[OE-core] [PATCH] rm_work: Remove redundant 'after' in addtask statement
Introduced in commit b3de5d5795767a4b8c331fa5040166e7e410eeec. Signed-off-by: Jacob Kroon --- meta/classes/rm_work.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) I considered adding a warning to bitbake when the 'after'/'before' groups are empty, but decided not to, thinking it might be useful to be able to pass variables that could potentially evaluate to nothing. diff --git a/meta/classes/rm_work.bbclass b/meta/classes/rm_work.bbclass index c478f4a187..a6bd3f719f 100644 --- a/meta/classes/rm_work.bbclass +++ b/meta/classes/rm_work.bbclass @@ -121,7 +121,7 @@ do_rm_work_all () { } do_rm_work_all[recrdeptask] = "do_rm_work" do_rm_work_all[noexec] = "1" -addtask rm_work_all after before do_build +addtask rm_work_all before do_build do_populate_sdk[postfuncs] += "rm_work_populatesdk" rm_work_populatesdk () { -- 2.21.0 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
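Review bot: the commit message for the one-line `addtask rm_work_all` change names only the introducing commit and does not say whether the empty 'after' ever had an effect on task ordering. A sentence stating that the task still runs `before do_build` and that ordering is unchanged would let a reader confirm the edit is cosmetic. The remark about not adding a bitbake warning for empty 'after'/'before' groups sits below the `---` and is dropped on apply; if it is meant as a record of the decision, move it into the message.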
[OE-core] ✗ patchtest: failure for binutils: Security fix for CVE-2019-12972 (rev2)
== Series Details ==

Series: binutils: Security fix for CVE-2019-12972 (rev2)
Revision: 2
URL   : https://patchwork.openembedded.org/series/19614/
State : failure

== Summary ==

Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures:

* Issue             Series does not apply on top of target branch [test_series_merge_on_head]
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  thud (currently at d3d3f44303)

If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
[OE-core] ✗ patchtest: failure for binutils: Security fix for CVE-2019-12972
== Series Details ==

Series: binutils: Security fix for CVE-2019-12972
Revision: 1
URL   : https://patchwork.openembedded.org/series/19614/
State : failure

== Summary ==

Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures:

* Issue             Series does not apply on top of target branch [test_series_merge_on_head]
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  thud (currently at d3d3f44303)

If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
[OE-core] [thud][v2][PATCH] binutils: Security fix for CVE-2019-12972
From: Armin Kuster Source: git://sourceware.org / binutils-gdb.git MR: 98770 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c Description: Fixes CVE-2019-12972 Signed-off-by: Armin Kuster [v2] forgot to refresh inc file before sending --- meta/recipes-devtools/binutils/binutils-2.31.inc | 1 + .../binutils/binutils/CVE-2019-12972.patch | 39 ++ 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc index 247f779..e1a6673 100644 --- a/meta/recipes-devtools/binutils/binutils-2.31.inc +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc @@ -47,6 +47,7 @@ SRC_URI = "\ file://CVE-2018-18606.patch \ file://CVE-2018-18607.patch \ file://CVE-2019-1.patch \ + file://CVE-2019-12972.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch new file mode 100644 index 000..3e95b92 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch 
@@ -0,0 +1,39 @@ +From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Fri, 21 Jun 2019 11:51:38 +0930 +Subject: [PATCH] PR24689, string table corruption + +The testcase in the PR had a e_shstrndx section of type SHT_GROUP. +hdr->contents were initialized by setup_group rather than being read +from the file, thus last byte was not zero and string dereference ran +off the end of the buffer. + + PR 24689 + * elfcode.h (elf_object_p): Check type of e_shstrndx section. + +Upstream-Status: Backport +https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 + +CVE: CVE-2019-12972 +Affects: <= 2.23.0 +Dropped Changelog +Signed-off-by Armin Kuster +--- + bfd/ChangeLog | 5 + + bfd/elfcode.h | 3 ++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/elfcode.h +=== +--- git.orig/bfd/elfcode.h git/bfd/elfcode.h +@@ -747,7 +747,8 @@ elf_object_p (bfd *abfd) + /* A further sanity check. */ + if (i_ehdrp->e_shnum != 0) + { +- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)) ++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd) ++|| i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB) + { + /* PR 2257: +We used to just goto got_wrong_format_error here -- 2.7.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
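Review bot: in the header of the embedded CVE-2019-12972.patch, `Affects: <= 2.23.0` does not fit the recipe the patch is added to (`binutils-2.31.inc`); please check the version bound. The same header has `Signed-off-by Armin Kuster` without the colon, and its diffstat still lists `bfd/ChangeLog | 5 +` although the header says the changelog was dropped. In the `elf_object_p` hunk the new `sh_type != SHT_STRTAB` test sits after the `e_shstrndx >= elf_numsections (abfd)` bound in the same `||` chain, so the index is range-checked before `i_shdrp` is read; that ordering should be kept if the hunk is ever refreshed by hand.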
[OE-core] [thud][PATCH] binutils: Security fix for CVE-2019-12972
From: Armin Kuster Source: git://sourceware.org / binutils-gdb.git MR: 98770 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c Description: Fixes CVE-2019-12972 Signed-off-by: Armin Kuster --- meta/recipes-devtools/binutils/binutils-2.31.inc | 1 + .../binutils/binutils/CVE-2019-12972.patch | 39 ++ 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc index 247f779..865fa10 100644 --- a/meta/recipes-devtools/binutils/binutils-2.31.inc +++ b/meta/recipes-devtools/binutils/binutils-2.31.inc @@ -47,6 +47,7 @@ SRC_URI = "\ file://CVE-2018-18606.patch \ file://CVE-2018-18607.patch \ file://CVE-2019-1.patch \ + file://CVE-2019-8457.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch new file mode 100644 index 000..3e95b92 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch 
@@ -0,0 +1,39 @@ +From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001 +From: Alan Modra +Date: Fri, 21 Jun 2019 11:51:38 +0930 +Subject: [PATCH] PR24689, string table corruption + +The testcase in the PR had a e_shstrndx section of type SHT_GROUP. +hdr->contents were initialized by setup_group rather than being read +from the file, thus last byte was not zero and string dereference ran +off the end of the buffer. + + PR 24689 + * elfcode.h (elf_object_p): Check type of e_shstrndx section. + +Upstream-Status: Backport +https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031 + +CVE: CVE-2019-12972 +Affects: <= 2.23.0 +Dropped Changelog +Signed-off-by Armin Kuster +--- + bfd/ChangeLog | 5 + + bfd/elfcode.h | 3 ++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +Index: git/bfd/elfcode.h +=== +--- git.orig/bfd/elfcode.h git/bfd/elfcode.h +@@ -747,7 +747,8 @@ elf_object_p (bfd *abfd) + /* A further sanity check. */ + if (i_ehdrp->e_shnum != 0) + { +- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)) ++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd) ++|| i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB) + { + /* PR 2257: +We used to just goto got_wrong_format_error here -- 2.7.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
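Review bot: the `SRC_URI` hunk in `binutils-2.31.inc` adds `file://CVE-2019-8457.patch`, but the file this patch creates is `binutils/CVE-2019-12972.patch`, so the recipe points at a file that is not in the series and the backported `elf_object_p` check is never applied. The entry should read `file://CVE-2019-12972.patch \`. The embedded patch header also carries `Affects: <= 2.23.0`, which does not fit a binutils 2.31 recipe, and `Signed-off-by Armin Kuster` without the colon.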
[OE-core] [PATCH] gcc-9.2: Security fix for CVE-2019-14250
Affects: <= 9.2 Signed-off-by: Armin Kuster Signed-off-by: Armin Kuster --- meta/recipes-devtools/gcc/gcc-9.2.inc | 1 + .../gcc/gcc-9.2/CVE-2019-14250.patch | 44 +++ 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-devtools/gcc/gcc-9.2/CVE-2019-14250.patch diff --git a/meta/recipes-devtools/gcc/gcc-9.2.inc b/meta/recipes-devtools/gcc/gcc-9.2.inc index 1c3e200dab..01d3bf0f32 100644 --- a/meta/recipes-devtools/gcc/gcc-9.2.inc +++ b/meta/recipes-devtools/gcc/gcc-9.2.inc @@ -64,6 +64,7 @@ SRC_URI = "\ file://0034-fix-segmentation-fault-in-precompiled-header-generat.patch \ file://0035-Fix-for-testsuite-failure.patch \ file://0036-Re-introduce-spe-commandline-options.patch \ + file://CVE-2019-14250.patch \ " S = "${TMPDIR}/work-shared/gcc-${PV}-${PR}/gcc-${PV}" SRC_URI[md5sum] = "3818ad8600447f05349098232c2ddc78" diff --git a/meta/recipes-devtools/gcc/gcc-9.2/CVE-2019-14250.patch b/meta/recipes-devtools/gcc/gcc-9.2/CVE-2019-14250.patch new file mode 100644 index 00..65ea34558a --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-9.2/CVE-2019-14250.patch 
@@ -0,0 +1,44 @@ +From 517b211a3d78366ca8d5929f580e8ca72fd2c004 Mon Sep 17 00:00:00 2001 +From: rguenth +Date: Thu, 25 Jul 2019 10:46:54 + +Subject: [PATCH] 2019-07-25 Richard Biener + + PR lto/90924 + Backport from mainline + 2019-07-12 Ren Kimura + + * simple-object-elf.c (simple_object_elf_match): Check zero value + shstrndx. + + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-9-branch@273793 138bc75d-0d04-0410-961f-82ee72b054a4 + +Upstream-Status: Backport +Affectes: < 9.2 +CVE: CVE-2019-14250 +Dropped changelog +Signed-off-by: Armin Kuster + +--- + libiberty/simple-object-elf.c | 8 + 2 files changed, 17 insertions(+) + +Index: gcc-9.2.0/libiberty/simple-object-elf.c +=== +--- gcc-9.2.0.orig/libiberty/simple-object-elf.c gcc-9.2.0/libiberty/simple-object-elf.c +@@ -557,6 +557,14 @@ simple_object_elf_match (unsigned char h + return NULL; + } + ++ if (eor->shstrndx == 0) ++{ ++ *errmsg = "invalid ELF shstrndx == 0"; ++ *err = 0; ++ XDELETE (eor); ++ return NULL; ++} ++ + return (void *) eor; + } + -- 2.17.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
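Review bot: the version bounds disagree: the commit message says `Affects: <= 9.2` while the embedded patch header says `Affectes: < 9.2` (also misspelled), and the patch is being added to `gcc-9.2.inc`. Pick the bound that matches and use it in both places. The header's diffstat reads `2 files changed, 17 insertions(+)` with only `libiberty/simple-object-elf.c | 8` listed, a leftover from dropping the changelog; `Signed-off-by: Armin Kuster` appears twice in the commit message; and there is no upstream URL next to `Upstream-Status: Backport`, only the `git-svn-id` line.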
Re: [OE-core] FETCHCMD drop breaks build when append is used (from patch b259bd31eb)
On Sat, Aug 31, 2019 at 1:24 PM Andre McCurdy wrote:
>
> On Sat, Aug 31, 2019 at 11:07 AM Andrey Zhizhikin wrote:
> > On Sat, Aug 31, 2019 at 2:18 PM Adrian Bunk wrote:
> > > Disallowing appends could cause huge problems for a user or layer that
> > > has to append local options (e.g. proxy) building a recipe like libedit
> > > that has to change the User-Agent.
>
> Clearly we need to have a solution for libedit. I don't see it's
> related to user or layer specific issues of setting a password or a
> proxy though.
>
> There seem to be three independent cases where appending to the
> fetcher commands in bitbake.conf has been used:
>
> 1) Setting usernames/passwords for private mirrors, sstate servers,
> etc. For that I believe the recommended solution is .netrc. Not only
> is putting passwords on the command line a bad idea in general, but it
> also won't work consistently for fetchers where download() and
> checkstatus() are implemented differently - e.g. for wget, download()
> calls wget (and therefore respects FETCHCMD_wget) but checkstatus() is
> implemented directly in python (and ignores FETCHCMD_wget completely).
> To see the effects, try setting up a password protected http or https
> sstate server... it will work if you put your credentials in .netrc
> but not if you add them to FETCHCMD_wget.
>
> 2) Configuring a proxy server for users behind a firewall. For that I
> believe the recommended solution is the various *_proxy environment
> variables?
>
> 3) Forcing a custom User-Agent. I don't know what the best solution is
> here but it feels like the wget fetcher should either handle this
> internally (e.g. set a more compatible User-Agent by default?
> Automatic retries with various User-Agents?) or provide a documented
> API which specifically sets the User-Agent in cases where the default
> really does need to be over-ridden.
>
> In the end the bitbake fetchers are abstractions and if users need to
> force their own options directly into the final command line (ie
> bypassing the abstraction) then it suggests the abstraction is
> incomplete. It feels like a slippery slope if we start to encourage or
> rely on doing that.

It looks like the User-Agent workaround for libedit might not be needed any more anyway...

  wget http://thrysoee.dk/editline/libedit-20190324-3.1.tar.gz

works fine for me ( User-Agent: Wget/1.17.1 (linux-gnu) )
Re: [OE-core] FETCHCMD drop breaks build when append is used (from patch b259bd31eb)
On Sat, Aug 31, 2019 at 11:07 AM Andrey Zhizhikin wrote:
> On Sat, Aug 31, 2019 at 2:18 PM Adrian Bunk wrote:
> > Disallowing appends could cause huge problems for a user or layer that
> > has to append local options (e.g. proxy) building a recipe like libedit
> > that has to change the User-Agent.

Clearly we need to have a solution for libedit. I don't see it's related to user or layer specific issues of setting a password or a proxy though.

There seem to be three independent cases where appending to the fetcher commands in bitbake.conf has been used:

1) Setting usernames/passwords for private mirrors, sstate servers, etc. For that I believe the recommended solution is .netrc. Not only is putting passwords on the command line a bad idea in general, but it also won't work consistently for fetchers where download() and checkstatus() are implemented differently - e.g. for wget, download() calls wget (and therefore respects FETCHCMD_wget) but checkstatus() is implemented directly in python (and ignores FETCHCMD_wget completely). To see the effects, try setting up a password protected http or https sstate server... it will work if you put your credentials in .netrc but not if you add them to FETCHCMD_wget.

2) Configuring a proxy server for users behind a firewall. For that I believe the recommended solution is the various *_proxy environment variables?

3) Forcing a custom User-Agent. I don't know what the best solution is here but it feels like the wget fetcher should either handle this internally (e.g. set a more compatible User-Agent by default? Automatic retries with various User-Agents?) or provide a documented API which specifically sets the User-Agent in cases where the default really does need to be over-ridden.

In the end the bitbake fetchers are abstractions and if users need to force their own options directly into the final command line (ie bypassing the abstraction) then it suggests the abstraction is incomplete. It feels like a slippery slope if we start to encourage or rely on doing that.
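The split between download() and checkstatus() described in case 1 of the message above, as an added Python model; it is not BitBake's fetcher code and not part of the original message. The host, login and password are constructed placeholders and every function name is hypothetical.

```python
import netrc
import os
import shlex
import tempfile

# Constructed sample values (placeholders, not taken from the thread).
HOST = "sstate.example.invalid"
FETCHCMD_PLAIN = "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
FETCHCMD_WITH_CREDS = FETCHCMD_PLAIN + " --user=builder --password=s3cret"

# wget options whose value is a secret once it is on the command line.
SECRET_OPTIONS = ("--password=", "--http-password=",
                  "--ftp-password=", "--proxy-password=")


def write_netrc(directory, host, login, password):
    """Create a .netrc readable by the owner only and return its path."""
    path = os.path.join(directory, ".netrc")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(f"machine {host} login {login} password {password}\n")
    return path


def netrc_credentials(netrc_path, host):
    """Return (login, password) for host from a .netrc file, or None."""
    if not netrc_path or not os.path.exists(netrc_path):
        return None
    entry = netrc.netrc(netrc_path).authenticators(host)
    if entry is None:
        return None
    login, _account, password = entry
    return (login, password)


def cmdline_credentials(fetchcmd):
    """Return (user, password) given as wget options in fetchcmd, or None."""
    user = password = None
    for token in shlex.split(fetchcmd):
        if token.startswith("--user="):
            user = token.split("=", 1)[1]
        elif token.startswith("--password="):
            password = token.split("=", 1)[1]
    return (user, password) if user and password else None


def download_credentials(fetchcmd, netrc_path, host):
    """Model of the download() path: the configured wget command is run,
    so options appended to it count, and wget also reads .netrc."""
    return cmdline_credentials(fetchcmd) or netrc_credentials(netrc_path, host)


def checkstatus_credentials(fetchcmd, netrc_path, host):
    """Model of the checkstatus() path: implemented in Python, it never
    looks at fetchcmd, so only .netrc can supply credentials."""
    return netrc_credentials(netrc_path, host)


def argv_secrets(fetchcmd):
    """Names of options in fetchcmd that put a secret into the process
    arguments, where other local users and build logs can see it."""
    return [token.split("=", 1)[0] for token in shlex.split(fetchcmd)
            if token.startswith(SECRET_OPTIONS)]


def compare(fetchcmd, netrc_path, host):
    """Summarise what each code path can authenticate with."""
    return {
        "download": download_credentials(fetchcmd, netrc_path, host),
        "checkstatus": checkstatus_credentials(fetchcmd, netrc_path, host),
        "argv_secrets": argv_secrets(fetchcmd),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        # Credentials appended to the fetch command: the two paths disagree.
        print("appended:", compare(FETCHCMD_WITH_CREDS, None, HOST))
        # Credentials in .netrc: both paths agree and argv stays clean.
        path = write_netrc(workdir, HOST, "builder", "s3cret")
        print(".netrc:  ", compare(FETCHCMD_PLAIN, path, HOST))
```

A result where `download` has credentials and `checkstatus` is `None` corresponds to the password-protected sstate server case in the message: fetches succeed while the existence check fails.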
Re: [OE-core] [PATCH 0/3 v2] kernel-yocto: 5.2 intro series
Largely this worked fine (buildwise) for meta-openembedded layers included; see
https://errors.yoctoproject.org/Errors/Build/87912/

The 5.2 regressions are below. If anyone has cycles to fix them, that would be great.

klibc, klibc-static-utils - syscall stub generator in klibc now gets confused and can't generate the header file with syscalls
drbd, can-isotp - External kernel modules (maybe need some forward porting)
bpftool - Fails with new error (undefined reference to `do_btf')

Cheers
-Khem

On Fri, Aug 30, 2019 at 9:06 AM wrote:
>
> From: Bruce Ashfield
>
> Richard,
>
> These are the patches for the 5.2 intro that aren't in your current
> master-next.
>
> Kevin's meta-yocto-bsp can use a minor SRCREV bump, and I'll send that shortly
> to the appropriate list. But even running with it as-is, isn't a problem.
>
> I will also follow up with the 5.0 removal and some other minor tweaks once
> this introduction of recipes goes green.
>
> Cheers,
>
> Bruce
>
> The following changes since commit be28058c101a38ad9e01c0ce95bbe0c7dee19410:
>
> Revert "poky.conf: make systemd as default init manager" (2019-08-30
> 13:37:48 +0100)
>
> are available in the Git repository at:
>
> git://git.pokylinux.org/poky-contrib zedd/kernel-next
> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=zedd/kernel-next
>
> Bruce Ashfield (3):
> linux-libc-headers: update to v5.2 headers
> linux-yocto: introduce 5.2 recipes
> qemu: bump linux-yocto preferred version to 5.2
>
> meta/conf/distro/include/tcmode-default.inc | 2 +-
> meta/conf/machine/include/x86-base.inc | 2 +-
> meta/conf/machine/qemuarmv5.conf | 2 +-
> ...sm-ptrace.h-should-not-depend-on-uap.patch | 62 ---
> ...aders_5.0.bb => linux-libc-headers_5.2.bb} | 5 +-
> .../linux/linux-yocto-rt_5.2.bb | 44 +
> .../linux/linux-yocto-tiny_5.2.bb | 32 ++
> meta/recipes-kernel/linux/linux-yocto_5.2.bb | 54
> 8 files changed, 135 insertions(+), 68 deletions(-)
> delete mode 100644
> meta/recipes-kernel/linux-libc-headers/linux-libc-headers/0001-arm64-sve-uapi-asm-ptrace.h-should-not-depend-on-uap.patch
> rename meta/recipes-kernel/linux-libc-headers/{linux-libc-headers_5.0.bb =>
> linux-libc-headers_5.2.bb} (75%)
> create mode 100644 meta/recipes-kernel/linux/linux-yocto-rt_5.2.bb
> create mode 100644 meta/recipes-kernel/linux/linux-yocto-tiny_5.2.bb
> create mode 100644 meta/recipes-kernel/linux/linux-yocto_5.2.bb
>
> --
> 2.19.1
Re: [OE-core] FETCHCMD drop breaks build when append is used (from patch b259bd31eb)
On Sat, Aug 31, 2019 at 2:18 PM Adrian Bunk wrote:
>
> Disallowing appends could cause huge problems for a user or layer that
> has to append local options (e.g. proxy) building a recipe like libedit
> that has to change the User-Agent.

My point exactly! I believe that even though this is currently the only recipe to have this append, this might not be the last one. And in this case, that prospective recipe would require the user to set up his local build system with an additional .netrc file, just to have it built.

>
> cu
> Adrian
>

--
Regards,
Andrey.
Re: [OE-core] FETCHCMD drop breaks build when append is used (from patch b259bd31eb)
On Fri, Aug 30, 2019 at 4:41 PM Andre McCurdy wrote:
>
> I think for the specific case of usernames and passwords the advice
> would be to put them in .netrc etc rather than trying to append to the
> fetcher command lines (but mainly for security reasons rather than
> this issue).

This I do agree, but it is only related to the username/passwd combination for a local user to perform a local fetch. Sometimes however this append might be needed for authentication tokens for CI/CD systems running in containers. In this case it would be quite tricky to do it via .netrc (IMHO).

>
>
> One answer could be that modifications of the fetcher command lines
> should be done by completely defining them rather than appending. I'm
> not sure how reasonable that is though.

I believe in this case we would fall back to the original solution, where defaults were defined in bitbake.conf file.

>
> In the end the approach to fixing this depends on whether appending to
> the default fetcher commands is considered valid usage or not... and I
> don't know the answer to that.

I guess the best course of action should be to check whether appends are introduced in the fetcher class and use them if they are. This needs to be confirmed with the Bitbake people though.

--
Regards,
Andrey.
[OE-core] ✗ patchtest: failure for gcc-8.3: Security fix for CVE-2019-14250
== Series Details ==

Series: gcc-8.3: Security fix for CVE-2019-14250
Revision: 1
URL   : https://patchwork.openembedded.org/series/19612/
State : failure

== Summary ==

Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have been executed on the proposed series by patchtest resulting in the following failures:

* Issue             Series does not apply on top of target branch [test_series_merge_on_head]
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  warrior (currently at 952bfcc3f4)

If you believe any of these test results are incorrect, please reply to the mailing list (openembedded-core@lists.openembedded.org) raising your concerns. Otherwise we would appreciate you correcting the issues and submitting a new version of the patchset if applicable. Please ensure you add/increment the version number when sending the new version (i.e. [PATCH] -> [PATCH v2] -> [PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
[OE-core] [warrior][PATCH] gcc-8.3: Security fix for CVE-2019-14250
From: Armin Kuster Affects < 9.2 Signed-off-by: Armin Kuster Signed-off-by: Armin Kuster --- meta/recipes-devtools/gcc/gcc-8.3.inc | 1 + .../gcc/gcc-8.3/CVE-2019-14250.patch | 44 ++ 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc b/meta/recipes-devtools/gcc/gcc-8.3.inc index dce85a2..80f716a 100644 --- a/meta/recipes-devtools/gcc/gcc-8.3.inc +++ b/meta/recipes-devtools/gcc/gcc-8.3.inc @@ -74,6 +74,7 @@ SRC_URI = "\ file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \ file://0042-PR-debug-86964.patch \ file://0043-PR85434-Prevent-spilling-of-stack-protector-guard-s-.patch \ + file://CVE-2019-14250.patch \ " SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896" SRC_URI[sha256sum] = "64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c" diff --git a/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch new file mode 100644 index 000..e327684 --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-8.3/CVE-2019-14250.patch 
@@ -0,0 +1,44 @@ +From a4f1b58eb48b349a5f353bc69c30be553506d33b Mon Sep 17 00:00:00 2001 +From: rguenth +Date: Thu, 25 Jul 2019 10:48:26 + +Subject: [PATCH] 2019-07-25 Richard Biener + + PR lto/90924 + Backport from mainline + 2019-07-12 Ren Kimura + + * simple-object-elf.c (simple_object_elf_match): Check zero value + shstrndx. + + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@273794 138bc75d-0d04-0410-961f-82ee72b054a4 + +Upstream-Status: Backport +Affectes: < 9.2 +CVE: CVE-2019-14250 +Dropped changelog +Signed-off-by: Armin Kuster + +--- + libiberty/simple-object-elf.c | 8 + 2 files changed, 17 insertions(+) + +Index: gcc-8.2.0/libiberty/simple-object-elf.c +=== +--- gcc-8.2.0.orig/libiberty/simple-object-elf.c gcc-8.2.0/libiberty/simple-object-elf.c +@@ -549,6 +549,14 @@ simple_object_elf_match (unsigned char h + return NULL; + } + ++ if (eor->shstrndx == 0) ++{ ++ *errmsg = "invalid ELF shstrndx == 0"; ++ *err = 0; ++ XDELETE (eor); ++ return NULL; ++} ++ + return (void *) eor; + } + -- 2.7.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
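Review bot: the patch added under `gcc-8.3/` is indexed against `gcc-8.2.0/libiberty/simple-object-elf.c` (`Index:` and both `---`/`+++` paths), which suggests it was copied from the 8.2 backport rather than refreshed against the 8.3 source. Regenerating it against 8.3 would confirm the `@@ -549,6 +549,14 @@` context in `simple_object_elf_match`. The header also has `Affectes: < 9.2` (misspelled), a diffstat of `2 files changed, 17 insertions(+)` with a single file listed, no upstream URL beside `Upstream-Status: Backport`, and the commit message carries `Signed-off-by: Armin Kuster` twice.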
[OE-core] [thud][PATCH] gcc: Security fix for CVE-2019-14250
From: Armin Kuster Source: gcc.org MR: 99120 Type: Security Fix Disposition: Backport from https://gcc.gnu.org/viewcvs?rev=273794=gcc=rev ChangeID: 28ab763c18f1543607181cd9657f45f7752b6fcb Description: Affects < 9.2 Signed-off-by: Armin Kuster --- meta/recipes-devtools/gcc/gcc-8.2.inc | 1 + .../gcc/gcc-8.2/CVE-2019-14250.patch | 44 ++ 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch diff --git a/meta/recipes-devtools/gcc/gcc-8.2.inc b/meta/recipes-devtools/gcc/gcc-8.2.inc index 866a775..bd95ccd 100644 --- a/meta/recipes-devtools/gcc/gcc-8.2.inc +++ b/meta/recipes-devtools/gcc/gcc-8.2.inc @@ -73,6 +73,7 @@ SRC_URI = "\ ${BACKPORTS} \ " BACKPORTS = "\ + file://CVE-2019-14250.patch \ " SRC_URI[md5sum] = "4ab282f414676496483b3e1793d07862" SRC_URI[sha256sum] = "196c3c04ba2613f893283977e6011b2345d1cd1af9abeac58e916b1aab3e0080" diff --git a/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch new file mode 100644 index 000..e327684 --- /dev/null +++ b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch 
@@ -0,0 +1,44 @@ +From a4f1b58eb48b349a5f353bc69c30be553506d33b Mon Sep 17 00:00:00 2001 +From: rguenth +Date: Thu, 25 Jul 2019 10:48:26 + +Subject: [PATCH] 2019-07-25 Richard Biener + + PR lto/90924 + Backport from mainline + 2019-07-12 Ren Kimura + + * simple-object-elf.c (simple_object_elf_match): Check zero value + shstrndx. + + +git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@273794 138bc75d-0d04-0410-961f-82ee72b054a4 + +Upstream-Status: Backport +Affectes: < 9.2 +CVE: CVE-2019-14250 +Dropped changelog +Signed-off-by: Armin Kuster + +--- + libiberty/simple-object-elf.c | 8 + 2 files changed, 17 insertions(+) + +Index: gcc-8.2.0/libiberty/simple-object-elf.c +=== +--- gcc-8.2.0.orig/libiberty/simple-object-elf.c gcc-8.2.0/libiberty/simple-object-elf.c +@@ -549,6 +549,14 @@ simple_object_elf_match (unsigned char h + return NULL; + } + ++ if (eor->shstrndx == 0) ++{ ++ *errmsg = "invalid ELF shstrndx == 0"; ++ *err = 0; ++ XDELETE (eor); ++ return NULL; ++} ++ + return (void *) eor; + } + -- 2.7.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
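Review bot: the upstream reference in the commit message, `https://gcc.gnu.org/viewcvs?rev=273794=gcc=rev`, looks mangled, and the embedded patch header carries only the `git-svn-id` line, so nothing in the patch gives a followable link to the upstream change. Put a working URL next to `Upstream-Status: Backport` in `CVE-2019-14250.patch`. In the `gcc-8.2.inc` hunk the new entry becomes the only item in `BACKPORTS`, which is fine, but the header's `Affectes: < 9.2` is misspelled and its diffstat (`2 files changed, 17 insertions(+)`) does not match the single 8-line file listed.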
[OE-core] [PATCH] libgpg-error: Fix build with gawk 5.x
Signed-off-by: Khem Raj --- .../libgpg-error-1.36-gawk5-support.patch | 142 ++ .../libgpg-error/libgpg-error_1.36.bb | 1 + 2 files changed, 143 insertions(+) create mode 100644 meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.36-gawk5-support.patch diff --git a/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.36-gawk5-support.patch b/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.36-gawk5-support.patch new file mode 100644 index 00..2db11b2176 --- /dev/null +++ b/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.36-gawk5-support.patch 
@@ -0,0 +1,142 @@ +From 7865041c77f4f7005282f10f9bb19072fbdf Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Mon, 15 Apr 2019 15:10:44 +0900 +Subject: [PATCH] awk: Prepare for Gawk 5.0. + +* src/Makefile.am: Use pkg_namespace (instead of namespace). +* src/mkerrnos.awk: Likewise. +* lang/cl/mkerrcodes.awk: Don't escape # in regexp. +* src/mkerrcodes.awk, src/mkerrcodes1.awk, src/mkerrcodes2.awk: Ditto. + +-- + +In Gawk 5.0, regexp routines are replaced by Gnulib implementation, +which only allows escaping specific characters. + +GnuPG-bug-id: 4459 +Reported-by: Marius Schamschula +Signed-off-by: NIIBE Yutaka +Upstream-Status: Backport [https://dev.gnupg.org/T4459] +--- + lang/cl/mkerrcodes.awk | 2 +- + src/Makefile.am| 2 +- + src/mkerrcodes.awk | 2 +- + src/mkerrcodes1.awk| 2 +- + src/mkerrcodes2.awk| 2 +- + src/mkerrnos.awk | 2 +- + src/mkstrtable.awk | 10 +- + 7 files changed, 11 insertions(+), 11 deletions(-) + +--- a/lang/cl/mkerrcodes.awk b/lang/cl/mkerrcodes.awk +@@ -122,7 +122,7 @@ header { + } + + !header { +- sub (/\#.+/, ""); ++ sub (/#.+/, ""); + sub (/[ ]+$/, ""); # Strip trailing space and tab characters. + + if (/^$/) +--- a/src/Makefile.am b/src/Makefile.am +@@ -293,7 +293,7 @@ code-from-errno.h: mkerrcodes$(EXEEXT_FO + + errnos-sym.h: Makefile mkstrtable.awk errnos.in + $(AWK) -f $(srcdir)/mkstrtable.awk -v textidx=2 -v nogettext=1 \ +- -v prefix=GPG_ERR_ -v namespace=errnos_ \ ++ -v prefix=GPG_ERR_ -v pkg_namespace=errnos_ \ + $(srcdir)/errnos.in >$@ + + +--- a/src/mkerrcodes.awk b/src/mkerrcodes.awk +@@ -85,7 +85,7 @@ header { + } + + !header { +- sub (/\#.+/, ""); ++ sub (/#.+/, ""); + sub (/[ ]+$/, ""); # Strip trailing space and tab characters. + + if (/^$/) +--- a/src/mkerrcodes1.awk b/src/mkerrcodes1.awk +@@ -81,7 +81,7 @@ header { + } + + !header { +- sub (/\#.+/, ""); ++ sub (/#.+/, ""); + sub (/[ ]+$/, ""); # Strip trailing space and tab characters. 
+ + if (/^$/) +--- a/src/mkerrcodes2.awk b/src/mkerrcodes2.awk +@@ -91,7 +91,7 @@ header { + } + + !header { +- sub (/\#.+/, ""); ++ sub (/#.+/, ""); + sub (/[ ]+$/, ""); # Strip trailing space and tab characters. + + if (/^$/) +--- a/src/mkerrnos.awk b/src/mkerrnos.awk +@@ -83,7 +83,7 @@ header { + } + + !header { +- sub (/\#.+/, ""); ++ sub (/#.+/, ""); + sub (/[ ]+$/, ""); # Strip trailing space and tab characters. + + if (/^$/) +--- a/src/mkstrtable.awk b/src/mkstrtable.awk +@@ -77,7 +77,7 @@ + # + # The variable prefix can be used to prepend a string to each message. + # +-# The variable namespace can be used to prepend a string to each ++# The variable pkg_namespace can be used to prepend a string to each + # variable and macro name. + + BEGIN { +@@ -102,7 +102,7 @@ header { + print "/* The purpose of this complex string table is to produce"; + print " optimal code with a minimum of relocations. */"; + print ""; +- print "static const char " namespace "msgstr[] = "; ++ print "static const char " pkg_namespace "msgstr[] = "; + header = 0; + } + else +@@ -110,7 +110,7 @@ header { + } + + !header { +- sub (/\#.+/, ""); ++ sub (/#.+/, ""); + sub (/[ ]+$/, ""); # Strip trailing space and tab characters. + + if (/^$/) +@@ -150,7 +150,7 @@ END { + else + print " gettext_noop (\"" last_msgstr "\");"; + print ""; +- print "static const int " namespace "msgidx[] ="; ++ print "static const int " pkg_namespace "msgidx[] ="; + print " {"; + for (i = 0; i < coded_msgs; i++) + print "" pos[i] ","; +@@ -158,7 +158,7 @@ END { + print " };"; + print ""; + print "static GPG_ERR_INLINE int"; +- print namespace "msgidxof (int code)"; ++ print pkg_namespace "msgidxof (int code)"; + print "{"; + print " return (0 ? 0"; + diff --git a/meta/recipes-support/libgpg-error/libgpg-error_1.36.bb b/meta/recipes-support/libgpg-error/libgpg-error_1.36.bb index 2db544a12e..b11ab0548d 100644 --- a/meta/recipes-support/libgpg-error/libgpg-error_1.36.bb 
+++ b/meta/recipes-support/libgpg-error/libgpg-error_1.36.bb @@ -14,6 +14,7 @@ SECTION = "libs" UPSTREAM_CHECK_URI = "https://gnupg.org/download/index.html; SRC_URI =
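Review bot: Check that nothing else still passes `-v namespace=` to src/mkstrtable.awk. Every use of the variable inside that script is renamed to `pkg_namespace`, but the src/Makefile.am hunk updates only the errnos-sym.h rule. With an older awk, a caller still passing `-v namespace=` would emit unprefixed `msgstr`, `msgidx` and `msgidxof` symbols without any error. The backported changelog is also out of step with the hunks: it lists src/mkerrnos.awk under the pkg_namespace change, although that hunk only drops the backslash in `sub (/\#.+/, "")`, and it does not mention src/mkstrtable.awk, which carries the rename. A line in the OE commit message noting this would help whoever refreshes the patch later.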
Re: [OE-core] FETCHCMD drop breaks build when append is used (from patch b259bd31eb)
On Fri, Aug 30, 2019 at 07:40:51AM -0700, Andre McCurdy wrote:
> On Fri, Aug 30, 2019 at 3:08 AM Andrey Zhizhikin wrote:
>...
> > This patch would also break several other recipes which are using
> > appends to FETCHCMD, for example for FETCHCMD_wget the libedit would
> > fail since it appends the wget to use different User-Agent.
> >
> > I've copied Raj here since he introduced this recipe in the form it is
> > and would definitely break.
> >
> > Can you please have a look at this and advise on how one can continue
> > to use the FETCHCMD appends for the future?
>
> One answer could be that modifications of the fetcher command lines
> should be done by completely defining them rather than appending. I'm
> not sure how reasonable that is though.
>
> In the end the approach to fixing this depends on whether appending to
> the default fetcher commands is considered valid usage or not... and I
> don't know the answer to that.
>...

Disallowing appends could cause huge problems for a user or layer that
has to append local options (e.g. proxy) building a recipe like libedit
that has to change the User-Agent.

cu
Adrian
Re: [OE-core] [PATCH] base.bbclass: add dependency on pseudo from do_prepare_recipe_sysroot
> -----Original Message-----
> From: openembedded-core-boun...@lists.openembedded.org core-boun...@lists.openembedded.org> On Behalf Of Richard Purdie
> Sent: 30 August 2019 18:50
> To: Mattias Hansson ; openembedded-c...@lists.openembedded.org
> Cc: Mattias Hansson
> Subject: Re: [OE-core] [PATCH] base.bbclass: add dependency on pseudo from do_prepare_recipe_sysroot
>
> On Fri, 2019-08-16 at 11:13 +0200, Mattias Hansson wrote:
> > do_prepare_recipe_sysroot may perform groupadd, which requires pseudo.
> > However, do_prepare_recipe_sysroot does not depend on pseudo explicitly,
> > which sometimes causes a build error when building a recipe that adds
> > groups.
> >
> > This issue only occurs when executing do_prepare_recipe_sysroot for a
> > recipe that adds groups before finishing a task that depends on pseudo
> > for a recipe that doesn't add groups.
> >
> > Signed-off-by: Mattias Hansson
> > ---
> > meta/classes/base.bbclass | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass > > index 0c8a4b2862..0576b110c9 100644 > > --- a/meta/classes/base.bbclass > > +++ b/meta/classes/base.bbclass
> > @@ -480,6 +480,7 @@ python () { > > # If we're building a target package we need to use fakeroot (pseudo) > > # in order to capture permissions, owners, groups and special files > > if not bb.data.inherits_class('native', d) and not > > bb.data.inherits_class('cross', d): > > +d.setVarFlag('do_prepare_recipe_sysroot', 'fakeroot', '1') > > d.setVarFlag('do_unpack', 'umask', '022') > > d.setVarFlag('do_configure', 'umask', '022') > > d.setVarFlag('do_compile', 'umask', '022')
>
> This basically forces all target recipes prepare-recipe sysroot to run
> under pseudo "just in case", with all the performance overhead that
> entails. prepare_recipe_sysroot does a lot of file accesses so this is
> significant. It will also increase the pseudo database sizes
> everywhere.
>
> We'll need to find a better way to handle this I'm afraid.
>
> Cheers,
>
> Richard

What do you prefer then, that we add this to useradd.bbclass instead?

python () {
    # This corresponds to similar code in base.bbclass, but is added here as it
    # is only needed for recipes that add users/groups.
    if not bb.data.inherits_class('native', d) and not bb.data.inherits_class('cross', d):
        d.setVarFlag('do_prepare_recipe_sysroot', 'fakeroot', '1')
}

That way it should only affect recipes that manipulate users/groups.

//Peter
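Review bot: The subject asks for a dependency on pseudo, but the added line `d.setVarFlag('do_prepare_recipe_sysroot', 'fakeroot', '1')` instead makes the whole task run under pseudo for every recipe that is neither native nor cross. If the failure is only that pseudo is not yet available when groupadd runs, express that as an entry in the task's `depends` varflag, or limit the fakeroot flag to recipes that add users or groups, and retitle the commit to match whichever is done.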
Re: [OE-core] FETCHCMD drop breaks build when append is used (from patch b259bd31eb)
> -----Original Message-----
> From: openembedded-core-boun...@lists.openembedded.org core-boun...@lists.openembedded.org> On Behalf Of Andre McCurdy
> Sent: 30 August 2019 16:41
> To: Andrey Zhizhikin
> Cc: OE Core mailing list
> Subject: Re: [OE-core] FETCHCMD drop breaks build when append is used (from patch b259bd31eb)
>
> On Fri, Aug 30, 2019 at 3:08 AM Andrey Zhizhikin wrote:
> >
> > Hello Andre,
> >
> > I've just pulled the master and experienced a build failure during
> > fetching of updated recipe's source tarballs.
> >
> > The reason for this being that defaults for FETCHCMD has been dropped
> > with your patch b259bd31eb from the series. Once defaults are removed
> > and appends are used - the FETCHCMD gets defined to the value listed
> > in append, which normally does not contain a command itself rather
> > than necessary additional parameters (like user/passwd if working with
> > local pre-mirror servers).
>
> I think for the specific case of usernames and passwords the advice
> would be to put them in .netrc etc rather than trying to append to the
> fetcher command lines (but mainly for security reasons rather than
> this issue).
>
> > This patch would also break several other recipes which are using
> > appends to FETCHCMD, for example for FETCHCMD_wget the libedit would
> > fail since it appends the wget to use different User-Agent.
> >
> > I've copied Raj here since he introduced this recipe in the form it is
> > and would definitely break.
> >
> > Can you please have a look at this and advise on how one can continue
> > to use the FETCHCMD appends for the future?
>
> One answer could be that modifications of the fetcher command lines
> should be done by completely defining them rather than appending. I'm
> not sure how reasonable that is though.
>
> In the end the approach to fixing this depends on whether appending to
> the default fetcher commands is considered valid usage or not... and I
> don't know the answer to that.
>
> > For now, I've defined the FETCHCMD_wget in my local.conf but I do not
> > believe that this is the general way everyone should follow if they
> > would need to append fetcher commands...
> >
> > Thanks a lot!
> >
> > --
> > Regards,
> > Andrey.

Given that the libedit recipe in OE-Core does:

FETCHCMD_wget += "-U bitbake"

someone will probably have to do something about this...

One can also note that wget.py and npm.py will now use different
arguments to wget after the default was removed from bitbake.conf (the
difference being the added use of -nv in npm.py so nothing major, but
still...)

//Peter
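Both issues raised in this thread can be checked for mechanically in layer and local configuration: an append left with no base command once the default is gone, and credentials passed on the fetcher command line instead of .netrc. The following is an added example, not code from BitBake or from any poster. The name `audit`, the finding labels and every sample line except the libedit one are assumptions, and it scans a single text rather than using BitBake's real parser.

```python
import re
import shlex

# FETCHCMD_<fetcher> assignments as they appear in .conf/.bb/.bbappend files.
ASSIGN = re.compile(r'^\s*(FETCHCMD_[a-z0-9]+)(_append|_prepend)?\s*'
                    r'(\+=|=\+|\.=|=\.|\?\?=|\?=|:=|=)\s*"(.*)"\s*$')
APPEND_OPS = {"+=", "=+", ".=", "=."}
# wget options that put credentials on the command line (and so into logs and ps).
CRED_OPTS = {"--user", "--password", "--http-user", "--http-password",
             "--ftp-user", "--ftp-password", "--proxy-user", "--proxy-password"}
URL_CREDS = re.compile(r"\w+://[^/\s:@]+:[^/\s@]+@")


def audit(conf_text):
    """Return sorted (variable, finding) pairs for the FETCHCMD_* lines in conf_text.

    Assumption: conf_text holds every assignment to the variable, i.e. no
    default exists elsewhere, which is the situation the thread describes.
    """
    rows = [m.groups() for m in map(ASSIGN.match, conf_text.splitlines()) if m]
    defined = {var for var, suffix, op, _ in rows
               if not suffix and op not in APPEND_OPS}
    findings = set()
    for var, suffix, op, value in rows:
        if (suffix or op in APPEND_OPS) and var not in defined:
            # Nothing supplies the command itself: the value is options only.
            findings.add((var, "append-without-base-command"))
        try:
            tokens = shlex.split(value)
        except ValueError:          # unbalanced quote inside the value
            tokens = value.split()
        if any(t.split("=", 1)[0] in CRED_OPTS or URL_CREDS.search(t) for t in tokens):
            findings.add((var, "credentials-on-command-line"))
    return sorted(findings)


# Constructed samples. The first is the libedit line quoted in the thread;
# the wget command line and the credentials in the second are made up.
APPEND_ONLY = 'FETCHCMD_wget += "-U bitbake"\n'
WITH_CREDS = ('FETCHCMD_wget = "/usr/bin/env wget -t 2 -T 30"\n'
              'FETCHCMD_wget_append = " --http-user=builder --http-password=EXAMPLE"\n')

if __name__ == "__main__":
    for name, text in (("append only", APPEND_ONLY), ("with creds", WITH_CREDS)):
        print(name, audit(text))
```

The credential check also catches proxy URLs of the form `scheme://user:password@host` passed as option values, which covers the local proxy case mentioned earlier in the thread.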