From ${URL} : Executing "bitbake -g -u depexp <package>" when DISPLAY is not properly set causes a segfault and a denial of service (through OOM) via a crafted script.

Bug Report URL: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7299

Patch link (master branch): http://git.openembedded.org/bitbake/commit/?id=f35e9bd7b59c180fe9a3d9177efb57b92d9cd373

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Fix is in 1.26 upstream: https://github.com/openembedded/bitbake/releases
@Maintainers ping. Gentoo Security Padawan ChrisADR
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ca40e7827f412c1ac0cf5c17da299599e040e4e

commit 5ca40e7827f412c1ac0cf5c17da299599e040e4e
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-17 17:13:57 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-17 17:14:28 +0000

    profiles/package.mask: mask dev-embedded/bitbake

    Bug: https://bugs.gentoo.org/540360
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
bitbake-1.42.0.tar.gz Why not just version bump it?
(In reply to Michael Lawrence from comment #4)
> bitbake-1.42.0.tar.gz
>
> Why not just version bump it?

If someone wants to maintain it then they can.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e28041d3c2fc03af42339e44f8696f17573a405

commit 6e28041d3c2fc03af42339e44f8696f17573a405
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-17 08:40:21 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-17 09:23:21 +0000

    dev-embedded/bitbake: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/540360
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-embedded/bitbake/Manifest              |  1 -
 dev-embedded/bitbake/bitbake-1.17.0.ebuild | 38 ------------------------------
 dev-embedded/bitbake/bitbake-9999.ebuild   | 38 ------------------------------
 dev-embedded/bitbake/metadata.xml          | 11 ---------
 profiles/package.mask                      |  5 ----
 5 files changed, 93 deletions(-)
The package has been removed from the repository. Not creating a removal GLSA because the reported vulnerability is just a local crash.