 PACKAGECONFIG[debug] = "--enable-debug,--disable-debug"
 PACKAGECONFIG[check] = "--enable-check,--disable-check"
@@ -26,6 +26,3 @@ CACHED_CONFIGUREVARS += "ac_cv_header_valgrind_valgrind_h=no"
 
 FILES_${PN} += " ${libdir}/gstreamer-1.0/*.so"
 FILES_${PN}-dev += " ${libdir}/gstreamer-1.0/*.la ${libdir}/gstreamer-1.0/*.a 
${libdir}/gstreamer-1.0/include"
-FILES_${PN}-bash-completion += " ${datadir}/bash-completion/completions/ 
${datadir}/bash-completion/helpers/gst*"
-
-PACKAGES += " ${PN}-bash-completion"
-- 
2.4.5



[OE-core] [RFC][PATCH 3/9] bash-completion.bbclass: add class

2016-01-14 Thread George McCollister
Add bash-completion.bbclass which will package bash completion files in
a subpackage ${PN}-bash-completion. Use of this class will ensure
consistent handling of bash completions across recipes.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/classes/bash-completion.bbclass | 5 +
 1 file changed, 5 insertions(+)
 create mode 100644 meta/classes/bash-completion.bbclass

diff --git a/meta/classes/bash-completion.bbclass 
b/meta/classes/bash-completion.bbclass
new file mode 100644
index 000..74a878e
--- /dev/null
+++ b/meta/classes/bash-completion.bbclass
@@ -0,0 +1,5 @@
+PACKAGES += "${PN}-bash-completion"
+
+FILES_${PN}-bash-completion = "${datadir}/bash-completion 
${sysconfdir}/bash_completion.d"
+
+RDEPENDS_${PN}-bash-completion = "bash-completion"
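Review bot: PACKAGES += "${PN}-bash-completion" appends the subpackage to the end of PACKAGES, and files go to the first package in that list whose FILES matches. If a recipe's FILES_${PN} covers ${sysconfdir}, the main package will claim ${sysconfdir}/bash_completion.d before this subpackage is considered, and ${PN}-bash-completion ends up without those files. Using PACKAGES =+ here would keep the result independent of each inheriting recipe's FILES_${PN}.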
-- 
2.4.5



[OE-core] [RFC][PATCH 4/9] dbus-glib: use bash-completion.bbclass

2016-01-14 Thread George McCollister
Use bash-completion.bbclass to package bash completions.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-core/dbus/dbus-glib.inc | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/dbus/dbus-glib.inc 
b/meta/recipes-core/dbus/dbus-glib.inc
index f8c0ebe..4661e3a 100644
--- a/meta/recipes-core/dbus/dbus-glib.inc
+++ b/meta/recipes-core/dbus/dbus-glib.inc
@@ -15,7 +15,7 @@ SRC_URI = 
"http://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-${PV}.tar.gz
file://test-install-makefile.patch \
 "
 
-inherit autotools pkgconfig gettext
+inherit autotools pkgconfig gettext bash-completion
 
 #default disable regression tests, some unit test code in non testing code
 #PACKAGECONFIG_pn-${PN} = "tests" enable regression tests local.conf
@@ -26,11 +26,10 @@ EXTRA_OECONF = 
"--with-introspect-xml=${STAGING_DATADIR_NATIVE}/dbus/dbus-bus-in
 
--with-dbus-binding-tool=${STAGING_BINDIR_NATIVE}/dbus-binding-tool"
 EXTRA_OECONF_class-native = 
"--with-introspect-xml=${STAGING_DATADIR_NATIVE}/dbus/dbus-bus-introspect.xml"
 
-PACKAGES += "${PN}-bash-completion ${PN}-tests"
+PACKAGES += "${PN}-tests"
 
 FILES_${PN} = "${libdir}/lib*${SOLIBS}"
-FILES_${PN}-bash-completion = 
"${sysconfdir}/bash_completion.d/dbus-bash-completion.sh \
-   ${libexecdir}/dbus-bash-completion-helper"
+FILES_${PN}-bash-completion += "${libexecdir}/dbus-bash-completion-helper"
 FILES_${PN}-dev += "${libdir}/dbus-1.0/include ${bindir}/dbus-glib-tool"
 FILES_${PN}-dev += "${bindir}/dbus-binding-tool"
 
-- 
2.4.5



[OE-core] [RFC][PATCH 5/9] glib: use bash-completion.bbclass

2016-01-14 Thread George McCollister
Use bash-completion.bbclass to package bash completions.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-core/glib-2.0/glib.inc | 6 ++
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/glib-2.0/glib.inc 
b/meta/recipes-core/glib-2.0/glib.inc
index 86f7e0e..079b214 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -22,12 +22,12 @@ DEPENDS_append = " ${@bb.utils.contains('PTEST_ENABLED', 
'1', ' glib-2.0-native
 DEPENDS_class-native = "pkgconfig-native gettext-native libffi-native 
zlib-native"
 DEPENDS_class-nativesdk = "nativesdk-libtool nativesdk-gettext 
nativesdk-libffi nativesdk-zlib"
 
-PACKAGES =+ "${PN}-utils ${PN}-bash-completion ${PN}-codegen"
+PACKAGES =+ "${PN}-utils ${PN}-codegen"
 
 LEAD_SONAME = "libglib-2.0.*"
 FILES_${PN}-utils = "${bindir}/* ${datadir}/glib-2.0/gettext"
 
-inherit autotools gettext gtk-doc pkgconfig ptest-gnome 
upstream-version-is-even
+inherit autotools gettext gtk-doc pkgconfig ptest-gnome 
upstream-version-is-even bash-completion
 
 S = "${WORKDIR}/glib-${PV}"
 
@@ -51,8 +51,6 @@ FILES_${PN}-dev += "${libdir}/glib-2.0/include \
 ${libdir}/gio/modules/*.la"
 FILES_${PN}-dbg += "${datadir}/glib-2.0/gdb ${datadir}/gdb"
 FILES_${PN}-codegen = "${datadir}/glib-2.0/codegen/*.py"
-FILES_${PN}-bash-completion = "${sysconfdir}/bash_completion.d \
-   ${datadir}/bash-completion"
 
 ARM_INSTRUCTION_SET = "arm"
 USE_NLS = "yes"
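Review bot: With the explicit FILES_${PN}-bash-completion dropped in this hunk, where ${sysconfdir}/bash_completion.d ends up now depends on the position the inherited class gives the subpackage in PACKAGES, whereas this recipe used PACKAGES =+ to place it ahead of ${PN}. Please confirm from a build that the completion files still land in ${PN}-bash-completion and not in ${PN}, and mention the check in the commit message.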
-- 
2.4.5



[OE-core] [RFC][PATCH 6/9] util-linux: use bash-completion.bbclass

2016-01-14 Thread George McCollister
Use bash-completion.bbclass to package bash completions.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 meta/recipes-core/util-linux/util-linux.inc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/util-linux/util-linux.inc 
b/meta/recipes-core/util-linux/util-linux.inc
index 7ef7a54..b9961f7 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -17,7 +17,7 @@ LIC_FILES_CHKSUM = 
"file://README.licensing;md5=1715f5ee3e01203ca1e1e0b9ee65918c
 
file://libmount/COPYING;md5=fb93f01d4361069c5616327705373b16 \
 
file://libblkid/COPYING;md5=fb93f01d4361069c5616327705373b16"
 
-inherit autotools gettext pkgconfig systemd update-alternatives python-dir 
ptest
+inherit autotools gettext pkgconfig systemd update-alternatives python-dir 
ptest bash-completion
 DEPENDS = "zlib ncurses"
 DEPENDS_append_class-native = " lzo-native"
 DEPENDS_append_class-nativesdk = " lzo-native"
@@ -31,7 +31,7 @@ PACKAGES =+ "util-linux-agetty util-linux-fdisk 
util-linux-cfdisk util-linux-sfd
  util-linux-uuidgen util-linux-lscpu util-linux-fsck 
util-linux-blkid \
  util-linux-mkfs util-linux-mcookie util-linux-reset 
util-linux-runuser \
  util-linux-mkfs.cramfs util-linux-fsck.cramfs util-linux-fstrim \
- util-linux-partx ${PN}-bash-completion util-linux-hwclock \
+ util-linux-partx util-linux-hwclock \
  util-linux-findfs util-linux-getopt util-linux-sulogin"
 PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'pylibmount', 
'util-linux-pylibmount', '', d)}"
 
@@ -64,7 +64,6 @@ PACKAGECONFIG[pylibmount] = "--with-python 
--enable-pylibmount,--without-python
 # Readline support
 PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
 
-FILES_${PN}-bash-completion += "${datadir}/bash-completion"
 FILES_${PN}-doc += "${datadir}/getopt/getopt-*.*"
 
 FILES_${PN}-dev += 
"${libdir}/${PYTHON_DIR}/dist-packages/libmount/pylibmount.la"
-- 
2.4.5



[OE-core] [PATCH][fido] wic: fix path parsing, use last occurrence

2015-09-10 Thread George McCollister
If the path contains 'scripts' more than once the first occurrence will be
incorrectly used. Use rfind instead of find to find the last occurrence.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 scripts/lib/wic/plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/wic/plugin.py b/scripts/lib/wic/plugin.py
index 41a8017..3acd5b4 100644
--- a/scripts/lib/wic/plugin.py
+++ b/scripts/lib/wic/plugin.py
@@ -42,7 +42,7 @@ class PluginMgr(object):
 
 def __init__(self):
 wic_path = os.path.dirname(__file__)
-eos = wic_path.find('scripts') + len('scripts')
+eos = wic_path.rfind('scripts') + len('scripts')
 scripts_path = wic_path[:eos]
 self.scripts_path = scripts_path
 self.plugin_dir = scripts_path + PLUGIN_DIR
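Review bot: rfind('scripts') is still a substring match on the whole path, so the result depends on a directory being literally named scripts and on no later component containing that text. As the diff header shows this file at scripts/lib/wic/plugin.py, applying os.path.dirname twice more to wic_path yields the scripts directory from the file's own location and removes the string search altogether.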
-- 
2.4.5



[OE-core] [PATCH] wic: fix path parsing, use last occurrence

2015-09-10 Thread George McCollister
If the path contains 'scripts' more than once the first occurrence will be
incorrectly used. Use rfind instead of find to find the last occurrence.

Signed-off-by: George McCollister <george.mccollis...@gmail.com>
---
 scripts/lib/wic/plugin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/wic/plugin.py b/scripts/lib/wic/plugin.py
index ccfdfcb..151ff31 100644
--- a/scripts/lib/wic/plugin.py
+++ b/scripts/lib/wic/plugin.py
@@ -42,7 +42,7 @@ class PluginMgr(object):
 
 def __init__(self):
 wic_path = os.path.dirname(__file__)
-eos = wic_path.find('scripts') + len('scripts')
+eos = wic_path.rfind('scripts') + len('scripts')
 scripts_path = wic_path[:eos]
 self.scripts_path = scripts_path
 self.plugin_dir = scripts_path + PLUGIN_DIR
-- 
2.4.5



[OE-core] [PATCH][fido] binutils: fix native builds when host has gcc5

2015-06-16 Thread George McCollister
Cherry pick upstream commit to fix -Werror=logical-not-parentheses error
when building with native gcc5.

Signed-off-by: George McCollister george.mccollis...@gmail.com
---
 meta/recipes-devtools/binutils/binutils-2.24.inc   |  1 +
 ...86.c-Werror-logical-not-parentheses-error.patch | 76 ++
 2 files changed, 77 insertions(+)
 create mode 100644 
meta/recipes-devtools/binutils/binutils/Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.24.inc 
b/meta/recipes-devtools/binutils/binutils-2.24.inc
index 63c9287..2fb56eb 100644
--- a/meta/recipes-devtools/binutils/binutils-2.24.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.24.inc
@@ -40,6 +40,7 @@ SRC_URI = \
  file://binutils_CVE-2014-8503.patch \
  file://binutils_CVE-2014-8504.patch \
  file://binutils_CVE-2014-8737.patch \
+ file://Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch \
  
 
 SRC_URI[md5sum] = e0f71a7b2ddab0f8612336ac81d9636b
diff --git 
a/meta/recipes-devtools/binutils/binutils/Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch
 
b/meta/recipes-devtools/binutils/binutils/Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch
new file mode 100644
index 000..0511c39
--- /dev/null
+++ 
b/meta/recipes-devtools/binutils/binutils/Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch
@@ -0,0 +1,76 @@
+From 360ddc990a941bc506576f45a3858d38f508410b Mon Sep 17 00:00:00 2001
+From: Alan Modra amo...@gmail.com
+Date: Fri, 12 Sep 2014 09:46:30 +0930
+Subject: [PATCH] Fix tc-i386.c -Werror=logical-not-parentheses error
+
+   * config/tc-i386.c (match_template): Remove redundant !! testing
+   single-bit bitfields.
+   (build_modrm_byte): Don't compare single-bit bitfields to 1.
+
+Upstream commit:
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ac4eb736520174305bf6e691827f7473b858cff1
+
+Manually resolved gas/ChangeLog conflict by placing the change at the
+top of the file.
+gas/config/tc-i386.c patched with offset
+
+Signed-off-by: George McCollister george.mccollis...@gmail.com
+---
+ gas/ChangeLog|  6 ++
+ gas/config/tc-i386.c | 12 ++--
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/gas/ChangeLog b/gas/ChangeLog
+index 7fafa26..c6e60c9 100644
+--- a/gas/ChangeLog
 b/gas/ChangeLog
+@@ -1,3 +1,9 @@
++2014-09-12  Alan Modra  amo...@gmail.com
++
++  * config/tc-i386.c (match_template): Remove redundant !! testing
++  single-bit bitfields.
++  (build_modrm_byte): Don't compare single-bit bitfields to 1.
++
+ 2013-11-18  H.J. Lu  hongjiu...@intel.com
+ 
+   * config/tc-i386.c (lex_got): Add a dummy int bnd_prefix
+diff --git a/gas/config/tc-i386.c b/gas/config/tc-i386.c
+index 3c423da..4464091 100644
+--- a/gas/config/tc-i386.c
 b/gas/config/tc-i386.c
+@@ -4672,9 +4672,9 @@ match_template (void)
+   !operand_types[0].bitfield.regymm
+   !operand_types[0].bitfield.regzmm)
+ || (!operand_types[t-operands  1].bitfield.regmmx
+- !!operand_types[t-operands  1].bitfield.regxmm
+- !!operand_types[t-operands  1].bitfield.regymm
+- !!operand_types[t-operands  1].bitfield.regzmm))
++ operand_types[t-operands  1].bitfield.regxmm
++ operand_types[t-operands  1].bitfield.regymm
++ operand_types[t-operands  1].bitfield.regzmm))
+  (t-base_opcode != 0x0fc7
+ || t-extension_opcode != 1 /* cmpxchg8b */))
+   continue;
+@@ -4689,7 +4689,7 @@ match_template (void)
+   ((!operand_types[0].bitfield.regmmx
+!operand_types[0].bitfield.regxmm)
+  || (!operand_types[t-operands  1].bitfield.regmmx
+-  !!operand_types[t-operands  1].bitfield.regxmm)))
++  operand_types[t-operands  1].bitfield.regxmm)))
+   continue;
+ 
+   /* Do not verify operands when there are none.  */
+@@ -6139,8 +6139,8 @@ build_modrm_byte (void)
+ op = i.tm.operand_types[];
+ op.bitfield.regmem = 0;
+ if ((dest + 1) = i.operands
+-|| (op.bitfield.reg32 != 1
+- !op.bitfield.reg64 != 1
++|| (!op.bitfield.reg32
++ op.bitfield.reg64
+  !operand_type_equal (op, regxmm)
+  !operand_type_equal (op, regymm)
+  !operand_type_equal (op, regzmm)
+-- 
+2.4.3
+
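Review bot: The header of the added Fix-tc-i386.c-Werror-logical-not-parentheses-error.patch gives the upstream commit URL but has no Upstream-Status: line. Please add "Upstream-Status: Backport" above the Signed-off-by so the origin of the patch is recorded in the form the OE-core patch checks expect, next to the note about the manually resolved gas/ChangeLog conflict.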
-- 
2.4.3
