From c8f4712845034714fed763414987305bacafe1fd Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Mon, 24 Jun 2019 09:36:18 -0400 Subject: subtree updates poky: 50d272863d..0b3e371116: Alistair Francis (1): recipes-bsp/opensbi: Fix the u-boot payload name Changqing Li (2): update-rc.d: update SRCREV and license checksum update-rc.d: support enable/disable options Chen Qi (2): context.py: avoid skipping tests by meaningless command argument oeqa: avoid class setup method to run when skipping the whole class Joe Slater (1): glib-2.0: Fix CVE-2019-12450 Jonathan Rajotte (1): lttng-tools: update to 2.10.7 Joseph Reynolds (1): dropbear: new feature: disable-weak-ciphers Joshua Watt (4): perl: Improve ptest package reproducibility python3: Reformat sysconfig perl: Reproducible build fixes bash: Remove .build files for reproducible builds Martin Jansa (1): gcc-runtime.inc: create the correct directory before creating the symlinks in it Ricardo Ribalda Delgado (1): go: avoid host contamination by GOCACHE Ross Burton (1): pigz: bump alternative priority Tim Orling (1): ptest-packagelists.inc: add libmodule-build-perl-ptest meta-openembedded: 3b245e4fe8..64974b8779: Adrian Bunk (9): libauthen-radius-perl: Remove manual RDEPENDS from PN-ptest to PN package network-manager-applet: Remove obsolete dbus-glib and libnm-glib dependencies ndctl: Remove the unnecessary dependency on virtual/kernel tipcutils: Remove the unnecessary dependency on virtual/kernel xl2tpd: Remove the old 1.3.6 version gpsd: Force using python-scons-native for now efibootmgr: Remove, was moved to oe-core efivar: Remove, was moved to oe-core wireless-regdb: Remove, was moved to oe-core Andrey Zhizhikin (1): cpuburn-arm: add aarch64 machine and build configuration Ankit Navik (1): safec: Add Safe C license Bartosz Golaszewski (1): libgpiod: upgrade to v1.4 Hongxu Jia (1): dracut: fix generated initramfs boot failure under bash 5 Kai Kang (1): xfce4-screensaver: 0.1.4 -> 0.1.5 Khem Raj (5): stressapptest: Fix build with libc++ stressapptest: Implement reading sysfs and use it if sysconf is not there stressapptest: Use git SHA instead of git archive gmime: Add recipe pidgin-sipe: Depend on gmime Maciej Pijanowski (1): recipes-benchmark/stressapptest_1.0.9.bb: add recipe Mingli Yu (3): mariadb: Upgrade to 10.3.16 mozjs: Fix do_patch error for mips64-n32 python-lxml: replace -Og with -O for mips64-32 Naveen Saini (1): pm-graph: fix multilib build failure Nicola Lunghi (1): libp11: No need to delete *.la anymore Oleksandr Kravchuk (1): openconnect: update to 8.03 Pascal Bach (3): protobuf: 3.6.1 -> 3.8.0 protobuf-c: add patch for protobuf 3 compatibility python3-protobuf, python-protobuf: 3.6.1 -> 3.8.0 Persian Prince (1): blueman_%.bbappend: Avoid PAK archive (application/x-pak) Saikiran Madugula (1): gitver: Pass git directory argument to gitrev_run Tim Orling (1): libmodule-build-perl: drop, has moved to oe-core Yi Zhao (1): snort: upgrade 2.9.11.1 -> 2.9.13 Zang Ruochen (3): python-twisted: upgrade 19.2.0 -> 19.2.1 python-wrapt: upgrade 1.11.1 -> 1.11.2 python-certifi: upgrade 2019.3.9 -> 2019.6.16 Change-Id: I0c3385628e0382c56c94fa27ba4d14e301c2e558 Signed-off-by: Brad Bishop --- poky/meta/recipes-core/dropbear/dropbear.inc | 6 ++- .../dropbear/dropbear-disable-weak-ciphers.patch | 44 +++++++++++++++ .../glib-2.0/glib-2.0/CVE-2019-12450.patch | 62 ++++++++++++++++++++++ poky/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb | 1 + .../recipes-core/update-rc.d/update-rc.d_0.8.bb | 4 +- 5 files changed, 113 insertions(+), 4 deletions(-) create mode 100644 poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch create mode 100644 poky/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch (limited to 'poky/meta/recipes-core') diff --git a/poky/meta/recipes-core/dropbear/dropbear.inc b/poky/meta/recipes-core/dropbear/dropbear.inc index b74d186cd..dcbda741c 100644 --- a/poky/meta/recipes-core/dropbear/dropbear.inc +++ b/poky/meta/recipes-core/dropbear/dropbear.inc @@ -20,7 +20,8 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ file://dropbear@.service \ file://dropbear.socket \ file://dropbear.default \ - ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} " + ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} " PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ file://0006-dropbear-configuration-file.patch \ @@ -46,8 +47,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert" BINCOMMANDS = "dbclient ssh scp" EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"' -PACKAGECONFIG ?= "" +PACKAGECONFIG ?= "disable-weak-ciphers" PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt" +PACKAGECONFIG[disable-weak-ciphers] = "" EXTRA_OECONF += "\ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" diff --git a/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch new file mode 100644 index 000000000..e48a34bac --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch @@ -0,0 +1,44 @@ +This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers +in the dropbear ssh server and client since they're considered weak ciphers +and we want to support the stong algorithms. + +Upstream-Status: Inappropriate [configuration] +Signed-off-by: Joseph Reynolds + +Index: dropbear-2019.78/default_options.h +=================================================================== +--- dropbear-2019.78.orig/default_options.h ++++ dropbear-2019.78/default_options.h +@@ -91,7 +91,7 @@ IMPORTANT: Some options will require "ma + + /* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ +-#define DROPBEAR_ENABLE_CBC_MODE 1 ++#define DROPBEAR_ENABLE_CBC_MODE 0 + + /* Enable "Counter Mode" for ciphers. This is more secure than + * CBC mode against certain attacks. It is recommended for security +@@ -101,7 +101,7 @@ IMPORTANT: Some options will require "ma + /* Message integrity. sha2-256 is recommended as a default, + sha1 for compatibility */ + #define DROPBEAR_SHA1_HMAC 1 +-#define DROPBEAR_SHA1_96_HMAC 1 ++#define DROPBEAR_SHA1_96_HMAC 0 + #define DROPBEAR_SHA2_256_HMAC 1 + + /* Hostkey/public key algorithms - at least one required, these are used +@@ -149,12 +149,12 @@ IMPORTANT: Some options will require "ma + * Small systems should generally include either curve25519 or ecdh for performance. + * curve25519 is less widely supported but is faster + */ +-#define DROPBEAR_DH_GROUP14_SHA1 1 ++#define DROPBEAR_DH_GROUP14_SHA1 0 + #define DROPBEAR_DH_GROUP14_SHA256 1 + #define DROPBEAR_DH_GROUP16 0 + #define DROPBEAR_CURVE25519 1 + #define DROPBEAR_ECDH 1 +-#define DROPBEAR_DH_GROUP1 1 ++#define DROPBEAR_DH_GROUP1 0 + + /* When group1 is enabled it will only be allowed by Dropbear client + not as a server, due to concerns over its strength. Set to 0 to allow diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch b/poky/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch new file mode 100644 index 000000000..59e49195c --- /dev/null +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch @@ -0,0 +1,62 @@ +glib-2.0: fix CVE-2019-12450 + +Not in release 2.61.1. + +CVE: CVE-2019-12450 + +Upstream-Status: Backport [github.com/GNOME/glib.git] +Signed-off-by: Joe Slater +--- +From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 23 May 2019 10:41:53 +0200 +Subject: [PATCH] gfile: Limit access to files when copying + +file_copy_fallback creates new files with default permissions and +set the correct permissions after the operation is finished. This +might cause that the files can be accessible by more users during +the operation than expected. Use G_FILE_CREATE_PRIVATE for the new +files to limit access to those files. +--- + gio/gfile.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/gio/gfile.c b/gio/gfile.c +index 24b136d80..74b58047c 100644 +--- a/gio/gfile.c ++++ b/gio/gfile.c +@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source, + out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)), + FALSE, NULL, + flags & G_FILE_COPY_BACKUP, +- G_FILE_CREATE_REPLACE_DESTINATION, +- info, ++ G_FILE_CREATE_REPLACE_DESTINATION | ++ G_FILE_CREATE_PRIVATE, info, + cancellable, error); + else + out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)), +- FALSE, 0, info, ++ FALSE, G_FILE_CREATE_PRIVATE, info, + cancellable, error); + } + else if (flags & G_FILE_COPY_OVERWRITE) +@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source, + out = (GOutputStream *)g_file_replace (destination, + NULL, + flags & G_FILE_COPY_BACKUP, +- G_FILE_CREATE_REPLACE_DESTINATION, ++ G_FILE_CREATE_REPLACE_DESTINATION | ++ G_FILE_CREATE_PRIVATE, + cancellable, error); + } + else + { +- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error); ++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error); + } + + if (!out) +-- +2.17.1 + diff --git a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb index bb77294e1..5942241de 100644 --- a/poky/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb +++ b/poky/meta/recipes-core/glib-2.0/glib-2.0_2.60.3.bb @@ -16,6 +16,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://0001-Do-not-write-bindir-into-pkg-config-files.patch \ file://0001-meson.build-do-not-hardcode-linux-as-the-host-system.patch \ file://0001-meson-do-a-build-time-check-for-strlcpy-before-attem.patch \ + file://CVE-2019-12450.patch \ " SRC_URI_append_class-native = " file://relocate-modules.patch" diff --git a/poky/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb b/poky/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb index baa21aeae..75632d943 100644 --- a/poky/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb +++ b/poky/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb @@ -4,10 +4,10 @@ DESCRIPTION = "update-rc.d is a utility that allows the management of symlinks t SECTION = "base" LICENSE = "GPLv2+" -LIC_FILES_CHKSUM = "file://update-rc.d;beginline=5;endline=15;md5=148a48321b10eb37c1fa3ee02b940a75" +LIC_FILES_CHKSUM = "file://update-rc.d;beginline=5;endline=15;md5=d40a07c27f535425934bb5001f2037d9" SRC_URI = "git://git.yoctoproject.org/update-rc.d" -SRCREV = "22e0692898c3e7ceedc8eb5ff4ec8e0b9c340b2d" +SRCREV = "4b150b25b38de688d25cde2b2d22c268ed65a748" UPSTREAM_CHECK_COMMITS = "1" -- cgit v1.2.3