author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-09-24 05:34:48 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-09-24 05:35:28 +0300 |
commit | a34c030e5ec7021e7fb452410d38abfb3993ec68 (patch) | |
tree | b8f41acc23015f7f1de01de3c87c434195c681d4 /poky/meta/recipes-extended | |
parent | dec060e0fadb20cc708370ae192db4462283ee58 (diff) | |
download | openbmc-a34c030e5ec7021e7fb452410d38abfb3993ec68.tar.xz |
poky: subtree update:745e38ff0f..81f9e815d3
Adrian Bunk (6):
openssl: Upgrade 1.1.1c -> 1.1.1d
glib-2.0: Upgrade 2.60.6 -> 2.60.7
lttng-modules: Upgrade 2.10.10 -> 2.10.11
lttng-ust: Upgrade 2.10.4 -> 2.10.5
squashfs-tools: Remove UPSTREAM_CHECK_COMMITS
libmpc: Remove dead UPSTREAM_CHECK_URI
Alexander Kanavin (2):
runqemu: decouple gtk and gl options
strace: add a timeout for running ptests
Alistair Francis (1):
gdb: Mark gdbserver as ALLOW_EMPTY for riscv32
Andre McCurdy (9):
busybox: drop unused mount.busybox and umount.busybox wrappers
busybox: drop inittab from SRC_URI ( now moved to busybox-inittab )
busybox-inittab: minor formatting tweaks
base-files: drop legacy empty file /etc/default/usbd
busybox: rcS and rcK should not be writeable by everyone
ffmpeg: add PACKAGECONFIG controls for alsa and zlib (enable by default)
libwebp: apply ARM specific config options to big endian ARM
initscripts: enable alignment.sh init script for big endian ARM
libunwind: apply configure over-ride to both big and little endian ARM
Andrew F. Davis (4):
libepoxy: Disable x11 when not building for x11
cogl: Set depends to the virtual needed not explicitly on Mesa
gtk+3: Set depends to the virtual needed not explicitly on Mesa
weston: Set depends to the virtual needed not explicitly on Mesa
Armin Kuster (1):
gcc: Security fix for CVE-2019-15847
Changhyeok Bae (1):
iw: upgrade to 5.3
Changqing Li (2):
classextend.py: don't extend file for file dependency
report-error.bbclass: add local.conf/auto.conf into error report
Chen Qi (1):
python-numpy: fix build for libn32
Daniel Gomez (1):
lttng-modules: Add missing SRCREV_FORMAT
Diego Rondini (1):
initramfs-framework: support PARTLABEL option
Dmitry Eremin-Solenikov (7):
image-uefi.conf: add config file holding configuration for UEFI images
grub-bootconf: switch to image-uefi.conf
grub-efi: switch to image-uefi.conf
grub-efi.bbclass: switch to image-uefi.conf
systemd-boot: switch to image-uefi.conf
systemd-boot.bbclass: switch to image-uefi.conf
live-vm-common.bbclass: provide efi population functions for live images
Hector Palacios (1):
udev-extraconf: skip mounting partitions already mounted by systemd
Henning Schild (6):
oe-git-proxy: allow setting SOCAT from outside
oeqa: add case for oe-git-proxy
Revert "oe-git-proxy: Avoid resolving NO_PROXY against local files"
oe-git-proxy: disable shell pathname expansion for the whole script
oe-git-proxy: NO_PROXY suffix matching without wildcard for match_host
oe-git-proxy: fix dash "Bad substitution"
Hongxu Jia (1):
elfutils: 0.176 -> 0.177
Jack Mitchell (1):
iptables: add systemd helper unit to load/restore rules
Jaewon Lee (1):
populate_sdk_ext: Introduce mechanism to keep nativesdk* sstate in esdk
Jason Wessel (1):
gnupg: Extend -native wrapper to fix gpgme-native's gpgconf problems
Jiang Lu (2):
glib-networking:enable glib-networking build as native package
libsoup:enable libsoup build as native package
Joshua Watt (4):
sstatesig: Update server URI
Remove SSTATE_HASHEQUIV_SERVER
bitbake: bitbake: Rework hash equivalence
classes/archiver: Fix WORKDIR for shared source
Kai Kang (1):
systemd: provides ${base_sbindir}/udevadm
Khem Raj (10):
ptrace: Drop ptrace aid for musl/ppc
elfutils: Fix build on ppc/musl
cogl: Do not depend PN-dev on empty PN
musl: Update to latest master
glibc: Move DISTRO_FEATURE specific do_install code for target recipe only
populate_sdk_base.bbclass: nativesdk-glibc-locale is required on musl too
nativesdk.bbclass: Clear out LIBCEXTENSION and ABIEXTENSION
openssl: Enable os option for with-rand-seed as well
weston-init: Add possibility to run weston as non-root user
layer.conf: Remove weston-conf from SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS
Li Zhou (1):
qemu: Security Advisory - qemu - CVE-2019-15890
Limeng (1):
tune-cortexa57-cortexa53: add tunes for ARM Cortex-A53-Cortex-A57
Martin Jansa (2):
perf: fix build on kernels which don't have ${S}/tools/include/linux/bits.h
bitbake: Revert "bitbake: cooker: Ensure bbappends are found in stable order"
Maxime Roussin-Bélanger (1):
meta: add missing descriptions and homepage in bsp
Mikko Rapeli (2):
busybox.inc: handle empty DEBUG_PREFIX_MAP
bitbake: svn fetcher: allow "svn propget svn:externals" to fail
Nathan Rossi (7):
resulttool: Handle multiple series containing ptestresults
gcc-cross.inc: Process binaries in build dir to be relocatable
oeqa/core/case.py: Add OEPTestResultTestCase for ptestresult helpers
oeqa/selftest: Rework toolchain tests to use OEPTestResultTestCase
glibc-testsuite: SkipRecipe if libc is not glibc
cmake: 3.15.2 -> 3.15.3
meson.bbclass: Handle microblaze* mapping to cpu family
Oleksandr Kravchuk (5):
python3-pygobject: update to 3.34.0
font-util: update to 1.3.2
expat: update to 2.2.8
curl: update to 7.66.0
python3-dbus: update to 1.2.12
Otavio Salvador (1):
mesa: Upgrade 19.1.1 -> 19.1.6
Peter Kjellerstedt (3):
glibc: Make it build without ldconfig in DISTRO_FEATURES
package_rpm.bbclass: Remove a misleading bb.note()
tzdata: Correct the packaging of /etc/localtime and /etc/timezone
Quentin Schulz (1):
externalsrc: stop rebuilds of 2+ externalsrc recipes sharing the same git repo
Randy MacLeod (4):
valgrind: enable ~500 more ptests
valgrind: make a few more ptests pass
valgrind: ptest improvements to run-ptest and more
valgrind: disable 256 ptests for aarch64
Richard Purdie (8):
bitbake: runqueue/siggen: Optimise hash equiv queries
runqemu: Mention snapshot in the help output
initramfs-framework: support PARTLABEL option
systemd: Handle slow to boot mips hwdb update timeouts
meta-extsdk: Either an sstate task is a proper task or it isn't
oeqa/concurrenttest: Use ionice to delete build directories
bitbake: utils: Add ionice option to prunedir
build-appliance-image: Update to master head revision
Robert Yang (2):
conf/multilib.conf: Add ovmf to NON_MULTILIB_RECIPES
bitbake: runqueue: validate_hashes(): currentcount should be a number
Ross Burton (16):
libtasn1: fix build with api-documentation enabled
gstreamer1.0-libav: enable gtk-doc again
python3: handle STAGING_LIBDIR/INCDIR being unset
mesa: no need to depend on target python3
adwaita-icon-theme: fix rare install race
oeqa/selftest/wic: improve assert messages in test_fixed_size
oeqa/selftest/imagefeatures: dump the JSON if it can't be parsed
libical: upgrade to 3.0.6
acpica: upgrade 20190509 -> 20190816
gdk-pixbuf: upgrade 2.38.1 -> 2.38.2
piglit: upgrade to latest revision
libinput: upgrade 1.14.0 -> 1.14.1
rootfs-postcommands: check /etc/gconf exists before working on it
systemd-systemctl-native: don't care about line endings
opkg-utils: respect SOURCE_DATE_EPOCH when building ipkgs
bitbake: fetch2/git: add git-lfs toggle option
Scott Murray (1):
systemd: upgrade to 243
Stefan Ghinea (1):
ghostscript: CVE-2019-14811, CVE-2019-14817
Tim Blechmann (1):
icecc: blacklist pixman
Yeoh Ee Peng (3):
bitbake: bitbake-layers: show-recipes: Show recipes only
bitbake: bitbake-layers: show-recipes: Select recipes from selected layer
bitbake: bitbake-layers: show-recipes: Enable bare output
Yi Zhao (3):
screen: add /etc/screenrc as global config file
nfs-utils: fix nfs mount error on 32bit nfs server
grub: remove diffutils and freetype runtime dependencies
Zang Ruochen (2):
btrfs-tools:upgrade 5.2.1 -> 5.2.2
timezone:upgrade 2019b -> 2019c
Change-Id: I1ec24480a8964e474cd99d60a0cb0975e49b46b8
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/recipes-extended')
mode | file | lines changed
---|---|---
-rw-r--r-- | poky/meta/recipes-extended/acpica/acpica_20190816.bb (renamed from poky/meta/recipes-extended/acpica/acpica_20190509.bb) | 4
-rw-r--r-- | poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch | 68
-rw-r--r-- | poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch | 270
-rw-r--r-- | poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch | 236
-rw-r--r-- | poky/meta/recipes-extended/ghostscript/ghostscript_9.27.bb | 3
-rw-r--r-- | poky/meta/recipes-extended/iptables/iptables/iptables.rules | 0
-rw-r--r-- | poky/meta/recipes-extended/iptables/iptables/iptables.service | 13
-rw-r--r-- | poky/meta/recipes-extended/iptables/iptables_1.8.3.bb | 17
-rw-r--r-- | poky/meta/recipes-extended/screen/screen_4.6.2.bb | 3
-rw-r--r-- | poky/meta/recipes-extended/timezone/timezone.inc | 10
-rw-r--r-- | poky/meta/recipes-extended/timezone/tzdata.bb | 5
11 files changed, 618 insertions, 11 deletions
diff --git a/poky/meta/recipes-extended/acpica/acpica_20190509.bb b/poky/meta/recipes-extended/acpica/acpica_20190816.bb index cf6db336a..8f7997477 100644 --- a/poky/meta/recipes-extended/acpica/acpica_20190509.bb +++ b/poky/meta/recipes-extended/acpica/acpica_20190816.bb @@ -17,8 +17,8 @@ COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux" DEPENDS = "bison flex bison-native" SRC_URI = "https://acpica.org/sites/acpica/files/acpica-unix2-${PV}.tar.gz" -SRC_URI[md5sum] = "dd1f8240f924b12b0a0de0c31ab26ab1" -SRC_URI[sha256sum] = "860b5f94a0590b278592acf16a4556b05ff0309c08e8c48aa29827cfa02c8e9d" +SRC_URI[md5sum] = "6a73b1e34715916fa31132dbe11008b0" +SRC_URI[sha256sum] = "888e80f3bb77381620a5ead208e1a1be06f3ea66ddc8cfdfa62811cae5f03752" UPSTREAM_CHECK_URI = "https://acpica.org/downloads" S = "${WORKDIR}/acpica-unix2-${PV}" diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch new file mode 100644 index 000000000..3f28555e8 --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14811-0001.patch 
@@ -0,0 +1,68 @@ +From 885444fcbe10dc42787ecb76686c8ee4dd33bf33 Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Tue, 20 Aug 2019 10:10:28 +0100 +Subject: [PATCH] make .forceput inaccessible + +Bug #701343, #701344, #701345 + +More defensive programming. We don't want people to access .forecput +even though it is no longer sufficient to bypass SAFER. The exploit +in #701343 didn't work anyway because of earlier work to stop the error +handler being used, but nevertheless, prevent access to .forceput from +.setuserparams2. + +CVE: CVE-2019-14811 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + Resource/Init/gs_lev2.ps | 6 +++--- + Resource/Init/gs_pdfwr.ps | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Resource/Init/gs_lev2.ps b/Resource/Init/gs_lev2.ps +index 98d55fe..f1b771f 100644 +--- a/Resource/Init/gs_lev2.ps ++++ b/Resource/Init/gs_lev2.ps +@@ -158,7 +158,7 @@ end + { + pop pop + } ifelse +- } forall ++ } executeonly forall + % A context switch might have occurred during the above loop, + % causing the interpreter-level parameters to be reset. + % Set them again to the new values. From here on, we are safe, +@@ -229,9 +229,9 @@ end + { pop pop + } + ifelse +- } ++ } executeonly + forall pop +-} .bind odef ++} .bind executeonly odef + + % Initialize the passwords. + % NOTE: the names StartJobPassword and SystemParamsPassword are known to +diff --git a/Resource/Init/gs_pdfwr.ps b/Resource/Init/gs_pdfwr.ps +index 00c19fa..dfe504d 100644 +--- a/Resource/Init/gs_pdfwr.ps ++++ b/Resource/Init/gs_pdfwr.ps +@@ -652,11 +652,11 @@ currentdict /.pdfmarkparams .undef + systemdict /.pdf_hooked_DSC_Creator //true .forceput + } executeonly if + pop +- } if ++ } executeonly if + } { + pop + } ifelse +- } ++ } executeonly + { + pop + } ifelse +-- +2.20.1 + 
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch new file mode 100644 index 000000000..c76e21caa --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0001.patch 
@@ -0,0 +1,270 @@ +From 0bafbd9c1273fab0dc79fd20db0ffc4443683f96 Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Mon, 29 Apr 2019 11:14:06 +0100 +Subject: [PATCH 1/2] PDF interpreter - Decode ToUnicode entries of the form + /Identity-H/V + +Bug #701003 "Text searchability broken due to omission of /ToUnicode /Identity-H" + +The PDF references from 1.2 too 2.0 all state that the value associated +with a ToUnicode key in a FontDescriptor must be a stream object. However +this file (and one case seen previously, bug 687351) have FontDescriptor +dictionaries where the value associated with a /ToUnicode key is a +name object, in both cases /Identity-H. + +Although this is clearly not legal, Acrobat not only tolerates it, it +actually uses it for search/copy/paste (see bug 701003 for details). +Without the key Acrobat is unable to successfully search the output file. + +We can't simply preserve the name object as a ToUnicode value; when +handling ToUnicode we actually decode the CMap and build a +GlyphNames2Unicode map (an internal representation of the G2U data +produced by the Microsoft PostScript printer driver). When writing the +output file we use that information to get a Unicode value for each +character we write, and build a new ToUnicode CMap using that. + +This commit tackles the problem by pre-scanning for a name object and +then checking to see if its Identity-H or Identity-V (although we have +not seen an Identity-V, there seems no reason why it wouldn't be +equally valid). If we find either of these then we construct a +GlyphNames2Unicode table for all possible values (0 - 65535) and store +that with the font as normal. When we write the output file we only +write the required entries for the subset font, so we write a now +completely legal ToUnicode CMap, and Acrobat is equally happy with that +as the original name. + +If the ToUnicode value isn't a name object, or isn't one of the +identities then we proceed as before. 
This means we will print a +warning for non conforming ToUnicode entries and ignore them. + +CVE: CVE-2019-14817 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + Resource/Init/pdf_font.ps | 200 ++++++++++++++++++++++++-------------- + 1 file changed, 129 insertions(+), 71 deletions(-) + +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index 9fb85f6..2df3303 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -621,86 +621,144 @@ currentdict end readonly def + PDFDEBUG { + (.processToUnicode beg) = + } if +- 2 index /ToUnicode knownoget { +- dup type /dicttype eq { dup /File known not } { //true } ifelse { +- % We undefine wrong /Length and define /File in stream dictionaries. +- % Bug687351.pdf defines /ToUnicode /Identity-H, what is incorrect. +- ( **** Warning: Ignoring bad ToUnicode CMap.\n) pdfformatwarning +- pop ++ ++ 2 index /ToUnicode knownoget ++ { ++ dup type /nametype eq { ++ % This is contrary to the specification but it seems that Acrobat at least will accept ++ % a ToUnicode with a value of Identity-H *and* will use that for search, copy/paste. 
++ % We can't pass through a name, so the best we can do is build a GlyphNames2Unicode ++ % map matching that which would have been generated by a full 16-bit Identity CMap ++ % ++ % See bug numbers 701003 and 687351 ++ % ++ dup /Identity-H eq 1 index /Identity-V eq or{ ++ pop ++ 1 index /FontInfo .knownget not { ++ currentglobal 2 index dup gcheck setglobal ++ /FontInfo 5 dict dup 5 1 roll .forceput ++ setglobal ++ } if ++ dup /GlyphNames2Unicode .knownget not { ++ //true % No existing G2U, make one ++ } { ++ dup wcheck { ++ //false % Existing, writeable G2U, don't make new one ++ } { ++ pop //true % Existing read only G2U, make new one ++ } ifelse ++ } ifelse ++ { ++ currentglobal exch dup gcheck setglobal ++ dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput ++ 3 2 roll setglobal ++ } if % font-res font-dict encoding|null font-info g2u ++ ++ 0 1 65535{ ++ % g2u index ++ dup dup 256 mod exch 256 idiv % g2u index lo-byte hi-byte ++ 2 string dup 0 4 -1 roll % g2u index lo-byte () () 0 hi-byte ++ put % g2u index lo-byte (x) ++ dup 1 % g2u index lo-byte (x) (x) 1 ++ 4 -1 roll put % g2u index (x) (x) 1 lo-byte -> dict index (xx) ++ 2 index % g2u index (xx) dict ++ 3 1 roll % g2u g2u index (xx) ++ put % g2u ++ } for ++ pop % font-res font-dict encoding|null font-info ++ pop % font-res font-dict encoding|null ++ //false % We built a GlyphNames2Unicode table, don't need to process further ++ }{ ++ //true % name is not Identity-V or H, fail by falling through ++ }ifelse + } { +- /PDFScanRules .getuserparam dup //null eq { +- pop //PDFScanRules_null +- } { +- 1 dict dup /PDFScanRules 4 -1 roll put +- } ifelse +- //PDFScanRules_true setuserparams +- PDFfile fileposition +- 3 -1 roll +- count 1 sub +- countdictstack +- { //false resolvestream +- % Following Acrobat we ignore everything outside +- % begincodespacerange .. endcmap. 
+- dup 0 (begincodespacerange) /SubFileDecode filter flushfile +- /CIDInit /ProcSet findresource begin +- //ToUnicodeCMapReader begin +- 12 dict begin +- /CMapType 2 def +- mark exch % emulate 'begincodespacerange' +- 0 (endcmap) /SubFileDecode filter cvx /begincmap cvx exch 2 .execn +- endcmap +- userdict /.lastToUnicode currentdict put +- end end end +- } ++ //true ++ } ifelse % not a name, try as a dictionary (as specified) + +- PDFSTOPONERROR { +- { exec } 0 get +- //false +- 5 -2 roll +- 5 ++ % If the ToUnicode isn't a name, or the name isn't Identity-V or -H then follow the specification ++ % If its not a dictionary type throw an error, otherwise decode it and build a GlyphNames2Unicode ++ % ++ { ++ dup type /dicttype eq { dup /File known not } { //true } ifelse { ++ % We undefine wrong /Length and define /File in stream dictionaries. ++ % Bug687351.pdf defines /ToUnicode /Identity-H, what is incorrect. ++ ( **** Warning: Ignoring bad ToUnicode CMap.\n) pdfformatwarning ++ pop + } { +- { stopped } 0 get +- 4 2 roll +- 4 +- } ifelse +- array astore cvx exec ++ /PDFScanRules .getuserparam dup //null eq { ++ pop //PDFScanRules_null ++ } { ++ 1 dict dup /PDFScanRules 4 -1 roll put ++ } ifelse ++ //PDFScanRules_true setuserparams ++ PDFfile fileposition ++ 3 -1 roll ++ count 1 sub ++ countdictstack ++ { //false resolvestream ++ % Following Acrobat we ignore everything outside ++ % begincodespacerange .. endcmap. ++ dup 0 (begincodespacerange) /SubFileDecode filter flushfile ++ /CIDInit /ProcSet findresource begin ++ //ToUnicodeCMapReader begin ++ 12 dict begin ++ /CMapType 2 def ++ mark exch % emulate 'begincodespacerange' ++ 0 (endcmap) /SubFileDecode filter cvx /begincmap cvx exch 2 .execn ++ endcmap ++ userdict /.lastToUnicode currentdict put ++ end end end ++ } + +- countdictstack exch sub 0 .max { end } repeat +- count exch sub 2 sub 0 .max { exch pop } repeat +- 3 1 roll % Stach the stop flag. 
+- PDFfile exch setfileposition +- setuserparams +- { +- ( **** Warning: Failed to read ToUnicode CMap.\n) pdfformatwarning +- } { +- 1 index /FontInfo .knownget not { +- currentglobal 2 index dup gcheck setglobal +- /FontInfo 5 dict dup 5 1 roll .forceput +- setglobal +- } if +- dup /GlyphNames2Unicode .knownget not { +- //true % No existing G2U, make one ++ PDFSTOPONERROR { ++ { exec } 0 get ++ //false ++ 5 -2 roll ++ 5 ++ } { ++ { stopped } 0 get ++ 4 2 roll ++ 4 ++ } ifelse ++ array astore cvx exec ++ ++ countdictstack exch sub 0 .max { end } repeat ++ count exch sub 2 sub 0 .max { exch pop } repeat ++ 3 1 roll % Stach the stop flag. ++ PDFfile exch setfileposition ++ setuserparams ++ { ++ ( **** Warning: Failed to read ToUnicode CMap.\n) pdfformatwarning + } { +- dup wcheck { +- //false % Existing, writeable G2U, don't make new one ++ 1 index /FontInfo .knownget not { ++ currentglobal 2 index dup gcheck setglobal ++ /FontInfo 5 dict dup 5 1 roll .forceput ++ setglobal ++ } if ++ dup /GlyphNames2Unicode .knownget not { ++ //true % No existing G2U, make one + } { +- pop //true % Existing read only G2U, make new one ++ dup wcheck { ++ //false % Existing, writeable G2U, don't make new one ++ } { ++ pop //true % Existing read only G2U, make new one ++ } ifelse + } ifelse ++ { ++ currentglobal exch dup gcheck setglobal ++ dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput ++ 3 2 roll setglobal ++ } if % font-res font-dict encoding|null font-info g2u ++ exch pop exch % font-res font-dict g2u encoding|null ++ userdict /.lastToUnicode get % font-res font-dict g2u Encoding|null CMap ++ .convert_ToUnicode-into-g2u % font-res font-dict ++ //null % font-res font-dict //null + } ifelse +- { +- currentglobal exch dup gcheck setglobal +- dup /GlyphNames2Unicode 100 dict dup 4 1 roll .forceput +- 3 2 roll setglobal +- } if % font-res font-dict encoding|null font-info g2u +- exch pop exch % font-res font-dict g2u encoding|null +- userdict /.lastToUnicode get % font-res 
font-dict g2u Encoding|null CMap +- .convert_ToUnicode-into-g2u % font-res font-dict +- //null % font-res font-dict //null + } ifelse +- } ifelse +- } if +- PDFDEBUG { +- (.processToUnicode end) = ++ } if ++ PDFDEBUG { ++ (.processToUnicode end) = ++ } if + } if + } if + } stopped +-- +2.20.1 + diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch new file mode 100644 index 000000000..6348fff2d --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2019-14817-0002.patch 
@@ -0,0 +1,236 @@ +From cd1b1cacadac2479e291efe611979bdc1b3bdb19 Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Wed, 21 Aug 2019 10:10:51 +0100 +Subject: [PATCH 2/2] PDF interpreter - review .forceput security + +Bug #701450 "Safer Mode Bypass by .forceput Exposure in .pdfexectoken" + +By abusing the error handler it was possible to get the PDFDEBUG portion +of .pdfexectoken, which uses .forceput left readable. + +Add an executeonly appropriately to make sure that clause isn't readable +no mstter what. + +Review all the uses of .forceput searching for similar cases, add +executeonly as required to secure those. All cases in the PostScript +support files seem to be covered already. + +CVE: CVE-2019-14817 +Upstream-Status: Backport [git://git.ghostscript.com/ghostpdl.git] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + Resource/Init/pdf_base.ps | 2 +- + Resource/Init/pdf_draw.ps | 14 +++++++------- + Resource/Init/pdf_font.ps | 29 ++++++++++++++++------------- + Resource/Init/pdf_main.ps | 6 +++--- + Resource/Init/pdf_ops.ps | 11 ++++++----- + 5 files changed, 33 insertions(+), 29 deletions(-) + +diff --git a/Resource/Init/pdf_base.ps b/Resource/Init/pdf_base.ps +index 1a218f4..cffde5c 100644 +--- a/Resource/Init/pdf_base.ps ++++ b/Resource/Init/pdf_base.ps +@@ -157,7 +157,7 @@ currentdict /num-chars-dict .undef + { + dup ==only () = flush + } ifelse % PDFSTEP +- } if % PDFDEBUG ++ } executeonly if % PDFDEBUG + 2 copy .knownget { + exch pop exch pop exch pop exec + } { +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index e18a7c2..0a3924c 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -501,8 +501,8 @@ end + ( Output may be incorrect.\n) pdfformaterror + //pdfdict /.gs_warning_issued //true .forceput + PDFSTOPONERROR { /gs /undefined signalerror } if +- } if +- } ++ } executeonly if ++ } executeonly + ifelse + } bind executeonly def + +@@ -1142,7 +1142,7 @@ currentdict 
end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput +@@ -1150,8 +1150,8 @@ currentdict end readonly def + pdfformaterror + } executeonly ifelse + end +- } ifelse +- } loop ++ } executeonly ifelse ++ } executeonly loop + { + (\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) + //pdfdict /.Qqwarning_issued .knownget +@@ -1165,14 +1165,14 @@ currentdict end readonly def + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if ++ } executeonly if + pop + + % restore pdfemptycount +diff --git a/Resource/Init/pdf_font.ps b/Resource/Init/pdf_font.ps +index 2df3303..6a6a5fe 100644 +--- a/Resource/Init/pdf_font.ps ++++ b/Resource/Init/pdf_font.ps +@@ -638,7 +638,7 @@ currentdict end readonly def + currentglobal 2 index dup gcheck setglobal + /FontInfo 5 dict dup 5 1 roll .forceput + setglobal +- } if ++ } executeonly if + dup /GlyphNames2Unicode .knownget not { + //true % No existing G2U, make one + } { +@@ -668,10 +668,12 @@ currentdict end readonly def + pop % font-res font-dict encoding|null font-info + pop % font-res font-dict encoding|null + //false % We built a GlyphNames2Unicode table, don't need to process further +- }{ ++ } executeonly ++ { + //true % name is not Identity-V or H, fail by falling through + }ifelse +- } { ++ } executeonly ++ { + //true + } ifelse % not a name, try as a dictionary (as specified) + +@@ -759,9 +761,9 @@ currentdict end readonly def + PDFDEBUG { + (.processToUnicode end) = + } if +- } if +- } if +- } stopped ++ } executeonly if ++ } executeonly if ++ } executeonly stopped + { + .dstackdepth 1 countdictstack 1 sub + {pop end} for +@@ -1291,19 +1293,20 @@ currentdict /eexec_pdf_param_dict 
.undef + //pdfdict /.Qqwarning_issued //true .forceput + } executeonly if + Q +- } repeat ++ } executeonly repeat + Q +- } PDFfile fileposition 2 .execn % Keep pdfcount valid. ++ } executeonly PDFfile fileposition 2 .execn % Keep pdfcount valid. + PDFfile exch setfileposition +- } ifelse +- } { ++ } executeonly ifelse ++ } executeonly ++ { + % PDF Type 3 fonts don't use .notdef + % d1 implementation adjusts the width as needed + 0 0 0 0 0 0 + pdfopdict /d1 get exec + } ifelse + end end +- } bdef ++ } executeonly bdef + dup currentdict Encoding .processToUnicode + currentdict end .completefont exch pop + } bind executeonly odef +@@ -2103,9 +2106,9 @@ currentdict /CMap_read_dict undef + (Will continue, but content may be missing.) = flush + } ifelse + } if +- } if ++ } executeonly if + /findresource cvx /undefined signalerror +- } loop ++ } executeonly loop + } bind executeonly odef + + /buildCIDType0 { % <CIDFontType0-font-resource> buildCIDType0 <font> +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index 5305ea6..a59e63c 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -2749,15 +2749,15 @@ currentdict /PDF2PS_matrix_key undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } if +- } if ++ } executeonly if ++ } executeonly if + pop + count PDFexecstackcount sub { pop } repeat + (after exec) VMDEBUG +diff --git a/Resource/Init/pdf_ops.ps b/Resource/Init/pdf_ops.ps +index 285e582..6c1f100 100644 +--- a/Resource/Init/pdf_ops.ps ++++ b/Resource/Init/pdf_ops.ps +@@ -186,14 +186,14 @@ currentdict /gput_always_allow .undef + .setglobal + pdfformaterror + } executeonly ifelse +- } ++ } executeonly + { + currentglobal //pdfdict gcheck .setglobal + //pdfdict /.Qqwarning_issued //true .forceput + .setglobal + pdfformaterror + } executeonly ifelse +- } 
if ++ } executeonly if + } bind executeonly odef + + % Save PDF gstate +@@ -440,11 +440,12 @@ currentdict /gput_always_allow .undef + dup type /booleantype eq { + .currentSMask type /dicttype eq { + .currentSMask /Processed 2 index .forceput ++ } executeonly ++ { ++ .setSMask ++ }ifelse + } executeonly + { +- .setSMask +- }ifelse +- }{ + .setSMask + }ifelse + +-- +2.20.1 + diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript_9.27.bb b/poky/meta/recipes-extended/ghostscript/ghostscript_9.27.bb index fcc9e0099..349c0c2e8 100644 --- a/poky/meta/recipes-extended/ghostscript/ghostscript_9.27.bb +++ b/poky/meta/recipes-extended/ghostscript/ghostscript_9.27.bb @@ -25,6 +25,9 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://do-not-check-local-libpng-source.patch \ file://avoid-host-contamination.patch \ file://mkdir-p.patch \ + file://CVE-2019-14811-0001.patch \ + file://CVE-2019-14817-0001.patch \ + file://CVE-2019-14817-0002.patch \ " SRC_URI = "${SRC_URI_BASE} \ diff --git a/poky/meta/recipes-extended/iptables/iptables/iptables.rules b/poky/meta/recipes-extended/iptables/iptables/iptables.rules new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/poky/meta/recipes-extended/iptables/iptables/iptables.rules diff --git a/poky/meta/recipes-extended/iptables/iptables/iptables.service b/poky/meta/recipes-extended/iptables/iptables/iptables.service new file mode 100644 index 000000000..041316e45 --- /dev/null +++ b/poky/meta/recipes-extended/iptables/iptables/iptables.service @@ -0,0 +1,13 @@ +[Unit] +Description=Packet Filtering Framework +Before=network-pre.target +Wants=network-pre.target + +[Service] +Type=oneshot +ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules +ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target 
diff --git a/poky/meta/recipes-extended/iptables/iptables_1.8.3.bb b/poky/meta/recipes-extended/iptables/iptables_1.8.3.bb index 6ac3fc60c..ff9fcb1b5 100644 --- a/poky/meta/recipes-extended/iptables/iptables_1.8.3.bb +++ b/poky/meta/recipes-extended/iptables/iptables_1.8.3.bb @@ -10,12 +10,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\ SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \ file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \ file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \ + file://iptables.service \ + file://iptables.rules \ " SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513" SRC_URI[sha256sum] = "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80" -inherit autotools pkgconfig +inherit autotools pkgconfig systemd EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}" @@ -56,6 +58,19 @@ INSANE_SKIP_${PN}-module-xt-ct = "dev-so" ALLOW_EMPTY_${PN}-modules = "1" +do_install_append() { + + install -d ${D}${sysconfdir}/iptables + install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables + + install -d ${D}${systemd_system_unitdir} + install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir} + + sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_system_unitdir}/iptables.service +} + +SYSTEMD_SERVICE_${PN} = "iptables.service" + RDEPENDS_${PN} = "${PN}-module-xt-standard" RRECOMMENDS_${PN} = " \ ${PN}-modules \ diff --git a/poky/meta/recipes-extended/screen/screen_4.6.2.bb b/poky/meta/recipes-extended/screen/screen_4.6.2.bb index 24ec75107..21b476ddb 100644 --- a/poky/meta/recipes-extended/screen/screen_4.6.2.bb +++ b/poky/meta/recipes-extended/screen/screen_4.6.2.bb 
@@ -35,10 +35,11 @@ inherit autotools texinfo PACKAGECONFIG ??= "" PACKAGECONFIG[utempter] = "ac_cv_header_utempter_h=yes,ac_cv_header_utempter_h=no,libutempter," -EXTRA_OECONF = "--with-pty-mode=0620 --with-pty-group=5 \ +EXTRA_OECONF = "--with-pty-mode=0620 --with-pty-group=5 --with-sys-screenrc=${sysconfdir}/screenrc \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" do_install_append () { + install -D -m 644 ${S}/etc/etcscreenrc ${D}/${sysconfdir}/screenrc if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then install -D -m 644 ${WORKDIR}/screen.pam ${D}/${sysconfdir}/pam.d/screen fi diff --git a/poky/meta/recipes-extended/timezone/timezone.inc b/poky/meta/recipes-extended/timezone/timezone.inc index ce16524eb..f6bab1acb 100644 --- a/poky/meta/recipes-extended/timezone/timezone.inc +++ b/poky/meta/recipes-extended/timezone/timezone.inc @@ -4,7 +4,7 @@ SECTION = "base" LICENSE = "PD & BSD & BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" -PV = "2019b" +PV = "2019c" SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \ http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \ 
@@ -12,7 +12,7 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" -SRC_URI[tzcode.md5sum] = "91e0978d947496fd6aaf46d351f9c41d" -SRC_URI[tzcode.sha256sum] = "2e479d409337da41408629ce6c3b4d8410b10ba6d4431d862e22d2b137d7756d" -SRC_URI[tzdata.md5sum] = "b26b5d7d844cb96c73ed2fb6d588daaf" -SRC_URI[tzdata.sha256sum] = "05d9092c90dcf9ec4f3ccfdea80c7dcea5e882b3b105c3422da172aaa9a50c64" +SRC_URI[tzcode.md5sum] = "195a17454c5db05cab96595380650391" +SRC_URI[tzcode.sha256sum] = "f6ebd3668e02d5ed223d3b7b1947561bf2d2da2f4bd1db61efefd9e06c167ed4" +SRC_URI[tzdata.md5sum] = "f6987e6dfdb2eb83a1b5076a50b80894" +SRC_URI[tzdata.sha256sum] = "79c7806dab09072308da0e3d22c37d3b245015a591891ea147d3b133b60ffc7c" diff --git a/poky/meta/recipes-extended/timezone/tzdata.bb b/poky/meta/recipes-extended/timezone/tzdata.bb index 82fe369ba..1e2d9bd1b 100644 --- a/poky/meta/recipes-extended/timezone/tzdata.bb +++ b/poky/meta/recipes-extended/timezone/tzdata.bb @@ -147,6 +147,8 @@ FILES_tzdata-misc += "${datadir}/zoneinfo/Cuba \ RPROVIDES_tzdata-misc = "tzdata-misc" FILES_tzdata-core += " \ + ${sysconfdir}/localtime \ + ${sysconfdir}/timezone \ ${datadir}/zoneinfo/Pacific/Honolulu \ ${datadir}/zoneinfo/America/Anchorage \ ${datadir}/zoneinfo/America/Los_Angeles \ @@ -202,8 +204,7 @@ FILES_tzdata-core += " \ ${datadir}/zoneinfo/iso3166.tab \ ${datadir}/zoneinfo/Etc/*" -CONFFILES_tzdata-core += "${@ "${sysconfdir}/timezone" if bb.utils.to_boolean(d.getVar('INSTALL_TIMEZONE_FILE')) else "" }" -CONFFILES_tzdata-core += "${sysconfdir}/localtime" +CONFFILES_tzdata-core = "${sysconfdir}/localtime ${sysconfdir}/timezone" ALLOW_EMPTY_${PN} = "1" RDEPENDS_${PN} = "${TZ_PACKAGES}" |
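Review bot: CVE-2019-14817-0001.patch (Resource/Init/pdf_font.ps) is a functional change, accepting /ToUnicode values of /Identity-H and /Identity-V, not a hardening fix, and it is carried under the CVE name only because the pdf_font.ps hunks of CVE-2019-14817-0002.patch are generated against it (0001 takes pdf_font.ps from index 9fb85f6 to 2df3303, and 0002 starts from 2df3303). Add a line to the patch header or the ghostscript recipe stating that 0001 is a prerequisite for 0002, so a later rebase or CVE audit does not drop it as unrelated. Note also that the new `0 1 65535 { ... } for` loop fills the `/GlyphNames2Unicode 100 dict` with 65536 two-byte string entries for every font carrying such a ToUnicode name, which is a noticeable VM cost on a memory-constrained target.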
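Review bot: iptables.service has no `ExecStop=`, so with `RemainAfterExit=yes` a `systemctl stop iptables` reports the unit inactive while the previously restored rules stay loaded in the kernel; either add an ExecStop that restores a known state or document that stopping the unit does not remove the firewall. The shipped iptables.rules is the empty blob (index e69de29bb, 0 lines in the diffstat), so `iptables-restore /etc/iptables/iptables.rules` loads nothing until the integrator provides a ruleset; a comment in the unit file or recipe saying so would save a false sense of coverage. The `Before=network-pre.target` plus `Wants=network-pre.target` pairing is the ordering systemd documents for firewall setup, so that part is correct.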
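Review bot: in the iptables_1.8.3.bb `do_install_append()` hunk, `${sysconfdir}/iptables/iptables.rules` is installed but never declared in `CONFFILES_${PN}`, so a package upgrade will silently overwrite a locally edited ruleset; add `CONFFILES_${PN} += "${sysconfdir}/iptables/iptables.rules"`. Since `inherit systemd` together with `SYSTEMD_SERVICE_${PN} = "iptables.service"` enables the unit by default (SYSTEMD_AUTO_ENABLE defaults to "enable" in systemd.bbclass), every image that pulls in iptables now starts this service at boot; confirm that is intended. Style: the blank line directly after `do_install_append() {` is unusual for poky recipes.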
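Review bot: the screen_4.6.2.bb hunk installs `${S}/etc/etcscreenrc` as `${sysconfdir}/screenrc` and points `--with-sys-screenrc` at it, but does not add the file to `CONFFILES_${PN}`, so local changes to the system-wide screenrc would be clobbered on upgrade; add `CONFFILES_${PN} += "${sysconfdir}/screenrc"`. Minor: `${D}/${sysconfdir}` yields a double slash because sysconfdir is absolute; harmless, and it matches the existing pam.d line.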
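Review bot: in the tzdata.bb hunk, `CONFFILES_tzdata-core = "${sysconfdir}/localtime ${sysconfdir}/timezone"` replaces two `+=` appends with a plain assignment, which discards anything earlier in the recipe or in a bbappend that contributed to CONFFILES_tzdata-core; if no other contributor exists this is fine, otherwise keep `+=`. Dropping the `INSTALL_TIMEZONE_FILE` condition also lists `${sysconfdir}/timezone` as a conffile (and in FILES_tzdata-core) even when that file is not installed; confirm the packaging classes accept a listed-but-absent conffile before merging.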