reset upstream subtrees to yocto 2.6
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/recipes-devtools/git/files/CVE-2018-11233.patch b/poky/meta/recipes-devtools/git/files/CVE-2018-11233.patch
deleted file mode 100644
index f4468cf..0000000
--- a/poky/meta/recipes-devtools/git/files/CVE-2018-11233.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 014281e62b7920a6d710a85089e00ca012b0744c Mon Sep 17 00:00:00 2001
-From: Jeff King <peff@peff.net>
-Date: Sun, 13 May 2018 12:09:42 -0400
-Subject: [PATCH] is_ntfs_dotgit: use a size_t for traversing string
-
-We walk through the "name" string using an int, which can
-wrap to a negative value and cause us to read random memory
-before our array (e.g., by creating a tree with a name >2GB,
-since "int" is still 32 bits even on most 64-bit platforms).
-Worse, this is easy to trigger during the fsck_tree() check,
-which is supposed to be protecting us from malicious
-garbage.
-
-Note one bit of trickiness in the existing code: we
-sometimes assign -1 to "len" at the end of the loop, and
-then rely on the "len++" in the for-loop's increment to take
-it back to 0. This is still legal with a size_t, since
-assigning -1 will turn into SIZE_MAX, which then wraps
-around to 0 on increment.
-
-Signed-off-by: Jeff King <peff@peff.net>
-CVE: CVE-2018-11233
-Upstream-Status: Backport[https://github.com/git/git/commit/11a9f4d807a0d71dc6eff51bb87baf4ca2cccf1d]
-Signed-off-by: Sinan Kaya <okaya@kernel.org>
----
- path.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/path.c b/path.c
-index da8b65573..d31c795ff 100644
---- a/path.c
-+++ b/path.c
-@@ -1305,7 +1305,7 @@ static int only_spaces_and_periods(const char *path, size_t len, size_t skip)
-
- int is_ntfs_dotgit(const char *name)
- {
-- int len;
-+ size_t len;
-
- for (len = 0; ; len++)
- if (!name[len] || name[len] == '\\' || is_dir_sep(name[len])) {
---
-2.19.0
-
diff --git a/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch b/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch
deleted file mode 100644
index c272eac..0000000
--- a/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch
+++ /dev/null
@@ -1,288 +0,0 @@
-From 0383bbb9015898cbc79abd7b64316484d7713b44 Mon Sep 17 00:00:00 2001
-From: Jeff King <peff@peff.net>
-Date: Mon, 30 Apr 2018 03:25:25 -0400
-Subject: [PATCH] submodule-config: verify submodule names as paths
-
-Submodule "names" come from the untrusted .gitmodules file,
-but we blindly append them to $GIT_DIR/modules to create our
-on-disk repo paths. This means you can do bad things by
-putting "../" into the name (among other things).
-
-Let's sanity-check these names to avoid building a path that
-can be exploited. There are two main decisions:
-
- 1. What should the allowed syntax be?
-
- It's tempting to reuse verify_path(), since submodule
- names typically come from in-repo paths. But there are
- two reasons not to:
-
- a. It's technically more strict than what we need, as
- we really care only about breaking out of the
- $GIT_DIR/modules/ hierarchy. E.g., having a
- submodule named "foo/.git" isn't actually
- dangerous, and it's possible that somebody has
- manually given such a funny name.
-
- b. Since we'll eventually use this checking logic in
- fsck to prevent downstream repositories, it should
- be consistent across platforms. Because
- verify_path() relies on is_dir_sep(), it wouldn't
- block "foo\..\bar" on a non-Windows machine.
-
- 2. Where should we enforce it? These days most of the
- .gitmodules reads go through submodule-config.c, so
- I've put it there in the reading step. That should
- cover all of the C code.
-
- We also construct the name for "git submodule add"
- inside the git-submodule.sh script. This is probably
- not a big deal for security since the name is coming
- from the user anyway, but it would be polite to remind
- them if the name they pick is invalid (and we need to
- expose the name-checker to the shell anyway for our
- test scripts).
-
- This patch issues a warning when reading .gitmodules
- and just ignores the related config entry completely.
- This will generally end up producing a sensible error,
- as it works the same as a .gitmodules file which is
- missing a submodule entry (so "submodule update" will
- barf, but "git clone --recurse-submodules" will print
- an error but not abort the clone.
-
- There is one minor oddity, which is that we print the
- warning once per malformed config key (since that's how
- the config subsystem gives us the entries). So in the
- new test, for example, the user would see three
- warnings. That's OK, since the intent is that this case
- should never come up outside of malicious repositories
- (and then it might even benefit the user to see the
- message multiple times).
-
-Credit for finding this vulnerability and the proof of
-concept from which the test script was adapted goes to
-Etienne Stalmans.
-
-CVE: CVE-2018-11235
-Upstream-Status: Backport [https://github.com/gitster/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44#diff-1772b951776d1647ca31a2256f7fe88f]
-
-Signed-off-by: Jeff King <peff@peff.net>
-Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
----
- builtin/submodule--helper.c | 24 ++++++++++++++
- git-submodule.sh | 5 +++
- submodule-config.c | 31 ++++++++++++++++++
- submodule-config.h | 7 +++++
- t/t7415-submodule-names.sh | 76 +++++++++++++++++++++++++++++++++++++++++++++
- 5 files changed, 143 insertions(+)
- create mode 100755 t/t7415-submodule-names.sh
-
-diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
-index cbb17a902..b4b4d29d8 100644
---- a/builtin/submodule--helper.c
-+++ b/builtin/submodule--helper.c
-@@ -1480,6 +1480,29 @@ static int is_active(int argc, const cha
- return !is_submodule_active(the_repository, argv[1]);
- }
-
-+/*
-+ * Exit non-zero if any of the submodule names given on the command line is
-+ * invalid. If no names are given, filter stdin to print only valid names
-+ * (which is primarily intended for testing).
-+ */
-+static int check_name(int argc, const char **argv, const char *prefix)
-+{
-+ if (argc > 1) {
-+ while (*++argv) {
-+ if (check_submodule_name(*argv) < 0)
-+ return 1;
-+ }
-+ } else {
-+ struct strbuf buf = STRBUF_INIT;
-+ while (strbuf_getline(&buf, stdin) != EOF) {
-+ if (!check_submodule_name(buf.buf))
-+ printf("%s\n", buf.buf);
-+ }
-+ strbuf_release(&buf);
-+ }
-+ return 0;
-+}
-+
- #define SUPPORT_SUPER_PREFIX (1<<0)
-
- struct cmd_struct {
-@@ -1502,6 +1525,7 @@ static struct cmd_struct commands[] = {
- {"push-check", push_check, 0},
- {"absorb-git-dirs", absorb_git_dirs, SUPPORT_SUPER_PREFIX},
- {"is-active", is_active, 0},
-+ {"check-name", check_name, 0},
- };
-
- int cmd_submodule__helper(int argc, const char **argv, const char *prefix)
-diff --git a/git-submodule.sh b/git-submodule.sh
-index c0d0e9a4c..92750b9e2 100755
---- a/git-submodule.sh
-+++ b/git-submodule.sh
-@@ -229,6 +229,11 @@ Use -f if you really want to add it." >&
- sm_name="$sm_path"
- fi
-
-+ if ! git submodule--helper check-name "$sm_name"
-+ then
-+ die "$(eval_gettext "'$sm_name' is not a valid submodule name")"
-+ fi
-+
- # perhaps the path exists and is already a git repo, else clone it
- if test -e "$sm_path"
- then
-diff --git a/submodule-config.c b/submodule-config.c
-index 4f58491dd..de54351c6 100644
---- a/submodule-config.c
-+++ b/submodule-config.c
-@@ -190,6 +190,31 @@ static struct submodule *cache_lookup_na
- return NULL;
- }
-
-+int check_submodule_name(const char *name)
-+{
-+ /* Disallow empty names */
-+ if (!*name)
-+ return -1;
-+
-+ /*
-+ * Look for '..' as a path component. Check both '/' and '\\' as
-+ * separators rather than is_dir_sep(), because we want the name rules
-+ * to be consistent across platforms.
-+ */
-+ goto in_component; /* always start inside component */
-+ while (*name) {
-+ char c = *name++;
-+ if (c == '/' || c == '\\') {
-+in_component:
-+ if (name[0] == '.' && name[1] == '.' &&
-+ (!name[2] || name[2] == '/' || name[2] == '\\'))
-+ return -1;
-+ }
-+ }
-+
-+ return 0;
-+}
-+
- static int name_and_item_from_var(const char *var, struct strbuf *name,
- struct strbuf *item)
- {
-@@ -201,6 +226,12 @@ static int name_and_item_from_var(const
- return 0;
-
- strbuf_add(name, subsection, subsection_len);
-+ if (check_submodule_name(name->buf) < 0) {
-+ warning(_("ignoring suspicious submodule name: %s"), name->buf);
-+ strbuf_release(name);
-+ return 0;
-+ }
-+
- strbuf_addstr(item, key);
-
- return 1;
-diff --git a/submodule-config.h b/submodule-config.h
-index d434ecdb4..103cc79dd 100644
---- a/submodule-config.h
-+++ b/submodule-config.h
-@@ -48,4 +48,11 @@ extern const struct submodule *submodule
- const char *key);
- extern void submodule_free(void);
-
-+/*
-+ * Returns 0 if the name is syntactically acceptable as a submodule "name"
-+ * (e.g., that may be found in the subsection of a .gitmodules file) and -1
-+ * otherwise.
-+ */
-+int check_submodule_name(const char *name);
-+
- #endif /* SUBMODULE_CONFIG_H */
-diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
-new file mode 100755
-index 000000000..75fa071c6
---- /dev/null
-+++ b/t/t7415-submodule-names.sh
-@@ -0,0 +1,76 @@
-+#!/bin/sh
-+
-+test_description='check handling of .. in submodule names
-+
-+Exercise the name-checking function on a variety of names, and then give a
-+real-world setup that confirms we catch this in practice.
-+'
-+. ./test-lib.sh
-+
-+test_expect_success 'check names' '
-+ cat >expect <<-\EOF &&
-+ valid
-+ valid/with/paths
-+ EOF
-+
-+ git submodule--helper check-name >actual <<-\EOF &&
-+ valid
-+ valid/with/paths
-+
-+ ../foo
-+ /../foo
-+ ..\foo
-+ \..\foo
-+ foo/..
-+ foo/../
-+ foo\..
-+ foo\..\
-+ foo/../bar
-+ EOF
-+
-+ test_cmp expect actual
-+'
-+
-+test_expect_success 'create innocent subrepo' '
-+ git init innocent &&
-+ git -C innocent commit --allow-empty -m foo
-+'
-+
-+test_expect_success 'submodule add refuses invalid names' '
-+ test_must_fail \
-+ git submodule add --name ../../modules/evil "$PWD/innocent" evil
-+'
-+
-+test_expect_success 'add evil submodule' '
-+ git submodule add "$PWD/innocent" evil &&
-+
-+ mkdir modules &&
-+ cp -r .git/modules/evil modules &&
-+ write_script modules/evil/hooks/post-checkout <<-\EOF &&
-+ echo >&2 "RUNNING POST CHECKOUT"
-+ EOF
-+
-+ git config -f .gitmodules submodule.evil.update checkout &&
-+ git config -f .gitmodules --rename-section \
-+ submodule.evil submodule.../../modules/evil &&
-+ git add modules &&
-+ git commit -am evil
-+'
-+
-+# This step seems like it shouldn't be necessary, since the payload is
-+# contained entirely in the evil submodule. But due to the vagaries of the
-+# submodule code, checking out the evil module will fail unless ".git/modules"
-+# exists. Adding another submodule (with a name that sorts before "evil") is an
-+# easy way to make sure this is the case in the victim clone.
-+test_expect_success 'add other submodule' '
-+ git submodule add "$PWD/innocent" another-module &&
-+ git add another-module &&
-+ git commit -am another
-+'
-+
-+test_expect_success 'clone evil superproject' '
-+ git clone --recurse-submodules . victim >output 2>&1 &&
-+ ! grep "RUNNING POST CHECKOUT" output
-+'
-+
-+test_done
---
-2.13.3
-
diff --git a/poky/meta/recipes-devtools/git/git.inc b/poky/meta/recipes-devtools/git/git.inc
index 8603c04..26a22ac 100644
--- a/poky/meta/recipes-devtools/git/git.inc
+++ b/poky/meta/recipes-devtools/git/git.inc
@@ -7,9 +7,7 @@
PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
- file://CVE-2018-11235.patch \
- file://CVE-2018-11233.patch"
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
S = "${WORKDIR}/git-${PV}"
@@ -54,13 +52,6 @@
-e 's#${libdir}/perl-native/#${libdir}/#' \
${@d.getVar("PERLTOOLS").replace(' /',d.getVar('D') + '/')}
- # ${libdir} is not applicable here, perl-native files are always
- # installed to /usr/lib on both 32/64 bits targets.
-
- mkdir -p ${D}${libdir}
- mv ${D}${exec_prefix}/lib/perl-native/perl ${D}${libdir}
- rmdir -p ${D}${exec_prefix}/lib/perl-native || true
-
if [ ! "${@bb.utils.filter('PACKAGECONFIG', 'cvsserver', d)}" ]; then
# Only install the git cvsserver command if explicitly requested
# as it requires the DBI Perl module, which does not exist in
@@ -74,8 +65,7 @@
# if explicitly requested as they require the SVN::Core Perl
# module, which does not exist in OE-Core.
rm -r ${D}${libexecdir}/git-core/git-svn \
- ${D}${libdir}/perl/site_perl/*/Git/SVN*
- sed -i -e '/SVN/d' ${D}${libdir}/perl/site_perl/*/auto/Git/.packlist
+ ${D}${datadir}/perl5/Git/SVN*
fi
}
@@ -126,7 +116,7 @@
FILES_${PN}-perltools += " \
${PERLTOOLS} \
${libdir}/perl \
- ${datadir}/perl \
+ ${datadir}/perl5 \
"
RDEPENDS_${PN}-perltools = "${PN} perl perl-module-file-path findutils"
diff --git a/poky/meta/recipes-devtools/git/git_2.16.1.bb b/poky/meta/recipes-devtools/git/git_2.16.1.bb
deleted file mode 100644
index 9dc4eba..0000000
--- a/poky/meta/recipes-devtools/git/git_2.16.1.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-require git.inc
-
-EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
- ac_cv_fread_reads_directories=${ac_cv_fread_reads_directories=yes} \
- "
-EXTRA_OEMAKE += "NO_GETTEXT=1"
-
-SRC_URI[tarball.md5sum] = "37467da8e79e72f28598d667f219f75e"
-SRC_URI[tarball.sha256sum] = "56cfa48af2b289bba172ca0a47c29f0083f5846cf4759978b70988e4f07fc9fd"
-SRC_URI[manpages.md5sum] = "5587407f3c28446af12fde3f3131ba34"
-SRC_URI[manpages.sha256sum] = "d499e825f429d76862be415f579c20cc26b046573a3a39237acaf9682cb71be7"
diff --git a/poky/meta/recipes-devtools/git/git_2.18.1.bb b/poky/meta/recipes-devtools/git/git_2.18.1.bb
new file mode 100644
index 0000000..b2960c0
--- /dev/null
+++ b/poky/meta/recipes-devtools/git/git_2.18.1.bb
@@ -0,0 +1,11 @@
+require git.inc
+
+EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
+ ac_cv_fread_reads_directories=${ac_cv_fread_reads_directories=yes} \
+ "
+EXTRA_OEMAKE += "NO_GETTEXT=1"
+
+SRC_URI[tarball.md5sum] = "9b62c267d878f6cb02f8abc59a99525d"
+SRC_URI[tarball.sha256sum] = "5c710c866d8c9ba3b3e062755e0e9d0ef4f665752bd64810e3eb9f1b0f0eb076"
+SRC_URI[manpages.md5sum] = "ef32a459a4a08a3b8e837a31c925c848"
+SRC_URI[manpages.sha256sum] = "d05bfab2dc45de4f6e7d61ca173071d6902905a4963f7ac3cbca608c0d4592c9"