[yocto-security] [OE-core CVE] branch thud-next updated. 2018-10-55-g4f22710
cve-notice at lists.openembedded.org
Fri Nov 16 09:02:06 PST 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "".
The branch, thud-next has been updated
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 4f22710f9a310412f1de0b4e6905c058ec416f25
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Fri Nov 16 10:28:10 2018 +0000
sanity: Add check for WSL
Users are starting to expect OE to work under WSL which it doesn't. Add a warning to
tell them about this up front and manage expectations.
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit cc0471439aa0085ca87deccf061c5b676ef12388
Author: Richard Purdie <richard.purdie at linuxfoundation.org>
Date: Fri Nov 16 09:33:28 2018 +0000
oeqa/utils/httpserver: Rework to avoid hangs and improve logging
testimage.bbclass installs a SIGTERM handler which conflicts with the
use of multiprocessing here. This is particularly problematic if the http
service is terminated before it's started and hence before it's had a chance
to reset the default signal handler (as the code was written).
Instead, temporarily remove testimage's handler whilst forking the http process
which means the correct handler is installed and won't deadlock.
Also take the opportunity to add in some log messages about the server start
and shutdown so that future debugging is easier and it's clearer what the code
is doing.
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 8f5b6a3789a7fcbac0a384b84b4c7ef5994023b6
Author: Martin Hundebøll <martin at geanix.com>
Date: Thu Nov 15 10:12:50 2018 +0100
openssl-1.1.1: remove build path from version info
The openssl build system generates buildinf.h containing the full
compiler command line used to compile objects. This breaks
reproducibility, as the compile command is baked into libcrypto, where
it is used when running `openssl version -f`.
Add stripped build variables for the compiler and cflags lines, and use
those when generating buildinfo.h.
This is based on a similar patch for older openssl versions:
https://patchwork.openembedded.org/patch/147229/
Signed-off-by: Martin Hundebøll <martin at geanix.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit bade7cc344c2f0e9316f973c34e9c9dfcbdbe32d
Author: Martin Hundebøll <martin at geanix.com>
Date: Thu Nov 15 10:12:49 2018 +0100
busybox: make busybox.links.{suid, nosuid} reproducible
The busybox.link.* files are generated from autoconf.h and applets.h,
which are both auto-generated by the build system. The contents of the
two files might be in different order, and so the link files are not
reproducible as is.
Fix this by sorting the lists using `sort`.
Signed-off-by: Martin Hundebøll <martin at geanix.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
commit 5f4fe91cb6c21cd3ecd0b68d1c6b46a9530c7570
Author: Martin Hundebøll <martin at geanix.com>
Date: Thu Nov 15 10:12:48 2018 +0100
shadow: improve reproducibility by hard-coding shell path
The shadow configure script tries really hard to detect the running
shell to make sure it doesn't do unsupported calls.
On my system the shell is detected as /bin/sh, while a build in an
ubuntu docker it resolves to /bin/bash. And since the shell path is
baked into the target binaries through config.h, the build becomes
irreproducible.
Fix reproducibility by hard-coding the shell to be /bin/sh.
Signed-off-by: Martin Hundebøll <martin at geanix.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
-----------------------------------------------------------------------
Summary of changes:
meta/classes/archiver.bbclass | 10 +-
meta/classes/base.bbclass | 10 +-
meta/classes/crosssdk.bbclass | 8 +-
meta/classes/go.bbclass | 2 +-
meta/classes/image-buildinfo.bbclass | 2 +
meta/classes/reproducible_build.bbclass | 5 +-
meta/classes/sanity.bbclass | 11 +
meta/conf/bitbake.conf | 3 +-
meta/files/common-licenses/FreeType | 4 +-
meta/lib/oeqa/core/runner.py | 8 +
meta/lib/oeqa/runtime/cases/apt.py | 2 +-
meta/lib/oeqa/runtime/cases/dnf.py | 2 +-
meta/lib/oeqa/runtime/cases/opkg.py | 2 +-
meta/lib/oeqa/runtime/cases/ptest.py | 21 +-
meta/lib/oeqa/selftest/cases/buildoptions.py | 23 +
meta/lib/oeqa/selftest/cases/containerimage.py | 1 +
meta/lib/oeqa/selftest/cases/recipetool.py | 4 +-
meta/lib/oeqa/selftest/context.py | 2 +-
meta/lib/oeqa/utils/httpserver.py | 37 +-
.../v86d/v86d/Support-for-cross-compilation.patch | 34 +
meta/recipes-bsp/v86d/v86d/aarch64-host.patch | 18 -
meta/recipes-bsp/v86d/v86d_0.1.10.bb | 4 +-
...trip-sysroot-and-debug-prefix-map-from-co.patch | 70 ++
.../openssl/openssl/0002-fix-CVE-2018-0734.patch | 108 +++
.../openssl/openssl/0003-fix-CVE-2018-0735.patch | 50 ++
.../openssl/openssl10/0001-fix-CVE-2018-0734.patch | 33 +
.../openssl/openssl10_1.0.2p.bb | 1 +
meta/recipes-connectivity/openssl/openssl_1.1.1.bb | 3 +
meta/recipes-core/busybox/busybox.inc | 3 +-
.../0034-inject-file-assembly-directives.patch | 13 +
.../images/build-appliance-image_15.0.0.bb | 6 +-
.../initscripts-1.0/populate-volatile.sh | 4 +-
.../packagegroup-core-tools-profile.bb | 1 +
...sive-let-s-rework-the-recursive-logic-to-.patch | 219 ++++++
...eserializing-state-always-use-read_line-L.patch | 250 +++++++
...sure-we-have-enough-space-for-the-DHCP6-o.patch | 39 +
meta/recipes-core/systemd/systemd_239.bb | 3 +
meta/recipes-core/sysvinit/sysvinit_2.88dsf.bb | 2 +-
meta/recipes-devtools/apt/apt.inc | 2 +-
meta/recipes-devtools/binutils/binutils-2.31.inc | 4 +
.../binutils/binutils/CVE-2018-18309.patch | 308 ++++++++
.../binutils/binutils/CVE-2018-18605.patch | 47 ++
.../binutils/binutils/CVE-2018-18606.patch | 70 ++
.../binutils/binutils/CVE-2018-18607.patch | 77 ++
.../{elfutils_0.173.bb => elfutils_0.174.bb} | 10 +-
...01-arlib-Check-that-sh_entsize-isn-t-zero.patch | 36 +
...Check-end-of-attributes-list-consistently.patch | 84 ---
...Sanity-check-partial-core-file-data-reads.patch | 60 ++
.../0001-size-Handle-recursive-ELF-ar-files.patch | 40 +
...rn-error-if-elf_compress_gnu-is-used-on-S.patch | 59 --
...de-alternatives-for-glibc-assumptions-hel.patch | 808 +--------------------
.../elfutils/files/CVE-2018-16062.patch | 79 --
meta/recipes-devtools/go/go-cross.inc | 4 +-
meta/recipes-devtools/go/go-dep_0.5.0.bb | 5 +
meta/recipes-devtools/go/go-runtime.inc | 2 +-
meta/recipes-devtools/go/go-target.inc | 2 +-
...proc-parse_size-Check-for-string-provided.patch | 37 +
meta/recipes-devtools/nasm/nasm_2.13.03.bb | 1 +
.../python/python3/python3-manifest.json | 17 +
meta/recipes-devtools/python/python3_3.5.6.bb | 4 +-
.../{CVE-2018-17958.patch => CVE-2018-10839.patch} | 22 +-
meta/recipes-devtools/valgrind/valgrind_3.14.0.bb | 1 +
...add-operand-checking-to-.setnativefontmap.patch | 59 ++
...Improve-hiding-of-security-critical-custo.patch | 434 +++++++++++
...32-add-control-over-hiding-error-handlers.patch | 172 +++++
...operators-pass-a-name-object-to-error-han.patch | 105 +++
...-699938-.loadfontloop-must-be-an-operator.patch | 31 +
...define-some-additional-internal-operators.patch | 42 ++
...don-t-include-operator-arrays-in-execstac.patch | 197 +++++
...put-unavailable-from-.policyprocs-helper-.patch | 245 +++++++
.../ghostscript/ghostscript_9.25.bb | 8 +
meta/recipes-extended/shadow/shadow.inc | 2 +
...code-native_2018f.bb => tzcode-native_2018g.bb} | 8 +-
.../tzdata/{tzdata_2018f.bb => tzdata_2018g.bb} | 4 +-
.../unzip/unzip/CVE-2018-18384.patch | 39 +
meta/recipes-extended/unzip/unzip_6.0.bb | 1 +
meta/recipes-graphics/xorg-lib/pixman_0.34.0.bb | 2 +-
.../xorg-xserver/xserver-xorg/CVE-2018-14665.patch | 62 ++
.../xorg-xserver/xserver-xorg_1.20.1.bb | 1 +
meta/recipes-kernel/perf/perf.bb | 4 +
meta/recipes-support/apr/apr-util_1.6.1.bb | 2 +-
meta/recipes-support/apr/apr_1.6.3.bb | 2 +-
.../recipes-support/curl/curl/CVE-2018-16839.patch | 35 +
.../recipes-support/curl/curl/CVE-2018-16840.patch | 43 ++
.../recipes-support/curl/curl/CVE-2018-16842.patch | 35 +
meta/recipes-support/curl/curl_7.61.0.bb | 3 +
meta/recipes-support/gdbm/gdbm_1.18.bb | 2 +-
.../libgpg-error/libgpg-error_1.32.bb | 6 +-
.../nss/{nss_3.38.bb => nss_3.39.bb} | 4 +-
scripts/autobuilder-worker-prereq-tests | 9 +-
scripts/lib/wic/filemap.py | 9 +-
scripts/oe-buildenv-internal | 11 +-
92 files changed, 3255 insertions(+), 1119 deletions(-)
create mode 100644 meta/recipes-bsp/v86d/v86d/Support-for-cross-compilation.patch
delete mode 100644 meta/recipes-bsp/v86d/v86d/aarch64-host.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/0003-fix-CVE-2018-0735.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl10/0001-fix-CVE-2018-0734.patch
create mode 100644 meta/recipes-core/systemd/systemd/0001-chown-recursive-let-s-rework-the-recursive-logic-to-.patch
create mode 100644 meta/recipes-core/systemd/systemd/0001-core-when-deserializing-state-always-use-read_line-L.patch
create mode 100644 meta/recipes-core/systemd/systemd/0001-dhcp6-make-sure-we-have-enough-space-for-the-DHCP6-o.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-18309.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-18605.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-18606.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-18607.patch
rename meta/recipes-devtools/elfutils/{elfutils_0.173.bb => elfutils_0.174.bb} (89%)
create mode 100644 meta/recipes-devtools/elfutils/files/0001-arlib-Check-that-sh_entsize-isn-t-zero.patch
delete mode 100644 meta/recipes-devtools/elfutils/files/0001-libdw-Check-end-of-attributes-list-consistently.patch
create mode 100644 meta/recipes-devtools/elfutils/files/0001-libdwfl-Sanity-check-partial-core-file-data-reads.patch
create mode 100644 meta/recipes-devtools/elfutils/files/0001-size-Handle-recursive-ELF-ar-files.patch
delete mode 100644 meta/recipes-devtools/elfutils/files/0002-libelf-Return-error-if-elf_compress_gnu-is-used-on-S.patch
delete mode 100644 meta/recipes-devtools/elfutils/files/CVE-2018-16062.patch
create mode 100644 meta/recipes-devtools/nasm/nasm/0001-preproc-parse_size-Check-for-string-provided.patch
copy meta/recipes-devtools/qemu/qemu/{CVE-2018-17958.patch => CVE-2018-10839.patch} (74%)
create mode 100644 meta/recipes-extended/ghostscript/files/0001-Bug-699795-add-operand-checking-to-.setnativefontmap.patch
create mode 100644 meta/recipes-extended/ghostscript/files/0002-Bug-699816-Improve-hiding-of-security-critical-custo.patch
create mode 100644 meta/recipes-extended/ghostscript/files/0003-Bug-699832-add-control-over-hiding-error-handlers.patch
create mode 100644 meta/recipes-extended/ghostscript/files/0004-For-hidden-operators-pass-a-name-object-to-error-han.patch
create mode 100644 meta/recipes-extended/ghostscript/files/0005-Bug-699938-.loadfontloop-must-be-an-operator.patch
create mode 100644 meta/recipes-extended/ghostscript/files/0006-Undefine-some-additional-internal-operators.patch
create mode 100644 meta/recipes-extended/ghostscript/files/0007-Bug-699927-don-t-include-operator-arrays-in-execstac.patch
create mode 100644 meta/recipes-extended/ghostscript/files/0008-Make-.forceput-unavailable-from-.policyprocs-helper-.patch
rename meta/recipes-extended/tzcode/{tzcode-native_2018f.bb => tzcode-native_2018g.bb} (70%)
rename meta/recipes-extended/tzdata/{tzdata_2018f.bb => tzdata_2018g.bb} (98%)
create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2018-18384.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2018-14665.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16839.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16840.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16842.patch
rename meta/recipes-support/nss/{nss_3.38.bb => nss_3.39.bb} (98%)
hooks/post-receive