summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/cpio/cpio-2.12
AgeCommit message (Collapse)Author
2019-12-16cpio: update to 2.13Alexander Kanavin
Drop a couple of backports. (From OE-Core rev: 66f3b09364c499d9b0610f7c01763ae5dc1521cf) Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-12-05cpio: update patch to merged versionRoss Burton
The segfault on append was fixed upstream with a different patch, so apply that instead. (From OE-Core rev: 24000d1fdba2684202e15371f80bb385722c9d91) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-12-01cpio: fix crash when appending to archivesRoss Burton
The upstream fix for CVE-2016-2037 introduced a read from uninitialized memory bug when appending to an existing archive, which is an operation we perform when building an image. (From OE-Core rev: 046e3e1fca925febf47b3fdd5d4e9ee2e1fad868) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-06-15cpio: fix CVE-2016-2037Andre McCurdy
"The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file." https://nvd.nist.gov/vuln/detail/CVE-2016-2037 Note that there appear to be two versions of this fix. The original patch posted to the bug-cpio mailing list [1] is used by Debian [2], but apparently causes regression [3]. The patch accepted to the upstream git repo [4] seems to be the most complete fix. [1] https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg00005.html [2] https://security-tracker.debian.org/tracker/CVE-2016-2037 [3] https://www.mail-archive.com/bug-cpio@gnu.org/msg00584.html [4] http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b (From OE-Core rev: f170288ac706126e69a504a14d564b2e5c3513e4) Signed-off-by: Andre McCurdy <armccurdy@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-01-11Add "CVE:" tag to current patches in OE-coreMariano Lopez
The currnet patches in OE-core doesn't have the "CVE:" tag, now part of the policy of the patches. This is patch add this tag to several patches. There might be patches that I miss; the tag can be added in the future. (From OE-Core rev: 065ebeb3e15311d0d45385e15bf557b1c95b1669) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-12-16cpio: update to 2.12Alexander Kanavin
Drop backported patches: Fix-symlink-bad-length-test-for-64-bit-architectures.patch fix-memory-overrun.patch fix-testcase-symlink-bad-lengths.patch 0001-fix-testcase-of-symlink-bad-length.patch statdef.patch is fixing code that doesn't exist anymore. The problem handled by remove-gets.patch has been fixed differently. The CVE-2015-1197 has been ignored by upstream and had to be rebased: http://lists.gnu.org/archive/html/bug-cpio/2015-09/msg00007.html (From OE-Core rev: feeaa86eb8b1071d56eb6d7ad7120aa389c736a0) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-06-27 22:51:55 +0000