70a90d49b9
Details: https://nvd.nist.gov/vuln/detail/CVE-2016-2568 This commit mostly just tries to add some info to this issue, in the hope that it will save some time for others who try to investigate it. This CVE most probably will stay open in meta-oe in the foreseeable future, although it can be mitigated reasonably easily by the users of the layer. The description of the vulnerability is short enough that it can be reproduced here: "pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer." The general consensus amongst developers/major distros[1][2][3] seems to be that it should be mitigated on the kernel side, to not allow non-privileged users to fake input. To this end, the kernel has introduced a new config in v6.2, called CONFIG_LEGACY_TIOCSTI - when it is enabled, non-privileged used can also fake input. It is however by default enabled (and it is also enabled in the kernels shipped in oe-core, at least at the time of writing this). Disabling this kernel config is considered to be the mitigation, to allow input-faking only by privileged users. [1]: https://security-tracker.debian.org/tracker/CVE-2016-2568 [2]: https://bugzilla.suse.com/show_bug.cgi?id=968674 [3]: https://marc.info/?t=145694748900001&r=1&w=2 / https://marc.info/?l=util-linux-ng&m=145702209921574&w=2 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
meta-oe
This layer depends on:
URI: git://github.com/openembedded/openembedded-core.git branch: master
luajit recipe requires host compiler to be able to generate 32bit code when target is 32bit e.g. arm, so ensure that $CC -m32 is functional on build host, if building this recipe, needed packages to fullfit this might have different names on different host distributions e.g. on archlinux based distributions install prerequisites like below
pacman -S lib32-gcc-libs lib32-glibc
Ubuntu sudo apt-get install gcc-multilib linux-libc-dev:i386
Send pull requests to openembedded-devel@lists.openembedded.org with '[meta-oe]' in the subject'
When sending single patches, please use something like: 'git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix="meta-oe][PATCH"'
You are encouraged to fork the mirror on GitHub https://github.com/openembedded/meta-openembedded to share your patches, this is preferred for patch sets consisting of more than one patch.
Note, it is discouraged to send patches via GitHub pull request system. Such patches get less attention from developers and can be mishandled or not reviewed properly. Please use emails instead. For exemple, you can use 'git request-pull' to generate an email referencing your git repository.
Other services like GitLab, repo.or.cz or self-hosted setups are of course accepted as well, 'git fetch ' works the same on all of them. We recommend GitHub because it is free, easy to use, has been proven to be reliable and has a really good web GUI.
Layer maintainer: Khem Raj raj.khem@gmail.com