* [PATCH 00/20] Dizzy-next pull request 2016-1
@ 2016-01-10 0:30 Armin Kuster
2016-01-10 0:30 ` [PATCH 01/20] libtasn1: CVE-2015-3622 Armin Kuster
` (20 more replies)
0 siblings, 21 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
Please consider these changes for dizzy-next community support.
The following changes since commit 6d34267e0a13e10ab91b60590b27a2b5ba3b7da6:
documentation: Changed some 'intro' tags to resolve multiple mega-manual warnings. (2015-11-18 16:44:05 +0000)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib akuster/dizzy-next
http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/dizzy-next
Armin Kuster (2):
openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
Fixes a heap buffer overflow in glibc wscanf.
Belal, Awais (1):
grub2: Fix CVE-2015-8370
Chen Qi (1):
image.bbclass: don't let do_rootfs depend on BUILDNAME
Martin Jansa (3):
fontcache: allow to pass extra parameters and environment to fc-cache
texinfo: don't create dependency on INHERIT variable
linux-dtb.inc: drop unused DTB_NAME variable from do_install
Mike Crowe (1):
allarch: Force TARGET_*FLAGS variable values
Richard Purdie (2):
layer.conf: Add several allarch dependency exclusions
layer.conf: Add missing dependency for allarch package
initramfs-framework
Sergiy Kibrik (1):
rsync: backport libattr checking patch
Sona Sarmadi (7):
libtasn1: CVE-2015-3622
grep2.19: CVE-2015-1345
libxml2: CVE-2015-7942
libxml2: CVE-2015-8035
openssl: CVE-2015-3194, CVE-2015-3195
libxml2: CVE-2015-8241
bind: CVE-2015-8000
Tudor Florea (2):
glibc: use patch for CVE-2015-1781
unzip: CVE-2015-7696, CVE-2015-7697
meta/classes/allarch.bbclass | 4 +
meta/classes/fontcache.bbclass | 19 +-
meta/classes/image.bbclass | 2 +-
meta/conf/layer.conf | 11 ++
...E-2015-8370-Grub2-user-pass-vulnerability.patch | 50 ++++++
meta/recipes-bsp/grub/grub-efi_2.00.bb | 1 +
meta/recipes-bsp/grub/grub_2.00.bb | 1 +
.../bind/bind/CVE-2015-8000.patch | 194 +++++++++++++++++++++
meta/recipes-connectivity/bind/bind_9.9.5.bb | 1 +
.../openssh/openssh/CVE-2015-6563.patch | 36 ++++
.../openssh/openssh/CVE-2015-6564.patch | 34 ++++
.../openssh/openssh/CVE-2015-6565.patch | 35 ++++
meta/recipes-connectivity/openssh/openssh_6.6p1.bb | 5 +-
.../CVE-2015-3194-Add-PSS-parameter-check.patch | 37 ++++
...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 61 +++++++
.../recipes-connectivity/openssl/openssl_1.0.1p.bb | 2 +
...5-1472-wscanf-allocates-too-little-memory.patch | 108 ++++++++++++
meta/recipes-core/glibc/glibc_2.20.bb | 5 +-
meta/recipes-core/libxml/libxml2.inc | 3 +
.../libxml/libxml2/CVE-2015-7942.patch | 58 ++++++
.../libxml/libxml2/CVE-2015-8035.patch | 35 ++++
.../libxml/libxml2/CVE-2015-8241.patch | 41 +++++
.../rsync/files/check_libattr.patch | 33 ++++
meta/recipes-devtools/rsync/rsync_3.1.0.bb | 3 +-
.../grep/grep-2.19/grep2.19-CVE-2015-1345.patch | 129 ++++++++++++++
meta/recipes-extended/grep/grep_2.19.bb | 4 +-
meta/recipes-extended/texinfo/texinfo_5.2.bb | 2 +-
.../unzip/unzip/CVE-2015-7696.patch | 38 ++++
.../unzip/unzip/CVE-2015-7697.patch | 31 ++++
meta/recipes-extended/unzip/unzip_6.0.bb | 2 +
meta/recipes-kernel/linux/linux-dtb.inc | 1 -
.../gnutls/libtasn1/libtasn1-CVE-2015-3622.patch | 44 +++++
meta/recipes-support/gnutls/libtasn1_4.0.bb | 1 +
scripts/postinst-intercepts/update_font_cache | 4 +-
34 files changed, 1020 insertions(+), 15 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
create mode 100644 meta/recipes-devtools/rsync/files/check_libattr.patch
create mode 100644 meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
create mode 100644 meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
--
1.9.1
* [PATCH 01/20] libtasn1: CVE-2015-3622
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Sona Sarmadi <sona.sarmadi@enea.com>
_asn1_extract_der_octet: prevent past of boundary access
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3622
http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=patch;h=f979435823a02f842c41d49cd41cc81f25b5d677
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../gnutls/libtasn1/libtasn1-CVE-2015-3622.patch | 44 ++++++++++++++++++++++
meta/recipes-support/gnutls/libtasn1_4.0.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
diff --git a/meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch b/meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
new file mode 100644
index 0000000..0989ef6
--- /dev/null
+++ b/meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
@@ -0,0 +1,44 @@
+From f979435823a02f842c41d49cd41cc81f25b5d677 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@redhat.com>
+Date: Mon, 20 Apr 2015 14:56:27 +0200
+Subject: [PATCH] _asn1_extract_der_octet: prevent past of boundary access
+
+Fixes CVE-2015-3622.
+Upstream-Status: Backport
+
+Reported by Hanno Böck.
+---
+ lib/decoding.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/decoding.c b/lib/decoding.c
+index 7fbd931..42ddc6b 100644
+--- a/lib/decoding.c
++++ b/lib/decoding.c
+@@ -732,6 +732,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+ return ASN1_DER_ERROR;
+
+ counter = len3 + 1;
++ DECR_LEN(der_len, len3);
+
+ if (len2 == -1)
+ counter_end = der_len - 2;
+@@ -740,6 +741,7 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+
+ while (counter < counter_end)
+ {
++ DECR_LEN(der_len, 1);
+ len2 = asn1_get_length_der (der + counter, der_len, &len3);
+
+ if (IS_ERR(len2, flags))
+@@ -764,7 +766,6 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
+ len2 = 0;
+ }
+
+- DECR_LEN(der_len, 1);
+ counter += len2 + len3 + 1;
+ }
+
+--
+1.7.2.5
+
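Review bot: The embedded patch header (the lines between Subject and the first `---`) carries Upstream-Status but no Signed-off-by from whoever did the backport, and the upstream commit URL lives only in the outer commit message; add both to the patch file so its provenance stays with the recipe. Separately, in the first lib/decoding.c hunk `DECR_LEN(der_len, len3);` now runs before `counter_end = der_len - 2;`, so counter_end is computed from the reduced length while counter (`len3 + 1`) is still an offset from the start of der. The index line and offsets appear to be carried over from the upstream commit, so please confirm the patch applies to the 4.0 sources without fuzz and that this bound is the intended one.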
diff --git a/meta/recipes-support/gnutls/libtasn1_4.0.bb b/meta/recipes-support/gnutls/libtasn1_4.0.bb
index 289833ec..16cf4d6 100644
--- a/meta/recipes-support/gnutls/libtasn1_4.0.bb
+++ b/meta/recipes-support/gnutls/libtasn1_4.0.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
SRC_URI = "${GNU_MIRROR}/libtasn1/libtasn1-${PV}.tar.gz \
file://libtasn1_fix_for_automake_1.12.patch \
file://dont-depend-on-help2man.patch \
+ file://libtasn1-CVE-2015-3622.patch \
"
SRC_URI[md5sum] = "d3d2d9bce3b6668b9827a9df52635be1"
--
1.9.1
* [PATCH 02/20] grep2.19: CVE-2015-1345
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Sona Sarmadi <sona.sarmadi@enea.com>
Fixes heap-based buffer overflow flaw in grep.
Affected versions are: grep 2.19 through 2.21
Removed THANKS.in changes from upstream patch since this
file does not exist in version 2.19.
Replaced tab with spaces in SRC_URI as well.
Upstream fix:
http://git.sv.gnu.org/cgit/grep.git/commit/?id=83a95bd8c8561875b948cadd417c653dbe7ef2e2
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../grep/grep-2.19/grep2.19-CVE-2015-1345.patch | 129 +++++++++++++++++++++
meta/recipes-extended/grep/grep_2.19.bb | 4 +-
2 files changed, 132 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
diff --git a/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
new file mode 100644
index 0000000..32846f5
--- /dev/null
+++ b/meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
@@ -0,0 +1,129 @@
+From 83a95bd8c8561875b948cadd417c653dbe7ef2e2 Mon Sep 17 00:00:00 2001
+From: Yuliy Pisetsky <ypisetsky@fb.com>
+Date: Thu, 01 Jan 2015 23:36:55 +0000
+Subject: grep -F: fix a heap buffer (read) overrun
+
+grep's read buffer is often filled to its full size, except when
+reading the final buffer of a file. In that case, the number of
+bytes read may be far less than the size of the buffer. However, for
+certain unusual pattern/text combinations, grep -F would mistakenly
+examine bytes in that uninitialized region of memory when searching
+for a match. With carefully chosen inputs, one can cause grep -F to
+read beyond the end of that buffer altogether. This problem arose via
+commit v2.18-90-g73893ff with the introduction of a more efficient
+heuristic using what is now the memchr_kwset function. The use of
+that function in bmexec_trans could leave TP much larger than EP,
+and the subsequent call to bm_delta2_search would mistakenly access
+beyond end of the main input read buffer.
+
+* src/kwset.c (bmexec_trans): When TP reaches or exceeds EP,
+do not call bm_delta2_search.
+* tests/kwset-abuse: New file.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS (Bug fixes): Mention it.
+
+Prior to this patch, this command would trigger a UMR:
+
+ printf %0360db 0 | valgrind src/grep -F $(printf %019dXb 0)
+
+ Use of uninitialised value of size 8
+ at 0x4142BE: bmexec_trans (kwset.c:657)
+ by 0x4143CA: bmexec (kwset.c:678)
+ by 0x414973: kwsexec (kwset.c:848)
+ by 0x414DC4: Fexecute (kwsearch.c:128)
+ by 0x404E2E: grepbuf (grep.c:1238)
+ by 0x4054BF: grep (grep.c:1417)
+ by 0x405CEB: grepdesc (grep.c:1645)
+ by 0x405EC1: grep_command_line_arg (grep.c:1692)
+ by 0x4077D4: main (grep.c:2570)
+
+See the accompanying test for how to trigger the heap buffer overrun.
+
+Thanks to Nima Aghdaii for testing and finding numerous
+ways to break early iterations of this patch.
+
+Fixes CVE-2015-1345.
+Upstream-Status: Backport
+
+---
+diff --git a/NEWS b/NEWS
+index 975440d..3835d8d 100644
+--- a/NEWS
++++ b/NEWS
+@@ -2,6 +2,11 @@ GNU grep NEWS -*- outline -*-
+
+ * Noteworthy changes in release ?.? (????-??-??) [?]
+
++** Bug fixes
++
++ grep no longer reads from uninitialized memory or from beyond the end
++ of the heap-allocated input buffer.
++
+
+ * Noteworthy changes in release 2.21 (2014-11-23) [stable]
+
+diff --git a/src/kwset.c b/src/kwset.c
+index 4003c8d..376f7c3 100644
+--- a/src/kwset.c
++++ b/src/kwset.c
+@@ -643,6 +643,8 @@ bmexec_trans (kwset_t kwset, char const *text, size_t size)
+ if (! tp)
+ return -1;
+ tp++;
++ if (ep <= tp)
++ break;
+ }
+ }
+ }
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2cba2cd..0508cd2 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -75,6 +75,7 @@ TESTS = \
+ inconsistent-range \
+ invalid-multibyte-infloop \
+ khadafy \
++ kwset-abuse \
+ long-line-vs-2GiB-read \
+ match-lines \
+ max-count-overread \
+diff --git a/tests/kwset-abuse b/tests/kwset-abuse
+new file mode 100755
+index 0000000..6d8ec0c
+--- a/dev/null
++++ b/tests/kwset-abuse
+@@ -0,0 +1,32 @@
++#! /bin/sh
++# Evoke a segfault in a hard-to-reach code path of kwset.c.
++# This bug affected grep versions 2.19 through 2.21.
++#
++# Copyright (C) 2015 Free Software Foundation, Inc.
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/init.sh"; path_prepend_ ../src
++
++fail=0
++
++# This test case chooses a haystack of size 260,000, since prodding
++# with gdb showed a reallocation slightly larger than that in fillbuf.
++# To reach the buggy code, the needle must have length < 1/11 that of
++# the haystack, and 10,000 is a nice round number that fits the bill.
++printf '%0260000dXy\n' 0 | grep -F $(printf %010000dy 0)
++
++test $? = 1 || fail=1
++
++Exit $fail
+--
+cgit v0.9.0.2
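Review bot: The NEWS hunk cannot match the sources this recipe builds: its trailing context is `* Noteworthy changes in release 2.21 (2014-11-23) [stable]` and its leading context is the unreleased `?.?` heading, neither of which a grep 2.19 tarball contains. Drop the NEWS hunk the same way the THANKS.in change was dropped, otherwise do_patch depends on fuzz or fails. The new-file header for tests/kwset-abuse also reads `--- a/dev/null` instead of `--- /dev/null`, and the trailer is `cgit v0.9.0.2`, which suggests the file was saved from the web view; regenerating it with git format-patch against 2.19 would fix both and leave room for the backporter's Signed-off-by inside the patch.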
diff --git a/meta/recipes-extended/grep/grep_2.19.bb b/meta/recipes-extended/grep/grep_2.19.bb
index 9c162cc..d60ce5e 100644
--- a/meta/recipes-extended/grep/grep_2.19.bb
+++ b/meta/recipes-extended/grep/grep_2.19.bb
@@ -5,7 +5,9 @@ SECTION = "console/utils"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=8006d9c814277c1bfc4ca22af94b59ee"
-SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz"
+SRC_URI = "${GNU_MIRROR}/grep/grep-${PV}.tar.xz \
+ file://grep2.19-CVE-2015-1345.patch \
+ "
SRC_URI[md5sum] = "ac732142227d9fe9567d71301e127979"
SRC_URI[sha256sum] = "6388295be48cfcaf7665d9cd3914e6625ea000e9414132bfefd45cf1d8eec34d"
--
1.9.1
* [PATCH 03/20] rsync: backport libattr checking patch
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Sergiy Kibrik <sakib@meta.ua>
Add check_libattr.patch to version 3.1.0 recipe, which checks
and includes libattr to linker, otherwise rsync may fail to build
with linker error below (as -lattr option gets omitted):
[..]
lib/sysxattrs.o: undefined reference to symbol 'llistxattr@@ATTR_1.0'
[..]/lib/libattr.so.1: error adding symbols: DSO missing from command line
Signed-off-by: Sergiy Kibrik <sakib@meta.ua>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../rsync/files/check_libattr.patch | 33 ++++++++++++++++++++++
meta/recipes-devtools/rsync/rsync_3.1.0.bb | 3 +-
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/rsync/files/check_libattr.patch
diff --git a/meta/recipes-devtools/rsync/files/check_libattr.patch b/meta/recipes-devtools/rsync/files/check_libattr.patch
new file mode 100644
index 0000000..cb159fa
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/check_libattr.patch
@@ -0,0 +1,33 @@
+From 677c6e14cc7d5f41371d5616865a5f0cfc0a273f Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayned@samba.org>
+Date: Mon, 5 May 2014 09:25:13 -0700
+Subject: [PATCH] Check for attr lib.
+
+---
+ configure.ac | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index c7b28c5..8e3703c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1007,7 +1007,7 @@ else
+ *)
+ AC_MSG_RESULT(running tests:)
+ AC_CHECK_LIB(acl,acl_get_file)
+- AC_CACHE_CHECK([for ACL support],samba_cv_HAVE_POSIX_ACLS,[
++ AC_CACHE_CHECK([for ACL support],samba_cv_HAVE_POSIX_ACLS,[
+ AC_TRY_LINK([#include <sys/types.h>
+ #include <sys/acl.h>],
+ [ acl_t acl; int entry_id; acl_entry_t *entry_p; return acl_get_entry( acl, entry_id, entry_p);],
+@@ -1057,6 +1057,7 @@ else
+ AC_DEFINE(HAVE_LINUX_XATTRS, 1, [True if you have Linux xattrs])
+ AC_DEFINE(SUPPORT_XATTRS, 1)
+ AC_DEFINE(NO_SYMLINK_USER_XATTRS, 1, [True if symlinks do not support user xattrs])
++ AC_CHECK_LIB(attr,getxattr)
+ ;;
+ darwin*)
+ AC_MSG_RESULT(Using OS X xattrs)
+--
+1.9.1
+
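Review bot: check_libattr.patch has no Upstream-Status line and no Signed-off-by in its header (only From, Date and Subject precede the `---`), although the commit title calls it a backport; add `Upstream-Status: Backport` and the sign-off. In the first configure.ac hunk the removed and added `AC_CACHE_CHECK([for ACL support],samba_cv_HAVE_POSIX_ACLS,[` lines read identically apart from whitespace; dropping that hunk leaves just the `AC_CHECK_LIB(attr,getxattr)` addition and lowers the chance of a context mismatch.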
diff --git a/meta/recipes-devtools/rsync/rsync_3.1.0.bb b/meta/recipes-devtools/rsync/rsync_3.1.0.bb
index a4a5c10..d253fe9 100644
--- a/meta/recipes-devtools/rsync/rsync_3.1.0.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.1.0.bb
@@ -1,7 +1,8 @@
require rsync.inc
-SRC_URI += "file://acinclude.m4"
+SRC_URI += "file://acinclude.m4 \
+ file://check_libattr.patch"
SRC_URI[md5sum] = "3be148772a33224771a8d4d2a028b132"
SRC_URI[sha256sum] = "81ca23f77fc9b957eb9845a6024f41af0ff0c619b7f38576887c63fa38e2394e"
--
1.9.1
* [PATCH 04/20] openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Three security fixes.
CVE-2015-6563 (Low) openssh: Privilege separation weakness related to PAM support
CVE-2015-6564 (Medium) openssh: Use-after-free bug related to PAM support
CVE-2015-6565 (High) openssh: Incorrectly set TTYs to be world-writable
(From OE-Core rev: 259df232b513367a0a18b17e3e377260a770288f)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Conflicts:
meta/recipes-connectivity/openssh/openssh_6.6p1.bb
---
.../openssh/openssh/CVE-2015-6563.patch | 36 ++++++++++++++++++++++
.../openssh/openssh/CVE-2015-6564.patch | 34 ++++++++++++++++++++
.../openssh/openssh/CVE-2015-6565.patch | 35 +++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_6.6p1.bb | 5 ++-
4 files changed, 109 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
new file mode 100644
index 0000000..19cea41
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
@@ -0,0 +1,36 @@
+CVE-2015-6563
+
+Don't resend username to PAM; it already has it.
+Pointed out by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1046,9 +1046,7 @@ extern KbdintDevice sshpam_device;
+ int
+ mm_answer_pam_init_ctx(int sock, Buffer *m)
+ {
+-
+ debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+Index: openssh-6.7p1/monitor_wrap.c
+===================================================================
+--- openssh-6.7p1.orig/monitor_wrap.c
++++ openssh-6.7p1/monitor_wrap.c
+@@ -826,7 +826,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+ debug3("%s", __func__);
+ buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
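Review bot: The Index paths in this patch are `openssh-6.7p1/monitor.c` and `openssh-6.7p1/monitor_wrap.c`, but the recipe being patched is openssh_6.6p1.bb. Please confirm both hunks apply to 6.6p1 without fuzz and, ideally, refresh the patch against that tree so the paths match the version it ships with. The removal of `authctxt->user = buffer_get_string(m, NULL);` in mm_answer_pam_init_ctx and of `buffer_put_cstring(&m, authctxt->user);` in mm_sshpam_init_ctx must stay paired, since the monitor no longer reads a string from the message; a sentence in the description saying the two hunks are interdependent would help anyone who later rebases one of them.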
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
new file mode 100644
index 0000000..588d42d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
@@ -0,0 +1,34 @@
+CVE-2015-6564
+
+ set sshpam_ctxt to NULL after free
+
+ Avoids use-after-free in monitor when privsep child is compromised.
+ Reported by Moritz Jodeit; ok dtucker@
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/5e75f5198769056089fb06c4d738ab0e5abc66f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/monitor.c
+===================================================================
+--- openssh-6.7p1.orig/monitor.c
++++ openssh-6.7p1/monitor.c
+@@ -1128,14 +1128,16 @@ mm_answer_pam_respond(int sock, Buffer *
+ int
+ mm_answer_pam_free_ctx(int sock, Buffer *m)
+ {
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+ }
+ #endif
+
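Review bot: Besides clearing the pointers, this hunk changes the return value: the old `return (sshpam_authok == sshpam_ctxt);` was true when both were NULL, while the new `r` also requires `sshpam_authok != NULL`. The description only mentions the use-after-free, so add a sentence saying that the result is now computed before the free and is false when sshpam_authok was never set.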
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
new file mode 100644
index 0000000..42667b0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
@@ -0,0 +1,35 @@
+CVE-2015-6565 openssh: Incorrectly set TTYs to be world-writable
+
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Upstream-Status: Backport
+
+merged two changes into one.
+[1] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=a5883d4eccb94b16c355987f58f86a7dee17a0c2
+tighten permissions on pty when the "tty" group does not exist; pointed out by Corinna Vinschen; ok markus
+
+[2] https://anongit.mindrot.org/openssh.git/commit/sshpty.c?id=6f941396b6835ad18018845f515b0c4fe20be21a
+fix pty permissions; patch from Nikolay Edigaryev; ok deraadt
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: openssh-6.7p1/sshpty.c
+===================================================================
+--- openssh-6.7p1.orig/sshpty.c
++++ openssh-6.7p1/sshpty.c
+@@ -196,13 +196,8 @@ pty_setowner(struct passwd *pw, const ch
+
+ /* Determine the group to make the owner of the tty. */
+ grp = getgrnam("tty");
+- if (grp) {
+- gid = grp->gr_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP;
+- } else {
+- gid = pw->pw_gid;
+- mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
+- }
++ gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+ /*
+ * Change owner and mode of the tty as required.
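Review bot: The description should say which case actually changes. With a tty group the old `S_IRUSR | S_IWUSR | S_IWGRP` and the new `0620` are the same mode; only the fallback without a tty group goes from `S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH` (0622) to `0600`. The line `fix pty permissions; patch from Nikolay Edigaryev; ok deraadt` also appears twice in the header; keep it once under [2].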
diff --git a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
index f575665..4b88704 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.6p1.bb
@@ -25,7 +25,10 @@ SRC_URI = "ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar.
file://run-ptest \
file://openssh-CVE-2014-2532.patch \
file://openssh-CVE-2014-2653.patch \
- file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch"
+ file://CVE-2015-6563.patch \
+ file://CVE-2015-6564.patch \
+ file://CVE-2015-6565.patch \
+ "
PAM_SRC_URI = "file://sshd"
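Review bot: This hunk drops `file://auth2-none.c-avoid-authenticate-empty-passwords-to-m.patch` from SRC_URI: the `-` line removes it and none of the four `+` lines puts it back. The commit message lists a conflict in this file, so this looks like a resolution slip rather than an intended removal; keep the entry with a trailing backslash and append the three CVE patches after it.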
--
1.9.1
* [PATCH 05/20] fontcache: allow to pass extra parameters and environment to fc-cache
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <Martin.Jansa@gmail.com>
* this can be useful for passing extra parameters, pass
-v by default to see what's going on in do_rootfs
* we need to use this for extra parameter we implemented
in fontconfig:
--ignore-mtime always use cache file regardless of font directory mtime
because the checksum of fontcache generated in do_rootfs
doesn't match with /usr/share/fonts directory as seen on
target device causing fontconfig to re-create the cache
when fontconfig is used for first time or worse create
new cache in every user's home directory when /usr/
filesystem is read only and cache cannot be updated.
Running FC_DEBUG=16 fc-cache -v on such device shows:
FcCacheTimeValid dir "/usr/share/fonts" cache checksum 1441207803 dir checksum 1441206149
* my guess is that the checksum is different, because pseudo
(which is unloaded when running qemuwrapper) or because some
influence of running the rootfs under qemu.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/fontcache.bbclass | 19 +++++++++++++++----
scripts/postinst-intercepts/update_font_cache | 4 ++--
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/meta/classes/fontcache.bbclass b/meta/classes/fontcache.bbclass
index d122387..8ebdfc4 100644
--- a/meta/classes/fontcache.bbclass
+++ b/meta/classes/fontcache.bbclass
@@ -9,12 +9,23 @@ inherit qemu
FONT_PACKAGES ??= "${PN}"
FONT_EXTRA_RDEPENDS ?= "fontconfig-utils"
FONTCONFIG_CACHE_DIR ?= "${localstatedir}/cache/fontconfig"
+FONTCONFIG_CACHE_PARAMS ?= "-v"
+# You can change this to e.g. FC_DEBUG=16 to debug fc-cache issues,
+# something has to be set, because qemuwrapper is using this variable after -E
+# multiple variables aren't allowed because for qemu they are separated
+# by comma and in -n "$D" case they should be separated by space
+FONTCONFIG_CACHE_ENV ?= "FC_DEBUG=1"
fontcache_common() {
-if [ "x$D" != "x" ] ; then
- $INTERCEPT_DIR/postinst_intercept update_font_cache ${PKG} mlprefix=${MLPREFIX} bindir=${bindir} \
- libdir=${libdir} base_libdir=${base_libdir} fontconfigcachedir=${FONTCONFIG_CACHE_DIR}
+if [ -n "$D" ] ; then
+ $INTERCEPT_DIR/postinst_intercept update_font_cache ${PKG} mlprefix=${MLPREFIX} \
+ 'bindir="${bindir}"' \
+ 'libdir="${libdir}"' \
+ 'base_libdir="${base_libdir}"' \
+ 'fontconfigcachedir="${FONTCONFIG_CACHE_DIR}"' \
+ 'fontconfigcacheparams="${FONTCONFIG_CACHE_PARAMS}"' \
+ 'fontconfigcacheenv="${FONTCONFIG_CACHE_ENV}"'
else
- fc-cache
+ ${FONTCONFIG_CACHE_ENV} fc-cache ${FONTCONFIG_CACHE_PARAMS}
fi
}
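Review bot: The new defaults also change the on-target path: with `FONTCONFIG_CACHE_ENV ?= "FC_DEBUG=1"` and `FONTCONFIG_CACHE_PARAMS ?= "-v"`, the else branch runs fc-cache with debug output whenever the postinst executes on the device, although the comment says a non-empty value is needed only for the qemuwrapper `-E` case. Consider making the `-E` argument conditional in the intercept and defaulting FONTCONFIG_CACHE_ENV to empty, so debug output is opt-in. `mlprefix=${MLPREFIX}` is also left unquoted while every other argument gains quoting.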
diff --git a/scripts/postinst-intercepts/update_font_cache b/scripts/postinst-intercepts/update_font_cache
index c8c6018..0deab3c 100644
--- a/scripts/postinst-intercepts/update_font_cache
+++ b/scripts/postinst-intercepts/update_font_cache
@@ -1,5 +1,5 @@
#!/bin/sh
-PSEUDO_UNLOAD=1 qemuwrapper -L $D -E LD_LIBRARY_PATH=$D/${libdir}:$D/${base_libdir}\
- $D${bindir}/fc-cache --sysroot=$D
+PSEUDO_UNLOAD=1 qemuwrapper -L $D -E LD_LIBRARY_PATH=$D/${libdir}:$D/${base_libdir} \
+ -E ${fontconfigcacheenv} $D${bindir}/fc-cache --sysroot=$D ${fontconfigcacheparams}
chown -R root:root $D${fontconfigcachedir}
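Review bot: `-E ${fontconfigcacheenv}` is unquoted and unguarded, so an empty value leaves `-E` followed directly by `$D${bindir}/fc-cache`. The constraint is only documented in a comment in fontcache.bbclass; guard it here, for example with `${fontconfigcacheenv:+-E $fontconfigcacheenv}`, or exit with a clear message when the variable is empty.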
--
1.9.1
* [PATCH 06/20] image.bbclass: don't let do_rootfs depend on BUILDNAME
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
BUILDNAME is set by cooker as a string of current time. Letting do_rootfs
task depend on this variable gets us no benefit. Besides, letting do_rootfs
task depend on this variable will cause us trouble when executing
`bitbake -S none core-image-minimal'. With current code, this command
gives us an error complaining about the different basehash of do_rootfs task.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/image.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 1c0fda7..c0f9775 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -94,7 +94,7 @@ def rootfs_variables(d):
'IMAGE_ROOTFS_MAXSIZE','IMAGE_NAME','IMAGE_LINK_NAME','IMAGE_MANIFEST','DEPLOY_DIR_IMAGE','RM_OLD_IMAGE','IMAGE_FSTYPES','IMAGE_INSTALL_COMPLEMENTARY','IMAGE_LINGUAS','SDK_OS',
'SDK_OUTPUT','SDKPATHNATIVE','SDKTARGETSYSROOT','SDK_DIR','SDK_VENDOR','SDKIMAGE_INSTALL_COMPLEMENTARY','SDK_PACKAGE_ARCHS','SDK_OUTPUT','SDKTARGETSYSROOT','MULTILIBRE_ALLOW_REP',
'MULTILIB_TEMP_ROOTFS','MULTILIB_VARIANTS','MULTILIBS','ALL_MULTILIB_PACKAGE_ARCHS','MULTILIB_GLOBAL_VARIANTS','BAD_RECOMMENDATIONS','NO_RECOMMENDATIONS','PACKAGE_ARCHS',
- 'PACKAGE_CLASSES','TARGET_VENDOR','TARGET_VENDOR','TARGET_ARCH','TARGET_OS','OVERRIDES','BBEXTENDVARIANT','FEED_DEPLOYDIR_BASE_URI','INTERCEPT_DIR','BUILDNAME','USE_DEVFS',
+ 'PACKAGE_CLASSES','TARGET_VENDOR','TARGET_VENDOR','TARGET_ARCH','TARGET_OS','OVERRIDES','BBEXTENDVARIANT','FEED_DEPLOYDIR_BASE_URI','INTERCEPT_DIR','USE_DEVFS',
'STAGING_KERNEL_DIR','COMPRESSIONTYPES']
variables.extend(command_variables(d))
variables.extend(variable_depends(d))
--
1.9.1
* [PATCH 07/20] layer.conf: Add several allarch dependency exclusions
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
These are dependencies that our allarch packages have in OE-Core that cause
those allarch packages to rebuild every time MACHINE changes.
With these changes, OE-Core allarch packages all have common sstate
signatures and no longer rebuild.
(From OE-Core rev: 63bff90fa4fb4a95e8c79f9f8e5dd90ae1dfc69d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/conf/layer.conf | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/meta/conf/layer.conf b/meta/conf/layer.conf
index de96548..047292d 100644
--- a/meta/conf/layer.conf
+++ b/meta/conf/layer.conf
@@ -43,5 +43,15 @@ SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
gcc-cross-${TARGET_ARCH}->musl \
gcc-cross-${TARGET_ARCH}->uclibc \
gcc-cross-${TARGET_ARCH}->linux-libc-headers \
+ ppp-dialin->ppp \
+ resolvconf->bash \
+ docbook-xsl-stylesheets->perl \
+ initramfs-framework->busybox \
+ initramfs-framework->systemd \
+ liberation-fonts->fontconfig \
+ gnome-icon-theme->librsvg \
+ font-alias->font-util \
+ weston-init->weston \
+ weston-init->kbd \
"
--
1.9.1
* [PATCH 08/20] layer.conf: Add missing dependency for allarch package initramfs-framework
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (6 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 07/20] layer.conf: Add several allarch dependency exclusions Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 09/20] allarch: Force TARGET_*FLAGS variable values Armin Kuster
` (12 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Similarly to the other previous changes, add a missing allarch package dependency
for initramfs-framework on udev.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/conf/layer.conf | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/conf/layer.conf b/meta/conf/layer.conf
index 047292d..5b47cf4 100644
--- a/meta/conf/layer.conf
+++ b/meta/conf/layer.conf
@@ -48,6 +48,7 @@ SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS += " \
docbook-xsl-stylesheets->perl \
initramfs-framework->busybox \
initramfs-framework->systemd \
+ initramfs-framework->udev \
liberation-fonts->fontconfig \
gnome-icon-theme->librsvg \
font-alias->font-util \
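Review bot: The new `initramfs-framework->udev` entry has no comment saying why a change in udev can safely be ignored for this recipe's signature, and the commit message carries no "(From OE-Core rev: ...)" line to trace it back to master the way the previous layer.conf patch does. Each pair in SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS stops a change in the right-hand recipe from invalidating the left-hand recipe's sstate, so it is only safe where the dependency is used at run time and nothing from it ends up inside the package. Please state that for udev (and for the busybox and systemd entries beside it) in a comment next to the list, and add the upstream revision.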
--
1.9.1
* [PATCH 09/20] allarch: Force TARGET_*FLAGS variable values
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (7 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 08/20] layer.conf: Add missing dependency for allarch package initramfs-framework Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 10/20] texinfo: don't create dependency on INHERIT variable Armin Kuster
` (11 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Mike Crowe <mac@mcrowe.com>
TARGET_CPPFLAGS, TARGET_CFLAGS, TARGET_CPPFLAGS and TARGET_LDFLAGS may
differ between MACHINEs. Since they are exported they affect task hashes
even if unused which leads to multiple variants of allarch packages
existing in sstate and bouncing in the sysroot when switching between
MACHINEs.
allarch packages shouldn't be using these variables anyway, so let's
ensure they have a fixed value in order to avoid this problem.
(Compare with 05a70ac30b37cab0952f1b9df501993a9dec70da and
14f4d016fef9d660da1e7e91aec4a0e807de59ab.)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/allarch.bbclass | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/classes/allarch.bbclass b/meta/classes/allarch.bbclass
index 4bc9927..6f63f9d 100644
--- a/meta/classes/allarch.bbclass
+++ b/meta/classes/allarch.bbclass
@@ -27,6 +27,10 @@ python () {
d.setVar("PACKAGE_EXTRA_ARCHS", "")
d.setVar("SDK_ARCH", "none")
d.setVar("SDK_CC_ARCH", "none")
+ d.setVar("TARGET_CPPFLAGS", "none")
+ d.setVar("TARGET_CFLAGS", "none")
+ d.setVar("TARGET_CXXFLAGS", "none")
+ d.setVar("TARGET_LDFLAGS", "none")
# Avoid this being unnecessarily different due to nuances of
# the target machine that aren't important for "all" arch
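Review bot: The commit message lists TARGET_CPPFLAGS twice and never mentions TARGET_CXXFLAGS, while the added lines set TARGET_CPPFLAGS, TARGET_CFLAGS, TARGET_CXXFLAGS and TARGET_LDFLAGS; the message should name the four variables the code touches. The value "none" works as a fixed placeholder for hashing, but an allarch recipe that does reach a compiler would now pass the literal word none as an argument, so a one-line comment above the four d.setVar calls explaining that the value is deliberately unusable would save someone a confusing build failure.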
--
1.9.1
* [PATCH 10/20] texinfo: don't create dependency on INHERIT variable
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (8 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 09/20] allarch: Force TARGET_*FLAGS variable values Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 11/20] linux-dtb.inc: drop unused DTB_NAME variable from do_install Armin Kuster
` (10 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <Martin.Jansa@gmail.com>
* we don't want the do_package signature depending on INHERIT variable
* e.g. just adding the own-mirrors causes texinfo to rebuild:
# bitbake-diffsigs BUILD/sstate-diff/*/*/texinfo/*do_package.sig*
basehash changed from 015df2fd8e396cc1e15622dbac843301 to 9f1d06c4f238c70a99ccb6d8da348b6a
Variable INHERIT value changed from
' rm_work blacklist blacklist report-error ${PACKAGE_CLASSES} ${USER_CLASSES} ${INHERIT_DISTRO} ${INHERIT_BLACKLIST} sanity'
to
' rm_work own-mirrors blacklist blacklist report-error ${PACKAGE_CLASSES} ${USER_CLASSES} ${INHERIT_DISTRO} ${INHERIT_BLACKLIST} sanity'
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-extended/texinfo/texinfo_5.2.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/texinfo/texinfo_5.2.bb b/meta/recipes-extended/texinfo/texinfo_5.2.bb
index cf9dcfd..3394474 100644
--- a/meta/recipes-extended/texinfo/texinfo_5.2.bb
+++ b/meta/recipes-extended/texinfo/texinfo_5.2.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
PROVIDES_append_class-native = " texinfo-replacement-native"
def compress_pkg(d):
- if "compress_doc" in (d.getVar("INHERIT", True) or "").split():
+ if bb.data.inherits_class('compress_doc', d):
compress = d.getVar("DOC_COMPRESS", True)
if compress == "gz":
return "gzip"
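Review bot: `bb.data.inherits_class('compress_doc', d)` is not an exact replacement for the old test on the changed line: it is true whenever the class has been inherited by any route, including a recipe or another class that inherits compress_doc directly, not only when the name appears in the global INHERIT. That is probably the behaviour wanted here, but please say so in the commit message, and add a comment above the `if` noting that compress_pkg must not read INHERIT because doing so pulls the whole variable into the do_package signature.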
--
1.9.1
* [PATCH 11/20] linux-dtb.inc: drop unused DTB_NAME variable from do_install
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (9 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 10/20] texinfo: don't create dependency on INHERIT variable Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 12/20] glibc: use patch for CVE-2015-1781 Armin Kuster
` (9 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <Martin.Jansa@gmail.com>
* this is causing do_install to depend on KERNEL_IMAGE_BASE_NAME which
in some cases contains something like BUILD_NUMBER from CI, that
caused do_install to be reexecuted every single time, which is very
sad to be caused by an unused variable.
* jethro and newer don't need this change, because it's also fixed in
commit 86b3f29f93e3f87903668ea317c6bd97be4cdf62
Author: Marek Vasut <marex@denx.de>
Date: Thu May 14 14:31:11 2015 +0200
Subject: kernel: Build DTBs early
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-kernel/linux/linux-dtb.inc | 1 -
1 file changed, 1 deletion(-)
diff --git a/meta/recipes-kernel/linux/linux-dtb.inc b/meta/recipes-kernel/linux/linux-dtb.inc
index 6b8f1a5..4779be2 100644
--- a/meta/recipes-kernel/linux/linux-dtb.inc
+++ b/meta/recipes-kernel/linux/linux-dtb.inc
@@ -13,7 +13,6 @@ do_install_append() {
DTB=`basename ${DTB} | sed 's,\.dts$,.dtb,g'`
fi
DTB_BASE_NAME=`basename ${DTB} .dtb`
- DTB_NAME=`echo ${KERNEL_IMAGE_BASE_NAME} | sed "s/${MACHINE}/${DTB_BASE_NAME}/g"`
DTB_SYMLINK_NAME=`echo ${KERNEL_IMAGE_SYMLINK_NAME} | sed "s/${MACHINE}/${DTB_BASE_NAME}/g"`
DTB_PATH="${B}/arch/${ARCH}/boot/dts/${DTB}"
oe_runmake ${DTB}
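Review bot: Removing DTB_NAME only addresses the KERNEL_IMAGE_BASE_NAME dependency; the next line still derives DTB_SYMLINK_NAME from KERNEL_IMAGE_SYMLINK_NAME, so if that variable ever carries a per-build value the same re-execution comes back. Please also confirm that nothing after `oe_runmake ${DTB}`, outside the context shown, still uses ${DTB_NAME}, because the shell would expand the now-unset variable to an empty string without failing.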
--
1.9.1
* [PATCH 12/20] glibc: use patch for CVE-2015-1781
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (10 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 11/20] linux-dtb.inc: drop unused DTB_NAME variable from do_install Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 13/20] libxml2: CVE-2015-7942 Armin Kuster
` (8 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Tudor Florea <tudor.florea@enea.com>
Patch added to the repo wasn't actually considered due to an
erroneous way of specifying the sources.
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/glibc/glibc_2.20.bb | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index a0736cd..2ab4083 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -40,14 +40,12 @@ EGLIBCPATCHES = "\
# file://eglibc-install-pic-archives.patch \
# file://initgroups_keys.patch \
#
-CVEPATCHES = "\
- file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
-"
CVEPATCHES = "\
file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
+ file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
"
LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
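Review bot: The removed block shows how the CVE-2015-1781 fix was lost: a first `CVEPATCHES = "\` assignment was immediately replaced by a second plain `=` assignment, and the build gave no warning. Folding the entry into the surviving list is right, but nothing here stops the same mistake recurring, so please keep CVEPATCHES to a single assignment and say in the commit message how the fix was verified, for example that the patch now shows up among those applied in the do_patch log.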
--
1.9.1
* [PATCH 13/20] libxml2: CVE-2015-7942
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (11 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 12/20] glibc: use patch for CVE-2015-1781 Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 14/20] unzip: CVE-2015-7696, CVE-2015-7697 Armin Kuster
` (7 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Sona Sarmadi <sona.sarmadi@enea.com>
Fixes heap-based buffer overflow in xmlParseConditionalSections().
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/libxml/libxml2.inc | 1 +
.../libxml/libxml2/CVE-2015-7942.patch | 58 ++++++++++++++++++++++
2 files changed, 59 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 840a8eb..15a2421 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -23,6 +23,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml-m4-use-pkgconfig.patch \
file://libxml2-CVE-2014-3660.patch \
file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+ file://CVE-2015-7942.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
new file mode 100644
index 0000000..738ae94
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,58 @@
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Fixes CVE-2015-7942.
+Upstream-Status: Backport
+
+Upstream patch:
+https://git.gnome.org/browse/libxml2/commit/
+?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index bbe97eb..fe603ac 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++ xmlStopParser(ctxt);
++ return;
+ }
+
+ if (RAW == 0)
+--
+cgit v0.11.2
+
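Review bot: The references do not line up: the cover message describes a heap-based buffer overflow and links bug 756456, while the embedded upstream header is dated 23 Feb 2015, is titled "Cleanup conditional section error handling" and cites bug 744980. Please confirm that commit 9b8512337d14c8ddf662fcb98b0135f225a1c489 on its own is the complete upstream fix for CVE-2015-7942 and not one of several commits, and record the answer next to the "Fixes CVE-2015-7942." line. The three added `xmlStopParser(ctxt); return;` pairs are consistent with one another.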
--
1.9.1
* [PATCH 14/20] unzip: CVE-2015-7696, CVE-2015-7697
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (12 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 13/20] libxml2: CVE-2015-7942 Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 15/20] libxml2: CVE-2015-8035 Armin Kuster
` (6 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Tudor Florea <tudor.florea@enea.com>
CVE-2015-7696: Fixes a heap overflow triggered by unzipping a file with password
CVE-2015-7697: Fixes a denial of service with a file that never finishes unzipping
References:
http://www.openwall.com/lists/oss-security/2015/10/11/5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7697
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../unzip/unzip/CVE-2015-7696.patch | 38 ++++++++++++++++++++++
.../unzip/unzip/CVE-2015-7697.patch | 31 ++++++++++++++++++
meta/recipes-extended/unzip/unzip_6.0.bb | 2 ++
3 files changed, 71 insertions(+)
create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch b/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
new file mode 100644
index 0000000..ea93823
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
@@ -0,0 +1,38 @@
+Upstream-Status: Backport
+Signed-off-by: Tudor Florea <tudor.flore@enea.com>
+
+From 68efed87fabddd450c08f3112f62a73f61d493c9 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Mon, 14 Sep 2015 18:23:17 +0200
+Subject: [PATCH 1/2] upstream fix for heap overflow
+
+https://bugzilla.redhat.com/attachment.cgi?id=1073002
+---
+ crypt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/crypt.c b/crypt.c
+index 784e411..a8975f2 100644
+--- a/crypt.c
++++ b/crypt.c
+@@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
+ GLOBAL(pInfo->encrypted) = FALSE;
+ defer_leftover_input(__G);
+ for (n = 0; n < RAND_HEAD_LEN; n++) {
+- b = NEXTBYTE;
++ /* 2012-11-23 SMS. (OUSPG report.)
++ * Quit early if compressed size < HEAD_LEN. The resulting
++ * error message ("unable to get password") could be improved,
++ * but it's better than trying to read nonexistent data, and
++ * then continuing with a negative G.csize. (See
++ * fileio.c:readbyte()).
++ */
++ if ((b = NEXTBYTE) == (ush)EOF)
++ {
++ return PK_ERR;
++ }
+ h[n] = (uch)b;
+ Trace((stdout, " (%02x)", h[n]));
+ }
+--
+2.4.6
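Review bot: The new check `if ((b = NEXTBYTE) == (ush)EOF)` is only correct if b is declared as ush; the declaration is outside the hunk, and if b were an int the comparison against (ush)EOF would never match a returned EOF. Please confirm the type against crypt.c. The Signed-off-by address in this header reads tudor.flore@enea.com, which does not match tudor.florea@enea.com in the mail's own sign-off.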
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch b/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
new file mode 100644
index 0000000..da68988
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
@@ -0,0 +1,31 @@
+Upstream-Status: Backport
+Signed-off-by: Tudor Florea <tudor.flore@enea.com>
+
+From bd8a743ee0a77e65ad07ef4196c4cd366add3f26 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 14 Sep 2015 18:24:56 +0200
+Subject: [PATCH 2/2] fix infinite loop when extracting empty bzip2 data
+
+---
+ extract.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/extract.c b/extract.c
+index 7134bfe..29db027 100644
+--- a/extract.c
++++ b/extract.c
+@@ -2733,6 +2733,12 @@ __GDEF
+ int repeated_buf_err;
+ bz_stream bstrm;
+
++ if (G.incnt <= 0 && G.csize <= 0L) {
++ /* avoid an infinite loop */
++ Trace((stderr, "UZbunzip2() got empty input\n"));
++ return 2;
++ }
++
+ #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
+ if (G.redirect_slide)
+ wsize = G.redirect_size, redirSlide = G.redirect_buffer;
+--
+2.4.6
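Review bot: `return 2;` in the added guard is a bare number; if extract.c has a named constant for this result, use it, or at least comment what 2 means to the caller of UZbunzip2(). Unlike the CVE-2015-7696 patch, this header gives no link to where the upstream change came from after "Upstream-Status: Backport", and it carries the same tudor.flore@enea.com misspelling.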
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index e590f81..acbc837 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -14,6 +14,8 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
file://09-cve-2014-8139-crc-overflow.patch \
file://10-cve-2014-8140-test-compr-eb.patch \
file://11-cve-2014-8141-getzip64data.patch \
+ file://CVE-2015-7696.patch \
+ file://CVE-2015-7697.patch \
"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
--
1.9.1
* [PATCH 15/20] libxml2: CVE-2015-8035
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (13 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 14/20] unzip: CVE-2015-7696, CVE-2015-7697 Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 16/20] openssl: CVE-2015-3194, CVE-2015-3195 Armin Kuster
` (5 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Sona Sarmadi <sona.sarmadi@enea.com>
Fixes DoS when parsing specially crafted XML document
if XZ support is enabled.
References:
https://bugzilla.gnome.org/show_bug.cgi?id=757466
Upstream correction:
https://git.gnome.org/browse/libxml2/commit/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/libxml/libxml2.inc | 1 +
.../libxml/libxml2/CVE-2015-8035.patch | 35 ++++++++++++++++++++++
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 15a2421..d5e263b 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -24,6 +24,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml2-CVE-2014-3660.patch \
file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
file://CVE-2015-7942.patch \
+ file://CVE-2015-8035.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
new file mode 100644
index 0000000..d08693f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,35 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Upstream-Status: Backport
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+ return -1;
+ }
++ if (ret == LZMA_PROG_ERROR) {
++ xz_error(state, LZMA_PROG_ERROR, "compression error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+cgit v0.11.2
+
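Review bot: The added branch handles LZMA_PROG_ERROR only, next to the existing LZMA_DATA_ERROR branch, while the loop condition is still `while (strm->avail_out && ret != LZMA_STREAM_END)`; any other return code that makes no progress and is not caught earlier in the loop, above the context shown, would keep spinning. It is worth checking the full loop body in xzlib.c to see that every non-progress result exits. The message text "compression error" is also odd for a function named xz_decomp, though keeping it identical to upstream is defensible for a backport.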
--
1.9.1
* [PATCH 16/20] openssl: CVE-2015-3194, CVE-2015-3195
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (14 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 15/20] libxml2: CVE-2015-8035 Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 17/20] libxml2: CVE-2015-8241 Armin Kuster
` (4 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Sona Sarmadi <sona.sarmadi@enea.com>
Fixes following vulnerabilities:
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
X509_ATTRIBUTE memory leak (CVE-2015-3195)
References:
https://openssl.org/news/secadv/20151203.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3194
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3195
Upstream patches:
CVE-2015-3194:
https://git.openssl.org/?p=openssl.git;a=commit;h=d8541d7e9e63bf5f343af24644046c8d96498c17
CVE-2015-3195:
https://git.openssl.org/?p=openssl.git;a=commit;h=b29ffa392e839d05171206523e84909146f7a77c
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../CVE-2015-3194-Add-PSS-parameter-check.patch | 37 +++++++++++++
...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 61 ++++++++++++++++++++++
.../recipes-connectivity/openssl/openssl_1.0.1p.bb | 2 +
3 files changed, 100 insertions(+)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
new file mode 100644
index 0000000..a6697ca
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
@@ -0,0 +1,37 @@
+From d8541d7e9e63bf5f343af24644046c8d96498c17 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Fri, 2 Oct 2015 13:10:29 +0100
+Subject:Add PSS parameter check.
+
+Avoid seg fault by checking mgf1 parameter is not NULL. This can be
+triggered during certificate verification so could be a DoS attack
+against a client or a server enabling client authentication.
+
+Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
+
+CVE-2015-3194
+
+Upstream-Status: Backport
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
+index 93e071d..c7f1148 100644
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg,
+ if (pss->maskGenAlgorithm) {
+ ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
+- && param->type == V_ASN1_SEQUENCE) {
++ && param && param->type == V_ASN1_SEQUENCE) {
+ p = param->value.sequence->data;
+ plen = param->value.sequence->length;
+ *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
+--
+1.9.1
+
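Review bot: The header line `Subject:Add PSS parameter check.` is missing the space after the colon, and the header contains a non-ASCII name (Loïc), so the patch file needs to be committed and mailed as UTF-8 to stay byte-identical to what was reviewed. In the code, adding `param &&` ahead of `param->type == V_ASN1_SEQUENCE` guards the dereference in the condition, and the two uses of param inside the block are then covered as well.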
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
new file mode 100644
index 0000000..be705c0
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
@@ -0,0 +1,61 @@
+commit b29ffa392e839d05171206523e84909146f7a77c
+Author: Dr. Stephen Henson <steve@openssl.org>
+Date: Tue, 10 Nov 2015 19:03:07 +0000
+Subject: Fix leak with ASN.1 combine.
+
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+
+CVE-2015-3195.
+
+Upstream-Status: Backport
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+PR#4131
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ crypto/asn1/tasn_dec.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
+index febf605..9256049 100644
+--- a/crypto/asn1/tasn_dec.c
++++ b/crypto/asn1/tasn_dec.c
+@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ int otag;
+ int ret = 0;
+ ASN1_VALUE **pchptr, *ptmpval;
++ int combine = aclass & ASN1_TFLG_COMBINE;
++ aclass &= ~ASN1_TFLG_COMBINE;
+ if (!pval)
+ return 0;
+ if (aux && aux->asn1_cb)
+@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ auxerr:
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ err:
+- ASN1_item_ex_free(pval, it);
++ if (combine == 0)
++ ASN1_item_ex_free(pval, it);
+ if (errtt)
+ ERR_add_error_data(4, "Field=", errtt->field_name,
+ ", Type=", it->sname);
+@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
+ } else {
+ /* Nothing special */
+ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+- -1, 0, opt, ctx);
++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ if (!ret) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+ goto err;
+--
+1.9.1
+
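Review bot: This header uses the `commit` / `Author:` / `Date:` layout of git show, while the CVE-2015-3194 patch in the same mail uses the `From <hash> Mon Sep 17` layout; pick one so that tooling reading patch headers sees a consistent format. In the first hunk, aclass is now overloaded to carry ASN1_TFLG_COMBINE into ASN1_item_ex_d2i() and is masked off on the next line; a comment at `int combine = aclass & ASN1_TFLG_COMBINE;` saying that the flag arrives through aclass would make that contract visible to anyone reading the function signature.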
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
index 3f61790..1d0242f 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.1p.bb
@@ -34,6 +34,8 @@ SRC_URI += "file://configure-targets.patch \
file://Makefiles-ptest.patch \
file://ptest-deps.patch \
file://run-ptest \
+ file://CVE-2015-3194-Add-PSS-parameter-check.patch \
+ file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
"
SRC_URI[md5sum] = "7563e92327199e0067ccd0f79f436976"
--
1.9.1
* [PATCH 17/20] libxml2: CVE-2015-8241
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (15 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 16/20] openssl: CVE-2015-3194, CVE-2015-3195 Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 18/20] Fixes a heap buffer overflow in glibc wscanf Armin Kuster
` (3 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Sona Sarmadi <sona.sarmadi@enea.com>
Upstream bug (contains reproducer):
https://bugzilla.gnome.org/show_bug.cgi?id=756263
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/libxml/libxml2.inc | 1 +
.../libxml/libxml2/CVE-2015-8241.patch | 41 ++++++++++++++++++++++
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index d5e263b..2dafeb4 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -25,6 +25,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
file://CVE-2015-7942.patch \
file://CVE-2015-8035.patch \
+ file://CVE-2015-8241.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
new file mode 100644
index 0000000..98b30f0
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
@@ -0,0 +1,41 @@
+From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Tue, 3 Nov 2015 20:40:49 +0800
+Subject: Avoid extra processing of MarkupDecl when EOF
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756263
+
+One place where ctxt->instate == XML_PARSER_EOF whic was set up
+by entity detection issues doesn't get noticed, and even overrided
+
+Fixes CVE-2015-8241.
+
+Upstream-Status: Backport
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index d67b300..134afe7 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6972,6 +6972,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt) {
+ xmlParsePI(ctxt);
+ }
+ }
++
++ /*
++ * detect requirement to exit there and act accordingly
++ * and avoid having instate overriden later on
++ */
++ if (ctxt->instate == XML_PARSER_EOF)
++ return;
++
+ /*
+ * This is only for internal subset. On external entities,
+ * the replacement is done before parsing stage
+--
+cgit v0.11.2
+
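Review bot: The cover message for this patch gives only links and never says what CVE-2015-8241 is or what its impact is, unlike the other libxml2 patches in the series; please add a one-line description. In the embedded patch, the early `return` on `ctxt->instate == XML_PARSER_EOF` is placed after the declaration parsing and before the internal-subset handling, which is the point where the added comment says instate would otherwise be overridden.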
--
1.9.1
* [PATCH 18/20] Fixes a heap buffer overflow in glibc wscanf.
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (16 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 17/20] libxml2: CVE-2015-8241 Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 19/20] grub2: Fix CVE-2015-8370 Armin Kuster
` (2 subsequent siblings)
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1472
https://sourceware.org/ml/libc-alpha/2015-02/msg00119.html
http://openwall.com/lists/oss-security/2015/02/04/1
Reference to upstream fix:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Hand applied.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...5-1472-wscanf-allocates-too-little-memory.patch | 108 +++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.20.bb | 1 +
2 files changed, 109 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
new file mode 100644
index 0000000..ab513aa
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
@@ -0,0 +1,108 @@
+CVE-2015-1472: wscanf allocates too little memory
+
+BZ #16618
+
+Under certain conditions wscanf can allocate too little memory for the
+to-be-scanned arguments and overflow the allocated buffer. The
+implementation now correctly computes the required buffer size when
+using malloc.
+
+A regression test was added to tst-sscanf.
+
+Upstream-Status: Backport
+
+The patch is from (Paul Pluzhnikov <ppluzhnikov@google.com>):
+[https://sourceware.org/git/?p=glibc.git;a=patch;h=5bd80bfe9ca0d955bfbbc002781bc7b01b6bcb06]
+
+diff -ruN a/ChangeLog b/ChangeLog
+--- a/ChangeLog 2015-09-22 10:20:14.399408389 +0200
++++ b/ChangeLog 2015-09-22 10:33:07.374388595 +0200
+@@ -1,3 +1,12 @@
++2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #16618] CVE-2015-1472
++ * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
++ * stdio-common/vfscanf.c (_IO_vfscanf_internal): Compute needed
++ size in bytes. Store needed elements in wpmax. Use needed size
++ in bytes for extend_alloca.
++
++
+ 2014-12-16 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #17630]
+diff -ruN a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+--- a/stdio-common/tst-sscanf.c 2015-09-22 10:20:09.995596201 +0200
++++ b/stdio-common/tst-sscanf.c 2015-09-22 10:21:39.211791399 +0200
+@@ -233,5 +233,38 @@
+ }
+ }
+
++ /* BZ #16618
++ The test will segfault during SSCANF if the buffer overflow
++ is not fixed. The size of `s` is such that it forces the use
++ of malloc internally and this triggers the incorrect computation.
++ Thus the value for SIZE is arbitrariy high enough that malloc
++ is used. */
++ {
++#define SIZE 131072
++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s));
++ if (s == NULL)
++ abort ();
++ for (size_t i = 0; i < SIZE; i++)
++ s[i] = L('0');
++ s[SIZE] = L('\0');
++ int i = 42;
++ /* Scan multi-digit zero into `i`. */
++ if (SSCANF (s, L("%d"), &i) != 1)
++ {
++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n");
++ result = 1;
++ }
++ if (i != 0)
++ {
++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n");
++ result = 1;
++ }
++ free (s);
++ if (result != 1)
++ printf ("PASS: bug16618: Did not crash.\n");
++#undef SIZE
++ }
++
++
+ return result;
+ }
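Review bot: the PASS line at the end of the new bug16618 block is gated on "if (result != 1)", but result is the value main returns for the whole test file, so a failure recorded by an earlier case suppresses the PASS message for this case even when it passed. A flag local to this block would keep the output accurate. Two smaller points in the same block: "arbitrariy" in the comment should be "arbitrarily", and the inner "int i" has the same name as the "size_t i" loop counter just above it, which is legal but easy to misread.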
+diff -ruN a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+--- a/stdio-common/vfscanf.c 2015-09-22 10:20:14.051423230 +0200
++++ b/stdio-common/vfscanf.c 2015-09-22 10:21:39.215791228 +0200
+@@ -279,9 +279,10 @@
+ if (__glibc_unlikely (wpsize == wpmax)) \
+ { \
+ CHAR_T *old = wp; \
+- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \
+- ? UCHAR_MAX + 1 : 2 * wpmax); \
+- if (use_malloc || !__libc_use_alloca (newsize)) \
++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \
++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \
++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \
++ if (!__libc_use_alloca (newsize)) \
+ { \
+ wp = realloc (use_malloc ? wp : NULL, newsize); \
+ if (wp == NULL) \
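Review bot: the allocation test changes from "use_malloc || !__libc_use_alloca (newsize)" to "!__libc_use_alloca (newsize)", so the realloc branch is no longer forced once the buffer has moved to the heap. Please add a comment explaining why the alloca branch cannot be taken while use_malloc is true, or keep the "use_malloc ||" term. The "fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX" guard reads correctly: a request that would wrap is turned into SIZE_MAX, which should end up on the "wp == NULL" path instead of producing a short buffer.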
+@@ -293,14 +294,13 @@
+ } \
+ if (! use_malloc) \
+ MEMCPY (wp, old, wpsize); \
+- wpmax = newsize; \
++ wpmax = wpneed; \
+ use_malloc = true; \
+ } \
+ else \
+ { \
+ size_t s = wpmax * sizeof (CHAR_T); \
+- wp = (CHAR_T *) extend_alloca (wp, s, \
+- newsize * sizeof (CHAR_T)); \
++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \
+ wpmax = s / sizeof (CHAR_T); \
+ if (old != NULL) \
+ MEMCPY (wp, old, wpsize); \
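Review bot: after this hunk newsize is a byte count while wpmax and wpneed are element counts, and the ChangeLog entry in this patch describes the fix in exactly those terms ("Compute needed size in bytes. Store needed elements in wpmax."). A short comment at the top of the macro stating the unit of each variable would make the mix-up harder to reintroduce. The "extend_alloca (wp, s, newsize)" call and "wpmax = s / sizeof (CHAR_T)" are consistent with that reading.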
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index 2ab4083..bfd8c64 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -46,6 +46,7 @@ CVEPATCHES = "\
file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
+ file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
"
LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
--
1.9.1
* [PATCH 19/20] grub2: Fix CVE-2015-8370
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (17 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 18/20] Fixes a heap buffer overflow in glibc wscanf Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-10 0:30 ` [PATCH 20/20] bind: CVE-2015-8000 Armin Kuster
2016-01-21 11:57 ` [PATCH 00/20] Dizzy-next pull request 2016-1 Martin Jansa
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: "Belal, Awais" <Awais_Belal@mentor.com>
http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2
Signed-off-by: Awais Belal <awais_belal@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...E-2015-8370-Grub2-user-pass-vulnerability.patch | 50 ++++++++++++++++++++++
meta/recipes-bsp/grub/grub-efi_2.00.bb | 1 +
meta/recipes-bsp/grub/grub_2.00.bb | 1 +
3 files changed, 52 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
diff --git a/meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch b/meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
new file mode 100644
index 0000000..9ddd7a6
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
@@ -0,0 +1,50 @@
+Upstream-Status: Accepted
+Signed-off-by: Awais Belal <awais_belal@mentor.com>
+
+From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Wed, 16 Dec 2015 04:57:18 +0000
+Subject: Fix security issue when reading username and password
+
+This patch fixes two integer underflows at:
+ * grub-core/lib/crypto.c
+ * grub-core/normal/auth.c
+
+CVE-2015-8370
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
+Also-By: Andrey Borzenkov <arvidjaar@gmail.com>
+---
+Index: grub-2.00/grub-core/lib/crypto.c
+===================================================================
+--- grub-2.00.orig/grub-core/lib/crypto.c
++++ grub-2.00/grub-core/lib/crypto.c
+@@ -458,7 +458,8 @@ grub_password_get (char buf[], unsigned
+
+ if (key == '\b')
+ {
+- cur_len--;
++ if (cur_len)
++ cur_len--;
+ continue;
+ }
+
+Index: grub-2.00/grub-core/normal/auth.c
+===================================================================
+--- grub-2.00.orig/grub-core/normal/auth.c
++++ grub-2.00/grub-core/normal/auth.c
+@@ -174,8 +174,11 @@ grub_username_get (char buf[], unsigned
+
+ if (key == '\b')
+ {
+- cur_len--;
+- grub_printf ("\b");
++ if (cur_len)
++ {
++ cur_len--;
++ grub_printf ("\b");
++ }
+ continue;
+ }
+
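Review bot: the header of the new patch file carries "Upstream-Status: Accepted", while the fix is upstream commit 451d80e52d851432e109771bb8febafca7a5f1f2 (the "From" line just below it) and the glibc and bind patches in this series use "Upstream-Status: Backport" for the same situation. Suggest "Backport" here for consistency. The two guards themselves match: both grub_password_get and grub_username_get now skip the decrement when cur_len is zero, and the username path also skips the "\b" echo.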
diff --git a/meta/recipes-bsp/grub/grub-efi_2.00.bb b/meta/recipes-bsp/grub/grub-efi_2.00.bb
index 7674255..6822e7a 100644
--- a/meta/recipes-bsp/grub/grub-efi_2.00.bb
+++ b/meta/recipes-bsp/grub/grub-efi_2.00.bb
@@ -30,6 +30,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
file://grub-2.00-add-oe-kernel.patch \
file://grub-efi-fix-with-glibc-2.20.patch \
file://0001-parse_dhcp_vendor-Add-missing-const-qualifiers.patch \
+ file://0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch \
"
SRC_URI[md5sum] = "e927540b6eda8b024fb0391eeaa4091c"
SRC_URI[sha256sum] = "65b39a0558f8c802209c574f4d02ca263a804e8a564bc6caf1cd0fd3b3cc11e3"
diff --git a/meta/recipes-bsp/grub/grub_2.00.bb b/meta/recipes-bsp/grub/grub_2.00.bb
index d4df676..94b6da9 100644
--- a/meta/recipes-bsp/grub/grub_2.00.bb
+++ b/meta/recipes-bsp/grub/grub_2.00.bb
@@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
file://fix-endianness-problem.patch \
file://grub2-remove-sparc64-setup-from-x86-builds.patch \
file://0001-parse_dhcp_vendor-Add-missing-const-qualifiers.patch \
+ file://0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch \
"
SRC_URI[md5sum] = "e927540b6eda8b024fb0391eeaa4091c"
--
1.9.1
* [PATCH 20/20] bind: CVE-2015-8000
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (18 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 19/20] grub2: Fix CVE-2015-8370 Armin Kuster
@ 2016-01-10 0:30 ` Armin Kuster
2016-01-21 11:57 ` [PATCH 00/20] Dizzy-next pull request 2016-1 Martin Jansa
20 siblings, 0 replies; 27+ messages in thread
From: Armin Kuster @ 2016-01-10 0:30 UTC (permalink / raw)
To: openembedded-core
From: Sona Sarmadi <sona.sarmadi@enea.com>
Fixes a denial of service in BIND.
An error in the parsing of incoming responses allows some
records with an incorrect class to be accepted by BIND
instead of being rejected as malformed. This can trigger
a REQUIRE assertion failure when those records are subsequently
cached.
[YOCTO #8838]
References:
http://www.openwall.com/lists/oss-security/2015/12/15/14
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000
https://bugzilla.redhat.com/attachment.cgi?id=1105581
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../bind/bind/CVE-2015-8000.patch | 194 +++++++++++++++++++++
meta/recipes-connectivity/bind/bind_9.9.5.bb | 1 +
2 files changed, 195 insertions(+)
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
new file mode 100644
index 0000000..b8d8412
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
@@ -0,0 +1,194 @@
+responses with a malformed class attribute can trigger an
+assertion failure in db.c
+
+[security]
+Insufficient testing when parsing a message allowed records with
+an incorrect class to be be accepted, triggering a REQUIRE failure
+when those records were subsequently cached. (CVE-2015-8000) [RT#4098]
+
+Upstream-Status: Backport
+
+[The patch is taken from BIND 9.9.4:
+https://bugzilla.redhat.com/attachment.cgi?id=1105581]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
+index a6862fa..d999e75 100644
+--- a/lib/dns/include/dns/message.h
++++ b/lib/dns/include/dns/message.h
+@@ -210,6 +210,8 @@ struct dns_message {
+ unsigned int verify_attempted : 1;
+ unsigned int free_query : 1;
+ unsigned int free_saved : 1;
++ unsigned int tkey : 1;
++ unsigned int rdclass_set : 1;
+
+ unsigned int opt_reserved;
+ unsigned int sig_reserved;
+@@ -1374,6 +1376,15 @@ dns_message_buildopt(dns_message_t *msg, dns_rdataset_t **opt,
+ * \li other.
+ */
+
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
++/*%<
++ * Set the expected class of records in the response.
++ *
++ * Requires:
++ * \li msg be a valid message with parsing intent.
++ */
++
+ ISC_LANG_ENDDECLS
+
+ #endif /* DNS_MESSAGE_H */
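Review bot: the doc comment for dns_message_setclass lists only "msg be a valid message with parsing intent" under Requires, but the implementation added in message.c also asserts msg->state == DNS_SECTION_ANY and msg->rdclass_set == 0. Those are the conditions a caller is most likely to violate (calling it twice, or after dns_message_parse has run), so they belong in the header comment as well.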
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 53efc5a..73def73 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -436,6 +436,8 @@ msginit(dns_message_t *m) {
+ m->saved.base = NULL;
+ m->saved.length = 0;
+ m->free_saved = 0;
++ m->tkey = 0;
++ m->rdclass_set = 0;
+ m->querytsig = NULL;
+ }
+
+@@ -1086,13 +1088,19 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ * If this class is different than the one we already read,
+ * this is an error.
+ */
+- if (msg->state == DNS_SECTION_ANY) {
+- msg->state = DNS_SECTION_QUESTION;
++ if (msg->rdclass_set == 0) {
+ msg->rdclass = rdclass;
++ msg->rdclass_set = 1;
+ } else if (msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
++ * Is this a TKEY query?
++ */
++ if (rdtype == dns_rdatatype_tkey)
++ msg->tkey = 1;
++
++ /*
+ * Can't ask the same question twice.
+ */
+ result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+@@ -1236,12 +1244,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ * If there was no question section, we may not yet have
+ * established a class. Do so now.
+ */
+- if (msg->state == DNS_SECTION_ANY &&
++ if (msg->rdclass_set == 0 &&
+ rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
+ rdtype != dns_rdatatype_tsig && /* class is ANY */
+ rdtype != dns_rdatatype_tkey) { /* class is undefined */
+ msg->rdclass = rdclass;
+- msg->state = DNS_SECTION_QUESTION;
++ msg->rdclass_set = 1;
+ }
+
+ /*
+@@ -1251,7 +1259,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ if (msg->opcode != dns_opcode_update
+ && rdtype != dns_rdatatype_tsig
+ && rdtype != dns_rdatatype_opt
+- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
++ && rdtype != dns_rdatatype_key /* in a TKEY query */
+ && rdtype != dns_rdatatype_sig /* SIG(0) */
+ && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+ && msg->rdclass != dns_rdataclass_any
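Review bot: the exemption list changes from dns_rdatatype_dnskey to dns_rdatatype_key while keeping the "in a TKEY query" comment, which means DNSKEY records are now subject to this class check and KEY records are exempted here instead. The patch description at the top of the file does not mention that swap. Please note it in the header, since it changes which records reach DO_FORMERR in addition to the new rdclass_set logic.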
+@@ -1259,6 +1267,16 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ DO_FORMERR;
+
+ /*
++ * If this is not a TKEY query/response then the KEY
++ * record's class needs to match.
++ */
++ if (msg->opcode != dns_opcode_update && !msg->tkey &&
++ rdtype == dns_rdatatype_key &&
++ msg->rdclass != dns_rdataclass_any &&
++ msg->rdclass != rdclass)
++ DO_FORMERR;
++
++ /*
+ * Special type handling for TSIG, OPT, and TKEY.
+ */
+ if (rdtype == dns_rdatatype_tsig) {
+@@ -1372,6 +1390,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ skip_name_search = ISC_TRUE;
+ skip_type_search = ISC_TRUE;
+ issigzero = ISC_TRUE;
++ } else {
++ if (msg->rdclass != dns_rdataclass_any &&
++ msg->rdclass != rdclass)
++ DO_FORMERR;
+ }
+ } else
+ covers = 0;
+@@ -1610,6 +1632,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+
+ msg->header_ok = 1;
++ msg->state = DNS_SECTION_QUESTION;
+
+ /*
+ * -1 means no EDNS.
+@@ -3550,3 +3573,15 @@ dns_message_buildopt(dns_message_t *message, dns_rdataset_t **rdatasetp,
+ dns_message_puttemprdatalist(message, &rdatalist);
+ return (result);
+ }
++
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
++
++ REQUIRE(DNS_MESSAGE_VALID(msg));
++ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
++ REQUIRE(msg->state == DNS_SECTION_ANY);
++ REQUIRE(msg->rdclass_set == 0);
++
++ msg->rdclass = rdclass;
++ msg->rdclass_set = 1;
++}
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index aa23b11..d220986 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6964,6 +6964,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
+ goto done;
+ }
+
++ dns_message_setclass(message, fctx->res->rdclass);
++
+ result = dns_message_parse(message, &devent->buffer, 0);
+ if (result != ISC_R_SUCCESS) {
+ switch (result) {
+@@ -7036,6 +7038,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
+ */
+ log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
+
++ if (message->rdclass != fctx->res->rdclass) {
++ resend = ISC_TRUE;
++ FCTXTRACE("bad class");
++ goto done;
++ }
++
+ /*
+ * Process receive opt record.
+ */
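Review bot: the new "message->rdclass != fctx->res->rdclass" test looks unreachable from the hunks shown here. dns_message_setclass is called with fctx->res->rdclass before dns_message_parse, and the parser hunks in message.c only assign msg->rdclass when rdclass_set is 0. If the test is meant as a defensive check, a comment saying so, and why setting resend is the right reaction, would help.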
+diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
+index 9ad8960..938373a 100644
+--- a/lib/dns/xfrin.c
++++ b/lib/dns/xfrin.c
+@@ -1241,6 +1241,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
+ msg->tsigctx = xfr->tsigctx;
+ xfr->tsigctx = NULL;
+
++ dns_message_setclass(msg, xfr->rdclass);
++
+ if (xfr->nmsg > 0)
+ msg->tcp_continuation = 1;
+
diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.9.5.bb
index ee94011..6e4878d 100644
--- a/meta/recipes-connectivity/bind/bind_9.9.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
@@ -22,6 +22,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2015-1349.patch \
file://CVE-2015-4620.patch \
file://CVE-2015-5722.patch \
+ file://CVE-2015-8000.patch \
"
SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"
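Review bot: this adds the patch to bind_9.9.5.bb, but the header of CVE-2015-8000.patch says it "is taken from BIND 9.9.4". Please state in the patch header that it was checked against the 9.9.5 sources, including the line offsets in message.c and resolver.c. The header also has a doubled word, "to be be accepted".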
--
1.9.1
* Re: [PATCH 00/20] Dizzy-next pull request 2016-1
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
` (19 preceding siblings ...)
2016-01-10 0:30 ` [PATCH 20/20] bind: CVE-2015-8000 Armin Kuster
@ 2016-01-21 11:57 ` Martin Jansa
2016-01-27 11:33 ` Martin Jansa
20 siblings, 1 reply; 27+ messages in thread
From: Martin Jansa @ 2016-01-21 11:57 UTC (permalink / raw)
To: Armin Kuster; +Cc: openembedded-core
On Sat, Jan 09, 2016 at 04:30:26PM -0800, Armin Kuster wrote:
> Please consider these changes for dizzy-next community support.
>
> The following changes since commit 6d34267e0a13e10ab91b60590b27a2b5ba3b7da6:
>
> documentation: Changed some 'intro' tags to resolve multiple mega-manual warnings. (2015-11-18 16:44:05 +0000)
>
> are available in the git repository at:
>
> git://git.yoctoproject.org/poky-contrib akuster/dizzy-next
> http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/dizzy-next
This is for oe-core, right? So it shouldn't be in poky-contrib and the
http link doesn't work, it should be:
http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akuster/dizzy-next
>
> Armin Kuster (2):
> openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
> Fixes a heap buffer overflow in glibc wscanf.
What is this 2nd patch? It doesn't follow commit summary convention and
I don't see it in master (at least not with this subject)
http://git.yoctoproject.org/cgit.cgi/poky-contrib/commit/?h=akuster/dizzy-next&id=4807ff0ca0abf085e6b81257534a4a62fde88d16
Other changes look good to me.
> Belal, Awais (1):
> grub2: Fix CVE-2015-8370
>
> Chen Qi (1):
> image.bbclass: don't let do_rootfs depend on BUILDNAME
>
> Martin Jansa (3):
> fontcache: allow to pass extra parameters and environment to fc-cache
> texinfo: don't create dependency on INHERIT variable
> linux-dtb.inc: drop unused DTB_NAME variable from do_install
>
> Mike Crowe (1):
> allarch: Force TARGET_*FLAGS variable values
>
> Richard Purdie (2):
> layer.conf: Add several allarch dependency exclusions
> layer.conf: Add missing dependency for allarch package
> initramfs-framework
>
> Sergiy Kibrik (1):
> rsync: backport libattr checking patch
>
> Sona Sarmadi (7):
> libtasn1: CVE-2015-3622
> grep2.19: CVE-2015-1345
> libxml2: CVE-2015-7942
> libxml2: CVE-2015-8035
> openssl: CVE-2015-3194, CVE-2015-3195
> libxml2: CVE-2015-8241
> bind: CVE-2015-8000
>
> Tudor Florea (2):
> glibc: use patch for CVE-2015-1781
> unzip: CVE-2015-7696, CVE-2015-7697
>
> meta/classes/allarch.bbclass | 4 +
> meta/classes/fontcache.bbclass | 19 +-
> meta/classes/image.bbclass | 2 +-
> meta/conf/layer.conf | 11 ++
> ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 50 ++++++
> meta/recipes-bsp/grub/grub-efi_2.00.bb | 1 +
> meta/recipes-bsp/grub/grub_2.00.bb | 1 +
> .../bind/bind/CVE-2015-8000.patch | 194 +++++++++++++++++++++
> meta/recipes-connectivity/bind/bind_9.9.5.bb | 1 +
> .../openssh/openssh/CVE-2015-6563.patch | 36 ++++
> .../openssh/openssh/CVE-2015-6564.patch | 34 ++++
> .../openssh/openssh/CVE-2015-6565.patch | 35 ++++
> meta/recipes-connectivity/openssh/openssh_6.6p1.bb | 5 +-
> .../CVE-2015-3194-Add-PSS-parameter-check.patch | 37 ++++
> ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 61 +++++++
> .../recipes-connectivity/openssl/openssl_1.0.1p.bb | 2 +
> ...5-1472-wscanf-allocates-too-little-memory.patch | 108 ++++++++++++
> meta/recipes-core/glibc/glibc_2.20.bb | 5 +-
> meta/recipes-core/libxml/libxml2.inc | 3 +
> .../libxml/libxml2/CVE-2015-7942.patch | 58 ++++++
> .../libxml/libxml2/CVE-2015-8035.patch | 35 ++++
> .../libxml/libxml2/CVE-2015-8241.patch | 41 +++++
> .../rsync/files/check_libattr.patch | 33 ++++
> meta/recipes-devtools/rsync/rsync_3.1.0.bb | 3 +-
> .../grep/grep-2.19/grep2.19-CVE-2015-1345.patch | 129 ++++++++++++++
> meta/recipes-extended/grep/grep_2.19.bb | 4 +-
> meta/recipes-extended/texinfo/texinfo_5.2.bb | 2 +-
> .../unzip/unzip/CVE-2015-7696.patch | 38 ++++
> .../unzip/unzip/CVE-2015-7697.patch | 31 ++++
> meta/recipes-extended/unzip/unzip_6.0.bb | 2 +
> meta/recipes-kernel/linux/linux-dtb.inc | 1 -
> .../gnutls/libtasn1/libtasn1-CVE-2015-3622.patch | 44 +++++
> meta/recipes-support/gnutls/libtasn1_4.0.bb | 1 +
> scripts/postinst-intercepts/update_font_cache | 4 +-
> 34 files changed, 1020 insertions(+), 15 deletions(-)
> create mode 100644 meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
> create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
> create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
> create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
> create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
> create mode 100644 meta/recipes-devtools/rsync/files/check_libattr.patch
> create mode 100644 meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
> create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
> create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
> create mode 100644 meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
>
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
* Re: [PATCH 00/20] Dizzy-next pull request 2016-1
2016-01-21 11:57 ` [PATCH 00/20] Dizzy-next pull request 2016-1 Martin Jansa
@ 2016-01-27 11:33 ` Martin Jansa
2016-01-30 2:44 ` akuster808
0 siblings, 1 reply; 27+ messages in thread
From: Martin Jansa @ 2016-01-27 11:33 UTC (permalink / raw)
To: Armin Kuster; +Cc: openembedded-core
On Thu, Jan 21, 2016 at 12:57:52PM +0100, Martin Jansa wrote:
> On Sat, Jan 09, 2016 at 04:30:26PM -0800, Armin Kuster wrote:
> > Please consider these changes for dizzy-next community support.
> >
> > The following changes since commit 6d34267e0a13e10ab91b60590b27a2b5ba3b7da6:
> >
> > documentation: Changed some 'intro' tags to resolve multiple mega-manual warnings. (2015-11-18 16:44:05 +0000)
> >
> > are available in the git repository at:
> >
> > git://git.yoctoproject.org/poky-contrib akuster/dizzy-next
> > http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/dizzy-next
>
> This is for oe-core, right? So it shouldn't be in poky-contrib and the
> http link doesn't work, it should be:
> http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akuster/dizzy-next
>
> >
> > Armin Kuster (2):
> > openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
> > Fixes a heap buffer overflow in glibc wscanf.
>
> What is this 2nd patch? It doesn't follow commit summary convention and
> I don't see it in master (at least not with this subject)
> http://git.yoctoproject.org/cgit.cgi/poky-contrib/commit/?h=akuster/dizzy-next&id=4807ff0ca0abf085e6b81257534a4a62fde88d16
>
> Other changes look good to me.
ping?
> > Belal, Awais (1):
> > grub2: Fix CVE-2015-8370
> >
> > Chen Qi (1):
> > image.bbclass: don't let do_rootfs depend on BUILDNAME
> >
> > Martin Jansa (3):
> > fontcache: allow to pass extra parameters and environment to fc-cache
> > texinfo: don't create dependency on INHERIT variable
> > linux-dtb.inc: drop unused DTB_NAME variable from do_install
> >
> > Mike Crowe (1):
> > allarch: Force TARGET_*FLAGS variable values
> >
> > Richard Purdie (2):
> > layer.conf: Add several allarch dependency exclusions
> > layer.conf: Add missing dependency for allarch package
> > initramfs-framework
> >
> > Sergiy Kibrik (1):
> > rsync: backport libattr checking patch
> >
> > Sona Sarmadi (7):
> > libtasn1: CVE-2015-3622
> > grep2.19: CVE-2015-1345
> > libxml2: CVE-2015-7942
> > libxml2: CVE-2015-8035
> > openssl: CVE-2015-3194, CVE-2015-3195
> > libxml2: CVE-2015-8241
> > bind: CVE-2015-8000
> >
> > Tudor Florea (2):
> > glibc: use patch for CVE-2015-1781
> > unzip: CVE-2015-7696, CVE-2015-7697
> >
> > meta/classes/allarch.bbclass | 4 +
> > meta/classes/fontcache.bbclass | 19 +-
> > meta/classes/image.bbclass | 2 +-
> > meta/conf/layer.conf | 11 ++
> > ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 50 ++++++
> > meta/recipes-bsp/grub/grub-efi_2.00.bb | 1 +
> > meta/recipes-bsp/grub/grub_2.00.bb | 1 +
> > .../bind/bind/CVE-2015-8000.patch | 194 +++++++++++++++++++++
> > meta/recipes-connectivity/bind/bind_9.9.5.bb | 1 +
> > .../openssh/openssh/CVE-2015-6563.patch | 36 ++++
> > .../openssh/openssh/CVE-2015-6564.patch | 34 ++++
> > .../openssh/openssh/CVE-2015-6565.patch | 35 ++++
> > meta/recipes-connectivity/openssh/openssh_6.6p1.bb | 5 +-
> > .../CVE-2015-3194-Add-PSS-parameter-check.patch | 37 ++++
> > ...CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch | 61 +++++++
> > .../recipes-connectivity/openssl/openssl_1.0.1p.bb | 2 +
> > ...5-1472-wscanf-allocates-too-little-memory.patch | 108 ++++++++++++
> > meta/recipes-core/glibc/glibc_2.20.bb | 5 +-
> > meta/recipes-core/libxml/libxml2.inc | 3 +
> > .../libxml/libxml2/CVE-2015-7942.patch | 58 ++++++
> > .../libxml/libxml2/CVE-2015-8035.patch | 35 ++++
> > .../libxml/libxml2/CVE-2015-8241.patch | 41 +++++
> > .../rsync/files/check_libattr.patch | 33 ++++
> > meta/recipes-devtools/rsync/rsync_3.1.0.bb | 3 +-
> > .../grep/grep-2.19/grep2.19-CVE-2015-1345.patch | 129 ++++++++++++++
> > meta/recipes-extended/grep/grep_2.19.bb | 4 +-
> > meta/recipes-extended/texinfo/texinfo_5.2.bb | 2 +-
> > .../unzip/unzip/CVE-2015-7696.patch | 38 ++++
> > .../unzip/unzip/CVE-2015-7697.patch | 31 ++++
> > meta/recipes-extended/unzip/unzip_6.0.bb | 2 +
> > meta/recipes-kernel/linux/linux-dtb.inc | 1 -
> > .../gnutls/libtasn1/libtasn1-CVE-2015-3622.patch | 44 +++++
> > meta/recipes-support/gnutls/libtasn1_4.0.bb | 1 +
> > scripts/postinst-intercepts/update_font_cache | 4 +-
> > 34 files changed, 1020 insertions(+), 15 deletions(-)
> > create mode 100644 meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
> > create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
> > create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6563.patch
> > create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6564.patch
> > create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2015-6565.patch
> > create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3194-Add-PSS-parameter-check.patch
> > create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch
> > create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch
> > create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
> > create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
> > create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
> > create mode 100644 meta/recipes-devtools/rsync/files/check_libattr.patch
> > create mode 100644 meta/recipes-extended/grep/grep-2.19/grep2.19-CVE-2015-1345.patch
> > create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7696.patch
> > create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2015-7697.patch
> > create mode 100644 meta/recipes-support/gnutls/libtasn1/libtasn1-CVE-2015-3622.patch
> >
> > --
> > 1.9.1
> >
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core@lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
> --
> Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
* Re: [PATCH 00/20] Dizzy-next pull request 2016-1
2016-01-27 11:33 ` Martin Jansa
@ 2016-01-30 2:44 ` akuster808
2016-01-30 9:08 ` Martin Jansa
0 siblings, 1 reply; 27+ messages in thread
From: akuster808 @ 2016-01-30 2:44 UTC (permalink / raw)
To: Martin Jansa; +Cc: openembedded-core
On 1/27/16 3:33 AM, Martin Jansa wrote:
> On Thu, Jan 21, 2016 at 12:57:52PM +0100, Martin Jansa wrote:
>> On Sat, Jan 09, 2016 at 04:30:26PM -0800, Armin Kuster wrote:
>>> Please consider these changes for dizzy-next community support.
>>>
>>> The following changes since commit 6d34267e0a13e10ab91b60590b27a2b5ba3b7da6:
>>>
>>> documentation: Changed some 'intro' tags to resolve multiple mega-manual warnings. (2015-11-18 16:44:05 +0000)
>>>
>>> are available in the git repository at:
>>>
>>> git://git.yoctoproject.org/poky-contrib akuster/dizzy-next
>>> http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/dizzy-next
>> This is for oe-core, right? So it shouldn't be in poky-contrib and the
>> http link doesn't work, it should be:
>> http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akuster/dizzy-next
No. This should be for oe core.
>>
>>> Armin Kuster (2):
>>> openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565
>>> Fixes a heap buffer overflow in glibc wscanf.
>> What is this 2nd patch? It doesn't follow commit summary convention and
>> I don't see it in master (at least not with this subject)
>> http://git.yoctoproject.org/cgit.cgi/poky-contrib/commit/?h=akuster/dizzy-next&id=4807ff0ca0abf085e6b81257534a4a62fde88d16
>> Other changes look good to me.
That was a patch from the patch queue and affects glibc below 2.21, so
neither Master, Jethro nor fido are affected.
http://patches.openembedded.org/patch/109797/
> ping?
Dizzy 1.7.4 is not planned yet.
- armin
* Re: [PATCH 00/20] Dizzy-next pull request 2016-1
2016-01-30 2:44 ` akuster808
@ 2016-01-30 9:08 ` Martin Jansa
2016-01-30 12:06 ` Richard Purdie
0 siblings, 1 reply; 27+ messages in thread
From: Martin Jansa @ 2016-01-30 9:08 UTC (permalink / raw)
To: akuster808; +Cc: Patches and discussions about the oe-core layer
> that was a patch from the patch queue and affect glibc below 2.21 so
glibc/wscanf: CVE-2015-1472
looks like a better subject
> Dizzy 1.7.4 is not planned yet.
I don't care about point releases, I care only about contents of release
branch, can it be merged to dizzy branch?
* Re: [PATCH 00/20] Dizzy-next pull request 2016-1
2016-01-30 9:08 ` Martin Jansa
@ 2016-01-30 12:06 ` Richard Purdie
2016-01-30 12:37 ` Martin Jansa
0 siblings, 1 reply; 27+ messages in thread
From: Richard Purdie @ 2016-01-30 12:06 UTC (permalink / raw)
To: Martin Jansa, akuster808; +Cc: Patches and discussions about the oe-core layer
On Sat, 2016-01-30 at 10:08 +0100, Martin Jansa wrote:
> > that was a patch from the patch queue and affect glibc below 2.21
> so
>
> glibc/wscanf: CVE-2015-1472
>
> looks like better subject
>
> > Dizzy 1.7.4 is not planned yet.
>
> I don't care about point releases, I care only about contents of
> release branch, can it be merged to dizzy branch?
I was hoping the branch would get corrected so I could then just pull
the correct commits. I suspect Armin didn't realise I was waiting for
that.
In the interests of expedience, I've reworded that commit and merged
the branch.
There are a couple of tweaks that would make things easier for me to
take these:
a) Could you in the 00/XX series header in future confirm you've
checked and that these issues are addressed in the later stable
branches? I do worry that for example there may be unaddressed issues
in fido.
b) If you could share an oe-core contrib branch with these in, it does
make it easier for me to merge them. I can deal with that comparatively
easily though.
I have merged this to dizzy though.
Cheers,
Richard
* Re: [PATCH 00/20] Dizzy-next pull request 2016-1
2016-01-30 12:06 ` Richard Purdie
@ 2016-01-30 12:37 ` Martin Jansa
0 siblings, 0 replies; 27+ messages in thread
From: Martin Jansa @ 2016-01-30 12:37 UTC (permalink / raw)
To: Richard Purdie; +Cc: Patches and discussions about the oe-core layer
> I have merged this to dizzy though.
Thanks!
Thread overview: 27+ messages
2016-01-10 0:30 [PATCH 00/20] Dizzy-next pull request 2016-1 Armin Kuster
2016-01-10 0:30 ` [PATCH 01/20] libtasn1: CVE-2015-3622 Armin Kuster
2016-01-10 0:30 ` [PATCH 02/20] grep2.19: CVE-2015-1345 Armin Kuster
2016-01-10 0:30 ` [PATCH 03/20] rsync: backport libattr checking patch Armin Kuster
2016-01-10 0:30 ` [PATCH 04/20] openssh: CVE-2015-6563 CVE-2015-6564 CVE-2015-6565 Armin Kuster
2016-01-10 0:30 ` [PATCH 05/20] fontcache: allow to pass extra parameters and environment to fc-cache Armin Kuster
2016-01-10 0:30 ` [PATCH 06/20] image.bbclass: don't let do_rootfs depend on BUILDNAME Armin Kuster
2016-01-10 0:30 ` [PATCH 07/20] layer.conf: Add several allarch dependency exclusions Armin Kuster
2016-01-10 0:30 ` [PATCH 08/20] layer.conf: Add missing dependency for allarch package initramfs-framework Armin Kuster
2016-01-10 0:30 ` [PATCH 09/20] allarch: Force TARGET_*FLAGS variable values Armin Kuster
2016-01-10 0:30 ` [PATCH 10/20] texinfo: don't create dependency on INHERIT variable Armin Kuster
2016-01-10 0:30 ` [PATCH 11/20] linux-dtb.inc: drop unused DTB_NAME variable from do_install Armin Kuster
2016-01-10 0:30 ` [PATCH 12/20] glibc: use patch for CVE-2015-1781 Armin Kuster
2016-01-10 0:30 ` [PATCH 13/20] libxml2: CVE-2015-7942 Armin Kuster
2016-01-10 0:30 ` [PATCH 14/20] unzip: CVE-2015-7696, CVE-2015-7697 Armin Kuster
2016-01-10 0:30 ` [PATCH 15/20] libxml2: CVE-2015-8035 Armin Kuster
2016-01-10 0:30 ` [PATCH 16/20] openssl: CVE-2015-3194, CVE-2015-3195 Armin Kuster
2016-01-10 0:30 ` [PATCH 17/20] libxml2: CVE-2015-8241 Armin Kuster
2016-01-10 0:30 ` [PATCH 18/20] Fixes a heap buffer overflow in glibc wscanf Armin Kuster
2016-01-10 0:30 ` [PATCH 19/20] grub2: Fix CVE-2015-8370 Armin Kuster
2016-01-10 0:30 ` [PATCH 20/20] bind: CVE-2015-8000 Armin Kuster
2016-01-21 11:57 ` [PATCH 00/20] Dizzy-next pull request 2016-1 Martin Jansa
2016-01-27 11:33 ` Martin Jansa
2016-01-30 2:44 ` akuster808
2016-01-30 9:08 ` Martin Jansa
2016-01-30 12:06 ` Richard Purdie
2016-01-30 12:37 ` Martin Jansa