diff options
author | Scott Murray <scott.murray@konsulko.com> | 2019-02-08 10:53:08 -0500 |
---|---|---|
committer | Stephane Desneux <stephane.desneux@iot.bzh> | 2019-04-04 18:02:11 +0200 |
commit | 7faccb97d69c7581e338f88ce3a2153cdd69fd16 (patch) | |
tree | 57dd664e04593af6eed43cb6ecffab438d93d860 /meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch | |
parent | e978a20f40916eac57a5e1af8f65b6ed9f719e50 (diff) |
Upgrade to thud
Changes include:
- Add LAYERSERIES_COMPAT definitions to layer.conf files
- Remove now unnecessary SECURITY_*FLAGS over-rides from distro
configuration
- Set intel-corei7-64 preferred kernel version to 4.19 to match
latest linux-intel kernel available in meta-intel
- Update qemuarm preferred kernel version to 4.18 to match latest
linux-yocto
- Update firmware package and devicetree file names for raspberrypi3
- Remove linux-firmware bbappend specific to raspberrypi, it seems no
longer required and breaks the cross SDK build
- Update linux-intel bbappend to 4.19, remove now unnecessary patch
- Remove now unnecessary lttng-modules backport
- Update linux-raspberrypi bbappend to 4.14 kernel
- Added kernel configuration fragment for raspberrypi to disable
Kprobes. This is required until linux-raspberrypi is updated to
greater than 4.14.104 to avoid a build failure in lttng-modules
related to a check for known breakage in the kernel CONFIG_OPTPROBES
code.
- Replace obsolete base_conditional usage with oe.utils.conditional
- Add gstreamer1.0-plugins-bad bbappend for raspberrypi3 to disable
faad PACKAGECONFIG to avoid commercial license issues
- Remove unused and unbuildable Vayu gstreamer recipes
- Update linux-ti-staging bbappend for new BSP kernel
- Regen dcan2_pinmux_enable.patch for linux-ti-staging to remove fuzz
warning, and remove upstreamed fix_dcan_addresses.patch
- Remove ipumm-fw from meta-agl-bsp/meta-ti, as newer version is
available in the upstream BSP
- Update meta-agl-bsp/meta-ti weston patch to apply against 5.0.0
- Update meta-agl-bsp/meta-ti wayland-ivi-extension patch to apply
against 2.2.0
- Add ti-sgx-ddk-km patch to add AGL toolchain configuration file
- Remove now unnecessary fdtoverlay recipe
- Update core.cfg and ivishell.cfg in weston-ini-conf recipe to handle
move of ivi-controller.so configuration in Weston 5.0.0
- Update connman-ncurses patch to remove fuzz warning
- Add installation of systemd over-ride file for run-postinsts.service
in run-postinsts bbappend to workaround race condition between
ldconfig.service and the /sbin/ldconfig invocations in the
post-install scripts run by run-postinsts.service. The observed
failure was cynara's post-install script failing and its database
not being created.
- Remove now unnecessary valgrind backport
- Add patches to fix most driver compilation against newer kernels
- Update libmicrohttpd bbappend
- Remove libssp-dev from agl-image-graphical-qt5-crosssdk and
agl-demo-platform-html5-crosssdk, upstream have removed it from
non-mingw32 platform SDKs
- Update wayland-ivi-extension recipe to build 2.2.0, and update
local patches
- Update weston patches for 5.0.0. Patches:
0016-ivi-shell_add_screen_remove_layer_api.patch
0017-ivi-shell-register-ivi_layout_interface.patch
have been removed as they have been applied upstream and are no longer
necessary. Patches:
0018-compositor-add-output-type-to-weston_output.patch
0019-compositor-drm-introduce-drm_get_dmafd_from_view.patch
(both related to Waltham) have been disabled for now as they need
significant rework.
- Remove weston-conf RRECOMMENDS in weston bbappend to avoid conflict
with weston-ini-conf
- Add OECMAKE_GENERATOR = "Unix Makefiles" to aglwgt.bbclass to work
around CMake+ninja issue in cmake-apps-module
- Update dbus cynara patches for 1.12.10
- Add do_install_append in cynara recipe to remove /var/cynara from
cynara package so the directory creation and labelling in the
post-install scriptlet will function as intended
- Remove now unnecessary e2fsprogs backport
- Remove now unnecessary libcap-ng backport
- Update pulseaudio patches to remove fuzz warnings
- Update neardal patch to remove fuzz warning
- Update freetype patch to remove fuzz warning
- Rename opencv bbappend to 3.% to handle 3.x backports in upstream
- Updated qtwayland patch to remove fuzz warning
Changes from Stephane Desneux <stephane.desneux@iot.bzh>:
- Remove wayland-ivi-extension PREFERRED_VERSION
- Remove now unnecessary nativesdk-cmake patch
- Remove now unnecessary ptest-runner patches
- Remove now unnecessary harfbuzz patches
- Disable waltham-transmitter as it does not build against weston 5.0.0
- Update af-main, cynara, and security-manager to use pkg_postinst_ontarget
- Bump connman-ncurses revision to avoid deprecated ncurses functions
- Update libva package usage with new intel-vaapi-driver name
- Add patches to security-manager to fix compilation with gcc8
- Updated systemd bbappend
Changes from Jan-Simon Möller <jsmoeller@linuxfoundation.org>:
- Remove meta-agl-bsp/ROCKO.FIXMEs
- Remove linux-yocto_4.12.bbappend and now unnecessary associated
patch
- Remove now unneeded kern-tools-native patch
- Bump gstreamer PREFERRED_VERSIONs to 1.14.x
- Remove latencytop from packagegroup-agl-core-devel, it has been
dropped by upstream
- Remove now unnecessary rpm patches
- Update pulseaudio bbappend to 12.2
- Update opencv bbappend to 3.4
- Update freetype bbappend to 2.9.1
- Update dbus bbappend to 1.12.10
- Update weston bbappend to 5.0.0
- Update cynara patches to remove fuzz warnings
- Add patch to cynara to fix compilation with gcc8
- Add xmlsec1 bbappend to clear EXTRA_OECONF to fix compilation on
sumo or newer
Changes from Ronan Le Martet <ronan.lemartet@iot.bzh>:
- Update meta-rcar-gen3-adas layer gstreamer1.0-plugin-vspfilter
bbappend to version 1.0.1
Known issues (marked with FIXME):
- CMake+ninja issue in cmake-apps-module has been worked around with
OECMAKE_GENERATOR
- waltham-transmitter and the patches to weston related to it have been
disabled
- Currently unclear if patch to libcap-native is actually required or
not
Bug-AGL: SPEC-1837
Change-Id: I7b8b9ef667aec2d229952eace6663dfc761654d0
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Diffstat (limited to 'meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch')
-rw-r--r-- | meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch | 79 |
1 files changed, 0 insertions, 79 deletions
diff --git a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch b/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch deleted file mode 100644 index d7a868d2c..000000000 --- a/meta-security/recipes-security/libcap-ng/libcap-ng/CVE-2014-3215.patch +++ /dev/null @@ -1,79 +0,0 @@ -Upstream-Status: Pending - -diff --git a/docs/capng_lock.3 b/docs/capng_lock.3 -index 7683119..a070c1e 100644 ---- a/docs/capng_lock.3 -+++ b/docs/capng_lock.3 -@@ -8,12 +8,13 @@ int capng_lock(void); - - .SH "DESCRIPTION" - --capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. -+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs. This should be called while possessing the CAP_SETPCAP capability in the kernel. - -+This function will do the following if permitted by the kernel: If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it. Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS. If both fail, it will return an error. - - .SH "RETURN VALUE" - --This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options. -+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options. - - .SH "SEE ALSO" - -diff --git a/src/cap-ng.c b/src/cap-ng.c -index bd105ba..422f2bc 100644 ---- a/src/cap-ng.c -+++ b/src/cap-ng.c -@@ -45,6 +45,7 @@ - * 2.6.24 kernel XATTR_NAME_CAPS - * 2.6.25 kernel PR_CAPBSET_DROP, CAPABILITY_VERSION_2 - * 2.6.26 kernel PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3 -+ * 3.5 kernel PR_SET_NO_NEW_PRIVS - */ - - /* External syscall prototypes */ -@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data); - #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ - #endif - -+/* prctl values that we use */ -+#ifndef PR_SET_SECUREBITS -+#define PR_SET_SECUREBITS 28 -+#endif -+#ifndef PR_SET_NO_NEW_PRIVS -+#define PR_SET_NO_NEW_PRIVS 38 -+#endif -+ - // States: new, allocated, initted, updated, applied - typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT, - CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t; -@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag) - - int capng_lock(void) - { --#ifdef PR_SET_SECUREBITS -- int rc = prctl(PR_SET_SECUREBITS, -- 1 << SECURE_NOROOT | -- 1 << SECURE_NOROOT_LOCKED | -- 1 << SECURE_NO_SETUID_FIXUP | -- 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); -+ int rc; -+ -+ // On Linux 3.5 and up, we can directly prevent ourselves and -+ // our descendents from gaining privileges. -+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0) -+ return 0; -+ -+ // This kernel is too old or otherwise doesn't support -+ // PR_SET_NO_NEW_PRIVS. Fall back to using securebits. -+ rc = prctl(PR_SET_SECUREBITS, -+ 1 << SECURE_NOROOT | -+ 1 << SECURE_NOROOT_LOCKED | -+ 1 << SECURE_NO_SETUID_FIXUP | -+ 1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0); - if (rc) - return -1; --#endif - - return 0; - } |