poky: sumo refresh 874976b..45ef387
Update poky to sumo HEAD.
Alexander Kanavin (1):
openssl: fix upstream version check for 1.0 version
Andre McCurdy (19):
openssl_1.1: avoid using += with an over-ride
openssl_1.1: minor recipe formatting tweaks etc
openssl_1.0: merge openssl10.inc into the openssl_1.0.2o.bb recipe
openssl_1.0: minor recipe formatting tweaks etc
openssl_1.0: drop curly brackets from shell local variables
openssl_1.0: fix cryptodev-linux PACKAGECONFIG support
openssl_1.0: drop leading "-" from no-ssl3 config option
openssl_1.0: avoid running make twice for target do_compile()
openssl: remove uclibc remnants
openssl: support musl-x32 build
openssl: minor indent fixes
openssl_1.0: drop obsolete ca.patch
openssl_1.0: drop obsolete exporting of AS, EX_LIBS and DIRS
openssl_1.0: drop unmaintained darwin support
openssl_1.0: add PACKAGECONFIG option to control manpages
openssl_1.0: squash whitespace in CC_INFO
openssl: fix missing dependency on hostperl-runtime-native
openssl_1.0: drop unnecessary dependency on makedepend-native
openssl_1.0: drop unnecessary call to perlpath.pl from do_configure()
Andrej Valek (3):
openssl-1.1: fix c_rehash perl errors
openssl: update 1.0.2o -> 1.0.2p
openssl: update 1.1.0h -> 1.1.0i
Anuj Mittal (1):
wic/qemux86: don't pass ip parameter to kernel in wks
Changqing Li (1):
unzip: fix CVE-2018-1000035
Hongxu Jia (2):
nasm: fix CVE-2018-8883 & CVE-2018-8882 & CVE-2018-10316
patch: fix CVE-2018-6952
Jagadeesh Krishnanjanappa (19):
libvorbis: CVE-2017-14160 CVE-2018-10393
libvorbis: CVE-2018-10392
flac: CVE-2017-6888
libarchive: CVE-2017-14503
libsndfile1: CVE-2017-14245 CVE-2017-14246
libsndfile1: CVE-2017-14634
coreutils: CVE-2017-18018
libgcrypt: CVE-2018-0495
git: CVE-2018-11235
gnupg: CVE-2018-12020
shadow: CVE-2018-7169
procps: CVE-2018-1124
python: CVE-2018-1000030
qemu: CVE-2018-7550
qemu: CVE-2018-12617
perl: CVE-2018-6798
perl: CVE-2018-6797
perl: CVE-2018-6913
perl: CVE-2018-12015
Joshua Watt (2):
alsa-lib: Cleanup packaging
swig: Remove superfluous python dependency
Ovidiu Panait (1):
openssl-nativesdk: Fix "can't open config file" warning
Ross Burton (6):
bzip2: use Yocto Project mirror for SRC_URI
classes: sanity-check LIC_FILES_CHKSUM
openssl: disable ccache usage
unzip: fix symlink problem
bitbake: utils/md5_file: don't iterate line-by-line
bitbake: checksum: sanity check path when recursively checksumming
Change-Id: I262a451f483cb276343ae6f02c272af053d33d7a
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch b/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch
new file mode 100644
index 0000000..c272eac
--- /dev/null
+++ b/poky/meta/recipes-devtools/git/files/CVE-2018-11235.patch
@@ -0,0 +1,288 @@
+From 0383bbb9015898cbc79abd7b64316484d7713b44 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Mon, 30 Apr 2018 03:25:25 -0400
+Subject: [PATCH] submodule-config: verify submodule names as paths
+
+Submodule "names" come from the untrusted .gitmodules file,
+but we blindly append them to $GIT_DIR/modules to create our
+on-disk repo paths. This means you can do bad things by
+putting "../" into the name (among other things).
+
+Let's sanity-check these names to avoid building a path that
+can be exploited. There are two main decisions:
+
+ 1. What should the allowed syntax be?
+
+ It's tempting to reuse verify_path(), since submodule
+ names typically come from in-repo paths. But there are
+ two reasons not to:
+
+ a. It's technically more strict than what we need, as
+ we really care only about breaking out of the
+ $GIT_DIR/modules/ hierarchy. E.g., having a
+ submodule named "foo/.git" isn't actually
+ dangerous, and it's possible that somebody has
+ manually given such a funny name.
+
+ b. Since we'll eventually use this checking logic in
+ fsck to prevent downstream repositories, it should
+ be consistent across platforms. Because
+ verify_path() relies on is_dir_sep(), it wouldn't
+ block "foo\..\bar" on a non-Windows machine.
+
+ 2. Where should we enforce it? These days most of the
+ .gitmodules reads go through submodule-config.c, so
+ I've put it there in the reading step. That should
+ cover all of the C code.
+
+ We also construct the name for "git submodule add"
+ inside the git-submodule.sh script. This is probably
+ not a big deal for security since the name is coming
+ from the user anyway, but it would be polite to remind
+ them if the name they pick is invalid (and we need to
+ expose the name-checker to the shell anyway for our
+ test scripts).
+
+ This patch issues a warning when reading .gitmodules
+ and just ignores the related config entry completely.
+ This will generally end up producing a sensible error,
+ as it works the same as a .gitmodules file which is
+ missing a submodule entry (so "submodule update" will
+ barf, but "git clone --recurse-submodules" will print
+ an error but not abort the clone.
+
+ There is one minor oddity, which is that we print the
+ warning once per malformed config key (since that's how
+ the config subsystem gives us the entries). So in the
+ new test, for example, the user would see three
+ warnings. That's OK, since the intent is that this case
+ should never come up outside of malicious repositories
+ (and then it might even benefit the user to see the
+ message multiple times).
+
+Credit for finding this vulnerability and the proof of
+concept from which the test script was adapted goes to
+Etienne Stalmans.
+
+CVE: CVE-2018-11235
+Upstream-Status: Backport [https://github.com/gitster/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44#diff-1772b951776d1647ca31a2256f7fe88f]
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ builtin/submodule--helper.c | 24 ++++++++++++++
+ git-submodule.sh | 5 +++
+ submodule-config.c | 31 ++++++++++++++++++
+ submodule-config.h | 7 +++++
+ t/t7415-submodule-names.sh | 76 +++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 143 insertions(+)
+ create mode 100755 t/t7415-submodule-names.sh
+
+diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
+index cbb17a902..b4b4d29d8 100644
+--- a/builtin/submodule--helper.c
++++ b/builtin/submodule--helper.c
+@@ -1480,6 +1480,29 @@ static int is_active(int argc, const cha
+ return !is_submodule_active(the_repository, argv[1]);
+ }
+
++/*
++ * Exit non-zero if any of the submodule names given on the command line is
++ * invalid. If no names are given, filter stdin to print only valid names
++ * (which is primarily intended for testing).
++ */
++static int check_name(int argc, const char **argv, const char *prefix)
++{
++ if (argc > 1) {
++ while (*++argv) {
++ if (check_submodule_name(*argv) < 0)
++ return 1;
++ }
++ } else {
++ struct strbuf buf = STRBUF_INIT;
++ while (strbuf_getline(&buf, stdin) != EOF) {
++ if (!check_submodule_name(buf.buf))
++ printf("%s\n", buf.buf);
++ }
++ strbuf_release(&buf);
++ }
++ return 0;
++}
++
+ #define SUPPORT_SUPER_PREFIX (1<<0)
+
+ struct cmd_struct {
+@@ -1502,6 +1525,7 @@ static struct cmd_struct commands[] = {
+ {"push-check", push_check, 0},
+ {"absorb-git-dirs", absorb_git_dirs, SUPPORT_SUPER_PREFIX},
+ {"is-active", is_active, 0},
++ {"check-name", check_name, 0},
+ };
+
+ int cmd_submodule__helper(int argc, const char **argv, const char *prefix)
+diff --git a/git-submodule.sh b/git-submodule.sh
+index c0d0e9a4c..92750b9e2 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -229,6 +229,11 @@ Use -f if you really want to add it." >&
+ sm_name="$sm_path"
+ fi
+
++ if ! git submodule--helper check-name "$sm_name"
++ then
++ die "$(eval_gettext "'$sm_name' is not a valid submodule name")"
++ fi
++
+ # perhaps the path exists and is already a git repo, else clone it
+ if test -e "$sm_path"
+ then
+diff --git a/submodule-config.c b/submodule-config.c
+index 4f58491dd..de54351c6 100644
+--- a/submodule-config.c
++++ b/submodule-config.c
+@@ -190,6 +190,31 @@ static struct submodule *cache_lookup_na
+ return NULL;
+ }
+
++int check_submodule_name(const char *name)
++{
++ /* Disallow empty names */
++ if (!*name)
++ return -1;
++
++ /*
++ * Look for '..' as a path component. Check both '/' and '\\' as
++ * separators rather than is_dir_sep(), because we want the name rules
++ * to be consistent across platforms.
++ */
++ goto in_component; /* always start inside component */
++ while (*name) {
++ char c = *name++;
++ if (c == '/' || c == '\\') {
++in_component:
++ if (name[0] == '.' && name[1] == '.' &&
++ (!name[2] || name[2] == '/' || name[2] == '\\'))
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
+ static int name_and_item_from_var(const char *var, struct strbuf *name,
+ struct strbuf *item)
+ {
+@@ -201,6 +226,12 @@ static int name_and_item_from_var(const
+ return 0;
+
+ strbuf_add(name, subsection, subsection_len);
++ if (check_submodule_name(name->buf) < 0) {
++ warning(_("ignoring suspicious submodule name: %s"), name->buf);
++ strbuf_release(name);
++ return 0;
++ }
++
+ strbuf_addstr(item, key);
+
+ return 1;
+diff --git a/submodule-config.h b/submodule-config.h
+index d434ecdb4..103cc79dd 100644
+--- a/submodule-config.h
++++ b/submodule-config.h
+@@ -48,4 +48,11 @@ extern const struct submodule *submodule
+ const char *key);
+ extern void submodule_free(void);
+
++/*
++ * Returns 0 if the name is syntactically acceptable as a submodule "name"
++ * (e.g., that may be found in the subsection of a .gitmodules file) and -1
++ * otherwise.
++ */
++int check_submodule_name(const char *name);
++
+ #endif /* SUBMODULE_CONFIG_H */
+diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
+new file mode 100755
+index 000000000..75fa071c6
+--- /dev/null
++++ b/t/t7415-submodule-names.sh
+@@ -0,0 +1,76 @@
++#!/bin/sh
++
++test_description='check handling of .. in submodule names
++
++Exercise the name-checking function on a variety of names, and then give a
++real-world setup that confirms we catch this in practice.
++'
++. ./test-lib.sh
++
++test_expect_success 'check names' '
++ cat >expect <<-\EOF &&
++ valid
++ valid/with/paths
++ EOF
++
++ git submodule--helper check-name >actual <<-\EOF &&
++ valid
++ valid/with/paths
++
++ ../foo
++ /../foo
++ ..\foo
++ \..\foo
++ foo/..
++ foo/../
++ foo\..
++ foo\..\
++ foo/../bar
++ EOF
++
++ test_cmp expect actual
++'
++
++test_expect_success 'create innocent subrepo' '
++ git init innocent &&
++ git -C innocent commit --allow-empty -m foo
++'
++
++test_expect_success 'submodule add refuses invalid names' '
++ test_must_fail \
++ git submodule add --name ../../modules/evil "$PWD/innocent" evil
++'
++
++test_expect_success 'add evil submodule' '
++ git submodule add "$PWD/innocent" evil &&
++
++ mkdir modules &&
++ cp -r .git/modules/evil modules &&
++ write_script modules/evil/hooks/post-checkout <<-\EOF &&
++ echo >&2 "RUNNING POST CHECKOUT"
++ EOF
++
++ git config -f .gitmodules submodule.evil.update checkout &&
++ git config -f .gitmodules --rename-section \
++ submodule.evil submodule.../../modules/evil &&
++ git add modules &&
++ git commit -am evil
++'
++
++# This step seems like it shouldn't be necessary, since the payload is
++# contained entirely in the evil submodule. But due to the vagaries of the
++# submodule code, checking out the evil module will fail unless ".git/modules"
++# exists. Adding another submodule (with a name that sorts before "evil") is an
++# easy way to make sure this is the case in the victim clone.
++test_expect_success 'add other submodule' '
++ git submodule add "$PWD/innocent" another-module &&
++ git add another-module &&
++ git commit -am another
++'
++
++test_expect_success 'clone evil superproject' '
++ git clone --recurse-submodules . victim >output 2>&1 &&
++ ! grep "RUNNING POST CHECKOUT" output
++'
++
++test_done
+--
+2.13.3
+
diff --git a/poky/meta/recipes-devtools/git/git.inc b/poky/meta/recipes-devtools/git/git.inc
index dd9d792..bea23ec 100644
--- a/poky/meta/recipes-devtools/git/git.inc
+++ b/poky/meta/recipes-devtools/git/git.inc
@@ -7,7 +7,8 @@
PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+ file://CVE-2018-11235.patch"
S = "${WORKDIR}/git-${PV}"