diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-14 00:59:39 +0100 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-08-29 19:44:03 -0400 |
| commit | 220d5534d34c16d996dd3eb9c3dcc94591f5ded4 (patch) | |
| tree | 9576094c44a78d81de247a95922d23d4aad8fb43 /poky/meta/recipes-devtools | |
| parent | 8845f92d5dc18f9b0792c43621c96f4036393aac (diff) | |
| download | talos-openbmc-220d5534d34c16d996dd3eb9c3dcc94591f5ded4.tar.gz talos-openbmc-220d5534d34c16d996dd3eb9c3dcc94591f5ded4.zip | |
poky: sumo refresh 874976b..45ef387
Update poky to sumo HEAD.
Alexander Kanavin (1):
openssl: fix upstream version check for 1.0 version
Andre McCurdy (19):
openssl_1.1: avoid using += with an over-ride
openssl_1.1: minor recipe formatting tweaks etc
openssl_1.0: merge openssl10.inc into the openssl_1.0.2o.bb recipe
openssl_1.0: minor recipe formatting tweaks etc
openssl_1.0: drop curly brackets from shell local variables
openssl_1.0: fix cryptodev-linux PACKAGECONFIG support
openssl_1.0: drop leading "-" from no-ssl3 config option
openssl_1.0: avoid running make twice for target do_compile()
openssl: remove uclibc remnants
openssl: support musl-x32 build
openssl: minor indent fixes
openssl_1.0: drop obsolete ca.patch
openssl_1.0: drop obsolete exporting of AS, EX_LIBS and DIRS
openssl_1.0: drop unmaintained darwin support
openssl_1.0: add PACKAGECONFIG option to control manpages
openssl_1.0: squash whitespace in CC_INFO
openssl: fix missing dependency on hostperl-runtime-native
openssl_1.0: drop unnecessary dependency on makedepend-native
openssl_1.0: drop unnecessary call to perlpath.pl from do_configure()
Andrej Valek (3):
openssl-1.1: fix c_rehash perl errors
openssl: update 1.0.2o -> 1.0.2p
openssl: update 1.1.0h -> 1.1.0i
Anuj Mittal (1):
wic/qemux86: don't pass ip parameter to kernel in wks
Changqing Li (1):
unzip: fix CVE-2018-1000035
Hongxu Jia (2):
nasm: fix CVE-2018-8883 & CVE-2018-8882 & CVE-2018-10316
patch: fix CVE-2018-6952
Jagadeesh Krishnanjanappa (19):
libvorbis: CVE-2017-14160 CVE-2018-10393
libvorbis: CVE-2018-10392
flac: CVE-2017-6888
libarchive: CVE-2017-14503
libsndfile1: CVE-2017-14245 CVE-2017-14246
libsndfile1: CVE-2017-14634
coreutils: CVE-2017-18018
libgcrypt: CVE-2018-0495
git: CVE-2018-11235
gnupg: CVE-2018-12020
shadow: CVE-2018-7169
procps: CVE-2018-1124
python: CVE-2018-1000030
qemu: CVE-2018-7550
qemu: CVE-2018-12617
perl: CVE-2018-6798
perl: CVE-2018-6797
perl: CVE-2018-6913
perl: CVE-2018-12015
Joshua Watt (2):
alsa-lib: Cleanup packaging
swig: Remove superfluous python dependency
Ovidiu Panait (1):
openssl-nativesdk: Fix "can't open config file" warning
Ross Burton (6):
bzip2: use Yocto Project mirror for SRC_URI
classes: sanity-check LIC_FILES_CHKSUM
openssl: disable ccache usage
unzip: fix symlink problem
bitbake: utils/md5_file: don't iterate line-by-line
bitbake: checksum: sanity check path when recursively checksumming
Change-Id: I262a451f483cb276343ae6f02c272af053d33d7a
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-devtools')
21 files changed, 1458 insertions, 3 deletions
diff --git a/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch b/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch new file mode 100644 index 000000000..c272eac8d --- /dev/null +++ b/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch @@ -0,0 +1,288 @@ +From 0383bbb9015898cbc79abd7b64316484d7713b44 Mon Sep 17 00:00:00 2001 +From: Jeff King <peff@peff.net> +Date: Mon, 30 Apr 2018 03:25:25 -0400 +Subject: [PATCH] submodule-config: verify submodule names as paths + +Submodule "names" come from the untrusted .gitmodules file, +but we blindly append them to $GIT_DIR/modules to create our +on-disk repo paths. This means you can do bad things by +putting "../" into the name (among other things). + +Let's sanity-check these names to avoid building a path that +can be exploited. There are two main decisions: + + 1. What should the allowed syntax be? + + It's tempting to reuse verify_path(), since submodule + names typically come from in-repo paths. But there are + two reasons not to: + + a. It's technically more strict than what we need, as + we really care only about breaking out of the + $GIT_DIR/modules/ hierarchy. E.g., having a + submodule named "foo/.git" isn't actually + dangerous, and it's possible that somebody has + manually given such a funny name. + + b. Since we'll eventually use this checking logic in + fsck to prevent downstream repositories, it should + be consistent across platforms. Because + verify_path() relies on is_dir_sep(), it wouldn't + block "foo\..\bar" on a non-Windows machine. + + 2. Where should we enforce it? These days most of the + .gitmodules reads go through submodule-config.c, so + I've put it there in the reading step. That should + cover all of the C code. + + We also construct the name for "git submodule add" + inside the git-submodule.sh script. This is probably + not a big deal for security since the name is coming + from the user anyway, but it would be polite to remind + them if the name they pick is invalid (and we need to + expose the name-checker to the shell anyway for our + test scripts). + + This patch issues a warning when reading .gitmodules + and just ignores the related config entry completely. + This will generally end up producing a sensible error, + as it works the same as a .gitmodules file which is + missing a submodule entry (so "submodule update" will + barf, but "git clone --recurse-submodules" will print + an error but not abort the clone. + + There is one minor oddity, which is that we print the + warning once per malformed config key (since that's how + the config subsystem gives us the entries). So in the + new test, for example, the user would see three + warnings. That's OK, since the intent is that this case + should never come up outside of malicious repositories + (and then it might even benefit the user to see the + message multiple times). + +Credit for finding this vulnerability and the proof of +concept from which the test script was adapted goes to +Etienne Stalmans. + +CVE: CVE-2018-11235 +Upstream-Status: Backport [https://github.com/gitster/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44#diff-1772b951776d1647ca31a2256f7fe88f] + +Signed-off-by: Jeff King <peff@peff.net> +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + builtin/submodule--helper.c | 24 ++++++++++++++ + git-submodule.sh | 5 +++ + submodule-config.c | 31 ++++++++++++++++++ + submodule-config.h | 7 +++++ + t/t7415-submodule-names.sh | 76 +++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 143 insertions(+) + create mode 100755 t/t7415-submodule-names.sh + +diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c +index cbb17a902..b4b4d29d8 100644 +--- a/builtin/submodule--helper.c ++++ b/builtin/submodule--helper.c +@@ -1480,6 +1480,29 @@ static int is_active(int argc, const cha + return !is_submodule_active(the_repository, argv[1]); + } + ++/* ++ * Exit non-zero if any of the submodule names given on the command line is ++ * invalid. If no names are given, filter stdin to print only valid names ++ * (which is primarily intended for testing). ++ */ ++static int check_name(int argc, const char **argv, const char *prefix) ++{ ++ if (argc > 1) { ++ while (*++argv) { ++ if (check_submodule_name(*argv) < 0) ++ return 1; ++ } ++ } else { ++ struct strbuf buf = STRBUF_INIT; ++ while (strbuf_getline(&buf, stdin) != EOF) { ++ if (!check_submodule_name(buf.buf)) ++ printf("%s\n", buf.buf); ++ } ++ strbuf_release(&buf); ++ } ++ return 0; ++} ++ + #define SUPPORT_SUPER_PREFIX (1<<0) + + struct cmd_struct { +@@ -1502,6 +1525,7 @@ static struct cmd_struct commands[] = { + {"push-check", push_check, 0}, + {"absorb-git-dirs", absorb_git_dirs, SUPPORT_SUPER_PREFIX}, + {"is-active", is_active, 0}, ++ {"check-name", check_name, 0}, + }; + + int cmd_submodule__helper(int argc, const char **argv, const char *prefix) +diff --git a/git-submodule.sh b/git-submodule.sh +index c0d0e9a4c..92750b9e2 100755 +--- a/git-submodule.sh ++++ b/git-submodule.sh +@@ -229,6 +229,11 @@ Use -f if you really want to add it." >& + sm_name="$sm_path" + fi + ++ if ! git submodule--helper check-name "$sm_name" ++ then ++ die "$(eval_gettext "'$sm_name' is not a valid submodule name")" ++ fi ++ + # perhaps the path exists and is already a git repo, else clone it + if test -e "$sm_path" + then +diff --git a/submodule-config.c b/submodule-config.c +index 4f58491dd..de54351c6 100644 +--- a/submodule-config.c ++++ b/submodule-config.c +@@ -190,6 +190,31 @@ static struct submodule *cache_lookup_na + return NULL; + } + ++int check_submodule_name(const char *name) ++{ ++ /* Disallow empty names */ ++ if (!*name) ++ return -1; ++ ++ /* ++ * Look for '..' as a path component. Check both '/' and '\\' as ++ * separators rather than is_dir_sep(), because we want the name rules ++ * to be consistent across platforms. ++ */ ++ goto in_component; /* always start inside component */ ++ while (*name) { ++ char c = *name++; ++ if (c == '/' || c == '\\') { ++in_component: ++ if (name[0] == '.' && name[1] == '.' && ++ (!name[2] || name[2] == '/' || name[2] == '\\')) ++ return -1; ++ } ++ } ++ ++ return 0; ++} ++ + static int name_and_item_from_var(const char *var, struct strbuf *name, + struct strbuf *item) + { +@@ -201,6 +226,12 @@ static int name_and_item_from_var(const + return 0; + + strbuf_add(name, subsection, subsection_len); ++ if (check_submodule_name(name->buf) < 0) { ++ warning(_("ignoring suspicious submodule name: %s"), name->buf); ++ strbuf_release(name); ++ return 0; ++ } ++ + strbuf_addstr(item, key); + + return 1; +diff --git a/submodule-config.h b/submodule-config.h +index d434ecdb4..103cc79dd 100644 +--- a/submodule-config.h ++++ b/submodule-config.h +@@ -48,4 +48,11 @@ extern const struct submodule *submodule + const char *key); + extern void submodule_free(void); + ++/* ++ * Returns 0 if the name is syntactically acceptable as a submodule "name" ++ * (e.g., that may be found in the subsection of a .gitmodules file) and -1 ++ * otherwise. ++ */ ++int check_submodule_name(const char *name); ++ + #endif /* SUBMODULE_CONFIG_H */ +diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh +new file mode 100755 +index 000000000..75fa071c6 +--- /dev/null ++++ b/t/t7415-submodule-names.sh +@@ -0,0 +1,76 @@ ++#!/bin/sh ++ ++test_description='check handling of .. in submodule names ++ ++Exercise the name-checking function on a variety of names, and then give a ++real-world setup that confirms we catch this in practice. ++' ++. ./test-lib.sh ++ ++test_expect_success 'check names' ' ++ cat >expect <<-\EOF && ++ valid ++ valid/with/paths ++ EOF ++ ++ git submodule--helper check-name >actual <<-\EOF && ++ valid ++ valid/with/paths ++ ++ ../foo ++ /../foo ++ ..\foo ++ \..\foo ++ foo/.. ++ foo/../ ++ foo\.. ++ foo\..\ ++ foo/../bar ++ EOF ++ ++ test_cmp expect actual ++' ++ ++test_expect_success 'create innocent subrepo' ' ++ git init innocent && ++ git -C innocent commit --allow-empty -m foo ++' ++ ++test_expect_success 'submodule add refuses invalid names' ' ++ test_must_fail \ ++ git submodule add --name ../../modules/evil "$PWD/innocent" evil ++' ++ ++test_expect_success 'add evil submodule' ' ++ git submodule add "$PWD/innocent" evil && ++ ++ mkdir modules && ++ cp -r .git/modules/evil modules && ++ write_script modules/evil/hooks/post-checkout <<-\EOF && ++ echo >&2 "RUNNING POST CHECKOUT" ++ EOF ++ ++ git config -f .gitmodules submodule.evil.update checkout && ++ git config -f .gitmodules --rename-section \ ++ submodule.evil submodule.../../modules/evil && ++ git add modules && ++ git commit -am evil ++' ++ ++# This step seems like it shouldn't be necessary, since the payload is ++# contained entirely in the evil submodule. But due to the vagaries of the ++# submodule code, checking out the evil module will fail unless ".git/modules" ++# exists. Adding another submodule (with a name that sorts before "evil") is an ++# easy way to make sure this is the case in the victim clone. ++test_expect_success 'add other submodule' ' ++ git submodule add "$PWD/innocent" another-module && ++ git add another-module && ++ git commit -am another ++' ++ ++test_expect_success 'clone evil superproject' ' ++ git clone --recurse-submodules . victim >output 2>&1 && ++ ! grep "RUNNING POST CHECKOUT" output ++' ++ ++test_done +-- +2.13.3 + diff --git a/poky/meta/recipes-devtools/git/git.inc b/poky/meta/recipes-devtools/git/git.inc index dd9d792c5..bea23ec78 100644 --- a/poky/meta/recipes-devtools/git/git.inc +++ b/poky/meta/recipes-devtools/git/git.inc @@ -7,7 +7,8 @@ DEPENDS = "openssl curl zlib expat" PROVIDES_append_class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ - ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages" + ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \ + file://CVE-2018-11235.patch" S = "${WORKDIR}/git-${PV}" diff --git a/poky/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch b/poky/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch new file mode 100644 index 000000000..a56a08b5a --- /dev/null +++ b/poky/meta/recipes-devtools/nasm/nasm/0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch @@ -0,0 +1,65 @@ +From c5785fdf1d660eaefb9711284414262d0cfe8843 Mon Sep 17 00:00:00 2001 +From: Adam Majer <amajer@suse.de> +Date: Fri, 17 Aug 2018 14:48:17 +0800 +Subject: [PATCH] Verify that we are not reading past end of a buffer + +Simple reproducer is just, + + ret &d:ep + +which triggers a buffer overread due to parsing of an invalid +segment override. + +Signed-off-by: Adam Majer <amajer@suse.de> + +Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392447] +CVE: CVE-2018-8883 +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + include/opflags.h | 2 +- + include/tables.h | 1 + + x86/regs.pl | 3 ++- + 3 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/opflags.h b/include/opflags.h +index ef2838c1..8d4b6b1e 100644 +--- a/include/opflags.h ++++ b/include/opflags.h +@@ -166,7 +166,7 @@ + #define REG_CLASS_BND GEN_REG_CLASS(9) + + #define is_class(class, op) (!((opflags_t)(class) & ~(opflags_t)(op))) +-#define is_reg_class(class, reg) is_class((class), nasm_reg_flags[(reg)]) ++#define is_reg_class(class, reg) is_class((class), ((reg) < nasm_reg_flags_size ? nasm_reg_flags[(reg)] : 0)) + + #define IS_SREG(reg) is_reg_class(REG_SREG, (reg)) + #define IS_FSGS(reg) is_reg_class(REG_FSGS, (reg)) +diff --git a/include/tables.h b/include/tables.h +index 24a665e2..458752ce 100644 +--- a/include/tables.h ++++ b/include/tables.h +@@ -64,6 +64,7 @@ extern const char * const nasm_reg_names[]; + typedef uint64_t opflags_t; + typedef uint16_t decoflags_t; + extern const opflags_t nasm_reg_flags[]; ++extern const size_t nasm_reg_flags_size; + /* regvals.c */ + extern const int nasm_regvals[]; + +diff --git a/x86/regs.pl b/x86/regs.pl +index 3a1b56f5..cb5cea68 100755 +--- a/x86/regs.pl ++++ b/x86/regs.pl +@@ -158,7 +158,8 @@ if ( $fmt eq 'h' ) { + printf " %-15s /* %-5s */\n", + $regs{$reg}.',', $reg; + } +- print "};\n"; ++ print "};\n\n"; ++ print "const size_t nasm_reg_flags_size = sizeof(nasm_reg_flags) / sizeof(opflags_t);\n"; + } elsif ( $fmt eq 'vc' ) { + # Output regvals.c + print "/* automatically generated from $file - do not edit */\n\n"; +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch b/poky/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch new file mode 100644 index 000000000..682d4c727 --- /dev/null +++ b/poky/meta/recipes-devtools/nasm/nasm/0001-assemble-Check-global-line-limit.patch @@ -0,0 +1,50 @@ +From 7a46d6b9e3a1d8a0ab0d816ef1bf194ad285e082 Mon Sep 17 00:00:00 2001 +From: "Chang S. Bae" <chang.seok.bae@intel.com> +Date: Fri, 17 Aug 2018 14:26:03 +0800 +Subject: [PATCH] assemble: Check global line limit + +Without the limit, the while loop opens to semi-infinite +that will exhaustively consume the heap space. Also, the +index value gets into the garbage. + +https://bugzilla.nasm.us/show_bug.cgi?id=3392474 + +Reported-by : Dongliang Mu <mudongliangabcd@gmail.com> +Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com> +Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com> + +Upstream-Status: Backport from upstream [http://repo.or.cz/nasm.git] +CVE: CVE-2018-10316 +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + asm/nasm.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/asm/nasm.c b/asm/nasm.c +index 8497ec9..81f6cee 100644 +--- a/asm/nasm.c ++++ b/asm/nasm.c +@@ -99,6 +99,8 @@ static char outname[FILENAME_MAX]; + static char listname[FILENAME_MAX]; + static char errname[FILENAME_MAX]; + static int globallineno; /* for forward-reference tracking */ ++#define GLOBALLINENO_MAX INT32_MAX ++ + /* static int pass = 0; */ + const struct ofmt *ofmt = &OF_DEFAULT; + const struct ofmt_alias *ofmt_alias = NULL; +@@ -1360,7 +1362,10 @@ static void assemble_file(char *fname, StrList **depend_ptr) + location.offset = offs = get_curr_offs(); + + while ((line = preproc->getline())) { +- globallineno++; ++ if (globallineno++ == GLOBALLINENO_MAX) ++ nasm_error(ERR_FATAL, ++ "overall line number reaches the maximum %d\n", ++ GLOBALLINENO_MAX); + + /* + * Here we parse our directives; this is not handled by the +-- +2.7.4 + diff --git a/poky/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch b/poky/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch new file mode 100644 index 000000000..bc706c3f1 --- /dev/null +++ b/poky/meta/recipes-devtools/nasm/nasm/0001-fix-CVE-2018-8882.patch @@ -0,0 +1,30 @@ +From 33438037e00ec750bff020578b1a5b6f75f60555 Mon Sep 17 00:00:00 2001 +From: Adam Majer <amajer@suse.de> +Date: Fri, 17 Aug 2018 14:41:02 +0800 +Subject: [PATCH] fix CVE-2018-8882 + +https://bugzilla.nasm.us/show_bug.cgi?id=3392445 + +Upstream-Status: Submitted [https://bugzilla.nasm.us/show_bug.cgi?id=3392445] +CVE: CVE-2018-8882 +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + asm/float.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/asm/float.c b/asm/float.c +index dcf69fea..2965d3db 100644 +--- a/asm/float.c ++++ b/asm/float.c +@@ -608,6 +608,8 @@ static void ieee_shr(fp_limb *mant, int i) + if (offs) + for (j = MANT_LIMBS-1; j >= offs; j--) + mant[j] = mant[j-offs]; ++ } else if (MANT_LIMBS-1-offs < 0) { ++ j = MANT_LIMBS-1; + } else { + n = mant[MANT_LIMBS-1-offs] >> sr; + for (j = MANT_LIMBS-1; j > offs; j--) { +-- +2.17.1 + diff --git a/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb b/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb index 236d7e5e3..6a02df485 100644 --- a/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb +++ b/poky/meta/recipes-devtools/nasm/nasm_2.13.03.bb @@ -5,6 +5,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe" SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \ file://0001-asmlib-Drop-pure-function-attribute-from-seg_init.patch \ + file://0001-assemble-Check-global-line-limit.patch \ + file://0001-fix-CVE-2018-8882.patch \ + file://0001-Verify-that-we-are-not-reading-past-end-of-a-buffer.patch \ " SRC_URI[md5sum] = "0c581d482f39d5111879ca9601938f74" diff --git a/poky/meta/recipes-devtools/patch/patch/0001-Fix-swapping-fake-lines-in-pch_swap.patch b/poky/meta/recipes-devtools/patch/patch/0001-Fix-swapping-fake-lines-in-pch_swap.patch new file mode 100644 index 000000000..049149eb9 --- /dev/null +++ b/poky/meta/recipes-devtools/patch/patch/0001-Fix-swapping-fake-lines-in-pch_swap.patch @@ -0,0 +1,36 @@ +From 9c986353e420ead6e706262bf204d6e03322c300 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher <agruen@gnu.org> +Date: Fri, 17 Aug 2018 13:35:40 +0200 +Subject: [PATCH] Fix swapping fake lines in pch_swap + +* src/pch.c (pch_swap): Fix swapping p_bfake and p_efake when there is a +blank line in the middle of a context-diff hunk: that empty line stays +in the middle of the hunk and isn't swapped. + +Fixes: https://savannah.gnu.org/bugs/index.php?53133 +Signed-off-by: Andreas Gruenbacher <agruen@gnu.org> + +Upstream-Status: Backport [https://git.savannah.gnu.org/git/patch.git] +CVE: CVE-2018-6952 +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> + +--- + src/pch.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pch.c b/src/pch.c +index e92bc64..a500ad9 100644 +--- a/src/pch.c ++++ b/src/pch.c +@@ -2122,7 +2122,7 @@ pch_swap (void) + } + if (p_efake >= 0) { /* fix non-freeable ptr range */ + if (p_efake <= i) +- n = p_end - i + 1; ++ n = p_end - p_ptrn_lines; + else + n = -i; + p_efake += n; +-- +2.10.2 + diff --git a/poky/meta/recipes-devtools/patch/patch_2.7.6.bb b/poky/meta/recipes-devtools/patch/patch_2.7.6.bb index 823486dd0..85b0db733 100644 --- a/poky/meta/recipes-devtools/patch/patch_2.7.6.bb +++ b/poky/meta/recipes-devtools/patch/patch_2.7.6.bb @@ -5,6 +5,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ file://0002-Fix-segfault-with-mangled-rename-patch.patch \ file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \ file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \ + file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \ " SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600" diff --git a/poky/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch b/poky/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch new file mode 100644 index 000000000..a33deaff6 --- /dev/null +++ b/poky/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch @@ -0,0 +1,48 @@ +From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> +Date: Fri, 8 Jun 2018 11:45:40 +0100 +Subject: [PATCH] [PATCH] Remove existing files before overwriting them + +Archive should extract only the latest same-named entry. +Extracted regular file should not be writtent into existing block +device (or any other one). + +https://rt.cpan.org/Ticket/Display.html?id=125523 + +CVE: CVE-2018-12015 +Upstream-Status: Backport [https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5] + +Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk> +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + lib/Archive/Tar.pm | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm +index 6244369..a83975f 100644 +--- a/cpan/Archive-Tar/lib/Archive/Tar.pm ++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm +@@ -845,6 +845,20 @@ sub _extract_file { + return; + } + ++ ### If a file system already contains a block device with the same name as ++ ### the being extracted regular file, we would write the file's content ++ ### to the block device. So remove the existing file (block device) now. ++ ### If an archive contains multiple same-named entries, the last one ++ ### should replace the previous ones. So remove the old file now. ++ ### If the old entry is a symlink to a file outside of the CWD, the new ++ ### entry would create a file there. This is CVE-2018-12015 ++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>. ++ if (-l $full || -e _) { ++ if (!unlink $full) { ++ $self->_error( qq[Could not remove old file '$full': $!] ); ++ return; ++ } ++ } + if( length $entry->type && $entry->is_file ) { + my $fh = IO::File->new; + $fh->open( '>' . $full ) or ( +-- +2.13.3 + diff --git a/poky/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch new file mode 100644 index 000000000..b56ebd3ea --- /dev/null +++ b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch @@ -0,0 +1,45 @@ +From abe1e6c568b96bcb382dfa4f61c56d1ab001ea51 Mon Sep 17 00:00:00 2001 +From: Karl Williamson <khw@cpan.org> +Date: Fri, 2 Feb 2018 15:14:27 -0700 +Subject: [PATCH] (perl #132227) restart a node if we change to uni rules + within the node and encounter a sharp S + +This could lead to a buffer overflow. + +(cherry picked from commit a02c70e35d1313a5f4e245e8f863c810e991172d) + +CVE: CVE-2018-6797 +Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/abe1e6c568b96bcb382dfa4f61c56d1ab001ea51] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + regcomp.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/regcomp.c b/regcomp.c +index 3b9550b10d..a7dee9a09e 100644 +--- a/regcomp.c ++++ b/regcomp.c +@@ -13543,6 +13543,18 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth) + * /u. This includes the multi-char fold SHARP S to + * 'ss' */ + if (UNLIKELY(ender == LATIN_SMALL_LETTER_SHARP_S)) { ++ ++ /* If the node started out having uni rules, we ++ * wouldn't have gotten here. So this means ++ * something in the middle has changed it, but ++ * didn't think it needed to reparse. But this ++ * sharp s now does indicate the need for ++ * reparsing. */ ++ if (RExC_uni_semantics) { ++ p = oldp; ++ goto loopdone; ++ } ++ + RExC_seen_unfolded_sharp_s = 1; + maybe_exactfu = FALSE; + } +-- +2.15.1-424-g9478a660812 + + diff --git a/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch new file mode 100644 index 000000000..34771624f --- /dev/null +++ b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch @@ -0,0 +1,130 @@ +From 0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff Mon Sep 17 00:00:00 2001 +From: Karl Williamson <khw@cpan.org> +Date: Tue, 6 Feb 2018 14:50:48 -0700 +Subject: [PATCH] [perl #132063]: Heap buffer overflow + +The proximal cause is several instances in regexec.c of the code +assuming that the input was valid UTF-8, whereas the input was too short +for what the start byte claimed it would be. + +I grepped through the core for any other similar uses, and did not find +any. + +(cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84) + +CVE: CVE-2018-6798 +Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/patch/0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + regexec.c | 29 ++++++++++++++++------------- + t/lib/warnings/regexec | 7 +++++++ + 2 files changed, 23 insertions(+), 13 deletions(-) + +diff --git a/regexec.c b/regexec.c +index 5735b997fd..ea432c39d3 100644 +--- a/regexec.c ++++ b/regexec.c +@@ -1466,7 +1466,9 @@ Perl_re_intuit_start(pTHX_ + ? trie_utf8_fold \ + : trie_latin_utf8_fold))) + +-#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \ ++/* 'uscan' is set to foldbuf, and incremented, so below the end of uscan is ++ * 'foldbuf+sizeof(foldbuf)' */ ++#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uc_end, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \ + STMT_START { \ + STRLEN skiplen; \ + U8 flags = FOLD_FLAGS_FULL; \ +@@ -1474,7 +1476,7 @@ STMT_START { + case trie_flu8: \ + _CHECK_AND_WARN_PROBLEMATIC_LOCALE; \ + if (utf8_target && UTF8_IS_ABOVE_LATIN1(*uc)) { \ +- _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc + UTF8SKIP(uc)); \ ++ _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc); \ + } \ + goto do_trie_utf8_fold; \ + case trie_utf8_exactfa_fold: \ +@@ -1483,7 +1485,7 @@ STMT_START { + case trie_utf8_fold: \ + do_trie_utf8_fold: \ + if ( foldlen>0 ) { \ +- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \ ++ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \ + foldlen -= len; \ + uscan += len; \ + len=0; \ +@@ -1500,7 +1502,7 @@ STMT_START { + /* FALLTHROUGH */ \ + case trie_latin_utf8_fold: \ + if ( foldlen>0 ) { \ +- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \ ++ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \ + foldlen -= len; \ + uscan += len; \ + len=0; \ +@@ -1519,7 +1521,7 @@ STMT_START { + } \ + /* FALLTHROUGH */ \ + case trie_utf8: \ +- uvc = utf8n_to_uvchr( (const U8*) uc, UTF8_MAXLEN, &len, uniflags ); \ ++ uvc = utf8n_to_uvchr( (const U8*) uc, uc_end - uc, &len, uniflags ); \ + break; \ + case trie_plain: \ + uvc = (UV)*uc; \ +@@ -2599,10 +2601,10 @@ S_find_byclass(pTHX_ regexp * prog, const regnode *c, char *s, + } + points[pointpos++ % maxlen]= uc; + if (foldlen || uc < (U8*)strend) { +- REXEC_TRIE_READ_CHAR(trie_type, trie, +- widecharmap, uc, +- uscan, len, uvc, charid, foldlen, +- foldbuf, uniflags); ++ REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, ++ (U8 *) strend, uscan, len, uvc, ++ charid, foldlen, foldbuf, ++ uniflags); + DEBUG_TRIE_EXECUTE_r({ + dump_exec_pos( (char *)uc, c, strend, + real_start, s, utf8_target, 0); +@@ -5511,8 +5513,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog) + if ( base && (foldlen || uc < (U8*)(reginfo->strend))) { + I32 offset; + REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, +- uscan, len, uvc, charid, foldlen, +- foldbuf, uniflags); ++ (U8 *) reginfo->strend, uscan, ++ len, uvc, charid, foldlen, ++ foldbuf, uniflags); + charcount++; + if (foldlen>0) + ST.longfold = TRUE; +@@ -5642,8 +5645,8 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog) + while (foldlen) { + if (!--chars) + break; +- uvc = utf8n_to_uvchr(uscan, UTF8_MAXLEN, &len, +- uniflags); ++ uvc = utf8n_to_uvchr(uscan, foldlen, &len, ++ uniflags); + uscan += len; + foldlen -= len; + } +diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec +index 900dd6ee7f..6635142dea 100644 +--- a/t/lib/warnings/regexec ++++ b/t/lib/warnings/regexec +@@ -260,3 +260,10 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale); + "k" =~ /(?[ \N{KELVIN SIGN} ])/i; + ":" =~ /(?[ \: ])/; + EXPECT ++######## ++# NAME perl #132063, read beyond buffer end ++# OPTION fatal ++"\xff" =~ /(?il)\x{100}|\x{100}/; ++EXPECT ++Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2. ++Malformed UTF-8 character (fatal) at - line 2. +-- +2.15.1-424-g9478a660812 + diff --git a/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch new file mode 100644 index 000000000..fb9b41a5e --- /dev/null +++ b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch @@ -0,0 +1,37 @@ +From f65da1ca2eee74696d9c120e9d69af37b4fa1920 Mon Sep 17 00:00:00 2001 +From: Tony Cook <tony@develop-help.com> +Date: Mon, 19 Feb 2018 15:11:42 +1100 +Subject: [PATCH] (perl #132063) we should no longer warn for this code + +The first patch for 132063 prevented the buffer read overflow when +dumping the warning but didn't fix the underlying problem. + +The next change treats the supplied buffer correctly, preventing the +non-UTF-8 SV from being treated as UTF-8, preventing the warning. + +(cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f) + +CVE: CVE-2018-6798 +Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f65da1ca2eee74696d9c120e9d69af37b4fa1920] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + t/lib/warnings/regexec | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec +index 6635142dea..c370ddc3c7 100644 +--- a/t/lib/warnings/regexec ++++ b/t/lib/warnings/regexec +@@ -262,8 +262,5 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale); + EXPECT + ######## + # NAME perl #132063, read beyond buffer end +-# OPTION fatal + "\xff" =~ /(?il)\x{100}|\x{100}/; + EXPECT +-Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2. +-Malformed UTF-8 character (fatal) at - line 2. +-- +2.15.1-424-g9478a660812 + diff --git a/poky/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch new file mode 100644 index 000000000..157af7bf9 --- /dev/null +++ b/poky/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch @@ -0,0 +1,153 @@ +From f17fed5006177dce8ac48229c424a2da0d6ba492 Mon Sep 17 00:00:00 2001 +From: Tony Cook <tony@develop-help.com> +Date: Tue, 8 Aug 2017 09:32:58 +1000 +Subject: [PATCH] (perl #131844) fix various space calculation issues in + pp_pack.c + +- for the originally reported case, if the start/cur pointer is in the + top 75% of the address space the add (cur) + glen addition would + overflow, resulting in the condition failing incorrectly. + +- the addition of the existing space used to the space needed could + overflow, resulting in too small an allocation and a buffer overflow. + +- the scaling for UTF8 could overflow. + +- the multiply to calculate the space needed for many items could + overflow. + +For the first case, do a space calculation without making new pointers. + +For the other cases, detect the overflow and croak if there's an +overflow. + +Originally this used Size_t_MAX as the maximum size of a memory +allocation, but for -DDEBUGGING builds realloc() throws a panic for +allocations over half the address space in size, changing the error +reported for the allocation. + +For non-DEBUGGING builds the Size_t_MAX limit has the small chance +of finding a system that has 3GB of contiguous space available, and +allocating that space, which could be a denial of servce in some cases. + +Unfortunately changing the limit to half the address space means that +the exact case with the original issue can no longer occur, so the +test is no longer testing against the address + length issue that +caused the original problem, since the allocation is failing earlier. + +One option would be to change the test so the size request by pack is +just under 2GB, but this has a higher (but still low) probability that +the system has the address space available, and will actually try to +allocate the memory, so let's not do that. + +Note: changed +plan tests => 14713; +to +plan tests => 14712; +in a/t/op/pack.t +to apply this patch on perl 5.24.1. + +CVE: CVE-2018-6913 +Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f17fed5006177dce8ac48229c424a2da0d6ba492] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + pp_pack.c | 25 +++++++++++++++++++++---- + t/op/pack.t | 24 +++++++++++++++++++++++- + 2 files changed, 44 insertions(+), 5 deletions(-) + +diff --git a/pp_pack.c b/pp_pack.c +index 8937d6d715..5e9cc64301 100644 +--- a/pp_pack.c ++++ b/pp_pack.c +@@ -357,11 +357,28 @@ STMT_START { \ + } \ + } STMT_END + ++#define SAFE_UTF8_EXPAND(var) \ ++STMT_START { \ ++ if ((var) > SSize_t_MAX / UTF8_EXPAND) \ ++ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \ ++ (var) = (var) * UTF8_EXPAND; \ ++} STMT_END ++ ++#define GROWING2(utf8, cat, start, cur, item_size, item_count) \ ++STMT_START { \ ++ if (SSize_t_MAX / (item_size) < (item_count)) \ ++ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \ ++ GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \ ++} STMT_END ++ + #define GROWING(utf8, cat, start, cur, in_len) \ + STMT_START { \ + STRLEN glen = (in_len); \ +- if (utf8) glen *= UTF8_EXPAND; \ +- if ((cur) + glen >= (start) + SvLEN(cat)) { \ ++ STRLEN catcur = (STRLEN)((cur) - (start)); \ ++ if (utf8) SAFE_UTF8_EXPAND(glen); \ ++ if (SSize_t_MAX - glen < catcur) \ ++ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \ ++ if (catcur + glen >= SvLEN(cat)) { \ + (start) = sv_exp_grow(cat, glen); \ + (cur) = (start) + SvCUR(cat); \ + } \ +@@ -372,7 +389,7 @@ STMT_START { \ + STMT_START { \ + const STRLEN glen = (in_len); \ + STRLEN gl = glen; \ +- if (utf8) gl *= UTF8_EXPAND; \ ++ if (utf8) SAFE_UTF8_EXPAND(gl); \ + if ((cur) + gl >= (start) + SvLEN(cat)) { \ + *cur = '\0'; \ + SvCUR_set((cat), (cur) - (start)); \ +@@ -2126,7 +2143,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* sym + if (props && !(props & PACK_SIZE_UNPREDICTABLE)) { + /* We can process this letter. */ + STRLEN size = props & PACK_SIZE_MASK; +- GROWING(utf8, cat, start, cur, (STRLEN) len * size); ++ GROWING2(utf8, cat, start, cur, size, (STRLEN)len); + } + } + +diff --git a/t/op/pack.t b/t/op/pack.t +index 664aaaf1b0..cf0e286509 100644 +--- a/t/op/pack.t ++++ b/t/op/pack.t +@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' : + my $no_signedness = $] > 5.009 ? '' : + "Signed/unsigned pack modifiers not available on this perl"; + +-plan tests => 14712; ++plan tests => 14717; + + use strict; + use warnings qw(FATAL all); +@@ -2044,3 +2044,25 @@ ok(1, "argument underflow did not crash" + is(pack("H40", $up_nul), $twenty_nuls, + "check pack H zero fills (utf8 source)"); + } ++ ++SKIP: ++{ ++ # [perl #131844] pointer addition overflow ++ $Config{ptrsize} == 4 ++ or skip "[perl #131844] need 32-bit build for this test", 4; ++ # prevent ASAN just crashing on the allocation failure ++ local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS}; ++ $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1"; ++ fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 }, ++ "pointer addition overflow"); ++ ++ # integer (STRLEN) overflow from addition of glen to current length ++ fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 }, ++ "integer overflow calculating allocation (addition)"); ++ ++ fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 }, ++ "integer overflow calculating allocation (utf8)"); ++ ++ fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 }, ++ "integer overflow calculating allocation (multiply)"); ++} +-- +2.15.1-424-g9478a660812 + diff --git a/poky/meta/recipes-devtools/perl/perl_5.24.1.bb b/poky/meta/recipes-devtools/perl/perl_5.24.1.bb index 91f310d42..5fed8965c 100644 --- a/poky/meta/recipes-devtools/perl/perl_5.24.1.bb +++ b/poky/meta/recipes-devtools/perl/perl_5.24.1.bb @@ -66,6 +66,11 @@ SRC_URI += " \ file://perl-5.26.1-guard_old_libcrypt_fix.patch \ file://CVE-2017-12883.patch \ file://CVE-2017-12837.patch \ + file://CVE-2018-6798-1.patch \ + file://CVE-2018-6798-2.patch \ + file://CVE-2018-6797.patch \ + file://CVE-2018-6913.patch \ + file://CVE-2018-12015.patch \ " # Fix test case issues diff --git a/poky/meta/recipes-devtools/python/python.inc b/poky/meta/recipes-devtools/python/python.inc index 979b601bf..69542c96c 100644 --- a/poky/meta/recipes-devtools/python/python.inc +++ b/poky/meta/recipes-devtools/python/python.inc @@ -7,7 +7,9 @@ INC_PR = "r1" LIC_FILES_CHKSUM = "file://LICENSE;md5=f741e51de91d4eeea5930b9c3c7fa69d" -SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz" +SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ + file://CVE-2018-1000030-1.patch \ + file://CVE-2018-1000030-2.patch" SRC_URI[md5sum] = "1f6db41ad91d9eb0a6f0c769b8613c5b" SRC_URI[sha256sum] = "71ffb26e09e78650e424929b2b457b9c912ac216576e6bd9e7d204ed03296a66" diff --git a/poky/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch b/poky/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch new file mode 100644 index 000000000..06ad4c695 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch @@ -0,0 +1,138 @@ +From 6401e5671781eb217ee1afb4603cc0d1b0367ae6 Mon Sep 17 00:00:00 2001 +From: Serhiy Storchaka <storchaka@gmail.com> +Date: Fri, 10 Nov 2017 12:58:55 +0200 +Subject: [PATCH] [2.7] bpo-31530: Stop crashes when iterating over a file on + multiple threads. (#3672) + +CVE: CVE-2018-1000030 +Upstream-Status: Backport [https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + Lib/test/test_file2k.py | 32 ++++++++++++++++++++++ + .../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst | 4 +++ + Objects/fileobject.c | 19 +++++++++++-- + 3 files changed, 52 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst + +diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py +index e39ef7042e..d8966e034e 100644 +--- a/Lib/test/test_file2k.py ++++ b/Lib/test/test_file2k.py +@@ -652,6 +652,38 @@ class FileThreadingTests(unittest.TestCase): + self.f.writelines('') + self._test_close_open_io(io_func) + ++ def test_iteration_torture(self): ++ # bpo-31530: Crash when concurrently iterate over a file. ++ with open(self.filename, "wb") as fp: ++ for i in xrange(2**20): ++ fp.write(b"0"*50 + b"\n") ++ with open(self.filename, "rb") as f: ++ def iterate(): ++ try: ++ for l in f: ++ pass ++ except IOError: ++ pass ++ self._run_workers(iterate, 10) ++ ++ def test_iteration_seek(self): ++ # bpo-31530: Crash when concurrently seek and iterate over a file. ++ with open(self.filename, "wb") as fp: ++ for i in xrange(10000): ++ fp.write(b"0"*50 + b"\n") ++ with open(self.filename, "rb") as f: ++ it = iter([1] + [0]*10) # one thread reads, others seek ++ def iterate(): ++ try: ++ if next(it): ++ for l in f: ++ pass ++ else: ++ for i in range(100): ++ f.seek(i*100, 0) ++ except IOError: ++ pass ++ self._run_workers(iterate, 10) + + @unittest.skipUnless(os.name == 'posix', 'test requires a posix system.') + class TestFileSignalEINTR(unittest.TestCase): +diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst +new file mode 100644 +index 0000000000..a6cb6c9e9b +--- /dev/null ++++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst +@@ -0,0 +1,4 @@ ++Fixed crashes when iterating over a file on multiple threads. ++seek() and next() methods of file objects now raise an exception during ++concurrent operation on the same file object. ++A lock can be used to prevent the error. +diff --git a/Objects/fileobject.c b/Objects/fileobject.c +index 7e07a5376f..2f63c374d1 100644 +--- a/Objects/fileobject.c ++++ b/Objects/fileobject.c +@@ -430,7 +430,7 @@ close_the_file(PyFileObject *f) + if (f->ob_refcnt > 0) { + PyErr_SetString(PyExc_IOError, + "close() called during concurrent " +- "operation on the same file object."); ++ "operation on the same file object"); + } else { + /* This should not happen unless someone is + * carelessly playing with the PyFileObject +@@ -438,7 +438,7 @@ close_the_file(PyFileObject *f) + * pointer. */ + PyErr_SetString(PyExc_SystemError, + "PyFileObject locking error in " +- "destructor (refcnt <= 0 at close)."); ++ "destructor (refcnt <= 0 at close)"); + } + return NULL; + } +@@ -762,6 +762,12 @@ file_seek(PyFileObject *f, PyObject *args) + + if (f->f_fp == NULL) + return err_closed(); ++ if (f->unlocked_count > 0) { ++ PyErr_SetString(PyExc_IOError, ++ "seek() called during concurrent " ++ "operation on the same file object"); ++ return NULL; ++ } + drop_readahead(f); + whence = 0; + if (!PyArg_ParseTuple(args, "O|i:seek", &offobj, &whence)) +@@ -2238,6 +2244,7 @@ readahead(PyFileObject *f, Py_ssize_t bufsize) + { + Py_ssize_t chunksize; + ++ assert(f->unlocked_count == 0); + if (f->f_buf != NULL) { + if( (f->f_bufend - f->f_bufptr) >= 1) + return 0; +@@ -2279,6 +2286,12 @@ readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize) + char *buf; + Py_ssize_t len; + ++ if (f->unlocked_count > 0) { ++ PyErr_SetString(PyExc_IOError, ++ "next() called during concurrent " ++ "operation on the same file object"); ++ return NULL; ++ } + if (f->f_buf == NULL) + if (readahead(f, bufsize) < 0) + return NULL; +@@ -2692,7 +2705,7 @@ int PyObject_AsFileDescriptor(PyObject *o) + } + else { + PyErr_SetString(PyExc_TypeError, +- "argument must be an int, or have a fileno() method."); ++ "argument must be an int, or have a fileno() method"); + return -1; + } + +-- +2.13.3 + diff --git a/poky/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch b/poky/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch new file mode 100644 index 000000000..9b7713be8 --- /dev/null +++ b/poky/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch @@ -0,0 +1,306 @@ +From dbf52e02f18dac6f5f0a64f78932f3dc6efc056b Mon Sep 17 00:00:00 2001 +From: Benjamin Peterson <benjamin@python.org> +Date: Tue, 2 Jan 2018 09:25:41 -0800 +Subject: [PATCH] bpo-31530: fix crash when multiple threads iterate over a + file, round 2 (#5060) + +Multiple threads iterating over a file can corrupt the file's internal readahead +buffer resulting in crashes. To fix this, cache buffer state thread-locally for +the duration of a file_iternext call and only update the file's internal state +after reading completes. + +No attempt is made to define or provide "reasonable" semantics for iterating +over a file on multiple threads. (Non-crashing) races are still +present. Duplicated, corrupt, and missing data will happen. + +This was originally fixed by 6401e5671781eb217ee1afb4603cc0d1b0367ae6, which +raised an exception from seek() and next() when concurrent operations were +detected. Alas, this simpler solution breaks legitimate use cases such as +capturing the standard streams when multiple threads are logging. + +CVE: CVE-2018-1000030 +Upstream-Status: Backport [https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> + +--- + Lib/test/test_file2k.py | 27 ++--- + .../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst | 3 - + Objects/fileobject.c | 118 ++++++++++++--------- + 3 files changed, 78 insertions(+), 70 deletions(-) + +diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py +index d8966e034e..c73e8d8dc4 100644 +--- a/Lib/test/test_file2k.py ++++ b/Lib/test/test_file2k.py +@@ -653,18 +653,15 @@ class FileThreadingTests(unittest.TestCase): + self._test_close_open_io(io_func) + + def test_iteration_torture(self): +- # bpo-31530: Crash when concurrently iterate over a file. ++ # bpo-31530 + with open(self.filename, "wb") as fp: + for i in xrange(2**20): + fp.write(b"0"*50 + b"\n") + with open(self.filename, "rb") as f: +- def iterate(): +- try: +- for l in f: +- pass +- except IOError: ++ def it(): ++ for l in f: + pass +- self._run_workers(iterate, 10) ++ self._run_workers(it, 10) + + def test_iteration_seek(self): + # bpo-31530: Crash when concurrently seek and iterate over a file. +@@ -674,17 +671,15 @@ class FileThreadingTests(unittest.TestCase): + with open(self.filename, "rb") as f: + it = iter([1] + [0]*10) # one thread reads, others seek + def iterate(): +- try: +- if next(it): +- for l in f: +- pass +- else: +- for i in range(100): +- f.seek(i*100, 0) +- except IOError: +- pass ++ if next(it): ++ for l in f: ++ pass ++ else: ++ for i in xrange(100): ++ f.seek(i*100, 0) + self._run_workers(iterate, 10) + ++ + @unittest.skipUnless(os.name == 'posix', 'test requires a posix system.') + class TestFileSignalEINTR(unittest.TestCase): + def _test_reading(self, data_to_write, read_and_verify_code, method_name, +diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst +index a6cb6c9e9b..beb09b5ae6 100644 +--- a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst ++++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst +@@ -1,4 +1 @@ + Fixed crashes when iterating over a file on multiple threads. +-seek() and next() methods of file objects now raise an exception during +-concurrent operation on the same file object. +-A lock can be used to prevent the error. +diff --git a/Objects/fileobject.c b/Objects/fileobject.c +index 8d1c5812f0..270b28264a 100644 +--- a/Objects/fileobject.c ++++ b/Objects/fileobject.c +@@ -609,7 +609,12 @@ err_iterbuffered(void) + return NULL; + } + +-static void drop_readahead(PyFileObject *); ++static void ++drop_file_readahead(PyFileObject *f) ++{ ++ PyMem_FREE(f->f_buf); ++ f->f_buf = NULL; ++} + + /* Methods */ + +@@ -632,7 +637,7 @@ file_dealloc(PyFileObject *f) + Py_XDECREF(f->f_mode); + Py_XDECREF(f->f_encoding); + Py_XDECREF(f->f_errors); +- drop_readahead(f); ++ drop_file_readahead(f); + Py_TYPE(f)->tp_free((PyObject *)f); + } + +@@ -767,13 +772,7 @@ file_seek(PyFileObject *f, PyObject *args) + + if (f->f_fp == NULL) + return err_closed(); +- if (f->unlocked_count > 0) { +- PyErr_SetString(PyExc_IOError, +- "seek() called during concurrent " +- "operation on the same file object"); +- return NULL; +- } +- drop_readahead(f); ++ drop_file_readahead(f); + whence = 0; + if (!PyArg_ParseTuple(args, "O|i:seek", &offobj, &whence)) + return NULL; +@@ -2242,12 +2241,16 @@ static PyGetSetDef file_getsetlist[] = { + {0}, + }; + ++typedef struct { ++ char *buf, *bufptr, *bufend; ++} readaheadbuffer; ++ + static void +-drop_readahead(PyFileObject *f) ++drop_readaheadbuffer(readaheadbuffer *rab) + { +- if (f->f_buf != NULL) { +- PyMem_Free(f->f_buf); +- f->f_buf = NULL; ++ if (rab->buf != NULL) { ++ PyMem_FREE(rab->buf); ++ rab->buf = NULL; + } + } + +@@ -2255,36 +2258,34 @@ drop_readahead(PyFileObject *f) + (unless at EOF) and no more than bufsize. Returns negative value on + error, will set MemoryError if bufsize bytes cannot be allocated. */ + static int +-readahead(PyFileObject *f, Py_ssize_t bufsize) ++readahead(PyFileObject *f, readaheadbuffer *rab, Py_ssize_t bufsize) + { + Py_ssize_t chunksize; + +- assert(f->unlocked_count == 0); +- if (f->f_buf != NULL) { +- if( (f->f_bufend - f->f_bufptr) >= 1) ++ if (rab->buf != NULL) { ++ if ((rab->bufend - rab->bufptr) >= 1) + return 0; + else +- drop_readahead(f); ++ drop_readaheadbuffer(rab); + } +- if ((f->f_buf = (char *)PyMem_Malloc(bufsize)) == NULL) { ++ if ((rab->buf = PyMem_MALLOC(bufsize)) == NULL) { + PyErr_NoMemory(); + return -1; + } + FILE_BEGIN_ALLOW_THREADS(f) + errno = 0; +- chunksize = Py_UniversalNewlineFread( +- f->f_buf, bufsize, f->f_fp, (PyObject *)f); ++ chunksize = Py_UniversalNewlineFread(rab->buf, bufsize, f->f_fp, (PyObject *)f); + FILE_END_ALLOW_THREADS(f) + if (chunksize == 0) { + if (ferror(f->f_fp)) { + PyErr_SetFromErrno(PyExc_IOError); + clearerr(f->f_fp); +- drop_readahead(f); ++ drop_readaheadbuffer(rab); + return -1; + } + } +- f->f_bufptr = f->f_buf; +- f->f_bufend = f->f_buf + chunksize; ++ rab->bufptr = rab->buf; ++ rab->bufend = rab->buf + chunksize; + return 0; + } + +@@ -2294,51 +2295,43 @@ readahead(PyFileObject *f, Py_ssize_t bufsize) + logarithmic buffer growth to about 50 even when reading a 1gb line. */ + + static PyStringObject * +-readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize) ++readahead_get_line_skip(PyFileObject *f, readaheadbuffer *rab, Py_ssize_t skip, Py_ssize_t bufsize) + { + PyStringObject* s; + char *bufptr; + char *buf; + Py_ssize_t len; + +- if (f->unlocked_count > 0) { +- PyErr_SetString(PyExc_IOError, +- "next() called during concurrent " +- "operation on the same file object"); +- return NULL; +- } +- if (f->f_buf == NULL) +- if (readahead(f, bufsize) < 0) ++ if (rab->buf == NULL) ++ if (readahead(f, rab, bufsize) < 0) + return NULL; + +- len = f->f_bufend - f->f_bufptr; ++ len = rab->bufend - rab->bufptr; + if (len == 0) +- return (PyStringObject *) +- PyString_FromStringAndSize(NULL, skip); +- bufptr = (char *)memchr(f->f_bufptr, '\n', len); ++ return (PyStringObject *)PyString_FromStringAndSize(NULL, skip); ++ bufptr = (char *)memchr(rab->bufptr, '\n', len); + if (bufptr != NULL) { + bufptr++; /* Count the '\n' */ +- len = bufptr - f->f_bufptr; +- s = (PyStringObject *) +- PyString_FromStringAndSize(NULL, skip + len); ++ len = bufptr - rab->bufptr; ++ s = (PyStringObject *)PyString_FromStringAndSize(NULL, skip + len); + if (s == NULL) + return NULL; +- memcpy(PyString_AS_STRING(s) + skip, f->f_bufptr, len); +- f->f_bufptr = bufptr; +- if (bufptr == f->f_bufend) +- drop_readahead(f); ++ memcpy(PyString_AS_STRING(s) + skip, rab->bufptr, len); ++ rab->bufptr = bufptr; ++ if (bufptr == rab->bufend) ++ drop_readaheadbuffer(rab); + } else { +- bufptr = f->f_bufptr; +- buf = f->f_buf; +- f->f_buf = NULL; /* Force new readahead buffer */ ++ bufptr = rab->bufptr; ++ buf = rab->buf; ++ rab->buf = NULL; /* Force new readahead buffer */ + assert(len <= PY_SSIZE_T_MAX - skip); +- s = readahead_get_line_skip(f, skip + len, bufsize + (bufsize>>2)); ++ s = readahead_get_line_skip(f, rab, skip + len, bufsize + (bufsize>>2)); + if (s == NULL) { +- PyMem_Free(buf); ++ PyMem_FREE(buf); + return NULL; + } + memcpy(PyString_AS_STRING(s) + skip, bufptr, len); +- PyMem_Free(buf); ++ PyMem_FREE(buf); + } + return s; + } +@@ -2356,7 +2349,30 @@ file_iternext(PyFileObject *f) + if (!f->readable) + return err_mode("reading"); + +- l = readahead_get_line_skip(f, 0, READAHEAD_BUFSIZE); ++ { ++ /* ++ Multiple threads can enter this method while the GIL is released ++ during file read and wreak havoc on the file object's readahead ++ buffer. To avoid dealing with cross-thread coordination issues, we ++ cache the file buffer state locally and only set it back on the file ++ object when we're done. ++ */ ++ readaheadbuffer rab = {f->f_buf, f->f_bufptr, f->f_bufend}; ++ f->f_buf = NULL; ++ l = readahead_get_line_skip(f, &rab, 0, READAHEAD_BUFSIZE); ++ /* ++ Make sure the file's internal read buffer is cleared out. This will ++ only do anything if some other thread interleaved with us during ++ readahead. We want to drop any changeling buffer, so we don't leak ++ memory. We may lose data, but that's what you get for reading the same ++ file object in multiple threads. ++ */ ++ drop_file_readahead(f); ++ f->f_buf = rab.buf; ++ f->f_bufptr = rab.bufptr; ++ f->f_bufend = rab.bufend; ++ } ++ + if (l == NULL || PyString_GET_SIZE(l) == 0) { + Py_XDECREF(l); + return NULL; +-- +2.13.3 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch new file mode 100644 index 000000000..c89f18982 --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch @@ -0,0 +1,53 @@ +From 141b197408ab398c4f474ac1a728ab316e921f2b Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Wed, 13 Jun 2018 11:46:57 +0530 +Subject: [PATCH] qga: check bytes count read by guest-file-read + +While reading file content via 'guest-file-read' command, +'qmp_guest_file_read' routine allocates buffer of count+1 +bytes. It could overflow for large values of 'count'. +Add check to avoid it. + +Reported-by: Fakhri Zulkifli <mohdfakhrizulkifli@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Cc: qemu-stable@nongnu.org +Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> + +CVE: CVE-2018-12617 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=141b197408ab398c4f474ac1a728ab316e921f2b] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + qga/commands-posix.c | 2 +- + qga/commands-win32.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/qga/commands-posix.c b/qga/commands-posix.c +index 594d21ef3e..9284e71666 100644 +--- a/qga/commands-posix.c ++++ b/qga/commands-posix.c +@@ -458,7 +458,7 @@ struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, + + if (!has_count) { + count = QGA_READ_COUNT_DEFAULT; +- } else if (count < 0) { ++ } else if (count < 0 || count >= UINT32_MAX) { + error_setg(errp, "value '%" PRId64 "' is invalid for argument count", + count); + return NULL; +diff --git a/qga/commands-win32.c b/qga/commands-win32.c +index 70ee5379f6..73f31fa8c2 100644 +--- a/qga/commands-win32.c ++++ b/qga/commands-win32.c +@@ -318,7 +318,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, + } + if (!has_count) { + count = QGA_READ_COUNT_DEFAULT; +- } else if (count < 0) { ++ } else if (count < 0 || count >= UINT32_MAX) { + error_setg(errp, "value '%" PRId64 + "' is invalid for argument count", count); + return NULL; +-- +2.13.3 + diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch new file mode 100644 index 000000000..9923d123a --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch @@ -0,0 +1,62 @@ +From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001 +From: Jack Schwartz <jack.schwartz@oracle.com> +Date: Thu, 21 Dec 2017 09:25:15 -0800 +Subject: [PATCH] multiboot: bss_end_addr can be zero + +The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), +section 3.1.3, allows for bss_end_addr to be zero. + +A zero bss_end_addr signifies there is no .bss section. + +CVE: CVE-2018-7550 +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8] + +Suggested-by: Daniel Kiper <daniel.kiper@oracle.com> +Signed-off-by: Jack Schwartz <jack.schwartz@oracle.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Kevin Wolf <kwolf@redhat.com> +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> +--- + hw/i386/multiboot.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c +index 46d9c68bf5..bb8d8e4629 100644 +--- a/hw/i386/multiboot.c ++++ b/hw/i386/multiboot.c +@@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg, + mh_entry_addr = ldl_p(header+i+28); + + if (mh_load_end_addr) { +- if (mh_bss_end_addr < mh_load_addr) { +- fprintf(stderr, "invalid mh_bss_end_addr address\n"); +- exit(1); +- } +- mb_kernel_size = mh_bss_end_addr - mh_load_addr; +- + if (mh_load_end_addr < mh_load_addr) { + fprintf(stderr, "invalid mh_load_end_addr address\n"); + exit(1); +@@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg, + fprintf(stderr, "invalid kernel_file_size\n"); + exit(1); + } +- mb_kernel_size = kernel_file_size - mb_kernel_text_offset; +- mb_load_size = mb_kernel_size; ++ mb_load_size = kernel_file_size - mb_kernel_text_offset; ++ } ++ if (mh_bss_end_addr) { ++ if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) { ++ fprintf(stderr, "invalid mh_bss_end_addr address\n"); ++ exit(1); ++ } ++ mb_kernel_size = mh_bss_end_addr - mh_load_addr; ++ } else { ++ mb_kernel_size = mb_load_size; + } + + /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE. +-- +2.13.3 + diff --git a/poky/meta/recipes-devtools/qemu/qemu_2.11.1.bb b/poky/meta/recipes-devtools/qemu/qemu_2.11.1.bb index 7de21ac0f..a447dc719 100644 --- a/poky/meta/recipes-devtools/qemu/qemu_2.11.1.bb +++ b/poky/meta/recipes-devtools/qemu/qemu_2.11.1.bb @@ -24,6 +24,8 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \ file://0012-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch \ file://0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch \ file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \ + file://CVE-2018-7550.patch \ + file://CVE-2018-12617.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar" diff --git a/poky/meta/recipes-devtools/swig/swig.inc b/poky/meta/recipes-devtools/swig/swig.inc index bf61b02d6..aec544997 100644 --- a/poky/meta/recipes-devtools/swig/swig.inc +++ b/poky/meta/recipes-devtools/swig/swig.inc @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e7807a6282784a7dde4c846626b08fc6 \ SECTION = "devel" -DEPENDS = "libpcre python3" +DEPENDS = "libpcre" SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz" |
