[OE-core] [for-krogoth] Backport of new libarchive release

akuster808 akuster808 at gmail.com
Tue Jul 12 01:25:22 UTC 2016 

Otavio,

On 07/11/2016 07:41 AM, Otavio Salvador wrote:
> Hello Armin and OE-Core fellows,
>
> The libarchive 3.2.1 fixes several bugs and security related issues so
> it seems like a good candidate for backport. I list below the commits
> I did in our local fork while testing it:

CVE-2016-1541 is the only missing CVE. Are you aware of others? General 
bug fixes are good.  But If I am not mistaken, there are 803 commits 
between 3.1.2 (krogoth) and 3.2.1 (master). The is more than I want to 
take at this time.

thanks for keeping an eye out for changes needing to go into krogoth.

kind regards,
Armin

>
> commit 95e2a448d857659935ecd4762faea851151d1bce (HEAD -> for-krogoth)
> Author: Alexander Kanavin <alexander.kanavin at linux.intel.com>
> Date:   Tue Jun 28 11:06:13 2016 +0300
>
>      libarchive: update to 3.2.1
>
>      Drop merged 0001-configure.ac-check-acl-libacl.h-and-sys-acl.h-based-.patch
>
>      Signed-off-by: Alexander Kanavin <alexander.kanavin at linux.intel.com>
>      Signed-off-by: Ross Burton <ross.burton at intel.com>
>      (cherry picked from commit 4d65a93d3e705cfb9b4cfe102e9d0cabaffe7a52)
>
> commit 088ad58922bd6af83a17c3c0a9ae3b78564e798d
> Author: Maxin B. John <maxin.john at intel.com>
> Date:   Mon Jun 6 00:12:03 2016 +0300
>
>      libarchive: respect disable-acl configuration option
>
>      Update configure.ac to properly handle --disable-acl option
>
>      [YOCTO #9668]
>
>      Signed-off-by: Maxin B. John <maxin.john at intel.com>
>      Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
>      (cherry picked from commit 84fe3f29f2bdaf98c9beefdfede143084fba093b)
>
> commit 71a550d24e1098e34e35da68335d83f893afe169
> Author: Richard Purdie <richard.purdie at linuxfoundation.org>
> Date:   Sat Jun 4 09:04:26 2016 +0100
>
>      libarchive: Add PACKAGECONFIG for lz4 to ensure determinism
>
>      This avoids:
>
>      WARNING: opkg-1_0.3.1-r0 do_package_qa: QA Issue: libopkg rdepends
> on lz4, but it isn't a build dependency, missing lz4 in DEPENDS or
> PACKAGECONFIG? [build-deps]
>
>      and ERROR:
>
>      build-appliance-image-15.0.0-r0 do_rootfs: Unable to install
> packages. Command
> '/home/pokybuild/yocto-autobuilder/yocto-worker/build-appliance/build/build/tmp/sysroots/x86_64-linux/usr/bin/smart
> --log-level=warning
> --data-dir=/home/pokybuild/yocto-autobuilder/yocto-worker/build-appliance/build/build/tmp/work/qemux86_64-poky-linux/build-appliance-image/15.0.0-r0/rootfs/var/lib/smart
> install -y packagegroup-core-boot at qemux86_64
> packagegroup-core-ssh-openssh at all psplash at core2_64
> kernel-dev at qemux86_64 packagegroup-core-x11-base at all
> kernel-devsrc at qemux86_64 smartpm at core2_64 packagegroup-self-hosted at all
> rpm at core2_64 locale-base-en-us at core2_64 locale-base-en-gb at core2_64'
> returned 1:
>      Loading cache...
>      Updating cache...
> ######################################## [100%]
>
>      Computing transaction...error: Can't install
> libopkg1-1:0.3.1-r0.0 at core2_64: no package provides lz4 >=
> 131+git0+d86dc9167
>
>      Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
>      (cherry picked from commit f12fe90a78ca1239691e8fd8f7b06ce59b8b72cc)
>
> commit afc19399bfe4e5dfff5243ed14ab806c78c092bb
> Author: Paul Barker <paul at paulbarker.me.uk>
> Date:   Sat May 28 14:26:15 2016 +0100
>
>      libarchive: Upgrade to v3.2.0
>
>      All patches are removed as they are no longer needed. Most were
> merged into this
>      release of libarchive. "0001-Set-xattrs-after-setting-times.patch"
> was dropped
>      upstream after discussion, see
> https://github.com/libarchive/libarchive/pull/664.
>
>      The COPYING file in libarchive had a couple of minor changes to
> clarify which
>      files are under which copyrights but the overall license is unaffected.
>
>      Signed-off-by: Paul Barker <paul at paulbarker.me.uk>
>      Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
>      (cherry picked from commit 4976382011106b9515e44359f2f6bb1d0c69fdb3)
>
> Please consider those for next krogoth pull request.
>
> Thanks in advance,
>

More information about the Openembedded-core mailing list